Difference between revisions of "Puppet: Setup and install puppet"

From Define Wiki
Latest revision as of 14:50, 11 March 2015

Make sure you have the EPEL repository available.

Basic Server Setup

  yum install puppet facter puppet-server
  # or, for ubuntu
  apt-get install puppet facter puppetmaster

Puppet configuration files will be in: /etc/puppet

Create the default /etc/puppet/puppet.conf file. To create the first configuration, run:

  puppetmasterd --genconfig > /etc/puppet/puppet.conf

Then add a line to autosign certificates:

[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig

    # dp autosign
    autosign  = /etc/puppet/autosign.conf

[master]
    certname = puppetmaster.virtual.viglen.co.uk

I'm autosigning all hosts, too lazy (this would be dangerous in a production setup)

$ cat /etc/puppet/autosign.conf 
*
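With `*` in autosign.conf the master signs every certificate request it receives, so any host that can reach the master's port 8140 becomes a trusted node and can fetch a catalog. As an added example that is not part of the original page, the policy-based autosign script below signs only certnames that are a single host label under the page's pxe.boston.co.uk domain and refuses everything else; it assumes it is installed as /etc/puppet/autosign.sh (a name chosen here), is executable by the puppet user, and is enabled with `autosign = /etc/puppet/autosign.sh` in the master's configuration. Puppet runs such a script with the certname as the first argument and the CSR on stdin, and a zero exit status means "sign".

```shell
#!/bin/sh
# Policy-based autosign script (added example). Assumptions: installed as
# /etc/puppet/autosign.sh, executable by the puppet user, and enabled with
#   autosign = /etc/puppet/autosign.sh
# in the [master] section of puppet.conf. Puppet runs it with the certname as
# $1 and the PEM CSR on stdin; exit 0 means "sign", anything else means "refuse".

ALLOWED_SUFFIX=".pxe.boston.co.uk"   # domain the page's clients live in

# check_certname NAME
# Returns 0 when NAME is exactly one DNS label followed by ALLOWED_SUFFIX and
# contains nothing but letters, digits, dots and hyphens. Pure string checks:
# no DNS lookups, so a spoofed or slow resolver cannot influence the decision.
check_certname() {
    name="$1"
    case "$name" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # empty, or glob/shell characters such as '*'
        *"$ALLOWED_SUFFIX") ;;             # ends with the managed domain: keep checking
        *) return 1 ;;                     # some other domain
    esac
    host="${name%"$ALLOWED_SUFFIX"}"       # strip the suffix, leaving the host label
    case "$host" in
        ''|*.*|-*|*-) return 1 ;;          # no label, extra labels, or a malformed label
    esac
    return 0
}

main() {
    # Drain the CSR from stdin; this policy decides on the certname alone.
    cat >/dev/null
    if check_certname "$1"; then
        echo "autosign: signing $1" >&2
        exit 0
    fi
    echo "autosign: refusing $1" >&2
    exit 1
}

# Puppet always supplies the certname; with no argument (e.g. when sourced for
# tests) only the functions are defined.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

If a script is more than you need, the plain autosign.conf also accepts a domain glob such as `*.pxe.boston.co.uk` in place of `*`, which at least limits signing to the managed domain.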

DNS Server configuration

If you are relying on DNS name resolution for your network, you will want to add a puppet record in your DNS server (for the zone being serviced) which points back to the puppet master server.

BIND9 DNS server

If you are using BIND, you'll need to add the puppet master server to your /etc/bind/db.<zone_name> file:

$TTL 300
@                       IN      SOA     172.28.0.2. nobody.example.com. (
                                        1383387774   ; Serial
                                        600         ; Refresh
                                        1800         ; Retry
                                        604800       ; Expire
                                        300          ; TTL
                                        )

                        IN      NS      172.28.0.2.

puppet IN A 172.28.0.2
carma IN A 172.28.0.224

Blade10           IN  A  172.28.15.10;
Blade7            IN  A  172.28.15.7;
. . .

If you are using cobbler

If you are using cobbler, you can't just edit the /etc/bind/db.<zone_name> file, as changes made there will be erased the next time cobbler sync is run. Instead, add the puppet master server entry to /etc/cobbler/zone.template. Also ensure DNSSEC is disabled and auth-nxdomain is enabled in /etc/bind/named.conf.options.

The zone template then looks like this:
\$TTL 300
@                       IN      SOA     $cobbler_server. nobody.example.com. (
                                        $serial   ; Serial
                                        600         ; Refresh
                                        1800         ; Retry
                                        604800       ; Expire
                                        300          ; TTL
                                        )

                        IN      NS      $cobbler_server.

puppet IN A 172.28.0.2

$host_record

Create a basic site.pp file

Create the /etc/puppet/manifests/site.pp file

  # site.pp
  import 'systems/*.pp'
  import 'classes/*.pp' # not needed immediately, only when classes are created
  Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" } # required when modules need to run exec commands

  node default {
    include ssh_keys, website
  }

Show help

If you run puppet with no arguments you may get the error "No help available unless you have RDoc::usage installed". To enable help messages, install ruby-rdoc:

yum install ruby-rdoc

Basic Client Setup

  • Install puppet:
yum install puppet
  • Make sure the /etc/hosts file has an entry for puppet (the master host):
# this must work
ping puppet

Clean out all SSL certs (I needed to do this as the first few attempts failed with DNS errors; make sure both hosts can resolve each other correctly)

$ rm -rf $(puppet agent --configprint ssldir)
$ puppet agent --test 

# sample output if it goes through ok
info: Creating a new SSL key for calx13.pxe.boston.co.uk
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for calx13.pxe.boston.co.uk
info: Certificate Request fingerprint (md5): 20:18:76:F9:6E:D5:89:1D:77:02:61:70:20:04:49:9E
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for calx13.pxe.boston.co.uk
pcilib: Cannot open /proc/bus/pci
lspci: Cannot find any working access method.
info: Caching certificate_revocation_list for ca
info: Caching catalog for calx13.pxe.boston.co.uk
info: Applying configuration version '1354922612'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.09 seconds

Basic Module Setup

Create a configuration on the puppet master. In this example we will set up sudo.

Create the sudo manifest file:

# /etc/puppet/modules/sudo/manifests/init.pp

class sudo {
    file { "/etc/sudoers":
        owner => 'root',
        group => 'root',
        mode  => '0440',
        source => "puppet:///modules/sudo/sudoers"
    }
}

Note the source attribute: files must be present in the module directory under files.

# That is to say, if a module named test_module is installed in the central server’s /etc/puppet/modules directory, the following puppet: URI…

puppet:///modules/test_module/testfile.txt

# …will resolve to the following absolute path:

/etc/puppet/modules/test_module/files/testfile.txt

Add the sudo module to the standard site.pp file

# /etc/puppet/manifests/site.pp

node default {
    include sudo
}

Ordering items in a manifest

Items defined in a puppet manifest are not necessarily processed in the order they appear in the manifest file. Ordering, relationships and dependencies can be defined using the following metaparameters: before, require, notify & subscribe.

Before & Require

before - Causes a resource to be applied before the target resource.
require - Causes a resource to be applied after the target resource.

If two resources need to happen in order, you can either put a before attribute in the prior one or a require attribute in the subsequent one; either approach will create the same relationship. The two examples below create the same ordering relationship:

Either:

    package { 'openssh-server':
      ensure => present,
      before => File['/etc/ssh/sshd_config'],
    }

Or:

    file { '/etc/ssh/sshd_config':
      ensure  => file,
      mode    => '0600',
      source  => 'puppet:///modules/sshd/sshd_config',
      require => Package['openssh-server'],
    }

Notify & Subscribe

notify - Causes a resource to be applied before the target resource. The target resource will refresh if the notifying resource changes.
subscribe - Causes a resource to be applied after the target resource. The subscribing resource will refresh if the target resource changes.

If two resources need to happen in order but only when a resource changes, you can either put a notify attribute in the prior one or a subscribe attribute in the subsequent one; either approach will create the same relationship.

Either:

    file { '/etc/ssh/sshd_config':
      ensure => file,
      mode   => '0600',
      source => 'puppet:///modules/sshd/sshd_config',
      notify => Service['sshd'],
    }

Or:

    service { 'sshd':
      ensure    => running,
      enable    => true,
      subscribe => File['/etc/ssh/sshd_config'],
    }

Removing system certificates

  • On the puppet master:
puppet cert clean cx1.pxe.boston.co.uk
  • On the client:
rm -f /var/lib/puppet/ssl/certs/cx1.pxe.boston.co.uk.pem

# Or, if that doesn't work:
rm -rf /var/lib/puppet/ssl/*

# Generate new certificate and initiate connection
puppet agent -t

Problems

Error starting the puppet master after --genconfig

root@ubuntu1204-cobbler:~# /etc/init.d/puppetmaster restart
 * Restarting puppet master                                                                                                                                                                           
start-stop-daemon: warning: failed to kill 25584: No such process
Could not prepare for execution: Got 1 failure(s) while initializing: change from directory to file failed: Could not set 'file on ensure: Is a directory - /var/lib/puppet/facts

Resolution: comment out the factdest line in /etc/puppet/puppet.conf:

 #factdest = /var/lib/puppet/facts/

"Exiting; no certificate found and waitforcert is disabled" after puppet agent -t

On the client:

rm -rf /var/lib/puppet/ssl/*

On the puppet master:

puppet cert clean <FQDN_of_client>


Useful Puppet Modules

Puppet Modules