Installation
- Puppet v4.10.1
Client
- The client must be able to ping the Puppet server; failing that, add an entry for it in /etc/hosts.
Debian
- Repository
apt-get install ca-certificates wget
wget https://apt.puppetlabs.com/puppetlabs-release-pc1-jessie.deb
dpkg -i puppetlabs-release-pc1-jessie.deb
apt-get update
- amd64:
apt-get install puppet-agent
- For an LXC container, since systemd does not run there, install a SysV init script instead
wget https://raw.githubusercontent.com/jbsky/jbsky/master/proxmox/init.d/puppet-agent
chmod +x puppet-agent
mv puppet-agent /etc/init.d/
insserv puppet-agent
CentOS
rpm -Uvh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum install puppet-agent
From Source
- For arm, stretch…
apt-get install hiera facter
wget https://downloads.puppetlabs.com/puppet/puppet-4.10.0.tar.gz
tar xvf puppet-4.10.0.tar.gz
cd puppet-4.10.0
ruby ./install.rb
- systemd (the unit file needs the .service suffix, otherwise systemd does not find it)
cat > /etc/systemd/system/puppet-agent.service << EOF
[Unit]
Description=Puppet Agent Daemon
After=networking.service

[Service]
Type=simple
ExecStart=/usr/bin/puppet agent --waitforcert=500 --config=/etc/puppetlabs/puppet/puppet.conf --debug

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable puppet-agent
Configuration file
cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[main]
certname = `hostname -A | tr "[:upper:]" "[:lower:]"`
server = puppet
environment = production
runinterval = 1h
EOF
Cleanup
- on the client: remove the old certificate material and request a new certificate
find /etc/puppetlabs/puppet/ssl -name `hostname -A` -delete
puppet agent -t
- on the server
puppet cert clean <fqdn>
Server
apt-get install puppetserver ruby-passenger
cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names = `hostname -A | tr "[:upper:]" "[:lower:]"`,`hostname | tr "[:upper:]" "[:lower:]"`
factpath=\$vardir/lib/facter
templatedir=\$confdir/templates
pluginsync = true

[main]
certname = `hostname -A`
server = `hostname -A`
environment = production
runinterval = 1h
EOF
- set the amount of RAM in /etc/default/puppetserver
JAVA_ARGS="-Xms1g -Xmx1g -XX:MaxPermSize=256m"
Configuration
Enrolling clients
- Run on the server. `cert list` shows the pending requests; `sign --all` signs every one of them, so read the list before signing:
/opt/puppetlabs/bin/puppet cert list
/opt/puppetlabs/bin/puppet cert sign --all
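Signing every pending request with `sign --all` also accepts a request from any host that can reach the server and present a certname. As an added example (not from the original page and not part of Puppet itself), the script below reads the output of `puppet cert list`, keeps only pending requests whose certname ends in an allowed domain, and signs those one by one. The allowed domain domaine.local (borrowed from the site.pp example further down), the `PUPPET_SIGN_RUN` switch and the Puppet 4 `cert list` output format (`"name" (SHA256) fingerprint`, signed entries prefixed with `+`, revoked with `-`) are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original page: sign only the pending CSRs whose
# certname sits under an allowed domain instead of running `puppet cert sign --all`.
# Assumed output format of `puppet cert list` (Puppet 4):
#     "agent.domaine.local" (SHA256) AB:CD:...     (pending)
#   + "other.domaine.local" (SHA256) 11:22:...     (already signed)
#   - "old.domaine.local"   (SHA256) 33:44:...     (revoked)
ALLOWED_DOMAIN="${ALLOWED_DOMAIN:-domaine.local}"   # assumption: the page's example domain

# pending_certnames: read `puppet cert list` output on stdin and print one pending
# certname per line. Signed (+) and revoked (-) entries do not start with a quote
# after optional spaces, so they are dropped by the pattern.
pending_certnames() {
    sed -n 's/^ *"\([^"]*\)" *(SHA256).*/\1/p'
}

# allowed_certnames DOMAIN: read certnames on stdin, print those ending in .DOMAIN,
# report the others on stderr so a request from outside the domain is noticed.
allowed_certnames() {
    domain="$1"
    while IFS= read -r name; do
        case "$name" in
            *."$domain") printf '%s\n' "$name" ;;
            *) printf 'skipping %s: not under %s\n' "$name" "$domain" >&2 ;;
        esac
    done
}

# Real run only when PUPPET_SIGN_RUN=1 is set, so sourcing the file is harmless.
if [ "${PUPPET_SIGN_RUN:-0}" = 1 ]; then
    /opt/puppetlabs/bin/puppet cert list \
      | pending_certnames \
      | allowed_certnames "$ALLOWED_DOMAIN" \
      | while IFS= read -r name; do
            /opt/puppetlabs/bin/puppet cert sign "$name"
        done
fi
```

Run it on the server as `PUPPET_SIGN_RUN=1 ALLOWED_DOMAIN=domaine.local sh sign-pending.sh`; anything skipped is printed on stderr and stays pending until someone looks at it.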
Testing the agent
- Run on the client:
/opt/puppetlabs/bin/puppet agent --test
- Show the configuration and the facts
puppet config print
facter --show-legacy
General operation
- Everything happens on the server. The file Puppet starts reading from is:
/etc/puppetlabs/code/environments/production/manifests/site.pp
- site.pp lists the nodes and the classes to apply to each of them.
- As a rule, reuse existing modules: "don't reinvent the wheel!".
Modules
To create a module you need:
- a directory named after the module, with a manifests subdirectory
- an init.pp file in the manifests directory.
To install as a baseline:
puppet module install puppetlabs-stdlib
puppet module install puppetlabs-concat
Example: defaults
- Create the templates and manifests directories
mkdir -p /etc/puppetlabs/code/environments/production/modules/defaults/{templates,manifests}
- The following file contains all the classes
cat > /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults {
  include ::defaults::motd
  include ::defaults::install
  # include ::defaults::purge
  include ::defaults::bashrc
  include ::defaults::liquidprompt
  include ::defaults::apt
}
EOF
Install / purge packages
class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::install {
  # Check the OS and pick the matching package list
  case \$::operatingsystem {
    'Debian': {
      \$packages_list = [
        'snmpd',
        'nano',
        'lsof',
        'bash-completion',
        'git',
      ]
    }
  }
  package { \$packages_list:
    ensure => 'installed';
  }
}

class defaults::purge {
  # Check the OS and pick the matching package list
  case \$::operatingsystem {
    'Debian': {
      \$packages_list = [
        'rpcbind', # Proxmox require
      ]
    }
  }
  package { \$packages_list:
    ensure => 'purged';
  }
}
EOF
Update the login message (motd)
- Install the package that renders the host name as a banner in the motd. generate() runs on the server at catalog compile time, so figlet is needed there.
apt-get install figlet
template
cat > /etc/puppetlabs/code/environments/production/modules/defaults/templates/motd.erb << EOF
<%= @ascii %>
================================================================================
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
================================================================================
<%= @virtual %> : <%= @fqdn %>
<%= @operatingsystem %> <%= @operatingsystemrelease %> <%= @architecture %>
uptime : <%= @uptime %>
RAM : <%= @memoryfree_mb.to_i %>/<%= @memorysize_mb.to_i %>
swap : <%= @swapfree_mb.to_i %>/<%= @swapsize_mb.to_i %>
EOF
class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::motd {
  # generate() runs on the puppetserver at compile time, so figlet must be installed there.
  # NB: \$hostname is a fact reported by the agent; passing it through "sh -c" means a node
  # that reports a crafted hostname fact gets shell on the server. Calling figlet directly,
  # generate('/usr/bin/figlet', '-c', '-w', '60', \$hostname), avoids the shell entirely.
  \$ascii = generate('/bin/sh', '-c', "/usr/bin/figlet -c -w 60 \${hostname}")
  file { '/etc/motd':
    ensure  => present,
    content => template("defaults/motd.erb"),
    mode    => "644",
    owner   => root,
    group   => root;
  }
}
EOF
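A template that references a name facter does not publish renders an empty field, with no error from the agent or the server. As an added example (not from the original page), the shell functions below extract every @name an ERB template references and compare them with the fact names in a saved `facter --show-legacy` listing. The template and the facter listing built in demo() are constructed stand-ins; @full is used there as a name that facter does not provide, and names the class itself sets, such as $ascii in the motd class above, legitimately show up in the report.

```shell
#!/bin/sh
# Added example, not from the original page: find @names used by an ERB template
# that are not present in a `facter --show-legacy` listing.
# Assumed: facter's default text output, one top-level fact per line as "name => value"
# (nested keys of structured facts are indented and therefore ignored).

# template_facts FILE: print each distinct @name referenced by FILE, sorted
template_facts() {
    tr -c 'a-zA-Z0-9_@' '\n' < "$1" | sed -n 's/^@\([a-z0-9_][a-z0-9_]*\)$/\1/p' | sort -u
}

# facter_names: read facter text output on stdin, print the top-level fact names, sorted
facter_names() {
    sed -n 's/^\([a-z0-9_][a-z0-9_]*\) => .*/\1/p' | sort -u
}

# missing_facts TEMPLATE FACTS_FILE: names TEMPLATE references that FACTS_FILE lacks
missing_facts() {
    facts=$(facter_names < "$2")
    for name in $(template_facts "$1"); do
        printf '%s\n' "$facts" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# demo: run the check on a constructed template and a constructed facter listing
# (stand-ins for the real motd.erb and a real `facter --show-legacy` run)
demo() {
    tpl=$(mktemp)
    facts=$(mktemp)
    printf '%s\n' \
        '<%= @ascii %>' \
        '<%= @fqdn %> <%= @operatingsystem %> <%= @full %> <%= @architecture %>' \
        'RAM : <%= @memoryfree_mb.to_i %>/<%= @memorysize_mb.to_i %>' > "$tpl"
    printf '%s\n' \
        'architecture => amd64' \
        'fqdn => web1.domaine.local' \
        'memoryfree_mb => 1234.56' \
        'memorysize_mb => 2048.00' \
        'operatingsystem => Debian' \
        'operatingsystemrelease => 9.5' \
        'os => {' \
        '  family => "Debian",' \
        '  name => "Debian"' \
        '}' > "$facts"
    missing_facts "$tpl" "$facts"
    rm -f "$tpl" "$facts"
}
```

Against real files: run `facter --show-legacy > /tmp/facts.txt` on a client, then `missing_facts /etc/puppetlabs/code/environments/production/modules/defaults/templates/motd.erb /tmp/facts.txt` on the server. demo() reports `ascii` (set by the class, not a fact) and `full` (not a fact at all).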
Install liquidprompt
template
wget https://raw.githubusercontent.com/nojhan/liquidprompt/master/liquidprompt
mv liquidprompt /etc/puppetlabs/code/environments/production/modules/defaults/templates/
class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::liquidprompt {
  file { '/usr/local/sbin/liquidprompt':
    ensure  => present,
    content => template("defaults/liquidprompt"),
    mode    => "770",
    owner   => root,
    group   => root;
  }
}
EOF
Update /root/.bashrc
template
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/templates/bashrc << EOF
PATH=\$PATH:/opt/puppetlabs/bin
if [ -f /etc/bashrc ]; then
  . /etc/bashrc
elif [ -f /etc/bash.bashrc ]; then
  . /etc/bash.bashrc
fi
# The following lines are only for interactive shells
[[ \$- = *i* ]] || return
# Use Bash completion, if installed
if [ -f /etc/bash_completion ]; then
  . /etc/bash_completion
fi
# Use Liquid Prompt
source /usr/local/sbin/liquidprompt
EOF
class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::bashrc {
  file { '/root/.bashrc':
    ensure  => present,
    content => template("defaults/bashrc"),
    mode    => "644",
    owner   => root,
    group   => root;
  }
}
EOF
Update the sources.list file
class
cat >> /etc/puppetlabs/code/environments/production/modules/defaults/manifests/init.pp << EOF
class defaults::apt {
  # Check the OS and pick the matching sources.list template
  case \$::operatingsystem {
    'Debian': {
      case \$::operatingsystemmajrelease {
        "7":     { \$lsbdistcodename = "wheezy" }
        "8":     { \$lsbdistcodename = "jessie" }
        "9":     { \$lsbdistcodename = "stretch" }
        default: { \$lsbdistcodename = "stable" }
      }
      case \$::architecture {
        default: { \$arch = 'defaults/sources.list' }
      }
      file { '/etc/apt/sources.list':
        ensure  => present,
        content => template(\$arch),
        mode    => "644",
        owner   => root,
        group   => root;
      }
    }
  }
}
EOF
template (the file name must match the defaults/sources.list path passed to template() in the class)
cat > /etc/puppetlabs/code/environments/production/modules/defaults/templates/sources.list << EOF
deb http://ftp.fr.debian.org/debian <%= @lsbdistcodename %> main contrib non-free
deb http://ftp.fr.debian.org/debian <%= @lsbdistcodename %>-updates main contrib non-free
deb http://security.debian.org <%= @lsbdistcodename %>/updates main contrib non-free
deb http://ftp.fr.debian.org/debian <%= @lsbdistcodename %>-backports main contrib non-free
EOF
ntp
puppet module install puppetlabs-ntp
dhcp
puppet module install theforeman-dhcp
site.pp
Any machine that does not match a node definition belongs to default.
- Example configuration with DHCP failover, NTP and the default tweaks.
node default {
  class { '::ntp':
    servers  => [ '${SVR_NTP_IP}' ],
    restrict => [
      'default ignore',
      '-6 default ignore',
      '127.0.0.1',
      '-6 ::1',
      '${SVR_NTP_IP} nomodify notrap nopeer noquery',
    ],
  }
  include [ '::ntp', '::defaults', ]
}

node '${SVR_NTP_FQDN}' {
  class { '::ntp':
    servers  => [ 'ntp.midway.ovh', 'ntp.unice.fr' ],
    restrict => [],
  };
  include [ '::ntp', '::defaults', ]
}

node '${SRV_DHCP_FQDN}' {
  class { 'dhcp':
    dnsdomain   => [ 'domaine.local', '0.168.192.in-addr.arpa', ],
    nameservers => ['192.168.0.1'],
    interfaces  => ['eth0'],
    ntpservers  => ['192.168.0.10', '192.168.0.11'],
  }
  dhcp::pool { 'dhcp.domaine.local':
    network  => '192.168.0.0',
    mask     => '255.255.255.0',
    range    => ['192.168.0.200 192.168.0.220'],
    gateway  => '192.168.0.254',
    failover => 'dhcp-failover',
  }
  dhcp::host { 'WIFI_PC':
    mac => "00:7c:07:01:07:01",
    ip  => "192.168.0.100";
  }
  class { '::dhcp::failover':
    peer_address        => '192.168.0.21',
    role                => 'primary',
    address             => '192.168.0.20',
    port                => '520',
    max_response_delay  => '60',
    max_unacked_updates => '10',
    mclt                => '300',
    load_split          => '128',
    load_balance        => '3',
  };
  include [ '::dhcp::failover', '::defaults', '::ntp', ]
}
- Note: restrict => [] on the NTP server node removes every restrict line from its ntp.conf, so that host answers queries from any client that can reach it; keep the module's default restrictions unless that is intended.