Puppet

From wiki.techunit.org

Introduction

  • Debian version : 8.2
  • Puppet version : 3.7.2-4

Prerequisites

  • TCP port 8140 must be open on the Puppet master (agents connect to it)
  • Configure NTP

Puppet installation

Server (master)

aptitude install puppetmaster -y

Client

Installation

aptitude install puppet -y

Configure the master

  • Edit /etc/puppet/puppet.conf and add this line under the [main] section
server=<IP or hostname>
  • If you use a hostname, make sure it resolves on both the server and the client

Certificate request

  • To secure the connection, Puppet uses SSL between agent and master. Run the following command on the client to request a certificate from the master.
  • To do on the client
root@puppets:~# puppet agent -t
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppets
Info: Certificate Request fingerprint (SHA256): 1C:E2:C2:3E:75:A0:A4:D8:43:74:59:E9:8E:F4:60:67:83:A9:A2:7F:D7:44:6B:EA:B8:E7:DE:04:42:DC:BE:B8
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
  • To do on the master (compare the fingerprint with the one printed on the client before signing)
root@puppetm:~# puppet ca list
  puppets  (SHA256) 1C:E2:C2:3E:75:A0:A4:D8:43:74:59:E9:8E:F4:60:67:83:A9:A2:7F:D7:44:6B:EA:B8:E7:DE:04:42:DC:BE:B8
root@puppetm:~# puppet ca sign puppets
Notice: Signed certificate request for puppets
Notice: Removing file Puppet::SSL::CertificateRequest puppets at '/var/lib/puppet/ssl/ca/requests/puppets.pem'
"-----BEGIN CERTIFICATE-----\nMIIFZTCCA02gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJQdXBw\nZXQgQ0E6IHB1cHBldG0wHhcNMTUxMDI5MTUxMjE1WhcNMjAxMDI4MTUxMjE1WjAS\nMRAwDgYDVQQDDAdwdXBwZXRzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC\nAgEAskiGwNdm3/sQhglKH5Fub1FZ8cobOXckYDauUQvMVhZl/6cqx/13...BLAH...6de9yRKl4qjDSIn6abBMWB9TspXl/FT2ZrykHUP3DQd5A=\n-----END CERTIFICATE-----\n"
  • Back on the client, enable agent
puppet agent --enable
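The fingerprint that "puppet agent -t" prints on the client is the only thing that lets the master operator confirm a pending request really came from that host, which is also why "puppet cert sign --all" (see the Sign certificate section below) should be avoided on a network where anyone can submit a request. The following shell script is an added example, not part of the original page: it wraps the signing step so the master refuses to sign unless the fingerprint listed by "puppet cert list" matches the value copied from the client. The sample listing is constructed from the output shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): sign a Puppet CSR only after
# confirming its fingerprint matches the one shown by "puppet agent -t" on
# the client. Function names are this example's own; only "puppet cert list"
# and "puppet cert sign" are real Puppet commands.

# csr_fingerprint_matches LISTING HOST EXPECTED
#   LISTING  text printed by "puppet cert list" or "puppet ca list"
#   HOST     certname of the pending request
#   EXPECTED SHA256 fingerprint copied from the client's "puppet agent -t" output
# Returns 0 when HOST is listed with exactly EXPECTED, 1 otherwise.
csr_fingerprint_matches() {
  listing=$1
  host=$2
  expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
  # "puppet cert list" quotes names and "--all" prefixes signed certs with
  # "+"; strip the quotes and skip a leading "+"/"-" marker before matching.
  actual=$(printf '%s\n' "$listing" | tr -d '"' | awk -v h="$host" '
    { i = 1; if ($1 == "+" || $1 == "-") i = 2 }
    $i == h && $(i+1) == "(SHA256)" { print $(i+2); exit }')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# sign_verified_csr HOST EXPECTED  (run on the master)
# Signs HOST only when a pending request with fingerprint EXPECTED exists.
sign_verified_csr() {
  listing=$(puppet cert list 2>/dev/null) || return 2
  if csr_fingerprint_matches "$listing" "$1" "$2"; then
    puppet cert sign "$1"
  else
    echo "refusing to sign $1: no pending request with that fingerprint" >&2
    return 1
  fi
}

# Constructed sample listing: the "puppets" entry uses the fingerprint shown
# earlier on this page, the "rogue" entry is made up for the example.
SAMPLE_LISTING='  puppets  (SHA256) 1C:E2:C2:3E:75:A0:A4:D8:43:74:59:E9:8E:F4:60:67:83:A9:A2:7F:D7:44:6B:EA:B8:E7:DE:04:42:DC:BE:B8
  "rogue"  (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'

# Value the operator copies from the client's "puppet agent -t" output.
EXPECTED_FROM_CLIENT='1C:E2:C2:3E:75:A0:A4:D8:43:74:59:E9:8E:F4:60:67:83:A9:A2:7F:D7:44:6B:EA:B8:E7:DE:04:42:DC:BE:B8'

if csr_fingerprint_matches "$SAMPLE_LISTING" puppets "$EXPECTED_FROM_CLIENT"; then
  echo "fingerprint for puppets matches; safe to run: puppet cert sign puppets"
fi
```

On a real master you would run sign_verified_csr puppets "<fingerprint from the client>" instead of a bare puppet cert sign; the helper exits non-zero, and signs nothing, when the host is missing from the listing or its fingerprint differs.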

Enable Puppet on boot

  • Edit /etc/default/puppet
# Start puppet on boot?
START=yes

Puppet Management

Manage certificates

  • All commands in this section are run on the Puppet master

Generate new server certificate

  • Edit /etc/puppet/puppet.conf and add these lines under the [main] section
certname = puppet
dns_alt_names = puppet,puppet.local.lab
  • Then run this command
puppet master --verbose --no-daemonize

List unsigned certificates

puppet cert list

Sign certificate

  • Sign single certificate
puppet cert sign hostname
  • Sign all certificates
puppet cert sign --all

Revoke certificate

puppet cert clean hostname

View All Signed Requests

puppet cert list --all

Lock puppet version

  • On the server and the clients, edit /etc/apt/preferences.d/00-puppet.pref
#Master
Package: puppet-common puppetmaster puppetmaster-common
Pin: version 3.7.*
Pin-Priority: 501
#Slave
Package: puppet puppet-common
Pin: version 3.7.*
Pin-Priority: 501

First Manifest

Hello World

Create a file containing Hello World in the /tmp directory

Create the module

  • Create tree
mkdir -p /etc/puppet/modules/helloworld/manifests/
  • Edit the helloworld module: /etc/puppet/modules/helloworld/manifests/init.pp
class helloworld {
  file { '/tmp/helloFile':
    content => "Hello World\n",
  }
}
  • Include the class in the main manifest: /etc/puppet/manifests/site.pp
include helloworld
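The three steps above (module tree, init.pp, include in site.pp) are easy to script so they can be re-run without duplicating lines. The shell script below is an added example, not code from the original page: PUPPET_CONFDIR is this example's own variable (default /etc/puppet), and the manifest it writes is the helloworld class from above with explicit owner, group and mode added so the managed file's permissions are not left to whatever the agent's umask gives.

```shell
#!/bin/sh
# Added example (not part of the original page): scaffold the helloworld
# module and register it in site.pp. PUPPET_CONFDIR is this example's own
# variable; "puppet parser validate" is a real Puppet 3 subcommand.

# ensure_line FILE LINE: append LINE to FILE unless it is already there.
ensure_line() {
  [ -f "$1" ] || : > "$1"
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# create_helloworld_module [CONFDIR]: writes modules/helloworld/manifests/init.pp
# and adds "include helloworld" to manifests/site.pp under CONFDIR.
create_helloworld_module() {
  confdir=${1:-${PUPPET_CONFDIR:-/etc/puppet}}
  moddir="$confdir/modules/helloworld/manifests"
  mkdir -p "$moddir" "$confdir/manifests"
  # Same class as on the page, plus explicit ownership and a read-only mode
  # for everyone but root (added here; not part of the page's manifest).
  cat > "$moddir/init.pp" <<'EOF'
class helloworld {
  file { '/tmp/helloFile':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "Hello World\n",
  }
}
EOF
  ensure_line "$confdir/manifests/site.pp" 'include helloworld'
  # Syntax-check both manifests when the puppet binary is available.
  if command -v puppet >/dev/null 2>&1; then
    puppet parser validate "$moddir/init.pp" "$confdir/manifests/site.pp"
  fi
}

# module_is_installed [CONFDIR]: 0 when init.pp exists and site.pp includes the class.
module_is_installed() {
  confdir=${1:-${PUPPET_CONFDIR:-/etc/puppet}}
  [ -f "$confdir/modules/helloworld/manifests/init.pp" ] &&
    grep -qx 'include helloworld' "$confdir/manifests/site.pp" 2>/dev/null
}

# Usage on the master (as root): sh thisscript.sh --install
if [ "${1:-}" = "--install" ]; then
  create_helloworld_module
fi
```

Run it with a scratch directory first (create_helloworld_module /tmp/puppet-test) to inspect the generated files; the real run writes under /etc/puppet and then "puppet agent -t" on the client applies it as in the next section.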

Apply configuration

  • On the client, run this command
puppet agent -t

Create Nodes

  • Edit /etc/puppet/manifests/site.pp and declare your client nodes
node 'client1.local.lab' {
  include helloworld
  include puppet
  include snmp
  include ntp
}
node 'client2.local.lab' {
  include helloworld
  include puppet
}

Create class

  • Edit /etc/puppet/manifests/site.pp and create a base class shared by the nodes
class basenode {
  include puppet
  include snmp
  include ntp
}
node 'client1.local.lab' {
  include basenode
}
node 'client2.local.lab' {
  include basenode
  include helloworld
}

Foreman

Foreman is a complete lifecycle management tool for physical and virtual servers. It gives system administrators the power to easily automate repetitive tasks, quickly deploy applications, and proactively manage servers, on-premises or in the cloud.

Foreman installation

Based on the official website. Note that the repository signing key below is fetched over plain HTTP, so compare its fingerprint with the one published by the Foreman project before adding it to apt.

echo "deb http://deb.theforeman.org/ jessie 1.9" > /etc/apt/sources.list.d/foreman.list
echo "deb http://deb.theforeman.org/ plugins 1.9" >> /etc/apt/sources.list.d/foreman.list
wget -q http://deb.theforeman.org/pubkey.gpg -O- | apt-key add -

aptitude update && aptitude -y install foreman-installer
foreman-installer

Elliot
techUnit's cofounder