PUPPET

Q: What is Puppet ?
Puppet is a configuration Tool which is use to automate administration tasks. Puppet
Agent(Client) sends request to Puppet Master (Server) and Puppet Master Push Configuration
on Agent.

Q: What is Manifests?
Manifests, in Puppet, are the files in which the client configuration is specified.

Q: What is Module and how it is different from Manifest?

Whatever the manifests we defined in modules, can call or include into other manifests.
Which makes easier management of Manifests. It helps you to push specific manifests on
specific Node or Agent.

Q: Command to check requests of Certificates?

puppetca list (2.6)
puppet ca list (3.0)

Q: Command to sign Requested Certificates

puppetca sign hostname-of-agent (2.6)
puppet ca sign hostname-of-agent (3.0)

Q: Where Puppet Master Stores Certificates

/var/lib/puppet/ssl/ca/signed

Q: What is Facter ?
Sometime you need to write manifests on conditional expressions based on agent specific
data which is available through Facter. Facter provides information like Kernel version, Dist
release, IP Address, CPU info and etc. You can defined your facter also.

Q: What is the use of etckeeper-commit-post and etckeeper-commit-pre on

Puppet Agent ?
etckeeper-commit-post: In this configuration file you can define command and scripts which
executes after pushing configuration on Agent
Etckeeper-commit-pre: In this configuration file you can define command and scripts which
executes before pushing configuration on Agent

Q: What is Puppet Kick ?

By default Puppet Agent request to Puppet Master after a periodic time which known as
runinterval. Puppet Kick is a utility which allows you to trigger Puppet Agent from Puppet
Master.

Q: What is MCollective ?
MCollective is a powerful orchestration framework. Run actions on thousands of servers
simultaneously, using existing plugins or writing your own.

**
Q:25 What is Puppet Server ?
Ans: Puppet is an open-source & enterprise software for configuration management toll in
UNIX like operating system. Puppet is a IT automation software used to push configuration
to its clients (puppet agents) using code. Puppet code can do a variety of tasks from
installing new software, to check file permissions, or updating user accounts & lots of other
tasks.
Q:26 What are manifests in Puppet ?
Ans: Manifests in Puppet are the files in which the client configuration is specified.
Q:27 Which Command is used to sign requested certificates in Puppet Server ?
Ans: puppetca sign hostname-of-agent in (2.X) & puppet ca sign hostname-of-agent in
(3.X)
Q:28 At which location Puppet Master Stores Certificates ?
Ans: /var/lib/puppet/ssl/ca/signed
**

Master / Client Setup

A Puppet server (running as 'puppet') listening on 8140 on the Puppet Master (the server )
A Puppet client (running as 'root') on each managed node
Client can be run as a service (default), via cron (with random delays), manually or via
MCollective
Client and Server have to share SSL certificates. New client certificates must be signed by
the Master CA
It's possible to enable automatic clients certificates signing on the Master (be aware of
security concerns)

Certificates management
On the Master we can use

puppet cert to manage certificates

List the (client) certificates to sign:

puppet cert list
List all certificates: signed (+), revoked (-), to sign ( ):
puppet cert list --all
Sign a client certificate:
puppet cert sign <certname>
Remove a client certificate:
puppet cert clean <certname>

Client stores its certificates and the server's public one in

$vardir/ssl**

(/var/lib/puppet/ssl on Puppet OpenSource)

Server stores clients public certificates and in
DO NOT remove this directory.

$vardir/ssl/ca (/var/lib/puppet/ssl/ca).

Certificates management - First run

By default the first Puppet run on a client fails:

client # puppet agent -t
# "Exiting; no certificate found and waitforcert is disabled"
An optional `--waitforcert

60 parameter makes client wait 60 seconds before giving up.

The server has received the client's CSR which has to be manually signed:
server # puppet cert sign <certname>
Once signed on the Master, the client can connect and receive its catalog:
client # puppet agent -t
If we have issues with certificates (reinstalled client or other certs related problemes):
Be sure client and server times are synced
Clean up the client certificate. On the client remove it:
client # mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old
On the Master clean the old client certificate:
server # puppet cert clean <certname>

Puppet configuration: puppet.conf

It's Puppet main configuration file.
On opensource Puppet is generally in:
/etc/puppet/puppet.conf
On Puppet Enterprise:
/etc/puppetlabs/puppet/puppet.conf
When running as a normal user can be placed in the home directory:
/home/user/.puppet/puppet.conf
Configurations are divided in [stanzas] for different Puppet sub commands
Common for all commands: [main]
For puppet agent (client): [agent] (Was [puppetd] in Puppet pre 2.6)

For puppet apply (client): [user] (Was [puppet])

For puppet master (server): [master] (Was [puppetmasterd] and [puppetca])
Hash sign (#) can be used for comments.

Main configuration options

To view all or a specific configuration setting:
puppet config print all
puppet config print modulepath
Important options under [main] section:
vardir: Path where Puppet stores dynamic data.
ssldir: Path where SSL certifications are stored.
Under [agent] section:
server: Host name of the PuppetMaster. (Default: puppet)
certname: Certificate name used by the client. (Default is its fqdn)
runinterval: Number of minutes between Puppet runs, when running as service. (Default:
30)
report: If to send Puppet runs' reports to the **report_server. (Default: true)
Under [master] section:
autosign: If new clients certificates are automatically signed. (Default: false)
reports: How to manage clients' reports (Default: store)
storeconfigs: If to enable store configs to support exported resources. (Default: false)
Full configuration reference on the official site.

Puppet CLI

Bootstrap client

puppet agent -t --server <puppet master> [<options>]

Display facts:

facter
# :
facter -y # YAML
facter -j # JSON

Find out effective classes on a node

facter memoryfree
facter is_virtual processor0

cat /var/lib/puppet/classes.txt

Find out when which file was modified

cd /var/lib/puppet
for i in $(find clientbucket/ -name paths); do
echo "$(stat -c %y $i | sed 's/\..*//')
$(cat $i)";
done | sort -n

Puppet Dry Run:

puppet agent --noop --verbose

Disable agent

puppet agent --disable

puppet agent --disable <info message>
puppet agent --enable

Executing selective classes

puppet agent --tags Some::Class

Managing Certificates (on master)

puppet cert list

puppet cert list --all

# Only recent versions

puppet cert sign <name>

puppet cert clean <name>

Managing Nodes

puppet node clean <name>

Managing Modules

puppet
puppet
puppet
puppet
puppet

Inspecting Resources/Types

puppet describe -l
puppet resource <type name>

Debugging deployment and rules on a local machine. This only makes sense in
"one time" mode running in one of the following variants:

puppetd --test # enable standard debugging options

puppetd --debug # enable full debugging
puppetd --one-time --detailed-exitcodes # Enable exit codes:
# 2=changes applied
# 4=failure

Gepetto: Puppet IDE

module
module
module
module
module

# removes cert

# removes node + cert

list
install <name>
uninstall <name>
upgrade <name>
search <name>

# Querying Examples
puppet resource user john.smith
puppet resource service apache
puppet resource mount /data
puppet resource file /etc/motd
puppet resource package wget
# Trigger puppet run from master
puppet kick <name>
puppet kick -p 5 <names>
# 5 parallel

puppet - Correctly using Roles and Profiles

Puppet Master
Enable debugging: Add to /etc/puppet/rack/config.ru
ARGV << "--debug"

and restart the Passenger.

Hiera
Hiera Queries
On Puppet master:
hiera <key>
# to query common.yaml only
hiera <key> -m <FQDN> # to query config of a given node (using mcollective)
hiera <key> -i <FQDN> # to query config of a given node (using Puppet
inventory)
hiera <key> environment=production fqdn=myhost1
# to pass values for
hiera.yaml
# To dump complex data
hiera -a <array key>
hiera -h <hash key>

Encryption with eyaml

eyaml encrypt -f <filename>
eyaml encrypt -s <string>
eyaml encrypt -p
# Encrypt password, will prompt for it
eyaml decrypt -f <filename>
eyaml decrypt -s <string>
eyaml edit -f <filename>

# Decrypts, launches in editor and reencrypts

Hiera+Puppet Debugging
puppet apply -e "notice(hiera_array('some key'))"

Puppet DSL

Snippets
notify { 'message': loglevel => 'err' }

Check for file

if file_exists('somefile.txt') == 1 { }

Execute commands (evil!)

exec { "mkdir -p $dir":
command => "/bin/mkdir -p $dir",
creates => $dir
}

Merging Arrays
$result = split(inline_template("<%= (array1+array2).join(',') %>"),',')

Exceptions
fail('This is a parser time error')

Conditions
if $var == 'value' {
}
case $::lsbdistcodename {
'squeeze': {
}
'wheezy', 'jessie': {
}
default {
}
}

ERB Syntax
ERB Tags

<%= ruby code, result inserted %>

<% ruby code, result not inserted %> # use for loops, conditions...
<%- like above, but strips leading+trailings spaces from output -%>
<%# comment %>
<%%
%%>

# literal <%
# literal %>

Using Variables
<%= @name %>
<%= scope.lookupvar('name') %>
<%= scope['somewhere::name'] %>

# variable visible in current scope

# search in all scopes
# Puppet 3 scope access

Conditions
<% if @name != nil %>
Well, @name is set!
When checking if a variable exists/is set
always do check for nil! Everything else is unsafe.
<% end %>
<% if @name ~ /.* Smith$/ %>
Matches
<% end %>

Augeas
Augeas - in Puppet: Using Puppet with Augeas
augeas { "sshd_config":
changes => [
"set /files/etc/ssh/sshd_config/PermitRootLogin no",
],
}

Testing

Validate manifest
puppet parser validate <manifest>

Validate ERBs

erb -x -T '-' <template> | ruby -c