Installing puppet
apt-get -y install ntp
dpkg -i puppetlabs-release-pc1-xenial.deb
(the Puppet Collection 1 release package for Ubuntu xenial; it configures the apt repository)
gpg --keyserver pgp.mit.edu --recv-key 7F438280EF8D349F
(the Puppet, Inc. release signing key, so you can verify what you download)
apt-get update
Puppet agent
apt-get install puppet-agent
export PATH=$PATH:/opt/puppetlabs/bin
Edit /etc/puppetlabs/puppet/puppet.conf to add a [main] (or [agent]) section naming the server (see Puppet setup below). The [master] section belongs in the puppet server's puppet.conf, not the agent's.
puppet agent -t -d
Note this does apply the changes! Use --noop as well if you only want to see what would change.
Then you can start the puppet service.
Puppet server
apt-get install puppetserver
You will probably also want to install puppetdb as well (apt-get install puppetdb puppetdb-termini) and start the puppetdb service after configuring the PostgreSQL database.
To look at clients (pending and signed certificate requests):
puppet cert list --all
To validate a new client run puppet cert --sign client
Before signing, compare the fingerprint shown by puppet cert list with the one the client printed on its first puppet agent -t run. Signing grants that certname its catalog and any hiera data keyed on it, so a request from a host you were not expecting should be removed (puppet cert clean client) rather than signed.
On Puppet 6 and later the puppet cert subcommand has been removed; use puppetserver ca list --all and puppetserver ca sign --certname client instead.
Using puppet locally
You don’t need to use a puppet server
Installing modules
The module page will tell you how to do this e.g.
puppet module install module_name --version version
However, it's probably a better idea to use librarian-puppet and define the modules in the Puppetfile:
apt-get install ruby
gem install librarian-puppet
cd /etc/puppetlabs/code/environments/production
librarian-puppet init
Once you have edited your Puppetfile
librarian-puppet install
Running a manifest
Manual run
puppet apply --verbose --detailed-exitcodes /etc/puppetlabs/code/environments/production/manifests/manifest.pp
Managed run
Control of what is installed is via the file /etc/puppetlabs/code/environments/production/manifests/site.pp
Best practice is to use small modules to define your installation.
Example site.pp
node default {
  include serverdefault
}
node mynode {
}
You can then check it with puppet agent -t --noop, which reports what would change without applying it.
Note that --test (-t) on its own actually applies the changes.
Running over ssh
Not recommended!
For your ssh user create .ssh/config which contains the following:
Host *
    RemoteForward %h:8140 localhost:8140
You can then set up a tunnel via ssh -N client &
(assuming that you can ssh to the client as normal!)
On the client you then need to define the puppet server as localhost in /etc/hosts, then run puppet agent --test --server puppetserver as usual.
Keep --server set to the server's real name rather than localhost: the agent checks the server's certificate against the name it was told to connect to, so --server localhost fails TLS verification even though the tunnel delivers the connection to the right place.
Then you can run the agent as usual; don't forget to start the service.
Config
With the current version you should use an environment-specific hiera.yaml, e.g. /etc/puppetlabs/code/environments/production/hiera.yaml
The recommended approach is to use roles and profiles to define how each node should be configured (out of scope of this post) https://docs.puppet.com/pe/2016.5/r_n_p_full_example.html
Encrypted
See https://github.com/voxpupuli/hiera-eyaml but check your puppet version
gem install hiera-eyaml
(installs the eyaml command-line tool used to create keys and edit encrypted data)
puppetserver gem install hiera-eyaml
(installs the backend into puppetserver's own JRuby, which is what decrypts the data at catalog compile time)
See https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
Test using something like puppet apply -e '$var = lookup("config::testprop") notify { $var: }'
where config::testprop is defined in your secure.eyaml file (the key name passed to lookup must be quoted as a string).
Host specific config
The hieradata for this node is defined in the hierarchy as:
/etc/puppetlabs/code/environments/production/hieradata/nodes/nodename.yaml
Groups of nodes
You can use multiple node names or a regex in your site.pp (remember only one node definition will be matched)
Another alternative is to use facts, either existing or custom, to define locations in your hiera hierarchy
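As an added illustration (not code from this post or from Puppet itself), the following Python simulates the first-match walk Hiera makes over a hierarchy of the kind described above. The hierarchy, the node's facts and the data files are constructed in memory to stand in for hiera.yaml and the YAML files under the environment's data directory; the path names and keys (config::testprop, ntp::servers, ntp::package) are assumptions. The security point it makes explicit: a level keyed on %{trusted.certname} is selected by the name in the node's certificate, whereas %{facts.*} levels are selected by values the agent reports about itself, so per-node secrets belong under the trusted level. For simplicity the simulation skips a level whose fact is unset; check the Hiera documentation for the exact behaviour of your version.

```python
"""Simulate Hiera 5 first-match lookup over an interpolated hierarchy.

Added example, not code from the page or from Puppet. Data is constructed
in memory instead of being read from hiera.yaml and the data directory.
"""
import re

# Hierarchy as it would appear under 'hierarchy:' in an environment
# hiera.yaml, most specific level first. trusted.certname comes from the
# node's client certificate; facts.* are reported by the agent and so are
# only as trustworthy as the node itself.
HIERARCHY = [
    "nodes/%{trusted.certname}.yaml",
    "roles/%{facts.role}.yaml",
    "os/%{facts.os.family}.yaml",
    "common.yaml",
]

# Constructed data files: path -> contents that a YAML parser would return.
DATA = {
    "nodes/web1.mydomain.yaml": {"config::testprop": "node-override"},
    "roles/web.yaml": {"config::testprop": "web-role",
                       "ntp::servers": ["ntp1.mydomain"]},
    "os/Debian.yaml": {"ntp::package": "ntp"},
    "common.yaml": {"config::testprop": "default",
                    "ntp::servers": ["pool.ntp.org"],
                    "ntp::package": "ntpd"},
}

TOKEN_RE = re.compile(r"%\{([^}]+)\}")


def interpolate(template, scope):
    """Expand %{a.b.c} tokens from nested dicts; None if any token is unset.

    Returning None (rather than an empty path) is this simulation's way of
    skipping a level whose fact the node did not report.
    """
    missing = False

    def repl(match):
        nonlocal missing
        value = scope
        for part in match.group(1).split("."):
            if not isinstance(value, dict) or part not in value:
                missing = True
                return ""
            value = value[part]
        return str(value)

    result = TOKEN_RE.sub(repl, template)
    return None if missing else result


def resolution_order(scope, hierarchy=HIERARCHY):
    """Paths Hiera would check for this node, most specific first."""
    paths = (interpolate(t, scope) for t in hierarchy)
    return [p for p in paths if p is not None]


def lookup(key, scope, hierarchy=HIERARCHY, data=DATA):
    """First-match (priority) lookup: (value, path) from the first level
    that defines key, or (None, None) if no level does."""
    for path in resolution_order(scope, hierarchy):
        level = data.get(path)
        if level is not None and key in level:
            return level[key], path
    return None, None


if __name__ == "__main__":
    # A constructed web node: its certname selects the node level, its
    # reported facts select the role and OS levels.
    web1 = {"trusted": {"certname": "web1.mydomain"},
            "facts": {"role": "web", "os": {"family": "Debian"}}}
    print(resolution_order(web1))
    for key in ("config::testprop", "ntp::servers", "ntp::package"):
        print(key, "=>", lookup(key, web1))
```

A node that reported role=web in its facts would pick up everything in roles/web.yaml, which is why that file should only hold data you are content for any node to read; nodes/web1.mydomain.yaml is reachable only by the holder of that certificate.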
If node names, regexes and facts are too crude, you can use an ENC (external node classifier): a script the server runs with the node's certname as its only argument, which returns the node's classes and parameters as a YAML document on stdout.
A very skeletal Python ENC program is given below:
#!/usr/bin/env python
import sys
from yaml import dump

# Puppet passes the node's certname as the only argument.
n = sys.argv[1]

# Every node gets the same parameters in this skeleton; a real ENC would
# look the certname up somewhere and return classes as well.
node = {
    'parameters': {
        "config::myparam": 'myvalue'
    }
}
dump(node, sys.stdout, default_flow_style=False, explicit_start=True, indent=10)
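A fuller version of the same idea, written for this page rather than taken from the post: it validates the certname before using it, looks the node up in a constructed inventory (standing in for whatever database or CMDB you would really query), and emits classes, parameters and an environment. PyYAML is not required: scalars are written as JSON-style double-quoted strings, which YAML accepts, so a value containing ':' or '#' cannot alter the document's structure. The inventory contents and the role:: class names are assumptions. The certname reaches the ENC from the node's client certificate, so it is already under the CA's control; the check is cheap insurance against it ever being fed into a file path or query unvalidated, and an unknown node is reported as an error rather than silently given a default classification.

```python
#!/usr/bin/env python3
"""Minimal external node classifier (ENC) for Puppet.

Added example, not the post's own script. Puppet runs the ENC with the
node's certname as the single argument and expects a YAML document with
optional 'classes', 'parameters' and 'environment' keys on stdout.
"""
import json
import re
import sys

# Constructed inventory standing in for a database or CMDB lookup.
# Keys are certnames; the role decides which classes the node gets.
INVENTORY = {
    "web1.mydomain": {"role": "role::web", "environment": "production"},
    "db1.mydomain": {"role": "role::db", "environment": "production"},
}

# Certnames come from the agent's client certificate, but validate them
# anyway before using them in any lookup or path (assumed naming policy:
# lower-case host names only).
CERTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def classify(certname, inventory=INVENTORY):
    """Return the ENC node hash for certname, or None if it is unknown."""
    if not CERTNAME_RE.match(certname):
        raise ValueError("invalid certname: %r" % certname)
    entry = inventory.get(certname)
    if entry is None:
        return None
    return {
        "classes": [entry["role"]],
        "parameters": {
            "config::myparam": "myvalue",
            "config::role": entry["role"],
        },
        "environment": entry["environment"],
    }


def to_yaml(node):
    """Serialise the node hash as block-style YAML without PyYAML.

    json.dumps() produces a double-quoted scalar that YAML accepts, which
    keeps values with ':' or '#' from being misread as structure.
    """
    lines = ["---", "classes:"]
    for cls in node["classes"]:
        lines.append("  - %s" % json.dumps(cls))
    lines.append("parameters:")
    for key, value in sorted(node["parameters"].items()):
        lines.append("  %s: %s" % (json.dumps(key), json.dumps(value)))
    lines.append("environment: %s" % json.dumps(node["environment"]))
    return "\n".join(lines) + "\n"


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s <certname>\n" % argv[0])
        return 2
    node = classify(argv[1])
    if node is None:
        # Fail loudly: a host that is not in the inventory should not get
        # a catalog by default.
        sys.stderr.write("unknown node: %s\n" % argv[1])
        return 1
    sys.stdout.write(to_yaml(node))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point the server at it with node_terminus = exec and external_nodes = /path/to/this/script in the [master] section of the server's puppet.conf, and run it by hand with a certname first to confirm the YAML it emits is what you expect.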
Puppet setup
Add the following section to /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetmaster
certname = nodename.mydomain
environment = production
runinterval = 1h
Modules
Detailed module writing is out of scope of this post but a quick start is as follows:
puppet module generate wrighting-serverdefault
(the name is <forge username>-<module name>; this works on Puppet 4 and 5, while Puppet 6 removed puppet module generate in favour of pdk new module)
Then edit manifests/init.pp