
Manual Rollout with Puppet

Heitor Neiva edited this page Mar 1, 2023 · 27 revisions

Imaging and puppetizing

For imaging, see this page.

  • As of 2020.04.15, this automatically puppetizes the machine. However, it was broken at the time, apparently by a widevine-related issue.
  • As of 2020.04.20, widevine is fixed with this commit on the notarization-poller branch.
  • As of 2020.06.18, v3 ronin_puppet now works, with python 3.8. Details here.
  • As of 2020.07.15, it looks like production puppet now works for poller and scriptworker, with python 3.8, for everything but the 4 secrets in certs/ and starting up the launchctl services. Dep signing puppetization is currently broken. Set these up by hand.
  • As of 2021.01.15, puppetization works for prod, tb-prod, and dep.
  • As of 2021.03.18, puppetization will automatically run against the ronin_puppet production-mac-signing branch, every 15 minutes, and restart the scriptworker and poller daemons on change. We still need to populate the signing secrets and enable the scriptworker+poller daemons on reimage.

This will create the following files:

  • /var/root/bootstrap_mojave.sh which contains the logic for puppetizing
  • /var/root/vault.yaml with the secrets

Running puppet without imaging

sudo -u root -i
/usr/local/bin/periodic-puppet.sh
# This will create a /tmp/.periodic-puppet lock directory, or exit if it exists
# to avoid a concurrent puppet run.
# It will log to /tmp/.periodic-puppet.log
# It will pull from ronin_puppet's production-mac-signing branch then puppetize
# We need to reimage to get new secrets in vault.yaml

# Old instructions
#cd ~/ronin_puppet
#git pull
## Puppet will break if you remain cd'ed in root's home dir
#cd /
#puppet apply --modulepath=/var/root/ronin_puppet/modules/:/var/root/ronin_puppet/r10k_modules/ --hiera_config=/var/root/ronin_puppet/hiera.yaml --logdest=console --noop /var/root/ronin_puppet/manifests
## Then repeat without --noop

Notarization rollout

Ronin Puppet doesn't have all of our secrets, so after a machine is deployed we need to manually perform a few steps. The easiest way to get the secrets is to pull them from an existing signing machine. Failing that, you will likely need to dig into offline backups.

dep

Requires

  • widevine_dep.crt
  • dep-signing.keychain

Steps

for info in "depbld1:dep1" "depbld2:dep2" "tbbld:tb-dep"; do
  # each entry is user:dir; parameter expansion replaces the two cut calls
  username=${info%%:*}
  dir=${info#*:}
  cp widevine_dep.crt "/builds/${dir}/certs/"
  cp dep-signing.keychain "/builds/${dir}/certs/"
  chown "${username}" "/builds/${dir}/certs/"*
  sh -x "/builds/${dir}/enable_scriptworker.sh"
done

Firefox and Thunderbird Production

Requires

  • widevine_prod.crt
  • nightly-signing.keychain
  • release-signing.keychain
  • ed25519_privkey

Steps

  • Copy all the above files to /builds/scriptworker/certs/
    • The simplest way to do this is to tar up this directory from an existing scriptworker of the same type
    • ed25519_privkey must not end with a newline. If you create it in an editor, strip the trailing newline with perl -pi -e 'chomp if eof' ed25519_privkey
  • Then fix ownership and permissions and enable the worker:

chown cltbld /builds/scriptworker/certs/*
chmod 400 /builds/scriptworker/certs/*
sh -x /builds/scriptworker/enable_scriptworker.sh
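The dep and production staging steps above, as one added shell example (not a script from this wiki or from ronin_puppet). It assumes a source directory holding the secret files, a destination such as /builds/<dir>/certs/, and an owner account; it checks that every required file is present, enforces the no-trailing-newline rule on ed25519_privkey before anything is copied, and applies mode 400 to every copied file (the dep section above only chowns; 400 is applied uniformly here).

```shell
#!/bin/sh
# Added example, not ronin_puppet's own code. Stages signing secrets for one
# scriptworker instance: SRC holds the files, DEST is e.g. /builds/dep1/certs,
# OWNER is the account that runs the worker (cltbld, depbld1, ...).

# 0 if the file is non-empty and its last byte is not a newline; the page
# requires ed25519_privkey to be stored without a trailing EOL.
no_trailing_newline() {
  [ -s "$1" ] || return 1
  [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# stage_certs SRC DEST OWNER FILE...
# returns 1 if a FILE is missing from SRC, 2 if ed25519_privkey ends in a
# newline, 3 on a copy/chmod failure, 0 when every file is in place as 0400.
stage_certs() {
  src=$1; dest=$2; owner=$3; shift 3
  # validate everything first so a bad bundle leaves DEST untouched
  for f in "$@"; do
    [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; return 1; }
    if [ "$f" = ed25519_privkey ] && ! no_trailing_newline "$src/$f"; then
      echo "$f ends in a newline; fix with: perl -pi -e 'chomp if eof' $src/$f" >&2
      return 2
    fi
  done
  mkdir -p "$dest" || return 3
  for f in "$@"; do
    cp "$src/$f" "$dest/$f" || return 3
    chmod 400 "$dest/$f" || return 3
    # chown needs root and an existing account; skipped otherwise so the
    # function can be dry-run as an ordinary user on a non-signing host.
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
      chown "$owner" "$dest/$f" || return 3
    fi
  done
  return 0
}
```

Run it once per instance, e.g. `stage_certs /tmp/bundle /builds/scriptworker/certs cltbld widevine_prod.crt nightly-signing.keychain release-signing.keychain ed25519_privkey`, then run that instance's enable_scriptworker.sh as in the steps above.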