Manual Rollout with Puppet
Heitor Neiva edited this page Mar 1, 2023 · 27 revisions
For imaging, see this page.
- As of 2020.04.15, this automatically puppetizes the machine. However, it's busted due to an issue around widevine?
- As of 2020.04.20, widevine is fixed with this commit on the notarization-poller branch.
- As of 2020.06.18, v3 `ronin_puppet` now works, with python 3.8. Details here.
- As of 2020.07.15, it looks like production puppet now works for poller and scriptworker, with python 3.8, for everything but the 4 secrets in `certs/` and starting up the launchctl services. Dep signing puppetization is currently broken. Set these up by hand.
- As of 2021.01.15, puppetization works for prod, tb-prod, and dep.
- As of 2021.03.18, puppetization will automatically run against the `ronin_puppet` `production-mac-signing` branch, every 15 minutes, and restart the scriptworker and poller daemons on change. We still need to populate the signing secrets and enable the scriptworker+poller daemons on reimage.
This will create the following files:

- `/var/root/bootstrap_mojave.sh`, which contains the logic for puppetizing
- `/var/root/vault.yaml`, with the secrets
```sh
sudo -u root -i
/usr/local/bin/periodic-puppet.sh
# This will create a /tmp/.periodic-puppet lock directory, or exit if it exists,
# to avoid a concurrent puppet run.
# It will log to /tmp/.periodic-puppet.log
# It will pull from ronin_puppet's production-mac-signing branch, then puppetize.
# We need to reimage to get new secrets into vault.yaml.

# Old (manual) instructions
#cd ~/ronin_puppet
#git pull
## Puppet will break if you remain cd'ed in root's home dir
#cd /
#puppet apply --modulepath=/var/root/ronin_puppet/modules/:/var/root/ronin_puppet/r10k_modules/ --hiera_config=/var/root/ronin_puppet/hiera.yaml --logdest=console --noop /var/root/ronin_puppet/manifests
## Then repeat without --noop
```
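The lock-directory convention that the comments above describe, written out as an added example (this is not the contents of `periodic-puppet.sh`, which this page does not reproduce). `mkdir` is atomic, so using a directory as the lock avoids the check-then-create race of a plain lock file, and an `EXIT` trap releases it however the wrapped command ends. A lock can still be left behind if the process is killed before the trap fires, so a stale-lock check is included for an operator to act on. The function names and the lock path argument are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example of a mkdir-based run lock, in the style the page describes
# for periodic-puppet.sh. Function names are placeholders, not the real script.

# with_lock LOCKDIR CMD [ARGS...]
# Runs CMD while holding LOCKDIR. mkdir(2) is atomic, so of two concurrent
# callers only one can succeed; the other exits without running CMD.
# Returns 75 (EX_TEMPFAIL) if the lock is held, otherwise CMD's exit status.
with_lock() {
    _lockdir=$1
    shift
    if ! mkdir "$_lockdir" 2>/dev/null; then
        echo "with_lock: $_lockdir exists; another run is in progress" >&2
        return 75
    fi
    # Run in a subshell so the EXIT trap removes the lock whether CMD
    # succeeds or fails, without clobbering any trap the caller installed.
    (
        trap 'rmdir "$_lockdir"' EXIT
        "$@"
    )
}

# lock_is_stale LOCKDIR MAX_AGE_MINUTES
# True if LOCKDIR exists and is older than MAX_AGE_MINUTES. A lock that old
# usually means a previous run died before its trap fired (SIGKILL, reboot).
# Report it; do not remove it blindly, since a long puppet run may be live.
lock_is_stale() {
    _lockdir=$1
    _max_age_min=$2
    [ -d "$_lockdir" ] && [ -n "$(find "$_lockdir" -maxdepth 0 -mmin +"$_max_age_min" 2>/dev/null)" ]
}

# Example usage (paths as on the page):
#   if lock_is_stale /tmp/.periodic-puppet 120; then
#       echo "stale lock /tmp/.periodic-puppet; check for a dead puppet run" >&2
#   fi
#   with_lock /tmp/.periodic-puppet puppet apply ... >>/tmp/.periodic-puppet.log 2>&1
```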
Ronin Puppet doesn't have all of our secrets, so after a machine is deployed we need to perform a few steps by hand. The easiest way to get the secrets is to copy them from an existing signing machine of the same type. Failing that, you will likely need to dig into offline backups.
For dep signing machines, the secrets are:

- `widevine_dep.crt`
- `dep-signing.keychain`

Copy them into each dep worker's `certs/` directory, fix ownership, and enable the scriptworker:

```sh
# Each entry is service-user:worker-dir under /builds
for info in "depbld1:dep1" "depbld2:dep2" "tbbld:tb-dep"; do
    username=$(echo "$info" | cut -f1 -d:)
    dir=$(echo "$info" | cut -f2 -d:)
    cp widevine_dep.crt "/builds/${dir}/certs/"
    cp dep-signing.keychain "/builds/${dir}/certs/"
    # The secrets must be owned by the service user, not by whoever copied them
    chown "${username}" "/builds/${dir}/certs/"*
    sh -x "/builds/${dir}/enable_scriptworker.sh"
done
```
For production signing machines, the secrets are:

- `widevine_prod.crt`
- `nightly-signing.keychain`
- `release-signing.keychain`
- `ed25519_privkey`

Then:

- Copy all the above files to `/builds/scriptworker/certs/`.
- The simplest way to do this is to tar up this directory from an existing scriptworker of the same type.
- `ed25519_privkey` must have no EOL. If you create it by editing it, make sure to strip the trailing newline with `perl -pi -e 'chomp if eof' ed25519_privkey`.

```sh
# Secrets must be owned by the service user and readable only by it
chown cltbld /builds/scriptworker/certs/*
chmod 400 /builds/scriptworker/certs/*
sh -x /builds/scriptworker/enable_scriptworker.sh
```
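A post-deployment check for the manual steps above, added here as an example and not part of the page's own procedure. It verifies that each expected secret is present in the `certs/` directory, owned by the service user, mode 0400, and that `ed25519_privkey` does not end in a newline (the condition the page calls out). It uses `find -user`/`-perm` rather than `stat`, because `stat`'s flags differ between macOS and Linux. The function names are placeholders; the file lists, users and paths are the ones on this page.

```sh
#!/bin/sh
# Added example (not from the rollout page): verify a certs directory after
# the manual secret-copy steps. Function names are placeholders.

# has_no_eol FILE: true if FILE is non-empty and its last byte is not "\n".
# $(...) strips trailing newlines, so the substitution is empty exactly
# when the final byte is a newline.
has_no_eol() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# check_certs DIR OWNER FILE...
# Prints one line per problem found; returns 0 if everything passes, else 1.
check_certs() {
    _dir=$1; _owner=$2; shift 2
    _bad=0
    for _f in "$@"; do
        _p="$_dir/$_f"
        if [ ! -f "$_p" ]; then
            echo "MISSING  $_p"; _bad=1; continue
        fi
        # find -user / -perm behave the same on macOS and Linux; -perm 0400
        # without a leading - or + means "exactly this mode".
        if [ -z "$(find "$_p" -user "$_owner")" ]; then
            echo "OWNER    $_p is not owned by $_owner"; _bad=1
        fi
        if [ -z "$(find "$_p" -perm 0400)" ]; then
            echo "MODE     $_p is not 0400"; _bad=1
        fi
    done
    # The page requires ed25519_privkey to have no trailing newline.
    if [ -f "$_dir/ed25519_privkey" ] && ! has_no_eol "$_dir/ed25519_privkey"; then
        echo "EOL      $_dir/ed25519_privkey ends with a newline; fix with: perl -pi -e 'chomp if eof' $_dir/ed25519_privkey"
        _bad=1
    fi
    return $_bad
}

# Usage on a prod scriptworker (owner and paths as in the steps above):
#   check_certs /builds/scriptworker/certs cltbld \
#       widevine_prod.crt nightly-signing.keychain release-signing.keychain ed25519_privkey
# Usage on a dep worker:
#   check_certs /builds/dep1/certs depbld1 widevine_dep.crt dep-signing.keychain
```

Run it as root (or as the service user) after `chown`/`chmod` and before `enable_scriptworker.sh`; a non-zero exit means the daemon would start against a missing, mis-owned, world-readable or newline-terminated secret.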