Add web and webstatic to Puppet
=====================================================
Setup of a new CAcert LXC container with Puppet agent
=====================================================

Preparation
===========

Network considerations
----------------------

- Decide on a hostname for the container. The hostname should be short and
  correspond to the functionality provided by the container.
- Define an IPv4 address from the :ip:v4range:`213.154.225.224/27` subnet if
  the container should be reachable from the outside via IPv4. If the container
  provides HTTP or HTTPS services you will not need a dedicated IP address
  because virtual hosting and SNI can be used via :doc:`systems/proxyin`.
- Define an IPv6 address in the :ip:v6range:`2001:7b8:616:162:2::/80` subnet.
  There is no reason not to use IPv6 for new services.
- Define an IPv4 address in the :ip:v4range:`172.16.2.0/24` subnet if the
  container should be reachable from CAcert machines other than
  :doc:`systems/infra02` or from other :doc:`systems`.
- Define an IPv4 address in the :ip:v4range:`10.0.0.0/24` subnet. Containers
  that are only used by other containers do not need any other IP addresses
  than this one.

.. note::

   Please use the same last octet for all IP addresses of a container if
   possible.

Storage considerations
----------------------

- Define the size of the LVM volume for the root filesystem. Be conservative,
  the volume size can be increased on demand.

OS considerations
-----------------

- Define the OS userland version for the container. Use the latest Debian
  stable release if there are no good reasons not to.

Setup
=====

- Define the machine parameters for the container in :file:`lxc-setup.ini`.
- Run :command:`lxc-setup` (uses lxc-create/debootstrap and makes sure that
  systemd-sysv is not set up in the containers).
- Define firewall rules in a separate file in :file:`/etc/ferm/ferm.d/` on
  :doc:`systems/infra02`.
51
Setup puppet-agent
------------------

- define puppet configuration for the new container in Hiera / sitemodules in
  the `cacert-puppet Repository`_ on :doc:`systems/git`
- see `Puppet agent installation`_ for agent setup (install the agent from
  official Puppet repositories)
- make sure that DNS resolution is performed by :doc:`systems/infra02`. The
  :file:`/etc/resolv.conf` should contain the following lines:

  .. code-block:: text

     search infra.cacert.org intra.cacert.org
     nameserver 10.0.0.1

- set the certname in :file:`/etc/puppetlabs/puppet/puppet.conf` to match
  the name of the file in :file:`hieradata/nodes/` for the system:

  .. code-block:: ini

     [main]
     certname = <system>

- run:

  .. code-block:: sh

     root@system: puppet agent --test --noop

  to create a new certificate for the system and send a signing request to the
  :doc:`puppet master <systems/puppet>`
- sign the system certificate on the :doc:`puppet master <systems/puppet>`
  using:

  .. code-block:: sh

     root@puppet: puppet cert sign <system>

- run:

  .. code-block:: sh

     root@system: puppet agent --test --noop

  on the system to see whether the catalog for the machine compiles and what it
  would change
- apply the catalog with:

  .. code-block:: sh

     root@system: puppet agent --test

- start the puppet agent using:

  .. code-block:: sh

     root@system: /etc/init.d/puppet start

.. _Puppet agent installation: https://puppet.com/docs/puppet/5.4/install_linux.html
.. _cacert-puppet Repository: https://git.cacert.org/gitweb/?p=cacert-puppet.git
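A pre-flight check for the puppet-agent steps above, added here as an example and not part of the cacert-infradocs or cacert-puppet repositories: it verifies that the container's resolv.conf sends DNS to infra02 and that the certname in puppet.conf names an existing file in ``hieradata/nodes/`` before the first ``puppet agent --test --noop`` is run, since a mismatch there makes the signing request and the node's Hiera data disagree. The ``.yaml`` extension of the node files, the sample certname ``webstatic`` and the sample files written to a temporary directory are assumptions.

```shell
#!/bin/sh
# Pre-flight check before the first "puppet agent --test --noop" (added example,
# not part of cacert-infradocs). The .yaml node file extension is an assumption.

# check_resolv_conf FILE -> 0 if FILE holds exactly the lines the setup requires
check_resolv_conf() {
    grep -qx 'search infra.cacert.org intra.cacert.org' "$1" || {
        echo "resolv.conf: search list is wrong" >&2; return 1; }
    grep -qx 'nameserver 10.0.0.1' "$1" || {
        echo "resolv.conf: nameserver is not infra02 (10.0.0.1)" >&2; return 1; }
    # any other nameserver would let lookups bypass infra02
    if grep '^nameserver' "$1" | grep -qv ' 10\.0\.0\.1$'; then
        echo "resolv.conf: unexpected additional nameserver" >&2; return 1
    fi
}

# puppet_certname FILE -> prints the certname from the [main] section of puppet.conf
puppet_certname() {
    sed -n '/^\[main\]/,/^\[/{s/^[[:space:]]*certname[[:space:]]*=[[:space:]]*//p;}' "$1"
}

# check_certname PUPPETCONF NODESDIR -> 0 if NODESDIR/<certname>.yaml exists
check_certname() {
    name=$(puppet_certname "$1")
    [ -n "$name" ] || { echo "puppet.conf: no certname in [main]" >&2; return 1; }
    [ -f "$2/$name.yaml" ] || {
        echo "hieradata/nodes/$name.yaml missing: certname and node file must match" >&2
        return 1; }
}

# preflight RESOLV PUPPETCONF NODESDIR -> 0 only if every check passes
preflight() {
    check_resolv_conf "$1" && check_certname "$2" "$3"
}

# Constructed sample files standing in for a fresh container (not real CAcert data).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/nodes"
printf 'search infra.cacert.org intra.cacert.org\nnameserver 10.0.0.1\n' > "$demo_dir/resolv.conf"
printf '[main]\ncertname = webstatic\n\n[agent]\nserver = puppet\n' > "$demo_dir/puppet.conf"
: > "$demo_dir/nodes/webstatic.yaml"
printf 'nameserver 8.8.8.8\n' > "$demo_dir/resolv-bad.conf"

# On a real container pass /etc/resolv.conf, /etc/puppetlabs/puppet/puppet.conf
# and the hieradata/nodes directory of the cacert-puppet checkout instead.
if preflight "$demo_dir/resolv.conf" "$demo_dir/puppet.conf" "$demo_dir/nodes"; then
    echo "pre-flight OK: ready for 'puppet agent --test --noop'"
fi
```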
112
Post-setup tasks
================

- Document the new container in a file in the :file:`docs/systems` directory of
  the `Infrastructure documentation
  <https://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=tree;f=docs/systems>`_.
- Set up a machine-admin alias on :doc:`systems/email`.