Controls-docs/admin-guide/legacy/misc/projectpsi-puppet1.rst
2021-05-05 14:24:27 +02:00

Project `psi-puppet1`
=====================
Introduction
------------
This document describes the relaunch of the puppet service
infrastructure at PSI.
The whole project can be divided into two parts:
- The hard- and software setup for the puppet server and client.
(Described in this document.)
- Implementation of the configuration for puppet clients. (Described
in [[PuppetManifestsForSL53][Puppet Manifests For SL53]].)
Objectives
----------
- To get a stable, scalable and easy to manage puppet service
infrastructure.
- To gain a better overview of the various client configurations
configured by puppet.
- To keep a clear and up-to-date documentation.
- To keep the different configurations of the different SL releases
separated from each other, e.g. SL 5.1 does not overlap with SL 5.3.
- Users from AIT and GFA other than the puppet administrator should also
be able to use puppet to configure their hosts.
- The client configurations of the different puppet users must not
interfere with each other.
- To manage the changes to manifests and client configuration files.
- Easy recovery of files in case of data loss.
- Easy and fast reinstallation of an identical puppet server in case
of an irreparable server crash.
Description of the Basic Server Setup
-------------------------------------
- Hardware
Dell Power Edge 1750
- Operating System
SL51 32 bit Server
- Network configuration
Static IP for Production Server: 129.129.190.174/24
Hostname: psi-puppet1.psi.ch
- Required RPMS
- puppet-server (http://download.fedora.redhat.com/pub/epel/5/i386/repoview/)
- augeas-libs
- facter
- puppet (http://download.fedora.redhat.com/pub/epel/5/i386/repoview/)
- ruby
- ruby-augeas
- ruby-libs
- ruby-shadow
- ruby-irb (required for reading help)
- ruby-rdoc (required for reading help)
Procedure
---------
Create a Repository for Puppet Related RPMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
First make the directory in the SL51 installation tree::
# mkdir /afs/psi.ch/software/linux/dist/scientific/51/puppet-0247
Add the following RPMS to this repository and run `createrepo`::
puppet-server-0.24.7-4.el5.noarch.rpm
augeas-libs-0.3.5-1.el5.i386.rpm
facter-1.5.2-2.el5.noarch.rpm
puppet-0.24.7-4.el5.noarch.rpm
ruby-augeas-0.2.0-1.el5.i386.rpm
ruby-shadow-1.4.1-7.el5.i386.rpm
# cd /afs/psi.ch/software/linux/dist/scientific/51/puppet-0247
# createrepo .
To enable access to this repository, create the yum repo file
`/etc/yum.repos.d/puppet-0247.repo` on the puppet server. Note that the
file sets neither `gpgcheck` nor `gpgkey`, so whether the signatures of
the EPEL packages are verified at install time depends on the global
`gpgcheck` default in `/etc/yum.conf`::
[puppet-0247]
name=puppet-0247 for SL5
baseurl=http://linux.web.psi.ch/dist/scientific/5/puppet-0247/
enabled=1
Setup The Puppet Server
~~~~~~~~~~~~~~~~~~~~~~~
Basic Server Installation
.........................
Install SL51, class Server via PXE boot and kickstart.
Puppet-Server Installation
..........................
Install `puppet-server` with yum. This pulls in the required
dependencies as well::
# [root@psi-puppet1]
# yum install puppet-server
...
Finished Kernel Module Plugin
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
puppet-server noarch 0.24.7-4.el5 puppet-0247 25 k
Installing for dependencies:
augeas-libs i386 0.3.5-1.el5 puppet-0247 151 k
facter noarch 1.5.2-2.el5 puppet-0247 41 k
puppet noarch 0.24.7-4.el5 puppet-0247 548 k
ruby i386 1.8.5-5.el5_2.6 sl5update 279 k
ruby-augeas i386 0.2.0-1.el5 puppet-0247 17 k
ruby-libs i386 1.8.5-5.el5_2.6 sl5update 1.6 M
ruby-shadow i386 1.4.1-7.el5 puppet-0247 9.5 k
Transaction Summary
=============================================================================
Install 8 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
...
Configure The Puppet Server
...........................
The configuration files of the puppet server, directory
`/etc/puppet/`, are stored locally.
The puppet client configuration files are stored on AFS. The mountpoint on
psi-puppet1 is `/var/puppet/environments`, so create that directory::
# mkdir -p /var/puppet/environments
See section `Mount AFS Volumes on Puppet Server` below for how to mount it.
The client configuration files in /var/puppet/environments are
described at [[PuppetManifestsForSL53][Puppet Manifests For SL53]].
The log is written to the local disk in `/var/log/puppet`.
To set the logfile, edit the `PUPPETMASTER_OPTS` line in
`/etc/rc.d/init.d/puppetmaster`. For testing, the debug option `-d` is
enabled as well::
PUPPETMASTER_OPTS="-v -d -l /var/log/puppet/puppetmaster.log"
Config file `puppet.conf`::
###########################################################################
# $Header: /etc/puppet/RCS/puppet.conf,v 1.3 2009/09/07 18:11:17 root Exp root $
#
# Puppetmaster Environments
# =========================
#
# Ref.: http://reductivelabs.com/trac/puppet/wiki/UsingMultipleEnvironments
#
# Marc Gasser, PSI
# last modified 2011-11-18
#
############################################################################
[main]
# Where Puppet stores dynamic and growing data.
# The default value is '/var/puppet'.
vardir = /var/puppet
# The Puppet log directory.
# The default value is '$vardir/log'.
# logdir = /afs/psi.ch/service/linux/puppet/var/log
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# Whether log files should always flush to disk.
# The default value is false
autoflush = true
[puppetmasterd]
reports = store
#reports = store , tagmail, rrdgraph
# tagmap = $confdir/tagmail.conf
#rrddir = $vardir/rrd
#rrdinterval = $runinterval
#rrdgraph = true
[puppetd]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
# Note: The port that the client daemon listens on, defaults to
# 8139. However, at PSI we run puppetd via the psi-puppet
# script with run onetime option enabled.
# psi-puppet is triggered by cron.
#########################
####### SL 5 ########
#########################
### begin{ SL 5 (SL54), gasser_m
[DesktopSL5Unstable]
manifest = /var/puppet/environments/DesktopSL5Unstable/manifests/site.pp
modulepath = /var/puppet/environments/DesktopSL5Unstable/modules
[ServerSL5Unstable]
manifest = /var/puppet/environments/ServerSL5Unstable/manifests/site.pp
modulepath = /var/puppet/environments/ServerSL5Unstable/modules
[DesktopSL5Testing]
manifest = /var/puppet/environments/DesktopSL5Testing/manifests/site.pp
modulepath = /var/puppet/environments/DesktopSL5Testing/modules
[DesktopSL5Stable]
manifest = /var/puppet/environments/DesktopSL5Stable/manifests/site.pp
modulepath = /var/puppet/environments/DesktopSL5Stable/modules
[CPT]
manifest = /var/puppet/environments/CPT/manifests/site.pp
modulepath = /var/puppet/environments/CPT/modules
###}end SL 5 (SL54), gasser_m
### V.M. for sl53-c-ks.cfg
[CnodeSL5]
manifest = /var/puppet/environments/CnodeSL5/manifests/site.pp
modulepath = /var/puppet/environments/CnodeSL5/modules
[PHServerSL5]
manifest = /var/puppet/environments/PHServerSL5/manifests/site.pp
modulepath = /var/puppet/environments/PHServerSL5/modules
[EdgarDevelopment]
manifest = /var/puppet/environments/EdgarDevelopment/manifests/site.pp
modulepath = /var/puppet/environments/EdgarDevelopment/modules
[DerekDevelopment]
manifest = /var/puppet/environments/DerekDevelopment/manifests/site.pp
modulepath = /var/puppet/environments/DerekDevelopment/modules
[cray]
manifest = /var/puppet/environments/cray/manifests/site.pp
modulepath = /var/puppet/environments/cray/modules
### begin Heiner{
[HeinerDevelopment]
manifest = /var/puppet/environments/HeinerDevelopment/manifests/site.pp
modulepath = /var/puppet/environments/HeinerDevelopment/modules
[HeinerDevelopment54]
manifest = /var/puppet/environments/HeinerDevelopment54/manifests/site.pp
modulepath = /var/puppet/environments/HeinerDevelopment54/modules
[GFA]
manifest = /var/puppet/environments/GFA/manifests/site.pp
modulepath = /var/puppet/environments/GFA/modules
### }end Heiner
### begin Rene{
[GFADesktopSL5]
manifest = /var/puppet/environments/GFADesktopSL5/manifests/site.pp
modulepath = /var/puppet/environments/GFADesktopSL5/modules
[GFADesktopSL6]
manifest = /var/puppet/environments/GFADesktopSL6/manifests/site.pp
modulepath = /var/puppet/environments/GFADesktopSL6/modules
### }end Rene
### Services
[Web]
manifest = /var/puppet/environments/Web/manifests/site.pp
modulepath = /var/puppet/environments/Web/modules
[Virtual]
manifest = /var/puppet/environments/Virtual/manifests/site.pp
modulepath = /var/puppet/environments/Virtual/modules
[News]
manifest = /var/puppet/environments/News/manifests/site.pp
modulepath = /var/puppet/environments/News/modules
[MySQL]
manifest = /var/puppet/environments/MySQL/manifests/site.pp
modulepath = /var/puppet/environments/MySQL/modules
[Loadbalancer]
manifest = /var/puppet/environments/Loadbalancer/manifests/site.pp
modulepath = /var/puppet/environments/Loadbalancer/modules
[LlcLoadbalancer]
manifest = /var/puppet/environments/LlcLoadbalancer/manifests/site.pp
modulepath = /var/puppet/environments/LlcLoadbalancer/modules
[License]
manifest = /var/puppet/environments/License/manifests/site.pp
modulepath = /var/puppet/environments/License/modules
[FTP]
manifest = /var/puppet/environments/FTP/manifests/site.pp
modulepath = /var/puppet/environments/FTP/modules
[Elog]
manifest = /var/puppet/environments/Elog/manifests/site.pp
modulepath = /var/puppet/environments/Elog/modules
[Cups]
manifest = /var/puppet/environments/Cups/manifests/site.pp
modulepath = /var/puppet/environments/Cups/modules
[Archive]
manifest = /var/puppet/environments/Archive/manifests/site.pp
modulepath = /var/puppet/environments/Archive/modules
#########################
####### SL 6 ########
#########################
### begin{ SL 6 (gasser_m)
[DesktopSL6Unstable]
manifest = /var/puppet/environments/DesktopSL6Unstable/manifests/site.pp
modulepath = /var/puppet/environments/DesktopSL6Unstable/modules
[DesktopSL6Testing]
manifest = /var/puppet/environments/DesktopSL6Testing/manifests/site.pp
modulepath = /var/puppet/environments/DesktopSL6Testing/modules
[DesktopSL6Stable]
manifest = /var/puppet/environments/DesktopSL6Stable/manifests/site.pp
modulepath = /var/puppet/environments/DesktopSL6Stable/modules
###}end SL 6 (gasser_m)
### Markushin
[CnodeSL6]
manifest = /var/puppet/environments/CnodeSL6/manifests/site.pp
modulepath = /var/puppet/environments/CnodeSL6/modules
Config file `fileserver.conf`::
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom
# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
# [files]
# path /var/lib/puppet/files
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24
#[facts]
# path /etc/puppet/facts
# allow *.psi.ch
[GFA5]
path /afs/psi.ch/project/slscomp/puppet/gfa5
allow *.psi.ch
[GFA6]
path /afs/psi.ch/project/slscomp/puppet/gfa6
allow *.psi.ch
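The environment sections of `puppet.conf` and the mounts in `fileserver.conf` are the two places where a slip makes one user's tree visible to, or served to, the wrong clients, which is exactly what the objectives rule out. The script below is an added example and not part of the PSI setup: it audits both files before a puppetmaster restart. Every environment's `manifest` and `modulepath` must stay under `/var/puppet/environments/<environment>/`, and every fileserver mount must have a `path` and at least one `allow` line that is not the wildcard `*`. The function names and `ENV_ROOT` are chosen here; the two file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the PSI documentation: static checks over the
# master-side puppet.conf and fileserver.conf. ENV_ROOT is the environment
# root the document uses; the file names are passed as arguments.
ENV_ROOT=${ENV_ROOT:-/var/puppet/environments}

# Print one line for every environment section of puppet.conf whose manifest
# or modulepath lies outside /var/puppet/environments/<section>/. Such an
# entry makes one environment read another environment's tree. The built-in
# 0.24 sections are skipped.
check_environments() {
    awk -v root="$ENV_ROOT" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == "" || sec == "main" || sec == "puppetmasterd" || sec == "puppetd" || sec == "puppetca" { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != "manifest" && key != "modulepath") next
            want = root "/" sec "/"
            if (index(val, want) != 1)
                printf "[%s] %s %s is outside %s\n", sec, key, val, want
        }' "$1"
}

# Print one line per fileserver.conf mount that has no path, has no allow
# line, or is opened to every host with "allow *". Host-name patterns such
# as *.psi.ch are matched against the name the client authenticated with,
# so they are only as strong as the certificate signing policy.
check_fileserver() {
    awk '
        function report() {
            if (sec == "") return
            if (path == "")  printf "[%s] has no path\n", sec
            if (allows == 0) printf "[%s] has no allow line\n", sec
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            report()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            path = ""; allows = 0
            next
        }
        $1 == "path"  { path = $2 }
        $1 == "allow" {
            allows++
            if ($2 == "*") printf "[%s] allow * : readable by every host that can reach the master\n", sec
        }
        END { report() }' "$1"
}

# Run both checks; exit non-zero (and print the findings to stderr) if any
# line was reported. Meant to gate a puppetmaster restart.
audit_master_config() {
    out=$(check_environments "$1"; check_fileserver "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" >&2
    return 1
}
```

Typical use on the master is `audit_master_config /etc/puppet/puppet.conf /etc/puppet/fileserver.conf && /etc/init.d/puppetmaster restart`, so that a section copied from another user's environment, or a mount left at `allow *`, is caught before it is served.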
Mount AFS Volumes on Puppet Server
..................................
The puppet manifests for clients are located on AFS::
/afs/psi.ch/service/linux/puppet/var/puppet/environments/
AFS is already mounted as `/afs` in this default SL5 server installation::
# mount
...
AFS on /afs type afs (rw)
Now we want to remount
`/afs/psi.ch/service/linux/puppet/var/puppet/environments` on
`/var/puppet/environments`. The mount option `bind` is used for this; it
makes part of an already mounted filesystem visible at a second location
in the file hierarchy.
The server also needs the AFS permission to read the environments
directory. Add the new server to the AFS group
svc.linux:puppet_hosts. Note that this grants access to the IP address,
not to an authenticated principal: every process on that host can read
the manifests without presenting a Kerberos credential::
# pts ad -u <IP_ADDRESS> -g svc.linux:puppet_hosts
As shown below we do the remount in `/etc/rc.local`, which is executed
after all the other init scripts::
#!/bin/sh
touch /var/lock/subsys/local
# Puppet
mount -o bind /afs/psi.ch/service/linux/puppet/etc/puppet/environments /var/puppet/environments
# Restart Services depending on afs mounts
/etc/init.d/puppetmaster restart
Before the `rc.local` script can take effect, the AFS permissions that
make the files readable for psi-puppet1 have to be set. This was done
already, see topic
[[PuppetServerPsiPuppet2ForSl51#4_1_3_Mount_AFS_Volumes_on_Puppe][Puppet
Server Psi Puppet 2 For SL51]], so only the IP address of psi-puppet1 has
to be added to the AFS group `svc_linux:puppet_hosts` (the group is
written `svc.linux:puppet_hosts` above; `pts examine` shows which name
exists)::
# pts adduser 129.129.190.174 svc_linux:puppet_hosts
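The `rc.local` above restarts puppetmaster unconditionally, even when the AFS bind mount failed and `/var/puppet/environments` is still empty. The script below is an added example, not the PSI `rc.local`: it performs the same bind mount but only restarts the master when the source directory is reachable, the mount succeeded and the mounted tree is non-empty; on failure it stops the master so that clients see a refused connection rather than whatever the master started by init serves from the empty directory. The paths are those of the document; `ENV_SRC`, `ENV_DST`, `MOUNT_CMD`, `RESTART_CMD` and `STOP_CMD` are names introduced here, the latter three so the logic can be exercised as an unprivileged user.

```shell
#!/bin/sh
# Added example, not the rc.local from the document: a guarded version of
# the AFS bind mount for the puppet environments. Paths are the ones the
# document names; the command variables are overridable for testing.
ENV_SRC=${ENV_SRC:-/afs/psi.ch/service/linux/puppet/var/puppet/environments}
ENV_DST=${ENV_DST:-/var/puppet/environments}
MOUNT_CMD=${MOUNT_CMD:-mount}
RESTART_CMD=${RESTART_CMD:-"/etc/init.d/puppetmaster restart"}
STOP_CMD=${STOP_CMD:-"/etc/init.d/puppetmaster stop"}

# True if $1 is already a mount point (second field of /proc/mounts).
# Without /proc/mounts awk fails, which counts as "not mounted".
is_mountpoint() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# Bind-mount the environments and restart puppetmaster, or return 1 with a
# message on stderr at the first step that does not hold.
mount_environments() {
    if [ ! -d "$ENV_SRC" ]; then
        echo "mount_environments: $ENV_SRC not reachable, is AFS up?" >&2
        return 1
    fi
    if is_mountpoint "$ENV_DST"; then
        echo "mount_environments: $ENV_DST already mounted" >&2
    else
        mkdir -p "$ENV_DST" || return 1
        $MOUNT_CMD -o bind "$ENV_SRC" "$ENV_DST" || return 1
    fi
    # Even after a successful mount the tree can be empty (AFS volume
    # offline); never restart the master onto an empty environment root.
    if [ -z "$(ls -A "$ENV_DST" 2>/dev/null)" ]; then
        echo "mount_environments: $ENV_DST is empty, not restarting puppetmaster" >&2
        return 1
    fi
    $RESTART_CMD
}

# rc.local invokes the script with the argument "run"; any failure stops
# the master instead of leaving it running on the wrong tree.
if [ "${1:-}" = run ]; then
    mount_environments || $STOP_CMD
fi
```

From `rc.local` call it as `sh /usr/local/sbin/mount-environments.sh run` (an assumed install path); the failure line it writes to stderr ends up in the boot log, which is where a missing AFS mount should first be noticed.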
Configuring Puppet Reporting
............................
There are a number of different report processors available on the
puppetmaster. The default report, store, simply stores the report file
on the disk.
By default, each client is configured not to report back to the
master. It has to be enabled either by the report option in
`puppet.conf` or using `--report` on the command line.
`/etc/puppet/puppet.conf`::
[puppetd]
report = true
Command line::
# puppetd --report
Store Report Processor
,,,,,,,,,,,,,,,,,,,,,,
Enable the store report processor with the `reports` option in the
`puppetmasterd` section of `puppet.conf` on the master.
`/etc/puppet/puppet.conf`::
[puppetmasterd]
reports = store
The default reports directory is `$vardir/reports`.
Tagmail Report Processor
,,,,,,,,,,,,,,,,,,,,,,,,
Enable the tagmail report processor with the `reports` option in the
`puppetmasterd` section of `puppet.conf` on the master. The
`tagmail.conf` file contains a list of tags and email addresses. The
special tags `all` and `err` are defined implicitly.
`/etc/puppet/puppet.conf`::
[puppetmasterd]
reports = tagmail
tagmap = $confdir/tagmail.conf
`/etc/puppet/tagmail.conf`::
all: marc.gasser@psi.ch
err: marc.gasser@psi.ch
Rrdgraph Report Processors
,,,,,,,,,,,,,,,,,,,,,,,,,,
To enable the `rrdgraph` reports, `rrdtool` and `rrdtool-ruby`
packages have to be installed.
Download the packages from the following repository:
`/etc/yum.repos.d/epeli386.repo`::
[epeli386]
name=epel i386
baseurl=http://download.fedora.redhat.com/pub/epel/5/i386/
enabled=0
Then fetch and install them::
# yumdownloader --enablerepo=epeli386 rrdtool.i386 rrdtool-ruby.i386
# yum install rrdtool-1.2.27-3.el5.i386.rpm
# yum install rrdtool-ruby-1.2.27-3.el5.i386.rpm
You might want to put them into your local repository, too.
**Note**: For the time being put them to `psi-beta`, because they
break dependencies in the other repositories.
Then, configure `puppet.conf` by adding the lines shown below in the
corresponding section. Here store, tagmail and rrdgraph are enabled.
`/etc/puppet/puppet.conf`::
[puppetmasterd]
reports = store, tagmail, rrdgraph
rrddir = $vardir/rrd
rrdinterval = $runinterval
rrdgraph = true
Install The Ganglia Monitor Daemon
..................................
Install `ganglia-gmond-3.0.6-4.slp5` and add the configuration file
`/etc/gmond.conf` as shown below::
/* This configuration is as close to 2.5.x default behavior as possible
The values closely match ./gmond/metric.h definitions in 2.5.x */
globals {
daemonize = yes
setuid = yes
user = nobody
debug_level = 0
max_udp_msg_len = 1472
mute = no
deaf = no
host_dmax = 0 /*secs */
cleanup_threshold = 300 /*secs */
gexec = no
}
/* If a cluster attribute is specified, then all gmond hosts are wrapped inside
* of a <CLUSTER> tag. If you do not specify a cluster tag, then all <HOSTS> will
* NOT be wrapped inside of a <CLUSTER> tag. */
cluster {
name = "puppet"
owner = "unspecified"
latlong = "unspecified"
url = "unspecified"
}
/* The host section describes attributes of the host, like the location */
host {
location = "unspecified"
}
/* Feel free to specify as many udp_send_channels as you like. Gmond
used to only support having a single channel */
udp_send_channel {
mcast_join = 239.129.190.89
port = 8649
}
/* You can specify as many udp_recv_channels as you like as well. */
udp_recv_channel {
mcast_join = 239.129.190.89
port = 8649
bind = 239.129.190.89
}
# udp_recv_channel {
# host = "puppet"
# port = 8649
# }
/* You can specify as many tcp_accept_channels as you like to share
an xml description of the state of the cluster */
tcp_accept_channel {
port = 8649
}
/* The old internal 2.5.x metric array has been replaced by the following
collection_group directives. What follows is the default behavior for
collecting and sending metrics that is as close to 2.5.x behavior as
possible. */
/* This collection group will cause a heartbeat (or beacon) to be sent every
20 seconds. In the heartbeat is the GMOND_STARTED data which expresses
the age of the running gmond. */
collection_group {
collect_once = yes
time_threshold = 20
metric {
name = "heartbeat"
}
}
/* This collection group will send general info about this host every 1200 secs.
This information doesn't change between reboots and is only collected once. */
collection_group {
collect_once = yes
time_threshold = 1200
metric {
name = "cpu_num"
}
metric {
name = "cpu_speed"
}
metric {
name = "mem_total"
}
/* Should this be here? Swap can be added/removed between reboots. */
metric {
name = "swap_total"
}
metric {
name = "boottime"
}
metric {
name = "machine_type"
}
metric {
name = "os_name"
}
metric {
name = "os_release"
}
metric {
name = "location"
}
}
/* This collection group will send the status of gexecd for this host every 300 secs */
/* Unlike 2.5.x the default behavior is to report gexecd OFF. */
collection_group {
collect_once = yes
time_threshold = 300
metric {
name = "gexec"
}
}
/* This collection group will collect the CPU status info every 20 secs.
The time threshold is set to 90 seconds. In honesty, this time_threshold could be
set significantly higher to reduce unneccessary network chatter. */
collection_group {
collect_every = 20
time_threshold = 90
/* CPU status */
metric {
name = "cpu_user"
value_threshold = "1.0"
}
metric {
name = "cpu_system"
value_threshold = "1.0"
}
metric {
name = "cpu_idle"
value_threshold = "5.0"
}
metric {
name = "cpu_nice"
value_threshold = "1.0"
}
metric {
name = "cpu_aidle"
value_threshold = "5.0"
}
metric {
name = "cpu_wio"
value_threshold = "1.0"
}
/* The next two metrics are optional if you want more detail...
... since they are accounted for in cpu_system.
metric {
name = "cpu_intr"
value_threshold = "1.0"
}
metric {
name = "cpu_sintr"
value_threshold = "1.0"
}
*/
}
collection_group {
collect_every = 20
time_threshold = 90
/* Load Averages */
metric {
name = "load_one"
value_threshold = "1.0"
}
metric {
name = "load_five"
value_threshold = "1.0"
}
metric {
name = "load_fifteen"
value_threshold = "1.0"
}
}
/* This group collects the number of running and total processes */
collection_group {
collect_every = 80
time_threshold = 950
metric {
name = "proc_run"
value_threshold = "1.0"
}
metric {
name = "proc_total"
value_threshold = "1.0"
}
}
/* This collection group grabs the volatile memory metrics every 40 secs and
sends them at least every 180 secs. This time_threshold can be increased
significantly to reduce unneeded network traffic. */
collection_group {
collect_every = 40
time_threshold = 180
metric {
name = "mem_free"
value_threshold = "1024.0"
}
metric {
name = "mem_shared"
value_threshold = "1024.0"
}
metric {
name = "mem_buffers"
value_threshold = "1024.0"
}
metric {
name = "mem_cached"
value_threshold = "1024.0"
}
metric {
name = "swap_free"
value_threshold = "1024.0"
}
}
collection_group {
collect_every = 40
time_threshold = 300
metric {
name = "bytes_out"
value_threshold = 4096
}
metric {
name = "bytes_in"
value_threshold = 4096
}
metric {
name = "pkts_in"
value_threshold = 256
}
metric {
name = "pkts_out"
value_threshold = 256
}
}
/* Different than 2.5.x default since the old config made no sense */
collection_group {
collect_every = 1800
time_threshold = 3600
metric {
name = "disk_total"
value_threshold = 1.0
}
}
collection_group {
collect_every = 40
time_threshold = 180
metric {
name = "disk_free"
value_threshold = 1.0
}
metric {
name = "part_max_used"
value_threshold = 1.0
}
}
Start the daemon::
# /etc/init.d/gmond start
See puppet at http://129.129.190.27/ganglia/. For the ganglia server
configuration ask Valeri Markushin. Note that the `tcp_accept_channel`
above carries no `acl` block, so any host that can reach port 8649 on
psi-puppet1 can pull the XML description of the whole cluster state.
Install The Networker Backup Client (Legato)
............................................
References:
- [[http://ait.web.psi.ch/services/central_backup/][Information for Backup Client Administrators]]
- [[http://ait.web.psi.ch/services/central_backup/nsr_install_lnx.html][Networker Client installation on Linux ]]
Install the Networker client packages, the client itself and the
manual pages. By default `yum` pulls in a lot of dependencies for the
Networker GUI, which makes restores more convenient. Restores can also
be done from the command line, however, so the whole X installation is
skipped. To do so the packages have to be installed without dependencies.
Because `yum` cannot install without dependencies, `yumdownloader` is
used to fetch the packages and `rpm -i --nodeps` to install them.
First install `yumdownloader`::
# yum install yum-utils
Install the rest::
# yumdownloader --enablerepo=psi-beta lgtoclnt.i686 lgtoman.i686
# rpm -ivh --nodeps lgtoclnt-7.4.2-1.i686.rpm lgtoman-7.4.2-1.i686.rpm
Start the Networker daemon::
# service networker start
The `/nsr` directory is automatically created. Add the string
`bs1.psi.ch` in the file `/nsr/res/server`.
Restart the Networker daemon::
# service networker stop
# service networker start
Now, contact the backup server administrator, Marco Kohler, so he can
add the host and the directories of interest to the backup service.
The next steps are for facilitating the task of the backup server
administrator.
Create the file `~/nsradmin74_x.txt` with the following three lines::
update administrator:"isroot,host=psi-puppet1","isroot,host=localhost","isroot,host=bs1","user=root,host=localhost","user=administrator,host=bs1"
. type: NSR System Port Ranges
update administrator:"isroot,host=psi-puppet1","isroot,host=localhost","isroot,host=bs1","user=root,host=localhost","user=administrator,host=bs1"
Then execute the command below and check the output::
# nsradmin -i ~/nsradmin74_x.txt -p nsrexec
updated resource id 3.0.104.17.41.235.57.74.129.129.190.174(7)
updated resource id 9.0.104.17.41.235.57.74.129.129.190.174(2)
updated resource id 8.0.168.18.5.236.57.74.129.129.190.174(2)
updated resource id 9.0.168.18.5.236.57.74.129.129.190.174(2)
Current query set
updated resource id 7.0.104.17.41.235.57.74.129.129.190.174(2)
Finally, test if the installation was successful::
# service networker stop
# service networker start
# service networker status
+--o nsrexecd (5995)
**Note**: Open files will not necessarily be considered during the
backup run. It depends on their locking state.
How To Update the Networker Backup Client
.........................................
Because the Networker RPM is not cleanly packed, updating the client
requires deinstallation of the old and installation of the new
package.
First the old `/nsr` directory has to be deleted. Then repeat the
whole procedure shown in the previous section.
The Networker Administration Program
....................................
To start the Networker administration shell type the following
command::
# nsradmin -p nsrexec
The Networker Recover Tool
..........................
Check out the manpage of `recover`::
# man recover
Setup The Puppet Client
~~~~~~~~~~~~~~~~~~~~~~~
At this time the only difference between the old and the new client
configuration is the name of the puppet server in the file
`/etc/puppet/puppet.conf`, `psi-puppet1` instead of `pxeserv01`.
File `/etc/puppet/puppet.conf` on `vmmarctest1.psi.ch`::
[main]
vardir = /var/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
environment = development
[puppetd]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
factsync = true
server = psi-puppet1.psi.ch
Because the new puppet server serves the same sources (files) as the
current production server, we set the immutable attribute on the file
above; otherwise the next `puppetd` run would change the server entry
back to `pxeserv01`.
The sources are located at
`/afs/psi.ch/software/linux/dist/scientific/51/puppet/files/` on
AFS. This path is set in the file `/etc/puppet/fileserver.conf` on the
puppet server.
Make First Tests
~~~~~~~~~~~~~~~~
Start the puppetmaster::
# /etc/init.d/puppetmaster start
Test it with a client (the options are: keep the process in the
foreground, run once and be verbose). To see what would change without
applying anything, add `--noop` for a dry run::
# [root@vmmarctest1 ~]
# puppetd --noop --no-daemonize -o -v
The output of a real run (without `--noop`) looked like this::
# puppetd --no-daemonize -o -v
info: Loading fact sysconfig_psi
info: Loading fact sysconfig_psi-gfa
info: Creating a new certificate request for vmmarctest1.psi.ch
info: Creating a new SSL key at /var/puppet/ssl/private_keys/vmmarctest1.psi.ch.pem
warning: peer certificate won't be verified in this SSL session
notice: Got signed certificate
info: Retrieving facts
info: Loading fact sysconfig_psi
info: Loading fact sysconfig_psi-gfa
info: Caching catalog at /var/puppet/localconfig.yaml
notice: Starting catalog run
notice: //Node[default]/psi_localadmin/Exec[/usr/bin/psi-fix_file_permission >/dev/null]/returns: executed successfully
info: Filebucket[/var/puppet/clientbucket]: Adding /usr/share/texmf/dvips/config/config.ps(1611c4bb4b35341f1945059ff774c6df)
notice: //Node[default]/psi_base/File[/usr/share/texmf/dvips/config/config.ps]: Filebucketed to with sum 1611c4bb4b35341f1945059ff774c6df
notice: //Node[default]/psi_base/File[/usr/share/texmf/dvips/config/config.ps]/source: replacing from source puppet://psi-puppet1.psi.ch/51/Desktop/usr/share/texmf/dvips/config/config.ps with contents {md5}b265606dc098a5414f3acd71a8831ef1
notice: //Node[default]/psi_puppet/File[/etc/puppet/puppet.conf]/checksum: checksum changed '{md5}f2944bb81bfbe22b2a2ac4c9197563f3' to '{md5}be67850ccad5409063a56de9d5a516d3'
notice: //Node[default]/psi_puppet/File[/etc/puppet/puppet.conf]: Filebucketed to with sum be67850ccad5409063a56de9d5a516d3
err: //Node[default]/psi_puppet/File[/etc/puppet/puppet.conf]: Could not rename tmp /etc/puppet/puppet.conf for replacing: Operation not permitted - /etc/puppet/puppet.conf.puppettmp or /etc/puppet/puppet.conf
notice: //Node[default]/psi_puppet/File[/etc/puppet/puppet.conf]/source: replacing from source puppet://psi-puppet1.psi.ch/51/Desktop/etc/puppet/puppet.conf.testing with contents {md5}f2944bb81bfbe22b2a2ac4c9197563f3
info: Filebucket[/var/puppet/clientbucket]: Adding /etc/sysctl.conf(d5716d328f5b840eb4e13ae1d2896fe9)
notice: //Node[default]/psi_base/File[/etc/sysctl.conf]: Filebucketed to with sum d5716d328f5b840eb4e13ae1d2896fe9
notice: //Node[default]/psi_base/File[/etc/sysctl.conf]/source: replacing from source puppet://psi-puppet1.psi.ch/51/Desktop/etc/sysctl.conf with contents {md5}d576ff606d3f93df26965e7ef364bd07
notice: //Node[default]/psi_yum/Exec[/usr/sbin/psi-get-yumconf]/returns: executed successfully
notice: Finished catalog run in 6.22 seconds
So this looks promising: the client got its configuration from the new
puppet server. Only the file `/etc/puppet/puppet.conf` could not be
changed, which is expected because the immutable flag was set.
Two things in this output deserve attention before the server goes to
production. First, `peer certificate won't be verified in this SSL
session` is logged while the client has no CA certificate yet: the very
first contact with psi-puppet1 is unauthenticated, so whichever CA
answers is trusted on first use. Second, the certificate request was
signed immediately within the same run (`Got signed certificate`), which
indicates that the master auto-signs requests for this host; whether
that stays enabled for production clients should be a deliberate
decision.
Next Steps
----------
- Verify migration order (server, client or vice versa)
- Finalize basic server setup (verify that no config agents compromise
the system, e.g. puppetd which could be executed by cron or during
boot time, etc.), check whether it makes sense to use DNS aliases
for the hostname.
- Shall server configuration files be stored locally or mounted from
AFS?
`psi-puppet1:/etc/rc.d/rc.local` has been prepared (not activated yet)
for the AFS mount::
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
# Puppet
#mount -o bind /afs/psi.ch/service/linux/puppet/etc/puppet-0.24.7-4 /etc/puppet
# Restart Services depending on afs mounts
#/etc/init.d/puppetmaster restart
The whole current puppetserver configuration from /etc/puppet/ was
copied to `/afs/psi.ch/service/linux/puppet/etc/puppet-0.24.7-4`.
- If mounted from AFS the question remains how root@psi-puppet1 gets
the permission to mount the mentioned AFS directory.
- Shall the client configuration manifests be stored locally or on
AFS?
Locally: `/var/puppet/environments/`
AFS: `/afs/psi.ch/service/linux/puppet/etc/puppet-0.24.7-4/environments/`
- Run the puppetmaster on hardware or vmware? Hardware.
- When the server is going to production the IP has to be changed, see
*Static IP for Production Server* above. Done.
- When the server is going to production the PSI firewall has to be
adjusted. (Refer to Tobias)
- Test old clients against the new server and new clients against the
old server.
- Test with a limited number of new clients against the new server.