1.1.1.1   Overview¶

Pakrat <https://github.com/ryanuber/pakrat> is a Python-based tool for mirroring and versioning Yum repositories. In our investigation/setup we are running it with a wrapper script via CRON (originally this was weekly but we’ve moved to daily). Each time the wrapper script runs Pakrat syncs several repos and then uses createrepo to rebuild the Yum metadata for the repo. Apache is used to serve out the repos.

Each repo synced by Pakrat consists of:

• a top-level ‘Packages’ directory - stores RPMs
• sub-folders for each versioned snapshot - looks like a Yum repo and contains metadata for a given point in time
• a ‘latest’ symlink pointing to the most recent snapshot (we’re not using this symlink)

Each repo snapshot consists of a symlink to the top-level ‘Packages’ directory and a unique ‘repodata’ metadata sub-folder. The ‘repodata’ is created immediately after syncing on a given date and it only refers to RPMs that are available in ‘Packages’ at that the time. As long as ‘repodata’ is not recreated in a given snapshot folder machines using that repo will not be able to access additional RPMs added to ‘Packages’ in the intervening time.

Here’s a diagram of the structure of a repo:

• repobase/
  • 2017-07-10/
    • Packages -> ../Packages
    • repodata/
  • 2017-07-17/
    • Packages -> ../Packages
    • repodata/
  • ...
  • 2017-07-31/
    • Packages -> ../Packages
    • repodata/
  • latest -> 2017-07-31
  • Packages/

In our investigation/setup we point Yum clients to a specific snapshot so that they are in a consistent, repeatable state. We have the ability to point test clients to a newer snapshot. We have Pakrat set to sync monthly.

1.1.1.2   Storage baselining (~7/3/2017 - 9/20/2017; includes CentOS 7.3 & 7.4)¶

1.1.1.3   Storage baselining (~7/3/2017 - 7/8/2017)¶

1.1.1.4   Puppet Implementation¶

• modules:
  • ‘apache’, from Puppet Forge
  • ‘apache_config’, includes default config, firewall, and vhost
  • ‘pakrat’, includes base installation, wrapper, cron, and storage config
• profiles
  • ‘pakrat’, includes pakrat module
  • ‘yum_server’, includes elements of apache_config
• roles
  • ‘pakrat_yum_server’, uses profile::pakrat and profile::yum_server

1.1.1.5   Daily Ops¶

• Note: This should be fleshed out a little more in the near-term, as necessary. If we elect to stick with Pakrat long-term then we can expand it even more.
• When/how to run the Pakrat repo sync?
  • The Pakrat repo sync wrapper script is installed at /root/cron/pakrat.sh.
    • It depends on a pakrat.config file in the same directory.
  • The wrapper script is run daily by cron at 4:25pm.
  • The wrapper script can also be run manually.
  • Resiliency/details:
    • Repos will be given a pathname that ends with the Unix epoch timestamp so there should be no problem with running the script more than once per day.
    • The wrapper script will exit if it detects that it is already being run (just in case there are issues with Pakrat/Yum under the hood that would make simultaneous runs problematic).
• How to add additional repos for Pakrat to sync?
  • Recommended procedures:

    • Establish the client configuration for the repository on the

      Pakrat-Yum server.

    • XXXXXXXXX
  • NOTE: If/when we start dealing more with GPG keys we will need to update this procedure slightly. See also LSST-1031 <https://jira.ncsa.illinois.edu/browse/LSST-1031>.

1.1.1.6   Improvements - High Priority¶

• GPFS

  • overall:
    • size: Dan suggests ~50TB but look at baselining data from object-data06
      • synced daily for ~117 days leads to 50G of storage
    • location: Andy says just inside GPFS root for now; mkdir -p pakrat/production (just in case)
    • refactor Puppet code (apache_config) and Pakrat scripts to look for this location
    • implement GPFS code in Puppet to make sure it is mounted
  • add error checking into Pakrat script to handle case where GPFS is not available
  • after further consideration, probably best to back up to GPFS but still store on disk (what happens if GPFS is broken and our goal is to push out a patch...?)

• create more verbose timestamp via wrapper so that we can run Pakrat multiple times a day if necessary

  • ran it twice in one day once (into the same snapshot) and encountered the errors described below for the elasticsearch-1.7 and influxdb repos
    • initially thought they were related to running Pakrat twice into the same output repo path but they are persisting on the regularly weekly runs and after adding the Unix epoch timestamp to the repo paths

• fix the following issue: packages with unexpected filenames do not appear in local Pakrat-generated metadata:

  • the particularly metadata issue we are concerned about is as follows and (so far) only affects the elasticsearch-1.7 and influxdb repos:

    • results in errors in Pakrat output such as this:
      • Cannot read file: /repos/centos/7/x86_64/influxdb/2017-08-14/Packages/chronograf-1.3.0-1.x86_64.rpm

  • • these errors correspond to the following scenario:

      • as listed in the *primary.xml metadata from the SOURCE repository

      • version/release info in ‘href’ parameter of ‘location’ key does not match various versions shown in ‘rpm-sourcerpm’ key:

        • rpm:sourcerpm <http://rpmsourcerpm> (hard to imagine this is relevant)
        • rpm:provides <http://rpmprovides> - rpm:entry <http://rpmentry> (e.g., rel=)

      • more specifically, the rpm name does NOT have a release segment in it

      • e.g., ‘elasticsearch-1.7.0.noarch.rpm’ is the RPM and it does not have a release in it’s name (e.g., *1.7.0-1.noarch.rpm) but SOURCE metadata indicates it is release -1:

        • <rpm:sourcerpm <http://rpmsourcerpm>>elasticsearch-1.7.0-1.src.rpm</rpm:sourcerpm <http://rpmsourcerpm>>

          <rpm:header-range <http://rpmheader-range> start=”880” end=”19168”/>

          <rpm:provides <http://rpmprovides>>

          <rpm:entry <http://rpmentry> name=”elasticsearch” flags=”EQ” epoch=”0” ver=”1.7.0”rel=”1”/>

          <rpm:entry <http://rpmentry> name=”config(elasticsearch)” flags=”EQ” epoch=”0” ver=”1.7.0” rel=”1”/>

          </rpm:provides <http://rpmprovides>>

      • Pakrat downloads the RPMs but does not include them in its local metadata (e.g., the only elasticsearch RPM that appears in Pakrat’s metadata is 1.7.4-1, because that is the only RPM that has a properly-formatted name, including the release)

        • thus they would be unknown to Yum clients going through Pakrat

  • possible fixes:

    • work with the vendor to release properly named RPMs
    • improve Pakrat to address this scenario (i.e., use the source metadata to fix its local metadata)
      • or is this an issue for the makerepo command
    • see if Katello has the same issue or not
    • mv or cp (or make symlinks for) the badly named RPMs after Pakrat downloads them; this may ensure that Pakrat includes them in its metadata
      • could probably script this fix, i.e., when Pakrat sync uncovers one of these errors, look for RPM without release in its name and copy it to the version that it is looking for so that the next run can include it in its metadata (perhaps even schedule another run of the repo at the end)
      • if we start cleaning out old “snapshots” and RPMs that are no longer used, then we may also have to build a workaround into that process
        • although it’s possible that the worst that would happen is that after a clean out, several badly named RPMs are redownloaded during the next Pakrat sync
        • using symlinks may help us here:
          • register the targets of all symlinks ahead of the cleanup
          • only remove a target if you are also going to remove the symlink

• find and implement additional repos

  • search /etc/yum.repos.d using xdsh
  • search for the following terms in Puppet:
    • yum
    • • adm::puppetdb
      • base::puppet
    • rpm
    • package
  • • tar
    • wget
    • curl
    • .com
    • .edu
    • git
  • sync all repos in Pakrat
  • redo Puppet implementation for Yum clients

1.1.1.7   Improvements - Low Priority (e.g., only if we adopt Pakrat as a permanent solution)¶

• Apache:
  • move vhost stuff into Hiera
  • move firewall networks into Hiera
  • should I eliminate apache_config module? move all Hiera references and ‘apache’ module references into profile?
• Pakrat:
  • move config (.config file, cron stuff) into Hiera
  • is my approach for installing OK?
  • • how to handle the dependency that fails to install initially?
  • improve verification/notification/fix when Pakrat sync is broken
    • fix postfix for cron (this is a larger issue)
    • are we sure that cron scheduling via crontab (as opposed to file-based /etc/cron.d scheduling) will result in emails for any output? yes
  • how to know which RPM versions are included in each snapshot?
    • look at *-primary.xml.gz / *-other.xml.gz; zcat piped to some xml parser?
  • document troubleshooting/monitoring for Pakrat

1.1.2.1   Overview¶

Katello <https://theforeman.org/plugins/katello/> is a plug-in for Foreman that is used to manage content, specifically local Yum and Puppet repositories. Katello is an integrated control interface and UI for Pulp and also Candlepin (RH subscription management). These products are all components of the RedHat Satellite platform.

1.1.2.2   Decision to Not Use Katello (October 2017)¶

Areas where it possibly offers benefits or at least different features as compared to the alternative (Puppet w/ Git and Pakrat, then Foreman or xCAT):

1. Integrated change control for Yum and Puppet.
2. Ability to schedule releases of content.
3. GUI for managing Yum repo syncing and management.
4. Flexibility in managing which RPMs are offered in Yum repos.
5. Ability to discard old Yum RPMs.
6. Manages RHEL subscriptions.
7. Handles syncing from Foreman/Katello ‘master’ to Katello ‘capsule’ (a Foreman Smart Proxy with Katello content services):

• • https://theforeman.org/plugins/katello/2.4/user_guide/capsules/index.html

Reasons we have elected not to investigate Katello further at this time:

• Install and design seems overly complicated.
  • You must install Katello before installing Foreman, then run the foreman-installer with a special flag in order to install Foreman for use with Katello (link <https://theforeman.org/plugins/katello/nightly/installation/index.html>).
  • Creates the need to consult both Katello’s documentation and Foreman’s documentation for some considerations.
• The above features don’t seem to offer anything critical that we need and which we haven’t already solved with Pakrat and our current Puppet/Git change control process.
  • 1. We already have integrated change control, via Git, for Yum and Puppet. In fact, it’s not clear whether or not Katello’s state can be captured by Git.
    2. We don’t really need to schedule the release of content. Our focus is more likely to be on scheduling patching or allowing a NHC process to do rolling patching.
    3. A GUI is probably not necessary. Our Git/Puppet work is done in the CL already. We will likely investigate the Hammer CLI for Foreman as well.
    4. This is a little tricky with Pakrat, although presumably we could set certain RPMs to the side and recreate/edit metadata.
    5. We can generate a manual process for discarding old Yum RPMs from Pakrat, although it might not be worth it. Space is cheap.
    6. We do not currently use RHEL.
    7. We could set up a Yum-Pakrat ‘master’ and have each Smart Proxy/Yum-Pakrat slave sync from it.

In summary, it doesn’t appear that the benefits of Katello outweigh the extra complications it seems to present.