A system for centralizing configuration management and package installation…
Server installation and configuration
sudo aptitude update; sudo aptitude install puppetmaster -R
1. Configuration files
1.1 Manifest
/etc/puppet/manifests/site.pp

import 'nodes/*'
$puppetserver = 'puppet_server.domain.com'
1.2 Nodes
sudo mkdir /etc/puppet/manifests/nodes/

/etc/puppet/manifests/nodes/puppet_client_1.domain.com.pp

node 'puppet_client_1.domain.com' {
    include modulo1
    include modulo2
}

/etc/puppet/manifests/nodes/puppet_client_2.domain.com.pp

node 'puppet_client_2.domain.com' {
    include modulo1
    include modulo2
}

...
1.3 Modules
sudo mkdir -p /etc/puppet/modules/modulo1/{files,templates,manifests}

/etc/puppet/modules/modulo1/files/modulo1.txt
Just an empty file

/etc/puppet/modules/modulo1/manifests/init.pp

class modulo1 {
    package { sudo:
        ensure => present,
    }
    file { "/tmp/modulo1.txt":
        owner  => "root",
        group  => "root",
        mode   => 0440,
        source => "puppet:///modules/modulo1/modulo1.txt",
    }
}
In this example:
* We install the 'sudo' package (if it is not already installed)
* We copy the file:
puppet_server.domain.com:/etc/puppet/modules/modulo1/files/modulo1.txt
To:
puppet_client_1.domain.com:/tmp/modulo1.txt
Note that the URL is:
puppet:///modules/modulo1/modulo1.txt
* Important: the file (/etc/puppet/modules/modulo1/files/modulo1.txt) must be readable by the 'puppet' user, which is the user that runs the client
2. Starting/restarting/stopping the service
- Enable debug
sudo cp /etc/default/puppetmaster /etc/default/puppetmaster.old
sudo vim /etc/default/puppetmaster
And make sure the following line reads:
...
DAEMON_OPTS="--verbose"
...
Reload the configuration (a restart is NOT needed):
sudo /etc/init.d/puppetmaster force-reload
Restarting puppet master.
Check:
ps aux | grep puppetmaster
puppet 14997 0.5 7.2 136952 37012 ? Ssl 09:59 0:00 /usr/bin/ruby1.8 /usr/bin/puppet master --verbose --masterport=8140
- Start/stop/restart
sudo /etc/init.d/puppetmaster start|stop|restart
* Reload the configuration (a restart is NOT needed):
sudo /etc/init.d/puppetmaster force-reload
3. Logs
/var/log/puppet/masterhttp.log
/var/log/daemon.log
Node (client) installation and configuration
1. Install packages
sudo aptitude update; sudo aptitude install puppet -R
2. Configure it so that it can be started as a daemon:
sudo mv /etc/default/puppet /etc/default/puppet.old
sudo vim /etc/default/puppet

# Start puppet on boot?
START=yes
# Startup options
DAEMON_OPTS="--verbose"
If we wanted to redirect the log to another file we could use the following config, but it does not work entirely well for me (there are messages that I think are not recorded, and an entry keeps appearing saying that the log is being reopened…)

# Start puppet on boot?
START=yes
# Startup options
DAEMON_OPTS="--verbose --logdest /var/log/puppet.log"
3. Set the name of the server it connects to:
sudo cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.old
sudo vim /etc/puppet/puppet.conf
And add to it:
server=puppet_server.domain.com
4. Start the client:
NOTE: for everything to work properly, the node should probably be defined on the server beforehand
sudo /etc/init.d/puppet restart
Restarting puppet agent.
5. Check the logs:
sudo tail -F /var/log/daemon.log
May 29 15:04:03 test5 puppet-master[1931]: Caught TERM; calling stop
May 29 15:04:05 test5 puppet-master[11049]: Reopening log files
May 29 15:04:05 test5 puppet-master[11049]: Starting Puppet master version 2.6.2
May 29 15:04:14 test5 puppet-agent[10852]: Caught TERM; calling stop
May 29 15:04:16 test5 puppet-agent[11081]: Reopening log files
May 29 15:04:16 test5 puppet-agent[11081]: Starting Puppet client version 2.6.2
May 29 15:04:17 test5 puppet-master[11049]: Compiled catalog for test5.jj.com in environment production in 0.21 seconds
May 29 15:04:17 test5 puppet-agent[11081]: (/Stage[main]/Test3/File[/tmp/test3.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test3/Package[bzip2]/ensure) change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install bzip2' returned 100: Reading package lists...#012Building dependency tree...#012Reading state information...#012Suggested packages:#012 bzip2-doc#012The following NEW packages will be installed:#012 bzip2#0120 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.#012Need to get 50.5 kB of archives.#012After this operation, 164 kB of additional disk space will be used.#012WARNING: The following packages cannot be authenticated!#012 bzip2#012E: There are problems and -y was used without --force-yes
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test4/File[/tmp/test4.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test2/File[/tmp/test2.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
May 29 15:04:18 test5 puppet-agent[11081]: Finished catalog run in 1.04 seconds
Explanation
May 29 15:04:17 test5 puppet-agent[11081]: (/Stage[main]/Test3/File[/tmp/test3.txt]/ensure) defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
The 'Test3' manifest has been applied. Depending on what it includes, it may produce more lines, for example when installing the 'bzip2' package (here the install failed because apt could not authenticate the package, as the log itself shows):
May 29 15:04:18 test5 puppet-agent[11081]: (/Stage[main]/Test3/Package[bzip2]/ensure) change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install bzip2' returned 100: Reading package lists...#012Building dependency tree...#012Reading state information...#012Suggested packages:#012 bzip2-doc#012The following NEW packages will be installed:#012 bzip2#0120 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.#012Need to get 50.5 kB of archives.#012After this operation, 164 kB of additional disk space will be used.#012WARNING: The following packages cannot be authenticated!#012 bzip2#012E: There are problems and -y was used without --force-yes
Starting the services for testing
- Client
puppet agent --server=puppet_server.domain.com --no-daemonize --verbose --onetime
- Server
puppet master --verbose --no-daemonize
Signing node requests (certificates)
http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security
This step is required before a node can connect to the server. Once node and server are running:
1. (Server) List pending requests:
sudo puppet cert --list
dns.jj.com (CF:DD:8D:0F:82:31:E6:7A:7C:27:03:C1:3D:24:95:A2)
In the logs:
sudo tail -F /var/log/daemon.log
May 30 11:31:15 puppet puppet-master[1958]: dns.jj.com has a waiting certificate request
May 30 11:31:15 puppet puppet-master[1958]: Could not find certificate for 'dns.jj.com'
2. (Server) Sign it:
sudo puppet cert --sign dns.jj.com
notice: Signed certificate request for dns.jj.com
notice: Removing file Puppet::SSL::CertificateRequest dns.jj.com at '/var/lib/puppet/ssl/ca/requests/dns.jj.com.pem'
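Signing whatever `puppet cert --list` shows is the point at which a host is admitted under a node name, so it is worth verifying the request's fingerprint against one recorded out of band (for instance read off the node itself) before signing. The following is an added example, not code from the original page or from Puppet; it assumes the `puppet cert --list` output format shown above ("certname (fingerprint)") and an allow-list kept by the admin as lines of "certname fingerprint".

```shell
# Added example, not from the original page: sign a request only when its fingerprint
# matches the one the admin recorded out of band for that certname.
# Assumed formats: `puppet cert --list` lines of "<certname> (<fingerprint>)" as shown
# above, and an allow-list of "<certname> <fingerprint>" lines.

# Fingerprint of the pending request for one certname, or empty if none is pending.
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { gsub(/[()]/, "", $2); print $2 }'
}

# Fingerprint the admin recorded for that certname, or empty if the node is unknown.
expected_fingerprint() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2 }'
}

# 0 when both fingerprints exist and are equal, 1 otherwise.
# Arguments: <list output> <allow-list text> <certname>
request_matches_allowlist() {
    pending=$(pending_fingerprint "$1" "$3")
    expected=$(expected_fingerprint "$2" "$3")
    [ -n "$pending" ] && [ -n "$expected" ] && [ "$pending" = "$expected" ]
}

# Sign only when the check passes; otherwise leave the request pending for manual review.
sign_if_allowed() {
    if request_matches_allowlist "$1" "$2" "$3"; then
        sudo puppet cert --sign "$3"
    else
        echo "refusing to sign $3: no request, unknown node, or fingerprint mismatch" >&2
        return 1
    fi
}

# Constructed sample input: dns.jj.com's fingerprint as listed above, plus an invented
# second request (web.jj.com) whose fingerprint does not match what the admin recorded.
SAMPLE_LIST='dns.jj.com (CF:DD:8D:0F:82:31:E6:7A:7C:27:03:C1:3D:24:95:A2)
web.jj.com (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'
SAMPLE_ALLOWLIST='dns.jj.com CF:DD:8D:0F:82:31:E6:7A:7C:27:03:C1:3D:24:95:A2
web.jj.com FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Live use: sign_if_allowed "$(sudo puppet cert --list)" "$(cat /etc/puppet/allowlist.txt)" dns.jj.com
```

With the sample data, dns.jj.com passes the check and web.jj.com is refused because its pending fingerprint differs from the recorded one.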
Revoking a certificate
Two ways:
sudo puppet cert --clean dns.jj.com
or
sudo puppetca --clean dns.jj.com

notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate dns.jj.com at '/var/lib/puppet/ssl/ca/signed/dns.jj.com.pem'
notice: Removing file Puppet::SSL::Certificate dns.jj.com at '/var/lib/puppet/ssl/certs/dns.jj.com.pem'
Running puppetmaster as another user
sudo cp /etc/init.d/puppetmaster /etc/init.d/puppetmaster.bak
sudo vim /etc/init.d/puppetmaster
And change only this line:
chown USUARIO:USUARIO /var/run/puppet

sudo cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.bak
sudo vim /etc/puppet/puppet.conf
And add this line in the [main] section:
[main]
...
user=usuario
Restart:
sudo /etc/init.d/puppetmaster restart
Installing modules
Errors / bugs
err: Could not call revoke: Cannot convert into OpenSSL::BN
sudo rm -fr /var/lib/puppet/ssl/ca/requests/mysql-monitor-1.dev.jj.com.pem
- The split() function does not work properly in version 2.6. Upgrade to 2.7.x (it works for me on 2.7.18)
http://docs.puppetlabs.com/references/latest/function.html#split
Could not request certificate: The certificate retrieved from the master does not match the agent's private key.#012Certificate fingerprint: FB:8A:80:D1:51:E1:7B:A6:79:64:1F:56:E8:1B:D9:68#012To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.#012On the master:#012 puppet cert clean mumble-1.dev.local.jamgo.org#012On the agent:#012 rm -f /var/lib/puppet/ssl/certs/mumble-1.dev.local.jamgo.org.pem#012 puppet agent -t
1. (Server) Delete the certificate:
sudo rm -fr /var/lib/puppet/ssl/ca/signed/mumble-1.dev.local.jamgo.org.pem
2. (Client) Delete the certificates:
sudo su
rm -fr /var/lib/puppet/ssl/*
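Before wiping /var/lib/puppet/ssl/* on the agent, it is worth confirming that the certificate really was issued for a different key, which is what the error above reports. The following is an added check, not code from the original page or from Puppet: it compares the RSA modulus of the agent's private key with the modulus in its certificate using openssl. It assumes the certificate lives under /var/lib/puppet/ssl/certs/ (as shown above) and the private key under /var/lib/puppet/ssl/private_keys/ (an assumption; the page does not show that path), both named after the node's certname, taken here to be the FQDN.

```shell
# Added example, not from the original page. A certificate matches a private key exactly
# when both carry the same RSA modulus; a mismatch confirms the error above.
# Path assumption (not shown on the page): the private key is under
# /var/lib/puppet/ssl/private_keys/<certname>.pem; the certificate path is the page's own.

# Print a digest of the RSA modulus of a private key ("key") or an X.509 certificate ("cert").
modulus_digest() {
    case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" 2>/dev/null | openssl md5 ;;
        cert) openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl md5 ;;
    esac
}

# 0 when the certificate was issued for this private key,
# 1 when it was not or when either file is missing or unreadable.
cert_matches_key() {
    key="$1"; cert="$2"
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    [ "$(modulus_digest key "$key")" = "$(modulus_digest cert "$cert")" ]
}

# Agent-side check with the default paths; certname assumed to be the FQDN (hostname -f).
check_agent_cert() {
    name=$(hostname -f)
    cert_matches_key "/var/lib/puppet/ssl/private_keys/$name.pem" \
                     "/var/lib/puppet/ssl/certs/$name.pem"
}

# Example invocation: only regenerate when the mismatch is confirmed.
# check_agent_cert && echo "certificate matches key" \
#     || echo "mismatch: clean the cert on the master and the agent, then run puppet agent -t"
```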