puppet

A system for centralising configuration management and package installation across many hosts…

Server (puppetmaster) installation and configuration

sudo aptitude update; sudo aptitude install puppetmaster -R

1. Configuration files

1.1 Site manifest

/etc/puppet/manifests/site.pp

import 'nodes/*'
$puppetserver = 'puppet_server.domain.com'

1.2 Nodes

sudo mkdir /etc/puppet/manifests/nodes/
/etc/puppet/manifests/nodes/puppet_client_1.domain.com.pp

node 'puppet_client_1.domain.com'{
	include modulo1
	include modulo2
}

/etc/puppet/manifests/nodes/puppet_client_2.domain.com.pp

node 'puppet_client_2.domain.com'{
	include modulo1
	include modulo2
}

...

1.3 Modules

sudo mkdir -p /etc/puppet/modules/modulo1/{files,templates,manifests}
/etc/puppet/modules/modulo1/files/modulo1.txt

Simply an empty file (the agent logs the content hash when it creates its copy; for an empty file that is {md5}d41d8cd98f00b204e9800998ecf8427e).

/etc/puppet/modules/modulo1/manifests/init.pp

class modulo1 {
	package { 'sudo':
		ensure => present,
	}
	file { '/tmp/modulo1.txt':
		owner  => 'root',
		group  => 'root',
		mode   => '0440',
		source => 'puppet:///modules/modulo1/modulo1.txt',
	}
}

In this example:

* We install the 'sudo' package (if it is not already installed)
* We copy the file:

puppet_server.domain.com:/etc/puppet/modules/modulo1/files/modulo1.txt

to:

puppet_client_1.domain.com:/tmp/modulo1.txt

Note that the source URL is:

puppet:///modules/modulo1/modulo1.txt

i.e. puppet:///modules/<module>/<path> is resolved by the master's file server to <module>/files/<path>; the 'files' directory is implicit.

* Important: the source file (/etc/puppet/modules/modulo1/files/modulo1.txt) must be readable by the 'puppet' user on the master, which is the user the puppetmaster daemon runs as (see the ps output in section 2). The agent on the client runs as root and writes /tmp/modulo1.txt with the owner, group and mode given in the resource (0440 here, so only root and the root group can read it).
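The readability requirement above is easy to get wrong when files are copied into the module tree with sudo (they end up root-owned with whatever mode the umask gave them) and the only symptom is a failed file resource on the agent. The script below is an added example, not code from the original page or from Puppet itself: it lists every file under a module's files/ directory that a given service user could not read, selecting owner, group or other bits the same way the kernel does. It assumes the Debian defaults (service user 'puppet', modules under /etc/puppet/modules), both passed as arguments, and a find(1) that understands -path, -user, -group and -perm.

```shell
#!/bin/sh
# Added example (not from the original page or from Puppet): find files in a
# Puppet module tree that the puppetmaster's service user could not read, and
# therefore could not serve through puppet:///modules/<module>/<file> URLs.
# Assumptions: service user "puppet" and modules under /etc/puppet/modules
# (the Debian defaults); both are passed as arguments.

# unreadable_module_files MODULES_DIR USER
# Prints every regular file below MODULES_DIR/<module>/files/ that USER cannot
# read. Permission classes are selected the way the kernel does it: owner bits
# if USER owns the file, else group bits if USER is in the file's group, else
# the "other" bits. It runs as whoever calls it; no "sudo -u USER" is needed.
# Caveats: root bypasses these bits (the check is meant for an unprivileged
# service user), and every directory on the path also needs search (x)
# permission, which this function does not check.
unreadable_module_files() {
  modules_dir=$1
  user=$2

  # All groups USER belongs to, turned into a find(1) alternation of the form
  #   -group g1 -o -group g2 -o ...
  user_groups=$(id -Gn "$user" 2>/dev/null) || return 2
  set --
  for g in $user_groups; do
    set -- "$@" -o -group "$g"
  done
  shift   # drop the leading -o

  find "$modules_dir" -path "$modules_dir/*/files/*" -type f \( \
      \( -user "$user" ! -perm -400 \) -o \
      \( ! -user "$user" \( "$@" \) ! -perm -040 \) -o \
      \( ! -user "$user" ! \( "$@" \) ! -perm -004 \) \
    \)
}

# On the master, after populating the module tree:
#   unreadable_module_files /etc/puppet/modules puppet
if [ $# -ge 2 ]; then
  unreadable_module_files "$1" "$2"
fi
```

Run it from any account that can read /etc/puppet; an empty result means every served file is readable by the service user. Files under manifests/ and templates/ are read by the master process too, but they are not what the puppet:/// URL serves, so the function deliberately limits itself to files/.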

2. Start/restart/stop the service

sudo cp /etc/default/puppetmaster /etc/default/puppetmaster.old
sudo vim /etc/default/puppetmaster

and make sure the following line reads:

...
DAEMON_OPTS="--verbose"
...

Reload the configuration (NO restart needed):

sudo /etc/init.d/puppetmaster force-reload
Restarting puppet master.

Check:

ps aux | grep puppetmaster
puppet   14997  0.5  7.2 136952 37012 ?        Ssl  09:59   0:00 /usr/bin/ruby1.8 /usr/bin/puppet master --verbose --masterport=8140
Start/stop/restart:

sudo /etc/init.d/puppetmaster start|stop|restart

3. Logs

/var/log/puppet/masterhttp.log
/var/log/daemon.log

Node (client) installation and configuration

1. Install packages

sudo aptitude update; sudo aptitude install puppet -R

2. Configure it so it can start as a daemon:

sudo mv /etc/default/puppet /etc/default/puppet.old
sudo vim /etc/default/puppet

# Start puppet on boot?
START=yes

# Startup options
DAEMON_OPTS="--verbose"

If we wanted to redirect the log to another file we could use the following config, but it does not work quite right for me (there are messages that I think are not recorded, and an entry saying the log is being reopened keeps appearing…)

# Start puppet on boot?
START=yes

# Startup options
DAEMON_OPTS="--verbose --logdest /var/log/puppet.log"

3. Define the name of the server it connects to:

sudo cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.old
sudo vim /etc/puppet/puppet.conf

and add to it (in the [main] or [agent] section):

server=puppet_server.domain.com

4. Start the client:

NOTE: for things to work, the node should probably already be defined on the server (a node block under /etc/puppet/manifests/nodes/, section 1.2), and its certificate request must be signed on the server (see "Signing node requests" below) before it receives a catalog.

sudo /etc/init.d/puppet restart
Restarting puppet agent.

5. Check the logs:

sudo tail -F /var/log/daemon.log

May 29 15:04:03 test5 puppet-master[1931]: Caught TERM; calling stop
May 29 15:04:05 test5 puppet-master[11049]: Reopening log files
May 29 15:04:05 test5 puppet-master[11049]: Starting Puppet master version 2.6.2
May 29 15:04:14 test5 puppet-agent[10852]: Caught TERM; calling stop
May 29 15:04:16 test5 puppet-agent[11081]: Reopening log files
May 29 15:04:16 test5 puppet-agent[11081]: Starting Puppet client version 2.6.2
May 29 15:04:17 test5 puppet-master[11049]: Compiled catalog for test5.jj.com in environment production in 0.21 seconds
May 29 15:04:17 test5 puppet-agent[11081]: (/Stage[main]/Test3/File[/tmp/test3.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test3/Package[bzip2]/ensure) change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install bzip2' returned 100: Reading package lists...#012Building dependency tree...#012Reading state information...#012Suggested packages:#012  bzip2-doc#012The following NEW packages will be installed:#012  bzip2#0120 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.#012Need to get 50.5 kB of archives.#012After this operation, 164 kB of additional disk space will be used.#012WARNING: The following packages cannot be authenticated!#012  bzip2#012E: There are problems and -y was used without --force-yes
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test4/File[/tmp/test4.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test2/File[/tmp/test2.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: Finished catalog run in 1.04 seconds

Explanation

May 29 15:04:17 test5 puppet-agent[11081]: (/Stage[main]/Test3/File[/tmp/test3.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'

The class 'Test3' was applied: its File resource created /tmp/test3.txt (d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file, which is what the module serves). Depending on what the class includes it can produce more lines, for example installing the 'bzip2' package:

May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test3/Package[bzip2]/ensure) change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install bzip2' returned 100: Reading package lists...#012Building dependency tree...#012Reading state information...#012Suggested packages:#012  bzip2-doc#012The following NEW packages will be installed:#012  bzip2#0120 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.#012Need to get 50.5 kB of archives.#012After this operation, 164 kB of additional disk space will be used.#012WARNING: The following packages cannot be authenticated!#012  bzip2#012E: There are problems and -y was used without --force-yes

This one failed: apt-get exited with status 100 because the bzip2 package "cannot be authenticated", i.e. the repository it comes from is not signed by a key in apt's trusted keyring, and Puppet's apt provider runs apt-get with -y but without --force-yes (as the command line in the log shows), so apt refuses to install it. The fix belongs on the node: trust the repository's signing key or drop the untrusted source, rather than forcing the install, since an unauthenticated package from a mirror is exactly what that check exists to stop.
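Reading failures like the one above out of daemon.log by eye does not scale past a handful of nodes. The script below is an added example, not part of the original page or of Puppet: it scans puppet-agent syslog lines in the format shown above, prints each failed resource change with a short reason, and singles out the apt "cannot be authenticated" case so that unsigned-repository problems stand out from ordinary failures. The sample log is constructed from the page's own lines (with the long apt message shortened) plus one invented "Permission denied" failure; the hostname, PIDs and timestamps are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page or from Puppet): extract failed
# resource changes from puppet-agent lines in /var/log/daemon.log and classify
# why they failed.

# failed_resources [FILE...]
# Reads syslog lines (files or stdin) and prints one line per failed change:
#   <resource path><TAB><reason>
# where reason is "unauthenticated-package" when apt refused an unsigned
# package (the repository key is not trusted), and "other" for anything else.
failed_resources() {
  awk '
    /puppet-agent\[[0-9]+\]: \(\/Stage\[/ && /\) change from .* failed:/ {
      # The resource path is the parenthesised "(/Stage[main]/Class/Type[title]/property)".
      match($0, /\(\/Stage\[[^)]*\)/)
      resource = substr($0, RSTART + 1, RLENGTH - 2)
      reason = "other"
      if ($0 ~ /cannot be authenticated/) reason = "unauthenticated-package"
      print resource "\t" reason
    }' "$@"
}

# failed_count [FILE...]: number of failed changes, for a quick health check.
failed_count() {
  failed_resources "$@" | wc -l | tr -d ' '
}

# Constructed sample: the agent lines from the page (apt message shortened to
# its relevant parts) plus one invented "Permission denied" failure (Test5).
SAMPLE_LOG=$(cat <<'EOF'
May 29 15:04:17 test5 puppet-agent[11081]: (/Stage[main]/Test3/File[/tmp/test3.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test3/Package[bzip2]/ensure) change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install bzip2' returned 100: Reading package lists...#012WARNING: The following packages cannot be authenticated!#012  bzip2#012E: There are problems and -y was used without --force-yes
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test5/File[/etc/test5.conf]/ensure) change from absent to file failed: Could not set 'file' on ensure: Permission denied - /etc/test5.conf
May 29 15:04:18 test5 puppet-agent[11081]: Finished catalog run in 1.04 seconds
EOF
)

# Typical use on a node:  failed_resources /var/log/daemon.log
printf '%s\n' "$SAMPLE_LOG" | failed_resources
```

Run against the sample it prints the bzip2 package failure tagged unauthenticated-package and the invented file failure tagged other; the successful File resources and the "Finished catalog run" line are ignored. Because syslog folds the multi-line apt output into one line (the #012 newlines), a single-line match per resource is enough.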

Starting the services by hand for testing

puppet agent --server=puppet_server.domain.com --no-daemonize --verbose --onetime
puppet master --verbose --no-daemonize

Signing node requests (certificates)

http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security

This step is required before a node can connect to the server. Once node and server are running:

1. (Server) List pending requests:

sudo puppet cert --list
dns.jj.com (CF:DD:8D:0F:82:31:E6:7A:7C:27:03:C1:3D:24:95:A2)

In the logs:

sudo tail -F /var/log/daemon.log
May 30 11:31:15 puppet puppet-master[1958]: dns.jj.com has a waiting certificate request
May 30 11:31:15 puppet puppet-master[1958]: Could not find certificate for 'dns.jj.com'

2. (Server) Sign it, once the fingerprint printed by --list has been compared with the one the node itself reports (the request arrives unauthenticated, so the hostname alone proves nothing about who sent it):

sudo puppet cert --sign dns.jj.com
notice: Signed certificate request for dns.jj.com
notice: Removing file Puppet::SSL::CertificateRequest dns.jj.com at '/var/lib/puppet/ssl/ca/requests/dns.jj.com.pem'
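Signing on the hostname alone trusts whoever submitted the request: any host that can reach port 8140 on the master can send a CSR carrying any common name, and puppet cert --sign does not check where it came from. The script below is an added example, not code from the page or from Puppet: it parses the text printed by puppet cert --list, compares the listed fingerprint with one obtained from the node out of band, and only then calls puppet cert --sign. It assumes the node's fingerprint is read from its console or printed there with puppet agent --fingerprint (assumed available in this Puppet series); PUPPET_CERT is an assumed variable that defaults to "sudo puppet cert" and can be overridden for a dry run. The listing in the usage comment is the page's own dns.jj.com line.

```shell
#!/bin/sh
# Added example (not from the original page or from Puppet): sign a pending
# certificate request only after its fingerprint has been checked against one
# obtained from the node out of band. A CSR reaches the master unauthenticated,
# so "puppet cert --sign <host>" on the hostname alone trusts whoever sent it.
# Assumptions: the node reports its fingerprint via "puppet agent --fingerprint"
# or its console; PUPPET_CERT (assumed variable) defaults to "sudo puppet cert".

# csr_fingerprint LISTING HOST
# LISTING is the text printed by "puppet cert --list", one request per line:
#   dns.jj.com (CF:DD:8D:0F:...)
# Prints HOST's fingerprint; exit status 1 if HOST has no pending request.
csr_fingerprint() {
  printf '%s\n' "$1" | awk -v host="$2" '
    $1 == host { gsub(/[()]/, "", $2); print $2; found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# fingerprints_match A B
# True when the two fingerprints are equal ignoring case and colon separators,
# so a value typed from a console ("cfdd8d0f...") still compares correctly.
fingerprints_match() {
  a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# sign_if_fingerprint_matches HOST EXPECTED_FINGERPRINT [LISTING]
# LISTING defaults to a live "puppet cert --list". Signs HOST only on a match;
# exit 1 on mismatch, 2 if there is no pending request for HOST.
sign_if_fingerprint_matches() {
  host=$1
  expected=$2
  listing=${3:-$(${PUPPET_CERT:-sudo puppet cert} --list)} || return 2
  actual=$(csr_fingerprint "$listing" "$host") || {
    echo "no pending request for $host" >&2
    return 2
  }
  if fingerprints_match "$actual" "$expected"; then
    ${PUPPET_CERT:-sudo puppet cert} --sign "$host"
  else
    echo "fingerprint mismatch for $host: listed $actual, node reported $expected" >&2
    return 1
  fi
}

# Usage on the master, with the fingerprint read from the node:
#   sign_if_fingerprint_matches dns.jj.com CF:DD:8D:0F:82:31:E6:7A:7C:27:03:C1:3D:24:95:A2
```

A mismatch means either a typo or a request from a host impersonating the node; in both cases nothing is signed and the request stays pending until it is cleaned or re-checked. The same reasoning is why autosigning every request is not an option on a master reachable from untrusted networks.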

Revoking a certificate

Two ways (puppetca is the legacy name of 'puppet cert'):

sudo puppet cert --clean dns.jj.com

or

sudo puppetca --clean dns.jj.com
notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate dns.jj.com at '/var/lib/puppet/ssl/ca/signed/dns.jj.com.pem'
notice: Removing file Puppet::SSL::Certificate dns.jj.com at '/var/lib/puppet/ssl/certs/dns.jj.com.pem'

Note that --clean does two things: it revokes the certificate (its serial, 3 here, is added to the CA's CRL at /var/lib/puppet/ssl/ca/ca_crl.pem, which the master checks when agents connect, certificate_revocation being on by default) and then deletes the signed copies. Just deleting the .pem files by hand does not revoke anything: the node still holds its certificate and private key and keeps authenticating until its serial is in the CRL. The CRL contents can be confirmed with openssl crl -noout -text on that file.

Running puppetmaster as another user

sudo cp /etc/init.d/puppetmaster /etc/init.d/puppetmaster.bak
sudo vim /etc/init.d/puppetmaster

and change only this line (USER is the account the master should run as):

chown USER:USER /var/run/puppet

Then:

sudo cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.bak
sudo vim /etc/puppet/puppet.conf

and add this line in the [main] section:

[main]
...
user=USER

Restart:

sudo /etc/init.d/puppetmaster restart

Installing modules

http://docs.puppetlabs.com/puppet/2.7/reference/modules_installing.html

Errors / bugs

err: Could not call revoke: Cannot convert into OpenSSL::BN

Fix (on the server): delete the node's pending request file:

sudo rm -fr /var/lib/puppet/ssl/ca/requests/mysql-monitor-1.dev.jj.com.pem

http://docs.puppetlabs.com/references/latest/function.html#split


Could not request certificate: The certificate retrieved from the master does not match the agent's private key.#012Certificate fingerprint: FB:8A:80:D1:51:E1:7B:A6:79:64:1F:56:E8:1B:D9:68#012To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.#012On the master:#012 puppet cert clean mumble-1.dev.local.jamgo.org#012On the agent:#012 rm -f /var/lib/puppet/ssl/certs/mumble-1.dev.local.jamgo.org.pem#012 puppet agent -t

1. (Server) Remove the certificate. The error message itself recommends puppet cert clean <host>, which also revokes the old serial; deleting the signed file directly, as below, clears the mismatch but leaves that serial unrevoked:

sudo rm -fr /var/lib/puppet/ssl/ca/signed/mumble-1.dev.local.jamgo.org.pem

2. (Client) Remove the client's certificates and key, then run the agent again (puppet agent -t, as the error message says) so it generates a new key and submits a new request, which must be signed on the server again:

sudo su
rm -fr /var/lib/puppet/ssl/*