Update CAS to 7.0
Open, MediumPublic
Actions

Assigned To

None

Authored By

	• MoritzMuehlenhoff
	Fri, Jun 14, 6:40 AM

Description

Details

Subject	Repo	Branch	Lines +/-
R:idp New CAS 7 hosts.	operations/puppet	production	+35 -1
R:idp_test: hardend_tls to false.	operations/puppet	production	+2 -0
R:idp_test Remove references to host that does not yet exist.	operations/puppet	production	+1 -2
R:idp_test: Separate testing environment for CAS 7	operations/puppet	production	+29 -1
Move fonts to CSS directory.	operations/software/cas-overlay-template	master	+1 -1
Update Thymeleaf syntax to remove deprecation warning.	operations/software/cas-overlay-template	master	+4 -4
IDP-Test: Switch to CAS 7 on idp-test1002	operations/dns	master	+1 -1
C:apereo_cas check for tomcat 10 on CAS 7 only variables.	operations/puppet	production	+74 -64
Remove apereo spec test	operations/puppet	production	+0 -184
C:apereo_cas oauth session encryption	operations/puppet	production	+6 -0
C:apereo_cas Add dummy secrets for CAS 7	labs/private	master	+4 -0
C:apereo_cas Additional secrets required for CAS7	labs/private	master	+4 -0
C:apereo_cas Add CAS 7 properties	operations/puppet	production	+5 -0
Downgrade SpringBoot version to match CAS 7.0.4.1 requirements.	operations/software/cas-overlay-template	master	+18 -3
P:idp Allow upgrade to Tomcat 10.	operations/puppet	production	+22 -3
Update Debian packaging to work with Tomcat 10.	operations/software/cas-overlay-template	master	+16 -15
profile::java: Add support for Java 21	operations/puppet	production	+9 -0
Update Debian package dependencies for CAS 7.X	operations/software/cas-overlay-template	master	+2 -7
P:idp::build Add fakeroot build dependency.	operations/puppet	production	+2 -1
cas::build: Fix creation of build directory	operations/puppet	production	+1 -3
idp::build: Make the rsync setup depend on the OS	operations/puppet	production	+15 -14
Upgrade to CAS 7.0.4.1	operations/software/cas-overlay-template	master	+329 -78
idp::build: Install Java 21 on Bookworm	operations/puppet	production	+10 -4
Add a build hook for Java 21	operations/puppet	production	+16 -0
Add component/jdk21 for Bookworm	operations/puppet	production	+1 -0

Related Objects

Mentioned In: rLPRI954d32990f24: C:apereo_cas Add dummy secrets for CAS 7
rLPRIfc14ed820df2: C:apereo_cas Additional secrets required for CAS7

Event Timeline

• MoritzMuehlenhoff created this task.Fri, Jun 14, 6:40 AM

I've run a test build, Java 21 is a hard requirement, it cannot be older or newer.
Otherwise the overlay upgrade contains only minor changes. I have not tested the functionality.

I'll look into a Java 21 backport for Bookworm.

Change #1046601 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add component/jdk21 for Bookworm

https://gerrit.wikimedia.org/r/1046601

gerritbot added a project: Patch-For-Review.Mon, Jun 17, 8:55 AM

Change #1046601 merged by Muehlenhoff:

[operations/puppet@production] Add component/jdk21 for Bookworm

https://gerrit.wikimedia.org/r/1046601

Maintenance_bot removed a project: Patch-For-Review.Mon, Jun 17, 9:30 AM

In T367487#9891993, @SLyngshede-WMF wrote:

I've run a test build, Java 21 is a hard requirement, it cannot be older or newer.
Otherwise the overlay upgrade contains only minor changes. I have not tested the functionality.

A preliminary backport of Java 21 is now available in component/jdk21, it can already be used to build CAS 7.0.
(It's preliminary package since I had to use a bootstrap package (Bookworm has Java 17, but Java 21 needs Java 20/21 to build, while Java 20 needs Java 19/20 to build etc. pp). Now that the bootstrap dep is imported to the component,I'll next rebuild openjdk-21 using this bootstrap package)

Change #1046612 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add a build hook for Java 21

https://gerrit.wikimedia.org/r/1046612

gerritbot added a project: Patch-For-Review.Mon, Jun 17, 10:02 AM

Change #1046612 merged by Muehlenhoff:

[operations/puppet@production] Add a build hook for Java 21

https://gerrit.wikimedia.org/r/1046612

Maintenance_bot removed a project: Patch-For-Review.Mon, Jun 17, 10:30 AM

Change #1047013 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/cas-overlay-template@master] Upgrade to CAS 7.0.4.1

https://gerrit.wikimedia.org/r/1047013

gerritbot added a project: Patch-For-Review.Tue, Jun 18, 7:53 AM

Mentioned in SAL (#wikimedia-operations) [2024-06-18T10:30:52Z] <moritzm> upload openjdk-21 21.0.3+9-2~deb12u2 for bookworm/wikimedia (secondary rebuild on build2001 following the initial bootstrap build) https://phabricator.wikimedia.org/T367487

Change #1047044 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] idp::build: Install Java 21 on Bookworm

https://gerrit.wikimedia.org/r/1047044

Change #1047044 merged by Muehlenhoff:

[operations/puppet@production] idp::build: Install Java 21 on Bookworm

https://gerrit.wikimedia.org/r/1047044

Change #1047013 merged by Slyngshede:

[operations/software/cas-overlay-template@master] Upgrade to CAS 7.0.4.1

https://gerrit.wikimedia.org/r/1047013

Maintenance_bot removed a project: Patch-For-Review.Tue, Jun 18, 11:30 AM

Change #1047051 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] idp::build: Make the rsync setup depend on the OS

https://gerrit.wikimedia.org/r/1047051

gerritbot added a project: Patch-For-Review.Tue, Jun 18, 11:33 AM

Change #1047053 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:idp Allow upgrade to Tomcat 10.

https://gerrit.wikimedia.org/r/1047053

Change #1047051 merged by Muehlenhoff:

[operations/puppet@production] idp::build: Make the rsync setup depend on the OS

https://gerrit.wikimedia.org/r/1047051

Change #1047063 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] cas::build: Fix creation of build directory

https://gerrit.wikimedia.org/r/1047063

Change #1047063 merged by Muehlenhoff:

[operations/puppet@production] cas::build: Fix creation of build directory

https://gerrit.wikimedia.org/r/1047063

Change #1047064 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:idp::build Add fakeroot build dependency.

https://gerrit.wikimedia.org/r/1047064

Change #1047066 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/cas-overlay-template@master] Update Debian package dependencies for CAS 7.X

https://gerrit.wikimedia.org/r/1047066

Change #1047064 abandoned by Slyngshede:

[operations/puppet@production] P:idp::build Add fakeroot build dependency.

Reason:

Not needed when building using sudo

https://gerrit.wikimedia.org/r/1047064

Change #1047066 merged by Slyngshede:

[operations/software/cas-overlay-template@master] Update Debian package dependencies for CAS 7.X

https://gerrit.wikimedia.org/r/1047066

Change #1047086 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] profile::java: Add support for Java 21

https://gerrit.wikimedia.org/r/1047086

Change #1047254 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/cas-overlay-template@master] Update Debian packaging to work with Tomcat 10.

https://gerrit.wikimedia.org/r/1047254

Change #1047086 merged by Muehlenhoff:

[operations/puppet@production] profile::java: Add support for Java 21

https://gerrit.wikimedia.org/r/1047086

Change #1047254 merged by Slyngshede:

[operations/software/cas-overlay-template@master] Update Debian packaging to work with Tomcat 10.

https://gerrit.wikimedia.org/r/1047254

Icinga downtime and Alertmanager silence (ID=d9d9df4b-e647-4f8e-8b55-811d9f86d7d0) set by slyngshede@cumin1002 for 5 days, 0:00:00 on 1 host(s) and their services with reason: CAS 7 upgrade

idp-test1002.wikimedia.org

Change #1047053 merged by Slyngshede:

[operations/puppet@production] P:idp Allow upgrade to Tomcat 10.

https://gerrit.wikimedia.org/r/1047053

Maintenance_bot removed a project: Patch-For-Review.Wed, Jun 19, 12:30 PM

Change #1047909 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/cas-overlay-template@master] Downgrade SpringBoot version to match CAS 7.0.4.1 requirements.

https://gerrit.wikimedia.org/r/1047909

gerritbot added a project: Patch-For-Review.Thu, Jun 20, 8:13 AM

Change #1047909 merged by Slyngshede:

[operations/software/cas-overlay-template@master] Downgrade SpringBoot version to match CAS 7.0.4.1 requirements.

https://gerrit.wikimedia.org/r/1047909

Maintenance_bot removed a project: Patch-For-Review.Thu, Jun 20, 12:30 PM

Change #1048445 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] C:apereo_cas Add CAS 7 properties

https://gerrit.wikimedia.org/r/1048445

gerritbot added a project: Patch-For-Review.Fri, Jun 21, 1:25 PM

Change #1049095 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[labs/private@master] PAC4J secrets, required for CAS7

https://gerrit.wikimedia.org/r/1049095

Change #1048445 merged by Slyngshede:

[operations/puppet@production] C:apereo_cas Add CAS 7 properties

https://gerrit.wikimedia.org/r/1048445

Change #1049103 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] C:apereo_cas PAC4J replication secrets

https://gerrit.wikimedia.org/r/1049103

Change #1049095 merged by Slyngshede:

[labs/private@master] C:apereo_cas Additional secrets required for CAS7

https://gerrit.wikimedia.org/r/1049095

SLyngshede-WMF mentioned this in rLPRIfc14ed820df2: C:apereo_cas Additional secrets required for CAS7.Mon, Jun 24, 10:50 AM

Change #1049129 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[labs/private@master] C:apereo_cas Add dummy secrets for CAS 7

https://gerrit.wikimedia.org/r/1049129

Change #1049129 merged by Slyngshede:

[labs/private@master] C:apereo_cas Add dummy secrets for CAS 7

https://gerrit.wikimedia.org/r/1049129

Change #1049103 merged by Slyngshede:

[operations/puppet@production] C:apereo_cas oauth session encryption

https://gerrit.wikimedia.org/r/1049103

SLyngshede-WMF mentioned this in rLPRI954d32990f24: C:apereo_cas Add dummy secrets for CAS 7.Mon, Jun 24, 11:21 AM

Maintenance_bot removed a project: Patch-For-Review.Mon, Jun 24, 11:30 AM

Change #1049134 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] C:apereo_cas check for tomcat 10 on CAS 7 only variables.

https://gerrit.wikimedia.org/r/1049134

gerritbot added a project: Patch-For-Review.Mon, Jun 24, 11:54 AM

Change #1049139 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove apereo spec test

https://gerrit.wikimedia.org/r/1049139

• MoritzMuehlenhoff triaged this task as Medium priority.Mon, Jun 24, 1:03 PM

Change #1049139 merged by Muehlenhoff:

[operations/puppet@production] Remove apereo spec test

https://gerrit.wikimedia.org/r/1049139

Change #1049134 merged by Slyngshede:

[operations/puppet@production] C:apereo_cas check for tomcat 10 on CAS 7 only variables.

https://gerrit.wikimedia.org/r/1049134

Change #1049456 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/dns@master] IDP-Test: Switch to CAS 7 on idp-test1002

https://gerrit.wikimedia.org/r/1049456

Change #1049456 merged by Slyngshede:

[operations/dns@master] IDP-Test: Switch to CAS 7 on idp-test1002

https://gerrit.wikimedia.org/r/1049456

Change #1049492 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/cas-overlay-template@master] Update Thymeleaf syntax to remove deprecation warning.

https://gerrit.wikimedia.org/r/1049492

Change #1049508 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/cas-overlay-template@master] Move fonts to CSS directory.

https://gerrit.wikimedia.org/r/1049508

Change #1049492 merged by Slyngshede:

[operations/software/cas-overlay-template@master] Update Thymeleaf syntax to remove deprecation warning.

https://gerrit.wikimedia.org/r/1049492

Change #1049508 merged by Slyngshede:

[operations/software/cas-overlay-template@master] Move fonts to CSS directory.

https://gerrit.wikimedia.org/r/1049508

Maintenance_bot removed a project: Patch-For-Review.Tue, Jun 25, 11:30 AM

Change #1049761 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] R:idp New CAS 7 hosts.

https://gerrit.wikimedia.org/r/1049761

gerritbot added a project: Patch-For-Review.Wed, Jun 26, 6:44 AM

Change #1049883 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] R:idp_test: Separate testing environment for CAS 7

https://gerrit.wikimedia.org/r/1049883

Change #1049883 merged by Slyngshede:

[operations/puppet@production] R:idp_test: Separate testing environment for CAS 7

https://gerrit.wikimedia.org/r/1049883

Cookbook cookbooks.sre.hosts.reimage was started by slyngshede@cumin1002 for host idp-test1004.wikimedia.org with OS bookworm

Cookbook cookbooks.sre.hosts.reimage started by slyngshede@cumin1002 for host idp-test1004.wikimedia.org with OS bookworm executed with errors:

idp-test1004 (FAIL)
- Removed from Puppet and PuppetDB if present and deleted any certificates
- Removed from Debmonitor if present
- Forced PXE for next reboot
- Host rebooted via gnt-instance
- Host up (Debian installer)
- Add puppet_version metadata to Debian installer
- Set boot media to disk
- Host up (new fresh bookworm OS)
- Generated Puppet certificate
- Signed new Puppet certificate
- Run Puppet in NOOP mode to populate exported resources in PuppetDB
- The reimage failed, see the cookbook logs for the details,You can also try typing "install-console" idp-test1004.wikimedia.org to get a root shellbut depending on the failure this may not work.

Change #1050266 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] R:idp_test Remove references to host that does not yet exist.

https://gerrit.wikimedia.org/r/1050266

Change #1050266 abandoned by Slyngshede:

[operations/puppet@production] R:idp_test Remove references to host that does not yet exist.

Reason:

We'll just create idp-test2004 and then reimage idp-test1004

https://gerrit.wikimedia.org/r/1050266

Change #1050269 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] R:idp_test: hardend_tls to false.

https://gerrit.wikimedia.org/r/1050269

Change #1050269 merged by Slyngshede:

[operations/puppet@production] R:idp_test: hardend_tls to false.

https://gerrit.wikimedia.org/r/1050269

Cookbook cookbooks.sre.hosts.reimage was started by slyngshede@cumin1002 for host idp-test2004.wikimedia.org with OS bookworm

Cookbook cookbooks.sre.hosts.reimage started by slyngshede@cumin1002 for host idp-test2004.wikimedia.org with OS bookworm completed:

idp-test2004 (PASS)
- Removed from Puppet and PuppetDB if present and deleted any certificates
- Removed from Debmonitor if present
- Forced PXE for next reboot
- Host rebooted via gnt-instance
- Host up (Debian installer)
- Add puppet_version metadata to Debian installer
- Set boot media to disk
- Host up (new fresh bookworm OS)
- Generated Puppet certificate
- Signed new Puppet certificate
- Run Puppet in NOOP mode to populate exported resources in PuppetDB
- Found Nagios_host resource for this host in PuppetDB
- Downtimed the new host on Icinga/Alertmanager
- First Puppet run completed and logged in /var/log/spicerack/sre/hosts/reimage/202406270940_slyngshede_1336576_idp-test2004.out
- configmaster.wikimedia.org updated with the host new SSH public key for wmf-update-known-hosts-production
- Rebooted
- Automatic Puppet run was successful
- Forced a re-check of all Icinga services for the host
- Icinga status is optimal
- Icinga downtime removed
- Updated Netbox data from PuppetDB