GNOME Infrastructure Apprentice Group - Changes on our Puppet Infrastructure



Hello sysadmins,

we'll be introducing a GNOME Infrastructure Apprentice Group very soon
to welcome new participants within the team with very limited
privileges to begin with. The Apprentices will be able to:

1. Access our Puppet repository in read-only mode by connecting
through bastion.gnome.org

2. Propose and discuss changes and patches to the Puppet repository

3. Patches are subject to the approval of at least two existing
members, who will then verify, test and eventually apply the
modifications on the production machines

More details on the program are available at [1]. Please review them
and provide some feedback.

Introducing the above-mentioned program raised a few problems
concerning the large number of certificates, passwords and secret keys
we kept in our Puppet repository in the past. Several actions have
been taken on this side:

1. The Puppet repository has been cleansed of sensitive information:
 1a: certificates (now stored on puppet-back [2])
 1b: passwords, secret keys (now stored in a Hiera GPG-encrypted
database on puppet-back)

2. Passwords and secret keys are now stored under
/etc/puppet/hieradata/secrets.eyaml which is a GPG-encrypted yaml
file. More details about the private keys used and how to add more
recipients to the keyring are available at [3].

3. /home/admin/secret has been moved to puppet-back under /srv/secret
(accessible by root only). What remains on combobox are the files
shared with the services (gnomeftp, ego, perf-web) still needing them
to work properly. Please consider adding new files to the new path
from now on.

4. The Puppet repository will be re-created as a "shallow" clone
(through git's clone --depth), and all history will be moved to a
parallel repository which full-access sysadmins will be able to access.

Please let me know if you have any questions on the previous items.

[1] https://wiki.gnome.org/Sysadmin/Apprentices
[2] https://wiki.gnome.org/Sysadmin/SSL
[3] https://wiki.gnome.org/Sysadmin/Puppet

-- 
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Infrastructure Team Coordinator,
GNOME Foundation Board of Directors Secretary,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av
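As an added example (not part of the mail above and not GNOME's own tooling), a small check a sysadmin could run over a checkout before handing it to read-only apprentices: it flags PEM material and secret-looking YAML keys whose value is not hiera-eyaml ciphertext, and reports whether git recorded the clone as shallow. The ENC[GPG,...] / ENC[PKCS7,...] marker is hiera-eyaml's convention; the key-name patterns and the sample values are assumptions.

```python
"""Pre-publication check for a Puppet checkout: flag PEM blocks and secret
keys left in clear. Added example, not GNOME's own tooling."""
import os
import re
# PEM blocks belong on puppet-back, never in the Puppet repository.
PEM_RE = re.compile(r"-----BEGIN (?:[A-Z ]*PRIVATE KEY|CERTIFICATE)-----")
# YAML keys expected to carry a secret (the name patterns are an assumption).
SECRET_KEY_RE = re.compile(
    r"^\s*([\w.:-]*(?:password|secret|token|private_key)[\w.:-]*)\s*:\s*(\S.*?)\s*$",
    re.IGNORECASE)
# Single-line hiera-eyaml ciphertext: ENC[GPG,...] or ENC[PKCS7,...].
ENC_RE = re.compile(r"^ENC\[(?:GPG|PKCS7),[A-Za-z0-9+/=]+\]$")

def scan_text(path, text):
    """Return (path, line_no, reason) findings for the contents of one file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if PEM_RE.search(line):
            findings.append((path, n, "PEM key/certificate material"))
            continue
        m = SECRET_KEY_RE.match(line)
        if m and not ENC_RE.match(m.group(2).strip("'\"")):
            findings.append((path, n, "plaintext value for " + m.group(1)))
    return findings

def scan_tree(root):
    """Walk a checkout (skipping .git) and collect findings from every file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return findings

def is_shallow_checkout(root):
    """True when git recorded the clone as shallow (git keeps .git/shallow)."""
    return os.path.isfile(os.path.join(root, ".git", "shallow"))

# Constructed sample mimicking a secrets.eyaml with one value left in clear.
SAMPLE_EYAML = """---
mysql::root_password: ENC[GPG,hQEMA3NvbWVjaXBoZXJ0ZXh0Cg==]
smtp_password: 'hunter2'
"""

if __name__ == "__main__":
    for finding in scan_text("hieradata/secrets.eyaml", SAMPLE_EYAML):
        print("%s:%d: %s" % finding)
```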

