X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fhowto%2Fpuppet-setup.mdwn;h=dfdeee64b2dd7ef43db754a268c0ee593df15882;hb=49e7b079d69fea75e597e857865905acc654b8e7;hp=ba948a7a73cd16b044b3b6cc00574d82420757db;hpb=73e69cf296d9aeaa0bf9c037844d35cd4ff1fd59;p=mirror%2Fdsa-wiki.git diff --git a/input/howto/puppet-setup.mdwn b/input/howto/puppet-setup.mdwn index ba948a7..dfdeee6 100644 --- a/input/howto/puppet-setup.mdwn +++ b/input/howto/puppet-setup.mdwn 
@@ -5,7 +5,56 @@ configuration of samhain, munin, apt, and exim (although more to come - this list is likely to get out of date quickly). To set up a new host to be a puppet client, do the following: - : ::client:: && apt-get install puppet && + +Make sure you have set up the IP address for the new machine in ud-ldap. +After that run puppet on puppetmaster once, so the ferm config get +adjusted. + + : __handel__ && puppetd -w 5 -t --factsync --environment=production + + : ::client:: && echo 'deb http://mirror.netcologne.de/debian-backports/ lenny-backports main' > /etc/apt/sources.list.d/backports.org.list && + apt-key add - << EOF && + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: GnuPG v1.4.9 (GNU/Linux) + + mQGiBEMIgw4RBADueqAzlq+rQT9JYSSWnNzo6C+9crI8lzW/fcl2Q3PO97MOQTOx + Qsf/lOh0Ku7O+VdBa+BwVPuUkSw6wTY5Ku1y/6r1BQzJ9oHkryDDJXsHzKhpdyFc + /lD4hNGqRkiNg5ulwAI0O1eqffPWDmeR9ZzSsqM40f1U4TNLfPAu1viWxwCgnbWz + onY6RqSYlRsDQaPsNTwieVEEAJeX2FGgNepD1SvfEremAkWCrYYlSZI76iTIf6bd + kGkWqIT0vJyE2MNenhDJ2ebbHJVFmL9x8S3m1daC4Zwnacm7aoCY/QgMJ+Js1Fex + Acev48W9KHgpVbFMd1t8KAwRbmFcQf0C/FZUbE7xScpTxS4z3SsMOuRyfnGpDOi6 + m/SnA/9wpquf3pPwbPykzKWNJEDouiJgt0zaFLauKDPeyTWeJ6htaAPDglArewdq + bJ9M8QgLFtzjhg/fBQlRRUk7YP4OYtp1OdPkg2D/1rPQNySWlDf21T3N/K8ydKhR + bYi+AsPuJLQUi3d+lVTFOebaL9felePvDC2/Eod7PSD1/rnkZ7Q0QmFja3BvcnRz + Lm9yZyBBcmNoaXZlIEtleSA8ZnRwLW1hc3RlckBiYWNrcG9ydHMub3JnPohGBBAR + AgAGBQJDgImkAAoJEHFe1qB+e4rJ2x4An2oI4xJpDvOx8uDIo9ihG1M0MpUqAJ9S + cqVUmiyYSPtu8MwcZecy9kmOIYheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD + FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AniaEBvlr4oVFMrGgPiye7iE/jv68AJ48 + OkIfwcKJt7N8ImPAboeimFvWgIheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD + FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AnjdB14rGa/rzz1ohwsi1oEnDRYuyAJ44 + Nv8MTPjOaeEZArQ0flg8OXwF34hGBBARAgAGBQJEeI+KAAoJEHvDNTBle/A9pDwA + mwVpbaoH1hebV4MgXIpRvTQiL2keAJ9ryd2LvhbPd5EZM1C3Nsar2/2CgIhGBBAR + AgAGBQJHE7HYAAoJEGvFvIY3KyPVlwEAoJyGuJ/SsJTlyIVbulWYp3U/uZQTAJ4l + 40SrE/wwDeSIrhWNkmmNPbnz54hGBBARAgAGBQJHKneLAAoJEBRrPPJWJbOATcsA + 
n3I8y3pJN6jkmnhUQepfa7jJoDY2AKClHVXYuNZpc2jZKyruwgwck+jCabkCDQRD + CIMREAgAzXu6DGSDAz4JH+mlthtiQwNZFU8bjWanGT3DL6zubxwc3ZQmRaMOiVuv + JUuaJv8fdGRSvp09dP2/x5mzq2rACiEnDwZssNSK5sigxgy2W9zeO9bOtg6bhqZL + wlsL8Y2xZhyGL3qGeP4zL1QbXZ1QdJuO90Xu7GWYS6Wsj+Y6dUsZFYvTZwSiLkEm + gFUTxkNue3DQtZ/KNkwoKc+aqU+S7gDNStQDvTNtR6IV11KbKcY1iQ0B2bkh4zSh + WwloIr83V6huAhfH8GA7UW6saRJAof5DJWUb+PRmU2TAOOlyZoM4nMH+sFFDPOeG + 8fbecwlox5BRTMqcCB5ELbQXoVZT+wADBQf/ffI9R53f9USQkhsSak+k82JjRo9h + qKAvPwBv3fDhMYqX3XRmwgNeax2y6Ub0AQkDhIC6eJILP5hTb2gjpmYYP7YE/7F1 + h37lUg7dDYeyPQF54mUXPnIg3uQ/V9HBTY+ZW8rsVe1KRvPAuVFU77FfCvIFdLSX + Vi1HSUcGv9Y7Kk4Tkr7vzKshlcIp6zZrO0Y3t/+ekBwTTQqEoUylVYkCSt3z6bjp + VWbepkL88rbqJnPueTATw9shjbFYaND8cXZox9tQmlOIZ6gDeH1YvFf7ObRLxULm + 7C6hwik6agtXWkNABVXSxM6MB4hcP9QC+FEhK6y/7wC3SyNRBuFujDG1aohJBBgR + AgAJBQJDCIMRAhsMAAoJEOqOiyEWuhNsVVMAoJ1gbL0PHVf7yDwMjO3HuJBErxLd + AJ4v9ojJnvJu2yUl4W586soBm+wsLg== + =n4L0 + -----END PGP PUBLIC KEY BLOCK----- + EOF + apt-get update && + apt-get install --no-install-recommends puppet/lenny-backports libaugeas-ruby1.8/lenny-backports augeas-lenses/lenny-backports && /etc/init.d/puppet stop && puppetd -w 5 --debug -t --factsync 
@@ -14,17 +63,21 @@ client cert. Now is the time to abort if you are getting cold feet. Compare incoming csr request: on handel: - : __handel__ && echo -n 'Client name: ' && read client && + + : __handel__ && echo -n 'Client name: ' && read client && sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem on new client: - : ::client:: && sha1sum /var/lib/puppet/ssl/csr_$(hostname).debian.org.pem + + : ::client:: && sha1sum /var/lib/puppet/ssl/certificate_requests/$(hostname).debian.org.pem If you're satisfied, sign the request on handel with: - : __handel__ && puppetca --sign $client.debian.org + + : __handel__ && puppetca --sign $client.debian.org bootstrap client knowledge of puppet ca: on handel: - : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && + + : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && cat /var/lib/puppet/ssl/certs/ca.pem && echo 'EOF' && echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " && 
@@ -32,21 +85,27 @@ on handel: echo 'EOF' and execute this on the client. - : ::client:: copy paste the thing you just created on handel + + : ::client:: copy paste the thing you just created on handel If this is a busy mail host, you might want to stop exim before proceeding although the config files should remain identical before and after. Then run (this will change the configs in /etc): - : ::client:: && puppetd -w 5 --debug -t --factsync + + : ::client:: && puppetd -w 5 --debug -t --factsync This run will start puppet after reconfiguring it, so if you are unhappy with what just happened, you'll need to stop it again to do repair. -Finally, for some reason, the switch to puppet seems to heavily confuse -samhain (possibly the config file getting changed out from under it?). +Double check apt - the puppet setup usually results in duplicate apt +sources, since we ship a few under sources.list.d. Remove any unnecessary +entries from sources.list. + +We ship a samhain config file that includes /lib and /usr/lib. This will +almost certainly be different than the config file on the machine, so it +will result in 1000s of files changed. You may need to run samhain update after getting puppet going. -When you're happy with everything, add teh new host to the puppet -hostgroup in dsa-nagios. +# vim:textwidth=72 sw=8 ts=8 et
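Review bot: in the first hunk (@@ -5,7 +5,56 @@), the `apt-key add - << EOF` step gives the operator nothing to check the pasted key against. The page carries the armored block but no fingerprint, and the backports archive is fetched over plain http from a mirror, so this key is the only integrity control on the puppet packages being installed. Please state the key's full fingerprint next to the block and add a step to compare it (for example with `apt-key finger`) before `apt-get update`. Note also that `apt-key add` trusts the key for every configured source, not only the backports line. Minor: "so the ferm config get adjusted" should read "gets adjusted".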
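Review bot: in the second hunk (@@ -14,17 +63,21 @@), the new client-side path `certificate_requests/$(hostname).debian.org.pem` assumes `hostname` prints the short name, while the handel side uses the name typed into `read client`. On a host where `hostname` returns the FQDN the file will not be found, so `$(hostname -s)` would be safer here. Since this digest comparison is the only check made before `puppetca --sign`, it is also worth switching both sides from `sha1sum` to `sha256sum` while the line is being touched. The later `puppetca --sign $client.debian.org` relies on `$client` still being set from the earlier `read`; a short reminder to run it in the same shell would avoid signing with an empty name.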
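Review bot: in the third hunk (@@ -32,21 +85,27 @@), the closing step "add teh new host to the puppet hostgroup in dsa-nagios" is removed with no replacement. If that step is still required, please keep it (with the typo fixed) so new hosts do not end up unmonitored. The new samhain paragraph tells the operator to expect "1000s of files changed" and then run a samhain update; it should say to review the report first, since the update accepts every reported change into the baseline. The added `# vim:textwidth=72 sw=8 ts=8 et` line will render as a top-level heading in a .mdwn page, so it would be better placed in a comment form the wiki does not render.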