r10k puppet deployment

Ewoud Kohl van Wijngaarden ewoud+ovirt at kohlvanwijngaarden.nl
Mon Sep 23 21:59:46 UTC 2013


On Mon, Sep 16, 2013 at 11:05:34AM +0200, David Caro wrote:
> On Fri 13 Sep 2013 09:24:24 PM CEST, Ewoud Kohl van Wijngaarden wrote:
> > On Fri, Sep 13, 2013 at 11:00:27AM +0200, David Caro wrote:
> >> On Wed 11 Sep 2013 04:09:17 PM CEST, Ewoud Kohl van Wijngaarden wrote:
> >>> For https://fedorahosted.org/ovirt/ticket/71 I submitted
> >>> http://gerrit.ovirt.org/19141 to use r10k for module deployment.
> >>>
> >>> I do have some concerns for further deployment. Until now I've assumed
> >>> that we want jenkins to build on new git versions (possibly via the
> >>> jenkins patch merged trigger) and then push that to foreman.ovirt.org.
> >>> However, that means we give jenkins implicit root on all of our infra
> >>> which is a bad thing.
> >>>
> >>> Some solutions I can think of:
> >>>
> >>> 1. Set up a cronjob on foreman to poll git
> >>> 1.1. Run make as the current patch
> >>> 1.2. Change the patch and switch to dynamic environment support[1]
> >>> 2. Set up an infra jenkins to automate this
> >>
> >> We can also restrict the ssh commands that the user can run, and
> >> restrict it to the script that updates the manifests. That will avoid
> >> having to give root access to the puppetmaster, that said, the
> >> manifests that will be applied have implicit root access everywhere
> >> too, but if we want automatic deployments that's what you get (only
> >> maintainers should have merge access, meaning that anything that goes
> >> through has been reviewed, so what we are really doing is reducing the
> >> manual steps to one, when the reviewer merges the patch).
> >
> > I like this solution. It would remove the polling from foreman and give
> > us logging in jenkins. I'd prefer if foreman retrieves the sources
> > straight from gerrit so jenkins is more like a glorified cron. I think
> > that's less insecure ;)
> 
> Agree, so what we need then is:
>  * Create update scripts
>  * Set up restricted shell account to only run that script
>  * Create jenkins job

So I was looking into installing r10k. First of all, I don't like
installing through gem. So my next try was using fpm to package it, but
it needs rubygem(systemu) >= 2.5.2 and 1.2.0 is in epel. Some options:

* Create a newer rubygem(systemu) and hope nothing needs < 2.5.2.
* Install through gem and hope nothing breaks
* Set up a user with minimal privileges, install it to its homedir.

I lean toward the last option, but would love to hear a better alternative.
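The restricted-shell account discussed above (a deploy key that can only run the update script, with jenkins acting as a glorified cron) is usually done with an OpenSSH forced command. The following is an added example, not code from this thread or from the oVirt infra repository: the script path /usr/local/bin/update-puppet-modules, the "deploy" keyword, the /etc/puppet checkout and the r10k invocation are assumptions for illustration. The authorized_keys options pin every login with that key to the wrapper and drop the pty, port forwarding and agent forwarding a plain key would hand out; the wrapper treats the client's requested command as data to compare, never as something to execute.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a puppet module deploy account.
# Assumed paths and commands (placeholders, adapt to the real install):
DEPLOY_SCRIPT="/usr/local/bin/update-puppet-modules"
PUPPET_DIR="/etc/puppet"

# authorized_keys_line KEY: build the authorized_keys entry for the jenkins key.
# command= makes sshd run the wrapper regardless of what the client asks for;
# the no-* options remove the capabilities the deploy account does not need.
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$DEPLOY_SCRIPT" "$1"
}

# check_original_command CMD: allow exactly one keyword, refuse everything else.
# An empty command (interactive login attempt), extra arguments or shell
# metacharacters all fall through to the refusal branch. The value is only
# compared, never passed to a shell.
check_original_command() {
    case "$1" in
        deploy) return 0 ;;
        *)      return 1 ;;
    esac
}

# run_deploy: the single action the account can trigger. The module update is
# logged on the puppetmaster so deploys remain auditable independently of jenkins.
run_deploy() {
    logger -t puppet-deploy "module deploy requested via forced command"
    cd "$PUPPET_DIR" && r10k deploy environment -p
}

# wrapper_main: entry point when sshd runs this file as the forced command.
# sshd exposes the client's requested command in SSH_ORIGINAL_COMMAND.
wrapper_main() {
    if check_original_command "${SSH_ORIGINAL_COMMAND-}"; then
        run_deploy
    else
        logger -t puppet-deploy "refused command: ${SSH_ORIGINAL_COMMAND-<none>}"
        echo "refused: this key may only run 'deploy'" >&2
        return 1
    fi
}

# Act as the wrapper only when installed under the expected name, so the file
# can also be sourced to reuse or test the functions.
case "$0" in
    */update-puppet-modules) wrapper_main ;;
esac
```

Install the file at the path given in `command=`, make it executable and owned by root, and have the jenkins job run `ssh deploy@puppetmaster deploy`; any other command from that key is logged and refused before anything is executed.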



More information about the Infra mailing list