====== puppet ======

cfengine

System for centralizing configuration and package installation...

===== Installing and configuring the server =====

<code bash>
sudo aptitude update; sudo aptitude install puppetmaster -R
</code>

1. Configuration files

1.1 Manifest

/etc/puppet/manifests/site.pp
<code>
import 'nodes/*'
$puppetserver = 'puppet_server.domain.com'
</code>

1.2 Nodes

<code bash>
sudo mkdir /etc/puppet/manifests/nodes/
</code>

/etc/puppet/manifests/nodes/puppet_client_1.domain.com.pp
<code>
node 'puppet_client_1.domain.com' {
  include modulo1
  include modulo2
}
</code>

/etc/puppet/manifests/nodes/puppet_client_2.domain.com.pp
<code>
node 'puppet_client_2.domain.com' {
  include modulo1
  include modulo2
}
</code>
...

1.3 Modules

<code bash>
sudo mkdir -p /etc/puppet/modules/modulo1/{files,templates,manifests}
</code>

/etc/puppet/modules/modulo1/files/modulo1.txt: simply an empty file.

/etc/puppet/modules/modulo1/manifests/init.pp
<code>
class modulo1 {
  package { 'sudo':
    ensure => present,
  }
  file { "/tmp/modulo1.txt":
    owner  => "root",
    group  => "root",
    mode   => 0440,
    source => "puppet:///modules/modulo1/modulo1.txt",
  }
}
</code>

In this example:
  * We install the 'sudo' package (if it is not installed already).
  * We copy the file puppet_server.domain.com:/etc/puppet/modules/modulo1/files/modulo1.txt to puppet_client_1.domain.com:/tmp/modulo1.txt. Note that the URL is: puppet:///modules/modulo1/modulo1.txt
  * **Important**: the file (/etc/puppet/modules/modulo1/files/modulo1.txt) must be readable by the 'puppet' user, which is the one that runs the client.

2. Starting / restarting / stopping the service

  * Enable debug output
<code bash>
sudo cp /etc/default/puppetmaster /etc/default/puppetmaster.old
sudo vim /etc/default/puppetmaster
</code>
And make sure the following line reads:
<code>
...
DAEMON_OPTS="--verbose"
...
</code>
Reload the configuration (NO restart needed):
<code bash>
sudo /etc/init.d/puppetmaster force-reload
Restarting puppet master.
</code>
Check:
<code bash>
ps aux | grep puppetmaster
puppet 14997 0.5 7.2 136952 37012 ? Ssl 09:59 0:00 /usr/bin/ruby1.8 /usr/bin/puppet master --verbose --masterport=8140
</code>
  * Start / stop / restart
<code bash>
sudo /etc/init.d/puppetmaster start|stop|restart
</code>
  * Reload the configuration (NO restart needed):
<code bash>
sudo /etc/init.d/puppetmaster force-reload
</code>

3. Logs

  * /var/log/puppet/masterhttp.log
  * /var/log/daemon.log

===== Installing and configuring a node (client) =====

1. Install the packages
<code bash>
sudo aptitude update; sudo aptitude install puppet -R
</code>

2. Configure it so that it can be started as a daemon:
<code bash>
sudo mv /etc/default/puppet /etc/default/puppet.old
sudo vim /etc/default/puppet
</code>
<code>
# Start puppet on boot?
START=yes
# Startup options
DAEMON_OPTS="--verbose"
</code>
If we wanted to redirect the log to a different file we could use the following configuration, but it does not work quite right for me (I think some messages are not logged, and an entry saying the log is being reopened appears continuously...):
<code>
# Start puppet on boot?
START=yes
# Startup options
DAEMON_OPTS="--verbose --logdest /var/log/puppet.log"
</code>

3. Define the name of the server it connects to:
<code bash>
sudo cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.old
sudo vim /etc/puppet/puppet.conf
</code>
And add:
<code>
server=puppet_server.domain.com
</code>

4. Start the client. **CAREFUL**: for everything to work, the node should probably already be defined on the server beforehand.
<code bash>
sudo /etc/init.d/puppet restart
Restarting puppet agent.
</code>

5.
Check the logs:
<code bash>
sudo tail -F /var/log/daemon.log
</code>
<code>
May 29 15:04:03 test5 puppet-master[1931]: Caught TERM; calling stop
May 29 15:04:05 test5 puppet-master[11049]: Reopening log files
May 29 15:04:05 test5 puppet-master[11049]: Starting Puppet master version 2.6.2
May 29 15:04:14 test5 puppet-agent[10852]: Caught TERM; calling stop
May 29 15:04:16 test5 puppet-agent[11081]: Reopening log files
May 29 15:04:16 test5 puppet-agent[11081]: Starting Puppet client version 2.6.2
May 29 15:04:17 test5 puppet-master[11049]: Compiled catalog for test5.jj.com in environment production in 0.21 seconds
May 29 15:04:17 test5 puppet-agent[11081]: (/Stage[main]/Test3/File[/tmp/test3.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test3/Package[bzip2]/ensure) change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install bzip2' returned 100: Reading package lists...#012Building dependency tree...#012Reading state information...#012Suggested packages:#012 bzip2-doc#012The following NEW packages will be installed:#012 bzip2#0120 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.#012Need to get 50.5 kB of archives.#012After this operation, 164 kB of additional disk space will be used.#012WARNING: The following packages cannot be authenticated!#012 bzip2#012E: There are problems and -y was used without --force-yes
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test4/File[/tmp/test4.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test2/File[/tmp/test2.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: Finished catalog run in 1.04 seconds
</code>

**Explanation**

<code>
May 29 15:04:17 test5 puppet-agent[11081]: (/Stage[main]/Test3/File[/tmp/test3.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
</code>
The 'Test3' manifest has been applied. Depending on what it includes it can produce more lines, for example installing the 'bzip2' package:
<code>
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test3/Package[bzip2]/ensure) change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install bzip2' returned 100: Reading package lists...#012Building dependency tree...#012Reading state information...#012Suggested packages:#012 bzip2-doc#012The following NEW packages will be installed:#012 bzip2#0120 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.#012Need to get 50.5 kB of archives.#012After this operation, 164 kB of additional disk space will be used.#012WARNING: The following packages cannot be authenticated!#012 bzip2#012E: There are problems and -y was used without --force-yes
</code>

===== Starting the services for testing =====

  * Client
<code bash>
puppet agent --server=puppet_server.domain.com --no-daemonize --verbose --onetime
</code>
  * Server
<code bash>
puppet master --verbose --no-daemonize
</code>

===== Signing node requests (certificates) =====

http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security

This step is required before a node can connect to the server. Once node and server are running:

1. (Server) List the pending requests:
<code bash>
sudo puppet cert --list
dns.jj.com (CF:DD:8D:0F:82:31:E6:7A:7C:27:03:C1:3D:24:95:A2)
</code>
In the logs:
<code bash>
sudo tail -F /var/log/daemon.log
May 30 11:31:15 puppet puppet-master[1958]: dns.jj.com has a waiting certificate request
May 30 11:31:15 puppet puppet-master[1958]: Could not find certificate for 'dns.jj.com'
</code>

2.
(Server) Sign it:
<code bash>
sudo puppet cert --sign dns.jj.com
notice: Signed certificate request for dns.jj.com
notice: Removing file Puppet::SSL::CertificateRequest dns.jj.com at '/var/lib/puppet/ssl/ca/requests/dns.jj.com.pem'
</code>

===== Revoking a certificate =====

Two ways:
<code bash>
sudo puppet cert --clean dns.jj.com
</code>
or
<code bash>
sudo puppetca --clean dns.jj.com
notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate dns.jj.com at '/var/lib/puppet/ssl/ca/signed/dns.jj.com.pem'
notice: Removing file Puppet::SSL::Certificate dns.jj.com at '/var/lib/puppet/ssl/certs/dns.jj.com.pem'
</code>

===== Running puppetmaster as another user =====

<code bash>
sudo cp /etc/init.d/puppetmaster /etc/init.d/puppetmaster.bak
sudo vim /etc/init.d/puppetmaster
</code>
And change only this line (USUARIO being the user that will run the service):
<code>
chown USUARIO:USUARIO /var/run/puppet
</code>
<code bash>
sudo cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.bak
sudo vim /etc/puppet/puppet.conf
</code>
And add this line in the [main] section:
<code>
[main]
...
user=usuario
</code>
Restart:
<code bash>
sudo /etc/init.d/puppetmaster restart
</code>

===== Installing modules =====

http://docs.puppetlabs.com/puppet/2.7/reference/modules_installing.html

===== Errors / bugs =====

**err: Could not call revoke: Cannot convert into OpenSSL::BN**
<code bash>
sudo rm -fr /var/lib/puppet/ssl/ca/requests/mysql-monitor-1.dev.jj.com.pem
</code>

----

  * The split() function does not work properly in version 2.6. Upgrade to 2.7.x (it works for me on 2.7.18): http://docs.puppetlabs.com/references/latest/function.html#split

----

**Could not request certificate: The certificate retrieved from the master does not match the agent's private key.#012Certificate fingerprint: FB:8A:80:D1:51:E1:7B:A6:79:64:1F:56:E8:1B:D9:68#012To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.#012On the master:#012 puppet cert clean mumble-1.dev.local.jamgo.org#012On the agent:#012 rm -f /var/lib/puppet/ssl/certs/mumble-1.dev.local.jamgo.org.pem#012 puppet agent -t**

1. (Server) Remove the certificate:
<code bash>
sudo rm -fr /var/lib/puppet/ssl/ca/signed/mumble-1.dev.local.jamgo.org.pem
</code>
2. (Client) Remove the certificates:
<code bash>
sudo su
rm -fr /var/lib/puppet/ssl/*
</code>
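For the module layout described in the server-installation section (files/, templates/, manifests/init.pp, and the note that the served file must be readable by the 'puppet' user), here is an added example that is not part of the original page: a POSIX shell function that creates a module like modulo1 under any root directory, writes the same two resources but with ensure => file and a quoted mode, makes the served file world-readable, and runs puppet parser validate when a 2.7+ puppet binary is on the PATH (an assumption; the check is skipped otherwise). A second function lists any served file the master could not read. The module root, module name and target path are parameters of the example, not values from the page.

```sh
#!/bin/sh
# Added example, not from the original page: build a module with the same layout
# as 'modulo1' above (files/, templates/, manifests/init.pp), with two changes
# for robustness: ensure => file and a quoted mode string in the file resource,
# and the served file forced readable so the 'puppet' user can actually serve it.
# ROOT, NAME and TARGET are parameters so this can be tried in a scratch
# directory before touching /etc/puppet/modules.

# make_module ROOT NAME [TARGET]  -> prints the module directory
make_module() {
    root="$1"; name="$2"; target="${3:-/tmp/$2.txt}"
    moddir="$root/$name"
    mkdir -p "$moddir/files" "$moddir/templates" "$moddir/manifests" || return 1

    # The served file: created empty if it does not exist, then made readable by
    # everyone. This is the "must be accessible by the puppet user" point above;
    # the restrictive 0440 is what the client applies to its copy, not the mode
    # of the source on the master.
    : >> "$moddir/files/$name.txt"
    chmod 0644 "$moddir/files/$name.txt"

    # Same resources as the page's init.pp; the heredoc is unquoted so $name
    # and $target are expanded, the quotes inside it are Puppet's own.
    cat > "$moddir/manifests/init.pp" <<EOF
class $name {
  package { 'sudo':
    ensure => present,
  }

  file { '$target':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0440',
    source => 'puppet:///modules/$name/$name.txt',
  }
}
EOF

    # Syntax check when a 2.7+ puppet binary is on the PATH (assumed); skipped
    # otherwise so the function also works on a machine without Puppet.
    if command -v puppet >/dev/null 2>&1; then
        puppet parser validate "$moddir/manifests/init.pp" || return 1
    fi
    printf '%s\n' "$moddir"
}

# unreadable_served_files ROOT NAME -> lists files under files/ that lack the
# world-read bit, i.e. files the master (running as 'puppet') could not serve.
unreadable_served_files() {
    find "$1/$2/files" -type f ! -perm -004 -print
}
```

Try it first with a scratch root, for example make_module "$(mktemp -d)" modulo1, inspect the generated init.pp, and only then run it against /etc/puppet/modules; unreadable_served_files /etc/puppet/modules modulo1 printing nothing is the condition the page's "Important" note asks for.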
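The daemon.log excerpt in the client section shows a Package[bzip2] change that failed because apt refused a package it could not authenticate, which is easy to miss in a run that still ends with "Finished catalog run". As an added example that is not from the original page, this shell function reads log lines on stdin and reports each failed resource change, separately flagging apt's signature refusals. The sample lines used in the test are constructed after the page's log format.

```sh
#!/bin/sh
# Added example, not from the original page: pull the failed resource changes
# out of a puppet-agent run in /var/log/daemon.log and flag the ones apt
# refused because the package could not be authenticated (the bzip2 case on
# this page is exactly that: the run finishes, but the package was never
# installed). Reads log lines on stdin, prints "FAILED <resource>" per failed
# change, an extra "UNAUTHENTICATED <resource>" when apt's signature check was
# the cause, and a SUMMARY line with the count.

puppet_run_findings() {
    awk '
        # Failed change lines look like:
        #   ... puppet-agent[PID]: (/Stage[main]/Mod/Package[x]/ensure) change from A to B failed: ...
        /puppet-agent\[[0-9]+\]: \(.*\) change from .* failed:/ {
            res = $0
            sub(/^.*puppet-agent\[[0-9]+\]: \(/, "", res)   # drop everything up to "("
            sub(/\).*$/, "", res)                            # keep the resource path only
            print "FAILED " res
            if ($0 ~ /cannot be authenticated/) print "UNAUTHENTICATED " res
            failed++
        }
        END { printf "SUMMARY %d failed change(s)\n", failed + 0 }
    '
}
```

Usage on a node: puppet_run_findings < /var/log/daemon.log, or pipe the output of tail -F through it while watching a run. An UNAUTHENTICATED line means the APT keyring on the node does not trust the repository that serves the package; the fix belongs on the node's apt configuration, not in the manifest.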
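For the signing step in the certificate section, the added example below (not from the original page) compares a pending request in the output of puppet cert --list against a fingerprint the node reported out of band, for instance from its first agent run or from puppet agent --fingerprint on 2.7 (assumed available), so that only a request from the machine you actually built gets signed. The node name web-1.example.test and both fingerprints other than the page's dns.jj.com one are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: check a pending request against a
# fingerprint obtained out of band before signing it. 'puppet cert --list' on
# the master only tells you a request exists; comparing its fingerprint with
# the one the node printed is what ties the request to a known machine.
# Reads the listing on stdin.
#
# csr_matches NODE FINGERPRINT  -> exit 0 on match, 1 on mismatch, 2 if absent

csr_matches() {
    awk -v node="$1" -v want="$2" '
        # Pending requests are listed as:  dns.jj.com (CF:DD:...)
        # Signed certs (shown with --all) carry a "+ " prefix, so $1 is "+"
        # and they never match a node name here.
        $1 == node && $2 ~ /^\(.*\)$/ {
            fp = substr($2, 2, length($2) - 2)
            if (toupper(fp) == toupper(want)) { found = 1; exit }
            seen = fp
        }
        END {
            if (found)      { print "OK: sign " node " (" want ")"; exit 0 }
            if (seen != "") { print "MISMATCH: " node " request is " seen ", expected " want; exit 1 }
            print "NO REQUEST: " node; exit 2
        }
    '
}
```

Usage on the master, with the fingerprint copied from the node: sudo puppet cert --list | csr_matches dns.jj.com CF:DD:8D:0F:82:31:E6:7A:7C:27:03:C1:3D:24:95:A2 && sudo puppet cert --sign dns.jj.com. A MISMATCH means a request under that name came from something other than the node whose fingerprint you have; leave it unsigned and look at the node.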