Configuration Management

From Jeremy Bryan Smith
Latest revision as of 20:27, 26 March 2020

Puppet

Puppet 5 tends to end up in a broken state where it neither works nor reports a useful error.
Here are the steps I used to install version 5 (from Puppet's repository) on a master and a node that previously had version 3 installed (from the Ubuntu repository).

Do not leave any files, or lines in configuration files, from the previous version behind. Puppet will happily accept an invalid configuration and then fail without explanation, so start from an empty puppet.conf and add each setting only as it turns out to be needed.

The two packagings put their files in different places.

Puppet repo:

  • /etc/puppetlabs/{code,mcollective,puppet,puppetdb,puppetserver,pxp-agent}
  • /opt/puppetlabs/puppet/...

Ubuntu repo:

  • /etc/puppet/
  • /var/lib/puppet/...

On the master:

root@server ~ $ puppet resource service puppetserver ensure=stopped
root@server ~ $ mv /etc/puppet /etc/puppet_old
root@server ~ $ mv /var/lib/puppet /var/lib/puppet_old
root@server ~ $ wget  'https://apt.puppet.com/puppet5-release-xenial.deb'
root@server ~ $ dpkg -i puppet5-release-xenial.deb
root@server ~ $ apt-get update
root@server ~ $ apt-get install puppet-agent puppetserver puppetdb
root@server ~ $ puppet resource service puppetserver ensure=stopped
root@server ~ $ rm -rf /opt/puppetlabs/puppet/ssl/
root@server ~ $ rm -rf /etc/puppetlabs/puppet/ssl/
root@server ~ $ puppet resource service puppetserver ensure=running
root@server ~ $ puppet resource service puppetdb ensure=running
root@server ~ $ tree /etc/puppetlabs/puppet/ssl/
/etc/puppetlabs/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── infra_crl.pem
│   ├── infra_inventory.txt
│   ├── infra_serials
│   ├── inventory.txt
│   ├── root_key.pem
│   ├── serial
│   └── signed
│       └── puppetmaster.jeremybryansmith.com.pem
├── certs
│   ├── ca.pem
│   └── puppetmaster.jeremybryansmith.com.pem
├── crl.pem
├── private_keys
│   └── puppetmaster.jeremybryansmith.com.pem
└── public_keys
    └── puppetmaster.jeremybryansmith.com.pem

5 directories, 16 files

Deleting the ssl directory on the master discarded the old CA together with everything it had ever signed; starting puppetserver afterwards generated the fresh CA shown here. Every existing agent certificate is therefore untrusted now, which is why each node below has to generate a new key and certificate request. The key files under ca/ (ca_key.pem in particular) are what lets this CA issue certificates the whole fleet trusts: keep them readable by root only and out of any backup that is not encrypted.

root@server ~ $ cat /etc/puppetlabs/puppet/puppet.conf
# Puppet Server Config: /etc/puppetlabs/puppet/puppet.conf

[main]
certname = puppetmaster.jeremybryansmith.com
server = puppetmaster.jeremybryansmith.com
runinterval = 1h
strict_variables = true

[master]
dns_alt_names = puppetmaster.jeremybryansmith.com

On the nodes:

root@node ~ $ puppet resource service puppet ensure=stopped # If previously installed
root@node ~ $ mv /etc/puppet /etc/puppet_old
root@node ~ $ mv /var/lib/puppet /var/lib/puppet_old
root@node ~ $ wget  'https://apt.puppet.com/puppet5-release-xenial.deb'
root@node ~ $ dpkg -i puppet5-release-xenial.deb
root@node ~ $ apt-get update
root@node ~ $ apt-get install puppet-agent
root@node ~ $ puppet resource service puppet ensure=stopped
root@node ~ $ puppet config print ssldir --section agent
/etc/puppetlabs/puppet/ssl
root@node ~ $ rm -rf /opt/puppetlabs/puppet/ssl/
root@node ~ $ rm -rf /etc/puppetlabs/puppet/ssl/
root@node ~ $ nmap puppetmaster.jeremybryansmith.com -p 8140
Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-13 09:58 EDT
Nmap scan report for puppetmaster.jeremybryansmith.com (104.131.32.175)
Host is up (0.070s latency).

PORT     STATE SERVICE
8140/tcp open  puppet

root@node ~ $ echo "" | openssl s_client -servername puppetmaster.jeremybryansmith.com -connect puppetmaster.jeremybryansmith.com:8140   | grep 'CN ='
depth=0 CN = puppetmaster.jeremybryansmith.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = puppetmaster.jeremybryansmith.com
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
 0 s:CN = puppetmaster.jeremybryansmith.com
   i:CN = Puppet CA: puppetmaster.jeremybryansmith.com
subject=CN = puppetmaster.jeremybryansmith.com
issuer=CN = Puppet CA: puppetmaster.jeremybryansmith.com
CN = Puppet CA: puppetmaster.jeremybryansmith.com

The two verify errors are expected: the Puppet CA is a private, self-signed CA that is not in the system trust store, so openssl cannot build a chain and stops at the server certificate. That makes this command a sanity check that port 8140 really is the Puppet server and that the subject and issuer CN are the expected names, not a verification of the certificate. To verify it properly, run the same command from a host that already holds the CA certificate and pass it with -CAfile (on the master it is /etc/puppetlabs/puppet/ssl/certs/ca.pem, shown in the tree above).

root@node ~ $ cat /etc/puppetlabs/puppet/puppet.conf
# Puppet Node Config: /etc/puppetlabs/puppet/puppet.conf

[main]
certname=latitude.jbsnet.xyz
server=puppetmaster.jeremybryansmith.com
runinterval = 1h

root@node ~ $ puppet agent --test --noop --waitforcert 60
Info: Creating a new SSL key for latitude.jbsnet.xyz
Error: request https://puppetmaster.jeremybryansmith.com:8140//puppet-ca/v1/certificate/ca failed: Failed to open TCP connection to puppetmaster.jeremybryansmith.com:8140 (Connection refused - connect(2) for "puppetmaster.jeremybryansmith.com" port 8140)
Error: request https://puppetmaster.jeremybryansmith.com:8140//puppet-ca/v1/certificate/ca failed: Failed to open TCP connection to puppetmaster.jeremybryansmith.com:8140 (Connection refused - connect(2) for "puppetmaster.jeremybryansmith.com" port 8140)
...

On the master:

root@server ~ $ puppetserver ca list 
Requested Certificates:
   latitude.jbsnet.xyz   (SHA256)  E2:4B:0C:3D:D7:DE:14:2A:A0:EC:93:E3:2E:8C:78:51:D4:07:FF:A0:BE:A6:FC:66:FF:7B:54:F4:D5:4A:B0:37
root@server ~ $ puppetserver ca sign --certname latitude.jbsnet.xyz
Successfully signed certificate request for latitude.jbsnet.xyz

Before signing, compare the fingerprint that puppetserver ca list prints with the one the agent logged when it submitted the request (the line Info: Certificate Request fingerprint (SHA256): ... in the agent output elided above), read off the node itself or over some channel the requester cannot tamper with. A signed certificate for a certname is what entitles its holder to that node's catalog, including any secrets in it, so only sign a request when you know which host made it.
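The following script is an added example and not part of the original page: it rebuilds, against a throwaway CA that it creates on the spot so everything runs offline, the two checks the transcripts above leave implicit. First, verifying a certificate against the Puppet CA file itself rather than the system trust store (the openssl s_client run on the node only produced verify errors because the CA is private). Second, computing a certificate request's SHA-256 fingerprint in the colon-separated form that puppetserver ca list displays, so a request is only signed when that value matches the fingerprint the agent reported. The host names, the temporary directory, and the use of plain openssl in place of puppetserver's CA are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page: the two checks the transcript above
# leaves implicit, run against a throwaway CA created here so it works offline.
#   1. verify a certificate against a specific CA file (the Puppet CA) instead
#      of the system trust store, which is what made `openssl s_client` complain
#   2. compute a CSR's SHA-256 fingerprint in the form `puppetserver ca list`
#      prints it, and only "sign" when it matches a fingerprint obtained out of band
# Host names are placeholders; plain openssl stands in for puppetserver's CA.
set -eu

WORK="$(mktemp -d)"                     # stands in for /etc/puppetlabs/puppet/ssl
trap 'rm -rf "$WORK"' EXIT INT TERM

# Toy self-signed CA (1-day, test-only key) in the role of ca/ca_crt.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Puppet CA: puppetmaster.example.test" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_crt.pem" 2>/dev/null
}

# Key + CSR for a certname, as the agent creates on its first run.  $1 = certname
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Issue a certificate from a CSR, the step `puppetserver ca sign` performs.  $1 = certname
sign_csr() {
    openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/ca_crt.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Check 1: chain verification against the Puppet CA itself.  $1 = cert, $2 = CA cert
# Prints OK or FAIL; returns 0 or 1.
verify_against_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
        return 1
    fi
}

# Check 2: fingerprint = SHA-256 of the DER-encoded request, upper-case hex with
# colons, which is how Puppet and `puppetserver ca list` display it.  $1 = CSR file
csr_fingerprint() {
    openssl req -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 -c \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# Sign only if the server-side fingerprint equals the one the agent reported
# (its "Certificate Request fingerprint (SHA256)" line), relayed out of band.
# $1 = certname, $2 = expected fingerprint.  Signs nothing and returns 1 on mismatch.
sign_if_fingerprint_matches() {
    actual="$(csr_fingerprint "$WORK/$1.csr")"
    expected="$(printf '%s' "$2" | tr 'a-f' 'A-F')"
    if [ "$actual" = "$expected" ]; then
        sign_csr "$1"
        echo "signed $1"
    else
        echo "REFUSED $1: fingerprint $actual does not match $expected"
        return 1
    fi
}

demo() {
    make_ca
    make_csr agent01.example.test
    # In practice this value is read off the agent's own output, not from the CSR on the master.
    reported="$(csr_fingerprint "$WORK/agent01.example.test.csr")"
    sign_if_fingerprint_matches agent01.example.test "$reported"
    verify_against_ca "$WORK/agent01.example.test.crt" "$WORK/ca_crt.pem"
    # A request nobody reported a fingerprint for (here: a second CSR) is refused.
    make_csr rogue.example.test
    sign_if_fingerprint_matches rogue.example.test "$reported" || true
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo" >&2
fi
```

Run it as is and it prints "signed agent01.example.test", "OK", and a REFUSED line for the second request. On a real master the CSR lives under ca/requests/ in the ssl directory and the reported fingerprint comes from the node; the comparison is the same.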
root@server ~ $ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
# /etc/puppetlabs/code/environments/production/manifests/site.pp
...
node 'latitude.jbsnet.xyz'
{
  class {'jeremy': } 
}
...

root@server ~ $ cat /etc/puppetlabs/code/environments/production/modules/jeremy/manifests/init.pp
# /etc/puppetlabs/code/environments/production/modules/jeremy/manifests/init.pp
class jeremy ()
{
  # User 'jeremy' files
  file
  {
    '/home/jeremy/.tmux.conf':
    ensure => present,
    mode   => '0644',
    owner  => 'jeremy',
    group  => 'jeremy',
    source => 'puppet:///modules/jeremy/home/jeremy/.tmux.conf',
  }
  file
  {
    '/home/jeremy/.bash_profile':
    ensure => present,
    mode   => '0644',
    owner  => 'jeremy',
    group  => 'jeremy',
    source => 'puppet:///modules/jeremy/home/jeremy/.bash_profile',
  }
  file
  {
    '/home/jeremy/.bash_aliases':
    ensure => present,
    mode   => '0644',
    owner  => 'jeremy',
    group  => 'jeremy',
    source => 'puppet:///modules/jeremy/home/jeremy/.bash_aliases',
  }
  file
  {
    '/home/jeremy/.vimrc':
    ensure => present,
    mode   => '0644',
    owner  => 'jeremy',
    group  => 'jeremy',
    source => 'puppet:///modules/jeremy/home/jeremy/.vimrc',
  }
  # Local vim config: should probably go into a class for the specific node...
  # No source, so Puppet only ensures the file exists with these permissions.
  file
  {
    '/home/jeremy/.vimrc.local':
    ensure => present,
    mode   => '0644',
    owner  => 'jeremy',
    group  => 'jeremy',
  }
}

On the nodes:

root@node ~ $ puppet agent --test --noop
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Applying configuration version '1584109458'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.35 seconds

Update: I should not have removed all files in /var/lib/puppet/ssl/certs/, only the relevant ones. Fix:

root@server ~ $ mkdir -p /opt/puppetlabs/puppet/ssl/certs
root@server ~ $ cd /opt/puppetlabs/puppet/ssl/certs
root@server ~ $ cp -d  /etc/ssl/certs/* .

Install additional modules:

root@server ~ $ puppet module install cygnus-disk_facter

Modules from the Forge are third-party code: the server runs them as root while compiling catalogs, and agents download and execute their facts and plugins on every node. Check who publishes a module before installing it and pin a release with --version rather than taking whatever is latest.