Setup of a new CAcert LXC container with Puppet agent¶
Todo
Update the LXC setup documentation. lxc-setup might not work with LXC 3.0, which has been used on Infra02 since 2019-07-13.
Preparation¶
Network considerations¶
Decide on a hostname for the container. The hostname should be short and correspond to the functionality provided by the container.
- Define an IPv4 address from the 213.154.225.224/27 subnet if the container should be reachable from the outside via IPv4. If the container provides HTTP or HTTPS services you will not need a dedicated IP address, because virtual hosting and SNI can be used via Proxyin.
- Define an IPv6 address in the 2001:7b8:616:162:2::/80 subnet. There is no reason not to use IPv6 for new services.
- Define an IPv4 address in the 172.16.2.0/24 subnet if the container should be reachable from CAcert machines other than Infra02 and the other Non-Critical Systems.
- Define an IPv4 address in the 10.0.0.0/24 subnet. Containers that are only used by other containers do not need any other IP addresses than this one.
Note
Please use the same last octet for all IP addresses of a container if possible.
Storage considerations¶
Define the size of the LVM volume for the root filesystem. Be conservative, volume size can be increased on demand.
OS considerations¶
Define the OS userland version for the container. Use the latest Debian stable release if there are no good reasons not to.
Setup¶
sudo env http_proxy=http://proxyout:3128 https_proxy=http://proxyout:3128 \
lxc-create --name=<container> --template=debian \
--bdev=lvm --vgname=<host> --thinpool=containerpool \
--lvname=container_<container> --fssize=15G \
--logfile=/root/lxccreate_<container>.log --logpriority=INFO \
-- \
--release=bullseye \
--packages=bc,curl,passwd,psmisc,python3,python3-apt,sudo,tmux,vim,whiptail,xz-utils,zsh
sudo lxc-exec <container> apt autoremove --purge isc-dhcp-client
Setup puppet-agent¶
- Define the puppet configuration for the new container in Hiera / sitemodules in the CAcert Git repository cacert-puppet on Git.
- See Puppet agent installation for agent setup (install the agent from the official Puppet repositories).
- Make sure that DNS resolution is performed by Infra02. The file /etc/resolv.conf should contain the following lines:
      search infra.cacert.org intra.cacert.org
      nameserver 10.0.0.1
- Set the certname in /etc/puppetlabs/puppet/puppet.conf to match the name of the file in hieradata/nodes/ for the system:
      [main]
      certname = <system>
- Run
      root@system: puppet agent --test --noop
  to create a new certificate for the system and send a signing request to the puppet master.
- Sign the system certificate on the puppet master using:
      root@puppet: puppet cert sign <system>
- Run
      root@system: puppet agent --test --noop
  on the system to see whether the catalog for the machine compiles and what it would change.
- Apply the catalog with:
      root@system: puppet agent --test
- Start the puppet agent using:
      root@system: /etc/init.d/puppet start
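A pre-flight check for the planning and configuration steps above, added here as an example that is not part of the CAcert documentation or the cacert-puppet repository: it validates a planned address set against the subnets and the last-octet note from Network considerations, checks the /etc/resolv.conf contents, and checks that the certname in puppet.conf matches a file in hieradata/nodes/. The ".yaml" suffix for node files and reading the "last octet" of an IPv6 address as its low 8 bits are assumptions.

```python
import configparser
import ipaddress

# Subnets and resolver settings exactly as given on this page.
SUBNETS = {
    "public_v4": ipaddress.ip_network("213.154.225.224/27"),
    "ipv6": ipaddress.ip_network("2001:7b8:616:162:2::/80"),
    "intra_v4": ipaddress.ip_network("172.16.2.0/24"),
    "container_v4": ipaddress.ip_network("10.0.0.0/24"),
}
RESOLV_EXPECTED = ("search infra.cacert.org intra.cacert.org", "nameserver 10.0.0.1")


def check_address_plan(plan):
    """Return a list of problems with a planned {role: address} set ([] if consistent).

    Every container needs a 10.0.0.0/24 address; the other roles are optional. The
    "same last octet" note is applied to the low 8 bits of each address, which is
    an assumption for IPv6 (the page does not say which part counts as the octet).
    """
    problems = []
    if "container_v4" not in plan:
        problems.append("no address from 10.0.0.0/24 (mandatory)")
    last_bytes = set()
    for role, text in plan.items():
        addr = ipaddress.ip_address(text)
        if addr not in SUBNETS[role]:  # also False for an IPv4/IPv6 version mismatch
            problems.append(f"{text} is not in {SUBNETS[role]} ({role})")
            continue
        last_bytes.add(int(addr) & 0xFF)
    if len(last_bytes) > 1:
        problems.append("addresses do not share the same last octet")
    return problems


def check_resolv_conf(text):
    """True when /etc/resolv.conf sends all resolution to Infra02 as required above."""
    lines = [line.strip() for line in text.splitlines()]
    lines = [line for line in lines if line and not line.startswith("#")]
    return all(expected in lines for expected in RESOLV_EXPECTED)


def check_certname(puppet_conf_text, node_files):
    """True when [main] certname names an existing hieradata/nodes/<certname>.yaml.

    node_files is the set of file names in hieradata/nodes/; the ".yaml" suffix is assumed."""
    cfg = configparser.ConfigParser()
    cfg.read_string(puppet_conf_text)
    certname = cfg.get("main", "certname", fallback=None)
    return certname is not None and f"{certname}.yaml" in node_files
```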
Post-Setup tasks¶
- Document the new container in a file of the docs/systems directory of the Infrastructure documentation repository.
- Set up the machine-admin alias on Email.