Toolserver:Admin:Puppet

Puppet is a configuration engine for hosts. It uses a definition of how each host should be configured, and changes the host until it matches the desired configuration. We use Puppet for distributing configuration files, installing (and upgrading) software, and enabling services. Puppet only runs on the Solaris systems.

Puppet consists of two parts: the puppetmaster, which runs on a single server and serves the configuration information, and puppetd, which runs on each host and applies the configuration. The puppetmaster runs on hemlock under the svc:/network/puppetmasterd:default SMF service. Its configuration is in /etc/puppet.

Puppet normally runs from cron on each host every 60 minutes. If you want to force a run before then (e.g. to test configuration changes), run /opt/ts/sbin/puppetd -t on the host where the config should be updated.

Editing configuration files
Most configuration files are in /etc/puppet/modules/ /files/. Basic configuration files are in the base module. Other modules contain task-specific configuration files. Note that there might be several copies of one configuration file, usually one in base and one in an overriding module.

When you edit a configuration file, remember it will be propagated to every host. Don't put host-specific things in it.

The Puppet configuration is stored in Git. When you change anything, run 'git commit' to commit your changes. Also, remember to open a MNT issue for every change.

Installing software
Puppet handles installing software. Before configuring the software to be installed, you should build a package, probably using pkgbuild. Then edit the appropriate software cluster manifest; these are stored under /global/misc/puppet/etc/modules/software/manifests. For software that should be installed on every host, add it to misc_std. For login servers only, add it to misc_user. Do not include the "TS" prefix; the Puppet configuration will add it automatically.

(Re-)Adding a server to puppet

 * Delete the servername.pem at /etc/puppet/ssl/ca/signed/ on the puppet-master if present.
 * Restart the puppet-master-service svc:/network/puppetmasterd:default on the puppet-master.
 * Install the puppet-client on the client (puppet on Debian).
 * Run puppetd --server puppet.toolserver.org --test on the client (that will output some warnings, but no errors).
 * Run puppetca -la on the puppet-master. That will show the new client name (either as only output or different from the other servers).
 * Run puppetca --sign on the puppet-master.
 * Run puppetd --server puppet.toolserver.org --test on the client.
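
A guard for the listing and signing steps above, added here as an example and not part of the original page: it refuses to proceed unless the pending list contains exactly the one client you expect. The function names, the sample host names and the assumed listing format (signed certificates prefixed with "+", pending requests unprefixed) are assumptions.

```shell
#!/bin/sh
# Added example: only sign when the pending list holds exactly the expected host.
# ASSUMPTION: `puppetca -la` prefixes already-signed certificates with "+" and
# prints pending requests without a prefix. Check this against your version.

# pending_requests: read a listing on stdin, print pending names one per line.
pending_requests() {
    awk '
        /^[ \t]*$/   { next }                 # blank line
        /^[ \t]*[+]/ { next }                 # already signed
        { name = $1; gsub(/"/, "", name); print name }  # drop quotes if present
    '
}

# safe_to_sign EXPECTED: read a listing on stdin; return 0 only if exactly one
# request is pending and its name is EXPECTED.
safe_to_sign() {
    expected=$1
    pending=$(pending_requests)
    count=$(printf '%s\n' "$pending" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: $count pending requests, expected exactly 1" >&2
        return 1
    fi
    if [ "$pending" != "$expected" ]; then
        echo "refusing: pending request is '$pending', not '$expected'" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing; the host names are made up for this example.
SAMPLE_LISTING='+ alpha.example.org
+ beta.example.org
newhost.example.org'

# On the puppet-master the listing would come from: puppetca -la
if printf '%s\n' "$SAMPLE_LISTING" | safe_to_sign newhost.example.org; then
    echo "ok to run: puppetca --sign newhost.example.org"
fi
```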