Feature #11837

Feature #11834: Migrate our infrastructure to Puppet 4

Upgrade Puppet master to Puppet 4

Added by intrigeri almost 2 years ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Infrastructure
Target version:
Start date: 09/24/2016
Due date:
% Done: 100%
QA Check: Pass
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:

Description

https://docs.puppet.com/puppet/4.5/reference/upgrade_major_server.html

Also see https://bugs.debian.org/832536 and https://lists.alioth.debian.org/pipermail/pkg-puppet-devel/2017-January/010545.html wrt. backwards compatibility with 3.x agents, that might require a little bit of patching on the agent side.

As of 2018-04-04, to install PuppetDB from Debian on Stretch one needs:

Package: lib*-clojure lib*-java
Pin: release o=Debian,n=buster
Pin-Priority: 990

Package: puppetdb libcomidi-clojure libdujour-version-check-clojure libpantomime-clojure libpuppetlabs-http-client-clojure libpuppetlabs-ring-middleware-clojure libssl-utils-clojure libtrapperkeeper-metrics-clojure libtrapperkeeper-status-clojure libtrapperkeeper-webserver-jetty9-clojure libtika-java
Pin: release o=Debian,n=sid
Pin-Priority: 990

To make PuppetDB work and the puppetmaster use it (on sid):

  • install Puppet from Stretch (due to https://bugs.debian.org/894800) and apply https://github.com/puppetlabs/puppet/commit/578687a00195191185f44d8cb38f4b7716d99c31 (otherwise it won't work on sid)
  • dpkg-reconfigure puppetdb, go through the dbconfig setup and leave the default settings
  • set up TLS like /usr/share/doc/puppetdb/README.Debian says:
    • cp -a /var/lib/puppet/ssl/certs/localhost.pem /etc/puppetdb/cert.pem && cp -a /var/lib/puppet/ssl/private_keys/localhost.pem /etc/puppetdb/private_key.pem && cp -a /var/lib/puppet/ssl/ca/ca_crt.pem /etc/puppetdb/ca_crt.pem && chown puppetdb:puppetdb /etc/puppetdb/*.pem
    • adjust /etc/puppetdb/conf.d/jetty.ini:
      • ssl-port = 8081
      • ssl-key = /etc/puppetdb/private_key.pem
      • ssl-cert = /etc/puppetdb/cert.pem
      • ssl-ca-cert = /etc/puppetdb/ca_crt.pem
  • patch puppetdb.service to use /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java instead of /usr/bin/java
  • install puppet-terminus-puppetdb and postgresql
  • enable storeconfigs in puppet.conf
  • create /etc/puppet/puppetdb.conf, owned by puppet:puppet, with contents:
    [main]
    server_urls = https://localhost:8081
    
  • create /etc/puppet/routes.yaml, owned by puppet:puppet, with contents:
    ---
    master:
      facts:
        terminus: puppetdb
        cache: yaml
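
An added check for the TLS steps above (example code written for this page, not part of the ticket or of the Tails Puppet code): it verifies that jetty.ini names all three PEM files, that the copied private key is closed to group and other, and that server_urls in puppetdb.conf uses https on the same port as ssl-port. The function names `ini_get` and `audit_puppetdb_tls` are hypothetical, and the parser assumes plain `key = value` lines as shown in the ticket.

```shell
#!/bin/sh
# Added example: audit the PuppetDB TLS wiring from the steps above.
# Default paths are the ones named in the ticket; pass others to audit a copy.

# ini_get FILE KEY: print the trimmed value of the first "KEY = value" line.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# audit_puppetdb_tls [JETTY_INI] [PUPPETDB_CONF]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_puppetdb_tls() {
    jetty=${1:-/etc/puppetdb/conf.d/jetty.ini}
    conf=${2:-/etc/puppet/puppetdb.conf}
    rc=0

    port=$(ini_get "$jetty" ssl-port)
    [ -n "$port" ] || { echo "jetty.ini: ssl-port is not set"; rc=1; }

    for key in ssl-key ssl-cert ssl-ca-cert; do
        path=$(ini_get "$jetty" "$key")
        if [ -z "$path" ]; then
            echo "jetty.ini: $key is not set"; rc=1
        elif [ ! -f "$path" ]; then
            echo "jetty.ini: $key points at missing file $path"; rc=1
        elif [ "$key" = ssl-key ]; then
            # cp -a keeps the source mode; the key must stay closed to group/other.
            mode=$(ls -ld "$path" | cut -c5-10)
            [ "$mode" = "------" ] || { echo "$path: group/other access ($mode)"; rc=1; }
        fi
    done

    # The master must reach PuppetDB over https on the port Jetty serves TLS on.
    url=$(ini_get "$conf" server_urls)
    case $url in
        https://*:"$port"|https://*:"$port"/*) ;;
        *) echo "puppetdb.conf: server_urls '$url' is not https on port '$port'"; rc=1 ;;
    esac
    return "$rc"
}
```

Source the file and call `audit_puppetdb_tls` with no arguments to check the live paths, or pass a jetty.ini and puppetdb.conf from a staging copy.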
    

Related issues

Blocked by Tails - Feature #11836: Stop stringifying Puppet facts Resolved 09/24/2016
Blocks Tails - Feature #13284: Core work 2017Q2→2019Q1: Sysadmin (Adapt our infrastructure) Confirmed 06/30/2017

History

#1 Updated by intrigeri almost 2 years ago

  • Blocked by Feature #11833: Make our Puppet code compatible with the "future" parser added

#2 Updated by intrigeri almost 2 years ago

  • Blocked by Feature #11835: Upgrade Puppet master and clients to 3.8 added

#3 Updated by intrigeri almost 2 years ago

#4 Updated by intrigeri almost 2 years ago

#5 Updated by intrigeri almost 2 years ago

  • Blocked by deleted (Feature #11835: Upgrade Puppet master and clients to 3.8)

#6 Updated by intrigeri over 1 year ago

  • Assignee set to intrigeri

#7 Updated by intrigeri over 1 year ago

  • Description updated (diff)

#8 Updated by intrigeri about 1 year ago

  • Target version set to Tails_3.5

#9 Updated by intrigeri 6 months ago

  • Target version changed from Tails_3.5 to Tails_3.6

#10 Updated by intrigeri 6 months ago

  • Blocks Feature #13284: Core work 2017Q2→2019Q1: Sysadmin (Adapt our infrastructure) added

#11 Updated by intrigeri 6 months ago

  • Target version changed from Tails_3.6 to Tails_3.7

#12 Updated by intrigeri 3 months ago

  • Description updated (diff)

#13 Updated by intrigeri 3 months ago

  • Description updated (diff)

#14 Updated by intrigeri 3 months ago

  • Description updated (diff)

#15 Updated by intrigeri 3 months ago

#16 Updated by intrigeri 3 months ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 20

Upgrade done, re-enabled puppet agent everywhere, everything looks good except Puppet fails on the 4 systems that have shorewall. It might be that upgrading the shorewall module or #11838 will fix that. I'll look into this tomorrow or Saturday.

#17 Updated by intrigeri 3 months ago

  • % Done changed from 20 to 30

intrigeri wrote:

Puppet fails on the 4 systems that have shorewall. It might be that upgrading the shorewall module or #11838 will fix that.

Fixed by #11838 :)

I've also followed the rest of the upgrade doc and then https://docs.puppet.com/puppet/4.5/upgrade_major_post.html.

Next steps:

  • ensure our last run check + the corresponding monitoring works fine
  • #15492
  • #15490

#18 Updated by intrigeri 3 months ago

  • Assignee changed from intrigeri to groente
  • % Done changed from 30 to 50
  • QA Check set to Ready for QA

intrigeri wrote:

Next steps:

  • ensure our last run check + the corresponding monitoring works fine

It's broken => #15493.

Both are now ready for QA.

#19 Updated by groente 3 months ago

  • Blocks deleted (Feature #15490: Remove MariaDB on puppet-git.lizard)

#20 Updated by groente 3 months ago

  • Blocked by deleted (Feature #11833: Make our Puppet code compatible with the "future" parser)

#21 Updated by groente 3 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

clear, thanks!

#22 Updated by groente 3 months ago
