Diffstat (limited to '.html/devops')
-rw-r--r-- .html/devops/_list.html 96
-rw-r--r-- .html/devops/autodeploy.html 131
-rw-r--r-- .html/devops/continuous-signing.html 93
-rw-r--r-- .html/devops/glassfish-and-upstart.html 231
-rw-r--r-- .html/devops/index.html 96
-rw-r--r-- .html/devops/puppet-2.7-to-3.1.html 147
-rw-r--r-- .html/devops/self-daemonization-sucks.html 162
7 files changed, 956 insertions, 0 deletions
diff --git a/.html/devops/_list.html b/.html/devops/_list.html
new file mode 100644
index 0000000..f4f4354
--- /dev/null
+++ b/.html/devops/_list.html
@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>
+ The Codex »
+ ls /devops
+ </title>
+
+ <link
+ rel='stylesheet'
+ type='text/css'
+ href='http://fonts.googleapis.com/css?family=Buenard:400,700&amp;subset=latin,latin-ext'>
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/reset.css">
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/grimoire.css">
+</head>
+<body>
+
+<div id="shell">
+
+ <ol id="breadcrumbs">
+
+ <li class="crumb-0 not-last">
+
+ <a href="../">index</a>
+
+ </li>
+
+ <li class="crumb-1 not-last">
+
+ <a href="./">devops</a>
+
+ </li>
+
+ <li class="crumb-2 last">
+
+ <span class="list-crumb">list</span>
+
+ </li>
+
+ </ol>
+
+
+
+ <div id="listing">
+ <h1><code>ls /devops</code></h1>
+
+
+
+
+ <div id="pages">
+ <h2>Pages</h2>
+ <ul>
+
+ <li><a href="continuous-signing">Code Signing on Build Servers</a></li>
+
+ <li><a href="glassfish-and-upstart">Glassfish and Upstart</a></li>
+
+ <li><a href="puppet-2.7-to-3.1">Notes on upgrading Puppet from 2.7 to 3.1</a></li>
+
+ <li><a href="autodeploy">Notes towards automating deployment</a></li>
+
+ <li><a href="self-daemonization-sucks">Self-daemonizing code is awful</a></li>
+
+ </ul>
+ </div>
+
+
+
+ </div>
+
+
+
+
+
+
+ <div id="footer">
+ <p>
+
+ The Codex —
+
+ Powered by <a href="http://markdoc.org/">Markdoc</a>.
+
+<a href="https://bitbucket.org/ojacobson/grimoire.ca/src/master/wiki/devops">See this directory on Bitbucket</a>.
+
+ </p>
+ </div>
+
+</div>
+</body>
+</html> \ No newline at end of file
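Review bot: The Google Fonts stylesheet in the `<head>` is linked as `href='http://fonts.googleapis.com/css?...'`, so a third-party resource is fetched over plaintext HTTP; it can be altered in transit, and browsers will flag or block it as mixed content if the site is served over HTTPS. Change the scheme to `https://`. The same `<link>` appears in every file this commit adds, so the fix belongs in the template that generates these pages rather than in each page. The file also ends without a trailing newline.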
diff --git a/.html/devops/autodeploy.html b/.html/devops/autodeploy.html
new file mode 100644
index 0000000..67644a2
--- /dev/null
+++ b/.html/devops/autodeploy.html
@@ -0,0 +1,131 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>
+ The Codex »
+ Notes towards automating deployment
+ </title>
+
+ <link
+ rel='stylesheet'
+ type='text/css'
+ href='http://fonts.googleapis.com/css?family=Buenard:400,700&amp;subset=latin,latin-ext'>
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/reset.css">
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/grimoire.css">
+</head>
+<body>
+
+<div id="shell">
+
+ <ol id="breadcrumbs">
+
+ <li class="crumb-0 not-last">
+
+ <a href="../">index</a>
+
+ </li>
+
+ <li class="crumb-1 not-last">
+
+ <a href="./">devops</a>
+
+ </li>
+
+ <li class="crumb-2 last">
+
+ autodeploy
+
+ </li>
+
+ </ol>
+
+
+
+ <div id="article">
+ <h1 id="notes-towards-automating-deployment">Notes towards automating deployment</h1>
+<p>This is mostly aimed at the hosted-apps folks; deploying packaged software for
+end users requires a slightly different approach.</p>
+<h2 id="assumptions">Assumptions</h2>
+<ol>
+<li>
+<p>You have one or more <em>services</em> to deploy. (If not, what are you doing
+here?)</p>
+</li>
+<li>
+<p>Your services are tracked in <em>source control</em>. (If not, go sort that out,
+then come back. No, seriously, <em>now</em>.)</p>
+</li>
+<li>
+<p>You will be deploying your services to one or more <em>environments</em>. An
+environment is an abstract thing: think “production,” not
+“web01.public.example.com.” (If not, where, exactly, will your service run?)</p>
+</li>
+<li>
+<p>For each service, in each environment, there are one or more <em>servers</em> to
+host the service. These servers are functionally identical. (If not, go pave
+them and rebuild them using Puppet, Chef, CFengine, or, hell, shell scripts
+and duct tape. An environment full of one-offs is the kind of hell I wouldn't
+wish on my worst enemy.)</p>
+</li>
+<li>
+<p>For each service, in each environment, there is a canonical series of steps
+that produce a “deployed” system.</p>
+</li>
+</ol>
+<hr>
+<ol>
+<li>Decide what code should be deployed. (This is a version control activity.)</li>
+<li>Get the code onto the fucking server.</li>
+<li>Decide what configuration values should be deployed. (This is also a
+ version control activity, though possibly not in the same repositories as
+ the code.)</li>
+<li>Get the configuration onto the fucking server.</li>
+<li>Get the code running with the configuration.</li>
+<li>Log to fucking syslog.</li>
+<li>When the machine reboots, make sure the code comes back running the same
+ configuration.</li>
+</ol>
+ </div>
+
+
+
+<div id="comments">
+<div id="disqus_thread"></div>
+<script type="text/javascript">
+ /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
+ var disqus_shortname = 'grimoire'; // required: replace example with your forum shortname
+
+ /* * * DON'T EDIT BELOW THIS LINE * * */
+ (function() {
+ var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
+ dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
+ (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
+ })();
+</script>
+<noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
+<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
+</div>
+
+
+
+ <div id="footer">
+ <p>
+
+ The Codex —
+
+ Powered by <a href="http://markdoc.org/">Markdoc</a>.
+
+<a href="https://bitbucket.org/ojacobson/grimoire.ca/src/master/wiki/devops/autodeploy.md">See this page on Bitbucket</a> (<a href="https://bitbucket.org/ojacobson/grimoire.ca/history-node/master/wiki/devops/autodeploy.md">history</a>).
+
+ </p>
+ </div>
+
+</div>
+</body>
+</html> \ No newline at end of file
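Review bot: The Disqus loader in the comments block sets `dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js'`, which pulls third-party JavaScript into the page over plaintext HTTP; anyone on the network path can replace that script. Use `https://` for the embed URL (the block is repeated in each article page in this commit). In the article body, the second `<ol>` after the `<hr>` has no heading or lead-in sentence; if it is the "canonical series of steps" that assumption 5 refers to, give it a heading that says so.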
diff --git a/.html/devops/continuous-signing.html b/.html/devops/continuous-signing.html
new file mode 100644
index 0000000..5f61000
--- /dev/null
+++ b/.html/devops/continuous-signing.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>
+ The Codex »
+ Code Signing on Build Servers
+ </title>
+
+ <link
+ rel='stylesheet'
+ type='text/css'
+ href='http://fonts.googleapis.com/css?family=Buenard:400,700&amp;subset=latin,latin-ext'>
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/reset.css">
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/grimoire.css">
+</head>
+<body>
+
+<div id="shell">
+
+ <ol id="breadcrumbs">
+
+ <li class="crumb-0 not-last">
+
+ <a href="../">index</a>
+
+ </li>
+
+ <li class="crumb-1 not-last">
+
+ <a href="./">devops</a>
+
+ </li>
+
+ <li class="crumb-2 last">
+
+ continuous-signing
+
+ </li>
+
+ </ol>
+
+
+
+ <div id="article">
+ <h1 id="code-signing-on-build-servers">Code Signing on Build Servers</h1>
+<p>We sign things so that we can authenticate them later, but authentication is
+largely a conscious function. Computers are bad at answering "is this real".</p>
+<p>Major signing systems (GPG, jarsigner) require presentation of credentials at
+signing time. CI servers don't generally have safe tools for this.</p>
+ </div>
+
+
+
+<div id="comments">
+<div id="disqus_thread"></div>
+<script type="text/javascript">
+ /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
+ var disqus_shortname = 'grimoire'; // required: replace example with your forum shortname
+
+ /* * * DON'T EDIT BELOW THIS LINE * * */
+ (function() {
+ var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
+ dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
+ (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
+ })();
+</script>
+<noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
+<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
+</div>
+
+
+
+ <div id="footer">
+ <p>
+
+ The Codex —
+
+ Powered by <a href="http://markdoc.org/">Markdoc</a>.
+
+<a href="https://bitbucket.org/ojacobson/grimoire.ca/src/master/wiki/devops/continuous-signing.md">See this page on Bitbucket</a> (<a href="https://bitbucket.org/ojacobson/grimoire.ca/history-node/master/wiki/devops/continuous-signing.md">history</a>).
+
+ </p>
+ </div>
+
+</div>
+</body>
+</html> \ No newline at end of file
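Review bot: The article body is two paragraphs that state the problem (GPG and jarsigner need credentials presented at signing time, and CI servers lack safe tools for that) and then stop, with no recommendation or even a list of options. As published it reads as a finished page titled "Code Signing on Build Servers"; either mark it as a stub or draft in the text, or add the section that says what a build server should do about the signing credentials.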
diff --git a/.html/devops/glassfish-and-upstart.html b/.html/devops/glassfish-and-upstart.html
new file mode 100644
index 0000000..0d03620
--- /dev/null
+++ b/.html/devops/glassfish-and-upstart.html
@@ -0,0 +1,231 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>
+ The Codex »
+ Glassfish and Upstart
+ </title>
+
+ <link
+ rel='stylesheet'
+ type='text/css'
+ href='http://fonts.googleapis.com/css?family=Buenard:400,700&amp;subset=latin,latin-ext'>
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/reset.css">
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/grimoire.css">
+</head>
+<body>
+
+<div id="shell">
+
+ <ol id="breadcrumbs">
+
+ <li class="crumb-0 not-last">
+
+ <a href="../">index</a>
+
+ </li>
+
+ <li class="crumb-1 not-last">
+
+ <a href="./">devops</a>
+
+ </li>
+
+ <li class="crumb-2 last">
+
+ glassfish-and-upstart
+
+ </li>
+
+ </ol>
+
+
+
+ <div id="article">
+ <h1 id="glassfish-and-upstart">Glassfish and Upstart</h1>
+<p><strong>Warning</strong>: the article you're about to read is largely empirical. Take
+everything in it in a grain of salt, and <em>verify it yourself</em> before putting
+it into production. You have been warned.</p>
+<p>The following observations apply to Glassfish 3.1.2.2. Other versions probably
+act similarly, but check the docs.</p>
+<h2 id="asadmin-create-service"><code>asadmin create-service</code></h2>
+<p>Glassfish is capable of emitting SysV init scripts for the DAS, or for any
+instance. These init scripts wrap <code>asadmin start-domain</code> and <code>asadmin
+start-local-instance</code>. However, the scripts it emits are (justifiably)
+minimalist, and it makes some very strong assumptions about the layout of your
+system's rc.d trees and about your system's choice of runlevels. The minimal
+init scripts avoid any integration with platform “enhancements” (such as
+Redhat's <code>/var/lock/subsys</code> mechanism and <code>condrestart</code> convention, or
+Debian's <code>start-stop-daemon</code> helpers) in the name of portability, and the
+assumptions it makes about runlevels and init layout are becoming
+incrementally more fragile as more distributions switch to alternate init
+systems with SysV compatiblity layers.</p>
+<h2 id="fork-and-expect">Fork and <code>expect</code></h2>
+<p>Upstart's process tracking mechanism relies on services following one of three
+forking models, so that it can accurately track which children of PID 1 are
+associated with which services:</p>
+<ul>
+<li>
+<p>No <code>expect</code> stanza: The service's “main” process is expected not to fork at
+ all, and to remain running. The process started by upstart is the “main”
+ process.</p>
+</li>
+<li>
+<p><code>expect fork</code>: The service is expected to call <code>fork()</code> or <code>clone()</code> once.
+ The process started by upstart itself is not the “main” process, but its
+ first child process is.</p>
+</li>
+<li>
+<p><code>expect daemon</code>: The service is expected to call <code>fork()</code> or <code>clone()</code>
+ twice. The first grandchild process of the one started by upstart itself is
+ the “main” process. This corresponds to classical Unix daemons, which fork
+ twice to properly dissociate themselves from the launching shell.</p>
+</li>
+</ul>
+<p>Surprisingly, <code>asadmin</code>-launched Glassfish matches <em>none</em> of these models, and
+using <code>asadmin start-domain</code> to launch Glassfish from Upstart is not, as far
+as I can tell, possible. It's tricky to debug why, since JVM thread creation
+floods <code>strace</code> with chaff, but I suspect that either <code>asadmin</code> or Glassfish
+itself is forking too many times.</p>
+<p>From <a href="https://java.net/projects/glassfish/lists/dev/archive/2012-02/message/9">this mailing list
+thread</a>,
+though, it appears to be safe to launch Glassfish directly, using <code>java -jar
+GLASSFISH_ROOT/modules/glassfish.jar -domain DOMAIN</code>. This fits nicely into
+Upstart's non-forking expect mode, but you lose the ability to pass VM
+configuration settings to Glassfish during startup. Any memory settings or
+Java environment properties you want to pass to Glassfish have to be passed to
+the <code>java</code> command manually.</p>
+<p>You also lose <code>asadmin</code>'s treatment of Glassfish's working directory. Since
+Upstart can configure the working directory, this isn't a big deal.</p>
+<h2 id="sigterm-versus-asadmin-stop-domain"><code>SIGTERM</code> versus <code>asadmin stop-domain</code></h2>
+<p>Upstart always stops services by sending them a signal. While you can dictate
+which signal it uses, you cannot replace signals with another mechanims.
+Glassfish shuts down abruptly when it recieves <code>SIGTERM</code> or <code>SIGINT</code>, leaving
+some ugly noise in the logs and potentially aborting any transactions and
+requests in flight. The Glassfish developers believe this is harmless and that
+the server's operation is correct, and that's probably true, but I've not
+tested its effect on outward-facing requests or on in-flight operations far
+enough to be comfortable with it.</p>
+<p>I chose to run a “clean”(er) shutdown using <code>asadmin stop-domain</code>. This fits
+nicely in Upstart's <code>pre-stop</code> step, <em>provided you do not use Upstart's
+<code>respawn</code> feature</em>. Upstart will correctly notice that Glassfish has already
+stopped after <code>pre-stop</code> finishes, but when <code>respawn</code> is enabled Upstart will
+treat this as an unexpected termination, switch goals from <code>stop</code> to
+<code>respawn</code>, and restart Glassfish.</p>
+<p>(The Upstart documentation claims that <code>respawn</code> does not apply if the tracked
+process exits during <code>pre-stop</code>. This may be true in newer versions of
+Upstart, but the version used in Ubuntu 12.04 does restart Glassfish if it
+stops during <code>pre-stop</code>.)</p>
+<p>Yes, this does make it impossible to stop Glassfish, ever, unless you set a
+respawn limit.</p>
+<p>Fortunately, you don't actually want to use <code>respawn</code> to manage availability.
+The <code>respawn</code> mode cripples your ability to manage the service “out of band”
+by forcing Upstart to restart it as a daemon every time it stops for any
+reason. This means you cannot stop a server with <code>SIGTERM</code> or <code>SIGKILL</code>; it'll
+immediately start again.</p>
+<h2 id="initctl-reload"><code>initctl reload</code></h2>
+<p>It sends <code>SIGHUP</code>. This does not reload Glassfish's configuration. Deal with
+it; use <code>initctl restart</code> or <code>asadmin restart-domain</code> instead. Most of
+Glassfish's configuration can be changed on the fly with <code>asadmin set</code> or
+other commands anyways, so this is not a big limitation.</p>
+<h2 id="instances">Instances</h2>
+<p>Upstart supports “instances” of a service. This slots nicely into Glassfish's
+ability to host multiple domains and instances on the same physical hardware.
+I ended up with a generic <code>glassfish-domain.conf</code> Upstart configuration:</p>
+<pre><code>description "Glassfish DAS"
+console log
+
+instance $DOMAIN
+
+setuid glassfish
+setgid glassfish
+umask 0022
+chdir /opt/glassfish3
+
+exec /usr/bin/java -jar /opt/glassfish3/glassfish/modules/glassfish.jar -domain "${DOMAIN}"
+
+pre-stop exec /opt/glassfish3/bin/asadmin stop-domain "${DOMAIN}"
+</code></pre>
+<p>Combined with a per-domain wrapper:</p>
+<pre><code>description "Glassfish 'example' domain"
+console log
+
+# Consider using runlevels here.
+start on started networking
+stop on deconfiguring-networking
+
+pre-start script
+ start glassfish-domain DOMAIN=example
+end script
+
+post-stop script
+ stop glassfish-domain DOMAIN=example
+end script
+</code></pre>
+<h2 id="possible-refinements">Possible refinements</h2>
+<ul>
+<li>
+<p>Pull system properties and VM flags from the domain's own <code>domain.xml</code>
+ correctly. It might be possible to abuse the (undocumented, unsupported, but
+ helpful) <code>--_dry-run</code> argument from <code>asadmin start-domain</code> for this, or it
+ might be necessary to parse <code>domain.xml</code> manually, or it may be possible to
+ exploit parts of Glassfish itself for this.</p>
+</li>
+<li>
+<p>The <code>asadmin</code> cwd is actually the domain's <code>config</code> dir, not the Glassfish
+ installation root.</p>
+</li>
+<li>
+<p>Something something something password files.</p>
+</li>
+<li>
+<p>Syslog and logrotate integration would be useful. The configurations above
+ spew Glassfish's startup output and stdout to
+ <code>/var/log/upstart/glassfish-domain-FOO.log</code>, which may not be rotated by
+ default.</p>
+</li>
+</ul>
+ </div>
+
+
+
+<div id="comments">
+<div id="disqus_thread"></div>
+<script type="text/javascript">
+ /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
+ var disqus_shortname = 'grimoire'; // required: replace example with your forum shortname
+
+ /* * * DON'T EDIT BELOW THIS LINE * * */
+ (function() {
+ var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
+ dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
+ (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
+ })();
+</script>
+<noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
+<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
+</div>
+
+
+
+ <div id="footer">
+ <p>
+
+ The Codex —
+
+ Powered by <a href="http://markdoc.org/">Markdoc</a>.
+
+<a href="https://bitbucket.org/ojacobson/grimoire.ca/src/master/wiki/devops/glassfish-and-upstart.md">See this page on Bitbucket</a> (<a href="https://bitbucket.org/ojacobson/grimoire.ca/history-node/master/wiki/devops/glassfish-and-upstart.md">history</a>).
+
+ </p>
+ </div>
+
+</div>
+</body>
+</html> \ No newline at end of file
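Review bot: In the "Possible refinements" list the bullet "Something something something password files." is a placeholder that documents nothing, yet it sits next to configurations that run `asadmin stop-domain` unattended from `pre-stop`; spell out what is intended for password files (what the file would hold, who may read it) or drop the bullet. Smaller points in the same file: "compatiblity", "mechanims" and "recieves" are misspelled, and "in a grain of salt" in the warning should be "with a grain of salt". The last bullet says the log under `/var/log/upstart/` "may not be rotated by default"; state whether it was on the Ubuntu 12.04 system the article mentions, since unrotated logs are an operational risk worth being definite about.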
diff --git a/.html/devops/index.html b/.html/devops/index.html
new file mode 100644
index 0000000..f4f4354
--- /dev/null
+++ b/.html/devops/index.html
@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>
+ The Codex »
+ ls /devops
+ </title>
+
+ <link
+ rel='stylesheet'
+ type='text/css'
+ href='http://fonts.googleapis.com/css?family=Buenard:400,700&amp;subset=latin,latin-ext'>
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/reset.css">
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/grimoire.css">
+</head>
+<body>
+
+<div id="shell">
+
+ <ol id="breadcrumbs">
+
+ <li class="crumb-0 not-last">
+
+ <a href="../">index</a>
+
+ </li>
+
+ <li class="crumb-1 not-last">
+
+ <a href="./">devops</a>
+
+ </li>
+
+ <li class="crumb-2 last">
+
+ <span class="list-crumb">list</span>
+
+ </li>
+
+ </ol>
+
+
+
+ <div id="listing">
+ <h1><code>ls /devops</code></h1>
+
+
+
+
+ <div id="pages">
+ <h2>Pages</h2>
+ <ul>
+
+ <li><a href="continuous-signing">Code Signing on Build Servers</a></li>
+
+ <li><a href="glassfish-and-upstart">Glassfish and Upstart</a></li>
+
+ <li><a href="puppet-2.7-to-3.1">Notes on upgrading Puppet from 2.7 to 3.1</a></li>
+
+ <li><a href="autodeploy">Notes towards automating deployment</a></li>
+
+ <li><a href="self-daemonization-sucks">Self-daemonizing code is awful</a></li>
+
+ </ul>
+ </div>
+
+
+
+ </div>
+
+
+
+
+
+
+ <div id="footer">
+ <p>
+
+ The Codex —
+
+ Powered by <a href="http://markdoc.org/">Markdoc</a>.
+
+<a href="https://bitbucket.org/ojacobson/grimoire.ca/src/master/wiki/devops">See this directory on Bitbucket</a>.
+
+ </p>
+ </div>
+
+</div>
+</body>
+</html> \ No newline at end of file
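Review bot: This file has the same blob id as `_list.html` earlier in the commit (`index 0000000..f4f4354` in both headers), so the identical generated listing is stored twice. The footer shows the pages are Markdoc output built from `wiki/devops`; consider producing `index.html` from `_list.html` at build or deploy time instead of committing both, so the two cannot drift apart. The breadcrumb in this copy still reads `list` rather than indicating the directory index, which follows from it being a straight copy.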
diff --git a/.html/devops/puppet-2.7-to-3.1.html b/.html/devops/puppet-2.7-to-3.1.html
new file mode 100644
index 0000000..ca53067
--- /dev/null
+++ b/.html/devops/puppet-2.7-to-3.1.html
@@ -0,0 +1,147 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>
+ The Codex »
+ Notes on upgrading Puppet from 2.7 to 3.1
+ </title>
+
+ <link
+ rel='stylesheet'
+ type='text/css'
+ href='http://fonts.googleapis.com/css?family=Buenard:400,700&amp;subset=latin,latin-ext'>
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/reset.css">
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/grimoire.css">
+</head>
+<body>
+
+<div id="shell">
+
+ <ol id="breadcrumbs">
+
+ <li class="crumb-0 not-last">
+
+ <a href="../">index</a>
+
+ </li>
+
+ <li class="crumb-1 not-last">
+
+ <a href="./">devops</a>
+
+ </li>
+
+ <li class="crumb-2 last">
+
+ puppet-2.7-to-3.1
+
+ </li>
+
+ </ol>
+
+
+
+ <div id="article">
+ <h1 id="notes-on-upgrading-puppet-from-27-to-31">Notes on upgrading Puppet from 2.7 to 3.1</h1>
+<h2 id="bad">Bad</h2>
+<ul>
+<li>
+<p>As usual, you have to upgrade the puppet master first. 2.7 agents can speak
+ to 3.1 masters just fine, but 3.1 agents cannot speak to 2.7 masters.</p>
+</li>
+<li>
+<p>I tried to upgrade the Puppet master using both <code>puppet agent</code> (failed when
+ package upgrades shut down the puppet master) and <code>puppet apply</code> (failed for
+ Ubuntu-specific reasons outlined below)</p>
+</li>
+<li>
+<p><a href="https://projects.puppetlabs.com/issues/19308">This bug</a>.</p>
+</li>
+<li>
+<p>You more or less can't upgrade Puppet using Puppet.</p>
+</li>
+</ul>
+<h2 id="good">Good</h2>
+<ul>
+<li>
+<p>My 2.7 manifests worked perfectly under 3.1.</p>
+</li>
+<li>
+<p>Puppet's CA and SSL certs survived intact and required no maintenance after
+ the upgrade.</p>
+</li>
+<li>
+<p>The Hiera integration into class parameters works as advertised and really
+ does help a lot.</p>
+</li>
+<li>
+<p>Once I figured out how to execute it, the upgrade was pretty smooth.</p>
+</li>
+<li>
+<p>No Ruby upgrade!</p>
+</li>
+<li>
+<p>Testing the upgrade in a VM sandbox meant being able to fuck up safely.
+ <a href="http://www.vagrantup.com">Vagrant</a> is super awesome.</p>
+</li>
+</ul>
+<h2 id="package-management-sucks">Package Management Sucks</h2>
+<p>Asking Puppet to upgrade Puppet went wrong on Ubuntu because of the way Puppet
+is packaged: there are three (ish) Puppet packages, and Puppet's resource
+evaluation bits try to upgrade and install one package at a time. Upgrading
+only “puppetmaster” upgraded “puppet-common” but not “puppet,” causing Apt to
+remove “puppet”; upgrading only “puppet” similarly upgraded “puppet-copmmon”
+but not “puppetmaster,” causing Apt to remove “puppetmaster.”</p>
+<p>The Puppet aptitude provider (which I use instead of apt-get) for Package
+resources also doesn't know how to tell aptitude what to do with config files
+during upgrades. This prevented Puppet from being able to upgrade pacakges
+even when running standalone (via <code>puppet apply</code>).</p>
+<p>Finally, something about the switchover from Canonical's Puppet .debs to
+Puppetlabs' .debs caused aptitude to consider all three packages “broken”
+after a manual upgrade ('aptitude upgrade puppet puppetmaster'). Upgrading the
+packages a second time corrected it; this is the path I eventually took with
+my production puppetmaster and nodes.</p>
+ </div>
+
+
+
+<div id="comments">
+<div id="disqus_thread"></div>
+<script type="text/javascript">
+ /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
+ var disqus_shortname = 'grimoire'; // required: replace example with your forum shortname
+
+ /* * * DON'T EDIT BELOW THIS LINE * * */
+ (function() {
+ var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
+ dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
+ (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
+ })();
+</script>
+<noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
+<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
+</div>
+
+
+
+ <div id="footer">
+ <p>
+
+ The Codex —
+
+ Powered by <a href="http://markdoc.org/">Markdoc</a>.
+
+<a href="https://bitbucket.org/ojacobson/grimoire.ca/src/master/wiki/devops/puppet-2.7-to-3.1.md">See this page on Bitbucket</a> (<a href="https://bitbucket.org/ojacobson/grimoire.ca/history-node/master/wiki/devops/puppet-2.7-to-3.1.md">history</a>).
+
+ </p>
+ </div>
+
+</div>
+</body>
+</html> \ No newline at end of file
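Review bot: Under "Bad", the bullet that consists only of the link text "This bug" gives no description of the issue, so the note loses its meaning if the tracker URL stops resolving; add a short phrase saying what the bug is. In "Package Management Sucks", "puppet-copmmon" and "pacakges" are misspelled; the package name matters because a reader may search for it, and it is spelled "puppet-common" one line earlier. The second "Bad" bullet is also missing its closing period.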
diff --git a/.html/devops/self-daemonization-sucks.html b/.html/devops/self-daemonization-sucks.html
new file mode 100644
index 0000000..14e2c01
--- /dev/null
+++ b/.html/devops/self-daemonization-sucks.html
@@ -0,0 +1,162 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>
+ The Codex »
+ Self-daemonizing code is awful
+ </title>
+
+ <link
+ rel='stylesheet'
+ type='text/css'
+ href='http://fonts.googleapis.com/css?family=Buenard:400,700&amp;subset=latin,latin-ext'>
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/reset.css">
+ <link
+ rel="stylesheet"
+ type="text/css"
+ href="../media/css/grimoire.css">
+</head>
+<body>
+
+<div id="shell">
+
+ <ol id="breadcrumbs">
+
+ <li class="crumb-0 not-last">
+
+ <a href="../">index</a>
+
+ </li>
+
+ <li class="crumb-1 not-last">
+
+ <a href="./">devops</a>
+
+ </li>
+
+ <li class="crumb-2 last">
+
+ self-daemonization-sucks
+
+ </li>
+
+ </ol>
+
+
+
+ <div id="article">
+ <h1 id="self-daemonizing-code-is-awful">Self-daemonizing code is awful</h1>
+<p>The classical UNIX approach to services is to implement them as “daemons,”
+programs that run without a terminal attached and provide some service. The
+key feature of a classical daemon is that, when started, it carefully
+detaches itself from its initial environment and terminal, then continues
+running in the background.</p>
+<p>This is awful and I'm glad modern init replacements discourage it.</p>
+<h2 id="process-tracking">Process Tracking</h2>
+<p>Daemons don't exist in a vacuum. Administrators and owners need to be able to
+start and stop daemons reliably, and check their status. The classic
+self-daemonization approach makes this impossible.</p>
+<p>Traditionally, daemons run as children of <code>init</code> (pid 1), even if they start
+out as children of some terminal or startup process. Posix only provides
+deterministic APIs for processes to manage their children and their immediate
+parents; the classic daemonisation protocol hands the newly-started daemon
+process off from its original parent process, which knows how to start and
+stop it, to an unsuspecting <code>init</code>, which has no idea how this specific
+daemon is special.</p>
+<p>The standard workaround has daemons write their own PIDs to a file, but a
+file is “dead” data: it's not automatically updated if the daemon dies, and
+can linger long enough to contain the PID of some later, unrelated program.
+PID file validity checks generally suffer from subtle (or, sometimes, quite
+gross) race conditions.</p>
+<h2 id="complexity">Complexity</h2>
+<p>The actual <em>code</em> to correctly daemonize a process is surprisingly complex,
+given the individual interfaces' relative simplicity:</p>
+<ul>
+<li>
+<p>The daemon must start its own process group</p>
+</li>
+<li>
+<p>The daemon must detach from its controlling terminal</p>
+</li>
+<li>
+<p>The daemon should close (and may reopen) file handles inherited from its
+ parent process (generally, a shell)</p>
+</li>
+<li>
+<p>The daemon should ensure its working directory is predictable and
+ controllable</p>
+</li>
+<li>
+<p>The daemon should ensure its umask is predictable and controllable</p>
+</li>
+<li>
+<p>If the daemon uses privileged resources (such as low-numbered ports), it
+ should carefully manage its effective, real, and session UID and GIDs</p>
+</li>
+<li>
+<p>Daemons must ensure that all of the above steps happen in signal-safe ways,
+ so that a daemon can be shut down sanely even if it's still starting up</p>
+</li>
+</ul>
+<p>See <a href="http://www.freedesktop.org/software/systemd/man/daemon.html">this list</a>
+for a longer version. It's worse than you think.</p>
+<p>All of this gets even more complicated if the daemon has its own child
+processes, a pattern common to network services. Naturally, a lot of daemons
+in the real world get some of these steps wrong.</p>
+<h2 id="the-future">The Future</h2>
+<p><a href="http://supervisord.org">Supervisord</a>,
+<a href="http://ddollar.github.io/foreman/">Foreman</a>,
+<a href="http://upstart.ubuntu.com">Upstart</a>,
+<a href="https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/launchctl.1.html">Launchd</a>,
+<a href="http://www.freedesktop.org/wiki/Software/systemd/">systemd</a>, and <a href="http://cr.yp.to/daemontools.html">daemontools</a> all
+encourage services <em>not</em> to self-daemonize by providing a sane system for
+starting the daemon with the right parent process and the right environment
+in the first place.</p>
+<p>This is a great application of
+<a href="http://c2.com/cgi/wiki?DontRepeatYourself">DRY</a>, as the daemon management
+code only needs to be written once (in the daemon-managing daemon) rather
+than many times over (in each individual daemon). It also makes daemon
+execution more predictable, since daemons “in production” behave more like
+they do when run attached to a developer's console during debugging or
+development.</p>
+ </div>
+
+
+
+<div id="comments">
+<div id="disqus_thread"></div>
+<script type="text/javascript">
+ /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
+ var disqus_shortname = 'grimoire'; // required: replace example with your forum shortname
+
+ /* * * DON'T EDIT BELOW THIS LINE * * */
+ (function() {
+ var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
+ dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
+ (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
+ })();
+</script>
+<noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
+<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
+</div>
+
+
+
+ <div id="footer">
+ <p>
+
+ The Codex —
+
+ Powered by <a href="http://markdoc.org/">Markdoc</a>.
+
+<a href="https://bitbucket.org/ojacobson/grimoire.ca/src/master/wiki/devops/self-daemonization-sucks.md">See this page on Bitbucket</a> (<a href="https://bitbucket.org/ojacobson/grimoire.ca/history-node/master/wiki/devops/self-daemonization-sucks.md">history</a>).
+
+ </p>
+ </div>
+
+</div>
+</body>
+</html> \ No newline at end of file
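Review bot: In the "Complexity" list, the bullet on privileged resources says a daemon should manage its "effective, real, and session UID and GIDs"; a process has real, effective and saved set-user-ID values (and the matching group IDs), and there is no session UID, so "session" looks like a slip for "saved". This is the one bullet about privilege handling, so the terms should be exact. In "Process Tracking", "Posix" should be written "POSIX". The first bullet says the daemon "must start its own process group"; since the next bullet is about detaching from the controlling terminal, consider saying that it starts a new session, which is what achieves both.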