
Creating a module in Puppet

Here we will create a module (sudo) and see how to use it.

For more information about the structure of a module you can check this link.

Our mission is to add users sunny and bbee to the sudoers file.

First, create a directory called sudo in the /etc/puppet/modules/ directory. This is your module name.

[root@puppet modules]# mkdir sudo

Now create three sub-directories inside it: manifests, files and templates.

[root@puppet modules]# cd sudo
[root@puppet sudo]# mkdir manifests files templates

So your current structure is somewhat like this:

sudo/
├── files
├── manifests
└── templates

3 directories, 0 files


The first step is to check for the necessary package and install it if it is not already installed.

package { 'sudo':
        ensure => present,
}


The above code states that the package sudo should be installed on the machine. Common values for ensure on a package are absent (uninstalled) and present (installed).

The next part is to manage the configuration file, i.e. /etc/sudoers.

Take a copy of /etc/sudoers and keep it in the files directory created earlier: /etc/puppet/modules/sudo/files

Add the lines below to this copy:

bbee    ALL=(ALL)       ALL
sunny   ALL=(ALL)       ALL


These two lines mean bbee and sunny can run any command as a superuser.

Now we need to manage the /etc/sudoers file.

file { "/etc/sudoers":
        owner  => "root",
        group  => "root",
        # Quote the mode so it is treated as a string, not a number
        mode   => "0440",
        source => "puppet:///modules/sudo/sudoers",
}


The above code means that the file /etc/sudoers should have root as its owner and group, and that its mode should be 0440. The most important part is source: it means the file should be fetched from the specified location, puppet:///modules/sudo/sudoers.

Notice that the files directory is missing from this path. You need not worry about that: it is Puppet's responsibility to look for the sudoers file in the files directory of the sudo module.

Now add both of the above resources to a file called init.pp in the manifests directory, inside one class called sudo.

Make sure that the name of the class matches the module name.

[root@puppet sudo]# tree
.
├── files
│   └── sudoers
├── manifests
│   └── init.pp
└── templates

3 directories, 2 files
[root@puppet sudo]#


Our structure now looks like the listing above.

Our init.pp file looks like this:

class sudo {
        # Make sure the sudo package is installed
        package { 'sudo':
                ensure => present,
        }

        # Deploy the module's copy of sudoers with strict ownership and mode
        file { "/etc/sudoers":
                owner  => "root",
                group  => "root",
                mode   => "0440",
                source => "puppet:///modules/sudo/sudoers",
        }
}


At this point we have a module in place. The question is how to use it.

For running a puppet master there should be a file called site.pp in the /etc/puppet/manifests/ directory. So create a file called site.pp in this location and add the content below:

[root@puppet manifests]# cat site.pp
node 'rhel6.sunny.com' {
        include sudo
        }
[root@puppet manifests]#


This means that the sudo module should be applied to the node "rhel6.sunny.com".

Go to the agent node "rhel6.sunny.com" and run "puppet agent --test":

[root@rhel6 ~]# puppet agent --test
info: Caching catalog for rhel6.sunny.com
info: Applying configuration version '1410473962'
notice: /Stage[main]/Sudo/File[/etc/sudoers]/content:
--- /etc/sudoers    2014-09-12 03:48:53.597212199 +0530
+++ /tmp/puppet-file20140912-5782-bp1jyw-0    2014-09-12 03:49:23.136172466 +0530
@@ -93,6 +93,8 @@
 ##
 ## Allow root to run any commands anywhere
 root    ALL=(ALL)     ALL
+bbee    ALL=(ALL)    ALL
+sunny    ALL=(ALL)    ALL

 ## Allows members of the 'sys' group to run networking, software,
 ## service management apps and more.
 # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

info: FileBucket got a duplicate file {md5}e81452ad78198a79772447b1f2b3b614
info: /Stage[main]/Sudo/File[/etc/sudoers]: Filebucketed /etc/sudoers to puppet with sum e81452ad78198a79772447b1f2b3b614
notice: /Stage[main]/Sudo/File[/etc/sudoers]/content: content changed '{md5}e81452ad78198a79772447b1f2b3b614' to '{md5}e2d690ebe349d93efa84146eb854c987'
notice: Finished catalog run in 1.18 seconds
[root@rhel6 ~]#


This shows that the content of /etc/sudoers has changed. To make sure that both users now have sudo access, let's give it a shot.

[root@rhel6 ~]# su - bbee
[bbee@rhel6 ~]$ sudo /etc/init.d/httpd status

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bbee:
httpd (pid  1762) is running...
[bbee@rhel6 ~]$


It works as expected. With the help of this module you can add the users sunny and bbee to any number of agent nodes. To do so, you just need to add the host entries to the site.pp file, and Puppet will complete the rest of the work.
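
A hardened variant of the sudo class, added here as an example and not part of the original post: because the module replaces /etc/sudoers on every node that includes it, the file resource below syntax-checks the new content with visudo before it goes live. It assumes Puppet 3.5 or later (for validate_cmd) and visudo installed at /usr/sbin/visudo.

```puppet
# Added example, not the original post's code.
# Assumptions: Puppet 3.5+ (validate_cmd), visudo at /usr/sbin/visudo.
class sudo {
  package { 'sudo':
    ensure => present,
  }

  file { '/etc/sudoers':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    # Quoted so the mode is a string; sudo refuses a sudoers file
    # that is writable by group or others.
    mode         => '0440',
    source       => 'puppet:///modules/sudo/sudoers',
    # Run visudo in check mode against the candidate file before it
    # replaces the live one; '%' is replaced with the temporary path.
    validate_cmd => '/usr/sbin/visudo -c -f %',
    # visudo ships with the sudo package, so install that first.
    require      => Package['sudo'],
  }
}
```

If visudo rejects the candidate file, Puppet leaves the existing /etc/sudoers in place and reports the resource as failed, so a typo in the module's copy does not break sudo across all nodes.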
