[cacert-infradocs.git] / docs / lxcsetup.rst
=====================================================
Setup of a new CAcert LXC container with Puppet agent
=====================================================

Preparation
===========

Network considerations
----------------------

- Decide on a hostname for the container. The hostname should be short and
  correspond to the functionality provided by the container.
- Define an IPv4 address from the :ip:v4range:`213.154.225.224/27` subnet if
  the container should be reachable from the outside via IPv4. A container
  that only provides HTTP or HTTPS services does not need a dedicated public
  address, because name-based virtual hosting and SNI let
  :doc:`systems/proxyin` forward requests to it.
- Define an IPv6 address in the :ip:v6range:`2001:7b8:616:162:2::/80` subnet.
  There is no reason not to use IPv6 for new services.
- Define an IPv4 address in the :ip:v4range:`172.16.2.0/24` subnet if the
  container should be reachable from CAcert machines other than
  :doc:`systems/infra02` (see :doc:`systems`).
- Define an IPv4 address in the :ip:v4range:`10.0.0.0/24` subnet. Containers
  that are only used by other containers do not need any other IP address
  than this one.

.. note::

   Please use the same last octet for all IP addresses of a container if
   possible.

Storage considerations
----------------------

- Define the size of the LVM volume for the root filesystem. Be conservative;
  the volume size can be increased on demand.

OS considerations
-----------------

- Define the OS userland version for the container. Use the latest Debian
  stable release if there are no good reasons not to.

Setup
=====

- Define the machine parameters for the container in :file:`lxc-setup.ini`.
- Run :command:`lxc-setup` (it wraps lxc-create/debootstrap and makes sure
  that systemd-sysv is not installed in the container).
- Define firewall rules in a separate file in :file:`/etc/ferm/ferm.d/` on
  :doc:`systems/infra02`.

Setup puppet-agent
------------------

- define the puppet configuration for the new container in Hiera / sitemodules
  in the `cacert-puppet Repository`_ on :doc:`systems/git`
- see `Puppet agent installation`_ for agent setup (install the agent from
  the official Puppet repositories)
- define the puppet master IP address in :file:`/etc/hosts`:

  .. code-block:: text

     10.0.0.200 puppet

- set the certname in :file:`/etc/puppetlabs/puppet/puppet.conf` to match
  the name of the file in :file:`hieradata/nodes/` for the system:

  .. code-block:: ini

     [main]
     certname = <system>

- run:

  .. code-block:: sh

     root@system: puppet agent --test --noop

  to generate the system's key pair and send a certificate signing request to
  the :doc:`puppet master <systems/puppet>`. This first run exits with an
  error about the missing certificate; that is expected until the request has
  been signed.
- check that the pending request really comes from the new system: compare
  the fingerprint shown by ``puppet cert list`` on the
  :doc:`puppet master <systems/puppet>` with the output of
  ``puppet agent --fingerprint`` on the system, and sign only if they match
- sign the system certificate on the :doc:`puppet master <systems/puppet>`
  using:

  .. code-block:: sh

     root@puppet: puppet cert sign <system>

  (Puppet 6 and later removed ``puppet cert``; there the equivalent commands
  are ``puppetserver ca list`` and ``puppetserver ca sign --certname <system>``)
- run:

  .. code-block:: sh

     root@system: puppet agent --test --noop

  on the system to see whether the catalog for the machine compiles and what it
  would change
- apply the catalog with:

  .. code-block:: sh

     root@system: puppet agent --test

- start the puppet agent using:

  .. code-block:: sh

     root@system: /etc/init.d/puppet start

.. _Puppet agent installation: https://puppet.com/docs/puppet/5.4/install_linux.html
.. _cacert-puppet Repository: https://git.cacert.org/gitweb/?p=cacert-puppet.git
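
The agent bootstrap described above, from the :file:`/etc/hosts` entry to the
fingerprint comparison before signing, as an added shell example. This is not
code from cacert-infradocs or from the cacert-puppet repository; it was written
for this page. It assumes, none of which the page states, that the location of
:file:`puppet.conf` can be overridden through a ``PUPPET_CONF`` variable, that
Hiera node files are named ``hieradata/nodes/<certname>.yaml`` in a local
checkout of cacert-puppet, and that the script is either sourced for its
functions or run on the new system as ``sh bootstrap.sh run <certname>
<checkout>``:

```shell
#!/bin/sh
# Added example for the "Setup puppet-agent" steps. Not code from
# cacert-infradocs or cacert-puppet. Assumptions (not from the page):
#   - PUPPET_CONF overrides the puppet.conf path (default below)
#   - Hiera node files live at <checkout>/hieradata/nodes/<certname>.yaml
#   - the puppet master is reachable as "puppet" via /etc/hosts
set -e

PUPPET_CONF="${PUPPET_CONF:-/etc/puppetlabs/puppet/puppet.conf}"

# Set "certname = <name>" in the [main] section of an ini-style puppet.conf.
# Idempotent: replaces an existing certname, adds one to an existing [main]
# section, or appends a [main] section when the file has none.
set_certname() {
    conf="$1"; name="$2"
    tmp="$conf.tmp.$$"
    awk -v name="$name" '
        /^[ \t]*\[/ {
            if (in_main && !done) { print "certname = " name; done = 1 }
            in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/)
        }
        in_main && /^[ \t]*certname[ \t]*=/ {
            if (!done) { print "certname = " name; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_main) print "[main]"
                print "certname = " name
            }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the certname configured in [main], or nothing if there is none.
get_certname() {
    awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/) }
        in_main && /^[ \t]*certname[ \t]*=/ {
            sub(/^[ \t]*certname[ \t]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# True if the certname has a matching Hiera node file in the checkout
# (the .yaml suffix is an assumption of this example).
hiera_node_exists() {
    [ -f "$1/hieradata/nodes/$2.yaml" ]
}

# Reduce a fingerprint as printed by `puppet agent --fingerprint` on the
# system ("(SHA256) AB:CD:...") or by `puppet cert list` on the master
# ('  "system" (SHA256) AB:CD:...') to bare upper-case hex.
norm_fp() {
    printf '%s\n' "$1" \
        | sed 's/^.*(SHA[0-9]*)[[:space:]]*//' \
        | tr -d ':' | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Sign only when the CSR seen on the master is the one the new system made.
# An empty fingerprint never matches, so a copy-and-paste slip cannot pass.
fingerprints_match() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The steps run on the new system up to the point where the master operator
# has to sign. Only executed when invoked as: sh bootstrap.sh run <name> <dir>
bootstrap_agent() {
    name="$1"; checkout="$2"
    hiera_node_exists "$checkout" "$name" \
        || { echo "no hieradata/nodes/$name.yaml in $checkout" >&2; return 1; }
    grep -q '[[:space:]]puppet$' /etc/hosts \
        || printf '10.0.0.200 puppet\n' >> /etc/hosts
    set_certname "$PUPPET_CONF" "$name"
    # First run only creates the key and CSR; it fails until the CSR is signed.
    puppet agent --test --noop || true
    echo "compare this with 'puppet cert list' on the master before signing:"
    puppet agent --fingerprint
}

case "${1:-}" in
    run) bootstrap_agent "$2" "$3" ;;
esac
```

The ``set_certname`` edit is idempotent, so re-running the script after a
failed agent run does not duplicate the setting, and ``fingerprints_match``
refuses an empty value so that a mangled copy of the fingerprint cannot be
mistaken for a match. The ``puppet cert sign`` step itself is deliberately left
to the operator on the master, after the comparison.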

Post-setup tasks
================

- Document the new container in a file of the :file:`docs/systems` directory of
  the `Infrastructure documentation
  <https://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=tree;f=docs/systems>`_.
- Set up the machine-admin alias on :doc:`systems/email`.