Automated Puppet Agent configuration with SMF sysconfig profiles

This post is a follow-up to the article on how to install Solaris 11.2 with Unified Archives. As explained in a former post, I think the combination of Golden Images and Puppet makes a lot of sense. But what is the best or easiest method to install and configure the Puppet agent on a newly deployed server? This post shows an easy way for Solaris 11.2.

At work we just push the agent to the new installations with a Fabric task. This works fine, but it’s still an unnecessary human interaction. Therefore, my idea was to just include a simple start script in the Golden Image which fetches the agent and the configuration from a remote server. But there is a simpler method available on Solaris 11.2.

Additional requirements:

  • The Puppet package “pkg://solaris/system/management/puppet” must already be included in the UA image file.
  • A DNS server with entries for the Puppet Master and the client servers.

As shown in the Getting Started with Puppet on Oracle Solaris 11 OTN article the configuration of the Puppet agent can be done completely by setting SMF properties. For example:

# svccfg -s puppet:agent setprop config/server=master.example.com
# svccfg -s puppet:agent setprop config/certname=agent1.example.com
# svccfg -s puppet:agent refresh
# svcadm enable puppet:agent

Because the configuration lives in SMF, you can also add it directly to a sysconfig profile and apply that profile during the deployment of a Unified Archive.

After you have set these SMF properties on a test system, the svccfg extract command is useful to get the relevant XML parts:

# svccfg extract svc:/application/puppet:agent
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='profile' name='extract'>
  <service name='application/puppet' type='service' version='0'>
    <instance name='agent' enabled='true'>
      <property_group name='config' type='application'>
        <propval name='certname' type='hostname' value='agent1.example.com'/>
        <propval name='server' type='host' value='master.example.com'/>
      </property_group>
    </instance>
  </service>
</service_bundle>

In this example the sysconfig profile from the former blog post is extended with this XML fragment. DNS is configured as well, because the agent needs to resolve the Puppet Master's name on the network.

Part of sysconfig profile agent1.xml
<service_bundle type="profile" name="sysconfig">

  <service version="1" type="service" name="system/identity">
    <instance enabled="true" name="node">
      <property_group type="application" name="config">
        <propval type="astring" name="nodename" value="agent1"/>
      </property_group>
    </instance>
  </service>

  <service version="1" type="service" name="network/dns/client">
    <property_group type="application" name="config">
      <property type="net_address" name="nameserver">
        <net_address_list>
          <value_node value="192.168.0.10"/>
        </net_address_list>
      </property>
      <property type="astring" name="search">
        <astring_list>
          <value_node value="example.com"/>
        </astring_list>
      </property>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>

  <service version="1" type="service" name="system/name-service/switch">
    <property_group type="application" name="config">
      <propval type="astring" name="default" value="files"/>
      <propval type="astring" name="host" value="files dns"/>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>

  ...

  <service name='application/puppet' type='service' version='0'>
    <instance name='agent' enabled='true'>
      <property_group name='config' type='application'>
        <propval name='server' type='host' value='master.example.com'/>
        <propval name='certname' type='hostname' value='agent1.example.com'/>
      </property_group>
    </instance>
  </service>

</service_bundle>

This configuration should be enough to let the Puppet Agent connect to the Puppet Master after a new server is installed with the Unified Archive. During its first connection the Agent requests an SSL certificate; depending on your security requirements, you can sign the requests manually or configure autosigning on the Master, for example by whitelisting your entire domain:

/etc/puppet/autosign.conf
*.example.com
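The profile shown above and the autosign whitelist, as an added example that is not code from the original post: a Python script that generates the same sysconfig profile for a given host (so it can be templated per node instead of hand-edited), reads the puppet:agent settings back out of a profile for a pre-deployment audit, and previews which requested certnames an autosign.conf would accept. It assumes only the Python standard library; the host names and the resolver address are constructed sample values taken from the post's examples, and the glob matching in the autosign preview is an approximation of Puppet's own rules.

```python
"""Build and audit a Solaris sysconfig profile for the Puppet agent.

Added example; not code from the original post. Assumes only the Python
standard library. The SMF service, instance, property-group and property
names are the ones shown in the post's svccfg extract output and profile.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Same DOCTYPE that svccfg extract emits for a profile bundle.
DOCTYPE = ("<!DOCTYPE service_bundle SYSTEM "
           "'/usr/share/lib/xml/dtd/service_bundle.dtd.1'>")


def _propval(parent, name, ptype, value):
    """Append a <propval name=.. type=.. value=../> under a property_group."""
    ET.SubElement(parent, "propval", name=name, type=ptype, value=value)


def build_profile(nodename, domain, master, nameservers):
    """Return the sysconfig profile XML for one agent as a string."""
    bundle = ET.Element("service_bundle", type="profile", name="sysconfig")

    # system/identity:node -> short hostname
    svc = ET.SubElement(bundle, "service", version="1", type="service",
                        name="system/identity")
    inst = ET.SubElement(svc, "instance", enabled="true", name="node")
    pg = ET.SubElement(inst, "property_group", type="application", name="config")
    _propval(pg, "nodename", "astring", nodename)

    # network/dns/client:default -> resolver list and search domain, so the
    # agent can look up the master's name
    svc = ET.SubElement(bundle, "service", version="1", type="service",
                        name="network/dns/client")
    pg = ET.SubElement(svc, "property_group", type="application", name="config")
    prop = ET.SubElement(pg, "property", type="net_address", name="nameserver")
    lst = ET.SubElement(prop, "net_address_list")
    for ns in nameservers:
        ET.SubElement(lst, "value_node", value=ns)
    prop = ET.SubElement(pg, "property", type="astring", name="search")
    lst = ET.SubElement(prop, "astring_list")
    ET.SubElement(lst, "value_node", value=domain)
    ET.SubElement(svc, "instance", enabled="true", name="default")

    # system/name-service/switch:default -> hosts resolved via files, then DNS
    svc = ET.SubElement(bundle, "service", version="1", type="service",
                        name="system/name-service/switch")
    pg = ET.SubElement(svc, "property_group", type="application", name="config")
    _propval(pg, "default", "astring", "files")
    _propval(pg, "host", "astring", "files dns")
    ET.SubElement(svc, "instance", enabled="true", name="default")

    # application/puppet:agent -> the two settings set with svccfg setprop
    svc = ET.SubElement(bundle, "service", name="application/puppet",
                        type="service", version="0")
    inst = ET.SubElement(svc, "instance", name="agent", enabled="true")
    pg = ET.SubElement(inst, "property_group", name="config", type="application")
    _propval(pg, "server", "host", master)
    _propval(pg, "certname", "hostname", f"{nodename}.{domain}")

    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(bundle)
    body = ET.tostring(bundle, encoding="unicode")
    return f"<?xml version='1.0'?>\n{DOCTYPE}\n{body}\n"


def puppet_settings(profile_xml):
    """Return the puppet:agent config/* values found in a profile.

    Useful to check, before deployment, which master and certname a
    generated or hand-edited profile actually points at.
    """
    root = ET.fromstring(profile_xml)
    path = ("./service[@name='application/puppet']/instance[@name='agent']"
            "/property_group[@name='config']/propval")
    return {pv.get("name"): pv.get("value") for pv in root.findall(path)}


def autosign_preview(certnames, autosign_entries):
    """Return which requested certnames an autosign.conf would sign.

    Approximation (assumption): entries are matched as shell-style globs;
    comments and blank lines are skipped. Basic autosign decides on the
    certname written into the CSR alone, so a domain-wide entry such as
    '*.example.com' signs any request that claims a name in that domain;
    that is the trade-off the post means by "depending on your security
    requirements".
    """
    patterns = [e.strip() for e in autosign_entries
                if e.strip() and not e.strip().startswith("#")]
    return sorted(n for n in certnames
                  if any(fnmatch.fnmatch(n, p) for p in patterns))


if __name__ == "__main__":
    # Constructed sample values, matching the post's example hosts.
    profile = build_profile("agent1", "example.com", "master.example.com",
                            ["192.168.0.10"])
    print(profile)
    print(puppet_settings(profile))
    print(autosign_preview(["agent1.example.com", "host.other.test"],
                           ["# signed automatically", "*.example.com"]))
```

Running the script prints the generated profile, the two puppet:agent settings read back from it, and the list of certnames the whitelist would accept; feeding it a hand-edited agent1.xml instead shows the same audit for an existing profile.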

Once the Agent's certificate is signed, the manifests are pulled from the Master and applied. Your new installation is then completely under the control of the Puppet Master and can be configured with Puppet as required.
