Puppet


weiter howtos


puppet grundlagen

auf allen maschinen läuft ubuntu 14.04

szenario

der spätere master server "puppet"

root@puppet:~# host tac
tac.xinux.org has address 192.168.244.52
root@puppet:~# host tic
tic.xinux.org has address 192.168.244.53

der client "tac"

root@tac:~# host puppet
puppet.xinux.org has address 192.168.244.51
root@tac:~# netstat -lntp
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd

der client "tic"

root@tic:~# host puppet
puppet.xinux.org has address 192.168.244.51
root@tic:~# netstat -lntp
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      916/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      916/sshd 

installation vom puppetmaster

root@puppet:~# apt-get update 
root@puppet:~# apt-get install puppetmaster -y

das konfigurationsverzeichnis

root@puppet:/etc/puppet# ls 
auth.conf  etckeeper-commit-post  etckeeper-commit-pre  files  fileserver.conf  manifests  modules  puppet.conf  templates

das standard site manifest

das verzeichnis ist leer

root@puppet:/etc/puppet# cd manifests/
root@puppet:/etc/puppet/manifests# ls

beispiel apache

root@puppet:/etc/puppet/manifests# cat site.pp
# Install apache2 and keep its service running and enabled at boot.
package { 'apache2':
  ensure => 'installed',
}

# 'running' is the documented spelling of the service state that
# the bare value true also selects.
service { 'apache2':
  ensure => 'running',
  enable => true,
}

# Same ordering edge as require => Package['apache2']: the package is
# applied before the service is managed.
Package['apache2'] -> Service['apache2']

restarten des service

root@puppet:~# service puppetmaster restart
 * Restarting puppet master

installation der puppetclients

auf tac

root@tac:~# apt-get update
root@tac:~# apt-get install -y puppet

auf tic

root@tic:~# apt-get update
root@tic:~# apt-get install -y puppet

puppetd dämon starten

tac und tic

root@tac:~# puppet agent --enable
root@tac:~# service puppet restart 
 * Restarting puppet agent  
root@tic:~# puppet agent --enable
root@tic:~# service puppet restart 
 * Restarting puppet agent

kontrolle

root@tac:~# ps -elf | grep puppet
5 S root      2711     1  0  80   0 - 46195 futex_ 11:15 ?        00:00:00 /usr/bin/ruby /usr/bin/puppet agent
0 S root      2734  1516  0  80   0 -  3313 pipe_w 11:17 pts/0    00:00:00 grep --color=auto puppet
root@tic:~# ps -elf | grep puppet
5 S root      2551     1  0  80   0 - 46188 futex_ 11:15 ?        00:00:00 /usr/bin/ruby /usr/bin/puppet agent
0 S root      2571  1517  0  80   0 -  3313 pipe_w 11:17 pts/0    00:00:00 grep --color=auto puppet

auf dem puppet master warten zwei clients auf bestätigung

root@puppet:~# puppet ca list
 tac.xinux.org  (SHA256) 22:86:C4:D0:08:D6:79:AD:41:36:CC:50:F8:3E:2F:E2:DE:92:4D:E9:0A:27:12:45:9F:96:AD:44:F4:42:99:89
 tic.xinux.org  (SHA256) E8:26:23:54:8D:AE:09:04:BD:7A:08:73:D6:7B:46:83:8B:A7:24:8A:46:CE:21:05:FC:F1:D5:06:FA:B4:C4:29

signieren der clients – vorher den angezeigten fingerprint mit der ausgabe von `puppet agent --fingerprint` auf dem jeweiligen client vergleichen, damit nur bekannte hosts signiert werden

root@puppet:~# puppet ca sign tac.xinux.org
Notice: Signed certificate request for tac.xinux.org
Notice: Removing file Puppet::SSL::CertificateRequest tac.xinux.org at '/var/lib/puppet/ssl/ca/requests/tac.xinux.org.pem'
"-----BEGIN CERTIFICATE-----\.... \n-----END CERTIFICATE-----\n"
root@puppet:~# puppet ca sign tic.xinux.org
Notice: Signed certificate request for tic.xinux.org
Notice: Removing file Puppet::SSL::CertificateRequest tic.xinux.org at '/var/lib/puppet/ssl/ca/requests/tic.xinux.org.pem'
"-----BEGIN CERTIFICATE-----\n.... \n-----END CERTIFICATE-----\n"

kontrolle

root@puppet:~# puppet ca list

die clients produktiv stellen

root@tac:~# puppet agent --enable
root@tac:~# service puppet restart
root@tic:~# puppet agent --enable
root@tic:~# service puppet restart

apache läuft

tac

root@tac:~# netstat -lntp 
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd        
tcp6       0      0 :::80                   :::*                    LISTEN      4670/apache2  

tic

root@tic:~# netstat -lntp 
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      916/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      916/sshd        
tcp6       0      0 :::80                   :::*                    LISTEN      3772/apache2

client hinzufügen

tuc

root@tuc:~# dpkg -l | grep apache2
root@tuc:~# netstat -lntp 
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      904/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      904/sshd

puppet client installation

root@tuc:~# apt-get update
root@tuc:~# apt-get install -y puppet

testweise starten

root@tuc:~# puppet agent --test
Exiting; no certificate found and waitforcert is disabled

zurück auf den server

root@puppet:~# puppet ca list
tuc.xinux.org  (SHA256) 97:1D:EA:6A:47:6A:08:01:1F:33:FE:B7:A8:9B:F3:2C:C3:6B:D6:6D:35:37:70:D9:E7:7D:7D:77:9B:F9:E1:76

signieren

root@puppet:~# puppet ca sign tuc.xinux.org
Notice: Signed certificate request for tuc.xinux.org
Notice: Removing file Puppet::SSL::CertificateRequest tuc.xinux.org at '/var/lib/puppet/ssl/ca/requests/tuc.xinux.org.pem'
"-----BEGIN CERTIFICATE-----\n ..... \n-----END CERTIFICATE-----\n"

client wieder austragen (zertifikat auf dem master widerrufen und entfernen)

puppet cert clean isabella.xinux.org

wieder auf dem neuen client

root@tuc:~# puppet agent --enable
root@tuc:~# service puppet restart

kontrolle der logs

root@tuc:~# tail -f /var/log/syslog  | grep puppet-agent 
Feb 20 12:24:31 tuc puppet-agent[2511]: Reopening log files
Feb 20 12:26:32 tuc puppet-agent[2511]: Did not receive certificate
Feb 20 12:27:50 tuc puppet-agent[2577]: Enabling Puppet.
Feb 20 12:28:32 tuc puppet-agent[2511]: Starting Puppet client version 3.4.3
Feb 20 12:28:45 tuc puppet-agent[2594]: (/Stage[main]/Main/Package[apache2]/ensure) ensure changed 'purged' to 'present'
Feb 20 12:28:45 tuc puppet-agent[2594]: Finished catalog run in 11.35 seconds
Feb 20 12:29:01 tuc puppet-agent[2511]: Caught TERM; calling stop
Feb 20 12:29:02 tuc puppet-agent[3756]: Reopening log files
Feb 20 12:29:02 tuc puppet-agent[3756]: Starting Puppet client version 3.4.3
Feb 20 12:29:03 tuc puppet-agent[3762]: Finished catalog run in 0.06 seconds

das ergebnis

root@tuc:~# dpkg -l | grep apache2
ii  apache2                             2.4.7-1ubuntu4.1              amd64        Apache HTTP Server
ii  apache2-bin                         2.4.7-1ubuntu4.1              amd64        Apache HTTP Server (binary files and modules)
ii  apache2-data                        2.4.7-1ubuntu4.1              all          Apache HTTP Server (common files)
root@tuc:~# netstat -lntp 
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      904/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      904/sshd        
tcp6       0      0 :::80                   :::*                    LISTEN      3573/apache2

erste versuche

# apache2: package present, service started and enabled at boot.
package { 'apache2':
  ensure => 'installed',
}

service { 'apache2':
  # true is the documented alias for 'running' on the service type
  ensure => 'running',
  enable => true,
}

# Ordering only (same as require => Package['apache2']): the package
# is applied first, the service afterwards.
Package['apache2'] -> Service['apache2']

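 # Throwaway file exercising the file type: explicit path, mode and content.
 file { 'testfile':
   ensure  => present,
   path    => '/tmp/testfile',
   # Quoted on purpose: bare numeric modes are deprecated, and a bare 0640
   # is an octal integer literal (416) in newer parsers, which would yield
   # the wrong permissions. The string '0640' is read as octal.
   mode    => '0640',
   content => "I'm a test file.",
 }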


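# Deploy sshd_config from the ssh module and restart sshd when it changes.
# owner/group are pinned so the file is not left writable by another
# account; mode is quoted because bare numeric modes are deprecated and
# a bare 600/0600 is read as an integer literal by newer parsers.
file { '/etc/ssh/sshd_config':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0600',
  source => 'puppet:///modules/ssh/sshd_config',
}

# Restart sshd through upstart whenever the config file changes.
# NOTE(review): a syntactically broken sshd_config is deployed and sshd
# restarted as-is, which can lock out remote logins — confirm the source
# file is checked (e.g. with sshd -t) before it lands on the master.
service { 'ssh':
  ensure     => running,
  enable     => true,
  provider   => 'upstart',
  hasrestart => true,
  hasstatus  => true,
  subscribe  => File['/etc/ssh/sshd_config'],
}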

apply auf dem master

root@puppet:~# puppet apply --verbose /etc/puppet/manifests/site.pp
Notice: Compiled catalog for puppet.xinux.org in environment production in 0.13 seconds
Info: Applying configuration version '1424454643'
Info: mount[files]: allowing * access
Notice: Finished catalog run in 0.15 seconds

bestpractice


docus

errors


vortrag

https://www.heinlein-support.de/sites/default/files/Puppet-Konfigurationsmanagement-Vortrag.pdf

password

cookbook

fileserver

mounts

manifest

apt

debian

ubuntu

templates

facts

artikel

video