Kickstarting into puppet

05 December 2006

The topic of kickstarting and enabling puppet came up on et-mgmt-tools. In addition to what I’ve said previously on the subject, a few more tips:

1. Installing puppet in the main %packages section

If you are using Fedora Core 6, you can specify additional yum repos right in the kickstart file; with that you can install puppet from the main %packages section. Simply add

repo --name=extras --mirrorlist=$releasever&arch=$basearch

to your kickstart file (don’t forget to put real values in for $basearch and $releasever).

2. Do the initial puppet run from the kickstart

Anaconda does not set the hostname during installation, even if the DHCP server sends one. The hostname is needed though if we want to do the initial puppet run from within the kickstart. One way to find the hostname is to look at the file /tmp/netinfo that anaconda produces; with that you can do the initial puppet run like so:

%post --nochroot
# Copy netinfo, which has our FQDN from DHCP, into the chroot
test -f /tmp/netinfo && cp /tmp/netinfo /mnt/sysimage/tmp/

%post
# This section runs inside the chroot, i.e. in the installed system
/sbin/chkconfig --level 345 puppet on
# Figure out the FQDN
if [ -f /tmp/netinfo ] ; then
  FQDN=`(source /tmp/netinfo; [ -n "$DOMAIN" ] && echo "$HOSTNAME.$DOMAIN" || echo "$HOSTNAME")`
  # Run puppet, just to get the certs; the actual config update happens
  # on the next reboot
  hostname "$FQDN"
  /usr/sbin/puppetd -o -v --tag no_such_tag --waitforcert 600
fi

The invocation of puppetd is done solely to get the certs, and assumes that your puppetmaster is called puppet. Passing --tag no_such_tag makes sure that puppet goes through all its motions without actually changing anything, assuming you have nothing in your manifest tagged with no_such_tag.

Of course, you need to make sure that the puppetmaster is ready to accept a certificate signing request when you kickstart the client: make sure you run puppetca --clean CLIENT on the puppetmaster before kickstarting, and that the signing request actually gets signed when the client runs puppet; turning on autosigning for that client for a brief period of time should do that.
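
The contents of /tmp/netinfo come from the DHCP server, and the hostname set from them is the name the client's certificate request is made under. As an added example (not part of the original post), the functions below read HOSTNAME and DOMAIN without sourcing the file and refuse anything that is not a syntactically valid hostname; the function names and the KEY=value file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: netinfo holds KEY=value lines (the post's `source` implies this).
LC_ALL=C; export LC_ALL

# Print the last value assigned to key $1 in file $2, minus surrounding double quotes.
netinfo_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Succeed only if $1 is a syntactically valid DNS hostname.
valid_fqdn() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $name            # safe to split: only [A-Za-z0-9.-] can remain here
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case $label in -* | *-) return 1 ;; esac
    done
}

# Print HOSTNAME.DOMAIN (or HOSTNAME alone) from netinfo file $1, or fail.
netinfo_fqdn() {
    [ -f "$1" ] || return 1
    host=$(netinfo_get HOSTNAME "$1")
    domain=$(netinfo_get DOMAIN "$1")
    if [ -n "$domain" ]; then fqdn=$host.$domain; else fqdn=$host; fi
    valid_fqdn "$fqdn" || return 1
    printf '%s\n' "$fqdn"
}

# Constructed sample input standing in for anaconda's file.
sample=$(mktemp)
printf 'DEVICE=eth0\nHOSTNAME=web01\nDOMAIN=example.com\n' > "$sample"
netinfo_fqdn "$sample"
rm -f "$sample"
# In %post: FQDN=$(netinfo_fqdn /tmp/netinfo) && hostname "$FQDN"
```

If netinfo_fqdn fails, skip the puppetd run so that no certificate request is sent under an unexpected name.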

