Puppet es un sistema de codigo abierto basado en Ruby Puppet es un sistema para automatizar las tareas administrativas de una red de ordenadores. Funciona bajo esquema cliente/servidor y es el método que tenemos para configurar y adaptar el servidor ldap delcentro, el servidor principal (nfs) y lo servidores de terminales de las aulas. El método de funcionamiento es a base de reglas que son ejecutadas en el cliente cada vez que se conecta al servidor. El servidor principal de cada centro es a la vez cliente puppet (del servidor puppet2) y servidor puppet de los servidores de terminales de cada aula. Actualmente, el servidor principal se conecta cada 3 horas a puppet2, de esta forma sincroniza los archivos fundamentales de configuración y otros aspectos importantes de funcionamiento como el listado de paquetes instalados. De la misma forma, puppet2 envía archivos de configuración importantes al servidor principal para que éste a su vez los utilice para enviarlos a los servidores de terminales, así como algunas reglas que se ejecutarán en dichos servidores. Todas las configuraciones tanto de servidor como de cliente, pueden verse en el directorio /etc/puppet/ . Para mayor información del funcionamiento de puppet y puppetmaster, debe consultarse la información que aparece en el sitio puppet

1.2. ¿Cómo trabaja Puppet?

Con Puppet, los servidores centrales, llamados Puppetmasters, son instalados y configurados. El Softwa Cleinte es luego instalado en los equipos a controlar, llamados puppets o nodos, que deseamos administrar. La configuración es definida en el Puppetmaster, compilada, y luego enviada a los clientes de Puppet, cuando estos se conectan.

Para proveer la conectividad cliente-servidor, Puppet usa el protocolo XML-RPC corriendo sobre HTTPS on el puerto TCP 8140.

2.1. Instalacion Puppetmaster

Para el servidor Puppetmaster usamos el Sistema Operativo Fedora 14, con las siguientes características de hardware:

Procesador: Intel Core2Duo 2.4 Ghz
Disco Duro: 500 GB
RAM: 2GB
2 Tarjetas de Red 10/100

Instalamos el paquete en el servidor...

su -c 'yum -y install ruby puppet-server'

Iniciamos el servicio, y lo habilitamos para que lo haga cuando se encianda el servidor...

su -c 'service puppetmaster start'
su -c 'chkconfig puppetmaster on'

2.2. Instalación Puppetclient

Para los clientes Puppet usamos el Sistema Operativo Fedora XS, el cual es una variación de Fedora, con funciones propias del proyecto OLPC, en cuanto a hardware, las espcificaciones son la siguientes:

Procesador: Intel Core2Duo 2.4 Ghz
Disco Duro: 500 GB
RAM: 2GB
2 Tarjetas de Red 10/100

Instalamos el paquete en los clientes...

su -c 'yum -y install ruby puppet'

Editamos el siguiente archivo, para que puppetclient se conecte a puppetmaster /etc/sysconfig/puppet

# The puppetmaster server
PUPPET_SERVER=puppet

# If you wish to specify the port to connect to do so here
PUPPET_PORT=8140

# Where to log to. Specify syslog to send log messages to the system log.
PUPPET_LOG=/var/log/puppet/puppet.log

# You may specify other parameters to the puppet client here
PUPPET_EXTRA_OPTS=--waitforcert=60

Modificamos el archivo /etc/hosts, agregando una entrada con la IP del puppetmaster

127.0.0.1               schoolserver.redes.fundacionzt.org localhost.localdomain localhost
::1                     localhost6.localdomain6 localhost6
192.168.1.60            puppet

Iniciamos el servicio, y lo habilitamos para que lo haga cuando se encianda el cliente...

su -c 'service puppet start'
su -c 'chkconfig puppet on'

Capítulo 3. Configuracion de Puppet

3.1. Configuracion de Puppetmaster
3.2. Configuración de Puppetclient

3.1. Configuracion de Puppetmaster

Al instalar puppet-server, se crean los siguientes directorios:

/etc/puppet/
/var/lib/puppet

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[puppetd]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
[puppetmasterd]
        certname=puppet

site.pp

# Declaración de las clases...
# Estas son las configuraciones que puppet distribuira a sus clientes...
import "config-vpn.pp"
import "config-no-vpn.pp"
import "todos.pp"

# Lista de los servidores o nodos...
import "nodo-vpn.pp"
import "nodo-no-vpn.pp"

config-vpn.pp

# Configuración Base para los servidores

class config-vpn {
        package { 
                "openvpn": 
                ensure => installed
        }
        file { "client.conf":
                name => "/etc/openvpn/client.conf",
                content => template("/var/lib/puppet/templates/vpn-client-config.conf"),
                require => Package["openvpn"]
        }
        file {
                "/etc/openvpn/keys":
                ensure => directory,
                require => Package["openvpn"]
        }
        file {
                "/etc/openvpn/keys/ca.crt":
                source => "puppet:///scripts/ca.crt",
                require => File["/etc/openvpn/keys"]
        }
        file {
                "/etc/openvpn/keys/$fqdn.crt":
                source => "puppet:///keys/$fqdn.crt",
                require => File["/etc/openvpn/keys"]
        }
        file {
                "/etc/openvpn/keys/$fqdn.key":
                source => "puppet:///keys/$fqdn.key",
                require => File["/etc/openvpn/keys"]
        }
        service {
                "openvpn":
                ensure => running,
                require => File["/etc/openvpn/keys/$fqdn.key"]
        }
}

class config-vpn inherits todos {
}

todos.pp

# Configuración Base para los servidores
# Esta es la configuracion base que aplicacamos a todos los clientes de puppet...
class todos {
# Paquetes que deseamos tener instalados
        package {
                "zile": ensure => installed 
        }
        package {
                nrpe :
                ensure => installed
        }
        package {
                nagios-plugins-all :
                ensure => installed
        }

# Servicios a correr en los clientes
# Puppet se encarga de revisar que estos demonios siempre esten corriendo...
        service { "httpd" :
                ensure => running,
        }
        service { "sshd" :
                ensure => running,
        }
        service { "ejabberd" :
                ensure => running,
                enable => true,
                hasstatus => true,
                hasrestart => true,
        }

# Cuentas de usuarios que deseamos tener en los clientes...
        user{ fzt:
                ensure => present,
                groups => wheel,
                managehome => true,
        }
        ssh_authorized_key { "german@fundacion-laptop":
                key => "AAAAB3NzaC1yc2EAAAADAQABAAABAQDWjQhYQPv/PvCqMmHFS3w/YwEfjq6n4PwUT3T2Kp9BN4DrXuTPE+sjT92B8RiH+HeacDD3bF5+ibAl/aGYDQqkzGzt8ahQSE4uHKbWZs34t2tPPIkmUXcf5O3Ok3+URvuAiORrduzszxGD/fy9Mft0D2rQqcwzjwan/fF9UTMVWcanucRgGLKD+HFV03GFri0KwTXh+virFH933ZPeEDVfWxdew6iOCpKTZHnHS174mPRzcl6Uxprmg2Klof+B4mwT66W4sGuDsFY8Y+Rr93Kn1LW0knYEpxHNAUF6ipVigSaI/E9qqNrLzCpa9DTJv3sb36K7UVPbgtX73YqioLFN",
                ensure => present,
                type => "ssh-rsa",
                user => "fzt",
                target => "/home/fzt/.ssh/authorized_keys",
                require => User["fzt"],
        }
        file {
                "/home/fzt/.ssh":
                ensure  => directory,
                owner   => fzt,
                group   => fzt,
                mode    => 700,
                require => User["fzt"]
        }
        file {
                "/home/fzt/.ssh/authorized_keys":
                ensure  => present,
                owner   => "fzt",
                group   => "fzt",
                mode    => 600,
                require => User["fzt"]
        }

# Prueba de contenido...
        file { "/library/webcontenido":
                ensure => directory,
                recurse => true,
                source => "puppet:///webcontenido",
                purge => true,
        }
# Para DHCP...
        file {
                "/etc/sysconfig/olpc-scripts/dhcpd.conf.1":
                source => "puppet:///scripts/dhcpd.conf.1",
                owner => "root",
                group => "root",
                mode => "0755"
        }
        service {
                "dhcpd":
                subscribe => File["/etc/sysconfig/olpc-scripts/dhcpd.conf.1"]
        }
        file {
                "/etc/sysconfig/olpc-scripts/gen-iptables":
                source => "puppet:///scripts/gen-iptables",
                owner => "root",
                group => "root",
                mode => "0755"
        }
        file {
                "/etc/sysconfig/olpc-scripts/iptables-xs.in":
                source => "puppet:///scripts/iptables-xs.in",
                owner => "root",
                group => "root",
                mode => "0755"
        }
}
file { "/root/.ssh/puppet_rsa":
        source => "puppet:///scripts/puppet_rsa",
        owner => "root",
        group => "root",
        mode => "0700"
        }
# 
file { "/usr/local/bin/puppet-xs-activity-sync":
        ensure => file,
        source => "puppet:///scripts/puppet-xs-activity-sync",
        owner => root,
        group => root,
        mode => 755,
}
# 
file { "/usr/local/bin/rsync-activities":
        ensure => file,
        source => "puppet:///scripts/rsync-activities",
        owner => root,
        group => root,
        mode => 755,
}
# 
file { "/library/xs-activity-server/incoming":
        checksum => md5lite,
        ensure => directory,
        recurse => true,
}
# 
exec { "rsync_activities":
        command => "/usr/local/bin/rsync-activities", 
        subscribe => File["/library/xs-activity-server/incoming"],
        require => File["/usr/local/bin/rsync-activities"],
        refreshonly => true,
}

# 
exec { "/usr/local/bin/puppet-xs-activity-sync":
       subscribe => File["/library/xs-activity-server/incoming"],
       refreshonly => true,
        require => Exec["rsync_activities"],    
#       require => File["/usr/local/bin/puppet-xs-activity-sync"],
}

3.2. Configuración de Puppetclient

/etc/sysconfig/olpc-scrips/domain_config redes.fundacion.org
reboot

Configuración del Hostname

yum install puppet

Instalación de puppetclient

[root@schoolserver ~]# ping puppet
PING puppet (192.168.1.60) 56(84) bytes of data.
64 bytes from puppet (192.168.1.60): icmp_seq=1 ttl=64 time=0.127 ms
64 bytes from puppet (192.168.1.60): icmp_seq=2 ttl=64 time=0.104 ms
64 bytes from puppet (192.168.1.60): icmp_seq=3 ttl=64 time=0.111 ms
64 bytes from puppet (192.168.1.60): icmp_seq=4 ttl=64 time=0.110 ms
^C
--- puppet ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3319ms
rtt min/avg/max/mdev = 0.104/0.113/0.127/0.008 ms

Probamos la conexión

[root@schoolserver ~]# puppetd --test
info: Creating a new certificate request for schoolserver.redes1.fundacionzt.org
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/schoolserver.redes1.fundacionzt.org.pem
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
notice: Set to run 'one time'; exiting with no certificate

Solicitud de Certificados del Puppetcliet a Puppetmaster

[root@desarrollo ~]# puppetca --list
localhost.localdomain
schoolserver.redes1.fundacionzt.org

Verificamos la solicitud de certificado en Puppetmaster

[root@desarrollo ~]# puppetca --sign schoolserver.redes1.fundacionzt.org
notice: Signed certificate request for schoolserver.redes1.fundacionzt.org
notice: Removing file Puppet::SSL::CertificateRequest schoolserver.redes1.fundacionzt.org at '/var/lib/puppet/ssl/ca/requests/schoolserver.redes1.fundacionzt.org.pem'

Firmamos el certificado en Puppetmaster

[root@schoolserver ~]# puppetd --test
warning: peer certificate won't be verified in this SSL session
notice: Got signed certificate
err: Could not retrieve catalog: Could not find default node or by name with 'schoolserver.redes1.fundacionzt.org, schoolserver.redes1.fundacionzt, schoolserver.redes1, schoolserver' on node schoolserver.redes1.fundacionzt.org
warning: Not using cache on failed catalog

Hacemos la conexión de Puppetclient a Puppetmaster

En este caso el cliente schoolserver.redes1.fundacionzt.org no recibe ninguna configuración, ya que aún no ha sido definica en Puppetclient

Agregamos nuestro cliente schoolserver.redes1.fundacionzt.org a la configuración de Puppetmaster

[root@desarrollo manifests]# vim /etc/puppet/manifests/site.pp
# Declaración de las clases...
# Estas son las configuraciones que puppet distribuira a sus clientes...
import "config-vpn.pp"
import "config-no-vpn.pp"
import "todos.pp"

# Lista de los servidores o nodos...
import "nodo-vpn.pp"
import "nodo-no-vpn.pp"

[root@desarrollo manifests]# vim /etc/puppet/manifests/nodo-vpn.pp
node 'schoolserver.prueba.fundacionzt.org' { include config-vpn }
node 'schoolserver.redes.fundacionzt.org' { include config-vpn }
node 'schoolserver.redes1.fundacionzt.org' {include config-vpn}

[root@schoolserver ~]# puppetd --test
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
notice: /Stage[main]//File[/usr/local/bin/puppet-xs-activity-sync]/ensure: created
notice: /Stage[main]//File[/usr/local/bin/rsync-activities]/ensure: created
notice: /Stage[main]/Todos/Package[nrpe]/ensure: created
notice: /Stage[main]/Todos/Package[nagios-plugins-all]/ensure: created
info: Filebucket[/var/lib/puppet/clientbucket]: Adding /etc/sysconfig/olpc-scripts/iptables-xs.in(9ba7342547fd2a076494d98efb44b615)
notice: /Stage[main]/Todos/File[/etc/sysconfig/olpc-scripts/iptables-xs.in]: Filebucketed to  with sum 9ba7342547fd2a076494d98efb44b615
notice: /Stage[main]/Todos/File[/etc/sysconfig/olpc-scripts/iptables-xs.in]/source: replacing from source puppet:///scripts/iptables-xs.in with contents {md5}a26104d4edb5533233e3e7ac6de91813
notice: /Stage[main]/Todos/File[/library/webcontenido]/ensure: created
notice: /Stage[main]/Todos/File[/library/webcontenido/index.html]/ensure: created
notice: /Stage[main]/Config-vpn/Package[openvpn]/ensure: created
notice: /Stage[main]/Config-vpn/File[client.conf]/content: defined 'content' as '{md5}a24ff31f87fe274978e62217271b22a7'
notice: /Stage[main]/Config-vpn/File[/etc/openvpn/keys]/ensure: created
err: /Stage[main]/Config-vpn/File[/etc/openvpn/keys/schoolserver.redes1.fundacionzt.org.key]: Failed to retrieve current state of resource: No specified source was found from puppet:///keys/schoolserver.redes1.fundacionzt.org.key
notice: /Stage[main]/Config-vpn/Service[openvpn]: Dependency file[/etc/openvpn/keys/schoolserver.redes1.fundacionzt.org.key] has 1 failures
warning: /Stage[main]/Config-vpn/Service[openvpn]: Skipping because of failed dependencies
notice: /Stage[main]/Config-vpn/File[/etc/openvpn/keys/ca.crt]/ensure: created
err: /Stage[main]/Config-vpn/File[/etc/openvpn/keys/schoolserver.redes1.fundacionzt.org.crt]: Failed to retrieve current state of resource: No specified source was found from puppet:///keys/schoolserver.redes1.fundacionzt.org.crt
58c58
info: Filebucket[/var/lib/puppet/clientbucket]: Adding /etc/sysconfig/olpc-scripts/gen-iptables(fbe65b72cbda37694b66be2d705942e3)
notice: /Stage[main]/Todos/File[/etc/sysconfig/olpc-scripts/gen-iptables]: Filebucketed to  with sum fbe65b72cbda37694b66be2d705942e3
notice: /Stage[main]/Todos/File[/etc/sysconfig/olpc-scripts/gen-iptables]/source: replacing from source puppet:///scripts/gen-iptables with contents {md5}381d0635599b4980b56324086e8574bd
notice: /Stage[main]//File[/library/xs-activity-server/incoming]/ensure: created
info: /Stage[main]//File[/library/xs-activity-server/incoming]: Scheduling refresh of Exec[rsync_activities]
info: /Stage[main]//File[/library/xs-activity-server/incoming]: Scheduling refresh of Exec[/usr/local/bin/puppet-xs-activity-sync]
notice: /Stage[main]//Exec[rsync_activities]: Triggering 'refresh' from 1 dependencies
err: /Stage[main]//Exec[rsync_activities]: Failed to call refresh on Exec[rsync_activities]: /usr/local/bin/rsync-activities returned 255 instead of 0 at /etc/puppet/manifests/todos.pp:141
notice: /Stage[main]//Exec[/usr/local/bin/puppet-xs-activity-sync]: Triggering 'refresh' from 1 dependencies
notice: /Stage[main]/Todos/User[fzt]/ensure: created
notice: /Stage[main]/Todos/File[/home/fzt/.ssh]/ensure: created
notice: /Stage[main]/Todos/File[/home/fzt/.ssh/authorized_keys]/ensure: created
notice: /Stage[main]/Todos/Ssh_authorized_key[german@fundacion-laptop]/ensure: created
info: Filebucket[/var/lib/puppet/clientbucket]: Adding /home/fzt/.ssh/authorized_keys(d41d8cd98f00b204e9800998ecf8427e)
notice: /Stage[main]/Todos/Package[zile]/ensure: created
notice: /Stage[main]//File[/root/.ssh/puppet_rsa]/ensure: created
6c6,7
---
info: Filebucket[/var/lib/puppet/clientbucket]: Adding /etc/sysconfig/olpc-scripts/dhcpd.conf.1(4246afbfccdb5a2de5867d68e9d99f8d)
notice: /Stage[main]/Todos/File[/etc/sysconfig/olpc-scripts/dhcpd.conf.1]: Filebucketed to  with sum 4246afbfccdb5a2de5867d68e9d99f8d
notice: /Stage[main]/Todos/File[/etc/sysconfig/olpc-scripts/dhcpd.conf.1]/source: replacing from source puppet:///scripts/dhcpd.conf.1 with contents {md5}82698abf1b350697fc640170e47fd6de
info: /Stage[main]/Todos/File[/etc/sysconfig/olpc-scripts/dhcpd.conf.1]: Scheduling refresh of Service[dhcpd]
notice: /Stage[main]/Todos/Service[dhcpd]: Triggering 'refresh' from 1 dependencies
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 131.75 seconds
[root@schoolserver ~]#

Revision History

Historial de revisiones

Revisión 0-0

Septiembre de 2011

German Ruiz

Creación Inicial del Documento