Feature #15511

Feature #15500: Update Puppet modules: 2018Q4 → 2019Q2 edition

Switch to another Puppet module to manage Postfix

Added by intrigeri over 1 year ago. Updated 5 months ago.

Status: Resolved
Priority: Elevated
Assignee:
Category: Infrastructure
Target version:
Start date: 04/09/2018
Due date:
% Done: 100%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:


Related issues

Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) Confirmed 06/30/2017

History

#1 Updated by intrigeri over 1 year ago

  • Blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#2 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.9 to Tails_3.12
  • Parent task changed from #15499 to #15500

#3 Updated by intrigeri 7 months ago

intrigeri wrote:

One option is to switch to https://github.com/camptocamp/puppet-postfix but quite some features are missing e.g.
https://gitlab.com/shared-puppet-modules-group/postfix/milestones/1.

Among those, the only feature we actually use is postfix::tlspolicy_snippet (https://gitlab.com/shared-puppet-modules-group/postfix/issues/8). It's simple enough to implement, be it upstream if they take it, or on our side.

Other than that, as of camptocamp-postfix 1.7.0, the migration seems mostly straightforward and will even give us a couple neat new features:

  • We satisfy all the dependencies (the dependency on alternatives is RH-only).
  • They add a postfix::canonical resource that can be used to deal more nicely with sender_canonical_maps.
  • The module seems to support all the features we need apart from postfix::mailalias so we need to use the regular mailalias resource with notify => Exec['newaliases']. Would be nice to add this feature to the module though.
  • Everywhere we use postmap ourselves, we could switch to the nicer postfix::map resource.
  • Some parameters have a different name, e.g. for postfix::mta.

#4 Updated by intrigeri 7 months ago

  • The module seems to support all the features we need apart from postfix::mailalias so we need to use the regular mailalias resource with notify => Exec['newaliases']. Would be nice to add this feature to the module though.

https://github.com/camptocamp/puppet-postfix/pull/233

#5 Updated by intrigeri 7 months ago

intrigeri wrote:

  • The module seems to support all the features we need apart from postfix::mailalias so we need to use the regular mailalias resource with notify => Exec['newaliases']. Would be nice to add this feature to the module though.

https://github.com/camptocamp/puppet-postfix/pull/233

Merged upstream :)

#6 Updated by intrigeri 7 months ago

  • Blocks Feature #16218: Migrate some of our Schleuder lists to lizard added

#7 Updated by intrigeri 7 months ago

  • Priority changed from Normal to High

#8 Updated by intrigeri 7 months ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 50

Done & deployed. Resulting changes in /etc look good. I'll see when I do #16218 whether it works fine as well to configure a brand new system. Will wait & see whether email gets delivered (we have a monitoring check for the Postfix mailqueue).

#9 Updated by intrigeri 7 months ago

  • Assignee changed from intrigeri to groente
  • QA Check set to Ready for QA

intrigeri wrote:

I'll see when I do #16218 whether it works fine as well to configure a brand new system.

It does.

Will wait & see whether email gets delivered

At least ecours, lizard and VM hosted on lizard can deliver email so we should be good. If we're not, monitoring will tell us.

All relevant commits have this ticket ID in the commit message.

#10 Updated by intrigeri 7 months ago

  • Assignee changed from groente to intrigeri
  • QA Check deleted (Ready for QA)

Hold on, I just realized that this turned chrooting off for many of the Postfix services in master.cf. I'll turn it back on by passing chroot => true to the Postfix class. Then I'll need to ensure this does not break with commit 816d4c02b08659149373c3463b2acf3bf810626c in puppet-tails.git; if it does, I'll have to ensure these custom CAs are copied to the chroot.
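
A check for the regression described in the comment above, as an added example that is not part of the ticket or of puppet-tails: it parses a master.cf and lists the services whose chroot column is not effectively `y`. The sample file, the function names and the exemption list are assumptions made for this example.

```python
# Daemons usually left unchrooted; this exemption list is an assumption of
# this example and should be adjusted per site.
EXEMPT_COMMANDS = {"local", "pipe", "virtual", "proxymap", "spawn"}

# Constructed sample master.cf, not the real Tails configuration.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
smtp      unix  -       -       y       -       -       smtp
  -o smtp_tls_policy_maps=hash:/etc/postfix/tls_policy
local     unix  -       n       n       -       -       local
"""


def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current


def unchrooted_services(text, default_chroot="n"):
    """List non-exempt services not chrooted; '-' resolves to default_chroot."""
    findings = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed entry; skip rather than guess
        service, stype, chroot, command = fields[0], fields[1], fields[4], fields[7]
        effective = default_chroot if chroot == "-" else chroot
        if effective != "y" and command not in EXEMPT_COMMANDS:
            findings.append((service, stype, command))
    return findings


if __name__ == "__main__":
    for service, stype, command in unchrooted_services(SAMPLE_MASTER_CF):
        print(f"not chrooted: {service}/{stype} ({command})")
```

The `default_chroot` argument matters because a `-` in the chroot column means `n` on Postfix 3.0 and later but `y` on older versions, so the same file can audit differently after an upgrade.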

#11 Updated by intrigeri 7 months ago

The Postfix instanced services set up their chroot via ExecStartPre=/usr/lib/postfix/configure-instance.sh %i. Similarly, I'll add a drop-in override with another ExecStartPre= directive, that will be run after the existing one, and will copy the custom CAs to the chroot.

#12 Updated by intrigeri 7 months ago

  • Blocks deleted (Feature #16218: Migrate some of our Schleuder lists to lizard)

#13 Updated by intrigeri 6 months ago

And once that's fixed, revert 90400e5 in puppet-tails.

#14 Updated by intrigeri 6 months ago

  • Assignee changed from intrigeri to groente
  • QA Check set to Ready for QA

All done, deployed, seems to work fine. I was not too happy with my first implementation but I'm fine with the 2nd iteration, that takes benefit of the way the postfix@.service are instantiated to make the whole thing generic :) I've tagged #15511 all the relevant commits.

#15 Updated by anonym 6 months ago

  • Target version changed from Tails_3.12 to Tails_3.13

#16 Updated by intrigeri 5 months ago

  • Priority changed from High to Elevated

(The review is not that urgent and I'd like the parent ticket to have priority << high.)

#17 Updated by groente 5 months ago

  • Status changed from In Progress to Resolved
  • Target version deleted (Tails_3.13)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

#18 Updated by intrigeri 5 months ago

  • Target version set to Tails_3.13

(Makes it easier to look at our Redmine dashboards and get an overview of what we did when.)
