Monday, 25 April 2016

Integrating Puppet and Ansible

Objective


Ansible works over ssh and needs nothing installed on the client.
That makes Ansible a good option for bootstrapping Puppet.

Also, Ansible is trendy and is (supposedly; I'll be testing that) simpler for deploying "in a few lines".

Platform


I use my own infrastructure, built on Raspberry Pi and Cubietruck boards (so Raspbian and Armbian, both on Jessie).
The administration server is experience.

It's showtime

Synthesis

root@experience:~# apt-get update
root@experience:~# mkdir /etc/ansible
root@experience:~# cd /etc/ansible
root@experience:/etc/ansible# wget -4 https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg

Edit ansible.cfg

[defaults]
inventory      = /etc/ansible/hosts
library        = /usr/share/ansible/
remote_tmp     = $HOME/.ansible/tmp
local_tmp      = $HOME/.ansible/tmp
forks          = 5
poll_interval  = 15
sudo_user      = root
ask_sudo_pass = True
ask_pass      = True
module_lang    = C
module_set_locale = True
host_key_checking = False

timeout = 10
remote_user = pi
executable = /bin/bash
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[ssh_connection]
scp_if_ssh = True
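
The ansible.cfg above sets host_key_checking = False so that password-based bootstrapping works without a populated known_hosts. That also disables the one check that protects the SSH password and the pushed modules from a spoofed host. As an added example (my own code, not part of the original post or of Ansible), here is a small audit that parses an ansible.cfg, reports the settings that weaken transport or authentication security, and emits a hardened copy. SAMPLE_CFG is a constructed excerpt of the config shown above; the list of settings flagged is my assumption of what matters for this bootstrap.

```python
import configparser
import io

# Constructed excerpt of the ansible.cfg shown above (not read from disk).
SAMPLE_CFG = """\
[defaults]
inventory      = /etc/ansible/hosts
remote_user = pi
ask_pass      = True
host_key_checking = False
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[ssh_connection]
scp_if_ssh = True
"""

# (section, option) -> (value that weakens security, hardened value, reason).
# Assumption: these two are the settings worth flagging for this bootstrap setup.
RISKY_SETTINGS = {
    ("defaults", "host_key_checking"): (
        "false",
        "True",
        "SSH host keys are not verified: a spoofed host can capture the SSH/sudo "
        "password and the modules Ansible pushes. Pre-seed known_hosts instead.",
    ),
    ("defaults", "ask_pass"): (
        "true",
        "False",
        "Interactive SSH passwords instead of keys; acceptable for the very first "
        "bootstrap run, switch to key-based auth once keys are deployed.",
    ),
}


def parse_cfg(text):
    """Parse ansible.cfg-style INI text; interpolation is off so $HOME-style values survive."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(text))
    return parser


def audit_cfg(text):
    """Return a list of (section, option, current_value, reason) for each risky setting found."""
    parser = parse_cfg(text)
    findings = []
    for (section, option), (bad_value, _good, reason) in RISKY_SETTINGS.items():
        if parser.has_option(section, option):
            value = parser.get(section, option).strip().lower()
            if value == bad_value:
                findings.append((section, option, value, reason))
    return findings


def harden_cfg(text):
    """Return the config text with every risky setting replaced by its hardened value."""
    parser = parse_cfg(text)
    for (section, option), (bad_value, good_value, _reason) in RISKY_SETTINGS.items():
        if parser.has_option(section, option) and \
                parser.get(section, option).strip().lower() == bad_value:
            parser.set(section, option, good_value)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, option, value, reason in audit_cfg(SAMPLE_CFG):
        print("[%s] %s = %s: %s" % (section, option, value, reason))
    print(harden_cfg(SAMPLE_CFG))
```

Run it against /etc/ansible/ansible.cfg by passing the file contents to audit_cfg(); the hardened copy only makes sense once known_hosts carries an entry for every host in the inventory.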


Fill /etc/ansible/hosts with the IPs

If the 'pi' user does not exist:
root@cubietruck:~# useradd -u 1000 -m -d /home/pi -s /bin/bash -U pi
root@cubietruck:~# passwd pi

root@cubietruck:~# usermod -a -G adm,sudo,audio,video,users,input,netdev,plugdev pi

Then

root@experience:/etc/ansible# cd
root@experience:~# apt-get install -y sshpass python-pip python-apt python-distutils-extra libssl-dev

root@experience:~# sudo -H pip install --upgrade pip
root@experience:~# sudo -H pip install ansible setuptools paramiko PyYAML Jinja2 httplib2 six

Test:
root@experience:~#  ansible all -m ping

Note: the sample below is meant to run Puppet, but it needs the /etc/passwd_git file.
Remember to populate it.

Edit ~/playbook.yaml

---

- hosts: all
  tasks:
  - name: make sure ntp daemon is running
    service: name=ntp state=started

  - name: set proxy for apt
    copy: src=/etc/apt/apt.conf.d/01proxy dest=/etc/apt/apt.conf.d/01proxy owner=root group=root mode=0644
  - name: apt-get update and upgrade
    apt: upgrade=dist update_cache=yes dpkg_options='force-confold,force-confdef'
  - name: apt-get install -y puppet git expect
    apt: name=puppet,git,expect state=latest dpkg_options='force-confold,force-confdef'
  - name: allow puppetadmin to write in /etc/puppet
    file: path=/etc/puppet owner=495 state=touch mode="u+rw"
  - name: install puppetadmin user
    user: name=puppetadmin uid=495 group=root groups=adm append=yes shell=/bin/bash home=/etc/puppet move_home=yes skeleton=yes generate_ssh_key=yes ssh_key_bits=2048 ssh_key_file=.ssh/id_rsa
  - name: allow puppetadmin to be su
    shell: "echo 'puppetadmin ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/puppetadmin"
  - name: install librarian
    gem: name=librarian-puppet state=latest
  - name: install tgit link
    shell: ln -s scripts/tgit
    ignore_errors: True
    args:
      chdir: /etc/puppet/
  - name: update /etc/puppet
    shell: librarian-puppet clean && su - puppetadmin -c './tgit pull'
    args:
      executable: /bin/bash
      chdir: /etc/puppet/
  - name: Start puppet agent
    # --detailed-exitcodes makes puppet apply return 2 when changes were applied (4 or 6 on failure);
    # without it the rc is only ever 0 or 1, so the changed_when below would never fire
    shell: librarian-puppet update && /usr/bin/puppet apply --detailed-exitcodes manifests/$( hostname ).pp
    register: puppet_apply_result
    changed_when: puppet_apply_result.rc == 2
    failed_when: puppet_apply_result.rc != 2 and puppet_apply_result.rc != 0
    args:
      executable: /bin/bash
      chdir: /etc/puppet/


Let's run it!!
root@experience:~# ansible-playbook playbook.yaml

Showtime!!

Tribulations (only if you get errors)


root@experience:~# apt-get update
root@experience:~# apt-get install -y ansible
root@experience:~# cd /etc/ansible/
root@experience:/etc/ansible# ls
ansible.cfg  hosts




For the test, we'll add all the machines; filtering and grouping can come later.


#myself, experience
127.0.0.1
#cubietruck
192.168.1.5
#omv
192.168.1.28
#owncloud
192.168.1.22
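
The errors that follow come from host key checking, and the fix chosen on this page is to switch it off. The alternative is to make sure known_hosts already has an entry for every host in the inventory before running Ansible. As an added example (my own code, not the post's or Ansible's), here is a check that reads an inventory like the one above and a known_hosts file and reports the hosts that still lack a key. It understands plain, comma-separated and OpenSSH hashed (|1|salt|hmac) name fields. SAMPLE_INVENTORY is a copy of the inventory above; SAMPLE_KNOWN_HOSTS is constructed, and its key blobs are placeholders rather than real keys.

```python
import base64
import hashlib
import hmac
import os

# Constructed copy of the /etc/ansible/hosts inventory from this post.
SAMPLE_INVENTORY = """\
#myself, experience
127.0.0.1
#cubietruck
192.168.1.5
#omv
192.168.1.28
#owncloud
192.168.1.22
"""


def inventory_hosts(text):
    """Return host addresses from an INI-style inventory, ignoring comments, blank
    lines, [group] headers and any trailing 'key=value' host variables."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        hosts.append(line.split()[0])
    return hosts


def hash_known_host(host, salt=None):
    """Build an OpenSSH hashed known_hosts name field ('|1|salt|hmac') for host.
    The hash is HMAC-SHA1 keyed with a 20-byte salt over the host name."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def entry_matches(name_field, host):
    """True if a known_hosts name field (plain, comma-separated or hashed) names host."""
    if name_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = name_field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in name_field.split(",")


def hosts_without_known_key(inventory_text, known_hosts_text):
    """Return the inventory hosts that have no entry at all in known_hosts."""
    names = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked markers precede the name field
            line = line.split(None, 1)[1]
        names.append(line.split()[0])
    return [h for h in inventory_hosts(inventory_text)
            if not any(entry_matches(n, h) for n in names)]


# Constructed known_hosts: two of the four inventory hosts are present, one of them hashed.
SAMPLE_KNOWN_HOSTS = (
    "127.0.0.1,localhost ssh-ed25519 AAAAC3PLACEHOLDER\n"
    + hash_known_host("192.168.1.5") + " ssh-rsa AAAAB3PLACEHOLDER\n"
)

if __name__ == "__main__":
    for host in hosts_without_known_key(SAMPLE_INVENTORY, SAMPLE_KNOWN_HOSTS):
        print("no host key recorded for %s" % host)
```

Hosts reported as missing need their key recorded (and its fingerprint verified out of band, e.g. on the device's console) before host_key_checking can stay enabled; a first-connection prompt answered blindly gives the same guarantee as disabling the check.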


root@experience:/etc/ansible#  ansible all -m ping --ask-pass
SSH password:
192.168.1.28 | FAILED => to use the 'ssh' connection type with passwords, you must install the sshpass program
...


root@experience:/etc/ansible# apt-get install sshpass
...

root@experience:/etc/ansible#  ansible all -m ping --ask-pass
SSH password:
127.0.0.1 | FAILED => Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host.

...

WTF, it has the same problems as plain ssh ...
Bad point; all this makes me want to use expect instead! Really, if it adds nothing ...

Well, the users have to be changed anyway: on Raspbian you connect as 'pi', and on Armbian, well, it will be 'pi' too.

remote_user    = pi
sudo_user      = root
ask_sudo_pass = True
ask_pass       = True
scp_if_ssh = True
host_key_checking = False
OK, with that it works on 127.0.0.1
For simplicity, we'll add one more and limit ourselves to 2 machines.

The only one that answers is cubietruck, so let's go.
On the other hand, it's also the only one without the 'pi' user, so we create it:

root@cubietruck:~# useradd -u 1000 -m -d /home/pi -s /bin/bash -U pi
root@cubietruck:~# passwd pi

root@cubietruck:~# usermod -a -G adm,sudo,audio,video,users,input,netdev,plugdev pi

And now!

root@experience:/etc/ansible#  ansible all -m ping --ask-pass
SSH password:
127.0.0.1 | success >> {
    "changed": false,
    "ping": "pong"
}

192.168.1.5 | success >> {
    "changed": false,
    "ping": "pong"
}

root@experience:/etc/ansible# cd
root@experience:~# cat playbook.yaml
---

- hosts: all
  tasks:
  - name: make sure ntp daemon is running
    service: name=ntp state=started


root@experience:~# ansible-playbook playbook.yaml
SSH password:
ERROR: become is not a legal parameter in an Ansible task or handler


OK, let's start over and install Ansible differently.

root@experience:~# apt-get remove ansible
root@experience:~# mkdir src
root@experience:~# cd src
root@experience:~/src# git clone git://github.com/ansible/ansible.git --recursive

root@experience:~/src# cd ./ansible
root@experience:~/src/ansible# source ./hacking/env-setup
Ansible now needs setuptools in order to build. Install it using your package manager (usually python-setuptools) or via pip (pip install setuptools).

Setting up Ansible to run out of checkout...

PATH=/root/src/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PYTHONPATH=/root/src/ansible/lib:
MANPATH=/root/src/ansible/docs/man:

Remember, you may wish to specify your host file with -i

Done!




OK! That's all rotten! It isn't something to build, it's the executable itself, so I didn't put it in the right place! fuck!!!
 

root@experience:~/src/ansible# cd ..
root@experience:~/src# ls -al
total 12
drwxr-xr-x 3 root root 4096 Apr 25 15:02 .
drwx------ 7 root root 4096 Apr 25 15:09 ..
drwxr-xr-x 15 root root 4096 Apr 25 15:03 ansible
root@experience:~/src# mv ansible /var/lib/
root@experience:~/src# source /var/lib/ansible/hacking/env-setup


root@experience:~# pip install paramiko PyYAML Jinja2 httplib2 six
root@experience:~# pip install setuptools



root@experience:~# ansible-playbook playbook.yaml
SSH password:

PLAY [all] *********************************************************************

TASK [setup] *******************************************************************
fatal: [127.0.0.1]: UNREACHABLE! => {"changed": false, "msg": "Authentication failure.", "unreachable": true}
fatal: [192.168.1.5]: UNREACHABLE! => {"changed": false, "msg": "Authentication failure.", "unreachable": true}
to retry, use: --limit @playbook.retry

PLAY RECAP *********************************************************************
127.0.0.1 : ok=0 changed=0 unreachable=1 failed=0
192.168.1.5 : ok=0 changed=0 unreachable=1 failed=0


Well, I don't know which version I have, but having a dev version doesn't appeal to me.
I should have read to the end: installation via PIP

root@experience:~# cd /var/lib
root@experience:/var/lib# ls
alsa bluetooth dpkg initscripts nfs python-support ucf xml-core
ansible container emacsen-common insserv ntp samba update-rc.d
apt dbus gems logrotate pam sgml-base urandom
apt-cacher-ng dhcp git man-db plymouth sudo usbutils
aptitude dhcpcd5 initramfs-tools misc puppet systemd vim
root@experience:/var/lib# rm -fR ansible
root@experience:/var/lib# exit
pi@experience:~ $ sudo -s
root@experience:/home/pi# pip install ansible
Downloading/unpacking ansible
Downloading ansible-2.0.2.0.tar.gz (1.5MB): 1.5MB downloaded

root@experience:/home/pi# ansible --version
ansible 2.0.2.0
config file = /etc/ansible/ansible.cfg
configured module search path = /usr/share/ansible

root@experience:/home/pi# cd /etc/ansible/
root@experience:/etc/ansible# rm ansible.cfg
root@experience:/etc/ansible# wget -4 https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg


Edit and modify

Big idiot that I am, I was typing the wrong password!!!

Let's start again.

root@experience:~# ansible-playbook playbook.yaml
SSH password:
SUDO password[defaults to SSH password]:

PLAY [all] *********************************************************************


TASK [setup] *******************************************************************

ok: [192.168.1.5]
ok: [127.0.0.1]

TASK [make sure ntp daemon is running] *****************************************
ok: [127.0.0.1]
ok: [192.168.1.5]

PLAY RECAP *********************************************************************
127.0.0.1                  : ok=2    changed=0    unreachable=0    failed=0  
192.168.1.5                : ok=2    changed=0    unreachable=0    failed=0  


OK, to use apt, the python-apt module is needed


root@experience:~# apt-get install -y python-apt python-distutils-extra



Sunday, 24 April 2016

Installing puppet and librarian-puppet

with the default repositories

apt-get update
apt-get upgrade -y

lvcreate -L 512M -n puppet system
mkfs.ext4 /dev/mapper/system-puppet

apt-get install -y expect git

cd /etc
git clone https://db_freerider@bitbucket.org/dbouwyn/puppet.git

password is bitbucket_rocks

Cloning into 'puppet'...
Password for 'https://db_freerider@bitbucket.org':
remote: Counting objects: 5656, done.
remote: Compressing objects: 100% (2145/2145), done.
remote: Total 5656 (delta 3252), reused 5474 (delta 3084)
Receiving objects: 100% (5656/5656), 2.14 MiB | 315.00 KiB/s, done.
Resolving deltas: 100% (3252/3252), done.
Checking connectivity... done.


echo '/dev/mapper/system-puppet /etc/puppet ext4 rw,relatime,data=ordered 0 1' >>/etc/fstab
mount -a

mount
/dev/mapper/system-puppet on /etc/puppet type ext4 (rw,relatime,data=ordered)

apt-get install puppet
gem install librarian-puppet

cd /usr/tidy/etc/puppet && tar cf - . | tar xvf - -C /etc/puppet

cd /etc/puppet && mkdir hieradata
echo '/etc/puppet/hieradata           /var/lib/hiera  none    bind,rw         0       2' >>/etc/fstab
mount -a

useradd -g 0 -u 495 -r -d /etc/puppet -s /bin/bash puppetadmin
echo 'puppetadmin ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/puppetadmin


cd /etc && chown -R puppetadmin puppet

cd /etc/puppet && ( ln -s scripts/tgit ; ln -s scripts/autocommit.sh )

echo 'bitbucket_rocks' >/etc/passwd_git

su - puppetadmin -c './tgit pull'
librarian-puppet update
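
Both posts rely on /etc/passwd_git holding the git password in clear: the playbook above needs it in place, and here it is written with a plain echo redirect, which under the default umask 022 leaves a world-readable credential file. As an added example (my own code, not from the post), here is a check that reports a credential file that is group- or world-accessible, a symlink or not owned by the expected user, alongside a writer that creates the file with mode 0600 from the start. The demo() helper builds a loosely-permissioned and a correctly-permissioned file in a temporary directory rather than touching /etc/passwd_git; the uid parameter is an assumption about who should own the file (puppetadmin is uid 495 on this page).

```python
import os
import stat
import tempfile


def secret_file_issues(path, expected_uid=None):
    """Return a list of problems with a file that stores a credential (e.g. /etc/passwd_git):
    missing, symlink or non-regular file, any group/other permission bit, wrong owner."""
    issues = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        issues.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        issues.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("mode %04o grants group/other access" % stat.S_IMODE(st.st_mode))
    if expected_uid is not None and st.st_uid != expected_uid:
        issues.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return issues


def write_secret_file(path, secret, uid=None):
    """Create the file with mode 0600 atomically at open time, so there is no window
    in which the credential is readable by others (unlike `echo ... > file`)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret + "\n")
    os.chmod(path, 0o600)  # the file may have pre-existed with wider permissions
    if uid is not None:    # assumed owner, e.g. 495 for puppetadmin on this page
        os.chown(path, uid, -1)


def demo():
    """Return (issues for a loosely-permissioned file, issues for a correctly written one)."""
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "passwd_git_loose")
        with open(loose, "w") as f:  # mimics `echo 'secret' >/etc/passwd_git` under umask 022
            f.write("placeholder-password\n")
        os.chmod(loose, 0o644)
        tight = os.path.join(d, "passwd_git")
        write_secret_file(tight, "placeholder-password")
        return secret_file_issues(loose), secret_file_issues(tight)


if __name__ == "__main__":
    loose_issues, tight_issues = demo()
    print("echo-style file:", loose_issues)
    print("0600 file:", tight_issues)
```

On a real host, run secret_file_issues("/etc/passwd_git", expected_uid=495) after the setup steps; an empty list means the file is only readable by puppetadmin, which is what the tgit pull step needs and nothing more.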

It's now possible to run your puppet manifest, and you're saying: but ... OMG! I don't have any!

The real next step is to create your first manifest, using experience, bronco and palette as samples.

Before doing that, set up your environment.

puppet apply manifests/myexperience.pp