Hello,

Just a note of caution: the upgrade from puppet-master to puppetserver uses the same "puppet.conf" configuration, which sometimes has the "vardir" setting defined to "/var/lib/puppet". If that's the case, then this directory will not only contain the "old puppetmaster" files, but also the new ones.

As for the ssl files, puppetserver has some heuristics to move the files itself on upgrade, see the "puppetserver migrate" command. Since the puppetserver CA files are quite sensitive and losing them can cause a serious outage, my preference would be to *not* touch these at all with the package maintscripts.

In general, I'm weary of dealing with this issue because the medicine might end up being worse than the disease (a few stray files). Maintainer's time is also scarce, and I'm also tempted to mention that the 5.5 -> 7 upgrade ship in Debian has sailed...

Thanks,

-- Jérôme


On 2024-08-27 at 09:50, Antoine Beaupre wrote:
Package: puppetserver
Version: 7.9.5-2
Severity: minor

This is a followup for #1078911 which was interpreted as only an
emergency fix to cleanup large report directories.

But it seems to me there's more work to be done here: in that bug
report, I described a situation where I had lots of old reports lying
around from the old puppetmaster in /var/lib/puppet. I have also just
realized I have "facts" from the previous puppetmaster here:

anarcat@marcos:~$ sudo ls -al /var/lib/puppet/yaml/facts
total 164
drwxr-xr-x 2 puppet puppet  4096  4 avr  2023 .
drwxr-x--- 3 puppet puppet  4096 22 jun  2020 ..
-rw-rw---- 1 puppet puppet 19614 25 jan  2023 angela.anarc.at.yaml
-rw-rw---- 1 puppet puppet 15192 25 jan  2023 curie.anarc.at.yaml
-rw-rw---- 1 puppet puppet 13463 21 aoû  2020 emma.anarc.at.yaml
-rw-rw---- 1 puppet puppet 14625 25 jan  2023 louise.anarc.at.yaml
-rw-rw---- 1 puppet puppet 54690 25 jan  2023 marcos.anarc.at.yaml
-rw-rw---- 1 puppet puppet 24955 25 jan  2023 tubman.anarc.at.yaml

I'm not sure how to tell the "client" from the "server" stuff apart, so
this is a bit tricky. But I even found an old CA in there... Perhaps we
could move over or delete the files owned by "puppet" in there?

anarcat@marcos:~$ sudo find /var/lib/puppet -user puppet -type d
/var/lib/puppet
/var/lib/puppet/bucket
/var/lib/puppet/ssl
/var/lib/puppet/ssl/private_keys
/var/lib/puppet/ssl/certificate_requests
/var/lib/puppet/ssl/public_keys
/var/lib/puppet/ssl/private
/var/lib/puppet/ssl/certs
/var/lib/puppet/ssh_keys
/var/lib/puppet/ssh_keys/curie.anarc.at
/var/lib/puppet/ssh_keys/emma.anarc.at
/var/lib/puppet/ssh_keys/angela.anarc.at
/var/lib/puppet/preview
/var/lib/puppet/yaml
/var/lib/puppet/yaml/facts
/var/lib/puppet/server_data

Not sure how to untangle this, but we should at least have an upgrade
procedure for this.

-- System Information:
Debian Release: 12.6
   APT prefers stable-security
   APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (1, 'unstable'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-23-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages puppetserver depends on:
ii  default-jre-headless                         2:1.17-74
ii  facter                                       4.3.0-2
ii  hiera                                        3.10.0-1
ii  jruby                                        9.3.9.0+ds-8
ii  libclj-time-clojure                          0.15.2-2
ii  libclj-yaml-clojure                          0.7.2-1
ii  libclojure-java                              1.11.1-2
ii  libcomidi-clojure                            0.3.2-2
ii  libcommons-exec-java                         1.3-2
ii  libcommons-io-java                           2.11.0-2
ii  libcommons-lang-java                         2.6-10
ii  libdropwizard-metrics-java                   3.2.6-1
ii  libdujour-version-check-clojure              0.2.3-1
ii  libjruby-utils-clojure                       4.0.3-4
ii  libkitchensink-clojure                       3.2.1-1
ii  libliberator-clojure                         0.15.3-1
ii  libprismatic-schema-clojure                  1.2.0-4
ii  libpuppetlabs-http-client-clojure            2.1.1-1
ii  libpuppetlabs-i18n-clojure                   0.9.2-2
ii  libpuppetlabs-ring-middleware-clojure        1.3.1-3
ii  libraynes-fs-clojure                         1.5.2-1
ii  libsemver-clojure                            0.3.0-2
ii  libshell-utils-clojure                       1.0.2-3
ii  libslingshot-clojure                         0.12.2-3
ii  libssl-utils-clojure                         3.5.0-2
ii  libtrapperkeeper-authorization-clojure       1.0.0-4
ii  libtrapperkeeper-clojure                     3.2.0-4
ii  libtrapperkeeper-comidi-metrics-clojure      0.1.2-2
ii  libtrapperkeeper-filesystem-watcher-clojure  1.2.2-3
ii  libtrapperkeeper-metrics-clojure             1.5.0-5
ii  libtrapperkeeper-scheduler-clojure           1.1.3-7
ii  libtrapperkeeper-status-clojure              1.1.1-4
ii  libtrapperkeeper-webserver-jetty9-clojure    4.4.1-5
ii  libyaml-snake-java                           1.33-2
ii  puppet-agent                                 7.23.0-1
ii  ruby                                         1:3.1
ii  ruby-deep-merge                              1.1.1-2
ii  ruby-fast-gettext                            2.0.3-2
ii  ruby-gettext                                 3.3.3-2
ii  ruby-hocon                                   1.3.1-2
ii  ruby-locale                                  2.1.3-1
ii  ruby-puppet-resource-api                     1.8.16-2
ii  ruby-puppetserver-ca-cli                     2.4.0-4
ii  ruby-semantic-puppet                         1.0.4-1
ii  ruby-text                                    1.3.1-1

Versions of packages puppetserver recommends:
ii  puppet-module-puppetlabs-augeas-core   1.1.2-1
ii  puppet-module-puppetlabs-cron-core     1.1.0+dfsg1-1
pn  puppet-module-puppetlabs-host-core     <none>
pn  puppet-module-puppetlabs-mount-core    <none>
pn  puppet-module-puppetlabs-selinux-core  <none>
ii  puppet-module-puppetlabs-sshkeys-core  2.3.0-1

puppetserver suggests no packages.

-- Configuration Files:
/etc/puppet/puppetserver/conf.d/auth.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/auth.conf'
/etc/puppet/puppetserver/conf.d/ca.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/ca.conf'
/etc/puppet/puppetserver/conf.d/global.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/global.conf'
/etc/puppet/puppetserver/conf.d/metrics.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/metrics.conf'
/etc/puppet/puppetserver/conf.d/puppetserver.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/puppetserver.conf'
/etc/puppet/puppetserver/conf.d/web-routes.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/web-routes.conf'
/etc/puppet/puppetserver/conf.d/webserver.conf [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/conf.d/webserver.conf'
/etc/puppet/puppetserver/logback.xml [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/logback.xml'
/etc/puppet/puppetserver/request-logging.xml [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/request-logging.xml'
/etc/puppet/puppetserver/services.d/bootstrap.cfg [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/services.d/bootstrap.cfg'
/etc/puppet/puppetserver/services.d/ca.cfg [Errno 13] Permission non accordée: '/etc/puppet/puppetserver/services.d/ca.cfg'

-- no debconf information
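
Added example, not part of the thread or of the puppetserver package: a read-only audit in the spirit of both messages, showing which sections of a puppet.conf still set "vardir" and listing long-untouched files under that directory, with key material under ssl/ and ssh_keys/ tagged for review rather than cleanup. The function names, the tags and the sample tree (including the /var/lib/puppetserver value) are constructed for illustration.

```shell
#!/bin/sh
# Read-only audit: nothing here moves or deletes files under the vardir.

# Print each vardir setting in a puppet.conf-style file as "section<TAB>value".
conf_vardir() {
    awk '
        /^[ \t]*\[/ { s = $0; gsub(/[^A-Za-z0-9_]/, "", s); section = s; next }
        /^[ \t]*vardir[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            printf "%s\t%s\n", section, v
        }' "$1"
}

# List files under DIR owned by OWNER and unmodified for more than DAYS days.
# Key material is tagged KEEP-REVIEW so it is never treated as a cleanup candidate.
audit_vardir() {
    dir=$1 owner=$2 days=$3
    find "$dir" -user "$owner" -type f -mtime +"$days" | sort |
    while IFS= read -r path; do
        case ${path#"$dir"/} in
            ssl/*|ssh_keys/*) printf 'KEEP-REVIEW\t%s\n' "$path" ;;
            yaml/facts/*)     printf 'FACTS-CACHE\t%s\n' "$path" ;;
            *)                printf 'OTHER\t%s\n' "$path" ;;
        esac
    done
}

# Constructed sample (not from a real host): a puppet.conf and a small vardir tree.
make_sample() {
    t=$(mktemp -d)
    printf '[main]\nvardir = /var/lib/puppet\n[server]\nvardir=/var/lib/puppetserver \n' \
        > "$t/puppet.conf"
    mkdir -p "$t/var/ssl/private_keys" "$t/var/yaml/facts" "$t/var/server_data"
    for f in ssl/private_keys/old-ca.pem yaml/facts/emma.example.yaml server_data/new.json; do
        : > "$t/var/$f"
    done
    # Backdate two files so they count as stale; new.json keeps the current time.
    touch -t 202008210000 "$t/var/ssl/private_keys/old-ca.pem" \
        "$t/var/yaml/facts/emma.example.yaml"
    echo "$t"
}

s=$(make_sample)
conf_vardir "$s/puppet.conf"
audit_vardir "$s/var" "$(id -u)" 365
rm -rf "$s"
```

On a real host the arguments would be the actual puppet.conf, the vardir it reports and the puppet user; the output is a list to review by hand, which leaves the CA files alone as the reply above prefers.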
