From 3dce08113cd98ad2458090ff1aa1cc7bc65334e3 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Nov 2023 14:47:55 +0100 Subject: [PATCH] move package repo management documentation --- _toc.yml | 2 +- .../configuration/package_repositories.md | 150 ++++++++++++++++++ 2 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 admin-guide/configuration/package_repositories.md diff --git a/_toc.yml b/_toc.yml index 4974d33d..979c4687 100644 --- a/_toc.yml +++ b/_toc.yml @@ -38,7 +38,7 @@ chapters: - file: admin-guide/configuration/icinga2 - file: admin-guide/configuration/packages - file: admin-guide/configuration/package_updates -# - file: admin-guide/configuration/package_repositories + - file: admin-guide/configuration/package_repositories # - file: admin-guide/configuration/services - file: admin-guide/configuration/mount - file: admin-guide/configuration/distribute_files diff --git a/admin-guide/configuration/package_repositories.md b/admin-guide/configuration/package_repositories.md new file mode 100644 index 00000000..592abc73 --- /dev/null +++ b/admin-guide/configuration/package_repositories.md 
@@ -0,0 +1,150 @@ +# Management of Package Repositories + +## Package Repository Lists +Also for configuring package repositories our configuration management works with lists containing the names of the repositories to be installed. +The default list (except for nodes with the `bootpc` and `appliances::lenovo::*` Puppet roles) is `rpm_repos::default` (legacy: `yum_client::repositories`). + +If repositories are managed in Hiera, feel free to add them to `rpm_repos::default` like +``` +rpm_repos::default: + - 'gfa' +``` + +Note that repositories for different versions of RHEL can be added and only the fitting ones will be configured on the node. + +If the package repositories are managed by a Puppet module, then it is good practice is to define a specific package repository list in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml) and then to install it only when needed. An example is `profile::telegraf` which only installes the repositories listed in `rpm_repos::influx` when needed. + +## Package Repository Definition + +An individual package repository is configured in Hiera within the namespace `rpm_repos::repo::*`, like following example: + +``` +rpm_repos::repo::epel_rhel8: + name: 'epel' + descr: "Extra Packages for Enterprise Linux 8" + baseurl: 'https://repos.psi.ch/rhel8/tags/$pli_repo_tag/epel/' + gpgkey: 'https://repos.psi.ch/rhel8/keys/epel.gpg' + disable: false + gpgcheck: true + osversion: 8 + exclude: + - "slurm*" +``` + +The legacy namespace `yum_client::repo::*` is currently used for RHEL7 repositories to be backward compatible as some Hiera configuration with higher precedence overwrites certain stuff. + +### Package Repository Name + +The reference name used in Hiera (the part after `rpm_repos::repo::` should be globally unique. An unfortunate practice is to use the same name for different package repositories. A current example is the `gfa` repository which has different URLs on different `sysdb` environments. 
+ +Note for `name` attribute, that only has to be unique on the machine where they are installed. So if there are two repositories defined to provide the same software for two different OS versions, then it is fine to have the same name there. + +### Package Repository URL + +Overriding the URL of a package repository definition on a stricter scope is considered bad practice. The URL defines the actual "identiy" of the package repository definition. It is confusing if it gets different meanings at different places. It is like one passport which will identify different persons in different countries. + +If different sources are needed, define and name them appropriately. They point to one given repository and the package repository lists are the place to select what should be applied on a given node. + +Also feel free to define all your package repositories in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml). + +### Select Package Repository by OS Version + +Usually a package repository only serves packages for one major OS version. This can be stated by the `osversion` attribute. When a package repository list is installed, only the repositories fitting the version of the OS installed on the node are selected and configured. + +If the `osversion` attribute is not set, then it is always installed. + +### Package Repository GPG Verification +GPG verification is optional, so `gpgkey` may not be defined and `gpgcheck` is `false` by default. But ideally the packages are signed and checked for tampering and corruption. + +### Exclude Packages +If certain packages provided by given repository should be ignored on the nodes, then add them to the `exclude` list. 
+ + + +## Using Specific Package Repository Snapshot +Most of the externally sourced package repositories on https://repos.psi.ch/rhel7 (RHEL7), https://repos.psi.ch/rhel8 (RHEL 8) and https://repos.psi.ch/rhel9 (RHEL 9) have snapshots which can be used to freeze the available package versions to a given date. + +The tags are different per major OS version and are definied in the Hiera hash `rpm_repos::tag`, below you see the default: + +``` +yum_client::repo_tag: 'prod' + +rpm_repos::tag: + redhat7: "%{lookup('yum_client::repo_tag')}" + redhat8: 'rhel-8' + redhat9: 'rhel-9' +``` + +So for RHEL 7 the default is `prod` and can be overriden on `yum_client::repo_tag` (backwards compatibility) or on the `redhat7` attribute of `rpm_repos::tag`. + +To fix to a specific snapshot on RHEL 8, the `redhat8` attribute has to be set on `rpm_repos::tag`, the default is `rhel-8` which points to the latest snapshot. + +The available tags your find at +- [https://repos.psi.ch/rhel9/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 9 +- [https://repos.psi.ch/rhel8/tags/](https://repos.psi.ch/rhel8/tags/) for RHEL 8 (note the `prod` tag will phase out) +- [https://repos.psi.ch/rhel7/tags/](https://repos.psi.ch/rhel7/tags/) for RHEL 7 + +### Package Repositories made Available by the Linux Group + +Availabe on all systems are: +- RedHat [BaseOS](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/baseos-repository), [AppStream](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/appstream-repository) and [CodeReady](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/package_manifest/codereadylinuxbuilder-repository) repositories +- [Extra Packages for Enterprise Linux (EPEL) repositories](https://docs.fedoraproject.org/en-US/epel/) +- Puppet 7 repository +- Auristor repository for YFS and AFS related packages (RHEL 7 and 8 only) +- Google Chrome repository +- pli-misc (not 
tagged for RHEL7, but on RHEL 8/9) +- Code (Visual Studio Code from Microsoft) +- Microsoft Teams +- PowerScript et. al. (Microsoft) +- HashiCorp (`vault`, `terraform`, `vagrant`, ...) +- Oracle Instant Client 19 and 21 +- Opera + + +Predefined and used when needed are: +- Influx (`influxdb`, `telegraf`, ...) +- CUDA +- Nomachine + +To be added/defined in [`common.yaml`](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/data/common.yaml)? +- GPFS +- Epics (available for RHEL7) + + +### pli-misc Repository + +A small list of packages managed by the Linux Team. + +- *RHEL8*: make v4.3 from [CentOS](https://rpmfind.net/linux/RPM/centos-stream/9/baseos/x86_64/make-4.3-7.el9.x86_64.html) as v4.2.1 has been reported to to make trouble +- latest [Zoom client](https://zoom.us/download?os=linux) +- latest [Webex client](https://www.webex.com/downloads.html) +- latest [Slack client](https://slack.com/downloads/linux) +- latest [NoMachine Enterprise Client](https://downloads.nomachine.com/download/?id=11) +- latest [Real VNC Viewer](https://www.realvnc.com/en/connect/download/viewer/), recommended for VNC remote access to Windows machines +- `pli-assets` containing the PSI and the Customer Self Service logo, any hints about the source rpm are welcome +- *RHEL8*: [mod_gearman v4.0.1](https://mod-gearman.org/download/v4.0.1/rhel8/x86_64/) +- *RHEL8*: lightdm-gtk v2.0.8-3.pli, a patched lightdm-gtk-greeter ([SRPM](https://git.psi.ch/linux-infra/lightdm-gtk-rpm), [PR](https://github.com/Xubuntu/lightdm-gtk-greeter/pull/121)) which allows to limit the presented keyboard layouts +- Code Beamer Office pluging v9.5.0 managed by Gilles Martin +- storecli 007.2007.0000.0000 managed by Marc Caubet Serrabou +- [pam_single_kcm_cache PAM Module](https://github.com/paulscherrerinstitute/pam_single_kcm_cache) managed by Konrad Bucheli +- [nvidia-detect](http://elrepo.org/tiki/nvidia-detect) copied over from ElRepo to make it generally available +- [bob](https://git.psi.ch/linux-infra/bob) 
+ +### Package Repositories made Available by other PSI Groups + +- `tivoli`, IBM backup software for Arema, managed by Datacenter and DB Services, AIT +- `nxserver` for NoMachine NX + + +## Automated Package Updates + +The automatic updates are controlled in Hiera: + +| Hiera key | default | comments | +|-----------------------------------|----------|-------------------------------------------------------------------------------| +| base::automatic_updates::interval | weekly | valid are `daily`, `weekly` and `never` which disables the automatic updates | +| base::automatic_updates::type | security | `security` installs only security updates whereas `all` installs all updates | +| base::automatic_updates::exclude | [] | list of packages not to update, wildcards like "*" are allowed | +| base::automatic_updates::kernel | false | define if new kernel packages also should be installed automatically | + +Note that the updates run on midnight, for `weekly` from Sunday to Monday. There is no automatic reboot, e.g. for kernel updates.
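Review bot: in the "Using Specific Package Repository Snapshot" section of `package_repositories.md`, the RHEL 9 tags bullet links to the wrong path: the link text reads `https://repos.psi.ch/rhel9/tags/` but the target is `https://repos.psi.ch/rhel8/tags/`, so readers following it land on the RHEL 8 tag listing; the target should be `https://repos.psi.ch/rhel9/tags/`. Two further points in the same file are worth a pass before merging. First, the "Package Repository GPG Verification" subsection states that `gpgkey` may be omitted and `gpgcheck` is `false` by default but only says checking is "ideally" done; since every repository in this file is consumed by package installs, the guidance should explicitly recommend setting `gpgkey` and `gpgcheck: true` on every `rpm_repos::repo::*` definition (as the `epel_rhel8` example already does) and treating an unchecked repository as the exception that needs a stated reason. Second, the example `baseurl` contains `$pli_repo_tag`, while the snapshot section only documents `rpm_repos::tag` and `yum_client::repo_tag`; a sentence linking the variable in the URL to those Hiera keys would close that gap, and the open question "To be added/defined in `common.yaml`?" should be resolved or moved out of the documentation. Minor wording: "installes", "identiy", "definied", "overriden", "Availabe", "pluging", "to to make trouble", "The available tags your find at" (should be "you find at"), "it is good practice is to define", "the updates run on midnight" (should be "at midnight"), and the unclosed parenthesis in "(the part after `rpm_repos::repo::` should be globally unique"; the three code fences would also render better tagged as ```yaml.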