Installation `psi-puppet2`
==========================

References
----------

- https://wiki.intranet.psi.ch/AIT/PuppetServer2009
- http://reductivelabs.com/trac/puppet/wiki/PluginsInModules

Introduction
------------

This document describes the installation of the new puppet server
psi-puppet2, which replaces the puppet server running on pxeserv01.

The psi-puppet2 server is an interim solution for the pxeserv01
replacement for the following reasons:

- The puppet service on pxeserv01 is very unstable.
- The performance on pxeserv01 is very bad, which makes work almost impossible.
- The psi-puppet1 server is not ready for production yet.

The new system will be set up as a 32 bit SL5 server with the latest
puppet server package and dependencies installed.

The puppet server configuration is the same as the one on pxeserv01.

**Note**: Don't confuse psi-puppet2 with psi-puppet1, which is not only
intended as a replacement of the puppet server on pxeserv01 but also
comes with a reimplementation of the whole puppet configuration,
whereas psi-puppet2 takes over the puppet configuration from
pxeserv01.

Description of the Basic Server Setup
-------------------------------------

- Hardware

  Dell Power Edge 1750

- Operating System

  SL51 32 bit Server

- Network configuration

  Static IP for Production Server: 129.129.190.160/24

  Hostname: psi-puppet2.psi.ch

- Required RPMS

  - puppet-server (http://download.fedora.redhat.com/pub/epel/5/i386/repoview/)
  - augeas-libs
  - facter
  - puppet (http://download.fedora.redhat.com/pub/epel/5/i386/repoview/)
  - ruby
  - ruby-augeas
  - ruby-libs
  - ruby-shadow
  - ruby-irb (required for reading help)
  - ruby-rdoc (required for reading help)

Procedure
---------

Setup The Puppet Server
~~~~~~~~~~~~~~~~~~~~~~~

Install The Puppet Server Software
..................................

Use the yum repositories `/etc/yum.repos.d/epeli386.repo` and
`/etc/yum.repos.d/epelx86_64.repo` to download and install the latest
puppet packages::

    [epeli386]
    name=epel i386
    baseurl=http://download.fedora.redhat.com/pub/epel/5/i386/
    enabled=0

Install the puppet-server package. Dependencies will be resolved::

    # yum --enablerepo=epeli386 install puppet-server
    ...
    Dependencies Resolved
    =============================================================================
     Package             Arch      Version              Repository     Size
    =============================================================================
    Installing:
     puppet-server       noarch    0.24.8-1.el5.1       epel           26 k
    Installing for dependencies:
     augeas-libs         i386      0.5.1-1.el5          epel          196 k
     facter              noarch    1.5.5-1.el5          epel           54 k
     puppet              noarch    0.24.8-1.el5.1       epel          542 k
     ruby                i386      1.8.5-5.el5_2.6      sl5update     279 k
     ruby-augeas         i386      0.2.0-1.el5          epel           17 k
     ruby-libs           i386      1.8.5-5.el5_2.6      sl5update     1.6 M
     ruby-shadow         i386      1.4.1-7.el5          epel          9.5 k
    Transaction Summary
    =============================================================================
    Install      8 Package(s)
    Update       0 Package(s)
    Remove       0 Package(s)
    ...

For later use, download the required RPMS and copy them to our yum
repository, see section `Put Puppet Related RPMS To Our Yum
Repository` below.

Configure The Puppet Server
...........................

Use the puppet server configuration of pxeserv01 on psi-puppet2.

The configuration files of the puppet server, directory
`/etc/puppet/`, are located on AFS, see section `Mount AFS Volumes`.

The log is on the local disk in `/var/log/puppet`. To set the log file,
edit the `PUPPETMASTER_OPTS` line in
`/etc/rc.d/init.d/puppetmaster`. For testing, the debug option
`-d` is also enabled::

    PUPPETMASTER_OPTS="-v -d -l /var/log/puppet/puppetmaster.log"

Enable puppetmaster in runlevels 3, 4 and 5::

    # chkconfig --levels 345 puppetmaster on

Mount AFS Volumes on Puppet Server
..................................

The puppet server configuration files as well as the puppet manifests
for clients are located on AFS.

AFS is already mounted as `/afs` in this default SL5 server installation::

    # mount
    ...
    AFS on /afs type afs (rw)

Now, we want to remount `/afs/psi.ch/service/linux/puppet/etc/puppet`
on `/etc/puppet`. For this the mount option `bind` is used, which
allows parts of an already mounted filesystem to be remounted at an
alternative location in the file hierarchy.

As shown below, we do the remount in `/etc/rc.local`, which is executed
after all the other init scripts::

    #!/bin/sh
    touch /var/lock/subsys/local

    # Puppet
    mount -o bind /afs/psi.ch/service/linux/puppet/etc/puppet /etc/puppet

    # Restart Services depending on afs mounts
    /etc/init.d/puppetmaster restart

Before the `rc.local` script can be applied, the proper AFS permissions
have to be set.

Check the AFS permissions::

    # [gasser_m@pc7377 ~]
    # fs la /afs/psi.ch/service/linux/
    Access list for /afs/psi.ch/service/linux/ is
    Normal rights:
      svc_linux:tools l
      svc_linux:puppet l
      svc_linux:readonly rl
      svc_linux:pxe l
      svc_linux rlidwka

Create a new AFS group for the puppet server::

    # pts creategr svc_linux:puppet_hosts -owner svc_linux
    group svc_linux:puppet_hosts has id -10851

Add the IP of psi-puppet2 to this group::

    # pts adduser 129.129.190.160 svc_linux:puppet_hosts

Set the AFS permissions::

    # fs sa /afs/psi.ch/service/linux/ svc_linux:puppet_hosts l
    # fs sa /afs/psi.ch/service/linux/puppet/ svc_linux:puppet_hosts rl
    # fs sa /afs/psi.ch/service/linux/puppet/etc svc_linux:puppet_hosts rl
    # fs sa /afs/psi.ch/service/linux/puppet/var svc_linux:puppet_hosts rl
    # fs sa /afs/psi.ch/service/linux/puppet/etc/puppet svc_linux:puppet_hosts rl

Recursively set the same permissions on all subdirectories underneath
`/afs/psi.ch/service/linux/puppet/etc/puppet`::

    # cd /afs/psi.ch/service/linux/puppet/etc/puppet
    # find -noleaf -type d -exec fs sa {} svc_linux:puppet_hosts rl \;

Then restart the AFS service::

    # service afs restart

Finally, run the `rc.local` script or just reboot psi-puppet2 to see
whether everything comes up.
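
The host group only needs to read the puppet tree, so after setting the
ACLs it is worth confirming that `svc_linux:puppet_hosts` holds nothing
beyond `rl`. The script below is an added example, not part of the
original guide: it parses `fs la` output in the format shown above; the
function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# check_acl GROUP [ALLOWED]: read `fs la` output on stdin and verify that
# GROUP holds no rights beyond ALLOWED (default "rl": read and lookup).
# Exit status: 0 = within limits, 1 = extra rights found, 2 = GROUP not listed.
check_acl() (
    awk -v g="$1" -v ok="${2:-rl}" '
        /^Negative rights:/ { neg = 1; next }   # negative entries deny, skip them
        /^Normal rights:/   { neg = 0; next }
        !neg && $1 == g {
            seen = 1
            extra = $2
            gsub("[" ok "]", "", extra)          # drop the permitted letters
            if (extra != "") { print g " has extra rights: " extra; bad = 1 }
        }
        END { if (!seen) exit 2; exit bad + 0 }
    '
)

# Constructed sample in the format `fs la` prints (see the listing above).
sample_acl() {
    cat <<'EOF'
Access list for /afs/psi.ch/service/linux/puppet/etc/puppet is
Normal rights:
  svc_linux:puppet_hosts rl
  svc_linux rlidwka
EOF
}

# audit_tree DIR GROUP: run the check on DIR and every directory below it.
# Needs a live AFS client; prints each directory that fails the check.
audit_tree() {
    find "$1" -noleaf -type d | while IFS= read -r d; do
        fs la "$d" | check_acl "$2" >/dev/null || echo "FAIL: $d"
    done
}
```

On the server, `audit_tree /afs/psi.ch/service/linux/puppet/etc/puppet svc_linux:puppet_hosts` lists every directory where the group is missing or has more than `rl`.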

Allow User Login Access To psi-puppet2
......................................

To enable remote login via ssh and execution of root commands via
sudo, the following files have to be edited.

- `/etc/passwd`
- `/etc/shadow`
- `/etc/security/ssh.allow`
- `/etc/group`
- `/etc/hosts.allow`
- `/etc/sudoers`

passwd::

    gasser_m:!:2374:840:Gasser Marc:/afs/psi.ch/user/g/gasser_m:/bin/bash
    kapeller:!:3804:9102:Rene Kapeller:/afs/psi.ch/user/k/kapeller:/bin/bash
    billich:!:3830:840:Heinrich Billich:/afs/psi.ch/user/b/billich:/bin/bash
    markushin:!:3883:840:Valeri Markushin:/afs/psi.ch/user/m/markushin:/bin/bash

shadow::

    gasser_m:NP:::::::
    kapeller:NP:::::::
    billich:NP:::::::
    markushin:NP:::::::

group::

    ait::840
    sls::9102

ssh.allow::

    kapeller
    billich
    markushin
    gasser_m

hosts.allow::

    sshd: ... pc7377 pc7377.psi.ch gfalc05 gfalc05.psi.ch pc4568 pc4568.psi.ch

Configuring Puppet Reporting
............................

There are a number of different report processors available on the
master. The default report, store, simply stores the report file on
the disk.

By default, each client is configured not to report back to the
master. Reporting has to be enabled either by the report option in
`puppet.conf` or by using `--report` on the command line.

`/etc/puppet/puppet.conf`::

    [puppetd]
    report = true

Command line::

    # puppetd --report

Store Report Processor
,,,,,,,,,,,,,,,,,,,,,,

Enable the store reports by using the `reports` configuration option
in the puppetmasterd section of the `puppet.conf` file on the master.

`/etc/puppet/puppet.conf`::

    [puppetmasterd]
    reports = store

The default reports directory is $vardir/reports.

Rrdgraph Report Processor
,,,,,,,,,,,,,,,,,,,,,,,,,

To enable the `rrdgraph` reports, the `rrdtool` and `rrdtool-ruby`
packages have to be installed.

The packages are available from the `psi-beta` repository; they
originate from the repository shown below.

`/etc/yum.repos.d/epeli386.repo`::

    [epeli386]
    name=epel i386
    baseurl=http://download.fedora.redhat.com/pub/epel/5/i386/
    enabled=0

::

    # yum install rrdtool rrdtool-ruby

Then, configure `puppet.conf` by adding the lines shown below in the
corresponding section. Here store and rrdgraph are enabled.

`/etc/puppet/puppet.conf`::

    [puppetmasterd]
    reports = store,rrdgraph
    rrddir = $vardir/rrd
    rrdinterval = $runinterval
    rrdgraph = true

Install the Ganglia Monitor Daemon
..................................

Install `ganglia-gmond` and add the configuration file shown below::

    # yum install ganglia-gmond

Use the same `/etc/gmond.conf` as on psi-puppet1::

    # /etc/init.d/gmond start

For the ganglia server configuration ask Valeri Markushin.

See puppet at http://129.129.190.27/ganglia/.

Setup The Puppet Client
~~~~~~~~~~~~~~~~~~~~~~~~

Either install or update the puppet package on a client::

    # yum --enablerepo=psi-beta install puppet
    # yum --enablerepo=psi-beta update puppet

Test The Puppet Clients
~~~~~~~~~~~~~~~~~~~~~~~

To find out which versions of puppet servers and clients are
compatible with each other and in which order they should be updated,
the following tests are performed.

Test the Old Client With The New Server
.......................................

Set the new server `psi-puppet2.psi.ch` in `/etc/puppet/puppet.conf`,
remove the certificate and run puppetd::

    # [root@vsl5132de-ut]
    # cd /var/puppet/
    # rm -rf ssl/
    # puppetd --test

Ok.

Test the New Client With The New Server
.......................................

Update the puppet client. Set the new server `psi-puppet2.psi.ch` in
`/etc/puppet/puppet.conf`, remove the certificate and run puppetd::

    # [root@vsl5132de-ut]
    # yum --enablerepo=psi-beta update puppet
    # cd /var/puppet/
    # rm -rf ssl/
    # puppetd --test

Ok.

Test the New Client With The Old Server
.......................................

Update the puppet client. Then set the old server `pxeserv01.psi.ch`
in `/etc/puppet/puppet.conf`, remove the certificate and run puppetd::

    # [root@vsl5132de-ut]
    # yum --enablerepo=psi-beta update puppet
    ...
    =============================================================================
     Package             Arch      Version              Repository     Size
    =============================================================================
    Updating:
     puppet              noarch    0.24.8-1.el5.1       psi-beta      542 k
    Installing for dependencies:
     augeas-libs         i386      0.5.1-1.el5          psi-beta      196 k
     ruby-augeas         i386      0.2.0-1.el5          psi-beta       17 k
     ruby-shadow         i386      1.4.1-7.el5          psi-beta      9.5 k
    Updating for dependencies:
     facter              noarch    1.5.5-1.el5          psi-beta       54 k
    Transaction Summary
    =============================================================================
    Install      3 Package(s)
    Update       2 Package(s)
    Remove       0 Package(s)
    ...
    # cd /var/puppet/
    # rm -rf ssl/
    # puppetd --test

Not ok. A lot of error messages appear. It seems the new client is not
compatible with the old server!

Conclusion
..........

First update the server, then the client.

So, when you have an old client addressing the new server for tests,
and you finally want to change it back to the old server, this should
work by just modifying `/etc/puppet/puppet.conf` on the client.

However, once you have updated the client you cannot go back to the old
server unless you downgrade the client; with yum this means
removing the new client and reinstalling the old one.

Put Puppet Related RPMS To Our Yum Repository
---------------------------------------------

To have a consistent puppet installation on our hosts, we put the
packages into our repository.

Use yumdownloader, from the package yum-utils, to download the puppet
related RPMS::

    # root@psi-puppet2
    # yum install yum-utils
    # yumdownloader --enablerepo=epeli386 puppet-server augeas-libs facter \
          puppet ruby-augeas ruby-shadow
    # yumdownloader --enablerepo=epelx86_64 augeas-libs ruby-augeas ruby-shadow

**Note**: There seem to be only i386 and noarch versions of the
required RPMS.

Before they are linked into the latest `testing` and `current`
repositories they should be tested. So copy them to the `psi-beta`
repository first::

    # scp *rpm gasser_m@tux50:/afs/psi.ch/software/linux/dist/scientific/51/beta
    # gasser_m@tux50
    # cd /afs/psi.ch/software/linux/dist/scientific/51/beta
    # createrepo .

To test the puppet clients see section `Test The Puppet Clients`.

If the tests passed successfully, copy them to the `others` repository
and create symbolic links to `testing` and `current` to make them
available::

    # [root@psi-puppet2]
    # scp *rpm gasser_m@tux50:/afs/psi.ch/software/linux/dist/scientific/51/others/all
    # gasser_m@tux50
    # cd /afs/psi.ch/software/linux/dist/scientific/51/others/all
    # createrepo .
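
The repositories used above are reached over plain HTTP, and every host
installs whatever ends up in our repository, so the downloaded RPMS
should pass a signature check before `createrepo` is run. The script
below is an added example, not part of the original guide; the function
names are hypothetical, it assumes the packagers' keys were imported
with `rpm --import`, and it assumes the `rpm -K` output forms listed in
its comments.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# sig_status LINE: classify the output of `rpm -K FILE` (rpm --checksig) as
# "signed", "unsigned" or "bad". Assumed output forms (constructed samples):
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK          signed, key imported
#   pkg.rpm: digests signatures OK               signed, newer rpm wording
#   pkg.rpm: sha1 md5 OK                         digests only, no signature
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK    key missing or check failed
sig_status() {
    case $1 in
        *"NOT OK"*) echo bad ;;
        *" gpg "*OK|*" pgp "*OK|*" signatures "*OK) echo signed ;;
        *" OK") echo unsigned ;;
        *) echo bad ;;                           # errors, unreadable files
    esac
}

# check_rpms DIR: run `rpm -K` on every RPM in DIR and print those that are
# not signed by an imported key. Exit status 0 only if all of them are signed.
check_rpms() (
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue                  # directory without RPMS
        line=$(rpm -K "$f" 2>&1) || true
        st=$(sig_status "$line")
        [ "$st" = signed ] || { echo "$st: $f"; rc=1; }
    done
    exit $rc
)
```

Run `check_rpms .` in the download directory and copy the files to `beta` only when it exits with status 0.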

Update Puppet
-------------

Keep the following order.

- Update the puppet server.
- Update the puppet client.

Update The Puppet Server
~~~~~~~~~~~~~~~~~~~~~~~~

At the time of writing the latest Puppet version 0.25.1 was only
available at http://tmz.fedorapeople.org/repo/puppet/epel/5/i386/.

Download the required packages to the SL51 psi-beta repository first::

    # wget http://tmz.fedorapeople.org/repo/puppet/epel/5/i386/puppet-server-0.25.1-0.3.el5.noarch.rpm
    # wget http://tmz.fedorapeople.org/repo/puppet/epel/5/i386/puppet-0.25.1-0.3.el5.noarch.rpm

Then log in to a test server and stop the puppetmaster daemon::

    # /etc/init.d/puppetmaster stop

Because `/etc/puppet/` is on AFS, root has no write permissions.
So, first unmount `/etc/puppet` from AFS, then run `yum update` using
the psi-beta repository, and remount `/etc/puppet`::

    # umount /etc/puppet
    # yum --enablerepo=psi-beta update puppet-server
    # mount -o bind /afs/psi.ch/service/linux/puppet/etc/puppet /etc/puppet

Set the following options in `/etc/init.d/puppetmaster`::

    PUPPETMASTER_OPTS="-v -d -l /var/log/puppet/puppetmaster.log"

Finally, restart the service and test it with a client::

    # /etc/init.d/puppetmaster start

Log in to a client and run puppetd::

    # puppetd --test

Update The Puppet Client
~~~~~~~~~~~~~~~~~~~~~~~~

Basically, the 0.24.x clients should be compatible with the 0.25.x
server. However, there are some changes between the versions that
might cause trouble. Thus, the puppet clients should be updated, too.

On a SL51 client run::

    # yum --enablerepo=psi-beta update puppet

On a SL54 client run::

    # yum update puppet

As soon as the client is updated, its `puppet.conf` needs some
modifications, because the "factsync" option is deprecated
and replaced by "pluginsync" in the 0.25.x versions.

`/etc/puppet/puppet.conf` on a 0.25.x client: "factsync" is replaced
by "pluginsync", factpath is set (not clear whether the latter is
necessary)::

    [main]
        vardir = /var/puppet
        logdir = /var/log/puppet
        rundir = /var/run/puppet
        ssldir = $vardir/ssl
        pluginsync = true
        factpath = $vardir/lib/facter
        environment = DesktopSL5Unstable

    [puppetd]
        report = true
        classfile = $vardir/classes.txt
        localconfig = $vardir/localconfig
        server = psi-puppet1.psi.ch

Furthermore, the directory structure on the server for placing facts
has changed. The new structure when using modules and environments is
illustrated below, taking the environment "DesktopSL5Unstable" as an
example.

The modulepath for DesktopSL5Unstable is::

    modulepath = /var/puppet/environments/DesktopSL5Unstable/modules

A stub module called "custom" has to be created in the "$modulepath"
subdirectory to keep the files::

    $modulepath/custom/
    `-- lib/
        |-- facter/
        |   `-- sysconfig_psi_desktop.rb
        `-- puppet/
            |-- provider/
            `-- type/

This subdirectory tree under custom is implicitly searched by the
puppet server.

**Notes**:

If you have both the new and the old variant for keeping facts and
option "pluginsync" is enabled, only the new script location will be
considered.

If you run only the old variant for keeping facts::

    $modulepath/facts/files/somescript.rb

with option "factsync" enabled, they will be loaded giving out a
warning "... use pluginsync instead of factsync ..."

For more information see
http://reductivelabs.com/trac/puppet/wiki/PluginsInModules.
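
After the update, each client's `puppet.conf` can be checked for the
migration described above and for the master it points at, since a
client pulls its plugins and catalog from whatever `server` names. The
script below is an added example, not part of the original guide; the
function names and the "old" sample configuration are constructed, and
the expected server name is passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# check_puppet_conf EXPECTED_SERVER: read a client puppet.conf on stdin and
# report a leftover "factsync", a missing "pluginsync = true" and a "server"
# other than EXPECTED_SERVER. Exit status: 0 = clean, 1 = findings.
check_puppet_conf() (
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*\[/    { sec = $0; gsub(/[^A-Za-z0-9_]/, "", sec); next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "factsync") { print "[" sec "] factsync is deprecated"; bad = 1 }
            if (key == "pluginsync" && val == "true") plug = 1
            if (key == "server") {
                srv = 1
                if (val != want) { print "[" sec "] server is " val ", expected " want; bad = 1 }
            }
        }
        END {
            if (!plug) { print "pluginsync = true is not set"; bad = 1 }
            if (!srv)  { print "server is not set"; bad = 1 }
            exit bad + 0
        }
    '
)

# The 0.25.x client configuration shown above, shortened.
new_conf() {
    cat <<'EOF'
[main]
pluginsync = true
factpath = $vardir/lib/facter
[puppetd]
report = true
server = psi-puppet1.psi.ch
EOF
}

# Constructed pre-0.25 client configuration, for comparison.
old_conf() {
    cat <<'EOF'
[main]
factsync = true
[puppetd]
server = pxeserv01.psi.ch
EOF
}
```

On a client, run `check_puppet_conf psi-puppet1.psi.ch < /etc/puppet/puppet.conf`; each finding is printed on its own line.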