Yum at scale - CentOS Wiki Yum at scale Keepingthesoftwareofyourinfrastructureundercontrol...
Transcript of Yum at scale - CentOS Wiki Yum at scale Keepingthesoftwareofyourinfrastructureundercontrol...
Yum at scaleKeeping the software of your infrastructure under control
Luis Fernando Muñoz Mejías
Universiteit Gent
CentOS Dojo, Madrid 2013
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 1 / 33
Outline
1 IntroductionLarge installationsWhat we’ll be talking about
2 Declarative package managerPortage as a role modelMaking Yum declarativeConfiguring repositories wisely
3 Keeping a lot of hosts consistentUpgrade policiesRepository-based upgrade policiesOperating with versioned repositoriesReal case
4 Conclusion
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 2 / 33
Large installations are a mess
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 3 / 33
Yum’s not meant for clusters
All tools we use for managing our clusters are declarative
Quattor, Puppet, Chef...
But Yum is imperative
yum install fooyum remove baryum upgrade
We’ll show how to “abuse” Yum into a declarative model
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 4 / 33
Installation and upgrade policies
You never upgrade all your infrastructure at once
Test environmentsCritical servicesVery exposed services...
And you want to control when upgrades take place
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 5 / 33
What comes next?
Making Yum an almost declarative package managerKeeping software installations of lots of hosts aligned
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 6 / 33
Lessons learned from Gentoo
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 7 / 33
Package sets in Portage
Figure : Package sets
Package sets can containother setsThe world set contains allthe packages declared bythe userThe system set containsall the “protected”packagesAny package not in worldor system is either adependency or not neededanymore
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 8 / 33
Virtual dependencies
Figure : Virtual dependencies
Allow to choose theimplementation of certainservicesBetter than RPM’sprovides and requires
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scale CentOS Dojo, Madrid 2013 9 / 33
Update vs. distro-sync
update install any newer versions availabledistro-sync align yourself to the state of the repositories
Install newer versionsRemove packages that leave the repositoryDowngrade versions that leave the repository
In Yum, repositories declare the desired stateIn Yum, repositories are the source of truth
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 10 /
33
Controlling which versions to install
Some packages cannot change versions at the same speed as therepositories
ExampleUpgrade kernel to 2.6.32-358.456But the Infiniband drivers are available only for 2.6.358.123You lose Infiniband if you upgradeThere is a critical security exploit on OpenSSL and you must upgrade
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 11 /
33
Controlling which versions to install
Blacklisting unwanted versions may work...
Exampleexclude=kernel-2.6.32-358.456.el6
... until a newer kernel version appears and you have to blacklist thatone too
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 11 /
33
The versionlock plugin
We should be able to declare the versions of some packages, and notlet them move... and that’s what the versionlock plugin does
Exampleyum versionlock 0:kernel-2.6.32-358.123.el6.x86_64
When your new IB drivers appear, just unlock the kernel or upgradethe version lock
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 12 /
33
Cleaning up the system
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 13 /
33
Cleaning up the system
There is no equivalent for the world set in YumYour configuration management tool should wrap itQuattor doesOn CentOS 6, set clean_requirements_on_remove
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 13 /
33
The post-transaction-actions plugin
After a package operation, some things should happen
Example
Restart Tomcat after upgrading/downgrading OpenJDK
Restart Apache after upgrading/downgrading OpenSSL
The post-transaction-actions plug-in does this
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 14 /
33
The post-transaction-actions plugin
We can run arbitrary scripts on install, remove, upgrade, downgrade ofpackages
Exampleopenssl:upgrade:service httpd restartjava*:upgrade:service tomcat restart
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 14 /
33
Yum problems
The shell doesn’t report errors correctly
Example$ yum -y shellinstall idonotexisttransaction runexit$ echo $?
Large, complicated transactions may raise conflicts
Lots of operations with repoquery to prevent them
The Quattor wrapper around Yum is 411 lines of Perl code
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 15 /
33
The case of repoforge
Repoforge (AKA RPMForge) contains lots of useful packagesBut it overlaps with CentOS, and the builds may be incompatible witheach otherUse it only for selected packages
Example[rpmforge]name=rpmforge...enabled=1includepkgs=dstat perl-IO-Pty-Easy
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 16 /
33
Advise for repository mirroring
Enable only the minimum set of repositories you need on your systemMirror existing upstream repositories when possibleDon’t mix different upstream repositories in a single local repository... but you still need repositories for stuff you package yourselfTry to keep them small
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 17 /
33
Avoid Yum priorities
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 18 /
33
Avoid Yum priorities
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 18 /
33
Avoid Yum priorities
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 18 /
33
Requirements for an upgrade policy
Upgrades must happen frequently
Bug fixesSecurity fixesNew cool features
But we need stability
And changes carry some riskRisk depends on the service, exposure...
Different portions of the infrastructure need different upgradefrequenciesSurprises are not allowed
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 19 /
33
Requirements for an upgrade policy
Upgrades must happen frequently
Bug fixesSecurity fixesNew cool features
But we need stability
And changes carry some riskRisk depends on the service, exposure...
Different portions of the infrastructure need different upgradefrequenciesSurprises are not allowed
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 19 /
33
Many dimensions of an upgrade
~systempackages = f(service,date, riskupgrade , riskupgrade not , ...
)risk = g (exposure,cost of downtime, resources,service, ...)
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 20 /
33
Repository management
Probably we all mirror a lot of repositories into our organisationWhat do you use for the mirroring? And for the access control?
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 21 /
33
Repository management tools
Does any of you use SpaceWalk? Satellite? Pulp?What is your opinion on those?
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 22 /
33
Repository management tools
Most tools are based on having different repositories for different needs
Exampleepel, epel_prod, epel_test, epel_devel, epel_uat, ....
How do things move from _test to _prod?On large environments, the number of repositories explodesAnd reverting to old states is not simple
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 22 /
33
Versioned repositories
centos vcentosepel vepel
rpmforge vrpmforgelocal vlocal... ...
= f(service,date, riskupgrade , riskupgrade not , ...
)
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 23 /
33
Versioned repositories
Figure : Subscriptions to repository versions per host
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 23 /
33
Versioned repositories
Repository versions must be immutable
Having _dev, _test, ... repositories doesn’t guarantee that
All systems on version X of a repository must see the exact samerepository at all timesEasy to do with filesystem snapshots
LVMZFSBTRFSNetApp...
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 23 /
33
Upgrading systems
Declare a newer version for your repositoryRun yum distro-sync
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 24 /
33
Rolling back a failed upgrade
Declare a previous version for the repositoryRun yum distro-sync
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 25 /
33
Locking the kernel among upgrades
Use the versionlock pluginMove the versions of any repositories at willRun yum distro-sync
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 26 /
33
HPC@UGent snapshotting architecture
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 27 /
33
HPC@UGent repositories for CentOS 5
Figure : List of mirrored and home-made repositories
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 28 /
33
HPC@UGent exposed
Figure : List of snapshots
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 29 /
33
Subscribing to a version of a repository
[epel]name=epelbaseurl=http://a.host/20131008/epel_el5enabled=1...
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 30 /
33
Wrap-up
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 31 /
33
Questions?
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 32 /
33
Credits
The g logo is property of the Gentoo Foundation.
Luis Fernando Muñoz Mejías (Universiteit Gent) Yum at scaleCentOS Dojo, Madrid 2013 33 /
33