Puppet getting started - Heinlein Support


Post on 17-Jul-2018


<ul><li><p>Puppet getting started</p><p>Best practices on how to turn Your environment into a Puppet managed environment</p><p>Secure Linux Administration Conference 2013, Berlin, 2013-06-06</p><p>Bernd Strößenreuther, mailto:slac@stroessenreuther.info</p></li><li><p>License</p><p>You may use, change or redistribute this document under the creative commons license http://creativecommons.org/licenses/by-sa/3.0/</p></li><li><p>Agenda</p><p>1. Best Practices: Some things to consider when introducing puppet in Your environment</p><p>2. Your Questions</p></li><li><p>Stop thinking procedural!</p><p>Start thinking declarative!</p><p>Avoid exec wherever possible!!</p></li><li><p>Example Manifest: SSH</p><pre>class ssh {
  package { 'openssh-server':
    ensure =&gt; installed;
  }
  file { '/etc/ssh/sshd_config':
    owner   =&gt; 'root',
    group   =&gt; 'root',
    mode    =&gt; '0644',
    source  =&gt; 'puppet:///ssh/sshd_config',
    require =&gt; Package['openssh-server'],
    notify  =&gt; Service['ssh'];
  }
  service { 'ssh':
    ensure  =&gt; running,
    enable  =&gt; true,
    require =&gt; File['/etc/ssh/sshd_config'];
  }
}</pre></li><li><p>Module inheritance: site.pp</p><pre>node default {
  fail "${fqdn} has no puppet modules assigned to, no node definition matching"
}

node basenode {
  include 'ssh'
  include 'adminusers'
}

node /webserver[0-9].example.com/ inherits basenode {
  include 'httpd'
}

# including definitions from file another_config.pp
import 'another_config'</pre></li><li><p>Puppet Infrastructure</p><p>[Diagram: Puppet Master, Puppet Agents, pull]</p><p>Images from OpenClipart.org, released to the public domain. Thanks to the contributors!</p></li><li><p>Which version of Puppet to use?</p><p>At least 2.7.x</p><p>If Your distribution provides only older versions, You can use the Puppet Labs Repos at http://apt.puppetlabs.com/ or http://yum.puppetlabs.com/</p><p>Use version pinning, if required, see http://docs.puppetlabs.com/guides/upgrading.html</p></li><li><p>Configuration Management ≠ Software Distribution</p><p>Do not transport software products over Puppet mechanisms onto the agents</p><p>Instead: Put software into rpm or deb packages; Put packages into a repository; Use Puppet's package resource to install</p><p>If You do not yet have a local repository, You might want to have a look at mrepo http://dag.wieers.com/home-made/mrepo/ (supports yum and apt)</p></li><li><p>How to start my Puppet rollout?</p><p>With nothing!</p><p>You can bring the Puppet Agent onto a node, connect it to Puppet Master, have it running and have it configure nothing. (Not even a single file or service!)</p><p>You can put more and more resources (files, services, users, ...) under control of Puppet afterwards and step by step</p></li><li><p>Which configuration files and services should I put under control of Puppet first?</p><p>Configure one non-critical service on few machines first.</p><p>Do the quick wins next</p><p>Eye-catching headers in every Puppet managed config file are helpful</p></li><li><p>Should I use a Version Control System?</p><p>If You already have one for Your config files, You do not want to miss it!</p><p>If You do not have one, introducing it together with Puppet is the ideal time.</p><p>Keep site.pp and all Your Puppet modules there</p><p>Use meaningful commit messages: Use not too many words on what You did change; Tell why You did change it; One line of text is often enough</p></li><li><p>Connecting the Version Control System to the Puppet Master</p><p>Changes in the version control system should be automatically available on the Puppet master</p><p>Use hook scripts: post-commit hook e.g. in Subversion; post-update hook e.g. in Git</p></li><li><p>Staging of Puppet Modules</p><p>Only tested and approved versions of modules should be applied to productive machines</p><p>Productive version and development version of one module should live in the version control system</p><p>Distinguish by different branches (or by tags)</p><p>Puppet provides environments for different types of agents</p><p>Hook script needs to check out the right branch (or tag) into the according Puppet environment</p></li><li><p>Puppet Environments: Config on the master</p><p>extract of /etc/puppet/puppet.conf:</p><pre>[main]
# ....
[test]
manifest   = /etc/puppet/test/manifests/site.pp
modulepath = /etc/puppet/test/modules
[production]
manifest   = /etc/puppet/production/manifests/site.pp
modulepath = /etc/puppet/production/modules</pre></li><li><p>Puppet Environments: Config on the agent</p><p>extract of /etc/puppet/puppet.conf:</p><pre>[main]
# ....
pluginsync = true
report     = true
[agent]
environment = test</pre></li><li><p>Example workflow with branches (1/2)</p><p>You have 2 long living branches: master for Your test machines; production for Your productive machines</p></li><li><p>Example workflow with branches (2/2)</p><p>1. You want to change a Puppet module</p><p>2. Create a new development branch feature01 based on master</p><p>3. Do Your changes in feature01, merge them back to master</p><p>4. Rollout by Puppet onto Your test machines: Approve Your changes there</p><p>5. If enhancements or bugfixes required: go to 3.</p><p>6. If ok: merge branch feature01 onto production</p><p>7. puppet agent --test --noop</p><p>8. Rollout by Puppet onto Your productive machines</p><p>9. Delete feature01 branch</p></li><li><p>pre-commit Hook / pre-receive Hook</p><p>Do syntax checks as early as possible. On commit: puppet parser validate; puppet-lint; cat | erb -P -x -T - | ruby -c</p><p>Save time!</p><p>Never get checked-in files that do not even compile or violate agreed coding style</p><p>Samples: http://projects.puppetlabs.com/projects/1/wiki/Subversion_Commit_Hooks_Patterns and https://puppetlabs.com/blog/using-puppet-lint-to-save-yourself-from-style-faux-pas/</p></li><li><p>Puppet's Module Path</p><p>By default each Puppet environment has exactly one module path</p><p>For most setups too flat and confusing</p><p>Use at least two: One for third party modules (e.g. Puppet Forge); One for Your own modules</p></li><li><p>Multiple Module Path Entries</p><p>extract of /etc/puppet/puppet.conf on Puppet master:</p><pre>[main]
# ....

[test]
manifest   = /etc/puppet/test/manifests/site.pp
modulepath = /etc/puppet/test/modules/site:/etc/puppet/test/modules/thirdparty

[production]
manifest   = /etc/puppet/production/manifests/site.pp
modulepath = /etc/puppet/production/modules/site:/etc/puppet/production/modules/thirdparty</pre></li><li><p>Where to assign Puppet modules to nodes (1/3)</p><p>Manually in site.pp</p><pre>node basenode {
  include 'ssh'
  include 'adminusers'
}

node webservers inherits basenode {
  include 'httpd'
}

node 'webserver1.example.com' inherits webservers {}
node 'webserver2.example.com' inherits webservers {}</pre></li><li><p>Where to assign Puppet modules to nodes (2/3)</p><p>By convention: Strict naming convention for hostnames required; Regular expressions are allowed in site.pp</p><pre>node basenode {
  include 'ssh'
  include 'adminusers'
}

node /webserver[0-9].example.com/ inherits basenode {
  include 'httpd'
}</pre></li><li><p>Where to assign Puppet modules to nodes (3/3)</p><p>In Your CMDB by using External Node Classifiers (ENC): http://docs.puppetlabs.com/guides/external_nodes.html</p></li><li><p>Puppet Agents in the DMZ (1/6)</p><p>How do I get the servers in my DMZ connected to Puppet if the security policy of my company does not allow connections from outside (DMZ) to inside (to my Puppet master)?</p><p>You can use a Remote SSH Tunnel for this</p><p>Create a user for this task on Your Puppet master and all of Your DMZ agents</p><p>Enable key authentication for SSH from master to</p><pre>[puppetuser@master ~]$ ssh-keygen
[puppetuser@master ~]$ ssh-copy-id</pre></li><li><p>Puppet Agents in the DMZ (2/6)</p><p>Configure reverse SSH tunnels for all connections to DMZ agents</p><pre>[puppetuser@master ~]$ cat ~/.ssh/config
Host *
  RemoteForward 8140 127.0.0.1:8140
  StrictHostKeyChecking no
  BatchMode yes</pre><p>Caveat: with StrictHostKeyChecking no the master accepts whatever host key a DMZ agent presents on first contact, so the forwarded port 8140 would also be handed to a machine that merely answers under an agent's address; distributing the agents' host keys into ~/.ssh/known_hosts (e.g. as a Puppet managed file) lets You keep the default yes without giving up BatchMode.</p><p>Tell Puppet on DMZ agents to use Puppet master at localhost</p><pre>[puppetuser@dmzagent ~]$ cat /etc/puppet/puppet.conf
# ...
[agent]
server = localhost
# ...</pre></li><li><p>Puppet Agents in the DMZ (3/6)</p><p>Allow puppetuser on DMZ agents to run Puppet as root by sudo</p><pre>[puppetuser@master ~]$ cat /etc/sudoers
# ...
Defaults:puppetuser !requiretty
puppetuser ALL=(root) NOPASSWD: /usr/bin/puppet</pre><p>Add a forced command to the SSH key that You just created (You may also restrict IPs to Your Puppet masters)</p><pre>[puppetuser@dmzagent ~]$ cat ~/.ssh/authorized_keys
from="10.0.0.10,10.0.0.11",command="/usr/bin/sudo -H /usr/bin/puppet agent --test",no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC12[...]tooxPKT/BSGNw== puppetpushaccount</pre></li><li><p>Puppet Agents in the DMZ (4/6)</p><p>Use a variable puppetmaster in all Your file resources, filled in site.pp:</p><pre>node basenode {
  $puppetmaster = $network_zone_int_ext ? {
    'ext'   =&gt; 'localhost',
    default =&gt; $servername
  }
}</pre><p>Used in every file resource in all Your modules:</p><pre>file { '/etc/foo':
  source =&gt; "puppet://$::puppetmaster/modules/mymod/foo",
  owner  =&gt; 'root',
}</pre></li><li><p>Puppet Agents in the DMZ (5/6)</p><p>Where network_zone_int_ext can be a custom fact defined in mymod/lib/facter/network_zone_int_ext.rb</p><pre>require 'facter'
Facter.add("network_zone_int_ext") do
  setcode do
    network_zone_int_ext = "int"
    # to_s: a host without a primary address yields "int" instead of raising
    if Facter.value(:ipaddress).to_s.match(/^(10\.1\.|10\.2\.)/)
      network_zone_int_ext = "ext"
    else
      network_zone_int_ext = "int"
    end
  end
end</pre></li><li><p>Puppet Agents in the DMZ (6/6)</p><p>Set up a cron job for puppetuser on Puppet master, that regularly calls a ssh to every DMZ agent</p><p>The list of all DMZ agents can automatically be filled by an exported resource</p></li><li><p>Puppet Forge</p><p>A public repository for Puppet Modules: https://forge.puppetlabs.com/</p><p>Quality of modules differs very much</p></li><li><p>Any more questions?</p><p>Now is a good time to ask</p><p>Grab me on the conference</p><p>I'll be around here today and tomorrow</p><p>Hear Martin Alfke's talk "Puppet Advanced" tomorrow</p></li><li><p>Appendix</p></li><li><p>hiera</p><p>A hierarchical store for name=value pairs</p><p>The hierarchy can be configured according to Your needs</p><p>The most specific entry is taken</p><p>Can easily be queried by puppet: Put variables here</p><p>Ideal if You have many common servers and few exceptions</p></li><li><p>Facts</p><p>Puppet queries many details of the system it configures, facter puts these into single variables</p><p>They can be used in templates and manifests</p><pre>[booboo@dunno ~]$ facter
architecture =&gt; i386
domain =&gt; example.com
fqdn =&gt; dunno.example.com
hardwareisa =&gt; i686
hostname =&gt; dunno
interfaces =&gt; eth0,lo,peth0,sit0,veth1,vif0_0,vif0_1
ipaddress =&gt; 10.0.0.182
ipaddress_eth0 =&gt; 10.0.0.182
ipaddress_lo =&gt; 127.0.0.1
is_virtual =&gt; false
...</pre></li><li><p>Facter example</p><p>Your hosts have a productive network interface and one for management</p><p>You want Your apache to listen only on the productive interface</p><p>Unable to use:</p><pre>Listen 80</pre><p>Use instead:</p><pre>Listen :80</pre></li><li><p>Custom Facts</p><p>E.g. stage or datacenter</p><p>Write a little bit of ruby code</p><p>Put it into /lib/facter/.rb</p><p>Set in /etc/puppet/puppet.conf at the agent:</p><pre>[main]
# ....
pluginsync = true</pre></li><li><p>Exported Resources</p><p>Whenever You add a new host under control of Puppet You might want to add basic monitorings (disk space, CPU usage, ...) to Your monitoring system (running on another node)</p><p>Whenever You add Your Puppet module apache to a host You need to configure a regular check of HTTP on this host in Your monitoring system</p><p>Let Puppet do this for You automatically!</p><p>Sounds useful? Use Exported Resources to configure this.</p></li><li><p>Exported Resources Example (monitored machine)</p><pre>class apache {
  service { 'httpd':
    ensure    =&gt; running,
    enable    =&gt; true,
    hasstatus =&gt; true;
  }
  @@nagios_service { "check_http_${hostname}":
    check_command       =&gt; 'check_http_port_path!80!/',
    use                 =&gt; 'generic-service',
    host_name           =&gt; $hostname,
    notification_period =&gt; '24x7',
    service_description =&gt; 'HTTP GET /',
    target              =&gt; '/etc/icinga/objects.puppet.autogen/services.http.cfg';
  }
}</pre></li><li><p>Exported Resources Example (monitoring machine)</p><pre>class icingaserver {
  file { '/etc/icinga/objects.puppet.autogen/services.http.cfg':
    owner =&gt; 'root',
    group =&gt; 'root',
    mode  =&gt; '0644';
  }

  # collect resources
  # and populate
  # /etc/icinga/objects.puppet.autogen/*.cfg
  Nagios_service &lt;&lt;| |&gt;&gt;
}</pre></li><li><p>Exported Resources Example: Result</p><pre>[booboo@icingaserver ~]$ cat services.http.cfg
# HEADER: This file was autogenerated at
# HEADER: Fri Dec 14 13:53:26 +0100 2012
# HEADER: by puppet.  While it can still be managed
# HEADER: manually, it is definitely not recommended.

define service {
        # --PUPPET_NAME-- (called '_naginator_name' in
        # the manifest) check_http_dunno1
        use                 generic-service
        service_description HTTP GET /
        check_command       check_http_port_path!80!/
        host_name           dunno1
        notification_period 24x7
}</pre></li><li><p>Version Control: Example workflow with tags (1/2)</p><p>Often used with Subversion</p><p>Basic setup: Most of the time You have no branch besides trunk; Set up an own project for each Puppet module plus one for main manifests (plus one for hiera data); Write a post-commit hook script that checks out trunk into Puppet's environment test and the latest tag of each project into production environment; Use defined names for Your tags, e.g. YYYYMMDD_hhmm</p></li><li><p>Version Control: Example workflow with tags (2/2)</p><p>1. You want to change a Puppet module</p><p>2. Commit Your changes (into trunk)</p><p>3. Rollout by Puppet onto Your test machines: Approve Your changes there</p><p>4. If enhancements or bugfixes required: go to 2.</p><p>5. If ok: check for other changes on this module not yet tagged (svn diff)</p><p>6. tag last version of the changed Puppet module (Subversion project)</p><p>7. puppetd --test --noop</p><p>8. Rollout by Puppet onto Your productive machines</p></li></ul>
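<p>The post-update hook that the slides "Connecting the Version Control System to the Puppet Master" and "Staging of Puppet Modules" call for, written out as an added example in POSIX shell; it is not the author's script. It assumes a bare git repository on the Puppet master with the two long-living branches of the branch workflow, master and production, and the environment directories /etc/puppet/test and /etc/puppet/production from the puppet.conf extract. The PUPPET_ENV_ROOT override and the .new/.old directory swap are this example's own choices.</p>

```shell
#!/bin/sh
# Added example (not from the slides): git post-update hook on the Puppet
# master that exports the pushed branch into the matching Puppet environment.
# Assumed layout: bare repo under $GIT_DIR, environments below
# /etc/puppet (override with PUPPET_ENV_ROOT, an assumed variable).
set -eu

ENV_ROOT="${PUPPET_ENV_ROOT:-/etc/puppet}"
REPO="${GIT_DIR:-.}"

# Map a pushed ref to a Puppet environment name.
# master -> test, production -> production, anything else -> "" (ignored):
# feature branches and tags never reach an environment on their own,
# only a merge into master or production does.
environment_for_ref() {
  case "$1" in
    refs/heads/master)     echo test ;;
    refs/heads/production) echo production ;;
    *)                     echo "" ;;
  esac
}

# Export one branch into <ENV_ROOT>/<environment>. The tree is unpacked
# into a fresh .new directory and swapped in with a single rename, so an
# agent run that starts meanwhile sees either the old or the new tree,
# never a half-written one, and files deleted on the branch disappear too.
checkout_branch_into() {
  branch="$1"; target="$2"
  rm -rf "$target.new"
  mkdir -p "$target.new"
  git --git-dir="$REPO" archive --format=tar "$branch" | tar -xf - -C "$target.new"
  rm -rf "$target.old"
  [ ! -d "$target" ] || mv "$target" "$target.old"
  mv "$target.new" "$target"
}

# Handle every ref that git passes to post-update as an argument.
deploy_refs() {
  for ref in "$@"; do
    environment=$(environment_for_ref "$ref")
    [ -n "$environment" ] || { echo "ignoring $ref" >&2; continue; }
    checkout_branch_into "${ref#refs/heads/}" "$ENV_ROOT/$environment"
    echo "deployed $ref into $ENV_ROOT/$environment"
  done
}

# Act only when installed and invoked by git as hooks/post-update;
# sourcing the file elsewhere (e.g. for testing) deploys nothing.
case "${0##*/}" in
  post-update) deploy_refs "$@" ;;
esac
```

<p>Install it as hooks/post-update in the bare repository (executable, owned by the user that may write to /etc/puppet). Because only master and production are mapped, pushing feature01 changes nothing on the master; step 3 of the branch workflow (merge into master) is what fills the test environment, and step 6 the production environment.</p>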
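<p>A git pre-commit hook implementing the checks from the "pre-commit Hook / pre-receive Hook" slide, added here as an example; it is not code from the slides or from Puppet Labs. It assumes puppet, puppet-lint, erb and ruby are on the PATH of the committing user; --fail-on-warnings is a puppet-lint option, and checking a copy of the staged blobs in a temporary directory (rather than the working copy) is this example's own approach.</p>

```shell
#!/bin/sh
# Added example (not from the slides): git pre-commit hook that runs
# puppet parser validate, puppet-lint and erb -P -x -T - | ruby -c on
# every staged file, so nothing that fails to parse or violates the
# agreed style gets checked in. Assumes the tools are on PATH.
set -eu

# Files worth checking: manifests, ERB templates and Ruby code
# (custom facts, functions, types). Returns 0 when the file needs a check.
needs_check() {
  case "$1" in
    *.pp|*.erb|*.rb) return 0 ;;
    *)               return 1 ;;
  esac
}

# Run the check that fits one file on disk; non-zero status means "reject".
# A template is turned into Ruby with erb -x (-P leaves lines starting with
# % alone, -T - uses the "-" trim mode) and that Ruby is syntax-checked.
check_file() {
  case "$1" in
    *.pp)  puppet parser validate "$1" && puppet-lint --fail-on-warnings "$1" ;;
    *.erb) erb -P -x -T - "$1" > "$1.rb" && ruby -c "$1.rb" >/dev/null ;;
    *.rb)  ruby -c "$1" >/dev/null ;;
    *)     return 0 ;;
  esac
}

# Check the staged version of every added, copied or modified file. The blob
# is copied from the index (git show :path) into a temporary directory under
# its original name, so the check sees exactly what will be committed and the
# extension-based dispatch above still works. Paths are assumed to contain
# no whitespace, which holds for Puppet module layouts.
check_staged() {
  tmp=$(mktemp -d)
  rc=0
  for path in $(git diff --cached --name-only --diff-filter=ACM); do
    needs_check "$path" || continue
    mkdir -p "$tmp/$(dirname "$path")"
    git show ":$path" > "$tmp/$path"
    if ! check_file "$tmp/$path"; then
      echo "pre-commit: $path failed validation" >&2
      rc=1
    fi
  done
  rm -rf "$tmp"
  return $rc
}

# Act only when git invokes this file as hooks/pre-commit.
case "${0##*/}" in
  pre-commit) check_staged ;;
esac
```

<p>The same functions serve a server-side pre-receive hook: iterate over the pushed commits instead of the index and feed check_file from git show &lt;commit&gt;:&lt;path&gt;. Keep the client-side copy anyway; it fails seconds after the edit rather than at push time, which is the "Save time!" point of the slide.</p>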
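<p>An External Node Classifier as mentioned on "Where to assign Puppet modules to nodes (3/3)", added as an example; it is neither the author's nor Puppet Labs' code. It reproduces the node definitions of the earlier site.pp slides as a script the master calls: webserver[0-9].example.com gets httpd on top of the basenode classes, and an unknown host is rejected just like node default { fail ... }. Assumptions: the master is configured with node_terminus = exec and external_nodes pointing at this script (assumed path /etc/puppet/enc.sh); the rule that every other *.example.com host gets only the basenode classes and the role parameter are this example's additions and are not on the slides.</p>

```shell
#!/bin/sh
# Added example (not from the slides): a minimal ENC. Puppet calls it with
# the node name as the only argument and expects a YAML document with a
# "classes" list and a "parameters" hash on stdout; a non-zero exit makes
# the master refuse to compile a catalog for that node.
# Assumed master config:   [master]
#                          node_terminus  = exec
#                          external_nodes = /etc/puppet/enc.sh   (assumed path)
# A real ENC would look the node up in the CMDB; this one uses the hostname
# convention of the slides, webserver[0-9].example.com.
set -eu

# Classes for a node as a space separated list. The last branch mirrors
# "node default { fail ... }": an unknown machine gets no catalog at all,
# rather than silently an empty one.
classes_for() {
  case "$1" in
    webserver[0-9].example.com) echo "ssh adminusers httpd" ;;   # like node /webserver[0-9].example.com/
    *.example.com)              echo "ssh adminusers" ;;         # basenode only (example's own rule)
    *)                          return 1 ;;
  esac
}

# Role parameter derived from the same convention (example's own addition).
role_for() {
  case "$1" in
    webserver[0-9].example.com) echo webserver ;;
    *)                          echo base ;;
  esac
}

# Emit the YAML document Puppet expects from an ENC.
classify() {
  node="$1"
  classes=$(classes_for "$node") || return 1
  echo "---"
  echo "classes:"
  for c in $classes; do
    echo "  - $c"
  done
  echo "parameters:"
  echo "  role: $(role_for "$node")"
}

# Act only when installed and invoked as enc.sh with a node name.
case "${0##*/}" in
  enc.sh) classify "${1:?node name required}" ;;
esac
```

<p>The output may also carry an environment key, which lets the CMDB decide whether a node follows the test or the production environment instead of the agent's own puppet.conf. Whatever the classifier answers is trusted by the master, so the script and the data it reads belong under the same version control and review as site.pp.</p>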