Puppet
Introduction
Put simply, Puppet is a system for automating system administration tasks. To learn more, read our big picture overview of Puppet, or take a deeper look at what Puppet can do with the Puppet Introduction. There's also a Puppet Brochure which gives the highlights of Puppet's functionality. (taken from Puppet homepage)
Installation
Puppetmasterd
# emerge -av puppet
The Puppet-0.23.0 ebuild creates puppetd.conf and puppetmasterd.conf under /etc/puppet.
The configuration file should be puppet.conf, so delete the others:
# rm /etc/puppet/puppetmasterd.conf /etc/puppet/puppetd.conf
Create puppet.conf /etc/puppet/puppet.conf:
| File: /etc/puppet/puppet.conf |
[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
[puppetd]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
|
Create site.pp /etc/puppet/manifests/site.pp:
| File: /etc/puppet/manifests/site.pp |
# Create "/tmp/testfile" if it doesn't exist.
class test_class {
    file { "/tmp/testfile":
        ensure => present,
        mode   => 644,
        owner  => root,
        group  => root
    }
}
# the node name has to match the host name of the node
# you can also specify a node default that will get applied
# to all nodes where there is no configuration
node gandalf {
    include test_class
}
|
# rc-update add puppetmaster default
# /etc/init.d/puppetmaster start
Puppetd
# rm /etc/puppet/puppetmasterd.conf /etc/puppet/puppetd.conf
Create puppet.conf /etc/puppet/puppet.conf:
| File: /etc/puppet/puppet.conf |
[main]
server = yourpuppetmasterdserver
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
[puppetd]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
|
Test
You need to sign your certificate:
1. on the server: Start the puppetmasterd
2. on the client:
# puppetd --waitforcert 60 --verbose --debug
debug: Calling puppetca.getcert
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
3. Run puppetca -l on the server; you should see your request:
# puppetca --list
gandalf
# puppetca --sign gandalf
4. At the next run your puppetd should create /tmp/testfile
Examples
Package
class wine {
    package { 'xwininfo':
        name     => 'xwininfo',
        category => 'x11-apps',
        ensure   => present,
    }
}
File permission/File with source/Directory
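file { 'sshd_config':
    path   => '/etc/ssh/sshd_config',
    owner  => root,
    group  => root,
    mode   => 600,
    # fetched from the puppetmaster's file server (mount "global")
    source => "puppet://$server/global/sshd_config",
}
service { 'sshd':
    enable    => true,
    ensure    => running,
    # hasstatus is a service attribute: the init script supports "status"
    hasstatus => true,
    require   => Package['openssh'],
    # restart sshd whenever the managed sshd_config changes
    subscribe => File['sshd_config'],
}
package { 'openssh':
    category => 'net-misc',
    name     => 'openssh',
    ensure   => present
}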
File:
Source means that if you have set up fileserver.conf on your puppetmasterd, your client will be able to download that file, change the permissions and so forth; with the subscription, it will restart your service.
Service:
Enable means Puppet will check your runlevel, and if the service hasn't been defined to run at this runlevel, it will ensure it is defined to run at this runlevel.
hasstatus: set it to true if /etc/init.d/scriptname supports the status command. If you haven't set it, Puppet will try to check the service with ps.
Package:
Ensure => latest, installed, present, absent
Latest:
Will emerge your package at each run if there is a newer version.
Installed:
Will emerge your package if it isn't installed.
Present:
If the package isn't present it will do nothing; if it is, it will perform the class's actions.
Absent:
It will unmerge your app.
file { '/data':
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => 755,
}
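The source URL in the sshd_config example above points at a file server mount named global. A fileserver.conf that would serve it, as an added example that is not from the original page; the directory /etc/puppet/files/global is an assumption, and yourdomain.com is the placeholder domain used elsewhere on this page.

```conf
# /etc/puppet/fileserver.conf on the puppetmaster (added example)
# The mount name in brackets is the first path component of the
# source URL: puppet://$server/global/sshd_config -> [global]
[global]
    # assumed directory; sshd_config must sit directly inside it
    path /etc/puppet/files/global
    # weak: "*" matches every client name, so nothing is restricted
    # allow *
    # tighter: only clients whose names fall under your own domain
    allow *.yourdomain.com
```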
Node configs
Every node should have at least an empty configuration:
node lisa {
}
node 'fqdn.yourdomain.com' {
}
I've set up some standard rules, like desktop-linux and server-linux:
class desktop-linux {
    include xorg_config
}
class server-linux {
    include timezone-sync
}
Then you can set up a node called lisa as a server:
node lisa {
    include server-linux
}
Schedule
class sync {
    schedule { daily:
        range  => "2 - 4",
        repeat => 1,
    }
    exec { "/usr/bin/emerge --sync --quiet":
        schedule => daily
    }
}
Every exec that has the daily schedule will be executed between 2 and 4 AM; with repeat => 1, Puppet will run it only one time.
Mount options
class fs_check {
    mount { "/tmp":
        atboot   => yes,
        device   => "/dev/rootvg/tmp",
        ensure   => mounted,
        fstype   => xfs,
        remounts => true,
        pass     => 1,
        dump     => 0,
        options  => "noexec,nosuid,nodev,noatime"
    }
}
After the mount options change, Puppet will try to remount the filesystem.
User
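class check_user {
    user { superfly:
        ensure   => 'present',
        home     => '/home/superfly',
        shell    => '/bin/zsh',
        # password takes the already-hashed value in the format the system
        # stores (e.g. /etc/shadow), not the cleartext; 'password' is a placeholder
        password => 'password',
        groups   => ['wheel','users']
    }
}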
