Feature #11837: Upgrade Puppet master to Puppet 4

Feature #11837

Upgrade Puppet master to Puppet 4

Added by intrigeri 2016-09-24 04:48:17 . Updated 2018-05-02 13:55:18 .

Status:

Resolved

Priority:

Normal

Assignee:

groente

Category:

Infrastructure

Target version:

Tails_3.7

Start date:

2016-09-24

Due date:

% Done:

100%

Feature Branch:

Type of work:

Sysadmin

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

https://docs.puppet.com/puppet/4.5/reference/upgrade_major_server.html

Also see https://bugs.debian.org/832536 and https://lists.alioth.debian.org/pipermail/pkg-puppet-devel/2017-January/010545.html wrt. backwards compatibility with 3.x agents, that might require a little bit of patching on the agent side.

As of 2018-04-04, to install PuppetDB from Debian on Strech one needs:

ackage: lib*-clojure lib*-java
Pin: release o=Debian,n=buster
Pin-Priority: 990

Package: puppetdb libcomidi-clojure libdujour-version-check-clojure libpantomime-clojure libpuppetlabs-http-client-clojure libpuppetlabs-ring-middleware-clojure libssl-utils-clojure libtrapperkeeper-metrics-clojure libtrapperkeeper-status-clojure libtrapperkeeper-webserver-jetty9-clojure libtika-java
Pin: release o=Debian,n=sid
Pin-Priority: 990

To make PuppetDB work and the puppetmaster use it (on sid):

install Puppet from Stretch (due to https://bugs.debian.org/894800) and apply https://github.com/puppetlabs/puppet/commit/578687a00195191185f44d8cb38f4b7716d99c31 (otherwise it won’t work on sid)
dpkg-reconfigure puppetdb, go through the dbconfig setup and leave the default settings
set up TLS like /usr/share/doc/puppetdb/README.Debian says:
- cp -a /var/lib/puppet/ssl/certs/localhost.pem /etc/puppetdb/cert.pem && cp -a /var/lib/puppet/ssl/private_keys/localhost.pem /etc/puppetdb/private_key.pem && cp -a /var/lib/puppet/ssl/ca/ca_crt.pem /etc/puppetdb/ca_crt.pem && chown puppetdb:puppetdb /etc/puppetdb/*.pem
- adjust /etc/puppetdb/conf.d/jetty.ini:
  - ssl-port = 8081
  - ssl-key = /etc/puppetdb/private_key.pem
  - ssl-cert = /etc/puppetdb/cert.pem
  - ssl-ca-cert = /etc/puppetdb/ca_crt.pem
patch puppetdb.service to use /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java instead of /usr/bin/java
install puppet-terminus-puppetdb and postgresql
enable storeconfigs in puppet.conf
create /etc/puppet/puppetdb.conf, owned by puppet:puppet, with contents:
```
[main]
server_urls = https://localhost:8081
```
create /etc/puppet/routes.yaml, owned by puppet:puppet, with contents:
```
---
master:
  facts:
    terminus: puppetdb
    cache: yaml
```

Subtasks

Related issues

Blocked by Tails - ~~Feature #11836~~: Stop stringifying Puppet facts	Resolved	2016-09-24
Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure)	Confirmed	2017-06-30

History

#1 Updated by intrigeri 2016-09-24 04:48:33

blocked by ~~Feature #11833~~: Make our Puppet code compatible with the "future" parser added

#2 Updated by intrigeri 2016-09-24 04:48:37

blocked by ~~Feature #11835~~: Upgrade Puppet master and clients to 3.8 added

#3 Updated by intrigeri 2016-09-24 04:48:43

blocked by ~~Feature #11836~~: Stop stringifying Puppet facts added

#4 Updated by intrigeri 2016-09-24 04:49:29

blocks ~~Feature #11838~~: Upgrade Puppet agents to Puppet 4 added

#5 Updated by intrigeri 2016-10-02 13:27:50

blocks deleted (~~~~Feature #11835~~: Upgrade Puppet master and clients to 3.8~~)

#6 Updated by intrigeri 2017-04-09 11:01:43

Assignee set to intrigeri

#7 Updated by intrigeri 2017-04-11 16:05:04

Description updated

#8 Updated by intrigeri 2017-06-05 13:39:40

Target version set to Tails_3.5

#9 Updated by intrigeri 2018-01-09 22:58:08

Target version changed from Tails_3.5 to Tails_3.6

#10 Updated by intrigeri 2018-01-09 23:01:16

blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#11 Updated by intrigeri 2018-01-26 20:24:18

Target version changed from Tails_3.6 to Tails_3.7

#12 Updated by intrigeri 2018-04-04 08:44:34

Description updated

#13 Updated by intrigeri 2018-04-04 11:38:48

Description updated

#14 Updated by intrigeri 2018-04-04 12:08:02

Description updated

#15 Updated by intrigeri 2018-04-05 13:07:21

blocks ~~Feature #15490~~: Remove MariaDB on puppet-git.lizard added

#16 Updated by intrigeri 2018-04-05 16:14:49

Status changed from Confirmed to In Progress
% Done changed from 0 to 20

Upgrade done, re-enabled puppet agent everywhere, everything looks good except Puppet fails on the 4 systems that have shorewall. It might be that upgrading the shorewall module or ~~Feature #11838~~ will fix that. I’ll look into this tomorrow or Saturday.

#17 Updated by intrigeri 2018-04-06 08:15:28

% Done changed from 20 to 30

intrigeri wrote:
> Puppet fails on the 4 systems that have shorewall. It might be that upgrading the shorewall module or ~~Feature #11838~~ will fix that.

Fixed by ~~Feature #11838~~ :)

I’ve also followed the rest of the upgrade doc and then https://docs.puppet.com/puppet/4.5/upgrade_major_post.html.

Next steps:

ensure our last run check + the corresponding monitoring works fine
~~Feature #15492~~
~~Feature #15490~~

#18 Updated by intrigeri 2018-04-06 08:37:23

Assignee changed from intrigeri to groente
% Done changed from 30 to 50
QA Check set to Ready for QA

intrigeri wrote:
> Next steps:
>
> * ensure our last run check + the corresponding monitoring works fine

It’s broken => ~~Bug #15493~~.

> * ~~Feature #15492~~
> * ~~Feature #15490~~

Both are now ready for QA.

#19 Updated by groente 2018-05-02 10:52:11

blocked by deleted (~~~~Feature #15490~~: Remove MariaDB on puppet-git.lizard~~)

#20 Updated by groente 2018-05-02 13:54:35

blocks deleted (~~~~Feature #11833~~: Make our Puppet code compatible with the "future" parser~~)

#21 Updated by groente 2018-05-02 13:55:18

Status changed from In Progress to Resolved
% Done changed from 50 to 100
QA Check changed from Ready for QA to Pass

clear, thanks!

#22 Updated by groente 2018-05-02 13:58:49

blocked by deleted (~~~~Feature #11838~~: Upgrade Puppet agents to Puppet 4~~)