PuppetCamp SEA 1 - Use of Puppet

Walter Heck, founder of OlinData, presented a step-by-step guide on how to set up a proper puppet repository, complete with the brand new PuppetDB, exported resources and usage of open source modules.

Transcript

  • 1. Hands-on: getting your feet wet with puppet
    PuppetDB, Exported Resources, 3rd party open source modules, git submodules, inventory service
    June 5th, 2012, Puppet Camp Southeast Asia, Kuala Lumpur, Malaysia
    Walter Heck, OlinData
  • 2. Overview
    • Introduction OlinData
    • Checkup
    • Set up puppet & puppetdb
    • Set up a 2nd node
    • Add an open source puppet module
    • Implement it and show exported resources usage
    • Future of Puppet in South East Asia
  • 3. Introduction OlinData
    • OlinData
      ▫ MySQL Consulting
      ▫ Tribily Server Monitoring as a Service (http://tribily.com)
      ▫ Puppet training and consulting
    • Founded in 2008
      ▫ Set up to be run remotely and location independent
    • Started using Puppet in 2010
      ▫ Official puppetlabs partner since 02-2012
      ▫ Experience with large, medium and small infrastructures
  • 4. Checkup
    • Who is using puppet? Who's going to? Haven't decided yet?
    • Who is using puppet in production?
      ▫ Stored configs? Open source modules? Exported resources? Inventory service?
  • 5. Prerequisites
    • Good mood for tinkering
    • VirtualBox Debian 6.0.4 64bit VM
    • Internet connection (preferably > 28k8)
  • 6. Doing the minimum prep
    • Get repository .deb package and install it
      ▫ This should be automated into your bootstrapping of course!
      # wget http://apt.puppetlabs.com/puppetlabs-release_1.0-3_all.deb
      # dpkg -i puppetlabs-release_1.0-3_all.deb
      # aptitude update
      # aptitude install puppetmaster-passenger puppet puppetdb puppetdb-terminus
  • 7. Adjust puppet config files
    • /etc/puppet/puppetdb.conf
      [main]
      server = debian-puppetcamp.example.com
      port = 8081
    • /etc/puppet/puppet.conf
      [master]
      storeconfigs = true
      storeconfigs_backend = puppetdb
    • /etc/puppet/routes.yaml
      master:
        facts:
          terminus: puppetdb
          cache: yaml
  • 8. Add permissions for inventory service
    • Add permissions to auth.conf
      # NOTE: refine this on a production server!
      path /facts
      auth any
      method find, search
      allow *
  • 9. Set up SSL certs
    • Run the ssl generating script
      # /usr/sbin/puppetdb-ssl-setup
    • Set the generated password in jetty config file
      # cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt
      # vim /etc/puppetdb/conf.d/jetty.ini
      [..]
      key-password=tP35htAMH8PUcYVtCAmSVhYbf
      trust-password=tP35htAMH8PUcYVtCAmSVhYbf
    • Set ownership for /etc/puppetdb/ssl
      # chown -R puppetdb:puppetdb /etc/puppetdb/ssl
  • 10. Check ssl certs
    • Check ssl certs for puppetdb against puppet
      # keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
      Enter keystore password:
      Keystore type: JKS
      Keystore provider: SUN

      Your keystore contains 1 entry

      debian-puppetcamp.example.com, Jun 4, 2012, PrivateKeyEntry,
      Certificate fingerprint (MD5): D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24
      # puppet cert fingerprint debian-puppetcamp.example.com --digest=md5
      debian-puppetcamp.example.com D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24
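The slide leaves the two fingerprints to be compared by eye. As an added example (not from the presentation), this POSIX shell snippet pulls the MD5 fingerprint out of the keytool listing and out of the `puppet cert fingerprint` line and compares them, so a PuppetDB keystore that was generated out of step with the Puppet CA is caught before the services are restarted. Both captured outputs are constructed samples shaped like the slide's.

```shell
#!/bin/sh
# Added example: compare the keystore certificate fingerprint (keytool) with
# the Puppet CA's copy of the same certificate (puppet cert fingerprint).
# Constructed sample of `keytool -list -keystore keystore.jks` output:
KEYTOOL_OUT='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

debian-puppetcamp.example.com, Jun 4, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24'

# Constructed sample of `puppet cert fingerprint <certname> --digest=md5` output:
PUPPET_OUT='debian-puppetcamp.example.com D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24'

# keytool_fp TEXT: the hex string after the "(MD5):" label, upper-cased
keytool_fp() {
  printf '%s\n' "$1" | sed -n 's/.*(MD5): *//p' | tr 'a-f' 'A-F'
}

# puppet_fp TEXT: second field of the "<certname> <fingerprint>" line, upper-cased
puppet_fp() {
  printf '%s\n' "$1" | awk 'NF >= 2 { print toupper($2); exit }'
}

# fingerprints_match KEYTOOL_TEXT PUPPET_TEXT: exit 0 only when both
# fingerprints were found and are identical
fingerprints_match() {
  a=$(keytool_fp "$1")
  b=$(puppet_fp "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

if fingerprints_match "$KEYTOOL_OUT" "$PUPPET_OUT"; then
  echo "keystore certificate matches the Puppet CA copy"
else
  echo "MISMATCH: rerun puppetdb-ssl-setup and check again before restarting" >&2
fi
```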
  • 11. Restart
    • Restart apache/passenger & puppetdb
      # /etc/init.d/puppetdb restart && apache2ctl restart
    • Sit back and watch puppetdb log
      2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC username was not set in config!
      2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC password was not set in config!
      2012-06-04 18:02:23,050 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose start
      2012-06-04 18:02:23,109 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose end
      2012-06-04 18:02:23,160 INFO [main] [cli.services] Starting broker
      2012-06-04 18:02:24,890 INFO [main] [journal.Journal] ignoring zero length, partially initialised journal data file: db-1.log number = 1 , length = 0
      2012-06-04 18:02:25,051 INFO [main] [cli.services] Starting 1 command processor threads
      2012-06-04 18:02:25,063 INFO [main] [cli.services] Starting query server
      2012-06-04 18:02:25,064 INFO [main] [cli.services] Starting database compactor (60 minute interval)
      2012-06-04 18:02:25,087 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
      2012-06-04 18:02:25,090 INFO [clojure-agent-send-off-pool-1] [mortbay.log] jetty-6.1.x
      2012-06-04 18:02:25,140 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started SocketConnector@debian-puppetcamp.example.com:8080
      2012-06-04 18:02:25,885 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started SslSocketConnector@debian-puppetcamp.example.com:8081
  • 12. Test run!
    • Check for listening connections
      # netstat -ln | grep 808
      tcp6  0  0  127.0.1.1:8080  :::*  LISTEN
      tcp6  0  0  127.0.1.1:8081  :::*  LISTEN
    • Run puppet
      # puppet agent -t
      No LSB modules are available.
      info: Caching catalog for debian-puppetcamp.example.com
      info: Applying configuration version 1338804503
      notice: Finished catalog run in 0.09 seconds
  • 13. Create git repo/get submodule
    • Create a git repo of our puppet repository
      # git init
      Initialized empty Git repository in /etc/puppet/.git/
      # git add *
      # git commit -m "initial commit"
      [master (root-commit) bf0eff5] initial commit
      Committer: root <root@debian-puppetcamp.example.com>
      6 files changed, 157 insertions(+), 0 deletions(-)
      create mode 100755 auth.conf
      create mode 100644 fileserver.conf
      create mode 100644 puppet.conf
      create mode 100644 puppetdb.conf
      create mode 100644 routes.yaml
  • 14. The first beginnings of a new world
    • Add 2 nodes to /etc/puppet/manifests/site.pp
      node debian-puppetcamp.example.com {
        file { '/tmp/puppet.txt':
          ensure  => present,
          content => "This is host ${::hostname}\n",
        }
      }

      node debian-node.example.com {
        file { '/tmp/puppet.txt':
          ensure  => present,
          content => "This is host ${::hostname}\n",
        }
      }
  • 15. Adding a node
    • Install puppet
      # aptitude install puppet
    • Point to puppetmaster
      # vim /etc/hosts
      <ip_of_puppetmaster> puppet
  • 16. Signing the node
    • Run puppet once to generate cert request
      # puppetd -t
      info: Creating a new SSL key for debian-node.example.com
      warning: peer certificate won't be verified in this SSL session
      info: Caching certificate for ca
      warning: peer certificate won't be verified in this SSL session
      warning: peer certificate won't be verified in this SSL session
      info: Creating a new SSL certificate request for debian-node.example.com
      info: Certificate Request fingerprint (md5): 17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9
      warning: peer certificate won't be verified in this SSL session
      warning: peer certificate won't be verified in this SSL session
      warning: peer certificate won't be verified in this SSL session
      Exiting; no certificate found and waitforcert is disabled
    • Sign the request on the master
      # puppet cert --list --all
        debian-node.example.com (17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9)
      + debian-puppetcamp.example.com (64:A6:C8:9F:FC:50:3E:79:9D:0D:19:04:4B:29:68:D1) (alt names: DNS:debian-puppetcamp.example.com, DNS:puppet, DNS:puppet.example.com)
      # puppet cert --sign debian-node.example.com
      notice: Signed certificate request for debian-node.example.com
      notice: Removing file Puppet::SSL::CertificateRequest debian-node.example.com at /var/lib/puppet/ssl/ca/requests/debian-node.example.com.pem
  • 17. Run puppet and check result
    • Run puppet on node
      # puppetd -t
      warning: peer certificate won't be verified in this SSL session
      info: Caching certificate for debian-node.example.com
      No LSB modules are available.
      info: Caching certificate_revocation_list for ca
      info: Caching catalog for debian-node.example.com
      info: Applying configuration version 1338822174
      notice: /Stage[main]//Node[debian-node.example.com]/File[/tmp/puppet.txt]/ensure: created
      info: Creating state file /var/lib/puppet/state/state.yaml
      notice: Finished catalog run in 0.06 seconds
    • Check result
      # cat /tmp/puppet.txt
      This is Host debian-node
    • Say "YEAH!"
  • 18. Adding a git submodule
    • Clone the firewall submodule from github
      # git submodule add https://github.com/puppetlabs/puppetlabs-firewall.git modules/firewall
      Cloning into modules/firewall...
      remote: Counting objects: 1065, done.
      remote: Compressing objects: 100% (560/560), done.
      remote: Total 1065 (delta 384), reused 1012 (delta 341)
      Receiving objects: 100% (1065/1065), 158.69 KiB | 117 KiB/s, done.
      Resolving deltas: 100% (384/384), done.
    • Commit it to the main repo
      # git add * && git commit -m "Added 2 node defs and firewall submodule"
      [master d0bab6f] Added 2 node defs and firewall submodule
      Committer: root <root@debian-puppetcamp.example.com>
      3 files changed, 17 insertions(+), 0 deletions(-)
      create mode 100644 .gitmodules
      create mode 100644 manifests/site.pp
      create mode 160000 modules/firewall
  • 19. Using the new firewall submodule
    • Adjust manifests/site.pp
      node basenode {
        # Every node exports a rule that lets its own eth1 address reach
        # the puppetmaster on 8140; nothing is applied locally yet
        @@firewall { "200 allow conns to the puppetmaster from ${::fqdn}":
          chain  => 'INPUT',
          action => 'accept',
          proto  => 'tcp',
          dport  => 8140,
          source => $::ipaddress_eth1,
          tag    => 'role:puppetmaster',
        }
      }

      # Our puppet master
      node debian-puppetcamp.example.com inherits basenode {
        # Gather all Firewall rules here (collected from PuppetDB)
        Firewall <<| tag == 'role:puppetmaster' |>>
      }

      # Our sample node
      node debian-node.example.com inherits basenode { }
  • 20. Running puppet agent
    • Execute puppet runs on both nodes
      root@debian-puppetcamp:/etc/puppet# puppetd -t
      info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
      No LSB modules are available.
      info: Caching catalog for debian-puppetcamp.example.com
      info: Applying configuration version 1338825096
      notice: /Firewall[200 allow conns to the puppetmaster from debian-puppetcamp.example.com]/ensure: created
      notice: Finished catalog run in 0.47 seconds

      root@debian-node:~# puppetd -t
      No LSB modules are available.
      info: Caching catalog for debian-node.example.com
      info: Applying configuration version 1338825096
      notice: Finished catalog run in 0.03 seconds

      root@debian-puppetcamp:/etc/puppet# puppetd -t
      info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
      No LSB modules are available.
      info: Caching catalog for debian-puppetcamp.example.com
      info: Applying configuration version 1338825096
      notice: /Firewall[200 allow conns to the puppetmaster from debian-node.example.com]/ensure: created
      notice: Finished catalog run in 0.22 seconds
  • 21. Checking results
    • Iptables on puppetmaster
      # iptables -L
      Chain INPUT (policy ACCEPT)
      target  prot opt source         destination
      ACCEPT  tcp  --  192.168.0.111  anywhere  multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-node.example.com */
      ACCEPT  tcp  --  192.168.0.109  anywhere  multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-puppetcamp.example.com */
      [..]
  • 22. Inventory service
    • Query for all nodes having debian squeeze
      root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" "https://puppet:8140/production/facts_search/search?facts.lsbdistcodename=squeeze&facts.operatingsystem=Debian"
      ---
      - debian-puppetcamp.example.com
      - debian-node.example.com
    • Query for facts about a certain node
      root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" https://puppet:8140/production/facts/debian-puppetcamp.example.com
      --- !ruby/object:Puppet::Node::Facts
      expiration: 2012-06-04 18:38:21.174542 +08:00
      name: debian-puppetcamp.example.com
      values:
        productname: VirtualBox
        Kernelmajversion: "2.6"
        ipaddress_eth0: 10.0.2.15
        kernelversion: 2.6.32
      [..]
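The inventory queries above work from a plain `curl -k` with no client certificate only because the auth.conf stanza from slide 8 has `auth any` and `allow *`, which the slide itself flags as something to refine before production: with it, any host that can reach port 8140 can list every node's facts. As an added example (not from the presentation), this POSIX shell snippet audits one auth.conf path stanza and classifies its exposure, showing the slide's stanza beside a tightened one; both stanzas are constructed samples, and the certname in the hardened allow line is assumed to be the puppetmaster's own.

```shell
#!/bin/sh
# Added example: classify how exposed an auth.conf path stanza is.
# Constructed sample: the stanza as shown on slide 8.
WEAK_STANZA='path /facts
auth any
method find, search
allow *'

# Constructed hardened variant: require a signed client certificate and
# name the only certname (assumed: the puppetmaster) allowed to query facts.
HARDENED_STANZA='path /facts
auth yes
method find, search
allow debian-puppetcamp.example.com'

# audit_path CONF_TEXT PATH  (plain, non-regex "path" lines only)
#   open       -> no client cert required and any host allowed
#   weak       -> one of the two is unrestricted
#   restricted -> cert required (auth yes, the default) and explicit allow list
#   missing    -> no stanza for PATH, so auth.conf's later defaults apply
audit_path() {
  printf '%s\n' "$1" | awk -v want="$2" '
    # each "path" line starts a new stanza; only inspect the wanted one
    $1 == "path" { inpath = ($2 == want); if (inpath) found = 1; next }
    inpath && $1 == "auth"  { auth = $2 }
    inpath && $1 == "allow" { allow = $2 }
    END {
      if (!found)                             print "missing"
      else if (auth == "any" && allow == "*") print "open"
      else if (auth == "any" || allow == "*") print "weak"
      else                                    print "restricted"
    }'
}

echo "slide stanza:    $(audit_path "$WEAK_STANZA" /facts)"       # open
echo "hardened stanza: $(audit_path "$HARDENED_STANZA" /facts)"   # restricted
```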
  • 23. OlinData and Puppet
    • Training
      ▫ Upcoming trainings:
        – Singapore – August 6-8
        – Hyderabad – July 11-14
      ▫ Cheaper than in the West (50% or more discount!)
      ▫ Expanding to 5 countries in 5 months
    • Consulting
      ▫ Remote consulting worldwide
      ▫ Ongoing hands-on engineering
      ▫ Start from scratch or improve existing environment
  • 24. Walter Heck (walterheck@olindata.com)
    @walterheck / @olindata
    #PuppetCampSEA
    http://www.olindata.com
    Like us on Facebook: http://fb.me/olindata