192020-07-19 22:32:49ClintonEbadicondensed a bit182020-07-19 22:01:36ClintonEbadifixed triggering apt update before installing packages, but this breaks new things!172020-07-19 21:56:47ClintonEbadi"fixed" ntp port failure by using raw port number162020-07-19 08:05:27ClintonEbadihave to switch to iptables-legacy before doing anything, fixes fail2ban chain problems152020-07-19 07:10:44ClintonEbadiafs builds, still have other issues142020-03-10 02:47:17ClintonEbadiphp 5.6 is not actually gone, packages just weren't available in first run132020-03-10 02:41:36ClintonEbadiphp 5.6 is not in buster, even in sury122020-03-10 02:35:52ClintonEbadifail2ban breaks puppet-firewall on buster, cool112020-03-08 05:11:57ClintonEbadipunting on ssmtp for this release cycle102020-03-08 05:11:09ClintonEbadiI think I fixed the openafs initial build failure92020-03-08 02:48:13ClintonEbadimail is VERY FUN82020-03-07 23:20:44ClintonEbadiremove firewall b0rked section: it was just because we needed to update puppetlabs-firewall to a version with buster support, forces iptables-legacy instead of iptables-nft72020-03-07 04:46:50ClintonEbadimore broken bits62020-03-07 04:37:26ClintonEbadi52020-03-07 04:34:12ClintonEbadi42020-03-07 04:33:31ClintonEbadikernel was outdated after booting, note so I remember to add this to common steps32020-03-07 04:23:32ClintonEbadia few hiccups, as expected22020-03-07 03:52:54ClintonEbadifinally realized why we have to add domain hcoop.net resolv.conf before installing12020-03-07 02:56:17ClintonEbadinew buster test serverServer busted.hcoop.net is a virtual machine at DigitalOcean that was created to work on the Debian Stretch to Buster upgrade. It's name is just an allusion to it being broken by design.

Newer kernel and some other base packages are available right out of the bat, need to upgrade so we can have working kernel headers for the afs build and whatnot. Added to general setup notes. Puppet does not support NFT, even using iptables-nft which is default iptables implementation in Debian 10. Before the first reboot, switch the implementation to iptables-legacy. We have to manually install gnupg; the rule we use to force an apt-get update when adding new sources makes it impossible for Apt::Key to install gnupg and verify keys, game over. > /etc/resolv.conf apt update && apt upgrade -y && apt install gnupg -y update-alternatives --set iptables /usr/sbin/iptables-legacy update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy wget https://apt.puppetlabs.com/puppet6-release-buster.deb && dpkg -i puppet6-release-buster.deb && apt update && apt install puppet-agent reboot # after reboot: /opt/puppetlabs/bin/puppet agent --test --onetime --noop --waitforcert 15]]>

We can't really get around manually opening the firewall for the agent on the puppetmaster... at our scale this isn't a big deal anyway. Like others, had to set domain hcoop.net manually in /etc/resolv.conf. It looks like the only reason we need this is for the initial puppet connection. So I tried setting the agent config at /etc/puppetlabs/puppet/puppet.conf to: But the cert for the master only has the fqdn of its concrete hostname, and the alias puppet with no domain If we could regenerate this to also include CN:puppet.hcoop.net, the manual edit that needed to be done would at least be more related to the limitation in our infrastructure that mandates it...

GNU mailutils now provides /usr/bin/mail instead of bsd-mailx. It treats addresses a bit differently, appending the hostname. So mail -s "foo" root goes to root@busted.hcoop.net instead of just root which is then rewritten to logs@hcoop.net. The message then gets stuck in exim forever until it gets frozen and purged. Not sure we want to switch back to bsd-mailx over this though, for now keep mailutils as the default provider.

After adding logic to hcoop::service::apt to force an `apt-get update' after any sources change before installing packages: ~> Class['apt::update'] -> Package <| |>]]>A new problem arose: Error: Could not find a suitable provider for apt_key, because the apt::key type needs Package['gnupg'] to verify keys in order to add the repository, and it can't install it because it can't verify the keys of the custom repos... Worked around by installing, not sure of general fix ... might be able to force installation of gnupg before Apt::Key in the hcoop::service::apt class ... but I think that might create a dependency cycle.

minor issue, but might want to address. We're still installing to just /usr/lib instead of /usr/lib/x86_64-linux-gnu/ (need to update package to comply with multiarch)

We need to switch to msmtp Switching to msmtp proved to be difficult, lowuid rewriting to send mails to logs@ alias is not working, and can't work as far as I can tell. I ended up just backporting ssmtp since it's not removed from Debian, but just didn't get moved into buster (it's also just a bit unmaintained). It might be easier to just set up exim in satellite mode going forward instead.

CategorySystemAdministration