puppet

The last years I have used several tools to distribute the public ssh keys of my users across the servers but they don't fit anymore. I use puppet for my infrastructure but the build in puppet feature ssh_authorized_key does not fit.

I have different users across my servers and same users on many servers (e.g. web farms).

One public ssh key can be an member of:

• an ssh public key group that is mapped to an user on an server


• an ssh public key group that is mapped to an user on an sever group


• an user mapped to an server


• an user mapped to an server group

I have created an Webapp with an ajax interface. You can drag & drop the ssh key groups or ssh keys to an user.

The key will be deployed via an puppet parser function, you need the storeconfig feature in puppet.

The webapp has got an own database (postgres) but you can merge the puppet storeconfig database to the server manager database (via an rake task). If you specify an regular expression on your server groups, an new merged server will be automatically added to the group and on the next run of puppet the keys from the server group will be deployed without any action from you.

Puppet stuff:

• puppet module


• puppet function to fetch the keys from the webapp


• fact to fetch existing users on the servers (not needed, but features auto complete in the app)

drag & drop the ssh keys or the ssh key groups from right to left into the users on the servers or server groups

public ssh key distribution with puppet and ajax interface from Jonas on Vimeo.

I'm using Nagios to check for Wordpress Version updates and plugin updates - it's really nice. You don't need to login to wp-admin and check for version. An single PHP Cli script, that puppet installs and configures the nagios for every wordpress installation.

Next step: create an all in wonder script that will upgrade wordpress and all plugins

Update: Script: check_wordpress

With this post I will explain you the Puppet Configuration Key feature at the server manager.

With the puppet configuration key feature you can store configuration data used in puppet classes at your database. You can also store configuration data on server groups and add servers to that group.

Yes - it's working like ripienaar's great extlookup but with database.

For this example I have got two hosts:

• valentina.brachium-system.net


• web01.brachium-system.net

Both hosts are saved on the server manager.

We have some puppet configuration keys at server manager:



The first server valentina.brachium-system.net has got the following puppet key configuration:




The second server web01.brachium-system.net has got the following puppet key configuration:



We are using this puppet manifest:

# Configuration for dblookup from servermgmt:
$dblook_host = "localhost"
$dblook_user = "servermgmt"
$dblook_pass = "servermgmt"
$dblook_db = "servermgmt"


class ssh::server {
$ssh_server_password_authentication = dblookup('ssh_server_password_authentication')
$ssh_server_root_login = dblookup('ssh_server_root_login')
notice("ssh_server_password_authentication: $ssh_server_password_authentication")
notice("ssh_server_root_login: $ssh_server_root_login")
file { "/etc/ssh/sshd_config":
content => template("/home/jonas/puppet/templates/sshd_config.erb")
}
}


node default {
$pkg_install_subversion = dblookup('pkg_install_subversion')
notice("We are the server: ${fqdn}")
notice("pkg_install_subversion: $pkg_install_subversion")
include ssh::server
package {"subversion":
ensure => dblookup('pkg_install_subversion')
}
}

We run that manifest on the server valentina:

notice: Scope(Node[default]): We are the server: valentina.brachium-system.net
notice: Scope(Node[default]): pkg_install_subversion: present
notice: Scope(Class[ssh::server]): ssh_server_password_authentication: yes
notice: Scope(Class[ssh::server]): ssh_server_root_login: no

We run that manifest on the server web01:

notice: Scope(Node[default]): We are the server: web01.stg.brachium-system.net
notice: Scope(Node[default]): pkg_install_subversion: absent
notice: Scope(Class[ssh::server]): ssh_server_password_authentication: no
notice: Scope(Class[ssh::server]): ssh_server_root_login: yes

You can see on the verbose output from puppet, the information is fetched from the database - if the server has got no own value for one key, the default value is used.

You can get the source at http://github.com/hggh/servermgmt