An Introduction to Puppet (using PuppetDB)


Upload: walter-heck

Post on 24-Oct-2014


DESCRIPTION

Introduction walkthrough for Puppet, making use of PuppetDB 0.9, Exported Resources, Inventory Service, Open Source modules, and git submodules

TRANSCRIPT

Hands-on: getting your feet wet with puppet
PuppetDB, Exported Resources, 3rd party open source modules, git submodules, inventory service

June 5th, 2012 Puppet Camp Southeast Asia Kuala Lumpur, Malaysia Walter Heck, OlinData

Overview
Introduction OlinData
Checkup
Set up puppet & puppetdb
Set up a 2nd node
Add an open source puppet module
Implement it and show exported resources usage

Future of Puppet in South East Asia

Introduction OlinData
OlinData: MySQL consulting; Tribily, server monitoring as a service (http://tribily.com); Puppet training and consulting

Founded in 2008; set up to be run remotely and location independent

Started using Puppet in 2010; official puppetlabs partner since 02-2012; experience with large, medium and small infrastructures

Checkup

Who is using puppet? Who's going to? Haven't decided yet?
Who is using puppet in production?
Stored configs? Open source modules? Exported resources? Inventory service?

Prerequisites
Good mood for tinkering
VirtualBox
Debian 6.0.4 64bit VM
Internet connection (preferably > 28k8)

Doing the minimum prep

Get the repository .deb package and install it (this should be automated into your bootstrapping, of course!):
# wget http://apt.puppetlabs.com/puppetlabs-release_1.0-3_all.deb
# dpkg -i puppetlabs-release_1.0-3_all.deb
# aptitude update
# aptitude install puppetmaster-passenger puppet puppetdb puppetdb-terminus

Note that the release package is fetched over plain HTTP and installed as root, and it is what installs the apt signing key for everything that follows. Verify its checksum or signature against a trusted source before running dpkg -i.

Adjust puppet config files

/etc/puppet/puppetdb.conf
[main]
server = debian-puppetcamp.example.com
port = 8081

/etc/puppet/puppet.conf
[master]
storeconfigs = true
storeconfigs_backend = puppetdb

/etc/puppet/routes.yaml
master:
  facts:
    terminus: puppetdb
    cache: yaml

8081 is PuppetDB's TLS port; the master must talk to that one, not to the plain-HTTP port 8080.

Add permissions for inventory service
Add permissions to auth.conf:
# NOTE: refine this on a production server!
path /facts
auth any
method find, search
allow *

As written this entry lets any client, authenticated or not, search and read the facts of every node (addresses, kernel versions, hardware). On a production master use auth yes and replace allow * with the certnames that actually need inventory access.

Set up SSL certs
Run the ssl generating script:
# /usr/sbin/puppetdb-ssl-setup

Set the generated password in the jetty config file:
# cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt
# vim /etc/puppetdb/conf.d/jetty.ini
[..]
key-password=tP35htAMH8PUcYVtCAmSVhYbf
trust-password=tP35htAMH8PUcYVtCAmSVhYbf

Set ownership for /etc/puppetdb/ssl:
# chown -R puppetdb:puppetdb /etc/puppetdb/ssl

jetty.ini now holds the keystore password in clear text, so keep it (and puppetdb_keystore_pw.txt) readable by the puppetdb user only.

Check ssl certs
Check the ssl certs for puppetdb against puppet:
# keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

debian-puppetcamp.example.com, Jun 4, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24

# puppet cert fingerprint debian-puppetcamp.example.com --digest=md5
debian-puppetcamp.example.com D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24

The two fingerprints must be identical: that is what proves the keystore holds the certificate the Puppet CA issued and not something else. If your keytool prints a SHA1 or SHA256 fingerprint, pass the same digest to puppet cert fingerprint.

Restart Restart apache/passenger & puppetdb# /etc/init.d/puppetdb restart && apache2ctl restart

Sit back and watch the puppetdb log:
2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC username was not set in config!
2012-06-04 18:02:22,154 WARN [main] [bonecp.BoneCPConfig] JDBC password was not set in config!
2012-06-04 18:02:23,050 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose start
2012-06-04 18:02:23,109 INFO [BoneCP-pool-watch-thread] [HSQLDB37B6BA305B.ENGINE] checkpointClose end
2012-06-04 18:02:23,160 INFO [main] [cli.services] Starting broker
2012-06-04 18:02:24,890 INFO [main] [journal.Journal] ignoring zero length, partially initialised journal data file: db-1.log number = 1 , length = 0
2012-06-04 18:02:25,051 INFO [main] [cli.services] Starting 1 command processor threads
2012-06-04 18:02:25,063 INFO [main] [cli.services] Starting query server
2012-06-04 18:02:25,064 INFO [main] [cli.services] Starting database compactor (60 minute interval)
2012-06-04 18:02:25,087 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
2012-06-04 18:02:25,090 INFO [clojure-agent-send-off-pool-1] [mortbay.log] jetty-6.1.x
2012-06-04 18:02:25,140 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started [email protected]:8080
2012-06-04 18:02:25,885 INFO [clojure-agent-send-off-pool-1] [mortbay.log] Started [email protected]:8081

The JDBC username/password warnings are expected here: this install uses the default embedded HSQLDB database, which has no credentials to set.

Test run!
Check for listening connections:
# netstat -ln | grep 808
tcp6  0  0  127.0.1.1:8080  :::*  LISTEN
tcp6  0  0  127.0.1.1:8081  :::*  LISTEN

Port 8080 is PuppetDB's unauthenticated plain-HTTP interface. Keep it bound to loopback as it is here; only the TLS port 8081 should be reachable from anywhere else.

Run puppet:
# puppet agent -t
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338804503'
notice: Finished catalog run in 0.09 seconds

Create git repo/get submodule
Create a git repo of our puppet repository:
# git init
Initialized empty Git repository in /etc/puppet/.git/
# git add *
# git commit -m 'initial commit'
[master (root-commit) bf0eff5] initial commit
 Committer: root
 6 files changed, 157 insertions(+), 0 deletions(-)
 create mode 100755 auth.conf
 create mode 100644 fileserver.conf
 create mode 100644 puppet.conf
 create mode 100644 puppetdb.conf
 create mode 100644 routes.yaml

The first beginnings of a new world
Add 2 nodes to /etc/puppet/manifests/site.pp:
node 'debian-puppetcamp.example.com' {
  file { '/tmp/puppet.txt':
    ensure  => present,
    content => "This is host ${::hostname}\n",
  }
}

node 'debian-node.example.com' {
  file { '/tmp/puppet.txt':
    ensure  => present,
    content => "This is host ${::hostname}\n",
  }
}

Adding a node
Install puppet:
# aptitude install puppet

Point to the puppetmaster (add an /etc/hosts entry mapping the name puppet to the master's address):
# vim /etc/hosts
puppet

Signing the node
Run puppet once to generate a cert request:
# puppetd -t
info: Creating a new SSL key for debian-node.example.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for debian-node.example.com
info: Certificate Request fingerprint (md5): 17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

The "peer certificate won't be verified" warnings are expected on this bootstrap run, before the agent holds a signed certificate of its own. Write down the request fingerprint it prints; that is what you compare on the master before signing.

Sign the request on the master:
# puppet cert --list --all
  debian-node.example.com (17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9)
+ debian-puppetcamp.example.com (64:A6:C8:9F:FC:50:3E:79:9D:0D:19:04:4B:29:68:D1) (alt names: DNS:debian-puppetcamp.example.com, DNS:puppet, DNS:puppet.example.com)
# puppet cert --sign debian-node.example.com
notice: Signed certificate request for debian-node.example.com
notice: Removing file Puppet::SSL::CertificateRequest debian-node.example.com at '/var/lib/puppet/ssl/ca/requests/debian-node.example.com.pem'

Only sign after checking that the fingerprint listed for debian-node.example.com is the one the node itself printed (17:E0:... in both places here). Anyone who can reach port 8140 can submit a request under any name; the fingerprint comparison is what stops you from handing a rogue host a certificate for a name you trust.
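Both trust steps above (the keystore-versus-CA check and the sign-only-on-matching-fingerprint check) come down to comparing fingerprints printed by two different tools. The POSIX sh script below is an added example written for this page, not code from the slides or from Puppet Labs. It works on captured command output so it runs without keytool or puppet installed; on a real master you would feed it the output of keytool -list, puppet cert fingerprint and puppet cert --list instead of the sample strings, which are constructed from the values on the slides. The function names are the editor's, and the sign command is printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the slides): the two fingerprint checks in this
# walkthrough, done on captured command output so the logic can run without
# keytool or puppet installed.
#   1. The cert in PuppetDB's keystore must be the one the Puppet CA issued.
#   2. A CSR is signed only if the fingerprint the node printed matches the
#      one `puppet cert --list` shows on the master (no blind signing).
# Function names and the sample outputs below are the editor's; the samples
# are constructed from the values shown on the slides.

# Normalise a fingerprint for comparison: drop colons and spaces, lowercase.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# First "Certificate fingerprint (...)" value in `keytool -list` output.
# Accepts whatever digest label keytool prints (MD5, SHA1, SHA256, ...).
keytool_fp() {
    printf '%s\n' "$1" |
        sed -n 's/.*Certificate fingerprint ([A-Z0-9-]*): *\([0-9A-Fa-f:]*\).*/\1/p' |
        head -n 1
}

# Fingerprint for host $2 in `puppet cert fingerprint` or `puppet cert --list`
# output $1. Strips the leading "+ "/indent marker and the parentheses, and
# ignores a trailing "(alt names: ...)".
puppet_fp() {
    printf '%s\n' "$1" | awk -v host="$2" '
        { line = $0; sub(/^[ +]+/, "", line) }
        index(line, host " ") == 1 {
            fp = line
            sub(/^[^ ]+ +/, "", fp)       # drop the hostname
            gsub(/[()]/, "", fp)          # "(64:A6:...)" -> "64:A6:..."
            split(fp, parts, " ")
            print parts[1]
            exit
        }'
}

# Check 1: $1 = keytool output, $2 = puppet cert fingerprint output, $3 = host.
# Returns 0 only if both fingerprints are present and equal.
keystore_matches_ca() {
    a=$(norm_fp "$(keytool_fp "$1")")
    b=$(norm_fp "$(puppet_fp "$2" "$3")")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check 2: $1 = puppet cert --list output, $2 = host, $3 = fingerprint the
# node printed. Prints the sign command on a match (run it for real in
# production); returns 1 on mismatch, 2 if no request is listed for the host.
sign_if_fingerprint_matches() {
    listed=$(norm_fp "$(puppet_fp "$1" "$2")")
    if [ -z "$listed" ]; then
        echo "no certificate request listed for $2" >&2
        return 2
    fi
    if [ "$listed" != "$(norm_fp "$3")" ]; then
        echo "fingerprint mismatch for $2: refusing to sign" >&2
        return 1
    fi
    echo "puppet cert --sign $2"
}

# --- constructed sample outputs (values taken from the slides) ---
KEYTOOL_OUT='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

debian-puppetcamp.example.com, Jun 4, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24'

PUPPET_FP_OUT='debian-puppetcamp.example.com D7:F1:03:5F:E0:1A:C3:DB:E1:23:C4:CE:43:FA:24:24'

CERT_LIST_OUT='  debian-node.example.com (17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9)
+ debian-puppetcamp.example.com (64:A6:C8:9F:FC:50:3E:79:9D:0D:19:04:4B:29:68:D1) (alt names: DNS:debian-puppetcamp.example.com, DNS:puppet, DNS:puppet.example.com)'

# Fingerprint as printed by the node on its first run (matches the listing).
NODE_FP='17:E0:87:45:F7:05:44:EE:F2:65:89:7B:56:62:CA:A9'

if keystore_matches_ca "$KEYTOOL_OUT" "$PUPPET_FP_OUT" debian-puppetcamp.example.com; then
    echo "puppetdb keystore holds the CA-issued certificate"
fi
sign_if_fingerprint_matches "$CERT_LIST_OUT" debian-node.example.com "$NODE_FP"
# A request whose fingerprint differs from what the node showed is refused:
if ! sign_if_fingerprint_matches "$CERT_LIST_OUT" debian-node.example.com '00:11:22:33'; then
    echo "rogue request not signed"
fi
```

Comparison is done on a normalised form (no colons, lowercase) so output from tools that format fingerprints differently still compares correctly; the digest itself is not normalised, so both sides must use the same one.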

Run puppet and check result
Run puppet on the node:
# puppetd -t
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for debian-node.example.com
No LSB modules are available.
info: Caching certificate_revocation_list for ca
info: Caching catalog for debian-node.example.com
info: Applying configuration version '1338822174'
notice: /Stage[main]//Node[debian-node.example.com]/File[/tmp/puppet.txt]/ensure: created
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.06 seconds

Check result:
# cat /tmp/puppet.txt
This is host debian-node

Say YEAH!

Adding a git submodule
Clone the firewall submodule from github:
# git submodule add https://github.com/puppetlabs/puppetlabs-firewall.git modules/firewall
Cloning into modules/firewall...
remote: Counting objects: 1065, done.
remote: Compressing objects: 100% (560/560), done.
remote: Total 1065 (delta 384), reused 1012 (delta 341)
Receiving objects: 100% (1065/1065), 158.69 KiB | 117 KiB/s, done.
Resolving deltas: 100% (384/384), done.

A submodule pins the exact commit you cloned, which is what makes third-party modules reviewable: read the module at that commit before letting it manage your firewall, and update the pin deliberately rather than tracking a moving branch.

Commit it to the main repo:
# git add * && git commit -m 'Added 2 node defs and firewall submodule'
[master d0bab6f] Added 2 node defs and firewall submodule
 Committer: root
 3 files changed, 17 insertions(+), 0 deletions(-)
 create mode 100644 .gitmodules
 create mode 100644 manifests/site.pp
 create mode 160000 modules/firewall

Using the new firewall submodule
Adjust manifests/site.pp:
node 'basenode' {
  @@firewall { "200 allow conns to the puppetmaster from ${::fqdn}":
    chain  => 'INPUT',
    action => 'accept',
    proto  => 'tcp',
    dport  => 8140,
    source => $::ipaddress_eth1,
    tag    => 'role:puppetmaster',
  }
}

# Our puppet master
node 'debian-puppetcamp.example.com' inherits basenode {
  # Gather all Firewall rules here
  Firewall <<| tag == 'role:puppetmaster' |>>
}

# Our sample node
node 'debian-node.example.com' inherits basenode {
}

Every node exports (@@) one accept rule for its own address; the master collects (<<| |>>) all rules carrying the tag and applies them to its own INPUT chain. Be clear about what is trusted here: the source address is a fact reported by the agent itself, and the rule reaches the master's firewall through PuppetDB without anyone reviewing it. A compromised or impersonated node can therefore export an accept rule for any address it likes. Treat exported resources as input from the nodes, not from you, and never let them widen access to anything more sensitive than the port the nodes already need.

Running puppet agent
Execute puppet runs on both nodes:
root@debian-puppetcamp:/etc/puppet# puppetd -t
info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338825096'
notice: /Firewall[200 allow conns to the puppetmaster from debian-puppetcamp.example.com]/ensure: created
notice: Finished catalog run in 0.47 seconds

root@debian-node:~# puppetd -t
No LSB modules are available.
info: Caching catalog for debian-node.example.com
info: Applying configuration version '1338825096'
notice: Finished catalog run in 0.03 seconds

root@debian-puppetcamp:/etc/puppet# puppetd -t
info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
No LSB modules are available.
info: Caching catalog for debian-puppetcamp.example.com
info: Applying configuration version '1338825096'
notice: /Firewall[200 allow conns to the puppetmaster from debian-node.example.com]/ensure: created
notice: Finished catalog run in 0.22 seconds

The master needs a second run: an exported resource only exists in PuppetDB after the exporting node has compiled a catalog, so debian-node's rule can only be collected on the master once debian-node has run.

Checking results
Iptables on the puppetmaster:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source         destination
ACCEPT     tcp  --  192.168.0.111  anywhere     multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-node.example.com */
ACCEPT     tcp  --  192.168.0.109  anywhere     multiport dports 8140 /* 200 allow conns to the puppetmaster from debian-puppetcamp.example.com */
[..]

Note the chain policy: with INPUT at ACCEPT these rules change nothing yet. They only start to matter once the policy (or a final rule) drops everything else, which is also the point at which a wrong or spoofed exported rule starts to matter.

Inventory service
Query for all nodes running debian squeeze:
root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" https://puppet:8140/production/facts_search/search?facts.lsbdistcodename=squeeze\&facts.operatingsystem=Debian
---
- debian-puppetcamp.example.com
- debian-node.example.com

Query for facts about a certain node:
root@debian-puppetcamp:/etc/puppet# curl -k -H "Accept: yaml" https://puppet:8140/production/facts/debian-puppetcamp.example.com
--- !ruby/object:Puppet::Node::Facts
expiration: 2012-06-04 18:38:21.174542 +08:00
name: debian-puppetcamp.example.com
values:
  productname: VirtualBox
  kernelmajversion: "2.6"
  ipaddress_eth0: 10.0.2.15
  kernelversion: 2.6.32
[..]

Two things to fix before doing this outside a lab. First, -k switches off verification of the master's certificate; point curl at the CA certificate the agent already trusts (--cacert /var/lib/puppet/ssl/certs/ca.pem) and present the agent's own certificate and key with --cert and --key instead. Second, with the auth.conf entry above (auth any, allow *) this fact dump is readable by any host that can reach port 8140, so tighten that entry before the inventory contains anything you would not publish.

Questions?

OlinData and Puppet Training
Upcoming trainings:
Singapore, August 6-8
Hyderabad, July 11-14

Cheaper than in the West (50% or more discount!)
Expanding to 5 countries in 5 months

Consulting
Remote consulting worldwide
Ongoing hands-on engineering
Start from scratch or improve an existing environment

Walter Heck ([email protected]) @walterheck / @olindata #PuppetCampSEA http://www.olindata.com Like us on Facebook: http://fb.me/olindata