=====================
Puppet study: take 3
=====================

Overview:
=========

Third time's the charm?  Any rate, need to know/understand puppet as one of
two things is going to happen within two months.  Either we're going to have
a new puppet environment at MPI or I'm going to be taking over the project ...
and we'll have a new puppet environment at MPI.

So, here's the project plan:

1. Review class notes from earlier this year
2. Study the pro puppet book that I have on kindle.
3. Install/play with puppet enterprises in kvm farm
4. Revamp the puppet install on my home network:

   a. Increase security through automated config management
   b. Rollout ossec on all nodes via puppet

Lessons learned:
================

* Firewall: On puppet master, port 8140 needs to be open::

    iptables -A INPUT -p tcp -m state --state NEW --dport 8140 -j ACCEPT

* Puppet SSL information maintained under /var/lib/puppet/ssl

Interesting commands:
=====================

puppet master --genconfig > puppet.conf
    Regenerate a default puppet.conf

puppet master --verbose --no-daemonize
    Run puppet master in the foreground.  Useful for watching initial
    configuration/ssl output.

puppet agent --test --server=${puppet-master}
    Initial client connection to puppet master.  Creates/sends CSR.

puppet cert list
    Run on the puppet master, lists out the certs to be signed.

puppet cert sign ${fqdn}
    Run on the puppet master, signs the CSR from ${fqdn}

puppet master $*
    Commands run on the puppet master

puppet agent $*
    Commands run on the puppet agent.

Interesting urls:
=================

http://docs.puppetlabs.com/references/stable/type.html
    Full list of puppet types

https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
    EPEL repo for rhel6

https://dl.fedoraproject.org/pub/epel/epel-release-latest-5.noarch.rpm
    EPEL repo for rhel5

https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
    Puppet labs repos for rhel6

https://yum.puppetlabs.com/puppetlabs-release-el-5.noarch.rpm
    Puppet labs repos for rhel5

11/15/15:
=========

Reviewed the class notes.  Most of it struck a chord; but, there's a long way
from "I remember that" to being able to hack out DSL like I do shell scripts.
One telling point:

* Testing:

  * Create a tests directory under ${basemodulepath}.  Tests is a standard,
    not a requirement.  Nothing in puppet is looking for a tests subdir.
  * init.pp contains ``include ${module_to_be_tested}``
  * ``puppet apply --noop ${base}/tests/init.pp``

I remember from take2 that the installation in chapter 1 wasn't quite right
and that I had to redo it in chapter 2.  Wondering if I should read the whole
damn book cover to cover first before going back through it again.  That
definitely applies to chapter 1.

Great; puppet ver 4 is out so I'm going to have to deconflict my current book
with that...

Installation process:
---------------------

Documentation only; skipping until chapter 2.  Using centos as the example:

1. Install EPEL repos::

     yum install \
       https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

2. Install Puppet Labs repos::

     yum install https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

3. On puppet master, install packages::

     yum install puppet puppet-server facter

4. On puppet clients, install packages::

     yum install puppet facter

Configuration:
--------------

* Configure puppet master:

  * In client/server mode, clients get puppet configuration from master so
    only configure the master.


* Run puppet master in foreground to generate ssl information
* Connect first client ``puppet agent --test --server=${server}``
* Sign the cert on the puppet master: ``puppet cert sign ${fqdn}``
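
Signing is the step where the master decides to trust a new node, so it is worth checking that the pending CSR is the one the agent actually generated before running ``puppet cert sign``. The sketch below is an added example, not part of the original notes or of Puppet itself: ``PUPPET``, ``pending_fingerprint`` and ``sign_if_match`` are hypothetical names, the ``puppet cert list`` line format is assumed to be the Puppet 3.x one (``"fqdn" (SHA256) AA:BB:...``), and the expected fingerprint is assumed to have been read on the agent with ``puppet agent --fingerprint`` and passed over a separate channel.

```shell
# Added example: PUPPET, pending_fingerprint and sign_if_match are
# hypothetical helper names, not part of Puppet.
PUPPET=${PUPPET:-puppet}   # override to point at a wrapper or a test stub

# Read `puppet cert list` output on stdin and print the fingerprint of the
# pending CSR for host $1. Assumed line format (Puppet 3.x):
#   "fqdn" (SHA256) AA:BB:CC:...
# Exits non-zero when the host has no pending request.
pending_fingerprint() {
    awk -v host="$1" '
        {
            name = $1; gsub(/"/, "", name)
            if (name != host) next
            for (i = 2; i <= NF; i++) {
                f = $i; gsub(/[()"]/, "", f)
                if (f ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/) {
                    print toupper(f); found = 1; exit
                }
            }
        }
        END { exit !found }
    '
}

# Sign the CSR for $1 only if its fingerprint on the master equals $2, the
# value read on the agent and passed over a separate channel.
# Returns 0 when signed, 1 on mismatch, 2 when no CSR is pending.
sign_if_match() {
    fqdn=$1
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    actual=$($PUPPET cert list | pending_fingerprint "$fqdn") || {
        echo "no pending CSR for $fqdn" >&2
        return 2
    }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $fqdn, not signing" >&2
        return 1
    fi
    $PUPPET cert sign "$fqdn"
}

# Usage on the master:
#   sign_if_match agent01.example.test 'AA:BB:...'
```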