Saturday, December 1, 2012

Installing Puppet and creating users with it

Today I will be demonstrating how to install Puppet and add users on a Linux server (I will be using CentOS release 6.3 (Final)) using Puppet.

Puppet is an open source configuration management tool for managing users, packages, cron jobs, services and so on. It is usually run in a client-server model: the server is called the puppet master and the client is called the puppet agent.
The good thing about Puppet is that we need not worry about the distribution we are using. Installing a package, for example, means yum on CentOS/Red Hat and apt-get on Ubuntu; in a Puppet environment this is taken care of automatically with the help of a tool called 'facter'. The agent gathers facts about the node (operating system, architecture and so on, see the output below) and sends them to the master along with its request for a catalog, and Puppet uses them to pick the right provider, i.e. the right command to run, for each resource. By default the agent contacts the master every 30 minutes, fetches a freshly compiled catalog and applies whatever differs from the current state of the node.

[root@puppet ~]# facter
architecture => x86_64
augeasversion => 0.9.0
boardmanufacturer => Intel Corporation
boardproductname => 440BX Desktop Reference Platform
boardserialnumber => None
domain => spqr.com
facterversion => 1.6.14
fqdn => puppet.spqr.com
hardwareisa => x86_64
hardwaremodel => x86_64
hostname => puppet
id => root
interfaces => eth0,lo
ipaddress => 192.168.229.131
ipaddress_eth0 => 192.168.229.131
ipaddress_lo => 127.0.0.1
is_virtual => true
kernel => Linux
kernelmajversion => 2.6
kernelrelease => 2.6.32-279.el6.x86_64
kernelversion => 2.6.32
macaddress => XXXXX
macaddress_eth0 => XXXXX
manufacturer => VMware, Inc.
memoryfree => 396.71 MB
memorysize => 489.80 MB
memorytotal => 489.80 MB
netmask => 255.255.255.0
netmask_eth0 => 255.255.255.0
netmask_lo => 255.0.0.0
network_eth0 => 192.168.229.0
network_lo => 127.0.0.0
operatingsystem => CentOS
operatingsystemrelease => 6.3
osfamily => RedHat
path => /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
physicalprocessorcount => 1
processor0 => Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz
processorcount => 1
productname => VMware Virtual Platform
ps => ps -ef
puppetversion => 3.0.1
rubysitedir => /usr/lib/ruby/site_ruby/1.8
rubyversion => 1.8.7
selinux => false
serialnumber => VMware-56 4d dd 0e dc 32 e8 fd-1a 8d fb f0 58 48 7a 76
swapfree => 991.99 MB
swapsize => 991.99 MB
timezone => IST
type => Other
uniqueid => a8c083e5
uptime => 1 day
uptime_days => 1
uptime_hours => 31
uptime_seconds => 114384
virtual => vmware
[root@puppet ~]#

Puppet can be installed by first enabling the Puppet Labs yum repository, which the release package below sets up (it installs the repo file and the Puppet Labs GPG signing key under /etc/pki/rpm-gpg/). Since every later package is trusted on the strength of this one rpm, it is safer to download it first, import the Puppet Labs signing key from a source you trust and verify the package with rpm -K before installing it, and to leave gpgcheck=1 in the repo file it installs.

* rpm -ivh http://yum.puppetlabs.com/el/6/products/i386/puppetlabs-release-6-6.noarch.rpm

Now install puppet-server on the master and puppet on the agent nodes.
* yum install puppet-server
* yum install puppet

Once the installation is complete we have to start the puppet service on the master. It is better to start it in the foreground the first time, as it runs as a daemon by default and you want to see what it does.

[root@puppet ~]# puppet master --verbose --no-daemonize
Starting Puppet master version 3.0.1
Info: access[^/catalog/([^/]+)$]: allowing 'method' find
Info: access[^/catalog/([^/]+)$]: allowing $1 access
Info: access[^/node/([^/]+)$]: allowing 'method' find
Info: access[^/node/([^/]+)$]: allowing $1 access
Info: access[/certificate_revocation_list/ca]: allowing 'method' find
Info: access[/certificate_revocation_list/ca]: allowing * access
Info: access[/report]: allowing 'method' save
Info: access[/report]: allowing * access
Info: access[/file]: allowing * access
Info: access[/certificate/ca]: adding authentication any
Info: access[/certificate/ca]: allowing 'method' find
Info: access[/certificate/ca]: allowing * access
Info: access[/certificate/]: adding authentication any

This will now start the puppet master. On its first start the master also generates its own CA key and certificate under /var/lib/puppet/ssl; this CA is what signs every agent certificate from now on, so protect that directory like any other private key. The access[...] lines are the default rules from /etc/puppet/auth.conf. Note that /certificate/ is reachable with 'authentication any', i.e. any host that can reach port 8140 may submit a certificate request.

Once the master is up and running we can connect our first node to it. Puppet uses TLS (SSL) with X.509 certificates for communication over TCP port 8140: the master acts as the certificate authority, and every agent gets a certificate signed by it which authenticates the agent on all later connections.

Start the agent and connect it to the master:

puppet agent --server=puppet.spqr.com --no-daemonize

The above command will generate a key pair and a certificate signing request for the agent and send the request to the puppet master for signature. This also creates the SSL directory under /var/lib/puppet/ssl; the location can be changed with the ssldir setting in puppet.conf.

puppet cert --list will list the nodes which have asked the master for a signature, along with the fingerprint of each request.

puppet cert --sign 'node name' signs the certificate; the --all option signs every pending request. Before signing, compare the fingerprint shown by puppet cert --list with the one the node itself reports via puppet agent --fingerprint, because, as the auth.conf lines above show, anyone who can reach port 8140 can submit a request under any name. For the same reason avoid --all on a network you do not fully control, and do not enable autosign.

Now that the connection is established we have to add the agent to the nodes.pp file on the master, so the master knows which configuration this agent gets.

[root@puppet ~]# cat /etc/puppet/manifests/nodes.pp
node 'node1.spqr.com' {
}

Adding the agent to nodes.pp is not sufficient on its own: the master only reads site.pp, the main manifest, so nodes.pp has to be imported from there.

[root@puppet ~]# cat  /etc/puppet/manifests/site.pp
import 'nodes.pp'

Now it is time to add our first module, to start creating users on the nodes.

Modules live under /etc/puppet/modules/ by default (the modulepath setting). Unlike nodes.pp, a module's classes are found automatically by name, so no import statement is needed for modules.

mkdir -p /etc/puppet/modules/users/{files,manifests,templates}

We name the module users. manifests/ is the one directory every module must have: it holds the module's classes, one .pp file per class.

To create users via Puppet we declare them as virtual resources (the @ prefix). A virtual resource is compiled into the catalog but not applied until it is realized, with the realize function or a collector, so one central list of users can be shared by several classes without declaring the same user twice.

Create manifests/virtual.pp inside the module; it holds the information about all the users:

class users::virtual {
  @user { 'user1':
    comment    => 'user1',
    uid        => '2000',
    ensure     => 'present',
    home       => '/home/user1',
    shell      => '/bin/bash',
    managehome => true,
  }
  @user { 'user2':
    comment    => 'user2',
    uid        => '2001',
    ensure     => 'present',
    home       => '/home/user2',
    shell      => '/bin/bash',
    managehome => true,
  }
  @user { 'user3':
    comment    => 'user3',
    uid        => '2002',
    ensure     => 'present',
    home       => '/home/user3',
    shell      => '/bin/bash',
    managehome => true,
  }
}

Here the class is named users::virtual: the users:: prefix is the module name and virtual is the file, so Puppet's autoloader finds the class in /etc/puppet/modules/users/manifests/virtual.pp without any import.

As mentioned earlier, adding the entries in virtual.pp alone does not give any user access to any box; the user has to be realized first.

Also note that in a real environment a tester may not need access to a production box and a developer may not need access to a test box, so we create two classes, one for testers and one for developers.

touch test.pp dev.pp

In test.pp realize the user(s) who do testing, and in dev.pp the users who do development.

[root@puppet manifests]# cat dev.pp

class users::dev {
  include users::virtual
  realize(
    User['user1'],
    User['user2']
  )
}

Here we include the virtual class inside the dev class, because the virtual declarations have to be in the catalog before the dev class can realize them.

[root@puppet manifests]# cat test.pp

class users::test {
  include users::virtual
  realize(
    User['user3']
  )
}

There is one last file, init.pp, which defines the module's top-level class users. It is empty here, but keep it: it is what Puppet loads when someone declares the class users itself, and every module is expected to have one.

[root@puppet manifests]# cat init.pp
class users {
}

Assuming the first node we created is a production box, user3 (and therefore the class users::test) must not be included on it, so its node definition in nodes.pp gets only the dev class:


node 'node1.spqr.com'  {
include users::dev
}

Now user1 and user2 will be created on node1 on its next run, or immediately if you run puppet agent --test on the node; user3 is not, because nothing realized it there.
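The manifest below is an added example and not code from the original post. It extends the users module above in the direction a hardened setup would take: groups and SSH public keys are declared virtually next to the users, every resource carries a role tag, the role classes realize by tag with a collector instead of naming each user in realize(), accounts get a locked password so only key-based login works, and a separate class removes people who have left. The users, groups, uids, the key material and the class users::absent are hypothetical sample data, and managing password on Linux assumes the ruby-shadow package is installed on the agent.

```puppet
# Added example (not from the original post); names, uids and the key are
# constructed sample data.

class users::virtual {

  @group { 'dev':
    ensure => present,
    gid    => '3000',
    tag    => 'dev',
  }

  @group { 'test':
    ensure => present,
    gid    => '3001',
    tag    => 'test',
  }

  @user { 'user1':
    ensure     => present,
    comment    => 'user1',
    uid        => '2000',
    gid        => 'dev',
    home       => '/home/user1',
    shell      => '/bin/bash',
    managehome => true,
    # '!!' is a locked hash: no password login, SSH key only.
    # Assumes ruby-shadow on the agent so Puppet can manage /etc/shadow.
    password   => '!!',
    tag        => 'dev',
  }

  # Constructed sample key; replace with the user's real public key.
  @ssh_authorized_key { 'user1@laptop':
    ensure => present,
    user   => 'user1',
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleKeyMaterialOnly',
    tag    => 'dev',
  }

  @user { 'user3':
    ensure     => present,
    comment    => 'user3',
    uid        => '2002',
    gid        => 'test',
    home       => '/home/user3',
    shell      => '/bin/bash',
    managehome => true,
    password   => '!!',
    tag        => 'test',
  }
}

# A collector (<| |>) realizes every virtual resource whose tag matches.
# user autorequires its group and ssh_authorized_key autorequires its user,
# so no explicit ordering is needed.
class users::dev {
  include users::virtual
  Group              <| tag == 'dev' |>
  User               <| tag == 'dev' |>
  Ssh_authorized_key <| tag == 'dev' |>
}

class users::test {
  include users::virtual
  Group              <| tag == 'test' |>
  User               <| tag == 'test' |>
  Ssh_authorized_key <| tag == 'test' |>
}

# People who have left: removed on every node, home directory included.
# Declared as a normal (non-virtual) resource, so including the class is
# enough to enforce the removal.
class users::absent {
  user { 'olduser':
    ensure     => absent,
    managehome => true,
  }
}

# Replacement for the node definition in nodes.pp: production gets the dev
# role only, and every node gets the removal list.
node 'node1.spqr.com' {
  include users::absent
  include users::dev
}
```

The tag-based collectors mean adding a new developer is a single new @user (and its key) in virtual.pp with tag => 'dev'; nothing in users::dev changes. The users::absent class is what makes offboarding auditable: an account that is only left out of the realize list is still present on any node that created it earlier, whereas ensure => absent actually removes it.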

----------------------------------------------------------------------------------------------------------------------------------
Source - puppet labs.