cfpuppetserver

Description

The package does standard procedure of installing Puppet Server, Puppet DB, PostgreSQL, r10k, librarian-puppet and making it work all togather. It also lives in peace with cfsystem and cfnetwork packages.

Environment configuration

The configurations expects you to provide Hiera version 4 configuration in environments. Example can be taken from codingfuture/puppe-test.

NOTE1: there is a known closed bug in puppet <=4.3.2 - please make sure that all Hiera hierarchy files exist and both empty YAML and JSON files include '{}' at least

VERY IMPORTANT!!!

Now, the modules uses [cfdb][] for High Availability support out-of-the-box. The consequences is that setup process is quite tricky - we need some facts and resources to be populated into Puppet DB while Puppet DB is malfunctioning until the stack is fully configured. Most likely, you will see some errors during conversion process and both Puppet DB & Puppet Server stop functioning.

In that case, you can continue re-provisioning previously compiled catalog until Puppet Server can continue compiling new catalogs with the following command:

/opt/puppetlabs/bin/puppet apply --catalog /opt/puppetlabs/puppet/cache/client_data/catalog/$(/bin/hostname --fqdn).json
/opt/puppetlabs/bin/puppet agent --test

Upgrade to puppetserver >= 2.5.0

As there is incompatible change related to bootstrap.cfg, please use cfpuppetserver < v0.10 for puppetserver < 2.5.

Upgrade procedures:

• Update to cfpuppetserver >= v0.10
• Manually deploy to current Puppet servers: puppet agent -t
• Puppet Server will fail to restart in 180 seconds
• Upgrade puppetserver/puppetdb/puppet-agent packages to latest versions
• Manually start services:
  • /bin/systemctl stop cfpuppetdb.service cfpuppetserver.service
  • /bin/systemctl start cfpuppetdb.service cfpuppetserver.service
• Wait for services to startup monitoring netstat -pletn
• Try Puppet deployment

Global Hiera config

Puppet 4 has own implementation of lookup() which goes through:

• Global Hiera
• Per-environment Data Providers (Hiera, custom function)
• Per-module Data Providers (Hiera, custom function)

You should not use global Hiera any more. All configurations should be set in environments as mentioned above.

Global Hiera config is as follows:

---
:backends:
  - yaml
:hierarchy:
  - global
:yaml:
  # Make sure to use hiera.yaml in environments
  :datadir: "/etc/puppetlabs/code/hieradata"

Adding new Puppet clients

This module also provides a handy tool to initalize new puppet client hosts:

~#  /opt/codingfuture/bin/cf_gen_puppet_client_init
Usage: cf_gen_puppet_client_init <certname> [<cflocation> [<cflocationpool> [<http_proxy>]]

Manual (re-)deployment of Puppet environments

~# /opt/codingfuture/bin/cf_r10k_deploy

Automatic deployment via VCS (git) hook

~# ssh deploypuppet@puppet.example.com sudo /opt/codingfuture/bin/cf_r10k_deploy

Manual fast refresh of PuppetServer JRuby instances

~# /opt/codingfuture/bin/cf_puppetserver_reload

Manual purge of node trails from infrastructure

~# /opt/codingfuture/bin/cf_purge_node

Restoring default node deactivation and purging behavior

Auto-configuration of CF modules heavily depends PuppetDB info. To protect from accident disasters, automatic node info purging is disabled on purpose. It can be restored:

cfpuppetserver::puppetdb::settings_tune:
    database:
        'node-ttl': '7d'
        'node-purge-ttl': '14d'

Setup

Initial Puppet Server infrastructure

Either do manually (preferred for self-education) or use bundled setup script:

~# ./setup_puppetserver.sh
Usage: ./setup_puppetserver.sh <r10k_repo_url> [<certname=hostname> [<cflocation> [<cflocationpool> [<http_proxy=$http_proxy>] ] ] ]

Config for Puppet Server node

Up to date installation instructions are available in Puppet Forge: https://forge.puppet.com/codingfuture/cfpuppetserver

Please use librarian-puppet to deal with dependencies. If this module is used for server setup then librarian-puppet is installed automatically.

There is a known r10k issue RK-3 which prevents automatic dependencies of dependencies installation.

Examples

Please check codingufuture/puppet-test for example of a complete infrastructure configuration and Vagrant provisioning.

cfpuppetserver class

• deployuser = 'deploypuppet' - user name for auto deploy user for VCS hook
• deployuser_auth_keys = undef - list of ssh_authorized_keys configurations
• repo_url = undef - repository location in URI format (e.g. ssh://user@host/repo or file:///some/path)
• puppetserver = true - if true then assume Puppet Server lives on this host (affects firewall)
• puppetdb = true - if true then assume Puppet DB lives on this host (affects firewall)
• postgresql = true - if true then PostgreSQL is setup on this node
• autodiscovery = true - if true then other instances of PuppetDB & PuppetServers are automatically discovered to be added for PuppetDB access / server_urls
• puppetdb_hosts = [] - statically provide PuppetDB hosts (for autodiscovery = false)
• puppetserver_hosts = [] - statically provide PuppetServer hosts (for autodiscovery = false)
• client_hosts = [] - client hosts to allow access (dynamic ipset cfpuppet_clients)
• iface = 'any' - cfnetwork::iface name to listen for incoming client connections
• cluster = 'cfpuppet' - cfdb cluster to use
• database = 'puppetdb' - cfdb::database` to use in cluster
• is_cluster = false - goes directly to cfdb::instance
• is_secondary = false - goes directly to cfdb::instance
• is_arbitrator = false - goes directly to cfdb::instance
• allow_update_check = false - open firewall to connect to updates.puppetlabs.com, if enabled

cfpuppetserver::postgresql class

NOTE: if PostgreSQL is setup through this module then you SHOULD NOT setup other cfdb instances on the same node.

• $settings_tune = {} - goes directly to cfdb::instance
• $port = 5432 - goes directly to cfdb::instance
• $node_id = undef - required, if node ID cannot be retrieved from hostname in cluster mode
• $password = undef - force specific password instead of random generated
• $version = undef - version to pass to cfdb::postgresql
• $memory_weight = 200 - goes directly to cfdb::instance
• $memory_max = undef - goes directly to cfdb::instance
• $cpu_weight = 200 - goes directly to cfdb::instance
• $io_weight = 200 - goes directly to cfdb::instance
• $init_db_from = undef - overrides default init_db_from, if set

cfpuppetserver::puppetdb class

• $use_proxy = 'secure' - by default TLS channel is used for remote PostgreSQL connections. See cfdb::access.
• $port = 8081 - port to use for PuppetDB instance
• $max_connections = 30 - maximum number of connections per pool (there are two pools)
• $memory_weight = 100 - relative weight for auto-distribution of memory resources
• $memory_max = 256 - max memory in MB
• $cpu_weight = 100 - relative weight for auto-distribution of CPU resources
• $io_weight = 100 - relative weight for auto-distribution of I/O resources
• $cert_whitelist = [] - specify the CNs of Puppet PKI to be accepted. If not set:
  • if Puppet Server runs the same node then [$fqdn]
  • otherwise, all nodes with Puppet Server configured
• $settings_tune = {} - a tree structure of PuppetDB INI for fine control

cfpuppetserver::puppetserver class

• $autosign = false - DO NOT use in production. Enable auto-sign of client certificates.
• $global_hiera_config = 'cfpuppetserver/hiera.yaml' - default global Hiera config
• $memory_weight = 100 - relative weight for auto-distribution of memory resources
• $memory_max = undef - max memory in MB
• $cpu_weight = 100 - relative weight for auto-distribution of CPU resources
• $io_weight = 100 - relative weight for auto-distribution of I/O resources
• $activesupport_ver = '4.2.7.1' - version of activesupport gem to install
• $strict = 'warning' - goes directly to puppet.conf
• $disable_warnings = 'deprecations' - goes directly to puppet.conf
• $settings_tune = {} - optional tune, tree structure
  • 'puppetserver'
    • 'max-active-instances' = $::facts['processorcount'] + 1
    • 'max-requests-per-instance' = 1000
    • 'compile-mode' = 'off'
    • 'connect-timeout-milliseconds' = 15000
    • 'idle-timeout-milliseconds' = 600000

Change Log

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

1.3.1 (2019-11-13)

• FIXED: to install ca-certificates in client init

1.3.0 (2019-04-14)

• FIXED: /status/v1/services API access
• FIXED: to ensure JRE 8 is used for puppetdb/puppetserver
• CHANGED: aligned puppetdb/puppetserver system unit files with the official ones

1.1.0 (2018-12-09)

• CHANGED: updated for Ubuntu 18.04 Bionic support
• CHANGED: to force system upgrade on new puppet agent initialization
• CHANGED: to use cfhttp service in firewall config
• FIXED: to use "cfssh" instead of "ssh" for repo-related firewall configuration
• NEW: suppot for cfdb::postresql::init_db
• NEW: added cfpuppetserver::client_hosts

1.0.1 (2018-04-13)

• CHANGED: disabled automatic deactivation & purging of nodes by default

0.12.3 (2018-03-19)

• CHANGED: to load netfilter conntrack modules on bootstrap
• FIXED: to use proper Puppet 5 release deb on bootstrap of clients
• FIXED: to install dirmngr & apt-transport-https package as part of boostrap script

0.12.2 (2018-03-15)

• CHANGED: to use cflogsink module for centralized logging, if configured

0.12.1

• CHANGED: to use syslog for PuppetServer & PuppetDB
• CHANGED: migrated to Ruby 9K
• NEW: PuppetServer & PuppetDB to version all configuration files for reload detection

0.12.0

• CHANGED: migrated to Puppet 5
• CHANGED: to support forced PostgreSQL version

0.11.3

• NEW: added cf_purge_node script

0.11.2

• FIXED: cfpuppetdb/cfpuppetserver.service TimeoutStartSec to 180sec

0.11.1

• FIXED: ExecPostStart -> ExecStartPost in systemd files
• FIXED: to properly wait for cfpuppetserver/cfpuppetdb startup in systemd
• CHANGED: to use Hiera v5 as default
• CHANGED: to require Puppet >= 4.9
• CHANGED: commented out deprecated "environment_data_provider"
• NEW: Puppet 5.x support
• NEW: Ubuntu Zesty support

0.11.0

• Fixed to properly handle PuppetDB-cfdb config
• Added dependency on cfnetwork:firewall anchor for cfpuppetdb/cfpuppetserver
• Enforced public parameter types
• Updated to use cfauth::sudoentry
• Implemented JRuby pool flush on with cf_pupperserver_reload tool
• Added full reload for puppetserver @ systemd
• Added cf_pupperserver_reload for deploy procedure
• Implemented puppetserver & puppetdb restart on package update
• Added --trace to provisioning scripts
• Minor refactoring
• Changed to cache environment until refresh through cf_puppetserver_reload
• Added pupetserver settings_tune
• Added autodiscovery, puppetdb_hosts, puppetserver_hosts and is_arbitrator parameters
• Implemented autodiscovery of other instances
• Changed, PuppetServer contacts all PuppetDB instances by default (autodiscovery)
• Added PuppetServer msgpack support
• Updated to new Puppet Function API

0.10.5

• Improved server & client bootstrap scripts
• Fixed minor issues in bootstrap process
• Disabled deprecated PuppetDB configuration directives
• Fixed to properly use PermSize for JVM7 and MetaspaceSize for JVM8+
• Updated minimal memory for PuppetDB & PuppetServer to 512MB
• Updated to cfsystem:0.10.1, cfdb:0.10.1

0.10.4

• Updated CF deps to v0.10.x

0.10.3

• Changed to use $strict=warning and $disable_warnings='deprecations' by default
• Added control of $strict and $disable_warnings options
• Fixed validation warnings

0.10.2

• Removed PuppetDB defaults for node-ttl and node-purge-ttl as it led to "vanished" nodes in not so actually maintained deployments.

0.10.1

• Fixed to install activesupport <5.0

0.10.0

• Updated to backward incompatible setup of puppetserver 2.5.0

0.9.7

• Migrated to cfdb module for PostgreSQL provisioning and High Availability setup
• Cpmpletely rewritten PuppetDB configuration
• Many parameters change!
• Security enforcement for PuppetDB access authorization

0.9.6

• Disabled scheduled agent runs safety purposes
• Added custom puppetserver.conf to mitigate memory leaks with JRuby tuning

0.9.5

• Updated to Puppet 4.5.0
• Enforced strict mode checking
• Minor fixes
• Added $allow_update_check option
• Fixed minor issues in puppet server bootstrap script
• Updated to latest deps

0.9.4

• Updated cfsystem to 0.9.9
• Changed to install all scripts under /opt/codingfuture/bin
  • cf_r10k_deploy
  • cf_gen_puppet_client_init

0.9.3

• Fixed issues in deploy.sh under some conditions
  • Forcibly added Puppet bin folder to PATH
  • Fixed deploy.sh created by setup_puppetserver.sh bootstrap script

0.9.2

• Fixed use_srv_records and ca_server puppet setting to depend on correct parameters
• Changed to use primary Puppet host for secondary Puppet servers
• Fixed dependency issues when installing Puppet Server from Puppet itself

0.9.1

• Implemented proper 3 level Global Hiera -> Environment Data Provider -> Module Data Provider configuration lookup instead of pure Hiera-based
• Moved main PuppetServer to cfsystem module and added support for more paramaters from there
• Added checks for minimal configured RAM of each service
• Added advanced PostgreSQL configuration with SSL support based on Puppet's PKI
• Fixed not to reload PuppetServer on configuration change as it leads to aborted deployment run
• Removed installation of deep_merge gem
• Fixed slave Puppet Server provisioning issues
• Added Puppet environments to etckeeeper ignore
• Fixed to properly disable CA service on slave Puppet Server
• Updated bootstrap script to be more verbose and support autosigning configuration (for testing)
• Changed to deploy dependencies though librarian-puppet instead of builtin in r10k
• Updated Puppet client configs to support ca_server

0.9.0

• Changed to use puppetlabs/postgresql and puppetlabs/puppetdb for installation
• Implemented full forceful setup of configuration
• Implemented librarian-puppet based dependency installation instead of not incomplete implementation in r10k. See RK-3.
  • No more need to include dependencies of dependencies in Puppetfile
  • Puppetfile.lock is now supported
• Bugfixes for parameter handling
• Bugfix: opened HTTPS port for Puppet Forge
• Added automatic memory limit configuration for installed services
• Changed $puppet_git_host to $repo_url
• Added new configuration variables

0.1.2

• Added hiera.yaml version 4 support
• Added Puppt Server infrastructure initialization script

0.1.1

• No changes (missed merge)

0.1.0

Initial release