Puppet in Dell Networkingi.dell.com/.../data-sheets/en/Documents/puppet-in-dell-networking.pdf · Puppet in Dell Networking v1.2 6 With Open Automation Starter Kit VM: S4810-2(conf)#

Puppet in Dell Networking

Jose Gonzalez – Product Management

V1.2 February 17, 2015

Table of Contents 1 Topology ............................................................................................................................................................... 2

2 Installation ............................................................................................................................................................ 2

2.1 Puppet Master .............................................................................................................................................. 2

2.1.1 Open Automation Starter Kit VM ......................................................................................................... 2

2.1.2 Puppet Master initial configuration ..................................................................................................... 2

2.2 Puppet Agent................................................................................................................................................ 5

2.2.1 Puppet Agent installation ..................................................................................................................... 5

2.2.2 With Open Automation Starter Kit VM ................................................................................................ 5

2.2.3 Without Open Automation Starter Kit VM .......................................................................................... 5

2.2.4 Puppet Agent initial configuration ....................................................................................................... 5

3 Applying the first Puppet manifest ...................................................................................................................... 8

4 Using Puppet ...................................................................................................................................................... 10

5 Stand-alone Puppet on switches ........................................................................................................................ 12

6 Conclusion .......................................................................................................................................................... 14

Puppet in Dell Networking v1.2

2

1 Topology For this demo, we assume we have two S4810’s and one server running Puppet Master. The switches must be

able to reach the server with Puppet Master from their management interfaces.

Although it is not required, for simplicity the three nodes reside in the same local network. Puppet allows users to

identify the nodes with arbitrary names, which need not be identical to their hostnames. Again for simplicity, we

will be using the hostnames.

2 Installation

2.1 Puppet Master

2.1.1 Open Automation Starter Kit VM

If you will not be using the Open Automation Starter Kit VM with Puppet Master pre-installed, skip this chapter.

The VM is based on Ubuntu 14.04. It comes with the following settings pre-configured:

Username: dell

Password: dell

Sudo password: dell

Hostname: oa-server

Domain: openautomation.demo

IP address (static): 10.10.4.1/16

Gateway: 10.10.0.1

File servers (enabled): TFTP, FTP, HTTP, NFS

DHCP server (enabled)

DNS Server for local hosts: 10.10.4.1

Upstream DNS Server: 10.10.0.1

NTP server for local hosts: 10.10.4.1

Details of how to run and configure the different services can be found in /home/dell/HOWTO-OA.txt

2.1.2 Puppet Master initial configuration

Puppet does not work with IP addresses. It must use names that will get resolved to IP addresses by a DNS service.

You can edit the files /etc/hosts on each device to add the names and corresponding IP addresses of all Puppet

Puppet Master

(10.10.4.1)

S4810 (1)

(10.10.48.1)

S4810 (2)

(10.10.48.2)

oa-server

s4810-1 s4810-2


3

Agents. You can use the switches’ hostnames or arbitrary names for their Puppet names. However, this method

requires that you login as root, which is problematic on the switches. Moreover, this file is reset after the switch

reloads. So you will have to edit those files manually multiple times. Fortunately, the Open Automation Starter Kit

VM has a DNS service that can be used to easily configure all these names.

With Open Automation Starter Kit VM:

root@oa-server:~# cat /etc/hosts

127.0.0.1 localhost

10.10.4.1 oa-server oa-server.openautomation.demo

10.10.4.1 puppet-master puppet-master.openautomation.demo

10.10.48.1 S4810-1 S4810-1.openautomation.demo

10.10.48.2 S4810-2 S4810-2.openautomation.demo

Without Open Automation Starter Kit VM:

root@oa-server:~# cat /etc/hosts

127.0.0.1 localhost oa-server

10.10.48.1 s4810-1

10.10.48.2 s4810-2

The configuration files are stored in /home/dell/.puppet. If you change the Puppet name, IP addresses, etc., it

is better to remove all SSL certificates and start fresh. Just remove these two directories:

dell@oa-server:~/.puppet$ ls

manifests puppet.conf ssl var

dell@oa-server:~/.puppet$ rm -rf ssl var

dell@oa-server:~/.puppet$ ls

manifests puppet.conf

Then, edit /home/dell/.puppet/puppet.conf

dell@oa-server:~/.puppet$ cat puppet.conf

user = dell

group = dell

autosign = true

dns_alt_names = oa-server, puppet-master

manifest = /home/dell/.puppet/manifests

modulepath = /home/dell/.puppet/modules

Notice that we can have an alternative name (puppet-master) for the server running Puppet Master. You can

use the hostname or this Puppet name if you prefer. Whatever you chose, you must be consistent on all agents.

In this document, we will use the server hostname.

You can also use the puppet tool to edit the configuration file:


4

dell@oa-server:~/.puppet$ puppet config set user dell

dell@oa-server:~/.puppet$ puppet config set group dell

dell@oa-server:~/.puppet$ puppet config set dns_alt_names oa-server, puppet-master

dell@oa-server:~/.puppet$ puppet config set autosign true

dell@oa-server:~/.puppet$ puppet config set manifest /home/dell/.puppet/manifests

dell@oa-server:~/.puppet$ puppet config set modulepath /home/dell/.puppet/modules

Next, install the Dell Networking Puppet Agent provider in the designated directory (create it if it does not exist): /home/dell/.puppet/modules

This provider can be downloaded from iSupport.

dell@oa-server:~/.puppet/modules$ cp /tmp/netdev_config.tar.gz .

dell@oa-server:~/.puppet/modules$ tar xfv netdev_config.tar.gz

dell@oa-server:~/.puppet/modules$ rm netdev_config.tar.gz

dell@oa-server:~/.puppet/modules$ ls

dell-dnos

Next, check the date and time of the server. The Puppet Master and Agents must be in synch. In a production

environment, you want to use an NTP service. Here, we just update the time manually. We will use the server’s

time as the reference:

dell@oa-server:~/.puppet$ date -u

Tue Jan 27 09:27:22 UTC 2015

Finally, run the master for the first time in the foreground and notice if there are errors: (Some output and

warnings removed for brevity)

dell@oa-server:~/.puppet$ puppet master --verbose --no-daemonize

Info: Creating a new SSL key for ca

Info: Creating a new SSL certificate request for ca

.

.

Info: Creating a new SSL key for oa-server.openautomation.demo

Info: csr_attributes file loading from /home/dell/.puppet/csr_attributes.yaml

.

.

Notice: oa-server.openautomation.demo has a waiting certificate request

Info: Autosigning oa-server.openautomation.demo

.

.

Notice: Starting Puppet master version 3.6.2


5

2.2 Puppet Agent

2.2.1 Puppet Agent installation

Uninstall any previous Open Automation package

Upgrade the switch to OS 9.7+

Install the corresponding Scripting package:

Dell# package install tftp://1.2.3.4/SMARTSCRIPTS-P-x.y.z.u.tar.gz

Install the corresponding Puppet Agent package:

Dell# package install tftp://1.2.3.4/PUPPET-P-x.y.z.u.tar.gz

2.2.2 With Open Automation Starter Kit VM

Skip the next section and continue with Section 2.2.4.

2.2.3 Without Open Automation Starter Kit VM

Enter the NetBSD shell as root:

S4810-2# start shell

login: root

Password:

Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,

2006, 2007, 2008, 2009, 2010

The NetBSD Foundation, Inc. All rights reserved.

Copyright (c) 1982, 1986, 1989, 1991, 1993

The Regents of the University of California. All rights reserved.

SStk-0 #

Edit the file /etc/hosts to add the IP address of the Puppet Master server and the switch. Notice we can use

either the server hostname or the server Puppet name. As said earlier, we use the hostname for the server, and

the Puppet name for the switch (s4810-2)

SStk-0 # cat /etc/hosts

127.0.0.1 localhost

10.10.4.1 oa-server

Note, this file is reset after a reload. You will need to update it again.

Exit the NetBSD shell and continue from the CLI.

2.2.4 Puppet Agent initial configuration

Check the date and time of the switch and ensure is as close as possible to that of the server. The Open

Automation Starter Kit VM has a NTP service that can be used to easily configure all these names.


6

With Open Automation Starter Kit VM:

S4810-2(conf)# ntp server 10.10.4.1

S4810-2(conf)# end

S4810-2# show clock

09:27:40.221 UTC Tue Jan 27 2015

Without Open Automation Starter Kit VM:

S4810-2# show clock

08:21:50.249 UTC Wed Nov 5 2014

S4810-2# clock set 09:27:30 Jan 27 2015

S4810-2# show clock

09:27:40.221 UTC Tue Jan 27 2015

Create a CLI user called puppet with privilege 15: (Choose any password)

S4810-2(conf)# username puppet password xxxx privilege 15

For convenience, let’s add the path of the Puppet Agent scripts to the CLI path:

S4810-2(conf)# script path /usr/pkg/dnos-puppet/scripts/bin

Puppet Agent requires the REST interface be enabled. HTTP suffices:

S4810-2(conf)# rest-server http

Remove any previous SSL certificates that might no longer be valid:

S4810-2# script execute puppet-agent args "clear-ssl" username puppet

You must use this user puppet to interact with Puppet Agent. You can login with this user, or you can use the

username parameter. Let’s display the current configuration:

S4810-2# script execute puppet-show args "config" username puppet

agentrestipaddr : 127.0.0.1

agentrestpasswd :

agentrestport : 8008

agentrestproto : http

agentrestuser :

agentsyncinterval : 60

S4810-2#


7

We need to configure the following parameters for Puppet Agent:

A CLI user with privilege 15 for the REST interface. Since we created puppet, let’s user it here, but any other

user will do as well

The REST interface details (e.g., protocol and port)

The Puppet name of the agent (i.e., s4810-2)

The Puppet name of the server where Puppet Master runs (i.e., oa-server)

We use another script to configure these parameters:

S4810-2# script execute puppet-config args "user=puppet" username puppet

S4810-2# script execute puppet-config args "group=users" username puppet

S4810-2# script execute puppet-config args "server=oa-server" username puppet

S4810-2# script execute puppet-config args "certname=s4810-2" username puppet

S4810-2# script execute puppet-config args "agentrestuser=puppet" username puppet

S4810-2# script execute puppet-config args "agentrestpasswd=xxxx" username puppet

S4810-2# script execute puppet-config args "agentrestproto=http" username puppet

S4810-2# script execute puppet-config args "agentrestport=8008" username puppet

S4810-2# script execute puppet-show args "config" username puppet

agentrestipaddr : 127.0.0.1

agentrestpasswd : ********

agentrestport : 8008

agentrestproto : http

agentrestuser : puppet

agentsyncinterval : 60

certname : s4810-2

group : users

server : oa-server

user : puppet

S4810-2#

If you wonder where the configuration files are stored, there are two.

The master configuration file is /usr/pkg/dnos-puppet/scripts/conf/dnos-puppet.cfg. This file

contains the Puppet Agent portion and the REST parameters

The configuration file for Puppet Agent is /usr/pkg/dnos-puppet/puppet/puppet.conf

Now, run the agent for the first time in the foreground and notice if there are errors: (Some output and warnings

removed for brevity)

S4810-2# script execute puppet-agent args "poll-master" username puppet

PING oa-server (10.10.4.1): 56 data bytes

64 bytes from 10.10.4.1: icmp_seq=0 ttl=64 time=0.612 ms

.

.

Info: Creating a new SSL key for s4810-2

Info: Caching certificate for ca

Info: Creating a new SSL certificate request for s4810-2

.

.

Info: Retrieving plugin


8

.

.

Info: Caching catalog for s4810-2

Info: Applying configuration version '1415154666'

.

.

Notice: Finished catalog run in 0.63 seconds

S4810-2#

Look at the Puppet Master console and verify the agent has been added to its database:

.

.

Notice: Starting Puppet master version 3.6.2

.

.

Notice: s4810-2 has a waiting certificate request

Info: Autosigning s4810-2

.

.

Notice: Compiled catalog for s4810-2 in environment production in 0.01 seconds

Info: Caching node for s4810-2

Congratulations. You have added the first node.

Repeat the same steps on the second switch.

3 Applying the first Puppet manifest Create a file with this content. The extension for Puppet manifest files is .pp. The name of the file does not

matter much. I use S4810-2.pp. What is important is the node name (s4810-2). Puppet Master will apply the

manifest whose node name matches the Puppet Agent name.

node "s4810-2" {

netdev_device { "S4810-2-Puppet":

ensure => present

}

netdev_interface {

"TenGigabitEthernet 0/1":

active => true,

admin => up,

description => "Interface tengig 0/1",

speed => 1g,

duplex => full,

mtu => 2500,

ensure => present

}

netdev_vlan {

"vlan-red":

active => true,

vlan_id => 100,

description => "Red network vlan",

ensure => present

}

netdev_vlan {


9

"vlan-green":

active => true,

vlan_id => 200,

description => "Green network vlan",

ensure => present

}

netdev_vlan {

"vlan-blue":

active => true,

vlan_id => 300,

description => "Blue network vlan",

ensure => present

}

}

Copy it to the Puppet Master server in the path provisioned for manifest in its puppet.conf , i.e.,

/home/dell/.puppet/manifests. Puppet Master will read and process all .pp files found in that directory.

Restart Puppet Master. Run Puppet Agent again:

S4810-2# script execute puppet-agent args "poll-master" username puppet PING oa-server (10.10.4.1): 56 data bytes

64 bytes from 10.10.4.1: icmp_seq=0 ttl=64 time=0.612 ms

.

.

Info: Retrieving plugin

Info: Loading facts in /usr/pkg/dnos-puppet/puppet/modules/dell-dnos/lib/facter/dell_dnos.rb

.

.

Notice: /Netdev_vlan[vlan-green]/ensure: created

Notice: /Netdev_interface[TenGigabitEthernet 0/1]/admin: admin changed 'down' to 'up'

.

.

Notice: /Netdev_vlan[vlan-red]/ensure: created

Notice: /Netdev_vlan[vlan-blue]/ensure: created

.

.

INFO : Completed Dell puppet agent run. Exit status : 2

S4810-2-Puppet#

Notice the prompt has changed to what the Puppet manifest has. If we display the Vlans, we will see them too:

S4810-2-Puppet# show vlan

NUM Status Description Q Ports

* 1 Active U Te 0/41

100 Inactive Red network vlan

200 Inactive Green network vlan

300 Inactive Blue network vlan

S4810-2-Puppet#

Congratulations. You have provisioned the first node with Puppet

Repeat the same steps on the second switch.


10

4 Using Puppet In a production scenario, Puppet Agent is running continuously in the background. At some given intervals, it will

wake up and contact Puppet Master to retrieve its configuration in order to apply it.

The beauty of Puppet is a term called Desired State Configuration, which means, Puppet guarantees an end state.

For example, if you delete any of the Vlans by accident or purposely, Puppet Agent will re-create them again in

the next run cycle.

By default, our Puppet Agent syncs with Puppet Master every hour. For this demo, we will set the minimum

interval that we allow: 10 minutes.

S4810-2-Puppet# script execute puppet-config args "agentsyncinterval=10" username puppet

Start now the Puppet Agent daemon, which will run in the background:

S4810-2-Puppet# script execute puppet-agentd username puppet bg

S4810-2-Puppet# show script process

JobID Script Name

000 puppet-agentd

Now change the hostname and delete Vlan 200:

S4810-2-Puppet(conf)# hostname NoNAME

NoNAME(conf)# no int vlan 200

NoNAME(conf)# end

NoNAME#

Wait some minutes. In the next sync cycle, the Puppet Agent daemon will wake up and perform the following

actions:

Retrieve the manifest from the master

Compare the actual status with the manifest

If there is any discrepancy, the daemon will update the system. In other words, the hostname and Vlan

200 will appear again

NoNAME#

NoNAME#

<.. Puppet Agent wakes up and syncs with the master ..>

S4810-2-Puppet# show vlan






S4810-2-Puppet#


11

Let’s check whether Puppet made this change: (The timestamp will give us a hint)

S4810-2-Puppet# script execute puppet-show args "status" username puppet

Daemon Status : Running

Agent Sync Status : Running

Last Sync : 2015-01-28 06:57:28 AM

Last Sync Result : success

.

.

Master Status : alive

S4810-2-Puppet#

And what the log files say:

S4810-2-Puppet# script execute puppet-show args "log" username puppet

Previous puppet agent run log :

Latest puppet agent run log : 2015-01-28 06:57:57 +0000 Puppet (info): Retrieving plugin

2015-01-28 06:58:16 +0000 Puppet (info): Loading facts in /usr/pkg/dnos-puppet/puppet ...

.

.

2015-01-28 06:59:37 +0000 Puppet (notice): Finished catalog run in 13.97 seconds

S4810-2-Puppet#

Lastly, you can pause and resume the Puppet Agent daemon with the following commands. The daemon will

continue being alive, it will just skip the sync operations:

S4810-2-Puppet# script execute puppet-agent args "stop" username puppet

DEBUG : Stop request raised for Dell puppet agent daemon

S4810-2-Puppet#

S4810-2-Puppet# script execute puppet-agent args "start" username puppet

DEBUG : Start request raised for Dell puppet agent daemon

S4810-2-Puppet#

These commands are useful if you want to run an out-of-band synchronization with the command used in Chapter

3, without killing the daemon, and thus, avoiding race conditions if both processes tried to sync with the master at

the same time.

Finally, terminate the daemon:


JobID Script Name

000 puppet-agentd

S4810-2-Puppet# script kill job-id 000


JobID Script Name


12

S4810-2-Puppet#

If you want, you leave the daemon configured to be executed after a reload:

S4810-2-Puppet# configure

S4810-2-Puppet(conf)# script execute puppet-agentd watch username puppet

S4810-2-Puppet(conf)# end

S4810-2-Puppet# write


JobID Script Name

000 puppet-agentd

5 Stand-alone Puppet on switches The Open Automation Puppet package contains the full Puppet distribution. This allows you to use Puppet

manifest files directly on the switch without having to configure an external Puppet Master.

The process for applying Puppet files to the switch is simpler. First, create or copy a manifest file to the switch

flash, or mount an NFS share from the switch. Notice it has the same node name as the previous files. In fact, you

can use the same manifest file used on the Puppet Master. For instance:

S4810-2-Puppet(conf)# mount nfs 10.10.50.3:/Share/Puppet puppet

S4810-2-Puppet(conf)# end

S4810-2-Puppet# dir nfsmount://puppet

Directory of nfsmount:/puppet

.

.

8 -rw- 182 Nov 05 2014 18:08:49 +00:00 example.conf

9 -rwx 1068 Nov 06 2014 10:52:01 +00:00 S4810-2.pp

S4810-2-Puppet# show file nfsmount://puppet/S4810-2.pp

node "s4810-2" {

netdev_device { "S4810-2-Standalone":

ensure => present

}

netdev_vlan {

"vlan-white":

active => true,

vlan_id => 400,

description => "White network vlan",

ensure => present

}

}

S4810-2-Puppet#


13

Note that the switches mount NFS shares in /f10/mnt/nfs/<mount-point>. Therefore, we will execute this

manifest file with this command:

S4810-2-Puppet# script execute puppet-apply args "-f /f10/mnt/nfs/puppet/S4810-2.pp" username puppet

Warning: Could not retrieve fact fqdn

Warning: Host is missing hostname and/or domain: s4810-2

.

.

Notice: /Netdev_vlan[vlan-white]/ensure: created

.

.


INFO : Puppet manifest file (/f10/mnt/nfs/puppet/S4810-2.pp) has been applied.

S4810-2-Standalone#

Notice the prompt has changed and a new Vlan has been added:

S4810-2-Standalone# show vlan






400 Inactive White network vlan

S4810-2-Standalone#

Puppet will not touch Vlans or any other resource that is not explicitly configured in the manifest files. As a result,

the previous Vlans 100, 200, 300 are maintained on the switch. To make the point, edit S4810-2.pp and add a

block to ensure Vlan 200 cannot exist:

S4810-2-Standalone# script execute vi args "/f10/mnt/nfs/puppet/S4810-2.pp"

<.. Use the vi commands to edit the file ..>

S4810-2-Standalone# show file nfsmount://puppet/S4810-2.pp

node "s4810-2" {

netdev_device { "S4810-2-Standalone":

ensure => present

}

netdev_vlan {

"vlan-green":

active => true,

vlan_id => 200,

description => "Gren network vlan",

ensure => absent

}

netdev_vlan {

"vlan-white":

active => true,


14

vlan_id => 400,

description => "White network vlan",

ensure => present

}

}

S4810-2-Standalone#

Let’s run the manifest again:

S4810-2-Puppet# script execute puppet-apply args "-f /f10/mnt/nfs/puppet/S4810-2.pp" username puppet

Warning: Could not retrieve fact fqdn

Warning: Host is missing hostname and/or domain: s4810-2

.

.

description : Green network vlan

Notice: /Netdev_vlan[vlan-green]/ensure: removed

.

.


INFO : Puppet manifest file (/f10/mnt/nfs/puppet/S4810-2.pp) has been applied.

S4810-2-Standalone#

If we display the current Vlans, we see 200 is gone:

S4810-2-Standalone# show vlan





400 Inactive White network vlan

S4810-2-Standalone#

6 Conclusion There are multiples places to learn the syntax and the features of Puppet. We have just scratched the surface.

Moreover, you are not restricted to the NetdevOps classes. All native resources are also available, for instance,

you can create and delete files, execute commands, etc.

We will introduce more advanced scenarios and another important tool, Facter, in following editions of this user

guide.