
Hands-on: getting your feet wet with puppet

PuppetDB, Exported Resources, 3rd party open source modules, git submodules, inventory service

June 5th, 2012
Puppet Camp Southeast Asia, Kuala Lumpur, Malaysia
Walter Heck, OlinData

Overview
Introduction OlinData
Checkup
Set up puppet & puppetdb
Set up a 2nd node
Add an open source puppet module
Implement it and show exported resources usage

Future of Puppet in South East Asia

Introduction OlinData
OlinData
MySQL Consulting
Tribily Server Monitoring as a Service (http://tribily.com)
Puppet training and consulting

Founded in 2008
Setup to be run remotely and location independent

Started using Puppet in 2010


Official puppetlabs partner since 02-2012
Experience with large, medium and small infrastructures

Checkup

Who is using puppet?
Who's going to?
Haven't decided yet?
Who is using puppet in production?
Stored configs?
Open source modules?
Exported resources?
Inventory service?

Prerequisites
Good mood for tinkering
VirtualBox
Debian 6.0.4 64bit VM
Internet connection (preferably > 28k8)

Doing the minimum prep

Get repository .deb package and install it


This should be automated into your bootstrapping of course!
# wget http://apt.puppetlabs.com/puppetlabs-release_1.0-3_all.deb
# dpkg -i puppetlabs-release_1.0-3_all.deb
# aptitude update
# aptitude install puppetmaster-passenger puppet puppetdb \
    puppetdb-terminus

Adjust puppet config files


/etc/puppet/puppetdb.conf
[main]
server = debian-puppetcamp.example.com
port = 8081

/etc/puppet/puppet.conf
[master]
storeconfigs = true
storeconfigs_backend = puppetdb

/etc/puppet/routes.yaml
master:
  facts:
    terminus: puppetdb
    cache: yaml

Add permissions for inventory service
Add permissions to auth.conf


#NOTE: refine this on a production server!
path /facts
auth any
method find, search
allow *

Set up SSL certs


Run the ssl generating script
#/usr/sbin/puppetdb-ssl-setup

Set the generated password in jetty config file


#cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt
#vim /etc/puppetdb/conf.d/jetty.ini
[..]
key-password=tP35htAMH8PUcYVtCAmSVhYbf
trust-password=tP35htAMH8PUcYVtCAmSVhYbf

Set ownership for /etc/puppetdb/ssl


#chown -R puppetdb:puppetdb /etc/puppetdb/ssl

Check ssl certs


Check ssl certs for puppetdb against puppet
# keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

debian-puppetcamp.example.com, Jun 4, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24
# puppet cert fingerprint debian-puppetcamp.example.com --digest=md5
debian-puppetcamp.example.com D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24
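The fingerprint comparison above can be scripted so the check fails loudly instead of relying on eyeballing two hex strings. This is an added example, not from the slides; it parses the two command outputs shown above (the sample outputs in the usage below are constructed to match them) and, with --live, reads the keystore password file and certname from the paths this hands-on uses.

```shell
#!/bin/sh
# Added example (not from the slides): check that the certificate inside the
# PuppetDB Java keystore is the one the Puppet CA issued for this host, by
# comparing the MD5 fingerprints that keytool and `puppet cert fingerprint`
# report. If they differ, the master cannot trust the TLS session to PuppetDB.

# Print the MD5 fingerprint of the keystore entry whose alias is $1.
# stdin: output of `keytool -list -keystore ...`. keytool prints the alias
# line and the fingerprint line separately, so remember the alias first.
keytool_md5() {
  awk -v name="$1" '
    index($0, name ",") == 1 { seen = 1 }
    seen && match($0, /\(MD5\): *[0-9A-Fa-f:]+/) {
      fp = substr($0, RSTART, RLENGTH); sub(/^\(MD5\): */, "", fp)
      print fp; exit
    }'
}

# Print the MD5 fingerprint the Puppet CA holds for certname $1.
# stdin: output of `puppet cert fingerprint <name> --digest=md5`,
# i.e. "<name> <fingerprint>" on one line.
puppet_md5() {
  awk -v name="$1" '$1 == name { print $NF; exit }'
}

# $1 = certname, $2 = keytool output, $3 = puppet cert output.
# Returns 0 only when both fingerprints were found and are identical.
fingerprints_match() {
  k=$(printf '%s\n' "$2" | keytool_md5 "$1")
  p=$(printf '%s\n' "$3" | puppet_md5 "$1")
  [ -n "$k" ] && [ -n "$p" ] && [ "$k" = "$p" ]
}

# Run against the live system on the master with `sh check-ssl.sh --live`;
# the file paths are the ones used in this hands-on.
if [ "${1:-}" = "--live" ]; then
  name=$(puppet master --configprint certname)
  pw=$(cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt)
  ks=$(keytool -list -keystore /etc/puppetdb/ssl/keystore.jks -storepass "$pw")
  ca=$(puppet cert fingerprint "$name" --digest=md5)
  if fingerprints_match "$name" "$ks" "$ca"; then
    echo "OK: keystore and CA agree on $name"
  else
    echo "MISMATCH: regenerate the keystore with puppetdb-ssl-setup" >&2
    exit 1
  fi
fi
```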

Restart
Restart apache/passenger & puppetdb
# /etc/init.d/puppetdb restart && apache2ctl restart

Sit back and watch puppetdb log


2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC username was not set in config!
2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC password was not set in config!
2012-06-04 18:02:23,050 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose start
2012-06-04 18:02:23,109 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose end
2012-06-04 18:02:23,160 INFO [main] [cli.services] Starting broker
2012-06-04 18:02:24,890 INFO [main] [journal.Journal] ignoring zero length, partially initialised journal data file: db-1.log number = 1 , length = 0
2012-06-04 18:02:25,051 INFO [main] [cli.services] Starting 1 command processor threads
2012-06-04 18:02:25,063 INFO [main] [cli.services] Starting query server
2012-06-04 18:02:25,064 INFO [main] [cli.services] Starting database compactor (60 minute interval)
2012-06-04 18:02:25,087 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
2012-06-04 18:02:25,090 INFO [clojure-agent-send-off-pool-1] [mortbay.log] jetty-6.1.x
2012-06-04 18:02:25,140 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started SocketConnector@debian-puppetcamp.example.com:8080
2012-06-04 18:02:25,885 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started SslSocketConnector@debian-puppetcamp.example.com:8081

Test run!
Check for listening connections
#netstat -ln | grep 808
tcp6       0      0 127.0.1.1:8080          :::*                    LISTEN
tcp6       0      0 127.0.1.1:8081          :::*                    LISTEN

Run puppet
# puppet agent -t
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338804503'
notice: Finished catalog run in 0.09 seconds

Create git repo/get submodule


Create a git repo of our puppet repository
# git init
Initialized empty Git repository in /etc/puppet/.git/
# git add *
# git commit -m 'initial commit'
[master (root-commit) bf0eff5] initial commit
 Committer: root <root@debian-puppetcamp.example.com>
 6 files changed, 157 insertions(+), 0 deletions(-)
 create mode 100755 auth.conf
 create mode 100644 fileserver.conf
 create mode 100644 puppet.conf
 create mode 100644 puppetdb.conf
 create mode 100644 routes.yaml

The first beginnings of a new world


Add 2 nodes to /etc/puppet/manifests/site.pp
node 'debian-puppetcamp.example.com' {
  file { '/tmp/puppet.txt':
    ensure  => present,
    content => "This is host ${::hostname}\n"
  }
}

node 'debian-node.example.com' {
  file { '/tmp/puppet.txt':
    ensure  => present,
    content => "This is host ${::hostname}\n"
  }
}

Adding a node
Install puppet
# aptitude install puppet

Point to puppetmaster
# vim /etc/hosts
<ip_of_puppetmaster> puppet

Signing the node


Run puppet once to generate cert request
# puppetd -t
info: Creating a new SSL key for debian-node.example.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for debian-node.example.com
info: Certificate Request fingerprint (md5): 17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

Sign the request on the master


# puppet cert --list --all
  debian-node.example.com       (17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9)
+ debian-puppetcamp.example.com (64:A6:C8:9F:FC:50:3E:79:9D:0D:19:04:4B:29:68:D1) (alt names: DNS:debian-puppetcamp.example.com, DNS:puppet, DNS:puppet.example.com)
# puppet cert --sign debian-node.example.com
notice: Signed certificate request for debian-node.example.com
notice: Removing file Puppet::SSL::CertificateRequest debian-node.example.com at '/var/lib/puppet/ssl/ca/requests/debian-node.example.com.pem'

Run puppet and check result


Run puppet on node
# puppetd -t
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for debian-node.example.com
No LSB modules are available.
info: Caching certificate_revocation_list for ca
info: Caching catalog for debian-node.example.com
info: Applying configuration version '1338822174'
notice: /Stage[main]//Node[debian-node.example.com]/File[/tmp/puppet.txt]/ensure: created
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.06 seconds

Check result
# cat /tmp/puppet.txt
This is Host debian-node

Say YEAH!

Adding a git submodule


Clone the firewall submodule from github
# git submodule add https://github.com/puppetlabs/puppetlabs-firewall.git modules/firewall
Cloning into modules/firewall...
remote: Counting objects: 1065, done.
remote: Compressing objects: 100% (560/560), done.
remote: Total 1065 (delta 384), reused 1012 (delta 341)
Receiving objects: 100% (1065/1065), 158.69 KiB | 117 KiB/s, done.
Resolving deltas: 100% (384/384), done.

Commit it to the main repo


# git add * && git commit -m 'Added 2 node defs and firewall submodule'
[master d0bab6f] Added 2 node defs and firewall submodule
 Committer: root <root@debian-puppetcamp.example.com>
 3 files changed, 17 insertions(+), 0 deletions(-)
 create mode 100644 .gitmodules
 create mode 100644 manifests/site.pp
 create mode 160000 modules/firewall

Using the new firewall submodule


Adjust manifests/site.pp
node 'basenode' {
  @@firewall { "200 allow conns to the puppetmaster from ${::fqdn}":
    chain  => 'INPUT',
    action => 'accept',
    proto  => 'tcp',
    dport  => 8140,
    source => $::ipaddress_eth1,
    tag    => 'role:puppetmaster'
  }
}

# Our puppet master
node 'debian-puppetcamp.example.com' inherits basenode {
  # Gather all Firewall rules here
  Firewall<<| tag == 'role:puppetmaster' |>>
}

# Our sample node
node 'debian-node.example.com' inherits basenode {
}

Running puppet agent


Execute puppet runs on both nodes
root@debian-puppetcamp:/etc/puppet# puppetd -t
info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338825096'
notice: /Firewall[200 allow conns to the puppetmaster from debian-puppetcamp.example.com]/ensure: created
notice: Finished catalog run in 0.47 seconds

root@debian-node:~# puppetd -t
No LSB modules are available.
info: Caching catalog for debian-node.example.com
info: Applying configuration version '1338825096'
notice: Finished catalog run in 0.03 seconds

root@debian-puppetcamp:/etc/puppet# puppetd -t
info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338825096'
notice: /Firewall[200 allow conns to the puppetmaster from debian-node.example.com]/ensure: created
notice: Finished catalog run in 0.22 seconds

Checking results
Iptables on puppetmaster
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.111        anywhere             multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-node.example.com */
ACCEPT     tcp  --  192.168.0.109        anywhere             multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-puppetcamp.example.com */
[..]

Inventory service
Query for all nodes having debian squeeze
root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" \
  https://puppet:8140/production/facts_search/search?facts.lsbdistcodename=squeeze\&facts.operatingsystem=Debian
---
- debian-puppetcamp.example.com
- debian-node.example.com

Query for facts about a certain node


root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" \
  https://puppet:8140/production/facts/debian-puppetcamp.example.com
--- !ruby/object:Puppet::Node::Facts
expiration: 2012-06-04 18:38:21.174542 +08:00
name: debian-puppetcamp.example.com
values:
  productname: VirtualBox
  kernelmajversion: "2.6"
  ipaddress_eth0: 10.0.2.15
  kernelversion: 2.6.32
  [..]

Questions?

OlinData and Puppet


Training
Upcoming trainings:
Singapore: August 6-8
Hyderabad: July 11-14

Cheaper than in the West (50% or more discount!)
Expanding to 5 countries in 5 months

Consulting
Remote consulting worldwide
Ongoing hands-on engineering
Start from scratch or improve existing environment

Walter Heck (walterheck@olindata.com)
@walterheck / @olindata
#PuppetCampSEA
http://www.olindata.com
Like us on Facebook: http://fb.me/olindata
