Puppet and per-domain configuration

I started deploying puppet at work, after installing it a couple of weeks ago and playing with it. I’ve got it doing some pretty basic management so far:

  • SSH key management
  • Timezone and Locale
  • NTP
  • Minimum required packages
  • /etc/resolv.conf

None of this is overly complicated, but it is very useful for me.

SSH key management

This is actually really trivial at this stage – I have an authorized_keys file which I push out to all hosts, thus allowing anyone with a key matching one in that file to log in as root. I’ll eventually change this to having user profiles managed by puppet, but for now this is good enough.

Timezone and Locale

For some reason, these two things get missed an awful lot when configuring new servers quickly, particularly if they are VMs (when debootstrapping a server, you don't get prompted for these things). I manually symlink /etc/localtime to the right timezone file, and I use debconf-set-selections to pick the right locale, then install localeconf.

NTP

Once the timezone is set correctly, I install and configure ntpd. I give it a simple config using a few of the nz.pool.ntp.org servers and an internal one, and call it done. We seem to get a lot of calls from customers about time/date being wrong on their email/reports/something, so this will fix that.

Minimum required packages

Other than my preferred editor, there are a large number of packages that all hosts should have installed, no questions asked. less. tcpdump. mtr. strace. nmap. host. dig. And the rest. Puppet installs these for me now, rather than having to wait until I need the tool to install it. Puppet will happily install packages from a range of sources, and autodetects which one to use based on your OS version. Of course, package names will probably change (ssh vs openssh-server, etc.), but that can be dealt with using a per-OS override.

/etc/resolv.conf

This one caught me out quite badly. I figured I was being really smart by pushing out a resolv.conf to all sites, until I then realised I was overwriting references to any local DNS servers. Up until now I had one node definition – the default one. Everything else was being autodetected at run time.

I could depart from this model and have a per-node definition which included the searchpath and the local resolvers to use, but that means creating a node definition for every new node I add. That’s not too much work, granted, but it’s more than I want to have to do for something as basic as /etc/resolv.conf. I could also create a per-site class and have every node include that class, which would save some work, but still require a per-node definition.

It looks like it's currently impossible to have a wildcard definition of a node, e.g.:

[code]
node '*.example.com' inherits base {
    $searchpath  = 'example.com'
    $nameservers = '192.168.0.1'
}
[/code]

So I signed up to the puppet mailing list and asked how to do this, and predictably I worked out how to do it about 30 seconds later. Puppet uses the ruby ‘facter’ library, which lets you get various facts about the system you are running on. One of these facts is the domain name.

Now I have a couple of switch statements in my resolvconf class which specify the searchpath and nameservers based on the domain name of the node being configured, which are then used to fill out a template. Magic!
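Here is what that class can look like, as an added example rather than the manifest from the post. The only value taken from the post is 192.168.0.1 for example.com; the second domain, its resolvers, and the use of Puppet's inline_template with @-style ERB variables are assumptions. The default branch deliberately fails the run for an unrecognised domain, so a node never silently receives another site's resolvers (the mistake described above).

```puppet
# Added example (not the post's own code): choose resolv.conf settings
# per site from facter's domain fact, then render /etc/resolv.conf.
class resolvconf {
  case $::domain {
    'example.com': {
      $searchpath  = 'example.com'
      $nameservers = ['192.168.0.1']            # from the post
    }
    'branch.example.net': {                     # hypothetical second site
      $searchpath  = 'branch.example.net example.com'
      $nameservers = ['10.1.0.1', '10.1.0.2']   # hypothetical resolvers
    }
    default: {
      # Unknown domain: stop rather than overwrite the node's resolvers
      # with values meant for another site.
      fail("resolvconf: no nameserver mapping for domain '${::domain}'")
    }
  }

  # Render the file from the variables above. The same ERB could live in
  # a template file and be referenced with template('...') instead.
  file { '/etc/resolv.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => inline_template(
      "search <%= @searchpath %>\n<% @nameservers.each do |ns| -%>nameserver <%= ns %>\n<% end -%>"
    ),
  }
}
```

Because the class keys on a fact, a node that is moved between domains picks up the right resolvers on its next run with no per-node definition.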
