Simplest Enterprise Continuous Integration Solutions

Saturday, January 12, 2013

Enterprise Linux: Enable GPG signature checking for custom RPM package

# after generated GPG key on EL5.x

[root@linux64-rpm-build-server ~]# uname -a
Linux linux64-rpm-build-server 2.6.32-100.0.19.el5 #1 SMP Fri Sep 17 17:51:41 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@linux64-rpm-build-server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

# make GPG public/private keys

[buildmaster@linux64-rpm-build-server ~]$ gpg --list-keys
/home/buildmaster/.gnupg/pubring.gpg
------------------------------------------
pub 1024D/49A8C4DE 2012-05-26
uid Build Master (RPM Development) <buildmaster@my-company-name.com>
sub 2048g/60FA8C11 2012-05-26[buildmaster@linux64-rpm-build-server ~]$ gpg --list-secret-keys
/home/buildmaster/.gnupg/secring.gpg
------------------------------------------
sec 1024D/49A8C4DE 2012-05-26
uid Build Master (RPM Development) <buildmaster@my-company-name.com>
ssb 2048g/60FA8C11 2012-05-26
[buildmaster@linux64-rpm-build-server ~]$ gpg --export-secret-key -a 49A8C4DE > MYCOMPANY-GPG-KEY.private
[buildmaster@linux64-rpm-build-server ~]$ gpg --export -a 49A8C4DE > MYCOMPANY-GPG-KEY.public
[buildmaster@linux64-rpm-build-server ~]$ file MYCOMPANY-GPG-KEY.public
MYCOMPANY-GPG-KEY.public: PGP armored data public key block
[buildmaster@linux64-rpm-build-server ~]$ file MYCOMPANY-GPG-KEY.private
MYCOMPANY-GPG-KEY.private: PGP armored data

# non-root user RPM build environment configuration

[buildmaster@linux64-rpm-build-server ~]$ echo "%_signature gpg" >> ~/.rpmmacros
[buildmaster@linux64-rpm-build-server ~]$ echo "%_gpg_name Build Master" >> ~/.rpmmacros
[buildmaster@linux64-rpm-build-server ~]$ find /home/buildmaster/rpmbuild/
/home/buildmaster/rpmbuild/
/home/buildmaster/rpmbuild/RPMS
/home/buildmaster/rpmbuild/RPMS/x86_64
/home/buildmaster/rpmbuild/RPMS/noarch
/home/buildmaster/rpmbuild/RPMS/i686
/home/buildmaster/rpmbuild/BUILD
/home/buildmaster/rpmbuild/SOURCES
/home/buildmaster/rpmbuild/SPECS
/home/buildmaster/rpmbuild/SPECS/demo.spec
/home/buildmaster/rpmbuild/SRPMS

# example of demo.spec

[buildmaster@linux64-rpm-build-server ~]$ cat /home/buildmaster/rpmbuild/SPECS/demo.spec
#
# spec file for package 'name' (version 'v')
#
# The software is released as specified below.
#
Name: my-rpm-demo
Version: 2.1
Release: 120628
Summary: my-rpm-demo
Vendor: my-company-name
License: Free
URL: http://my-company-name.com
Group: Application
Prefix: /usr/local

%description
This RPM contains my-rpm-demo from my-company-name

%pre

%post

%preun

%files
%defattr(-,root,root)
%doc

/usr/local/my-rpm-demo

%changelog
* Sat Jul 28 2012 Build Master <buildmaster@my-company-name.com>
- Initial Spec File

# make sure non-root user has access

[root@linux64-rpm-build-server ~]# chmod -R 777 /usr/local/my-rpm-demo
[root@linux64-rpm-build-server ~]# chown -R buildmaster:buildmaster /usr/local/my-rpm-demo
[root@linux64-rpm-build-server ~]# cat /usr/local/my-rpm-demo/demo.txt
This is for testing

# non-root user build RPM

[buildmaster@linux64-rpm-build-server ~]$ rpmbuild -bb /home/buildmaster/rpmbuild/SPECS/demo.spec --target noarch
Building target platforms: noarch
Building for target noarch
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.88391
+ umask 022
+ cd /home/buildmaster/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.88391
+ umask 022
+ cd /home/buildmaster/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.88391
+ umask 022
+ cd /home/buildmaster/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ /usr/lib/rpm/redhat/brp-compress
+ /usr/lib/rpm/redhat/brp-strip /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
+ /usr/lib/rpm/brp-python-bytecompile
+ /usr/lib/rpm/redhat/brp-java-repack-jars
Processing files: my-rpm-demo-2.1-120628
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Checking for unpackaged file(s): /usr/lib/rpm/check-files %{buildroot}
Wrote: /home/buildmaster/rpmbuild/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.4351
+ umask 022
+ cd /home/buildmaster/rpmbuild/BUILD
+ exit 0

# YUM repo configuration via httpd

[root@mt-olinux64-y06 ~]# find /var/www/html/test-rpm/
/var/www/html/test-rpm/
/var/www/html/test-rpm/2u1
/var/www/html/test-rpm/2u1/el
/var/www/html/test-rpm/2u1/el/5
/var/www/html/test-rpm/2u1/el/5/RPMS
/var/www/html/test-rpm/2u1/el/5/RPMS/x86_64
/var/www/html/test-rpm/2u1/el/5/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
/var/www/html/test-rpm/2u1/el/5/RPMS/i686
/var/www/html/test-rpm/2u1/el/6
/var/www/html/test-rpm/2u1/el/6/RPMS
/var/www/html/test-rpm/2u1/el/6/RPMS/x86_64
/var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
/var/www/html/test-rpm/2u1/el/6/RPMS/i686
[root@mt-olinux64-y06 html]# chown -R buildmaster:buildmaster /var/www/html/test-rpm/

# sign RPM

[buildmaster@linux64-rpm-build-server ~]$ rpm --resign /var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
Enter pass phrase:
Pass phrase is good.
/var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm:
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened

# check signed RPM Signature tag

[buildmaster@linux64-rpm-build-server ~]$ rpm -qip /var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
warning: /var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 49a8c4de
Name : my-rpm-demo Relocations: /usr/local
Version : 2.1 Vendor: my-company-name
Release : 120628 Build Date: Tue 19 Jun 2012 02:13:39 PM EDT
Install Date: (not installed) Build Host: linux64-rpm-build-server
Group : Application Source RPM: my-rpm-demo-2.1-120628.src.rpm
Size : 20 License: Free
Signature : DSA/SHA1, Tue 19 Jun 2012 04:00:43 PM EDT, Key ID 9a8f082149a8c4de
URL : http://my-company-name.com
Summary : my-rpm-demo
Description :
This RPM contains my-rpm-demo from my-company-name
[buildmaster@linux64-rpm-build-server ~]$ rpm --checksig --verbose /var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
/var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm:
Header V3 DSA signature: OK, key ID 49a8c4de
Header SHA1 digest: OK (225ca746e87604d2bbe4dfaccb104ba79cfb21ec)
MD5 digest: OK (fbda1a5b85a2b972c6390f9034ffce7e)
V3 DSA signature: OK, key ID 49a8c4de

# install signed RPM on EL5.x

[root@el5.x-server ~]# uname -a
Linux linux64-rpm-build-server 2.6.32-100.0.19.el5 #1 SMP Fri Sep 17 17:51:41 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@el5.x-server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
[root@el5.x-server ~]# cat /etc/yum.repos.d/my.repo
[my-company-name-el-5]
name=(local yum repo of) my-company-name latest el 5
baseurl=http://my-company-name.com/test-rpm/2u1/el/5
gpgkey=http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
gpgcheck=1
enabled=1
[root@el5.x-server ~]# yum install my-rpm-demo
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package my-rpm-demo.noarch 0:2.1-120628 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================
Installing:
my-rpm-demo noarch 2.1-120628 my-company-name-el-5 2.2 k

Transaction Summary
=================================================================================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)

Total download size: 2.2 k
Is this ok [y/N]: y
Downloading Packages:
my-rpm-demo-2.1-120628.noarch.rpm | 2.2 kB 00:00
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 49a8c4de
my-company-name-el-6/gpgkey | 1.7 kB 00:00
Importing GPG key 0x49A8C4DE "Build Master (RPM Development) <buildmaster@my-company-name.com>" from http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : my-rpm-demo 1/1

Installed:
my-rpm-demo.noarch 0:2.1-120628

Complete!
[root@el5.x-server ~]# rpm -qi my-rpm-demo
Name : my-rpm-demo Relocations: /usr/local
Version : 2.1 Vendor: my-company-name
Release : 120628 Build Date: Tue 19 Jun 2012 02:13:39 PM EDT
Install Date: Tue 19 Jun 2012 04:11:39 PM EDT Build Host: linux64-rpm-build-server
Group : Application Source RPM: my-rpm-demo-2.1-120628.src.rpm
Size : 20 License: Free
Signature : DSA/SHA1, Tue 19 Jun 2012 04:00:43 PM EDT, Key ID 9a8f082149a8c4de
URL : http://my-company-name.com
Summary : my-rpm-demo
Description :
This RPM contains my-rpm-demo from my-company-name

# install signed RPM on EL6.x

[root@el6.x-server ~]# uname -a
Linux ol6u3-y01 2.6.32-279.el6.x86_64 #1 SMP Thu Jun 21 15:00:18 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@el6.x-server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root@el6.x-server ~]# cat /etc/yum.repos.d/my.repo
[my-company-name-el-6]
name=(local yum repo of) my-company-name latest el 6
baseurl=http://my-company-name.com/test-rpm/2u1/el/6
gpgkey=http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
gpgcheck=1
enabled=1
[root@el6.x-server ~]# yum install my-rpm-demo
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package my-rpm-demo.noarch 0:2.1-120628 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================
Installing:
my-rpm-demo noarch 2.1-120628 my-company-name-el-6 2.2 k

Transaction Summary
=================================================================================================================================================
Install 1 Package(s)

Total download size: 2.2 k
Installed size: 20
Is this ok [y/N]: y
Downloading Packages:
my-rpm-demo-2.1-120628.noarch.rpm | 2.2 kB 00:00
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 49a8c4de: NOKEY
Retrieving key from http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
Importing GPG key 0x49A8C4DE:
Userid: "Build Master (RPM Development) <buildmaster@my-company-name.com>"
From : http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : my-rpm-demo-2.1-120628.noarch 1/1
Verifying : my-rpm-demo-2.1-120628.noarch 1/1

Installed:
my-rpm-demo.noarch 0:2.1-120628

Complete!
[root@el6.x-server ~]# rpm -qi my-rpm-demo
Name : my-rpm-demo Relocations: /usr/local
Version : 2.1 Vendor: my-company-name
Release : 120628 Build Date: Tue 19 Jun 2012 02:13:39 PM EDT
Install Date: Tue 19 Jun 2012 04:14:24 PM EDT Build Host: linux64-rpm-build-server
Group : Application Source RPM: my-rpm-demo-2.1-120628.src.rpm
Size : 20 License: Free
Signature : DSA/SHA1, Tue 19 Jun 2012 04:00:43 PM EDT, Key ID 9a8f082149a8c4de
URL : http://my-company-name.com
Summary : my-rpm-demo
Description :

This RPM contains my-rpm-demo from my-company-name

Saturday, December 8, 2012

Enterprise Linux: Automated CI build framework

An automated CI build framework

Based on open source tools (CruiseControl/Jenkins, PERL, Puppet + MCollective + Hiera) for listening commits, compiling source code, generating RPM, deploying to different clusters from YUM repositories.

Saturday, November 10, 2012

Enterprise Linux: Subversion migration

Example 1: svnadmin load from a subversion backup full dump file

Note:
If the subversion backup full dump file is a .dump.zip zip binary, you need unzip it to .dump file. Otherwise you will get error as below
svnadmin: E140001: Malformed dumpfile header 'PK'
[root@svn-server ~]# unzip my-project-bkup-r0_6-20120604000034.dump.zip
Archive: my-project-bkup-r0_6-20120604000034.dump.zip
inflating: my-project-bkup-r0_6-20120604000034.dump
# Create an empty svn repo for my-new-project

[root@svn-server ~]# svnadmin load /opt/csvn/data/repositories/my-new-project < /opt/csvn/data/dumps/my-project/my-project-bkup-r0_6-20120604000034.dump

<<< Started new transaction, based on original revision 1
* adding path : branches ... done.
* adding path : tags ... done.
* adding path : trunk ... done.

------- Committed revision 1 >>>

<<< Started new transaction, based on original revision 2
* adding path : trunk/ActionTypes-Report.aspx ... done.
* adding path : trunk/ActionTypes-Report.aspx.vb ... done.
* adding path : trunk/Images ... done.
* adding path : trunk/Images/icon-calendar.gif ... done.
* adding path : trunk/Images/icon-cancel.gif ... done.

------- Committed revision 2 >>>

<<< Started new transaction, based on original revision 3
* editing path : trunk/Images/icon-calendar.gif ... done.

------- Committed revision 3 >>>

<<< Started new transaction, based on original revision 4
* editing path : trunk/ActionTypes-Report.aspx ... done.

------- Committed revision 4 >>>

<<< Started new transaction, based on original revision 5
* editing path : trunk/ActionTypes-Report.aspx ... done.

------- Committed revision 5 >>>

<<< Started new transaction, based on original revision 6
* adding path : trunk/foo.sh ... done.

------- Committed revision 6 >>>

Example 2: svnadmin load from a subversion backup full dump file with new parent-dir

# Create an empty svn repo for my-new-project, with projects/demo folder under svn repository root

[root@svn-server ~]# svnadmin load /opt/csvn/data/repositories/my-new-project --parent-dir projects/demo < /opt/csvn/data/dumps/my-project/my-project-bkup-r0_6-20120604000034.dump

<<< Started new transaction, based on original revision 1
* adding path : projects/demo/branches ... done.
* adding path : projects/demo/tags ... done.
* adding path : projects/demo/trunk ... done.

------- Committed new rev 2 (loaded from original rev 1) >>>

<<< Started new transaction, based on original revision 2
* adding path : projects/demo/trunk/ActionTypes-Report.aspx ... done.
* adding path : projects/demo/trunk/ActionTypes-Report.aspx.vb ... done.
* adding path : projects/demo/trunk/Images ... done.
* adding path : projects/demo/trunk/Images/icon-calendar.gif ... done.
* adding path : projects/demo/trunk/Images/icon-cancel.gif ... done.

------- Committed new rev 3 (loaded from original rev 2) >>>

<<< Started new transaction, based on original revision 3
* editing path : projects/demo/trunk/Images/icon-calendar.gif ... done.

------- Committed new rev 4 (loaded from original rev 3) >>>

<<< Started new transaction, based on original revision 4
* editing path : projects/demo/trunk/ActionTypes-Report.aspx ... done.

------- Committed new rev 5 (loaded from original rev 4) >>>

<<< Started new transaction, based on original revision 5
* editing path : projects/demo/trunk/ActionTypes-Report.aspx ... done.

------- Committed new rev 6 (loaded from original rev 5) >>>

<<< Started new transaction, based on original revision 6
* adding path : projects/demo/trunk/foo.sh ... done.

------- Committed new rev 7 (loaded from original rev 6) >>>

Note:
In case, you received error message as below
svnadmin: E160013: File not found: transaction '1-1', path 'projects/demo',
please run below "svn mkdir" command
/opt/csvn/bin/svn mkdir https://<svn-repo-server>/svn/my-new-project/projects/demo -m "import under projects/demo folder"

Saturday, October 27, 2012

Enterprise Linux: Auto sign custom RPM package with GPG key

[root@linux64-rpm-build-server ~]# yum install expect.x86_64

[buildmaster@linux64-rpm-build-server ~]$ cat ~/.rpmmacros
%_topdir %(echo $HOME)/rpmbuild
%_signature gpg
%_gpg_name Build Master

[buildmaster@linux64-rpm-build-server ~]$ cat /tmp/rpm-sign.exp
#!/usr/bin/expect -f

### rpm-sign.exp -- Sign RPMs by sending the passphrase.

spawn rpm --addsign {*}$argv
expect -exact "Enter pass phrase: "
send -- "<your_gpg_secret_key>\r"
expect eof

## end of rpm-sign.exp

[buildmaster@linux64-rpm-build-server ~]$ /tmp/rpm-sign.exp /<full_path_to_the_custom_RPM_package>

Saturday, October 6, 2012

Enterprise Linux: Generate GPG key

[buildmaster@linux64-rpm-build-server ~]$ cd
[buildmaster@linux64-rpm-build-server ~]$ mkdir .gnupg
[buildmaster@linux64-rpm-build-server ~]$ gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `/home/buildmaster/.gnupg/secring.gpg' created
gpg: keyring `/home/buildmaster/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Build Master
Email address: buildmaster@my-company-name.com
Comment: RPM Development

You selected this USER-ID:

"Build Master (RPM Development) <buildmaster@my-company-name.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.<your_gpg_secret_key>

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.+++++++++++++++.+++++++++++++++++++++++++++++++++++.+++++++++++++++.++++++++++.+++++.++++++++++++++++++++++++++++++++++++++++>++++++++++.............<+++++......................>+++++..............+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++++++++++++++++++++++.....+++++.+++++.+++++++++++++++.+++++.+++++.++++++++++++++++++++...+++++++++++++++.+++++++++++++++.++++++++++++++++++++++++++++++++++++++++>+++++>.+++++<+++++...............................>+++++.......<..+++++..+++++^^^
gpg: /home/buildmaster/.gnupg/trustdb.gpg: trustdb created
gpg: key 49A8C4DE marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/49A8C4DE 2012-05-26
Key fingerprint = 914C 356A 2C59 3FE1 C602 B650 9A8F 0821 49A8 C4DE
uid Build Master <buildmaster@my-company-name.com>
sub 2048g/60FA8C11 2012-05-26

[buildmaster@linux64-rpm-build-server ~]$
[buildmaster@linux64-rpm-build-server ~]$ gpg --list-keys
/home/buildmaster/.gnupg/pubring.gpg
---------------------------------
pub 1024D/49A8C4DE 2012-05-26
uid Build Master <buildmaster@my-company-name.com>
sub 2048g/60FA8C11 2012-05-26

[buildmaster@linux64-rpm-build-server ~]$ gpg --export -a 'Build Master' > MYCOMPANY-RPM-GPG-KEY
[buildmaster@linux64-rpm-build-server ~]$ file MYCOMPANY-RPM-GPG-KEY
MYCOMPANY-RPM-GPG-KEY: PGP armored data public key block
[buildmaster@linux64-rpm-build-server ~]$ echo "%_signature gpg" >> ~/.rpmmacros
[buildmaster@linux64-rpm-build-server ~]$ echo "%_gpg_name Build Master" >> ~/.rpmmacros
[buildmaster@linux64-rpm-build-server ~]$ cat ~/.rpmmacros
%_signature gpg
%_gpg_name Build Master

Saturday, September 22, 2012

Puppet Deployment: MCollective in Puppet 3.x

Puppet master/agent deployment approach is a pull-based mode (by default) fetching the master node controlled catalog to target agent nodes and apply to target agent nodes periodically (30 minutes, by default).

Puppet 2.7 Out-Of-Box puppet kick (Remotely control puppet agent) has been deprecated in Puppet 3.0.

The Marionette Collective (MCollective for short) is a tool for system administration. It can run commands on large numbers of servers in parallel, and uses a broadcast architecture so that you can administer a large network without the need for a central master server or asset database.

Each node runs an MCollective daemon that listens for requests, and can execute commands locally or return information about the server. This can be used to filter the list of target nodes. So, for example, you could use MCollective to execute a given command on all nodes that match certain criteria. You can think of MCollective as a complement to Puppet.

For example, your provisioning process for a new node might require firewall changes on other machines, permissions granted on a database server, and so on, which is not very easy to do with Puppet. Although you could automate specific jobs using shell scripts and SSH, MCollective provides a powerful and flexible way to solve this general problem.

In order to have a Puppet master/agent deployment infrastructure with a push-based mode and deploy the master nodes controlled catalog into target agent nodes on demand.

Here is the puppet 3.0.2 + mcollective configuration example to achieve a Puppet master/agent deployment infrastructure in a push-mode mode:
1. Within a Puppet master/agent deployment infrastrucutre with cert sign (make sure all of puppet nodes sync with Network Time Protocol otherwise there will be some difficulties to do puppet cert sign)
2. On puppet agent nodes, configured puppet agent service to non-daemonized
3. Installation of RPMs:

yum install activemq activemq-info-provider on a middle-ware node
yum install mcollective mcollective-client mcollective-puppet-agent mcollective-puppet-client on mcollective client node where the requests come from
yum install mcollective mcollective-puppet-agent on puppet agent nodes

4. Configuration

make mcollective daemon is up running on all of nodes
example of /etc/mcollective/server.cfg

cat /etc/mcollective/server.cfg
# main config
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = info
daemonize = 1

# connector plugin config
connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = <activemq_middle-ware_node>
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = secret

# facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml

# Plugins
securityprovider = psk
plugin.psk = unset

# puppet
plugin.puppet.command = puppet agent
plugin.puppet.splay = true
plugin.puppet.splaylimit = 30
plugin.puppet.config = /etc/puppet/puppet.conf
plugin.puppet.resource_allow_managed_resources = true
5. mcollective command with puppet plugin
[root@linux64-client ~]# mco puppet runonce -v
Discovering hosts using the mc method for 2 second(s) .... 2

* [ ============================================================> ] 2 / 2

linux64-node2 : OK
{:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

linux64-client : OK
{:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

---- rpc stats ----
Nodes: 2 / 2
Pass / Fail: 2 / 0
Start Time: Tue May 14 21:58:51 -0400 2013
Discovery Time: 2015.99ms
Agent Time: 1148.63ms
Total Time: 3164.62ms
[root@linux64-client ~]# mco puppet status linux64-node2 -v
Discovering hosts using the mc method for 2 second(s) .... 2

* [ ============================================================> ] 2 / 2

linux64-client: Currently stopped; last completed run 12 seconds ago
linux64-node2: Currently applying a catalog; last completed run 9 minutes 32 seconds ago

Summary of Applying:

true = 1
false = 1

Summary of Daemon Running:

running = 1
stopped = 1

Summary of Enabled:

enabled = 2

Summary of Idling:

false = 2

Summary of Status:

stopped = 1
applying a catalog = 1

---- rpc stats ----
Nodes: 2 / 2
Pass / Fail: 2 / 0
Start Time: Tue May 14 21:59:31 -0400 2013
Discovery Time: 2015.43ms
Agent Time: 50.95ms

Total Time: 2066.38ms

Saturday, September 8, 2012

Puppet Deployment: puppet kick in Puppet 2.7

Puppet master/agent deployment approach is a pull-based mode (be default) fetching the master node controlled catalog to target agent nodes and apply to target agent nodes periodically (30 minuts, by default).

Puppet 2.7 Out-Of-Box puppet kick (Remotely control puppet agent) needs puppet agent on the target node to be running as a daemon, be configured to listen for incoming network connection, and have an appropriate security configuration.

In order to have a Puppet master/agent deployment infrastructure with a push-based mode and deploy the master nodes controlled catalog into target agent nodes on demand.

Here is my puppet kick configuration example to achieve a Puppet master/agent deployment infrastructure in a push-mode mode:
1. Within a Puppet master/agent deployment infrastrucutre with cert sign (make sure all of puppet nodes sync with Network Time Protocol otherwise there will be some difficulties to do puppet cert sign)
2. On puppet agent nodes, snippets of /etc/puppet/auth.conf and /etc/puppet/puppet.conf

cat /etc/puppet/auth.conf

path /run

method save

auth no

allow <puppet-master-node>

cat /etc/puppet/puppet.conf

...

[agent]

...

listen = true

ignorecache = true

...

3. Trigger puppet kick from puppet master catalog to multiple puppet target nodes

puppet kick --host <puppet_agent_node>

Triggering <puppet_agent_node>

Getting status

status is success

<puppet_agent_node> finished with exit code 0

Finished