Configuring puppet on Solaris 11
This article provides a simple reference guide to getting various portions of puppet working on the Solaris 11 operating environment.
In a nutshell, puppet is usually configured to use a client/server architecture where nodes (agents) periodically connect to a centralized server (master), retrieve configuration information, and apply it. The Puppet master controls the configuration that is applied to each connecting node.
Note: You must ensure time synchronization between puppet master and agents!
We will for the purpose of this article use a single master (master.fqdn) and a single node (agent1.fqdn).
Firstly, install puppet on the master and agent from the regular Solaris repository:
# pkg install puppet
Configure puppet master:
master# svccfg -s puppet:master setprop config/server = master.fqdn
master# svccfg -s puppet:master refresh
master# svcadm enable puppet:master
master# svcs puppet
STATE          STIME    FMRI
disabled       Aug_30   svc:/application/puppet:agent
online         Aug_30   svc:/application/puppet:master
Configure puppet agent:
agent1# svccfg -s puppet:agent setprop config/server = master.fqdn
agent1# svccfg -s puppet:agent refresh
Create SSL keys/certs and test on puppet agent:
agent1# puppet agent --test --server master.fqdn
Info: Creating a new SSL key for agent1.fqdn
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent1.fqdn
Info: Certificate Request fingerprint (SHA256): 14:20:1E:C8:D8:78:1D:DF:9C:92:75:F2:72:C6:61:61:AC:56:82:06:FC:A4:6D:5E:DA:5F:7E:12:80:5B:90:A9
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
List and sign SSL cert on master:
master# puppet cert list
"agent1.fqdn" (SHA256) 28:20:1E:C8:D8:78:1D:DF:6G:92:75:F2:72:C6:61:61:AC:56:82:06:FC:A4:6D:5E:DA:5F:7E:12:80:5B:90:A9
master# puppet cert sign agent1.fqdn
Notice: Signed certificate request for agent1.fqdn
Notice: Removing file Puppet::SSL::CertificateRequest agent1.fqdn at '/etc/puppet/ssl/ca/requests/
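The fingerprint the agent prints when it creates its request and the one "puppet cert list" shows on the master describe the same CSR, so they should be compared before "puppet cert sign" is run. The script below is an added example, not part of the original article; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): approve "puppet cert sign"
# only when the CSR fingerprint the agent printed equals the one the master lists.

# Print the first SHA256 fingerprint found in a line of puppet output: a word of
# exactly 95 characters (32 hex bytes joined by colons) made only of hex digits
# and colons. Exits non-zero when the line has none.
extract_fp() (
    set -f    # the line is split into words unquoted; keep globbing off
    for word in $1; do
        case $word in *[!0-9A-Fa-f:]*) continue ;; esac
        [ "${#word}" -eq 95 ] || continue
        printf '%s\n' "$word" | tr 'a-f' 'A-F'
        exit 0
    done
    exit 1
)

# Succeed only if both lines carry a well-formed fingerprint and they are equal.
csr_matches() {
    agent_fp=$(extract_fp "$1") || return 1
    master_fp=$(extract_fp "$2") || return 1
    [ "$agent_fp" = "$master_fp" ]
}

# Constructed sample values, not taken from a real host.
FP="3A:7F:10:C4:9E:22:5B:D1:08:6C:F3:47:B9:0D:E5:71:2C:84:A6:1F:D8:53:09:BE:60:97:4A:E2:15:CB:7D:36"
AGENT_LINE="Info: Certificate Request fingerprint (SHA256): $FP"
MASTER_LINE="\"agent1.fqdn\" (SHA256) $FP"
# A request under the same name whose fingerprint differs in the first byte.
OTHER_LINE="\"agent1.fqdn\" (SHA256) 4B${FP#3A}"
# A non-hex character ("6G") means the value was mistyped or altered.
BAD_LINE="\"agent1.fqdn\" (SHA256) ${FP%36}6G"

for line in "$MASTER_LINE" "$OTHER_LINE" "$BAD_LINE"; do
    if csr_matches "$AGENT_LINE" "$line"; then
        echo "match: sign the request"
    else
        echo "no match: leave the request unsigned"
    fi
done
```

In practice the first argument is the "Certificate Request fingerprint" line copied from the agent's terminal and the second is the matching line of "puppet cert list" output on the master.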
Re-test and start agent
agent1# puppet agent --test --server master.fqdn
Info: Caching certificate for agent1.fqdn
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for agent1.fqdn
Info: Retrieving plugin
Notice: /File[/var/lib/puppet/lib/puppet]/ensure: created
[...]
Info: Caching catalog for agent1.fqdn
Info: Applying configuration version '1409387460'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.09 seconds
agent1# svccfg -s puppet:agent setprop config/server = master.fqdn
agent1# svccfg -s puppet:agent refresh
agent1# svcadm enable puppet:agent
Example
Now that the connectivity tests between the master and agent are completed, we will manage /etc/hosts by creating a puppet module called etchosts which delivers an /etc/hosts file.
On the puppet master:
master# mkdir /etc/puppet/modules/etchosts
master# mkdir /etc/puppet/modules/etchosts/files
master# mkdir /etc/puppet/modules/etchosts/manifests
master# cp /etc/hosts /etc/puppet/modules/etchosts/files/hosts
Now enable the module for /etc/hosts
master# cat > /etc/puppet/modules/etchosts/manifests/init.pp <<_EOT_
class etchosts {
  file { "/etc/hosts":
    source => 'puppet:///modules/etchosts/hosts',
  }
}
_EOT_
Now simply create a file which includes the nodes definition file:
master# cat > /etc/puppet/manifests/site.pp <<_EOT_
import 'nodes.pp'
_EOT_
Now define the behaviour of the default node:
# echo "10.1.1.13 agent2.fqdn agent2" >> /etc/puppet/modules/etchosts/files/hosts
Now log into the agent and check the current /etc/hosts:
agent1$ cat /etc/hosts
[...]
10.1.1.12 agent1.fqdn agent1
At this stage the additional line isn't in the local hosts file. We can wait for 1800 seconds (max timeout) or we can force the update, for example:
agent1# puppet agent --test --server master.fqdn
Info: Retrieving plugin
Info: Caching catalog for agent1.fqdn
Info: Applying configuration version '1409387460'
Notice: /Stage[main]/Etchosts/File[/etc/hosts]/content:
--- /etc/hosts Sat Aug 30 08:10:32 2014
+++ /tmp/puppet-file20140830-8490-tfgwja Sat Aug 30 08:10:02 2014
@@ -11,2 +11,3 @@
 10.1.1.12 agent1.fqdn agent1
+10.1.1.13 agent2.fqdn agent2
Info: /Stage[main]/Etchosts/File[/etc/hosts]: Filebucketed /etc/hosts to puppet with sum 38f6c964aab77edb2ff938094f13e2d0
Notice: /Stage[main]/Etchosts/File[/etc/hosts]/content: content changed '{md5}38f6c964aab77edb2ff938094f13e2d0' to '{md5}49b07e8c62ed409a01216bf9a35ae7ae'
Notice: Finished catalog run in 0.60 seconds
Now we can check the local /etc/hosts file again:
agent1$ cat /etc/hosts
[...]
10.1.1.12 agent1.fqdn agent1
10.1.1.13 agent2.fqdn agent2
et voila ... The changes have been populated on the agent ... Happy hunting....
Troubleshooting
The puppet master and agent services log most activity to the syslog service. The syslog configuration dictates where these messages are saved. In Oracle Solaris 11, the default location is the /var/adm/messages directory. However, Puppet service logs are stored in the following locations:
- For the puppet daemon, logs are stored in:
- /var/log/puppet/puppet-master.log
- /var/log/puppet/puppet-agent.log
- For puppet SMF service instances, the logs are stored in:
- /var/svc/log/application-puppet:master.log
- /var/svc/log/application-puppet:agent.log
Conclusion
Puppet is an excellent tool for administrators who want to enforce configuration management across a wide range of platforms in their data centers. This article briefly touched on a small fraction of the capabilities of Puppet. Solaris administrators can now benefit from the type of automation they have achieved on Linux-based platforms previously.