Jump to content

Help:Cumin master

From Wikitech

A standalone Cumin master can be setup inside a Cloud VPS instance to perform automation and orchestration across the instances of the project. For more general information on what Cumin is and how it's used, see Cumin.


On the soon-to-be Cumin master host

On the host that will be the Cumin master of the project, follow these steps

Create an SSH key with passhphrase

sudo ssh-keygen -t ed25519 -f /root/.ssh/cumin

N.B. save the passphrase in an encrypted form (i.e. in a password manager) and in any case not on the host itself.

Export the SSH public key

sudo cat /root/.ssh/cumin.pub

Get the IP of the Cumin master

sudo facter -p ipaddress

On Horizon UI

Go to the Puppet Project page on Horizon

If you have access to multiple projects, ensure to have selected the right project from the menu at the top.

Click on the Edit button below the Hiera Config block, insert the following values, replacing the highlighted variables ##NAME## with the data extracted above, and save:

profile::openstack::eqiad1::cumin::project_pub_key: '##SSH_PUBLIC_KEY##'

Go to the Cumin master Puppet configuration on Horizon

From the instances page, select the Cumin master host and go to the Puppet Configuration tab.

  • Click on the Edit button below the Hiera Config block, insert the following block and save:
profile::openstack::eqiad1::cumin::aliases: {}
profile::openstack::eqiad1::cumin::project_ssh_priv_key_path: /root/.ssh/cumin
  • Click on the top-right all button to show all the available Puppet classes, search the profile::openstack::eqiad1::cumin::master one and click on the Apply Class button on the right. Leave the default values and click the Apply button.

On the Cumin master host

  • Run puppet to apply the changes: sudo run-puppet-agent
  • Arm the keyholder with the SSH key passphrase: sudo keyholder arm
  • Restart the keyholder proxy: sudo systemctl restart keyholder-proxy
  • Verify the keyholder status: sudo keyholder status

For more information, see the Keyholder page.

All done

At the next Puppet run, all the instances of the project will be configured to allow SSH connections from the Cumin master host with the specified SSH key. Once Puppet has run on all the instances, to test if all work fine, run:

sudo cumin '*' 'true'