Robert Harker
harker at harker dot com
URL: http://www.harker.com/puppet/BayLISA100715.html
Revision 2010072501

What Is Puppet

Puppet is a configuration management tool
Written by Luke Kanies
Supported by Puppet Labs (formerly Reductive Labs)
Client/Server model
Written in Ruby

Puppet Language

Puppet decouples the syntax of the configuration management tool from the syntax of the underlying OS and applications
This allows you to define a high level idea like user, application, or service and puppet will translate that into the commands required by the client OS
Configuration information is specified in "recipes"
Recipe files end with .pp
The recipes define what the system should look like (be configured as)
Puppet then issues OS/application specific commands to change the configuration to match the desired result
Recipes are written in ruby

How Puppet Works

Puppet has a passive server called the "puppetmaster":
  Runs the RPC XML/HTTPS server listening on port 8140
  Acts as the certificate authority for the puppet clients
  Has recipes the clients can download
  Has repositories of files the clients can download
Puppet clients pull configuration information from the puppetmaster
  Client first collects local host configuration information using facter
  Client then requests a master recipe to configure the client
  This master recipe then pulls in additional recipes based on the client's configuration
  The puppet client then translates this information into host specific commands to run

Puppet is a Declarative Language

Configuration components are organized into resources
Resources are grouped into collections
Resources are made up of a type, title and a series of attributes:

  file { "/etc/hosts":
    owner => "root",
    group => "root",
  }

Type is file
Title is /etc/hosts
Attributes define the owner and group as root

Installing Puppet

I use RHEL/CentOS so I use the Fedora Project EPEL repository
  rpm -ivh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm
I then use yum on the puppetmaster:
  yum install puppet puppet-server
And on each client I install just the client:
  yum install puppet
Make sure the puppet user exists:
  id puppet

Creating a Simple Puppet Configuration

The puppetmaster is configured in two places:
  /etc/puppet/puppet.conf
  /etc/puppet/manifests/site.pp
You do not typically need to change the puppet.conf file
The site.pp pulls in all of the puppet recipes
The simplest site.pp file is:

  file { "/etc/hosts":
    owner => "root",
    group => "root",
    mode  => "644",
  }

Running the Puppet Master

The puppetmasterd runs only on the puppetmaster:
  chkconfig puppetmasterd on
  service puppetmasterd start
Look for errors in:
  /var/log/puppet/masterhttp.log

Running the Puppet client

Normally the puppet client runs as a daemon
You can run it manually:
  puppetd -v --test
If we break the hosts file:
  chmod 664 /etc/hosts
And run puppet in verbose mode:
  puppetd -v --no-daemonize
We should see:

  notice: Starting Puppet client version 0.25.5
  info: Caching catalog for puppet.kvm.harker.com
  info: Applying configuration version '1279238728'
  notice: //sysfiles/File[/etc/hosts]/mode: mode changed '664' to '644'
  notice: Finished catalog run in 0.02 seconds

Puppet Defaults In The site.pp File

  import "classes"
  import "modules"
  import "nodes"

  # The filebucket option allows for file backups to the server
  filebucket { main: server => 'puppet.kvm.harker.com' }

  # Set global defaults including backing up all files to the main
  # filebucket and adding a global path
  File { backup => main }
  Exec { path => "/usr/bin:/usr/sbin/:/bin:/sbin" }

Puppet Nodes and Classes

Puppet has three types of recipe files:
  Nodes: host or node control (configuration) files
  Classes: action files that define what to do
  Modules: reusable classes

Puppet Classes

Puppet classes define how to install and configure files, applications, services, etc...
A class is defined with:

  class Title {
  }

Resources are then added to the class
A class can have multiple resources:

  # /etc/puppet/manifests/classes/sysfiles.pp
  class sysfiles {
    file { "/etc/hosts":
      owner => "root",
      group => "root",
      mode  => "644",
    }
    file { "/etc/passwd":
      owner => "root",
      group => "root",
      mode  => "644",
    }
  }

This class is then included in a node definition with:
  include sysfiles

The Nodes File

The nodes file defines what classes and modules are applied to which hosts
Typically the node definitions are put in a nodes.pp file:
  /etc/puppet/nodes.pp
The default node is used if there is no match for a specific host
A simple site.pp file that includes the sysfiles class:

  # /etc/puppet/manifests/nodes.pp
  node default {
    include sysfiles
  }

Nodes have inheritance
A complex node can be configured by inheriting a simpler node
I start with a base node that all hosts inherit
This includes things I want done on all nodes:
  Applications installed or removed
  Services enabled or disabled
  Sitewide configuration files
You can then make a more complex node based on this inheritance:
  Webserver = basenode + apache
  MySQLserver = basenode + MySQL
You can then make a specific node or host:
  fooMysql = MySQLserver + foo specific additions
  barMysql = MySQLserver + bar specific additions
Two cautions:
  You cannot redefine resources
  Once a resource is added it is very difficult to remove it
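The base node / role node / host node layering described above, as an added example in Puppet 0.25-era node inheritance syntax (not from the slides); node names, package names and file paths are assumed for illustration, and the two cautions are shown in practice.

```puppet
# Added example, not from the slides: the base node / role node / host node
# layering described above, in the node inheritance syntax of Puppet 0.25.
# Node names, package names and paths are assumed for illustration.

node basenode {
  include sysfiles                      # sitewide files (class shown earlier)
  include ntp                           # services wanted on every host
  # Caution 2 in practice: deleting this line later would NOT uninstall the
  # package; keep the resource with ensure => absent to actually remove it.
  package { "telnet-server": ensure => absent }
}

node mysqlserver inherits basenode {
  package { "mysql-server": ensure => present }
  service { "mysqld":
    enable  => true,
    ensure  => running,
    require => Package["mysql-server"],
  }
}

node webserver inherits basenode {
  package { "httpd": ensure => present }
  service { "httpd": enable => true, ensure => running }
}

# Host specific additions sit on top of the role node.
node "foo.example.com" inherits mysqlserver {
  file { "/etc/my.cnf":
    owner  => root, group => root, mode => 644,
    source => "puppet:///files/etc/my.cnf.foo",
    notify => Service["mysqld"],
  }
}

# Caution 1 in practice: declaring file { "/etc/hosts": ... } again in a node
# fails with a duplicate definition error because sysfiles already owns it.
# To change one attribute, override it from a subclass of sysfiles instead.
class sysfiles_locked inherits sysfiles {
  File["/etc/hosts"] { mode => 444 }
}

node "bar.example.com" inherits mysqlserver {
  include sysfiles_locked
}

node default inherits basenode { }
```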
A Class To Install an Application/Service

  # /etc/puppet/manifests/classes/ntpd.pp
  class ntp {
    package { ntp: ensure => present }
    file { "/etc/ntp.conf":
      owner   => root,
      group   => root,
      mode    => 444,
      backup  => false,
      source  => "puppet:///files/etc/ntp.conf",
      require => Package["ntp"],
    }
    service { "ntpd":
      enable    => true,
      ensure    => running,
      subscribe => [ Package[ntp], File["/etc/ntp.conf"], ],
    }
  }

Puppet Modules

A puppet module is a portable collection of classes, configuration resources, templates and files that configures a particular application or function
You typically make a modules subdirectory:
  mkdir -p /etc/puppet/modules
Then a subdirectory for each module:
  mkdir -p /etc/puppet/modules/sudo
In a manifests subdirectory puppet related files get added:
  mkdir -p /etc/puppet/modules/ntpd/manifests
You would then add the ntpd.pp file:
  mv /etc/puppet/manifests/classes/ntpd.pp /etc/puppet/modules/ntpd/manifests/ntpd.pp
You can also have a module install files:
  /etc/puppet/modules/ntpd/files

Puppet Templates

Modules can also edit files on the fly:
  /etc/puppet/modules/ntpd/templates
In /etc/puppet/modules/ntpd/templates/ntp.conf:

  # /etc/ntp.conf, configuration for ntpd
  ...
  fudge 127.127.1.0 stratum <%= local_stratum %>
  ...
  includefile /etc/ntp.server.conf
  includefile /etc/ntp.client.conf

The ntp.pp recipe file:

  ...
  $local_stratum = $ntp_local_stratum ? {
    ''      => 13,
    default => $ntp_local_stratum,
  }
  config_file { "/etc/ntp.conf":
    content => template("ntp/ntp.conf"),
    require => Package[$ntp_package],
  }
  ...
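The same stratum selector carried through to a complete class, as an added example (not from the slides): the ERB template is kept inline with inline_template() so it is one file, and the server list is filled from an array variable. Variable names, the hostname and the pool servers are assumptions.

```puppet
# Added example, not from the slides: the same stratum selector, with the
# ERB template kept inline (inline_template) so everything is in one file,
# and a server list filled in from an array variable. Variable names,
# hostnames and the pool servers are assumed for illustration.

node "foo.example.com" {
  $ntp_servers       = ["0.pool.ntp.org", "1.pool.ntp.org"]
  $ntp_local_stratum = ""          # empty, so the selector falls back to 13
  include ntp
}

class ntp {
  $local_stratum = $ntp_local_stratum ? {
    ''      => 13,
    default => $ntp_local_stratum,
  }

  package { "ntp": ensure => present }

  # Facts (fqdn) and manifest variables are both visible inside the template.
  file { "/etc/ntp.conf":
    owner   => root,
    group   => root,
    mode    => 444,
    require => Package["ntp"],
    content => inline_template("# /etc/ntp.conf managed by puppet for <%= fqdn %>
<% ntp_servers.each do |s| -%>
server <%= s %> iburst
<% end -%>
server 127.127.1.0
fudge  127.127.1.0 stratum <%= local_stratum %>
restrict default kod nomodify notrap nopeer noquery
"),
  }

  # Restart ntpd whenever the rendered file or the package changes.
  service { "ntpd":
    enable    => true,
    ensure    => running,
    subscribe => [ Package["ntp"], File["/etc/ntp.conf"] ],
  }
}
```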
Some Pontificating:

Why I dislike Kickstart/Jumpstart

Both are one time tools
They lock a lot of configuration choices into their config files
You can't rerun them without reinstalling the system
The real problem:
OK, I have kickstarted the system. Now I want to:
  Add an additional package
  Change a config file
  Add a user
And the answer is: We then run [ssh|script|rsync|cfengine|puppet]...
If you are going to maintain the system with a tool after you kickstart the server then why don't you simply use that tool for all of the configuration after a minimal core kickstart install?

Periodically rebuilding servers:

One of the problems with configuration management systems is that they are not always used
You deploy the server with puppet, then some time later in an emergency you ssh to the box and make a change.
Unless you update the puppet configuration, you can no longer use puppet to rebuild the box if the server crashes.
Layout partitions so the box can be rebuilt:
  OS on one partition
  Data directories on a separate partition
  Logs if critical on a third
Rebuild your servers periodically
This is painful the first dozen times because people cheat
By doing this regularly, it keeps you honest
The wrong time to discover that puppet cannot rebuild your server is after that server has crashed
Much easier to do it in a planned maintenance window

Use puppet in all of your environments

  Production
  Staging
  Development build/test
By giving developers and staging the same environment as production you avoid gremlins like missing packages, different libraries, different kernel versions, different patches
Development and staging may have additional requirements beyond production.
Add them to the puppet configuration
Rebuild staging and development build/test servers before each (major?) code deploy.