Apr 26 2018

Practical Tips for SPARC: Automatically Configuring Solaris Environments Using Puppet (Part 1)


Nowadays, we are seeing more and more instances of virtual environments being installed in a private cloud. Since these virtual environments are in many cases similarly configured, it makes sense to automate the configuration procedure.

Solaris 11.x includes the AI installer, which is a useful configuration automation tool, but is not suitable for integrated management in heterogeneous environments, because it's not available for other operating systems such as Linux. When operating within a heterogeneous environment, DevOps tools are very useful. This two-part blog provides step-by-step instructions for a configuration automation example using Puppet, which is a DevOps tool available on Solaris.

About Puppet on Solaris
Puppet is an open-source software configuration management tool produced by Puppet Labs. Puppet, with extensions for Solaris, has been distributed as a part of the OS repository since Oracle Solaris 11.2. For more details about Puppet, please see: https://puppet.com/

For the Solaris 11.3 version of the Puppet manual, please see:
https://docs.oracle.com/cd/E53394_01/html/E77676/index.html

The resource types available on Solaris can be listed with the command "puppet describe --list".

root@domaster:~# puppet describe --list

These are the types known to Puppet:

address_object - Manage the configuration of Oracle Solaris ad ...
address_properties - Manage Oracle Solaris address properties
augeas - Apply a change or an array of changes to the ...
boot_environment - Manage Oracle Solaris Boot Environments (BEs)
computer - Computer object management using DirectorySer ...
cron - Installs and manages cron jobs. Every cron re ...
dns - Manage the configuration of the DNS client fo ...
etherstub - Manage the configuration of Solaris etherstub ...
exec - Executes external commands. Any command in an ...
file - Manages files, including their content, owner ...
filebucket - A repository for storing and retrieving file ...
group - Manage groups. On most platforms this can onl ...
host - Installs and manages host entries. For most s ...
interface - This represents a router or switch interface. ...
interface_properties - Manage Oracle Solaris interface properties
ip_interface - Manage the configuration of Oracle Solaris IP ...
ip_tunnel - Manage the configuration of Oracle Solaris IP ...
ipmp_interface - Manage the configuration of Oracle Solaris IP ...
k5login - Manage the '.k5login' file for a user. Specif ...
ldap - Manage the configuration of the LDAP client f ...
link_aggregation - Manage the configuration of Oracle Solaris li ...
link_properties - Manage Oracle Solaris link properties
macauthorization - Manage the Mac OS X authorization database. S ...
mailalias - Creates an email alias in the local alias dat ...
maillist - Manage email lists. This resource type can on ...
mcx - MCX object management using DirectoryService ...
mount - Manages mounted filesystems, including puttin ...
nagios_command - The Nagios type command. This resource type i ...
nagios_contact - The Nagios type contact. This resource type i ...
nagios_contactgroup - The Nagios type contactgroup. This resource t ...
nagios_host - The Nagios type host. This resource type is a ...
nagios_hostdependency - The Nagios type hostdependency. This resource ...
nagios_hostescalation - The Nagios type hostescalation. This resource ...
nagios_hostextinfo - The Nagios type hostextinfo. This resource ty ...
nagios_hostgroup - The Nagios type hostgroup. This resource type ...
nagios_service - The Nagios type service. This resource type i ...
nagios_servicedependency - The Nagios type servicedependency. This resou ...
nagios_serviceescalation - The Nagios type serviceescalation. This resou ...
nagios_serviceextinfo - The Nagios type serviceextinfo. This resource ...
nagios_servicegroup - The Nagios type servicegroup. This resource t ...
nagios_timeperiod - The Nagios type timeperiod. This resource typ ...
nis - Manage the configuration of the NIS client fo ...
notify - Sends an arbitrary message to the agent run-t ...
nsswitch - Name service switch configuration data
package - Manage packages. There is a basic dichotomy i ...
pkg_facet - Manage Oracle Solaris package facets
pkg_mediator - Manage Oracle Solaris package mediators
pkg_publisher - Manage Oracle Solaris package publishers
pkg_variant - Manage Oracle Solaris package variants
protocol_properties - Manage Oracle Solaris protocol properties
resources - This is a metatype that can manage other reso ...
router - Manages connected router.
schedule - Define schedules for Puppet. Resources can be ...
scheduled_task - Installs and manages Windows Scheduled Tasks. ...
selboolean - Manages SELinux booleans on systems with SELi ...
selmodule - Manages loading and unloading of SELinux poli ...
service - Manage running services. Service support unfo ...
solaris_vlan - Manage the configuration of Oracle Solaris VL ...
ssh_authorized_key - Manages SSH authorized keys. Currently only t ...
sshkey - Installs and manages ssh host keys. At this p ...
stage - A resource type for creating new run stages. ...
svccfg - Manage SMF service properties with svccfg(1M) ...
tidy - Remove unwanted files based on specific crite ...
user - Manage users. This type is mostly built to ma ...
vlan - Manages a VLAN on a router or switch.
vni_interface - Manage the configuration of Solaris VNI inter ...
vnic - Manage the configuration of Oracle Solaris Vi ...
whit - Whits are internal artifacts of Puppet's curr ...
yumrepo - The client-side description of a yum reposito ...
zfs - Manage zfs. Create destroy and set properties ...
zone - Manages Solaris zones.
zpool - Manage zpools. Create and delete zpools. The ...

In addition, available providers can be confirmed with the command "puppet describe <resource type>". Below is an example of the resource type "zfs".

root@domaster:~# puppet describe zfs

zfs
===
Manage zfs. Create destroy and set properties on zfs instances.
**Autorequires:** If Puppet is managing the zpool at the root of this zfs
instance, the zfs resource will autorequire it. If Puppet is managing any
parent zfs instances, the zfs resource will autorequire them.

Parameters
----------

- **aclinherit**
The aclinherit property. Valid values are 'discard', 'noallow',
'restricted', 'passthrough', 'passthrough-x'.

- **aclmode**
The aclmode property. Valid values are 'discard', 'groupmask',
'passthrough'.

(Omits)

- **xattr**
The xattr property. Valid values are 'on', 'off'.

- **zoned**
The zoned property. Valid values are 'on', 'off'.

Providers
---------
zfs

Puppet uses a server-client model. The centralized management server is the "master," and each managed node/client is called an "agent." On Solaris, both the "master" and the "agent" are controlled by SMF, so they are started and stopped with the svcadm command.

System Configuration


Prepare two nodes, a server and a client. A domain of Oracle VM for SPARC can also be used. In this blog, the hostname of the master node is "domaster", and the hostname of the agent node is "doagent". The IP addresses of all nodes should be added to "/etc/inet/hosts". The tested OS version is Oracle Solaris 11.3 SRU 22.3.

Configuring Puppet: Puppet Installation
While Puppet has master and agent modules, the required package to install is only "system/management/puppet". Related packages are installed together.

root@domaster:~# pkg install system/management/puppet

Configuring Puppet: Configuring Master Nodes
While the "puppet.conf" file would be edited to configure master nodes on a Linux platform, in Solaris configurations the SMF properties need to be modified, as Puppet is integrated into SMF. Since the Solaris SMF service automatically creates the "puppet.conf" file in the directory "/etc/puppet", do not edit the file manually as those changes will be lost.

First, configure SMF to specify the host for the Puppet "master." The specified host information should be the hostname since it is related to the certificate of cryptographic communication with agent nodes. Do not mix a hostname and IP address, as that will cause communication between master and agent to fail.

root@domaster:~# svccfg -s puppet:master setprop config/server=domaster

Start up the service as below:

root@domaster:~# svcadm enable puppet:master

Note that it takes a couple of minutes to complete the startup processing for the service. Confirm that the service state is "online" with the command svcs. A state of "*offline" is displayed while startup processing is occurring.

root@domaster:~# svcs puppet:master
STATE STIME FMRI
*offline 10:42:41 svc:/application/puppet:master
root@domaster:~# svcs puppet:master
STATE STIME FMRI
online 10:44:52 svc:/application/puppet:master

Configuring Puppet: Configuring Agent Nodes
The SMF properties of the agent node also need to be updated with the hostname of the Puppet master.

root@doagent:~# svccfg -s puppet:agent setprop config/server=domaster
root@doagent:~# svccfg -s puppet:agent refresh

Test the connection from agent to master. Do not forget to specify the master node with the "--server" option.

root@doagent:~# puppet agent --test --server domaster

The first test will fail because the agent does not yet have a certificate signed by the master, and it displays the following message.

Info: Creating a new SSL key for doagent
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for doagent
Info: Certificate Request fingerprint (SHA256):
BA:77:44:4B:B0:33:04:B9:AC:08:9F:9B:BF:9C:6A:CC:E8:D1:6A:06:AE:73:1F:14:16:B4:4F:9F:83:70:31:FA
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

This agent test sends a certificate request to the master node, which can be checked on the latter using the "puppet cert list" command as shown in the following example.

root@domaster:~# puppet cert list
+ "doagent" (SHA256)
DB:A0:20:26:94:DA:EF:76:05:E8:C9:27:C8:6F:3D:EB:E1:90:D6:83:51:39:C6:A8:3A:EA:7B:D5:71:6D:CC:82

You then need to validate or sign the certificate request from the agent.

root@domaster:~# puppet cert sign doagent

Now repeat the test connection from agent to master to confirm that they communicate properly.

root@doagent:~# puppet agent --test --server domaster
Info: Caching certificate for doagent
Info: Caching certificate_revocation_list for ca
(Omits)
Info: Applying configuration version '1503534351'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.08 seconds

Basic Usage of Puppet: Creating a Manifest
To run Puppet, you write a configuration file called a manifest.
The basic format is as follows:
<resource type> { '<title>':
<parameter> => <value>,
}

For more details, please visit:
https://docs.puppet.com/puppet/3.8/

Below is an example manifest that adds the user 'testuser' to the agent node. Put the manifest in the directory "/etc/puppet/manifests" on the master node. In this example, the manifest filename is "site.pp".

user { 'testuser':
  ensure => 'present',
  gid    => '100',
  home   => '/export/home/testuser',
  uid    => '1001',
}
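As an added example that is not part of the original post, the following site.pp builds on the 'testuser' manifest above and uses the Solaris-specific zfs type listed by "puppet describe --list". It assumes the root pool is named rpool and that the agent node is "doagent"; the SSH public key is a placeholder to be replaced with a real one.

```puppet
# Added example (not from the original post): /etc/puppet/manifests/site.pp
# for the "doagent" node. Assumes the root pool is called "rpool".
node 'doagent' {

  # Home directories on Solaris 11 live on ZFS. Create the dataset first and
  # cap its size so a single user cannot fill the pool.
  zfs { 'rpool/export/home/testuser':
    ensure      => present,
    quota       => '2G',
    compression => 'on',
  }

  group { 'testgrp':
    ensure => present,
    gid    => '1001',
  }

  # Same user as in the post, now with an explicit group, shell and ordering.
  user { 'testuser':
    ensure     => present,
    uid        => '1001',
    gid        => '1001',
    home       => '/export/home/testuser',
    shell      => '/usr/bin/bash',
    managehome => false,  # the zfs dataset above provides the directory
    require    => [ Zfs['rpool/export/home/testuser'], Group['testgrp'] ],
  }

  # Restrict the home directory to its owner.
  file { '/export/home/testuser':
    ensure  => directory,
    owner   => 'testuser',
    group   => 'testgrp',
    mode    => '0700',
    require => User['testuser'],
  }

  # Key-based login for the user instead of a password (placeholder key).
  ssh_authorized_key { 'testuser@doagent':
    ensure  => present,
    user    => 'testuser',
    type    => 'ssh-rsa',
    key     => 'AAAAB3...PLACEHOLDER_PUBLIC_KEY...',
    require => File['/export/home/testuser'],
  }

  # Keep the SSH service enabled and running under SMF.
  service { 'svc:/network/ssh:default':
    ensure => running,
    enable => true,
  }
}
```

Apply it with the same "puppet agent --onetime --server domaster" run described below; Puppet orders the resources through the require relationships, so the dataset exists before the user and the home directory before the key.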

Basic Usage of Puppet: Running a Manifest
Run the following command on the master node to apply the manifest. If an error occurs, the error messages are written to the file "/var/log/puppet/puppet-master.log".

root@domaster:~# puppet apply -v /etc/puppet/manifests/site.pp

Run the following command on the agent node. If an error occurs, the error messages are written to the file "/var/log/puppet/puppet-agent.log".

root@doagent:~# puppet agent --onetime --server domaster

When you can log into the agent node as 'testuser,' the procedure has been successfully completed.

Disclaimer
The information contained in this blog is for general information purposes only. While we endeavour to keep the information up-to-date and correct through testing on a practical system, we make no warranties of any kind about the completeness, accuracy, reliability, suitability or availability. Any reliance you place on such information is strictly at your own risk. – The information in this blog is subject to change without notice.

Shinichiro Asai


About the Author:

Shinichiro Asai

Technical Sales Support, Platform Solution Unit, FUJITSU Japan
