| Version 6 (modified by , 8 years ago) ( diff ) | 
|---|
Jessie Stretch Upgrade Page
Good bye syslog
With stretch, syslog has been purged. That means all services and programs that depend on it have been modified (fail2ban, many of the mf-scripts, etc).
Root gpg key and monkeysphere
All of our servers can easily ssh between themselves through the monkeysphere. For the monkeysphere to work, the root user on each machine has to maintain an ssh-agent.
Prior to stretch, we could not load a monkeysphere key into ssh-agent that didn't have a password (so we set the password to 'monkeys' for all keys). With stretch, you can't load a key into ssh-agent in an automated way that has a password. Sigh. Also, you cannot automate the change of a gpg key password.
As a result: upon upgrading sites to stretch, you must manually remove the password for the root user's gpg key:
gpg --change-passphrase root@$(hostname).mayfirst.org
The current password is: monkeys
If you don't, you will get this warning when you run puppet:
remote: Error: gpg --pinentry-mode loopback --passphrase '' --export-secret-keys --armour 1>/dev/null 2>/dev/null returned 2 instead of one of [0] remote: Error: /Stage[main]/Mayfirst::M_minimal/M_gpg::Private_key[root]/Exec[admin:please-manually-change-passphrase-from-monkeys-to-empty-for-root-user-on-this-host]/returns: change from notrun to 0 failed: gpg --pinentry-mode loopback --passphrase '' --export-secret-keys --armour 1>/dev/null 2>/dev/null returned 2 instead of one of [0]
Predictable Network Interfaces Names
With Stretch, network interfaces get predictable interface names.
To keep our tried and true eth0, puppet will start adding a udev rule for stretch machines. (You would think systemd-network would allow us to simply add a .link file to /etc/systemd/network - but alas this doesn't seem to work without also adding a udev rule - so why bother with the .link file?.)
IMPORTANT: This udev rule is added automatically and should work fine for most non-physical servers (it takes the mac address from puppet's factor and names it eth0), but physical servers, servers running docker or any server with unusual network devices need a change to their .pp file or their networking will get screwed up since facter has no idea which mac address should be used for the real network device. For these cases change:
class { "mayfirst::m_interface": }
To:
class { "mayfirst::m_interface": 
  mac => "03:AB:blah blah mac address"
}
If you want to add additional network devices, you need to make the above change for the eth0 device and then add define statements:
mayfirst::m_interface::name { "03:AB:blah blah mac address":
  iface_name => "eth1"
}

