Using Puppet to configure OpenStack Instances

About Puppet

Puppet is a configuration management tool that can be used to configure servers and instances at runtime. For further information visit: http://docs.puppetlabs.com/

Our Approach

Install and configure the puppet client directly on the image which will be used to launch instances. After the instance has booted, the puppet client connects to its configured puppet server and retrieves its associated configuration specification (puppet calls these manifests).

We installed the puppet server on our cloud controller c2n2. The puppet client runs inside a virtual instance. Further information about our test environment can be found: here.


Puppet Client Installation and Configuration

During the image creation phase, run the following command:

root@instanceimage:~# apt-get install puppet

to install the puppet client on your image VM. Use the “server=” statement within the “agent” section of /etc/puppet/puppet.conf (the puppet client configuration file) to configure the puppet server.

root@instanceimage:~# cat /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
runinterval=30

[agent]
server = c2n2.stratus.lab

Set an individual server query interval with “runinterval=” (in seconds). By default the puppet client queries the puppet server every 30 minutes and checks whether a new version of its configuration specification is available.

Make sure that the name of your puppet server can be resolved by the puppet client. We used the flat interface (eth1 – 192.168.4.1) of our cloud controller c2n2.stratus.lab as contact point for puppet clients on the running instances. Here is our /etc/hosts file:

root@instanceimage:~# cat /etc/hosts
127.0.0.1    localhost
127.0.1.1    pcserver

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.4.1    c2n2.stratus.lab puppet

The Puppet Server uses hostnames to identify instances with running puppet clients. Our OpenStack installation doesn’t set individual hostnames by default. Therefore we set one on boot using the following boot script:

root@instanceimage:/iconfig# cat script.sh
#!/bin/bash

# variables
hostname=""

# set hostname from the instance metadata service (short name, domain stripped)
hostname=$(wget -q -O - http://169.254.169.254/latest/meta-data/local-hostname)
hostname=${hostname%%.*}
# fall back to a random name if the metadata service returned nothing
[[ -z $hostname ]] && hostname="$RANDOM-server"
hostname "$hostname"

# start the puppet client (by default it is disabled in /etc/default/puppet)
puppetd

Hint!
Make sure that the “cloud-init” package is installed on your image VM.

Edit /etc/rc.local to run the script after the instance has booted:

root@instanceimage:~# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/iconfig/script.sh

Now, continue creating your OpenStack image…

Puppet Server Installation and Configuration

We used c2n2.stratus.lab for our puppet server. Install the puppet server:

root@c2n2:~# apt-get install puppetmaster

Configure autosign so that certificate signing requests from puppet clients on instances are answered automatically, by creating /etc/puppet/autosign.conf:

root@c2n2:~# cat /etc/puppet/autosign.conf
*.novalocal

Attention!
This configuration implies a security risk, because a node can masquerade as another node and get the configuration intended for that node. (The puppet server uses the CN, usually the FQDN of the node, to look up the node definition of the configuration to serve.) Alternatively you can answer certificate signing requests manually.
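
One way to narrow the wildcard described above is to let a policy executable decide which requests are signed. This is an added example, not part of the original setup: it assumes a Puppet version that supports policy-based autosigning (the autosign setting pointing to an executable that is run with the requested certname as its argument), and the allowlist path and the SIGNED_DIR variable are hypothetical names.

```shell
#!/bin/sh
# Added example: policy executable for the master's autosign setting.
# Assumption: puppet.conf on the master has  autosign = <path to this script>
# and the master runs it with the requested certname as $1.
# Exit 0 means "sign"; any other status leaves the request for manual signing.

# Hypothetical file: one expected certname per line, written by the operator
# when an instance is launched.
ALLOWLIST=${ALLOWLIST:-/etc/puppet/expected-instances.txt}

autosign_decision() {
    certname=$1
    allowlist=$2

    # Only lowercase host names under .novalocal; no wildcards or path chars.
    case $certname in
        *[!a-z0-9.-]*|.*|-*|*..*) return 1 ;;
        *.novalocal) ;;
        *) return 1 ;;
    esac

    # Exact whole-line match against the instances we expect to check in.
    [ -r "$allowlist" ] || return 1
    grep -qxF -- "$certname" "$allowlist" || return 1

    # Refuse a name that already has a signed certificate, so a second
    # requester cannot claim an existing node's name. The default path is an
    # assumption derived from ssldir=/var/lib/puppet/ssl.
    signed_dir=${SIGNED_DIR:-/var/lib/puppet/ssl/ca/signed}
    [ ! -e "$signed_dir/$certname.pem" ]
}

# Run the policy only when called with a certname, as the master would.
if [ "$#" -gt 0 ]; then
    autosign_decision "$1" "$ALLOWLIST"
    exit $?
fi
```

Requests the policy rejects stay pending on the master and can still be signed manually.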

For test purposes, create a simple manifest file (/etc/puppet/manifests/site.pp):

root@c2n2:~# cat /etc/puppet/manifests/site.pp
node default {
    file {'testfile':
        path    => '/tmp/testfile',
        ensure  => present,
        content => "I'm a test file.",
    }
}

The example above will create a file called “testfile” with “I’m a test file.” as its content in /tmp. For more information regarding manifests and the use of puppet in general, please visit: http://docs.puppetlabs.com/

Finally…

For debugging your configuration, it’s easier to start the puppet server in non-daemonized mode combined with the verbose output option:

root@c2n2:~# puppetmasterd --no-daemonize --verbose

Now use the image you created before to launch an OpenStack instance by using “euca-run-instances …”
