Difference between revisions of "Puppet: Setup and install puppet"

From Define Wiki
Revision as of 13:11, 6 November 2013

On RHEL/CentOS, make sure the EPEL repository is available: the puppet and facter packages come from there.

Basic Server Setup

  # RHEL / CentOS (EPEL); the master also needs the puppet-server package
  yum install puppet puppet-server facter
  # or, for Ubuntu
  apt-get install puppet facter puppetmaster

Puppet configuration files will be in: /etc/puppet

Create the default /etc/puppet/puppet.conf. To generate a first configuration, run:

  puppetmasterd --genconfig > /etc/puppet/puppet.conf

Note that --genconfig dumps every setting with its current value, and not all of those defaults work as written (see the "Problems" section below), so expect to trim the generated file.

Add a line pointing at the autosign file. autosign is read by the master, so it belongs in [master] (or [main]); the master does not read the [agent] section, so a line placed there is silently ignored:

[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig

[master]
    certname = puppetmaster.virtual.viglen.co.uk
    # certificate requests from hosts listed in this file are signed automatically
    autosign  = /etc/puppet/autosign.conf

I'm autosigning all hosts; too lazy (this would be dangerous in a production setup):

$ cat /etc/puppet/autosign.conf 
*
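What a bare * actually grants: any host that can reach TCP port 8140 on the master can submit a certificate request for any certname not already in use and have it signed, after which it can fetch catalogs and file contents as that node; with the site.pp used later on this page that means the default node's sudo class and the /etc/sudoers it serves. If you want autosigning without that exposure, either limit the entry to your own hosts (autosign.conf accepts exact certnames or a leading wildcard such as *.pxe.boston.co.uk, nothing more elaborate) or sign by hand on the master, where puppet cert list shows pending requests and puppet cert sign <certname> signs one. Puppet 3.4 and later can also point the autosign setting at an executable: the master runs it with the certname as its only argument and the PEM certificate request on stdin, and signs when it exits 0. The script below is an added example, not code from the original page or shipped with Puppet. It signs only hosts directly under the page's client domain that also present a pre-shared bootstrap token as the challengePassword CSR attribute (set on the agent in $confdir/csr_attributes.yaml before its first run). The domain, the token and the script path are assumptions.

```shell
#!/bin/sh
# Policy-based autosign script for Puppet 3.4 and later.  Added example: not from the
# original page and not shipped with Puppet.  Wire it up on the master with
#   [master]
#   autosign = /etc/puppet/autosign.sh        # must be executable by the puppet user
# The master runs it as "autosign.sh <certname>" with the PEM CSR on stdin and signs
# the request only if it exits 0.
#
# Agents that may be autosigned carry a shared bootstrap token in the CSR, set in
# $confdir/csr_attributes.yaml before their first run:
#   custom_attributes:
#     1.2.840.113549.1.9.7: "s3cr3t-bootstrap-token"   # OID of challengePassword
#
# ALLOWED_DOMAIN, EXPECTED_TOKEN and the script path are assumptions for this example.
ALLOWED_DOMAIN="pxe.boston.co.uk"
EXPECTED_TOKEN="s3cr3t-bootstrap-token"

# certname_allowed NAME: succeed only for <host>.$ALLOWED_DOMAIN with a single host label.
# Other domains, bare hostnames, deeper subdomains, "*" and empty names are refused.
certname_allowed() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;      # empty, or characters that do not belong in a hostname
        *."$ALLOWED_DOMAIN") ;;               # right suffix; fall through to check the host label
        *) return 1 ;;
    esac
    host="${1%.$ALLOWED_DOMAIN}"
    case "$host" in
        ""|*.*) return 1 ;;                   # ".pxe.boston.co.uk" or "a.b.pxe.boston.co.uk"
    esac
    return 0
}

# token_present CSR_TEXT: CSR_TEXT is the output of "openssl req -noout -text".  Succeed only
# if its Attributes section carries a challengePassword equal to EXPECTED_TOKEN.
token_present() {
    printf '%s\n' "$1" |
        grep -E "^[[:space:]]*challengePassword[[:space:]]*:[[:space:]]*${EXPECTED_TOKEN}[[:space:]]*\$" >/dev/null
}

# decide NAME CSR_TEXT: 0 = sign, 1 = refuse.  Both checks must pass: the domain check alone
# lets anyone who can reach port 8140 pick a name, and the token alone proves only
# "provisioned from our image", not which host this is.
decide() {
    certname_allowed "$1" || return 1
    token_present "$2"    || return 1
}

# Entry point used by the master (skipped when the file is sourced just for its functions).
if [ $# -ge 1 ]; then
    certname="$1"
    csr_text="$(openssl req -noout -text 2>/dev/null)" || { logger -t puppet-autosign "unreadable CSR for $certname"; exit 1; }
    if decide "$certname" "$csr_text"; then
        logger -t puppet-autosign "autosigning $certname"
        exit 0
    fi
    logger -t puppet-autosign "REFUSED $certname"
    exit 1
fi
```

The token is a bootstrap secret baked into every provisioning image, so it proves provenance, not identity; keep the domain check, rotate the token when an image leaks, and revoke anything signed in error with puppet cert clean. The challengePassword line is matched against the text form openssl prints, which varies slightly between openssl releases, so check the pattern against your own output of openssl req -noout -text before relying on it.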

DNS Server configuration

If your network relies on DNS for name resolution, add a puppet record to the zone your DNS server serves, pointing at the puppet master: agents look for a host called puppet unless their server setting says otherwise.

BIND9 DNS server

If you are using BIND, add the puppet master to your /etc/bind/db.<zone_name> file. In the zone below the SOA MNAME and NS fields hold an IP address written as a name (172.28.0.2.); BIND tolerates that, but both fields are meant to name a host, so use the server's hostname there if it has one:

$TTL 300
@                       IN      SOA     172.28.0.2. nobody.example.com. (
                                        1383387774   ; Serial
                                        600         ; Refresh
                                        1800         ; Retry
                                        604800       ; Expire
                                        300          ; TTL
                                        )

                        IN      NS      172.28.0.2.

puppet IN A 172.28.0.2
carma IN A 172.28.0.224

Blade10           IN  A  172.28.15.10;
Blade7            IN  A  172.28.15.7;
. . .

If you are using cobbler

If you are using cobbler, you can't just edit /etc/bind/db.<zone_name>, because the next cobbler sync overwrites it. Instead, add the puppet master entry to /etc/cobbler/zone.template, which cobbler renders into the zone file (the leading backslash on \$TTL keeps the template engine from treating it as a variable):

\$TTL 300
@                       IN      SOA     $cobbler_server. nobody.example.com. (
                                        $serial   ; Serial
                                        600         ; Refresh
                                        1800         ; Retry
                                        604800       ; Expire
                                        300          ; TTL
                                        )

                        IN      NS      $cobbler_server.

puppet IN A 172.28.0.2

$host_record

Also ensure DNSSEC is disabled and auth-nxdomain is enabled in /etc/bind/named.conf.options.

Create a basic site.pp file

Create the /etc/puppet/manifests/site.pp file:

  # site.pp
  import 'systems/*.pp'
  import 'classes/*.pp' # not needed immediately, only when classes are created
  # required when modules need to run exec commands without giving a full path
  Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" }

  node default {
      include ssh_keys, website
  }

Show help

If you run puppet without arguments and get the error "No help available unless you have RDoc::usage installed", install ruby-rdoc to enable the help messages:

yum install ruby-rdoc

Basic Client Setup

  • Install puppet:
yum install puppet
  • Make sure the master resolves as puppet, either in DNS or in /etc/hosts. This must work:
ping puppet

Clean out all SSL certs (I needed to do this because the first few attempts failed with DNS errors; make sure both hosts can resolve each other correctly):

$ rm -rf $(puppet agent --configprint ssldir)
$ puppet agent --test 

# sample output if it goes through ok
info: Creating a new SSL key for calx13.pxe.boston.co.uk
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for calx13.pxe.boston.co.uk
info: Certificate Request fingerprint (md5): 20:18:76:F9:6E:D5:89:1D:77:02:61:70:20:04:49:9E
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for calx13.pxe.boston.co.uk
pcilib: Cannot open /proc/bus/pci
lspci: Cannot find any working access method.
info: Caching certificate_revocation_list for ca
info: Caching catalog for calx13.pxe.boston.co.uk
info: Applying configuration version '1354922612'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.09 seconds

The "peer certificate won't be verified" warnings are expected on a first run: the agent has no CA certificate yet, so it fetches the master's CA certificate over a connection it cannot authenticate and trusts it from then on. Later runs verify the master against that cached CA certificate, which is why the warnings stop. The pcilib/lspci lines are facter failing to read PCI information on this host and are harmless.
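Because that first fetch is unverified, whatever answers as puppet on the first run (a wrong DNS record, a rogue host on the PXE network) becomes the agent's CA for good. The check below is an added example, not from the original page: it fingerprints the CA certificate the agent cached and compares it with a value you obtained out of band on the master with openssl x509 -noout -fingerprint -sha256 -in "$(puppet master --configprint cacert)". The EXPECTED value is a placeholder; the settings localcacert and ssldir are real puppet agent settings.

```shell
#!/bin/sh
# Added example, not from the original page: verify the CA certificate a fresh agent cached
# against a fingerprint obtained out of band from the master.  On the master run
#   openssl x509 -noout -fingerprint -sha256 -in "$(puppet master --configprint cacert)"
# and paste the result into EXPECTED (with or without colons, any case).
EXPECTED="SHA256 Fingerprint=00:11:22:33"   # assumption: placeholder, replace with the master's value

# normalize_fpr STRING: keep only the hex digits, upper-cased, so that
# "SHA256 Fingerprint=ab:cd" and "AB CD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[^0-9A-Fa-f]//g' | tr 'a-f' 'A-F'
}

# fingerprints_match A B: 0 if both describe the same, non-empty fingerprint.
fingerprints_match() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_agent_ca [EXPECTED]: fingerprint the CA certificate the agent cached and compare it.
# Returns 0 on a match, 1 on a mismatch, 2 if the certificate could not be read.
verify_agent_ca() {
    expected="${1:-$EXPECTED}"
    cafile="$(puppet agent --configprint localcacert)" || return 2
    [ -r "$cafile" ] || { echo "no cached CA certificate at $cafile" >&2; return 2; }
    actual="$(openssl x509 -noout -fingerprint -sha256 -in "$cafile")" || return 2
    if fingerprints_match "$expected" "$actual"; then
        echo "CA fingerprint OK: $actual"
        return 0
    fi
    echo "CA FINGERPRINT MISMATCH: cached CA is $actual" >&2
    echo "The agent bootstrapped against something other than the master; wipe" \
         "$(puppet agent --configprint ssldir) and re-run puppet agent -t only once" \
         "name resolution for 'puppet' has been confirmed." >&2
    return 1
}

# Stand-alone use: verify_ca.sh 'SHA256 Fingerprint=...'
if [ $# -ge 1 ]; then
    verify_agent_ca "$1"
    exit $?
fi
```

Run it once on each freshly bootstrapped agent, before it receives a catalog containing anything sensitive; a mismatch means the cached CA, and therefore every later "verified" connection, cannot be trusted.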

Basic Module Setup

Create a configuration on the puppet master. In this example we will set up sudo.

Create the sudo manifest file:

# /etc/puppet/modules/sudo/manifests/init.pp

class sudo {
    file { "/etc/sudoers":
        owner => 'root',
        group => 'root',
        mode  => '0440',
        source => "puppet:///modules/sudo/sudoers"
    }
}

Note the source attribute: files served this way must live under the module's files directory. If a module named test_module is installed in the master's /etc/puppet/modules directory, the URI

  puppet:///modules/test_module/testfile.txt

resolves to the absolute path

  /etc/puppet/modules/test_module/files/testfile.txt

Because this resource replaces /etc/sudoers wholesale, check the file with visudo -c -f before adding it to the module: a sudoers file with a syntax error makes sudo refuse to run on every node that receives it.

Add the sudo module to the standard site.pp file

# /etc/puppet/manifests/site.pp

node default {
    include sudo
}

Ordering items in a manifest

Resources in a puppet manifest are not necessarily applied in the order they appear in the file. Ordering, relationships and dependencies are declared with the following metaparameters: before, require, notify and subscribe.

Before & Require

before - Causes a resource to be applied before the target resource.
require - Causes a resource to be applied after the target resource.

If two resources need to happen in order, you can either put a before attribute in the prior one or a require attribute in the subsequent one; either approach will create the same relationship. The two examples below create the same ordering relationship:

Either:

    package { 'openssh-server':
      ensure => present,
      before => File['/etc/ssh/sshd_config'],
    }

Or:

    file { '/etc/ssh/sshd_config':
      ensure  => file,
      mode    => '0600',   # quote the mode; an unquoted number is not read as octal
      source  => 'puppet:///modules/sshd/sshd_config',
      require => Package['openssh-server'],
    }

Notify & Subscribe

notify - Causes a resource to be applied before the target resource. The target resource will refresh if the notifying resource changes.
subscribe - Causes a resource to be applied after the target resource. The subscribing resource will refresh if the target resource changes.

If two resources need to happen in order but only when a resource changes, you can either put a notify attribute in the prior one or a subscribe attribute in the subsequent one; either approach will create the same relationship.

Either:

    file { '/etc/ssh/sshd_config':
      ensure => file,
      mode   => '0600',
      source => 'puppet:///modules/sshd/sshd_config',
      notify => Service['sshd'],
    }

Or:

    service { 'sshd':
      ensure    => running,
      enable    => true,
      subscribe => File['/etc/ssh/sshd_config'],
    }

Removing system certificates

  • On the puppet master (this revokes the certificate and deletes it):
puppet cert clean cx1.pxe.boston.co.uk
  • On the client:
rm -f /var/lib/puppet/ssl/certs/cx1.pxe.boston.co.uk.pem

# Or, if that doesn't work:
rm -rf /var/lib/puppet/ssl/*

# Generate a new certificate request and connect to the master
puppet agent -t

Problems

Error starting the puppet master after --genconfig

root@ubuntu1204-cobbler:~# /etc/init.d/puppetmaster restart
 * Restarting puppet master                                                                                                                                                                           
start-stop-daemon: warning: failed to kill 25584: No such process
Could not prepare for execution: Got 1 failure(s) while initializing: change from directory to file failed: Could not set 'file on ensure: Is a directory - /var/lib/puppet/facts

Resolution: comment out the factdest line that --genconfig wrote; with it present the master tries to manage /var/lib/puppet/facts as a file even though it is a directory:

 #factdest = /var/lib/puppet/facts/

"Exiting; no certificate found and waitforcert is disabled" after puppet agent -t

The agent has a key and has sent a certificate request, but no signed certificate has come back, and with --test (waitforcert = 0) it exits instead of polling. Before wiping anything, check on the master whether the request is simply waiting for a signature: puppet cert list shows pending requests and puppet cert sign <FQDN_of_client> signs one. If autosign was supposed to handle it, check that the autosign setting is in the [master] section and that the client's name matches an entry. Only when the master already holds a stale certificate or request for that name does the SSL state need resetting:

On the client:

rm -rf /var/lib/puppet/ssl/*

On the puppet master:

puppet cert clean <FQDN_of_client>