Managing iLO's with puppet
==========================

Instead of writing your own code to manage iLO interfaces with python-hpilo,
you can also use a puppet module. While it doesn't support all the
functionality of hpilo.py or hpilo_cli, it does support the more common
functions (and more can be added, just file a bug!)

It uses the same network device management framework as the existing tools to
manage cisco devices or F5 loadbalancers, so you don't need to install anything
special on each server and no custom iLO code is required.

To install the module, simply copy the `modules/ilo` directory into your puppet
tree and follow the instructions below to create recipes.

Caching
-------

This module heavily caches iLO output, most for more than a day. The cache is
invalidated if settings etc. are changed by this module, but if you make
changes manually, you will need to remove the cached information yourself. The
cache lives in the per-device directories in `/var/lib/puppet/devices`.

Because of this caching, applying the catalog takes only a few seconds instead
of several minutes if there are no changes.

Configuring puppet
------------------

Please configure `hpilo_cli` itself first, including username and password. The
puppet `ilo` module works by using this tool. Once it works for you, you can
configure puppet.

To use `puppet device` to manage iLO's, the iLO devices must be added to
`/etc/puppet/device.conf` on the server you want to use for managing them.

The ilo module can be used in two ways: to manage an iLO remotely via HTTP and
to manage an iLO locally via hpilo. With the former you can manage many iLOs
from a single server, with the latter you can manage iLOs that are not (yet)
reachable via the network.

To manage the local iLO, you can put something like this in `device.conf`::

    [server-001.ilo.kaarsemaker.net]
    type ilo
    url ilo://server-001.ilo.kaarsemaker.net

Note that the scheme is `ilo://`; this makes the ilo module use `hpilo_cli` in
local mode. You must still use the iLO's FQDN though, as each node needs a
unique name in puppet.

I personally prefer the network method and configuring DHCP properly so all
iLOs are reachable via the network. For this, `device.conf` looks like the
following::

    [server-001.ilo.kaarsemaker.net]
    type ilo
    url http://server-001.ilo.kaarsemaker.net

    [server-002.ilo.kaarsemaker.net]
    type ilo
    url http://server-002.ilo.kaarsemaker.net

    [server-003.ilo.kaarsemaker.net]
    type ilo
    url http://server-003.ilo.kaarsemaker.net

In fact, it's generated by the iLO module. The management server has this
snippet in its recipe:

.. code-block:: puppet

    class s_mgmt {
        class{'ilo::proxy':
            devices => [
                "http://server-001.ilo.kaarsemaker.net",
                "http://server-002.ilo.kaarsemaker.net",
                "http://server-003.ilo.kaarsemaker.net",
            ]
        }
    }

Of course you can generate this however you want.

Facts
-----

Several facts are available for use in your recipes.

* `$devicetype` is set to `ilo`
* `$users` contains a list of all users
* `$firmware_version`, `$firmware_date`, `$management_processor`, and
  `$license_type` are set to what `get_fw_version` provides
* `$oa_encl`, `$oa_rack`, `$oa_ipaddress`, `$oa_location`, `$oa_macaddress`,
  `$oa_uidstatus` and `$oa_system_health` are set to what `get_oa_info`
  provides. These are only available on blade servers.

Managing users
--------------

You can use this module to create, modify and delete users. Unfortunately the
normal `user` type cannot be used, so there's a special `ilo_user` type.

.. code-block:: puppet

    ilo_user {
        "Administrator":
            admin_priv => true;
        "jack":
            ensure => absent;
        "dkaarsemaker":
            ensure            => present,
            display_name      => 'Dennis Kaarsemaker',
            password_atcreate => 'P4ssw0rd',
            reset_server_priv => false;
        "linda":
            ensure            => present,
            password          => 'hunter2',
            display_name      => 'Linda',
            admin_priv        => false,
            config_ilo_priv   => false,
            reset_server_priv => true;
    }

These example users show the features of this type:

* You can create (`ensure => present`) or delete (`ensure => absent`) users.
* You can manage their permissions (`admin_priv`, `config_ilo_priv`,
  `remote_cons_priv`, `reset_server_priv` and `virtual_media_priv`)
* You can manage display names and passwords. Note that for users you want this
  module to create, these are mandatory attributes.

Because user passwords cannot be queried, this module has to check the password
every time by doing an http request. This can take a while and goes against the
aggressive caching. To prevent these constant checks, you can use the
`password_atcreate` parameter instead of the `password` parameter. This is only
used when creating the user and is not checked subsequently. Should you want to
change the user's password you can temporarily also add a `password` parameter
until all devices have been updated.

Managing iLO firmware
---------------------

The `ilo_firmware` type can be used to manage firmware on your iLOs.

.. code-block:: puppet

    ilo_firmware { $management_processor:
        ensure     => "latest",
        http_proxy => "http://webproxy:3128"
    }

The name of the resource must be the same as the iLO type; you can use a fact
to make sure it is. `ensure` accepts any version number or the string `latest`,
which will always upgrade to the latest version.

`http_proxy` is optional and can be used to specify a proxy via which to
download the firmware config and firmware.

Managing settings
-----------------

This module also includes an `ilo_settings` type. This is a relatively thin
wrapper around functions like `mod_global_settings` to configure any of the
following settings: global (`mod_global_settings`), network
(`mod_network_settings`), snmp (`mod_snmp_im_settings`) and directory
authentication (`mod_dir_config`). As with the above types, an example should
make it clear.

.. code-block:: puppet

    ilo_settings {
        "global":
            settings => {
                "remote_console_port" => 23,
                "enforce_aes"         => true,
                "f8_login_required"   => true,
            };
        "network":
            settings => {
                "prim_dns_server" => "10.42.1.31",
                "sec_dns_server"  => "10.42.1.32",
            };
    }

As you can see, the individual settings are not separate parameters; instead
there's only one `settings` parameter. Any setting that is not managed by puppet
is left completely alone by this module; there are no defaults.

Installing licenses
-------------------

The last functionality (for now) is the `ilo_license` type, which you can use
to install licenses.

.. code-block:: puppet

    ilo_license { "iLO 3 Advanced":
        key => "12345-67890-ABCDE-FGHIJ-KLMNO"
    }

Note that the spelling of the license name is important. If it's not exactly
the same as what `get_all_licenses` shows, puppet will try to activate the
license again and again.

Complete example
----------------

And here's a complete example to put all the above together.

`/etc/puppet/device.conf`::

    [server-001.ilo.kaarsemaker.net]
    type ilo
    url http://server-001.ilo.kaarsemaker.net

`/etc/puppet/manifests/nodes.pp`

.. code-block:: puppet

    node 'management-server.kaarsemaker.net' {
        include s_mgmt
    }
    node 'server-001.ilo.kaarsemaker.net' {
        include s_ilo
    }
    node 'server-002.ilo.kaarsemaker.net' {
        include s_ilo
    }
    node 'server-003.ilo.kaarsemaker.net' {
        include s_ilo
    }

`/etc/puppet/modules/s_mgmt/manifests/init.pp`

.. code-block:: puppet

    class s_mgmt {
        class{'ilo::proxy':
            devices => [
                "http://server-001.ilo.kaarsemaker.net",
                "http://server-002.ilo.kaarsemaker.net",
                "http://server-003.ilo.kaarsemaker.net",
            ]
        }
    }

`/etc/puppet/modules/s_ilo/manifests/init.pp`

.. code-block:: puppet

    class s_ilo {
        # Always upgrade firmware
        ilo_firmware { $management_processor:
            ensure     => "latest",
            http_proxy => "http://webproxy:3128"
        }
        # We only have iLO 3's in this setup, so one license will do
        ilo_license { "iLO 3 Advanced":
            key => "12345-67890-ABCDE-FGHIJ-KLMNO"
        }
        ilo_settings {
            "global":
                settings => {
                    "remote_console_port" => 23,
                    "enforce_aes"         => true,
                    "f8_login_required"   => true,
                };
            "network":
                settings => {
                    "prim_dns_server" => "10.42.1.31",
                    "sec_dns_server"  => "10.42.1.32",
                };
        }
        ilo_user {
            "Administrator":
                # Temporary until changed everywhere
                password => 'P4ssw0rd';
            "dennis":
                ensure            => present,
                display_name      => 'Dennis Kaarsemaker',
                password_atcreate => 'MyPass!',
                reset_server_priv => false;
            # Remove leavers
            ["jack", "bob"]:
                ensure => absent,
        }
    }