Managing Linux Using Puppet

Running Puppet Automatically

Running Puppet by hand each time you want to make a change doesn't work well beyond a handful of machines. To solve this, you can have each machine automatically check git for changes and then run puppet apply (you can restrict the run to when git actually has changed, but that is optional).

Next, you will define a file called puppetApply.sh that does what you want and then set up a cron job to call it every ten minutes. This is done in a new module called puppet_apply in three steps:

  • Create your puppetApply.sh template in modules/puppet_apply/files/puppetApply.sh as per Listing 12.

  • Create the puppetApply.sh file and set up the crontab entry as shown in Listing 13.

  • Use your puppet_apply module from your node in puppet-test.pp as per Listing 14.

Listing 12. /modules/puppet_apply/files/puppetApply.sh


#!/bin/sh
# Managed by Puppet

cd /etc/puppet/linuxjournal
git pull
puppet apply /etc/puppet/linuxjournal/manifests --modulepath=/etc/puppet/linuxjournal/modules/:/etc/puppet/modules/

Listing 13. /modules/puppet_apply/manifests/init.pp


class puppet_apply () {
    file { "/usr/local/bin/puppetApply.sh":
        source => "puppet:///modules/puppet_apply/puppetApply.sh",
        mode   => 'u=wrx,g=r,o=r'
    }

    ->

    cron { "run-puppetApply":
        ensure  => 'present',
        command => "/usr/local/bin/puppetApply.sh > /tmp/puppetApply.log 2>&1",
        minute  => '*/10',
    }
}

Listing 14. /manifests/puppet-test.pp


class { 'puppet_apply': ; }

You will need to ensure that the server has read access to the git repository. You can do this using an SSH key distributed via Puppet and an IdentityFile entry in /root/.ssh/config.

If you apply changes now, you should see that there is an entry in root's crontab, and every ten minutes puppetApply.sh should run. Now you simply can commit your changes to git, and within ten minutes, they will be rolled out.
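The optional "only if git has changed" behaviour mentioned above, written out as an added example rather than the article's own listing: a variant of puppetApply.sh that records HEAD before and after a fast-forward pull, applies only when it moved, and takes a lock so a slow run cannot overlap the next ten-minute cron tick. Paths are the article's; the REQUIRE_SIGNED knob, the FORCE override and the "run" subcommand are assumptions of this example.

```shell
#!/bin/bash
# Managed by Puppet  (added example, not the article's Listing 12)
set -eu

REPO=/etc/puppet/linuxjournal
MODULEPATH="$REPO/modules/:/etc/puppet/modules/"
LOCK=/var/lock/puppetApply.lock
REQUIRE_SIGNED="${REQUIRE_SIGNED:-0}"   # assumed knob: 1 = refuse an unsigned HEAD

# True (exit 0) when the two revisions differ, false (exit 1) when equal.
head_moved() {
    [ "$1" != "$2" ]
}

# A run is needed when HEAD moved, or when FORCE=1 asks for one anyway.
needs_apply() {
    before="$1"; after="$2"; force="${3:-0}"
    if [ "$force" = "1" ]; then return 0; fi
    head_moved "$before" "$after"
}

main() {
    # flock on fd 9: a still-running apply makes the next cron tick skip.
    exec 9>"$LOCK"
    flock -n 9 || { echo "previous run still active, skipping"; exit 0; }

    cd "$REPO"
    before=$(git rev-parse HEAD)
    git pull --ff-only --quiet      # fast-forward only: no surprise merges on a server
    after=$(git rev-parse HEAD)

    if [ "$REQUIRE_SIGNED" = "1" ]; then
        git verify-commit HEAD      # fails the run (set -e) if HEAD is not GPG-signed
    fi

    if needs_apply "$before" "$after" "${FORCE:-0}"; then
        echo "HEAD moved $before -> $after, applying"
        puppet apply "$REPO/manifests" --modulepath="$MODULEPATH"
    else
        echo "no change since $before, nothing to apply"
    fi
}

# Only the "run" subcommand does work, so the file can be sourced for testing.
case "${1:-}" in
    run) main ;;
esac
```

With this variant the cron command in Listing 13 becomes /usr/local/bin/puppetApply.sh run, and the log shows either the revision that was applied or that nothing changed.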

Modifying Config Files

Many times you don't want to replace a config file, but rather ensure that certain options are set to certain values. For example, I may want to change the SSH port from the default of 22 to 2022 and disallow password logins. Rather than manage the entire config file with Puppet, I can use the augeas resource to set multiple configuration options.

Refer to Listing 15 for some code that can be added to the developer_pc class you created earlier. The code does the following:

  • Installs openssh-server (not really required, but there for completeness).

  • Ensures that SSH is running as a service.

  • Sets Port 2022 and PasswordAuthentication no in /etc/ssh/sshd_config.

  • If the file changes, the notify clause causes SSH to reload the configuration.

Listing 15. /modules/developer_pc/manifests/init.pp


package { 'openssh-server':
    ensure => 'present'
}

service { 'ssh':
    ensure => running,
    require => [ Package["openssh-server"] ]
}

augeas { 'change-sshd':
    context => '/files/etc/ssh/sshd_config',
    changes => ['set Port 2022', 'set PasswordAuthentication no'],
    notify => Service['ssh'],
    require => [ Package["openssh-server"] ]
}

Once puppetApply.sh automatically runs, any subsequent SSH sessions will need to connect on port 2022, and you no longer will be able to use a password.

______________________

David Barton is Managing Director of OneIT, a company specializing in custom business software development. He's been using Linux since 1998 and managing OneIT's Linux servers for more than 10 years.