Puppet Base Knowledge
Puppet manages the state of client nodes: if a node does not match the declared state, Puppet tries to modify it.
Resource --> Class --> Manifest
1. Resource
Example
Create a file resource:
file { '/etc/ssh/ssh_config':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  source => 'puppet:///modules/ssh/ssh_config',
}
Check file type resource: puppet resource file
Check specific resource: puppet resource user root
2. Class: resources that belong together are grouped into one unit, a class
Example
class ssh {
  package { 'openssh-clients':
    ensure => present,
  }
  file { '/etc/ssh/ssh_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    source => 'puppet:///modules/ssh/ssh_config',
  }
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
3. Manifest: a file that directs Puppet to include or instantiate a given class
Example:
motd.pp
class motd {
  file { '/etc/motd':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    content => 'Hello world! Puppet is awesome.',
  }
}
# notice that no changes are made until we include the class
include motd
Pasted from: <https://puppetlabs.com/learn/classes>
Validate script: puppet parser validate motd.pp
Run script: puppet apply motd.pp
4. Node: a server can be abstracted as a node
Example site.pp
node 'site.example.com' {
  include ssh
  include apache
  include mysql
  include web-app
}
5. Module = Directory Tree
module-name
|-manifests/ (contains all the manifests in the module. This directory should contain an init.pp manifest, where the class name matches the module name)
|-files/ (contains static files, which managed nodes can download)
|-templates/ (contains templates, which the module's manifests can use)
|-lib/ (contains plugins, like custom facts and custom resource types)
|-tests/ (contains examples showing how to declare the module's classes and defined types)
|-spec/ (contains spec tests for any plugins in the lib directory)
Default module path: $confdir/modules
$confdir: main Puppet configuration directory
Puppet default: $confdir=/etc/puppet
Puppet Enterprise default: $confdir=/etc/puppetlabs/puppet
Check the module path: puppet config print modulepath
Autoloading: puppet run --> compiles catalog --> loads modules
6. Relationships
Relationship parameter:
A. before (->): causes a resource to be applied before the target resource
B. require (->): causes a resource to be applied after the target resource
C. notify (~>): causes a resource to be applied before the target resource. The target resource will refresh if the notifying resource changes.
D. subscribe (~>): causes a resource to be applied after the target resource. The subscribing resource will refresh if the target resource changes.
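Example
# before / require: both attributes express the same ordering, so either one alone is enough
package { 'openssh-server':
  ensure => present,
  before => File['/etc/ssh/sshd_config'],
}
file { '/etc/ssh/sshd_config':
  ensure  => file,
  mode    => '0600',
  source  => 'puppet:///modules/sshd/sshd_config',
  require => Package['openssh-server'],
}
# notify / subscribe: a separate example (a resource can be declared only once per catalog).
# The file notifies the service, so sshd restarts when its configuration changes.
file { '/etc/ssh/sshd_config':
  ensure => file,
  mode   => '0600',
  source => 'puppet:///modules/sshd/sshd_config',
  notify => Service['sshd'],
}
service { 'sshd':
  ensure    => running,
  enable    => true,
  subscribe => File['/etc/ssh/sshd_config'],
}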
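The relationships above can also be written with chaining arrows. The following manifest is an added example, not code from the original page or from Puppet's documentation: the class name sshd_example is hypothetical, the sshd module path follows the page's example, and validate_cmd is an addition that assumes host keys already exist so that sshd -t can run.

```puppet
# Added example: package -> config file ~> service for sshd.
# Assumes a module named 'sshd' that ships files/sshd_config.
class sshd_example {
  package { 'openssh-server':
    ensure => present,
  }

  file { '/etc/ssh/sshd_config':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0600',
    source       => 'puppet:///modules/sshd/sshd_config',
    # Test the candidate file with sshd before it replaces the live one.
    # '%' is substituted with the path of the temporary file; a non-zero
    # exit fails the resource and leaves the current config in place.
    validate_cmd => '/usr/sbin/sshd -t -f %',
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # '->' applies the left resource before the right one.
  # '~>' does the same and also refreshes (restarts) the service
  # whenever the file resource changes.
  Package['openssh-server'] -> File['/etc/ssh/sshd_config'] ~> Service['sshd']
}

include sshd_example
```

Because a failed validation fails the file resource, the dependent service is skipped in that run, so a broken sshd_config never triggers a restart.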
7. Inheritance
Description: a child class inherits all resources from the parent class and can add new resources, modify attributes such as source, and add relationships;
inheritance is only useful for overriding resource attributes
Example:
class ssh {
  package { 'openssh-clients':
    ensure => present,
  }
  file { '/etc/ssh/ssh_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    source => 'puppet:///modules/ssh/ssh_config',
  }
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    source => 'puppet:///modules/ssh/sshd_config',
  }
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
class ssh::paranoid inherits ssh {
  package { 'fail2ban':
    ensure => present,
  }
  sshkey { 'trustedhost.example.com':
    ensure => present,
    key    => 'puppet:///modules/ssh/trustedhost.pub',
  }
  # Override attributes of resources inherited from the parent class;
  # resource references are capitalized and have no space before the bracket.
  File['/etc/ssh/sshd_config'] {
    source => 'puppet:///modules/ssh/sshd_config_paranoid',
  }
  Service['sshd'] {
    require   => Package['fail2ban'],
    subscribe => Sshkey['trustedhost.example.com'],
  }
}
8. Event Inspector accomplishes two tasks:
A. Monitoring: a summary of the infrastructure's activity
B. Analyzing: the details of important changes and failures
Event result:
A. Changed
B. Failure
C. Noop
D. Skip
9. PuppetDB
PuppetDB 1.3 store:
A. Most recent facts from every node;
B. Most recent catalog;
C. Optionally, 7 days of event reports
Get data out:
A. PuppetDB's query API
check status: puppet node status <node>
B. Puppet's Inventory Service
C. Exported resources
10. Hiera (used to specify the values of parameters in modules)
Process:
A. Install Hiera
B. Make hiera.yaml config file
C. Make hierarchy
D. Write datasource
E. Use Hiera data in Puppet
Example: use Hiera to control the login message
A. vi /etc/puppetlabs/puppet/modules/motd/manifests/init.pp
class motd {
  file { '/etc/motd':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    content => hiera('motd'),
  }
}
B. vi /etc/puppetlabs/puppet/hiera.yaml
---
:backends:
  - yaml
:yaml:
  :datadir: /etc/puppetlabs/puppet/hieradata
:hierarchy:
  - hosts/%{fqdn}
  - env/%{environment}
  - common
C. vi /etc/puppetlabs/puppet/hieradata/common.yaml
---
motd: Hello there! This machine is managed by Puppet.
D. Run the commands to apply the change:
puppet apply -e 'notice(hiera("motd"))'
puppet apply /etc/puppetlabs/puppet/modules/motd/tests/init.pp
E. Open another session to verify
11. Facter (used to discover basic node information)
facts: key => value
Example
architecture => x86_64
ipaddress => 172.16.10.1
Fact location:
puppet: /etc/facter/facts.d/
puppet enterprise: /etc/puppetlabs/facter/facts.d/
Check facts information:
facter: list all facts
facter fqdn: show the fully qualified hostname
facter interfaces: list network adapters
Using facts:
${hostname}
${ipaddress_eth0}
Example: show the hostname and ipaddress_eth0 in the login message
A. vi /etc/puppetlabs/puppet/modules/motd/manifests/init.pp
class motd {
  file { '/etc/motd':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    content => "Hello to server ${hostname}! server ip is ${ipaddress_eth0}.",
  }
}
B. Run the command to apply the change:
puppet apply /etc/puppetlabs/puppet/modules/motd/tests/init.pp
C. Open another session to verify
12. Forge (community of content creators)
Example:
A. Classes for managing applications like Apache
B. Custom facts for determining a machine's warranty status
C. Custom Types & Providers that let you manage new things as puppet resources
Puppet forge: https://forge.puppetlabs.com/
Install a module from the Forge on the Puppet master server:
Check help: puppet help module
Search module: puppet module search apache
Install module: puppet module install <module name>
List all installed modules: puppet module list
13. Roles & Profiles
Puppet modules -> profiles -> roles -> nodes
Use Hiera to pass data to profiles
Example
A. Define nodes with roles
node 'ares.example.com' {
  include role::dbserver
}
node 'zeus.example.com' {
  include role::webserver
}
node 'hera.example.com' {
  include role::webdbserver
}
node 'hermes.example.com' {
  include role::webmail
}
B. Base role
class role {
  include profile::base
}
C. Define roles with profiles
class role::webserver inherits role {
  include profile::web
}
class role::dbserver inherits role {
  include profile::db
}
class role::webdbserver inherits role {
  include profile::web
  include profile::db
}
D. Define profiles with modules
class profile::web {
  include apache
  include php
  include tomcat
  include jdk
  include memcache
}
class profile::base {
  include network
  include users
}
class profile::db {
  include mysql
}
class profile::mail {
  include exim
}
E. real world example

14. Puppet NTP
A. Install ntp module: puppet module install puppetlabs-ntp
B. Configure the ntp module in the Puppet Enterprise console
C. Use Puppet Enterprise to manage NTP
15. Puppet DNS (using puppet master to manage DNS)
Example:
#Public nameserver
ns1.google.com 8.8.8.8
ns2.google.com 8.8.4.4
#Private nameserver
ns1.example.com 192.168.33.10
ns2.example.com 192.168.33.11
A. install ntp to sync the time zone
B. default modules path: /etc/puppetlabs/puppet/modules
C. install resolve class in console
D. add resolve class in node
E. Modify the configuration as you need in console
F. Click "run once" to check
16. Puppet SSH key
A. Install SSH module: puppet module install saz-ssh
(saz-ssh classes: ssh / ssh::client / ssh::server / ssh::server::host_key)
B. Modify the SSH configuration in the Puppet Enterprise console
C. Distribute to nodes
D. Use Puppet Enterprise to manage SSH
If you want to block root login, add the parameter:
{"PermitRootLogin"=>"no"}
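The console parameter above can also be set in code and delivered through the base profile from section 13. This is an added example, not part of the original notes or of the saz-ssh module: profile::ssh and the Hiera key are hypothetical names, and it assumes ssh::server accepts an options hash as the module's README describes.

```puppet
# Added example. profile::ssh and the Hiera key
# 'profile::ssh::permit_root_login' are hypothetical names.
class profile::ssh {
  # Look the value up in Hiera and fall back to 'no' when no data
  # source sets it, so a missing key never re-enables root login.
  $permit_root_login = hiera('profile::ssh::permit_root_login', 'no')

  # Assumption: saz-ssh's ssh::server class takes an 'options' hash
  # that it renders into sshd_config, matching the console parameter.
  class { 'ssh::server':
    options => {
      'PermitRootLogin' => $permit_root_login,
    },
  }
}

# Every role inherits the base role, which includes profile::base,
# so adding the profile here applies the setting to all classified nodes.
class profile::base {
  include network
  include users
  include profile::ssh
}
```

An exception for a single host belongs in that host's Hiera file (hosts/%{fqdn} in the hierarchy from section 10), which keeps the deviation visible and reviewable in one place.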