
Deploy OpenSource Puppet 4 with multiple puppet masters. Part II. Puppet Masters Setup

Deploying OpenSource Puppet 4 with multiple Puppet masters. Part I. Preparatory
Deploying OpenSource Puppet 4 with multiple Puppet masters. Part III. Setting up puppet-db with Puppet

Configure puppet servers


General server settings. On the puppet-master01, puppet-master02 and puppet-db servers, add the Puppet Labs repository:

 wget https://apt.puppetlabs.com/puppetlabs-release-pc1-xenial.deb
 sudo dpkg -i puppetlabs-release-pc1-xenial.deb
 sudo apt update

On the puppet-master01, puppet-master02 servers, install the puppet server:
 sudo apt install puppetserver 

Check the listen address, port and client authentication setting in the /etc/puppetlabs/puppetserver/conf.d/webserver.conf file; the defaults should be:

 client-auth: want
 ssl-host: 0.0.0.0
 ssl-port: 8140

On the puppet-db server, a puppet agent is sufficient:

 sudo apt install puppet-agent 

The rest of the puppet-db setup is done with Puppet itself (Part III).

General puppet agent settings


In the /etc/puppetlabs/puppet/puppet.conf file, set the certificate authority server and the name of the puppet server the agents will talk to (the cluster name):

 [main]
 server = puppetmaster.example.com
 ca_server = puppet-master01.example.com

These settings must also be applied to the puppet agents on all managed nodes, including puppet-db.

Setting up the puppet-master01 node


Only one instance of the certificate authority may be running. Make sure that the CA service is enabled in the /etc/puppetlabs/puppetserver/services.d/ca.cfg file:

 puppetlabs.services.ca.certificate-authority-service/certificate-authority-service 

The line should NOT be commented out.

Configure a list of DNS server names


In /etc/puppetlabs/puppet/puppet.conf, declare the alternative DNS names for puppet-master01 by adding the following to the [main] section:

 dns_alt_names = puppet-master01,puppet-master01.example.com,puppetmaster,puppetmaster.example.com 

These names will then be included in the server certificate as subject alternative names.

Generate a certificate for puppet-master01 that includes the alternative DNS names:

 aspetrenko@puppet-master01:~$ sudo -i puppet cert generate puppet-master01.example.com --dns_alt_names=puppet-master01,puppet-master01.example.com,puppetmaster,puppetmaster.example.com
 Notice: puppet-master01.example.com.pem has a waiting certificate request
 Notice: Signed certificate request for puppet-master01.example.com.pem
 Notice: Removing file Puppet::SSL::CertificateRequest puppet-master01.example.com.pem at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet-master01.example.com.pem.pem'
 Notice: Removing file Puppet::SSL::CertificateRequest puppet-master01.example.com.pem at '/etc/puppetlabs/puppet/ssl/certificate_requests/puppet-master01.example.com.pem.pem'

Run the puppet server on puppet-master01:

 sudo systemctl start puppetserver.service 

Setting up the puppet-master02 node


On every puppet-master server except the first one, the CA service must be disabled in the /etc/puppetlabs/puppetserver/services.d/ca.cfg file: comment out the certificate-authority-service line and uncomment the certificate-authority-disabled-service line:

 # To enable the CA service, leave the following line uncommented
 #puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
 # To disable the CA service, comment out the above line and uncomment the line below
 puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service

Configure the list of DNS server names in the /etc/puppetlabs/puppet/puppet.conf file. To do this, add the following to the [main] section:

 dns_alt_names = puppet-master02,puppet-master02.example.com,puppetmaster,puppetmaster.example.com 

Request a certificate for puppet-master02 from puppet-master01:

 aspetrenko@puppet-master02:~$ sudo -i puppet agent --test --waitforcert 60
 Info: Creating a new SSL key for puppet-master02.example.com
 Info: Caching certificate for ca
 Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
 Info: Creating a new SSL certificate request for puppet-master02.example.com
 Info: Certificate Request fingerprint (SHA256): 16:67:D9:84:A3:50:B6:43:35:08:FE:BA:05:77:7C:C5:E7:3E:A5:D6:D1:00:BE:11:63:AB:6E:93:B7:37:0A:33
 Info: Caching certificate for ca
 Info: Caching certificate for puppet-master02.example.com
 Info: Caching certificate_revocation_list for ca

Sign the certificate request from the puppet-master02 agent on the puppet-master01 server. The --allow-dns-alt-names flag is required because the CA refuses requests containing alt names by default: a certificate carrying the puppetmaster.example.com name lets its holder act as the puppet server, so it must only be issued deliberately.

 aspetrenko@puppet-master01:~$ sudo -i puppet cert sign puppet-master02.example.com --allow-dns-alt-names
 Signing Certificate Request for:
   "puppet-master02.example.com" (SHA256) 16:67:D9:84:A3:50:B6:43:35:08:FE:BA:05:77:7C:C5:E7:3E:A5:D6:D1:00:BE:11:63:AB:6E:93:B7:37:0A:33 (alt names: "DNS:puppet-master02", "DNS:puppet-master02.example.com", "DNS:puppetmaster", "DNS:puppetmaster.example.com") **
 Notice: Signed certificate request for puppet-master02.example.com
 Notice: Removing file Puppet::SSL::CertificateRequest puppet-master02.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet-master02.example.com.pem'

The agent on puppet-master02 then receives its certificate and completes the run:

 Info: Using configured environment 'production'
 Info: Retrieving pluginfacts
 Info: Retrieving plugin
 Info: Caching catalog for puppet-master02.example.com
 Info: Applying configuration version '1477917008'
 Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
 Notice: Applied catalog in 0.02 seconds

The certificate list on puppet-master01 should now look something like this:

 aspetrenko@puppet-master01:~$ sudo -i puppet cert list -a
 + "puppet-master01.example.com" (SHA256) 1A:15:76:96:33:6E:F9:DA:9F:C3:8D:9E:FC:98:BA:FB:10:CF:FA:27:54:2C:F2:55:8D:B9:AA:6C:52:FA:9F:C1 (alt names: "DNS:puppet-master01", "DNS:puppet-master01.example.com", "DNS:puppetmaster", "DNS:puppetmaster.example.com")
 + "puppet-master02.example.com" (SHA256) 80:1B:2C:49:E3:16:C6:37:B5:FC:E2:40:6B:49:B8:9A:95:91:C1:76:9C:79:3D:D5:0A:81:29:1D:E6:C3:B6:52 (alt names: "DNS:puppet-master02", "DNS:puppet-master02.example.com", "DNS:puppetmaster", "DNS:puppetmaster.example.com")

ATTENTION! Do not forget to copy the certificate authority's CRL file /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem from puppet-master01 to puppet-master02, into the same location with the same owner and permissions. Without it puppet-master02 cannot reject agents whose certificates have been revoked on the CA.

Run the puppet server on puppet-master02:

 sudo systemctl start puppetserver.service 


Installing r10k on puppet-master01 and puppet-master02 servers



On all puppet-master servers, install git and rubygems, then r10k:

 sudo apt install git rubygems
 sudo gem install r10k

Put the user r10k into the puppet group:

 sudo usermod -a -G puppet r10k 

Create a directory for the repository cache and hand it to the r10k user and the puppet group:

 sudo mkdir -p /var/cache/r10k
 sudo chown -R r10k:puppet /var/cache/r10k
 sudo chmod 2775 /var/cache/r10k

Create a directory for the r10k settings:

 sudo mkdir -p /etc/puppetlabs/r10k
 sudo chown -R puppet:puppet /etc/puppetlabs
 sudo chmod -R g+w /etc/puppetlabs

Note that the last two commands make the whole of /etc/puppetlabs, including the ssl/ directory that holds the CA key on puppet-master01, writable by every member of the puppet group, which r10k has just joined; limiting group write to /etc/puppetlabs/r10k and /etc/puppetlabs/code is the tighter option.

On each puppet-master server you also need to create the configuration file /etc/puppetlabs/r10k/r10k.yaml. Its content depends on which provider you use to work with the git repository.

Shellgit provider


This provider is available by default and is suitable when the git repository is a local directory without a git server, or a simple git server reached over ssh.

The contents of the configuration file /etc/puppetlabs/r10k/r10k.yaml:

 # location for cached repos
 :cachedir: '/var/cache/r10k'
 git:
   provider: 'shellgit'
 # git repositories containing environments
 :sources:
   :base:
     remote: 'gitolite3@sgl-git.example.com:puppet-environments'   # gitolite3
     # remote: '/srv/puppet.git'                                    # shared directory
     # remote: 'ssh://aspetrenko@puppet-master01/srv/puppet.git'    # plain ssh
     basedir: '/etc/puppetlabs/code/environments/'

The shellgit provider cannot take the username from r10k.yaml, so to reach the gitolite repository with the right key, put the settings in the r10k user's ssh configuration, /home/r10k/.ssh/config:

 host sgl-git.example.com
     HostName sgl-git.example.com
     IdentityFile /home/r10k/.ssh/r10k
     User gitolite3

Rugged provider


The rugged provider is the better choice: with it, each source in r10k.yaml can have its own key and username, and repositories can also be accessed over https.

On Ubuntu, for the rugged provider to work with the ssh and https protocols, libssh2 has to be compiled with OpenSSL support instead of libgcrypt. The distribution builds it against libgcrypt because that is simpler to build and free of licensing concerns, so you either have to stay with shellgit or rebuild your own libssh2-1 package with OpenSSL on these distributions.

The xenial package libssh2 1.5.0-2 does not work (the problem is in libssh2/src/libgcrypt.c); libssh2 1.6.0 and later work without complaint. If you do not update, you cannot use private git repositories.

So we backport the package from yakkety. Install the necessary packages on puppet-master01:

 sudo apt install make cmake pkg-config libssh2-1-dev ruby-dev rubygems libevent-pthreads-2.0-5 openssl libssl-dev libz-dev libhttp-parser-dev 

 sudo apt install debhelper dh-autoreconf chrpath devscripts 

and on puppet-master02 (packages needed to build rugged, via gem):

 sudo apt install make cmake pkg-config ruby-dev rubygems libevent-pthreads-2.0-5 openssl libssl-dev libz-dev libhttp-parser-dev 

Download the libssh2 sources and unpack them:

 dget http://archive.ubuntu.com/ubuntu/pool/universe/libs/libssh2/libssh2_1.7.0-1.dsc
 dpkg-source -x ./libssh2_1.7.0-1.dsc

Add a changelog entry describing our changes:

 cd libssh2-1.7.0/
 dch -i

Add a description to the changelog such as:
* Backport from yakkety
* Recompile with openssl support

Finalize the changelog entry as a release:

 dch -r 

In libssh2-1.7.0/debian/control, replace all occurrences of libgcrypt20-dev with libssl-dev:

 sed -i 's/libgcrypt20-dev/libssl-dev/g' debian/control 

And build a new package with OpenSSL support instead of libgcrypt:

 ./configure --with-openssl --without-libgcrypt
 dpkg-buildpackage -rfakeroot

Do not forget to remove the libssh2-1-dev package of the old libssh2-1 version:

 sudo apt remove libssh2-1-dev 

Install the rebuilt packages on puppet-master01 and puppet-master02 (the dev package is needed to install rugged via gem):

 sudo dpkg -i libssh2-1_1.7.0-1ubuntu1_amd64.deb libssh2-1-dbg_1.7.0-1ubuntu1_amd64.deb libssh2-1-dev_1.7.0-1ubuntu1_amd64.deb

Afterwards, check with ldd on the installed libssh2.so.1 that it is linked against libssl/libcrypto and no longer against libgcrypt; otherwise the rugged provider will fail in the same way as before.

Install r10k and rugged:

 sudo gem install r10k rugged 

And create the configuration file /etc/puppetlabs/r10k/r10k.yaml on puppet-master01 and puppet-master02 with the following contents:

 # location for cached repos
 :cachedir: '/var/cache/r10k'
 git:
   provider: 'rugged'
   private_key: '/home/r10k/.ssh/r10k'
 # git repositories containing environments
 :sources:
   :base:
     remote: 'ssh://gitolite3@sgl-git.example.com/puppet-environments'
     basedir: '/etc/puppetlabs/code/environments/'

Configuring the puppet-environments.git repository


Initial repository setup. Clone the puppet-environments repository on your workstation:

 aspetrenko@aspetrenko-pc:~/sgl-git$ git clone gitolite3@sgl-git.example.com:puppet-environments
 Cloning into 'puppet-environments'...
 warning: You appear to have cloned an empty repository.
 Checking connectivity... done.

Fill the repository with the initial content, which we take from puppet-master01:

 aspetrenko@aspetrenko-pc:~/sgl-git$ scp -r aspetrenko@puppet-master01:/etc/puppetlabs/code/environments/production/* /home/aspetrenko/sgl-git/puppet-environments/ 

Go into the repository and point HEAD at a branch named production, matching the Puppet environment name:

 aspetrenko@aspetrenko-pc:~/sgl-git$ cd puppet-environments/
 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ git symbolic-ref HEAD refs/heads/production

Then commit and push the changes:

 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ git add --all
 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ git commit -a -m "Initial commit"
 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ git push --set-upstream origin production


Creating a post-receive hook


Create a post-receive hook in the puppet-environments repository on the git server that runs r10k on puppet-master01 and puppet-master02, with the following contents (the branch name is single-quoted in the remote command so that the masters' shell does not interpret it, and the permission fix runs on the masters, where the environment directories actually live, rather than on the git server):

 aspetrenko@sgl-git:~$ sudo cat /media/data/repositories/puppet-environments.git/hooks/post-receive
 #!/bin/bash
 umask 0002
 while read oldrev newrev ref
 do
     branch=$(echo "$ref" | cut -d/ -f3)
     echo
     echo "--> Deploying ${branch}..."
     echo
     for master in puppet-master01 puppet-master02
     do
         ssh -i /var/lib/gitolite3/.ssh/gitolite3 "r10k@${master}" "r10k deploy environment '${branch}' -p"
         # sometimes r10k gets permissions wrong too; the environment directories
         # are on the masters, so the chmod has to run there as well
         ssh -i /var/lib/gitolite3/.ssh/gitolite3 "r10k@${master}" \
             "find /etc/puppetlabs/code/environments/'${branch}'/modules -type d -exec chmod 2775 {} \; 2> /dev/null;
              find /etc/puppetlabs/code/environments/'${branch}'/modules -type f -exec chmod 664 {} \; 2> /dev/null"
     done
 done

Do not forget to make it executable:

 aspetrenko@sgl-git:~$ sudo chmod 0775 /media/data/repositories/puppet-environments.git/hooks/post-receive 
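A stricter way to turn the pushed refs into r10k commands, added here as an example and not part of the article's hook: it accepts only branch refs whose names satisfy Puppet's environment-name rule (lowercase letters, digits and underscores), which also keeps shell metacharacters out of the command sent over ssh, and it treats a deleted branch (newrev all zeros) as a full deploy so that r10k can purge the stale environment. The master names and key path are the article's; the function names are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original article): validate post-receive input
# before it is passed to "r10k deploy environment" on the puppet masters.

ZERO_REV=0000000000000000000000000000000000000000

# Map a pushed ref to a Puppet environment name, or fail.
# Only branches count (tags are not environments), and the name must match
# Puppet's environment rule [a-z0-9_]+, which also excludes '/', ';', '$', quotes
# and anything else a remote shell could interpret.
ref_to_environment() {
    local ref=$1 env
    case "$ref" in
        refs/heads/*) env=${ref#refs/heads/} ;;
        *) return 1 ;;
    esac
    case "$env" in
        "" | *[!a-z0-9_]*) return 1 ;;
    esac
    printf '%s\n' "$env"
}

# Build the r10k command for one pushed ref. A deleted branch has no environment
# to deploy; deploying all environments lets r10k purge the removed directory.
deploy_command() {
    local newrev=$1 ref=$2 env
    env=$(ref_to_environment "$ref") || return 1
    if [ "$newrev" = "$ZERO_REV" ]; then
        printf '%s\n' "r10k deploy environment -p"
    else
        printf '%s\n' "r10k deploy environment $env -p"
    fi
}

# Hook body: read "oldrev newrev ref" lines from stdin and deploy on each master
# (hypothetical wrapper; the masters and key path are those used in the article).
run_hook() {
    local oldrev newrev ref cmd master
    while read -r oldrev newrev ref; do
        cmd=$(deploy_command "$newrev" "$ref") || { echo "skipping $ref" >&2; continue; }
        for master in puppet-master01 puppet-master02; do
            ssh -i /var/lib/gitolite3/.ssh/gitolite3 "r10k@$master" "$cmd"
        done
    done
}
```

Call run_hook from the post-receive script (git feeds it the pushed refs on stdin); anything that is not a valid environment branch is reported and skipped instead of being handed to a remote shell.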


Post-receive hook check


Create a manifests directory with a .keep file so that git does not ignore the empty directory:

 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ touch manifests/.keep
 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ git add manifests/.keep
 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ git commit manifests/.keep -m "Test commit"
 [production 72bd288] Test commit
  1 file changed, 0 insertions(+), 0 deletions(-)
  create mode 100644 manifests/.keep

Send changes to the repository:

 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ git push -u origin production 

The git hook will then use r10k to apply the changes under /etc/puppetlabs/code/environments on each server. Check that the changes have arrived on puppet-master01 and puppet-master02.

Installing and configuring Librarian-puppet


From librarian-puppet.com:
Librarian-puppet takes control of the modules/ directory and always (re)installs the modules described in the Puppetfile, so you do not need to store or track the state of the modules/ directory in Git.

Librarian-puppet is the module manager (the equivalent of Bundler for gems) for your Puppet infrastructure. You can use librarian-puppet to manage Puppet modules regardless of where they are stored: on the Puppet Forge, in a Git repository or in a local folder.

Librarian-puppet can resolve dependencies described in Modulefile or metadata.json.
Forge modules can be installed from the Puppet Labs Forge or from an internal Forge store such as Pulp.

Git modules can be installed from a branch, a tag or a specific commit. Modules can be installed from GitHub as tarballs, without Git having to be installed. Modules can be installed from a directory in the local file system. Module dependencies can be resolved transparently, without listing all modules explicitly.

Install librarian-puppet


On the computer where we work with the repository, use gem to install librarian-puppet:

 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ sudo gem install librarian-puppet 

Delete the modules directory, with all its contents, that was copied from the original Puppet code directory:

 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ git rm -rf modules 

Initialize librarian-puppet in the repository:

 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ librarian-puppet init 

Comment out the metadata line in the Puppetfile and bring it to the following form:

 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ cat Puppetfile
 #!/usr/bin/env ruby
 #^syntax detection

 forge "https://forgeapi.puppetlabs.com"

 # use dependencies defined in metadata.json
 # metadata

 # use dependencies defined in Modulefile
 # modulefile

 # A module from the Puppet Forge
 mod 'puppetlabs-stdlib'
 mod 'puppetlabs-ntp'
 mod 'puppetlabs-puppetdb'
 mod 'puppetlabs-firewall'   # For puppetlabs-puppetdb
 mod 'puppetlabs-inifile'    # For puppetlabs-puppetdb
 mod 'puppetlabs-postgresql' # For puppetlabs-puppetdb
 mod 'puppetlabs-apt'        # For puppetlabs-puppetdb
 mod 'puppetlabs-concat'     # For puppetlabs-puppetdb

Create a .keep file in the modules directory so that git does not ignore the empty directory:

 aspetrenko@aspetrenko-pc:~/sgl-git/puppet-environments$ touch modules/.keep 

Add the files created by librarian-puppet init to git and push the changes out to the puppet-master01 and puppet-master02 servers:

 git add --all
 git commit -a -m "librarian-puppet init"
 git push -u origin production

If everything has been configured correctly, the modules listed in the Puppetfile should appear on the servers in the /etc/puppetlabs/code/environments/production/modules/ directory.


Source: https://habr.com/ru/post/316482/
