Tikejhya: Ashish Nepal

Knowledgebase

Category: puppet

Could not evaluate: Cannot allocate memory [puppet]


Error: /Stage[main]/Vsftpd/Service[vsftpd]: Could not evaluate: Cannot allocate memory - fork(2)
Error: /Stage[main]/Graphite::Install/Package[whisper]: Could not evaluate: Cannot allocate memory - /usr/bin/pip freeze 2>&1
Error: /Stage[main]/Myclass/Exec[myexec]/returns: change from notrun to 0 failed: Cannot allocate memory - fork(2)

Memory issue: the host has no memory left for fork(2). Lower the heap reserved by the Java service in JAVA_ARGS, or get more memory:

# Modify this if you'd like to change the memory allocation, enable JMX, etc
JAVA_ARGS="-Xms512m -Xmx512m -XX:MaxPermSize=256m"

# Or get more memory 😀

YAML: break a string over multiple lines


# folded block (>): each line break is replaced by a space
folded: >
  This is a very long sentence
  that spans several lines in the YAML
  but which will be rendered as a string
  without carriage returns.

# literal block (|): the string spans several lines and the line breaks are kept
literal: |
  This is a very long sentence
  that spans several lines in the YAML
  but which will be rendered as a string
  with the line breaks preserved.

puppet agent example


# puppet agent debug
puppet agent -t --debug

# puppet agent dry run
puppet agent --test --noop

# check certificates waiting to be signed
puppet cert --list

# check all certificates
puppet cert --list --all

# Removing certificates
puppet cert --clean {node certname}

# Remove the entire SSL directory of the client machine
rm -r /etc/puppet/ssl; rm -r /var/lib/puppet/ssl

# register client with puppetserver
# Client
puppet agent --server puppetmaster.ashishnepal.net --waitforcert 60 --test

# Master
puppet cert --sign web1.tikejhya.net

# Config example (/etc/puppet/puppet.conf)

[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server=puppetmaster.ashishnepal.net
environment = development
runinterval = 5y

[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

# There is always fun to be had with puppet agent and its hostname, since the hostname commands do not necessarily agree (give it a go and see):

# hostname
foobar
# uname -n
foobar
# hostname -f
foobar.example.com
# hostname -a
foobar localhost.localdomain localhost

hiera example

Sample hiera.yaml

To include hiera, puppet.conf should have this single line:
hiera_config = /etc/puppet/hiera.yaml

# /etc/puppet/hiera.yaml
---
:backends:
  - yaml
  - json
:yaml:
  :datadir: /etc/puppet/hieradata
:json:
  :datadir: /etc/puppet/hieradata
:hierarchy:
  - "%{::clientcert}"
  - "node/%{::fqdn}"
  - "%{::environment}"
  - common
:logger: console

In the setup above, /etc/puppet/hieradata holds the data in YAML or JSON format.

Hierarchy priority runs top to bottom, so the folders are laid out accordingly: the environment level can be group specific (production, DR, development, etc.), node/<nodename> is per host, and common holds the most generic values.

# common.yaml

---
install_packages::packages:
- strace
- ngrep
- libaio
- mlocate
- rsync
- lrzsz
- wget
- telnet
- crontabs

uninstall_packages::packages:
- cups

rollout:
- authorized_keys
- zabbix
- install_packages
- rpm_packages
- uninstall_packages
- motd
- yum-repo-zabbix

zabbix::params::zabbix_agent_pidfile: /var/run/zabbix/zabbix_agentd.pid
zabbix::params::zabbix_agent_logfile: /var/log/zabbix/zabbix_agentd.log

authorized_keys::key1: ssh-rsa AAAAB3NzaC1yc2EAAAADAQxx....
authorized_keys::key2: ssh-rsa AAAAB3NzaC1yc2xxxxx.....

motd::content: something here

# An individual node file can look like this:

# node/nodename.com.yaml
---
rollout:
- zabbix
- authorized_keys
zabbix::params::zabbix_agent_hostname: something.net
zabbix::params::zabbix_server_ip: ipgoeshere
uninstall_packages::packages:
- mysql-libs
- jwhois

motd::content: |
  BI Server
  Key Software: Mysql

rpm_packages::packages:
- MySQL-client
- epel-release-6-8.noarch
- MySQL-server

rpm_packages::src:
- https://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-client-5.6.10-1.el6.x86_64.rpm
- https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
- https://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-server-5.6.10-1.el6.x86_64.rpm
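To make the top-to-bottom priority rule and the difference between a plain lookup and an array merge concrete, here is an added Python model of the lookup (not Hiera's own code). The hierarchy is the one from hiera.yaml above; the data is a constructed subset of common.yaml plus a hypothetical node file, held inline as dicts so no YAML library is needed.

```python
import re

# Hierarchy copied from the hiera.yaml above; the data files are constructed inline
# as dicts (a subset of common.yaml and a hypothetical node file) so this runs
# without a YAML library.
HIERARCHY = ["%{::clientcert}", "node/%{::fqdn}", "%{::environment}", "common"]

DATA = {
    "common": {
        "rollout": ["authorized_keys", "zabbix", "install_packages", "rpm_packages",
                    "uninstall_packages", "motd", "yum-repo-zabbix"],
        "uninstall_packages::packages": ["cups"],
        "motd::content": "something here",
    },
    "node/db1.example.net": {  # hypothetical hieradata/node/db1.example.net.yaml
        "rollout": ["zabbix", "authorized_keys"],
        "uninstall_packages::packages": ["mysql-libs", "jwhois"],
        "zabbix::params::zabbix_server_ip": "ipgoeshere",
    },
    "development": {"motd::content": "development box"},
}

def interpolate(level, facts):
    """Replace %{::fact} tokens with fact values; unknown facts become empty strings."""
    return re.sub(r"%\{::(\w+)\}", lambda m: facts.get(m.group(1), ""), level)

def resolved_levels(facts):
    return [interpolate(level, facts) for level in HIERARCHY]

def hiera(key, facts, default=None):
    """Priority lookup: the first level, top to bottom, that defines the key wins."""
    for level in resolved_levels(facts):
        if key in DATA.get(level, {}):
            return DATA[level][key]
    return default

def hiera_array(key, facts):
    """Array merge: values from every level are combined, highest priority first."""
    merged = []
    for level in resolved_levels(facts):
        for item in DATA.get(level, {}).get(key, []):
            if item not in merged:
                merged.append(item)
    return merged

if __name__ == "__main__":
    facts = {"clientcert": "db1.example.net", "fqdn": "db1.example.net",
             "environment": "development"}
    print(hiera("motd::content", facts))        # environment level beats common
    print(hiera("rollout", facts))              # node file wins, common's list is not merged
    print(hiera_array("uninstall_packages::packages", facts))
```

Note that with a plain lookup the node file's rollout list completely replaces common's; only hiera_array combines the levels.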

Puppet class [sshd]

Recap: Installation and troubleshooting

Create directories:
sudo mkdir -p /etc/puppet/modules/sshd/{manifests,files}

Writing Class:
File Location: /etc/puppet/modules/sshd/manifests/init.pp

class sshd {

  package { 'openssh-server':
    ensure => latest,
  }

  # restart the daemon whenever the managed sshd_config changes
  service { 'ssh':
    subscribe => File['sshdconfig'],
    require   => Package['openssh-server'],
  }

  file { 'sshdconfig':
    path    => '/etc/ssh/sshd_config',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => 'puppet:///modules/sshd/sshd_config',
    require => Package['openssh-server'],
  }
}

Fix Permissions:
chown puppet: /etc/puppet/modules/sshd/files/sshd_config
chmod 600 /etc/puppet/modules/sshd/files/sshd_config

This class needs to be included from the node definition:
include sshd

Test for syntax errors:
puppet parser validate init.pp

Test using a dry run:
puppet agent -t --noop

Centos 6.x howto-puppet Installation and Configuration

This is tested on CentOS 6.4 with the EPEL repo based version of puppet 2.6.17.

cd /usr/local/src;
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm;
yum install puppet-server;
touch /etc/puppet/manifests/site.pp
service puppetmaster start

Jump into the puppet client:

yum install puppet;
vi /etc/puppet/puppet.conf

# Note: control.meotic.com is my puppet master for puppet client

puppetd --server control.meotic.com --waitforcert 60 --test

Response:
info: Creating a new SSL key for db1.meotic.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for db1.meotic.com
info: Certificate Request fingerprint (md5): 6D:35:2F:D7:4A:2C:CC:90:A0
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session

Now jump into the server (puppet master):

puppetca --list

"db1.meotic.com" (6D:35:2F:D7:4A:1A:F2:13:C3:2C:CC:90:A0)

[root@control manifests]# puppetca --sign db1.meotic.com
notice: Signed certificate request for db1.meotic.com
notice: Removing file Puppet::SSL::CertificateRequest db1.meotic.com at '/var/lib/puppet/ssl/ca/requests/db1.meotic.com.pem'
[root@control manifests]#

What we have at this point:
Puppet Master (as: control.meotic.com)
Puppet Agent (as: db1.meotic.com)

Certificates are signed and all set to roll.

Now let's look into the configuration files, directories and the fileserver.

[root@control ~]# cd /etc/puppet/
[root@control puppet]# ll -al
total 28
drwxr-xr-x. 4 puppet puppet 4096 Mar 23 11:27 .
drwxr-xr-x. 59 root root 4096 Mar 23 09:25 ..
-rw-r--r--. 1 puppet puppet 2346 Jul 19 2012 auth.conf
drwxr-xr-x. 2 puppet puppet 4096 Mar 23 12:46 files
-rw-r--r--. 1 puppet puppet 459 Mar 23 11:27 fileserver.conf
drwxr-xr-x. 3 puppet puppet 4096 Mar 23 12:40 manifests
-rw-r--r--. 1 puppet puppet 853 Jul 6 2012 puppet.conf

auth.conf: authentication config file.
files: directory holding the files to share.

vi /etc/puppet/fileserver.conf:
[files]
  path /etc/puppet/files
  allow *.meotic.com
  allow 192.168.1.0/24

Here, in fileserver.conf, you declare the location of the file share point and who is allowed to fetch from it, by IP range or by DNS name pattern.
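As an added example (not from the page and not Puppet's own code), a small Python model of how a mount's allow list gates a client: the sample conf is constructed to mirror the one above, and the client names and addresses are assumptions. It makes visible that a hostname rule only protects as well as the name the master trusts for the client, which with SSL is the name in its certificate.

```python
import fnmatch
import ipaddress

# Constructed sample mirroring the page's /etc/puppet/fileserver.conf.
SAMPLE_CONF = """
[files]
  path /etc/puppet/files
  allow *.meotic.com
  allow 192.168.1.0/24
"""

def parse_fileserver_conf(text):
    """Parse [mount] sections with their 'path' and 'allow' lines into a dict."""
    mounts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            mounts[current] = {"path": None, "allow": []}
            continue
        if current is None:
            raise ValueError("directive before any [mount] section: %r" % line)
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            mounts[current]["path"] = value
        elif key == "allow":
            mounts[current]["allow"].append(value)
        else:
            raise ValueError("unknown directive %r in [%s]" % (key, current))
    return mounts

def rule_matches(rule, client_name, client_ip):
    """A rule is '*', an IP address or CIDR range, or a hostname glob such as *.meotic.com."""
    if rule == "*":
        return True
    try:
        network = ipaddress.ip_network(rule, strict=False)
    except ValueError:                      # not an address: treat it as a hostname pattern
        return fnmatch.fnmatchcase(client_name.lower(), rule.lower())
    return ipaddress.ip_address(client_ip) in network

def is_allowed(mount, client_name, client_ip):
    """No matching allow rule means the client is refused."""
    return any(rule_matches(r, client_name, client_ip) for r in mount["allow"])
```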

Now the manifests. I have divided them into two parts:
classes/
site.pp

[root@control puppet]# cd manifests/
[root@control manifests]# ls
classes site.pp

site.pp: it's pretty much self-explanatory, it holds the different nodes.

# /etc/puppet/manifests/site.pp

import "classes/*"

## Base Nodes

node default {
  include sudo
  include ntp
}

node mysqldb {
  include ntp
  include mysql
}

node webserver {
  include web
  include monitoring
}

## Specific Nodes

# a base node 'loadbalancer' must be defined above for this inherits to compile
node 'web1.meotic.com', 'web2.meotic.com' inherits loadbalancer {
  include apacheconf
  include app
  include backups
}

node 'db1.meotic.com' inherits mysqldb {
  include sudo
}

node 'control.meotic.com' inherits mysqldb {
}

node 'dns1.meotic.com', 'dns2.meotic.com' {
  include monitoring
}

And the classes:

[root@control classes]# ll -al
-rw-r--r--. 1 puppet puppet 591 Mar 23 12:49 ntp.pp
-rw-r--r--. 1 puppet puppet 235 Mar 23 12:50 sudo.pp

Currently I have 2 files: one to serve the ntp settings and config file, and one for the sudoers file.

vi ntp.pp

# /etc/puppet/manifests/classes/ntp.pp

class ntp {
  # If you have different distros within the org you can declare the differences here as variables
  case $operatingsystem {
    centos, redhat: {
      $service_name = 'ntpd'
      $conf_file    = 'ntp.conf'
    }
    default: {
      # without this, $service_name would be undefined on any other OS
      fail("ntp class: unsupported operatingsystem ${operatingsystem}")
    }
  }

  package { 'ntp':
    # package titles can also be given as an array
    ensure => installed,
  }

  service { 'ntp':
    name      => $service_name,
    ensure    => running,
    enable    => true,
    require   => Package['ntp'],
    subscribe => File['ntp.conf'],
  }

  file { 'ntp.conf':
    path    => '/etc/ntp.conf',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => "puppet://control.meotic.com/files/${conf_file}",
    require => Package['ntp'],
  }
}

sudo.pp

# /etc/puppet/manifests/classes/sudo.pp

class sudo {
  # sudoers must stay read-only for root and its group (0440) or sudo refuses to run
  file { '/etc/sudoers':
    owner  => 'root',
    group  => 'root',
    mode   => '0440',
    source => 'puppet://control.meotic.com/files/sudoers',
  }
}

Once you have written a manifest, before restarting and committing the changes you might want to check the syntax:

puppet --parseonly sudo.pp
puppet --parseonly ntp.pp

# How to install RPM with puppet

# The resource title must be the RPM's package name: otherwise the rpm provider
# cannot see that it is already installed and would reinstall it on every run,
# so the package name is passed in alongside the source URL.
class examplerpm ( $src, $pkg ) {

  package { $pkg:
    provider => 'rpm',
    ensure   => installed,
    source   => $src,
  }
}

class { 'examplerpm':
  pkg => 'nginx',
  src => 'http://nginx.org/packages/rhel/6/x86_64/RPMS/nginx-1.4.4-1.el6.ngx.x86_64.rpm',
}

# How to share a file using Puppet

file { '/etc/sudoers':
  mode   => '0440',
  owner  => 'root',
  group  => 'root',
  source => 'puppet:///files/sudoers',
}

# How to write files using Puppet

file { '/data/some.sh':
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  # \n gives the line breaks; \$1 keeps the shell's positional parameter out of Puppet's interpolation
  content => "#!/bin/bash\npuppet agent --onetime --no-daemonize --verbose \$1\n",
}

And to run a sync with the client, on the client machine:

puppetd --server control.meotic.com --test

(Of course this can be automated with a cron job or another hook that runs when a file changes on the master; keeping the manifests in a repository is recommended by many experts, even as standard best practice.)

This might be the best tool 😉
http://www.puppetcookbook.com/

General layout

├── auth.conf
├── environments
│   └── example_env
│       ├── manifests
│       ├── modules
│       └── README.environment
├── fileserver.conf
├── hieradata
│   ├── common.yaml
│   ├── node
│   │   ├── ares.ashishnepal.net.yaml
│   │   ├── logarchive.ashishnepal.net.yaml
│   │   └── varnish1.ashishnepal.com.yaml
│   └── sshkeys
├── hiera.yaml -> /etc/hiera.yaml
├── manifests
│   ├── classes
│   │   └── basetools.pp
│   ├── nodes
│   │   └── test_nodes.pp
│   └── site.pp
├── modules
│   ├── authorized_keys
│   │   ├── manifests
│   │   │   └── init.pp
│   │   └── templates
│   │       ├── backoffice
│   │       │   └── authorized_keys.erb
│   │       └── db
│   │           └── authorized_keys.erb
│   ├── nginx
│   │   ├── manifests
│   │   │   ├── init.pp
│   │   │   └── params.pp
│   │   └── templates
│   │       ├── default_conf.erb
│   │       ├── fastcgi_params_conf.erb
│   │       ├── koi-utf_conf.erb
│   │       ├── koi-win_conf.erb
│   │       ├── mime.types_conf.erb
│   │       ├── nginx_conf.erb
│   │       ├── scgi_params_conf.erb
│   │       ├── ssl_conf.erb
│   │       ├── uwsgi_params_conf.erb
│   │       └── win-utf_conf.erb
│   ├── sshd
│   │   ├── files
│   │   │   └── sshd_config
│   │   └── manifests
│   │       └── init.pp
│   └── zabbix
│       ├── manifests
│       │   ├── init.pp
│       │   ├── params.pp
│       │   └── resources
│       │       └── agent.pp
│       └── templates
│           ├── zabbix_agent_conf.erb
│           └── zabbix_agentd_conf.erb
└── puppet.conf

TROUBLESHOOT:
[root@puppet2 ~]# puppet agent --no-daemonize --onetime --verbose
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get certificate CRL for /CN=puppet1.tike.com]
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get certificate CRL for /CN=puppet1.tike.com]

Solution: update the time, delete the existing certificates, retry.

Client: find /var/lib/puppet -type f -print0 |xargs -0r rm
Master: puppet cert clean puppet2.tike.com
Client: puppet agent --no-daemonize --onetime --verbose
Master: puppet cert list
Master: puppet cert sign "puppet2.tike.com"

More troubleshooting on the official page:
http://docs.puppetlabs.com/guides/troubleshooting.html