r10k puppet deployment
David Caro
dcaroest at redhat.com
Fri Sep 13 09:00:27 UTC 2013
On Wed 11 Sep 2013 04:09:17 PM CEST, Ewoud Kohl van Wijngaarden wrote:
> For https://fedorahosted.org/ovirt/ticket/71 I submitted
> http://gerrit.ovirt.org/19141 to use r10k for module deployment.
>
> I do have some concerns for further deployment. Until now I've assumed
> that we want jenkins to build on new git versions (possibly via the
> jenkins patch merged trigger) and then push that to foreman.ovirt.org.
> However, that means we give jenkins implicit root on all of our infra
> which is a bad thing.
>
> Some solutions I can think of:
>
> 1. Set up a cronjob on foreman to poll git
> 1.1. Run make as the current patch
> 1.2. Change the patch and switch to dynamic environment support[1]
> 2. Set up an infra jenkins to automate this

We can also restrict the ssh commands that the user can run, and
restrict it to the script that updates the manifests. That will avoid
having to give root access to the puppetmaster. That said, the
manifests that will be applied have implicit root access everywhere
too, but if we want automatic deployments that's what you get (only
maintainers should have merge access, meaning that anything that goes
through has been reviewed, so what we are really doing is reducing the
manual steps to one, when the reviewer merges the patch).

>
> I'm leaning to 1.2, but maybe I'm missing some other solutions.
>
> [1]: https://github.com/adrienthebo/r10k#dynamic-environment-support
--
David Caro
Red Hat Czech s.r.o.
Continuous Integration Engineer - EMEA ENG Virtualization R&D
Tel.: +420 532 294 605
Email: dcaro at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
RHT Global #: 82-62605
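
The restriction suggested in the reply above (limiting the deployment key to the script that updates the manifests) can be done with an OpenSSH forced command. This is an added example, not part of the original message or of the oVirt infra code; the script path, the "deploy <environment>" request format and the placeholder key are assumptions.

```shell
#!/bin/sh
# Forced-command gate for the CI deployment key (added example; the path
# /usr/local/sbin/deploy-gate and the request format are assumptions).
#
# authorized_keys entry on the puppetmaster (key material is a placeholder):
#   command="/usr/local/sbin/deploy-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER jenkins
#
# sshd runs this script no matter what the client asked for and passes the
# client's request in SSH_ORIGINAL_COMMAND.

# parse_request REQUEST
# Prints the environment name and returns 0 only for "deploy <environment>"
# where <environment> is 1-64 characters of [A-Za-z0-9_]; returns 1 otherwise.
parse_request() {
    req=$1
    case $req in
        "deploy "*) env_name=${req#deploy } ;;
        *) return 1 ;;
    esac
    # Reject empty names and anything outside the allowlist
    # (spaces, ';', '/', '$', backticks, newlines ...).
    case $env_name in
        ""|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#env_name}" -le 64 ] || return 1
    printf '%s\n' "$env_name"
}

# Only act when sshd invoked us with a client request.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if env_name=$(parse_request "$SSH_ORIGINAL_COMMAND"); then
        logger -t deploy-gate "deploying environment $env_name"
        exec r10k deploy environment "$env_name" -p
    fi
    # Do not echo the raw request into the log; record only the peer.
    logger -t deploy-gate "rejected request from ${SSH_CLIENT:-unknown}"
    echo "request not permitted" >&2
    exit 1
fi
```

With this in place the CI job runs `ssh deploy@puppetmaster deploy production`; any other request, including an interactive shell, is refused.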