Feature #11837

Upgrade Puppet master to Puppet 4

Added by intrigeri 2016-09-24 04:48:17. Updated 2018-05-02 13:55:18.

Status: Resolved
Priority: Normal
Assignee: groente
Category: Infrastructure
Target version:
Start date: 2016-09-24
Due date:
% Done: 100%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

https://docs.puppet.com/puppet/4.5/reference/upgrade_major_server.html

Also see https://bugs.debian.org/832536 and https://lists.alioth.debian.org/pipermail/pkg-puppet-devel/2017-January/010545.html wrt. backwards compatibility with 3.x agents, that might require a little bit of patching on the agent side.

As of 2018-04-04, to install PuppetDB from Debian on Stretch one needs:

Package: lib*-clojure lib*-java
Pin: release o=Debian,n=buster
Pin-Priority: 990

Package: puppetdb libcomidi-clojure libdujour-version-check-clojure libpantomime-clojure libpuppetlabs-http-client-clojure libpuppetlabs-ring-middleware-clojure libssl-utils-clojure libtrapperkeeper-metrics-clojure libtrapperkeeper-status-clojure libtrapperkeeper-webserver-jetty9-clojure libtika-java
Pin: release o=Debian,n=sid
Pin-Priority: 990

To make PuppetDB work and the puppetmaster use it (on sid):

  • install Puppet from Stretch (due to https://bugs.debian.org/894800) and apply https://github.com/puppetlabs/puppet/commit/578687a00195191185f44d8cb38f4b7716d99c31 (otherwise it won’t work on sid)
  • dpkg-reconfigure puppetdb, go through the dbconfig setup and leave the default settings
  • set up TLS like /usr/share/doc/puppetdb/README.Debian says:
    • cp -a /var/lib/puppet/ssl/certs/localhost.pem /etc/puppetdb/cert.pem && cp -a /var/lib/puppet/ssl/private_keys/localhost.pem /etc/puppetdb/private_key.pem && cp -a /var/lib/puppet/ssl/ca/ca_crt.pem /etc/puppetdb/ca_crt.pem && chown puppetdb:puppetdb /etc/puppetdb/*.pem
    • adjust /etc/puppetdb/conf.d/jetty.ini:
      • ssl-port = 8081
      • ssl-key = /etc/puppetdb/private_key.pem
      • ssl-cert = /etc/puppetdb/cert.pem
      • ssl-ca-cert = /etc/puppetdb/ca_crt.pem
  • patch puppetdb.service to use /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java instead of /usr/bin/java
  • install puppet-terminus-puppetdb and postgresql
  • enable storeconfigs in puppet.conf
  • create /etc/puppet/puppetdb.conf, owned by puppet:puppet, with contents:
    [main]
    server_urls = https://localhost:8081
  • create /etc/puppet/routes.yaml, owned by puppet:puppet, with contents:
    ---
    master:
      facts:
        terminus: puppetdb
        cache: yaml
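
A consistency check for the TLS steps listed above, added here as an example and not part of the ticket: it confirms that the files named in jetty.ini exist, that the copied private key is not accessible to other users, and that server_urls in puppetdb.conf uses https on Jetty's ssl-port. The function names and the sample files written by make_sample are constructed for illustration; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the ticket; function names are hypothetical.

# ini_get FILE KEY: print the value of the last "KEY = value" line in FILE.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_puppetdb_tls JETTY_INI PUPPETDB_CONF
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_puppetdb_tls() {
    jetty=$1 pdbconf=$2 rc=0
    for key in ssl-key ssl-cert ssl-ca-cert; do
        path=$(ini_get "$jetty" "$key")
        if [ -z "$path" ]; then
            echo "missing: $key is not set in $jetty"; rc=1
        elif [ ! -f "$path" ]; then
            echo "missing: $key points to absent file $path"; rc=1
        elif [ "$key" = ssl-key ]; then
            # GNU stat prints the octal mode (e.g. 640); the last digit holds
            # the permissions for "other", which must be 0 for a private key.
            case $(stat -c %a "$path") in
                *0) ;;
                *) echo "perms: $path is accessible to other users"; rc=1 ;;
            esac
        fi
    done
    port=$(ini_get "$jetty" ssl-port)
    url=$(ini_get "$pdbconf" server_urls)
    # The terminus must speak https to the port Jetty serves TLS on.
    case $url in
        https://*:"$port" | https://*:"$port"/*) ;;
        *) echo "mismatch: server_urls=$url but ssl-port=$port"; rc=1 ;;
    esac
    return $rc
}

# make_sample DIR: write a constructed configuration with dummy PEM files.
make_sample() {
    for f in private_key.pem cert.pem ca_crt.pem; do : > "$1/$f"; done
    chmod 640 "$1/private_key.pem"
    printf '[jetty]\nssl-port = 8081\nssl-key = %s\nssl-cert = %s\nssl-ca-cert = %s\n' \
        "$1/private_key.pem" "$1/cert.pem" "$1/ca_crt.pem" > "$1/jetty.ini"
    printf '[main]\nserver_urls = https://localhost:8081\n' > "$1/puppetdb.conf"
}

# Usage: sh check.sh /etc/puppetdb/conf.d/jetty.ini /etc/puppet/puppetdb.conf
if [ "$#" -eq 2 ]; then check_puppetdb_tls "$1" "$2"; fi
```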

Subtasks


Related issues

Blocked by Tails - Feature #11836: Stop stringifying Puppet facts Resolved 2016-09-24
Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) Confirmed 2017-06-30

History

#1 Updated by intrigeri 2016-09-24 04:48:33

  • blocked by Feature #11833: Make our Puppet code compatible with the "future" parser added

#2 Updated by intrigeri 2016-09-24 04:48:37

  • blocked by Feature #11835: Upgrade Puppet master and clients to 3.8 added

#3 Updated by intrigeri 2016-09-24 04:48:43

#4 Updated by intrigeri 2016-09-24 04:49:29

#5 Updated by intrigeri 2016-10-02 13:27:50

  • blocks deleted (Feature #11835: Upgrade Puppet master and clients to 3.8)

#6 Updated by intrigeri 2017-04-09 11:01:43

  • Assignee set to intrigeri

#7 Updated by intrigeri 2017-04-11 16:05:04

  • Description updated

#8 Updated by intrigeri 2017-06-05 13:39:40

  • Target version set to Tails_3.5

#9 Updated by intrigeri 2018-01-09 22:58:08

  • Target version changed from Tails_3.5 to Tails_3.6

#10 Updated by intrigeri 2018-01-09 23:01:16

  • blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#11 Updated by intrigeri 2018-01-26 20:24:18

  • Target version changed from Tails_3.6 to Tails_3.7

#12 Updated by intrigeri 2018-04-04 08:44:34

  • Description updated

#13 Updated by intrigeri 2018-04-04 11:38:48

  • Description updated

#14 Updated by intrigeri 2018-04-04 12:08:02

  • Description updated

#15 Updated by intrigeri 2018-04-05 13:07:21

#16 Updated by intrigeri 2018-04-05 16:14:49

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 20

Upgrade done, re-enabled puppet agent everywhere, everything looks good except Puppet fails on the 4 systems that have shorewall. It might be that upgrading the shorewall module or Feature #11838 will fix that. I’ll look into this tomorrow or Saturday.

#17 Updated by intrigeri 2018-04-06 08:15:28

  • % Done changed from 20 to 30

intrigeri wrote:
> Puppet fails on the 4 systems that have shorewall. It might be that upgrading the shorewall module or Feature #11838 will fix that.

Fixed by Feature #11838 :)

I’ve also followed the rest of the upgrade doc and then https://docs.puppet.com/puppet/4.5/upgrade_major_post.html.

Next steps:

#18 Updated by intrigeri 2018-04-06 08:37:23

  • Assignee changed from intrigeri to groente
  • % Done changed from 30 to 50
  • QA Check set to Ready for QA

intrigeri wrote:
> Next steps:
>
> * ensure our last run check + the corresponding monitoring works fine

It’s broken => Bug #15493.

> * Feature #15492
> * Feature #15490

Both are now ready for QA.

#19 Updated by groente 2018-05-02 10:52:11

  • blocked by deleted (Feature #15490: Remove MariaDB on puppet-git.lizard)

#20 Updated by groente 2018-05-02 13:54:35

  • blocks deleted (Feature #11833: Make our Puppet code compatible with the "future" parser)

#21 Updated by groente 2018-05-02 13:55:18

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

clear, thanks!

#22 Updated by groente 2018-05-02 13:58:49

  • blocked by deleted (Feature #11838: Upgrade Puppet agents to Puppet 4)