Upgrade Puppet to version 7
Many modules require Puppet versions >5.5, so we should upgrade Puppet.
Note: Puppet, Puppet Server and Puppet DB version 7 are now in Bookworm.
Preparation
- Install a dev Puppet Server VM in Skink with Bookworm.
- Deploy a Puppet Server there using a dev env, add itself as a Puppet node.
- Fix whatever is needed so it's able to properly run and configure itself.
- Upgrade all submodules to the lowest version compatible with Puppet 7 (we are unsure about backwards compatibility and want to have a working setup as soon as possible)
Reinstall the production Puppet Server using Bookworm
- Disable Puppet Agent in all machines
- Stop the Puppet Server VM
- Install a fresh Puppet Server VM with Bookworm, use the same Libvirt config (name, IP, resources, etc) (related: #17982 (closed))
- Push to the new VM the changes made to the dev env in the preparation step
- Add puppet.lizard as a node to itself
Add all machines to the new Puppet Server
For each machine:
- Allow connections from the node to the Puppet VM (VPN and firewall will be broken, so this might need custom net/forward iptables rules locally and on lizard)
- Add noop = true to /etc/puppet/puppet.conf
- Check what would change or break and needs fixing by running the Puppet Agent with --noop
- Fix whatever is needed
- Remove noop = true from /etc/puppet/puppet.conf
- Run Puppet Agent in the machine until it stops complaining and is happy
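
The per-machine noop cycle above, written out as shell functions (an added example, not part of the original issue or the Tails Puppet code). Placing the setting in the [agent] section, the function names and the sample agent output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: noop goes in the [agent] section; function
# names are hypothetical; SAMPLE_RUN is constructed agent output.

# Remove any "noop = ..." line, rewriting in place to keep owner and mode.
noop_unset() {
    conf=$1
    grep -v '^[[:space:]]*noop[[:space:]]*=' "$conf" > "$conf.tmp" || true
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Ensure exactly one "noop = true" under [agent], creating the section if absent.
noop_set() {
    conf=$1
    noop_unset "$conf"    # drop any earlier setting so repeated calls are idempotent
    if grep -q '^\[agent\]' "$conf"; then
        awk '{ print } /^\[agent\]/ { print "noop = true" }' "$conf" > "$conf.tmp"
    else
        { cat "$conf"; printf '\n[agent]\nnoop = true\n'; } > "$conf.tmp"
    fi
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Count resources the agent reports it would have changed: lines tagged "(noop)".
count_noop_changes() {
    grep -c '(noop)' || true
}

# Constructed sample of agent output from a noop run.
SAMPLE_RUN="Notice: /Stage[main]/Example/File[/etc/example.conf]/content: current_value '{sha256}1111', should be '{sha256}2222' (noop)
Notice: Class[Example]: Would have triggered 'refresh' from 1 event
Notice: Applied catalog in 2.10 seconds"

# On a node the cycle is:
#   noop_set /etc/puppet/puppet.conf
#   puppet agent --test --noop 2>&1 | count_noop_changes   # review and fix, repeat
#   noop_unset /etc/puppet/puppet.conf
#   puppet agent --test
printf 'pending changes in sample run: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RUN" | count_noop_changes)"
```

Keeping noop = true in the file until the dry run has been reviewed means a scheduled agent run cannot apply the new server's catalog in the meantime.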
Add physical servers:
- Skink
- Iguana
- Dragon
- Lizard
- Stone (Masterless node)
Add 3rd-party VMs:
- teels.tails.boum.org
- ecours.tails.boum.org
Add self-hosted VMs:
- apt.lizard
- apt-proxy.lizard
- bitcoin.lizard
- bittorrent.lizard
- bridge.lizard
- dns.lizard
- mail.lizard
- misc.lizard
- puppet.lizard
- puppet-git.lizard
- rsync.lizard
- survey.lizard
- translate.lizard
- whisperback.lizard
- www.lizard
- isoworker1.dragon
- isoworker2.dragon
- isoworker3.dragon
- isoworker4.dragon
- isoworker5.dragon
- jenkins.dragon
- gitlab-runner.iguana
- isoworker6.iguana
- isoworker7.iguana
- isoworker8.iguana
Needfix
- Mirroring of puppet-code.git from the Puppet VM to GitLab is broken
- Puppet Server can't find the gpgme gem -- ⚠ Breaks yapgp!
- Document the issue with hiera-eyaml: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1927662.html
- Document manual creation of the puppet@puppet SSH or Puppetize it
- Make sure GitLab knows about all new SSH keys
- Make sure Gitolite knows about all new SSH keys
- Make sure there's documentation about the manual installation of SSH keys (GitLab, Gitolite, something else?)
- Decide about the unmaintained translate module
- Decide about the future of tails/puppet-reprepro
Upgrade submodules to latest version compatible
For each 3rd-party submodule:
- Upgrade it to the latest version compatible with Puppet 7
- Fix whatever is needed to make our code compatible with that version
Submodules:
- modules/apt
- modules/apt_listchanges
- modules/archive
- modules/augeas
- modules/augeasproviders_core
- modules/augeasproviders_ssh
- modules/backupninja
- modules/bitcoind
- modules/borgbackup
- modules/concat
- modules/docker
- modules/dovecot
- modules/etckeeper
- modules/extlib
- modules/firewall
- modules/git
- modules/gitlab_ci_runner
- modules/gitolite
- modules/groupmembership
- modules/healthcheck
- modules/icinga2
- modules/icingaweb2
- modules/inifile
- modules/jenkins
- modules/letsencrypt
- modules/libvirt
- modules/loginrecords
- modules/mailalias
- modules/munin
- modules/mysql
- modules/network
- modules/nginx
- modules/openssl
- modules/podman
- modules/postfix
- modules/postgresql
- modules/powerdns
- modules/puppet
- modules/puppetdb
- modules/rbac
- modules/reboot
- modules/redis
- modules/reprepro
- modules/rspamd
- modules/rss2email
- modules/schleuder
- modules/sshkeys
- modules/stdlib
- modules/sudo
- modules/sysctl
- modules/systemd
- modules/tails
- modules/timezone
- modules/tirewall
- modules/tor
- modules/translate
- modules/unattended_upgrades
- modules/vcsrepo
- modules/weblate
- modules/yapgp
Edited by Zen Fu