Adding puppet information in cfg/ location and bumping release

ChangeLog

@@ -1,5 +1,6 @@
 ** (2012-12-19) Sven Vermeulen <sven.vermeulen@siphos.be>
 	- Architecturing puppet
+	- Adding puppet information in cfg/ location
 
 ** (2012-12-18) Sven Vermeulen <sven.vermeulen@siphos.be>
 	- Update puppet for multi-master setup

cfg/puppet/auth.conf

@@ -0,0 +1,100 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACL - those applies only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog (ie their configuration)
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their reports
+path /report
+method save
+allow *
+
+# inconditionnally allow access to all files services
+# which means in practice that fileserver.conf will
+# still be used
+path /file
+allow *
+
+### Unauthenticated ACL, for clients for which the current master doesn't
+### have a valid certificate; we allow authenticated users, too, because
+### there isn't a great harm in letting that request through.
+
+# allow access to the master CA
+path /certificate/ca
+auth any
+method find
+allow *
+
+path /certificate/
+auth any
+method find
+allow *
+
+path /certificate_request
+auth any
+method find, save
+allow *
+
+# this one is not stricly necessary, but it has the merit
+# to show the default policy which is deny everything else
+path /
+auth any

cfg/puppet/fileserver.conf

@@ -0,0 +1,12 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Define a section 'files'
+# Adapt the allow/deny settings to your needs. Order
+# for allow/deny does not matter, allow always takes precedence
+# over deny
+# [files]
+#  path /var/lib/puppet/files
+#  allow *.example.com
+#  deny *.evil.example.com
+#  allow 192.168.0.0/24

cfg/puppet/manifests/basic-setup.pp

@@ -0,0 +1,12 @@
+# The 'basenode' node is a Puppet-default baseline node
+node basenode {
+  ######################################
+  #
+  # General variables
+  #
+
+  # Network config
+  $puppet_server = "puppet.internal.genfic.com"
+  $dns_servers = [ "192.168.1.1", "8.8.8.8" ]
+  $domain = "internal.genfic.com"
+}

cfg/puppet/manifests/nodes/puppet.pp

@@ -0,0 +1,6 @@
+##
+## puppet.internal.genfic.com
+##
+node 'puppet.internal.genfic.com' inherits basenode {
+  include general
+}

cfg/puppet/manifests/nodes/test.pp

@@ -0,0 +1,6 @@
+##
+## test.internal.genfic.com
+##
+node 'test.internal.genfic.com' inherits basenode {
+  include general
+}

cfg/puppet/manifests/patterns/general.pp

@@ -0,0 +1,9 @@
+class general {
+  ################################
+  #
+  # General setup
+  #
+
+  # Start with minimal
+  include minimal
+}

cfg/puppet/manifests/patterns/minimal.pp

@@ -0,0 +1,9 @@
+class minimal {
+  ###############################
+  #
+  # Minimal setup
+  #
+
+  # Manage /etc/hosts
+  include hosts
+}

cfg/puppet/manifests/site.pp

@@ -0,0 +1,10 @@
+# This is the base setup of our architecture.
+# Anything that is global for all systems should
+# go in the basic-setup.pp file
+import "basic-setup.pp"
+
+# Import the patterns
+import "patterns/*.pp"
+
+# Import the definitions of the various systems
+import "nodes/*.pp"

cfg/puppet/modules/hosts/manifests/init.pp

@@ -0,0 +1,13 @@
+#########################
+#
+# Class hosts
+#
+# Manages /etc/hosts
+#
+class hosts {
+  file { "hosts":
+    ensure => present,
+    path => "/etc/hosts",
+    content => template("hosts/hosts.erb"),
+  }
+}

cfg/puppet/modules/hosts/templates/hosts.erb

@@ -0,0 +1,10 @@
+# File managed by puppet
+127.0.0.1	local.virtdomain local
+192.168.100.1	gateway.virtdomain gateway
+
+::1		localhost.<%= domain %> localhost
+<%= ipaddress6 %>	<%= hostname %>.<%= domain %> <%= hostname %>
+
+# Minimal requirements (case DNS is unavailable)
+2001:db8:81:e2::26b5:365b:5072	workstation.<%= domain %> workstation
+2001:db8:81:21::53:3a8a:71e0	puppet.<%= domain %> puppet

cfg/puppet/puppet.conf

@@ -0,0 +1,30 @@
+[main]
+    # The Puppet log directory.
+    # The default value is '$vardir/log'.
+    logdir = /var/log/puppet
+
+    # Where Puppet PID files are kept.
+    # The default value is '$vardir/run'.
+    rundir = /var/run/puppet
+
+    # Where SSL certificates are kept.
+    # The default value is '$confdir/ssl'.
+    ssldir = $vardir/ssl
+
+[master]
+    bindaddress="::"
+
+[agent]
+    # The file in which puppetd stores a list of the classes
+    # associated with the retrieved configuratiion.  Can be loaded in
+    # the separate ``puppet`` executable using the ``--loadclasses``
+    # option.
+    # The default value is '$confdir/classes.txt'.
+    classfile = $vardir/classes.txt
+
+    # Where puppetd caches the local configuration.  An
+    # extension indicating the cache format is added automatically.
+    # The default value is '$confdir/localconfig'.
+    localconfig = $vardir/localconfig
+    listen = true
+    bindaddress="::"

src/aglara.xml

@@ -55,12 +55,12 @@
 	offsite knowledge storage ;-)
       </para>
       <para>
-        The version you are reading currently is v0.12 and has been generated
-	on 2012/12/17.
+        The version you are reading currently is v0.13 and has been generated
+	on 2012/12/19.
       </para>
     </abstract>
 
-    <edition>GLARA v0.11</edition> <!-- Update above paragraph too!! -->
+    <edition>GLARA v0.13</edition> <!-- Update above paragraph too!! -->
 
     <copyright>
       <year>2012</year>

src/aglara/09-centralcmdb.xml

@@ -140,17 +140,17 @@
 +- manifests
 |  +- site.pp  # Global definition 
 |  +- nodes.pp # Sources in the node definitions further down
-|  `- nodes
-|     +- team1
-|     |  +- nodes.pp
-|     |  `- ...
-|     `- teamN
+|  +- nodes
+|  |  +- team1
+|  |  |  +- nodes.pp
+|  |  |  `- ...
+|  |  `- teamN
+|  `- patterns
+|     +- pattern1
+|     `- patternN
 +- modules
 |  +- module1
 |  `- moduleN
-+- patterns
-|  +- pattern1
-|  `- patternN
 `- environments
    +- manifests
    |  `- nodes
@@ -466,7 +466,7 @@
 
         <para>Then, on the CA server, sign the request:</para>
 
-        <programlisting># <command>puppet cert --list</command>
+        <programlisting># <command>puppet cert list</command>
 # <command>puppet cert sign &lt;new master cert&gt;</command></programlisting>
 
         <para>Finally, retrieve the signed certificate back on the HUB:</para>
@@ -525,14 +525,11 @@
         <title>Installing puppet client</title>
 
         <para>The puppet client, just like the master, is provided by the
-        <package>app-admin/puppet</package> package. Next to puppet, we will
-        also install augeas, which is a tool that abstracts configuration
-        syntax and allows simple, automated changes on configuration
-        files.</para>
-
-        <programlisting># <command>emerge app-admin/augeas</command></programlisting>
-
-        <para>Once installed, you can start the puppet client service:</para>
+        <package>app-admin/puppet</package> package. During the installation,
+        portage will also install augeas, which is a tool that abstracts
+        configuration syntax and allows simple, automated changes on
+        configuration files. Once installed, you can start the puppet client
+        service:</para>
 
         <programlisting># <command>run_init rc-service puppet start</command></programlisting>
 
@@ -564,6 +561,26 @@
         (by default, the puppet clients connect to the master themselves).
         This can be interesting if you want to push changes to particular
         systems without waiting for the standard refresh period.</para>
+
+        <para>Now tell the client to create a certificate and send the signing
+        request to the puppet master:</para>
+
+        <programlisting># <command>puppet agent --test</command></programlisting>
+
+        <para>On the puppet master, the certificate request is now pending.
+        You can see the list of certificates with puppet cert --list. Sign the
+        certificate if you know it is indeed a valid request.</para>
+
+        <programlisting># <command>puppet cert list</command>
+  "pg_db1.internal.genfic.com" (23:A5:2F:99:65:60:12:32:00:CA:FE:7F:35:2F:E2:3A)
+# <command>puppet cert sign "pg_db1.internal.genfic.com"</command>
+notice: Signed certificate request for pg_db1.internal.genfic.com
+notice: Removing file Puppet::SSL::CertificateRequest pg_db1.internal.genfic.com at '/var/lib/puppet/ssl/ca/requests/pg_db1.internal.genfic.com.pem'</programlisting>
+
+        <para>Once the request is signed, you can retrieve the certificate
+        using the puppet agent command again.</para>
+
+        <programlisting># <command>puppet agent</command></programlisting>
       </section>
 
       <section>
@@ -575,6 +592,45 @@
         boolean.</para>
       </section>
     </section>
+
+    <section>
+      <title>Working with Puppet</title>
+
+      <para/>
+
+      <section>
+        <title>Learning the facts</title>
+
+        <para>When you are on a puppet-managed system, you can run
+        <command>facter</command> to get an overview of all the facts that it
+        found on the system. For instance, to get information on
+        addresses:</para>
+
+        <programlisting># <command>facter | grep address</command>
+ipaddress =&gt; 192.168.100.152
+ipaddress6 =&gt; 2001:db8:81:22:0:d8:e8fc:a2dc
+macaddress =&gt; 36:5b:94:e1:eb:0e</programlisting>
+      </section>
+
+      <section>
+        <title>Not using daemon</title>
+
+        <para>If you do not want to use the puppet (client) daemon, you can
+        run puppet from cron easily. Just have <command>puppet agent</command>
+        ran with the frequency you need.</para>
+      </section>
+
+      <section>
+        <title>Not using a puppet master</title>
+
+        <para>You can even use Puppet without a puppet master. In that case,
+        the local system will need access to the configuration repository
+        (which can be a read-only NFS mount or a local checkout of a
+        repository).</para>
+
+        <para/>
+      </section>
+    </section>
   </section>
 
   <section>