====== Configuration Management with Puppet ======

===== Getting Started =====

  - We'll get started with puppet by visiting [[https://web.archive.org/web/20140803090954/http://www.debian-administration.org/articles/526|http://www.debian-administration.org/articles/526]].
  - Next, we'll attempt a tutorial involving ntp at http://bitfieldconsulting.com/puppet-tutorial.
  - After that, we'll attempt a tutorial involving user accounts at https://www.linux.com/learn/introduction-puppet-streamlined-system-configuration

----

===== Details =====

==== 1 - Enabling puppetmaster/puppet (server/client) communication ====

=== A. On the puppet master (on your virtual Linux machine) ===

1. Stop the puppetmaster.
<code>
/etc/init.d/puppetmaster stop
</code>

2. Remove any existing master certificates by running
<code>
find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
</code>

3. Edit ''/etc/puppet/puppet.conf'' and append these lines to the end of the file, substituting your virtual Linux machine's fully qualified domain name for "belushi.monmouth.edu": (If you don't know what your "fully qualified domain name" is, ask me.)
<code>
# jchung setting dns_alt_names for puppetmaster
# per https://docs.puppet.com/puppet/3.8/post_install.html
# 3/2018
# Change "belushi.monmouth.edu" below to match your virtual machine's fully qualified domain name.
#
dns_alt_names = belushi.monmouth.edu
certname = belushi.monmouth.edu
</code>

4. Restart the puppetmaster.
<code>
/etc/init.d/puppetmaster start
</code>

=== B. On the puppet agent (client) machines (your container) ===

1. Stop the puppet agent.
<code>
sudo /etc/init.d/puppet stop
</code>

2. Remove any existing agent certificates by running
<code>
sudo find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
</code>

3.
Edit the ''/etc/puppet/puppet.conf'' file and append these lines to the end of the file, while making the needed substitutions on the ''server'' and ''certname'' lines:
<code>
[agent]
# Settings for agent (client) nodes
# jchung, per https://docs.puppet.com/puppet/3.8/post_install.html
# 3/2018
# Change "belushi.monmouth.edu" below to match your VM's fully qualified domain name.
# Change "wilder.monmouth.edu" below to match the puppet agent machine's FQDN (your container).
#
server = belushi.monmouth.edu
report = true
pluginsync = true
certname = wilder.monmouth.edu
</code>

4. Restart the puppet agent.
<code>
sudo /etc/init.d/puppet start
</code>

=== C. Sign node certificates on the puppet master ===

See https://docs.puppet.com/puppet/3.8/post_install.html.

After the steps taken above, when you run the following on your puppet master (Linux virtual machine),
<code>
puppet cert list
</code>
you should see a list of incoming certificate requests from the puppet agent machines. At that point, you can sign a single request with
<code>
puppet cert sign
</code>
followed by the certname shown in the list, or sign every pending request with
<code>
puppet cert sign --all
</code>
Check the list before using ''--all'': it signs every pending request, including any from a machine you did not expect, and a signed agent is trusted by the puppetmaster from then on.

Until this step is completed, there will be no puppetmaster-to-puppet communication.

----

==== 2 - Using puppet modules on puppetmaster to control puppet agents ====

A recommended approach to using puppet is to use task modules. For us, this involves creating module subdirectories under the ''/etc/puppet/modules'' directory. Each module subdirectory under ''/etc/puppet/modules'' also contains a ''manifests'' subdirectory into which we put our puppet manifests.

__Do parts A, B, and C below ONLY on the puppetmaster machine (Linux virtual machine):__

=== A. Create module subdirectories ===

Create the following subdirectory tree under the ''/etc/puppet/modules'' directory:
<code>
modules
|-- ntp
|   `-- manifests
|-- sudo
|   `-- manifests
`-- users
    `-- manifests
</code>
by running the following commands:
<code>
cd /etc/puppet/modules
mkdir -p ntp/manifests sudo/manifests users/manifests
</code>

=== B. Create module manifests in init.pp ===

In the special manifest file ''init.pp'', put manifests in class definitions that match each module name.

  * In the ''/etc/puppet/modules/ntp/manifests/init.pp'' file, save the following:
<code>
# copied from http://bitfieldconsulting.com/puppet-tutorial
# jchung, 3/2018
# /etc/puppet/modules/ntp/manifests/init.pp
class ntp {
  package { "ntp":
    ensure => installed
  }
  service { "ntp":
    ensure => running,
  }
}
</code>

  * In the ''/etc/puppet/modules/sudo/manifests/init.pp'' file, save the following:
<code>
# Following instructions that used to be at
# http://projects.puppetlabs.com/projects/puppet/wiki/Simplest_Puppet_Install_Pattern
# jchung, 3/2018
# /etc/puppet/modules/sudo/manifests/init.pp
class sudo {
  file { "/etc/sudoers":
    owner => 'root',
    group => 'root',
    mode  => '0440',
  }
}
</code>

  * In the ''/etc/puppet/modules/users/manifests/init.pp'' file, save the following:
<code>
# User manifest from
# https://www.linux.com/learn/introduction-puppet-streamlined-system-configuration
# jchung, 3/2018
# /etc/puppet/modules/users/manifests/init.pp
class users {
  user { 'norm':
    uid    => '1003',
    ensure => 'present',
    gid    => '100',
    home   => '/home/norm',
    shell  => '/bin/bash'
  }
}
</code>

=== C. Create site manifest in site.pp ===

  * The ''site.pp'' master manifest is where we define nodes (puppet agent nodes) and which puppetmaster modules will apply to those nodes.
  * In the ''/etc/puppet/manifests/site.pp'' file, erase everything and save the following:
<code>
# Following instructions that used to be at
# http://projects.puppetlabs.com/projects/puppet/wiki/Simplest_Puppet_Install_Pattern
# jchung, 3/2018
# /etc/puppet/manifests/site.pp
# All puppet agent nodes that pull from this puppetmaster will run the following modules:
node default {
  include sudo
  include ntp
  include users
}
</code>

=== D. On puppet agent machines (your container), download and apply manifests from puppetmaster ===

  * Assuming that you have successfully enabled [[cs_471_-_configuration_management_with_puppet_supplement#enabling_puppetmasterpuppet_serverclient_communication|puppetmaster/puppet communication]] in Section 1 above, you may now try downloading and applying the manifests from the puppetmaster machine.
  * You may need to enable the agent first:
<code>
$ sudo puppet agent --enable
</code>
  * Normally, the puppet agent (client) machines communicate with their puppetmaster machines every 30 minutes.
  * You can force a puppet agent to check in with a puppetmaster immediately with the following command:
<code>
# Substitute your puppetmaster host for belushi.monmouth.edu below:
$ sudo puppet agent --test --noop --server=belushi.monmouth.edu
</code>
  * The output of the ''puppet agent --test ...'' command will indicate whether the manifests would be applied successfully, whether they would be rejected due to syntax errors, or whether they would not be applied because no changes are needed on the puppet agent.
  * Because of the ''--noop'' option, no manifest-directed changes are actually made on the puppet agent.
  * To actually apply manifests, omit the ''--noop'' option:
<code>
# Substitute your puppetmaster host for belushi.monmouth.edu below:
$ sudo puppet agent --test --server=belushi.monmouth.edu
</code>

----

===== Additional References =====

  * [[https://docs.puppet.com/puppet/3.7/modules_fundamentals.html|Puppet module fundamentals]]
  * [[https://web.archive.org/web/20140805030109/http://it.ctsi.ufl.edu:80/puppet-part-2-howto-create-a-puppet-module|How to create a puppet module]]
  * [[https://web.archive.org/web/20140601132906/http://projects.puppetlabs.com/projects/puppet/wiki/Simplest_Puppet_Install_Pattern|Simple puppet pattern]]
  * [[https://docs.puppet.com/background/ssl/index.html|Certificates and security]]
  * [[https://groups.google.com/forum/?fromgroups=#!topic/puppet-users/gXpt-YjROMw|Creating a user and assigning a password hash]]
  * [[https://www.linuxjournal.com/content/managing-linux-using-puppet|Managing Linux Using Puppet]]
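The ''sudo'' and ''users'' classes in Section 2B manage the sudoers file's permissions and create one account. As an added example that is not part of the original page or the tutorials it copies from, the hardened versions below also validate the sudoers content with ''visudo'' before it is installed, purge unmanaged drop-in rules, set a password hash instead of leaving the account passwordless, and remove a departed account. It assumes Puppet 3.8 on a Debian-family host with the ''ruby-shadow'' library present (needed for the ''password'' attribute); the extra username and the hash are placeholders.

```puppet
# Added example, not the page's own code: hardened sudo/users classes from 2B.
# Assumes Puppet 3.8 on Debian with ruby-shadow; extra names and the hash are placeholders.
class sudo {
  package { 'sudo': ensure => installed }
  # Puppet swaps the file in atomically, but a syntax error would still lock
  # every admin out. validate_cmd (Puppet >= 3.5) runs visudo against the
  # candidate file (%) and refuses to install it if the check fails.
  file { '/etc/sudoers':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n#includedir /etc/sudoers.d\n",
    validate_cmd => '/usr/sbin/visudo -cf %',
    require      => Package['sudo'],
  }
  # purge => true removes any drop-in rule Puppet did not put there, so a
  # hand-added /etc/sudoers.d/extra is reverted on the next run and the
  # removal shows up in the agent report. Mode is left alone on purpose:
  # a recursive mode would also be applied to the drop-in files.
  file { '/etc/sudoers.d':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    recurse => true,
    purge   => true,
  }
}

class users {
  # Generate the hash with `mkpasswd -m sha-512` (package whois); never put
  # a cleartext password in a manifest. The value below is a placeholder.
  user { 'norm':
    ensure     => present,
    uid        => '1003',
    gid        => '100',
    home       => '/home/norm',
    shell      => '/bin/bash',
    managehome => true,
    password   => '$6$PLACEHOLDER$replace_with_a_real_sha512_hash',
  }
  # Declaring a departed account absent removes it on every node that
  # includes this class, and the report shows it if someone recreates it.
  user { 'departed_user': ensure => absent }
}
```

If ''visudo'' rejects the candidate file, the run logs an error for that resource and the existing ''/etc/sudoers'' is left in place.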
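The ''node default'' block in Section 2C applies every module, including account creation and the sudoers file, to any agent whose certificate has been signed. As an added example that is not part of the original page, the ''site.pp'' below classifies nodes by certname (the name shown by ''puppet cert list'' in Section 1C) so that an unexpected but signed node receives nothing privileged; ''lab-web01.monmouth.edu'' is a made-up hostname.

```puppet
# /etc/puppet/manifests/site.pp (added example, not the page's own file)
# Node blocks match on the agent's certname, the same name you saw in
# `puppet cert list` and signed in Section 1C.

# The container from Section 1B gets the full set of modules.
node 'wilder.monmouth.edu' {
  include sudo
  include ntp
  include users
}

# A hypothetical second container (made-up name) only needs time sync;
# it never receives the users or sudo classes.
node 'lab-web01.monmouth.edu' {
  include ntp
}

# Anything else that presents a signed certificate falls through to here.
# Keeping the default node free of real resources means a mistakenly signed
# request (for example after `puppet cert sign --all`) gets no accounts or
# sudoers file from this master; the agent report shows only this notice.
node default {
  notify { 'unclassified':
    message => "${::fqdn} is not classified in site.pp; nothing applied.",
  }
}
```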