I have been a Puppet user for a couple of years now, first at work, and eventually for my personal servers and computers. Although it can have a steep learning curve, I find Puppet both nimble and very powerful. I also prefer it to Ansible for its speed and the agent-server model it uses.
Sadly, Puppet Labs hasn't been the most supportive upstream and tends to move
pretty fast. Major versions rarely last for a whole Debian Stable release and
.deb packages are full of vendored libraries.1
Since 2017, Apollon Oikonomopoulos has been the one doing most of the work on Puppet in Debian. Sadly, he's had less time for that lately and with Puppet 5 being deprecated in January 2021, Thomas Goirand, Utkarsh Gupta and I have been trying to package Puppet 6 in Debian for the last 6 months.
With Puppet 6, the old ruby Puppet server using Passenger is not supported
anymore and has been replaced by
puppetserver, written in Clojure and running
on the JVM. That's quite a large change and although
puppetserver does reuse
some of the Clojure libraries
puppetdb (already in Debian) uses, packaging it
meant quite a lot of work.
Work in the Clojure team
As part of my efforts to package
puppetserver, I had the pleasure to join the
Clojure team and learn a lot about the Clojure ecosystem.
As I mentioned earlier, a lot of the Clojure dependencies needed for
puppetserver were already in the archive. Unfortunately, when Apollon
Oikonomopoulos packaged them, the
leiningen build tool hadn't been packaged
yet. This meant I had to rebuild a lot of packages, on top of packaging some
Since then, thanks to the efforts of Elana Hashman,
leiningen has been
packaged and lets us run the upstream testsuites and create
closer to those upstream releases.
During my work on
puppetserver, I worked on the following packages:
List of packages
If you want to learn more about packaging Clojure libraries and applications,
I rewrote the Debian Clojure packaging tutorial and added a section
about the quirks of using
leiningen without a dedicated
Work left to get puppetserver 6 in the archive
Unfortunately, I was not able to finish the
puppetserver 6 packaging work.
It is thus unlikely it will make it in Debian Bullseye. If the issues described
below are fixed, it would be possible to to package
So what's left?
Although I tried my best (kudos to Utkarsh Gupta and Thomas Goirand for the
jruby in Debian is still broken. It does build properly, but the
testsuite fails with multiple errors:
ruby-psychis broken (#959571)
- there are some random java failures on a few tests (no clue why)
- tests ran by
raklelib/rspec.rakefail to run, maybe because the
--patterncommand line option isn't compatible with our version of
rake? Utkarsh seemed to know why this happens.
jruby testsuite failures aside, I have not been able to use the
package currently builds in
jruby-utils-clojure (testsuite failure). I had the
same exact failure with the (more broken)
jruby version that is currently in
the archive, which leads me to think this is a
LOAD_PATH issue in
jruby-utils-clojure. More on that below.
To try to bypass these issues, I tried to vendor
jruby-utils-clojure. At first I understood vendoring meant including
upstream pre-built artifacts (
jruby-complete.jar) and shipping them directly.
After talking with people on the
channels, I now understand why this isn't a good idea (and why it's not
permitted in Debian). Many thanks to the people who were patient and kind enough
to discuss this with me and give me alternatives.
As far as I now understand it, vendoring in Debian means "to have an embedded
copy of the source code in another package". Code shipped that way still needs
to be built from source. This means we need to build
jruby ourselves, one way
or another. Vendoring
jruby in another package thus isn't terribly helpful.
jruby the proper way isn't possible, I would suggest trying to
build the package using embedded code copies of the external libraries
needs to build, instead of trying to use the Debian libraries.2 This
should make it easier to replicate what upstream does and to have a final
.jar that can be used.
This package is a first-level dependency for
puppetserver and is the glue
It builds fine, but the testsuite fails when using the Debian
jruby package. I
think the problem is caused by a
jruby package plays with the
LOAD_PATH a little to try use
Debian packages instead of downloading gems from the web, as upstream
does. This seems to clash with the
jruby-load-path variables in the
jruby-utils-clojure package. The testsuite
plays around with these variables and some Ruby libraries can't be found.
I tried to fix this, but failed. Using the upstream
of the Debian
jruby package, the testsuite passes fine.
This package could clearly be uploaded to NEW right now by ignoring the
testsuite failures (we're just packaging static
.clj source files in the
proper location in a
jruby issues aside, packaging puppetserver itself is 80% done. Using the
jruby-complete.jar artifact, the testsuite fails with a weird
Clojure error I'm not sure I understand, but I haven't debugged it for very
Upstream uses git submodules to vendor puppet (agent), hiera (3), facter and puppet-resource-api for the testsuite to run properly. I haven't touched that, but I believe we can either:
- link to the Debian packages
- fix the Debian packages if they don't include the right files (maybe in a new binary package that just ships part of the source code?)
Without the testsuite actually running, it's hard to know what files are needed in those packages.
Puppet 5 is now deprecated.
If you or your organisation cares about Puppet in Debian,3
really isn't far away from making it in the archive.
Very talented Debian Developers are always eager to work on these issues and can be contracted for very reasonable rates. If you're interested in contracting someone to help iron out the last issues, don't hesitate to reach out via one of the following:
- the debian-puppet mailing list
- the debian-jobs mailing list
- the Debian Consultants index
As for I, I'm happy to say I got a new contract and will go back to teaching Economics for the Winter 2021 session. I might help out with some general Debian packaging work from time to time, but it'll be as a hobby instead of a job.
The work I did during the last 6 weeks would be not have been possible without the support of the Wikimedia Foundation, who were gracious enough to contract me. My particular thanks to Faidon Liambotis, Moritz Mühlenhoff and John Bond.
Many, many thanks to Rob Browning, Thomas Goirand, Elana Hashman, Utkarsh Gupta and Apollon Oikonomopoulos for their direct and indirect help, without which all of this wouldn't have been possible.
For example, the upstream package for the Puppet Agent vendors OpenSSL. ↩
One of the problems of using Ruby libraries already packaged in Debian is that
jrubycurrently only supports Ruby 2.5. Ruby libraries in Debian are currently expected to work with Ruby 2.7, with the transition to Ruby 3.0 planned after the Bullseye release. ↩
If you run Puppet, you clearly should care: the
.debpackages upstream publishes really aren't great and I would not recommend using them. ↩