Puppet/ko

Puppet is a configuration management system written in Ruby. It can be used to automate machine deployment.

Installation
Puppet is provided by a package in the Portage tree.

Currently, there is no separate server and client package, so the basic installation procedure is the same for both.

Emerge
First, install the Puppet package with emerge:

Configuration and setup
Puppet is mainly configured through its main configuration file, which uses an INI-style format. Comments start with a hash sign (#).

The configuration file is separated into several sections, or blocks:


 * [main] holds settings that apply to every part of Puppet, unless one of the following sections overrides them:
 * [master] holds settings that apply to the Puppetmaster (puppet master) and the CA tool (puppet cert)
 * [agent] holds settings that apply to the Puppet agent (puppet agent)

For these and the remaining blocks, consult the official Puppet documentation. The list of all settings also shows which settings apply to the server and which to the client.

Server (Puppetmaster) configuration
The default configuration installed by the ebuild can be used unchanged. With Puppet 2.7.3 the server-related part looks like this:

Setting up the file server
To be able to send files to the clients, the file server has to be configured. This is done in the file server configuration file. By default, no files are served.

The snippet above sets up a share called files (remember this identifier, as it will be referenced later), serving files from the configured path and available only to hosts with an IP address in the 192.168.0.0/24 network. IP addresses, CIDR notation and host names (including wildcards) can be used here. The deny directive explicitly denies access to certain hosts or IP ranges. Any host matching an allow rule can fetch every file under the share, so keep the allowed range as tight as possible and do not place secrets in a share that is open to a whole network.
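The access decision this configuration expresses, as an added example in Ruby (the language Puppet itself is written in); it is not code from this page or from Puppet. It parses a constructed fileserver.conf containing the files share from above plus a second share, then decides for a few constructed clients whether they may fetch from it. The share path, the second share, the client addresses and the rule that deny entries are checked before allow entries with everything unmatched denied are assumptions; Puppet's own matcher additionally ranks more specific patterns above less specific ones, so consult its documentation for the exact precedence.

```ruby
require 'ipaddr'

# Added example, not Puppet's or the Gentoo page's code: a model of the
# allow/deny ACLs in fileserver.conf. Assumptions: rules are "path|allow|deny
# VALUE" lines under a "[share]" header; a client is identified by its IPv4
# address and its reverse-resolved host name; deny rules are checked before
# allow rules and anything unmatched is denied.

# Constructed sample configuration. The share name and network are the ones
# the page uses; the paths and the second share are made up.
SAMPLE_FILESERVER_CONF = <<~CONF
  # Files shared with the agents
  [files]
    path /etc/puppet/files
    allow 192.168.0.0/24
    allow *.example.com
    deny 192.168.0.13        # a host inside the network that must not pull files
  [plugins]
    path /etc/puppet/plugins
    allow 10.1.*
CONF

# Parse the INI-style text into { share => { path:, allow: [..], deny: [..] } }.
def parse_fileserver_conf(text)
  shares = {}
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip          # '#' starts a comment
    next if line.empty?
    if (m = line.match(/\A\[([^\]]+)\]\z/))
      current = shares[m[1]] = { path: nil, allow: [], deny: [] }
    elsif current && (m = line.match(/\A(path|allow|deny)\s+(\S+)\z/))
      key, value = m[1], m[2]
      key == 'path' ? current[:path] = value : current[key.to_sym] << value
    else
      raise ArgumentError, "unparseable fileserver.conf line: #{raw.inspect}"
    end
  end
  shares
end

# Turn "192.168.0.*"-style wildcards into CIDR so IPAddr can handle them.
def ip_pattern_to_cidr(pattern)
  return pattern unless pattern.end_with?('.*')
  octets = pattern.split('.')[0..-2]
  "#{(octets + ['0'] * (4 - octets.size)).join('.')}/#{octets.size * 8}"
end

# Does a single allow/deny pattern match this client?
def pattern_matches?(pattern, ip, hostname)
  return true if pattern == '*'
  if pattern.match?(%r{\A[\d.*/]+\z})                      # IPv4, CIDR or wildcard
    IPAddr.new(ip_pattern_to_cidr(pattern)).include?(IPAddr.new(ip))
  elsif pattern.start_with?('*.')                           # "*.example.com"
    hostname.downcase.end_with?(pattern[1..].downcase)
  else                                                      # exact host name
    hostname.casecmp?(pattern)
  end
end

# Deny wins, then allow; no matching rule means no access.
def access_allowed?(share, ip, hostname)
  return false if share[:deny].any? { |p| pattern_matches?(p, ip, hostname) }
  share[:allow].any? { |p| pattern_matches?(p, ip, hostname) }
end

# Evaluate the sample configuration for constructed clients and return
# { "share:ip" => true/false }.
def evaluate_sample_clients
  shares = parse_fileserver_conf(SAMPLE_FILESERVER_CONF)
  clients = [
    ['files',   '192.168.0.10', 'web1.example.com'],  # inside the allowed network
    ['files',   '192.168.0.13', 'web2.example.com'],  # explicitly denied
    ['files',   '10.0.0.5',     'db.example.com'],    # allowed by host name only
    ['files',   '10.0.0.6',     'host.attacker.net'], # no rule matches
    ['plugins', '10.1.200.7',   'node.attacker.net'], # wildcard IP rule
  ]
  clients.to_h do |share, ip, host|
    ["#{share}:#{ip}", access_allowed?(shares.fetch(share), ip, host)]
  end
end

if __FILE__ == $PROGRAM_NAME
  evaluate_sample_clients.each { |c, ok| puts "#{c} -> #{ok ? 'allowed' : 'denied'}" }
end
```

Note that the host in 192.168.0.13 is refused even though the network rule would admit it, and that a host name rule admits a client from any network as long as its reverse lookup says example.com; a spoofable reverse DNS entry therefore widens the share, which is one reason to prefer address-based rules.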

Starting the puppetmaster daemon
With the basic configuration as well as an initial file server configuration, we can start the Puppetmaster daemon using its OpenRC init script:

During the first start, Puppet generates the SSL certificate for the Puppetmaster host and places it in the ssldir configured above.

The daemon listens on port 8140/TCP, so make sure no firewall rules block the clients from reaching it.

A simple manifest
Manifests, in Puppet's terminology, are the files in which the client configuration is specified. The documentation contains a comprehensive guide about the manifest markup language.

As a simple example we create a message of the day (MOTD). On the Puppetmaster, create the file in the files share set up earlier:

Next, create the main manifest in the manifests directory. This file is site.pp:

The default node (node is Puppet's name for a client) definition is used when there is no specific node statement for the host. We use a file resource and want the file on our clients to have the same contents as the motd file in the files share on the master. If the puppetmaster is only reachable under another host name, adapt the source URI accordingly.

Client configuration
The first run of the Puppet agent requests a certificate and then waits for the Puppetmaster to sign it. To request the certificate and execute the first configuration run, execute:

Before the client can connect, authorize the certificate request on the server. The client should appear in the list of nodes requesting a certificate; compare the fingerprint shown there with the one the agent printed before signing, as in the refresh procedure below:

Now, we grant the request:

The client polls every 60 seconds to see whether its certificate has been issued. Once it has, the agent continues with the first configuration run:

When this message appears, all went well. Now check the contents of the file on the client:

OpenRC
Start the puppet agent as a daemon and have it launch on boot:

Systemd
When running systemd instead:

Manually generating certificates
To manually generate a certificate, use Puppet's certificate utility. It places all generated certificates into the directory set as ssldir in the Puppet configuration and signs them with the key of the local Puppet Certificate Authority (CA).

An easy case is the generation of a certificate with only one Common Name:

If the certificate has to be valid for multiple host names, use the alternative-names parameter and separate the additional host names with a colon:

This example creates a certificate that is valid for three host names.

Refreshing agent certificates
This is the process for manually refreshing an agent's certificate.


 * 1) (on master)
 * 2) (on agent)
 * 3) * This causes the Puppet agent to regenerate the CSR with its existing SSL key.
 * 4) * The old certificate is no longer valid, as it was cleaned from the master.
 * 5) * If one of the above steps is skipped, an error about the certificate mismatch between agent and master will appear.
 * 6) * To replace the SSL keys as well (optional):
 * 7) (on agent)
 * 8) * When using auto-signing, no further steps are needed.
 * 9) (on master)
 * 10) Verify that the fingerprints listed in the previous two outputs match; sign the request only if they do
 * 11) (on master)
 * 12) (on agent)
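A model of the certificate handling in the two procedures above (the multi-name certificate from "Manually generating certificates" and the fingerprint comparison in step 10 of the refresh procedure), as an added example written with Ruby's OpenSSL bindings; it is not Puppet's own code and does not touch a real ssldir. It builds a throwaway CA in place of the Puppetmaster's CA, has an agent produce a CSR whose subjectAltName requests additional DNS names, fingerprints the DER-encoded request the way both sides report it, and has the CA sign only when the fingerprint reported out of band matches. All host names, key sizes and validity periods are assumptions.

```ruby
require 'openssl'

# Added example, not Puppet's code. A throwaway CA standing in for the
# Puppetmaster's local CA (CN and validity are assumptions).
def make_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Puppet CA: puppetmaster.example.com')
  cert.issuer  = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 5 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

# Agent side: a CSR for certname; extra DNS names travel as a subjectAltName
# request. Passing an existing key mirrors "regenerate the CSR with the
# existing SSL key" from the refresh procedure.
def make_csr(certname, alt_names = [], key = nil)
  key ||= OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key.public_key
  unless alt_names.empty?
    san = OpenSSL::X509::ExtensionFactory.new.create_extension(
      'subjectAltName', ([certname] + alt_names).map { |n| "DNS:#{n}" }.join(','))
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, csr: csr }
end

# The value both sides report: a digest over the DER-encoded request.
def csr_fingerprint(csr)
  OpenSSL::Digest.new('SHA256').hexdigest(csr.to_der).upcase.scan(/../).join(':')
end

# Master side: sign only a self-consistent CSR whose fingerprint equals the
# one the agent's operator reported out of band.
def sign_csr(ca, csr, expected_fingerprint, serial)
  raise 'CSR signature invalid' unless csr.verify(csr.public_key)
  raise 'fingerprint mismatch, refusing to sign' unless csr_fingerprint(csr) == expected_fingerprint
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = serial
  cert.subject = csr.subject
  cert.issuer  = ca[:cert].subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  # Carry the requested subjectAltName over into the certificate.
  csr.attributes.select { |a| a.oid == 'extReq' }.each do |attr|
    attr.value.value.first.value.each do |ext|
      cert.add_extension(OpenSSL::X509::Extension.new(ext.to_der))
    end
  end
  cert.sign(ca[:key], OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names the issued certificate is valid for.
def cert_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext ? ext.value.scan(/DNS:([^,\s]+)/).flatten : []
end

# Walk through the exchange with constructed names and report the outcome.
def demo
  ca = make_ca
  agent = make_csr('agent1.example.com', ['agent1', 'puppet-agent1.example.com'])
  fp = csr_fingerprint(agent[:csr])          # read off the agent's console
  cert = sign_csr(ca, agent[:csr], fp, 2)    # compared on the master before signing

  # A request for the same certname from a different key, as a rogue host
  # would submit, fingerprints differently and must not be signed.
  rogue = make_csr('agent1.example.com')
  rogue_rejected = begin
    sign_csr(ca, rogue[:csr], fp, 3)
    false
  rescue RuntimeError
    true
  end

  { names: cert_dns_names(cert),
    chains_to_ca: cert.verify(ca[:key]),
    rogue_fingerprint_differs: csr_fingerprint(rogue[:csr]) != fp,
    rogue_rejected: rogue_rejected }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the comparison is that the master only ever sees a request claiming a certname; nothing in the request proves which machine generated it. Reading the fingerprint on the agent's console and checking it on the master before signing is what ties the name to the host, which is why step 10 must not be skipped even though Puppet will happily sign without it.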

Managing slots with puppet
While the default portage provider in Puppet does not support slots, there are Puppet modules that add this functionality:


 * puppet-portage
 * PortageGT

External resources

 * Upstream website
 * Puppet Wiki