Simplest Puppet Install Pattern
Version 1 (Anonymous, 03/13/2010 08:02 pm)
| 1 | 1 | # Getting Started with a Simple Puppet Recipe |
|
|---|---|---|---|
| 2 | 1 | ||
| 3 | 1 | Using Puppet is largely about developing the Puppet manifests, |
|
| 4 | 1 | which describe the configuration of your system. |
|
| 5 | 1 | ||
| 6 | 1 | Once you have Puppet installed (see [[Installation Guide]] ) on at |
|
| 7 | 1 | least one server (the Puppetmaster), and at least one client, |
|
| 8 | 1 | you're ready to set up a minimal configuration and get started |
|
| 9 | 1 | using Puppet. |
|
| 10 | 1 | ||
| 11 | 1 | # A Simple Manifest: Managing Ownership of a File |
|
| 12 | 1 | ||
| 13 | 1 | For our first manifest, we'll manage a single element (in this |
|
| 14 | 1 | case, a file) on all of our hosts. |
|
| 15 | 1 | ||
| 16 | 1 | ## Step one: Create /etc/puppet/manifests/classes/sudo.pp |
|
| 17 | 1 | ||
| 18 | 1 | First, we'll create a class, which we'll call sudo, in the sudo.pp |
|
| 19 | 1 | manifest. We'll use this appropriately-named manifest for all |
|
| 20 | 1 | configuration information related to sudo, so next time we'll be |
|
| 21 | 1 | able to find the sudo stuff quickly. We'll start simple, and just |
|
| 22 | 1 | manage the sudoers file for now: |
|
| 23 | 1 | ||
| 24 | 1 | # /etc/puppet/manifests/classes/sudo.pp |
|
| 25 | 1 | ||
| 26 | 1 | class sudo { |
|
| 27 | 1 | file { "/etc/sudoers": |
|
| 28 | 1 | owner => "root", |
|
| 29 | 1 | group => "root", |
|
| 30 | 1 | mode => 440, |
|
| 31 | 1 | } |
|
| 32 | 1 | } |
|
| 33 | 1 | ||
| 34 | 1 | So now we have a class which will ensure that the owner, group, and |
|
| 35 | 1 | mode of the /etc/sudoers file will be set consistently across all |
|
| 36 | 1 | systems that belong to that class (but we haven't chosen which |
|
| 37 | 1 | computers belong in that class, yet). |
|
| 38 | 1 | ||
| 39 | 1 | ## Step two: Create /etc/puppet/manifests/site.pp |
|
| 40 | 1 | ||
| 41 | 1 | Now we'll create the site.pp manifest which is the master manifest. |
|
| 42 | 1 | Puppet will search for a manifest by this name by default. Here's |
|
| 43 | 1 | our file: |
|
| 44 | 1 | ||
| 45 | 1 | # /etc/puppet/manifests/site.pp |
|
| 46 | 1 | ||
| 47 | 1 | import "classes/*" |
|
| 48 | 1 | ||
| 49 | 1 | node default { |
|
| 50 | 1 | include sudo |
|
| 51 | 1 | } |
|
| 52 | 1 | ||
| 53 | 1 | With the import statement on the first line, we import all of the |
|
| 54 | 1 | class files located in the classes subdirectory of the Puppet home |
|
| 55 | 1 | directory (/etc/puppet/manifests/classes in this case). Since we |
|
| 56 | 1 | only have one other manifest (our sudo.pp), this will be the only |
|
| 57 | 1 | file imported. Later, if we add more manifests in the classes |
|
| 58 | 1 | subdirectory, we won't have to edit site.pp again to add them to |
|
| 59 | 1 | the import statement. |
|
| 60 | 1 | ||
| 61 | 1 | After we've imported our classes, we create a default node |
|
| 62 | 1 | definition. In essence, the default node definition will be applied |
|
| 63 | 1 | to any node that doesn't fall into any other node definition's |
|
| 64 | 1 | scope. In this case, since we have no other node definitions, all |
|
| 65 | 1 | nodes will follow this node definition and so any node will include |
|
| 66 | 1 | our sudo class. |
|
| 67 | 1 | ||
| 68 | 1 | ## Step three: Start the Puppetmaster |
|
| 69 | 1 | ||
| 70 | 1 | Now that we have a basic manifest configuration laid out, we can |
|
| 71 | 1 | start the Puppetmaster daemon. We'll start the server with the |
|
| 72 | 1 | --mkusers option, so it creates the puppet user and group: |
|
| 73 | 1 | ||
| 74 | 1 | master % sudo puppetmasterd --mkusers |
|
| 75 | 1 | ||
| 76 | 1 | This will background the daemon and send all of its logs to the |
|
| 77 | 1 | syslog facility. If you would prefer, you can add --verbose and the |
|
| 78 | 1 | daemon will stay in the foreground and its messages will go to the |
|
| 79 | 1 | terminal. |
|
| 80 | 1 | ||
| 81 | 1 | On Ubuntu and other Debian based distributions, starting the |
|
| 82 | 1 | Puppetmaster daemon works like this: |
|
| 83 | 1 | ||
| 84 | 1 | master % sudo /etc/init.d/puppetmaster restart |
|
| 85 | 1 | ||
| 86 | 1 | ## Step four: Run a client |
|
| 87 | 1 | ||
| 88 | 1 | It's usually best to start with your first client being |
|
| 89 | 1 | Puppetmaster server itself. However, since the Puppetmaster will be |
|
| 90 | 1 | talking to itself, that client will already have a certificate, so |
|
| 91 | 1 | no signing will be necessary to establish trust between the |
|
| 92 | 1 | Puppetmaster server and itself. In this example, we'll configure a |
|
| 93 | 1 | client that isn't the Puppetmaster server so we can demonstrate how |
|
| 94 | 1 | to establish cryptographic trust between the Puppetmaster server |
|
| 95 | 1 | and its new clients: |
|
| 96 | 1 | ||
| 97 | 1 | First, start puppetd on the client in verbose mode: |
|
| 98 | 1 | ||
| 99 | 1 | client% sudo puppetd --verbose |
|
| 100 | 1 | ||
| 101 | 1 | You should see a message about not receiving a certificate, and on |
|
| 102 | 1 | the server you should get a message about a request waiting for |
|
| 103 | 1 | you. On the server, we'll list the certificates waiting for |
|
| 104 | 1 | signatures: |
|
| 105 | 1 | ||
| 106 | 1 | master% sudo puppetca --list |
|
| 107 | 1 | ||
| 108 | 1 | You should see our client's name listed, so we can give the |
|
| 109 | 1 | Puppetmaster the command to sign its certificate (thus creating a |
|
| 110 | 1 | trust relationship that client): |
|
| 111 | 1 | ||
| 112 | 1 | master% sudo puppetca --sign <client> |
|
| 113 | 1 | ||
| 114 | 1 | Within two minutes (the default value for --waitforcert), the |
|
| 115 | 1 | client should connect again and receive its signed certificate. |
|
| 116 | 1 | Once the signed cert is in place, the client should ask for its |
|
| 117 | 1 | configuration; the server will compile it (and log that it has done |
|
| 118 | 1 | so) and pass the compiled configuration to the client. |
|
| 119 | 1 | ||
| 120 | 1 | Then, if the sudoers file had incorrect permissions, we should see |
|
| 121 | 1 | one or more messages indicating the corrections; but if everything |
|
| 122 | 1 | about the sudoers file is already correct, you'll just see messages |
|
| 123 | 1 | about starting and ending the configuration run. |
|
| 124 | 1 | ||
| 125 | 1 | If you restart puppetd without the --verbose option, it will |
|
| 126 | 1 | background itself and run periodically thereafter, checking with |
|
| 127 | 1 | the Puppetmaster server to see if there the manifests have |
|
| 128 | 1 | changed. |
|
| 129 | 1 | ||
| 130 | 1 | ## Caveat |
|
| 131 | 1 | ||
| 132 | 1 | This is half of the infrastructure for a working Puppet |
|
| 133 | 1 | installation. The other half of a hygienic and efficient |
|
| 134 | 1 | installation revolves around version-controlling the Puppet |
|
| 135 | 1 | manifests and the files Puppet will be managing. It also provides a |
|
| 136 | 1 | minimalist structure around which to build other Puppet classes. |
|
| 137 | 1 | ||
| 138 | 1 | ## Where to next |
|
| 139 | 1 | ||
| 140 | 1 | Have a look at the [[Advanced Puppet Recipe]] to see how we can |
|
| 141 | 1 | build on this basic recipe. |