
How to stop configuring and start living, or setting up Puppet in a school classroom on 25 computers

You can set up computers one at a time, but sometimes there are just too many of them ...



It just so happened that I got a job as a teacher on a free Android development course for schoolchildren, sponsored by one large corporation, and, naturally, I had to take charge of the corresponding equipment: 25 laptops, 25 tablets, 2 desktops and a touch panel. Until recently, the laptops ran Windows 8.1, but few people were satisfied with the performance and stability of this OS when developing in Eclipse and Android Studio. After one year under Windows, our management decided to move all laptops to Xubuntu 14.04 to resolve these difficulties. An image was prepared, customized for the specific laptop model we used and containing all the necessary programs. Roll it out and get to work. One problem: there was no solution for centralized configuration management. My logical question about this was answered with the claim that introducing such a system complicates the installation of Linux on the laptops and that, since everything has already been done as it should be, no changes will be needed after installation. (Oh, those optimists!)

In general, I decided that I personally needed centralized configuration management, and took it upon myself. After some deliberation, I chose Puppet as being easier to install and set up (maybe I just came across poor instructions for Chef, I don't know). For me, this simplicity was the main criterion, since I could not devote much time to this business.
A lot has already been written about Puppet on Habr, including instructions on how to install and configure it from scratch. I found as many as 3 articles. However, the 1st describes an overly complicated case, and the 2nd focuses more on the manifest files than on the Puppet installation itself. The third one is quite good, and I used it as one of my sources of information, but, unfortunately, it is already outdated. So I decided to write an article for Habr while doing the setup: a reminder for me and instructions for others.

Since there are many computers and repeating the same steps on each of them is tedious, at the end you will find two simple shell scripts and a brief instruction on how to use them. One runs on the server, the other on each of the clients, and voilà: we get Puppet, configured and ready to work. The server here means the computer that will manage the rest, and the 25 laptops are the clients.

It is a pity that you cannot hook the tablets up to the centralized configuration management system. Or maybe it is possible and I am just behind the times? Those who do not particularly want to understand how Puppet is configured, but just want a finished result, can scroll to the end of the article, where I have posted ready-made scripts.

Configuring Puppet - process explanation


1. First we need to install the Puppet control server on the teacher’s computer:

sudo apt-get install -y puppetmaster 

2. Now install the service on the client:

 sudo apt-get install -y puppet 

3. For the client to know where to connect, you need to add the following lines to /etc/puppet/puppet.conf :

    [agent]
    server = mysuperserver
    node_name = cert
    certname = nameofworkstation

Here, mysuperserver must be replaced with the domain name of your server, and nameofworkstation with the name that you decided to assign to this particular client. If your organization does not have DNS configured, you can add the server to /etc/hosts on each client. This is important! The SSL certificate that Puppet uses later is generated for the domain name of the server. If you specify an IP address in the configuration, you will get a failure at later stages.
4. Next, you need to perform a test run of the service on the client computer:

 puppet agent --test 

The client will be refused a connection because it has no certificate, but at the same time it will create a certificate request on the server.
5. Approve this request on the server with the corresponding command:
puppet cert sign nameofworkstation

Here, in place of nameofworkstation, use the name that you assigned to the client in step 3. A list of all certificate requests currently pending on the server can be viewed with the command puppet cert --list .
6. After that, on the client, run the following commands:

    puppet agent --enable
    puppet agent --test

The first command is needed to re-enable the initial run, since by default Puppet only allows it to be executed once.
By completing this simple procedure, you will get a configured server and clients configured to receive configuration updates from it.

Ready scripts and instructions


Finally, I present to you 2 ready-made scripts that I used for myself. Server script:

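    #!/bin/bash
    # server.sh: run as root on the teacher's computer
    echo =============================================
    echo "Installing puppet"
    echo =============================================
    apt-get install -y puppetmaster
    echo =============================================
    COMMAND=nope
    # The loop repeats until Ctrl+C is pressed (or "end" is typed)
    while [ "$COMMAND" != "end" ]
    do
        echo =============================================
        echo "Run client.sh on the clients. When they have requested certificates, press [ENTER] to sign them. Press Ctrl+C when all clients are done."
        echo =============================================
        read -r COMMAND
        echo =============================================
        echo "Signing certificates"
        echo =============================================
        # Signs every pending request
        puppet cert sign --all
    done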

Client Script:

    #!/bin/bash
    # client.sh: run as root on each client
    # Change these 2 variables to match your environment
    MASTER_IP=192.168.0.100
    SERVER_NAME=server
    echo =============================================
    echo "Generating ID"
    echo =============================================
    sudo apt-get install -y uuid
    ID=$(uuid)
    echo =============================================
    echo "Adding $SERVER_NAME at $MASTER_IP to /etc/hosts"
    echo =============================================
    echo "$MASTER_IP $SERVER_NAME" >> /etc/hosts
    echo =============================================
    echo "Installing puppet"
    echo =============================================
    sudo apt-get install -y puppet
    echo =============================================
    echo "Writing the puppet configuration"
    echo =============================================
    # The redirect is done by this shell, so the script itself must run as root
    cat >> /etc/puppet/puppet.conf << EOF
    [agent]
    server = $SERVER_NAME
    node_name = cert
    certname = workstation-$ID
    EOF
    echo =============================================
    echo "Requesting a certificate"
    echo =============================================
    puppet agent --test
    echo =============================================
    echo "Press [ENTER] once the server has signed the certificate."
    echo =============================================
    read -n 1
    echo =============================================
    echo "Applying the configuration"
    echo =============================================
    puppet agent --enable
    puppet agent --test
    echo =============================================
    echo "Done"
    echo =============================================
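The server script approves every pending request with puppet cert sign --all, so any machine that reaches the server and asks gets a signed certificate. The following is an added example, not part of the original article: it signs only requests whose name has the workstation-<uuid> shape that client.sh generates. It assumes the Puppet 3 listing format of one quoted name per line; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: approve only the certificate requests we expect.

# Read `puppet cert list` output on stdin and print the pending names that
# look like workstation-<uuid>. Lines for already signed certificates start
# with "+" and are skipped because they do not begin with a quoted name.
pending_workstations() {
    sed -n 's/^[[:space:]]*"\([^"]*\)".*/\1/p' |
        grep -E '^workstation-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || true
}

# Sign each matching request by name instead of using --all.
# Run on the server in place of the `puppet cert sign --all` line.
sign_pending_workstations() {
    puppet cert list | pending_workstations | while read -r name; do
        puppet cert sign "$name"
    done
}

# Constructed sample of a listing: one expected laptop, one unexpected
# request, and one certificate that is already signed.
sample_listing() {
    printf '%s\n' \
        '  "workstation-6f1c2a9e-3b7d-11e5-9c41-0800272f5d10" (SHA256) AA:BB' \
        '  "teacher-laptop" (SHA256) CC:DD' \
        '+ "workstation-0a0a0a0a-3b7d-11e5-9c41-0800272f5d10" (SHA256) EE:FF'
}

# Demonstration on the sample: prints only the first name.
sample_listing | pending_workstations
```

The client chooses its own name, so this filter narrows what gets signed rather than authenticating the laptop; where that matters, compare the fingerprint shown in the listing with the one on the client before signing.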

Using them is very simple:
1. Modify client.sh to match your environment: the IP address of the server (you must make it static) and the name of the server (this should be the computer name that you set when you installed Ubuntu). These are the first 2 variables at the beginning of the file, you need to fix them.
2. Start server.sh on the server, then client.sh on each of the clients. After that, on the server, press Enter to allow the server to sign all client certificates.
3. Then press Enter on each of the clients so that they reconnect to the server with an already valid certificate and apply all available configurations.
4. Press Ctrl + C on the server to complete the process.
After performing this simple procedure, the laptops will automatically connect to the server when they are turned on and every 10 minutes after that, and check for available configurations. And, of course, apply them if there are any. Beauty!
Note: In my opinion, a big minus of the client script is that if you start it again, it will add the configuration lines even if that has already been done before. Thus, if an error occurs at some stage, continuing the process after eliminating its cause by simply re-running the script is a bad idea: the configuration files will end up a mess. Ideally, the script should check the contents of the configuration files and not make changes if they have already been made. However, my inadequate level of bash and lack of time to improve it did not allow me to overcome this shortcoming. If this comes easily to someone, I will be glad to receive the appropriate corrections in the comments.
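One way to close the gap described in the note, as an added example that is not part of the original article: the two appends from client.sh rewritten so that a second run changes nothing, plus a helper that returns the certname already written so a re-run keeps the same identity instead of generating a new uuid. The function names are made up here, and the file paths are parameters so the functions can be tried on copies before being pointed at /etc.

```shell
#!/bin/sh
# Added example: idempotent versions of the ">>" appends in client.sh.

# Add "IP NAME" to a hosts file unless NAME is already mapped there.
ensure_hosts_entry() {    # usage: ensure_hosts_entry FILE IP NAME
    if awk -v n="$3" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                      END { exit !found }' "$1"; then
        return 0          # the name already resolves; leave the file alone
    fi
    printf '%s %s\n' "$2" "$3" >> "$1"
}

# Append the [agent] section unless the file already has one.
ensure_agent_section() {  # usage: ensure_agent_section FILE SERVER CERTNAME
    if grep -q '^\[agent\]' "$1"; then
        return 0
    fi
    cat >> "$1" << EOF
[agent]
server = $2
node_name = cert
certname = $3
EOF
}

# Print the certname already present in the file (empty if none), so the
# caller can skip generating a new uuid on a re-run.
existing_certname() {     # usage: existing_certname FILE
    sed -n 's/^[[:space:]]*certname[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Demonstration on constructed copies in a temporary directory: the second
# pass must leave both files exactly as the first pass wrote them.
demo() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n' > "$d/hosts"
    printf '[main]\nlogdir=/var/log/puppet\n' > "$d/puppet.conf"
    for run in 1 2; do
        ensure_hosts_entry "$d/hosts" 192.168.0.100 server
        ensure_agent_section "$d/puppet.conf" server "workstation-$run"
    done
    cat "$d/hosts" "$d/puppet.conf"
    rm -r "$d"
}
demo
```

In client.sh these would be called with /etc/hosts and /etc/puppet/puppet.conf, taking the ID from existing_certname when it is not empty and from uuid otherwise.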

Install VNC


Well, we have set up Puppet, so how about enjoying some of its goodies? I personally want VNC access to be turned on on the students' computers so that I can always connect to the computer of a given student and see what he is doing there. And if he is doing something that should be shown to all students, his screen could be displayed on the interactive panel so that the others can follow his example. To achieve these 2 goals, we first save the VNC password in the /etc/x11vnc.pass file with the following command (everything is done on the server):

 sudo x11vnc -storepasswd 1 /etc/x11vnc.pass 

Why such a pathetic password instead of a serious one? Well, the puppet package in the Ubuntu 14.04 repositories has two bugs ( first and second ) because of which it cannot upload binary files to client computers. It correctly sends only files that are valid UTF-8 encoded text. The password 1 was checked: its hash is distributed to the clients by Puppet without problems. You can also search for other passwords whose hash is valid UTF-8 text. I picked one for my class. You can try.

Then, on the server, create the file /etc/puppet/manifests/site.pp with the following content:

    # Packages wanted on every client
    package { "mc":
      ensure => installed,
    }
    package { "x11vnc":
      ensure => installed,
    }

    # VNC password file, read from the server's own /etc/x11vnc.pass
    file { "/etc/x11vnc.pass":
      content => file("/etc/x11vnc.pass"),
      mode    => 600,
    }

    # Upstart job that starts x11vnc when the login screen appears
    $str = "start on login-session-start
    script
    /usr/bin/x11vnc -xkb -forever -auth /var/run/lightdm/root/:0 -display :0 -rfbauth /etc/x11vnc.pass -rfbport 5900 -bg -o /var/log/x11vnc.log
    end script
    "
    file { "/etc/init/x11vnc.conf":
      content => "$str",
      mode    => 644,
    }

It's all pretty obvious. Let me just say briefly that this manifest installs the mc and x11vnc packages and creates a service that automatically starts VNC with the specified password when the login screen appears. (I used this answer in the configuration) Please note that the name /etc/puppet/manifests/site.pp is not my whim: this is the path where Puppet keeps the default manifest. Again, I will be glad of any constructive criticism of my self-made manifest (I love Habr for constructive criticism).

That's all. As a result, every time they start up and every 10 minutes (the default value in Puppet), your clients will connect to the server, check whether the configuration has been updated and, if it has, apply the updates.
Thank you all for your attention.

Source: https://habr.com/ru/post/265755/

