Last Updated: Aug 13, 2025

Concept of Maintenance in Puppet

Author Nagendra

Introduction

Puppet is a DevOps tool that aids in centralising and automating the configuration management process. Regular maintenance of the tool makes it operate more quickly and smoothly.

This blog explains maintenance in Puppet, covering backing up and restoring Puppet Enterprise, enabling the pe_databases module, and rotating the inventory service secret key.

Without further ado, let's get started.


Maintenance

An OpsWorks for Puppet Enterprise server will always be running the most recent versions of Puppet Server, including security upgrades. It is necessary to perform system maintenance at least once per week. The main maintenance tasks in Puppet are:

  • Backing up and restoring PE
    Your Puppet Enterprise (PE) infrastructure should be regularly backed up. You may move your PE installation after a significant OS upgrade, migrate to new primary server hardware more easily, troubleshoot your installation, and recover from system faults more quickly using backup.
     
  • Maintenance of databases
    Puppet Enterprise (PE) databases can be optimised to boost performance.
     
  • Rotating the inventory service secret key
    The inventory service encrypts the sensitive parameters of a connection entry using a secret key that is generated at random.

Backing up and restoring Puppet Enterprise

Your Puppet Enterprise (PE) infrastructure should be regularly backed up. You may move your PE installation after a significant OS upgrade, migrate to new primary server hardware more easily, troubleshoot your installation, and recover from system faults more quickly.

Customizing backup and restoring scope

By default, the PE backup and restore commands include your PE configuration, PE certificates, Puppet code, and PuppetDB. However, you can choose which data is backed up or restored using the --scope option.

The following data is backed up (or restored) by the puppet-backup command by default:

  • Your PE configuration, including RBAC, classification, and license settings. Puppet gems and Puppet Server gems are not included in the configuration backup data.
     
  • Certificates from PE CAs and the complete SSL database.
     
  • The Puppet code deployed to your code directory at the time of the backup.
     
  • Data from PuppetDB, including facts, catalogs, and previous reports.
     

You can use the --scope command line option to restrict the scope of a backup or restore if you want discrete backup files or if you want to back up particular components of your infrastructure more frequently than others. The --scope flag accepts one or more of certs, code, config, or puppetdb. If nothing is given, the default value is all.
If you frequently alter your code, you might back up your Puppet code more frequently than the rest of your infrastructure. The backup file only contains the components of your infrastructure that you designate when you limit the backup scope. In order to know what each backup file includes, make sure to include the scope in the file name.
You must restore your Puppet configuration, certificates, code, and PuppetDB data when you restore your primary server. However, by using backup files with restricted scopes or by limiting the restore scope, you can restore each component from a different file.

Back up your infrastructure

Your primary server's configuration, certificates, code, and PuppetDB are copied during the Puppet Enterprise (PE) backup procedure. Depending on the size of PuppetDB, backing up can take several hours.

In addition to backing up your PE configuration, PE certificates, Puppet code, and PuppetDB data with the puppet-backup command, you must back up your infrastructure's secret keys.

  • On your primary server, run the puppet-backup command. The standard command is:

Command:

sudo puppet-backup create --dir=<BACKUP_DIRECTORY>


Back up the LDAP service secret key and, if necessary, the secret keys directory.

You can find the secret key directory at:

/etc/puppetlabs/orchestration-services/conf.d/secrets/


The LDAP service key can be found here:

/etc/puppetlabs/console-services/conf.d/secrets/keys.json

Results

Each time you create a new backup, puppet-backup generates a single backup file containing all the data you are backing up (as defined by --scope). Unless you provide an alternative destination in the puppet-backup command, PE writes backup files to /var/puppetlabs/backups. Unless you specify an alternative name in the puppet-backup command, the file name follows the default naming scheme (pe_backup-<TIMESTAMP>.tgz).
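
One way to script the backup step so that the scope is recorded in the file name and the secret keys are archived on their own, readable only by the owner. This is an added example, not code from the original article or from Puppet: the helper names backup_name and archive_secrets and the pe_secrets- prefix are made up here, and --name is the puppet-backup option that sets the backup file name.

```shell
#!/bin/sh
# Added example (not from the article): name scoped backups and archive the
# secret keys separately. Helper names and the pe_secrets- prefix are made up.

# Secret key locations given in the article.
ORCH_SECRETS=/etc/puppetlabs/orchestration-services/conf.d/secrets
LDAP_KEYS=/etc/puppetlabs/console-services/conf.d/secrets/keys.json

# backup_name SCOPE [STAMP] prints pe_backup-<scope>-<stamp>.tgz
# SCOPE is a comma-separated list of certs, code, config, puppetdb (or all).
backup_name() (
  scope=$1; stamp=${2:-$(date +%Y%m%dT%H%M%S)}
  [ -n "$scope" ] || { echo "scope required" >&2; exit 1; }
  set -f; IFS=,
  for part in $scope; do
    case "$part" in
      all|certs|code|config|puppetdb) ;;
      *) echo "unknown scope: $part" >&2; exit 1 ;;
    esac
  done
  printf 'pe_backup-%s-%s.tgz\n' "$(printf '%s' "$scope" | tr ',' '+')" "$stamp"
)

# archive_secrets DEST_DIR PATH... writes a tarball of the given key paths
# and prints its location. umask 077 keeps the archive owner-only (mode 600).
archive_secrets() (
  dest_dir=$1; shift
  out="$dest_dir/pe_secrets-$(date +%Y%m%dT%H%M%S).tgz"
  umask 077
  tar -czf "$out" "$@" || exit 1
  printf '%s\n' "$out"
)

# Usage on the primary server, as root (left commented so the file can be
# sourced without side effects):
#   name=$(backup_name code) &&
#     puppet-backup create --dir=/var/puppetlabs/backups --name="$name" --scope=code
#   archive_secrets /var/puppetlabs/backups "$ORCH_SECRETS" "$LDAP_KEYS"
```

Store the key archive apart from the PE backup file, since the keys decrypt sensitive data held by the inventory service, orchestrator, and LDAP service.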

Restore your infrastructure

In order to move your primary server to a different host or to recover from a system breakdown, use the Puppet Enterprise (PE) restore method.

  • If you are restoring to a previously existing primary server, you must remove any existing PE installation before reinstalling and restoring.
  • Run the following command on the primary server to remove PE: 

Command:

sudo /opt/puppetlabs/bin/puppet-enterprise-uninstaller -p -d

 

  • Make sure that the directories /opt/puppetlabs/ and /etc/puppetlabs/ are no longer present in the system.
     
  • Install PE on the primary server you intend to restore to. You must install the same PE version that was used to create your backup files.
     
  • If the machine you wish to restore to doesn't already have the PE installation script, download it and perform the following command to unpack it: tar -xf <TARBALL_FILENAME>.
     
  • Go to the directory where the install script is located. Normally, after unpacking the tarball, the PE directory is where you'll find the installer script.
     
  • Run sudo ./puppet-enterprise-installer to install PE.
     
  • Use the puppet-backup restore command on your primary server to restore your PE infrastructure. The standard command is:

Command:

sudo puppet-backup restore <BACKUP-FILENAME>

  • Restore your backups of the secret keys. The inventory service, orchestrator, and LDAP service (if enabled) all use these keys to encrypt and decrypt sensitive data.
    • Directory for the inventory service and orchestrator keys is located at: 
/etc/puppetlabs/orchestration-services/conf.d/secrets

 

  • The LDAP service key file is located at:
/etc/puppetlabs/console-services/conf.d/secrets/keys.json

 

  • Ensure that the secret key ownership for the inventory service is set up as follows: 

pe-orchestration-services:pe-orchestration-services

  • Make sure the LDAP service's secret key ownership is set up as follows if the LDAP service is activated: 

pe-console-services:pe-console-services

  • Restart the pe-console-services and pe-orchestration-services services.
     
  • You must direct your agents to the new primary server if PE was reinstalled onto the primary server with a different hostname than the original installation and the DNS alt names setting in the pe.conf file has not been set. Using the Bolt task runner to complete a task is one approach to achieve this:
    • Download and install Bolt if it isn't already installed.
       
  • Run these commands to modify the puppet.conf file to point all the agents at the new primary server.
    Command: 
bolt task run puppet_conf action=set section=agent setting=server value=<RESTORE_HOSTNAME> --targets <COMMA-SEPARATED_LIST_OF_NODES>
bolt task run puppet_conf action=set section=main setting=server value=<RESTORE_HOSTNAME> --targets <COMMA-SEPARATED_LIST_OF_NODES>
  • Run puppet agent -t --no-use_cached_catalog on the newly restored primary server to apply the changes. To restart services, run the same command a second time.
     
  • Run puppet agent -t --no-use_cached_catalog on each agent node to check the connection to the new primary server.
     
  • The following commands should be used to deploy your code if Code Manager was enabled when you produced your backup file: 

Command:

puppet-access login
puppet code deploy --all --wait

 

  • You have to provision a fresh replica if disaster recovery is a feature of your installation.
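
A check for the ownership steps above, run after the secret keys have been restored and before the services are restarted. This is an added example, not code from the original article or from Puppet: the function names are made up, and flagging files that are accessible to other users is an extra check assumed here, not something the article requires.

```shell
#!/bin/sh
# Added example (not from the article): verify restored secret key ownership.
# Uses GNU stat (stat -c), as found on Linux hosts.

# check_secret_owner PATH OWNER:GROUP
# Prints every entry under PATH whose owner:group differs from the expected
# value or whose mode grants any access to "other". Returns 0 if all pass,
# 1 if any entry fails, 2 if PATH does not exist.
check_secret_owner() (
  path=$1; expected=$2
  [ -e "$path" ] || { echo "MISSING $path"; exit 2; }
  find "$path" -exec stat -c '%U:%G %a %n' {} + | {
    bad=0
    while read -r owner mode name; do
      if [ "$owner" != "$expected" ]; then
        echo "OWNER $name is $owner, expected $expected"; bad=1
      fi
      case "$mode" in
        # last octal digit non-zero: readable, writable or executable by others
        *[1-7]) echo "MODE $name is $mode, accessible to other users"; bad=1 ;;
      esac
    done
    exit "$bad"
  }
)

# Paths and owners as given in the article.
verify_restored_keys() (
  rc=0
  check_secret_owner /etc/puppetlabs/orchestration-services/conf.d/secrets \
    pe-orchestration-services:pe-orchestration-services || rc=1
  # keys.json only exists when the LDAP service is enabled
  ldap=/etc/puppetlabs/console-services/conf.d/secrets/keys.json
  if [ -e "$ldap" ]; then
    check_secret_owner "$ldap" pe-console-services:pe-console-services || rc=1
  fi
  exit "$rc"
)
```

Call verify_restored_keys as root on the restored primary server; a non-zero exit status means at least one key file needs its ownership or mode corrected.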

Enable the pe_databases module

You can manage and fine-tune your Puppet Enterprise (PE) databases with the aid of the pe_databases module. When installing or upgrading PE, the module is placed in the $basemodulepath directory and turned on by default.

  • You can set the puppet_enterprise::enable_database_maintenance parameter to enable or disable the pe_databases module. This parameter accepts Boolean values.
     
  • Run Puppet to apply the change: puppet agent -t

Databases in PE 

PostgreSQL serves as the database backend for Puppet Enterprise's (PE) databases. The native utilities in PostgreSQL can be used to import and export databases.

The following databases are part of the PE PostgreSQL database:

  • pe-activity: Classifier activity data, including users, nodes, and activity times.

  • pe-classifier: Information about all node groups and classification.

  • pe-puppetdb: Data from PuppetDB, such as exported resources, catalogs, statistics, and reports.

  • pe-rbac: Information on AD/LDAP users, permissions, and role-based access control (RBAC).

  • pe-orchestrator: Information from the orchestrator, such as user, node, and task run outcome details.

List all database names

The following steps can generate a list of PostgreSQL database names:

  • Switch to the pe-postgres user by using the following command:

Command:

sudo su - pe-postgres -s /bin/bash

 

  • Run the following command to access the PostgreSQL command line:

Command:

/opt/puppetlabs/server/bin/psql

 

  • The databases can be listed using the \l command.
     
  • You can exit from the PostgreSQL command line by using \q.
     
  • You can terminate the pe-postgres user's session using the logout command.
     

Let's look into the details of Rotating the inventory service secret key.

Rotating the inventory service secret key

The secret key used by the inventory service to encrypt a connection entry's sensitive parameters is generated at random.

To reduce the chances that an attacker will obtain the secret key, rotate it every 90 days. You can rotate the inventory service secret key by using the following commands:

  • You can use the following command for stopping the inventory service:

    Command: 

puppet resource service pe-orchestration-services ensure=stopped

 

  • As you rotate the secret key, stop the puppet service to make sure that a future puppet run won't unintentionally launch the inventory service.
     
  • Download the key_rotation.rb script with this command.
    Command: 
curl https://puppet.com/docs/pe/latest/files/key_rotation.rb -L --output key_rotation.rb

 

  • On the main server, execute the key_rotation.rb script.
     
  • To stop unintended secret key rotations, remove the key_rotation.rb script.
     
  • Run puppet resource service to restart the inventory service on the primary server.

Command:

puppet resource service pe-orchestration-services ensure=running

 

  • Launch the Puppet service again.
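
A check that reports when the 90-day rotation described above is due, suitable for a scheduled job. This is an added example, not code from the original article or from Puppet: the function names are made up, and it assumes that a rotation rewrites the key files in the secrets directory, so that the newest modification time there reflects the last rotation.

```shell
#!/bin/sh
# Added example (not from the article): flag an overdue inventory key rotation.
# Assumption: rotating the key rewrites files under the secrets directory.
# Uses GNU find/stat (Linux).

# Secrets directory given in the article.
SECRETS_DIR=/etc/puppetlabs/orchestration-services/conf.d/secrets

# key_age_days DIR [NOW_EPOCH]
# Prints whole days since the newest file under DIR was modified.
# Fails if DIR holds no files (nothing to measure).
key_age_days() (
  dir=$1; now=${2:-$(date +%s)}
  newest=$(find "$dir" -type f -exec stat -c %Y {} + 2>/dev/null | sort -n | tail -n 1)
  [ -n "$newest" ] || exit 1
  echo $(( (now - newest) / 86400 ))
)

# rotation_due DIR [MAX_DAYS] [NOW_EPOCH]
# Returns 0 when the key is MAX_DAYS old or older (default 90, per the article),
# 1 when it is still fresh, 2 when the age could not be determined.
rotation_due() (
  age=$(key_age_days "$1" "${3:-}") || exit 2
  [ "$age" -ge "${2:-90}" ]
)

# Usage (as root on the primary server):
#   rotation_due "$SECRETS_DIR" && echo "inventory service secret key rotation is due"
```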

Frequently Asked Questions

What is the Puppet agent?

The Puppet agent is a tool that controls configurations on your nodes.

What is the command used for listing all databases in Puppet?

The \l command is used to list all databases in Puppet.

What is the use of a service key?

The inventory service uses the secret key to encrypt a connection entry's sensitive parameters.

Conclusion

In this article, we have extensively discussed the details of Maintenance in Puppet along with the details of Backing up and restoring Puppet Enterprise, Enabling the pe_databases module, and Rotating the inventory service secret key.
