Change I3d0962b975ffaf disabled puppet on review-dev.o.o to allow
testing it-storyboard plugin. Testing is complete so now renable
puppet again.
Change-Id: Ieb6279d96331d4c793aaf62e8d5ef11abb420e98
We're test-driving a newer recaptcha configuration which may or may
not be viable, so easier to temporarily disable configuration
management until we know what config change to prose next.
Change-Id: I5571fe8dedab266521364911ce193c435adfb165
The configuration adjustments for recaptcha support have been tested
and are now ready, so we can reenable this.
This reverts commit 7dc243b594ceb14b0a28cfbf7e9c76268d03758f.
Change-Id: Id1692788390dfb08310ddd2d9bf97b8dabe7ffb4
Create the signing01.ci.openstack.org job node and puppet the
signing subkey onto it via pubring.gpg and secring.gpg files stored
in private hiera. Also set up some basic configuration and packages
on the management bastion to aid in key management/rotation, and add
the beginnings of administrative documentation for this.
Change-Id: Iecddb778994a38f7898e0c20e7f3f8e93f0a7f60
Depends-On: I70c3b82185681ee64791cda653360c26a93bd466
Story: #2000336
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
This is a redo of change 9c717d9c108b32. That change was incorrect,
the server needs to be placed on the disable list.
Change-Id: I3d0962b975ffaf4560bace88abddb2f661763d55
A set of manual investigation and remediation is under way. While that
is going on, we don't want puppet to step on things.
Change-Id: I7ebc54b222f72ca90475420499ca568b4dcb40d8
Now that we have access again to baremetal00.vanilla.ic.openstack.org
we can enroll it again into puppet.
Change-Id: Id15c8694fe5e23896dd5778997d12dd13169183e
Depends-On: I9dfdd617fba45c0947bd3d4e853d85b83923018b
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
To handle the jenkins slaves attached to jenkins.o.o.
Change-Id: I070cbb546af848b3417dfce194f4b81e8340e419
Depends-On: I4d51a9367d1c0547daec242d5b03a19aa7b9969b
We can readd them when they return
Running ansible in ad-hoc mode against 'all' hosts causes many errors
because these hosts don't exist any more.
Change-Id: If095df0811ca6d2fc04542044958055b9b835170
Due to various puppet changes which were required to support running
OpenStackId on Trusty, I7f1434a6218d3300d1315a2e3c0a446f05124353
disabled Puppet updates on the production openstackid.org server
temporarily. Given that the current plan is to replace
openstackid.org with a new server running Trusty now, switch the
disablement from its name to its UUID so we can successfully puppet
the replacement server.
Change-Id: I37fe3763c1e27ff7dfea2e2012f5df071224d30a
A refactor for the puppet-openstackid module in
I66c6ad413a6b0c31a19cc663058a53edc3bec5cc (switch to Puppetlabs
apache module, apache2-mpm-event, php5-fpm proxy handler) for
improved performance needs to be vetted on
openstackid-dev.openstack.org without adversely impacting production
openstackid.org.
This temporary disablement will be reverted once the updates are
confirmed to have the intended effect on the dev server and not
subtly break it in ways manual testing and CI jobs have not exposed.
Change-Id: I7f1434a6218d3300d1315a2e3c0a446f05124353
Stop running Puppet on openstackid.org so that we can manually apply
a hostname fix in concert with the puppet-openstackid change
I41ddb3cd12fa564d19cedc18ca5585d2ca7481da .
Change-Id: If67783a2cbaf77e89a3d2aae80a9206b547dbac6
As they come from an static inventory, we need to
add all the servers into the list. At the moment, adding
them as disabled, because they will need that all pending
changes are merged until puppet can safely run on it.
Change-Id: I665b12912d38562230e2bb8d53a35dbc37dd9c06
Some infracloud machines do not respond to ssh. Comment them out here
so they don't fill up our logs with errors that aren't actionable.
Change-Id: If56e773e3fe8beb0aad42e079eb8cb8492cde652
Add separate playbook for infacloud nodes to ensure they run in the
correct order - baremetal -> controller -> compute.
Baremetal is intentionally left out, it is not ready yet.
All 'disabled' flags on infracloud hosts are turned off. This patch
landing turns on management of the infracloud.
Co-Authored-By: Yolanda Robla <info@ysoft.biz>
Co-Authored-By: Spencer Krum <nibz@spencerkrum.com>
Change-Id: Ieeda072d45f7454d6412295c2c6a0cf7ce61d952
We only need one infracloud right now. Technically the controller
doesn't need to be in 'infracloud' because its secrets are duplicated.
This aligns the groups at any rate.
Change-Id: Ibc056505a4ef397c2adeae6a3b4afb21db9b4a02
Since these are baremetal hosts, they need to come from a static
inventory not the openstack inventory. Fortunately, thats pretty easy.
Also setting infracloud groups to be children of disabled to keep them
disabled until we are ready.
Change-Id: I87ed4008ed9c4867f79bbb5fbb6be53707b42625
We need temporarily stop services and disable puppet run to
restore the production database on askbot staging server.
Change-Id: Iec7852ebdb8d3cce9f6339e538bb906d0a8006b3
The wheel-mirror workers share a common set of hiera keys, and so
keeping them in a group together reduces significant duplication in
our hiera files.
Change-Id: I67b717943eb19404c87b2a3b571f681a0a15b7b4
We already have a dynamic system for managing static group management.
Use it for the disabled group so that the rules for managing the members
are not different.
Also, update the disabled list to match reality.
Also, Update docs because hosts are no longer groups
The upstream OpenStack Inventory in Ansible was fixed to no longer
return each cloud host as its own group unless there are duplicates for
the host in question. This means it's no longer the right thing to do
to put hosts into disabled:children - disabled is just fine.
Change-Id: I95c83ed64801db15ad99a14547895f3520356f99
We have ansible inventory reporting hosts as proper hosts not as groups
now, so we no longer need to list them as children. In fact, this does
not work.
Change-Id: Idd72824023ecaef41bb98fb3a3092122d4397895
Ansible --list-hosts output looks like this:
root@puppetmaster:~# ansible logstash-worker --list-hosts
hosts (20):
loggstash-worker01.openstack.org
Which means we need to strip out the hosts (20): line.
Change-Id: Id2ab90baadcf13836f9d605bab1cf13ebf3c1a70
We have a set of hostname patterns which is not a thing that ansible
supports in inventory files. While we can put hostname patterns into
playbooks directly, that does not help us with copying hiera group files
since ansible doesn't know about the groups in site.pp and puppet
doesn't know about the ansible groups.
Instead, do a quick expansion any time the groups.txt file changes and
at the end of launch-node. It will be left to admins to run
expand-groups.sh whenever they delete a node.
Change-Id: I00c60748ddb2d35a3b98f78d828dabebcf065118
With the puppetmaster not there anymore, we should consume inventory
from OpenStack rather than from puppet.
It turns out that because of the way static and dynamic inventories get
merged, the static file needs to stand alone. SO - if you need to
disable a dynamic host from OpenStack (pretty much all of our hosts) you
need to not only add it to dynamic:children, you need to add an emtpy
group into the static file too, otherwise you'll get an error like:
root@puppetmaster:~# ansible -i newinv '!disabled' --list-hosts
ERROR: newinv/static:4: child group is not defined: (jenkins-dev.openstack.org)
Change-Id: Ic6809ed0b7014d7aebd414bf3a342e3a37eb10b6
We're not ready to move from puppet inventory to openstack inventory
just yet, so don't actually swap the dynamic inventory plugin. But, add
it to the system so that running manual tests of all of the pieces is
possible.
Add the currently administratively disabled hosts to the disabled group
so that we can verify this works.
Change-Id: I73931332b2917b71a008f9213365f7594f69c41e
We need to exist for a period of time with both agent and apply being
operational so that we can test things appropriately.
This moves agent specific settings to the [agent] section and adds a
[user] section which is used to control puppet apply.
As part of this, we need to add a production environment to all of our
nodes. Doing this in this way will also cover the current puppetmaster,
since puppetmaster is a puppet client.
Change-Id: I550c474d1c51c5795f745630fb91ee8cc1a55e36
When puppet apply runs on a host, it will need a hiera.yaml to inform
lookups with. Manage that in base.pp.
Change-Id: I61603bf2f8e1c11640c744a20377790cd217356d
