The Puppet maintainers in Debian have done amazing work and Bookworm will introduce a current stack:
- puppetserver 7.9.5 https://tracker.debian.org/pkg/puppetserver
- puppetdb 7.12.1 https://tracker.debian.org/pkg/puppetdb
- facter 4.3.0 https://tracker.debian.org/pkg/facter
- hiera 3.10.0 https://tracker.debian.org/pkg/hiera
- puppet-agent 7.23.0 https://tracker.debian.org/pkg/puppet-agent
Based on a discussion with John and myself, the plan to move towards Puppet 7 would lead towards installing the new setup in parallel:
- We already have a pair of puppetdb servers running on Bookworm on new hardware (puppetdb1003/puppetdb2003). With this there's also general compatibility of our Puppet tree with current facter and puppet-agent (there will be a need for more fine-tuning and some use cases used by other roles, but the general support is present)
- There's new hardware (puppetmaster[12]004/[12]005) meant to replace the old puppetmaster[12]00[12] servers. We can install puppetmaster[12]005 with Bookworm as the new puppetserver 7 frontends and puppetmaster[12]004 as the new puppetserver backends
- Create a separate Ganeti VM for puppetboard and serve it under a distinct URL like puppetboard7.wikimedia.org
- Modify puppet-merge on puppetmaster[12]001 to sync every puppet change also towards puppetmaster[12]00[45]
- Configure an additional/separate puppetdb 7 backend in Cumin
- Modify the agent configuration to use a separate puppet7 CNAME (and create it)
- Write a cookbook to remove a host from the Puppet 5 masters, add it to the Puppet 7 masters and modify the agent config to use the puppet7 CNAME
- Modify PCC to also compile every patch with Puppet 7 in parallel
Once there are two setups in parallel we can:
- Use the cookbook to move the sretest* servers (and some other hosts like idp-test and some other canaries) towards Puppet 7 (Buster/Bullseye/Bookworm on the agent side), test and fix up all issues
- Use the cookbook to move ulsfo towards the Puppet 7 setup (and observe/fix for some time)
- Use the cookbook to move all the remaining servers to Puppet 7
- Migrate config-master over to puppetmaster1005
- Reimage puppetmaster[12]003 with Bookworm
- Decom puppetmaster[12]00[12] and the old puppetboard VM
Blockers to an upgrade
- update the current infrastructure to the latest 5.5 version T265139
- update the puppet compiler T236373
- migrate any scripts away from deprecated CA functions and certificate authority api and subcommands
- ensure manifests use the correct namespace PUP-4242
- Check if we prefer the chatty tidy behaviour PUP-8667
- drop the pluginsync config PUP-8532
- upgrade puppetdb servers
- migrate puppet master away from webrick to clojure app PUP-8591
- migrate puppet CA (likely the same work as moving to clojure) PUP-8912
- update puppet agents
- update CI jobs to have a minimum ruby version of 2.3. This implies no jessie agents
- Remove any features or functions deprecated in puppet 5.5 (including hiera version3 and hiera_* functions)
puppet forge core type
When Puppet version 6 was released, a bunch of core resource types were removed from the Puppet code base and spun off as external Forge modules. We should be aware of any resources we are using which fall into this category and either migrate to a different module/type or add the core modules to our code base when we upgrade
- migrate all cron types to systemd::timer::job
- if still using nagios migrate to puppetlabs/nagios_core as nagios types are no longer core puppet
- Check which other native types need to be migrated
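One way to run that check over the manifest tree, as an added example rather than code from this task or from Puppet. The type-to-module table is an assumption based on the Puppet 6 split and covers only a subset of the moved types, so verify it against the Forge; the sample manifest is constructed.

```python
import re

# Assumption: subset of the types moved out of core in Puppet 6, mapped to the
# puppetlabs module that ships them now. Not taken from the task above.
REMOVED_CORE_TYPES = {
    "augeas": "augeas_core", "cron": "cron_core", "host": "host_core",
    "mount": "mount_core", "selboolean": "selinux_core", "selmodule": "selinux_core",
    "sshkey": "sshkeys_core", "ssh_authorized_key": "sshkeys_core",
    "yumrepo": "yumrepo_core", "zfs": "zfs_core", "zpool": "zfs_core", "zone": "zone_core",
}

# Matches a declaration ("cron {", "@@sshkey {"), a resource default ("Cron {")
# or a reference ("Mount['/srv']"); skips variables and namespaced names.
USE_RE = re.compile(r"(?<![\w:$])@{0,2}([A-Za-z][a-z0-9_]*)\s*[\[{]")

def module_for(type_name):
    """Return the Forge module that ships this type, or None if it is not in the table."""
    name = type_name.lower()
    if name.startswith("nagios_"):
        return "puppetlabs/nagios_core"
    core = REMOVED_CORE_TYPES.get(name)
    return f"puppetlabs/{core}" if core else None

def scan_manifest(text):
    """Return (line_number, type, module) for each use of a removed core type."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # crude comment strip; ignores '#' in strings
        for match in USE_RE.finditer(code):
            module = module_for(match.group(1))
            if module:
                hits.append((lineno, match.group(1).lower(), module))
    return hits

# Constructed sample manifest, not from the Wikimedia tree.
SAMPLE = """\
class profile::example {
    cron { 'rotate-logs': command => '/usr/local/bin/rotate', require => Mount['/srv'] }
    # host { 'ignored': } commented out
    @@sshkey { $facts['networking']['fqdn']: type => 'ed25519' }
    nagios_host { 'web1': ensure => present }
    file { '/etc/motd': content => 'hi' }
}
"""

if __name__ == "__main__":
    for hit in scan_manifest(SAMPLE):
        print(hit)
```

Each hit is either a resource to migrate (for example cron to systemd::timer::job) or a reason to add the listed module to the code base before the upgrade.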
Benefits to explore (some of these benefits have been realized by updating to the latest 5.5 branch)
- explore rich_data type T236481
- deferred functions
- puppet ssl command
- A sane API for custom type/providers
- Check if we still need to systemd reload-daemon ourselves PUP-3483
- group_by/partition_by
- ECC keys PUP-2606
- Scriptable external_trusted_facts PUP-9994
- resubmit_facts could be useful for cumin? PUP-5934
- can mark packages as manual PUP-6631 T195981
- use a stubbed facter implementation https://github.com/ekohl/voxpupuli-test/commit/5d5bd4791d212ae72c0e295bae25818381bbd8cd