With the arrival of the internal deployment VM server at work, I’ve started the process of narrowing down exactly how I’m going to be providing server rebuild and management abilities. Prime candidates right now are the Kickstart capability of RedHat Enterprise (and any derived distributions such as CentOS) for automated deployment of servers, and Reductive Labs’ Puppet for management. I’m well aware that there are other automated management tools that can do what Puppet does, but as one article I read said - using any of them is better than using none of them. So I’m using Puppet.
For those who don’t know, Puppet is a Ruby tool that has two halves - puppetmaster on the central management server, and puppetd on the remote clients. Authentication is done with SSL certificates: each client generates its own key and certificate request, the puppetmaster acts as the certificate authority and signs it, and the client/server traffic is carried over SSL sessions that those certificates authenticate.
On the server side, you define a series of recipes (Puppet calls them classes, written in manifests), such as a sudo recipe, a yum recipe and an admin users recipe. You then write the definition for a node, listing which recipes (classes and other definitions) the node is configured with. Start the puppetmaster daemon so it reads in the recipes, then start the puppetd client. A few seconds later, puppetd has fetched the configuration and applied it appropriately:
info: create new repo fred in file /etc/yum.repos.d/fred.repo
notice: //default/yum-rhel5/Yumrepo[fred]/descr: descr changed '' to 'Fred Local Repository'
notice: //default/yum-rhel5/Yumrepo[fred]/baseurl: baseurl changed '' to 'http://deploy/'
notice: //default/yum-rhel5/Yumrepo[fred]/enabled: enabled changed '' to '0'
notice: //default/yum-rhel5/Yumrepo[fred]/gpgcheck: gpgcheck changed '' to '0'
notice: //default/yum-rhel5/Yumrepo[fred]/enablegroups: enablegroups changed '' to '1'
notice: Finished configuration run in 0.59 seconds
You could, of course, ship the repository configuration as a server-side file stanza - a file resource that copies the whole fred.repo from the puppetmaster’s fileserver - rather than describing it attribute by attribute with a yumrepo resource and a set of rules.
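As an added example (not from the original post, and not Puppet’s own documentation), here is a manifest in the Puppet syntax of the day that would produce the run shown above, together with the file-stanza alternative and a sudo recipe of the kind mentioned earlier. The puppetmaster hostname "puppet", the fileserver mount "files", and the fred.repo and sudoers files assumed to live under that mount are all assumptions.

```puppet
# Added example manifest, not from the original post. Assumes a puppetmaster
# named "puppet" with a fileserver mount called "files" that holds copies of
# fred.repo and sudoers; all three names are assumptions.

# Describe the repo attribute by attribute. This is the shape of the recipe
# that produced the Yumrepo[fred] log lines above.
class yum-rhel5 {
    yumrepo { "fred":
        descr        => "Fred Local Repository",
        baseurl      => "http://deploy/",
        enabled      => "0",
        # gpgcheck "0" means no package signature check: whatever answers for
        # http://deploy/ can hand yum packages that install as root.
        gpgcheck     => "0",
        enablegroups => "1",
    }
}

# The same result as a server-side file stanza: ship the whole fred.repo
# from the puppetmaster's fileserver instead of managing each setting.
class yum-rhel5-file {
    file { "/etc/yum.repos.d/fred.repo":
        owner  => root,
        group  => root,
        mode   => 644,
        source => "puppet://puppet/files/fred.repo",
    }
}

# Managing sudoers is one reason puppetd runs as root: it has to own the
# file and set its mode, and a wrong owner or mode makes sudo refuse to run.
class sudo {
    package { "sudo": ensure => installed }
    file { "/etc/sudoers":
        owner   => root,
        group   => root,
        mode    => 440,
        source  => "puppet://puppet/files/sudoers",
        require => Package["sudo"],
    }
}

# Node definition: choose which recipes a host gets. The log path
# //default/yum-rhel5/Yumrepo[fred] comes from node "default" and the
# class "yum-rhel5".
node default {
    include yum-rhel5
    include sudo
}
```

One caveat a practitioner would want spelled out: with gpgcheck set to "0" and a plain http:// baseurl, yum trusts whatever the deploy host (or anything on the network path to it) serves, and those packages install as root. That puts the deploy server in the same trust chain as the puppetmaster. The alternatives are to sign the local packages and set gpgcheck to "1" with a gpgkey pointing at the signing key, or to accept that the deploy server needs the same protection as the puppetmaster.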
The one danger in all of this is that puppetd has to run with root privileges to manage things like the ownership and permissions on the sudoers file (which is, in turn, what enforces security on the box). This is a bit worrying, as I have to trust that the author of Puppet has done a good job of ensuring that the application won’t trash my servers. Then again, I have to trust that RedHat won’t release a package that trashes the server too, so I suppose it’s a small worry. The flip side is that the puppetmaster becomes root-equivalent for every managed node: anyone who can edit the manifests, or who gets a client certificate signed, can push arbitrary changes that run as root everywhere, so the master’s host and the certificate-signing step deserve at least the protection given to the nodes themselves.
