Introduction
To build the test architecture I install 16 OpenVZ containers on one machine (servtest1). See: Installation d'OpenVZ sur servtest1
Installing a Puppet server in container 200
Git configuration. Everything under /etc/puppet ends up in this repository, including the manifests that will carry password hashes later on: keep it readable by root only and do not push it to a shared remote.
git config --global user.name "Sylvain Zimmermann"
git config --global user.email "Sylvain.Zimmermann@uhp-nancy.fr"
git config --global core.editor "vim"
git config --global alias.st status
git config --global alias.ci commit
git config --global alias.co checkout
git config --global alias.br branch
git config --global alias.sl "log --graph --pretty=oneline --abbrev-commit --decorate"
git config --global color.branch auto
git config --global color.diff auto
git config --global color.interactive auto
git config --global color.status auto
# files to always ignore: vi temporary files and *~ backup files
cat > ~/.gitignore <<EOF
*~
*.swp
EOF
# git only honours ~/.gitignore once it is registered as the global excludes file
git config --global core.excludesfile ~/.gitignore
cd /etc/puppet
git init
git add .
git commit -a -m "Commit initial - /etc/puppet"
Creating the working directories for Puppet
mkdir -p /etc/puppet/environnements/{production,test,developpement}/{manifests,tools,modules,templates}
touch /etc/puppet/environnements/{production,test,developpement}/manifests/site.pp
# one bucket directory per environment, matching the bucketdir settings in puppet.conf
# (the original command created "environnement" instead of "developpement")
mkdir -p /var/lib/puppet/bucket/{developpement,production,test}
Adding the three working environments to the Puppet configuration: /etc/puppet/puppet.conf
diff --git a/puppet.conf b/puppet.conf index d35593f..56ac5fe 100644 --- a/puppet.conf +++ b/puppet.conf @@ -11,6 +11,41 @@ # The default value is '$confdir/ssl'. ssldir = $vardir/ssl + # les environnements autorisés + environments = production,developpement,test + # environnement par défaut + environment = production + +[production] + # The Puppet log directory. + # The default value is '$vardir/log'. + logdir = /var/log/puppet + + # Where Puppet PID files are kept. + # The default value is '$vardir/run'. + rundir = /var/run/puppet + + # Where SSL certificates are kept. + # The default value is '$confdir/ssl'. + ssldir = $vardir/ssl + + manifest = /etc/puppet/environnements/production/manifests/site.pp + modulepath = /etc/puppet/environnements/production/modules + templatedir = /etc/puppet/environnements/production/templates + bucketdir = /var/lib/puppet/bucket/production + +[developpement] + manifest = /etc/puppet/environnements/developpement/manifests/site.pp + modulepath = /etc/puppet/environnements/developpement/modules + templatedir = /etc/puppet/environnements/developpement/templates + bucketdir = /var/lib/puppet/bucket/developpement + +[test] + manifest = /etc/puppet/environnements/test/manifests/site.pp + modulepath = /etc/puppet/environnements/test/modules + templatedir = /etc/puppet/environnements/test/templates + bucketdir = /var/lib/puppet/bucket/test + [puppetd] # The file in which puppetd stores a list of the classes # associated with the retrieved configuratiion. Can be loaded in @@ -23,3 +58,7 @@ # extension indicating the cache format is added automatically. # The default value is '$confdir/localconfig'. localconfig = $vardir/localconfig + + report = true + reports = store,tagmail
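Review bot: `reports = store,tagmail` is added under `[puppetd]`, but `reports` is a master-side setting (the master decides which report handlers run) and is ignored in the agent section; keep `report = true` under `[puppetd]` and move `reports = store,tagmail` to `[puppetmasterd]` (`tagmail` also needs an /etc/puppet/tagmail.conf that is not shown here). In the environment blocks, `[production]` repeats `logdir`, `rundir` and `ssldir` already set in `[main]` and can be trimmed to the four environment-specific keys, and `templatedir` points at `.../templates` directories that the mkdir step never creates. Finally, `environments = production,developpement,test` is a list the agent chooses from with `--environment`: any node with a signed certificate can request the developpement catalog, so the developpement manifests must be treated as reachable by every managed node, not just by the master used for testing.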
Setting the locales correctly
cat > /etc/sysconfig/i18n <<EOF
LANG="fr_FR.UTF-8"
SYSFONT="latarcyrheb-sun16"
EOF
Making container 200 the puppetmaster, with its certificate
# point the agent at the puppetmaster
sed -i -e "s/^#PUPPET_SERVER=puppet/PUPPET_SERVER=puppet.example.test/" /etc/sysconfig/puppet
# the master's certificate is generated with the current hostname at first start,
# so set the name before starting puppetmaster (hostname only changes the running
# system; make it persistent in /etc/sysconfig/network as well)
hostname puppet.example.test
/etc/init.d/puppetmaster start
Installing diffutils
yum install diffutils
Changes to /etc/puppet/fileserver.conf to allow the filebuckets
diff --git a/fileserver.conf b/fileserver.conf index 67e387c..620b5ab 100644 --- a/fileserver.conf +++ b/fileserver.conf @@ -10,3 +10,16 @@ # allow *.example.com # deny *.evil.example.com # allow 192.168.0.0/24 + +# Pour les environnements +[developpement] + path /var/lib/puppet/bucket/developpement + allow * + +[test] + path /var/lib/puppet/bucket/test + allow * + +[production] + path /var/lib/puppet/bucket/production + allow *
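Review bot: the three new mounts serve the filebucket directories as ordinary file mounts with `allow *`, which is not what makes the server-side filebucket work (the master stores backups under `bucketdir` on its own, through the filebucket API) and which lets any node with a signed certificate fetch any file under those directories by path through `puppet:///developpement/...`, `puppet:///test/...` and `puppet:///production/...`; the md5 paths appear in run logs and reports, so a previous /etc/shadow backed up from one node becomes readable from another. Drop the three mounts, or at least replace `allow *` with the master's own name, and keep the per-environment `bucketdir` settings in puppet.conf. Note also that fileserver.conf mounts are global, not per environment: the section names only look like the environment names.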
Generating a password hash with openssl
echo "****" | openssl passwd -1 -stdin
# > $1$xxxxxxxx$xxxxxxxxxxxxxxxxx
# -1 produces an MD5-crypt ($1$) hash: accepted by crypt(3) everywhere, but cheap to
# brute-force. Where the target's glibc supports it, prefer SHA-512 ($6$), which
# "openssl passwd -6" produces with OpenSSL 1.1.1 and later.
# Piping from echo keeps the password out of openssl's argument list, but the line
# still lands in the shell history unless it starts with a space (HISTCONTROL=ignorespace).
First simple example: the root account, whose password we want to change
# create the module directories (see best practices)
mkdir -p /etc/puppet/environnements/{developpement,test,production}/modules/user/{templates,manifests,lib,files}
Demo 1: changing the root password
In the user module
/etc/puppet/environnements/developpement/modules/user/manifests/init.pp
# init.pp
import "*.pp"
/etc/puppet/environnements/developpement/modules/user/manifests/root.pp
# root.pp
# The special case of root
class user::root {
    user { "root":
        ensure   => "present",
        uid      => "0",
        gid      => "0",
        comment  => "root",
        home     => "/root",
        shell    => "/bin/bash",
        # single quotes: a $1$ hash must not be interpolated by Puppet.
        # This hash lives in the manifest (and in the git repository) and is sent
        # to the node inside its catalog, so it is only as secret as both of those.
        password => '$1$xxxxxxxx$xxxxxxxxxxxxxxxxxxx/',
    }
}
Checking that the previous file is syntactically valid
puppet --parseonly --ignoreimport /etc/puppet/environnements/developpement/modules/user/manifests/root.pp
# no output => the file is syntactically correct.
At node level
/etc/puppet/environnements/developpement/manifests/nodes.pp
# nodes.pp
node basenode {
    include user::root
}
node "puppet.example.test" inherits basenode {
}
In the global manifest for the development environment
/etc/puppet/environnements/developpement/manifests/site.pp
# site.pp
import "nodes"
Testing the application of this manifest on the puppetmaster (puppet.example.test)
Output of the dry run (--noop): Puppet reports the root password change it would make, without applying it
# the command line
puppetd --no-daemonize --debug --onetime --test --server puppet.example.test --environment developpement --noop
# output
[root@puppet /]# puppetd --no-daemonize --debug --onetime --test --server puppet.example.test --environment developpement --noop
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/classes.txt]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/state/state.yaml]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: Finishing transaction 23965876002200 with 0 changes
debug: /File[/var/lib/puppet/ssl/certs/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction 23965875421560 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for puppet.example.test
debug: Finishing transaction 23965875122140 with 0 changes
debug: Loaded state in 0.00 seconds
debug: Using cached certificate for ca
debug: Using cached certificate for puppet.example.test
debug: Using cached certificate_revocation_list for ca
debug: catalog supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
info: Caching catalog for puppet.example.test
debug: Creating default schedules
debug: Loaded state in 0.00 seconds
info: Applying configuration version '1297964027'
debug: //user::root/User[root]: Changing password
debug: //user::root/User[root]: 1 change(s)
notice: //user::root/User[root]/password: is !*, should be $1$xxxxxxxx$xxxxxxxxxxxxxxxxxxxxxx (noop)
debug: Time for triggering 1 events to edges: 4.79221343994141e-05
debug: Finishing transaction 23965875889440 with 1 changes
debug: Storing state
debug: Stored state in 0.00 seconds
debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (yaml)
debug: report supports formats: b64_zlib_yaml marshal raw yaml; using yaml
notice: Finished catalog run in 0.12 seconds
Output of the actual application of root.pp (same command without --noop). Note that with --debug the agent logs the full `usermod -p <hash> root` command line, so the hash ends up in the debug output and, while usermod runs, in the process list; keep that in mind when capturing debug runs.
[root@puppet /]# more /etc/shadow
root:!*:15021:0:99999:7:::
bin:*:15021:0:99999:7:::
daemon:*:15021:0:99999:7:::
adm:*:15021:0:99999:7:::
lp:*:15021:0:99999:7:::
sync:*:15021:0:99999:7:::
shutdown:*:15021:0:99999:7:::
halt:*:15021:0:99999:7:::
mail:*:15021:0:99999:7:::
news:*:15021:0:99999:7:::
uucp:*:15021:0:99999:7:::
operator:*:15021:0:99999:7:::
games:*:15021:0:99999:7:::
gopher:*:15021:0:99999:7:::
ftp:*:15021:0:99999:7:::
nobody:*:15021:0:99999:7:::
vcsa:!!:15021:0:99999:7:::
sshd:!!:15021:0:99999:7:::
puppet:!!:15022::::::
[root@puppet /]# puppetd --no-daemonize --debug --onetime --test --server puppet.example.test --environment developpement
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/ssl/public_keys/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/certs/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/state/state.yaml]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/classes.txt]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction 23955747712360 with 0 changes
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/certs/puppet.example.test.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: Finishing transaction 23955747130800 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for puppet.example.test
debug: Finishing transaction 23955746830660 with 0 changes
debug: Loaded state in 0.00 seconds
debug: Using cached certificate for ca
debug: Using cached certificate for puppet.example.test
debug: Using cached certificate_revocation_list for ca
debug: catalog supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
info: Caching catalog for puppet.example.test
debug: Creating default schedules
debug: Loaded state in 0.00 seconds
info: Applying configuration version '1297964027'
debug: //user::root/User[root]: Changing password
debug: //user::root/User[root]: 1 change(s)
debug: User[root](provider=useradd): Executing '/usr/sbin/usermod -p $1$xxxxxxxx$xxxxxxxxxxxxxxxxx root'
notice: //user::root/User[root]/password: changed password
debug: Time for triggering 1 events to edges: 5.69820404052734e-05
debug: Finishing transaction 23955747599880 with 1 changes
debug: Storing state
debug: Stored state in 0.00 seconds
debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (yaml)
debug: report supports formats: b64_zlib_yaml marshal raw yaml; using yaml
notice: Finished catalog run in 0.25 seconds
[root@puppet /]# more /etc/shadow
root:$1$xxxxxxxx$xxxxxxxxxxxxxxxxxxxx:15022:0:99999:7:::
bin:*:15021:0:99999:7:::
daemon:*:15021:0:99999:7:::
adm:*:15021:0:99999:7:::
lp:*:15021:0:99999:7:::
sync:*:15021:0:99999:7:::
shutdown:*:15021:0:99999:7:::
halt:*:15021:0:99999:7:::
mail:*:15021:0:99999:7:::
news:*:15021:0:99999:7:::
uucp:*:15021:0:99999:7:::
operator:*:15021:0:99999:7:::
games:*:15021:0:99999:7:::
gopher:*:15021:0:99999:7:::
ftp:*:15021:0:99999:7:::
nobody:*:15021:0:99999:7:::
vcsa:!!:15021:0:99999:7:::
sshd:!!:15021:0:99999:7:::
puppet:!!:15022::::::
[root@puppet /]#
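Two steps on this page depend on MD5-crypt hashes: the `openssl passwd -1` command above and the /etc/shadow check just shown. What follows is an added example, not code from the page: a pure-Python implementation of the `$1$` scheme (the same algorithm glibc crypt() and `openssl passwd -1` use), a verifier for it, and a small /etc/shadow audit, so that the hash about to go into root.pp can be checked offline against the intended password before Puppet pushes it to root, and so that no account is left with an empty password field by mistake. The sample shadow entries, the password "secret" and the salt "xxxxxxxx" are constructed for the demo.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)'s base-64 variant: least-significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """MD5-crypt ($1$) as produced by 'openssl passwd -1' and glibc crypt():
    the salt is truncated to 8 characters, then 1000 MD5 rounds are run over
    fixed permutations of password, salt and the previous digest."""
    pw = password.encode()
    salt = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # one alt byte per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                                # the "really weird" length walk
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed work factor, hence cheap to crack
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$1$" + salt.decode() + "$" + enc


def verify_md5_crypt(password, stored):
    """True if `stored` is a $1$ hash of `password` (constant-time compare)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1" or not parts[2]:
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)


def audit_shadow(text):
    """Map account -> 'empty' (no password at all: dangerous), 'locked' (!, !!, *),
    'md5crypt' ($1$), 'other-crypt' ($5$, $6$, ...) or 'descrypt' (13-char DES)."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, field = line.split(":")[:2]
        if field == "":
            kind = "empty"
        elif field[0] in "!*":
            kind = "locked"
        elif field.startswith("$1$"):
            kind = "md5crypt"
        elif field.startswith("$"):
            kind = "other-crypt"
        else:
            kind = "descrypt"
        report[name] = kind
    return report


def root_hash_matches(shadow_text, candidate):
    """Confirm that the root entry really is the password we meant to set."""
    for line in shadow_text.splitlines():
        name, field = line.split(":")[:2]
        if name == "root":
            return verify_md5_crypt(candidate, field)
    return False


# Constructed sample (not the page's /etc/shadow): root gets a hash made with
# md5_crypt, the others mirror the usual locked entries plus one empty field.
SAMPLE_SHADOW = "\n".join([
    "root:" + md5_crypt("secret", "xxxxxxxx") + ":15022:0:99999:7:::",
    "bin:*:15021:0:99999:7:::",
    "puppet:!!:15022::::::",
    "svc::15022:0:99999:7:::",
])
```

md5_crypt("secret", "xxxxxxxx") yields the same string as `openssl passwd -1 -salt xxxxxxxx secret`, which is how to check the hash pasted into root.pp before a run. The audit distinguishes the `!`, `!!` and `*` entries, which only block password login, from an empty field such as `svc`, which means no password is required at all. On a real node, feed it `open("/etc/shadow").read()` instead of the sample.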
Demo 2: adding a new user
Changes to make in the user module
Directory for the user module's definitions (inside the module, where the file below lives)
mkdir -p /etc/puppet/environnements/developpement/modules/user/manifests/defines
/etc/puppet/environnements/developpement/modules/user/manifests/defines/template_user.pp
# template_user.pp
#
# This file is a Puppet defined type.
# It creates a user from a few parameters.
# What is fixed: the home (always /home/login);
# the shell (/bin/bash by default);
# the group (users, gid 100, by default).
# vim:ts=4:sw=4
define template_user($login, $fullname, $uid, $gid="users", $groups = "", $shell="/bin/bash", $password) {
    user { "${login}":
        ensure     => "present",
        comment    => "${fullname}",
        uid        => "${uid}",
        gid        => "${gid}",
        groups     => "${groups}",
        home       => "/home/${login}",
        shell      => "${shell}",
        password   => "${password}",
        managehome => true,
    }
    file { "/home/${login}":
        ensure => directory,
        owner  => "${login}",
        group  => "${gid}",
        mode   => 0700,
    }
    file { "/home/${login}/.ssh":
        ensure => directory,
        owner  => "${login}",
        group  => "${gid}",
        mode   => 0700,
    }
    file { "/home/${login}/.ssh/authorized_keys":
        # No "ensure => file" here. Note that "source" still replaces the file's
        # content on every run, so a key added by hand on the node is overwritten by
        # the copy served from the module (the "content changed" lines in the run
        # output further down show this).
        #ensure => file,
        owner  => "${login}",
        mode   => 0600,
        source => "puppet:///user/files/${login}/.ssh/authorized_keys",
    }
}
/etc/puppet/environnements/developpement/modules/user/manifests/virtual.pp
# virtual.pp
#
# People accounts of interest as virtual resources
# vim:ts=4:sw=4
class user::virtual {
    @template_user { "u1":
        login    => "u1",
        fullname => "utilisateur u1",
        uid      => "1001",
        password => '$1$xxxxxxxx$xxxxxxxxxxxxxxxxxxxxxx',
    }
    # ... u1 to u10.
    # then the administrators
    @template_user { "a1":
        login    => "a1",
        fullname => "utilisateur a1",
        uid      => "1101",
        groups   => "wheel",
        password => '$1$xxxxxxxx$xxxxxxxxxxxxxxxxxxxxxx',
    }
    # ... a1 to a10.
}
Generating the virtual.pp file
cat > /etc/puppet/environnements/developpement/modules/user/manifests/virtual.pp <<"EOF"
# virtual.pp
#
# People accounts of interest as virtual resources
# vim:ts=4:sw=4
class user::virtual {
    # regular users
EOF
for i in $(seq 1 10)
do
    # build a hashed password; the heredoc below is unquoted so $i and $pwd expand.
    # Passwords derived from the login like this are fine for a lab only, and the
    # same hash is pushed to every node that realizes the account.
    pwd=$(echo "****$i" | openssl passwd -1 -stdin)
    cat >> /etc/puppet/environnements/developpement/modules/user/manifests/virtual.pp <<EOF
    @template_user { "u$i":
        login    => "u$i",
        fullname => "utilisateur u$i",
        uid      => "$((1000 + $i))",
        password => '$pwd',
    }
EOF
done
cat >> /etc/puppet/environnements/developpement/modules/user/manifests/virtual.pp <<"EOF"
    # administrators
EOF
for i in $(seq 1 10)
do
    pwd=$(echo "****$i" | openssl passwd -1 -stdin)
    cat >> /etc/puppet/environnements/developpement/modules/user/manifests/virtual.pp <<EOF
    @template_user { "a$i":
        login    => "a$i",
        fullname => "utilisateur a$i",
        uid      => "$((1100 + $i))",
        groups   => "wheel",
        password => '$pwd',
    }
EOF
done
echo "}" >> /etc/puppet/environnements/developpement/modules/user/manifests/virtual.pp
/etc/puppet/environnements/developpement/modules/user/manifests/init.pp
diff --git a/environnements/developpement/modules/user/manifests/init.pp b/environnements/developpement/modules/user/manifests/init.pp index 6f09675..9303414 100644 --- a/environnements/developpement/modules/user/manifests/init.pp +++ b/environnements/developpement/modules/user/manifests/init.pp @@ -1,4 +1,5 @@ # init.pp - + +import "defines/*.pp" import "*.pp"
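Review bot: `import "defines/*.pp"` is only needed because the defined type is called `template_user`, without the module prefix, so the autoloader cannot find it from modules/user/manifests/; naming it `user::template_user` in manifests/template_user.pp would make both glob imports unnecessary. As written, the define lands in the global namespace, where a same-named define from any other module collides with it, and every file matching the globs is parsed whenever init.pp is imported.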
/etc/puppet/environnements/developpement/modules/user/manifests/unixadmins.pp
# unixadmins.pp
#
# Realize the users present on every machine managed by Puppet.
class user::unixadmins inherits user::virtual {
    # realize the system administrators (a9 and a10 are declared but not realized)
    realize(
        Template_user["a1"],
        Template_user["a2"],
        Template_user["a3"],
        Template_user["a4"],
        Template_user["a5"],
        Template_user["a6"],
        Template_user["a7"],
        Template_user["a8"],
    )
}
/etc/puppet/environnements/developpement/modules/user/manifests/habituels.pp
# habituels.pp
#
# Realize the users usually present on the machines.
class user::habituels inherits user::virtual {
    # realize the regular users (u9 and u10 are declared but not realized)
    realize(
        Template_user["u1"],
        Template_user["u2"],
        Template_user["u3"],
        Template_user["u4"],
        Template_user["u5"],
        Template_user["u6"],
        Template_user["u7"],
        Template_user["u8"],
    )
}
/etc/puppet/environnements/developpement/manifests/nodes.pp
diff --git a/environnements/developpement/manifests/nodes.pp b/environnements/developpement/manifests/nodes.pp index cbb645e..aa27503 100644 --- a/environnements/developpement/manifests/nodes.pp +++ b/environnements/developpement/manifests/nodes.pp @@ -2,7 +2,9 @@ node basenode { include user::root + include user::unixadmins } node "puppet.example.test" inherits basenode { + include user::habituels }
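Review bot: `include user::unixadmins` in `basenode` realizes a1 to a8 on every node that inherits it, each with `groups => "wheel"` and the same password hash on all machines (the hashes come from virtual.pp); on any node whose sudoers enables `%wheel`, that is eight shared root-equivalent accounts, and their authorized_keys files are empty, so password login is their only way in. Worth a comment in the hunk that this is a lab shortcut; beyond the lab, realize admin accounts per node or per role and give each admin an individual key.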
Creating the SSH keys. The loop writes each user's private key (cle) next to the public key, inside the module's files/ directory. Everything under files/ is served by the master to any node with a signed certificate, and the directory is also part of the git repository created at the start; outside a throwaway lab, generate the key pairs elsewhere and copy only cle.pub into files/.
for i in $(seq 1 10)
do
    mkdir -p /etc/puppet/environnements/developpement/modules/user/files/{u,a}${i}/.ssh
    # users' authorized_keys (key with an empty passphrase).
    # Caution: this leaves the private key "cle" under files/, which the master serves to every node.
    ssh-keygen -b 2048 -t rsa -N "" -f /etc/puppet/environnements/developpement/modules/user/files/u${i}/.ssh/cle
    cp -pf /etc/puppet/environnements/developpement/modules/user/files/u${i}/.ssh/{cle.pub,authorized_keys}
    # administrators' authorized_keys: no key (empty file), to avoid errors
    touch /etc/puppet/environnements/developpement/modules/user/files/a${i}/.ssh/authorized_keys
done
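Before the files/ tree above is committed and served, it is worth checking what is in it. The following is an added example, not code from the page: it scans a module files/ tree for private-key material, which must never sit under files/ because the master serves that directory to every node with a signed certificate, and it validates each authorized_keys line by decoding the SSH wire format to confirm that the declared key type matches the encoded one and, for RSA, that the modulus is at least 2048 bits. The sample tree, the `fake_rsa_pubkey` helper and the "cle" private-key file are constructed for the demo; the fake keys are structurally valid blobs, not real key pairs.

```python
import base64
import struct

ACCEPTED_TYPES = {"ssh-rsa", "ssh-ed25519"}
KNOWN_TYPES = ACCEPTED_TYPES | {"ssh-dss", "ecdsa-sha2-nistp256",
                                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048


def _read_string(blob, offset):
    """One SSH wire-format 'string': uint32 big-endian length, then the bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_authorized_key_line(line):
    """Return a problem description for one authorized_keys line, or None if it
    is acceptable. Option strings containing quoted spaces are not parsed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return "no recognised key type or key data"
    ktype, b64 = fields[idx], fields[idx + 1]
    if ktype not in ACCEPTED_TYPES:
        return "key type %s is not accepted" % ktype
    try:
        blob = base64.b64decode(b64, validate=True)
        wire_type, off = _read_string(blob, 0)
        if wire_type != ktype.encode():
            return "declared type %s but blob encodes %r" % (ktype, wire_type)
        if ktype == "ssh-rsa":
            _e, off = _read_string(blob, off)   # public exponent (mpint)
            n, _ = _read_string(blob, off)      # modulus (mpint)
            bits = int.from_bytes(n, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return "RSA key too short: %d bits" % bits
    except (ValueError, struct.error):
        return "key data is not valid base64 or is truncated"
    return None


def scan_module_file(path, content):
    """Problems with one file from the module's files/ tree."""
    problems = []
    if b"PRIVATE KEY-----" in content:
        problems.append(path + ": contains private key material; everything under "
                        "files/ is served to every node, keep only public keys here")
    if path.endswith("authorized_keys"):
        for n, line in enumerate(content.decode(errors="replace").splitlines(), 1):
            problem = check_authorized_key_line(line)
            if problem:
                problems.append("%s:%d: %s" % (path, n, problem))
    return problems


def audit_module_files(files):
    """files: {relative path: bytes}. Returns every problem found, sorted by path."""
    problems = []
    for path in sorted(files):
        problems.extend(scan_module_file(path, files[path]))
    return problems


# --- constructed sample data (not real keys) -------------------------------
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    # positive mpint: big-endian, with a leading 0x00 byte when the top bit is set
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def fake_rsa_pubkey(bits):
    """Structurally valid ssh-rsa blob with a made-up modulus of `bits` bits."""
    n = (1 << (bits - 1)) | 0x10001
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)).decode()


SAMPLE_FILES = {
    "files/u1/.ssh/authorized_keys": ("ssh-rsa " + fake_rsa_pubkey(2048) + " u1@example.test\n").encode(),
    "files/u1/.ssh/cle": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "files/u2/.ssh/authorized_keys": ("ssh-rsa " + fake_rsa_pubkey(1024) + "\n").encode(),
    "files/a1/.ssh/authorized_keys": b"",
}
```

Run `audit_module_files` on a dict built by walking modules/user/files/ (path relative to the module, content as bytes) before `git commit`; on the sample it reports the stray private key for u1 and the 1024-bit key for u2, and says nothing about a1's empty file, which is what the page intends for the admins.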
Applying the new manifests: users and admins
[root@puppet developpement]# puppetd --no-daemonize --onetime --test --server puppet.example.test --environment developpement --noop
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate definition: Template_user[a1] is already defined in file /etc/puppet/environnements/developpement/modules/user/manifests/virtual.pp at line 14; cannot redefine at /etc/puppet/environnements/deoppement/modules/user/manifests/virtual.pp:87 on node puppet.example.test
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
- This error occurred because I had generated users a1 to a10 twice in the file /etc/puppet/environnements/developpement/modules/user/manifests/virtual.pp.
Running the user setup
Output of applying the manifest to the machine (adding users). d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file: the admins do get an empty authorized_keys, as intended.
[root@puppet developpement]# puppetd --no-daemonize --onetime --test --server puppet.example.test --environment developpement
info: Caching catalog for puppet.example.test
info: Applying configuration version '1297980552'
notice: //user::virtual/Template_user[u3]/User[u3]/ensure: created
notice: //user::virtual/Template_user[u3]/File[/home/u3/.ssh/authorized_keys]/ensure: content changed '{md5}d9f4127f33ecbd15d64c703ff41e e' to '{md5}d9f4127f33ecbd15d64c703ff41e199e'
notice: //user::virtual/Template_user[a6]/User[a6]/ensure: created
notice: //user::virtual/Template_user[a6]/File[/home/a6/.ssh/authorized_keys]/ensure: content changed '{md5}d41d8cd98f00b204e9800998ecf8 e' to '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: //user::virtual/Template_user[u6]/User[u6]/ensure: created
notice: //user::virtual/Template_user[u6]/File[/home/u6/.ssh/authorized_keys]/ensure: content changed '{md5}0e315f76c34d21fc08020c7171c8 1' to '{md5}0e315f76c34d21fc08020c7171c824c1'
notice: //user::virtual/Template_user[a2]/User[a2]/ensure: created
notice: //user::virtual/Template_user[a2]/File[/home/a2/.ssh/authorized_keys]/ensure: content changed '{md5}d41d8cd98f00b204e9800998ecf8 e' to '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: //user::virtual/Template_user[a1]/User[a1]/ensure: created
notice: //user::virtual/Template_user[a1]/File[/home/a1/.ssh/authorized_keys]/ensure: content changed '{md5}d41d8cd98f00b204e9800998ecf8 e' to '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: //user::virtual/Template_user[u7]/User[u7]/ensure: created
notice: //user::virtual/Template_user[u7]/File[/home/u7/.ssh/authorized_keys]/ensure: content changed '{md5}93e04bc76832e859b9ed03e8fc72 4' to '{md5}93e04bc76832e859b9ed03e8fc729604'
notice: //user::virtual/Template_user[a8]/User[a8]/ensure: created
notice: //user::virtual/Template_user[a8]/File[/home/a8/.ssh/authorized_keys]/ensure: content changed '{md5}d41d8cd98f00b204e9800998ecf8 e' to '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: //user::virtual/Template_user[a3]/User[a3]/ensure: created
notice: //user::virtual/Template_user[a3]/File[/home/a3/.ssh/authorized_keys]/ensure: content changed '{md5}d41d8cd98f00b204e9800998ecf8 e' to '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: //user::virtual/Template_user[u4]/User[u4]/ensure: created
notice: //user::virtual/Template_user[u4]/File[/home/u4/.ssh/authorized_keys]/ensure: content changed '{md5}bf7927d6d1cb0686149c8bb6a373 c' to '{md5}bf7927d6d1cb0686149c8bb6a37356ac'
notice: //user::virtual/Template_user[u8]/User[u8]/ensure: created
notice: //user::virtual/Template_user[u8]/File[/home/u8/.ssh/authorized_keys]/ensure: content changed '{md5}ed22c514d2b2268f1462624694ad c' to '{md5}ed22c514d2b2268f1462624694adc27c'
notice: //user::virtual/Template_user[a4]/User[a4]/ensure: created
notice: //user::virtual/Template_user[a4]/File[/home/a4/.ssh/authorized_keys]/ensure: content changed '{md5}d41d8cd98f00b204e9800998ecf8 e' to '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: //user::virtual/Template_user[u1]/User[u1]/ensure: created
notice: //user::virtual/Template_user[u1]/File[/home/u1/.ssh/authorized_keys]/ensure: content changed '{md5}2fb6c6706225141c0d27bed28309 d' to '{md5}2fb6c6706225141c0d27bed28309e82d'
notice: //user::virtual/Template_user[u5]/User[u5]/ensure: created
notice: //user::virtual/Template_user[u5]/File[/home/u5/.ssh/authorized_keys]/ensure: content changed '{md5}56686af3aba9e86b07b561649678 3' to '{md5}56686af3aba9e86b07b561649678a3c3'
notice: //user::virtual/Template_user[a5]/User[a5]/ensure: created
notice: //user::virtual/Template_user[a5]/File[/home/a5/.ssh/authorized_keys]/ensure: content changed '{md5}d41d8cd98f00b204e9800998ecf8 e' to '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: //user::virtual/Template_user[u2]/User[u2]/ensure: created
notice: //user::virtual/Template_user[u2]/File[/home/u2/.ssh/authorized_keys]/ensure: content changed '{md5}674058f9beddaa7e87be5985e928 b' to '{md5}674058f9beddaa7e87be5985e928907b'
notice: //user::virtual/Template_user[a7]/User[a7]/ensure: created
notice: //user::virtual/Template_user[a7]/File[/home/a7/.ssh/authorized_keys]/ensure: content changed '{md5}d41d8cd98f00b204e9800998ecf8 e' to '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: Finished catalog run in 3.37 seconds
Removing all the added users (u* and a*)
Creating a delusers class that cleans up the accounts
# ensure => absent removes the account only: without managehome => true the
# /home/uN and /home/aN directories (and their authorized_keys) stay on disk
cat > /etc/puppet/environnements/developpement/modules/user/manifests/delusers.pp <<EOF
# delusers.pp
class user::delusers {
EOF
for i in $(seq 1 10)
do
    cat >> /etc/puppet/environnements/developpement/modules/user/manifests/delusers.pp <<EOF
    user { "u$i": ensure => absent }
    user { "a$i": ensure => absent }
EOF
done
echo "}" >> /etc/puppet/environnements/developpement/modules/user/manifests/delusers.pp
/etc/puppet/environnements/developpement/manifests/nodes.pp
diff --git a/environnements/developpement/manifests/nodes.pp b/environnements/developpement/manifests/nodes.pp index aa27503..863fb53 100644 --- a/environnements/developpement/manifests/nodes.pp +++ b/environnements/developpement/manifests/nodes.pp @@ -5,6 +5,9 @@ node basenode { include user::unixadmins } -node "puppet.example.test" inherits basenode { - include user::habituels +node "puppet.example.test" { + #include user::habituels + + # pour supprimer tous les utilisateurs créés + include user::delusers }
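Review bot: dropping `inherits basenode` is what avoids the `Duplicate definition: User[a1]` error, but it also takes `user::root` and `user::unixadmins` off puppet.example.test, so this node no longer enforces the root password while delusers is applied; say so in a comment next to `#include user::habituels`. Separately, the `ensure => absent` resources in delusers.pp carry no `managehome => true`, so /home/uN and /home/aN, authorized_keys included, stay on disk owned by a UID that is now free, and the next account created in the 1001-1110 range inherits those files; add `managehome => true` to the absent resources or remove the directories explicitly.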
Note why removing the inheritance from basenode matters: basenode includes user::unixadmins, which realizes a1 to a8 through template_user, while user::delusers declares the same User[aN] resources with ensure => absent. Puppet refuses to compile a catalog that declares one resource twice, so the two classes cannot coexist on a node.
If the inheritance is left in place, here are the errors obtained:
Errors if the inheritance from basenode is not removed
[root@puppet developpement]# puppetd --no-daemonize --onetime --test --server puppet.example.test --environment developpement --noop
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate definition: User[a1] is already defined in file /etc/puppet/environnements/developpement/modules/user/manifests/delusers.pp at line 5; cannot redefine at /etc/puppet/environnements/developpement/modules/user/manifests/defines/template_user.pp:24 on node puppet.example.test
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
Applying delusers
[root@puppet developpement]# puppetd --no-daemonize --onetime --test --server puppet.example.test --environment developpement
info: Caching catalog for puppet.example.test
info: Applying configuration version '1297979796'
notice: //user::delusers/User[a8]/ensure: removed
notice: //user::delusers/User[a5]/ensure: removed
notice: //user::delusers/User[a6]/ensure: removed
notice: //user::delusers/User[u7]/ensure: removed
notice: //user::delusers/User[u4]/ensure: removed
notice: //user::delusers/User[a3]/ensure: removed
notice: //user::delusers/User[a2]/ensure: removed
notice: //user::delusers/User[u1]/ensure: removed
notice: //user::delusers/User[u8]/ensure: removed
notice: //user::delusers/User[u5]/ensure: removed
notice: //user::delusers/User[a4]/ensure: removed
notice: //user::delusers/User[a1]/ensure: removed
notice: //user::delusers/User[u2]/ensure: removed
notice: //user::delusers/User[u6]/ensure: removed
notice: //user::delusers/User[a7]/ensure: removed
notice: //user::delusers/User[u3]/ensure: removed
notice: Finished catalog run in 0.68 seconds
Certifying a client
Add the puppetmaster (its DNS name) to /etc/hosts on every client machine
Adding puppet.example.test to /etc/hosts of all the clients, done from the machine hosting the OpenVZ containers
for i in $(seq 201 215)
do
    echo "10.0.1.200 puppet.example.test puppet" >> /vz/private/$i/etc/hosts
done
On the client (.201)
# create a certificate request and wait (30 s between retries) for it to be signed
puppetd --server puppet.example.test --waitforcert=30 --test
On the puppetmaster
# list the certificate requests waiting for the puppetmaster's signature
puppetca --list
# > clientpuppet1.example.test
# sign the pending request. Signing on the hostname alone trusts whoever sent the
# request; where the network is not trusted, compare the request's fingerprint with
# the one computed on the client, over a channel other than the Puppet connection,
# before signing.
puppetca --sign clientpuppet1.example.test
Output during certificate validation. The "peer certificate won't be verified" warnings are expected on first contact: the agent has no CA certificate yet, so it downloads ca.pem over an unauthenticated TLS session and trusts it from then on. Anyone able to intercept that first connection can substitute their own CA; on an untrusted network, copy ca.pem into /var/lib/puppet/ssl/certs/ on the client beforehand.
# on client1
[root@clientpuppet1 /]# puppetd --server puppet.example.test --waitforcert=30 --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for clientpuppet1.example.test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
# on the puppetmaster
[root@puppet developpement]# puppetca --list
clientpuppet1.example.test
[root@puppet developpement]# puppetca --sign clientpuppet1.example.test
clientpuppet1.example.test
notice: Signed certificate request for clientpuppet1.example.test
notice: Removing file Puppet::SSL::CertificateRequest clientpuppet1.example.test at '/var/lib/puppet/ssl/ca/requests/clientpuppet1.example.test.pem'
# on client1, the end of the run once the certificate has been signed
info: Caching certificate for clientpuppet1.example.test
info: Caching certificate_revocation_list for ca
info: Caching catalog for clientpuppet1.example.test
info: Applying configuration version '1297963606'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.01 seconds