Upgrade Puppet to version 7
A lot of modules require Puppet versions >5.5, so we should upgrade Puppet.
Note: Puppet, Puppet Server and Puppet DB version 7 are now in Bookworm.
Preparation
- Install a dev Puppet Server VM in Skink with Bookworm.
- Deploy a Puppet Server there using a dev env, add itself as a Puppet node.
- Fix whatever is needed so it's able to properly run and configure itself.
- Upgrade all submodules to the lowest version compatible with Puppet 7 (we are unsure about backwards compatibility and want to have a working setup as soon as possible)
Reinstall the production Puppet Server using Bookworm
- Disable Puppet Agent in all machines
- Stop the Puppet Server VM
- Install a fresh Puppet Server VM with Bookworm, use the same Libvirt config (name, IP, resources, etc) (related: #17982 (closed))
- Push to the new VM the changes made to the dev env in the preparation step
- Add puppet.lizard as a node to itself
Add all machines to the new Puppet Server
For each machine:
- Allow connections from the node to the Puppet VM (VPN and firewall will be broken, so this might need custom net/forward iptables rules locally and on lizard)
- Add noop = true to /etc/puppet/puppet.conf
- Check what would change or break and needs fixing by running the Puppet Agent with --noop
- Fix whatever is needed
- Remove noop = true from /etc/puppet/puppet.conf
- Run Puppet Agent in the machine until it stops complaining and is happy
Add physical servers:
- Skink
- Iguana
- Dragon
- Lizard
- Stone (Masterless node)
Add 3rd-party VMs:
- teels.tails.boum.org
- ecours.tails.boum.org
Add self-hosted VMs:
- apt.lizard
- apt-proxy.lizard
- bitcoin.lizard
- bittorrent.lizard
- bridge.lizard
- dns.lizard
- mail.lizard
- misc.lizard
- puppet.lizard
- puppet-git.lizard
- rsync.lizard
- survey.lizard
- translate.lizard
- whisperback.lizard
- www.lizard
- isoworker1.dragon
- isoworker2.dragon
- isoworker3.dragon
- isoworker4.dragon
- isoworker5.dragon
- jenkins.dragon
- gitlab-runner.iguana
- isoworker6.iguana
- isoworker7.iguana
- isoworker8.iguana
Needfix
- Mirroring of puppet-code.git from the Puppet VM to GitLab is broken
- Puppet Server can't find the gpgme gem -- ⚠ Breaks yapgp!
- Document the issue with hiera-eyaml: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1927662.html
- Document manual creation of the puppet@puppet SSH or Puppetize it
- Make sure GitLab knows about all new SSH keys
- Make sure Gitolite knows about all new SSH keys
- Make sure there's documentation about the manual installation of SSH keys (GitLab, Gitolite, something else?)
- Decide about the unmaintained translate module
- Decide about the future of tails/puppet-reprepro
Upgrade submodules to latest version compatible
For each 3rd-party submodule:
- Upgrade it to the latest version compatible with Puppet 7
- Fix whatever is needed to make our code compatible with that version
Submodules:
- modules/apt
- modules/apt_listchanges
- modules/archive
- modules/augeas
- modules/augeasproviders_core
- modules/augeasproviders_ssh
- modules/backupninja
- modules/bitcoind
- modules/borgbackup
- modules/concat
- modules/docker
- modules/dovecot
- modules/etckeeper
- modules/extlib
- modules/firewall
- modules/git
- modules/gitlab_ci_runner
- modules/gitolite
- modules/groupmembership
- modules/healthcheck
- modules/icinga2
- modules/icingaweb2
- modules/inifile
- modules/jenkins
- modules/letsencrypt
- modules/libvirt
- modules/loginrecords
- modules/mailalias
- modules/munin
- modules/mysql
- modules/network
- modules/nginx
- modules/openssl
- modules/podman
- modules/postfix
- modules/postgresql
- modules/powerdns
- modules/puppet
- modules/puppetdb
- modules/rbac
- modules/reboot
- modules/redis
- modules/reprepro
- modules/rspamd
- modules/rss2email
- modules/schleuder
- modules/sshkeys
- modules/stdlib
- modules/sudo
- modules/sysctl
- modules/systemd
- modules/tails
- modules/timezone
- modules/tirewall
- modules/tor
- modules/translate
- modules/unattended_upgrades
- modules/vcsrepo
- modules/weblate
- modules/yapgp
Edited by Zen Fu