Centralized System Administration: Puppet

Installation

  • Puppet v4.10.1

Client

  • The client must be able to ping the puppet server; failing that, add the entry to /etc/hosts.

Debian

  • Repository
apt-get install ca-certificates
wget https://apt.puppetlabs.com/puppetlabs-release-pc1-jessie.deb
dpkg -i puppetlabs-release-pc1-jessie.deb
apt-get update
  • amd64:
apt-get install puppet-agent
  • For an LXC container, since systemd does not work inside it
wget https://raw.githubusercontent.com/jbsky/jbsky/master/proxmox/init.d/puppet-agent
chmod +x puppet-agent
mv puppet-agent /etc/init.d/
insserv puppet-agent

CentOS

rpm -Uvh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum install puppet-agent

From Source

  • For arm, stretch…
apt-get install hiera facter
wget https://downloads.puppetlabs.com/puppet/puppet-4.10.0.tar.gz
tar xvf puppet-4.10.0.tar.gz
cd puppet-4.10.0
ruby ./install.rb

  • systemd
cat > /etc/systemd/system/puppet-agent.service << EOF
[Unit]
Description=Puppet Agent Daemon
After=networking.service

[Service]
Type=simple
ExecStart=/usr/bin/puppet agent --waitforcert=500 --config=/etc/puppetlabs/puppet/puppet.conf --debug

[Install]
WantedBy=multi-user.target
EOF

Config file

cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[main]
certname = `hostname -A | tr "[:upper:]" "[:lower:]"`
server = puppet
environment = production
runinterval = 1h
EOF

Cleanup

find /etc/puppetlabs/puppet/ssl -name "$(hostname -A | awk '{ print tolower($1) }').pem" -delete
puppet agent -t

  • on the server
puppet cert clean fqdn
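The client-side cleanup above uses the output of `hostname -A` as a `find -name` pattern, but `hostname -A` returns every FQDN of the host followed by a trailing space, and the agent's files are named `<certname>.pem`, so such a pattern usually matches nothing. The shell helpers below are an added example, not code from the page: they derive the certname the way the page's puppet.conf does (lower-cased, first name only) and remove only that host's own files, leaving the CA material in `ca/` and the agent's copy of the CA certificate untouched. The sample directory layout they build is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): locate and delete exactly one
# agent's SSL files so that the next 'puppet agent -t' creates a fresh key and CSR.

# Normalize a raw 'hostname -A' string into a Puppet certname: lower-case,
# first name only, no trailing whitespace.
certname_from_hostnames() {
    printf '%s' "$1" | awk '{ print tolower($1); exit }'
}

# List the files named <certname>.pem below an ssl dir (certs/, private_keys/,
# public_keys/, certificate_requests/), sorted for stable output.
agent_ssl_files() {
    find "$1" -type f -name "$2.pem" 2>/dev/null | sort
}

# Delete that host's own files only. The ca/ directory is excluded so a master
# running the same cleanup can never discard its CA key, and the certname 'ca'
# is refused because certs/ca.pem is the CA certificate copy every agent holds.
clean_agent_ssl() {
    case "$2" in
        '' | ca) echo "refusing to run with certname '$2'" >&2; return 1 ;;
    esac
    find "$1" -type f ! -path "$1/ca/*" -name "$2.pem" -print -delete
}

# Constructed sample ssl dir in the layout of /etc/puppetlabs/puppet/ssl
# (not a real capture). Prints the directory path.
make_sample_ssl_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/certs" "$d/private_keys" "$d/ca"
    : > "$d/certs/web1.domaine.local.pem"
    : > "$d/private_keys/web1.domaine.local.pem"
    : > "$d/certs/ca.pem"                     # CA certificate copy held by every agent
    : > "$d/ca/ca_key.pem"                    # only present on the master
    : > "$d/certs/other.domaine.local.pem"    # another host's file, must survive
    printf '%s\n' "$d"
}

# Usage on an agent:
#   clean_agent_ssl /etc/puppetlabs/puppet/ssl "$(certname_from_hostnames "$(hostname -A)")"
```

After the cleanup, `puppet agent -t` regenerates the key and submits a new CSR, which the server must sign again after `puppet cert clean`.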

Server

apt-get install puppetserver ruby-passenger
cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names = `hostname -A | tr "[:upper:]" "[:lower:]"`,`hostname | tr "[:upper:]" "[:lower:]"`

factpath=\$vardir/lib/facter
templatedir=\$confdir/templates
pluginsync = true

[main]
certname = `hostname -A`
server = `hostname -A`
environment = production
runinterval = 1h
EOF
  • set the amount of RAM in the file /etc/default/puppetserver
JAVA_ARGS="-Xms1g -Xmx1g -XX:MaxPermSize=256m"

Configuration

Enrolling clients

  • Run on the server
/opt/puppetlabs/bin/puppet cert list
/opt/puppetlabs/bin/puppet cert sign --all
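`puppet cert sign --all` signs every request in the queue, including one from any machine that can reach the server under the name `puppet`, so a practitioner reviews the list before signing. The helpers below are an added example, not code from the page: they parse the output of `puppet cert list` and print only the requests whose certname and SHA256 fingerprint both appear in an allowlist kept by the administrator. The fingerprint of an agent's own request can be read on the client with `puppet agent --fingerprint` and compared out of band. The allowlist format, its path and the sample listing are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original page): sign only the CSRs that were
# approved by name and fingerprint, instead of 'puppet cert sign --all'.

# Print "<certname> <fingerprint>" for each pending request in 'puppet cert
# list' output ($1). Signed entries start with '+', revoked ones with '-';
# pending ones start with the quoted certname.
pending_csrs() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^"/ {
            gsub(/"/, "", $1)     # strip the quotes around the certname
            print $1, $3          # $2 is the "(SHA256)" label
        }'
}

# Print the certnames whose "<certname> <fingerprint>" pair is an exact line
# of the allowlist ($2). A known host with an unexpected fingerprint is not
# printed: its key may have been replaced and must be checked by hand.
approved_csrs() {
    pending_csrs "$1" | while read -r name fp; do
        if printf '%s\n' "$2" | grep -qxF "$name $fp"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed listing in the shape of 'puppet cert list' output (not a capture).
SAMPLE_LIST='  "web1.domaine.local" (SHA256) 11:22:33:44
  "rogue.domaine.local" (SHA256) 55:66:77:88
+ "puppet.domaine.local" (SHA256) 99:AA:BB:CC
  "db1.domaine.local" (SHA256) DD:EE:FF:00'

# Constructed allowlist: db1 is expected but presents a different fingerprint.
SAMPLE_ALLOW='web1.domaine.local 11:22:33:44
db1.domaine.local 00:00:00:00'

# On the server (the allowlist path is a placeholder of this example):
#   approved_csrs "$(/opt/puppetlabs/bin/puppet cert list)" "$(cat /etc/puppetlabs/csr-allowlist)" |
#       while read -r n; do /opt/puppetlabs/bin/puppet cert sign "$n"; done
```

With the sample data only `web1.domaine.local` is printed: `rogue` is not on the allowlist, `db1` is on it but with another fingerprint, and `puppet` is already signed.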

Testing the agent

  • Run on the client:
/opt/puppetlabs/bin/puppet agent --test
  • List the configuration
puppet config print
facter --show-legacy

General operation

  • Everything happens on the server. The file where Puppet starts reading is:
/etc/puppetlabs/code/environments/production/manifests/site.pp
  • site.pp holds the list of nodes with the classes to apply to each.
  • In general, reuse the modules that already exist: "don't reinvent the wheel!"

Modules

To create a module, you need:

  • a directory named after the module, containing a manifests subdirectory
  • an init.pp file in the manifests directory.

Install these as a baseline:

puppet module install puppetlabs-stdlib
puppet module install puppetlabs-concat

example: defaults

  • Create the templates & manifests directories
mkdir -p /etc/puppetlabs/code/environments/production/modules/defaults/{templates,manifests}
  • The following file contains all the classes (each one is appended to it in the sections below)
cat > /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults {
    include ::defaults::motd
    include ::defaults::install
#    include ::defaults::purge
    include ::defaults::bashrc
    include ::defaults::liquidprompt
    include ::defaults::apt
}
EOF

install/purge packages

class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::install {
    # Pick the package list for this OS; an empty list on other systems keeps
    # the package resource valid instead of failing on an undefined variable.
    case \$::operatingsystem {
        'Debian' : {
            \$packages_list = [
                'snmpd',
                'nano',
                'lsof',
                'bash-completion',
                'git',
            ]
        }
        default : { \$packages_list = [] }
    }
    package {
        \$packages_list:
        ensure => 'installed';
    }
}

class defaults::purge {
    # Same pattern: packages to remove, per OS
    case \$::operatingsystem {
        'Debian' : {
            \$packages_list = [
                'rpcbind', # Proxmox requirement
            ]
        }
        default : { \$packages_list = [] }
    }
    package {
        \$packages_list:
        ensure => 'purged';
    }
}
EOF

update the message of the day

  • Install the package that renders the hostname in the motd. It is needed on the server, because generate() runs on the master during catalog compilation.
apt-get install figlet
template
cat > /etc/puppetlabs/code/environments/production/modules/defaults/templates/motd.erb << EOF
<%= @ascii %>
================================================================================
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. 
================================================================================
<%= @virtual %> : <%= @fqdn %>
<%= @operatingsystem %> <%= @operatingsystemrelease %> <%= @architecture %>
uptime : <%= @uptime %>
RAM  : <%= @memoryfree.to_i %>/<%= @memorysize.to_i %> 
swap : <%= @swapfree_mb.to_i %>/<%= @swapsize.to_i %>
EOF
class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::motd
{
    # generate() runs on the puppet master with the hostname fact reported by
    # the agent. Pass that value as its own argument instead of interpolating
    # it into an 'sh -c' string, so it can never be parsed as a shell command.
    \$ascii = generate('/usr/bin/figlet', '-c', '-w', '60', \$::hostname)
    file {
        '/etc/motd':
            ensure  => present,
            content => template("defaults/motd.erb"),
            mode    => "0644",
            owner   => root,
            group   => root;
    }
}
EOF
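generate() runs during catalog compilation, so the figlet command of the motd class executes on the puppet master with a value, the hostname fact, that the agent reports about itself. The shell helpers below are an added example, not the page's code; they show the two measures that keep such a value from being interpreted as part of a command: reject anything that is not made of hostname characters, and hand the value to figlet as a single argument rather than inside an 'sh -c' string. The figlet path and the 60-column width are taken from the page; the validation rules and the plain-text fallback used when figlet is absent are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): validate an agent-supplied
# hostname before a tool is run with it on the master, and never go through a shell.

# Return 0 when $1 is a plausible hostname (letters, digits, '.' and '-',
# no label starting or ending with '-', at most 253 characters), 1 otherwise.
# Anything a shell could interpret (space, ';', '$', quotes, ...) is rejected.
valid_hostname() {
    [ ${#1} -le 253 ] || return 1
    case "$1" in
        '' | *[!A-Za-z0-9.-]*) return 1 ;;  # empty or contains a forbidden character
        -* | *- | *.-* | *-.*) return 1 ;;  # a label boundary next to '-'
        *) return 0 ;;
    esac
}

# Render the banner the motd class wants. The hostname is one argv element,
# so figlet receives it verbatim and no shell ever parses it. Falls back to
# plain text on machines without figlet so the function runs anywhere.
render_banner() {
    valid_hostname "$1" || { echo "refusing to render an untrusted hostname" >&2; return 1; }
    if [ -x /usr/bin/figlet ]; then
        /usr/bin/figlet -c -w 60 "$1"
    else
        printf '== %s ==\n' "$1"
    fi
}
```

The same rule applies to any fact spliced into generate(), exec resources or templates on the master: facts are agent-controlled input and an agent that can set them can otherwise run commands with the puppetserver's privileges.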

install liquidprompt

template
wget https://raw.githubusercontent.com/nojhan/liquidprompt/master/liquidprompt
mv liquidprompt /etc/puppetlabs/code/environments/production/modules/defaults/templates/
class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::liquidprompt
{
    file {
        '/usr/local/sbin/liquidprompt':
            ensure => present,
            content => template("defaults/liquidprompt"),
            mode => "770",
            owner => root,
            group => root;
    }
}
EOF

update /root/.bashrc

template
cat > /etc/puppetlabs/code/environments/production/modules/defaults/templates/bashrc << EOF
PATH=\$PATH:/opt/puppetlabs/bin
if [ -f /etc/bashrc ]; then
   . /etc/bashrc
elif [ -f /etc/bash.bashrc ]; then
   . /etc/bash.bashrc
fi
# The following lines are only for interactive shells
[[ \$- == *i* ]] || return
# Use Bash completion, if installed
if [ -f /etc/bash_completion ]; then
   . /etc/bash_completion
fi
# Use Liquid Prompt
source /usr/local/sbin/liquidprompt
EOF
class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::bashrc
{
    file {
        '/root/.bashrc':
            ensure => present,
            content => template("defaults/bashrc"),
            mode => "644",
            owner => root,
            group => root;
    }
}
EOF

update the sources.list file

class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::apt
{
    # Check OS and request the appropriate function
    case \$::operatingsystem {
        'Debian' : {
            case \$::operatingsystemmajrelease {
                "7" : { \$lsbdistcodename="wheezy"}
                "8" : { \$lsbdistcodename="jessie"}
                "9" : { \$lsbdistcodename="stretch"}
                default:{   \$lsbdistcodename="stable"}
            }
             case \$::architecture {
                default:           { \$arch = 'defaults/sources.list' }
                }
            file {
                '/etc/apt/sources.list':
                    ensure => present,
                    content => template(\$arch),
                    mode => "644",
                    owner => root,
                    group => root;
            }   
        }
    }
}
EOF
template
cat > /etc/puppetlabs/code/environments/production/modules/defaults/templates/sources.list << EOF
deb http://ftp.fr.debian.org/debian <%= @lsbdistcodename %>  main contrib non-free
deb http://ftp.fr.debian.org/debian <%= @lsbdistcodename %>-updates main contrib non-free
deb http://security.debian.org <%= @lsbdistcodename %>/updates main contrib non-free
deb http://ftp.fr.debian.org/debian <%= @lsbdistcodename %>-backports main contrib non-free
EOF

ntp

puppet module install puppetlabs-ntp

dhcp

puppet module install theforeman-dhcp

site.pp

Any machine that does not match a node definition falls under default.

  • Example configuration with DHCP failover, NTP and the default tweaks.
node default {
    class  { '::ntp':
      servers => [ '${SVR_NTP_IP}' ],
      restrict  => [
        'default ignore',
        '-6 default ignore',
        '127.0.0.1',
        '-6 ::1',
        '${SVR_NTP_IP} nomodify notrap nopeer noquery',
       ],
    }
    include [
        '::ntp',
        '::defaults',
     ]
}

node '${SVR_NTP_FQDN}' {
    class { '::ntp':
        servers  => [ 'ntp.midway.ovh', 'ntp.unice.fr' ],
        restrict => [],
    }
    include [
        '::ntp',
        '::defaults',
        ]
}

node '${SRV_DHCP_FQDN}' {
    class { 'dhcp':
      dnsdomain    => [
        'domaine.local',
        '0.168.192.in-addr.arpa',
        ],
      nameservers  => ['192.168.0.1'],
      interfaces   => ['eth0'],
      ntpservers   => ['192.168.0.10','192.168.0.11'],
    }

    dhcp::pool{ 'dhcp.domaine.local':
      network => '192.168.0.0',
      mask    => '255.255.255.0',
      range   => ['192.168.0.200 192.168.0.220'],
      gateway => '192.168.0.254',
      failover=> 'dhcp-failover',
    }

    dhcp::host {
        'WIFI_PC': mac=>"00:7c:07:01:07:01",ip=>"192.168.0.100";
    }

    class { '::dhcp::failover':
        peer_address => '192.168.0.21',
        role                => 'primary',
        address             => '192.168.0.20',
        port                => '520',
        max_response_delay  => '60',
        max_unacked_updates => '10',
        mclt                => '300',
        load_split          => '128',
        load_balance        =>'3',
    };
    include [
        '::dhcp::failover',
        '::defaults',
        '::ntp',
    ] 
}