This post is a follow-up to the article on how to install Solaris 11.2 with Unified Archives. As explained in a former post, I think the combination of Golden Images and Puppet makes a lot of sense. But what is the best or easiest method to install and configure the Puppet agent on a newly deployed server? This post shows an easy way for Solaris 11.2.
At work we just push the agent to the new installations with a Fabric task. This works fine, but it's still an unnecessary human interaction. Therefore, my idea was to include a simple start script in the Golden Image that fetches the agent and the configuration from a remote server. But there is a simpler method available on Solaris 11.2.
- The Puppet package “pkg://solaris/system/management/puppet” must already be included in the UA image file.
- A DNS server and entries for the Puppet Master and client servers.
As shown in the OTN article Getting Started with Puppet on Oracle Solaris 11, the Puppet agent can be configured completely by setting SMF properties. For example:
# svccfg -s puppet:agent setprop config/server=master.example.com
# svccfg -s puppet:agent setprop config/certname=agent1.example.com
# svccfg -s puppet:agent refresh
# svcadm enable puppet:agent
If the configuration is in SMF, you can also add it directly to a sysconfig profile, which you can apply during the deployment of a Unified Archive.
The svccfg extract command is useful for getting the relevant XML parts after you have set these SMF properties on a test system:
# svccfg extract svc:/application/puppet:agent
In this example, the sysconfig profile from the former blog post is extended by this XML fragment. Additionally, DNS is configured, because Puppet needs to find the Puppet Master on the network.
<service_bundle type="profile" name="sysconfig">
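The certname differs per host, so the Puppet part of the profile has to be produced once per deployment. As an added example (not from the original post), this shell function writes that fragment and rejects host names that could alter the XML; the function names and the `type` attribute values are assumptions to be checked against the `svccfg extract` output from your test system.

```shell
#!/bin/sh
# Added example: emit the puppet:agent part of a sysconfig profile for one host.
# Assumptions: function names and the property-group/value types are
# illustrative; compare with `svccfg extract svc:/application/puppet:agent`.
LC_ALL=C; export LC_ALL   # make the [a-z] range below mean ASCII only

# Succeeds only for a dotted, lowercase host name. Quotes, angle brackets,
# ampersands, whitespace and newlines are refused, so a value can never
# break out of the XML attribute it is written into.
is_fqdn() {
    [ "${#1}" -le 253 ] || return 1
    case $1 in
        *[!a-z0-9.-]* | .* | *. | *..* | -* | *- | *.-* | *-.*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# puppet_profile MASTER CERTNAME -> profile XML on stdout, status 1 on bad input
puppet_profile() {
    master=$1 certname=$2
    for name in "$master" "$certname"; do
        if ! is_fqdn "$name"; then
            echo "rejected host name: $name" >&2
            return 1
        fi
    done
    cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="application/puppet">
    <instance enabled="true" name="agent">
      <property_group type="application" name="config">
        <propval type="astring" name="server" value="$master"/>
        <propval type="astring" name="certname" value="$certname"/>
      </property_group>
    </instance>
  </service>
</service_bundle>
EOF
}

# Constructed sample values, matching the host names used in the post.
if [ "${1:-}" = "--demo" ]; then
    puppet_profile master.example.com agent1.example.com
fi
```

The output covers only the Puppet service; the DNS and other services from the existing profile still have to be merged into the same service_bundle element.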
This configuration should be enough to enable the Puppet Agent to connect to the Puppet Master after a new server is installed with the Unified Archive. During the first connection the Agent requests an SSL certificate. Depending on your security requirements, you can sign it manually or configure autosigning on the Master (which signs any request whose certname matches the whitelist, without verifying which machine sent it). For example, by whitelisting your entire domain:
Once the Agent's certificate is signed, the manifests are pulled from the Master and applied. Your new installation is then completely under the control of the Puppet Master, and you can configure it with Puppet as required.