modules/: modules (or component modules)- Usually only support a single operating system.
modules/roles_profiles/manifests/profiles: profiles- Profiles provide an OS-independent interface to functionality provided by roles.
- Where os detection and routing is done.
modules/roles_profiles/manifests/roles- Roles specify everything a machine type needs to fufill a role.
- Calls a single profile, maps to device groups.
- #1 Profiles can't call other profiles.
- Goal is to have roles be completely transparent (at least at the top level).
- Exception: Allowed when creating 'base' OS profiles.
- #2 Profiles can't be called/included inside (component) modules.
- #3 Hiera lookups should only be done within profiles and then passed as args to the class.
More information:
- https://puppet.com/docs/puppet/6/designing_system_configs_roles_and_profiles.html
- https://puppet.com/docs/puppet/6/the_roles_and_profiles_method.html#the_roles_and_profiles_method
Many profiles run puppet at boot, but some only do on demand.
# setup bolt first, see https://mana.mozilla.org/wiki/display/ROPS/M1+and+R8+Catalina+Deployment
bolt plan run deploy::apply -t macmini-r8-140.test.releng.mdc1.mozilla.com noop=false -v
Vagrant is useful for testing the full masterless bootstrapping process.
Vagrant mounts this directory at /vagrant.
gem install bundler
bundle install ## .bundle/config sets the gemfile to .gemfile
vagrant up bionic-bare
vagrant ssh bionic-bare
sudo /vagrant/provisioners/linux/bootstrap_bitbar_devicepool.sh
test-kitchen (with kitchen-puppet ) provides infrastructure to automate running Puppet convergence and InSpec tests for each role.
The repo contains configurations for Test Kitchen to use Vagant, Docker, and Mac instances.
- ./bin/kitchen: Uses Vagrant and VirtualBox. Configured in .kitchen_configs/kitchen.yml.
- ./bin/kitchen_docker: Uses Docker. Configured in .kitchen_configs/kitchen_docker.yml.
- (no binary): Used by CircleCI tests. Configured in .kitchen_configs/kitchen.circleci.yml.
We use Vagrant/VirutalBox and Docker for a few reasons:
- Docker is the only way we can test on cloud CI systems.
- Some tests don't work with Docker (kernel module tests).
- Docker is faster (~1 minute faster on a converge from a new image).
InSpec tests live in tests/integration/SUITE/inspec/*_spec.rb.
# install ruby via homebrew or other means
brew install ruby
# add gem bin path (may differ on your system) to your PATH
export PATH=$PATH:/usr/local/lib/ruby/gems/2.6.0/bin # may be 2.7.0
gem install bundler
# install testing tools
bundle install
## testing bitbar workers
./bin/kitchen converge bitbar
# run spec tests
./bin/kitchen verify bitbar
## testing linux workers
# coverge host
./bin/kitchen converge linux
# run serverspec tests
./bin/kitchen verify linux
# login to host
./bin/kitchen login linux- Edit
.kitchen.ymland.kitchen.docker.yml. Set the appropriate details. - Create a new manifest dir for the suite.
cd manifests-kitchen
mkdir <suite_name>
cd <suite_name>
ln -s ../../manifests/site.pp .
touch z-<suite_name>.pp
vim z-<suite_name>.ppWe need our pp file to be run after the site.pp, that's why it starts with a z.
- Include your desired role
In the recently created z-<suite_name>.pp:
include roles_profiles::roles::your_favorite_role-
(optional) Write spec tests.
Convergence is somewhat tolerant of failures. Write tests to ensure that the system is in the desired state. Tests help ensure that refactoring doesn't break things also.
See tests/integration.
-
Add the new suite to Travis.
See
.travis.yml.
- refactor kitchen testing
- rename linux kitchen env to base
- create a talos kitchen env for non-base
The InSpec tests (see above) can be run on production hosts also.
inspec exec test/integration/linux/inspec/ -t ssh://t-linux64-ms-001.test.releng.mdc1.mozilla.com -i ~/.ssh/id_rsa --user=aerickson --sudo