
Configuration Management with Puppet

Getting Started

- We'll get started with puppet by visiting http://www.debian-administration.org/articles/526.

- Next, we'll attempt a tutorial involving ntp at http://bitfieldconsulting.com/puppet-tutorial.

- After that, we'll attempt a tutorial involving user accounts at https://www.linux.com/learn/introduction-puppet-streamlined-system-configuration.


Details

1 - Enabling puppetmaster/puppet (server/client) communication

A. On the puppet master (on your virtual Linux machine)

1. Stop the puppetmaster.

 /etc/init.d/puppetmaster stop

2. Remove any existing master certificates by running

 find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete

3. Edit /etc/puppet/puppet.conf and append these lines to the end of the file, substituting your virtual Linux machine's fully qualified domain name for “belushi.monmouth.edu”: (If you don't know what your “fully qualified domain name” is, ask me.)

 # jchung setting dns_alt_names for puppetmaster
 # per https://docs.puppet.com/puppet/3.8/post_install.html
 # 3/2018
 # Change "belushi.monmouth.edu" below to match your virtual machine's fully qualified domain name.
 #
 dns_alt_names = belushi.monmouth.edu
 certname = belushi.monmouth.edu

4. Restart the puppetmaster.

 /etc/init.d/puppetmaster start

B. On the puppet agent (client) machines (your container)

1. Stop the puppet agent.

 sudo /etc/init.d/puppet stop

2. Remove any existing agent certificates by running

 sudo find $(puppet agent --configprint ssldir) -name "$(puppet agent --configprint certname).pem" -delete

3. Edit the /etc/puppet/puppet.conf file and append these lines to the end of the file, while making the needed substitutions on the server and certname lines:

 [agent]
 # Settings for agent (client) nodes
 # jchung, per https://docs.puppet.com/puppet/3.8/post_install.html
 # 3/2018
 # Change "belushi.monmouth.edu" below to match your VM's fully qualified domain name.
 # Change "wilder.monmouth.edu" below to match the puppet agent machine's FQDN (your container).
 #
 server = belushi.monmouth.edu
 report = true
 pluginsync = true
 certname = wilder.monmouth.edu

4. Restart the puppet agent.

 sudo /etc/init.d/puppet start

C. Sign node certificates on the puppet master

See https://docs.puppet.com/puppet/3.8/post_install.html.

After the steps taken above, when you run on your puppet master (Linux virtual machine),

 puppet cert list

you should see a list of incoming certificate requests from the puppet agent machines. At that point, you can run either

 puppet cert sign <NAME>

or

 puppet cert sign --all

Until this step is completed, there will be no puppetmaster-to-puppet communication.
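Signing with --all accepts every pending request, including ones from machines you did not expect. The script below is an added example (not from the course page or the Puppet project) of the safer habit: compare the fingerprint that puppet cert list prints on the master with the one each node operator reads from their own machine with puppet agent --fingerprint, and only emit sign commands for requests that match. The cert list output and the recorded fingerprints are constructed samples (the host names and hex values are made up; the layout approximates Puppet 3.x).

```shell
#!/bin/sh
# Added example, not part of the course page: decide which pending certificate
# requests to sign by matching the fingerprint shown in `puppet cert list` on the
# master against the fingerprint each node operator reported from their own
# machine (`puppet agent --fingerprint`).  Requests with no record or a mismatched
# fingerprint are reported on stderr and left unsigned.

# Constructed sample of `puppet cert list` output (hosts and fingerprints are made up;
# the layout approximates Puppet 3.x).
SAMPLE_CERT_LIST='  "wilder.monmouth.edu" (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
  "rogue.example.net" (SHA256) 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
  "chase.monmouth.edu" (SHA256) DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF'

# Constructed record of "<certname> <fingerprint>" pairs collected from node operators.
# "chase" is deliberately wrong so the mismatch path is exercised; "rogue" has no entry.
EXPECTED_FINGERPRINTS='wilder.monmouth.edu aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
chase.monmouth.edu CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE'

# verified_requests CERT_LIST_TEXT EXPECTED_TEXT
# Prints, one per line, the certnames whose pending fingerprint equals the recorded one.
verified_requests() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *'"'*) ;;          # only lines carrying a quoted certname are requests
            *) continue ;;
        esac
        name=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*"\([^"]*\)".*/\1/p')
        fp=$(printf '%s\n' "$line" | sed -n 's/.*(SHA256) \([0-9A-Fa-f:]*\).*/\1/p' \
             | tr '[:lower:]' '[:upper:]')
        expected=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }' \
                   | tr '[:lower:]' '[:upper:]')
        if [ -z "$expected" ]; then
            printf 'no recorded fingerprint for %s; not signing\n' "$name" >&2
        elif [ "$expected" = "$fp" ]; then
            printf '%s\n' "$name"
        else
            printf 'fingerprint mismatch for %s; not signing\n' "$name" >&2
        fi
    done
}

# sign_commands CERT_LIST_TEXT EXPECTED_TEXT
# Emits one `puppet cert sign` command per verified request so the list can be
# reviewed before it is piped into sh on the master.
sign_commands() {
    verified_requests "$1" "$2" | while IFS= read -r name; do
        printf 'puppet cert sign %s\n' "$name"
    done
}

# Stand-alone run: show what would be signed from the constructed sample.
sign_commands "$SAMPLE_CERT_LIST" "$EXPECTED_FINGERPRINTS"
```

On a real master you would replace the two constructed strings with the output of puppet cert list and a file of fingerprints collected from each node's operator; the unsigned requests it reports on stderr are the ones to investigate rather than sign.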


2 - Using puppet modules on puppetmaster to control puppet agents

A recommended approach to using puppet is to use task modules. For us, this involves creating module subdirectories under the /etc/puppet/modules directory. Each module subdirectory under /etc/puppet/modules also contains a manifests subdirectory into which we put our puppet manifests.

Do parts A, B, and C below ONLY on the puppetmaster machine (Linux virtual machine):

A. Create module subdirectories

Create the following subdirectory tree under the /etc/puppet/modules directory:

modules
|-- ntp
|   `-- manifests
|-- sudo
|   `-- manifests
`-- users
    `-- manifests


by running the following commands:


   cd /etc/puppet/modules
   mkdir -p ntp/manifests sudo/manifests users/manifests

B. Create module manifests in init.pp

In the special manifest file init.pp, put manifests in class definitions that match each module name.

  • In the /etc/puppet/modules/ntp/manifests/init.pp file, save the following:
# copied from http://bitfieldconsulting.com/puppet-tutorial
# jchung, 3/2018

# /etc/puppet/modules/ntp/manifests/init.pp

class ntp {
    package { "ntp": 
        ensure => installed 
    }

    service { "ntp":
        ensure => running,
    }
}
  • In the /etc/puppet/modules/sudo/manifests/init.pp file, save the following:
# Following instructions that used to be at
# http://projects.puppetlabs.com/projects/puppet/wiki/Simplest_Puppet_Install_Pattern
# jchung, 3/2018

# /etc/puppet/modules/sudo/manifests/init.pp

class sudo {
    file { "/etc/sudoers":
        owner => 'root',
        group => 'root',
        mode  => '0440',
    }
}
  • In the /etc/puppet/modules/users/manifests/init.pp file, save the following:
# User manifest from
# https://www.linux.com/learn/introduction-puppet-streamlined-system-configuration
# jchung, 3/2018

# /etc/puppet/modules/users/manifests/init.pp

class users {
    user { 'norm':
        uid => '1003',
        ensure => 'present',
        gid => '100',
        home => '/home/norm',
        shell => '/bin/bash'
    }
}

C. Create site manifest in site.pp

  • The site.pp master manifest is where we define nodes (puppet agent nodes) and which puppetmaster modules will apply to those nodes.
  • In the /etc/puppet/manifests/site.pp file, erase everything and save the following:
# Following instructions that used to be at
# http://projects.puppetlabs.com/projects/puppet/wiki/Simplest_Puppet_Install_Pattern
# jchung, 3/2018

# /etc/puppet/manifests/site.pp

# All puppet agent nodes that pull from this puppetmaster will run the following modules:
node default {
     include sudo
     include ntp
     include users
}

D. On puppet agent machines (your container), download and apply manifests from puppetmaster

  • Assuming that you have successfully enabled puppetmaster/puppet communication in Section 1 above, you may now try downloading and applying the manifests from the puppetmaster machine.
  • You may need to enable the agent first:
    $ sudo puppet agent --enable
  • Normally, the puppet agent (client) machines communicate with their puppetmaster machines every 30 minutes.
    • You can force a puppet agent to check in with a puppetmaster immediately with the following command:
    # Substitute your puppetmaster host for belushi.monmouth.edu below:
    $ sudo puppet agent --test --noop --server=belushi.monmouth.edu
  • The output of the puppet agent --test... command will give indications of whether manifests would be applied successfully, whether manifests would be rejected due to syntax errors, or whether manifests would not be applied because no changes are needed on the puppet agent.
  • Because of the --noop option, no manifest-directed changes would actually be made on the puppet agent.
    • To actually apply manifests, omit the --noop option:
    # Substitute your puppetmaster host for belushi.monmouth.edu below:
    $ sudo puppet agent --test --server=belushi.monmouth.edu
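Because a --noop run reports every resource that would change without touching anything, it doubles as a drift check: a File line saying /etc/sudoers would move from mode 0644 to 0440 means something changed the file outside puppet. The script below is an added example (not from the course page or the Puppet project) that reads such a run's output and summarises it as clean, pending changes, or catalog error, and separately lists owner/group/mode drift on File resources. Both sample outputs are constructed (the host, version and error text are made up; the line layout approximates Puppet 3.x).

```shell
#!/bin/sh
# Added example, not part of the course page: read the output of a
# `puppet agent --test --noop` run and summarise it, so a noop run can double as a
# drift check (for instance, /etc/sudoers having lost its 0440 mode) before any
# change is applied.

# Constructed sample output of a noop run against the ntp/sudo/users modules
# (format approximates Puppet 3.x; the host and version are made up).
SAMPLE_NOOP_OUTPUT='Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for wilder.monmouth.edu
Info: Applying configuration version 1521770000
Notice: /Stage[main]/Ntp/Package[ntp]/ensure: current_value purged, should be present (noop)
Notice: /Stage[main]/Sudo/File[/etc/sudoers]/mode: current_value 0644, should be 0440 (noop)
Notice: /Stage[main]/Users/User[norm]/ensure: current_value absent, should be present (noop)
Notice: Class[Ntp]: Would have triggered refresh from 1 events
Notice: Finished catalog run in 0.52 seconds'

# Constructed sample output when the master rejects a manifest with a syntax error.
SAMPLE_ERROR_OUTPUT='Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Syntax error at end of file at /etc/puppet/modules/ntp/manifests/init.pp:9 on node wilder.monmouth.edu
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run'

# summarize_noop_run OUTPUT_TEXT
# Prints "status=<error|pending|clean> pending=<n> errors=<n>": error when the catalog
# was rejected, pending when resources would change, clean when nothing would.
summarize_noop_run() {
    pending=$(printf '%s\n' "$1" | grep -c 'current_value .* (noop)$' || true)
    errors=$(printf '%s\n' "$1" | grep -c '^Error: ' || true)
    if [ "$errors" -gt 0 ]; then
        status=error
    elif [ "$pending" -gt 0 ]; then
        status=pending
    else
        status=clean
    fi
    printf 'status=%s pending=%s errors=%s\n' "$status" "$pending" "$errors"
}

# permission_drift OUTPUT_TEXT
# Lists File resources whose owner, group or mode differs from the manifest, as
# "<resource> <attribute> <current> -> <wanted>"; these are the changes worth
# investigating rather than just applying, since something altered the file outside puppet.
permission_drift() {
    printf '%s\n' "$1" | awk '
        /^Notice: \/Stage\[.*\/File\[[^]]*\]\/(owner|group|mode): current_value .* \(noop\)$/ {
            path = $2; sub(/:$/, "", path)
            n = match(path, /\/[a-z]+$/)
            resource = substr(path, 1, n - 1); attribute = substr(path, n + 1)
            current = $4; sub(/,$/, "", current)
            printf "%s %s %s -> %s\n", resource, attribute, current, $7
        }'
}

# Stand-alone run on the constructed samples.
summarize_noop_run "$SAMPLE_NOOP_OUTPUT"
permission_drift "$SAMPLE_NOOP_OUTPUT"
summarize_noop_run "$SAMPLE_ERROR_OUTPUT"
```

On an agent you would feed it the real output, for example by saving sudo puppet agent --test --noop --server=... 2>&1 to a file first; a non-empty permission_drift listing on a file like /etc/sudoers is worth a look before the run without --noop silently puts it back.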

Additional References

cs471/cs_471_-_configuration_management_with_puppet_supplement.txt · Last modified: 2018/03/23 01:16 by jchung
