cfpuppetserver class

• deployuser = "deploypuppet" - username for automatically deploying configuration updates
• deployuser_auth_keys = undef - list of keys for $deployuser
• repo_url = undef - repository URI (example: ssh://user@host/repo or file:///some/path)
• puppetserver = true - whether to install the Puppet Server component on this node
• puppetdb = true - whether to install the PuppetDB component on this node
• puppetdb_port = 8081 - port for PuppetDB
• setup_postgresql = true - whether to install the PostgreSQL component on this node (only if PuppetDB installation is enabled)
• service_face = "any" - name of the cfnetwork::iface resource for accepting incoming connections
• puppetserver_mem = auto - RAM for Puppet Server in megabytes (minimum 192MB)
• puppetdb_mem = auto - RAM for PuppetDB in megabytes (minimum 192MB)
• postgresql_mem = auto - RAM for PostgreSQL in megabytes (minimum 128MB)

class cfpuppetserver::puppetdb

• postgresql_host = "localhost" - database address
• postgresql_listen = $postgresql_host - the value goes directly to the listen_addresses PostgreSQL directive
• postgresql_port = 5432 - database port
• postgresql_user = "puppetdb" - PuppetDB user in the database
• postgresql_pass = "puppetdb" - password of the PuppetDB user in the database
• postgresql_ssl = false - enable connection encryption based on Puppet PKI certificates

class cfpuppetserver::puppetserver

• autosign = false - SHOULD NOT be used in a combat environment, except perhaps in the DMZ. Exists exclusively for test automation.
• global_hiera_config = "cfpuppetserver/hiera.yaml" - the path to the default Hiera configuration file according to Puppet canons (the first component is the name of the module, the rest is the path under the files/ folder in the module)

You can help and transfer some funds for the development of the site

Managing a large number of Unix systems cannot be called convenient. To change one parameter, the administrator has to contact each machine; scripts can only partially help, and not in all situations.

It should be recognized that Windows network administrators are still in a more advantageous position. It is enough to change the group policy settings and after a while all computers on the network, including those with a recently installed operating system, will “learn” about the innovation, if it concerns them, of course. Looking back over the long period of Unix development, you will notice that nothing like this ever caught on. There are solutions like kickstart that help with the initial installation operating system, but further refinement will require significant effort. Commercial solutions like BladeLogic and OpsWare only partially solve the problem of automating settings; their main advantage is the availability GUI, and they can only be purchased from large organizations. There are, of course, projects offering free solutions, but throughout their existence they have never been able to create a large community. For example, Cfengine is not very popular among administrators, although in addition to Linux, it can be used in *BSD, Windows and Mac OS X. This may be due to the relative complexity of creating configurations. When describing tasks, you have to take into account the features of each specific system and manually control the sequence of actions when executing commands. That is, the administrator must remember that for some systems you should write adduser for others, useradd, take into account the location of files on different systems, and so on. This complicates the process of writing commands by an order of magnitude; it is very difficult to create the correct configuration on the fly, and it is almost impossible to read the created configurations after a while. Despite the GPL license, Cfengine is actually a one-man project who controls all changes and is not very interested in building an open society. As a result, the capabilities of cfengine are quite satisfactory for the developer, but for other administrators it is rather an extra headache. To improve cfengine, various add-ons were created by third-party developers, which often only made the situation worse. The author of several such modules for cfengine, Luke Kanies, eventually decided to develop a similar tool, but without many of cfengine’s shortcomings.

Puppet Features

Puppet, like cfengine, is a client-server system that uses a declarative, that is, mandatory language for describing tasks and libraries for their implementation. Clients periodically (30 minutes by default) connect to the central server and receive the latest configuration. If the received settings do not match the system state, they will be executed, and if necessary, a report on the operations performed will be sent to the server. The server can save messages to syslog or a file, create an RRD graph, and send them to a specified e-mail. Additional Transactional and Resource abstraction layers provide maximum compatibility with existing settings and applications, allowing you to focus on system objects without worrying about differences in the implementation and description of detailed commands and file formats. The administrator operates only with the object type, Puppet takes care of the rest. Thus, the packages type knows about 17 package systems; the required one will be automatically recognized based on information about the version of the distribution or system, although, if necessary, the package manager can be forced.

Unlike scripts, which are often not possible to use on other systems, Puppet configurations written by third-party administrators will, for the most part, work without problems on any other network. In Puppet CookBook [ http://www.reductivelabs.com/trac/puppet/tags/puppet%2Crecipe] there are already three dozen ready-made recipes. Puppet currently officially supports the following operating systems and services: Debian, RedHat/Fedora, Solaris, SUSE, CentOS, Mac OS X, OpenBSD, Gentoo and MySQL, LDAP.

Puppet language

To move forward, you must first understand the basic elements and capabilities of the language. Language is one of strengths Puppet. With its help, the resources that the administrator plans to manage and actions are described. Unlike most similar solutions, Puppet allows the language to simplify access to all similar resources on any system in a heterogeneous environment. A resource description typically consists of a name, type, and attributes. For example, let's point to the /etc/passwd file and set its attributes:

file("/etc/passwd":

owner => root,

group => root,

Now clients, having connected to the server, will copy the /etc/passwd file and install the specified attributes. You can define multiple resources in one rule, separating them using a semicolon. What to do if the configuration file used on the server differs from the client ones or is not used at all? For example, this situation may arise when VPN settings connections. In this case, the file can be pointed to using the source directive. There are two options here, as usual, to specify the path to another file; two URI protocols are also supported: file and puppet. In the first case, a link to an external NFS server, in the second option, an NFS-like service is launched on the Puppet server, which exports resources. In the latter case, the default path is relative to the puppet root directory - /etc/puppet. That is, the link puppet://server.domain.com/config/sshd_config will correspond to the file /etc/puppet/config/sshd_config. You can override this directory using the filebucket directive, although it is more correct to use the section of the same name in the /etc/puppet/fileserver.conf file. In this case, you can restrict access to the service only from certain addresses. For example, let's describe the config section.

path /var/puppet/config

allow *.domain.com

allow 192.168.0.*

allow 192.168.1.0/24

deny *.wireless.domain.com

And then we turn to this section when describing the resource.

source => "puppet://server.domain.com/config/sshd_config"

Before the colon is the name of the resource. In the simplest cases, you can simply specify an alias or variables as a name. The alias is set using the alias directive. full path to the file. In more complex configurations

file("/etc/passwd":

alias => passwd

Another option for creating an alias is good when you have to deal with different operating systems. For example, let's create a resource describing the sshd_config file:

file(sshdconfig:

name => $operatingsystem ? (

solaris => "/usr/local/etc/ssh/sshd_config",

default => "/etc/ssh/sshd_config"

In this example, we are faced with a choice. The file for Solaris is specified separately, for all others the file /etc/ssh/sshd_config will be selected. Now this resource can be accessed as sshdconfig, depending on the operating system the desired path will be selected. For example, we indicate that if the sshd daemon is running and received new file, you should restart the service.

ensure => true,

subscribe => File

Variables are often used when working with user data. For example, we describe the location of user home directories:

$homeroot = "/home"

Now the files of a specific user can be accessed as

$(homeroot)/$name

The $name parameter will be filled with the user's account name. In some cases it is convenient to define a default value for some type. For example, for the exec type, they often indicate the directories in which it should look for the executable file:

Exec (path => "/usr/bin:/bin:/usr/sbin:/sbin")

If you need to point to several nested files and directories, you can use the recurse parameter.

file("/etc/apache2/conf.d":

source => “puppet:// puppet://server.domain.com/config/apache/conf.d”,

recurse => "true"

Multiple resources can be combined into classes or definitions. Classes are a complete description of a system or service and are used separately.

"/etc/passwd": owner => root, group => root, mode => 644;

"/etc/shadow": owner => root, group => root, mode => 440

As in object-oriented languages, classes can be overridden. For example, on FreeBSD the group owner of these files is wheel. Therefore, in order not to completely rewrite the resource, let’s create a new class freebsd, which will inherit the linux class:

class freebsd inherits linux (

File[“/etc/passwd”] ( group => wheel );

File[“/etc/shadow”] ( group => wheel )

For convenience, all classes can be placed in a separate file, which can be connected using the include directive. Definitions can take multiple parameters as arguments, but do not support inheritance and are used when you need to describe reusable objects. For example, let's define the home directory of users and the commands necessary to create a new account.

define user_homedir ($group, $fullname, $ingroups) (

user("$name":

ensure => present,

comment => "$fullname",

gid => "$group",

groups => $ingroups,

membership => minimum,

shell => "/bin/bash",

home => "/home/$name",

require => Group[$group],

exec("$name homedir":

command => “/bin/cp -R /etc/skel /home/$name; /bin/chown -R $name:$group /home/$name",

creates => "/home/$name",

require => User[$name],

Now to create a new one account just contact user_homedir.

user_homedir("sergej":

group => "sergej",

fullname => “Sergej Jaremchuk”,

ingroups => ["media", "admin]

There are separate descriptions of nodes that support inheritance like classes. When a client connects to the Puppet server, the corresponding node section will be searched and settings specific only to this computer will be provided. To describe all other systems, you can use node default. A description of all types is given in the “Type Reference” document, which must be read in any case, at least in order to understand all the capabilities of the Puppet language. Various types allow you to execute specified commands, including when certain conditions are met (for example, changing a configuration file), work with cron, user credentials and groups, computers, mounting resources, starting and stopping services, installing, updating and removing packages, working with SSH keys, Solaris zones and so on. This is how easy it is to force the list of packages in distributions using apt to be updated every day between 2 and 4 hours.

schedule(daily:

period => daily,

range =>

exec("/usr/bin/apt-get update":

schedule => daily

The update for that period will be performed by each system only once, after which the task is considered completed and will be deleted from the client computer. The Puppet language supports other familiar structures: conditions, functions, arrays, comments, and the like.

Installing Puppet

Puppet requires Ruby (>= 1.8.1) with OpenSSL support and XMLRPC libraries, as well as the Faster library [ http://reductivelabs.com/projects/facter]. The Ubuntu 7.04 repository that was used for the test installation already included the puppy package.

$ sudo apt-cache search puppet

puppet — centralized configuration management for networks

puppetmaster - centralized configuration management control daemon

During installation, all necessary dependency packages will be installed: facter libopenssl-ruby libxmlrpc-ruby.

$ sudo apt-get install puppet puppetmaster

You can check the availability of Ruby libraries with the command.

$ ruby ​​-ropenssl -e "puts:yep"

~$ ruby ​​-rxmlrpc/client -e "puts:yep"

If no errors are received, then everything you need is already included. Files that describe the desired configuration of systems are called manifests in Puppet terminology. When launched, the daemon tries to read the file /etc/puppet/manifests/site.pp; if it is missing, it displays a warning message. When testing, you can tell the daemon to work in offline mode, in which case the manifest is not required

$ sudo /usr/bin/puppetmasterd --nonodes

If necessary, you can connect other files to site.pp, for example with class descriptions. For a test run, you can enter the simplest instructions in this file.

file("/etc/sudoers":

owner => root,

group => root,

All configuration files for both the server and clients are located in /etc/puppet. The fileserver.conf file that we talked about above is optional and is used only if Puppet will also work as a file server. On Ubuntu, this file exports the /etc/puppet/files subdirectory. The ssl subdirectory contains certificates and keys that will be used for encryption when connecting clients. Keys are created automatically the first time you start puppetmasterd; you can create them manually with the command.

$ sudo /usr/bin/ puppetmasterd --mkusers.

The puppetd.conf and puppetmasterd.conf files are similar. They indicate some parameters for the operation of daemons on the client system and server. The client file differs only in the presence of the server parameter, which points to the computer on which puppetmasterd is running.

server = grinder.com

logdir = /var/log/puppet

vardir = /var/lib/puppet

rundir = /var/run

# send a report to the server

To avoid typing everything manually, you can create a template using puppetd itself.

$ puppetd --genconfig > /etc/puppet/puppetd.conf

Similarly, you can create site.pp on the server.

$ puppetd --genmanifest > /etc/puppet/manifests/site.pp

Another file, tagmail.conf, allows you to specify the email addresses to which reports will be sent. In the simplest case, you can use one line.

all: [email protected]

The configuration files are not enough for the client to connect to the server. To do this, you also need to sign the certificates. First, to let the server know about the new computer on the client system, enter the command:

$ sudo puppetd --server grinder.com --waitforcert 60 --test

info: Requesting certificate

warning: peer certificate won’t be verified in this SSL session

notice: Did not receive certificate

If a different line is returned, you should check the operation of the server.

$ ps aux | grep puppet

puppet 5779 0.0 1.4 27764 15404 ? Ssl 21:49 0:00 ruby ​​/usr/sbin/puppetmasterd

The firewall must allow connections on port 8140.

On the server we receive a list of certificates that need to be signed.

$ sudo puppetca --list

nomad.grinder.com

And we sign the client certificate.

$ sudo puppetca –sign nomad.grinder.com

Now the client can freely connect to the server and receive settings.

Unfortunately, it is simply not possible to show all the capabilities of Puppet within the article. But as you can see, this is a functional and flexible tool that allows you to solve most of the problems of simultaneous administration of a large number of systems. If your line of work requires you to set up several systems. And most importantly, the project managed to gather a small but constantly growing community. Therefore, let's hope that a good idea will not be allowed to die or go aside.

Puppet is a cross-platform structure that allows system administrators Perform common tasks using code. The code allows you to perform various tasks from installing new programs to checking file permissions or updating user accounts. Puppet superior not only during the initial installation of the system, but throughout the entire life cycle of the system. In most cases puppet used in client/server configuration.

This section shows installation and configuration Puppet in a client/server configuration. This simple example demonstrates how to install Apache using Puppet.

Installation

For installation Puppet enter in terminal:

Sudo apt-get install puppetmaster

On the client machine(s), enter:

Sudo apt-get install puppet

Settings

Before setting up puppet you might want to add an entry DNS CNAME For puppet.example.com, Where example.com- this is your domain. Default clients Puppet check DNS for puppet.example.com as the puppet server name ( Puppet Master). See Domain Name Service for additional details on using DNS.

If you don't intend to use DNS, you can add entries to the /etc/hosts file on the server and client. For example, in the /etc/hosts file Puppet server add:

127.0.0.1 localhost.localdomain localhost puppet 192.168.1.17 meercat02.example.com meercat02

On every Puppet In the client, add an entry for the server:

192.168.1.16 meercat.example.com meercat puppet

Replace IP addresses and domain names from the example to your current addresses and names of the server and clients.

Now let's set up some resources for apache2. Create a file /etc/puppet/manifests/site.pp containing the following:

Package ( "apache2": ensure => installed ) service ( "apache2": ensure => true, enable => true, require => Package["apache2"] )

Node "meercat02.example.com" ( include apache2 )

Replace meercat02.example.com to your current name Puppet client.

The final step for this simple Puppet server is to restart the service:

Sudo /etc/init.d/puppetmaster restart

Now on Puppet everything is configured on the server and it’s time to configure the client.

First, let's configure the service Puppet agent to launch. Edit /etc/default/puppet, replacing the value START on yes:

Sudo /etc/init.d/puppet start

Let's go back to Puppet server to sign the client certificate using the command:

Sudo puppetca --sign meercat02.example.com

Check /var/log/syslog for any configuration errors. If everything went well, the package apache2 and its dependencies will be installed to Puppet client.

This example is very simple and does not show many of the features and benefits. Puppet. For additional information look

Sergey Yaremchuk

Centralized configuration of UNIX systems using Puppet

Managing a large number of UNIX systems cannot be called convenient. To change one parameter, the administrator has to contact each machine; scripts can only partially help, and not in all situations.

It should be recognized that Windows network administrators are still in a more advantageous position. It is enough to change the group policy settings, and after a while all computers on the network, including those with a recently installed operating system, will “learn” about the innovation, if it concerns them, of course. Looking back over the long period of UNIX development, you can see that nothing like this ever caught on. There are solutions like kickstart that help with the initial installation of the operating system, but further development will require significant effort. Commercial solutions, like BladeLogic and OpsWare, solve the problem of automating settings only partially; their main advantage is the presence of a graphical interface, and only large organizations can afford to purchase them. There are, of course, projects that offer free solutions, but throughout their existence they have not been able to create a large community. For example, Cfengine is not very popular among administrators, although, in addition to Linux, it can be used in *BSD, Windows and Mac OS X. This may be due to the relative complexity of creating configurations. When describing tasks, it is necessary to take into account the characteristics of each specific system and manually control the sequence of actions when executing commands. That is, the administrator must remember that for some systems you should write adduser, for others - useradd, take into account the location of files on different systems, and so on. This complicates the process of writing commands by an order of magnitude; it is very difficult to create the correct configuration on the fly, and it is almost impossible to read the created configurations after a while. Despite the GPL license, Cfengine is essentially a one-man project who controls all changes and is not very interested in building an open society. As a result, the capabilities of Cfengine are quite satisfactory for the developer, but for other administrators it is rather an extra headache. To improve Cfengine, various add-ons were created by third-party developers, which often only made the situation worse. The author of several such modules for Cfengine, Luke Kanies, eventually decided to develop a similar tool, but without many of the shortcomings of Cfengine.

Puppet Features

Puppet, like Cfengine, is a client-server system that uses a declarative language to describe tasks and libraries to implement them. Clients periodically (every 30 minutes by default) connect to the central server and receive the latest configuration. If the received settings do not match the system state, they will be executed, and if necessary, a report on the operations performed will be sent to the server. The message server can save it to syslog or a file, create an RRD graph, and send it to the specified e-mail. Additional Transactional and Resource abstraction layers provide maximum compatibility with existing settings and applications, allowing you to focus on system objects without worrying about differences in implementation and description of detailed commands and file formats. The administrator operates only with the object type, Puppet takes care of the rest. Thus, the packages type knows about 17 package systems; the required one will be automatically recognized based on information about the version of the distribution or system, although, if necessary, the package manager can be set forcibly.

Unlike scripts, which are often impossible to use on other systems, Puppet configurations written by third-party administrators will mostly work without problems on any other network. Puppet CookBook already has three dozen ready-made recipes. Puppet currently officially supports the following operating systems and services: Debian, RedHat/Fedora, Solaris, SUSE, CentOS, Mac OS X, OpenBSD, Gentoo and MySQL, LDAP.

Puppet language

To move forward, you must first understand the basic elements and capabilities of the language. Language is one of Puppet's strengths. It describes the resources that the administrator plans to manage and the actions they take. Unlike most similar solutions, Puppet allows the language to simplify access to all similar resources on any system in a heterogeneous environment. A resource description typically consists of a name, type, and attributes. For example, let's point to the /etc/passwd file and set its attributes:

file("/etc/passwd":

Owner => root,

Group => root,

Mode => 644,

Now clients connecting to the server will copy the /etc/passwd file and set the specified attributes. You can define multiple resources in one rule, separating them using a semicolon. But what if the configuration file used on the server differs from the client ones or is not used at all? For example, this situation may arise when setting up VPN connections. In this case, you should point to the file using the source directive. There are two options here; you can, as usual, specify the path to another file, and also using the two supported URI protocols: file and puppet. In the first case, a link to an external NFS server is used; in the second option, an NFS-like service is launched on the Puppet server, which exports resources. In the latter case, the default path is relative to the puppet root directory – /etc/puppet. That is, the link puppet://server.domain.com/config/sshd_config will correspond to the file /etc/puppet/config/sshd_config. You can override this directory using the filebucket directive, although it is more correct to use the section of the same name in the /etc/puppet/fileserver.conf file. In this case, you can restrict access to the service to only certain addresses. For example, let's describe the config section:

Path /var/puppet/config

Allow *.domain.com

Allow 127.0.0.1

Allow 192.168.0.*

Allow 192.168.1.0/24

Deny *.wireless.domain.com

And then we refer to this section when describing the resource:

source => "puppet://server.domain.com/config/sshd_config"

Before the colon is the name of the resource. In the simplest cases, you can simply specify the full path to the file as the name. In more complex configurations it is better to use an alias or variables. The alias is set using the alias directive:

file("/etc/passwd":

Alias ​​=> passwd

Another option for creating an alias is good when you have to deal with different operating systems. For example, let's create a resource that describes the sshd_config file:

file(sshdconfig:

Name => $operatingsystem ? (

Solaris => "/usr/local/etc/ssh/sshd_config",

Default => "/etc/ssh/sshd_config"

In this example, we are faced with a choice. The file for Solaris is specified separately, for all others the file /etc/ssh/sshd_config will be selected. Now this resource can be accessed as sshdconfig, depending on the operating system the desired path will be selected. For example, we indicate that if the sshd daemon is running and a new file is received, the service should be restarted:

service(sshd:

Ensure => true,

Subscribe => File

Variables are often used when working with user data. For example, we describe the location of user home directories:

$homeroot = "/home"

Now the files of a specific user can be accessed as:

$(homeroot)/$name

The $name parameter will be filled with the user's account name. In some cases it is convenient to define a default value for some type. For example, for the exec type it is very common to specify the directories in which it should look for the executable file:

Exec ( path => "/usr/bin:/bin:/usr/sbin:/sbin" )

If you need to point to several nested files and directories, you can use the recurse parameter:

file("/etc/apache2/conf.d":

Source => "puppet:// puppet://server.domain.com/config/apache/conf.d",

Recurse => "true"

Multiple resources can be combined into classes or definitions. Classes are a complete description of a system or service and are used separately:

class linux (

File (

"/etc/passwd": owner => root, group => root, mode => 644;

"/etc/shadow": owner => root, group => root, mode => 440

As in object-oriented languages, classes can be overridden. For example, on FreeBSD the group owner of these files is wheel. Therefore, in order not to completely rewrite the resource, let’s create a new class freebsd, which will inherit the linux class:

class freebsd inherits linux (

File["/etc/passwd"] ( group => wheel );

File["/etc/shadow"] ( group => wheel )

For convenience, all classes can be placed in a separate file, which must be included using the include directive. Definitions can take multiple parameters as arguments, but do not support inheritance and are used when you need to describe reusable objects. For example, let's define the user's home directory and the commands needed to create a new account:

define user_homedir ($group, $fullname, $ingroups) (

User("$name":

Ensure => present,

Comment => "$fullname",

Gid => "$group",

Groups => $ingroups,

Membership => minimum,

Shell => "/bin/bash",

Home => "/home/$name",

Require => Group[$group],

Exec("$name homedir":

Command => "/bin/cp -R /etc/skel /home/$name; /bin/chown -R $name:$group /home/$name",

Creates => "/home/$name",

Require => User[$name],

Now, to create a new account, just contact user_homedir:

user_homedir("sergej":

Group => "sergej",

Fullname => "Sergej Jaremchuk",

Ingroups => ["media", " admin]

There are separate descriptions of nodes that support inheritance, as well as classes. When a client connects to the Puppet server, the corresponding node section will be searched and settings specific only to this computer will be provided. To describe all other systems, you can use node default. A description of all types is given in the “Type Reference” document, which must be read in any case, at least in order to understand all the capabilities of the Puppet language. Various types allow you to execute specified commands, including when certain conditions are met (for example, changing a configuration file), work with cron, user credentials and groups, computers, mounting resources, starting and stopping services, installing, updating and removing packages, working with SSH keys, Solaris zones, and so on. This is how you can easily force the list of packages in distributions using apt to be updated daily between 2 and 4 hours:

schedule(daily:

Period => daily,

Range =>

exec("/usr/bin/apt-get update":

Schedule => daily

The update for that period will be performed by each system only once, after which the task is considered completed and will be deleted from the client computer. The Puppet language supports other familiar structures: conditions, functions, arrays, comments, and the like.

Installing Puppet

Puppet requires Ruby (version 1.8.1 and above) with OpenSSL support and XMLRPC libraries, as well as the Faster library. The Ubuntu 7.04 repository that was used for the test installation already includes the puppy package:

$ sudo apt-cache search puppet

~$ ruby ​​-rxmlrpc/client -e "puts:yep"

If no errors are received, then everything you need is already included. Files that describe the desired configuration of systems are called manifests in Puppet terminology. When launched, the daemon tries to read the file /etc/puppet/manifests/site.pp; if it is missing, it displays a warning message. When testing, you can tell the daemon to run in standalone mode, which does not require a manifest:

$ sudo /usr/bin/puppetmasterd --nonodes

If necessary, you can connect other files to site.pp, for example, with class descriptions. For a test run, you can enter the simplest instructions in this file.

class sudo (

File("/etc/sudoers":

Owner => root,

Group => root,

Mode => 440,

node default (

Include sudo

All configuration files, both server and client, are located in /etc/puppet. The fileserver.conf file, which we already talked about, is optional and is used only if Puppet will also work as a file server. On Ubuntu, this file exports the /etc/puppet/files subdirectory. The ssl subdirectory contains certificates and keys that will be used for encryption when connecting clients. Keys are created automatically the first time you start puppetmasterd; you can create them manually with the command:

$ sudo /usr/bin/puppetmasterd --mkusers

The puppetd.conf and puppetmasterd.conf files are similar. They indicate some parameters for the operation of daemons on the client system and server. The client file differs only in the presence of the server parameter, which points to the computer on which puppetmasterd is running:

server = grinder.com

logdir = /var/log/puppet

vardir = /var/lib/puppet

rundir = /var/run

# send a report to the server

report = true

To avoid typing everything manually, you can create a template using puppetd itself:

$ puppetd --genconfig > /etc/puppet/puppetd.conf

Similarly, you can create site.pp on the server:

$ puppetd --genmanifest > /etc/puppet/manifests/site.pp

Another file, tagmail.conf, allows you to specify email addresses to which reports will be sent. In the simplest case, you can use one line:

all: [email protected]

The configuration files are not enough for the client to connect to the server. To do this, you also need to sign the certificates.

First, to let the server know about the new computer, enter the command on the client system:

$ sudo puppetd --server grinder.com --waitforcert 60 –test

The firewall must allow connections on port 8140.

On the server we get a list of certificates that need to be signed:

$ sudo puppetca –list

And sign the client certificate:

$ sudo puppetca –sign nomad.grinder.com

Now the client can freely connect to the server and receive settings.

Unfortunately, it is impossible to show all the capabilities of Puppet within the article. But, as you can see, this is a functional and flexible tool that allows you to solve most of the problems of simultaneous administration of a large number of systems. And most importantly, the project managed to gather a small but constantly growing community. Therefore, let's hope that a good idea will not be allowed to die or go aside.

Good luck!

1. BladeLogic project website – http://www.bladelogic.com.
2. The OpsWare project website is http://www.opsware.com.
3. The Cfengine project website is http://www.cfengine.org.
4. The Puppet project website is http://reductivelabs.com/projects/puppet.
5. Puppet CookBook - http://www.reductivelabs.com/trac/puppet/tagspuppet%2Crecipe.
6. Faster Library –