Puppet


weiter howtos

puppet grundlagen

auf allen maschinen läuft ubuntu 14.04

szenario

der spätere master server "puppet"

root@puppet:~# host tac
tac.xinux.org has address 192.168.244.52
root@puppet:~# host tic
tic.xinux.org has address 192.168.244.53

der client "tac"

root@tac:~# host puppet
puppet.xinux.org has address 192.168.244.51
root@tac:~# netstat -lntp
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd

der client "tic"

root@tic:~# host puppet
puppet.xinux.org has address 192.168.244.51
root@tic:~# netstat -lntp
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      916/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      916/sshd 

installation vom puppetmaster

root@puppet:~# apt-get update 
root@puppet:~# apt-get install puppetmaster -y

das konfigurationsverzeichnis

root@puppet:/etc/puppet# ls 
auth.conf  etckeeper-commit-post  etckeeper-commit-pre  files  fileserver.conf  manifests  modules  puppet.conf  templates

das standard site manifest

das verzeichnis ist leer

root@puppet:/etc/puppet# cd manifests/
root@puppet:/etc/puppet/manifests# ls

beispiel apache

root@puppet:/etc/puppet/manifests# cat site.pp
# site.pp: install Apache and keep the service running.
package { 'apache2':
  ensure => installed,
}

# Enabled at boot and kept running; 'require' orders this resource after the
# package so the service is never managed before apache2 is installed.
service { 'apache2':
  ensure  => true,
  enable  => true,
  require => Package['apache2'],
}

restarten des service

root@puppet:~# service puppetmaster restart
 * Restarting puppet master

installation der puppetclients

auf tac

root@tac:~# apt-get update
root@tac:~# apt-get install -y puppet

auf tic

root@tic:~# apt-get update
root@tic:~# apt-get install -y puppet

puppetd dämon starten

tac und tic

root@tac:~# puppet agent --enable
root@tac:~# service puppet restart 
 * Restarting puppet agent  
root@tic:~# puppet agent --enable
root@tic:~# service puppet restart 
 * Restarting puppet agent

kontrolle

root@tac:~# ps -elf | grep puppet
5 S root      2711     1  0  80   0 - 46195 futex_ 11:15 ?        00:00:00 /usr/bin/ruby /usr/bin/puppet agent
0 S root      2734  1516  0  80   0 -  3313 pipe_w 11:17 pts/0    00:00:00 grep --color=auto puppet
root@tic:~# ps -elf | grep puppet
5 S root      2551     1  0  80   0 - 46188 futex_ 11:15 ?        00:00:00 /usr/bin/ruby /usr/bin/puppet agent
0 S root      2571  1517  0  80   0 -  3313 pipe_w 11:17 pts/0    00:00:00 grep --color=auto puppe

mehrere puppet master

einen bestimmten puppet master festlegen

in /etc/puppet/puppet.conf

##xinux###
server = pupmaster.xinux.org
##xinux###

einfügen

bei 2 puppet servern im gleichen netz müssen anscheinend die zertifikate auf dem client gelöscht werden: ein agent, der bereits ein zertifikat von einem anderen master bezogen hat, wird vom neuen master nicht akzeptiert, weil dieses zertifikat nicht von dessen ca signiert wurde

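# Run on the agent only: removes the agent's old certificate material so it
# requests a fresh certificate from the new master. Do NOT run this on the
# master - its /var/lib/puppet/ssl holds the CA (see ssl/ca/requests above).
# The guard on cd prevents rm from running in the wrong directory.
cd /var/lib/puppet/ssl/ || exit 1
rm -R -- *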

auf dem puppet master warten zwei clients auf bestätigung

root@puppet:~# puppet ca list
 tac.xinux.org  (SHA256) 22:86:C4:D0:08:D6:79:AD:41:36:CC:50:F8:3E:2F:E2:DE:92:4D:E9:0A:27:12:45:9F:96:AD:44:F4:42:99:89
 tic.xinux.org  (SHA256) E8:26:23:54:8D:AE:09:04:BD:7A:08:73:D6:7B:46:83:8B:A7:24:8A:46:CE:21:05:FC:F1:D5:06:FA:B4:C4:29

signieren der clients

root@puppet:~# puppet ca sign tac.xinux.org
Notice: Signed certificate request for tac.xinux.org
Notice: Removing file Puppet::SSL::CertificateRequest tac.xinux.org at '/var/lib/puppet/ssl/ca/requests/tac.xinux.org.pem'
"-----BEGIN CERTIFICATE-----\n.... \n-----END CERTIFICATE-----\n"
root@puppet:~# puppet ca sign tic.xinux.org
Notice: Signed certificate request for tic.xinux.org
Notice: Removing file Puppet::SSL::CertificateRequest tic.xinux.org at '/var/lib/puppet/ssl/ca/requests/tic.xinux.org.pem'
"-----BEGIN CERTIFICATE-----\n.... \n-----END CERTIFICATE-----\n"

kontrolle

root@puppet:~# puppet ca list

die clients produktiv stellen

root@tac:~# puppet agent --enable
root@tac:~# service puppet restart
root@tic:~# puppet agent --enable
root@tic:~# service puppet restart

apache läuft

tac

root@tac:~# netstat -lntp 
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      913/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      913/sshd        
tcp6       0      0 :::80                   :::*                    LISTEN      4670/apache2  

tic

root@tic:~# netstat -lntp 
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      916/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      916/sshd        
tcp6       0      0 :::80                   :::*                    LISTEN      3772/apache2

client hinzufügen

befehle um client hinzuzufügen

auf client:

  • puppet agent --server puppetmaster --waitforcert 60 --test

auf master:

tuc

root@tuc:~# dpkg -l | grep apache2
root@tuc:~# netstat -lntp 
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      904/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      904/sshd

puppet client installation

root@tuc:~# apt-get update
root@tuc:~# apt-get install -y puppet

testweise starten

root@tuc:~# puppet agent --test
Exiting; no certificate found and waitforcert is disabled

zurück auf den server

root@puppet:~# puppet ca list
tuc.xinux.org  (SHA256) 97:1D:EA:6A:47:6A:08:01:1F:33:FE:B7:A8:9B:F3:2C:C3:6B:D6:6D:35:37:70:D9:E7:7D:7D:77:9B:F9:E1:76

signieren

root@puppet:~# puppet ca sign tuc.xinux.org
Notice: Signed certificate request for tuc.xinux.org
Notice: Removing file Puppet::SSL::CertificateRequest tuc.xinux.org at '/var/lib/puppet/ssl/ca/requests/tuc.xinux.org.pem'
"-----BEGIN CERTIFICATE-----\n ..... \n-----END CERTIFICATE-----\n"

client wieder austragen

puppet cert clean isabella.xinux.org

wieder auf dem neuen client

root@tuc:~# puppet agent --enable
root@tuc:~# service puppet restart

kontrolle der logs

root@tuc:~# tail -f /var/log/syslog  | grep puppet-agent 
Feb 20 12:24:31 tuc puppet-agent[2511]: Reopening log files
Feb 20 12:26:32 tuc puppet-agent[2511]: Did not receive certificate
Feb 20 12:27:50 tuc puppet-agent[2577]: Enabling Puppet.
Feb 20 12:28:32 tuc puppet-agent[2511]: Starting Puppet client version 3.4.3
Feb 20 12:28:45 tuc puppet-agent[2594]: (/Stage[main]/Main/Package[apache2]/ensure) ensure changed 'purged' to 'present'
Feb 20 12:28:45 tuc puppet-agent[2594]: Finished catalog run in 11.35 seconds
Feb 20 12:29:01 tuc puppet-agent[2511]: Caught TERM; calling stop
Feb 20 12:29:02 tuc puppet-agent[3756]: Reopening log files
Feb 20 12:29:02 tuc puppet-agent[3756]: Starting Puppet client version 3.4.3
Feb 20 12:29:03 tuc puppet-agent[3762]: Finished catalog run in 0.06 seconds

das ergebnis

root@tuc:~# dpkg -l | grep apache2
ii  apache2                             2.4.7-1ubuntu4.1              amd64        Apache HTTP Server
ii  apache2-bin                         2.4.7-1ubuntu4.1              amd64        Apache HTTP Server (binary files and modules)
ii  apache2-data                        2.4.7-1ubuntu4.1              all          Apache HTTP Server (common files)
root@tuc:~# netstat -lntp 
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      904/sshd        
tcp6       0      0 :::22                   :::*                    LISTEN      904/sshd        
tcp6       0      0 :::80                   :::*                    LISTEN      3573/apache2

erste versuche

# Install the Apache package.
package {
        'apache2' :
                ensure => installed
}
# Keep Apache running and enabled at boot; 'require' orders this after the
# package resource so the service is not managed before apache2 is installed.
service {
        'apache2' :
                ensure => true,
                enable => true,
                require => Package['apache2']
}

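 # Smoke test: a small file under /tmp with fixed content.
 file { 'testfile':
   path    => '/tmp/testfile',
   ensure  => present,
   # Quoted so the mode is read as octal 0640 on every Puppet version; an
   # unquoted integer is interpreted as decimal by Puppet 4+.
   mode    => '0640',
   content => "I'm a test file.",
 }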


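# Manage sshd_config from the 'ssh' module and restart ssh whenever it changes.
# NOTE(review): assumes a module 'ssh' with files/sshd_config exists on the
# master; that module is not shown on this page.
file { '/etc/ssh/sshd_config':
  ensure => file,
  # Quoted so the mode is read as octal 0600 on every Puppet version; an
  # unquoted 600 is interpreted as decimal by Puppet 4+ and sets a different mode.
  mode   => '0600',
  source => 'puppet:///modules/ssh/sshd_config',
}
service { 'ssh':
  ensure     => running,
  provider   => 'upstart',   # init system on Ubuntu 14.04
  hasrestart => true,        # use the init script's own restart/status
  hasstatus  => true,
  # Restart ssh after every change to the managed config file.
  subscribe  => File['/etc/ssh/sshd_config'],
  enable     => true,
}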

apply auf dem master

root@puppet:~# puppet apply --verbose /etc/puppet/manifests/site.pp
Notice: Compiled catalog for puppet.xinux.org in environment production in 0.13 seconds
Info: Applying configuration version '1424454643'
Info: mount[files]: allowing * access
Notice: Finished catalog run in 0.15 seconds

Puppet-Agent Installation Windows

Download

Installation

Puppet-windows.png

Zertifikat auf Master freigeben

  • puppet ca list
tuc.xinux.org  (SHA256) 97:1D:EA:6A:47:6A:08:01:1F:33:FE:B7:A8:9B:F3:2C:C3:6B:D6:6D:35:37:70:D9:E7:7D:7D:77:9B:F9:E1:76
  • puppet ca sign tuc.xinux.org
Notice: Signed certificate request for tuc.xinux.org
Notice: Removing file Puppet::SSL::CertificateRequest tuc.xinux.org at '/var/lib/puppet/ssl/ca/requests/tuc.xinux.org.pem'
"-----BEGIN CERTIFICATE-----\n ..... \n-----END CERTIFICATE-----\n"

Benutzung

Puppet-windows-2.png

bestpractice


docus

errors


vortrag

https://www.heinlein-support.de/sites/default/files/Puppet-Konfigurationsmanagement-Vortrag.pdf

password

cookbook

fileserver

mounts

manifest

apt

debian

ubuntu

templates

facts

artikel

video