Puppet is a tool designed to manage the configuration of Unix-like and Microsoft Windows systems declaratively. The user describes system resources and their desired state, either in Puppet's declarative language or in a Ruby DSL (domain-specific language). This information is stored in files called "Puppet manifests". Puppet discovers the system information via a utility called Facter, compiles the Puppet manifests into a system-specific catalog containing resources and their dependencies, and applies that catalog to the target system. Any actions taken by Puppet are then reported.
Scenario
In this tutorial I am going to use the two systems listed below.
Puppet Master:
Operating system: CentOS 7 minimal installation
IP address: 10.1.1.200/24
Puppet client:
Operating system: CentOS 7 minimal installation
IP address: 10.1.1.154/24
Add the Puppet repository to your CentOS machine:
For Centos 7:
rpm -ivh https://yum.puppetlabs.com/el/7/products/x86_64/puppetlabs-release-7-11.noarch.rpm
Install the Puppet Master:
# Download puppet-server from Puppet Labs
yum install -y puppet-server
# Start Puppet-Server
CentOS 7:
systemctl start puppetmaster.service
# Set Puppet Master to run on startup
puppet resource service puppetmaster ensure=running enable=true
-------------------------------------------------------------------------------
/Service[puppetmaster]/ensure: ensure changed 'stopped' to 'running'
service { 'puppetmaster':
  ensure => 'stopped',
  enable => 'true',
}
Outside a test environment Puppet needs a scalable web server instead of its built-in WEBrick server, so let's install Apache (see the official docs):
# Download apache and necessary dependencies
yum install -y httpd httpd-devel mod_ssl ruby-devel rubygems gcc-c++ curl-devel zlib-devel make automake openssl-devel
# Install Rack/Passenger
gem install rack passenger
-----------------------------------------------------
Successfully installed rack-1.5.2
Building native extensions. This could take a while...
Successfully installed passenger-4.0.35
2 gems installed
Installing ri documentation for rack-1.5.2...
Then run the Passenger Apache module installer:
passenger-install-apache2-module
[root@Unixmen-centos7 yum.repos.d]# passenger-install-apache2-module
---------------------------------------------------------------------------------------
Welcome to the Phusion Passenger Apache 2 module installer, v4.0.35.

This installer will guide you through the entire installation process. It
shouldn't take more than 3 minutes in total.

Here's what you can expect from the installation process:

 1. The Apache 2 module will be installed for you.
 2. You'll learn how to configure Apache.
 3. You'll learn how to deploy a Ruby on Rails application.

Don't worry if anything goes wrong. This installer will advise you on how to
solve any problems.

Press Enter to continue, or Ctrl-C to abort.

Use <space> to select.
If the menu doesn't display correctly, press '!'

 ‣ ⬢ Ruby
   ⬢ Python
   ⬡ Node.js
   ⬡ Meteor

--------------------------------------------
Checking for required software...

 * Checking for C compiler...
      Found: yes
      Location: /usr/bin/cc
 * Checking for C++ compiler...
      Found: yes
      Location: /usr/bin/c++
 * Checking for Curl development headers with SSL support...
      Found: yes
      curl-config location: /usr/bin/curl-config
      Header location: /usr/include/curl/curl.h
      Version: libcurl 7.29.0
      Usable: yes
      Supports SSL: yes
 * Checking for OpenSSL development headers...
      Found: yes
      Location: /usr/include/openssl/ssl.h
 * Checking for Zlib development headers...
      Found: yes
      Location: /usr/include/zlib.h
 * Checking for Apache 2...
      Found: yes
      Location of httpd: /usr/sbin/httpd
      Apache version: 2.4.6
 * Checking for Apache 2 development headers...
      Found: yes
      Location of apxs2: /usr/bin/apxs
 * Checking for Rake (associated with /usr/bin/ruby)...
      Found: yes
      Location: /usr/bin/ruby /usr/local/bin/rake
 * Checking for OpenSSL support for Ruby...
      Found: yes
 * Checking for RubyGems...
      Found: yes
 * Checking for Ruby development headers...
      Found: yes
      Location: /usr/include/ruby.h
 * Checking for rack...
      Found: yes
 * Checking for Apache Portable Runtime (APR) development headers...
      Found: yes
      Location: /usr/bin/apr-1-config
      Version: 1.4.8
 * Checking for Apache Portable Runtime Utility (APU) development headers...
      Found: yes
      Location: /usr/bin/apu-1-config
      Version: 1.5.2
Create a virtual host file for puppet:
vi /etc/httpd/conf.d/puppetmaster.conf
and add the following (the LoadModule, PassengerRoot and PassengerRuby paths must match what passenger-install-apache2-module printed at the end of its run, and the certificate file names must match your master's certname):
# RHEL/CentOS:
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.35/buildout/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.35/
PassengerRuby /usr/bin/ruby

# And the passenger performance tuning settings:
PassengerHighPerformance On
PassengerUseGlobalQueue On
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 6
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140

<VirtualHost *:8140>
    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol All -SSLv2
    SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCertificateFile /var/lib/puppet/ssl/certs/unixmen-centos7.arnhem.chello.nl.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/unixmen-centos7.arnhem.chello.nl.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +ExportCertData

    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    #RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from All
    </Directory>
</VirtualHost>
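This vhost hands agent authentication to Apache: it verifies each agent's certificate against the Puppet CA and CRL and forwards the result to the master process in the X-Client-Verify and X-Client-DN headers, which the master trusts only because RequestHeader set replaces whatever the connecting client put in them. The audit script below is an added example and not part of this tutorial or of Puppet's own tooling; it re-checks those directives on a constructed copy of the vhost (certificate names replaced by a placeholder) and, next to a corrected variant, reports the three settings in the tutorial's file that are weak by today's standards: SSLv3 still allowed by "All -SSLv2", RC4 in the cipher list, and a CRL file that Apache 2.4 never consults unless SSLCARevocationCheck is also set.

```python
"""Audit the Apache/Passenger vhost that fronts a Puppet 3 master.

Added example, not code from the tutorial or from Puppet; standard library only.
Apache terminates TLS, verifies the agent certificate against the Puppet CA and
passes the result to the master in X-Client-Verify / X-Client-DN. The master
trusts those headers only because 'RequestHeader set' replaces any value the
connecting client sent, so that directive is checked along with the TLS settings.
"""

# Constructed excerpt of the tutorial's vhost: certificate names replaced by a
# placeholder, Passenger tuning lines left out because the audit ignores them.
TUTORIAL_VHOST = """
Listen 8140
<VirtualHost *:8140>
    SSLEngine On
    SSLProtocol All -SSLv2
    SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCertificateFile /var/lib/puppet/ssl/certs/MASTER-CERTNAME.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/MASTER-CERTNAME.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +ExportCertData
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
"""

# The same vhost with SSLv3 disabled, RC4 removed and CRL checking switched on.
HARDENED_VHOST = TUTORIAL_VHOST.replace(
    "SSLProtocol All -SSLv2", "SSLProtocol All -SSLv2 -SSLv3").replace(
    "HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP", "HIGH:!aNULL:!RC4:!MD5").replace(
    "SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem",
    "SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem\n    SSLCARevocationCheck chain")


def parse_directives(text):
    """Yield (directive_lowercase, args) per line, skipping comments and <...> tags."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            parts = line.split()
            yield parts[0].lower(), parts[1:]


def audit_vhost(text):
    """Return a list of findings; an empty list means every check passed."""
    seen, header_action = {}, {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)
        if name == "requestheader" and len(args) >= 2:
            header_action[args[1].lower()] = args[0].lower()
    findings = []

    if [a.lower() for a in seen.get("sslengine", [[]])[0]] != ["on"]:
        findings.append("SSLEngine is not On")

    # In Apache 2.4 'All' still includes SSLv3 unless it is explicitly removed.
    tokens = [t.lower() for t in seen.get("sslprotocol", [["all"]])[0]]
    positive = {t.lstrip("+") for t in tokens if t[0] not in "-!"}
    negative = {t[1:] for t in tokens if t[0] in "-!"}
    if ("all" in positive or "sslv3" in positive) and "sslv3" not in negative:
        findings.append("SSLProtocol permits SSLv3; use 'All -SSLv2 -SSLv3' or list TLS versions only")

    # Any cipher entry naming RC4 that is not negated with '!' or '-' enables RC4.
    ciphers = seen.get("sslciphersuite", [["DEFAULT"]])[0][-1].split(":")
    if any(c and "rc4" in c.lower() and c[0] not in "!-" for c in ciphers):
        findings.append("SSLCipherSuite enables RC4; add !RC4")

    # Client-certificate verification needs the CA, the CRL and a verify mode.
    required = {
        "sslcacertificatefile": "agent certificates cannot be checked against the Puppet CA",
        "sslcarevocationfile": "certificates revoked with 'puppet cert revoke' would still be accepted",
        "sslverifyclient": "Apache never asks the agent for a certificate",
    }
    for directive, why in required.items():
        if directive not in seen:
            findings.append(f"{directive} missing: {why}")

    # Apache 2.4 defaults SSLCARevocationCheck to 'none', which ignores the CRL file.
    crl_check = [a.lower() for a in seen.get("sslcarevocationcheck", [["none"]])[0]]
    if "sslcarevocationfile" in seen and crl_check[:1] == ["none"]:
        findings.append("SSLCARevocationCheck is none (Apache 2.4 default), so the CRL is never consulted; set it to chain")

    options = {a.lower() for args in seen.get("ssloptions", []) for a in args}
    if "+stdenvvars" not in options:
        findings.append("SSLOptions lacks +StdEnvVars, so SSL_CLIENT_VERIFY is never exported")

    # 'set' overwrites the header; 'append'/'merge' or no directive at all would let
    # a value supplied by the connecting client reach the master unchanged.
    for header in ("x-client-verify", "x-client-dn"):
        if header_action.get(header) != "set":
            findings.append(f"RequestHeader set {header} missing")
    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_VHOST), ("hardened", HARDENED_VHOST)):
        print(label + ":", audit_vhost(conf) or "no findings")
```

To check the real file, read /etc/httpd/conf.d/puppetmaster.conf into a string and pass it to audit_vhost(). SSLVerifyClient optional is deliberate and not flagged: an agent that has no certificate yet must still be able to fetch the CA certificate and submit its request over this port.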
Add the puppet https Port to the firewall:
firewall-cmd --zone=public --add-port=8140/tcp --permanent
firewall-cmd --reload
Start up Apache:
# CentOS 7 ships systemd units rather than /etc/init.d scripts for these services
systemctl stop puppetmaster.service
systemctl start httpd.service
Disable WEBrick and enable Apache on boot:
chkconfig puppetmaster off
chkconfig httpd on
Make sure the port is open and it’s listening:
lsof -i tcp:8140
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   8743   root    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8747 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8748 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8749 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8750 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8751 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8752 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8753 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8754 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8755 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
Append this [master] section to the end of /etc/puppet/puppet.conf:
vim /etc/puppet/puppet.conf

[master]
certname = puppet-server #Use the FQDN here
autosign = true
Check the Apache configuration with apachectl configtest and fix any errors it reports.
Now, copy the Rack config:
cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
Give Puppet correct permission to access the Rack config:
chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
Client Node install
Add the Puppet Labs repo:
rpm -ivh https://yum.puppetlabs.com/el/7/products/x86_64/puppetlabs-release-7-11.noarch.rpm
Install the Puppet Client:
yum install -y puppet
If you are not using DNS in your environment, you will need to edit the hosts file on both machines manually.
vim /etc/hosts

10.1.x.x    node
10.1.x.y    puppet-server
Edit /etc/puppet/puppet.conf and add the agent variables:
vim /etc/puppet/puppet.conf

# In the [agent] section
[agent]
server = puppet-server #Should be the FQDN!
report = true
pluginsync = true
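The [master] section added to the master's puppet.conf earlier and the [agent] section just above decide who gets to be an agent: autosign = true makes the master's CA sign every certificate request it receives, so any host that can reach port 8140 becomes a trusted agent without anyone reviewing the request, and the agent's server value must match the certname the master's certificate was issued for. The script below is an added example, not part of this tutorial or of Puppet; it parses constructed copies of both snippets with Python's configparser and reports those two points, alongside the [master] section with autosign turned off (Puppet 3 also accepts a whitelist file or an executable policy script as the autosign value, which is the usual way to enrol hosts unattended). Its agent check is a deliberate simplification that ignores dns_alt_names on the master certificate.

```python
"""Audit the [master] and [agent] snippets this tutorial adds to /etc/puppet/puppet.conf.

Added example, not code from the tutorial or from Puppet; standard library only.
'autosign = true' makes the master's CA sign every certificate request it receives,
so any host that can reach port 8140 and submit a CSR becomes a trusted agent without
review. Puppet 3 also accepts a path as the value (a whitelist file or an executable
policy script); 'false' leaves requests pending for 'puppet cert sign'.
The agent check is a simplification: it only confirms that the agent's 'server'
equals the master's certname, ignoring dns_alt_names on the master certificate.
"""
import configparser

# Constructed copies of the two snippets, comments included as the tutorial writes them.
MASTER_CONF = """
[master]
certname = puppet-server #Use the FQDN here
autosign = true
"""

AGENT_CONF = """
[agent]
server = puppet-server #Should be the FQDN!
report = true
pluginsync = true
"""

# The [master] section with autosign turned off; requests then wait for manual signing.
MASTER_CONF_FIXED = MASTER_CONF.replace("autosign = true", "autosign = false")


def load_conf(text):
    """puppet.conf is INI-like; '#' starts a full-line or inline (space-preceded) comment."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    return cp


def audit_master(text):
    """Return findings for the [master] section; an empty list means nothing to fix."""
    cp = load_conf(text)
    if not cp.has_section("master"):
        return ["no [master] section found"]
    findings = []
    autosign = cp.get("master", "autosign", fallback="false").strip().lower()
    if autosign == "true":
        findings.append("autosign = true: every CSR is signed without review; set it to false "
                        "(then sign with 'puppet cert sign <name>') or point it at a policy script")
    certname = cp.get("master", "certname", fallback="").strip()
    if certname and "." not in certname:
        findings.append(f"certname '{certname}' is not an FQDN, which the tutorial's own comment asks for")
    return findings


def audit_agent(agent_text, master_text):
    """Return findings for the [agent] section, cross-checked against the master config."""
    agent, master = load_conf(agent_text), load_conf(master_text)
    if not agent.has_section("agent"):
        return ["no [agent] section found"]
    findings = []
    server = agent.get("agent", "server", fallback="puppet").strip()  # Puppet's default is 'puppet'
    certname = master.get("master", "certname", fallback="").strip()
    if certname and server != certname:
        findings.append(f"agent server '{server}' does not match master certname '{certname}': "
                        "the agent verifies the master certificate against the name it connects to")
    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial", MASTER_CONF), ("fixed", MASTER_CONF_FIXED)):
        print(label, "[master]:", audit_master(conf) or "OK")
    print("[agent]:", audit_agent(AGENT_CONF, MASTER_CONF) or "OK")
```

To run it against the real files, read each machine's /etc/puppet/puppet.conf into a string and pass the master's text to audit_master() and both texts to audit_agent().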
Set the puppet agent to run on boot:
chkconfig puppet on
puppet agent --daemonize
Now test the client:
puppet agent -t
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for localhost.unixmen.com
Info: Certificate Request fingerprint (SHA256): 51:E3:75:7D:EC:BA:1F:68:B1:94:5E:4D:1F:84:53:07:F6:67:18:AB:12:6A:B6:89:05:D9:19:9F:30:DB:7A:F8
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
List and sign the pending request on the Puppet master:
[root@unixmen-centos7 certs]# puppet cert list
  "localhost.triennium.com" (SHA256) 51:E3:75:7D:EC:BA:1F:68:B1:94:5E:4D:1F:84:53:07:F6:67:18:AB:12:6A:B6:89:05:D9:19:9F:30:DB:7A:F8
[root@unixmen-centos7 certs]# puppet cert sign --all
Notice: Signed certificate request for localhost.unixmen.com
Notice: Removing file Puppet::SSL::CertificateRequest localhost.unixmen.com at '/var/lib/puppet/ssl/ca/requests/localhost.unixmen.com.pem'
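Both outputs above carry the same identifier: the agent logged the request fingerprint when it created the CSR, and puppet cert list shows the fingerprint of the request that arrived at the master. Comparing the two before signing is what lets an administrator sign a named request instead of puppet cert sign --all. The script below is an added example, not part of this tutorial or of Puppet; it parses constructed copies of both outputs (names and fingerprints are made up), splits the pending requests into those whose fingerprint the agent side confirmed, those whose fingerprint differs, and those nobody reported enrolling, and can recompute a fingerprint from a request file under /var/lib/puppet/ssl/ca/requests/ on the assumption that Puppet's fingerprint is the SHA-256 digest of the DER-encoded CSR.

```python
"""Sign only the certificate requests whose fingerprint was confirmed out of band.

Added example, not code from the tutorial or from Puppet; standard library only.
The agent prints 'Certificate Request fingerprint (SHA256): ...' and the master's
'puppet cert list' prints '"name" (SHA256) ...'. Assumption: the value is the SHA-256
digest of the DER-encoded CSR, upper-case hex with colons, so fingerprint_pem() can
recompute it from /var/lib/puppet/ssl/ca/requests/<name>.pem.
"""
import base64
import hashlib
import re

# ---- constructed sample data: names and fingerprints are made up ----
FP_NODE1 = ":".join(f"{i:02X}" for i in range(32))           # 00:01:...:1F
FP_NODE2_AGENT = ":".join(f"{i + 32:02X}" for i in range(32))
FP_NODE2_CA = ":".join(f"{i + 64:02X}" for i in range(32))   # differs from the agent's: do not sign
FP_ROGUE = ":".join(f"{i + 96:02X}" for i in range(32))      # no agent reported this request

AGENT_OUTPUT = f"""Info: Caching certificate for ca
Info: Creating a new SSL certificate request for node1.example.test
Info: Certificate Request fingerprint (SHA256): {FP_NODE1}
Exiting; no certificate found and waitforcert is disabled
"""

# 'puppet cert list' shows pending requests unprefixed; with --all, signed ones get
# a '+' and revoked ones a '-' prefix (assumed format, one such line included).
CERT_LIST_OUTPUT = f"""  "node1.example.test" (SHA256) {FP_NODE1}
  "node2.example.test" (SHA256) {FP_NODE2_CA}
  "rogue.example.test" (SHA256) {FP_ROGUE}
+ "already.example.test" (SHA256) {FP_NODE1}
"""

# Fingerprints the administrator collected from each agent's own 'puppet agent -t' output.
EXPECTED = {"node1.example.test": FP_NODE1, "node2.example.test": FP_NODE2_AGENT}

_AGENT_NAME = re.compile(r"Creating a new SSL certificate request for (\S+)")
_AGENT_FP = re.compile(r"Certificate Request fingerprint \((\w+)\): ([0-9A-Fa-f:]+)")
_LIST_LINE = re.compile(r'^\s*([+-])?\s*"([^"]+)"\s+\((\w+)\)\s+([0-9A-Fa-f:]+)')


def agent_fingerprint(output):
    """Return (certname, fingerprint) from an agent's first run, or None if absent."""
    name, fp = _AGENT_NAME.search(output), _AGENT_FP.search(output)
    if not name or not fp:
        return None
    return name.group(1), fp.group(2).upper()


def pending_requests(output):
    """Return {certname: fingerprint} for the unsigned requests in 'puppet cert list' output."""
    pending = {}
    for line in output.splitlines():
        m = _LIST_LINE.match(line)
        if m and m.group(1) is None:          # skip '+' signed / '-' revoked entries
            pending[m.group(2)] = m.group(4).upper()
    return pending


def plan_signing(cert_list_output, expected):
    """Split pending requests into (sign, mismatched, unexpected) by fingerprint."""
    sign, mismatched, unexpected = [], [], []
    for name, fp in sorted(pending_requests(cert_list_output).items()):
        if name not in expected:
            unexpected.append(name)           # nobody reported enrolling this host
        elif expected[name].upper() != fp:
            mismatched.append(name)           # not the CSR the agent said it generated
        else:
            sign.append(name)
    return sign, mismatched, unexpected


def sign_commands(names):
    """One explicit 'puppet cert sign <name>' per verified request, never --all."""
    return [f"puppet cert sign {n}" for n in names]


def fingerprint_der(der_bytes, algo="sha256"):
    """Digest of the DER bytes as upper-case hex pairs joined by colons."""
    hexdigest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_pem(pem_text, algo="sha256"):
    """Fingerprint a PEM file by decoding its body back to DER first."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return fingerprint_der(base64.b64decode(body), algo)


# Constructed stand-in for a request file; these bytes are not a real CSR.
FAKE_CSR_DER = b"constructed bytes standing in for a DER-encoded CSR"
FAKE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
                + base64.b64encode(FAKE_CSR_DER).decode()
                + "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    sign, bad, unknown = plan_signing(CERT_LIST_OUTPUT, EXPECTED)
    print("run:", sign_commands(sign))
    print("fingerprint mismatch, investigate before signing:", bad)
    print("no agent reported this request, investigate before signing:", unknown)
```

In practice EXPECTED is filled from the fingerprint each agent printed on its first puppet agent -t run, and the returned sign list is what goes to puppet cert sign, one name at a time.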
Enjoy!