Erinevus lehekülje "Puppet kasutamine Debianiga" redaktsioonide vahel

Sissejuhatus

Puppet (ingl. k. nukk) http://reductivelabs.com/products/puppet/ võimaldab korraldada arvutite tarkvara ja seadistuste automatiseeritud haldust.

                  _____
                 |     | puppetmasterd
                 |_____| 8140/tcp
                    |
                    |
            ---|----|-------|------------|---
               |            |            |
             __|__        __|__        __|__
            |     |      |     |      |     |  puppetd
            |_____|      |_____|      |_____|  8139/tcp
             
             smtp1        smtp2        squid
                       puppet kliendid

• Puppetmaster (ingl. k. nukujuht) sisaldab klientide tarkvara ja seadistuste kirjeldust
• Kliendid teavad oma puppetmasteri aadressi
• Puppetmasteri ja klientide andmevahetus toimub üle 8140/tcp ja 8139/tcp pordi, kusjuures klient saab küsida serverilt muudatusi ja server saab saata kliendile muudatusi
• Andmevahetus on turvatud x509 sertifikaatide kasutamise abil

Tarkvara paigaldamine

Puppetmasterile ja Puppetitele tuleb paigaldada erinev tarkvara. Omakorda, seda tarkvara saab reeglina paigaldada kahel viisil, kas operatsioonisüsteemi paketihaldusest või Ruby paketihaldusest.

Debian Lenny

Operatsioonisüsteemi paketihaldusest

Puppet serverile ehk puppetmasterile tuleb paigadada pakett puppetmaster

 # apt-get install puppetmaster

Puppet kliendile tuleb paigaldada pakett puppet

 # apt-get install puppet

Ruby paketihaldusest

 # apt-get install rubygems

Gems süsteemi kasutamise kohta näeb näiteid öeldes

 # gem help examples

Puppet paigaldamiseks sobib öelda

 # gem install puppet

OpenBSD

OpenBSD 4.6 jaoks on olemas binaarse paketina Puppet tarkvara v. 0.24.4, mille paigaldamiseks sobib öelda

 # pkg_add ruby-puppet
 ruby-1.8.6.369p0:  complete
 ruby-facter-1.5.0: complete
 ruby-puppet-0.24.4p1: complete

Tulemusena paigaldatakse

• /etc/puppet - seadistusfailid
• /usr/local/share/examples/ruby-puppet - näited

Ruby Gems süsteemi abil tarkvara paigaldamine

 # gem query --local
 
 *** LOCAL GEMS ***
 
 facter (1.5.7)
 puppet (0.24.7)

FreeBSD

Üks võimalus on installida ruby-gems pakett /devel/ruby-gems ja anda käsk gem install puppet Kuid kna sellega millegpärast ei tulnud default konfifaile on targem paigaldada see portsudes sysutils/puppets harust

Puppeti startimiseks peale booti tuleb rc.conf'i lisada read

puppetd_enable="YES"
puppetmasterd_enable="YES"

konfiguratsioonid nagu puppet.conf näidis asuvad kaustas /usr/local/etc/puppet/

http://reductivelabs.com/trac/puppet/wiki/PuppetFreeBSD

Puppetmasteri ettevalmistamine

Puppetmasteri protsess töötab privilegeerimata kasutajana ja tema tööd juhivad seadistusfailid

• /etc/puppet/puppet.conf

 [main]
 logdir=/var/log/puppet
 vardir=/var/lib/puppet
 ssldir=/var/lib/puppet/ssl
 rundir=/var/run/puppet
 factpath=$vardir/lib/facter
 pluginsync=false
 
 [puppetmasterd]
 templatedir=/var/lib/puppet/templates

• /etc/puppet/fileserver.conf

 [files]
   path /etc/puppet/files
   allow 192.168.10.0/24

Moodulid

 # find /etc/puppet/modules -type f
 /etc/puppet/modules/sudo/files
 /etc/puppet/modules/sudo/files/sudoers
 /etc/puppet/modules/sudo/manifests
 /etc/puppet/modules/sudo/manifests/init.pp

kus

• /etc/puppet/modules/sudo/files/sudoers fail sisaldab väljajagatava /etc/sudoers faili sisu
• /etc/puppet/modules/sudo/manifests/init.pp sisaldab sudo mooduliga seotud metaandmeid

 # /etc/puppet/modules/sudo/manifests/init.pp
 
 class sudo {
 
   package { sudo: ensure => latest }
 
   file { "/etc/sudoers":
     owner => "root",
     group => "root",
     mode  => 440,
     source  => "puppet:///sudo/sudoers",
     require => Package["sudo"],
   }
 }

Puppeti seadistused

Moodulid ja node'id ühendab kokku kolm faili

 # find /etc/puppet/manifests -type f
 /etc/puppet/manifests/modules.pp
 /etc/puppet/manifests/nodes.pp
 /etc/puppet/manifests/site.pp

kus

• /etc/puppet/manifests/modules.pp

 # /etc/puppet/manifests/modules.pp
 
 import "sudo"

• /etc/puppet/manifests/nodes.pp

 # /etc/puppet/manifests/nodes.pp
 
 node basenode {
   include sudo
 }
 
 node 'puppet-1.auul' inherits basenode {
 }

• /etc/puppet/manifests/site.pp

 # /etc/puppet/manifests/site.pp
 
 import "modules"
 import "nodes"
 
 # The filebucket option allows for file backups to the server
 filebucket { main: server => 'puppet-master.auul' }
 
 # Set global defaults - including backing up all files to the main filebucket and adds a global path
 File { backup => main }
 Exec { path => "/usr/bin:/usr/sbin/:/bin:/sbin" }

Puppet kliendi ettevalmistamine

Selleks, et Puppeti kliendi protsess saaks teha vajalikke muudatusi töötab ta juurkasutajana ja tema tööd juhivad sellised failid

• /etc/puppet/puppet.conf

 [main]
 logdir=/var/log/puppet
 vardir=/var/lib/puppet
 ssldir=/var/lib/puppet/ssl
 rundir=/var/run/puppet
 factpath=$vardir/lib/facter
 pluginsync=false
 server=puppet-master.auul
 listen=true

 [puppetmasterd]
 templatedir=/var/lib/puppet/templates

• /etc/puppet/namespaceauth.conf

 [fileserver]
   allow *
 
 [pelementserver]
    allow *
 
 [puppetrunner]
   allow *
 
 [puppetbucket]
   allow *
 
 [puppetreports]
   allow *

Kliendi registreerimine Puppetmasteris

 # puppetca -l
 puppet-1.auul

Signeerimiseks tuleb öelda

 # puppetca -s puppet-1.auul
 Signed puppet-1.auul

Puppetmaster ja puppet kliendid hoiavad oma andmeid kataloogis

 /var/lib/puppet

Selleks, et klient küsiks puppetmasterilt oma seadistusi

 puppet-1:~# ps aux | grep pup
 root      8161  4.0 10.0  36652 25472 ?        Ssl  15:28   0:14 ruby /usr/sbin/puppetd -w 5
 puppet-1:~# kill -SIGUSR1 8161

Kliendi eemaldamiseks sobib öelda

 # puppetca --clean puppet-1.auul
 Removing /var/lib/puppet/ssl/ca/signed/puppet-1.auul.pem

puppetrun

Selleks, et töötaks, tuleb /usr/sbin/puppetrun failis teha real 240

 if Puppet[:node_terminus] = "ldap"

asendus = -> ==

 if Puppet[:node_terminus] == "ldap"

 # puppetrun -d --host puppet-3.auul
 Failed to load ruby LDAP library. LDAP functionality will not be available
 debug: Parsing /etc/puppet/puppet.conf
 debug: Puppet::Network::Client::Runner: defining puppetrunner.run
 Triggering puppet-3.auul
 debug: Calling puppetrunner.run
 puppet-3.auul finished with exit code 0
 Finished

Puppetmasteri kasutamine koos Apache veebiserveriga

Puppetmasterit on mõttekas kasutada koos Apache veebiserveriga sellistel kaalutlustel

• suurem jõudlus
• paindlikum sertifikaatide haldus, nt eraldi PKI haru sub CA suhtes antud puppeti hostide sertide jaoks
• saab moodustada parema käideldavusega süsteemi, nt kasutada mitut puppetmasteri eksemplari

Lisaks Apache veebiserverile tuleb paigaldada Mongrel tarkvara, mis esineb Ruby teekide kujul

# apt-get install apache2 mongrel

Kasulikud lisamaterjalid

• http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel

Puppetmasteri seadistamine

Erinevalt nö vanilla seadistusega Puppetmasterist tuleb antud juhul teha seadistusfaili /etc/default/puppetmaster kaks täiendust

SERVERTYPE=mongrel
PORT=18140

Apache seadistamine

Sobib kasutada nt sellist veebiserver seadistusfaili

ProxyRequests Off

<Proxy balancer://puppetmaster>
   BalancerMember http://127.0.0.1:18140
</Proxy>

<VirtualHost 10.0.9.227:8140>
   SSLEngine on
   SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
   SSLCertificateFile /var/lib/puppet/ssl/certs/fai-9-227.loomaaed.pem
   SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/fai-9-227.loomaaed.pem
   SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
   SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
   SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
   SSLVerifyClient optional
   SSLVerifyDepth  3
   SSLOptions +StdEnvVars

   RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
   RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

<Location /balancer-manager>
  SetHandler balancer-manager
  Order Allow,Deny
  Allow from 172.19
</Location>

<Location />
  SetHandler balancer-manager
  Order allow,deny
  Allow from all
 </Location>

ProxyPass /balancer-manager !
ProxyPass / balancer://puppetmaster:8140/
ProxyPassReverse / balancer://puppetmaster:8140/
ProxyPreserveHost on

</VirtualHost>

Puppetmasteri kasutamine koos LDAP kataloogiga

• http://projects.puppetlabs.com/projects/puppet/wiki/LDAP_Nodes

Misc

ralsh

 # ralsh user ntp
 user { 'ntp':
     password => '*',
     shell => '/bin/false',
     uid => '106',
     home => '/home/ntp',
     gid => '110',
     ensure => 'present'
 }

Facter

 # facter 
 architecture => amd64
 domain => auul
 facterversion => 1.5.1
 fqdn => puppet-1.auul
 hardwareisa => unknown
 hardwaremodel => x86_64
 hostname => puppet-1
 id => root
 interfaces => eth0
 ipaddress => 192.168.10.181
 ipaddress_eth0 => 192.168.10.181
 kernel => Linux
 kernelrelease => 2.6.26-2-amd64
 kernelversion => 2.6.26
 macaddress => 70:01:68:01:01:81
 macaddress_eth0 => 70:01:68:01:01:81
 ...

Kasulikud lisamaterjalid

• http://www.debian-administration.org/articles/526
• http://www.debian-administration.org/articles/528
• http://www.linuxjournal.com/magazine/automate-system-administration-tasks-puppet?page=0,0
• FAI kasutamine Debianiga
• http://projects.puppetlabs.com/projects/puppet/wiki/Certificates_And_Security
• http://projects.puppetlabs.com/projects/puppet/wiki/LDAP_Nodes