Setup of a new CAcert LXC container with Puppet agent

Todo

Update the LXC setup documentation. lxc-setup might not work with LXC 3.0, which has been used on Infra02 since 2019-07-13.

Preparation

Network considerations

  • Decide on a hostname for the container. The hostname should be short and correspond to the functionality provided by the container.

  • Define an IPv4 address from the 213.154.225.224/27 subnet if the container must be reachable from the outside via IPv4. A container that only provides HTTP or HTTPS services does not need a dedicated public address, because virtual hosting and SNI can be used via Proxyin.

  • Define an IPv6 address in the 2001:7b8:616:162:2::/80 subnet. There is no reason not to use IPv6 for new services.

  • Define an IPv4 address in the 172.16.2.0/24 subnet if the container must be reachable from CAcert machines other than Infra02 or from other Non-Critical Systems.

  • Define an IPv4 address in the 10.0.0.0/24 subnet. Containers that are only used by other containers need no IP address other than this one.

Note

Please use the same last octet for all IP addresses of a container if possible

Storage considerations

  • Define the size of the LVM volume for the root filesystem. Be conservative, volume size can be increased on demand.

OS considerations

  • Define the OS userland version for the container. Use the latest Debian stable release if there are no good reasons not to.

Setup

  • Define the machine parameters for the container in lxc-setup.ini

  • Run lxc-setup (it uses lxc-create/debootstrap and makes sure that systemd-sysv is not set up in the container)

  • Define firewall rules in a separate file in /etc/ferm/ferm.d/ on Infra02.
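As an added example of such a rule file (not taken from the CAcert repositories), the fragment below admits only the traffic the container is meant to serve and leaves everything else to the existing policy. The file name, the container and proxy addresses, the bridge interface name and the assumption that the FORWARD chain already has a DROP default are all assumptions of this example:

```ferm
# /etc/ferm/ferm.d/example.conf  (added example, not from the CAcert
# repositories; file name, addresses, proxy address and bridge interface
# name are assumptions)
@def $CT_V4    = 172.16.2.42;               # same last octet on every subnet
@def $CT_V6    = 2001:7b8:616:162:2::42;
@def $PROXY_V4 = 172.16.2.1;                # assumed address of the Proxyin container
@def $LXC_IF   = lxcbr0;                    # assumed name of the container bridge
@def $WEB_PORTS = (80 443);

domain ip {
    table filter {
        chain FORWARD {
            # Only the reverse proxy may open connections to the web ports.
            # Everything else towards this container is left to the existing
            # default policy of the chain (assumed to be DROP).
            outerface $LXC_IF daddr $CT_V4 saddr $PROXY_V4
                proto tcp dport $WEB_PORTS ACCEPT;
        }
    }
}

domain ip6 {
    table filter {
        chain FORWARD {
            # The container is reachable directly over IPv6 (no proxy in
            # between), so the web ports are opened to the world here.
            outerface $LXC_IF daddr $CT_V6 proto tcp dport $WEB_PORTS ACCEPT;
        }
    }
}
```

Keeping one file per container makes it obvious, when the container is retired, which rules have to go with it; reload with the usual ferm mechanism on Infra02 after adding the file.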

Setup puppet-agent

  • Define the Puppet configuration for the new container in Hiera / sitemodules in the cacert-puppet repository on Git

  • See Puppet agent installation for agent setup (install the agent from the official Puppet repositories)

  • Make sure that DNS resolution is performed by Infra02. /etc/resolv.conf should contain the following lines:

    search infra.cacert.org intra.cacert.org
    nameserver 10.0.0.1
    
  • Set the certname in /etc/puppetlabs/puppet/puppet.conf to match the name of the file in hieradata/nodes/ for the system:

    [main]
    certname = <system>
    
  • Run:

    root@system:  puppet agent --test --noop
    

    to generate a key pair and a certificate signing request for the system and send the request to the puppet master. Note the request fingerprint (SHA256) that the agent prints.

  • Compare that fingerprint with the one of the pending request shown by puppet cert list on the puppet master, and only if they match sign the system certificate using:

    root@puppet:  puppet cert sign <system>
    
    On Puppet 6 and later the puppet cert subcommand no longer exists; use puppetserver ca list and puppetserver ca sign --certname <system> instead.
    
  • Run:

    root@system:  puppet agent --test --noop
    

    on the system to see whether the catalog for the machine compiles and what it would change

  • Apply the catalog with:

    root@system:  puppet agent --test
    
  • Start the puppet agent using:

    root@system:  /etc/init.d/puppet start
    
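The following shell functions, added here as an example and not part of the CAcert lxc-setup tooling, carry out the resolver and certname steps above and perform the checks a practitioner wants before the first agent run and before signing: that DNS really goes through 10.0.0.1, that the certname matches the node file in the checked-out cacert-puppet repository, and that the fingerprint printed by the agent equals the one of the request pending on the master. The root-directory parameter, the .yaml suffix of the node files and the sample puppet output lines are assumptions of this example; the sample lines are constructed, not captured from a CAcert system.

```shell
#!/bin/sh
# Added example (not CAcert tooling): prepare and check the puppet-agent
# configuration of a new container. ROOT is an assumed parameter so the
# functions can be exercised against a scratch directory; on the container
# itself it is "/".
set -eu

# Point all DNS lookups of the container at Infra02.
write_resolv_conf() {
    root=$1
    mkdir -p "$root/etc"
    cat > "$root/etc/resolv.conf" <<'EOF'
search infra.cacert.org intra.cacert.org
nameserver 10.0.0.1
EOF
}

# Set certname in the [main] section of puppet.conf: an existing certname
# line is replaced in place, otherwise the line is inserted after [main],
# and the section is created if the file has none.
set_certname() {
    root=$1
    certname=$2
    conf="$root/etc/puppetlabs/puppet/puppet.conf"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    awk -v cn="$certname" '
        /^[ \t]*certname[ \t]*=/ { if (!done) { print "certname = " cn; done = 1 }; next }
        { print }
        /^\[main\]/ && !seen_main { seen_main = 1; if (!done) { print "certname = " cn; done = 1 } }
        END { if (!done) { print "[main]"; print "certname = " cn } }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Checks before the first "puppet agent --test --noop": resolver via
# Infra02, certname set as expected, and a node file for it in the
# cacert-puppet checkout (hieradata/nodes/<certname>.yaml; the suffix is an
# assumption of this example).
preflight() {
    root=$1
    certname=$2
    repo=$3
    grep -qx 'nameserver 10.0.0.1' "$root/etc/resolv.conf" \
        || { echo "resolv.conf does not use 10.0.0.1" >&2; return 1; }
    conf="$root/etc/puppetlabs/puppet/puppet.conf"
    actual=$(sed -n 's/^[[:space:]]*certname[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ "$actual" = "$certname" ] \
        || { echo "certname is '$actual', expected '$certname'" >&2; return 1; }
    [ -f "$repo/hieradata/nodes/$certname.yaml" ] \
        || { echo "no hieradata/nodes/$certname.yaml in $repo" >&2; return 1; }
    return 0
}

# Pull the SHA256 fingerprint (32 colon-separated hex pairs) out of a line of
# "puppet agent" output or of "puppet cert list" output.
fingerprint_of() {
    printf '%s\n' "$1" | grep -o '\([0-9A-F]\{2\}:\)\{31\}[0-9A-F]\{2\}' | head -n 1
}

# Succeeds only if both lines carry the same, non-empty fingerprint: the
# request pending on the master is the one this container generated.
csr_matches() {
    a=$(fingerprint_of "$1")
    b=$(fingerprint_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample lines (not captured from a real system), in the shape
# "puppet agent" and "puppet cert list" print them.
AGENT_LINE='Info: Certificate Request fingerprint (SHA256): 0F:3A:7C:11:B2:E9:4D:58:A6:C0:2E:9B:77:D1:63:0C:F4:8A:19:5E:B7:22:CD:40:6F:E3:91:A8:5B:1C:D6:74'
MASTER_LINE='  "example" (SHA256) 0F:3A:7C:11:B2:E9:4D:58:A6:C0:2E:9B:77:D1:63:0C:F4:8A:19:5E:B7:22:CD:40:6F:E3:91:A8:5B:1C:D6:74'
OTHER_LINE='  "example" (SHA256) 0F:3A:7C:11:B2:E9:4D:58:A6:C0:2E:9B:77:D1:63:0C:F4:8A:19:5E:B7:22:CD:40:6F:E3:91:A8:5B:1C:D6:75'

# Usage on the container (ROOT "/"), with the repository checked out somewhere:
#   write_resolv_conf /; set_certname / example; preflight / example /srv/cacert-puppet
#   csr_matches "$line_from_agent" "$line_from_master" && echo "safe to sign"
```

Running preflight before the first agent run catches the two mistakes that otherwise surface only as confusing catalog errors: a certname that does not match any node file, and a resolver that does not go through Infra02. The fingerprint comparison is the step that prevents signing a request that was submitted by a machine other than the one just built.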

Post-Setup task