
PuppetCamp SEA 1 - Use of Puppet


DESCRIPTION

Walter Heck, founder of OlinData, presented a step-by-step guide on how to set up a proper puppet repository, complete with the brand new PuppetDB, exported resources and usage of open source modules.


Page 1: PuppetCamp SEA 1 - Use of Puppet

Hands-on: getting your feet wet with puppet

June 5th, 2012 Puppet Camp Southeast Asia Kuala Lumpur, Malaysia Walter Heck, OlinData

PuppetDB, Exported Resources, 3rd party open source modules, git submodules, inventory service

Page 2: PuppetCamp SEA 1 - Use of Puppet

Overview

•  Introduction OlinData
•  Checkup
•  Set up puppet & puppetdb
•  Set up a 2nd node
•  Add an open source puppet module
•  Implement it and show exported resources usage
•  Future of Puppet in South East Asia

Page 3: PuppetCamp SEA 1 - Use of Puppet

Introduction OlinData

•  OlinData
   ▫  MySQL consulting
   ▫  Tribily Server Monitoring as a Service (http://tribily.com)
   ▫  Puppet training and consulting
•  Founded in 2008
   ▫  Set up to be run remotely and location independent
•  Started using Puppet in 2010
   ▫  Official puppetlabs partner since 02-2012
   ▫  Experience with large, medium and small infrastructures

Page 4: PuppetCamp SEA 1 - Use of Puppet

Checkup

•  Who is using puppet? Who's going to? Haven't decided yet?
•  Who is using puppet in production?
   ▫  Stored configs? Open source modules? Exported resources? Inventory service?

Page 5: PuppetCamp SEA 1 - Use of Puppet

Prerequisites

•  Good mood for tinkering
•  VirtualBox Debian 6.0.4 64bit VM
•  Internet connection (preferably > 28k8)

Page 6: PuppetCamp SEA 1 - Use of Puppet

Doing the minimum prep

•  Get the puppetlabs repository .deb package and install it
   ▫  This should be automated into your bootstrapping of course!
   ▫  The package is fetched over plain HTTP and installed unchecked; outside a throwaway VM, verify its checksum or signature before running dpkg -i.

# wget http://apt.puppetlabs.com/puppetlabs-release_1.0-3_all.deb
# dpkg -i puppetlabs-release_1.0-3_all.deb
# aptitude update
# aptitude install puppetmaster-passenger puppet puppetdb \
    puppetdb-terminus

Page 7: PuppetCamp SEA 1 - Use of Puppet

Adjust puppet config files

•  /etc/puppet/puppetdb.conf
•  /etc/puppet/puppet.conf
•  /etc/puppet/routes.yaml

/etc/puppet/puppetdb.conf:
[main]
server = debian-puppetcamp.example.com
port = 8081

/etc/puppet/puppet.conf:
[master]
storeconfigs = true
storeconfigs_backend = puppetdb

/etc/puppet/routes.yaml:
master:
  facts:
    terminus: puppetdb
    cache: yaml

Page 8: PuppetCamp SEA 1 - Use of Puppet

Add permissions for inventory service

•  Add permissions to auth.conf

#NOTE: refine this on a production server!
path /facts
auth any
method find, search
allow *

   ▫  As written, any client that can reach port 8140 can read and search every node's facts, with or without a client certificate (auth any plus allow *). On a production master use auth yes and allow only the certname of the inventory client.
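What that rule admits, and what a tightened one admits, worked through in an added example (this is not code from the slides or from Puppet itself). It is a simplified model of how Puppet 2.7 evaluates auth.conf: rules are tried in order, the first rule whose path prefix, method and auth requirement all match decides, and `allow *` admits clients that presented no certificate at all. Path matching is by prefix, which is why the single `/facts` rule on the slide also covers the `/facts_search` queries used later. The client name `inventory.example.com` in the hardened rule set is an assumption; `allow_ip` and the default rules of a stock auth.conf are not modelled.

```python
"""Simplified model of how Puppet 2.7's auth.conf decides REST requests.

Added example; not code from the slides or from Puppet. Only the directives
used here (path, auth, method, allow, deny) are modelled; allow_ip and the
stock default rules are left out.
"""
import fnmatch
import re

# The rule from the slide: anyone who can reach port 8140, with or without a
# client certificate, may read and search every node's facts.
LAB_AUTHCONF = """
path /facts
auth any
method find, search
allow *
"""

# A tightened version: a client certificate is required and only one
# (assumed) inventory client certname is allowed.
HARDENED_AUTHCONF = """
path /facts
auth yes
method find, search
allow inventory.example.com
"""

ALL_METHODS = {"find", "search", "save", "destroy"}


def parse_authconf(text):
    """Parse auth.conf text into an ordered list of rule dicts."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        val = val.strip()
        if key == "path":
            cur = {"prefix": None, "regex": None, "auth": "yes",
                   "methods": set(ALL_METHODS), "allow": [], "deny": []}
            if val.startswith("~"):
                cur["regex"] = re.compile(val[1:].strip())
            else:
                cur["prefix"] = val
            rules.append(cur)
        elif cur is None:
            raise ValueError("directive before first 'path': %r" % line)
        elif key == "auth":
            cur["auth"] = {"on": "yes", "off": "no"}.get(val, val)
        elif key == "method":
            cur["methods"] = {m.strip() for m in val.split(",")}
        elif key in ("allow", "deny"):
            cur[key].extend(v.strip() for v in val.split(","))
        else:
            raise ValueError("directive not modelled here: %r" % key)
    return rules


def _path_matches(rule, path):
    if rule["regex"] is not None:
        return rule["regex"].search(path) is not None
    return path.startswith(rule["prefix"])      # prefix match, like Puppet


def _name_matches(pattern, certname):
    # '*' is a global allow: it admits unauthenticated clients (certname None) too.
    if pattern == "*":
        return True
    if certname is None:
        return False
    return fnmatch.fnmatchcase(certname, pattern)


def authorized(rules, path, method, certname=None):
    """Decide one request; certname=None means no client certificate was presented.

    The first rule whose path, method and auth requirement all match decides.
    No matching rule means the request is denied.
    """
    authenticated = certname is not None
    for rule in rules:
        if not _path_matches(rule, path) or method not in rule["methods"]:
            continue
        if rule["auth"] == "yes" and not authenticated:
            continue
        if rule["auth"] == "no" and authenticated:
            continue
        if any(_name_matches(p, certname) for p in rule["deny"]):
            return False
        return any(_name_matches(p, certname) for p in rule["allow"])
    return False


def compare_policies():
    """Evaluate the same requests against both rule sets: {label: {request: bool}}."""
    requests = {
        "anonymous facts_search":  ("/facts_search/search", "search", None),
        "anonymous fact read":     ("/facts/debian-node.example.com", "find", None),
        "agent reads other node":  ("/facts/debian-puppetcamp.example.com", "find",
                                    "debian-node.example.com"),
        "inventory client search": ("/facts_search/search", "search",
                                    "inventory.example.com"),
        "anonymous fact write":    ("/facts/debian-node.example.com", "save", None),
    }
    out = {}
    for label, text in (("lab", LAB_AUTHCONF), ("hardened", HARDENED_AUTHCONF)):
        rules = parse_authconf(text)
        out[label] = {name: authorized(rules, *req) for name, req in requests.items()}
    return out


if __name__ == "__main__":
    for label, results in compare_policies().items():
        print(label)
        for name, ok in results.items():
            print("  %-26s %s" % (name, "allowed" if ok else "denied"))
```

Running it shows the lab rule granting every read to the anonymous client (the `curl -k` queries on slide 22 present no client certificate, and they succeed for exactly this reason), while the hardened set denies everything except the named inventory client.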

Page 9: PuppetCamp SEA 1 - Use of Puppet

Set up SSL certs

•  Run the ssl generating script
•  Set the generated password in the jetty config file
•  Set ownership for /etc/puppetdb/ssl
   ▫  The keystore password sits in plain text in both files; keep them, and the rest of /etc/puppetdb, readable by the puppetdb user only. The value below is the password this lab VM generated.

# /usr/sbin/puppetdb-ssl-setup

# cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt
# vim /etc/puppetdb/conf.d/jetty.ini
[..]
key-password=tP35htAMH8PUcYVtCAmSVhYbf
trust-password=tP35htAMH8PUcYVtCAmSVhYbf

# chown -R puppetdb:puppetdb /etc/puppetdb/ssl

Page 10: PuppetCamp SEA 1 - Use of Puppet

Check ssl certs

•  Check ssl certs for puppetdb against puppet
   ▫  The keystore entry must hold the certificate the puppet CA issued for this host, so the two fingerprints below must be identical. MD5 is used only because keytool prints it by default; where you can, compare a SHA digest instead (puppet cert fingerprint --digest=sha1 or sha256; keytool -list -v also prints SHA1).

# keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

debian-puppetcamp.example.com, Jun 4, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24

# puppet cert fingerprint debian-puppetcamp.example.com --digest=md5
debian-puppetcamp.example.com D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24

Page 11: PuppetCamp SEA 1 - Use of Puppet

Restart

•  Restart apache/passenger & puppetdb
•  Sit back and watch the puppetdb log
   ▫  The two JDBC warnings are expected here: this lab uses PuppetDB's embedded HSQLDB (see the HSQLDB lines), which has no username or password configured.

# /etc/init.d/puppetdb restart && apache2ctl restart

2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC username was not set in config!
2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC password was not set in config!
2012-06-04 18:02:23,050 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose start
2012-06-04 18:02:23,109 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose end
2012-06-04 18:02:23,160 INFO [main] [cli.services] Starting broker
2012-06-04 18:02:24,890 INFO [main] [journal.Journal] ignoring zero length, partially initialised journal data file: db-1.log number = 1 , length = 0
2012-06-04 18:02:25,051 INFO [main] [cli.services] Starting 1 command processor threads
2012-06-04 18:02:25,063 INFO [main] [cli.services] Starting query server
2012-06-04 18:02:25,064 INFO [main] [cli.services] Starting database compactor (60 minute interval)
2012-06-04 18:02:25,087 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
2012-06-04 18:02:25,090 INFO [clojure-agent-send-off-pool-1] [mortbay.log] jetty-6.1.x
2012-06-04 18:02:25,140 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started [email protected]:8080
2012-06-04 18:02:25,885 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started [email protected]:8081

Page 12: PuppetCamp SEA 1 - Use of Puppet

Test run!

•  Check for listening connections
   ▫  8081 is the SSL port the master was pointed at in puppetdb.conf (client-certificate authenticated). 8080 is PuppetDB's plain HTTP interface and carries no authentication at all, so leave it bound to the loopback address as it is here.
•  Run puppet

# netstat -ln | grep 808
tcp6       0      0 127.0.1.1:8080          :::*                    LISTEN
tcp6       0      0 127.0.1.1:8081          :::*                    LISTEN

# puppet agent -t
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338804503'
notice: Finished catalog run in 0.09 seconds

# netstat -ln | grep 808
tcp6       0      0 127.0.1.1:8080          :::*                    LISTEN
tcp6       0      0 127.0.1.1:8081          :::*                    LISTEN

Page 13: PuppetCamp SEA 1 - Use of Puppet

Create git repo/get submodule

•  Create a git repo of our puppet repository

# git init
Initialized empty Git repository in /etc/puppet/.git/
# git add *
# git commit -m 'initial commit'
[master (root-commit) bf0eff5] initial commit
 Committer: root <[email protected]>
 6 files changed, 157 insertions(+), 0 deletions(-)
 create mode 100755 auth.conf
 create mode 100644 fileserver.conf
 create mode 100644 puppet.conf
 create mode 100644 puppetdb.conf
 create mode 100644 routes.yaml

Page 14: PuppetCamp SEA 1 - Use of Puppet

The first beginnings of a new world

•  Add 2 nodes to /etc/puppet/manifests/site.pp

node 'debian-puppetcamp.example.com' {
  file { '/tmp/puppet.txt':
    ensure  => present,
    content => "This is host ${::hostname}\n",
  }
}

node 'debian-node.example.com' {
  file { '/tmp/puppet.txt':
    ensure  => present,
    content => "This is host ${::hostname}\n",
  }
}

Page 15: PuppetCamp SEA 1 - Use of Puppet

Adding a node

•  Install puppet
•  Point to the puppetmaster

# aptitude install puppet

# vim /etc/hosts
<ip_of_puppetmaster> puppet

Page 16: PuppetCamp SEA 1 - Use of Puppet

Signing the node

•  Run puppet once to generate the cert request
•  Sign the request on the master
   ▫  Before signing, compare the request fingerprint the agent printed (17:E0:...) with the one puppet cert --list shows for that name: it proves the pending request is the one this node generated, not one submitted by someone else under its name.
   ▫  The "peer certificate won't be verified" warnings mean the agent has no CA certificate yet and caches the first one it is handed. On a network you do not control, also check /var/lib/puppet/ssl/certs/ca.pem on the node against the master's CA certificate.

# puppetd -t
info: Creating a new SSL key for debian-node.example.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for debian-node.example.com
info: Certificate Request fingerprint (md5): 17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

# puppet cert --list --all
  debian-node.example.com       (17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9)
+ debian-puppetcamp.example.com (64:A6:C8:9F:FC:50:3E:79:9D:0D:19:04:4B:29:68:D1) (alt names: DNS:debian-puppetcamp.example.com, DNS:puppet, DNS:puppet.example.com)
# puppet cert --sign debian-node.example.com
notice: Signed certificate request for debian-node.example.com
notice: Removing file Puppet::SSL::CertificateRequest debian-node.example.com at '/var/lib/puppet/ssl/ca/requests/debian-node.example.com.pem'
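Both checks, the keystore-versus-CA fingerprint on slide 10 and the CSR fingerprint on slide 16, are the same comparison: a digest over the DER bytes, printed by different tools in slightly different layouts. The added example below (not code from the slides, Puppet or PuppetDB) normalises those layouts so the outputs can be compared exactly, and computes a fingerprint from a PEM file the way both tools do. The lines it compares are the ones from the slides; the PEM it hashes is constructed placeholder bytes, not a real certificate, since the functions only hash bytes.

```python
"""Compare certificate and CSR fingerprints printed by different tools.

Added example for slides 10 and 16; not code from the slides, Puppet or
PuppetDB. A fingerprint is a digest over the DER encoding, so keytool's
"Certificate fingerprint (MD5): ..." line, `puppet cert fingerprint`,
`puppet cert --list` and the agent's "Certificate Request fingerprint"
line can be compared once the formatting is normalised. Prefer a SHA
digest (--digest=sha256) over MD5 outside a lab.
"""
import base64
import hashlib
import re

# sixteen or more colon-separated hex pairs: MD5, SHA1, SHA256 all qualify
_FP_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}")


def extract_fingerprint(tool_output):
    """First fingerprint in a tool's output as uppercase hex without colons, or None."""
    m = _FP_RE.search(tool_output)
    return m.group(0).replace(":", "").upper() if m else None


def fingerprints_match(output_a, output_b):
    a, b = extract_fingerprint(output_a), extract_fingerprint(output_b)
    return a is not None and a == b


def pem_to_der(pem):
    """Strip the PEM armour and decode the base64 body."""
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def fingerprint(der, algo="sha256"):
    """Colon-separated uppercase digest, the layout both keytool and puppet print."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def keystore_matches_ca(pem, keytool_output, algo="md5"):
    """Does the entry keytool listed carry the same certificate as this PEM?"""
    return fingerprints_match(fingerprint(pem_to_der(pem), algo), keytool_output)


# Lines as printed on the slides
KEYTOOL_LINE = ("debian-puppetcamp.example.com, Jun 4, 2012, PrivateKeyEntry, "
                "Certificate fingerprint (MD5): D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24")
PUPPET_CERT_LINE = "debian-puppetcamp.example.com D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24"
AGENT_CSR_LINE = ("info: Certificate Request fingerprint (md5): "
                  "17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9")
CERT_LIST_LINE = "debian-node.example.com (17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9)"
MASTER_LIST_LINE = "+ debian-puppetcamp.example.com (64:A6:C8:9F:FC:50:3E:79:9D:0D:19:04:4B:29:68:D1)"

# Constructed placeholder standing in for /var/lib/puppet/ssl/certs/<fqdn>.pem;
# these are not X.509 bytes, the functions above only hash them.
PLACEHOLDER_DER = b"constructed placeholder bytes, not an X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(PLACEHOLDER_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("keystore vs puppet CA :", fingerprints_match(KEYTOOL_LINE, PUPPET_CERT_LINE))
    print("agent CSR vs cert list:", fingerprints_match(AGENT_CSR_LINE, CERT_LIST_LINE))
    print("agent CSR vs master   :", fingerprints_match(AGENT_CSR_LINE, MASTER_LIST_LINE))
    print("placeholder sha256    :", fingerprint(pem_to_der(SAMPLE_PEM)))
```

On a real master, feed `fingerprint(pem_to_der(open(path).read()), "md5")` the certificate under /var/lib/puppet/ssl/certs and `keystore_matches_ca` the keytool output; a mismatch means the keystore was built from a different certificate than the one the CA issued.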

Page 17: PuppetCamp SEA 1 - Use of Puppet

Run puppet and check result

•  Run puppet on the node
•  Check the result
•  Say “YEAH!”

# puppetd -t
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for debian-node.example.com
No LSB modules are available.
info: Caching certificate_revocation_list for ca
info: Caching catalog for debian-node.example.com
info: Applying configuration version '1338822174'
notice: /Stage[main]//Node[debian-node.example.com]/File[/tmp/puppet.txt]/ensure: created
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.06 seconds

# cat /tmp/puppet.txt
This is Host debian-node

Page 18: PuppetCamp SEA 1 - Use of Puppet

Adding a git submodule

•  Clone the firewall submodule from github
•  Commit it to the main repo
   ▫  The submodule entry (mode 160000) records the exact upstream commit, so the module version is pinned; review what changed upstream before moving the submodule to a newer commit.

# git submodule add https://github.com/puppetlabs/puppetlabs-firewall.git modules/firewall
Cloning into modules/firewall...
remote: Counting objects: 1065, done.
remote: Compressing objects: 100% (560/560), done.
remote: Total 1065 (delta 384), reused 1012 (delta 341)
Receiving objects: 100% (1065/1065), 158.69 KiB | 117 KiB/s, done.
Resolving deltas: 100% (384/384), done.

# git add * && git commit -m 'Added 2 node defs and firewall submodule'
[master d0bab6f] Added 2 node defs and firewall submodule
 Committer: root <[email protected]>
 3 files changed, 17 insertions(+), 0 deletions(-)
 create mode 100644 .gitmodules
 create mode 100644 manifests/site.pp
 create mode 160000 modules/firewall

Page 19: PuppetCamp SEA 1 - Use of Puppet

Using the new firewall submodule

•  Adjust manifests/site.pp
   ▫  source is taken from a fact the agent reports about itself; whatever an agent claims becomes an ACCEPT rule on the master once collected, so facts used in exported resources deserve validation.

node 'basenode' {
  @@firewall { "200 allow conns to the puppetmaster from ${::fqdn}":
    chain  => 'INPUT',
    action => 'accept',
    proto  => 'tcp',
    dport  => 8140,
    source => $::ipaddress_eth1,
    tag    => 'role:puppetmaster',
  }
}

# Our puppet master
node 'debian-puppetcamp.example.com' inherits basenode {
  # Gather all Firewall rules here
  Firewall <<| tag == 'role:puppetmaster' |>>
}

# Our sample node
node 'debian-node.example.com' inherits basenode {
}
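The check that the collector side is missing, as an added example (not code from the slides or from the puppetlabs-firewall module). In the manifest above `source => $::ipaddress_eth1` is reported by the agent, stored by the master and turned into an ACCEPT rule on the master by the collector; nothing validates it. The filter below accepts an exported rule only when its source is one plain host address inside the agent subnet, with no mask and no iptables negation, and the port and tag are the expected ones. The subnet `192.168.0.0/24` and the exported-resource records are constructed for the example; the two honest addresses are the ones visible in the iptables listing on slide 21. In a manifest the equivalent guard would be a validation function before the `@@firewall` declaration.

```python
"""Validate the agent-supplied fact behind an exported firewall rule.

Added example; not code from the slides or from puppetlabs-firewall.
Exported resources carry agent-reported facts into other nodes' catalogs,
so a tampered agent could export an ACCEPT rule for any source. This
filter applies the check a collector-side step should make.
"""
import ipaddress

AGENT_NETWORK = ipaddress.ip_network("192.168.0.0/24")   # assumed lab subnet
EXPECTED_TAG = "role:puppetmaster"
EXPECTED_PORT = 8140


def exported_rule(fqdn, source, dport=EXPECTED_PORT, tag=EXPECTED_TAG):
    """One exported firewall resource in the shape the collector sees it."""
    return {"title": "200 allow conns to the puppetmaster from %s" % fqdn,
            "chain": "INPUT", "action": "accept", "proto": "tcp",
            "dport": dport, "source": source, "tag": tag}


# Constructed catalog data: the two honest nodes from the slides plus
# four variants a tampered agent could produce by forging ipaddress_eth1.
EXPORTED = [
    exported_rule("debian-node.example.com", "192.168.0.111"),
    exported_rule("debian-puppetcamp.example.com", "192.168.0.109"),
    exported_rule("rogue.example.com", "0.0.0.0/0"),              # the whole internet
    exported_rule("rogue.example.com", "! 192.168.0.1"),          # iptables negation
    exported_rule("rogue.example.com", "203.0.113.7"),            # outside the agent subnet
    exported_rule("rogue.example.com", "192.168.0.50", dport=22),  # wrong port
]


def valid_source(value, network=AGENT_NETWORK):
    """True only for one plain host address inside network.

    puppetlabs-firewall also accepts CIDR ranges and a leading '!' (negation);
    both are refused here because neither should ever come from a fact.
    """
    if not isinstance(value, str) or value != value.strip():
        return False
    if "/" in value or value.startswith("!"):
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr in network        # False for an IPv6 address against an IPv4 net


def filter_exported(rules, network=AGENT_NETWORK, port=EXPECTED_PORT, tag=EXPECTED_TAG):
    """Split exported rules into the ones safe to realise and the ones to drop."""
    accepted, rejected = [], []
    for rule in rules:
        ok = (rule.get("tag") == tag
              and rule.get("dport") == port
              and rule.get("chain") == "INPUT"
              and rule.get("proto") == "tcp"
              and valid_source(rule.get("source"), network))
        (accepted if ok else rejected).append(rule)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_exported(EXPORTED)
    for r in ok:
        print("ACCEPT  %-16s %s" % (r["source"], r["title"]))
    for r in bad:
        print("DROPPED %-16s %s" % (r["source"], r["title"]))
```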

Page 20: PuppetCamp SEA 1 - Use of Puppet

Running puppet agent

•  Execute puppet runs on both nodes
   ▫  Order matters: the master's first run only creates its own rule. The node's rule is exported when the node compiles its catalog, so it shows up on the master on the master's next run.

root@debian-puppetcamp:/etc/puppet# puppetd -t
info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338825096'
notice: /Firewall[200 allow conns to the puppetmaster from debian-puppetcamp.example.com]/ensure: created
notice: Finished catalog run in 0.47 seconds

root@debian-node:~# puppetd -t
No LSB modules are available.
info: Caching catalog for debian-node.example.com
info: Applying configuration version '1338825096'
notice: Finished catalog run in 0.03 seconds

root@debian-puppetcamp:/etc/puppet# puppetd -t
info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338825096'
notice: /Firewall[200 allow conns to the puppetmaster from debian-node.example.com]/ensure: created
notice: Finished catalog run in 0.22 seconds

Page 21: PuppetCamp SEA 1 - Use of Puppet

Checking results

•  Iptables on the puppetmaster
   ▫  The INPUT chain policy is still ACCEPT, so these rules restrict nothing yet; they only take effect once a default drop (or a final reject rule) is added after them.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.111        anywhere             multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-node.example.com */
ACCEPT     tcp  --  192.168.0.109        anywhere             multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-puppetcamp.example.com */
[..]

Page 22: PuppetCamp SEA 1 - Use of Puppet

Inventory service

•  Query for all nodes running debian squeeze
•  Query for facts about a certain node
   ▫  -k turns off certificate verification; fine against this VM, not against a real master. Point curl at the puppet CA instead (--cacert /var/lib/puppet/ssl/certs/ca.pem) and present a client certificate (--cert/--key), which also lets auth.conf demand auth yes for /facts.

root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" https://puppet:8140/production/facts_search/search?facts.lsbdistcodename=squeeze\&facts.operatingsystem=Debian
---
- debian-puppetcamp.example.com
- debian-node.example.com

root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" https://puppet:8140/production/facts/debian-puppetcamp.example.com
--- !ruby/object:Puppet::Node::Facts
expiration: 2012-06-04 18:38:21.174542 +08:00
name: debian-puppetcamp.example.com
values:
  productname: VirtualBox
  Kernelmajversion: "2.6"
  ipaddress_eth0: 10.0.2.15
  kernelversion: 2.6.32
[..]
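The same two queries with verification switched on, as an added example (not code from the slides or from Puppet). The client trusts only the Puppet CA and presents the querying node's own certificate, so an impostor master is rejected and the /facts rule in auth.conf can use auth yes with a named allow. It assumes the default Puppet 2.7 ssldir layout under /var/lib/puppet/ssl, a master reachable as `puppet` (slide 16 lists that name among the master certificate's alt names, so hostname checking passes) and `debian-puppetcamp.example.com` as the client's certname. The facts_search reply is a plain YAML list, parsed here without PyYAML; SAMPLE_REPLY is constructed from the output on the slide.

```python
"""Query the inventory service over a verified TLS connection instead of curl -k.

Added example; not code from the slides or from Puppet. Assumptions: default
Puppet 2.7 ssldir layout on the client, a master reachable as 'puppet', and
the client's certname below.
"""
import ssl
import urllib.parse
import urllib.request

MASTER = "puppet"                              # assumed master name (in the cert's alt names)
SSLDIR = "/var/lib/puppet/ssl"                 # default ssldir on Debian
CERTNAME = "debian-puppetcamp.example.com"     # assumed: this client's certname


def facts_search_url(master, env="production", **facts):
    """https://<master>:8140/<env>/facts_search/search?facts.<name>=<value>&...

    urlencode takes care of the '&' the shell version had to escape.
    """
    query = urllib.parse.urlencode(
        {"facts." + name: value for name, value in sorted(facts.items())})
    return "https://%s:8140/%s/facts_search/search?%s" % (master, env, query)


def node_facts_url(master, certname, env="production"):
    return "https://%s:8140/%s/facts/%s" % (
        master, env, urllib.parse.quote(certname, safe=""))


def tls_context(ssldir, certname):
    """Trust only the Puppet CA and authenticate with this node's certificate."""
    ctx = ssl.create_default_context(cafile="%s/certs/ca.pem" % ssldir)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile="%s/certs/%s.pem" % (ssldir, certname),
                        keyfile="%s/private_keys/%s.pem" % (ssldir, certname))
    return ctx


def parse_yaml_list(text):
    """Parse the '---' / '- item' list that facts_search returns; reject anything else."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if line in ("", "---"):
            continue
        if not line.startswith("- "):
            raise ValueError("unexpected line in facts_search reply: %r" % line)
        items.append(line[2:].strip())
    return items


def search_nodes(master=MASTER, ssldir=SSLDIR, certname=CERTNAME, **facts):
    """Return the certnames whose facts match; needs a reachable master."""
    req = urllib.request.Request(facts_search_url(master, **facts),
                                 headers={"Accept": "yaml"})
    with urllib.request.urlopen(req, context=tls_context(ssldir, certname)) as resp:
        return parse_yaml_list(resp.read().decode("utf-8"))


# Constructed from the reply shown on the slide
SAMPLE_REPLY = "---\n- debian-puppetcamp.example.com\n- debian-node.example.com\n"

if __name__ == "__main__":
    print(search_nodes(lsbdistcodename="squeeze", operatingsystem="Debian"))
```

The private key under private_keys is readable by root (or the puppet user) only, so run the query as that user; a certificate the master has not signed, or one revoked in its CRL, will be refused at the TLS handshake before auth.conf is consulted.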

Page 23: PuppetCamp SEA 1 - Use of Puppet
Page 24: PuppetCamp SEA 1 - Use of Puppet

OlinData and Puppet

•  Training
   ▫  Upcoming trainings:
      -  Singapore – August 6-8
      -  Hyderabad – July 11-14
   ▫  Cheaper than in the West (50% or more discount!)
   ▫  Expanding to 5 countries in 5 months

•  Consulting
   ▫  Remote consulting worldwide
   ▫  Ongoing hands-on engineering
   ▫  Start from scratch or improve an existing environment

Page 25: PuppetCamp SEA 1 - Use of Puppet

Walter Heck ([email protected])

@walterheck / @olindata

#PuppetCampSEA

http://www.olindata.com

Like us on Facebook: http://fb.me/olindata