Tuesday, February 11, 2014

Credentials-Password

In this post we will learn how to set a user's password on clients via Puppet. This looks like an easy task, but it is not.

Before we start setting a password for a user, let's look at some of the important files in /etc/puppet on the master server: auth.conf, fileserver.conf and puppet.conf.

We will also cover how to share/transfer a file to a client via Puppet.
All files to be shared go in the /etc/puppet/files directory; create it if it does not exist. The directory does not have to carry this name, but we will stick to it.

Edit file /etc/puppet/fileserver.conf

Add the lines below at the end of the file. You could also search for the MOUNT POINTS section and uncomment the example there, but appending at the end is tidier. Note that allow * admits every node holding a certificate signed by this master; unless every node really should be able to read everything in this mount, restrict it to your node domain (for example allow *.puppet.com) instead of *.


[files]
   path /etc/puppet/files
   allow *

Edit file /etc/puppet/auth.conf

Add the lines below under the "path /file" section, not above it. Keep in mind how auth.conf is evaluated: top to bottom, and the first rule that matches a request wins. The stock "path /file" rule is a prefix match that already covers every /file_metadata and /file_content request, so a stanza placed after it is never consulted; placed before it, it becomes the effective rule, which is stricter and therefore harder to debug when the allow patterns do not match your agents' certnames. If you want this rule enforced rather than documented, move it above "path /file" and confirm with an agent run.


# Only file_metadata/file_content requests for the [files] mount.
path ~ ^/file_(metadata|content)/files/
auth yes
# Certnames under puppet.com; the dot before "com" is escaped so it matches a literal dot.
allow /^(.+\.)?puppet\.com$/
allow_ip 192.168.1.0/24

In our case 192.168.1.0/24 is the private range and puppet.com the domain; set these to match your environment.

Edit file /etc/puppet/puppet.conf

In the [main] section add the following parameter:

pluginsync = true

After doing all necessary changes, restart service for puppet master.

On master server : CentOS

/etc/init.d/puppetmaster restart

Let's move on to setting the password in the /etc/shadow file. We tried a lot of methods to set the password, but eventually the method that worked is described below.

First, we create a shell script and place it in the files directory under /etc/puppet.
The script looks up the second field of the user's /etc/shadow entry: if that field is "!" (no password set yet) it exits 0 so that the change-password command, chpasswd, runs; otherwise it exits 1 and chpasswd is not executed.

Create and edit file /etc/puppet/files/shadow.sh

#!/bin/bash
# Usage: shadow.sh <username>
# Exit 0 (let the exec run chpasswd) only when the user's /etc/shadow password
# field is still "!", the value Ubuntu's useradd leaves when no password was set
# (CentOS writes "!!"). Exit 1 otherwise so a set password is never overwritten.

user="$1"
[ -n "$user" ] || exit 1

# Anchor on the full login name: a bare "grep $1" would also match demo2.
rc=$(/bin/grep "^${user}:" /etc/shadow | awk -F':' '$2 == "!"' | wc -l)

if [ "$rc" -eq 0 ]
then
    exit 1
else
    exit 0
fi

Edit file /etc/puppet/modules/accounts/init.pp

In this file we add a file resource and an exec resource to the accounts class. The file resource copies the script created above to the client, and the exec runs chpasswd on the client with the username and password. To stop the password in /etc/shadow from being overwritten on every agent run, the exec has an onlyif attribute that calls the script with the username: the exec runs only when the script finds "!" in the second shadow field, i.e. when no password has been set yet. Be aware of what this design costs you: the plaintext password sits in the manifest on the master and in every catalog compiled from it, and if the exec ever fails, Puppet logs the complete command, password included. Treat it as a bootstrap password the user must change on first login, not as a secret.

Also note that the client needs a directory to receive the script. Our Ubuntu client already has /etc/puppet/templates, so we put it there; the location can be anything you like, but the path in the file resource and the path in the exec's onlyif must be the same.


class accounts {

  # The exec below runs this script as root, so it must be owned by root and
  # writable by nobody else: with mode 0777 any local user could replace it
  # with their own commands and have Puppet run them as root.
  file { '/etc/puppet/templates/shadow.sh':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
    source => 'puppet:///files/shadow.sh',
  }

  @accounts::system { 'demo':
    comment  => 'demo users',
    password => '*',   # required by the accounts::system define
  }

  # Runs only while the shadow field is still "!" (see shadow.sh).
  exec { 'demo':
    command  => 'echo "demo:password@123" | /usr/sbin/chpasswd',
    provider => 'shell',
    onlyif   => '/etc/puppet/templates/shadow.sh demo',
    require  => File['/etc/puppet/templates/shadow.sh'],
  }
}


Edit file /etc/puppet/manifests/nodes/client2.pp

node 'client2.puppet.com' {
    include accounts
    realize (Accounts::System['demo'])
    }

Now compile the manifests on the master. This is a check rather than a deployment step: the master re-reads the manifests whenever it compiles a catalog for an agent, so agents pick up the change on their next run either way. puppet apply also applies the master's own node definition, which is empty, so nothing changes on the master itself.

On master server : CentOS


papply 
Notice: Compiled catalog for server.puppet.com in environment production in 0.16 seconds
Notice: Finished catalog run in 0.11 seconds


Now let's move to the client and fetch the changes.

On client server : Ubuntu


pagent 
Info: Retrieving plugin
Info: Caching catalog for client2.puppet.com
Info: Applying configuration version '1392108081'
Notice: /Stage[main]/Accounts/Accounts::System[demo]/User[demo]/ensure: created
Notice: /Stage[main]/Accounts/Exec[demo]/returns: executed successfully
Notice: Finished catalog run in 3.05 seconds


Monday, January 27, 2014

User Management

Now that we have seen how the directory and file structure should look under Puppet management, let's discuss user management: creating local users on clients, a daily task for a system administrator.

Change directory to /etc/puppet/modules and create a folder accounts with a sub-folder manifests, i.e. /etc/puppet/modules/accounts/manifests.

We will create two files, init.pp and system.pp. Be careful with directory and file names: the autoloader locates classes and defined types by them, so a wrong name means the configuration is simply not found.

Create and edit file - /etc/puppet/modules/accounts/manifests/system.pp


define accounts::system ($comment, $password) {
  user { $title:
    ensure     => 'present',
    comment    => $comment,
    shell      => '/bin/bash',
    managehome => true,
  }
}


The file above defines the type accounts::system so that every user gets the home directory and shell we specify rather than the defaults useradd would pick. It also takes comment and password parameters, since these vary from user to user and cannot be constants. Note that, as written, the user resource consumes $comment but not $password: the value passed in init.pp below ('*', which as a shadow field means no password login) is accepted but not applied. Puppet's user type does have a password attribute for this; it expects a crypt hash, never a plaintext password.

For example, if we create a user on Ubuntu with the useradd utility by hand, we end up with /bin/sh as the shell unless we pass -s explicitly.


Create and edit file - /etc/puppet/modules/accounts/manifests/init.pp


class accounts {
   
   @accounts::system { 'demo':
       comment      => 'demo users',
       password     => '*',
   }
}
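As an added example (not code from the original posts), here is a version of accounts::system that actually passes the $comment and $password parameters it declares to the user resource, so the password is managed by Puppet's user type as a crypt hash. This also addresses the Credentials-Password post above: with the hash managed here, the shadow.sh/chpasswd exec must be dropped, because the user resource and the exec would disagree about what the shadow field should contain. Assumptions not found in the original: the ops account and the /bin/bash default are illustrative, the hash string is a placeholder, and the agents are Linux hosts using the useradd provider with the ruby-shadow library installed, which that provider needs in order to manage passwords.

```puppet
# Added example, not code from the original posts: accounts::system reworked so
# that the comment and password parameters it declares are really applied, and
# the password is managed by Puppet's user type as a crypt(3) hash instead of
# being piped in plaintext to chpasswd from an exec.
#
# Assumptions (not from the page): Puppet 3.x agents on Linux using the useradd
# provider, with the ruby-shadow library installed on the agent (the provider
# needs it to manage passwords); the 'ops' account and the /bin/bash default are
# illustrative; the hash string is a placeholder, not a real hash.

define accounts::system ($comment, $password = '*', $shell = '/bin/bash') {
  user { $title:
    ensure     => present,
    comment    => $comment,
    shell      => $shell,
    managehome => true,
    # '*' is not a valid hash, so password login stays disabled. A real value is
    # a salted SHA-512 hash such as mkpasswd -m sha-512 (whois package) or
    # openssl passwd -6 (OpenSSL 1.1.1 or later) produces. Puppet rewrites the
    # shadow field only when it differs from this value, so no onlyif script
    # is needed to keep the run idempotent.
    password   => $password,
  }
}

class accounts {

  # Same declaration as in the post: no hash given, so the account is locked.
  @accounts::system { 'demo':
    comment => 'demo users',
  }

  # Hypothetical interactive account. Generate the hash on the master and paste
  # it here; single quotes keep the $6$ from being interpolated by Puppet.
  @accounts::system { 'ops':
    comment  => 'operations user',
    password => '$6$PLACEHOLDERSALT$PLACEHOLDERHASH',
  }
}
```

Realize the extra account in a node definition exactly as demo is realized, with realize(Accounts::System['ops']). The user type redacts old and new hashes in its change messages, so nothing secret reaches the agent log; the hash does still live in the manifest and the compiled catalog, so keep the manifests on the master readable only by root and the puppet user, and prefer salted SHA-512 ($6$) hashes over the old MD5 ($1$) form.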


Now that the defined type exists, we use it to declare the actual user resources: one accounts::system declaration per account we want Puppet to manage.


Once this configuration is in place, all that remains is to realize it in the nodes.

Edit file /etc/puppet/manifests/nodes/client2.pp

node 'client2.puppet.com' {
    include accounts
    realize (Accounts::System['demo'])
    }

Now compile the manifests on the master as a check (the master re-reads them for every agent catalog request anyway, and its own node definition is empty, so nothing changes on the master itself).

On master server : CentOS


papply 
Notice: Compiled catalog for server.puppet.com in environment production in 0.05 seconds
Notice: Finished catalog run in 0.06 seconds


Now let's move to the client and fetch the changes.

On client server : Ubuntu


pagent 
Info: Retrieving plugin
Info: Caching catalog for client2.puppet.com
Info: Applying configuration version '1390898484'
Notice: /Stage[main]/Accounts/Accounts::System[demo]/User[demo]/ensure: created
Notice: Finished catalog run in 0.67 seconds

Monday, January 20, 2014

Puppet Management

Let's move one step ahead, clean up site.pp and follow the directory hierarchy Puppet expects for its resources; this matters as soon as you have more than a handful of manifests.

/etc/puppet contains two important directories manifests and modules.


Puppet


.
|-- auth.conf
|-- fileserver.conf
|-- manifests
|   |-- nodes
|   |   |-- client1.pp
|   |   |-- client2.pp
|   |   `-- server.pp
|   `-- site.pp
|-- modules
|   |-- accounts
|   |   `-- manifests
|   |       |-- init.pp
|   |       `-- system.pp
|   |-- elinks
|   |   `-- manifests
|   |       `-- init.pp
|   |-- nmap
|   |   `-- manifests
|   |       `-- init.pp
|   `-- s3cmd
|       `-- manifests
|           `-- init.pp
`-- puppet.conf


Manifests


manifests
|   |-- nodes
|   |   |-- client1.pp
|   |   |-- client2.pp
|   |   `-- server.pp
|   `-- site.pp


Modules


modules
|   |-- accounts
|   |   `-- manifests
|   |       |-- init.pp
|   |       `-- system.pp
|   |-- elinks
|   |   `-- manifests
|   |       `-- init.pp
|   |-- nmap
|   |   `-- manifests
|   |       `-- init.pp
|   `-- s3cmd
|       `-- manifests
|           `-- init.pp

Edit file /etc/puppet/manifests/site.pp


import 'nodes/*.pp'

Create the directory /etc/puppet/manifests/nodes and, inside it, one file per node named after the host prefix; in our case:

server.puppet.com - server.pp
client1.puppet.com - client1.pp
client2.puppet.com - client2.pp

Edit file /etc/puppet/manifests/nodes/server.pp

node 'server.puppet.com' {
    }

Edit file /etc/puppet/manifests/nodes/client1.pp


node 'client1.puppet.com' {
    }

Edit file /etc/puppet/manifests/nodes/client2.pp


node 'client2.puppet.com' {
    }


Now let's create modules for the packages to be installed on the clients.
We used nmap in the previous post, so let's take it again.

Change to directory /etc/puppet/modules

Create a directory named after the package to be installed on the clients, with a sub-directory named manifests inside it.

Modules


|-- nmap
|   `-- manifests

Next we create the init.pp file. The Puppet autoloader convention requires every module to contain an init.pp that defines a class (or defined type) with the same name as the module.

Create and edit file /etc/puppet/modules/nmap/manifests/init.pp


class nmap {
case $operatingsystem {
        centos, redhat: {
        package { "nmap":
        ensure => installed,
        }
      }
        debian, ubuntu: {
        package { "nmap":
        ensure => installed,
        }
      }
     }
    }

Now let's go back to the main manifests directory holding the nodes and include the package class.

Edit file /etc/puppet/manifests/nodes/client2.pp


node 'client2.puppet.com' {
    include nmap
    }

Before applying the changes, let's create two small wrapper scripts: one on the master to compile and apply site.pp locally, and one on the client to trigger an agent run.

On master server : CentOS

Create and edit file - /usr/bin/papply


#!/bin/bash

/usr/bin/puppet apply -v  /etc/puppet/manifests/site.pp


On client server :Ubuntu

Create and edit file - /usr/bin/pagent


#!/bin/bash 

/usr/bin/puppet  agent -v --test


On master server : CentOS


papply 
Notice: Finished catalog run in 0.07 seconds


On client server :Ubuntu


pagent 
Info: Retrieving plugin
Info: Caching catalog for client2.puppet.com
Info: Applying configuration version '1390207277'
Notice: Finished catalog run in 0.41 seconds
                                       

Saturday, January 11, 2014

Basic Puppet Programs - Manifest

Puppet programs are called "manifests" and use the .pp file extension.

site.pp: first file that the Puppet Master parses when determining a server’s catalog. It imports all the underlying subdirectories and the other special files in this directory. It also defines any global defaults, such as package managers as per http://projects.puppetlabs.com/projects/1/wiki/Puppet_Best_Practice2

To begin with, let's start defining things in the first file the Puppet master parses.

site.pp must contain a node definition for every node, the master as well as the clients (or a default node): an agent whose certname matches no node definition fails its run with a "Could not find default node or by name" error from the master.

On master server - CentOS

Create file - /etc/puppet/manifests/site.pp


node 'server.puppet.com' {
    }

node 'client1.puppet.com', 'client2.puppet.com' {
     }

Now let's move further and introduce the packages we need to install on the clients.

Because the clients run Ubuntu while the master runs CentOS, we select the package by the $operatingsystem fact with a case statement. Both branches below install the same package name, so the case is redundant for nmap and elinks; it is the place for distribution-specific package names when they differ.


Packages to be installed - nmap and elinks.

Edit file /etc/puppet/manifests/site.pp


node 'server.puppet.com' {
    }

node 'client1.puppet.com', 'client2.puppet.com' {
      include nmap
      include elinks
    }

class nmap {
case $operatingsystem {
        centos, redhat: {
        package { "nmap":
        ensure => installed,
        }
      }
        debian, ubuntu: {
        package { "nmap":
        ensure => installed,
        }
      }
     }
    }

class elinks {
case $operatingsystem {
        centos, redhat: {
        package { "elinks":
        ensure => installed,
        }
      }
        debian, ubuntu: {
        package { "elinks":
        ensure => installed,
        }
      }
     }
    }

Note : In the nodes section above we included the nmap and elinks classes for the clients only, not for the master, and both classes are defined below the node definitions.

Now compile the manifests on the master. This is a check rather than a deployment step: the master re-reads site.pp whenever it compiles a catalog for an agent, and its own node definition is empty, so nothing changes on the master itself.


puppet apply -v  /etc/puppet/manifests/site.pp
info: Applying configuration version '1389452030'
notice: Finished catalog run in 2.43 seconds


Now let's move to the client and fetch the changes.

On client server : Ubuntu


puppet agent -v --test
info: Caching catalog for client2.puppet.com
info: Applying configuration version '1389452959'
notice: /Stage[main]/Elinks/Package[elinks]/ensure: created
notice: /Stage[main]/Nmap/Package[nmap]/ensure: ensure changed 'purged' to 'present'
notice: Finished catalog run in 16.69 seconds


Note : The agent checks in with the master every 30 minutes by default (the runinterval setting), so any change on the master reaches the client on its next scheduled run; puppet agent --test forces a run immediately.


Friday, January 10, 2014

Puppet Configuration ( Setting up Master Server and Client Servers )

Setting up Master Puppet Server and Client Puppet Servers



Puppet as per dictionary means " a movable model of a person or animal that is typically moved either by strings controlled from above or by a hand inside it. "

To set up a Puppet master and clients, we will use an example in which the master runs CentOS and the clients run Ubuntu.

Master - server.puppet.com
Client 1 - client1.puppet.com 
Client 2 - client2.puppet.com

Configuration to be done before installing any packages:

On master server : CentOS

Edit file /etc/sysconfig/network


HOSTNAME=server.puppet.com



service network restart
hostname server.puppet.com


Edit file /etc/hosts


127.0.0.1   server.puppet.com localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

192.168.1.28 server.puppet.com
192.168.1.10 client1.puppet.com
192.168.1.19 client2.puppet.com


On client server : Ubuntu

 Edit file /etc/hostname


client1.puppet.com



/etc/init.d/hostname restart
hostname client1.puppet.com




Edit file /etc/hosts


127.0.0.1       client1.puppet.com localhost

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.10 client1.puppet.com
192.168.1.28 server.puppet.com


Now let's move on to installing the necessary packages on both servers.

On master server : CentOS


yum install puppet-server
/etc/init.d/puppetmaster start

On client server : Ubuntu
  
apt-get install puppet
/etc/init.d/puppet start

telnet server.puppet.com 8140
Trying 192.168.1.28...
Connected to server.puppet.com.
Escape character is '^]'.
^]q

telnet> q
Connection closed.



Let's move on to configuration, and to generating and signing certificates.


On client server : Ubuntu

Configuration - Edit file  /etc/puppet/puppet.conf


In [main] section add the mentioned parameter


[main]
server=server.puppet.com


/etc/init.d/puppet restart


puppet agent  --waitforcert 60 --test
info: Caching certificate for ca
info: Creating a new SSL certificate request for client2.puppet.com
info: Certificate Request fingerprint (md5): 72:B7:5B:78:46:BF:DA:6A:8F:8C:CF:62:11:93:CD:F1


The command above sends a certificate signing request (CSR) to the master. Once the agent has printed the fingerprint line, i.e.

info: Certificate Request fingerprint (md5): 72:B7:5B:78:46:BF:DA:6A:8F:8C:CF:62:11:93:CD:F1

the agent keeps polling (every 60 seconds, the value passed to --waitforcert) and does not return to the prompt until the master has signed its certificate. Meanwhile, on the master, list the pending requests and compare the fingerprint with the one the agent printed; sign only if they match, because whoever presented that CSR is trusted as that certname from then on. puppetca is the legacy command name; on Puppet 3, puppet cert list and puppet cert sign <certname> do the same.

On master server : CentOS


puppetca --list
"client1.puppet.com" (72:B7:5B:78:46:BF:DA:6A:8F:8C:CF:62:11:93:CD:F1)


puppetca --sign client1.puppet.com
notice: Signed certificate request for client1.puppet.com
notice: Removing file Puppet::SSL::CertificateRequest client1.puppet.com at '/var/lib/puppet/ssl/ca/requests/client1.puppet.com.pem'


On client server : Ubuntu

Once the master has signed the certificate, the agent command started earlier completes, and its full output looks like this:


puppet agent  --waitforcert 60 --test
info: Caching certificate for ca
info: Creating a new SSL certificate request for client2.puppet.com
info: Certificate Request fingerprint (md5): 72:B7:5B:78:46:BF:DA:6A:8F:8C:CF:62:11:93:CD:F1
info: Caching certificate for client2.puppet.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client2.puppet.com
info: Applying configuration version '1389337083'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.04 seconds