Skip to content

Manual Rollout with Puppet

Jump to bottom
Aki Sasaki edited this page Apr 17, 2020 · 27 revisions

Imaging and puppetizing

For imaging, see this page.

As of 2020.04.15, this automatically puppetizes the machine.

This will create the following files:

  • /var/root/bootstrap_mojave.sh which contains the logic for puppetizing
  • /var/root/vault.yaml with the secrets
  • plus a /tmp/puppet_working.RANDOM_STRING where we've downloaded a master tarball from the ronin_puppet repo. (This doesn't contain a .git directory.)

Notarization rollout

Ronin Puppet doesn't have all of our secrets, so after a machine is deployed we need to manually perform a few steps.

Some of the secrets are in the releng passwords repo, notarization-*.

Some of the files below may already exist thanks to Puppet, but they will contain dummy values This is so that we can deploy them with puppet later, after secrets safety is assessed in more depth.

dep

Requires

  • widevine_dep.crt
  • dep-signing.keychain

Steps

for username in depbld1 depbld2 tbbld; do 
  cp widevine_dep.crt /builds/${username}/certs/
  cp dep-signing.keychain /builds/${username}/certs/
  chown ${user} /builds/${username}/certs/* 
done

launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld1.plist
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld2.plist
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.tbbld.plist

Firefox Production

Requires

  • widevine_prod.crt
  • nightly-signing.keychain
  • release-signing.keychain
  • ed25519_privkey

Steps

  • Copy all the above files to /builds/cltbld/certs/
    • ed25519_privkey must have no EOL. If you create it by editing it, make sure to perl -pi -e 'chomp if eof' ed25519_privkey
  • chown cltbld /builds/cltbld/certs/*
  • chmod 400 /builds/cltbld/certs/*
  • launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.cltbld.plist

Thunderbird production

Requires

  • widevine_prod.crt
  • nightly-signing.keychain
  • release-signing.keychain
  • ed25519_privkey

Steps

  • Copy all the above files to /builds/cltbld/certs/
    • ed25519_privkey must have no EOL. If you create it by editing it, make sure to perl -pi -e 'chomp if eof' ed25519_privkey
  • chown tbbld /builds/cltbld/certs/*
  • chmod 400 /builds/cltbld/certs/*
  • launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.cltbld.plist

Old puppetizing docs

For puppetizing from Simon's env, try

/opt/puppetlabs/bin/puppet apply --modulepath=/private/etc/puppet/environments/sfraser/code/modules:/private/etc/puppet/environments/sfraser/r10k_modules/ --hiera_config=/private/etc/puppet/environments/production/code/hiera.yaml --logdest=console --detailed-exitcodes /private/etc/puppet/environments/sfraser/code/manifests/

This might be:

ENV=production
/opt/puppetlabs/bin/puppet apply \
  --modulepath=/private/etc/puppet/environments/$ENV/code/modules:/private/etc/puppet/environments/$ENV/code/r10k_modules/ \
--hiera_config=/private/etc/puppet/environments/production/code/hiera.yaml --logdest=console \
--detailed-exitcodes /private/etc/puppet/environments/$ENV/code/manifests/
Clone this wiki locally