update documentation
1 # Puppet infrastructure
2
3 handel.debian.org is our current puppetmaster.  Currently, it handles
4 configuration of samhain, munin, apt, and exim (although more to come -
5 this list is likely to get out of date quickly).
6
7 To set up a new host to be a puppet client, do the following:
8
9 Make sure you have set up the IP address for the new machine in ud-ldap.
10 After that, run puppet on the puppetmaster once so that the ferm config
11 gets adjusted.
12
13         : __handel__ && puppetd -w 5 -t --factsync --environment=production  # one-off run on the puppetmaster so its ferm (firewall) config picks up the new host's address from ud-ldap
14
15         : ::client:: && echo 'deb http://mirror.netcologne.de/debian-backports/ lenny-backports main' > /etc/apt/sources.list.d/backports.org.list &&  # enable lenny-backports; the mirror is plain http, so package integrity rests on apt's signature check against the key imported below
16                 apt-key add - << EOF &&  # the pasted key becomes an apt trust anchor: check it against the key fingerprint published by backports.org before running this
17     -----BEGIN PGP PUBLIC KEY BLOCK-----
18     Version: GnuPG v1.4.9 (GNU/Linux)
19
20     mQGiBEMIgw4RBADueqAzlq+rQT9JYSSWnNzo6C+9crI8lzW/fcl2Q3PO97MOQTOx
21     Qsf/lOh0Ku7O+VdBa+BwVPuUkSw6wTY5Ku1y/6r1BQzJ9oHkryDDJXsHzKhpdyFc
22     /lD4hNGqRkiNg5ulwAI0O1eqffPWDmeR9ZzSsqM40f1U4TNLfPAu1viWxwCgnbWz
23     onY6RqSYlRsDQaPsNTwieVEEAJeX2FGgNepD1SvfEremAkWCrYYlSZI76iTIf6bd
24     kGkWqIT0vJyE2MNenhDJ2ebbHJVFmL9x8S3m1daC4Zwnacm7aoCY/QgMJ+Js1Fex
25     Acev48W9KHgpVbFMd1t8KAwRbmFcQf0C/FZUbE7xScpTxS4z3SsMOuRyfnGpDOi6
26     m/SnA/9wpquf3pPwbPykzKWNJEDouiJgt0zaFLauKDPeyTWeJ6htaAPDglArewdq
27     bJ9M8QgLFtzjhg/fBQlRRUk7YP4OYtp1OdPkg2D/1rPQNySWlDf21T3N/K8ydKhR
28     bYi+AsPuJLQUi3d+lVTFOebaL9felePvDC2/Eod7PSD1/rnkZ7Q0QmFja3BvcnRz
29     Lm9yZyBBcmNoaXZlIEtleSA8ZnRwLW1hc3RlckBiYWNrcG9ydHMub3JnPohGBBAR
30     AgAGBQJDgImkAAoJEHFe1qB+e4rJ2x4An2oI4xJpDvOx8uDIo9ihG1M0MpUqAJ9S
31     cqVUmiyYSPtu8MwcZecy9kmOIYheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD
32     FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AniaEBvlr4oVFMrGgPiye7iE/jv68AJ48
33     OkIfwcKJt7N8ImPAboeimFvWgIheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD
34     FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AnjdB14rGa/rzz1ohwsi1oEnDRYuyAJ44
35     Nv8MTPjOaeEZArQ0flg8OXwF34hGBBARAgAGBQJEeI+KAAoJEHvDNTBle/A9pDwA
36     mwVpbaoH1hebV4MgXIpRvTQiL2keAJ9ryd2LvhbPd5EZM1C3Nsar2/2CgIhGBBAR
37     AgAGBQJHE7HYAAoJEGvFvIY3KyPVlwEAoJyGuJ/SsJTlyIVbulWYp3U/uZQTAJ4l
38     40SrE/wwDeSIrhWNkmmNPbnz54hGBBARAgAGBQJHKneLAAoJEBRrPPJWJbOATcsA
39     n3I8y3pJN6jkmnhUQepfa7jJoDY2AKClHVXYuNZpc2jZKyruwgwck+jCabkCDQRD
40     CIMREAgAzXu6DGSDAz4JH+mlthtiQwNZFU8bjWanGT3DL6zubxwc3ZQmRaMOiVuv
41     JUuaJv8fdGRSvp09dP2/x5mzq2rACiEnDwZssNSK5sigxgy2W9zeO9bOtg6bhqZL
42     wlsL8Y2xZhyGL3qGeP4zL1QbXZ1QdJuO90Xu7GWYS6Wsj+Y6dUsZFYvTZwSiLkEm
43     gFUTxkNue3DQtZ/KNkwoKc+aqU+S7gDNStQDvTNtR6IV11KbKcY1iQ0B2bkh4zSh
44     WwloIr83V6huAhfH8GA7UW6saRJAof5DJWUb+PRmU2TAOOlyZoM4nMH+sFFDPOeG
45     8fbecwlox5BRTMqcCB5ELbQXoVZT+wADBQf/ffI9R53f9USQkhsSak+k82JjRo9h
46     qKAvPwBv3fDhMYqX3XRmwgNeax2y6Ub0AQkDhIC6eJILP5hTb2gjpmYYP7YE/7F1
47     h37lUg7dDYeyPQF54mUXPnIg3uQ/V9HBTY+ZW8rsVe1KRvPAuVFU77FfCvIFdLSX
48     Vi1HSUcGv9Y7Kk4Tkr7vzKshlcIp6zZrO0Y3t/+ekBwTTQqEoUylVYkCSt3z6bjp
49     VWbepkL88rbqJnPueTATw9shjbFYaND8cXZox9tQmlOIZ6gDeH1YvFf7ObRLxULm
50     7C6hwik6agtXWkNABVXSxM6MB4hcP9QC+FEhK6y/7wC3SyNRBuFujDG1aohJBBgR
51     AgAJBQJDCIMRAhsMAAoJEOqOiyEWuhNsVVMAoJ1gbL0PHVf7yDwMjO3HuJBErxLd
52     AJ4v9ojJnvJu2yUl4W586soBm+wsLg==
53     =n4L0
54     -----END PGP PUBLIC KEY BLOCK-----
55     EOF
56                 apt-get update &&  # refresh the package indexes now that the source and its key are in place
57                 apt-get install --no-install-recommends puppet/lenny-backports libaugeas-ruby1.8/lenny-backports augeas-lenses/lenny-backports libaugeas0/lenny-backports &&  # each package is pinned to lenny-backports explicitly
58                 /etc/init.d/puppet stop &&  # stop any daemon the install may have started; the next line runs puppet one-shot instead
59                 puppetd -w 5 --debug -t --factsync  # first client run: registers with the master and waits for its cert to be signed; nothing is applied until handel signs it (see below)
60
61 This will not overwrite anything yet, since handel has not signed the
62 client cert.  Now is the time to abort if you are getting cold feet.
63
64 Compare the incoming CSR (certificate signing request) fingerprints on both sides:
65 on handel:
66
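67         : __handel__ && echo -n 'Client name: ' && read -r client &&  # -r keeps backslashes in the typed name literal
68                 sha1sum "/var/lib/puppet/ssl/ca/requests/${client:?}.debian.org.pem"  # fingerprint of the pending CSR (:? aborts on an empty name instead of hashing the wrong file); compare with what the client prints below before signing anything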
69 on new client:
70
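71         : ::client:: && sha1sum "/var/lib/puppet/ssl/certificate_requests/$(hostname).debian.org.pem"  # must equal the sha1sum printed on handel for this host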
72
73 If the two fingerprints match, sign the request on handel with:
74
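75         : __handel__ && puppetca --sign "${client:?}.debian.org"  # only after both sha1sums matched: this makes the master trust the client's certificate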
76
77 Bootstrap the client's knowledge of the Puppet CA:
78 on handel:
79
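80         : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&  # prints a snippet that installs handel's CA cert on the client (the client's trust anchor for the master)
81                 cat /var/lib/puppet/ssl/certs/ca.pem &&
82                 echo 'EOF' &&
83                 echo "cat > /var/lib/puppet/ssl/certs/${client:?}.debian.org.pem << EOF " &&  # ...followed by the client's own signed certificate
84                 cat "/var/lib/puppet/ssl/ca/signed/${client:?}.debian.org.pem" &&
85                 echo 'EOF'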
86
87 and execute the generated snippet on the client.
88
89         : ::client:: paste the snippet you just generated on handel
90
91 If this is a busy mail host, you might want to stop exim before proceeding,
92 although the config files should remain identical before and after.
93
94 Then run (this will change the configs in /etc):
95
96         : ::client:: && puppetd -w 5 --debug -t --factsync  # first run with a signed cert: applies the configuration under /etc and leaves the puppet daemon running afterwards (see below)
97
98 This run will start puppet after reconfiguring it, so if you are
99 unhappy with what just happened, you'll need to stop it again before
100 making repairs.
101
102 Double-check apt - the puppet setup usually results in duplicate apt
103 sources, since we ship a few under sources.list.d.  Remove any unnecessary
104 entries from sources.list.
105
106 We ship a samhain config file that includes /lib and /usr/lib.  This will
107 almost certainly be different from the config file on the machine, so it
108 will result in thousands of files being reported as changed.
109 You may need to run a samhain update after getting puppet going.
110
111 # vim:textwidth=72 sw=8 ts=8 et