Feature #11834
Migrate our infrastructure to Puppet 4
100%
Description
On Stretch we won’t have Puppet 3, so we’ll have to migrate to Puppet 4.
Lots of interesting discussions on this topic have happened on https://bugs.debian.org/826551, including how to migrate an existing storedconfig database to PuppetDB. Since then, puppetdb made it into Debian.
See upstream’s upgrading checklist for details.
Subtasks
Feature #11833: Make our Puppet code compatible with the "future" parser | Resolved | intrigeri | 100 |
||
Feature #11835: Upgrade Puppet master and clients to 3.8 | Resolved | 100 |
|||
Feature #11836: Stop stringifying Puppet facts | Resolved | intrigeri | 100 |
||
Feature #11837: Upgrade Puppet master to Puppet 4 | Resolved | groente | 100 |
||
Feature #11838: Upgrade Puppet agents to Puppet 4 | Resolved | groente | 100 |
||
Feature #15490: Remove MariaDB on puppet-git.lizard | Resolved | groente | 100 |
||
Feature #15492: Set up PuppetDB backups | Resolved | groente | 100 |
||
Bug #15493: Adjust monitoring check for Puppet runs for Puppet master 4.x | Resolved | groente | 100 |
||
Bug #15555: PuppetDB is regularly unavailable | Resolved | groente | 100 |
Related issues
Related to Tails - |
Resolved | 2016-06-23 | |
Related to Tails - |
Resolved | 2018-06-11 | |
Related to Tails - |
Resolved | 2018-06-12 | |
Related to Tails - |
Resolved | 2018-10-31 | |
Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) | Confirmed | 2017-06-30 | |
Blocks Tails - Bug #13285: Migrate to upstream Puppet Icinga2 module | Confirmed | 2017-06-30 |
History
#1 Updated by intrigeri 2016-09-24 04:44:22
- blocked by
Feature #11833: Make our Puppet code compatible with the "future" parser added
#2 Updated by intrigeri 2016-09-24 04:44:32
- blocked by
Feature #11835: Upgrade Puppet master and clients to 3.8 added
#3 Updated by intrigeri 2016-09-24 04:45:03
- related to
Bug #11543: bitcoin.lizard cannot connect to our Puppet master added
#4 Updated by intrigeri 2016-09-24 04:46:33
- blocks deleted (
)Feature #11833: Make our Puppet code compatible with the "future" parser
#5 Updated by intrigeri 2016-09-24 04:46:57
- blocks deleted (
)Feature #11835: Upgrade Puppet master and clients to 3.8
#6 Updated by intrigeri 2016-09-24 04:56:44
- Description updated
#7 Updated by intrigeri 2017-04-09 11:03:23
- Assignee set to intrigeri
#8 Updated by intrigeri 2017-04-11 16:09:44
- Description updated
#9 Updated by intrigeri 2017-06-05 13:39:21
- Target version set to Tails_3.5
#10 Updated by intrigeri 2017-06-30 11:21:37
- blocked by Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added
#11 Updated by intrigeri 2017-06-30 11:22:04
- blocks deleted (
Feature #13284: Core work: Sysadmin (Adapt our infrastructure))
#12 Updated by intrigeri 2017-06-30 11:22:13
- blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added
#14 Updated by intrigeri 2017-08-13 14:12:02
- Description updated
#15 Updated by intrigeri 2017-11-28 09:36:43
intrigeri wrote:
> PuppetDB is now in Debian :)
I don’t understand why it did not migrate to testing yet => asked the maintainer.
#16 Updated by intrigeri 2017-11-30 09:08:36
intrigeri wrote:
> intrigeri wrote:
> > PuppetDB is now in Debian :)
>
> I don’t understand why it did not migrate to testing yet => asked the maintainer.
It seems to be caused at least by libtika-java being RC buggy.
#17 Updated by intrigeri 2018-01-09 22:56:11
- Status changed from Confirmed to In Progress
As said elsewhere last week, during the 3.5 cycle I want to plan this migration. Here’s what I did in order to get a clearer idea of what this project will involve:
- Started a discussion with the shared Puppet modules group to learn how others are handling this. Jérôme’s first answer is inspiring:
- He went ahead and “dumped a number of shared modules in favor of modules maintained by other people”, which is consistent with the long-term plan of this group. I think we should do the same when feasible, instead of investing time to port these poorly maintained modules to Puppet 4: moving to modules maintained by big players in the Puppet community (puppetlabs, voxpopuli, camptocamp) might require a bigger initial investment, but it’s clear it’ll pay off on the long term. I’ll decide on a case by case basis.
- He’s running PuppetDB from sid on Stretch (and apparently Micah does the same). Good news, this gives us a workable solution while I was really wondering what kind of ugly trade-off we would have to make :) I’ll try this.
- Migrated my own laptop (that runs sid) to Puppet 4. This machine runs a subset of the modules we use on our infra, so:
- This gave me an idea of how much work is required to port code to Puppet 4. tl;dr: not that much in general, it’s mostly mechanical once one has understood the differences; but when the code is really old school it sometimes requires quite involved refactoring, which is a bit scary without a good test suite.
- I’ve updated all the Puppet code I use to make it work with Puppet 4 (i.e. basically
Feature #11833), which resulted in submiting at a bunch of merge requests against some of the aforementioned shared Puppet modules. groente, if you want to come back to it when you have time, in order to learn by reviewing, this first batch is: https://gitlab.com/shared-puppet-modules-group/postfix/merge_requests/20, https://gitlab.com/shared-puppet-modules-group/postfix/merge_requests/18, https://gitlab.com/shared-puppet-modules-group/puppet/merge_requests/10, https://gitlab.com/shared-puppet-modules-group/shorewall/merge_requests/11 and https://gitlab.com/shared-puppet-modules-group/postfix/merge_requests/19. There will be more as I move forward with the next steps.
Next steps are (note to myself but also so that you folks can follow along):
- Install PuppetDB locally and see how some of the exported resources we use work with it.
- Handle
Feature #11833, for which I now have a plan (I’ve realized there’s a small chance it magically fixesFeature #11836). - Deal with
Feature #11836, somehow (possibly while doing the next step). - Set up a Puppet 4 master + PuppetDB on our production infra, feed it with our manifests + modules (using a different branch on the manifests repo, so I can point to new versions of submodules that are compatible with Puppet 4), make it manage a few non-critical systems that don’t export resources used by other systems (most likely something on sib), fix problems.
- Press the big red button i.e. make the Puppet 4 master manage all our systems: migrating them one after the other would be ideal, but due to our heavy reliance on exported resources, I think there will need to be a few flag days — best case — or a single one — worst case).
- Upgrade all Puppet agents to Puppet 4.
Regarding planning, I’ll probably focus on this next week but then my schedule is quite packed already in 2018Q1. Still, I think there’s actually a chance that I get this done by the end of March, we’ll see. In any case, I’ll take note of everything that would be worth reviewing by groente, as part of his Puppet training, like I started to do above :)
#18 Updated by intrigeri 2018-01-09 22:58:38
- Target version changed from Tails_3.5 to Tails_3.7
#19 Updated by intrigeri 2018-01-23 16:46:45
intrigeri wrote:
> As said elsewhere last week, during the 3.5 cycle I want to plan this migration.
Done.
> Regarding planning, I’ll probably focus on this next week
Did not happen, will postpone Feature #11833 and Feature #11836 accordingly.
> but then my schedule is quite packed already in 2018Q1. Still, I think there’s actually a chance that I get this done by the end of March, we’ll see.
I don’t think that’ll be done in 2018Q1. 2018Q2 seems more realistic.
#20 Updated by intrigeri 2018-04-04 12:03:33
Other modules I’ve upgraded for Puppet 4 compatibility:
- sysctl: to its latest upstream release (0.0.11); wasn’t strictly needed but it fixes a warning
- sshkeys: our previous upstream was abandonned, switched to https://github.com/FrankVanDamme/puppet-sshkeys which fixes Puppet 4 compatibility among other things; I’m not upgrading to the very latest commits as they’re introducing syntax that’s not compatible with Puppet 3.x (although they work locally with Puppet 4.x and 5.x).
intrigeri wrote:
> Next steps are (note to myself but also so that you folks can follow along):
>
> # Install PuppetDB locally and see how some of the exported resources we use work with it.
Done, this works :) I’ve documented how I did that on Feature #11837.
#21 Updated by intrigeri 2018-04-08 10:02:24
- Assignee changed from intrigeri to groente
- QA Check set to Ready for QA
(All subtasks are now Ready for QA :)
#22 Updated by intrigeri 2018-04-09 10:38:07
And while I was at it, I’ve taken advantage of the data type system that Puppet 4 introduced and ported puppet-tails to it:
- https://puppet.com/docs/puppet/4.8/lang_classes.html
- https://puppet.com/docs/puppet/4.8/lang_data_type.html
- 17b0eee41fea1708d3ae3685886db2ab13aa154d.. in our manifests repo + the corresponding changes in the puppet-tails submodule
I see 106 files changed, 563 insertions(+), 1011 deletions(-) in puppet-tails, pretty good!
#23 Updated by groente 2018-05-02 16:41:35
- Status changed from In Progress to Resolved
- QA Check changed from Ready for QA to Pass
\o/
#24 Updated by intrigeri 2018-06-11 06:55:59
- related to
Bug #15647: PuppetDB is broken since 2018-06-10 added
#25 Updated by groente 2018-06-12 07:02:25
- related to
Bug #15650: libtools-nrepl-clojure updates kept back on puppet-git added
#26 Updated by intrigeri 2018-10-31 08:18:24
- related to
Bug #16083: APT snapshot used for libjetty9 is unreliable added
#27 Updated by intrigeri 2018-12-29 11:13:40
- blocks Bug #13285: Migrate to upstream Puppet Icinga2 module added