[OpenStack-Infra] Problems setting up my own OpenStack Infrastructure

Lenny Berkhovsky lennyb at mellanox.com
Sun Apr 1 05:21:56 UTC 2018


Hello Bernd,
There is also a Third Party CI page[1] that may assist you.

[1] https://docs.openstack.org/infra/openstackci/third_party_ci.html

-----Original Message-----
From: Bernd Bausch [mailto:berndbausch at gmail.com] 
Sent: Wednesday, March 28, 2018 3:12 AM
To: openstack-infra at lists.openstack.org
Subject: Re: [OpenStack-Infra] Problems setting up my own OpenStack Infrastructure

Resending this message because it was too large for the distribution list.

-------

Clark,

My first test uses this local.pp. It's copied verbatim from [1]:
~~~~
# local.pp
class { 'openstack_project::etherpad':
  ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
  ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
  ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
  mysql_host              => hiera('etherpad_db_host', 'localhost'),
  mysql_user              => hiera('etherpad_db_user', 'etherpad'),
  mysql_password          => hiera('etherpad_db_password','etherpad'),
}
~~~~
The commands I run are also verbatim from the same page:
~~~~
# ./install_puppet.sh
# ./install_modules.sh
# puppet apply -l /tmp/manifest.log --modulepath=modules:/etc/puppet/modules manifests/local.pp
~~~~

My second test closely follows [2]. Here, I take the puppetmaster's original site.pp, adapt the domain "openstack.org" to my domain at home and remove all node definitions except puppetmaster and etherpad. My file is at the end of this message[4].

The commands:
~~~~
# ./install_puppet.sh
# ./install_modules.sh
# vi site.pp                                          # see [4]
# puppet apply --modulepath='/opt/system-config/production/modules:/etc/puppet/modules' -e 'include openstack_project::puppetmaster'
~~~~

> Generally though hiera is used for anything that will be secret or 
> very site specific. So in this case the expectation is that you will 
> set up a hiera file with the info specific for your deployment 
> (because you shouldn't have the ssl cert private data for our deployment and we shouldn't have yours).
> This is likely a missing set of info for our docs. We should add 
> something with general hiera setup to get people going.

Yes. The documentation seems to treat the hiera as a given; it just exists, and there doesn't seem to be any information about its content or even whether it's really required.
Once I know the issues and technology better (steep learning curve), I'd be happy to write documentation from the perspective of a newbie.
For now, let me do more testing with hardcoded values rather than hiera. I certainly learn a lot doing this.

> Unfortunately I don't remember off the top of my head how to set up a 
> hiera so I will have to dig into docs (or maybe someone else can chime 
> in with that info).

In principle, I can do that (for Puppet 4 at least), but the question is what goes into the OpenStack CI production hiera. I see a directory /opt/system-config/production/hiera [3] - is that it? It doesn't contain anything about Etherpad, though. I also did a codesearch for "etherpad_ssl_cert_file_contents", no result (except for the site.pp).

Thanks much, Clark!

Bernd
---
[1] https://docs.openstack.org/infra/system-config/sysadmin.html#making-a-change-in-puppet
[2] https://docs.openstack.org/infra/system-config/puppet.html
[3] https://git.openstack.org/cgit/openstack-infra/system-config/tree/hiera
[4] My site.pp:
~~~~
#
# Top-level variables
#
# There must not be any whitespace between this comment and the variables or
# in between any two variables in order for them to be correctly parsed and
# passed around in test.sh
#
$elasticsearch_nodes = hiera_array('elasticsearch_nodes')

#
# Default: should at least behave like an openstack server
#
node default {
  class { 'openstack_project::server':
    sysadmins => hiera('sysadmins', []),
  }
}

# Node-OS: trusty
# (I try this with Centos 7 first)
node 'puppetmaster.home' {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [8140],
    sysadmins                 => hiera('sysadmins', []),
    pin_puppet                => '3.6.',
  }
  class { 'openstack_project::puppetmaster':
    root_rsa_key                               => hiera('puppetmaster_root_rsa_key'),
    puppetmaster_clouds                        => hiera('puppetmaster_clouds'),
    enable_mqtt                                => true,
    mqtt_password                              => hiera('mqtt_service_user_password'),
    mqtt_ca_cert_contents                      => hiera('mosquitto_tls_ca_file'),
  }
  file { '/etc/openstack/infracloud_vanilla_cacert.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
    require => Class['::openstack_project::puppetmaster'],
  }
  file { '/etc/openstack/infracloud_chocolate_cacert.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
    require => Class['::openstack_project::puppetmaster'],
  }
  file { '/etc/openstack/limestone_cacert.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => hiera('limestone_ssl_cert_file_contents'),
    require => Class['::openstack_project::puppetmaster'],
  }
}

# Node-OS: trusty
# Node-OS: xenial
node /^etherpad\d*\.home$/ {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [22, 80, 443],
    sysadmins                 => hiera('sysadmins', []),
  }

  class { 'openstack_project::etherpad':
    ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
    ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
    ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
    mysql_host              => hiera('etherpad_db_host', 'localhost'),
    mysql_user              => hiera('etherpad_db_user', 'username'),
    mysql_password          => hiera('etherpad_db_password'),
  }
}

# Node-OS: trusty
# Node-OS: xenial
node /^etherpad-dev\d*\.home$/ {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [22, 80, 443],
    sysadmins                 => hiera('sysadmins', []),
  }

  class { 'openstack_project::etherpad_dev':
    mysql_host          => hiera('etherpad-dev_db_host', 'localhost'),
    mysql_user          => hiera('etherpad-dev_db_user', 'username'),
    mysql_password      => hiera('etherpad-dev_db_password'),
  }
}
~~~~
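
An added example, not part of the original thread and not code from system-config: a small Python script that answers "what has to go into my hiera" for a manifest like the local.pp quoted above. It lists the keys looked up without a default (hiera must supply them) and flags secret-looking keys that silently fall back to a literal default. The secret-name heuristic and the 'CHANGEME' placeholder are assumptions.

```python
import re

# Matches hiera('key') and hiera('key', default), plus hiera_array/hiera_hash.
HIERA_CALL = re.compile(
    r"\bhiera(?:_array|_hash)?\(\s*'([^']+)'\s*(?:,\s*([^)]*?))?\s*\)")
# Key names that suggest secret material (heuristic; an assumption of this example).
SECRET_HINT = re.compile(r"password|passwd|secret|_key|token", re.I)

# Constructed sample: the local.pp quoted in the message above.
SAMPLE = """
class { 'openstack_project::etherpad':
  ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
  ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
  ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
  mysql_host              => hiera('etherpad_db_host', 'localhost'),
  mysql_user              => hiera('etherpad_db_user', 'etherpad'),
  mysql_password          => hiera('etherpad_db_password','etherpad'),
}
"""

def hiera_lookups(manifest):
    """Return {key: default-or-None} for every hiera lookup outside comments."""
    found = {}
    for line in manifest.splitlines():
        code = line.split("#", 1)[0]  # crude comment strip; no '#' inside strings here
        for key, default in HIERA_CALL.findall(code):
            found[key] = default.strip() or None
    return found

def audit(manifest):
    """Return (keys hiera must supply, secret-looking keys with a literal fallback)."""
    lookups = hiera_lookups(manifest)
    required = sorted(k for k, d in lookups.items() if d is None)
    weak = sorted(k for k, d in lookups.items()
                  if d is not None and SECRET_HINT.search(k))
    return required, weak

def skeleton(required):
    """Emit a hiera YAML skeleton; every value is a placeholder to replace per site."""
    return "---\n" + "".join(f"{k}: 'CHANGEME'\n" for k in required)

if __name__ == "__main__":
    required, weak = audit(SAMPLE)
    print(skeleton(required), end="")
    for key in weak:
        print(f"# warning: {key} falls back to a literal default in the manifest")
```

On the sample, the three etherpad_ssl_* keys come out as required, and etherpad_db_password is flagged because the manifest would use the literal 'etherpad' whenever hiera has no value for it.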