Running Puppet from cron
You can do a lot with the setup you already have: work on your Puppet manifests as a team, communicate changes via GitHub, and manually apply them on a machine using the papply
script.
However, you still have to log into each machine to update the Git repo and re-run Puppet. It would be helpful to have each machine update itself and apply any changes automatically. Then all you need to do is to push a change to the repo, and it will go out to all your machines within a certain time.
The simplest way to do this is with a cron job that pulls updates from the repo at regular intervals and then runs Puppet if anything has changed.
Getting ready...
You'll need the Git repo we set up in Managing your manifests with Git and Creating a decentralized Puppet architecture, and the papply
script from Writing a papply script.
You'll also need to create an SSH key that each machine can use to pull changes from the Git repo. To create this, follow these steps:
Run the following command to generate the keyfile:
ubuntu@cookbook:~/puppet$ ssh-keygen -f ubuntu Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ubuntu. Your public key has been saved in ubuntu.pub. The key fingerprint is: ae:80:48:1c:14:51:d6:b1:73:4f:60:e2:cf:3d:ce:f1 ubuntu@cookbook The key's randomart image is: +--[ RSA 2048]----+ | ++o.o.o | | + | | + | | = + | | o oS= | | o + | | o E | | | | | +-----------------+
Print the contents of the
ubuntu.pub
file:ubuntu@cookbook:~/puppet$ cat ubuntu.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8EsdLAZHIg1nnMzJuIQ5jEcFL1WI5AVhml6Z3Gw4zc4xw6F1Citomc+3DexcaD+y3VrD3WEOGcXweCsxJF0EGyJoc4RbPAJaP3D4V/+9FQVZcH90GukasvtIrfJYy2KFfRBROKtrfckMbBlWF7U2U+FwaalMOtgLzZeECSDU4eYuheN3UVcyg9Zx87zrLYU5EK1JH2WVoZd3UmdH73/rwPJWtSEQ3xs9A2wMr0lJsCF4CcFCVwrAIoEf5WzIoHbhWyZaVyPR4gHUHd3wNIzC0rmoRiYwE5uYvVBObLN10uZhn7zGPWHEc5tYU7DMbz61iTe4NLtauwJkZxmXUiPJh ubuntu@cookbook
Copy this and add it to your GitHub repo as a deploy key (refer to the GitHub site for instructions on how to do this). This will authorize the key to clone the Puppet repo from GitHub.
How to do it...
Follow these steps:
Move the public key file into your
puppet
module:ubuntu@cookbook:~/puppet$ mv ubuntu.pub modules/puppet/files/ubuntu.pub
Keep the private key file somewhere separate from your Puppet repo (you'll distribute this via some other channel to machines which need to check out the repo).
Create the file
modules/puppet/files/pull-updates.sh
with the following contents:#!/bin/sh cd /home/ubuntu/puppet git pull && /usr/local/bin/papply
Modify the file
modules/puppet/manifests/init.pp
to look like this:class puppet { file { '/usr/local/bin/papply': source => 'puppet:///modules/puppet/papply.sh', mode => '0755', } file { '/usr/local/bin/pull-updates': source => 'puppet:///modules/puppet/pull-updates.sh', mode => '0755', } file { '/home/ubuntu/.ssh/id_rsa': source => 'puppet:///modules/puppet/ubuntu.priv', owner => 'ubuntu', mode => '0600', } cron { 'run-puppet': ensure => 'present', user => 'ubuntu', command => '/usr/local/bin/pull-updates', minute => '*/10', hour => '*', } }
Run Puppet:
ubuntu@cookbook:~/puppet$ papply Notice: /Stage[main]/Puppet/Cron[run-puppet]/ensure: created Notice: /Stage[main]/Puppet/File[/usr/local/bin/pull- updates]/ensure: defined content as '{md5}20cfc6cf2a40155d4055d475a109137d' Notice: /Stage[main]/Puppet/File[/home/ubuntu/.ssh/id_rsa]/ensure: defined content as '{md5}db19f750104d3bf4e2603136553c6f3e' Notice: Finished catalog run in 0.27 seconds
Test that the new SSH key is authorized to GitHub correctly:
ubuntu@cookbook:~/puppet$ ssh [email protected] PTY allocation request failed on channel 0 Hi bitfield/cookbook! You've successfully authenticated, but GitHub does not provide shell access. Connection to github.com closed.
Check that the
pull-updates
script works properly:ubuntu@cookbook:~/puppet$ pull-updates Already up-to-date. Notice: Finished catalog run in 0.16 seconds
How it works...
Up to now, you've been using your own SSH credentials to access GitHub from the managed machine (using SSH agent forwarding), but that won't work if we want the machine to be able to pull updates unattended, while you're not logged in. So we've created a new SSH keypair and added the public part of it as a deploy key on GitHub, which gives repo access to anyone who has the private half of the key.
We've added this private key as the ubuntu
user's default SSH key:
file { '/home/ubuntu/.ssh/id_rsa': source => 'puppet:///modules/puppet/ubuntu.priv', owner => 'ubuntu', mode => '0600', }
This enables the ubuntu
user to run git pull
in the puppet
directory. We've also added the pull-updates
script, which does this and runs Puppet if any changes were pulled:
#!/bin/sh cd /home/ubuntu/puppet git pull && papply
We deploy this script to the box with Puppet:
file { '/usr/local/bin/pull-updates': source => 'puppet:///modules/puppet/pull-updates.sh', mode => '0755', }
Finally, we've created a cron job that runs pull-updates
at regular intervals (every 10 minutes, but feel free to change this if you need to):
cron { 'run-puppet': ensure => 'present', command => '/usr/local/bin/pull-updates', minute => '*/10', hour => '*', }
There's more...
Congratulations, you now have a fully-automated Puppet infrastructure! Once you have checked out the repo on a new machine and applied the manifest, the machine will be set up to pull any new changes and apply them automatically.
So, for example, if you wanted to add a new user account to all your machines, all you have to do is add the account in your working copy of the manifest, and commit and push the changes to GitHub. Within 10 minutes it will automatically be applied to every machine that's running Puppet.
That's very handy, but sometimes we'd like to be able to apply the changes to a specific machine right away, without waiting for them to be picked up by the cron job. We can do this using the Rake tool, and we'll see how to do that in the next section.