The tutorial below is heavily drawn from Melissa Anderson's Digital Ocean tutorial here, but I tend to find writing something down helps it stick, so here goes.
Prerequisites
You will need three Ubuntu 16.04 servers (one master and two agents), each with a non-root user with sudo privileges. I used virtual machines rather than physical hardware.
DNS
Each Puppet client, known as an 'agent', needs to be able to locate the Puppet master, and it does so by DNS name. By default an agent looks up the hostname 'puppet', so for simplicity add the IP of the master to /etc/hosts on every agent-
sudo nano /etc/hosts
Add the following, editing to include the correct IP-
10.0.97.50 puppet
Configuring the Puppet Master
Firstly we will need to install the puppet repository-
curl -O https://apt.puppetlabs.com/puppetlabs-release-pc1-xenial.deb
sudo dpkg -i puppetlabs-release-pc1-xenial.deb
sudo apt-get update
And then install the puppetserver package-
sudo apt-get install puppetserver
The tutorial recommends increasing the RAM available to the Puppet Server JVM to 3 GB. This seems a little excessive for a three-node lab, but it is harmless if the VM has the memory-
Open the file-
sudo nano /etc/default/puppetserver
Edit the contents to include 3g-
JAVA_ARGS="-Xms3g -Xmx3g -XX:MaxPermSize=256m"
Note that the Java 8 runtime puppetserver pulls in no longer has a permanent generation, so it ignores -XX:MaxPermSize and prints a warning at startup; leaving the option in place does no harm.
Start the service-
sudo systemctl start puppetserver
Check to make sure the Puppet Master is running without any issues-
sudo systemctl status puppetserver
If it's running, enable it on bootup-
sudo systemctl enable puppetserver
Configuring the Puppet Agents
The following instructions will need repeating on all agents.
We will also need to install the puppet repository on the agents-
curl -O https://apt.puppetlabs.com/puppetlabs-release-pc1-xenial.deb
sudo dpkg -i puppetlabs-release-pc1-xenial.deb
sudo apt-get update
And then install the puppet package-
sudo apt-get install puppet
Start the service-
sudo systemctl start puppet
And enable it on bootup-
sudo systemctl enable puppet
Signing Agent Certificates
Puppet authenticates agents with X.509 certificates issued by the master's built-in CA. When a new agent first contacts the master it submits a certificate signing request (CSR), and until that request is signed the agent cannot retrieve a catalog. Signing can be automated (autosigning), but for now we will do it manually, which keeps a human in the loop to decide which hosts are allowed to join.
To list all certificate requests run the following command-
sudo /opt/puppetlabs/bin/puppet cert list
You should see something like the following. If a row is prefixed with a '+', it means it has already been signed-
"sys01-puppet-agent-01" (SHA256) 25:79:4C:97:7B:19:EB:ED:C5:03:AC:7C:AA:BA:73:2D:F9:98:11:CC:74:01:F4:7B:00:84:08:CF:59:F6:28:EF
"sys01-puppet-agent-02" (SHA256) 77:BB:A2:A3:18:EA:DC:5D:F5:78:17:8C:FA:14:67:1D:85:A8:57:4B:2E:0A:18:3B:E6:8C:2B:D3:FA:EA:F0:03
To sign a certificate run the command below. The fingerprint shown by cert list is the only thing that ties a request to a particular machine, so in a high security environment you'd compare it with the fingerprint the agent itself reports (sudo /opt/puppetlabs/bin/puppet agent --fingerprint, run on the agent) before signing. For now, let's just go ahead-
sudo /opt/puppetlabs/bin/puppet cert sign sys01-puppet-agent-01
You should see the following-
Signing Certificate Request for: "sys01-puppet-agent-01" (SHA256) 25:79:4C:97:7B:19:EB:ED:C5:03:AC:7C:AA:BA:73:2D:F9:98:11:CC:74:01:F4:7B:00:84:08:CF:59:F6:28:EF
Notice: Signed certificate request for sys01-puppet-agent-01
Notice: Removing file Puppet::SSL::CertificateRequest sys01-puppet-agent-01 at '/etc/puppetlabs/puppet/ssl/ca/requests/sys01-puppet-agent-01.pem'
You can also sign all pending requests at once-
sudo /opt/puppetlabs/bin/puppet cert sign --all
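Signing with --all trusts every host that can reach port 8140 and ask for a certname. The script below is an added example, not part of the original tutorial or of Puppet itself: it turns the "verify the fingerprint" advice above into a check. It assumes the fingerprint of each new agent was read off the box with puppet agent --fingerprint and recorded in an allowlist file over some channel other than the Puppet connection (console, SSH, a ticket), and it only signs pending requests whose fingerprint in puppet cert list matches that record. The cert list and allowlist contents are constructed fixtures; the two real-looking fingerprints are the ones from the cert list output shown above, and the all-AA/BB/CC ones are obvious placeholders.

```shell
#!/bin/sh
# Added example: gate `puppet cert sign` on an out-of-band fingerprint check
# instead of signing whatever is pending. Not from the original tutorial.
#
# Assumed workflow:
#   1. On each new agent:  sudo /opt/puppetlabs/bin/puppet agent --fingerprint
#      and record "<certname> <fingerprint>" in an allowlist on the master,
#      via a channel other than the Puppet connection itself.
#   2. On the master, run `sudo /opt/puppetlabs/bin/puppet cert list` into a
#      file and pass both files to to_sign; only matching requests are signed.

# Normalise a fingerprint so case, whitespace or missing colons do not cause
# spurious mismatches. The full SHA256 digest is still what gets compared.
norm_fp() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# parse_cert_list: read `puppet cert list` output on stdin and emit
# "<certname> <fingerprint>" for each *pending* request. Already-signed rows
# start with '+' and are skipped; the certname has its quotes stripped.
parse_cert_list() {
    awk 'substr($1, 1, 1) == "\"" { gsub("\"", "", $1); print $1, $3 }'
}

# allowed_fp <certname> <allowlist-file>: print the recorded fingerprint, or
# nothing if this certname was never recorded out of band.
allowed_fp() {
    awk -v n="$1" '$1 == n { print $2 }' "$2"
}

# to_sign <cert-list-file> <allowlist-file>: print the certnames that are safe
# to sign (pending, known, fingerprint matches). Anything else is reported on
# stderr and left unsigned for a human to look at.
to_sign() {
    parse_cert_list < "$1" | while read -r name fp; do
        expected=$(allowed_fp "$name" "$2")
        if [ -z "$expected" ]; then
            echo "SKIP     $name: no out-of-band fingerprint recorded" >&2
        elif [ "$(norm_fp "$fp")" = "$(norm_fp "$expected")" ]; then
            echo "$name"
        else
            echo "MISMATCH $name: master sees $fp, allowlist has $expected" >&2
        fi
    done
}

# --- constructed fixtures (replace CERT_LIST with real `puppet cert list` output) ---
WORK=$(mktemp -d)
CERT_LIST="$WORK/cert-list.txt"
ALLOWLIST="$WORK/allowlist.txt"

# One signed entry (placeholder digest) and three pending requests.
cat > "$CERT_LIST" <<'EOF'
+ "puppet" (SHA256) AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
"sys01-puppet-agent-01" (SHA256) 25:79:4C:97:7B:19:EB:ED:C5:03:AC:7C:AA:BA:73:2D:F9:98:11:CC:74:01:F4:7B:00:84:08:CF:59:F6:28:EF
"sys01-puppet-agent-02" (SHA256) 77:BB:A2:A3:18:EA:DC:5D:F5:78:17:8C:FA:14:67:1D:85:A8:57:4B:2E:0A:18:3B:E6:8C:2B:D3:FA:EA:F0:03
"sys01-puppet-agent-03" (SHA256) BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
EOF

# What was recorded from the agents themselves: agent-01 matches (recorded in
# lower case to show normalisation), agent-02 does NOT match (someone else is
# requesting that certname), agent-03 was never recorded at all.
cat > "$ALLOWLIST" <<'EOF'
sys01-puppet-agent-01 25:79:4c:97:7b:19:eb:ed:c5:03:ac:7c:aa:ba:73:2d:f9:98:11:cc:74:01:f4:7b:00:84:08:cf:59:f6:28:ef
sys01-puppet-agent-02 CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC
EOF

# Dry run by default; set DO_SIGN=1 on a real master to actually sign.
if [ "${DO_SIGN:-0}" = "1" ]; then
    to_sign "$CERT_LIST" "$ALLOWLIST" | while read -r name; do
        sudo /opt/puppetlabs/bin/puppet cert sign "$name"
    done
else
    to_sign "$CERT_LIST" "$ALLOWLIST"
fi
```

Run as-is it prints only sys01-puppet-agent-01 on stdout, with a MISMATCH line for agent-02 and a SKIP line for agent-03 on stderr. The mismatch case is the one that matters: a CSR carrying a certname you expect but a fingerprint you did not record means the request did not come from the box you provisioned, and --all would have signed it.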
Starting to manage the agents
Now the agents are connected and authorised, we can start managing them from the Puppet master. Desired state is described in files known as manifests, which end in .pp; the master compiles them into a catalog for each agent.
Lets create the default manifest-
sudo nano /etc/puppetlabs/code/environments/production/manifests/site.pp
Enter the following-
file {'/tmp/it_works.txt':                          # resource type file and filename
  ensure  => present,                               # make sure it exists
  mode    => '0644',                                # file permissions
  content => "It works on ${ipaddress_eth0}!\n",    # Print the eth0 IP fact
}
By default each agent pulls its configuration every 30 minutes (the runinterval setting), however you can force a run immediately with the following command on an agent.
sudo /opt/puppetlabs/bin/puppet agent --test
You should see the following output-
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for sys01-puppet-agent-01
Info: Applying configuration version '1496184394'
And you can then cat /tmp/it_works.txt to verify it's worked-
root@SYS01-PUPPET-AGENT-01:/home/matthew# cat /tmp/it_works.txt
It works on !
Note: the fact has not been substituted. A likely cause is that Ubuntu 16.04 uses predictable interface names (ens3, enp0s3 and the like) rather than eth0, so the legacy ipaddress_eth0 fact does not exist on the agent and interpolates as an empty string. Running /opt/puppetlabs/bin/facter networking on the agent shows the real interface names, and the structured $facts['networking']['ip'] fact avoids hardcoding one. This is something I will look into.
For the second agent, you can wait half an hour (or less, depending on when it last updated), and it_works.txt should work without any user input on the agent itself.
Conclusion
The above tutorial covers the very basics of using Puppet. A big thanks to Melissa Anderson for the original content that helped me get to grips with it.
Having studied some of the documentation and walked through the above steps, it appears logical to use and I've not been overwhelmed by jargon or buzzwords, so far.
I currently have several VMs that are all manually managed, so I'm looking forward to using this tool to make things easier, and reproducible.