Puppet Configuration Management Tool

July 28th, 2010

Introduction

Puppet is a Ruby-based configuration management system with a client/server model, licensed under GPLv2. It has one master server, puppetmasterd, and all other machines are configured as puppet clients. We define every configuration at the puppet server and then push it to all clients connected to the master. The puppet client applies the corresponding configuration correctly on its own system, regardless of platform differences.

Puppet is a gift to server administrators who need to manage a large number of systems running different flavors of GNU/Linux, Mac, Solaris and other Unix-based systems. Managing them by remote administration is a headache for the administrator, and the complexity increases when the systems differ. Accidental configuration changes may cause problems that leave the servers working inconsistently. If we use puppet for configuration management, these configurations are implemented once, at the puppet server only, and are then duplicated on the different puppet clients without any delay.

Another strength of puppet is that it uses a declarative language to define configuration settings at the puppet master server. This language includes the major high-level language features such as functions, conditional statements, inheritance and other OOP concepts. This makes Puppet configuration settings more readable, reusable and consistent compared with other configuration management tools like Cfengine.

Working

The puppet master server holds the configurations of all clients, and each client contacts the server via port 8140 (by default). The connection between server and client is encrypted. Before it connects to the server for the first time, the client generates its own SSL key and a certificate request, submits the request to the master server and gets the verified (signed) certificate back; here the master server acts as a Certification Authority. After this process the client establishes an encrypted session with the server, gets the configuration settings, then compiles and applies them on the client system. The client shows an error if there is any problem in the configuration definition when compiling. We can verify this in the puppet server and client log files.

Here is the outline of the puppet server and client architecture:

Puppet Architecture

Installation

Before installing puppet we need to set up its dependencies. First we need ruby with the common library files (xml, ssl, etc.) installed, and facter, another Ruby project that collects system information. facter is installed on all puppet clients. The puppet server gets the client configuration settings and other system-specific information from facter.

You can use ruby's built-in library management tool rubygem (rake), similar to CPAN for Perl, to solve dependency problems with libraries.

facter installation :-

Get latest version from www.reductivelabs.com


tar -xzvf facter-<version>.tar.gz

cd facter-<version>

ruby install.rb

facter --version

puppet installation :-

If we install from the package manager there are two packages, puppetd as the client and puppet-master as the puppet server, and we need to install both to set up client and server. If we install from source, both are installed from the same source code.

Download the latest package from www.puppetlabs.com, then proceed as in the facter installation:


tar -xzvf puppet-<latest-version>.tar.gz

cd puppet-<latest-version>

ruby install.rb

This step installs the required packages for the puppet client and server. If you have a dependency problem, it is most often due to a version mismatch between ruby, puppet and facter, so select the versions accordingly to avoid these errors.

By default the configuration files are located under /etc/puppet, and everything else, including the log files, is in the /var/lib/puppet folder.

Currently puppet supports all major Unix-like systems but not Windows. The latest versions of puppet have introduced support for Windows systems too, by developing Windows-specific versions of the facter tool (to get Windows system information) and of puppet.

How to configure Puppet server :-

After successful installation of the puppet master server and client, there is a set of daemons associated with this package, and it also provides command line utilities to manage these daemons. They are:


puppetmasterd      #Puppet Master Server

puppetd            #Puppet Client

puppetca           #Key management daemon

#and a set of other utility commands.

Puppet works without explicitly created configuration files, because the daemons are already pre-configured. But to start the interaction with clients we need to make some changes. Before that, we can look at the structure of the puppet configuration file.

It is good practice to maintain an explicit puppet configuration file. The latest versions of puppet use a single configuration file to manage every daemon. By default the configuration files are under /etc/puppet. We save the configuration details of all the major daemons in /etc/puppet/puppet.conf. puppet.conf uses a sectioned structure to hold the configuration details of all daemons, as described below:


# cat /etc/puppet/puppet.conf

[main]
# Settings that apply by default to all daemons.

[puppetmasterd]
# Puppet master server configuration details.

[puppetd]
# Puppet client configuration details.

[puppetca]
# Configuration details of the puppet key management tool.

To get all the parameters under each daemon and the main section, with their functional details, please refer to this page

How to Connect Puppet Client with Puppet Server

To set up a client we just have to install the puppet client version, or every package, on another system. Your master server is now capable of working as a puppet client as well. At the master server we need to specify the set of configurations that describe how to change the configuration of the clients.

The puppet server and client use hostnames to communicate with each other, and the hostname is also used to generate the SSL key, for key verification and so on, so we need stable hostname resolution (DNS or local settings) in our network to ensure a proper connection between clients and server. After that, select proper hostnames for your server and clients, like:

puppet-server.com #For your Master Server

puppet-client1.com,puppet-client2.com,etc... #Your clients.

After the hostname allocation we need to start the server and client. Use the command line options for now, to learn more about the interaction between client and server.

To start master server :-

 puppetmasterd --no-daemonize --logdest console

Then start the puppet client, specifying the server name:


puppetd --server puppet-server.com --verbose --waitforcert 30

At the client side we get the following messages, reporting the creation of the SSL key and certificate request and that the client is waiting for the server's verification.


Creating a new SSL key for puppet-client.com
Creating a new SSL certificate request for puppet-client.com
Certificate Request fingerprint (md5): 37:89:4E:86:C0:A7:5B:24:1A:E2:9B:85:83:90:0F:CE
Did not receive certificate

At the same time, on the server side, we get the following messages.


notice: Starting Puppet master version 2.6.0
notice: puppet-client.com has a waiting certificate request

To proceed further, at the server side we need to verify this key from puppet-client.com. For that we can use the key management tool puppetca.


puppetca --list  #To list the unverified requests.

puppetca --sign puppet-client.com  # To complete the verification process.

Now, if we restart the puppet client with the following command, the client immediately applies the configurations. You can check this in the log file, or on the console if you are running the client in non-daemonized mode.


puppetd --server puppet-server.com

Note: If we specify these settings in puppet.conf, we can just type the commands without any parameters to start the appropriate daemons.
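The request-and-sign exchange described above, as an added Ruby example built on the standard openssl library (it is not Puppet's code and is not part of the original post). The helper names are hypothetical, the keys are throwaway, and the fingerprint is assumed to be an MD5 digest over the DER-encoded request; the point is that the master signs only a request whose fingerprint matches the one printed on the client.

```ruby
require 'openssl'
require 'digest'

# Colon-separated upper-case MD5 over the DER encoding, the form printed in
# the client log above (assumption: this is how the fingerprint is derived).
def fingerprint(obj)
  Digest::MD5.hexdigest(obj.to_der).upcase.scan(/../).join(':')
end

# Client side: new key pair plus a certificate request for its hostname.
def client_request(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', hostname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Master side (CA): sign only when the pending request is self-consistent,
# names the expected host, and matches the fingerprint the administrator
# read on the client itself. Returns the certificate, or nil if refused.
def sign_if_verified(csr, expected_fp, hostname, ca_key, ca_name)
  return nil unless csr.verify(csr.public_key)
  return nil unless csr.subject.to_s == "/CN=#{hostname}"
  return nil unless fingerprint(csr) == expected_fp
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = csr.subject
  cert.issuer = ca_name
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed demo data: hostnames taken from the article, throwaway keys.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_NAME = OpenSSL::X509::Name.new([['CN', 'puppet-server.com']])
CSR = client_request('puppet-client.com')
SEEN_ON_CLIENT = fingerprint(CSR)                 # value the client log printed
ROGUE_CSR = client_request('puppet-client.com')   # same name, different key
```

A request that merely carries the right hostname (ROGUE_CSR) is refused, because its fingerprint differs from the one seen on the real client.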

The Configuration Management

The last and most powerful feature of puppet is defining the client configurations. For that, puppet uses a language that supports most high-level language constructs, such as OOP. So let's try one simple configuration, which changes the permission of the /etc/passwd file to 640 at all the clients connected to the server, and checks whether the Apache web server is installed; if it is not, it will be installed automatically.

These configuration specifications are defined in the file “/etc/puppet/manifests/site.pp” by default. We can split this file into several files and then include them in site.pp.

Here is the sample site.pp file.


file { "password":
    name  => "/etc/passwd",
    owner => "root",
    group => "bin",
    mode  => 644,
}

class apache {
    package { httpd: ensure => installed }

    service { "httpd":
        # The service name depends on the client's operating system (a facter value).
        name => $operatingsystem ? {
            debian  => "apache2",
            redhat  => "httpd",
            default => "apache",
            CentOS  => "httpd",
        },
        ensure  => running,
        require => Package["httpd"],
    }
}

node 'puppet-client.com' {
    include apache
}

# All other nodes, which are not defined and do not match any definition, will use the following node definition.
node default {
    case $operatingsystem {
        CentOS: { include apache }
        default: {}
    }
}

The file above is the puppet client configuration specification, written in the puppet declarative language.

The language has many constructs to define a resource and its properties. Using these constructs we manage the resources on client systems. The types of resources that puppet manages are listed below, and we can add our own customized resources to manage.

Type of Resources that puppet can manage by default:-

  • Files
  • Packages
  • Services
  • Cron Jobs
  • Users and Groups
  • To run Shell Commands
  • And User defined resource types

Each of the above resources has a set of attributes (properties) and values, and using the puppet configuration language we can set the corresponding property values. A resource is defined by giving three main parameters: the resource type name, then, inside braces ({}), the title of the resource and a set of property values. From the above example, take the resource of type file with the title “password”: inside it we have a set of property values such as name, owner, group, etc. If a client successfully connects to the server, the puppet client will apply these settings on the client machine. If we change these property values, we can see that the client applies them after the next interval.

In this way we can control the resource configurations. Our networks will contain different types of systems (Redhat, Debian, etc.), which differ in file structure and package names, so we need to apply the configurations based on the type of client. Puppet provides conditional statements (if and case) to check and apply configurations depending on the client architecture. For that we need some system information from the client, and facter provides this data. We can use that information in the puppet configuration as variables, e.g. $operatingsystem. (You can see all the information that facter provides by just typing the command facter at the command prompt.)

Similarly, we can specify rules based on the client name, and using the OOP constructs we can define classes and reuse them in other client definitions; you can find some of these in the example site.pp file above. You can do a high-level configuration design using the puppet language. To learn more about the language constructs, please check the puppet online wiki and one nice book that describes everything associated with Puppet, by James Turnbull (Pulling Strings with Puppet).


Haridas N linux