Skip to content


Switch branches/tags
This branch is 375 commits behind openshift:master.

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


This module helps install OpenShift Origin Platform As A Service. Through the declaration of the openshift_origin class, you can configure the OpenShift Origin Broker, Node and support services including ActiveMQ, MongoDB, named and OS settings including firewall, services, and ntp.


  • Jamey Owens

  • Ben Klang

  • Ben Langfeld

  • Krishna Raman


  • Puppet >= 3

  • Facter >= 1.6.17

  • Puppetlabs/stdlib module. Can be obtained here or with the command puppet module install puppetlabs/stdlib

  • Puppetlabs/ntp module. Can be obtained here or with the command puppet module install puppetlabs/ntp


The module can be obtained from the github repository.

  1. Download the Zip file from github

  2. Upload the Zip file to your Puppet Master.

  3. Unzip the file. This will create a new directory called puppet-openshift_origin-{commit hash}

  4. Rename this directory to just openshift_origin and place it in your modulepath.


There is one class (openshift_origin) that needs to be declared on all nodes managing any component of OpenShift Origin. These nodes are configured using the parameters of this class.

Using Parameterized Classes

Example: Single host (broker+console+node) which uses the Avahi MDNS and mongo Auth plugin:
class { 'openshift_origin' :
  domain                     => '',
  node_unmanaged_users       => ['root'],
  development_mode           => true,
  conf_node_external_eth_dev => 'eth0',
  install_method             => 'yum',
  register_host_with_named   => true,
  broker_auth_plugin         => 'mongo',
  broker_dns_plugin          => 'avahi',
Example: Single host (broker+console+node) which uses the Kerberos Auth plugin and GSS-TSIG.
class { 'openshift_origin' :
  domain                     => '',
  node_unmanaged_users       => ['root'],
  development_mode           => true,
  conf_node_external_eth_dev => 'eth0',
  install_method             => 'yum',
  register_host_with_named   => true,
  broker_auth_plugin         => 'remote-user',
  broker_dns_plugin          => 'named',
  bind_krb_principal         => $hostname,
  bind_krb_keytab            => '/etc/dns.keytab'
  broker_krb_keytab          => '/etc/http.keytab',
  broker_krb_auth_realms     => 'EXAMPLE.COM',
  broker_krb_service_name    => $hostname,

Please note:

  • The Broker needs to be enrolled in the KDC as a host, host/node_fqdn as well as a service, HTTP/node_fqdn

  • Keytab should be generated, is located on the Broker machine, and Apache should be able to access it (chown apache <kerberos_keytab>)

  • Like the example config below:

    • set broker_auth_plugin to 'kerberos'

    • set broker_krb_keytab and bind_krb_keytab to the absolute file location of the keytab

    • set broker_krb_auth_realms to the kerberos realm that the Broker host is enrolled with

    • set broker_krb_service_name to the FQDN of the enrolled kerberos service, e.g. $hostname

  • After setup, to test:

    • authentication: kinit <user> then curl -Ik --negotiate -u : <node_fqdn>

    • GSS-TSIG (should return nil):

      $ cd /var/www/openshift/broker
      $ bundle --local
      $ rails console
      $ d = OpenShift::DnsService.instance
      $ d.register_application "appname", "namespace", "node_fqdn"
      => nil
    • For any errors, on the Broker, check /var/log/openshift/broker/httpd/error_log.



Choose from the following roles to be configured on this node.

  • broker - Installs the broker and console.

  • node - Installs the node and cartridges.

  • activemq - Installs activemq message broker.

  • datastore - Installs MongoDB (not sharded/replicated)

  • named - Installs a BIND dns server configured with a TSIG key for updates.

Default: ['broker','node','activemq','datastore','named']


Choose from the following ways to provide packages:

  1. none - install sources are already set up when the script executes (default)

  2. yum - set up yum repos manually

    • repos_base

    • os_repo

    • os_updates_repo

    • jboss_repo_base

    • jenkins_repo_base

    • optional_repo

Default: yum


CPU Architecture to use for the definition OpenShift Origin yum repositories Defaults: $::architecture (from facter)

*Fedora: x86_64 armv7hl *RHEL: **x86_64


Repository path override. Uses dependencies from repos_base but uses override_install_repo path for OpenShift RPMs. Used when doing local builds.

Default: none


The URL for a Fedora 19/RHEL 6 yum repository used with the "yum" install method. Should end in x86_64/os/.

Default: no change


The URL for a Fedora 19/RHEL 6 yum updates repository used with the "yum" install method. Should end in x86_64/.

Default: no change


The URL for a JBoss repositories used with the "yum" install method. Does not install repository if not specified.


The URL for a Jenkins repositories used with the "yum" install method. Does not install repository if not specified.


The URL for a EPEL or optional repositories used with the "yum" install method. Does not install repository if not specified.


The network domain under which apps and hosts will be placed.







Default: the root plus the domain, e.g. - except

These supply the FQDN of the hosts containing these components. Used for configuring the host’s name at install, and also for configuring the broker application to reach the services needed.

if installing a nameserver, the script will create DNS entries for the hostnames of the other components being installed on this host as well. If you are using a nameserver set up separately, you are responsible for all necessary DNS entries.


Default: IP of a named instance or current IP if installing on this node. This is used by every node to configure its primary name server.

Default: the current IP (at install)


When the nameserver is remote, use this to specify the HMAC-MD5 key for updates. This is the "Key:" field from the .private key file generated by dnssec-keygen. This field is required on all nodes.


When the nameserver is remote, Kerberos keytab together with principal can be used instead of the HMAC-MD5 key for updates.


When the nameserver is remote, this Kerberos principal together with Kerberos keytab can be used instead of the HMAC-MD5 key for updates.


List of upstream DNS servers to use when installing named on this node.

Default: ['']


This is used for the node to record its broker. Also is the default for the nameserver IP if none is given.

Default: the current IP (at install)


This is used for the node to give a public IP, if different from the one on its NIC.

Default: the current IP (at install)


Enabling this configures NTP. It is important that the time be synchronized across hosts because MCollective messages have a TTL of 60 seconds and may be dropped if the clocks are too far out of synch. However, NTP is not necessary if the clock will be kept in synch by some other means.

Default: true

Passwords used to secure various services. You are advised to specify only alphanumeric values in this script as others may cause syntax errors depending on context. If non-alphanumeric values are required, update them separately after installation.


This is the admin password for the ActiveMQ admin console, which is not needed by OpenShift but might be useful in troubleshooting.

Default: scrambled



This is the user and password shared between broker and node for communicating over the mcollective topic channels in ActiveMQ. Must be the same on all broker and node hosts.

Default: mcollective/marionette



These are the username and password of the administrative user that will be created in the MongoDB datastore. These credentials are not used by in this script or by OpenShift, but an administrative user must be added to MongoDB in order for it to enforce authentication. Note: The administrative user will not be created if CONF_NO_DATASTORE_AUTH_FOR_LOCALHOST is enabled.

Default: admin/mongopass



These are the username and password of the normal user that will be created for the broker to connect to the MongoDB datastore. The broker application’s MongoDB plugin is also configured with these values.

Default: openshift/mongopass


This is the name of the database in MongoDB in which the broker will store data.

Default: openshift_broker



This user and password are entered in the /etc/openshift/htpasswd file as a demo/test user. You will likely want to remove it after installation (or just use a different auth method).

Default: demo/changeme





Salt, public and private keys used when generating secure authentication tokens for Application to Broker communication. Requests like scale up/down and jenkins builds use these authentication tokens. This value must be the same on all broker nodes.

Default: Self signed keys are generated. Will not work with multi-broker setup.



Session secrets used to encode cookies used by console and broker. This value must be the same on all broker nodes.


List of all gear sizes this will be used in this OpenShift installation.

Default: ['small']


Default gear size if one is not specified.

Default: ['small']


List of all gear sizes that newly created users will be able to create.

Default: ['small']


DNS plugin used by the broker to register application DNS entries. Options:

  • nsupdate - nsupdate based plugin. Supports TSIG and GSS-TSIG based authentication. Uses bind_key for TSIG and bind_krb_keytab, bind_krb_principal for GSS_TSIG auth.

  • avahi - sets up a MDNS based DNS resolution. Works only for all-in-one installations.


Authentication setup for users of the OpenShift service. Options:

  • mongo - Stores username and password in mongo.

  • kerberos - Kerberos based authentication. Uses broker_krb_service_name, broker_krb_auth_realms, broker_krb_keytab values.

  • htpasswd - Stores username/password in a htaccess file.

  • ldap - LDAP based authentication. Uses broker_ldap_uri.

Default: htpasswd


The KrbServiceName value for mod_auth_kerb configuration


The KrbAuthRealms value for mod_auth_kerb configuration


The Krb5KeyTab value of mod_auth_kerb is not configurable — the keytab is expected in /var/www/openshift/broker/httpd/conf.d/http.keytab


URI to the LDAP server (e.g. ldap://,dc=my-domain,dc=com). Set <code>broker_auth_plugin</code> to <code>ldap</code> to enable this feature.


Specify the container type to use on the node. Options:

  • selinux - This is the default OpenShift Origin container type.


Specify one or more plugins to use register HTTP and web-socket connections for applications. Options:

  • apache-mod-rewrite - Mod-Rewrite based plugin for HTTP and HTTPS requests. Well suited for installations with a lot of creates/deletes/scale actions.

  • apache-vhost - VHost based plugin for HTTP and HTTPS. Suited for installations with less app create/delete activity. Easier to customize.

  • nodejs-websocket - Web-socket proxy listening on ports 8000/8444

  • haproxy-sni-proxy - TLS proxy using SNI routing on ports 2303 through 2308 requires /usr/sbin/haproxy15 (haproxy-1.5-dev19 or later).

Default: ['apache-mod-rewrite','nodejs-websocket']


List of user names who have UIDs in the range of OpenShift gears but must be excluded from OpenShift gear setups.

Default: []


External facing network device. Used for routing and traffic control setup.

Default: eth0


Name of supplementary UNIX group to add a gear to.


Set development mode and extra logging.

Default: false


Install a Getty shell which displays DNS, IP and login information. Used for all-in-one VM installation.


Setup DNS entries for this host in a locally installed bind DNS instance.

Default: false


List of cartridges to be installed on the node. Options:

  • 10gen-mms-agent

  • cron

  • diy

  • haproxy

  • mongodb

  • nodejs

  • perl

  • php

  • phpmyadmin

  • postgresql

  • python

  • ruby

  • jenkins

  • jenkins-client

  • mariadb (will install mysql on RHEL)

  • jbossews

  • jbossas

  • jbosseap

Default: ['10gen-mms-agent','cron','diy','haproxy','mongodb', 'nodejs','perl','php','phpmyadmin','postgresql', 'python','ruby','jenkins','jenkins-client','mariadb']

Manual Tasks

This script attempts to automate as many tasks as it reasonably can. Unfortunately, it is constrained to setting up only a single host at a time. In an assumed multi-host setup, you will need to do the following after the script has completed.

  1. Set up DNS entries for hosts.

    If you installed BIND with the script, then any other components installed with the script on the same host received DNS entries. Other hosts must all be defined manually, including at least your node hosts. oo-register-dns may prove useful for this.

  2. Copy public rsync key to enable moving gears.

    The broker rsync public key needs to go on nodes, but there is no good way to script that generically. Nodes should not have password-less access to brokers to copy the .pub key, so this must be performed manually on each node host:

    # scp root@broker:/etc/openshift/ /root/.ssh/
    (above step will ask for the root password of the broker machine)
    # cat /root/.ssh/ >> /root/.ssh/authorized_keys
    # rm /root/.ssh/

    If you skip this, each gear move will require typing root passwords for each of the node hosts involved.

  3. Copy ssh host keys between the node hosts.

    All node hosts should identify as the same host, so that when gears are moved between hosts, ssh and git don’t give developers spurious warnings about the host keys changing. So, copy /etc/ssh/ssh_* from one node host to all the rest (or, if using the same image for all hosts, just keep the keys from the image).


Puppet module to create OpenShift Brokers and Nodes. Can be used to create a full OpenShift Origin deployment.







No releases published


No packages published


  • Puppet 92.8%
  • Ruby 7.2%