# License: (CC 3.0) BY-NC-SA
puppet node
from the reference, i know how to use regular expression to indicate nodes
node /^(foo|bar)\.example\.com$/ {
include common
}
puppet scope
from the reference, i konw how to use scope
$var = "from topscope"
node default {
$var = "from node"
include lookup_example
}
class lookup_example {
notify { $var: } # will be "from node"
notify { $::var: } # will be "from topscope"
}
Puppet Require
I want to require a package on another class
class foo {
package { "bar": ensure => installed, }
}
class fooo {
package { "barr":
ensure => installed,
require => Package["bar"],
}
}
This does not work, and require => Class["foo"]
does not too. However, add a include "foo"
in fooo works.
how to use puppet tags
if i did not assgin a tag to an agent, the agent will search the master’s config for a node named hostname
or ‘default’. but if you give a tag for the agent, then it will search all resources have the tags.
assgin a tag to agent
- your hostname is a tag too
-
add tags when you run
puppet agent
$ puppetd –tags webserver,ftpserver
-
add tags option in puppet.conf
# cat /etc/puppet/puppet.conf tags = webserver, ftpserver
add a tag to resource
- tag => webserver
- for class, add tag(“webserver”)
- in fact, all node, class and define has a automatical generated tag, it’s their name exactly
how to use puppet kick
see the puppet kick --help
first, the USAGE NOTES
says:
Puppet kick is useless unless puppet agent is listening for incoming
connections and allowing access to the `run` endpoint. This entails
starting the agent with `listen = true` in its puppet.conf file, and
allowing access to the `/run` path in its auth.conf file; see
`http://docs.puppetlabs.com/guides/rest_auth_conf.html` for more
details.
Additionally, due to a known bug, you must make sure a
namespaceauth.conf file exists in puppet agent's $confdir. This file
will not be consulted, and may be left empty.
NOTE: all the following steps must run by root or sudo
step 1
to enable listen conf, add the following line in /etc/puppet/puppet.conf in your puppet slave
[agent]
listen=true
or you can run command by:
# augtool << EOF
set /files/etc/puppet/puppet.conf/agent/listen true
save
EOF
step 2
to allow access to the /run path, you should edit /etc/puppet/auth.conf in your puppet slave
path /run
auth any
method save
allow master.puppet.com
# this one is not stricly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any
note puppet-master.puppet.com must be add in the /etc/hosts entry
step 3
add a empty file on your puppet slave
# touch /etc/puppet/namespaceauth.conf
step 4
to test the puppet kick
, on puppet slave node, run puppet agent --debug --verbose --no-daemonize
, on puppet master node, run puppet kick --foreground --debug --host slave.puppet.com
. plz not that you should add entry on your /etc/hosts of slave.puppet.com
NOTE: 1) The –tag option is a decorader to object, you can not just specify tag without host class.
NOTE: 2) That puppet listen on 8139, please let firewall allow that port.
ldap <=== this section is not completed
reference: openldap quick guide
step 1
Install ldap server
# apt-get install slapd ldap-utils
# wget https://raw.github.com/puppetlabs/puppet/master/ext/ldap/puppet.schema
# cp puppet.schema /etc/ldap/schema/
Add a include puppet.schema line in /usr/share/slapd/slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/puppet.schema
The reference tells me to restart the server, i did it, but i don’t know if it is necessary. Maybe you can try this:
# sudo /etc/init.d/ldap start
Add a default node in your LDAP
# cat test.ldif
dn: cn=default,dc=orgName,dc=com
objectClass: device
objectClass: puppetClient
objectClass: top
cn: default
# ldapadd -x -f test.ldif
The last command seems failed because of “ldap_add: Invalid syntax (21)”
step 2
Install ldap ruby binding for puppet master
# apt-get install ruby-ldap
Check it
# ruby -rldap -e 'puts :installed'
installed
# ruby -rpuppet -e 'p Puppet.features.ldap?'
true
Edit /etc/puppet/puppet.conf
[puppetmasterd]
node_terminus = ldap
ldapserver = ldapserver.yourdomain.com
ldapbase = dc=puppet
Add a empty default node in your site.pp
node default {}
Common Issues
SSL
warning: Certificate validation failed; consider using the certname configuration option
err: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Add certname on puppet.conf, cert server domain is pointed to master.puppet.com or you can use master.puppet.com directly.
[master]
certname=cert.puppet.com
NOTE: puppetca clean --all
and remove /var/lib/puppet/ssl will not work