Dzahn has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/327594 )
Change subject: contint: provision the secondary CI master ...................................................................... contint: provision the secondary CI master We have a new server contint2001 in codfw that is to act as an hotspare for the CI master contint1001. Later on it will eventually let us have an active/active Jenkins setup. Via hiera, apply the same settings as contint1001: * grant access to CI people * disable modern SSH algos since Jenkins does not support them * Jenkins service is unmanaged Apply basic classes to grant us access and set up Jenkins, the CI webhost and backup. Zuul will be set up independently. Enable ipv6 and update firewall rules. Bug: T150771 Change-Id: Ic35d8adb99c07017ed52d07f844249d05b53ac7d --- M hieradata/hosts/contint1001.yaml A hieradata/hosts/contint2001.yaml M hieradata/role/common/ci/master.yaml A hieradata/role/common/ci/slave.yaml M manifests/site.pp M modules/contint/manifests/firewall/labs.pp M modules/role/manifests/zuul/merger.pp 7 files changed, 36 insertions(+), 12 deletions(-) Approvals: jenkins-bot: Verified Dzahn: Looks good to me, approved
diff --git a/hieradata/hosts/contint1001.yaml b/hieradata/hosts/contint1001.yaml
index ddfd725..4a490d3 100644
--- a/hieradata/hosts/contint1001.yaml
+++ b/hieradata/hosts/contint1001.yaml
@@ -1,11 +1,2 @@
-admin::groups:
- - contint-users
- - contint-admins
- - contint-roots
-ssh::server::disable_nist_kex: false
-ssh::server::explicit_macs: false
-cluster: misc
-contactgroups: 'admins,contint'
-
 jenkins::service_ensure: unmanaged
 jenkins::service_enable: false
diff --git a/hieradata/hosts/contint2001.yaml b/hieradata/hosts/contint2001.yaml
new file mode 100644
index 0000000..4a490d3
--- /dev/null
+++ b/hieradata/hosts/contint2001.yaml
@@ -0,0 +1,2 @@
+jenkins::service_ensure: unmanaged
+jenkins::service_enable: false
diff --git a/hieradata/role/common/ci/master.yaml b/hieradata/role/common/ci/master.yaml
index d01b266..c3813354 100644
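Review bot: The new `hieradata/hosts/contint2001.yaml` holds the same two keys as `hosts/contint1001.yaml` after this change (both files end at blob 4a490d3), while the other shared settings are moved to the role level in the same commit. If both CI masters are meant to keep Jenkins out of puppet's service management, the two keys could live once in `hieradata/role/common/ci/master.yaml`. If the per-host placement is deliberate, a comment above them such as `# Jenkins service is deliberately left unmanaged by puppet on this host` would record that for the next reader.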
--- a/hieradata/role/common/ci/master.yaml
+++ b/hieradata/role/common/ci/master.yaml
@@ -1,3 +1,10 @@
+admin::groups:
+ - contint-users
+ - contint-admins
+ - contint-roots
+cluster: misc
+contactgroups: 'admins,contint'
+
 debdeploy::grains:
 debdeploy-ci:
 value: standard
diff --git a/hieradata/role/common/ci/slave.yaml b/hieradata/role/common/ci/slave.yaml
new file mode 100644
index 0000000..0d97fa9
--- /dev/null
+++ b/hieradata/role/common/ci/slave.yaml
@@ -0,0 +1,4 @@
+# Jenkins does not support KEX/MAC
+# T103351
+ssh::server::disable_nist_kex: false
+ssh::server::explicit_macs: false
diff --git a/manifests/site.pp b/manifests/site.pp
index 486a078..8b25914 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -286,7 +286,7 @@
 include base::firewall
 }
 
-# New CI master
+# CI master
 node 'contint1001.wikimedia.org' {
 role(ci::master,
 ci::slave,
@@ -299,6 +299,21 @@
 include contint::firewall
 }
 
+# CI warm
+node 'contint2001.wikimedia.org' {
+ # Not ready yet for zuul::server
+ # T1150771
+ role(ci::master,
+ ci::slave,
+ ci::website,
+ backup::host)
+
+ include standard
+ interface::add_ip6_mapped { 'main': interface => 'eth0', }
+ include contint::firewall
+
+}
+
 # Debian package/docker images building host in production
 node 'copper.eqiad.wmnet' {
 role(builder)
diff --git a/modules/contint/manifests/firewall/labs.pp b/modules/contint/manifests/firewall/labs.pp
index bfb6652..93fa0c1 100644
--- a/modules/contint/manifests/firewall/labs.pp
+++ b/modules/contint/manifests/firewall/labs.pp
@@ -11,4 +11,9 @@
 port => '22',
 srange => '@resolve(contint1001.wikimedia.org)'
 }
+ ferm::service { 'contint2001_ssh_to_slaves':
+ proto => 'tcp',
+ port => '22',
+ srange => '@resolve(contint2001.wikimedia.org)'
+ }
 }
diff --git a/modules/role/manifests/zuul/merger.pp b/modules/role/manifests/zuul/merger.pp
index 0cd7751..46764b9 100644
--- a/modules/role/manifests/zuul/merger.pp
+++ b/modules/role/manifests/zuul/merger.pp
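Review bot: The two `ssh::server::*: false` keys in the new `hieradata/role/common/ci/slave.yaml` now apply to every host that carries role `ci::slave`, where they were previously set only in `hosts/contint1001.yaml`, so the sshd exception to the default KEX/MAC hardening may reach more machines than before. Which other hosts include this role is not visible in the diff, so the real widening should be confirmed before relying on it. The comment `# Jenkins does not support KEX/MAC` does not say which side is limited or when the override can be dropped; something like `# Jenkins' SSH client cannot negotiate the hardened KEX/MAC set; remove once T103351 is resolved` would make the exception auditable.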
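Review bot: The task reference in the new `contint2001` node block of manifests/site.pp reads `# T1150771`, while the commit's `Bug:` trailer is `T150771`; this looks like a typo and the comment should be `# T150771`. The block header `# CI warm` is also terse compared with the commit description, and `# CI master hot spare (codfw); zuul::server not applied yet` would tell a reader why this node exists. The rest of contint1001's role list lies outside the hunk, so how the two role lists differ cannot be checked here.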
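Review bot: `contint2001_ssh_to_slaves` in modules/contint/manifests/firewall/labs.pp repeats the existing rule with only the host name changed, and `@resolve(...)` without a record type looks up A records only in ferm, so the rule admits contint2001's IPv4 address even though this commit also maps an IPv6 address on that host in site.pp. If the slaves are reached over IPv4 only, this is fine and fails closed. Otherwise an AAAA lookup is needed, e.g. `srange => '(@resolve(contint2001.wikimedia.org) @resolve(contint2001.wikimedia.org, AAAA))'`, assuming the deployed ferm accepts a record type. The same applies to the `git-daemon_internal` srange changed in modules/role/manifests/zuul/merger.pp. The enclosing class starts outside the hunk.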
@@ -24,13 +24,13 @@
 zuul_git_dir => $conf_merger['git_dir'],
 }
 
- # We run a git-daemon process to exposes the zuul-merger git repositories.
+ # We run a git-daemon process to expose the zuul-merger git repositories.
 # The slaves fetch changes from it over the git:// protocol.
 # It is only meant to be used from slaves, so only accept internal
 # connections.
 ferm::service { 'git-daemon_internal':
 proto => 'tcp',
 port => '9418',
- srange => '(($LABS_NETWORKS @resolve(contint1001.wikimedia.org) ))',
+ srange => '(($LABS_NETWORKS @resolve(contint1001.wikimedia.org) @resolve(contint2001.wikimedia.org)))',
 }
 }
-- To view, visit https://gerrit.wikimedia.org/r/327594 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ic35d8adb99c07017ed52d07f844249d05b53ac7d Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Hashar <has...@free.fr> Gerrit-Reviewer: Chad <ch...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Hashar <has...@free.fr> Gerrit-Reviewer: Paladox <thomasmulhall...@yahoo.com> Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits