Skip to content
This repository has been archived by the owner on Nov 22, 2021. It is now read-only.

Puppet ssh

Jump to bottom
Petr Chalupa edited this page Jun 26, 2014 · 65 revisions

Scenarios

(1) Discovered hosts scenario

Assumptions:

  • Staypuft has full control over provisioning
  • Configured deployment already exists
  • Staypuft can execute puppetrun
    • StrictHostKeyChecking set to no
  • all hosts have a module for managing puppet agent, lets call it puppet-management-module
    • to be able to enable/disable puppet agent service just by changing param and re-running puppet

Steps:

  • Hosts are discovered
    • by booting to Discovery image
  • Hosts are assigned to the deployment
    • conversion to Host::Managed
    • hosts are assigned to hostgroup
    • build flag set to true
    • environment set to discovery (to keep them booting to Discovery image)
  • Deployment is triggered
    • all machines are provisioned
      • environment is changed to production
      • machines are restarted using SmartProxy running on the Discovery image
      • puppet service is turned down
        • needs altering of provisioning template
      • authorized_key is set
        • needs altering of provisioning template
    • puppetrun is executed on hosts in order given by dependencies between roles
      • triggered by orchestration
      • executing puppetrun on hosts through proxy
    • then on each machine puppet service is reenabled
      • by changing the param for puppet-management-module

(2) Registered hosts scenario

Assumptions:

  • Staypuft doesn't have control over provisioning (DHCP) and cannot restart the machines
  • Configured deployment already exists
  • Auto-sign for the hosts is set on proxy page

Steps:

  • staypuft installer generates answer-file for staypuft-client-installer
    • including authorized key of foreman-proxy user from host running SmartProxy
  • staypuft-client-installer is executed on hosts
    • puppet service is disabled
    • adds authorized key for foreman-proxy to be able to execute commands
    • registers the host to Staypuft
      • hosts are unmanaged, without hostgroup, in discovery environment
  • hosts are assigned to the deployment
    • environment is set to discovery (if not set already)
    • hosts are assigned to hostgroup
  • Deployment is triggered
    • one puppetrun in discovery environment to ensure puppet agent service is disabled using puppet-management-module (That is useful for host adding)
    • environment is changed to production
    • puppetrun is executed on hosts in order given by dependencies between roles
      • same as in (1)
    • then on each machine puppet service is reenabled (as in (1))

Action items

  • @ares staypuft-client-installer

    • ✅ disables puppet agent service
    • ✅ registers the host
    • ✅ registered host must have authorized_keys set for foreman-proxy's public key under root user to be able to trigger puppetrun
    • ✅ configures puppetmaster using augeas (foreman's puppet module can't handle that easily)
    • ✅ packaging of new files

  • staypuft installer

    • @ares must generate answer file for client installer (read ssh key and fqdn)

    • @ares print out instructions to register existing host

    • @mtaylor has to generate key for foreman-proxy user on host hosting the SmartProxy in /usr/share/foreman-proxy/.ssh

    • @mtaylor Setup foreman-proxy with puppetssh enabled and configured.

    • @mtaylor has to set StrictHostKeyChecking no because foreman proxy does not know all the hosts

    • @ares has to enable Setting['puppetrun']

    • @ares do not start puppet agent service, should be configurable by a parameter

    • @ares discovered host has to have authorized_keys set for foreman-proxy to be able to trigger puppetrun, should be configurable by a parameter

      # Set up authorized_keys
mkdir /root/.ssh
echo "<%= @host.params['smart_proxy_ssh_pub_key'] %>" >> /root/.ssh/authorized_keys
/sbin/restorecon -r /root/.ssh # not to get denied by selinux

      @host.params['smart_proxy_ssh_pub_key'] or Setting['...']

  • @ares find suitable or write one puppet-management-module

  • @pitr-ch update orchestration actions to reflect new process

    • @pitr-ch detection discovered vs registered

      registered hots are managed? == false and they cannot be provisioned, managed? == true hosts are by default provisioned but user can choose not to.

    • @pitr-ch test the machine is ready for puppetrun (#ssh_open? method)

    • @pitr-ch trigger puppetrun

    • @pitr-ch check subsequent report

    • @pitr-ch ensure that new process works with discovered hosts

    • @pitr-ch ensure that new process works with registered hosts

    • @pitr-ch humanized outputs

    • @pitr-ch reenabling the puppet agent service,

  • @pitr-ch figuring out remaining steps to setup puppetssh

  • @ares hiera/puppet bug: Could not run: no such file to load -- hiera/filecache

  • @ares build all rpms

    • scratch builds
    • staypuft released
    • staypuft-installer released
    • staypuft-client-installer released
    • ❗ rhel7 packaging of client-installer

  • End to End Testing

    • discovered hosts @pitr-ch@ares
    • registered hosts @mtaylor@pitr-ch

Nice to have:

  • ensures puppet agent service is disabled before orchestration starts, uses puppet-manage-module
  • distribute host keys to foreman-proxy so StrictHostKeyChecking no can be disabled
  • @pitr-ch merge fix for foreman-proxy when on f19 https://github.com/theforeman/smart-proxy/pull/163
  • check that only puppet agent service was enabled nothing else
  • @mtaylor do not test that machine is ready just by testing port 22 that it's open, try to actually connect via ssh

Legend:

  • ✅ - tested that it works
  • ❔ - not done yet, it'll need testing
  • ❓ - needs testing
  • ❗ - blocker
Clone this wiki locally