Set up salt for integration slaves in labs
Closed, Resolved, Public

Description

Because ssh-ing into each manually and fixing stuff sucks.

Event Timeline

Krinkle raised the priority of this task from to Needs Triage.
Krinkle updated the task description.
Krinkle added subscribers: Krinkle, bd808.

@Andrew @coren @yuvipanda Pinging you for acknowledgement.

The deployment-prep labs project already has its own salt master. We are going to do the same for the integration project since CI has a ton of instances and that will make our life easier. A side effect is that salt commands meant to be executed on all labs projects will no longer reach 'integration' instances (just like they are not reaching the 'deployment-prep' project).

Yeah, go ahead. T78466 should let us chain salt masters, thus getting rid of the second problem.

Krinkle set Security to None.

Created instance i-00000b91 m1.small with image "ubuntu-12.04-precise" and integration-saltmaster.eqiad.wmflabs.

https://wikitech.wikimedia.org/wiki/Nova_Resource:I-00000b91.eqiad.wmflabs

I have applied role::salt::masters::labs::project_master and ran puppet.

I took:

  • public key from /etc/salt/pki/master/master.pub
  • fingerprint via salt-key -f /etc/salt/pki/master/master.pub (70:48:7d:38:dc:44:2a:5d:51:0e:49:fe:a3:21:0c:eb).

Applied that to Hiera:Integration.

integration-saltmaster# salt-key --list all
Accepted Keys:
Unaccepted Keys:
i-00000392.eqiad.wmflabs
i-00000474.eqiad.wmflabs
i-0000063a.eqiad.wmflabs
i-00000924.eqiad.wmflabs
i-00000a4c.eqiad.wmflabs
i-00000a8d.eqiad.wmflabs
i-00000a8e.eqiad.wmflabs
i-00000a92.eqiad.wmflabs
i-00000a96.eqiad.wmflabs
i-00000a98.eqiad.wmflabs
i-00000a9f.eqiad.wmflabs
i-00000aa1.eqiad.wmflabs
i-00000b2a.eqiad.wmflabs
i-00000b91.eqiad.wmflabs
Rejected Keys:

Now we need to find out how to have the keys automatically signed.

The salt autosigner is part of puppet class puppetmaster::autosigner. I have applied it and that creates the cron:

* * * * * /usr/local/sbin/puppetsigner.py > /dev/null 2>&1

That signed them all and puppet still runs fine on the instance. Example run:

[Image: integration-salt.png]
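
An added example, not part of the original task and not the puppetsigner.py it mentions: because the cron above signed every pending key, this sketch checks the IDs listed under "Unaccepted Keys:" against a list of instances expected in the project before any are accepted. The allowlist file, the function names and the listing (a constructed sample shaped like the output above, with one invented ID) are assumptions.

```shell
#!/bin/sh
# Added example: hold back pending Salt minion keys that are not on an allowlist.

# Constructed sample shaped like the `salt-key --list all` output in the task;
# unexpected-host.example.org is an invented ID that is not on the allowlist.
sample_listing() {
cat <<'EOF'
Accepted Keys:
Unaccepted Keys:
i-00000392.eqiad.wmflabs
i-00000b91.eqiad.wmflabs
unexpected-host.example.org
Rejected Keys:
EOF
}

# Read a key listing on stdin, print the IDs under "Unaccepted Keys:".
pending_keys() {
  awk '
    /^[A-Za-z ]+ Keys:$/ { pending = ($0 == "Unaccepted Keys:"); next }
    pending && NF        { print $1 }
  '
}

# $1 = allowlist file (assumed format: one expected minion ID per line).
# Prints "accept <id>" for exact matches and "hold <id>" for everything else.
triage_keys() {
  pending_keys | while IFS= read -r id; do
    if grep -Fxq -e "$id" "$1"; then
      printf 'accept %s\n' "$id"
    else
      printf 'hold %s\n' "$id"
    fi
  done
}

# Demo on the constructed sample. On a master the input would come from:
#   salt-key --list all --no-color | triage_keys /path/to/allowlist
allow=$(mktemp)
printf '%s\n' i-00000392.eqiad.wmflabs i-00000b91.eqiad.wmflabs > "$allow"
sample_listing | triage_keys "$allow"
rm -f "$allow"
```

IDs reported as "hold" stay unaccepted until someone has compared the minion's key fingerprint out of band.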