Software-Configuration-Management on Janik von Rotz https://janikvonrotz.ch/categories/software-configuration-management/ Recent content in Software-Configuration-Management on Janik von Rotz Hugo en Fri, 05 Jun 2020 20:07:00 +0200 Pin and update Ubuntu packages with Ansible https://janikvonrotz.ch/2020/06/05/pin-and-update-ubuntu-packages-with-ansible/ Fri, 05 Jun 2020 20:07:00 +0200 https://janikvonrotz.ch/2020/06/05/pin-and-update-ubuntu-packages-with-ansible/ <p>Patching is an essential part in server maintenance. For Windows servers and clients you have <a href="https://de.wikipedia.org/wiki/Windows_Server_Update_Services">WSUS</a> to coordinate updates and security patches. But how do you patch Ubuntu, Debian, RHEL or Fedora machines? The linux distro field is very dispersed, how do you do patch all these systems? In this post I will show you how I install package updates and ensure that specific packages cannot be updated using version pinning.</p> <p>The current state of patch managenent.</p> <h1 id="enterprise-derivatives">Enterprise derivatives</h1> <p>RHEL and Ubuntu are both enterprise derivates, which means that enterprise features for these distros are managed by companies and not communities.</p> <p>Ubuntu is managed by <a href="https://canonical.com/">Canonical</a> and they have their <a href="https://ubuntu.com/livepatch">Livepatch Service</a> to apply patches.</p> <p>RHEL is managed by <a href="https://www.redhat.com/">Red Hat</a> and they provide <a href="https://www.redhat.com/de/technologies/management/satellite">Satellite</a> to apply patches, system configurations and much more.</p> <h1 id="community-derivates">Community derivates</h1> <p>Debian, Fedora and <a href="https://en.wikipedia.org/wiki/List_of_Linux_distributions">many more</a> are distros managed by communities. If you search their name in combination with patching you end up with various blog posts, where people show how they install the kernel updates and security patches. It is obvious that patch management is executed by companies running a farm of servers and there for seek automated solutions.</p> <p>However, with Ansible you can easily manage you server farm and therefore also require an advanced solution to apply patches for your hosts.</p> <h1 id="patch-ubuntu-using-ansible">Patch Ubuntu using Ansible</h1> <p>First let me assure that the method for patching can also be used for other distros. For better understanding I will show how its done using Ubuntu.</p> <p>In this tutorial I will show you how I install essential packages and apply system patches. For my system configurations I try to be as explicit as possible, which means I pin versions for installed software. Assume that we have a Docker installation on an Ubuntu server and want to make sure that Docker is not updated as we do not want break compatibility.</p> <h2 id="project-setup">Project setup</h2> <p>In my Ansible project I have created the following inventory and role:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-txt" data-lang="txt"><span style="display:flex;"><span>inventories/setup </span></span><span style="display:flex;"><span>├── group_vars </span></span><span style="display:flex;"><span>│   ├── all.yml </span></span><span style="display:flex;"><span>│   └── ubuntu1804.yml </span></span><span style="display:flex;"><span>├── host_vars </span></span><span style="display:flex;"><span>│   ├── server1.yml </span></span><span style="display:flex;"><span>│   └── server2.yml </span></span><span style="display:flex;"><span>└── hosts.yml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>roles/update/tasks </span></span><span style="display:flex;"><span>├── main.yml </span></span><span style="display:flex;"><span>└── update-ubuntu.yml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>roles/docker/tasks </span></span><span style="display:flex;"><span>├── main.yml </span></span><span style="display:flex;"><span>└── install.yml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>setup.yml </span></span></code></pre></div><p>The <code>setup.yml</code> is an Ansible playbook that installs docker and updates servers. Note that I simplified the project setup for this tutorial.</p> <h2 id="group-vars">Group vars</h2> <p>The group vars usually contains a list of packages.</p> <p><strong>inventories/setup/group_vars/ubuntu1804.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#f92672">docker_package</span>: <span style="color:#e6db74">&#34;docker-ce=5:19.03.8~3-0~ubuntu-bionic&#34;</span> </span></span></code></pre></div><p>I will demonstrate the pin version feature using this package.</p> <h2 id="host-vars">Host vars</h2> <p>The host vars simply tell wether this host should be updated or not.</p> <p><strong>inventories/setup/host_vars/server1.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#f92672">update</span>: <span style="color:#66d9ef">yes</span> </span></span></code></pre></div><h2 id="setup-role">Setup role</h2> <p>The setup role installs docker ce and pins its version if the package string contains an <code>=</code>.</p> <p><strong>roles/docker/tasks/install.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Unpin docker-ce version</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">dpkg_selections</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;{{ docker_package }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">selection</span>: <span style="color:#ae81ff">hold</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">when</span>: <span style="color:#e6db74">&#34;&#39;=&#39; not in docker_package&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Update apt and install docker-ce</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">apt</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">update_cache</span>: <span style="color:#66d9ef">yes</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;{{ docker_package }}&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Pin docker-ce version</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">dpkg_selections</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;{{ docker_package.split(&#39;=&#39;)[0] }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">selection</span>: <span style="color:#ae81ff">hold</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">when</span>: <span style="color:#e6db74">&#34;&#39;=&#39; in docker_package&#34;</span> </span></span></code></pre></div><p>Once a package has been pinned, it cannot be updated by the package manger.</p> <h2 id="update-role">Update role</h2> <p>The update role runs only if updates are enabled for the host.</p> <p><strong>update/tasks/main.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Include update tasks</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">include_tasks</span>: <span style="color:#ae81ff">update-ubuntu.yml</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">when</span>: <span style="color:#ae81ff">update</span> </span></span></code></pre></div><p>The update role refreshes the repo cache and runs a dist upgrade.</p> <p><strong>update/tasks/update-ubuntu.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Update apt-get repo and cache</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">apt</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">update_cache</span>: <span style="color:#66d9ef">yes</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">force_apt_get</span>: <span style="color:#66d9ef">yes</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">cache_valid_time</span>: <span style="color:#ae81ff">3600</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Upgrade all packages</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">apt</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">upgrade</span>: <span style="color:#ae81ff">dist</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Check if reboot is required</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">stat</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">path</span>: <span style="color:#ae81ff">/var/run/reboot-required</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">register</span>: <span style="color:#ae81ff">reboot_required</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Reboot system if required</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">reboot</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">msg</span>: <span style="color:#ae81ff">Rebooting to complete system upgrade</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">reboot_timeout</span>: <span style="color:#ae81ff">120</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">when</span>: <span style="color:#ae81ff">reboot_required.stat.exists</span> </span></span></code></pre></div><p>If a reboot is required it will do so.</p> <h2 id="run-the-playbook">Run the playbook</h2> <p>The Ansible playbook <code>setup.yml</code> supports two running modes. The default mode and the update mode (<code>update</code> tag is required).</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">hosts</span>: <span style="color:#ae81ff">all</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">become</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">roles</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">role</span>: <span style="color:#ae81ff">docker</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: <span style="color:#ae81ff">docker</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">role</span>: <span style="color:#ae81ff">update</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: <span style="color:#ae81ff">update,never</span> </span></span></code></pre></div><p>To install docker on the target host you would enter: <code>ansible-playbook -i inventory/setup setup.yml -l server1</code></p> <p>And to update the target host you would enter: <code>ansible-playbook -i inventory/setup setup.yml -l server1 -t update</code></p> <p>It is recommend the run the update command periodically.</p> <p>I hope I was able to demonstrate how you can manage patches for your linux systems using Ansible. As mentioned this method can be used for other non-aptitude-enabled distros.</p> Package Java Spring Boot service into rpm https://janikvonrotz.ch/2019/04/12/package-java-spring-boot-service-into-rpm/ Fri, 12 Apr 2019 11:38:15 +0200 https://janikvonrotz.ch/2019/04/12/package-java-spring-boot-service-into-rpm/ <p>This post is a follow-up to my last post <a href="https://janikvonrotz.ch/2019/03/20/the-final-rpm-packaging-guide/">The final rpm packaging guide</a>. What I did not cover in the &ldquo;final&rdquo; guide was how to deal with the common case of packaging a service. In this post we are going to build a simple java spring boot application and package it as a <a href="https://www.linux.com/learn/understanding-and-using-systemd">systemd</a> service into an rpm.</p> <p>To get started I recommend to walk through the test setup section of <a href="https://janikvonrotz.ch/2019/03/20/the-final-rpm-packaging-guide#test-setup">my last post</a>.</p> <h1 id="requirements">Requirements</h1> <p>To accomplish this tutorial a few dev tools must be installed.</p> <p><a href="https://httpie.org">httpie</a> - Modern alternative to wget and curl.</p> <p><code>sudo yum install httpie</code></p> <p><a href="https://rpm.org/">rpmbuild</a> - Utility to build rpms.</p> <p><code>sudo yum install rpm-build</code></p> <p><a href="https://fedoraproject.org/wiki/Rpmdevtools">rpmdev</a> - Dev utilities to build rpms.</p> <p><code>sudo yum install rpmdevtools</code></p> <p><a href="https://github.com/rpm-software-management/rpmlint">rpmlint</a> - Tool for checking common errors in rpm packages.</p> <p><code>sudo yum install rpmlint</code></p> <h1 id="example-application">Example Application</h1> <p>We assume that we want to deploy a spring boot application.</p> <p>Lets create one from the spring boot getting started source.</p> <p>Checkout the official getting started repository.</p> <p><code>cd ~ &amp;&amp; git clone https://github.com/spring-guides/gs-spring-starter.git</code></p> <p>Navigate into the project.</p> <p><code>gs-spring-starter/initial</code></p> <p>Then build and run the jar file.</p> <p><code>./gradlew build &amp;&amp; java -jar build/libs/gs-spring-starter-0.1.0.jar</code></p> <p>Check if you get a response from the spring boot service.</p> <p><code>http GET localhost:8080</code></p> <p>It should return:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-txt" data-lang="txt"><span style="display:flex;"><span>HTTP/1.1 200 </span></span><span style="display:flex;"><span>Content-Length: 27 </span></span><span style="display:flex;"><span>Content-Type: text/plain;charset=UTF-8 </span></span><span style="display:flex;"><span>Date: Fri, 12 Apr 2019 07:28:37 GMT </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Greetings from Spring Boot! </span></span></code></pre></div><h1 id="project-setup">Project Setup</h1> <p>Create the initial rpm folder structure.</p> <p><code>cd ~; mkdir rpmbuild; cd ~/rpmbuild; rpmdev-setuptree</code></p> <p>Copy the jar file into the source folder.</p> <p><code>cp ../gs-spring-starter/initial/build/libs/gs-spring-starter-0.1.0.jar SOURCES/</code></p> <p>Our example service will be managed by systemd and thus we also have to package a service file into the rpm.</p> <p>Create the file <code>vim SOURCES/spring-starter.service</code> with the following content:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-txt" data-lang="txt"><span style="display:flex;"><span>[Unit] </span></span><span style="display:flex;"><span>Description=Spring Starter </span></span><span style="display:flex;"><span>After=network-online.target </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[Service] </span></span><span style="display:flex;"><span>Type=simple </span></span><span style="display:flex;"><span>WorkingDirectory=/var/opt/spring-starter </span></span><span style="display:flex;"><span>ExecStart=/usr/bin/java -jar /usr/local/spring-starter/gs-spring-boot.jar </span></span><span style="display:flex;"><span>Restart=on-abort </span></span><span style="display:flex;"><span>User=spring-starter </span></span><span style="display:flex;"><span>Group=spring-starter </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[Install] </span></span><span style="display:flex;"><span>WantedBy=multi-user.target </span></span></code></pre></div><p>And thats it.</p> <h1 id="write-the-spec">Write the Spec</h1> <p>The spec file defines the rpm build process and installation procedure.</p> <p>Create a spec file for our spring starter application.</p> <p><code>vim SPECS/spring-starter.spec</code></p> <p>And set the following content:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">##### HEADER SECTION #####</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Name: spring-starter </span></span><span style="display:flex;"><span>Version: 0.1.0 </span></span><span style="display:flex;"><span>Release: <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>Summary: Rpm package <span style="color:#66d9ef">for</span> Spring Starter </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>License: ASL 2.0 </span></span><span style="display:flex;"><span>URL: https://spring.io </span></span><span style="display:flex;"><span>Source0: gs-spring-boot-%<span style="color:#f92672">{</span>version<span style="color:#f92672">}</span>.jar </span></span><span style="display:flex;"><span>Source1: %<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>.service </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Requires: shadow-utils,bash </span></span><span style="display:flex;"><span>BuildRequires: systemd </span></span><span style="display:flex;"><span>%<span style="color:#f92672">{</span>?systemd_requires<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BuildArch: noarch </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%description </span></span><span style="display:flex;"><span>%<span style="color:#f92672">{</span>summary<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># disable debuginfo, which is useless on binary-only packages</span> </span></span><span style="display:flex;"><span>%define debug_package %<span style="color:#f92672">{</span>nil<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># do not repack jar files</span> </span></span><span style="display:flex;"><span>%define __jar_repack %<span style="color:#f92672">{</span>nil<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### PREPARATION SECTION #####</span> </span></span><span style="display:flex;"><span>%prep </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># empty section</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### BUILD SECTION #####</span> </span></span><span style="display:flex;"><span>%build </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># empty section</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### PREINSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%pre </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create Spring Starter service group</span> </span></span><span style="display:flex;"><span>getent group spring-starter &gt;/dev/null <span style="color:#f92672">||</span> groupadd -f -g <span style="color:#ae81ff">30000</span> -r spring-starter </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create Spring Starter service user</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> ! getent passwd spring-starter &gt;/dev/null ; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ! getent passwd <span style="color:#ae81ff">30000</span> &gt;/dev/null ; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> useradd -r -u <span style="color:#ae81ff">30000</span> -g spring-starter -d /home/spring-starter -s /sbin/nologin -c <span style="color:#e6db74">&#34;Spring Starter service account&#34;</span> spring-starter </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> useradd -r -g spring-starter -d /home/spring-starter -s /sbin/nologin -c <span style="color:#e6db74">&#34;Spring Starter service account&#34;</span> spring-starter </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span>exit <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### INSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%install </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app_dir<span style="color:#f92672">=</span>%<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/usr/local/spring-starter </span></span><span style="display:flex;"><span>data_dir<span style="color:#f92672">=</span>%<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/var/opt/spring-starter </span></span><span style="display:flex;"><span>service_dir<span style="color:#f92672">=</span>%<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/%<span style="color:#f92672">{</span>_unitdir<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># cleanup build root</span> </span></span><span style="display:flex;"><span>rm -rf %<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span>mkdir -p %<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create app folder</span> </span></span><span style="display:flex;"><span>mkdir -p $app_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create data folder</span> </span></span><span style="display:flex;"><span>mkdir -p $data_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create service folder</span> </span></span><span style="display:flex;"><span>mkdir -p $service_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># copy all files</span> </span></span><span style="display:flex;"><span>cp %<span style="color:#f92672">{</span>SOURCE0<span style="color:#f92672">}</span> $app_dir/gs-spring-boot.jar </span></span><span style="display:flex;"><span>cp %<span style="color:#f92672">{</span>SOURCE1<span style="color:#f92672">}</span> $service_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### FILES SECTION #####</span> </span></span><span style="display:flex;"><span>%files </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># define default file attributes</span> </span></span><span style="display:flex;"><span>%defattr<span style="color:#f92672">(</span>-,spring-starter,spring-starter,-<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># list of directories that are packaged</span> </span></span><span style="display:flex;"><span>%dir /usr/local/spring-starter </span></span><span style="display:flex;"><span>%dir %attr<span style="color:#f92672">(</span>660, -, -<span style="color:#f92672">)</span> /var/opt/spring-starter </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># list of files that are packaged</span> </span></span><span style="display:flex;"><span>/usr/local/spring-starter/gs-spring-boot.jar </span></span><span style="display:flex;"><span>/usr/lib/systemd/system/%<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>.service </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### POST INSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%post </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ensure Spring Starter service is enabled and running</span> </span></span><span style="display:flex;"><span>%systemd_post %<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>.service </span></span><span style="display:flex;"><span>%<span style="color:#f92672">{</span>_bindir<span style="color:#f92672">}</span>/systemctl enable %<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>.service </span></span><span style="display:flex;"><span>%<span style="color:#f92672">{</span>_bindir<span style="color:#f92672">}</span>/systemctl start %<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>.service </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### UNINSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%preun </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ensure Spring Starter service is disabled and stopped</span> </span></span><span style="display:flex;"><span>%systemd_preun %<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>.service </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%postun </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">case</span> <span style="color:#e6db74">&#34;</span>$1<span style="color:#e6db74">&#34;</span> in </span></span><span style="display:flex;"><span> 0<span style="color:#f92672">)</span> <span style="color:#75715e"># This is a package remove</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># remove app and data folders</span> </span></span><span style="display:flex;"><span> rm -rf /usr/local/spring-starter </span></span><span style="display:flex;"><span> rm -rf /var/opt/spring-starter </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># remove Spring Starter service user and group</span> </span></span><span style="display:flex;"><span> userdel spring-starter </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span> 1<span style="color:#f92672">)</span> <span style="color:#75715e"># This is a package upgrade</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># do nothing</span> </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">esac</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ensure Spring Starter service restartet if an upgrade is performed</span> </span></span><span style="display:flex;"><span>%systemd_postun_with_restart %<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>.service </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### CHANGELOG SECTION #####</span> </span></span><span style="display:flex;"><span>%changelog </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>* Wed Mar <span style="color:#ae81ff">20</span> <span style="color:#ae81ff">2019</span> Janik vonRotz &lt;contact@janikvonrotz.ch&gt; - 0.1.0-0 </span></span><span style="display:flex;"><span>- First spring-starter package </span></span></code></pre></div><p>I wont go into details about the spec as I already did that in my last post. Not much has changed. However, one thing worth to mention is the <code>%define __jar_repack %{nil}</code> definition. This options disables the compression for <code>.jar</code> files. If the jar file is compressed it becomes inexecutable.</p> <p>Further, as you might have noticed there are systemd macros, which ensure the service is configured properly. In the post install section two additional commands have been added to enable and start the service. This was done because t the systemd macros do not enable or start service by default.</p> <h1 id="build">Build</h1> <p>Build the rpm.</p> <p><code>rpmbuild -ba SPECS/spring-starter.spec</code></p> <p>Lint the rpm.</p> <p><code>rpmlint RPMS/noarch/spring-starter-0.1.0-0.noarch.rpm</code></p> <p>Rpmlint is very verbose, most warnings can be ignored.</p> <p>Install the rpm.</p> <p><code>sudo yum install RPMS/noarch/spring-starter-0.1.0-0.noarch.rpm -y</code></p> <p>Check if the spring starter service is running.</p> <p><code>systemctl status spring-starter</code></p> <p>And have a look at the interface.</p> <p><code>http GET localhost:8080</code></p> <p>If the service responds you have accomplished the tutorial.</p> <p>Uninstall the rpm.</p> <p><code>sudo yum remove spring-starter -y</code></p> <p>And thats it.</p> <p>As usual feel free to ask any question in the comments.</p> <p>See ya 😄</p> <h1 id="helpers">Helpers</h1> <p>Output rpm scriptlets.<br> <code>rpm -E %{_unitdir}</code></p> <h1 id="sources">Sources</h1> <p>Sources that I used to build this tutorial.</p> <p><a href="https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd">Fedora Packaging Guidelines - Systemd</a></p> <p><a href="https://fedoraproject.org/wiki/Packaging:Systemd">Fedora Wiki - Packaging Systemd</a></p> <p><a href="https://github.com/systemd/systemd/blob/master/src/core/macros.systemd.in">Github - Systemd Macros Source</a></p> <p><a href="https://www.golinuxhub.com/2018/05/how-to-execute-script-at-pre-post-preun-postun-spec-file-rpm.html">Golinuxhub - How to execute a script at %pre, %post, %preun or %postun stage (spec file) while installing/upgrading an rpm</a></p> The final rpm packaging guide https://janikvonrotz.ch/2019/03/20/the-final-rpm-packaging-guide/ Wed, 20 Mar 2019 14:22:16 +0100 https://janikvonrotz.ch/2019/03/20/the-final-rpm-packaging-guide/ <p>A customer required that every component of a software project I worked for is delivered as rpm.</p> <p>This was problematic for <a href="http://activemq.apache.org/artemis/">Apache ActiveMQ Artemis</a> as there is no rpm available.</p> <p>But, the maintainer publishes a binary tarball and this is all we need to build an rpm.</p> <p>So in this post I am going to show how to build an rpm from a tarball and explain the rpm build process in detail.</p> <h1 id="introduction">Introduction</h1> <p>I highly recommend to read the <a href="https://rpm-packaging-guide.github.io/">RPM Packaging Guide</a> to get a basic understanding of the rpm build and packaging process.</p> <h1 id="requirements">Requirements</h1> <p>Lets get started by installing some dev tools.</p> <p><a href="https://httpie.org">httpie</a> - Modern alternative to wget and curl.</p> <p><code>sudo yum install httpie</code></p> <p><a href="https://rpm.org/">rpmbuild</a> - Utility to build rpms.</p> <p><code>sudo yum install rpm-build</code></p> <p><a href="https://fedoraproject.org/wiki/Rpmdevtools">rpmdev</a> - Dev utilities to build rpms.</p> <p><code>sudo yum install rpmdevtools</code></p> <p><a href="https://github.com/rpm-software-management/rpmlint">rpmlint</a> - Tool for checking common errors in rpm packages.</p> <p><code>sudo yum install rpmlint</code></p> <h1 id="test-setup">Test Setup</h1> <p>Before we setup the dev chain for the apache Artemis package, let&rsquo;s get familiar with an hello world example.</p> <p>Create a working dir wherever you would like.</p> <p><code>mkdir rpmbuild</code></p> <p>Create a symbolic to the <code>rpmbuild</code> folder from the home folder.</p> <p><code>ln -s /path/to/rpmbuild ~/rpmbuild</code></p> <p>Add default directories to build the RPM</p> <p><code>cd ~/rpmbuild; rpmdev-setuptree</code></p> <table> <thead> <tr> <th style="text-align: left">Macro Name</th> <th style="text-align: left">Name</th> <th style="text-align: left">Location</th> <th style="text-align: left">Purpose</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>%_specdir</code></td> <td style="text-align: left">Specification directory</td> <td style="text-align: left"><code>~/rpmbuild/SPECS</code></td> <td style="text-align: left">RPM specifications (<code>.spec</code>) files</td> </tr> <tr> <td style="text-align: left"><code>%_sourcedir</code></td> <td style="text-align: left">Source directory</td> <td style="text-align: left"><code>~/rpmbuild/SOURCES</code></td> <td style="text-align: left">Pristine source package (e.g. tarballs) and patches</td> </tr> <tr> <td style="text-align: left"><code>%_builddir</code></td> <td style="text-align: left">Build directory</td> <td style="text-align: left"><code>~/rpmbuild/BUILD</code></td> <td style="text-align: left">Source files are unpacked and compiled in a subdirectory underneath this.</td> </tr> <tr> <td style="text-align: left"><code>%_buildrootdir</code></td> <td style="text-align: left">Build root directory</td> <td style="text-align: left"><code>~/rpmbuild/BUILDROOT</code></td> <td style="text-align: left">Files are installed under here during the <code>%install</code> stage.</td> </tr> <tr> <td style="text-align: left"><code>%_rpmdir</code></td> <td style="text-align: left">Binary RPM directory</td> <td style="text-align: left"><code>~/rpmbuild/RPMS</code></td> <td style="text-align: left">Binary rpms are created and stored under here.</td> </tr> <tr> <td style="text-align: left"><code>%_srcrpmdir</code></td> <td style="text-align: left">Source RPM directory</td> <td style="text-align: left"><code>~/rpmbuild/SRPMS</code></td> <td style="text-align: left">Source rpms are created and stored here.</td> </tr> </tbody> </table> <p>Create spec file for the hello world example.</p> <p><code>touch ~/rpmbuild/SPECS/hello-world.spec</code></p> <p>And set the following content.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Name: hello-world </span></span><span style="display:flex;"><span>Version: <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span>Release: <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>Summary: Most simple RPM package </span></span><span style="display:flex;"><span>License: FIXME </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%description </span></span><span style="display:flex;"><span>This is my first RPM package, which does nothing. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%prep </span></span><span style="display:flex;"><span><span style="color:#75715e"># we have no source, so nothing here</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%build </span></span><span style="display:flex;"><span>cat &gt; hello-world.sh <span style="color:#e6db74">&lt;&lt;EOF </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">#!/usr/bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">echo Hello world </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%install </span></span><span style="display:flex;"><span>mkdir -p %<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/usr/bin/ </span></span><span style="display:flex;"><span>install -m <span style="color:#ae81ff">755</span> hello-world.sh %<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/usr/bin/hello-world.sh </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%files </span></span><span style="display:flex;"><span>/usr/bin/hello-world.sh </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%changelog </span></span><span style="display:flex;"><span><span style="color:#75715e"># let skip this for now</span> </span></span></code></pre></div><p>Build the hello world rpm.</p> <p><code>cd ~/rpmbuild; rpmbuild -ba SPECS/hello-world.spec</code></p> <p>Install the rpm.</p> <p><code>sudo yum install RPMS/x86_64/hello-world-1-0.x86_64.rpm -y</code></p> <p>Run hello world.</p> <p><code>hello-world.sh</code></p> <p>If the installation was successful you should see now the output: <code>hello world</code>.</p> <p>Uninstall the hello world rpm.</p> <p><code>sudo yum remove hello-world -y</code></p> <p>Now the hello world command must not be available.</p> <p>I assume that the hello world spec file is easy to understand. The install section might be misleading, but I will cover that in the next chapter.</p> <p>Lets move with the more complex case.</p> <h1 id="apache-artemis-spec-file">Apache Artemis Spec File</h1> <p>Create the spec file for the apache Artemis.</p> <p><code>touch ~/rpmbuild/SPECS/apache-artemis.spec</code></p> <p>Navigate into the sources folder.</p> <p><code>cd ~/rpmbuild/SOURCES</code></p> <p>And download the apache Artemis binary.</p> <p><code>http -d http://www.pirbot.com/mirrors/apache/activemq/activemq-artemis/2.6.4/apache-artemis-2.6.4-bin.tar.gz</code></p> <h2 id="sections">Sections</h2> <p>The spec file has been split into multiple sections. Copy and paste the snippet for every section and read the notes carefully.</p> <h3 id="header">Header</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">##### HEADER SECTION #####</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Name: apache-artemis </span></span><span style="display:flex;"><span>Version: 2.6.4 </span></span><span style="display:flex;"><span>Release: <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>Summary: Rpm package <span style="color:#66d9ef">for</span> Apache ActiveMQ Artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>License: ASL 2.0 </span></span><span style="display:flex;"><span>URL: http://activemq.apache.org/artemis/ </span></span><span style="display:flex;"><span>Source0: %<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>-%<span style="color:#f92672">{</span>version<span style="color:#f92672">}</span>-bin.tar.gz </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Requires: shadow-utils,bash </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BuildArch: noarch </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%description </span></span><span style="display:flex;"><span>%<span style="color:#f92672">{</span>summary<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># disable debuginfo, which is useless on binary-only packages</span> </span></span><span style="display:flex;"><span>%define debug_package %<span style="color:#f92672">{</span>nil<span style="color:#f92672">}</span> </span></span></code></pre></div><p>In the header section metadata is defined for the build process and for the package itself.</p> <h3 id="build">Build</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">##### PREPARATION SECTION #####</span> </span></span><span style="display:flex;"><span>%prep </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># unpack tarball</span> </span></span><span style="display:flex;"><span>%setup -q </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### BUILD SECTION #####</span> </span></span><span style="display:flex;"><span>%build </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># empty section</span> </span></span></code></pre></div><p>We use a tarball source, so no build step apart from unpacking the file is required. The <code>%setup</code> is a macro that extracts the tarball.</p> <h3 id="install">Install</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">##### PREINSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%pre </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create Apache Artemis service group</span> </span></span><span style="display:flex;"><span>getent group artemis &gt;/dev/null <span style="color:#f92672">||</span> groupadd -f -g <span style="color:#ae81ff">30101</span> -r artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create Apache Artemis service user</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> ! getent passwd artemis &gt;/dev/null ; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ! getent passwd <span style="color:#ae81ff">30101</span> &gt;/dev/null ; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> useradd -r -u <span style="color:#ae81ff">30101</span> -g artemis -d /home/artemis -s /sbin/nologin -c <span style="color:#e6db74">&#34;Apache Artemis service account&#34;</span> artemis </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> useradd -r -g artemis -d /home/artemis -s /sbin/nologin -c <span style="color:#e6db74">&#34;Apache Artemis service account&#34;</span> artemis </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span>exit <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### INSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%install </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app_dir<span style="color:#f92672">=</span>%<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/opt/app/artemis </span></span><span style="display:flex;"><span>data_dir<span style="color:#f92672">=</span>%<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/opt/data/artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># cleanup build root</span> </span></span><span style="display:flex;"><span>rm -rf %<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span>mkdir -p %<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create app folder</span> </span></span><span style="display:flex;"><span>mkdir -p $app_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create data folder</span> </span></span><span style="display:flex;"><span>mkdir -p $data_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># copy all files</span> </span></span><span style="display:flex;"><span>cp LICENSE $app_dir </span></span><span style="display:flex;"><span>cp README.html $app_dir </span></span><span style="display:flex;"><span>cp -R bin $app_dir </span></span><span style="display:flex;"><span>cp -R lib $app_dir </span></span><span style="display:flex;"><span>cp -R schema $app_dir </span></span><span style="display:flex;"><span>cp -R web $app_dir </span></span></code></pre></div><p>Here we create the Artemis service user and group and copy selected files from the build to buildroot folder.</p> <p>The <code>%install</code> section of an rpm spec file is not run on rpm package installation.</p> <p>The <code>%install</code> section is run during package creation to install the files that need to be packaged such that the rpmbuild process can package them up.</p> <h3 id="file">File</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">##### FILES SECTION #####</span> </span></span><span style="display:flex;"><span>%files </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># define default file attributes</span> </span></span><span style="display:flex;"><span>%defattr<span style="color:#f92672">(</span>-,artemis,artemis,-<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># list of directories that are packaged</span> </span></span><span style="display:flex;"><span>%dir /opt/app/artemis </span></span><span style="display:flex;"><span>/opt/app/artemis/bin/* </span></span><span style="display:flex;"><span>/opt/app/artemis/lib/* </span></span><span style="display:flex;"><span>/opt/app/artemis/schema/* </span></span><span style="display:flex;"><span>/opt/app/artemis/web/* </span></span><span style="display:flex;"><span>%dir %attr<span style="color:#f92672">(</span>660, -, -<span style="color:#f92672">)</span> /opt/data/artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># list of files that are packaged</span> </span></span><span style="display:flex;"><span>%doc /opt/app/artemis/README.html </span></span><span style="display:flex;"><span>%license /opt/app/artemis/LICENSE </span></span></code></pre></div><p>The <code>%files</code> section lists all the files and directories that the package contains. The uninstallation process for an rpm is simply the removal of all the packaged files.</p> <h3 id="uninstall">Uninstall</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">##### UNINSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%postun </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">case</span> <span style="color:#e6db74">&#34;</span>$1<span style="color:#e6db74">&#34;</span> in </span></span><span style="display:flex;"><span> 0<span style="color:#f92672">)</span> <span style="color:#75715e"># This is a package remove</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># remove app and data folders</span> </span></span><span style="display:flex;"><span> rm -rf /opt/app/artemis </span></span><span style="display:flex;"><span> rm -rf /opt/data/artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># remove Apache Artemis service user and group</span> </span></span><span style="display:flex;"><span> userdel artemis </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span> 1<span style="color:#f92672">)</span> <span style="color:#75715e"># This is a package upgrade</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># do nothing</span> </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">esac</span> </span></span></code></pre></div><p>If additional work needs to be done before or after the files are removed the <code>%preun</code> and <code>%postun</code> scriptlets are available in the spec file for that work.</p> <h3 id="changelog">Changelog</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">##### CHANGELOG SECTION #####</span> </span></span><span style="display:flex;"><span>%changelog </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>* Wed Mar <span style="color:#ae81ff">20</span> <span style="color:#ae81ff">2019</span> Janik vonRotz &lt;contact@janikvonrotz.ch&gt; - 2.6.4-0 </span></span><span style="display:flex;"><span>- Init apache-artemis package </span></span></code></pre></div><p>Every time you make change, that is, whenever version or release of the package is incremented, add a comment to the changelog section</p> <h2 id="full-spec-file">Full Spec File</h2> <p>The final spec file should look like this.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">##### HEADER SECTION #####</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Name: apache-artemis </span></span><span style="display:flex;"><span>Version: 2.6.4 </span></span><span style="display:flex;"><span>Release: <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>Summary: Rpm package <span style="color:#66d9ef">for</span> Apache ActiveMQ Artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>License: ASL 2.0 </span></span><span style="display:flex;"><span>URL: http://activemq.apache.org/artemis/ </span></span><span style="display:flex;"><span>Source0: %<span style="color:#f92672">{</span>name<span style="color:#f92672">}</span>-%<span style="color:#f92672">{</span>version<span style="color:#f92672">}</span>-bin.tar.gz </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Requires: shadow-utils,bash </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BuildArch: x86_64 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>%description </span></span><span style="display:flex;"><span>%<span style="color:#f92672">{</span>summary<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># disable debuginfo, which is useless on binary-only packages</span> </span></span><span style="display:flex;"><span>%define debug_package %<span style="color:#f92672">{</span>nil<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### PREPARATION SECTION #####</span> </span></span><span style="display:flex;"><span>%prep </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># unpack tarball</span> </span></span><span style="display:flex;"><span>%setup -q </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### BUILD SECTION #####</span> </span></span><span style="display:flex;"><span>%build </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># empty section</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### PREINSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%pre </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create Apache Artemis service group</span> </span></span><span style="display:flex;"><span>getent group artemis &gt;/dev/null <span style="color:#f92672">||</span> groupadd -f -g <span style="color:#ae81ff">30101</span> -r artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create Apache Artemis service user</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> ! getent passwd artemis &gt;/dev/null ; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ! getent passwd <span style="color:#ae81ff">30101</span> &gt;/dev/null ; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> useradd -r -u <span style="color:#ae81ff">30101</span> -g artemis -d /home/artemis -s /sbin/nologin -c <span style="color:#e6db74">&#34;Apache Artemis service account&#34;</span> artemis </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span> </span></span><span style="display:flex;"><span> useradd -r -g artemis -d /home/artemis -s /sbin/nologin -c <span style="color:#e6db74">&#34;Apache Artemis service account&#34;</span> artemis </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span>exit <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### INSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%install </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app_dir<span style="color:#f92672">=</span>%<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/opt/app/artemis </span></span><span style="display:flex;"><span>data_dir<span style="color:#f92672">=</span>%<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span>/opt/data/artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># cleanup build root</span> </span></span><span style="display:flex;"><span>rm -rf %<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span>mkdir -p %<span style="color:#f92672">{</span>buildroot<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create app folder</span> </span></span><span style="display:flex;"><span>mkdir -p $app_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create data folder</span> </span></span><span style="display:flex;"><span>mkdir -p $data_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># copy all files</span> </span></span><span style="display:flex;"><span>cp LICENSE $app_dir </span></span><span style="display:flex;"><span>cp README.html $app_dir </span></span><span style="display:flex;"><span>cp -R bin $app_dir </span></span><span style="display:flex;"><span>cp -R lib $app_dir </span></span><span style="display:flex;"><span>cp -R schema $app_dir </span></span><span style="display:flex;"><span>cp -R web $app_dir </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### FILES SECTION #####</span> </span></span><span style="display:flex;"><span>%files </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># define default file attributes</span> </span></span><span style="display:flex;"><span>%defattr<span style="color:#f92672">(</span>-,artemis,artemis,-<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># list of directories that are packaged</span> </span></span><span style="display:flex;"><span>%dir /opt/app/artemis </span></span><span style="display:flex;"><span>/opt/app/artemis/bin/* </span></span><span style="display:flex;"><span>/opt/app/artemis/lib/* </span></span><span style="display:flex;"><span>/opt/app/artemis/schema/* </span></span><span style="display:flex;"><span>/opt/app/artemis/web/* </span></span><span style="display:flex;"><span>%dir %attr<span style="color:#f92672">(</span>660, -, -<span style="color:#f92672">)</span> /opt/data/artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># list of files that are packaged</span> </span></span><span style="display:flex;"><span>%doc /opt/app/artemis/README.html </span></span><span style="display:flex;"><span>%license /opt/app/artemis/LICENSE </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### UNINSTALL SECTION #####</span> </span></span><span style="display:flex;"><span>%postun </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">case</span> <span style="color:#e6db74">&#34;</span>$1<span style="color:#e6db74">&#34;</span> in </span></span><span style="display:flex;"><span> 0<span style="color:#f92672">)</span> <span style="color:#75715e"># This is a package remove</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># remove app and data folders</span> </span></span><span style="display:flex;"><span> rm -rf /opt/app/artemis </span></span><span style="display:flex;"><span> rm -rf /opt/data/artemis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># remove Apache Artemis service user and group</span> </span></span><span style="display:flex;"><span> userdel artemis </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span> 1<span style="color:#f92672">)</span> <span style="color:#75715e"># This is a package upgrade</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># do nothing</span> </span></span><span style="display:flex;"><span> ;; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">esac</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##### CHANGELOG SECTION #####</span> </span></span><span style="display:flex;"><span>%changelog </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>* Wed Mar <span style="color:#ae81ff">20</span> <span style="color:#ae81ff">2019</span> Janik vonRotz &lt;contact@janikvonrotz.ch&gt; - 2.6.4-0 </span></span><span style="display:flex;"><span>- Init apache-artemis package </span></span></code></pre></div><h1 id="installation">Installation</h1> <p>Navigate to the rpm build directory</p> <p><code>cd ~/rpmbuild</code></p> <p>Build the rpm.</p> <p><code>rpmbuild -ba SPECS/apache-artemis.spec</code></p> <p>Lint the rpm.</p> <p><code>rpmlint RPMS/x86_64/apache-artemis-2.6.4-0.x86_64.rpm </code></p> <p>There will be thousands of error and warnings. Ignore them for now.</p> <p>Install the rpm.</p> <p><code>sudo yum install RPMS/x86_64/apache-artemis-2.6.4-0.May.rpm -y</code></p> <p>Create a broker instance.</p> <p><code>sudo /opt/app/artemis/bin/artemis create broker /opt/data/artemis/broker --user artemis --password artemis --require-login</code></p> <p>Start the Artemis instance.</p> <p><code>sudo &quot;/opt/data/artemis/broker/bin/artemis-service&quot; start</code></p> <p>Open the browser to <a href="localhost:8161/console">localhost:8161/console</a> and check if you can login with <code>artemis:artemis</code>.</p> <p>If everything worked you can stop the service.</p> <p><code>sudo &quot;/opt/data/artemis/broker/bin/artemis-service&quot; stop</code></p> <p>And check if there is really no Artemis service running.</p> <p><code>ps aux | grep artemis</code></p> <p>Finally remove the package.</p> <p><code>sudo yum remove apache-artemis -y</code></p> <h1 id="disclaimer">Disclaimer</h1> <p>Apache Artemis has been installed to <code>/opt/app/artemis</code> and the instance has been created in <code>/opt/data/artemis</code>. Note that this is not best practice. The <a href="http://www.pathname.com/fhs/">Filesystem Hierarchy Standard</a> tells where to put what.</p> <h1 id="conclusion">Conclusion</h1> <p>That&rsquo;s it! Lets recap what we just learned.</p> <ul> <li>First we created the rpmbuild folder structure</li> <li>Then created an example spec file for an hello world script</li> <li>Next we prepared the assets for the Apache Artemis package</li> <li>We defined the spec file for the rpm</li> <li>Following-up we installed the rpm</li> <li>Then created, started, tested and killed an Artemis instance</li> <li>Finally we uninstalled the Apache Artemis package</li> </ul> <p>This is also resembles the life cycle of an rpm service.</p> <p>As usual if you have any questions, concerns or inputs feel free to make a comment.</p> <h1 id="edits">Edits</h1> <h2 id="edit-1-upgrade">Edit 1: Upgrade</h2> <p>I also investigated the behavior in an upgrade scenario.</p> <p>Assuming the following points apply:</p> <ul> <li>Release or version is incremented</li> <li>A file e.g. README.html has been removed</li> <li>An rpm is already installed</li> <li>Yum does an rpm install</li> </ul> <p>The results are as followed:</p> <ul> <li>Yum detects the upgrade</li> <li>The README file is removed</li> </ul> <p>It behaves as expected.</p> <h2 id="edit-2-gradle-project">Edit 2: Gradle Project</h2> <p>I have created a gradle project to facilitate the build process.</p> <p>Link: <a href="https://codeberg.org/janikvonrotz/apache-artemis-rpm">GitHub - Apache Artemis RPM</a></p> <h1 id="sources">Sources</h1> <p>Sources I relied on to build this tutorials:</p> <p><a href="https://docs.fedoraproject.org/en-US/packaging-guidelines/">Fedora Packaging Guidelines</a></p> <p><a href="https://rpm-packaging-guide.github.io/">RPM Packaging Guide</a></p> <p><a href="https://superuser.com/questions/168461/managing-service-accounts-in-an-rpm-spec">superuser - Managing service accounts in an RPM spec</a></p> <p><a href="https://blog.packagecloud.io/rpm/rpmbuild/packaging/2015/06/29/building-rpm-packages-with-rpmbuild/">packagecloud - Building RPM packages with rpmbuild</a></p> Generate PEM key- and truststores With Puppet https://janikvonrotz.ch/2019/03/07/generate-pem-key-and-truststores-with-puppet/ Thu, 07 Mar 2019 10:23:04 +0100 https://janikvonrotz.ch/2019/03/07/generate-pem-key-and-truststores-with-puppet/ <p>This post is a follow-up of <a href="https://janikvonrotz.ch/2019/01/30/generate-pkcs12-key-and-truststores-with-puppet/">Generate pkcs12 key- and truststores with Puppet</a>.<br> In this post we are going to create <a href="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM</a> key- and truststores with Puppet.</p> <p>PEM files are base64 encoded <a href="https://en.wikipedia.org/wiki/X.509">X.509</a> certificates. Enclosed between <code>-----BEGIN CERTIFICATE-----</code> and <code>-----END CERTIFICATE-----</code> multiple PEM files can be concatinated into key- and truststores. And that is exactly what we are going to do using a Puppet manifest.</p> <p>For the example use case multiple certificate files are required. Using the commands from the <a href="https://janikvonrotz.ch/2019/01/21/create-a-certificate-authority-ca-and-sign-server-certificates-without-prompting-using-openssl/">Create a certificate authority and sign server certificates without prompting using openssl</a> post the following files must be provided:</p> <ul> <li>localhost_cert.pem</li> <li>localhost_key.pem</li> <li>example.com_cert.pem</li> <li>ca_cert.pem</li> </ul> <p>The certificates will be concatinated into the following stores:</p> <ul> <li>webservice-keystore.pem <ul> <li>localhost - private key entry</li> </ul> </li> <li>webservice-truststore.pem <ul> <li>ca - trusted cert entry</li> </ul> </li> <li>custom-truststore.pem <ul> <li>example.com - trusted cert entry</li> <li>ca - trusted cert entry</li> </ul> </li> </ul> <p>All the files are processed in <code>/var/tmp/certificates</code>.</p> <p>The manifest file is defined as followed:</p> <p><strong>modules/certbox/manifests/init.pp</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> certbox ( </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $host <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;localhost&#39;</span>, </span></span><span style="display:flex;"><span> String $cert_dir <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;/var/tmp/certificates&#39;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $server_ca_cert <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/ca_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $server_cn <span style="color:#f92672">=</span> $host, </span></span><span style="display:flex;"><span> String $server_cert <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/${host}_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $server_key <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/${host}_key.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $server_key_pass <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;password&#39;</span>, </span></span><span style="display:flex;"><span> String $server_keystore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/webservice-keystore.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $server_truststore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/webservice-truststore.pem&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Array $custom_trust_entries <span style="color:#f92672">=</span> <span style="color:#f92672">[</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> cn <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;example.com&#39;</span>, </span></span><span style="display:flex;"><span> cert <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;example.com_cert.pem&#39;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> cn <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;ca&#39;</span>, </span></span><span style="display:flex;"><span> cert <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;ca_cert.pem&#39;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> String $custom_truststore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/custom-truststore.pem&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $owner <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;root&#39;</span>, </span></span><span style="display:flex;"><span> String $group <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;root&#39;</span>, </span></span><span style="display:flex;"><span> String $file_read_mode <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;a=,ug+r&#39;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># component-wide defaulting of the exec path attribute</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">Exec</span> { </span></span><span style="display:flex;"><span> path <span style="color:#f92672">=&gt;</span> <span style="color:#f92672">[</span><span style="color:#e6db74">&#39;/usr/bin&#39;</span>, <span style="color:#e6db74">&#39;/bin&#39;</span><span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create copy of sever cert, if file state changes notify keystore assemble task</span> </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;${server_cert}.tmp&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> source <span style="color:#f92672">=&gt;</span> $server_cert, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server keystore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># check if keystore file does not exist and notify creation task</span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - check if server keystore exists&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;test ! -f $server_keystore&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;echo &#34;File does not exist.&#34;&#39;</span>, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server keystore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create server keystore if temporary file state changed</span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - create server keystore&#34;</span>: </span></span><span style="display:flex;"><span> refreshonly <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;cat ${server_cert} &gt; ${server_keystore}; cat ${server_key} &gt;&gt; ${server_keystore}&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ensure server keystore file permissions</span> </span></span><span style="display:flex;"><span> file { $server_keystore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;${server_ca_cert}.tmp&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> source <span style="color:#f92672">=&gt;</span> $server_ca_cert, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - check if server truststore exists&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;test ! -f $server_truststore&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;echo &#34;File does not exist.&#34;&#39;</span>, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - create server truststore&#34;</span>: </span></span><span style="display:flex;"><span> refreshonly <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;cat ${server_ca_cert} &gt; ${server_truststore}&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { $server_truststore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create copy for each ca truststore entry</span> </span></span><span style="display:flex;"><span> $custom_trust_entries<span style="color:#f92672">.</span>each <span style="color:#f92672">|</span> Integer $index, <span style="color:#66d9ef">Hash</span> $entry <span style="color:#f92672">|</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;${cert_dir}/${entry[&#39;cert&#39;]}.ca_trust.icam.tmp&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> source <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;${cert_dir}/${entry[&#39;cert&#39;]}&#34;</span>, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#f92672">[</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - cleanup ca truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - add pem ${entry[&#39;cn&#39;]} to ca truststore&#34;</span><span style="color:#f92672">]]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - check if ca truststore for ${entry[&#39;cn&#39;]} exists&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;test ! -f $custom_truststore&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;echo &#34;File does not exist.&#34;&#39;</span>, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - add pem ${entry[&#39;cn&#39;]} to ca truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># reset ca truststore if temporary entry file state changed</span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - cleanup ca truststore&#34;</span>: </span></span><span style="display:flex;"><span> refreshonly <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;echo &gt; ${custom_truststore}&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># add ca truststore entry if temporary entry file state changed</span> </span></span><span style="display:flex;"><span> $custom_trust_entries<span style="color:#f92672">.</span>each <span style="color:#f92672">|</span> Integer $index, <span style="color:#66d9ef">Hash</span> $entry <span style="color:#f92672">|</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - add pem ${entry[&#39;cn&#39;]} to ca truststore&#34;</span>: </span></span><span style="display:flex;"><span> refreshonly <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;echo &gt;&gt; ${custom_truststore};cat ${cert_dir}/${entry[&#39;cert&#39;]} &gt;&gt; ${custom_truststore}&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { $custom_truststore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>This manifest checks if the source PEM files have changed or the target stores does not exist. If one of these cases apply the manifests creates the key- or truststore. Finally, it sets the file mode and ownership.</p> <p>To apply the manifest with Puppet run the following command:</p> <p><code>sudo puppet apply --modulepath=modules/ -e &quot;include certbox&quot;</code></p> <p>To verify if the files have been assembled correctly use this keytool commands:</p> <p><code>sudo keytool -printcert -file /var/tmp/certificates/custom-truststore.pem</code></p> <p>Let me know if this post helped you to resolve a particular use case.</p> Generate pkcs12 key- and truststores with Puppet https://janikvonrotz.ch/2019/01/30/generate-pkcs12-key-and-truststores-with-puppet/ Wed, 30 Jan 2019 11:16:52 +0100 https://janikvonrotz.ch/2019/01/30/generate-pkcs12-key-and-truststores-with-puppet/ <p>In <a href="https://janikvonrotz.ch/2019/01/22/create-pkcs12-key-and-truststore-with-keytool-and-openssl/">my last post</a> I have showed how to generate pkcs12 key- and truststores using openssl and keytool.</p> <p>For this post we assume that we want to automate the store assembling with Puppet. <a href="https://puppet.com/">Puppet</a> is a configuration management tool that shares many ideas with <a href="https://www.ansible.com/">Ansible</a>. In the world of Puppet you define a <a href="https://puppet.com/docs/puppet/5.5/lang_summary.html#files">manifest file</a> that describes a state of how a file, service or any type of resource should look like. Puppet applies these manifests and makes sure that the targeted system reaches the defined state.</p> <p>Using Puppets <a href="https://puppet.com/docs/puppet/5.3/types/exec.html">exec resource</a> we are going to define key- and truststores using openssl and keytool.</p> <p>Our manifest assure that the stores are assembled as defined. Puppet will be able to detect deltas and act accordingly.</p> <p>For our use-case we assume we have generate multiple certificates under <code>/var/tmp/certificates</code>:</p> <ul> <li>localhost_cert.pem</li> <li>localhost_key.pem</li> <li>example.com_cert.pem</li> <li>example.com_key.pem</li> <li>ca_cert.pem</li> </ul> <p>Our fictive webservice requires a key- and truststore containing the provided certificates and keys:</p> <ul> <li>webservice-keystore.pkcs12 <ul> <li>ca - trusted cert entry</li> <li>localhost - private key entry</li> <li>example.com - private key entry</li> </ul> </li> <li>webservice-truststore.pkcs12 <ul> <li>ca - trusted cert entry</li> </ul> </li> </ul> <p>Puppet is installed on our system and we are ready to declare and apply our manifest file.</p> <p>Our Puppet module will be called <em>certbox</em>. Modules must follow a strict naming and folder structure.</p> <p>Below is a copy-and-paste definition for our Puppet module. Create the manifest file and folders as showed.</p> <p><strong>modules/certbox/manifests/init.pp</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> certbox ( </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $certDir <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;/var/tmp/certificates&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $caCert <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/ca_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $cn1 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;localhost&#34;</span>, </span></span><span style="display:flex;"><span> String $cert1 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/${cn1}_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $key1 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/${cn1}_key.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $keyPassword1 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;password&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $cn2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;example.com&#34;</span>, </span></span><span style="display:flex;"><span> String $tmpKeystore2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/$cn2.pkcs12&#34;</span>, </span></span><span style="display:flex;"><span> String $cert2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/${cn2}_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $key2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/${cn2}_key.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $keyPassword2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;password&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $keystore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/webservice-keystore.pkcs12&#34;</span>, </span></span><span style="display:flex;"><span> String $truststore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/webservice-truststore.pkcs12&#34;</span>, </span></span><span style="display:flex;"><span> String $keystorePassword <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;password&#34;</span>, </span></span><span style="display:flex;"><span> String $truststorePassword <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;password&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $owner <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;root&#34;</span>, </span></span><span style="display:flex;"><span> String $group <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;root&#34;</span>, </span></span><span style="display:flex;"><span> String $fileReadMode <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;a=,ug+r&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;remove keystore for $cn1 if password changed or is empty&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -storetype PKCS12 -keystore $keystore -storepass $keystorePass | grep &#39;password was incorrect</span><span style="color:#ae81ff">\\</span><span style="color:#e6db74">|file exists, but is empty&#39;&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/rm $keystore1&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;create pkcs12 keystore for $cn1&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -keystore $keystore -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert1 | cut -f2 -d </span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">=</span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">);test $? -eq 1&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/openssl pkcs12 -export -in $cert1 -inkey $key1 -passin pass:$keyPassword1 -certfile $caCert -out $keystore -passout pass:$keystorePassword -name $cn1&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;remove keystore for $cn2 if password changed or is empty&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -storetype PKCS12 -keystore $tmpKeystore2 -storepass $keystorePass | grep &#39;password was incorrect</span><span style="color:#ae81ff">\\</span><span style="color:#e6db74">|file exists, but is empty&#39;&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/rm $tmpKeystore2&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;create pkcs12 keystore for $cn2&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -keystore $tmpKeystore2 -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert2 | cut -f2 -d </span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">=</span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">);test $? -eq 1&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/openssl pkcs12 -in $cert2 -inkey $key2 -passin pass:$keyPassword2 -export -out $tmpKeystore2 -passout pass:$keystorePassword -name $cn2&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;merge $cn2 into $cn1 keystore&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -keystore $keystore -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert2 | cut -f2 -d </span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">=</span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">);test $? -eq 1&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -importkeystore -storetype PKCS12 -destkeystore $keystore -deststorepass $keystorePassword -destkeypass $keystorePassword \ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> -srckeystore $tmpKeystore2 -srcstoretype PKCS12 -srcstorepass $keystorePassword -alias $cn2 -noprompt&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { $keystore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $fileReadMode, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;remove truststore for $cn1 if password changed&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -storetype PKCS12 -keystore $truststore -storepass $truststorePass | grep &#39;password was incorrect&#39;&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/rm $truststore&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;create pkcs12 truststore&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -keystore $truststore -storepass $truststorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $caCert | cut -f2 -d </span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">=</span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">);test $? -eq 1&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -importcert -storetype PKCS12 -keystore $truststore -storepass $truststorePassword -alias ca -file $caCert -noprompt&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { $truststore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $fileReadMode, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p><strong>Edit 1:</strong> Compare sha1 of cert to assert if import should be executed.<br> <strong>Edit 2:</strong> On create keystore check not if store file already exist, but check if cert in keystore matches the sha1. The check should also act as expected if file does not exist.<br> <strong>Edit 3:</strong> Remove the create empty truststore task. If the truststore file does not exist, the keytool import command will create the file.<br> <strong>Edit 4:</strong> Added exec task that remove the store file if the password has changed.</p> <p>The manifest is kept fairly simple. However, you might ask why we have to merge our second certificate from a pkcs12 store. The answer is a bit more complicated. The openssl and keytool utilities help generating and managing key material. They provide similar tasks, but differ heavy in specific features. Here are the most important differences:</p> <ul> <li>Openssl cannot manipulate existing pkcs12 stores.</li> <li>Openssl cannot create pkcs12 with multiple certificates and keys.</li> <li>Keytool cannot import certificates and keys into an existing pkcs12 store, however, it can import a pkcs12 store into an existing one.</li> <li>Keytool cannot create pkcs12 stores from a certificate and key.</li> </ul> <p>Hope this helps to understand the design decisions made here much better.</p> <p>To apply the manifest with Puppet run the following command:</p> <p><code>sudo puppet apply --modulepath=modules/ -e &quot;include certbox&quot;</code></p> <p>At this point Puppet should create the key- and truststores.</p> <p>If you ended up with an error or faced some other issues let me know!</p> Puppet masterless project setup guide https://janikvonrotz.ch/2018/12/08/puppet-masterless-project-setup-guide/ Sat, 08 Dec 2018 09:25:50 +0100 https://janikvonrotz.ch/2018/12/08/puppet-masterless-project-setup-guide/ <p>This document is a proposal for a Puppet project setup. It covers the setup of masterless Puppet module and provides a layout for a proper project structure. It will give you an example for a nginx module that can be deployed locally and remote. Further the roles and profiles concept will be applied and coupled with the hiera configuration data.</p> <h1 id="requirements">Requirements</h1> <p>Walking through this guide requires specific abilities and tools:</p> <ul> <li>Basic Puppet knowledge</li> <li>Working in a unix environment</li> <li>Access to a git repository</li> </ul> <p>Also prepare the following values:</p> <pre><code>_PROJECT_NAME_: Name of the git repo _GIT_REPO_URL_: Git repo url for pushing the project </code></pre> <p>And export them:</p> <pre tabindex="0"><code>export _PROJECT_NAME_=&#34;value&#34; export _GIT_REPO_URL_=&#34;value&#34; </code></pre><h1 id="project-setup">Project Setup</h1> <p>Install Puppet and Git on your development machine.</p> <p><code>yum install puppet git -y</code></p> <p><em>Make sure at least Puppet version 5 has been installed</em></p> <p><strong>Optional:</strong></p> <p>Create a git repository and push an initial commit.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir ~/$_PROJECT_NAME_ </span></span><span style="display:flex;"><span>git init </span></span><span style="display:flex;"><span>touch README.md </span></span><span style="display:flex;"><span>git add . </span></span><span style="display:flex;"><span>git commit -m <span style="color:#e6db74">&#34;init&#34;</span> </span></span><span style="display:flex;"><span>git remote add origin $_GIT_REPO_URL_ </span></span><span style="display:flex;"><span>git push -u origin master </span></span></code></pre></div><h1 id="initial-puppet-module">Initial Puppet Module</h1> <p>Next we are going to create a folder and file structure for a dummy module.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/$_PROJECT_NAME_ </span></span><span style="display:flex;"><span>mkdir -p ./modules/foo/files/ </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;hello world&#34;</span> &gt; ./modules/foo/files/hello </span></span><span style="display:flex;"><span>mkdir -p ./modules/foo/manifests/ </span></span><span style="display:flex;"><span>touch ./modules/foo/manifests/init.pp </span></span><span style="display:flex;"><span>mkdir ./manifests/ </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;include foo&#34;</span> &gt; ./manifests/site.pp </span></span></code></pre></div><p>Add the following definitions to the <code>init.pp</code> file</p> <p><strong>init.pp</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> foo { </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;/tmp/hello&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> source <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;puppet:///modules/foo/hello&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>We added a Puppet module named <em>foo</em> that creates a file and is included in our <code>site.pp</code>.</p> <p>The Puppet code can be executed with the following command:</p> <p><code>puppet apply --modulepath modules manifests/site.pp</code></p> <p>You should find a file <code>/tmp/hello</code> with content <code>hello world</code>.</p> <p>If everything worked, we are ready to extend the project structure.</p> <h1 id="hiera-files">Hiera Files</h1> <p>Based on facts (Puppet environment variables) we assign to a node (host) our Puppet setup should load specific configurations and apply them to modules. The Puppet hiera concept helps us achieving that.</p> <p>First you need to now about <em>facts</em>.</p> <p>Facts are key values that are available to Puppet by default.</p> <p>Show all available facts by running <code>facter</code>.</p> <p>Create a custom fact: <code>export FACTER_environment=&quot;dev&quot;</code></p> <p>Show the custom fact: <code>facter environment</code></p> <p>Simple isn&rsquo;t it?</p> <p>Depending on these facts and the Puppet configuration our project should load specific configuration data. The configuration data structure is organized as a hierarchy.</p> <p>Our configuration hierarchy will consist of three levels:</p> <ul> <li>common: Data loaded by default.</li> <li>environment: Data assigned to an environment.</li> <li>node: Data assigned to a host.</li> </ul> <p>Create the folder structure and files for the hierarchy.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/$_PROJECT_NAME_ </span></span><span style="display:flex;"><span>mkdir -p ./data/<span style="color:#66d9ef">$(</span>facter environment<span style="color:#66d9ef">)</span>/nodes/ </span></span><span style="display:flex;"><span>touch ./data/common.yaml </span></span><span style="display:flex;"><span>touch ./data/<span style="color:#66d9ef">$(</span>facter environment<span style="color:#66d9ef">)</span>/default.yaml </span></span><span style="display:flex;"><span>touch ./data/<span style="color:#66d9ef">$(</span>facter environment<span style="color:#66d9ef">)</span>/nodes/<span style="color:#66d9ef">$(</span>facter hostname<span style="color:#66d9ef">)</span>.yaml </span></span><span style="display:flex;"><span>touch hiera.yaml </span></span></code></pre></div><p>Update the hiera configuration file.</p> <p><strong>hiera.yaml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">version</span>: <span style="color:#ae81ff">5</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">defaults</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">data_hash</span>: <span style="color:#ae81ff">yaml_data</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">datadir</span>: <span style="color:#ae81ff">data</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">hierarchy</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;Per-node data&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">path</span>: <span style="color:#e6db74">&#34;%{facts.environment}/nodes/%{facts.hostname}.yaml&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;Per-environment defaults&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">path</span>: <span style="color:#e6db74">&#34;%{facts.environment}/default.yaml&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;Common data&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">path</span>: <span style="color:#e6db74">&#34;common.yaml&#34;</span> </span></span></code></pre></div><p>The hiera file implements the mentioned data hierarchy.</p> <p>Now we are going to set configurations for our data hierarchy.</p> <p><strong>data/common.yaml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">nginx::port</span>: <span style="color:#ae81ff">80</span> </span></span></code></pre></div><p><strong>data/dev/default.yaml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">nginx::host</span>: <span style="color:#ae81ff">default_server</span> </span></span></code></pre></div><p><strong>data/dev/nodes/_HOSTNAME_.yaml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">nginx::welcome_message</span>: <span style="color:#e6db74">&#34;hello world&#34;</span> </span></span></code></pre></div><p>This configuration data will be applied to the nginx module.</p> <h1 id="nginx-module">Nginx Module</h1> <p>Create the nginx module folders and files.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/$_PROJECT_NAME_ </span></span><span style="display:flex;"><span>mkdir -p ./modules/nginx/manifests/ </span></span><span style="display:flex;"><span>touch ./modules/nginx/manifests/init.pp </span></span><span style="display:flex;"><span>mkdir -p ./modules/nginx/templates/ </span></span><span style="display:flex;"><span>touch ./modules/nginx/templates/index.html.epp </span></span><span style="display:flex;"><span>touch ./modules/nginx/templates/nginx.conf.epp </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;include nginx&#34;</span> &gt; ./manifests/site.pp </span></span></code></pre></div><p>Add resources to the nginx module.</p> <p><strong>init.pp (nginx)</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> nginx ( </span></span><span style="display:flex;"><span> Integer $port, </span></span><span style="display:flex;"><span> String $host, </span></span><span style="display:flex;"><span> String $welcome_message, </span></span><span style="display:flex;"><span>) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> package { <span style="color:#e6db74">&#34;nginx&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> installed, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> service { <span style="color:#e6db74">&#34;nginx&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> running, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;/usr/share/nginx/html/index.html&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> present, </span></span><span style="display:flex;"><span> content <span style="color:#f92672">=&gt;</span> epp(<span style="color:#e6db74">&#34;nginx/index.html.epp&#34;</span>), </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;/etc/nginx/nginx.conf&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> present, </span></span><span style="display:flex;"><span> content <span style="color:#f92672">=&gt;</span> epp(<span style="color:#e6db74">&#34;nginx/nginx.conf.epp&#34;</span>), </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Service</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#39;nginx&#39;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Update the <code>index.html</code> template.</p> <p><strong>index.html</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-html" data-lang="html"><span style="display:flex;"><span><span style="color:#75715e">&lt;!DOCTYPE html PUBLIC &#34;-//W3C//DTD XHTML 1.1//EN&#34; &#34;http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd&#34;&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>&lt;<span style="color:#f92672">html</span> <span style="color:#a6e22e">xmlns</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#34;http://www.w3.org/1999/xhtml&#34;</span> <span style="color:#a6e22e">xml:lang</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#34;en&#34;</span>&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">head</span>&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">title</span>&gt;Test Page for the Nginx HTTP Server&lt;/<span style="color:#f92672">title</span>&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">meta</span> <span style="color:#a6e22e">http-equiv</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#34;Content-Type&#34;</span> <span style="color:#a6e22e">content</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#34;text/html; charset=UTF-8&#34;</span> /&gt; </span></span><span style="display:flex;"><span> &lt;/<span style="color:#f92672">head</span>&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">body</span>&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">h1</span>&gt;Welcome to &lt;<span style="color:#f92672">strong</span>&gt;nginx&lt;/<span style="color:#f92672">strong</span>&gt;&lt;/<span style="color:#f92672">h1</span>&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">p</span>&gt;<span style="color:#960050;background-color:#1e0010">&lt;</span>%= $nginx::welcome_message %&gt;&lt;/<span style="color:#f92672">p</span>&gt; </span></span><span style="display:flex;"><span> &lt;/<span style="color:#f92672">body</span>&gt; </span></span><span style="display:flex;"><span>&lt;/<span style="color:#f92672">html</span>&gt; </span></span></code></pre></div><p>Update the nginx conf template.</p> <p><strong>nginx.conf</strong></p> <pre tabindex="0"><code>user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main &#39;$remote_addr - $remote_user [$time_local] &#34;$request&#34; &#39; &#39;$status $body_bytes_sent &#34;$http_referer&#34; &#39; &#39;&#34;$http_user_agent&#34; &#34;$http_x_forwarded_for&#34;&#39;; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; include /etc/nginx/conf.d/*.conf; server { listen &lt;%= $nginx::port %&gt; &lt;%= $nginx::host %&gt;; listen [::]:&lt;%= $nginx::port %&gt; &lt;%= $nginx::host %&gt;; server_name _; root /usr/share/nginx/html; include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } } </code></pre><p>And finally install everything.</p> <p><code>puppet apply --modulepath modules manifests/site.pp --debug --hiera_config hiera.yaml</code></p> <p>Open your browser to <a href="http://localhost:80/">http://localhost:80/</a>.</p> <h1 id="roles-and-profiles">Roles and Profiles</h1> <p>Having multiple modules, shared resources and dependencies comes at cost of complexity. Thus Puppet came up with the roles and profiles concept.</p> <p>The <a href="https://puppet.com/docs/pe/2017.2/r_n_p_intro.html">official documentation</a> explains the key idea very well:</p> <blockquote> <p>Roles and profiles are two extra layers of indirection between your node classifier and your component modules. This separates your code into three levels:</p> <ol> <li>Component modules: Normal modules that manage one particular technology. (For example, puppetlabs/apache.)</li> <li>Profiles: Wrapper classes that use multiple component modules to configure a layered technology stack.</li> <li>Roles: Wrapper classes that use multiple profiles to build a complete system configuration.</li> </ol> </blockquote> <p>And here is a visual presentation:</p> <p>![puppet roles and profiles concept](/images/puppet roles and profiles concept.png)</p> <p>Further roles and profiles allow us to decouple Puppet modules from the hiera config.</p> <p>Create the profile and role files.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/$_PROJECT_NAME_ </span></span><span style="display:flex;"><span>mkdir -p ./modules/profile/manifests </span></span><span style="display:flex;"><span>mkdir -p ./modules/role/manifests </span></span><span style="display:flex;"><span>touch ./modules/profile/manifests/nginx.pp </span></span><span style="display:flex;"><span>touch ./modules/role/manifests/webserver.pp </span></span></code></pre></div><p>Further to make things a bit more interesting create a new module.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir -p ./modules/base/manifests </span></span><span style="display:flex;"><span>touch ./modules/base/manifests/init.pp </span></span></code></pre></div><p><strong>init.pp (base)</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> base ( </span></span><span style="display:flex;"><span> String $username, </span></span><span style="display:flex;"><span>) { </span></span><span style="display:flex;"><span> user { $username: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> present, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>The profile contains multiple modules. Update the nginx profile as followed:</p> <p><strong>nginx.pp</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> profile<span style="color:#f92672">::</span>nginx ( </span></span><span style="display:flex;"><span> Integer $port <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;80&#39;</span>, </span></span><span style="display:flex;"><span> String $host <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;default_server&#39;</span>, </span></span><span style="display:flex;"><span> String $welcome_message <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;hello world&#39;</span>, </span></span><span style="display:flex;"><span>) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">class</span> { <span style="color:#e6db74">&#34;base&#34;</span>: </span></span><span style="display:flex;"><span> username <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;dummy&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">class</span> { <span style="color:#e6db74">&#34;nginx&#34;</span>: </span></span><span style="display:flex;"><span> port <span style="color:#f92672">=&gt;</span> $port, </span></span><span style="display:flex;"><span> host <span style="color:#f92672">=&gt;</span> $host, </span></span><span style="display:flex;"><span> welcome_message <span style="color:#f92672">=&gt;</span> $welcome_message, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>The profile helps to decouple modules from the hiera config.</p> <p>A role includes multiple profiles and modules.</p> <p><strong>webserver.pp</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> role<span style="color:#f92672">::</span>webserver { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">include</span> foo </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">include</span> profile<span style="color:#f92672">::</span>nginx </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>In roles only include modules that do not need any configuration.</p> <p>Update the hiera data with profile configuration keys.</p> <p><strong>data/common.yaml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">profile::nginx::port</span>: <span style="color:#ae81ff">81</span> </span></span></code></pre></div><p><strong>data/dev/default.yaml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">profile::nginx::host</span>: <span style="color:#ae81ff">default_server</span> </span></span></code></pre></div><p><strong>data/dev/nodes/_HOSTNAME_.yaml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">profile::nginx::welcome_message</span>: <span style="color:#e6db74">&#34;how are you?&#34;</span> </span></span></code></pre></div><p>The hiera data will be looked up by the profile and applied to the nginx module.</p> <p>As a final step assign the role to the default node.</p> <p><strong>site.pp</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span>node default { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">include</span> role<span style="color:#f92672">::</span>webserver </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Run the new setup.</p> <p><code>puppet apply --modulepath modules manifests/site.pp --debug --hiera_config hiera.yaml</code></p> <p>Open your browser to <a href="http://localhost:81/">http://localhost:81/</a>.</p> <p>And we are done 😄 Now you have masterless Puppet project up and running.</p> <p>I hope you enjoyed this tutorial, if not let me know. Feel free to ask questions.</p> <h1 id="source">Source</h1> <p><a href="https://www.puppefy.com/how-to-set-up-a-masterless-puppet-on-centos/">Puppefy IT Automation - How To Set Up a Masterless Puppet on CentOS</a></p> <p><a href="https://gist.github.com/jordansissel/628837">GitHub Gist - Simplest example of a masterless puppet invocation using module paths</a></p> <p><a href="https://ask.puppet.com/question/23910/masterless-puppet-with-hiera-dynamic-lookup/">Puppet Ask - Masterless puppet with hiera dynamic lookup?</a></p> <p><a href="https://github.com/cpilsworth/puppet-simple-masterless">GitHub - Puppet Simple Masterless</a></p> <p><a href="https://www.scalescale.com/tips/nginx/how-to-install-nginx-on-centos-rhel/">ScaleScale - How to install Nginx on CentOS 6 / RHEL</a></p>