ReleaseEngineering/PuppetAgain/Modules/puppetmaster: Difference between revisions

From MozillaWiki
(Created page with "This module handles installing, updating, and running puppet master. This setup uses Apache and mod_passenger. Puppet masters doesn't sign client certificates. They are generated...")
 
Line 11: Line 11:


= Updates =
= Updates =
Masters update themselves by [[ReleaseEngineering/PuppetAgain/Modules/puppet#puppet::periodic]] conrjob.
Masters update themselves by <tt>puppet::periodic</tt> ([[ReleaseEngineering/PuppetAgain/Modules/puppet]]).


= Certificate management =
= Certificate management =
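Review bot: on the changed Updates line, the rewrite drops two things the old text carried: the #puppet::periodic section anchor in the link, and the statement that the update runs as a cron job (misspelled "conrjob" in the old line). Consider keeping both, for example by linking to [[ReleaseEngineering/PuppetAgain/Modules/puppet#puppet::periodic]] and saying that masters update themselves via the <tt>puppet::periodic</tt> cron job, so readers learn the mechanism and land on the right section.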

Revision as of 17:32, 22 August 2012

This module handles installing, updating, and running the puppet master. This setup uses Apache and mod_passenger. Puppet masters don't sign client certificates; those are generated by a self-signed CA (on cruncher).

Installation

This procedure has been tested on freshly installed CentOS 6.2 hosts with the "Base" yum group installed.

  • Install the puppet and mercurial packages from the releng repo (link to how to set it up?)
  • Generate puppet master certificates using the CA scripts (see below) and copy them.
  • Clone the puppetagain repo to /etc/puppet/production:
      hg clone http://hg.mozilla.org/build/puppet /etc/puppet/production
  • Copy secrets.csv and local-config.csv files to /etc/puppet/production/manifests/extlookup/
  • Run /etc/puppet/production/setup/masterize.sh to bootstrap the master

Updates

Masters update themselves by puppet::periodic (ReleaseEngineering/PuppetAgain/Modules/puppet).

Certificate management

TODO, bug 784716

CRL sync

To keep the list of revoked certificates (CRL) up to date, masters fetch the CRL from the CA via a cron job and gracefully restart Apache.
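
One way such a CRL sync job could look, as an added example rather than the module's own script: it fetches the CRL, checks its signature against the CA certificate, replaces the installed copy atomically, and gracefully restarts Apache only when the CRL actually changed. The URL, the file paths, the script name and the use of curl, openssl and apachectl are assumptions, not values from this page.

```shell
#!/bin/sh
# Added example: CRL sync job for a puppet master, run from cron.
# URL and paths are assumed placeholders, not values from the page.
CRL_URL="${CRL_URL:-https://ca.example.invalid/crl.pem}"
CA_CERT="${CA_CERT:-/path/to/ca_crt.pem}"
CRL_PATH="${CRL_PATH:-/path/to/ca_crl.pem}"

# Accept a CRL only if it parses and its signature checks against the CA cert.
# The exit status of `openssl crl` on a bad signature varies between versions,
# so match the "verify OK" message instead.
verify_crl() {
    openssl crl -in "$1" -CAfile "$CA_CERT" -noout 2>&1 | grep -q 'verify OK'
}

# Graceful restart: Apache workers finish in-flight requests before reloading.
reload_apache() { apachectl graceful; }

# install_crl NEW CURRENT
# Returns 0 = installed and Apache restarted, 1 = unchanged, 2 = rejected/failed.
install_crl() {
    new=$1; cur=$2
    verify_crl "$new" || return 2
    if [ -f "$cur" ] && cmp -s "$new" "$cur"; then return 1; fi
    staged="$cur.new.$$"    # same directory, so mv is an atomic rename
    cp "$new" "$staged" && chmod 644 "$staged" && mv -f "$staged" "$cur" ||
        { rm -f "$staged"; return 2; }
    reload_apache || return 2
    return 0
}

# Fetch the CRL to a temp file and hand it to install_crl.
sync_crl() {
    tmp=$(mktemp) || return 2
    rc=0
    if curl -fsS --max-time 30 -o "$tmp" "$CRL_URL"; then
        install_crl "$tmp" "$CRL_PATH" || rc=$?
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Cron entry point: crl-sync.sh --run (the script name is hypothetical).
if [ "${1:-}" = "--run" ]; then
    rc=0; sync_crl || rc=$?
    if [ "$rc" -eq 2 ]; then echo "CRL sync failed; existing CRL kept" >&2; exit 1; fi
    exit 0
fi
```

A failed fetch or a CRL that does not verify leaves the installed CRL untouched, so a broken download cannot empty the revocation list that Apache enforces.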