Source: https://puppetlabs.com/services/certification/puppet-professional

to do…

to do…

to do…

to do…

• Puppet Forge: https://forge.puppetlabs.com
• List installed modules:

  puppet module list --tree

• Search modules:

  puppet module search nginx

• Install module:

  puppet module install <module>

• Install module to different environment:

  puppet module install saz-motd --environment test

to do…

to do…

Environments are groups of puppet agents. Configured via directory or config file. Directory is easier and will replace config file environments.

• Directory environments, per default enabled in v3.7.
• Provides module path, main manifest and -config version- script.

mv /etc/puppetlabs/puppet/environments/production/manifests/site.pp /etc/puppetlabs/puppet/manifests

# edit puppet.conf
default_manifest = $confdir/manifests

cp -R /etc/puppetlabs/puppet/environments/production/ /etc/puppetlabs/puppet/environments/test

# check basemodulepath in puppet.conf includes: /opt/puppet/share/puppet/modules

• Node sends data about its state (facts) to the puppet master (hostname, node name, os, virtual, etc.)
• Puppet uses the facts to compile a catalog that specifies how the node should be configured. Sends the catalog to the agent.
• Config changes (if necessary) are reported back to the master.
• Puppet master aggregates reports and Puppet's API can also report to 3rd party tools.

to do…

Pre install

• Meet the necessary system requirements.
• Make sure DNS is working, configure A and PTR records, a puppet CNAME will also work.
• Sync time with NTPd or Chronyd.
• Open firewall ports 8140/tcp (puppet master), 443/tcp (web console), 61613/tcp (ActiveMQ MCollective). If you are using the web-based install, open port 3000/tcp during install.

Install

• Monolitic or split install.
• Local or remote database.

Post install

• Configure master server.
• Install agents via OS repo or download package. Configure puppet.conf, enable puppet.service and start agent.
• Sign agent certificates.

  puppet cert list
  puppet cert sign <name>
  #or
  puppet cert sign --all

to do…

• All client↔server traffic over HTTPS.
• Uses its own CA per default.
• Public / private keys to encrypt and sign.

• List outstanding certificates:

  puppet cert list

• List all certificates:

  puppet cert list --all

• Sign certificate:

  puppet cert sign <NAME>

• Using the PE console, the best practice architecture is to create environment groups and classification groups.
• Classify via site.pp
• Classify using Hiera.

Environment node group

• Create groups for setting environment only (dev, test, accept), do not add classes to these groups.
• Set environment override only in the environment node groups.
• Create a rule to match agents to env. groups. You can use pinning, but rules are the most flexible way to assign nodes.

Classification node group

• Create classification node group for example web-dev, web-prod, monitor, etc.
• Create a rule to match agents to class. groups.

• Puppet Enterprise rule based node classification.
• Dynamically assign nodes to groups:
  • Create node groups
  • Create rules to dynamically add and remove nodes from node groups
  • Assign classes to node groups

• Role Based Access Control, manages permissions.
• Can use external directories: LDAP, ActiveDirectory.
• Manage roles and users via Enterprise Console “Access Control” tab.

to do…

to do…

• Collects data generated by puppet.
  • most recent facts from every node.
  • most recent catalog from every node.
  • optionally event reports.
• Exports resources. Can be used by other nodes. For example a backup module configures the client and also adds the backup agent definition to the backup server.

to do…

• Log in as peadmin (cli).

  su - peadmin

• Install, enable and start the MCollective agent on the client:

  yum install mcollective

• Test connectivity:

  peadmin@puppet:~$ mco ping web1-dev.mgmt.dc.polaire.nl
  puppet.mgmt.dc.polaire.nl                time=51.06 ms
  
  
  ---- ping statistics ----
  1 replies max: 51.06 min: 51.06 avg: 51.06

• Facter collects facts about the current system.
• Per default all facts will be returned.
• Display single fact:

  $ facter netmask
  255.255.255.0

• Can be extended with scripts on the local system or on puppet master (Plugins in Modules)
• A single script can return multiple facts.
  • Local executable system script example: /etc/facter/facts.d/testje:

    # create executable script:
    #!/bin/bash
    echo "key1=value1"
    
    # Then run the test:
    $ facter key1
    value1

• Find bottlenecks with:

  facter --timing

• Structured facts: hash or array.