[Pkg-puppet-devel] Bug#1079793: puppetserver 7 upgrade doesn't clean up old puppetmaster 5 files
Jérôme Charaoui
jerome at riseup.net
Tue Aug 27 15:11:19 BST 2024
Hello,

Just a note of caution: the upgrade from puppet-master to puppetserver
uses the same "puppet.conf" configuration, which sometimes has the
"vardir" setting defined to "/var/lib/puppet". If that's the case, then
this directory will not only contain the "old puppetmaster" files, but
also the new ones.

As for the ssl files, puppetserver has some heuristics to move the files
itself on upgrade, see the "puppetserver migrate" command. Since the
puppetserver CA files are quite sensitive and losing them can cause a
serious outage, my preference would be to *not* touch these at all with
the package maintscripts.

In general, I'm weary of dealing with this issue because the medicine
might end up being worse than the disease (a few stray files).

Maintainer's time is also scarce, and I'm also tempted to mention that
the 5.5 -> 7 upgrade ship in Debian has sailed...

Thanks,

-- Jérôme

On 2024-08-27 at 09:50, Antoine Beaupre wrote:
> Package: puppetserver
> Version: 7.9.5-2
> Severity: minor
>
> This is a followup for #1078911 which was interpreted as only an
> emergency fix to cleanup large report directories.
>
> But it seems to me there's more work to be done here: in that bug
> report, I described a situation where I had lots of old reports lying
> around from the old puppetmaster in /var/lib/puppet. I have also just
> realized I have "facts" from the previous puppetmaster here:
>
> anarcat@marcos:~$ sudo ls -al /var/lib/puppet/yaml/facts
> total 164
> drwxr-xr-x 2 puppet puppet 4096 4 avr 2023 .
> drwxr-x--- 3 puppet puppet 4096 22 jun 2020 ..
> -rw-rw---- 1 puppet puppet 19614 25 jan 2023 angela.anarc.at.yaml
> -rw-rw---- 1 puppet puppet 15192 25 jan 2023 curie.anarc.at.yaml
> -rw-rw---- 1 puppet puppet 13463 21 aoû 2020 emma.anarc.at.yaml
> -rw-rw---- 1 puppet puppet 14625 25 jan 2023 louise.anarc.at.yaml
> -rw-rw---- 1 puppet puppet 54690 25 jan 2023 marcos.anarc.at.yaml
> -rw-rw---- 1 puppet puppet 24955 25 jan 2023 tubman.anarc.at.yaml
>
> I'm not sure how to tell the "client" from the "server" stuff apart, so
> this is a bit tricky. But I even found an old CA in there... Perhaps we
> could move over or delete the files owned by "puppet" in there?
>
> anarcat@marcos:~$ sudo find /var/lib/puppet -user puppet -type d
> /var/lib/puppet
> /var/lib/puppet/bucket
> /var/lib/puppet/ssl
> /var/lib/puppet/ssl/private_keys
> /var/lib/puppet/ssl/certificate_requests
> /var/lib/puppet/ssl/public_keys
> /var/lib/puppet/ssl/private
> /var/lib/puppet/ssl/certs
> /var/lib/puppet/ssh_keys
> /var/lib/puppet/ssh_keys/curie.anarc.at
> /var/lib/puppet/ssh_keys/emma.anarc.at
> /var/lib/puppet/ssh_keys/angela.anarc.at
> /var/lib/puppet/preview
> /var/lib/puppet/yaml
> /var/lib/puppet/yaml/facts
> /var/lib/puppet/server_data
>
> Not sure how to untangle this, but we should at least have an upgrade
> procedure for this.
>
> -- System Information:
> Debian Release: 12.6
> APT prefers stable-security
> APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (1, 'unstable'), (1, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.1.0-23-amd64 (SMP w/12 CPU threads; PREEMPT)
> Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages puppetserver depends on:
> ii default-jre-headless 2:1.17-74
> ii facter 4.3.0-2
> ii hiera 3.10.0-1
> ii jruby 9.3.9.0+ds-8
> ii libclj-time-clojure 0.15.2-2
> ii libclj-yaml-clojure 0.7.2-1
> ii libclojure-java 1.11.1-2
> ii libcomidi-clojure 0.3.2-2
> ii libcommons-exec-java 1.3-2
> ii libcommons-io-java 2.11.0-2
> ii libcommons-lang-java 2.6-10
> ii libdropwizard-metrics-java 3.2.6-1
> ii libdujour-version-check-clojure 0.2.3-1
> ii libjruby-utils-clojure 4.0.3-4
> ii libkitchensink-clojure 3.2.1-1
> ii libliberator-clojure 0.15.3-1
> ii libprismatic-schema-clojure 1.2.0-4
> ii libpuppetlabs-http-client-clojure 2.1.1-1
> ii libpuppetlabs-i18n-clojure 0.9.2-2
> ii libpuppetlabs-ring-middleware-clojure 1.3.1-3
> ii libraynes-fs-clojure 1.5.2-1
> ii libsemver-clojure 0.3.0-2
> ii libshell-utils-clojure 1.0.2-3
> ii libslingshot-clojure 0.12.2-3
> ii libssl-utils-clojure 3.5.0-2
> ii libtrapperkeeper-authorization-clojure 1.0.0-4
> ii libtrapperkeeper-clojure 3.2.0-4
> ii libtrapperkeeper-comidi-metrics-clojure 0.1.2-2
> ii libtrapperkeeper-filesystem-watcher-clojure 1.2.2-3
> ii libtrapperkeeper-metrics-clojure 1.5.0-5
> ii libtrapperkeeper-scheduler-clojure 1.1.3-7
> ii libtrapperkeeper-status-clojure 1.1.1-4
> ii libtrapperkeeper-webserver-jetty9-clojure 4.4.1-5
> ii libyaml-snake-java 1.33-2
> ii puppet-agent 7.23.0-1
> ii ruby 1:3.1
> ii ruby-deep-merge 1.1.1-2
> ii ruby-fast-gettext 2.0.3-2
> ii ruby-gettext 3.3.3-2
> ii ruby-hocon 1.3.1-2
> ii ruby-locale 2.1.3-1
> ii ruby-puppet-resource-api 1.8.16-2
> ii ruby-puppetserver-ca-cli 2.4.0-4
> ii ruby-semantic-puppet 1.0.4-1
> ii ruby-text 1.3.1-1
>
> Versions of packages puppetserver recommends:
> ii puppet-module-puppetlabs-augeas-core 1.1.2-1
> ii puppet-module-puppetlabs-cron-core 1.1.0+dfsg1-1
> pn puppet-module-puppetlabs-host-core <none>
> pn puppet-module-puppetlabs-mount-core <none>
> pn puppet-module-puppetlabs-selinux-core <none>
> ii puppet-module-puppetlabs-sshkeys-core 2.3.0-1
>
> puppetserver suggests no packages.
>
> -- Configuration Files:
> /etc/puppet/puppetserver/conf.d/auth.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/auth.conf'
> /etc/puppet/puppetserver/conf.d/ca.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/ca.conf'
> /etc/puppet/puppetserver/conf.d/global.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/global.conf'
> /etc/puppet/puppetserver/conf.d/metrics.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/metrics.conf'
> /etc/puppet/puppetserver/conf.d/puppetserver.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/puppetserver.conf'
> /etc/puppet/puppetserver/conf.d/web-routes.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/web-routes.conf'
> /etc/puppet/puppetserver/conf.d/webserver.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/webserver.conf'
> /etc/puppet/puppetserver/logback.xml [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/logback.xml'
> /etc/puppet/puppetserver/request-logging.xml [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/request-logging.xml'
> /etc/puppet/puppetserver/services.d/bootstrap.cfg [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/services.d/bootstrap.cfg'
> /etc/puppet/puppetserver/services.d/ca.cfg [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/services.d/ca.cfg'
>
> -- no debconf information
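
The caution in the reply above (a shared "vardir" and the sensitive ssl/CA tree) can be turned into a read-only pre-check. This is an added example, not code from the thread or from the Debian package; the function names are hypothetical, and it assumes a puppet.conf with no "vardir" line uses a default located elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks before any cleanup.

# Print "section<TAB>value" for every vardir setting in a puppet.conf.
# A setting that appears before any [section] header is shown as "main".
vardir_settings() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        /^[ \t]*\[[^]]+\][ \t]*$/ {                  # [section] header
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, "")
            section = $0; next
        }
        /^[ \t]*vardir[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            if ($0 != "/") sub(/\/+$/, "")           # ignore trailing slash
            printf "%s\t%s\n", (section == "" ? "main" : section), $0
        }
    ' "$1"
}

# Exit 0 if any section sets vardir to the directory: puppetserver then
# writes its own files there, mixed with the old puppetmaster ones.
# Assumption: a config with no vardir line uses a default located elsewhere.
vardir_in_use() {
    vardir_settings "$1" |
        awk -F '\t' -v d="${2%/}" '$2 == d { found = 1 } END { exit !found }'
}

# Print top-level entries a cleanup could look at: nothing while the
# directory is the live vardir, and never the ssl tree (CA and keys).
cleanup_candidates() {
    vardir_in_use "$1" "$2" && return 0
    find "$2" -mindepth 1 -maxdepth 1 ! -name ssl | sort
}

# Constructed sample: a puppet.conf carried over from the puppetmaster era.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[main]
    ssldir = /var/lib/puppet/ssl
    vardir = /var/lib/puppet/
[server]
    # reports = store
EOF
vardir_settings "$sample"
if vardir_in_use "$sample" /var/lib/puppet; then
    echo "/var/lib/puppet is the live vardir: do not purge it"
fi
rm -f "$sample"
```

Nothing here deletes or moves files; cleanup_candidates only prints paths for a human to review.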