Puppet

Facter is a system inventory tool that we use throughout the book. It returns “facts” about each agent, such as its hostname, IP address, operating system and version, and other configuration items. These facts are gathered when the agent runs. The facts are then sent to the Puppet master, and automatically created as variables available to Puppet. You can see the facts available on your clients by running the facter binary from the command line. Each fact is returned as a key => value pair. For example:

 # facter
 operatingsystem => Ubuntu
 ipaddress => 10.0.0.10
 ...

Puppet can be installed and used on a variety of different platforms, including the following:
• Red Hat Enterprise Linux, CentOS, Fedora & Oracle Enterprise Linux
• Debian and Ubuntu
• Mandrake and Mandriva
• Gentoo
• Solaris and OpenSolaris
• MacOS X and MacOS X Server
• *BSD
• AIX
• HP UX
• Microsoft Windows hosts (in versions after 2.6.0 and with only limited support for file resources)
On these platforms, Puppet manages a variety of configuration items (resources), including (but not limited to):
• Files
• Services
• Packages
• Users
• Groups
• Cron jobs
• SSH keys
• Nagios configuration

A resource is constructed like:

  type { title:
    attribute => value,
  }

Puppet describes the files containing configuration data as manifests. Puppet manifests are made up of a number of major components:
• Resources – Individual configuration items
• Files – Physical files you can serve out to your agents
• Templates – Template files that you can use to populate files
• Nodes – Specifies the configuration of each agent
• Classes – Collections of resources
• Modules – An advanced, portable collection of resources that can include classes, definitions, and other supporting configuration
• Definitions – Composite collections of resources

Installing Puppet

On the Master:

 # yum install ruby ruby-libs ruby-shadow
 (add the EPEL repository first if not already done)
 # yum install puppet puppet-server facter

On the client:

 # yum install ruby ruby-libs ruby-shadow
 (add the EPEL repository first if not already done)
 # yum install puppet facter

On most platforms, Puppet’s configuration will be located under the /etc/puppet directory.
Puppet’s principal configuration file is called puppet.conf and is stored at /etc/puppet/puppet.conf. It is likely that this file was already created when you installed Puppet, but if it wasn’t, you can create a simple one using the following command:

 # puppetmasterd --genconfig > puppet.conf

Authorizing a client
Puppet uses SSL (Secure Sockets Layer) to encrypt and authenticate the traffic between master and clients. The master acts as the certificate authority, so only a client whose certificate the master has signed can access the Puppetmaster and receive its configuration. To exchange certificates between the master and client, follow this procedure.

Configure the client to contact the master:
The client configuration file for puppet agent is /etc/puppet/puppet.conf. Edit it to tell the client where to find the Puppetmaster (the setting belongs in the [agent] section, or in [main]):

 [agent]
 server = centos01.home.local

Generate a certificate request

 # puppet agent --test

On the master, sign the certificate:

 a. List the certificates waiting for signing
    # puppet cert list
      centos02.home.local
 b. Sign the certificate
    # puppet cert sign centos02.home.local

On the client, run puppet for the first time

    # puppet agent --test

After signing a new node’s certificate, it may take up to 30 minutes before that node appears in the console and begins retrieving configurations.

Puppet dry run

Puppet’s dry-run feature is a powerful tool that’s often overlooked by busy sysadmins. Even if you test your Puppet manifests on a virtualised replica of your production site, which many people don’t have the time or the budget to do, pushing changes out live can have unforeseen side effects which are best avoided.

To dry-run Puppet, use the --noop flag. Puppet’s ‘noop’ (no-operation) mode shows you what would happen, but doesn’t actually do it:

 # puppet agent --test --noop

(puppetd --test --noop is the equivalent on releases before 2.6, where the agent binary was still called puppetd.)

The site.pp file

The site.pp file tells Puppet where and what configuration to load for our clients. We’re going to store this file in a directory called manifests under the /etc/puppet directory. Puppet will not start without the site.pp file being present.
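The following site.pp is an added example, not a file from the original notes. It ties together the pieces introduced above: a resource default, a class built from the package, file and service types, a definition that composes a user with an SSH key, node blocks that decide what each agent receives, and Facter facts ($::operatingsystem, $::fqdn) used as variables. It assumes an "ssh" module under /etc/puppet/modules that ships files/sshd_config.Ubuntu and files/sshd_config.CentOS; the hostnames and the key string are constructed placeholders.

```puppet
# /etc/puppet/manifests/site.pp -- added example, not from the original notes.
# Assumed (not on the page): module "ssh" with files/sshd_config.<OS name>;
# hostnames and key material below are constructed placeholders.

# Resource defaults: every file resource in this site inherits these
# attributes unless the resource overrides them.
File {
  owner => "root",
  group => "root",
  mode  => "0644",
}

# A class: a named collection of resources. Facter facts are available as
# top-scope variables, so the service name follows the operating system.
class ssh {
  $svc = $::operatingsystem ? {
    /(Ubuntu|Debian)/ => "ssh",
    default           => "sshd",
  }

  package { "openssh-server": ensure => installed }

  # The served file is selected by fact, hence the braces around the variable
  # inside the string. The config is root-only readable on the agent.
  file { "/etc/ssh/sshd_config":
    ensure  => file,
    mode    => "0600",
    source  => "puppet:///modules/ssh/sshd_config.${::operatingsystem}",
    require => Package["openssh-server"],
    notify  => Service["${svc}"],
  }

  service { "${svc}":
    ensure => running,
    enable => true,
  }
}

# A definition: a reusable composite of resources, one instance per title.
define admin_user($key) {
  user { "${title}":
    ensure     => present,
    managehome => true,
    shell      => "/bin/bash",
  }
  ssh_authorized_key { "${title}-key":
    ensure  => present,
    user    => "${title}",
    type    => "ssh-rsa",
    key     => "${key}",
    require => User["${title}"],
  }
}

# Nodes: which configuration each agent receives. "default" matches any
# agent that has no more specific node block.
node default {
  include ssh
  notify { "site.pp applied on ${::fqdn} (${::ipaddress})": }
}

node "centos02.home.local" {
  include ssh
  admin_user { "deploy":
    key => "AAAAB3NzaC1yc2EAAAADAQAB-CONSTRUCTED-PLACEHOLDER-KEY",
  }
}
```

Before letting agents apply it, run the manifest through the dry-run mode described above (puppet agent --test --noop on a client) so the planned package, file and user changes are printed without being made.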

Revoking client Certificates

If the node still does not appear after 30 minutes, check the certificates on the client.

Run the following command

 # puppet agent --test

If you get any certificate related errors, try to delete the certificate files on the client and in the master server.
On the client system, delete the certificate files (the path below is the Puppet Enterprise ssl directory; on open-source Puppet remove the directory reported by puppet agent --configprint ssldir instead).

 # rm -rf /etc/puppetlabs/puppet/ssl

On the master server, revoke and remove the client’s certificate

 # puppet cert --clean centos02.home.local

On the client, generate a certificate request

 # puppet agent --test

On the master, sign the certificate

 # puppet cert sign centos02.home.local

Puppet Style

1. Always quote your resource names; for example, use package { "exim4": and not package { exim4:
Some characters like hyphens and spaces can confuse Puppet's parser, and to be on the safe side it's wise to put all names consistently in double quotes.

2. Always quote parameter values that are not reserved words in Puppet; for example:

 name => "First Lastname",
 mode => "0700",
 owner => "deploy",

but

 ensure => installed,
 enable => true,
 ensure => running,

Always include curly braces ({}) around variable names when referring to them in strings. For example:

 source => "puppet:///modules/webserver/${brand}.conf",

Otherwise Puppet's parser has to guess which characters should be part of the variable name and which belong to the surrounding string. Curly braces make it explicit.

3. Always end lines that declare parameters with a comma, even if it is the last parameter:

 service { "memcached":
   ensure => running,
   enable => true,
 }

Very often, when you edit the file, you'll want to append an extra parameter to it and forget to add the necessary comma!

4. When declaring a resource with a single parameter, make the declaration on one line and with no trailing comma as follows:

 package { "puppet": ensure => installed }

5. Where there is more than one parameter, give each parameter its own line:

 package { "rake":
   ensure => installed,
   provider => gem,
   require => Package["rubygems"],
 }

When declaring symlinks, use ensure => link as follows:

 file { "/etc/php5/cli/php.ini":
   ensure => link,
   target => "/etc/php.ini",
 }
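Here is an added example, not from the original notes, of one class written to all of the style rules above at once: quoted titles, quoted non-reserved values, braces around interpolated variables, a comma after every parameter, single-parameter resources on one line, and ensure => link for the symlink. The module name "deploy" and the package, user and path names are illustrative choices, not something the notes prescribe.

```puppet
# modules/deploy/manifests/init.pp -- added example written to the style
# rules above; not from the original notes. Names are illustrative.
class deploy {
  # Rule 4: a single parameter goes on one line with no trailing comma.
  package { "rubygems": ensure => installed }
  package { "memcached": ensure => installed }

  # Rules 1, 3 and 5: quoted title, one parameter per line, a comma after
  # every parameter including the last one.
  package { "rake":
    ensure   => installed,
    provider => gem,
    require  => Package["rubygems"],
  }

  # Rule 2: quote values that are not reserved words (names, paths, modes);
  # present, true and installed stay bare.
  user { "deploy":
    ensure     => present,
    comment    => "Deployment account",
    home       => "/home/deploy",
    shell      => "/bin/bash",
    managehome => true,
  }

  # The restrictive mode is a quoted string, as rule 2 requires, and the
  # directory is only created once the owning user exists.
  file { "/home/deploy/.ssh":
    ensure  => directory,
    owner   => "deploy",
    group   => "deploy",
    mode    => "0700",
    require => User["deploy"],
  }

  # Braces make the variable boundary inside the string explicit.
  $php_sapi = "cli"
  file { "/etc/php5/${php_sapi}/php.ini":
    ensure => link,
    target => "/etc/php.ini",
  }

  service { "memcached":
    ensure  => running,
    enable  => true,
    require => Package["memcached"],
  }
}
```

The require relationships are what make the class safe to apply repeatedly: the gem is only installed after rubygems, the .ssh directory after its owner exists, and the service after its package, so a partial run cannot leave a resource referring to something that is not there yet.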

Rake API

Puppet Dashboard provides rake tasks that can create nodes, group nodes, create classes, and assign classes to nodes and groups. You can use these as an API to automate workflows or bypass Dashboard’s GUI when performing large tasks.

All of these tasks should be run as follows, replacing <TASK> with the task name and any arguments it requires:

 # sudo rake -f <FULL PATH TO DASHBOARD'S DIRECTORY>/Rakefile <TASK>

Node Tasks

 node:list [match=<REGULAR EXPRESSION>] - List nodes. Can optionally match nodes by regex.
 node:add name=<NAME> [groups=<GROUPS>] [classes=<CLASSES>] - Add a new node. Classes and groups can be specified as comma-separated lists.
 node:del name=<NAME> - Delete a node.
 node:classes name=<NAME> classes=<CLASSES> - Replace the list of classes assigned to a node. Classes must be specified as a comma-separated list.
 node:groups name=<NAME> groups=<GROUPS> - Replace the list of groups a node belongs to. Groups must be specified as a comma-separated list.

To remove a node from Dashboard

 $ sudo /opt/puppet/bin/rake -f /opt/puppet/share/puppet-dashboard/Rakefile node:del name=centos03.home.local

Class Tasks

 nodeclass:list [match=<REGULAR EXPRESSION>] - List node classes. Can optionally match classes by regex.
 nodeclass:add name=<NAME> - Add a new class. This must be a class available to the Puppet autoloader via a module.
 nodeclass:del name=<NAME> - Delete a node class.

Group Tasks

 nodegroup:list [match=<REGULAR EXPRESSION>] - List node groups. Can optionally match groups by regex.
 nodegroup:add name=<NAME> [classes=<CLASSES>] - Create a new node group. Classes can be specified as a comma-separated list.
 nodegroup:del name=<NAME> - Delete a node group.
 nodegroup:add_all_nodes name=<NAME> - Add every known node to a group.
 nodegroup:addclass name=<NAME> class=<CLASS> - Assign a class to a group without overwriting its existing classes.
 nodegroup:edit name=<NAME> classes=<CLASSES> - Replace the classes assigned to a node group. Classes must be specified as a comma-separated list.

Certificate Management

List certificates pending signing:

 puppet cert --list

List all certificates (+ sign indicates it's already signed):

 puppet cert --list --all

Sign certificate:

 puppet cert --sign ${FQDN}

Generate:

 puppet cert --generate ${FQDN}

Revoke:

 puppet cert --revoke ${FQDN}