Featured Post

Directory environments in Puppet

Environments are individual groups of Puppet agents each environment have there own completely different manifests and module-paths. This basically is useful for testing changes to our Puppet code before implementing them on production machines. There are two types of implementation of environments structure in Puppet one if directory based and another is config file based here we will see bit of an insight about directory based. As usual for more information about this you can visit puppetlabs official website. On the master node: Append following details in puppet.conf which is placed under /etc/puppet or /etc/puppetlabs/puppet:     Under [main] section add a variable called confdir with value as /etc/puppet or /etc/puppetlabs/puppet     confdir=/etc/puppet Then add information regarding environments/manifests and modulepath in it.      #environments     environmentpath = $confdir/environments     default_manfiest = $confdir/manifests     basemodulepath =
Post a Comment

puppet agent???

*Agent sub-command in Puppet "puppet agent"*

The puppet agent subcommand is a powerful tool which fetches the configurations from a master server and get that applied to the agent node. It has basically two modes:

1. Daemonize and fetch configurations every half-hour (this is by default and can be changed).
2. Run once and quit


It is the main puppet client. Basically its purpose is to retrieve the local machine's configuration from a remote server[the master] and apply it to the agent node. In order to successfully communicate with the remote server, the client must have a certificate signed by a certificate authority provided by the puppet master. The client will connect and request a signed certificate unless and until the puppet master sign's the certificate the agent node cannot communicate with the puppet master.

Once the client has a signed certificate, it will retrieve its configuration from the puppet master and apply it on the agent node.

Now suppose we want to fetch the configuration from the master and needs to apply that to the agent node either the node will communicate with the master in next half an hour or you can run fetch the configuration on demand.

[root@puppet ~]# puppet agent --test
info: Caching catalog for puppet.sunny.com
info: Applying configuration version '1410267296'
notice: /Stage[main]/Sudo/File[/etc/sudoers]/content:
--- /etc/sudoers    2014-09-09 18:29:37.968604525 +0530
+++ /tmp/puppet-file20140909-4883-1g6znfz-0    2014-09-09 18:30:00.376521970 +0530
@@ -93,6 +93,8 @@
 ##
 ## Allow root to run any commands anywhere
 root    ALL=(ALL)     ALL
+bbee    ALL=(ALL)    ALL
+sunny    ALL=(ALL)    ALL
 ## Allows members of the 'sys' group to run networking, software,
 ## service management apps and more.
 # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

info: FileBucket got a duplicate file {md5}e81452ad78198a79772447b1f2b3b614
info: /Stage[main]/Sudo/File[/etc/sudoers]: Filebucketed /etc/sudoers to puppet with sum e81452ad78198a79772447b1f2b3b614
notice: /Stage[main]/Sudo/File[/etc/sudoers]/content: content changed '{md5}e81452ad78198a79772447b1f2b3b614' to '{md5}e2d690ebe349d93efa84146eb854c987'
notice: /Stage[main]/Ssh::Service/Service[sshd]/ensure: ensure changed 'stopped' to 'running'
info: /Stage[main]/Ssh::Service/Service[sshd]: Unscheduling refresh on Service[sshd]
notice: Finished catalog run in 0.54 seconds
[root@puppet ~]#

Adding --test to the command will show you some information about what configuration are being applied to the agent node. But in case you just fired "puppet agent" then the process will be executed on the backend and you will not see any information about what all changes were made to the system.

 [root@puppet ~]# puppet agent
[root@puppet ~]#


If incase you want to make your troubleshooting a bit easier you can use --debug option to see far more information what puppet is doing as given below:

[root@puppet ~]# puppet agent --test --debug
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Failed to load library 'rubygems' for feature 'rubygems'
debug: /File[/var/lib/puppet/state/last_run_summary.yaml]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/client_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state/resources.txt]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/ssl/public_keys/puppet.sunny.com.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/state/state.yaml]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
..........................
..........................
..........................
[root@puppet ~]#


If you just want to run the puppet agent once you can use the option --onetime with the command.

[root@puppet ~]# puppet agent --test --onetime
info: Caching catalog for puppet.sunny.com
info: Applying configuration version '1410267296'
notice: Finished catalog run in 0.29 seconds
[root@puppet ~]#

Now the most important part suppose you want to just check what changes are being made by the puppet master to node but you don't want the changes to be applied. What you can do is use a option called --noop i.e. no operation.

In below case I stopped the sshd daemon and ran the puppet agent as --noop:

[root@puppet ~]# /etc/init.d/sshd stop
Stopping sshd:                                             [  OK  ]
[root@puppet ~]# puppet agent --test --noop
info: Caching catalog for puppet.sunny.com
info: Applying configuration version '1410267296'
notice: /Stage[main]/Ssh::Service/Service[sshd]/ensure: current_value stopped, should be running (noop)
info: /Stage[main]/Ssh::Service/Service[sshd]: Unscheduling refresh on Service[sshd]
notice: Class[Ssh::Service]: Would have triggered 'refresh' from 1 events
notice: Stage[main]: Would have triggered 'refresh' from 1 events
notice: Finished catalog run in 0.28 seconds
[root@puppet ~]#

After checking what all stuff puppet master will do with the node and if you think its okay then you can remove the --noop option and fire the command again to get the changes applied.

[root@puppet ~]# puppet agent --test
info: Caching catalog for puppet.sunny.com
info: Applying configuration version '1410267296'
notice: /Stage[main]/Ssh::Service/Service[sshd]/ensure: ensure changed 'stopped' to 'running'
info: /Stage[main]/Ssh::Service/Service[sshd]: Unscheduling refresh on Service[sshd]
notice: Finished catalog run in 0.33 seconds
[root@puppet ~]#

If you want to save the configuration changes logs you can save it by using --logdest option.

[root@puppet ~]# puppet agent --test --logdest /tmp/puppet_log
info: Caching catalog for puppet.sunny.com
info: Applying configuration version '1410267296'
notice: Finished catalog run in 0.28 seconds
[root@puppet ~]# 
[root@puppet ~]# cat /tmp/puppet_log
Tue Sep 09 18:46:52 +0530 2014 Puppet (info): Caching catalog for puppet.sunny.com
Tue Sep 09 18:46:52 +0530 2014 Puppet (info): Applying configuration version '1410267296'
Tue Sep 09 18:46:53 +0530 2014 Puppet (notice): Finished catalog run in 0.28 seconds
[root@puppet ~]#

For more information about puppet agent you can fire "puppet agent --help" on CLI.

Comments

Post a Comment

Popular posts from this blog

Exec in Puppet

Exec is a very useful resource type present in Puppet which is used to executes external commands. Puppet basically runs as a daemon in which it executes every 30 mins. So while writing an exec resource type make sure that the exec resource must be able to run multiple times without causing any harm to the machine i.e. it must be idempotent. Suppose you just want to run a command like reload a service for that what you can do is? exec { "reload httpd": command => "service httpd reload", path => "/usr/local/bin/:/bin/:/sbin/", } Lets break this line by line: exec { "reload httpd": This specifies that the resource type is exec type and has a human readable name as "reload httpd". command => "service httpd reload", This specified which command to execute when puppet is executed. path => "/usr/local/bin/:/bin/:/sbin/", This specifies where the binary service can be found in your mac
Read more

Un-revoke the revoked certificate in Puppet

If you revoked or deleted the puppet agent’s certificate accidentally. Basically it is nearly impossible un-revoke a certificate. The solution is to recover all revoked certificates then revoke other certificates which don’t need to be recovered. But if in-case you have thousands of revoked certificates then its a bit lengthy process. Second one is to generate a new certificate for the client/agent and get that signed by the puppet master.  List of all the certificates which are signed at the moment:  [root@puppet requests]# puppet cert list --all + "fedora20"            (AE:57:40:F6:FC:E1:CD:DD:ED:EE:1E:8C:A7:81:0D:76) + "kubuntu14.sunny.com" (20:6B:A1:E2:A3:DE:B1:95:C8:80:4C:B4:27:2B:C0:A2) + "puppet.sunny.com"    (68:12:76:3C:D0:F8:0D:2D:8B:2B:40:E7:49:2D:55:5B) (alt names: "DNS:puppet", "DNS:puppet.sunny.com") + "rhel6.sunny.com"     (DC:6E:B1:FC:27:1D:7A:2A:85:E7:3E:3A:24:8B:64:D3) [root@puppet requests]# N
Read more

Dry run in Puppet --noop

 Dry run in puppet is a powerful feature given by puppet. This basically is used to test your Puppet manifests on any of the environment without actually making any changes to the machine. To dry-run Puppet, --noop flag needs to be used. Puppet’s ‘noop’ (no-operation) mode shows you what would happen, but actually doesn’t do anything :) This basically helps us for debugging stuff. For instance: [root@puppet manifests]# puppet apply site.pp --noop notice: /Stage[main]/Sudo/File[/etc/sudoers]/content: current_value {md5}e81452ad78198a79772447b1f2b3b614, should be {md5}e2d690ebe349d93efa84146eb854c987 (noop) notice: Class[Sudo]: Would have triggered 'refresh' from 1 events notice: /Stage[main]/Ssh::Service/Service[sshd]/ensure: current_value stopped, should be running (noop) notice: Class[Ssh::Service]: Would have triggered 'refresh' from 1 events notice: Stage[main]: Would have triggered 'refresh' from 2 events notice: Finished catalog run in 2.75 seco
Read more