
Manual Rollout with Puppet

Aki Sasaki edited this page Jun 18, 2020 · 27 revisions

Imaging and puppetizing

For imaging, see this page.

  • As of 2020.04.15, imaging automatically puppetizes the machine. However, it's busted due to an issue around widevine?
  • As of 2020.04.20, widevine is fixed with this commit on the notarization-poller branch.
  • As of 2020.06.18, v3 ronin_puppet now works in mdc2, but it may need to be reverted from v4 puppet in mdc1. More here.

This will create the following files:

  • /var/root/bootstrap_mojave.sh which contains the logic for puppetizing
  • /var/root/vault.yaml with the secrets

It does not create the /etc/puppet directory.

Notarization rollout

Ronin Puppet doesn't have all of our secrets, so after a machine is deployed we need to manually perform a few steps.

Some of the secrets are in the releng passwords repo, notarization-*.

Some of the files below may already exist thanks to Puppet, but they will contain dummy values. This is so that we can deploy the real values with Puppet later, once secret safety has been assessed in more depth.

dep

Requires

  • widevine_dep.crt
  • dep-signing.keychain

Steps

# Install the dep cert and keychain for each dep worker user and hand ownership to that user.
# (The loop variable is ${username}; the chown must use it too, or chown runs with an empty owner.)
for username in depbld1 depbld2 tbbld; do
  cp widevine_dep.crt /builds/${username}/certs/
  cp dep-signing.keychain /builds/${username}/certs/
  chown ${username} /builds/${username}/certs/*
done
# Start the scriptworker launchd jobs once the secrets are in place.
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld1.plist
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld2.plist
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.tbbld.plist

Firefox Production

Requires

  • widevine_prod.crt
  • nightly-signing.keychain
  • release-signing.keychain
  • ed25519_privkey

Steps

  • Copy all the above files to /builds/cltbld/certs/
    • ed25519_privkey must have no trailing newline (EOL). If you create it by editing it, make sure to perl -pi -e 'chomp if eof' ed25519_privkey
  • chown cltbld /builds/cltbld/certs/*
  • chmod 400 /builds/cltbld/certs/*
  • add mac_notarize_part_1 and mac_notarize_part_3 in both places where supported behaviors are listed in script_config.yaml
  • update the access token in scriptworker.yaml
  • update the workerGroup in scriptworker.yaml to mdc1 or mdc2 as appropriate

Thunderbird production

Requires

  • widevine_prod.crt
  • nightly-signing.keychain
  • release-signing.keychain
  • ed25519_privkey

Steps

  • Copy all the above files to /builds/cltbld/certs/
    • ed25519_privkey must have no trailing newline (EOL). If you create it by editing it, make sure to perl -pi -e 'chomp if eof' ed25519_privkey
  • chown tbbld /builds/cltbld/certs/*
  • chmod 400 /builds/cltbld/certs/*
  • add mac_notarize_part_1 and mac_notarize_part_3 in both places where supported behaviors are listed in script_config.yaml
  • update the access token in scriptworker.yaml
  • update the workerGroup in scriptworker.yaml to mdc1 or mdc2 as appropriate
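The dep, Firefox production and Thunderbird production steps above are one procedure with different worker users and file lists: copy the secrets in, strip the EOL from ed25519_privkey, chown to the worker user, chmod 400, and then check the result before loading the worker. The script below is an added example, not part of this wiki or of ronin_puppet/scriptworker, that does the file-handling part with the checks an operator wants: it refuses to continue if a secret is missing, strips trailing newlines from ed25519_privkey, and verifies owner and mode afterwards. The function names, the constructed fake secrets in run_demo, and the use of the current user as owner (so the demo runs unprivileged) are assumptions; on a real host run it as root with the worker user (cltbld, tbbld, depbld1, ...) and its /builds/<user>/certs directory. The script_config.yaml and scriptworker.yaml edits and the launchctl load step are not automated here.

```shell
#!/bin/sh
# Added example, not part of this wiki or of ronin_puppet/scriptworker: the file-handling
# part of the dep and production rollout steps, with the checks an operator wants before
# loading the worker. Assumptions: secrets are text files (the ed25519 key is base64 text);
# the caller passes the worker user and cert dir (e.g. cltbld /builds/cltbld/certs);
# chown needs root on a real host, so run_demo uses the current user to stay unprivileged.

# Strip every trailing newline from a file. The wiki's perl 'chomp if eof' removes one;
# the key must end with no EOL at all, so removing all of them is the stricter, safe form.
strip_trailing_newlines() {
    tmp="$1.tmp.$$"
    printf '%s' "$(cat "$1")" > "$tmp" && mv "$tmp" "$1"
}

# Succeed only if the file's last byte is not a newline (works with GNU and BSD tools).
has_no_trailing_newline() {
    [ "$(( $(tail -c 1 "$1" | wc -l) ))" -eq 0 ]
}

# install_worker_secrets <owner> <certdir> <file>...
# Copy each secret into certdir, fix the key's EOL, then chown to the worker and chmod 400.
install_worker_secrets() {
    owner=$1; certdir=$2; shift 2
    mkdir -p "$certdir" || return 1
    for src in "$@"; do
        [ -f "$src" ] || { echo "missing secret: $src" >&2; return 1; }
        dst="$certdir/$(basename "$src")"
        rm -f "$dst"                     # puppet may have left a read-only dummy copy
        cp "$src" "$dst" || return 1
        case "$dst" in
            */ed25519_privkey) strip_trailing_newlines "$dst" || return 1 ;;
        esac
        chown "$owner" "$dst" || return 1
        chmod 400 "$dst" || return 1
    done
}

# verify_worker_secrets <owner> <certdir>
# Fail on the first file that is not <owner> with mode 0400, or if the key still has an EOL.
verify_worker_secrets() {
    owner=$1; certdir=$2
    for f in "$certdir"/*; do
        [ -e "$f" ] || { echo "no secrets in $certdir" >&2; return 1; }
        [ -n "$(find "$f" -perm 0400 -user "$owner" 2>/dev/null)" ] \
            || { echo "bad owner or mode (want $owner, 0400): $f" >&2; return 1; }
    done
    if [ -f "$certdir/ed25519_privkey" ]; then
        has_no_trailing_newline "$certdir/ed25519_privkey" \
            || { echo "ed25519_privkey ends with a newline" >&2; return 1; }
    fi
}

# Constructed demo input: fake secrets (not real keys) in a temp dir, installed for the
# current user. Prints the resulting cert dir on success.
run_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src"
    printf 'constructed-fake-widevine-cert\n' > "$work/src/widevine_prod.crt"
    printf 'constructed-fake-keychain\n' > "$work/src/nightly-signing.keychain"
    printf 'Y29uc3RydWN0ZWQtZmFrZS1rZXk=\n\n' > "$work/src/ed25519_privkey"  # two EOLs
    install_worker_secrets "$(id -un)" "$work/certs" "$work"/src/* || return 1
    verify_worker_secrets "$(id -un)" "$work/certs" || return 1
    echo "$work/certs"
}

# A real rollout would be, as root on the worker host:
#   install_worker_secrets cltbld /builds/cltbld/certs widevine_prod.crt \
#       nightly-signing.keychain release-signing.keychain ed25519_privkey
#   verify_worker_secrets cltbld /builds/cltbld/certs
```

Run verify_worker_secrets before launchctl load: a key with a trailing newline or a keychain readable by other users is exactly the kind of mistake that is invisible until the worker fails a signing task.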

Old puppetizing docs

For puppetizing from Simon's env, try

/opt/puppetlabs/bin/puppet apply --modulepath=/private/etc/puppet/environments/sfraser/code/modules:/private/etc/puppet/environments/sfraser/r10k_modules/ --hiera_config=/private/etc/puppet/environments/production/code/hiera.yaml --logdest=console --detailed-exitcodes /private/etc/puppet/environments/sfraser/code/manifests/

This might be:

ENV=production
/opt/puppetlabs/bin/puppet apply \
  --modulepath=/private/etc/puppet/environments/$ENV/code/modules:/private/etc/puppet/environments/$ENV/code/r10k_modules/ \
  --hiera_config=/private/etc/puppet/environments/production/code/hiera.yaml \
  --logdest=console \
  --detailed-exitcodes \
  /private/etc/puppet/environments/$ENV/code/manifests/

With --detailed-exitcodes, puppet apply exits 0 when nothing changed, 2 when changes were applied, 4 when there were failures, and 6 for changes plus failures, so a non-zero exit is not by itself a failed run; check for 4 or 6.