From dd4b3f22c328e4caf88f197b78b5fb73adf95809 Mon Sep 17 00:00:00 2001 From: ebner Date: Mon, 30 Oct 2023 11:43:45 +0100 Subject: [PATCH 01/13] update gateway documentation --- services-admin-guide/ssh_gateways.md | 9 ++++++++- services-user-guide/ssh_gateways.md | 6 +----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/services-admin-guide/ssh_gateways.md b/services-admin-guide/ssh_gateways.md index 00746a7f..d3f325bd 100644 --- a/services-admin-guide/ssh_gateways.md +++ b/services-admin-guide/ssh_gateways.md @@ -2,7 +2,14 @@ The purpose of the ssh gateways is to give access to protected networks and resources (for a finite period of time). -Users are only supposed to use ssh to connect and on the gateways. They are also supposed to only use the ssh command to further connect to other machines. It is not intended that users keep state on the gateways (e.g. screen/tmux sessions) +Users are only supposed to use ssh to connect to the gateways as well as them to further connect to other machines. Never the less, for ease of use, there are some protocols/ports that can directly be accessed from the ssh gateway. These ports include: 5900 VNC, 3389 RDP, ICMP/PING. +Therefore direct portforwarding on those ports will work. + +``` +ssh -L 3389:machine-you-want-to-connect:3389 protected-network-gw +``` + +It is not intended that users keep state on the gateways (e.g. screen/tmux sessions) Depending on the gateway the user authenticates via password or password/MFA combination. diff --git a/services-user-guide/ssh_gateways.md b/services-user-guide/ssh_gateways.md index 0e83300a..d079d68b 100644 --- a/services-user-guide/ssh_gateways.md +++ b/services-user-guide/ssh_gateways.md 
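Review bot: the rewritten sentence in the first added line is hard to parse ("use ssh to connect to the gateways as well as them to further connect to other machines") and "Never the less" should be "Nevertheless"; suggest "Users are only supposed to use ssh to connect to the gateways, and ssh from the gateways to reach other machines. Nevertheless, for ease of use, a few protocols/ports can be reached directly through the gateway: 5900 (VNC), 3389 (RDP) and ICMP/ping." The new fence is untagged while the user guide changed in the same patch uses ```bash, and the `ssh -L 3389:...` example deserves one sentence saying that the forward only exists for the lifetime of the authenticated SSH session, which ties it back to the "no state on the gateways" rule that this hunk moves below the example.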
@@ -1,10 +1,9 @@ # SSH Gateways -The purpose of the ssh gateways is to give temporary access to protected networks and resources. Users are only supposed to use __ssh__ to connect to and on the gateways. They are not supposed to only use the __ssh__ command to further connect to the machine they need to connect to. +The purpose of the ssh gateways is to give temporary access to protected networks and resources. Users are only supposed to use __ssh__ to connect to and from the gateways. The access to the gateway is controlled by special ActiveDirectory groups. The membership of the groups are managed by the responsible of the protected network the gateway gives access to. In case of a beamline this is the beamline scientist. - Connecting to a gateway: ```bash @@ -25,6 +24,3 @@ Establishing an SSH connection through the gateway to a machine inside the prote ```bash ssh -J -gw ``` - - - From 715fdba4cef2b1873ef65761d7cbf1304c212f57 Mon Sep 17 00:00:00 2001 From: ebner Date: Mon, 30 Oct 2023 12:53:23 +0100 Subject: [PATCH 02/13] add link to list of supported gateways --- services-admin-guide/ssh_gateways.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services-admin-guide/ssh_gateways.md b/services-admin-guide/ssh_gateways.md index d3f325bd..ff27821d 100644 --- a/services-admin-guide/ssh_gateways.md +++ b/services-admin-guide/ssh_gateways.md @@ -34,6 +34,10 @@ However, the general baseline is that always the responsible of the protected ne The administration and management of the gateways is done via hiera: https://git.psi.ch/linux-infra/hiera/data-lx (all the machines are in the sshgw group) +## Gateway List +The list of supported gateways can be found here: +https://git.psi.ch/linux-infra/ansible/playbooks/lx_ansible/-/blob/main/inventory.yaml#L3 + ## Troubleshooting From 18e2ca37d1e2e71b44b205899ec0229372953da1 Mon Sep 17 00:00:00 2001 
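Review bot: the new Gateway List link ends in `#L3`, a line anchor into `inventory.yaml` on `main`; that anchor will silently point at the wrong line as soon as the inventory is edited. Link to the file without the line number (the admin guide already says the machines are in the `sshgw` group, so naming that group is enough to find them), or use a commit-pinned permalink if a line anchor is really wanted.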
From: ebner Date: Tue, 31 Oct 2023 10:45:24 +0100 Subject: [PATCH 03/13] added dmz part - not fully done yet --- .../overview_linux.drawio.svg | 1386 +++++++++++------ 1 file changed, 899 insertions(+), 487 deletions(-) diff --git a/infrastructure-guide/overview_linux.drawio.svg b/infrastructure-guide/overview_linux.drawio.svg index 79ee80cd..cb99ce8b 100644 --- a/infrastructure-guide/overview_linux.drawio.svg +++ b/infrastructure-guide/overview_linux.drawio.svg @@ -1,13 +1,14 @@ - + - - - + + + + -
[draw.io SVG diff body of infrastructure-guide/overview_linux.drawio.svg not reproduced: only the diagram's text nodes survived extraction. Existing labels touched by the hunks: tftp udp:69, timer / pull (every 30s), iso sync: https://id-sat-prd-02.ethz.ch/pub/isos/..., http tcp:80, tcp:8086, network infra structure servers, subscribed via, sysdb.psi.ch, internet repositories, repo sync sources defined in /opt/rpm-repo-ut..., boot.psi.ch, /tftpboot, repos.psi.ch, /packages, metric00.psi.ch, influx00.psi.ch, Local storage for data..., lxweb00.psi.ch / linux.web.psi.ch / 129.129.190.46, puppet.psi.ch / puppet01.psi.ch, puppet00-test.psi.ch, https/443 8140, http:80, https:443, manual pull/ansible, icmp/ping, lx-sync-01.psi.ch (repo sync RHEL7/8), id-sat-prd-02.ethz.ch (located at and operated by ETHZ), lx-fs.psi.ch, NFS4, https://git.psi.ch/linux-infra/network-boot, https://git.psi.ch/linux-infra/sysdb, /dist "/afs/psi.ch/project/linux/www/dist". Labels added for the DMZ part: Firewall, F5, sync-iso /sync-tag, repos-dmz.psi.ch / lx-repos-dmz-01.psi.ch, boot-dmz.psi.ch / lx-boot-dmz-01.psi.ch, lx-fs-dmz.psi.ch, lx-fs-dmz-ext.psi.ch, /packages_dmz, GET / grub/kickstart requests / only UEFI, http tcp:80 https tcp:443, tftp udp:69, manual push, https://git.psi.ch/linux-infra/network-boot-dmz, puppet-dmz.psi.ch / sysdb-dmz.psi.ch, "add additional parameter for the sysdb request", "client certificate / puppet uses this to identify the machine ? Does this work with a reverse proxy?".]
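Review bot: the diagram text added for the DMZ path still carries an open design question next to the F5 / puppet-dmz.psi.ch nodes ("client certificate / puppet uses this to identify the machine ? Does this work with a reverse proxy?"), and the commit message itself says "not fully done yet". Puppet agents are identified by their client certificate, so a reverse proxy that terminates TLS in front of puppet-dmz breaks agent authentication unless it passes the TLS session through or the server is configured to trust client-certificate information forwarded by that proxy; resolve this before merging, or mark the DMZ nodes in the drawing as draft so the infrastructure guide does not publish an undecided trust path.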
From 733d8c829c27aaf49846c634ddf26bc028110aa4 Mon Sep 17 00:00:00 2001 From: ebner Date: Thu, 2 Nov 2023 10:07:59 +0100 Subject: [PATCH 04/13] add information about port 4000 for ssh gateways --- services-admin-guide/ssh_gateways.md | 2 +- .../ssh_gateways_overview.drawio.svg | 28 +++++++++++++++---- services-user-guide/nx_nomachine.md | 2 ++ 3 files changed, 26 insertions(+), 6 deletions(-) diff --git a/services-admin-guide/ssh_gateways.md b/services-admin-guide/ssh_gateways.md index ff27821d..6fbf7404 100644 --- a/services-admin-guide/ssh_gateways.md +++ b/services-admin-guide/ssh_gateways.md @@ -2,7 +2,7 @@ The purpose of the ssh gateways is to give access to protected networks and resources (for a finite period of time). -Users are only supposed to use ssh to connect to the gateways as well as them to further connect to other machines. Never the less, for ease of use, there are some protocols/ports that can directly be accessed from the ssh gateway. These ports include: 5900 VNC, 3389 RDP, ICMP/PING. +Users are only supposed to use ssh to connect to the gateways as well as them to further connect to other machines. Never the less, for ease of use, there are some protocols/ports that can directly be accessed from the ssh gateway. These ports include: 5900 VNC, 3389 RDP, 4000 NX, ICMP/PING. Therefore direct portforwarding on those ports will work. ``` diff --git a/services-admin-guide/ssh_gateways_overview.drawio.svg b/services-admin-guide/ssh_gateways_overview.drawio.svg index 54d90209..1f5667bc 100644 --- a/services-admin-guide/ssh_gateways_overview.drawio.svg +++ b/services-admin-guide/ssh_gateways_overview.drawio.svg @@ -1,4 +1,4 @@ - + @@ -89,6 +89,24 @@
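Review bot: the port list now reads "5900 VNC, 3389 RDP, 4000 NX, ICMP/PING" while the diagram changed in the same patch labels it "NX / 4000"; use one notation in both places. The unchanged "Never the less" in the same line should become "Nevertheless" while the line is being touched anyway. Since this list is effectively the gateway's allowlist of forwardable ports, state explicitly that ports not listed are blocked, so readers do not assume `-L` works for arbitrary ports.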
[draw.io SVG diff body of services-admin-guide/ssh_gateways_overview.drawio.svg not reproduced (only text nodes survived extraction): a new ICMP/PING label is added and an existing ICMP/PING label is changed to NX / 4000.]
@@ -220,8 +238,8 @@ - Viewer does not support full SVG 1.1 + Text is not SVG - cannot display - \ No newline at end of file + diff --git a/services-user-guide/nx_nomachine.md b/services-user-guide/nx_nomachine.md index 310f17fa..f9e1ffe0 100644 --- a/services-user-guide/nx_nomachine.md +++ b/services-user-guide/nx_nomachine.md @@ -2,3 +2,5 @@ More info on the nomachine service can be found here: [User Documentation - Intranet](https://www.psi.ch/en/photon-science-data-services/remote-interactive-access) + + From dd6890995c59e1110146e854dca7ba6495ece9ed Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 11:42:23 +0100 Subject: [PATCH 05/13] move software installation docs to admin configuration guides --- _toc.yml | 6 +- admin-guide/configuration.md | 10 ++- admin-guide/configuration/packages.md | 122 ++++++++++++++++++++++++++ 3 files changed, 135 insertions(+), 3 deletions(-) create mode 100644 admin-guide/configuration/packages.md diff --git a/_toc.yml b/_toc.yml index f253e65b..c6f9a11a 100644 --- a/_toc.yml +++ b/_toc.yml @@ -36,13 +36,17 @@ chapters: - file: admin-guide/configuration sections: - file: admin-guide/configuration/icinga2 - - file: admin-guide/configuration/central_logging_elastic + - file: admin-guide/configuration/packages +# - file: admin-guide/configuration/package_updates +# - file: admin-guide/configuration/package_repositories +# - file: admin-guide/configuration/services - file: admin-guide/configuration/mount - file: admin-guide/configuration/distribute_files - file: admin-guide/configuration/vgroot - file: admin-guide/configuration/xrdp - file: admin-guide/configuration/custom_nameservers - file: admin-guide/configuration/puppet_agent + - file: admin-guide/configuration/central_logging_elastic - file: admin-guide/configuration/keyboard_layout - file: admin-guide/configuration/autologin - file: admin-guide/configuration/screen_lock 
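Review bot: the `_toc.yml` hunk adds `package_updates`, `package_repositories` and `services` as commented-out entries while `configuration.md` in the same commit links to all four pages; until the entries are enabled (and `configuration/services.md` exists) the book build will complain about documents that are linked but not in any toctree, or simply missing. Enable the entries together with the pages they point to, or keep the links out of `configuration.md` until then.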
diff --git a/admin-guide/configuration.md b/admin-guide/configuration.md index a78766ae..e3cb4266 100644 --- a/admin-guide/configuration.md +++ b/admin-guide/configuration.md @@ -5,8 +5,11 @@ Here starts a so far small collections of configuration guides for sysadmins of ## Monitoring - [Icinga2](configuration/icinga2) -## Logging -- [Setup Central Logging to Elastic](configuration/central_logging_elastic) +## Software Management +- [Package Installation](configuration/packages) +- [Automated Package Updates](configuration/package_updates) +- [Adding Package Repositories](configuration/package_repositories) +- [Managing Services with Systemd)](configuration/services) ## Basic Setup - [Mounting Volumes](configuration/mount) @@ -16,6 +19,9 @@ Here starts a so far small collections of configuration guides for sysadmins of - [Custom Nameservers](configuration/custom_nameservers) - [Puppent Agent run frequency](configuration/puppet_agent) +## Logging +- [Setup Central Logging to Elastic](configuration/central_logging_elastic) + ## Desktop - [Keyboard Layout](configuration/keyboard_layout) - [Autologin](configuration/autologin) diff --git a/admin-guide/configuration/packages.md b/admin-guide/configuration/packages.md new file mode 100644 index 00000000..ed563e5e --- /dev/null +++ b/admin-guide/configuration/packages.md 
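Review bot: "Managing Services with Systemd)" has a stray closing parenthesis, and it links to `configuration/services`, a page this commit neither creates nor enables in `_toc.yml` (the entry stays commented out); either add the page or leave the link out until it exists, otherwise the index ships a dead link.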
@@ -0,0 +1,122 @@ +# Package Installation + +## Install Packages with Hiera Package Groups + +The packages automatically installed onto a system by Puppet are managed in the Hiera list `base::package_groups`. It contains the names of the package groups to be installed. Items can be added at all levels of the Hiera hierarchy and are merged. + +The package groups itself are Hieara lists named `base::pkg_group::$USE_CASE`. +Here list all the packages you want to install. + +Currently there exist the following package groups in the main [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml): + +- `base::pkg_group::system_tools` (installed by default) +- `base::pkg_group::daq_buffer` +- `base::pkg_group::desktop_settings` +- `base::pkg_group::dev` +- `base::pkg_group::login_server` +- `base::pkg_group::qt5` +- `base::pkg_group::root` + +but further ones can be created in Hiera at lower hierachies and added to `base::package_groups`, for example + +``` +base::pkg_group::java: + - 'java-1.8.0-openjdk' + - 'java-11-openjdk' + - 'java-17-openjdk' + +base::package_groups: + - 'java' +``` + + + +## Install a Group of Packages + +To add a RedHat predefined group of packages (checkout out `dnf grouplist --hidden`) prepend the name of it with a `@`, e.g. for "Java Platform" it would be `@Java Platform`: + +``` +base::pkg_group::java: + - '@Java Platform' +``` + +## Install Latest Package Version + +Puppet by default only checks if a package is installed and only installs it if missing. 
+To ensure that always the latest available package version is installed, append the `:latest` tag to the package name in the package group: + +``` +base::pkg_group::java: + - 'java-1.8.0-openjdk' + - 'java-11-openjdk' + - 'java-17-openjdk:latest' +``` + +## Install Packages only on Given OS Version + + Certain packages are only used on a given OS Version, so a `os=` with the OS name and the major version selects a package only for given OS, where as a `os!` will filter away given package on hosts with given OS, so they are not installed there. + +``` +base::pkg_group::java: + - 'java-1.8.0-openjdk:os=redhat7' + - 'java-11-openjdk' + - 'java-17-openjdk:os!redhat7' +``` + +Note that this tag can be combined with the `latest` and `absent` tag. + +## Install Module Stream + +RHEL 8 introduced the concept of [module streams](https://docs.pagure.org/modularity/). +A specific stream can be selected with the `stream` tag: +``` +base::pkg_group::nodejos: + - 'nodejs:stream=12' +``` + +## Remove Packages + +To remove an already installed package, append the `:absent` tag to the package name in the package group: + +``` +base::pkg_group::java: + - 'java-1.8.0-openjdk:absent' + - 'java-11-openjdk' + - 'java-17-openjdk' +``` + +## Ignore Packages + +To make packages unavailable for installation, even though provided by the package repositories, add them in Hiera to the list `base::package_exclude`: +``` +base::package_exclude: + - 'epics-base-7.0.6*' +``` +This list is merged over the full Hiera hierachy, so there is no need to copy exclusions from higher levels when creating an exclusion on a low level. + +This list can also be used to opt out packages from other, maybe inherited package groups. But unlike the `:absent` tag in a package list it will not uninstall a package when found. + +### Install Debuginfo Packages + +The package repositories for debuginfo packages are disabled by default. 
To spontaneously install such a package, do + +``` +dnf --enablerepo '*_debug' install ... +``` + +## Legacy Package Installation + +The legacy Hiera lists for package groups is `yum_client::pkg_group::$USE_CASE` and supports the `latest` and `absent` tag, but not the filtering by operating system version. + +Then `yum_client::package_groups` is the Hiera list to contain the package groups to be installed. + +Please migrate them to the equivalent `base::*` list. You can have both of them available at the same time, with possibly the same content. + +## Missing Package + +If there is no such package in the repositories, then + +``` +Error: Execution of '/usr/bin/dnf -d 0 -e 1 -y install non-existing-package-for-test' returned 1: Error: Unable to find a match: non-existing-package-for-test +``` + From 35eba470df33fc9b14ecd151517a83779c801d6f Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 14:28:25 +0100 Subject: [PATCH 06/13] move automatic package updates documentation --- _toc.yml | 2 +- admin-guide/configuration/package_updates.md | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 admin-guide/configuration/package_updates.md diff --git a/_toc.yml b/_toc.yml index c6f9a11a..4974d33d 100644 --- a/_toc.yml +++ b/_toc.yml @@ -37,7 +37,7 @@ chapters: sections: - file: admin-guide/configuration/icinga2 - file: admin-guide/configuration/packages -# - file: admin-guide/configuration/package_updates + - file: admin-guide/configuration/package_updates # - file: admin-guide/configuration/package_repositories # - file: admin-guide/configuration/services - file: admin-guide/configuration/mount diff --git a/admin-guide/configuration/package_updates.md b/admin-guide/configuration/package_updates.md new file mode 100644 index 00000000..7525cba9 --- /dev/null +++ b/admin-guide/configuration/package_updates.md 
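Review bot: several defects in the new page: "Hieara" should be "Hiera", "hierachies" should be "hierarchies", "checkout out" should be "check out", and the example key `base::pkg_group::nodejos` should be `base::pkg_group::nodejs` (as written it would define an unused group and the `nodejs` group in `base::package_groups` would stay empty). "Install Debuginfo Packages" is a `###` under `## Ignore Packages` although it is a sibling topic. The "Missing Package" section stops mid-sentence ("If there is no such package in the repositories, then") before the error output; finish it, e.g. "then the Puppet run fails with:". The OS-filter section says the tag "can be combined with the `latest` and `absent` tag" but never shows the combined syntax, so readers cannot tell whether tag order matters; add one example line. Finally, `:latest` makes every Puppet run upgrade that package independently of the `base::automatic_updates::*` policy documented later in this series; one sentence on that interaction would stop the two mechanisms being configured against each other.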
@@ -0,0 +1,12 @@ +# Automated Package Updates + +The automatic updates are controlled in Hiera: + +| Hiera key | default | comments | +|-----------------------------------|----------|-------------------------------------------------------------------------------| +| base::automatic_updates::interval | weekly | valid are `daily`, `weekly` and `never` which disables the automatic updates | +| base::automatic_updates::type | security | `security` installs only security updates whereas `all` installs all updates | +| base::automatic_updates::exclude | [] | list of packages not to update, wildcards like "*" are allowed | +| base::automatic_updates::kernel | false | define if new kernel packages also should be installed automatically | + +Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates. From 75d969f97e20ffbfc4b1386884df0920bb27d9ad Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 14:33:09 +0100 Subject: [PATCH 07/13] move automatic package updates documentation --- admin-guide/configuration/package_updates.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/admin-guide/configuration/package_updates.md b/admin-guide/configuration/package_updates.md index 7525cba9..760ded84 100644 --- a/admin-guide/configuration/package_updates.md +++ b/admin-guide/configuration/package_updates.md 
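Review bot: with the defaults shown (`type: security`, `kernel: false`) a kernel security erratum is never installed automatically, and the last line says there is no automatic reboot either, so a kernel CVE needs a manual update and reboot; the page should say this plainly rather than leaving it to be inferred from two separate rows. Minor: the default column should be rendered in backticks like the keys (the very next patch in this series does exactly that, so fold it in here).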
@@ -4,9 +4,9 @@ The automatic updates are controlled in Hiera: | Hiera key | default | comments | |-----------------------------------|----------|-------------------------------------------------------------------------------| -| base::automatic_updates::interval | weekly | valid are `daily`, `weekly` and `never` which disables the automatic updates | -| base::automatic_updates::type | security | `security` installs only security updates whereas `all` installs all updates | -| base::automatic_updates::exclude | [] | list of packages not to update, wildcards like "*" are allowed | -| base::automatic_updates::kernel | false | define if new kernel packages also should be installed automatically | +| `base::automatic_updates::interval` | `weekly` | valid are `daily`, `weekly` and `never` which disables the automatic updates | +| `base::automatic_updates::type` | `security` | `security` installs only security updates whereas `all` installs all updates | +| `base::automatic_updates::exclude` | `[]` | list of packages not to update, wildcards like "*" are allowed | +| `base::automatic_updates::kernel` | `false` | define if new kernel packages also should be installed automatically | Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates. From 3dce08113cd98ad2458090ff1aa1cc7bc65334e3 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 14:47:55 +0100 Subject: [PATCH 08/13] move package repo management documentation --- _toc.yml | 2 +- .../configuration/package_repositories.md | 150 ++++++++++++++++++ 2 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 admin-guide/configuration/package_repositories.md diff --git a/_toc.yml b/_toc.yml index 4974d33d..979c4687 100644 --- a/_toc.yml +++ b/_toc.yml 
@@ -38,7 +38,7 @@ chapters: - file: admin-guide/configuration/icinga2 - file: admin-guide/configuration/packages - file: admin-guide/configuration/package_updates -# - file: admin-guide/configuration/package_repositories + - file: admin-guide/configuration/package_repositories # - file: admin-guide/configuration/services - file: admin-guide/configuration/mount - file: admin-guide/configuration/distribute_files diff --git a/admin-guide/configuration/package_repositories.md b/admin-guide/configuration/package_repositories.md new file mode 100644 index 00000000..592abc73 --- /dev/null +++ b/admin-guide/configuration/package_repositories.md 
@@ -0,0 +1,150 @@ +# Management of Package Repositories + +## Package Repository Lists +Also for configuring package repositories our configuration management works with lists containing the names of the repositories to be installed. +The default list (except for nodes with the `bootpc` and `appliances::lenovo::*` Puppet roles) is `rpm_repos::default` (legacy: `yum_client::repositories`). + +If repositories are managed in Hiera, feel free to add them to `rpm_repos::default` like +``` +rpm_repos::default: + - 'gfa' +``` + +Note that repositories for different versions of RHEL can be added and only the fitting ones will be configured on the node. + +If the package repositories are managed by a Puppet module, then it is good practice is to define a specific package repository list in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml) and then to install it only when needed. An example is `profile::telegraf` which only installes the repositories listed in `rpm_repos::influx` when needed. + +## Package Repository Definition + +An individual package repository is configured in Hiera within the namespace `rpm_repos::repo::*`, like following example: + +``` +rpm_repos::repo::epel_rhel8: + name: 'epel' + descr: "Extra Packages for Enterprise Linux 8" + baseurl: 'https://repos.psi.ch/rhel8/tags/$pli_repo_tag/epel/' + gpgkey: 'https://repos.psi.ch/rhel8/keys/epel.gpg' + disable: false + gpgcheck: true + osversion: 8 + exclude: + - "slurm*" +``` + +The legacy namespace `yum_client::repo::*` is currently used for RHEL7 repositories to be backward compatible as some Hiera configuration with higher precedence overwrites certain stuff. + +### Package Repository Name + +The reference name used in Hiera (the part after `rpm_repos::repo::` should be globally unique. An unfortunate practice is to use the same name for different package repositories. A current example is the `gfa` repository which has different URLs on different `sysdb` environments. 
+ +Note for `name` attribute, that only has to be unique on the machine where they are installed. So if there are two repositories defined to provide the same software for two different OS versions, then it is fine to have the same name there. + +### Package Repository URL + +Overriding the URL of a package repository definition on a stricter scope is considered bad practice. The URL defines the actual "identiy" of the package repository definition. It is confusing if it gets different meanings at different places. It is like one passport which will identify different persons in different countries. + +If different sources are needed, define and name them appropriately. They point to one given repository and the package repository lists are the place to select what should be applied on a given node. + +Also feel free to define all your package repositories in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml). + +### Select Package Repository by OS Version + +Usually a package repository only serves packages for one major OS version. This can be stated by the `osversion` attribute. When a package repository list is installed, only the repositories fitting the version of the OS installed on the node are selected and configured. + +If the `osversion` attribute is not set, then it is always installed. + +### Package Repository GPG Verification +GPG verification is optional, so `gpgkey` may not be defined and `gpgcheck` is `false` by default. But ideally the packages are signed and checked for tampering and corruption. + +### Exclude Packages +If certain packages provided by given repository should be ignored on the nodes, then add them to the `exclude` list. 
+ + + +## Using Specific Package Repository Snapshot +Most of the externally sourced package repositories on https://repos.psi.ch/rhel7 (RHEL7), https://repos.psi.ch/rhel8 (RHEL 8) and https://repos.psi.ch/rhel9 (RHEL 9) have snapshots which can be used to freeze the available package versions to a given date. + +The tags are different per major OS version and are definied in the Hiera hash `rpm_repos::tag`, below you see the default: + +``` +yum_client::repo_tag: 'prod' + +rpm_repos::tag: + redhat7: "%{lookup('yum_client::repo_tag')}" + redhat8: 'rhel-8' + redhat9: 'rhel-9' +``` + +So for RHEL 7 the default is `prod` and can be overriden on `yum_client::repo_tag` (backwards compatibility) or on the `redhat7` attribute of `rpm_repos::tag`. + +To fix to a specific snapshot on RHEL 8, the `redhat8` attribute has to be set on `rpm_repos::tag`, the default is `rhel-8` which points to the latest snapshot. + +The available tags your find at +- [https://repos.psi.ch/rhel9/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 9 +- [https://repos.psi.ch/rhel8/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 8 (note the `prod` tag will phase out) +- [https://repos.psi.ch/rhel7/tags/](https://repos.psi.ch/rhel7/tags/) for RHEL 7 + +### Package Repositories made Available by the Linux Group + +Availabe on all systems are: +- RedHat [BaseOS](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/baseos-repository), [AppStream](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/appstream-repository) and [CodeReady](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/codereadylinuxbuilder-repository) repositories +- [Extra Packages for Enterprise Linux (EPEL) repositories](https://docs.fedoraproject.org/en-US/epel/) +- Puppet 7 repository +- Auristor repository for YFS and AFS related packages (RHEL 7 and 8 only) +- Google Chrome repository +- pli-misc (not 
tagged for RHEL7, but on RHEL 8/9) +- Code (Visual Studio Code from Microsoft) +- Microsoft Teams +- PowerScript et. al. (Microsoft) +- HashiCorp (`vault`, `terraform`, `vagrant`, ...) +- Oracle Instant Client 19 and 21 +- Opera + + +Predefined and used when needed are: +- Influx (`influxdb`, `telegraf`, ...) +- CUDA +- Nomachine + +To be added/defined in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml)? +- GPFS +- Epics (available for RHEL7) + + +### pli-misc Repository + +A small list of packages managed by the Linux Team. + +- *RHEL8*: make v4.3 from [CentOS](https://rpmfind.net/linux/RPM/centos-stream/9/baseos/x86_64/make-4.3-7.el9.x86_64.html) as v4.2.1 has been reported to to make trouble +- latest [Zoom client](https://zoom.us/download?os=linux) +- latest [Webex client](https://www.webex.com/downloads.html) +- latest [Slack client](https://slack.com/downloads/linux) +- latest [NoMachine Enterprise Client](https://downloads.nomachine.com/download/?id=11) +- latest [Real VNC Viewer](https://www.realvnc.com/en/connect/download/viewer/), recommended for VNC remote access to Windows machines +- `pli-assets` containing the PSI and the Customer Self Service logo, any hints about the source rpm are welcome +- *RHEL8*: [mod_gearman v4.0.1](https://mod-gearman.org/download/v4.0.1/rhel8/x86_64/) +- *RHEL8*: lightdm-gtk v2.0.8-3.pli, a patched lightdm-gtk-greeter ([SRPM](https://git.psi.ch/linux-infra/lightdm-gtk-rpm), [PR](https://github.com/Xubuntu/lightdm-gtk-greeter/pull/121)) which allows to limit the presented keyboard layouts +- Code Beamer Office pluging v9.5.0 managed by Gilles Martin +- storecli 007.2007.0000.0000 managed by Marc Caubet Serrabou +- [pam_single_kcm_cache PAM Module](https://github.com/paulscherrerinstitute/pam_single_kcm_cache) managed by Konrad Bucheli +- [nvidia-detect](http://elrepo.org/tiki/nvidia-detect) copied over from ElRepo to make it generally available +- [bob](https://git.psi.ch/linux-infra/bob) 
+ +### Package Repositories made Available by other PSI Groups + +- `tivoli`, IBM backup software for Arema, managed by Datacenter and DB Services, AIT +- `nxserver` for NoMachine NX + + +## Automated Package Updates + +The automatic updates are controlled in Hiera: + +| Hiera key | default | comments | +|-----------------------------------|----------|-------------------------------------------------------------------------------| +| base::automatic_updates::interval | weekly | valid are `daily`, `weekly` and `never` which disables the automatic updates | +| base::automatic_updates::type | security | `security` installs only security updates whereas `all` installs all updates | +| base::automatic_updates::exclude | [] | list of packages not to update, wildcards like "*" are allowed | +| base::automatic_updates::kernel | false | define if new kernel packages also should be installed automatically | + +Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates. From 64a495660d18f58a77015f6e3e7c957a75208903 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 14:54:17 +0100 Subject: [PATCH 09/13] move package repo management documentation --- admin-guide/configuration.md | 2 +- admin-guide/configuration/package_repositories.md | 2 +- admin-guide/configuration/package_updates.md | 7 +++++++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/admin-guide/configuration.md b/admin-guide/configuration.md index e3cb4266..0e78acb7 100644 --- a/admin-guide/configuration.md +++ b/admin-guide/configuration.md 
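Review bot: the `base::automatic_updates::exclude` row of the Automated Package Updates table (tail of PATCH 08) says wildcards like "*" are allowed but not what that implies: an excluded package is simply never updated, so a broad exclude pattern silently withholds security fixes even with `base::automatic_updates::type: security`, and the comment should say that the exclude list wins over `type`, that it should be kept narrow, and that `dnf check-update` or `dnf updateinfo` on the node shows what is being held back. The `base::automatic_updates::kernel` row together with the closing sentence "There is no automatic reboot, e.g. for kernel updates" should add that a node keeps running the old kernel until it is rebooted, so an installed kernel fix is not effective until someone schedules that reboot. Two typos in the pli-misc list above the table: "has been reported to to make trouble" and "Code Beamer Office pluging".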
@@ -8,7 +8,7 @@ Here starts a so far small collections of configuration guides for sysadmins of ## Software Management - [Package Installation](configuration/packages) - [Automated Package Updates](configuration/package_updates) -- [Adding Package Repositories](configuration/package_repositories) +- [Selecting Package Repositories](configuration/package_repositories) - [Managing Services with Systemd)](configuration/services) ## Basic Setup diff --git a/admin-guide/configuration/package_repositories.md b/admin-guide/configuration/package_repositories.md index 592abc73..204eab9d 100644 --- a/admin-guide/configuration/package_repositories.md +++ b/admin-guide/configuration/package_repositories.md @@ -1,4 +1,4 @@ -# Management of Package Repositories +# Selecting Package Repositories ## Package Repository Lists Also for configuring package repositories our configuration management works with lists containing the names of the repositories to be installed. diff --git a/admin-guide/configuration/package_updates.md b/admin-guide/configuration/package_updates.md index 760ded84..41165fda 100644 --- a/admin-guide/configuration/package_updates.md +++ b/admin-guide/configuration/package_updates.md @@ -10,3 +10,10 @@ The automatic updates are controlled in Hiera: | `base::automatic_updates::kernel` | `false` | define if new kernel packages also should be installed automatically | Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates. + +--- +**Important** + +There will be no updates if you fix the package source to a snapshot/repo tag i.e. `rpm_repos::tag` or `yum_client::repo_tag` setting in Hiera point to a specfic snapshot. + +--- From d5a69a2f39c95295cc46cb5e59727958f33c4c83 Mon Sep 17 00:00:00 2001 
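Review bot: the context line `- [Managing Services with Systemd)](configuration/services)` in the admin-guide/configuration.md hunk (PATCH 09, first hunk) carries a stray `)` inside the link text that ends up in the rendered title; it is corrected later in the series, but fixing it here, where the neighbouring link line is already being edited, keeps the intermediate history clean.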
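Review bot: the "Important" block added to admin-guide/configuration/package_updates.md (PATCH 09, last hunk) should spell out the consequence of pinning rather than only stating it: a node whose `rpm_repos::tag` or `yum_client::repo_tag` points at a fixed snapshot receives no security updates at all until somebody advances the tag, so pinned nodes need an owner and a schedule for moving it, otherwise the `base::automatic_updates::type: security` setting documented in the table just above is a no-op for them. Wording in the same added lines: "specfic" is a typo, and "i.e. `rpm_repos::tag` or `yum_client::repo_tag` setting in Hiera point to a specfic snapshot" reads better as "i.e. the `rpm_repos::tag` or `yum_client::repo_tag` setting in Hiera points to a specific snapshot".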
From: Konrad Bucheli Date: Thu, 9 Nov 2023 14:56:06 +0100 Subject: [PATCH 10/13] move package repo management documentation --- .../configuration/package_repositories.md | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/admin-guide/configuration/package_repositories.md b/admin-guide/configuration/package_repositories.md index 204eab9d..c53f7a94 100644 --- a/admin-guide/configuration/package_repositories.md +++ b/admin-guide/configuration/package_repositories.md @@ -84,7 +84,7 @@ The available tags your find at - [https://repos.psi.ch/rhel8/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 8 (note the `prod` tag will phase out) - [https://repos.psi.ch/rhel7/tags/](https://repos.psi.ch/rhel7/tags/) for RHEL 7 -### Package Repositories made Available by the Linux Group +## Package Repositories made Available by the Linux Group Availabe on all systems are: - RedHat [BaseOS](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/baseos-repository), [AppStream](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/appstream-repository) and [CodeReady](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/codereadylinuxbuilder-repository) repositories 
@@ -130,21 +130,9 @@ A small list of packages managed by the Linux Team. - [nvidia-detect](http://elrepo.org/tiki/nvidia-detect) copied over from ElRepo to make it generally available - [bob](https://git.psi.ch/linux-infra/bob) -### Package Repositories made Available by other PSI Groups +## Package Repositories made Available by other PSI Groups - `tivoli`, IBM backup software for Arema, managed by Datacenter and DB Services, AIT - `nxserver` for NoMachine NX -## Automated Package Updates - -The automatic updates are controlled in Hiera: - -| Hiera key | default | comments | -|-----------------------------------|----------|-------------------------------------------------------------------------------| -| base::automatic_updates::interval | weekly | valid are `daily`, `weekly` and `never` which disables the automatic updates | -| base::automatic_updates::type | security | `security` installs only security updates whereas `all` installs all updates | -| base::automatic_updates::exclude | [] | list of packages not to update, wildcards like "*" are allowed | -| base::automatic_updates::kernel | false | define if new kernel packages also should be installed automatically | - -Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates. From c182df02d58f0c26e1b1f3e24b1b127814bef495 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 15:03:02 +0100 Subject: [PATCH 11/13] move service startup documentation --- _toc.yml | 3 +- admin-guide/configuration/services.md | 81 ++++++ rhel8/index.md | 2 - rhel8/software.md | 355 -------------------------- 4 files changed, 82 insertions(+), 359 deletions(-) create mode 100644 admin-guide/configuration/services.md delete mode 100644 rhel8/software.md diff --git a/_toc.yml b/_toc.yml index 979c4687..c7b0417d 100644 --- a/_toc.yml +++ b/_toc.yml 
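Review bot: the removal of the duplicated "Automated Package Updates" section from package_repositories.md (PATCH 10, second hunk) drops the variant of the table whose Hiera keys were not in backticks, and the copy kept in package_updates.md is the backticked one, so nothing is lost; the commit subject "move package repo management documentation" does not describe this hunk though, which deduplicates the updates documentation, so a subject such as "remove duplicated automatic updates section" would keep the history searchable.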
@@ -39,7 +39,7 @@ chapters: - file: admin-guide/configuration/packages - file: admin-guide/configuration/package_updates - file: admin-guide/configuration/package_repositories -# - file: admin-guide/configuration/services + - file: admin-guide/configuration/services - file: admin-guide/configuration/mount - file: admin-guide/configuration/distribute_files - file: admin-guide/configuration/vgroot @@ -133,7 +133,6 @@ chapters: - file: rhel8/index sections: - file: rhel8/installation - - file: rhel8/software - file: rhel8/nvidia - file: rhel8/kerberos - file: rhel8/desktop diff --git a/admin-guide/configuration/services.md b/admin-guide/configuration/services.md new file mode 100644 index 00000000..963c0257 --- /dev/null +++ b/admin-guide/configuration/services.md 
@@ -0,0 +1,81 @@ +# Managing Services with Systemd + +Hiera can also be used to manage services and to automate reoccuring tasks with timers. + +## Enabling/Starting a Service + +If the software already comes with an systemd unit file, then it is sufficient to just enable it in Hiera by using the `base::services` key: + +``` +base::services: + netdata: + enable: true +``` +The key inside is the `systemd` service name without the `.service` suffix. + +## Disabling/Stopping a Service + +To stop and disable an already running service, disable it in the `base::services` Hiera key with `enable: false`: +``` +base::services: + netdata: + enable: false +``` + +## Systemd Timers +To have custom executables run regulary on given time/interval, you may use the `base::timers` Hiera key: + +``` +base::timers: + 'timer_test': + description: 'test timers' + command: '/usr/bin/logger foo' + on_calendar: '*:*:10' + persistence: false +``` + +For each timer following keys are mandatory + +- `description` for a short explaination what it is about +- `command` for the command to run +- `on_calendar` defining when it should run using the [`systemd` calendar event format](https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events), (alternatively see also chapter "CALENDAR EVENTS" of `man systemd.date`) + +Optional is +- `persistence` which signals if the timer should run immediately after boot when the node was switched of on the last scheduled run time (default is `false`) + +## Manage Services with Custom Unit Files + +It is also possible to provide a full systemd unit file if there is none already. 
For this define the different secions and their content with subkeys below the `options` key as in below example: + +``` +# The following service stops users from accessing the node +# before the home directory is mounted +base::services: + 'wait_for_home': + enable: true + options: + Unit: + Before: 'systemd-user-sessions.service' + Install: + WantedBy: 'multi-user.target' + RequiredBy: 'multi-user.target' + Service: + Type: 'oneshot' + ExecStart: '/opt/pli/libexec/waitformount -m /das/home' + RemainAfterExit: 'true' +``` + +## Enhance a Service with a Dropin Unit File +It is possible to fine-tune already existing `systemd` unit files with dropins. These are placed as `.conf` files in `/etc/systemd/system/$SERVICE.service.d/`. + +With the `dropin: true` setting the content of the `options` parameter is written into the according dropin directory: +``` +base::services: + 'name_of_enhanced_service': + enable: true + dropin: true + options: + ... +``` +If there are multiple dropins, you might also name them individually with the `dropin_name` parameter. + diff --git a/rhel8/index.md b/rhel8/index.md index 1174521a..796f1e53 100644 --- a/rhel8/index.md +++ b/rhel8/index.md @@ -154,9 +154,7 @@ which is IMHO OK to not allow a normal user to do changes there. ## Documenatation * [Installation](installation) -* [Software and Package Management](software) * [CUDA and Nvidia Drivers](nvidia) * [Kerberos](kerberos) * [Desktop](desktop) * [Vendor Documentation](vendor_documentation) - diff --git a/rhel8/software.md b/rhel8/software.md deleted file mode 100644 index 920a26b1..00000000 --- a/rhel8/software.md +++ /dev/null 
@@ -1,355 +0,0 @@ -# Software and Package Management for RHEL 8 - -How to add packages and package repositories and what repositories are available is documented here. - -## Package Installation - -### Install Packages with Hiera Package Groups - -The packages automatically installed onto a system by Puppet are managed in the Hiera list `base::package_groups`. It contains the names of the package groups to be installed. Items can be added at all levels of the Hiera hierarchy and are merged. - -The package groups itself are Hieara lists named `base::pkg_group::$USE_CASE`. -Here list all the packages you want to install. - -Currently there exist the following package groups in the main [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml): - -- `base::pkg_group::system_tools` (installed by default) -- `base::pkg_group::daq_buffer` -- `base::pkg_group::desktop_settings` -- `base::pkg_group::dev` -- `base::pkg_group::login_server` -- `base::pkg_group::qt5` -- `base::pkg_group::root` - -but further ones can be created in Hiera at lower hierachies and added to `base::package_groups`, for example - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk' - - 'java-11-openjdk' - - 'java-17-openjdk' - -base::package_groups: - - 'java' -``` - - - -### Install a Group of Packages - -To add a RedHat predefined group of packages (checkout out `dnf grouplist --hidden`) prepend the name of it with a `@`, e.g. for "Java Platform" it would be `@Java Platform`: - -``` -base::pkg_group::java: - - '@Java Platform' -``` - -### Install Latest Package Version - -Puppet by default only checks if a package is installed and only installs it if missing. 
-To ensure that always the latest available package version is installed, append the `:latest` tag to the package name in the package group: - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk' - - 'java-11-openjdk' - - 'java-17-openjdk:latest' -``` - -### Install Packages only on Given OS Version - - Certain packages are only used on a given OS Version, so a `os=` with the OS name and the major version selects a package only for given OS, where as a `os!` will filter away given package on hosts with given OS, so they are not installed there. - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk:os=redhat7' - - 'java-11-openjdk' - - 'java-17-openjdk:os!redhat7' -``` - -Note that this tag can be combined with the `latest` and `absent` tag. - -### Install Module Stream - -RHEL 8 introduced the concept of [module streams](https://docs.pagure.org/modularity/). -A specific stream can be selected with the `stream` tag: -``` -base::pkg_group::nodejos: - - 'nodejs:stream=12' -``` - -### Remove Packages - -To remove an already installed package, append the `:absent` tag to the package name in the package group: - -``` -base::pkg_group::java: - - 'java-1.8.0-openjdk:absent' - - 'java-11-openjdk' - - 'java-17-openjdk' -``` - -### Ignore Packages - -To make packages unavailable for installation, even though provided by the package repositories, add them in Hiera to the list `base::package_exclude`: -``` -base::package_exclude: - - 'epics-base-7.0.6*' -``` -This list is merged over the full Hiera hierachy, so there is no need to copy exclusions from higher levels when creating an exclusion on a low level. - -This list can also be used to opt out packages from other, maybe inherited package groups. But unlike the `:absent` tag in a package list it will not uninstall a package when found. - -### Install Debuginfo Packages - -The package repositories for debuginfo packages are disabled by default. 
To spontaneously install such a package, do - -``` -dnf --enablerepo '*_debug' install ... -``` - -### Legacy Package Installation - -The legacy Hiera lists for package groups is `yum_client::pkg_group::$USE_CASE` and supports the `latest` and `absent` tag, but not the filtering by operating system version. - -Then `yum_client::package_groups` is the Hiera list to contain the package groups to be installed. - -Please migrate them to the equivalent `base::*` list. You can have both of them available at the same time, with possibly the same content. - -### Missing Package - -If there is no such package in the repositories, then - -``` -Error: Execution of '/usr/bin/dnf -d 0 -e 1 -y install non-existing-package-for-test' returned 1: Error: Unable to find a match: non-existing-package-for-test -``` - -## Managing Services with Systemd - -Hiera can also be used to manage services and to automate reoccuring tasks with timers. - -### Enabling/Starting a Service - -If the software already comes with an systemd unit file, then it is sufficient to just enable it in Hiera by using the `base::services` key: - -``` -base::services: - netdata: - enable: true -``` -The key inside is the `systemd` service name without the `.service` suffix. 
- -### Disabling/Stopping a Service - -To stop and disable an already running service, disable it in the `base::services` Hiera key with `enable: false`: -``` -base::services: - netdata: - enable: false -``` - -### Systemd Timers -To have custom executables run regulary on given time/interval, you may use the `base::timers` Hiera key: - -``` -base::timers: - 'timer_test': - description: 'test timers' - command: '/usr/bin/logger foo' - on_calendar: '*:*:10' - persistence: false -``` - -For each timer following keys are mandatory - -- `description` for a short explaination what it is about -- `command` for the command to run -- `on_calendar` defining when it should run using the [`systemd` calendar event format](https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events), (alternatively see also chapter "CALENDAR EVENTS" of `man systemd.date`) - -Optional is -- `persistence` which signals if the timer should run immediately after boot when the node was switched of on the last scheduled run time (default is `false`) - -### Manage Services with Custom Unit Files - -It is also possible to provide a full systemd unit file if there is none already. For this define the different secions and their content with subkeys below the `options` key as in below example: - -``` -# The following service stops users from accessing the node -# before the home directory is mounted -base::services: - 'wait_for_home': - enable: true - options: - Unit: - Before: 'systemd-user-sessions.service' - Install: - WantedBy: 'multi-user.target' - RequiredBy: 'multi-user.target' - Service: - Type: 'oneshot' - ExecStart: '/opt/pli/libexec/waitformount -m /das/home' - RemainAfterExit: 'true' -``` - -### Enhance a Service with a Dropin Unit File -It is possible to fine-tune already existing `systemd` unit files with dropins. These are placed as `.conf` files in `/etc/systemd/system/$SERVICE.service.d/`. 
- -With the `dropin: true` setting the content of the `options` parameter is written into the according dropin directory: -``` -base::services: - 'name_of_enhanced_service': - enable: true - dropin: true - options: - ... -``` -If there are multiple dropins, you might also name them individually with the `dropin_name` parameter. - -## Management of Package Repositories - -### Package Repository Lists -Also for configuring package repositories our configuration management works with lists containing the names of the repositories to be installed. -The default list (except for nodes with the `bootpc` and `appliances::lenovo::*` Puppet roles) is `rpm_repos::default` (legacy: `yum_client::repositories`). - -If repositories are managed in Hiera, feel free to add them to `rpm_repos::default` like -``` -rpm_repos::default: - - 'gfa' -``` - -Note that repositories for different versions of RHEL can be added and only the fitting ones will be configured on the node. - -If the package repositories are managed by a Puppet module, then it is good practice is to define a specific package repository list in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml) and then to install it only when needed. An example is `profile::telegraf` which only installes the repositories listed in `rpm_repos::influx` when needed. 
- -### Package Repository Definition - -An individual package repository is configured in Hiera within the namespace `rpm_repos::repo::*`, like following example: - -``` -rpm_repos::repo::epel_rhel8: - name: 'epel' - descr: "Extra Packages for Enterprise Linux 8" - baseurl: 'https://repos.psi.ch/rhel8/tags/$pli_repo_tag/epel/' - gpgkey: 'https://repos.psi.ch/rhel8/keys/epel.gpg' - disable: false - gpgcheck: true - osversion: 8 - exclude: - - "slurm*" -``` - -The legacy namespace `yum_client::repo::*` is currently used for RHEL7 repositories to be backward compatible as some Hiera configuration with higher precedence overwrites certain stuff. - -#### Package Repository Name - -The reference name used in Hiera (the part after `rpm_repos::repo::` should be globally unique. An unfortunate practice is to use the same name for different package repositories. A current example is the `gfa` repository which has different URLs on different `sysdb` environments. - -Note for `name` attribute, that only has to be unique on the machine where they are installed. So if there are two repositories defined to provide the same software for two different OS versions, then it is fine to have the same name there. - -#### Package Repository URL - -Overriding the URL of a package repository definition on a stricter scope is considered bad practice. The URL defines the actual "identiy" of the package repository definition. It is confusing if it gets different meanings at different places. It is like one passport which will identify different persons in different countries. - -If different sources are needed, define and name them appropriately. They point to one given repository and the package repository lists are the place to select what should be applied on a given node. - -Also feel free to define all your package repositories in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml). 
- -#### Select Package Repository by OS Version - -Usually a package repository only serves packages for one major OS version. This can be stated by the `osversion` attribute. When a package repository list is installed, only the repositories fitting the version of the OS installed on the node are selected and configured. - -If the `osversion` attribute is not set, then it is always installed. - -#### Package Repository GPG Verification -GPG verification is optional, so `gpgkey` may not be defined and `gpgcheck` is `false` by default. But ideally the packages are signed and checked for tampering and corruption. - -#### Exclude Packages -If certain packages provided by given repository should be ignored on the nodes, then add them to the `exclude` list. - - - -### Using Specific Package Repository Snapshot -Most of the externally sourced package repositories on https://repos.psi.ch/rhel7 (RHEL7) and https://repos.psi.ch/rhel8 (RHEL 8) have snapshots which can be used to freeze the available package versions to a given date. - -The tags are different per major OS version and are definied in the Hiera hash `rpm_repos::tag`, below you see the default: - -``` -yum_client::repo_tag: 'prod' - -rpm_repos::tag: - redhat7: "%{lookup('yum_client::repo_tag')}" - redhat8: 'rhel-8' -``` - -So for RHEL 7 the default is `prod` and can be overriden on `yum_client::repo_tag` (backwards compatibility) or on the `redhat7` attribute of `rpm_repos::tag`. - -To fix to a specific snapshot on RHEL 8, the `redhat8` attribute has to be set on `rpm_repos::tag`, the default is `rhel-8` which points to the latest snapshot. 
- -The available tags your find at -- [https://repos.psi.ch/rhel8/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 8 (note the `prod` tag will phase out) -- [https://repos.psi.ch/rhel7/tags/](https://repos.psi.ch/rhel7/tags/) for RHEL 7 - -### Package Repositories made Available by the Linux Group - -Availabe on all systems are: -- RedHat [BaseOS](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/baseos-repository), [AppStream](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/appstream-repository) and [CodeReady](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/codereadylinuxbuilder-repository) repositories -- [Extra Packages for Enterprise Linux (EPEL) repositories](https://docs.fedoraproject.org/en-US/epel/) -- Puppet 7 repository -- Auristor repository for YFS and AFS related packages -- Google Chrome repository -- pli-misc (not tagged for RHEL7, but on RHEL 8) -- Code (Visual Studio Code from Microsoft) -- Microsoft Teams -- PowerScript et. al. (Microsoft) -- HashiCorp (`vault`, `terraform`, `vagrant`, ...) -- Oracle Instant Client 19 and 21 -- Opera - - -Predefined and used when needed are: -- Influx (`influxdb`, `telegraf`, ...) -- CUDA -- Nomachine - -To be added/defined in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml)? -- GPFS -- Epics (available for RHEL7) - - -### pli-misc Repository - -A small list of packages managed by the Linux Team. 
- -- make v4.3 from [CentOS](https://rpmfind.net/linux/RPM/centos-stream/9/baseos/x86_64/make-4.3-7.el9.x86_64.html) as v4.2.1 has been reported to to make trouble -- latest [Zoom client](https://zoom.us/download?os=linux) -- latest [Webex client](https://www.webex.com/downloads.html) -- latest [Slack client](https://slack.com/downloads/linux) -- latest [NoMachine Enterprise Client](https://downloads.nomachine.com/download/?id=11) -- latest [Real VNC Viewer](https://www.realvnc.com/en/connect/download/viewer/), recommended for VNC remote access to Windows machines -- `pli-assets` containing the PSI and the Customer Self Service logo, any hints about the source rpm are welcome -- [mod_gearman v4.0.1](https://mod-gearman.org/download/v4.0.1/rhel8/x86_64/) -- lightdm-gtk v2.0.8-3.pli, a patched lightdm-gtk-greeter ([SRPM](https://git.psi.ch/linux-infra/lightdm-gtk-rpm), [PR](https://github.com/Xubuntu/lightdm-gtk-greeter/pull/121)) which allows to limit the presented keyboard layouts -- Code Beamer Office pluging v9.5.0 managed by Gilles Martin -- storecli 007.2007.0000.0000 managed by Marc Caubet Serrabou -- [pam_single_kcm_cache PAM Module](https://github.com/paulscherrerinstitute/pam_single_kcm_cache) managed by Konrad Bucheli -- [nvidia-detect](http://elrepo.org/tiki/nvidia-detect) copied over from ElRepo to make it generally available -- [bob](https://git.psi.ch/linux-infra/bob) - -### Package Repositories made Available by other PSI Groups - -- `tivoli`, IBM backup software for Arema, managed by Datacenter and DB Services, AIT -- `nxserver` for NoMachine NX - - -## Automated Package Updates - -The automatic updates are controlled in Hiera: - -| Hiera key | default | comments | -|-----------------------------------|----------|-------------------------------------------------------------------------------| -| base::automatic_updates::interval | weekly | valid are `daily`, `weekly` and `never` which disables the automatic updates | -| base::automatic_updates::type 
| security | `security` installs only security updates whereas `all` installs all updates | -| base::automatic_updates::exclude | [] | list of packages not to update, wildcards like "*" are allowed | -| base::automatic_updates::kernel | false | define if new kernel packages also should be installed automatically | - -Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates. From 034e9921a419683e9fce4cbfa7fe68ffd1eeed70 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 15:04:29 +0100 Subject: [PATCH 12/13] move service startup documentation --- admin-guide/configuration.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/admin-guide/configuration.md b/admin-guide/configuration.md index 0e78acb7..98c36749 100644 --- a/admin-guide/configuration.md +++ b/admin-guide/configuration.md @@ -9,7 +9,7 @@ Here starts a so far small collections of configuration guides for sysadmins of - [Package Installation](configuration/packages) - [Automated Package Updates](configuration/package_updates) - [Selecting Package Repositories](configuration/package_repositories) -- [Managing Services with Systemd)](configuration/services) +- [Managing Services with Systemd](configuration/services) ## Basic Setup - [Mounting Volumes](configuration/mount) @@ -19,9 +19,6 @@ Here starts a so far small collections of configuration guides for sysadmins of - [Custom Nameservers](configuration/custom_nameservers) - [Puppent Agent run frequency](configuration/puppet_agent) -## Logging -- [Setup Central Logging to Elastic](configuration/central_logging_elastic) - ## Desktop - [Keyboard Layout](configuration/keyboard_layout) - [Autologin](configuration/autologin) 
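Review bot: the `wait_for_home` example in the new admin-guide/configuration/services.md (PATCH 11) documents a `Type: 'oneshot'` unit ordered `Before: 'systemd-user-sessions.service'` and `RequiredBy: 'multi-user.target'` that waits for `/das/home`, but says nothing about what happens when the mount never arrives: a wait that never returns keeps `systemd-user-sessions.service` from starting, and with it every non-root login on the node, and systemd applies no start timeout to oneshot units by default. The example should state how `/opt/pli/libexec/waitformount` behaves when the mount does not appear and, if it can wait indefinitely, add a `TimeoutStartSec` under `Service` or at least a sentence warning about the lock-out. Smaller points in the same file: the `base::services` text should say explicitly whether `enable: true` also starts the service right away, as the heading "Enabling/Starting a Service" implies; `persistence` corresponds to the timer's `Persistent=` setting and "when the node was switched of" should read "switched off"; "reoccuring", "regulary", "explaination", "secions" and "an systemd" are typos; and the dropin section ends in `options: ...` plus a trailing blank added line, so a concrete dropin, for instance an `Environment=` line under `Service`, would make that section usable as written.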
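Review bot: the wholesale deletion of rhel8/software.md (PATCH 11, last hunk) removes several subsections this series never shows landing anywhere else, among them "Install Packages only on Given OS Version", "Install Module Stream", "Ignore Packages", "Legacy Package Installation" and the "Missing Package" error example; the commit should state that admin-guide/configuration/packages.md and package_repositories.md already carry them, or the rhel8/index.md hunk above should link to those pages instead of only dropping the "Software and Package Management" entry. One deleted sentence deserves a second look wherever it now lives: "GPG verification is optional, so `gpgkey` may not be defined and `gpgcheck` is `false` by default" documents an unsigned-by-default repository definition, which means a tampered or corrupted package from such a repository installs silently; the moved text should recommend `gpgcheck: true` together with a `gpgkey` for every repository that publishes signatures, as the `epel_rhel8` example in the same deleted section already does.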
@@ -29,6 +26,8 @@ Here starts a so far small collections of configuration guides for sysadmins of - [Banner Message](configuration/banner_message) - [Alternative Desktops/Window Managers](configuration/alternative_desktops) +## Logging +- [Setup Central Logging to Elastic](configuration/central_logging_elastic) ## Special Installations - [SSH Host Hopping as Root (e.g. between cluster members)](configuration/ssh_host_hopping) From 1dc1e28e97e03b8468e3f9dd5e5247a315708410 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 15:06:34 +0100 Subject: [PATCH 13/13] move service startup documentation --- admin-guide/configuration/package_updates.md | 1 - 1 file changed, 1 deletion(-) diff --git a/admin-guide/configuration/package_updates.md b/admin-guide/configuration/package_updates.md index 41165fda..8c4dadd3 100644 --- a/admin-guide/configuration/package_updates.md +++ b/admin-guide/configuration/package_updates.md @@ -16,4 +16,3 @@ Note that the updates run on midnight, for `weekly` from Sunday to Monday. There There will be no updates if you fix the package source to a snapshot/repo tag i.e. `rpm_repos::tag` or `yum_client::repo_tag` setting in Hiera point to a specfic snapshot. ----
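Review bot: the "## Logging" section re-inserted after the Desktop list in admin-guide/configuration.md (PATCH 12, last hunk) has no blank line between `+- [Setup Central Logging to Elastic](configuration/central_logging_elastic)` and the following `## Special Installations` context heading, unlike every other section break in the file; add one so the rendered page does not glue the list to the next heading.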
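Review bot: this hunk in package_updates.md (PATCH 13) deletes only the closing `---` of the "Important" block that PATCH 09 added, leaving the opening `---` before `**Important**` without its partner; either remove both rules or keep both, since a lone horizontal rule followed by bold text reads as an unrelated page break. The typo "specfic" in the context line is still unfixed in this last commit of the series.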