Configuration Management with Puppet
Getting Started
- We'll get started with puppet by visiting http://www.debian-administration.org/articles/526.
- Next, we'll attempt a tutorial involving ntp at http://bitfieldconsulting.com/puppet-tutorial.
- After that, we'll attempt a tutorial involving user accounts at https://www.linux.com/learn/introduction-puppet-streamlined-system-configuration
Details
1 - Enabling puppetmaster/puppet (server/client) communication
A. On the puppet master (on your virtual Linux machine)
1. Stop the puppetmaster.
/etc/init.d/puppetmaster stop
2. Remove any existing master certificates by running
find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
3. Edit /etc/puppet/puppet.conf
and append these lines to the end of the file, substituting your virtual Linux machine's fully qualified domain name for “belushi.monmouth.edu”: (If you don't know what your “fully qualified domain name” is, ask me.)
# jchung setting dns_alt_names for puppetmaster
# per https://docs.puppet.com/puppet/3.8/post_install.html
# 3/2018
# Change "belushi.monmouth.edu" below to match your virtual machine's fully qualified domain name.
#
dns_alt_names = belushi.monmouth.edu
certname = belushi.monmouth.edu
4. Restart the puppetmaster.
/etc/init.d/puppetmaster start
B. On the puppet agent (client) machines (your container)
1. Stop the puppet agent.
sudo /etc/init.d/puppet stop
2. Remove any existing agent certificates. On the client the paths are looked up with puppet agent (not puppet master, which is not installed there), and the lookups themselves must run as root: an unprivileged puppet agent --configprint reports your own ~/.puppet/ssl rather than the system ssldir under /var/lib/puppet, so the find would search the wrong tree.
sudo find $(sudo puppet agent --configprint ssldir) -name "$(sudo puppet agent --configprint certname).pem" -delete
3. Edit the /etc/puppet/puppet.conf
file and append these lines to the end of the file, while making the needed substitutions on the server
and certname
lines:
[agent]
# Settings for agent (client) nodes
# jchung, per https://docs.puppet.com/puppet/3.8/post_install.html
# 3/2018
# Change "belushi.monmouth.edu" below to match your VM's fully qualified domain name.
# Change "wilder.monmouth.edu" below to match the puppet agent machine's FQDN (your container).
#
server = belushi.monmouth.edu
report = true
pluginsync = true
certname = wilder.monmouth.edu
4. Restart the puppet agent.
sudo /etc/init.d/puppet start
C. Sign node certificates on the puppet master
See https://docs.puppet.com/puppet/3.8/post_install.html.
After the steps taken above, when you run on your puppet master (Linux virtual machine),
puppet cert list
you should see a list of incoming certificate requests from the puppet agent machines, each shown with its certname and fingerprint. Signing a request is what tells the master to trust that agent from then on, so before signing compare the fingerprint shown in the list with the one the agent itself reports when you run on the agent
sudo puppet agent --fingerprint
If they match, sign the request, substituting the agent's certname (e.g. wilder.monmouth.edu) for <NAME>:
puppet cert sign <NAME>
puppet cert sign --all signs every pending request without any such check, so use it only after you have verified each request in the list; a request you did not expect, or whose fingerprint does not match, should not be signed.
Until this step is completed, there will be no puppetmaster-to-puppet communication.
2 - Using puppet modules on puppetmaster to control puppet agents
A recommended approach to using puppet is to use task modules. For us, this involves creating module subdirectories under the /etc/puppet/modules directory. Each module subdirectory under /etc/puppet/modules also contains a manifests subdirectory into which we put our puppet manifests.
Do parts A, B, and C below ONLY on the puppetmaster machine (Linux virtual machine):
A. Create module subdirectories
Create the following subdirectory tree under the /etc/puppet/modules directory:

modules
|-- ntp
|   `-- manifests
|-- sudo
|   `-- manifests
`-- users
    `-- manifests

by running the following commands:

cd /etc/puppet/modules
mkdir -p ntp/manifests sudo/manifests users/manifests
B. Create module manifests in init.pp
In each module's special manifest file init.pp, put the module's resources inside a class definition whose name matches the module name (class ntp in the ntp module, and so on). That class name is what site.pp will later include.
- In the /etc/puppet/modules/ntp/manifests/init.pp file, save the following:

# copied from http://bitfieldconsulting.com/puppet-tutorial
# jchung, 3/2018
# /etc/puppet/modules/ntp/manifests/init.pp
class ntp {
  package { "ntp":
    ensure => installed,
  }
  service { "ntp":
    ensure  => running,
    # Puppet does not order these two resources on its own; without this
    # dependency the service can be started before the package is installed.
    require => Package["ntp"],
  }
}
- In the /etc/puppet/modules/sudo/manifests/init.pp file, save the following:

# Following instructions that used to be at
# http://projects.puppetlabs.com/projects/puppet/wiki/Simplest_Puppet_Install_Pattern
# jchung, 3/2018
# /etc/puppet/modules/sudo/manifests/init.pp
class sudo {
  file { "/etc/sudoers":
    owner => 'root',
    group => 'root',
    mode  => '0440',
  }
}
- In the /etc/puppet/modules/users/manifests/init.pp file, save the following:

# User manifest from
# https://www.linux.com/learn/introduction-puppet-streamlined-system-configuration
# jchung, 3/2018
# /etc/puppet/modules/users/manifests/init.pp
class users {
  user { 'norm':
    uid    => '1003',
    ensure => 'present',
    gid    => '100',
    home   => '/home/norm',
    shell  => '/bin/bash',
  }
}
C. Create site manifest in site.pp
- The site.pp master manifest is where we define nodes (puppet agent nodes) and which puppetmaster modules will apply to those nodes.
- In the /etc/puppet/manifests/site.pp file, erase everything and save the following:

# Following instructions that used to be at
# http://projects.puppetlabs.com/projects/puppet/wiki/Simplest_Puppet_Install_Pattern
# jchung, 3/2018
# /etc/puppet/manifests/site.pp
# All puppet agent nodes that pull from this puppetmaster will run the following modules:
node default {
  include sudo
  include ntp
  include users
}
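As an added example (not the handout's own manifests, and not taken from the linked tutorials), here is one way the sudo and users modules above grow once they manage more than a file mode, together with a site.pp that targets one agent by name. The node name wilder.monmouth.edu, the uid/gid values, the sudoers content and the placeholder SSH key are assumptions; each part goes in the init.pp or site.pp named in its comment.

```puppet
# Added example, not part of the handout. Hostnames, ids, sudoers text and
# the SSH key below are placeholders to be replaced for your own machines.

# /etc/puppet/modules/sudo/manifests/init.pp
class sudo {
  package { 'sudo':
    ensure => installed,
  }

  # Manage the whole file, not only its permissions. validate_cmd (Puppet 3.5
  # and later) runs visudo against the staged copy ('%' is replaced by its
  # path) and refuses to install it if the syntax is broken, so a typo in
  # this manifest cannot lock every administrator out of root.
  file { '/etc/sudoers':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "Defaults env_reset\nDefaults use_pty\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n#includedir /etc/sudoers.d\n",
    validate_cmd => '/usr/sbin/visudo -c -f %',
    require      => Package['sudo'],
  }
}

# /etc/puppet/modules/users/manifests/init.pp
class users {
  # Fixed uid/gid keep the account identical on every agent; managehome
  # creates /home/norm so the authorized key below has somewhere to live.
  user { 'norm':
    ensure     => present,
    uid        => '1003',
    gid        => '100',
    groups     => ['sudo'],
    home       => '/home/norm',
    shell      => '/bin/bash',
    managehome => true,
  }

  # Key-based login instead of a password set by hand on each box.
  # The key string is a placeholder, not a real public key.
  ssh_authorized_key { 'norm@workstation':
    ensure  => present,
    user    => 'norm',
    type    => 'ssh-ed25519',
    key     => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERREPLACEWITHAREALKEY',
    require => User['norm'],
  }
}

# /etc/puppet/manifests/site.pp
# Puppet applies the most specific node block that matches the agent's
# certname; node default only applies to agents no named block matches,
# so the users class (and its sudo membership) reaches only the named host.
node 'wilder.monmouth.edu' {
  include sudo
  include ntp
  include users
}

node default {
  include sudo
  include ntp
}
```

Check each file on the master with puppet parser validate <file> before the agents pull it, and exercise the sudoers change with puppet agent --test --noop first: if visudo rejects the staged file, the file resource fails that run and the existing /etc/sudoers is left untouched.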
D. On puppet agent machines (your container), download and apply manifests from puppetmaster
- Assuming that you have successfully enabled puppetmaster/puppet communication in Section 1 above (including signing the agent's certificate), you may now try downloading and applying the manifests from the puppetmaster machine.
- You may need to enable the agent first:
$ sudo puppet agent --enable
- Normally, the puppet agent (client) machines communicate with their puppetmaster machines every 30 minutes.
- You can force a puppet agent to check in with a puppetmaster immediately with the following command:

# Substitute your puppetmaster host for belushi.monmouth.edu below:
$ sudo puppet agent --test --noop --server=belushi.monmouth.edu

- The output of the puppet agent --test... command will give indications of whether manifests would be applied successfully, whether manifests would be rejected due to syntax errors, or whether manifests would not be applied because no changes are needed on the puppet agent.
- Because of the --noop option, no manifest-directed changes would actually be made on the puppet agent.
- To actually apply manifests, omit the --noop option:

# Substitute your puppetmaster host for belushi.monmouth.edu below:
$ sudo puppet agent --test --server=belushi.monmouth.edu