Walter Heck, founder of OlinData, presented a step-by-step guide on how to set up a proper puppet repository, complete with the brand new PuppetDB, exported resources and usage of open source modules.
1. Hands-on: getting your feet wet with puppet
PuppetDB, Exported Resources, 3rd party open source modules, git submodules, inventory service
June 5th, 2012
Puppet Camp Southeast Asia
Kuala Lumpur, Malaysia
Walter Heck, OlinData
2. Overview
• Introduction OlinData
• Checkup
• Set up puppet & puppetdb
• Set up a 2nd node
• Add an open source puppet module
• Implement it and show exported resources usage
• Future of Puppet in South East Asia
3. Introduction OlinData
• OlinData
▫ MySQL Consulting
▫ Tribily Server Monitoring as a Service (http://tribily.com)
▫ Puppet training and consulting
• Founded in 2008
▫ Setup to be run remotely and location independent
• Started using Puppet in 2010
▫ Official puppetlabs partner since 02-2012
▫ Experience with large, medium and small infrastructures
4. Checkup
• Who is using puppet? Who's going to? Haven't decided yet?
• Who is using puppet in production?
▫ Stored configs? Open source modules? Exported resources? Inventory service?
5. Prerequisites
• Good mood for tinkering
• VirtualBox Debian 6.0.4 64bit VM
• Internet connection (preferably > 28k8)
6. Doing the minimum prep
• Get repository .deb package and install it
▫ This should be automated into your bootstrapping of course!
# wget http://apt.puppetlabs.com/puppetlabs-release_1.0-3_all.deb
# dpkg -i puppetlabs-release_1.0-3_all.deb
# aptitude update
# aptitude install puppetmaster-passenger puppet puppetdb puppetdb-terminus
8. Add permissions for inventory service
• Add permissions to auth.conf
#NOTE: refine this on a production server!
path /facts
auth any
method find, search
allow *
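The slide's own note says to refine this stanza on a production server: with `auth any` and `allow *`, any client that can reach port 8140, certificate or not, can search every node's facts. The following script is an added example, not from the talk, that audits an auth.conf for stanzas combining those two settings. The file it writes is a constructed sample holding the slide's stanza followed by a tightened variant (the `dashboard.example.com` host name is a placeholder).

```sh
#!/bin/sh
# Audit a Puppet auth.conf for ACL stanzas that expose an endpoint to
# unauthenticated clients (auth any) with no host restriction (allow *).
# Added example; not from the presentation.

audit_auth_conf() {
  # Usage: audit_auth_conf /etc/puppet/auth.conf
  # Prints "OPEN <path>" for every stanza that has both 'auth any' and 'allow *'.
  awk '
    function flush() {
      if (path != "" && auth == "any" && allow_all) print "OPEN " path
      path = ""; auth = "yes"; allow_all = 0      # auth defaults to yes in auth.conf
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    $1 == "path"  { flush(); path = $2; next }    # a new stanza starts at each path line
    $1 == "auth"  { auth = $2; next }
    $1 == "allow" { for (i = 2; i <= NF; i++) if ($i == "*") allow_all = 1; next }
    END { flush() }
  ' "$1"
}

# Constructed sample: the stanza from the slide, then a restricted one that only
# lets one authenticated, named host run fact searches.
write_sample_auth_conf() {
  cat > "$1" <<'EOF'
#NOTE: refine this on a production server!
path /facts
auth any
method find, search
allow *

# Tightened variant (placeholder host name)
path /facts_search
auth yes
method search
allow dashboard.example.com
EOF
}

# Run the audit against the constructed sample and print its findings.
sample_audit() {
  f=$(mktemp) || return 1
  write_sample_auth_conf "$f"
  audit_auth_conf "$f"
  rm -f "$f"
}
```

Run `audit_auth_conf /etc/puppet/auth.conf` on the master after following slide 8; any `OPEN` line is a stanza to tighten before the service faces anything beyond a lab network.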
9. Set up SSL certs
• Run the ssl generating script
#/usr/sbin/puppetdb-ssl-setup
• Set the generated password in jetty config file
#cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt
#vim /etc/puppetdb/conf.d/jetty.ini
[..]
key-password=tP35htAMH8PUcYVtCAmSVhYbf
trust-password=tP35htAMH8PUcYVtCAmSVhYbf
• Set ownership for /etc/puppetdb/ssl
#chown -R puppetdb:puppetdb /etc/puppetdb/ssl
10. Check ssl certs
• Check ssl certs for puppetdb against puppet
# keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
debian-puppetcamp.example.com, Jun 4, 2012,
PrivateKeyEntry,
Certificate fingerprint (MD5):
D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24
# puppet cert fingerprint debian-puppetcamp.example.com --digest=md5
debian-puppetcamp.example.com
D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24
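Slide 10 compares the keystore fingerprint and the Puppet CA fingerprint by eye. The script below is an added example, not from the talk, that makes the same comparison mechanically so it can sit in a bootstrap script: it parses `keytool -list` and `puppet cert fingerprint` output and reports MATCH or MISMATCH. The embedded samples are the outputs shown on the slide; `check_live` assumes keytool and puppet are on PATH and reads the keystore password from the file slide 9 names.

```sh
#!/bin/sh
# Cross-check the certificate in PuppetDB's Java keystore against the certificate
# Puppet's CA issued for the same host. A mismatch means puppetdb-ssl-setup and the
# master disagree about the host cert, and terminus/agent SSL to PuppetDB will fail.
# Added example; not from the presentation.

# Pull the MD5 fingerprint out of `keytool -list` output read from stdin.
# (MD5 is used only because it is what both tools print on the slide.)
keytool_fingerprint() {
  sed -n 's/.*Certificate fingerprint (MD5): *//p' | head -n 1 | tr -d ' \r'
}

# Pull the fingerprint out of `puppet cert fingerprint <host> --digest=md5` output
# read from stdin: it is the last whitespace-separated token printed.
puppet_fingerprint() {
  awk 'NF { fp = $NF } END { print fp }'
}

# Compare two fingerprints case-insensitively and print MATCH or MISMATCH.
compare_fingerprints() {
  a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  if [ -n "$a" ] && [ "$a" = "$b" ]; then
    echo MATCH
  else
    echo "MISMATCH (keystore=$a puppet=$b)"
  fi
}

# Live check on a real master; not invoked by default.
check_live() {
  host=$1
  pw=$(cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt)
  ks=$(keytool -list -keystore /etc/puppetdb/ssl/keystore.jks -storepass "$pw" | keytool_fingerprint)
  pc=$(puppet cert fingerprint "$host" --digest=md5 | puppet_fingerprint)
  case $(compare_fingerprints "$ks" "$pc") in
    MATCH) echo "MATCH"; return 0 ;;
    *)     echo "MISMATCH for $host"; return 1 ;;
  esac
}

# Constructed sample output, copied from the slide, to exercise the parsers offline.
KEYTOOL_SAMPLE='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

debian-puppetcamp.example.com, Jun 4, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24'

PUPPET_SAMPLE='debian-puppetcamp.example.com D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24'

# Compare the two sample outputs; prints MATCH for the slide's values.
check_sample() {
  compare_fingerprints "$(printf '%s\n' "$KEYTOOL_SAMPLE" | keytool_fingerprint)" \
                       "$(printf '%s\n' "$PUPPET_SAMPLE" | puppet_fingerprint)"
}
```

On the master, `check_live debian-puppetcamp.example.com` performs the check the slide does manually; a non-zero exit is the signal to re-run `puppetdb-ssl-setup` before restarting the services.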
11. Restart
• Restart apache/passenger & puppetdb
# /etc/init.d/puppetdb restart && apache2ctl restart
• Sit back and watch puppetdb log
2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC username was not set in config!
2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC password was not set in config!
2012-06-04 18:02:23,050 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose start
2012-06-04 18:02:23,109 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose end
2012-06-04 18:02:23,160 INFO [main] [cli.services] Starting broker
2012-06-04 18:02:24,890 INFO [main] [journal.Journal] ignoring zero length, partially initialised journal data file: db-1.log number = 1 , length = 0
2012-06-04 18:02:25,051 INFO [main] [cli.services] Starting 1 command processor threads
2012-06-04 18:02:25,063 INFO [main] [cli.services] Starting query server
2012-06-04 18:02:25,064 INFO [main] [cli.services] Starting database compactor (60 minute interval)
2012-06-04 18:02:25,087 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
2012-06-04 18:02:25,090 INFO [clojure-agent-send-off-pool-1] [mortbay.log] jetty-6.1.x
2012-06-04 18:02:25,140 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started SocketConnector@debian-puppetcamp.example.com:8080
2012-06-04 18:02:25,885 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started SslSocketConnector@debian-puppetcamp.example.com:8081
12. Test run!
• Check for listening connections
#netstat -ln | grep 808
tcp6 0 0 127.0.1.1:8080 :::* LISTEN
tcp6 0 0 127.0.1.1:8081 :::* LISTEN
• Run puppet
# puppet agent -t
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338804503'
notice: Finished catalog run in 0.09 seconds
14. The first beginnings of a new world
• Add 2 nodes to /etc/puppet/manifests/site.pp
node 'debian-puppetcamp.example.com' {
  file { '/tmp/puppet.txt':
    ensure  => present,
    content => "This is host ${::hostname}\n",
  }
}
node 'debian-node.example.com' {
  file { '/tmp/puppet.txt':
    ensure  => present,
    content => "This is host ${::hostname}\n",
  }
}
15. Adding a node
• Install puppet
# aptitude install puppet
• Point to puppetmaster
# vim /etc/hosts
<ip_of_puppetmaster> puppet
16. Signing the node
• Run puppet once to generate cert request
# puppetd -t
info: Creating a new SSL key for debian-node.example.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for debian-node.example.com
info: Certificate Request fingerprint (md5): 17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
• Sign the request on the master
# puppet cert --list --all
debian-node.example.com (17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9)
+ debian-puppetcamp.example.com (64:A6:C8:9F:FC:50:3E:79:9D:0D:19:04:4B:29:68:D1) (alt names:
DNS:debian-puppetcamp.example.com, DNS:puppet, DNS:puppet.example.com)
# puppet cert --sign debian-node.example.com
notice: Signed certificate request for debian-node.example.com
notice: Removing file Puppet::SSL::CertificateRequest debian-node.example.com at '/var/lib/puppet/ssl/ca/requests/debian-node.example.com.pem'
17. Run puppet and check result
• Run puppet on node
# puppetd -t
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for debian-node.example.com
No LSB modules are available.
info: Caching certificate_revocation_list for ca
info: Caching catalog for debian-node.example.com
info: Applying configuration version '1338822174'
notice: /Stage[main]//Node[debian-node.example.com]/File[/tmp/puppet.txt]/ensure: created
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.06 seconds
• Check result
# cat /tmp/puppet.txt
This is Host debian-node
• Say “YEAH!”
18. Adding a git submodule
• Clone the firewall submodule from github
# git submodule add https://github.com/puppetlabs/puppetlabs-firewall.git modules/firewall
Cloning into modules/firewall...
remote: Counting objects: 1065, done.
remote: Compressing objects: 100% (560/560), done.
remote: Total 1065 (delta 384), reused 1012 (delta 341)
Receiving objects: 100% (1065/1065), 158.69 KiB | 117 KiB/s, done.
Resolving deltas: 100% (384/384), done.
• Commit it to the main repo
# git add * && git commit -m 'Added 2 node defs and firewall submodule'
[master d0bab6f] Added 2 node defs and firewall submodule
Committer: root <root@debian-puppetcamp.example.com>
3 files changed, 17 insertions(+), 0 deletions(-)
create mode 100644 .gitmodules
create mode 100644 manifests/site.pp
create mode 160000 modules/firewall
19. Using the new firewall submodule
• Adjust manifests/site.pp
node 'basenode' {
  # Every node exports a rule allowing itself to reach the master on 8140;
  # nothing is applied here until a node collects the rules.
  @@firewall { "200 allow conns to the puppetmaster from ${::fqdn}":
    chain  => 'INPUT',
    action => 'accept',
    proto  => 'tcp',
    dport  => 8140,
    source => $::ipaddress_eth1,
    tag    => 'role:puppetmaster',
  }
}

# Our puppet master
node 'debian-puppetcamp.example.com' inherits basenode {
  # Gather all Firewall rules here
  Firewall <<| tag == 'role:puppetmaster' |>>
}

# Our sample node
node 'debian-node.example.com' inherits basenode {
}
20. Running puppet agent
• Execute puppet runs on both nodes
root@debian-puppetcamp:/etc/puppet# puppetd -t
info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338825096'
notice: /Firewall[200 allow conns to the puppetmaster from debian-puppetcamp.example.com]/ensure: created
notice: Finished catalog run in 0.47 seconds
root@debian-node:~# puppetd -t
No LSB modules are available.
info: Caching catalog for debian-node.example.com
info: Applying configuration version '1338825096'
notice: Finished catalog run in 0.03 seconds
root@debian-puppetcamp:/etc/puppet# puppetd -t
info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338825096'
notice: /Firewall[200 allow conns to the puppetmaster from debian-node.example.com]/ensure: created
notice: Finished catalog run in 0.22 seconds
21. Checking results
• Iptables on puppetmaster
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.0.111 anywhere multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-node.example.com */
ACCEPT tcp -- 192.168.0.109 anywhere multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-puppetcamp.example.com */
[..]
22. Inventory service
• Query for all nodes having debian squeeze
root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" "https://puppet:8140/production/facts_search/search?facts.lsbdistcodename=squeeze&facts.operatingsystem=Debian"
---
- debian-puppetcamp.example.com
- debian-node.example.com
• Query for facts about a certain node
root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml"
https://puppet:8140/production/facts/debian-puppetcamp.example.com
--- !ruby/object:Puppet::Node::Facts
expiration: 2012-06-04 18:38:21.174542 +08:00
name: debian-puppetcamp.example.com
values:
productname: VirtualBox
Kernelmajversion: "2.6"
ipaddress_eth0: 10.0.2.15
kernelversion: 2.6.32
[..]
24. OlinData and Puppet
• Training
▫ Upcoming trainings:
– Singapore – August 6-8
– Hyderabad – July 11-14
▫ Cheaper than in the West (50% or more discount!)
▫ Expanding to 5 countries in 5 months
• Consulting
▫ Remote consulting worldwide
▫ Ongoing hands-on engineering
▫ Start from scratch or improve existing environment