[OpenStack-Infra] Problems setting up my own OpenStack Infrastructure

Bernd Bausch berndbausch at gmail.com
Wed Mar 28 00:12:04 UTC 2018


Resending this message because it was too large for the distribution list.

-------

Clark,

My first test uses this local.pp. It's copied verbatim from [1]:
~~~~
# local.pp
class { 'openstack_project::etherpad':
  ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
  ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
  ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
  mysql_host              => hiera('etherpad_db_host', 'localhost'),
  mysql_user              => hiera('etherpad_db_user', 'etherpad'),
  mysql_password          => hiera('etherpad_db_password','etherpad'),
}
~~~~
The commands I run are also verbatim from the same page:
~~~~
# ./install_puppet.sh
# ./install_modules.sh
# puppet apply -l /tmp/manifest.log --modulepath=modules:/etc/puppet/modules manifests/local.pp
~~~~

My second test closely follows [2]. Here, I take the puppetmaster's original 
site.pp, adapt the domain "openstack.org" to my domain at home and remove all 
node definitions except puppetmaster and etherpad. My file is at the end of 
this message[4].

The commands:
~~~~
# ./install_puppet.sh
# ./install_modules.sh
# vi site.pp                                          # see [4]
# puppet apply --modulepath='/opt/system-config/production/modules:/etc/puppet/modules' -e 'include openstack_project::puppetmaster'
~~~~

> Generally though hiera is used for anything that will be secret or very site 
> specific. So in this case the expectation is that you will set up a hiera 
> file with the info specific for your deployment (because you shouldn't have 
> the ssl cert private data for our deployment and we shouldn't have yours).
> This is likely a missing set of info for our docs. We should add something 
> with general hiera setup to get people going.

Yes. The documentation seems to treat the hiera as a given; it just exists, 
and there doesn't seem to be any information about its content or even whether 
it's really required.
Once I know the issues and technology better (steep learning curve), I'd be 
happy to write documentation from the perspective of a newbie.
For now, let me do more testing with hardcoded values rather than hiera. I 
certainly learn a lot doing this.

> Unfortunately I don't remember off the top of my head how to set up a hiera 
> so I will have to dig into docs (or maybe someone else can chime in with 
> that info).

In principle, I can do that (for Puppet 4 at least), but the question is what 
goes into the OpenStack CI production hiera. I see a directory 
/opt/system-config/production/hiera [3] - is that it? It doesn't contain 
anything about Etherpad, though. I also did a codesearch for 
"etherpad_ssl_cert_file_contents", no result (except for the site.pp).

Thanks much, Clark!

Bernd
---
[1] https://docs.openstack.org/infra/system-config/sysadmin.html#making-a-change-in-puppet
[2] https://docs.openstack.org/infra/system-config/puppet.html
[3] https://git.openstack.org/cgit/openstack-infra/system-config/tree/hiera
[4] My site.pp:
~~~~
#
# Top-level variables
#
# There must not be any whitespace between this comment and the variables or
# in between any two variables in order for them to be correctly parsed and
# passed around in test.sh
#
$elasticsearch_nodes = hiera_array('elasticsearch_nodes')

#
# Default: should at least behave like an openstack server
#
node default {
  class { 'openstack_project::server':
    sysadmins => hiera('sysadmins', []),
  }
}

# Node-OS: trusty
# (I try this with Centos 7 first)
node 'puppetmaster.home' {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [8140],
    sysadmins                 => hiera('sysadmins', []),
    pin_puppet                => '3.6.',
  }
  class { 'openstack_project::puppetmaster':
    root_rsa_key                               => hiera('puppetmaster_root_rsa_key'),
    puppetmaster_clouds                        => hiera('puppetmaster_clouds'),
    enable_mqtt                                => true,
    mqtt_password                              => hiera('mqtt_service_user_password'),
    mqtt_ca_cert_contents                      => hiera('mosquitto_tls_ca_file'),
  }
  file { '/etc/openstack/infracloud_vanilla_cacert.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
    require => Class['::openstack_project::puppetmaster'],
  }
  file { '/etc/openstack/infracloud_chocolate_cacert.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
    require => Class['::openstack_project::puppetmaster'],
  }
  file { '/etc/openstack/limestone_cacert.pem':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => hiera('limestone_ssl_cert_file_contents'),
    require => Class['::openstack_project::puppetmaster'],
  }
}

# Node-OS: trusty
# Node-OS: xenial
node /^etherpad\d*\.home$/ {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [22, 80, 443],
    sysadmins                 => hiera('sysadmins', []),
  }

  class { 'openstack_project::etherpad':
    ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
    ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
    ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
    mysql_host              => hiera('etherpad_db_host', 'localhost'),
    mysql_user              => hiera('etherpad_db_user', 'username'),
    mysql_password          => hiera('etherpad_db_password'),
  }
}

# Node-OS: trusty
# Node-OS: xenial
node /^etherpad-dev\d*\.home$/ {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [22, 80, 443],
    sysadmins                 => hiera('sysadmins', []),
  }

  class { 'openstack_project::etherpad_dev':
    mysql_host          => hiera('etherpad-dev_db_host', 'localhost'),
    mysql_user          => hiera('etherpad-dev_db_user', 'username'),
    mysql_password      => hiera('etherpad-dev_db_password'),
  }
}
~~~~
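
Added example, not part of the original message and not OpenStack Infra code: one way to work out what a site-specific hiera data file has to contain is to list every `hiera()` key in a manifest, separating keys with no default (lookup fails until they are defined) from keys that silently fall back to a hardcoded value, such as the `'etherpad'` database password in local.pp. The function names, the secret-name heuristic and the `REPLACE_ME` placeholder are assumptions of this sketch.

```python
import re

# hiera('key'), hiera('key', default), hiera_array('key'), hiera_hash('key').
# Simplification: a default value containing ")" is not handled.
HIERA_CALL = re.compile(
    r"\bhiera(?:_array|_hash)?\(\s*'([^']+)'\s*(?:,\s*([^)]*?)\s*)?\)")
SECRET_HINT = re.compile(r"password|secret|_key", re.I)  # assumed heuristic

# Constructed sample: the local.pp class from the message plus two site.pp lines.
MANIFEST = """
$elasticsearch_nodes = hiera_array('elasticsearch_nodes')
class { 'openstack_project::server':
  sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::etherpad':
  ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
  ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
  ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
  mysql_host              => hiera('etherpad_db_host', 'localhost'),
  mysql_user              => hiera('etherpad_db_user', 'etherpad'),
  mysql_password          => hiera('etherpad_db_password','etherpad'),
}
"""

def audit_hiera_keys(manifest):
    """Split hiera keys into required (no default) and defaulted."""
    required, defaulted = set(), {}
    for key, default in HIERA_CALL.findall(manifest):
        if default:
            defaulted[key] = default   # raw Puppet literal, e.g. "'localhost'"
        else:
            required.add(key)          # catalog compilation fails without it
    # Secret-looking keys that fall back to a value committed in the manifest.
    weak = sorted(k for k in defaulted if SECRET_HINT.search(k))
    return {"required": sorted(required), "defaulted": defaulted,
            "secret_with_default": weak}

def yaml_skeleton(report):
    """Render a data-file skeleton; every value is a placeholder to replace."""
    keys = report["required"] + report["secret_with_default"]
    return "---\n" + "".join(f"{k}: REPLACE_ME\n" for k in keys)

if __name__ == "__main__":
    print(yaml_skeleton(audit_hiera_keys(MANIFEST)))
```
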