Puppet

From Wikitech
Revision as of 20:35, 15 September 2009 by ArielGlenn (Talk | contribs)


Puppet is the main configuration management tool to be used on the Wikimedia clusters.

puppetd is the client daemon that runs on all servers. It manages each machine using configuration information gathered from puppetmasterd, which runs on the machine sockpuppet.pmtpa.wmnet.


puppetd

To install puppet on a single machine, simply run

# apt-get install puppet

Communication with the puppetmaster server is over encrypted SSL and with signed certificates. To sign the certificate of the newly installed machine on the puppetmaster server, log in on sockpuppet.pmtpa.wmnet and run:

# puppetca -s clienthostname

To check the list of outstanding, unsigned certificates, use:

# puppetca -l

Puppetmaster

The puppetmaster server in pmtpa is sockpuppet.pmtpa.wmnet.

Installation

Simply use the (backported) puppetmaster Ubuntu package:

# apt-get install puppetmaster

Configuration

The default configuration is very usable, but we've made some tweaks here and there.

See /etc/puppet/site.pp for the basics. Puppet currently pushes out crontabs for the image scalers, ganglia binaries and conf files on hosts, and syncs user information including ssh keys on all hosts. It will reread its conf and push changes out every 30 minutes.

MD5 is broken; use SHA1 for signing certificates:

ca_md=sha1
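
The digest setting applies when a certificate is signed, so certificates signed before the change keep their MD5 signature. The script below is an added example, not part of the original page or of Puppet itself; it reports the signature digest of each certificate in a directory using `openssl x509`. The directory argument and the function names are assumptions, since the page does not say where the CA stores signed certificates.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit which digest signed each cert.

# Read `openssl x509 -noout -text` output on stdin; print md5, sha1,
# other:<name>, or unknown when no signature algorithm line is present.
classify_sig_alg() {
    # The algorithm is printed twice in the dump; the first line is enough.
    alg=$(sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$alg" in
        md5WithRSAEncryption)  echo md5 ;;
        sha1WithRSAEncryption) echo sha1 ;;
        '')                    echo unknown ;;
        *)                     echo "other:$alg" ;;
    esac
}

# audit_signed_dir DIR: print "<digest> <file>" for each *.pem in DIR.
# Returns 1 if any certificate is MD5-signed or cannot be parsed.
# DIR is an assumption: pass the directory where the CA keeps signed certs.
audit_signed_dir() {
    dir=$1
    status=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue          # glob matched nothing
        kind=$(openssl x509 -in "$pem" -noout -text 2>/dev/null | classify_sig_alg)
        printf '%s %s\n' "$kind" "$pem"
        case "$kind" in md5|unknown) status=1 ;; esac
    done
    return "$status"
}

# Constructed sample: excerpt of an openssl text dump for an MD5-signed cert.
SAMPLE_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
    Signature Algorithm: md5WithRSAEncryption'

printf '%s\n' "$SAMPLE_DUMP" | classify_sig_alg
```

Any host reported as `md5` needs its certificate reissued to pick up the new digest.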

Todo

  • More secure certificate signing
  • Better, more automated version control
  • Better tools for adding/maintaining node definitions