Dzahn has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/327594 )

Change subject: contint: provision the secondary CI master
......................................................................


contint: provision the secondary CI master

We have a new server contint2001 in codfw that is to act as a hotspare
for the CI master contint1001.  Later on it will eventually let us have
an active/active Jenkins setup.

Via hiera, apply the same settings as contint1001:
* grant access to CI people
* disable modern SSH algos since Jenkins does not support them
* Jenkins service is unmanaged

Apply basic classes to grant us access and set up Jenkins, the CI
webhost and backup.  Zuul will be set up independently.

Enable ipv6 and update firewall rules.

Bug: T150771
Change-Id: Ic35d8adb99c07017ed52d07f844249d05b53ac7d
---
M hieradata/hosts/contint1001.yaml
A hieradata/hosts/contint2001.yaml
M hieradata/role/common/ci/master.yaml
A hieradata/role/common/ci/slave.yaml
M manifests/site.pp
M modules/contint/manifests/firewall/labs.pp
M modules/role/manifests/zuul/merger.pp
7 files changed, 36 insertions(+), 12 deletions(-)

Approvals:
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/hieradata/hosts/contint1001.yaml b/hieradata/hosts/contint1001.yaml
index ddfd725..4a490d3 100644
--- a/hieradata/hosts/contint1001.yaml
+++ b/hieradata/hosts/contint1001.yaml
@@ -1,11 +1,2 @@
-admin::groups:
-  - contint-users
-  - contint-admins
-  - contint-roots
-ssh::server::disable_nist_kex: false
-ssh::server::explicit_macs: false
-cluster: misc
-contactgroups: 'admins,contint'
-
 jenkins::service_ensure: unmanaged
 jenkins::service_enable: false
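
Review bot: the two ssh::server keys removed at the top of this hunk come back in hieradata/role/common/ci/slave.yaml, not in ci/master.yaml, although the commit message lists them among the settings of contint1001 as CI master. contint1001 keeps them only because site.pp also gives it role ci::slave. Say so in the commit message or in a comment in the role file, so that dropping ci::slave from a master later is not a silent sshd configuration change.
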
diff --git a/hieradata/hosts/contint2001.yaml b/hieradata/hosts/contint2001.yaml
new file mode 100644
index 0000000..4a490d3
--- /dev/null
+++ b/hieradata/hosts/contint2001.yaml
@@ -0,0 +1,2 @@
+jenkins::service_ensure: unmanaged
+jenkins::service_enable: false
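
Review bot: this new file is identical to hosts/contint1001.yaml after the change (both are at index 4a490d3), so the two jenkins::service_* keys are now duplicated per host. If every CI master is meant to leave the Jenkins service unmanaged, put them in role/common/ci/master.yaml next to admin::groups; if it is deliberately per host, add a comment here saying why the service is unmanaged and disabled on the spare.
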
diff --git a/hieradata/role/common/ci/master.yaml 
b/hieradata/role/common/ci/master.yaml
index d01b266..c3813354 100644
--- a/hieradata/role/common/ci/master.yaml
+++ b/hieradata/role/common/ci/master.yaml
@@ -1,3 +1,10 @@
+admin::groups:
+  - contint-users
+  - contint-admins
+  - contint-roots
+cluster: misc
+contactgroups: 'admins,contint'
+
 debdeploy::grains:
   debdeploy-ci:
     value: standard
diff --git a/hieradata/role/common/ci/slave.yaml 
b/hieradata/role/common/ci/slave.yaml
new file mode 100644
index 0000000..0d97fa9
--- /dev/null
+++ b/hieradata/role/common/ci/slave.yaml
@@ -0,0 +1,4 @@
+# Jenkins does not support KEX/MAC
+# T103351
+ssh::server::disable_nist_kex: false
+ssh::server::explicit_macs: false
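
Review bot: putting these two keys in a role file applies the relaxed sshd settings to every node that carries role ci::slave, where the lines removed from hosts/contint1001.yaml scoped them to a single host; please confirm that wider scope is intended. The comment "Jenkins does not support KEX/MAC" also does not say what the two false values do. Going by the key names, they keep NIST key exchange enabled and leave the MAC list unrestricted, and the comment should state that and why, alongside the T103351 reference.
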
diff --git a/manifests/site.pp b/manifests/site.pp
index 486a078..8b25914 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -286,7 +286,7 @@
     include base::firewall
 }
 
-# New CI master
+# CI master
 node 'contint1001.wikimedia.org' {
     role(ci::master,
         ci::slave,
@@ -299,6 +299,21 @@
     include contint::firewall
 }
 
+# CI warm
+node 'contint2001.wikimedia.org' {
+    # Not ready yet for zuul::server
+    # T1150771
+    role(ci::master,
+        ci::slave,
+        ci::website,
+        backup::host)
+
+    include standard
+    interface::add_ip6_mapped { 'main': interface => 'eth0', }
+    include contint::firewall
+
+}
+
 # Debian package/docker images building host in production
 node 'copper.eqiad.wmnet' {
     role(builder)
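
Review bot: the task reference in the new node block, "# T1150771", does not match the commit's "Bug: T150771" and looks like it has an extra digit. The heading comment "# CI warm" also reads as cut short; the commit message calls this host a hotspare for the CI master, so something like "# CI master hot spare" would match. The blank line before the closing brace of the node block can go.
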
diff --git a/modules/contint/manifests/firewall/labs.pp 
b/modules/contint/manifests/firewall/labs.pp
index bfb6652..93fa0c1 100644
--- a/modules/contint/manifests/firewall/labs.pp
+++ b/modules/contint/manifests/firewall/labs.pp
@@ -11,4 +11,9 @@
         port   => '22',
         srange => '@resolve(contint1001.wikimedia.org)'
     }
+    ferm::service { 'contint2001_ssh_to_slaves':
+        proto  => 'tcp',
+        port   => '22',
+        srange => '@resolve(contint2001.wikimedia.org)'
+    }
 }
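
Review bot: the added ferm::service 'contint2001_ssh_to_slaves' differs from the existing rule only in the hostname, so a single rule whose srange lists both @resolve() entries, as modules/role/manifests/zuul/merger.pp does in this same change, would avoid one resource per master. Since site.pp gives contint2001 a mapped IPv6 address in this change, please also confirm that the srange covers connections from that address, otherwise SSH from the spare to the slaves over IPv6 is dropped.
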
diff --git a/modules/role/manifests/zuul/merger.pp 
b/modules/role/manifests/zuul/merger.pp
index 0cd7751..46764b9 100644
--- a/modules/role/manifests/zuul/merger.pp
+++ b/modules/role/manifests/zuul/merger.pp
@@ -24,13 +24,13 @@
         zuul_git_dir => $conf_merger['git_dir'],
     }
 
-    # We run a git-daemon process to exposes the zuul-merger git repositories.
+    # We run a git-daemon process to expose the zuul-merger git repositories.
     # The slaves fetch changes from it over the git:// protocol.
     # It is only meant to be used from slaves, so only accept internal
     # connections.
     ferm::service { 'git-daemon_internal':
         proto  => 'tcp',
         port   => '9418',
-        srange => '(($LABS_NETWORKS @resolve(contint1001.wikimedia.org) ))',
+        srange => '(($LABS_NETWORKS @resolve(contint1001.wikimedia.org) 
@resolve(contint2001.wikimedia.org)))',
     }
 }
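
Review bot: the comment above 'git-daemon_internal' says the daemon is only meant to be used from slaves and only accepts internal connections, but the srange now names two contint hosts under wikimedia.org in addition to $LABS_NETWORKS. Update the comment to say why the CI masters are allowed (site.pp gives them role ci::slave as well). The master hostnames are now hardcoded both here and in modules/contint/manifests/firewall/labs.pp; a shared list would keep the two firewall rules from drifting when a master is added or retired.
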

-- 
To view, visit https://gerrit.wikimedia.org/r/327594

Gerrit-MessageType: merged
Gerrit-Change-Id: Ic35d8adb99c07017ed52d07f844249d05b53ac7d
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>
Gerrit-Reviewer: Chad <ch...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Hashar <has...@free.fr>
Gerrit-Reviewer: Paladox <thomasmulhall...@yahoo.com>
Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
