Puppet Server
Runs the puppet server for rhel7
The main code repositories are synced into:
- /srv/puppet/code/base/preprod/
- /srv/puppet/code/base/prod/
Other optional environments can be arbitrarily created and immediately used under this path:
- /srv/puppet/code/dev/envs/
At https://puppet01.psi.ch/ a small web app for deleting server-side certificates is made available. Authentication uses LDAP against the AD, but access rights are granted in /etc/httpd/conf.d/ssl.conf
Branches
You can create a branch to develop new code from the master branch of the puppet repository. To test the code, a directory with the same name as the branch can be created at puppet01:/srv/puppet/code/dev/envs/ . Upon creating the directory, preprod gets rsynced into it. If the branch already exists and is to be pulled, that can be done via the command:
git pull origin xyz
This can then be tested on any controlled host by running:
puppet agent -t --environment=xyz
Merge Process
Merge meetings are usually held weekly. To record the meeting a https://git.psi.ch/linux-infra/org/wikis/meeting_reports/YYYY-MM-DD page is to be created based on the https://git.psi.ch/linux-infra/org/wikis/merge-meeting-guidelines template.
Modules
The modules that are not part of the base repo are pulled into /srv/puppet/code/dev/envs/(pre)prod/code/modules/
The correct way to pull the modules is with librarian-puppet. However, at this time the Puppetfile lists "prod" or "production" as the version for some of the modules. Librarian cannot resolve these, so it falls back to Puppetfile.lock, where the commit of the initial pull is saved. As long as the lock file is present, librarian will always pull the commit saved there: it will not pull the latest commit, and it will even revert the module if that latest commit was pulled manually.
The solution is to always run librarian with the lock file removed:
[root@puppet01 prod]# cd /srv/puppet/code/base/prod
[root@puppet01 prod]# rm -f Puppetfile.lock
[root@puppet01 prod]# /opt/puppetlabs/puppet/bin/librarian-puppet install --path=code/modules
This way the latest commit will be pulled for all incorrectly defined modules.
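The following script is an added example and not part of the original page or of the PSI puppet repository. It reads a Puppetfile and lists the modules whose :ref is a branch name (prod, production, ...) instead of a tag or commit, i.e. exactly the entries that librarian can only resolve through Puppetfile.lock. The sample Puppetfile, its module names and its repository URLs are constructed for the demonstration; on puppet01 the real file would be read with puppetfile_branch_refs < /srv/puppet/code/base/prod/Puppetfile.

```shell
#!/bin/sh
# Added example, not the page's own code: flag Puppetfile modules pinned to a
# branch name rather than a tag or commit. These are the entries for which
# librarian-puppet falls back to Puppetfile.lock, which is why the lock file
# has to be removed before "librarian-puppet install" as described above.

# Branch names to flag (assumption; adjust to local conventions).
BRANCH_REFS="prod production master main"

# Constructed sample Puppetfile; names and URLs are placeholders. Both quote
# styles and a multi-line entry are included on purpose.
SAMPLE_PUPPETFILE=$(cat <<'EOF'
forge "https://forgeapi.puppetlabs.com"

mod "puppetlabs-stdlib", "4.13.1"
mod "psi-ldap",
  :git => "https://git.example.invalid/puppet/ldap.git",
  :ref => "prod"
mod "psi-ntp", :git => "https://git.example.invalid/puppet/ntp.git", :ref => "v1.4.0"
mod 'psi-sudo', :git => 'https://git.example.invalid/puppet/sudo.git', :ref => 'production'
mod "psi-ssh", :git => "https://git.example.invalid/puppet/ssh.git", :ref => "3f9c2a1"
EOF
)

# Read a Puppetfile on stdin and print "<module> <ref>" for every git-sourced
# module whose :ref is one of $BRANCH_REFS. A "mod" entry spanning several
# lines is joined first: it continues as long as the current line ends with a comma.
puppetfile_branch_refs() {
  awk -v branches="$BRANCH_REFS" '
    BEGIN {
      n = split(branches, b, " ")
      for (i = 1; i <= n; i++) isbranch[b[i]] = 1
      q = sprintf("%c", 39)                      # a literal single quote
      quoted = "[" q "\"][^" q "\"]+[" q "\"]"   # string in single or double quotes
      re_name = "^[ \t]*mod[ \t]+" quoted
      re_ref  = ":ref[ \t]*=>[ \t]*" quoted
    }
    # Return the text between the first pair of quotes in s.
    function unquote(s) {
      sub("^[^" q "\"]*[" q "\"]", "", s)
      sub("[" q "\"].*$", "", s)
      return s
    }
    function check(entry,   name, ref) {
      if (!match(entry, re_name)) return
      name = unquote(substr(entry, RSTART, RLENGTH))
      if (!match(entry, re_ref)) return           # forge version, or no :ref at all
      ref = unquote(substr(entry, RSTART, RLENGTH))
      if (ref in isbranch) print name, ref
    }
    /^[ \t]*mod[ \t]/ {
      entry = $0
      while (entry ~ /,[ \t]*$/ && (getline line) > 0) entry = entry " " line
      check(entry)
    }
  '
}

# Exit 1 when the Puppetfile on stdin has branch-pinned modules, so the check
# can gate the librarian run: puppetfile_is_clean < Puppetfile && librarian-puppet install ...
puppetfile_is_clean() {
  pf_flagged=$(puppetfile_branch_refs)
  [ -z "$pf_flagged" ] && return 0
  printf 'branch-pinned modules:\n%s\n' "$pf_flagged" >&2
  return 1
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PUPPETFILE" | puppetfile_branch_refs
```

Run against the sample, the script prints psi-ldap prod and psi-sudo production; the tag- and commit-pinned modules are left alone. The awk program builds its regexes from a computed single-quote character so the whole program can sit inside one shell single-quoted string.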
Hiera / data-xxx
The data-xxx repositories have a webhook configured that points to http://puppet01.psi.ch/events/dataupdate . The triggered webhook code can be found on puppet01 at /var/www/webhook/app/webhook.py
This webhook checks out the data repositories in /srv/puppet/data
PuppetDB
To be able to talk to the PuppetDB we need a (client) certificate (including the key) accepted by the Puppet server for authentication. On Puppet-enabled nodes the node's certificate works, i.e.:
- Certificate: /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
- Key: /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
These can be supplied to curl(1) using the --key, --cert, and --cacert options:
curl --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
--key /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
--cert /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem \
https://puppet01.psi.ch:8080/pdb/query/v4/nodes
There are several API endpoints that can be queried, e.g. /pdb/query/v4 (note that there is no / at the end), or /pdb/query/v4/nodes.
Examples
# define a function to simplify the queries
function pdb {
local pql=$1
curl --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
--key /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
--cert /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem \
-H content-type:application/json --data "{ \"query\": \"$pql\" }" \
https://puppet01.psi.ch:8080/pdb/query/v4 | json_reformat
}
# list all nodes
pdb "nodes[certname] { order by certname }"
# list environments and times of the last Puppet run
pdb "reports[certname,environment,start_time,end_time] { order by certname }"
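As an added example (not the page's own code), the helper below builds the JSON query body with the PQL string properly escaped. The pdb function above interpolates the query straight into the JSON, which breaks as soon as the PQL contains a string literal, because PQL string literals use double quotes themselves. pdb_query sends that body with the same certificate paths and server as the page; PUPPETDB_URL is an assumed optional override, and the query string in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not the page's own code: escape a PQL query for use as a JSON
# string value, then send it to PuppetDB with client-certificate authentication.

# Return {"query":"..."} for a single-line PQL string. Inside a JSON string
# literal only backslash and double quote need escaping, and PQL string
# literals use double quotes, e.g.  nodes { certname = "host.example.invalid" }
pql_body() {
  pql_escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"query":"%s"}\n' "$pql_escaped"
}

# Same endpoint and node certificate as the pdb function above, with the body
# built by pql_body. --fail makes curl exit non-zero on an HTTP error instead
# of printing the error page as if it were a result.
pdb_query() {
  curl --silent --show-error --fail \
    --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
    --key "/etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem" \
    --cert "/etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem" \
    -H 'Content-Type: application/json' \
    --data "$(pql_body "$1")" \
    "${PUPPETDB_URL:-https://puppet01.psi.ch:8080}/pdb/query/v4"
}

# Offline demonstration: the body that pdb_query would send for a query
# containing string literals (constructed example query).
pql_body 'nodes[certname] { certname ~ "^web" and catalog_environment = "prod" }'
```

Queries without string literals, such as the two examples above, produce the same body either way; the difference only shows once a quoted value is involved.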