Puppet
From GarrettHoneycutt
Revision as of 21:36, 12 July 2016
Cheat Sheet
http://docs.puppetlabs.com/puppet_core_types_cheatsheet.pdf
Removing certs during provisioning process
It is generally advantageous to remove a cert, if it exists, with the name of a system that you are provisioning. If not, then when you reinstall a system with the same name you would have to remove the old cert manually. This involves configuring auth.conf to allow for an HTTP request, and the query itself.
Puppet 4
query to remove cert
curl -k -X DELETE -H "Accept: pson" https://${PUPPETCA}:8140/puppet-ca/v1/certificate_status/`hostname -f`
/etc/puppetlabs/puppetserver/conf.d/auth.conf
{
    # Allow nodes to retrieve the certificate they requested earlier
    match-request: {
        path: "/puppet-ca/v1/certificate/"
        type: path
        method: get
    }
    allow-unauthenticated: true
    sort-order: 500
    name: "puppetlabs certificate"
},
Puppet 3
query to remove cert
PUPPETCA=puppetca.example.com
curl -k -X DELETE -H "Accept: pson" https://${PUPPETCA}:8140/production/certificate_status/`hostname -f`
auth.conf
The important part is lines 51 - 57.
 1 # THIS FILE IS MANAGED BY PUPPET
 2 # ANY CHANGES WILL BE OVERWRITTEN
 3 #
 4 #
 5 # The ACL are checked in order of appearance in this file.
 6 # #
 7 # # For details on auth.conf syntax see:
 8 # # http://docs.puppetlabs.com/guides/rest_auth_conf.html
 9 # #
10 # ### Authenticated ACL - those applies only when the client
11 # ### has a valid certificate and is thus authenticated
12 path ~ ^/catalog/([^/]+)$
13 method find
14 auth yes
15 allow $1
16
17 path ~ ^/node/([^/]+)$
18 method find
19 auth yes
20 allow $1
21
22 path /certificate_revocation_list/ca
23 method find
24 auth yes
25 allow *
26
27 path /report
28 method save
29 auth yes
30 allow *
31
32 path /file
33 auth yes
34 allow *
35
36 path /certificate/ca
37 method find
38 auth any
39 allow *
40
41 path /certificate/
42 method find
43 auth any
44 allow *
45
46 path /certificate_request
47 method find, save
48 auth any
49 allow *
50
51 # Allows nodes to clean up certificates of any node. This is being triggered
52 # at provisioning time in kickstart to remove the old certificate, since a new
53 # one is generated when the system is provisioned.
54 path /certificate_status/
55 auth any
56 method find, save, destroy
57 allow *.example.com,pe-internal-dashboard
58
59 path /facts
60 method find, search
61 auth any
62 allow *
63
64 # allow all puppet systems to save facts
65 path /facts
66 method save
67 auth yes
68 allow puppetmaster.example.com,puppet1.example.com,puppet2.example.com,puppet3.example.com,puppetdb.example.com
69
70 # allow anyone to see if a puppet master is alive.
71 # used for load balancer health checks
72 path /status/no_key
73 method find
74 auth any
75 allow *
76
77
78 path /
79 auth any
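Before opening certificate_status to `destroy`, it is worth checking what the ACL above actually grants and denies. The following is an added example, not code from this wiki page or from Puppet itself: a small evaluator for a subset of the Puppet 3 rest_auth_conf syntax, run over a constructed excerpt containing the page's certificate_status rule and a catalog rule. It assumes Puppet 3's first-matching-ACL semantics and approximates allow patterns with File.fnmatch rather than Puppet's own domain matcher.

```ruby
# Added example, not code from the wiki page or from Puppet: a small evaluator for a
# subset of the Puppet 3 rest_auth_conf syntax, to check what the certificate_status
# rule above grants (and denies) before relying on it. The excerpt is constructed.
SAMPLE_AUTH_CONF = <<~'CONF'
  path ~ ^/catalog/([^/]+)$
  method find
  auth yes
  allow $1
  path /certificate_status/
  auth any
  method find, save, destroy
  allow *.example.com,pe-internal-dashboard
CONF

# Parse into an ordered list of ACL hashes; Puppet 3 defaults auth to yes.
def parse_auth_conf(text)
  acls = []
  text.each_line do |raw|
    key, value = raw.sub(/#.*/, '').strip.split(/\s+/, 2)
    case key
    when 'path'
      acls << { path: value.sub(/\A~\s*/, ''), regex: value.start_with?('~'),
                method: nil, auth: 'yes', allow: [] }
    when 'method' then acls.last[:method] = value.split(',').map(&:strip)
    when 'auth'   then acls.last[:auth] = value
    when 'allow'  then acls.last[:allow].concat(value.split(',').map(&:strip))
    end
  end
  acls
end

# First ACL whose path, method and auth state all match decides, as in Puppet 3; a
# mismatched method or auth state skips the ACL. Assumption: allow patterns are
# matched with File.fnmatch, not Puppet's own domain-aware matcher.
def allowed?(acls, path, method, certname, authenticated)
  acls.each do |acl|
    m = acl[:regex] ? Regexp.new(acl[:path]).match(path) : path.start_with?(acl[:path])
    next unless m
    next if acl[:method] && !acl[:method].include?(method)
    next if acl[:auth] == 'yes' && !authenticated
    next if acl[:auth] == 'no' && authenticated
    groups = m.is_a?(MatchData) ? m.captures : []
    return acl[:allow].any? { |pattern|
      groups.each_with_index { |g, i| pattern = pattern.gsub("$#{i + 1}", g) }
      pattern == '*' || (certname && File.fnmatch(pattern, certname))
    }
  end
  false
end
```

The checks show that any authenticated *.example.com node may destroy any other node's certificate under this rule, while an unauthenticated or foreign client is refused.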
Spec tests
Spec tests are unit tests that allow you to test what should be present in the catalog.
Tim's tutorial - http://rspec-puppet.com/
Setup
Install Puppet
Install some other tools
sudo gem install -V puppet-lint puppetlabs_spec_helper rake rspec-puppet bundler librarian-puppet-simple --no-ri --no-rdoc
Testing
You must be in the directory of the module you are testing.
rake spec
SPEC_OPTS="--format documentation" bundle exec rake spec
This actually runs the equivalent of
rake spec_prep; rake spec_standalone; rake spec_clean
You can see these commands by typing
rake -T
If your tests need to download dependencies, you might want to use
rake spec_prep
once and then type
SPEC_OPTS="--format documentation" bundle exec rake spec_standalone
so you do not incur the cost of re-downloading stuff every time you want to run a test.
Dependencies / Fixtures
These should all be noted in your Modulefile and must be listed in .fixtures.yml. example
Examples
puppet-module-common has many different types of spec tests.
Example site manifest - site.pp
# Define filebucket 'main':
filebucket { 'main':
  server => 'puppet.example.com',
  path   => false,
}

# Ignoring version control artifacts
File {
  backup => 'main',
  ignore => [ '.svn', '.git', 'CVS', '.bzr' ],
}

if $::osfamily == 'Suse' and $::lsbmajdistrelease == '11' {
  Package {
    provider => 'zypper',
  }
}

# include classes from hiera
hiera_include('classes')

node default {
  # look in fqdn level of hiera
}
Monitoring
Puppet Dashboard Pending Tasks
The Background Tasks counter in the Dashboard shows a large number of pending tasks. The steps below help resolve the issue and ensure your reports get inserted.
Errors
In the Puppet logs you will likely see errors containing this string:
2013-10-30T07:39:16+0100: [Worker(delayed_job.0 host:HOSTNAME pid:29076)] Report.create_from_yaml_file failed with ActiveRecord::StatementInvalid: Mysql::Error:
Solution
restart puppet-dashboard-workers
service puppet-dashboard-workers restart
Work the jobs manually. After doing this, reload the Dashboard in your web browser and you should notice that the number of background tasks is decrementing.
cd /usr/share/puppet-dashboard
rake RAILS_ENV=production jobs:work
If you hit a problem job, delete it from the spool. The filename will be the one from the logs that is having the issue inserting.
rm -f /usr/share/puppet-dashboard/spool/report-with-problem.yaml
You could clear all the jobs if you do not care about history
rake RAILS_ENV=production jobs:clear
Puppet Module Skeleton
puppet module generate creates a boilerplate with the necessary files to get started on your next module.
Code
https://github.com/ghoneycutt/puppet-module-skeleton
Installing
Create skeleton directory
SKELETON_DIR=`puppet config print module_skeleton_dir`
mkdir -p $SKELETON_DIR
Clone the repo
git clone https://github.com/ghoneycutt/puppet-module-skeleton $SKELETON_DIR
Remove the .git directory
rm -fr $SKELETON_DIR/.git
Using
Just generate a module and it will use the skeleton.
puppet module generate forgename-foo