Puppet

# Running Puppet on Solaris

Solaris was an early development target for Puppet, hence Puppet's

support for the platform is mature and stable.

Note: Facter 1.5.2 and below use /etc/release to determine

operating system version. Solaris 5.11 (OpenSolaris) doesn't use

/etc/release any more. This has been fixed in the

[facter git repo](http://projects.reductivelabs.com/projects/facter/repository/revisions/e6d987d333d79e11dd8782fad1286d8348419842),

but as of this writing (6 Feb 09), has not been packaged. You will

need to manually patch Facter if you want to use it on OpenSolaris

# InstallationOpen Solaris?

Puppet and facter are available in pkg(5) format from Code Nursery,

so all you have to do is to add them as a package provider, and

then install the package.

    # pkg set-publisher -O http://pkg.codenursery.com/ codenursery.com

    # pkg install puppet

This installs two smf(5) services:

-   svc:/network/puppet/client:default

-   svc:/network/puppet/master:default

which both are disabled by default. They require

/etc/puppet/puppet.conf to be present, so before trying to enable

either of them you need to create that file.

# Installation (Blastwave Package)

Puppet has Facter and Ruby as prerequisites, neither of which will

be found on a stock, default Solaris installation.

By far the easiest way to install puppet and its dependencies is to

use the blastwave (Community Software) archive, aka CSW

[http://www.blastwave.org](http://www.blastwave.org). The first

step is to install pkgutil, which allows you to retreive software

from the blastwave repositories.

Please follow the instructions located on the blastwave site

[http://www.blastwave.org/howto.html](http://www.blastwave.org/howto.html)

for installing pkgutil, then return here to continue installing

Puppet.

Now that you have pkgutil installed, you can use pkgutil to install

puppet. Pkgutil will resolve all of the dependencies, and install

those packages as well.

    # /opt/csw/bin/pkgutil -U

    # /opt/csw/bin/pkgutil --install puppet

Note that this not only installs puppet, it also turns on the

daemon which starts looking for a local puppet master server. To

stop this, after installation:

    # svcadm disable puppetd

Note: At the moment blastwave is going through some internal

turmoil. This has caused Gary Law, the puppet solaris package

maintainer, to temporarily postpone updating the blastwave

repositories with the latest version of puppet. He has however

provided the packages from his personal website:

[http://garylaw.net/packages/](http://garylaw.net/packages/). For

more information check out Gary's post here:

[Gary's google groups post](http://groups.google.com/group/puppet-users/browse_thread/thread/4722c4119e4e9540/c064f4436c98e89d?lnk=gst&q=solaris#c064f4436c98e89d)

# Installation (Sunfreeware + )Ruby Gems?

This is an alternative method for installing Puppet on Solaris 10.

Rather than depending on Blastwave, which is an entire package

framework, I prefer the simplest installation with the least steps

and dependencies.

\1) Install Ruby from the

 [Solaris Companion DVD](http://www.sun.com/software/solaris/freeware/)

 or

 [sunfreeware.com](ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/ruby-1.8.7p72-sol10-sparc-local.gz):

      pkgadd -d /cdrom/Solaris_Software_Companion/Solaris_sparc/Packages/ SFWruby

\2) Download and install the latest

 [RubyGems](http://www.rubygems.org) (Like perl's CPAN module, but

 for Ruby):

      $ wget http://rubyforge.org/frs/download.php/45905/rubygems-1.3.1.tgz

      $ gzcat rubygems-1.3.1.tgz | tar -xf -

      $ cd rubygems-1.3.1

      $ /opt/sfw/bin/ruby setup.rb

\3) Install the latest Puppet and it's dependencies via Ruby

 Gems?:

      /opt/sfw/bin/gem update

      /opt/sfw/bin/gem install puppet

Ruby Gems? will automatically download and install all packages and

pre-requisites.

\4) You'll have to write your own /etc/init.d/puppetd and

 /etc/init.d/puppetmasterd scripts, or modify the Blastwave SMF

 manifests. Other than that, puppet is pretty much installed.

# Installation (Cool Stack)

"Optimized Open Source Software Stack (Cool Stack) for the Sun

Solaris Operating System(TM). Cool Stack is a collection of some of

the most commonly used open source applications optimized for the

Sun Solaris OS"

1)

[Download](https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=CoolStack-1.3.1Fin-G-F@CDS-CDS_SMI)

and install CSKruby package for your platform (Sparc or x86)

    pkgadd -d CSKruby_1.3.1_sparc.pkg

\2) CSKruby will be installed to /opt/coolstack, so add that to

 your default path.

    export PATH=$PATH:/opt/coolstack/bin

\3) Install facter + puppet from Ruby Gem? -or- tarball

    gem install facter

    gem install puppet

OR

 $ wget http://reductivelabs.com/downloads/facter/facter-latest.tgz

    $ tar xvzf facter-1.5.7.tar.gz

    $ cd facter-1.5.7

    $ ./install.rb

    $ wget http://reductivelabs.com/downloads/puppet/puppet-0.25.0.tar.gz

    $ tar xvzf puppet-0.25.0.tar.gz

    $ cd puppet-0.25.0

    $ ./install.rb

\4) TODO: Will add SRV4 packaging instructions here \*soon\*

# Integrating Puppet with Jumpstart

## Solaris 10

post-install script:

    #!/bin/sh

    ### Setup

    mkdir /a/jumpstart

    mount jumpstartserver:/opt/solaris/jumpstart /a/jumpstart

    ### Blastwave support

    cd /a/jumpstart

    cp root.profile /a/.profile

    mkdir -p /a/usr/local/bin

    cp wget-`uname -p`.bin /a/usr/local/bin/wget

    chmod 755 /a/usr/local/bin/wget

    mkdir -p /a/opt/csw

    echo all | pkgadd -a admin.jumpstart -d pkg_get-3.8.1-all-CSW.pkg -R /a

    cp /a/jumpstart/pkg-get.conf /a/opt/csw/etc

    cp /a/var/pkg-get/admin-fullauto /a/var/pkg-get/admin

    ### Ruby from Blastwave

    cd /a/jumpstart

    mkdir -p /a/usr/local/sbin

    cp /a/jumpstart/ruby-install.sh /a/usr/local/sbin

    chmod 700 /a/usr/local/sbin/ruby-install.sh

    chroot /a /usr/local/sbin/ruby-install.sh

    ### Facter and Puppet from garylaw.net

    cp facter-1.3.8,REV=2007.09.23-SunOS5.8-all-CSW.pkg /a/tmp

    cp puppet-0.23.2,REV=2007.09.23-SunOS5.8-all-CSW.pkg /a/tmp

    cp admin.jumpstart /a/tmp

    cp /a/jumpstart/puppet-install.sh /a/usr/local/sbin

    chmod 700 /a/usr/local/sbin/puppet-install.sh

    chroot /a /usr/local/sbin/puppet-install.sh

    ## Puppet setup

    cp puppetd.conf /a/etc/puppet

    cd /a/var/svc/manifest/network

    ln -s ../../../../opt/csw/var/svc/manifest/puppetd.xml .

    cd /a/jumpstart

    ### Teardown

    cd /

    umount /a/jumpstart

    rmdir /a/jumpstart

root.profile

    umask 022

    PATH=/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dt/bin:/usr/openwin/bin:/bin:/usr/ucb:/opt/SUNWspro/bin:/usr/local/bin:/usr/local/sbin:/opt/csw/bin:/opt/csw/sbin

    export PATH

    MANPATH=/usr/man:/usr/dt/man:/usr/openwin/share/man:/usr/local/man:/opt/SUNWspro/man:/opt/csw/man

    export MANPATH

    PS1="`whoami`@`hostname`# "

    export PS1

admin.jumpstart

    mail=

    instance=unique

    partial=nocheck

    runlevel=nocheck

    idepend=nocheck

    rdepend=nocheck

    space=nocheck

    setuid=nocheck

    conflict=nocheck

    action=nocheck

    basedir=default

pkg-get.conf

    url=http://www.gtlib.gatech.edu/pub/blastwave/unstable

ruby-install.sh -- pkg-get running inside a chroot requires a

working mnttab, and openssl (one of the Ruby dependencies) requires

a working /dev/random and /dev/urandom. On my Solaris 10 Jumpstart

installs, /dev/random and /dev/urandom exist in the chroot, but are

symlinks to missing entries in /devices.

    #!/bin/sh

    /sbin/mount -F mntfs mnttab /etc/mnttab

    mknod /devices/pseudo/random@0:random c 190 0

    mknod /devices/pseudo/random@0:urandom c 190 1

    PATH=$PATH:/usr/local/bin:/usr/local/sbin:/opt/csw/bin:/opt/csw/sbin

    export PATH

    pkg-get install ruby

puppet-install.sh -- these installs might not require a chroot, and

may work fine if installed similar to the pkg-get installation

above.

    #!/bin/sh

    /sbin/mount -F mntfs mnttab /etc/mnttab

    cd /tmp

    mkdir /etc/puppet

    echo all | pkgadd -a admin.jumpstart -d \

            facter-1.3.8,REV=2007.09.23-SunOS5.8-all-CSW.pkg

    echo all | pkgadd -a admin.jumpstart -d \

            puppet-0.23.2,REV=2007.09.23-SunOS5.8-all-CSW.pkg

puppet.conf

    [puppetd]

    # Make sure all log messages are sent to the right directory

    # This directory must be writable by the puppet user

    logdir=/opt/csw/var/puppet/log

    vardir=/opt/csw/var/puppet

    rundir=/opt/csw/var/puppet/run

    server=puppetserver.domain

    factsync=true

# Simple Puppetmaster install and configuration

To do

# Puppet on older versions of Solaris

Of course, blastwave will only work on Solaris 8+. However, Puppet

does work well with the Ruby from sunfreeware for at least Solaris

2.6 and 7, and people have even had success compiling pkg-get for

use with those platforms by pointing it to the sunfreeware

repository - however, your mileage may vary with that (not tested

by the person writing this paragraph). Certainly, using sunfreeware

packages and native sun packages on their own works quite well.

# Minimal Solaris Puppet Client Installation Instructions

This assumes Solaris 10 or later, you are **root**, with **bash**

and **wget** installed and in your PATH:-

## Step 1, install pkgutil

    exec bash

    wget -q -O - \

    http://ftp.math.purdue.edu/mirrors/opencsw.org/unstable/$(uname -p)/$(uname -r)/pkgutil-1.4,REV=2009.01.19-SunOS5.8-$(uname -p)-CSW.pkg.gz \

    | gunzip --stdout - > /tmp/pkgutil.pkg

    yes | pkgadd -d /tmp/pkgutil.pkg all

    /opt/csw/bin/pkgutil -U

## Step 2, install puppet

    yes | /opt/csw/bin/pkgutil -i CSWpuppet

This will install common, ruby, facter and any other required

dependencies, then puppet, and then start up puppetd with a blank

config (defaults to looking for a puppet server at

puppet.YOURDOMAIN)

## More Detailed Solaris Puppet Client Installation Instructions

Installation of the Puppet infrastructure onto a client machine

requires a number of prerequisites to be met first. This procedure

outlines the installation process for these prerequisites and

ultimately Puppet itself on the Solaris 10 platform. Note: This

guide assumes that LDAPNodes is being used for node storage. If

not, omit any steps that relate to LDAP and do whatever is needed

for your node storage mechanism of choice.

All Blastwave packages are installed under: /opt/csw

### Procedure

\1) Install Blastwave Support

    # pkgadd -d http://www.blastwave.org/pkg_get.pkg

\2) Verify that the pkg-get configuration file is configured for

 your region

\3) Install the complete wget package

    # /opt/csw/bin/pkg-get -i wget

\4) Configure pkg-get to support automation.

    # cp -p /var/pkg-get/admin-fullauto /var/pkg-get/admin

\5) Now we are going to install gnupg and an md5 utility so that we

 can do some security validation of Blastwave packages.

    # /opt/csw/bin/pkg-get -i gnupg textutils

\6) Next we will copy the Blastwave PGP public key to the local

 host.

    # /opt/csw/bin/wget --output-document=pgp.key http://www.blastwave.org/mirrors.html

Which should result in output like this:

    --10:39:55--  http://www.blastwave.org/mirrors.html

               => `pgp.key'

    Resolving www.blastwave.org... 131.188.30.245

    Connecting to www.blastwave.org[131.188.30.245]:80... connected.

    HTTP request sent, awaiting response... 200 OK

    Length: 16,060 [text/html]

    100%[====================================>] 16,060        52.41K/s

    10:39:56 (52.33 KB/s) - `pgp.key' saved [16060/16060]

\7) Next we will import the PGP key that we just copied.

    # gpg --import pgp.key

\8) Verify that the following two lines in

 /opt/csw/etc/pkg-get.conf are COMMENTED OUT.

    #use_gpg=false

    #use_md5=false

\9) Install the Ruby software (CSWruby) from Blastwave.

    # /opt/csw/bin/pkg-get -i ruby

Note: This will also install any Ruby prerequisites.

\10) Install the Ruby Gems? software (CSWrubygems) from Blastwave.

    # /opt/csw/bin/pkg-get -i rubygems

\11) Add /opt/csw/bin and /opt/csw/sbin to the root user's PATH.

\12) Install Reductive Labs facter gem package using the Ruby Gem?

 installation tool.

    # gem install facter

\13) Install Reductive Labs Puppet gem package using the Ruby Gem?

 installation tool. The current STABLE version is: 0.23.2.

    # gem install puppet --version '0.23.2'

\14) Create the puppet user and group:

Info for /etc/passwd:

    puppet:x:35001:35001:puppet user:/home/puppet:/bin/sh

Info for /etc/shadow:

    puppet:*LK*:::::::

Info for /etc/group:

    puppet::35001:

\15) Create the following core directories and set the

 permissions:

    # mkdir -p /sysprov/dist/apps /sysprov/runtime/puppet/prod/puppet/master

    # chown -R puppet:puppet /sysprov/dist /sysprov/runtime

\16) Grab this sample puppet.conf file and modify the attributes

 listed below. Copy the modified file to the

 /sysprov/runtime/puppet/prod/puppet/master directory on your host.

\17) Create a file containing the new LDAP entry information for

 your host. In this file you specify the Puppet class membership

 which is what Puppet uses to determine which configuration(s) to

 use on your host. In the example below, the device is a member of

 the sudo and syslog-ng classes. This means that whenever the

 puppetd process is running on your host, it will periodically check

 with the puppetmaster to see whether its configuration is out of

 date and apply the configuration for a machine in the sudo and

 syslog-ng puppet classes. Likewise, if you later modify the LDAP

 entry to include another puppetclass entry or remove an existing

 entry, the puppetmaster will apply that configuration instead.

Note: You should specify the fully qualified domain name. Puppet

will compare this value to the SSL certificate to ensure a match.

If you use a non-FQDN, you are going to run into issues.

    # puppettest

    dn: cn=puppettest.domain.edu,ou=Hosts,dc=puppet

    objectClass: device

    objectClass: ipHost

    objectClass: puppetClient

    objectClass: top

    cn: puppettest.domain.edu

    ipHostNumber: W.X.Y.Z

    description: Test puppet client

    l: statcomp

    puppetclass: sudo

    puppetclass: syslog-ng

\18) Add an LDAP entry for your host. YOUR-LDAP-ENTRY-FILENAME is

 the file created in the previous step.

    $ ldapadd -h ld.domain.edu -x -D uid=12345, ou=humans, dc=domain, dc=edu -W -f YOUR-LDAP-ENTRY-FILENAME -v

If you are modifying an existing entry use this instead:

    $ ldapmodify -h ld.domain.edu -x -D uid=12345, ou=humans, dc=domain, dc=edu -W -f YOUR-LDAP-ENTRY-FILENAME -v

\19) Verify that your LDAP entry exists.

    $ ldapsearch -h ld.domain.edu -x -b'dc=puppet'

\20) From the Puppet client machine, request SSL Client Certificate

 from the puppetmaster.

    # puppetd --server puppetmaster.domain.edu --waitforcert 60 --test --config=/sysprov/runtime/puppet/prod/puppet/master/puppet.conf

\21) Login to the puppetmaster and sign the certificates

    # sudo puppetca --list --config=/sysprov/runtime/puppet/prod/puppet/master/puppet.conf

Which should show:

    YOURHOSTNAME.domain.edu

    # sudo puppetca --sign YOURHOSTNAME.domain.edu --config=/sysprov/runtime/puppet/prod/puppet/master/puppet.conf

\22) On the Puppet client machine you can then start the puppetd

 process. If you pass in the -v and/or -d parameters (verbose and

 debug), then the process does not run in the background. Omit these

 parameters to daemonize the process.

    # puppetd --server puppetmaster.domain.edu --config=/sysprov/runtime/puppet/prod/puppet/master/puppet.conf

Example Using Verbose and Debug Mode:

    # puppetd -v -d --server puppetmaster.domain.edu --config=/sysprov/runtime/puppet/prod/puppet/master/puppet.conf

\23) That is it. You should be able to check the system log to see

 whether your client is receiving updates from the puppetmaster.

    # tail -f /var/adm/messages

    Dec 17 09:06:39 cheshire puppetd[23486]: [ID 702911 daemon.notice] Starting configuration run

    Dec 17 09:07:00 cheshire puppetd[23486]: [ID 702911 daemon.notice] (//sudo/File[/sysprov/dist/apps/sudo]/ensure) created

    Dec 17 09:07:24 cheshire puppetd[23486]: [ID 702911 daemon.notice] (//sudo/File[/sysprov/dist/apps/sudo/UCRsudo]/ensure) created

    Dec 17 09:07:33 cheshire puppetd[23486]: [ID 702911 daemon.notice] (//sudo/Package[UCRsudo]/ensure) created

    Dec 17 09:07:33 cheshire puppetd[23486]: [ID 702911 daemon.notice] Finished configuration run in 54.72 seconds