Puppet: Difference between revisions
Thomas (talk | contribs) (→docus) |
|||
(34 intermediate revisions by 4 users not shown) | |||
Zeile 1: | Zeile 1: | ||
+ | =weiter howtos= | ||
+ | *[[puppet handling]] | ||
+ | *[[Templates]] | ||
+ | *[[neuste version & Future passer]] | ||
+ | *[[NFS Server verteilen]] | ||
+ | |||
=puppet grundlagen= | =puppet grundlagen= | ||
Zeile 28: | Zeile 34: | ||
tcp6 0 0 :::22 :::* LISTEN 916/sshd | tcp6 0 0 :::22 :::* LISTEN 916/sshd | ||
==installation vom puppetmaster== | ==installation vom puppetmaster== | ||
+ | *[[puppet von puppetlabs]] | ||
+ | *[[puppet mit github]] | ||
root@puppet:~# apt-get update | root@puppet:~# apt-get update | ||
root@puppet:~# apt-get install puppetmaster -y | root@puppet:~# apt-get install puppetmaster -y | ||
Zeile 53: | Zeile 61: | ||
root@puppet:~# service puppetmaster restart | root@puppet:~# service puppetmaster restart | ||
* Restarting puppet master | * Restarting puppet master | ||
+ | |||
==installation der puppetclients== | ==installation der puppetclients== | ||
auf tac | auf tac | ||
Zeile 62: | Zeile 71: | ||
==puppetd dämon starten== | ==puppetd dämon starten== | ||
tac und tic | tac und tic | ||
+ | |||
+ | root@tac:~# puppet agent --enable | ||
root@tac:~# service puppet restart | root@tac:~# service puppet restart | ||
* Restarting puppet agent | * Restarting puppet agent | ||
+ | root@tac:~# puppet agent --enable | ||
root@tic:~# service puppet restart | root@tic:~# service puppet restart | ||
* Restarting puppet agent | * Restarting puppet agent | ||
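Review bot: The second added `puppet agent --enable` line carries the prompt `root@tac`, although the restart that follows it runs on `root@tic`; as written, the agent on tic is never enabled. Change the prompt on that line to `root@tic:~#`.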
Zeile 74: | Zeile 86: | ||
5 S root 2551 1 0 80 0 - 46188 futex_ 11:15 ? 00:00:00 /usr/bin/ruby /usr/bin/puppet agent | 5 S root 2551 1 0 80 0 - 46188 futex_ 11:15 ? 00:00:00 /usr/bin/ruby /usr/bin/puppet agent | ||
0 S root 2571 1517 0 80 0 - 3313 pipe_w 11:17 pts/0 00:00:00 grep --color=auto puppe | 0 S root 2571 1517 0 80 0 - 3313 pipe_w 11:17 pts/0 00:00:00 grep --color=auto puppe | ||
+ | ==mehrer puppet master== | ||
+ | einen bestimmten puppet master festlegen | ||
+ | |||
+ | in/etc/puppet/puppet.conf | ||
+ | ##xinux### | ||
+ | server = pupmaster.xinux.org | ||
+ | ##xinux### | ||
+ | einfügen | ||
+ | |||
+ | bei 2 puppet server im gleichen netz müssen anscheinend die zertifikate gelöscht werden | ||
+ | cd /var/lib/puppet/ssl/ | ||
+ | |||
+ | rm -R* | ||
==auf dem puppet master warten zwei clients auf bestätigung== | ==auf dem puppet master warten zwei clients auf bestätigung== | ||
root@puppet:~# puppet ca list | root@puppet:~# puppet ca list | ||
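Review bot: `rm -R*` in the new "mehrer puppet master" section is missing the space before `*`, so rm receives `-R*` as an option string and fails, and the text does not say on which host the deletion is meant to run. Write it as `rm -R *` and state that it applies to the client only, because /var/lib/puppet/ssl on the master also holds the CA (the signing output further down the page shows `/var/lib/puppet/ssl/ca/requests/`). A sentence saying that the client then has to request and receive a new signed certificate would complete the step.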
Zeile 113: | Zeile 138: | ||
=client hinzufügen= | =client hinzufügen= | ||
+ | ==befehle um client hinzuzufügen== | ||
+ | auf client: | ||
+ | *puppet agent --server puppetmaster --waitforcert 60 --test | ||
+ | auf master: | ||
+ | *puppet cert --list | ||
+ | *puppet cert --sign puppetclient | ||
+ | *https://shapeshed.com/connecting-clients-to-a-puppet-master/ | ||
+ | |||
tuc | tuc | ||
root@tuc:~# dpkg -l | grep apache2 | root@tuc:~# dpkg -l | grep apache2 | ||
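Review bot: The new command list goes from `puppet cert --list` straight to `puppet cert --sign puppetclient`, with no step that checks the request's fingerprint against the client. Add a step between the two that compares the fingerprint in the list output with the one shown on the client (`puppet agent --fingerprint`). The rest of the page uses `puppet ca list` and `puppet ca sign`, so either use the same form here or say that both are equivalent.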
Zeile 134: | Zeile 167: | ||
Notice: Removing file Puppet::SSL::CertificateRequest tuc.xinux.org at '/var/lib/puppet/ssl/ca/requests/tuc.xinux.org.pem' | Notice: Removing file Puppet::SSL::CertificateRequest tuc.xinux.org at '/var/lib/puppet/ssl/ca/requests/tuc.xinux.org.pem' | ||
"-----BEGIN CERTIFICATE-----\n ..... \n-----END CERTIFICATE-----\n" | "-----BEGIN CERTIFICATE-----\n ..... \n-----END CERTIFICATE-----\n" | ||
+ | ==client wieder austragen== | ||
+ | puppet cert clean isabella.xinux.org | ||
+ | |||
==wieder auf dem neuen client== | ==wieder auf dem neuen client== | ||
root@tuc:~# puppet agent --enable | root@tuc:~# puppet agent --enable | ||
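Review bot: `puppet cert clean isabella.xinux.org` names a host that appears nowhere else on the page and has no prompt showing where it is run. Use `tuc.xinux.org`, the client this section adds, and prefix the line with `root@puppet:~#` so it is clear the certificate is removed on the master.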
Zeile 204: | Zeile 240: | ||
Info: mount[files]: allowing * access | Info: mount[files]: allowing * access | ||
Notice: Finished catalog run in 0.15 seconds | Notice: Finished catalog run in 0.15 seconds | ||
+ | |||
+ | =Puppet-Agent Installation Windows= | ||
+ | ==Download== | ||
+ | *https://downloads.puppetlabs.com/windows/puppet-agent-x64-latest.msi | ||
+ | |||
+ | ==Installation== | ||
+ | [[Datei:puppet-windows.png]] | ||
+ | |||
+ | ==Zertifikat auf Master freigeben== | ||
+ | *puppet ca list | ||
+ | <pre> | ||
+ | tuc.xinux.org (SHA256) 97:1D:EA:6A:47:6A:08:01:1F:33:FE:B7:A8:9B:F3:2C:C3:6B:D6:6D:35:37:70:D9:E7:7D:7D:77:9B:F9:E1:76 | ||
+ | </pre> | ||
+ | *puppet ca sign tuc.xinux.org | ||
+ | <pre> | ||
+ | Notice: Signed certificate request for tuc.xinux.org | ||
+ | Notice: Removing file Puppet::SSL::CertificateRequest tuc.xinux.org at '/var/lib/puppet/ssl/ca/requests/tuc.xinux.org.pem' | ||
+ | "-----BEGIN CERTIFICATE-----\n ..... \n-----END CERTIFICATE-----\n" | ||
+ | </pre> | ||
+ | |||
+ | ==Benutzung== | ||
+ | [[Datei:puppet-windows-2.png]] | ||
+ | |||
+ | =bestpractice= | ||
+ | *[[bacula-fd über puppet]] | ||
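Review bot: The output under "Zertifikat auf Master freigeben" repeats the tuc.xinux.org signing output from the Linux client section instead of showing the Windows host's own request, and the Installation step is only a screenshot, so the master name entered in the installer is not recorded in text. Replace the sample with the Windows client's certname and state the master hostname used. Since the download link points at a `latest` MSI, also note which agent version was installed.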
Zeile 211: | Zeile 272: | ||
+ | |||
+ | ==vortrag== | ||
+ | https://www.heinlein-support.de/sites/default/files/Puppet-Konfigurationsmanagement-Vortrag.pdf | ||
+ | ==password== | ||
+ | *http://razius.com/articles/generating-password-hashes-for-puppet/ | ||
+ | |||
+ | ==cookbook== | ||
+ | *http://www.puppetcookbook.com/ | ||
==fileserver== | ==fileserver== | ||
− | https://docs.puppetlabs.com/guides/file_serving.html | + | *https://docs.puppetlabs.com/guides/file_serving.html |
+ | ==mounts== | ||
+ | *https://awaseroot.wordpress.com/2012/11/03/puppet-module-for-etcfstab-mounts/ | ||
+ | |||
+ | ==manifest== | ||
*https://docs.puppetlabs.com/learning/manifests.html | *https://docs.puppetlabs.com/learning/manifests.html | ||
+ | ==apt== | ||
+ | *http://stackoverflow.com/questions/22571622/run-all-add-apt-repository-commands-first-then-run-a-single-apt-get-update | ||
+ | ==debian== | ||
*https://docs.puppetlabs.com/guides/install_puppet/install_debian_ubuntu.html | *https://docs.puppetlabs.com/guides/install_puppet/install_debian_ubuntu.html | ||
+ | |||
+ | ==ubuntu== | ||
*https://www.howtoforge.com/puppet-ubuntu-14.04 | *https://www.howtoforge.com/puppet-ubuntu-14.04 | ||
+ | ==templates== | ||
+ | *https://docs.puppetlabs.com/guides/templating.html | ||
+ | ==facts== | ||
+ | *http://docs.puppetlabs.com/facter/latest/custom_facts.html?parent=Patterns#adding-custom-facts-to-facter | ||
+ | |||
+ | ==artikel== | ||
*https://www.jerger.org/blog-lang/-/blogs/puppetmaster-einer-sie-alle-zu-knechten- | *https://www.jerger.org/blog-lang/-/blogs/puppetmaster-einer-sie-alle-zu-knechten- | ||
+ | *http://www.linux-magazin.de/Ausgaben/2008/10/Puppenspiel | ||
+ | *http://www.myanubix.de/2015/01/02/schnelleinstieg-in-puppet/ | ||
+ | *http://www.myanubix.de/2015/01/03/osx-system-provisioning-mit-puppet/ | ||
=video= | =video= | ||
*https://www.youtube.com/watch?v=l86W-WKzhBo | *https://www.youtube.com/watch?v=l86W-WKzhBo |
Current revision as of 8 September 2022, 19:52
further howtos
puppet basics
all machines run Ubuntu 14.04
scenario
the future master server "puppet"
    root@puppet:~# host tac
    tac.xinux.org has address 192.168.244.52
    root@puppet:~# host tic
    tic.xinux.org has address 192.168.244.53
the client "tac"
    root@tac:~# host puppet
    puppet.xinux.org has address 192.168.244.51

    root@tac:~# netstat -lntp
    Aktive Internetverbindungen (Nur Server)
    Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
    tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   913/sshd
    tcp6       0      0 :::22           :::*              LISTEN   913/sshd
the client "tic"
    root@tic:~# host puppet
    puppet.xinux.org has address 192.168.244.51

    root@tic:~# netstat -lntp
    Aktive Internetverbindungen (Nur Server)
    Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
    tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   916/sshd
    tcp6       0      0 :::22           :::*              LISTEN   916/sshd
installing the puppetmaster
    root@puppet:~# apt-get update
    root@puppet:~# apt-get install puppetmaster -y
the configuration directory
    root@puppet:/etc/puppet# ls
    auth.conf  etckeeper-commit-post  etckeeper-commit-pre  files  fileserver.conf  manifests  modules  puppet.conf  templates
the default site manifest
the directory is empty
    root@puppet:/etc/puppet# cd manifests/
    root@puppet:/etc/puppet/manifests# ls
example: apache
    root@puppet:/etc/puppet/manifests# cat site.pp
    package { 'apache2' :
      ensure => installed
    }
    service { 'apache2' :
      ensure  => true,
      enable  => true,
      require => Package['apache2']
    }
restarting the service
    root@puppet:~# service puppetmaster restart
     * Restarting puppet master
installing the puppet clients
on tac
    root@tac:~# apt-get update
    root@tac:~# apt-get install -y puppet
on tic
    root@tic:~# apt-get update
    root@tic:~# apt-get install -y puppet
starting the puppetd daemon
tac and tic
    root@tac:~# puppet agent --enable
    root@tac:~# service puppet restart
     * Restarting puppet agent
    root@tic:~# puppet agent --enable
    root@tic:~# service puppet restart
     * Restarting puppet agent
check
    root@tac:~# ps -elf | grep puppet
    5 S root 2711 1 0 80 0 - 46195 futex_ 11:15 ? 00:00:00 /usr/bin/ruby /usr/bin/puppet agent
    0 S root 2734 1516 0 80 0 - 3313 pipe_w 11:17 pts/0 00:00:00 grep --color=auto puppet

    root@tic:~# ps -elf | grep puppet
    5 S root 2551 1 0 80 0 - 46188 futex_ 11:15 ? 00:00:00 /usr/bin/ruby /usr/bin/puppet agent
    0 S root 2571 1517 0 80 0 - 3313 pipe_w 11:17 pts/0 00:00:00 grep --color=auto puppe
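multiple puppet masters
pinning a specific puppet master
insert into /etc/puppet/puppet.conf:
    ##xinux###
    server = pupmaster.xinux.org
    ##xinux###
with 2 puppet servers in the same network, the certificates apparently have to be deleted. Do this on the client only: on the master, /var/lib/puppet/ssl also holds the CA (see the ca/requests path in the signing output below).
    cd /var/lib/puppet/ssl/
    rm -R *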
on the puppet master, two clients are waiting for approval
    root@puppet:~# puppet ca list
    tac.xinux.org (SHA256) 22:86:C4:D0:08:D6:79:AD:41:36:CC:50:F8:3E:2F:E2:DE:92:4D:E9:0A:27:12:45:9F:96:AD:44:F4:42:99:89
    tic.xinux.org (SHA256) E8:26:23:54:8D:AE:09:04:BD:7A:08:73:D6:7B:46:83:8B:A7:24:8A:46:CE:21:05:FC:F1:D5:06:FA:B4:C4:29
signing the clients
    root@puppet:~# puppet ca sign tac.xinux.org
    Notice: Signed certificate request for tac.xinux.org
    Notice: Removing file Puppet::SSL::CertificateRequest tac.xinux.org at '/var/lib/puppet/ssl/ca/requests/tac.xinux.org.pem'
    "-----BEGIN CERTIFICATE-----\.... \n-----END CERTIFICATE-----\n"
    root@puppet:~# puppet ca sign tic.xinux.org
    Notice: Signed certificate request for tic.xinux.org
    Notice: Removing file Puppet::SSL::CertificateRequest tic.xinux.org at '/var/lib/puppet/ssl/ca/requests/tic.xinux.org.pem'
    "-----BEGIN CERTIFICATE-----\n.... \n-----END CERTIFICATE-----\n"
check
    root@puppet:~# puppet ca list
putting the clients into production
    root@tac:~# puppet agent --enable
    root@tac:~# service puppet restart
    root@tic:~# puppet agent --enable
    root@tic:~# service puppet restart
apache is running
tac
    root@tac:~# netstat -lntp
    Aktive Internetverbindungen (Nur Server)
    Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
    tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   913/sshd
    tcp6       0      0 :::22           :::*              LISTEN   913/sshd
    tcp6       0      0 :::80           :::*              LISTEN   4670/apache2
tic
    root@tic:~# netstat -lntp
    Aktive Internetverbindungen (Nur Server)
    Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
    tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   916/sshd
    tcp6       0      0 :::22           :::*              LISTEN   916/sshd
    tcp6       0      0 :::80           :::*              LISTEN   3772/apache2
adding a client
commands for adding a client
on the client:
- puppet agent --server puppetmaster --waitforcert 60 --test
on the master:
- puppet cert --list
- puppet cert --sign puppetclient
- https://shapeshed.com/connecting-clients-to-a-puppet-master/
tuc
    root@tuc:~# dpkg -l | grep apache2
    root@tuc:~# netstat -lntp
    Aktive Internetverbindungen (Nur Server)
    Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
    tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   904/sshd
    tcp6       0      0 :::22           :::*              LISTEN   904/sshd
puppet client installation
    root@tuc:~# apt-get update
    root@tuc:~# apt-get install -y puppet
test run
    root@tuc:~# puppet agent --test
    Exiting; no certificate found and waitforcert is disabled
back on the server
    root@puppet:~# puppet ca list
    tuc.xinux.org (SHA256) 97:1D:EA:6A:47:6A:08:01:1F:33:FE:B7:A8:9B:F3:2C:C3:6B:D6:6D:35:37:70:D9:E7:7D:7D:77:9B:F9:E1:76
signing
    root@puppet:~# puppet ca sign tuc.xinux.org
    Notice: Signed certificate request for tuc.xinux.org
    Notice: Removing file Puppet::SSL::CertificateRequest tuc.xinux.org at '/var/lib/puppet/ssl/ca/requests/tuc.xinux.org.pem'
    "-----BEGIN CERTIFICATE-----\n ..... \n-----END CERTIFICATE-----\n"
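The list output above carries a SHA256 fingerprint for each pending request; signing is only meaningful if that value is the one the client itself reports (for example via `puppet agent --fingerprint`). The following is an added example, not part of the original page: the function names `csr_fingerprint` and `may_sign` are hypothetical, and the sample input is the list output shown on this page.

```shell
#!/bin/sh
# Added example: gate `puppet ca sign` on a fingerprint comparison.
# Function names are hypothetical; the list format is the one shown on this page.

# csr_fingerprint CERTNAME
# Reads `puppet ca list` output on stdin, prints "DIGEST FINGERPRINT" for CERTNAME.
# Exit status 1 if no pending request carries that name.
csr_fingerprint() {
    awk -v host="$1" '
        { name = $1; gsub(/"/, "", name) }   # tolerate a quoted certname
        name == host { gsub(/[()]/, "", $2); print $2, $3; found = 1; exit }
        END { exit !found }'
}

# may_sign CERTNAME EXPECTED_FP   (list output on stdin)
# 0 = pending request matches EXPECTED_FP, 1 = mismatch,
# 2 = no pending request for CERTNAME, 3 = digest is not SHA256.
may_sign() {
    pending=$(csr_fingerprint "$1") || return 2
    digest=${pending%% *}
    # Compare case-insensitively: hex digits may be printed in either case.
    seen=$(printf '%s' "${pending#* }" | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$digest" = "SHA256" ] || return 3
    [ "$seen" = "$want" ]
}

# `puppet ca list` output as shown on this page (tac and tuc).
SAMPLE_LIST='tac.xinux.org (SHA256) 22:86:C4:D0:08:D6:79:AD:41:36:CC:50:F8:3E:2F:E2:DE:92:4D:E9:0A:27:12:45:9F:96:AD:44:F4:42:99:89
tuc.xinux.org (SHA256) 97:1D:EA:6A:47:6A:08:01:1F:33:FE:B7:A8:9B:F3:2C:C3:6B:D6:6D:35:37:70:D9:E7:7D:7D:77:9B:F9:E1:76'

# Constructed: the value read on the client and handed to the operator out of
# band. It is the tuc fingerprint from this page, lower-cased on purpose.
AGENT_FP='97:1d:ea:6a:47:6a:08:01:1f:33:fe:b7:a8:9b:f3:2c:c3:6b:d6:6d:35:37:70:d9:e7:7d:7d:77:9b:f9:e1:76'

if printf '%s\n' "$SAMPLE_LIST" | may_sign tuc.xinux.org "$AGENT_FP"; then
    echo "match: puppet ca sign tuc.xinux.org"
else
    echo "no match: leave the request unsigned"
fi
```

On a real master the check would be fed with `puppet ca list | may_sign tuc.xinux.org "$AGENT_FP"` and the sign command run only on exit status 0.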
removing a client again
    puppet cert clean isabella.xinux.org
back on the new client
    root@tuc:~# puppet agent --enable
    root@tuc:~# service puppet restart
checking the logs
    root@tuc:~# tail -f /var/log/syslog | grep puppet-agent
    Feb 20 12:24:31 tuc puppet-agent[2511]: Reopening log files
    Feb 20 12:26:32 tuc puppet-agent[2511]: Did not receive certificate
    Feb 20 12:27:50 tuc puppet-agent[2577]: Enabling Puppet.
    Feb 20 12:28:32 tuc puppet-agent[2511]: Starting Puppet client version 3.4.3
    Feb 20 12:28:45 tuc puppet-agent[2594]: (/Stage[main]/Main/Package[apache2]/ensure) ensure changed 'purged' to 'present'
    Feb 20 12:28:45 tuc puppet-agent[2594]: Finished catalog run in 11.35 seconds
    Feb 20 12:29:01 tuc puppet-agent[2511]: Caught TERM; calling stop
    Feb 20 12:29:02 tuc puppet-agent[3756]: Reopening log files
    Feb 20 12:29:02 tuc puppet-agent[3756]: Starting Puppet client version 3.4.3
    Feb 20 12:29:03 tuc puppet-agent[3762]: Finished catalog run in 0.06 seconds
the result
    root@tuc:~# dpkg -l | grep apache2
    ii apache2      2.4.7-1ubuntu4.1 amd64 Apache HTTP Server
    ii apache2-bin  2.4.7-1ubuntu4.1 amd64 Apache HTTP Server (binary files and modules)
    ii apache2-data 2.4.7-1ubuntu4.1 all   Apache HTTP Server (common files)
    root@tuc:~# netstat -lntp
    Aktive Internetverbindungen (Nur Server)
    Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
    tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   904/sshd
    tcp6       0      0 :::22           :::*              LISTEN   904/sshd
    tcp6       0      0 :::80           :::*              LISTEN   3573/apache2
first attempts
    # install Apache and keep the service running and enabled at boot
    package { 'apache2' :
      ensure => installed
    }
    service { 'apache2' :
      ensure  => true,
      enable  => true,
      require => Package['apache2']
    }
    # file modes are quoted octal strings so they are never read as decimal numbers
    file { 'testfile':
      path    => '/tmp/testfile',
      ensure  => present,
      mode    => '0640',
      content => "I'm a test file.",
    }
    # sshd_config is served from the ssh module and readable by root only
    file { '/etc/ssh/sshd_config':
      ensure => file,
      mode   => '0600',
      source => 'puppet:///modules/ssh/sshd_config',
    }
    # restart ssh whenever the managed sshd_config changes
    service { 'ssh':
      ensure     => running,
      provider   => 'upstart',
      hasrestart => true,
      hasstatus  => true,
      subscribe  => File['/etc/ssh/sshd_config'],
      enable     => true,
    }
apply on the master
    root@puppet:~# puppet apply --verbose /etc/puppet/manifests/site.pp
    Notice: Compiled catalog for puppet.xinux.org in environment production in 0.13 seconds
    Info: Applying configuration version '1424454643'
    Info: mount[files]: allowing * access
    Notice: Finished catalog run in 0.15 seconds
Puppet agent installation on Windows
Download
Installation
Approve the certificate on the master
- puppet ca list
    tuc.xinux.org (SHA256) 97:1D:EA:6A:47:6A:08:01:1F:33:FE:B7:A8:9B:F3:2C:C3:6B:D6:6D:35:37:70:D9:E7:7D:7D:77:9B:F9:E1:76
- puppet ca sign tuc.xinux.org
    Notice: Signed certificate request for tuc.xinux.org
    Notice: Removing file Puppet::SSL::CertificateRequest tuc.xinux.org at '/var/lib/puppet/ssl/ca/requests/tuc.xinux.org.pem'
    "-----BEGIN CERTIFICATE-----\n ..... \n-----END CERTIFICATE-----\n"
Usage
bestpractice
docus
errors
talk
https://www.heinlein-support.de/sites/default/files/Puppet-Konfigurationsmanagement-Vortrag.pdf
password
cookbook
fileserver
mounts
manifest
apt
debian
ubuntu
templates
facts
articles
- https://www.jerger.org/blog-lang/-/blogs/puppetmaster-einer-sie-alle-zu-knechten-
- http://www.linux-magazin.de/Ausgaben/2008/10/Puppenspiel
- http://www.myanubix.de/2015/01/02/schnelleinstieg-in-puppet/
- http://www.myanubix.de/2015/01/03/osx-system-provisioning-mit-puppet/