Installing and configuring Puppet Master

Puppet Labs runs its own repository servers for Puppet, which makes installing and maintaining both the server and the agent straightforward. Although the EPEL repository also provides Puppet packages, they tend to be old or lag behind upstream releases. Hence, I recommend using the Puppet Labs yum repositories.

How to do it…

This recipe covers a monolithic install. Perform the following steps:

  1. Enable the optional channel via the following command; you'll need this to install the Puppet Server component:
    ~]# subscription-manager repos --enable rhel-7-server-optional-rpms
    
  2. Download the puppetlabs repository installer, as follows:
    ~]# curl -Lo /tmp/puppetlabs-release-el-7.noarch.rpm https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
    
  3. Now, install the puppetlabs repository by executing the following:
    ~]# yum install -y /tmp/puppetlabs-release-el-7.noarch.rpm
    
  4. Install puppet-server by typing out this command:
    ~]# yum install -y puppet-server
    
  5. Set up Puppet Master by adding the following to the [main] section of /etc/puppet/puppet.conf:
    dns_alt_names = puppetmaster.critter.be,rhel7.critter.be
    always_cache_features = true
  6. Next, verify the generation of a CA certificate for the puppet environment through this command line:
    ~]# puppet master --verbose --no-daemonize
    
  7. Press CTRL + C when it displays the following information:
    Notice: Starting Puppet master version <version number>
    
  8. Now, allow traffic to the Puppet Master port (8140/tcp) via the following commands:
    ~]# firewall-cmd --permanent --add-port=8140/tcp
    ~]# firewall-cmd --reload
    
  9. Start Puppet Master by executing the following:
    ~]# systemctl start puppetmaster
    
  10. Finally, enable Puppet Master at boot, as follows:
    ~]# systemctl enable puppetmaster
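
Step 5 edits puppet.conf by hand. The following helper, added here as an example and not part of the original recipe, makes the same change idempotently, so that re-running the recipe or a later provisioning script cannot leave duplicate dns_alt_names lines or put the keys into the wrong section. The function names are my own; it assumes POSIX sh with awk, and the file path is a parameter (pass /etc/puppet/puppet.conf on a real master).

```shell
#!/bin/sh
# Added example, not from the original recipe: set a key in the [main] section
# of puppet.conf idempotently, as step 5 asks, instead of appending blindly.
# Assumes POSIX sh with awk; FILE is a parameter (use /etc/puppet/puppet.conf).

# puppet_conf_set FILE KEY VALUE
#   creates [main] if missing, replaces KEY if already present in [main],
#   otherwise appends KEY at the end of [main]; other sections are untouched
puppet_conf_set() {
    pc_file=$1
    [ -f "$pc_file" ] || : > "$pc_file"
    # make sure the file ends in a newline before anything is appended
    [ -s "$pc_file" ] && [ -n "$(tail -c1 "$pc_file")" ] && printf '\n' >> "$pc_file"
    grep -q '^\[main\]' "$pc_file" || printf '[main]\n' >> "$pc_file"
    pc_tmp="$pc_file.tmp.$$"
    awk -v k="$2" -v v="$3" '
        /^\[/ {
            # leaving [main] without having seen KEY: append it there
            if (inmain && !done) { print k " = " v; done = 1 }
            inmain = ($0 == "[main]")
        }
        inmain && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END { if (inmain && !done) print k " = " v }
    ' "$pc_file" > "$pc_tmp" && mv "$pc_tmp" "$pc_file"
}

# puppet_conf_get FILE KEY: print KEY's value from [main], or nothing if unset
puppet_conf_get() {
    awk -v k="$2" '
        /^\[/ { inmain = ($0 == "[main]") }
        inmain && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}
```

Keys with the same name in other sections (for example server under [agent]) are deliberately left alone, so the helper can be called as many times as you like.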
    

There's more…

The basic HTTP daemon that Puppet Master uses is not designed to serve an enterprise-sized fleet. Puppet Labs recommends putting Puppet Master behind Apache with Passenger, which provides the same service, once you manage a bigger range of systems (more than 10).

You can either compile the Passenger module yourself, or you can just use EPEL (for the rubygem(rack) package) and the Passenger repository. I choose the latter. Here are the steps that you need to perform:

  1. Install the Passenger repository by running the following command:
    ~]# curl -Lo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
    
  2. Now, download the EPEL repository installer, as follows:
    ~]# curl -Lo /tmp/epel-release-latest-7.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    
  3. Install the rpm EPEL repository (with yum) via the following command:
    ~]# yum install -y /tmp/epel-release-latest-7.noarch.rpm
    
  4. Next, install the packages needed to serve Puppet Master through Apache and Passenger. For this, execute the following command line:
    ~]# yum install -y httpd mod_ssl mod_passenger
    
  5. Set up Puppet Master's virtual host directories and ownership, as follows:
    ~]# mkdir -p /var/www/puppetmaster/{public,tmp} && chown -R apache:apache /var/www/puppetmaster
    
  6. Copy the rack configuration file to Puppet Master's virtual host root using the following command:
    ~]# cp /usr/share/puppet/ext/rack/config.ru /var/www/puppetmaster/.
    
  7. Next, change the ownership of the config.ru file. This is very important! You can do this through the following command:
    ~]# chown -R puppet:puppet /var/www/puppetmaster/config.ru
    
  8. Then, create an Apache virtual host configuration file at /etc/httpd/conf.d/puppetmaster.conf containing the following:
    # passenger performance tuning settings:
    # Set this to about 1.5 times the number of CPU cores in your master:
    PassengerMaxPoolSize 3
    # Recycle master processes after they service 1000 requests
    PassengerMaxRequests 1000
    # Stop processes if they sit idle for 10 minutes
    PassengerPoolIdleTime 600
    
    Listen 8140
    <VirtualHost *:8140>
        # Make Apache hand off HTTP requests to Puppet earlier, at the cost of
        # interfering with mod_proxy, mod_rewrite, etc. See note below.
        PassengerHighPerformance On
    
        SSLEngine On
    
        # Only allow high security cryptography. Alter if needed for compatibility.
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        SSLHonorCipherOrder     on
    
        SSLCertificateFile      /var/lib/puppet/ssl/certs/rhel7.critter.be.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/rhel7.critter.be.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLCARevocationCheck   chain
        SSLVerifyClient         optional
        SSLVerifyDepth          1
        SSLOptions              +StdEnvVars +ExportCertData
    
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking. If you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
    
        # These request headers are used to pass the client certificate
        # authentication information on to the Puppet master process
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    
        DocumentRoot /var/www/puppetmaster/public
    
        <Directory /var/www/puppetmaster/>
          Options None
          AllowOverride None
          # Apply the right behavior depending on Apache version.
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          </IfVersion>
          <IfVersion >= 2.4>
            Require all granted
          </IfVersion>
        </Directory>
    
        ErrorLog /var/log/httpd/puppetmaster_ssl_error.log
        CustomLog /var/log/httpd/puppetmaster_ssl_access.log combined
    </VirtualHost>

    Tip

    Make sure that you replace the certificate directives with the certificate file paths of your own system.

  9. Disable the puppetmaster service via the following:
    ~]# systemctl disable puppetmaster
    
  10. Use the following command line to stop the puppetmaster service:
    ~]# systemctl stop puppetmaster
    
  11. Now, start Apache, as follows:
    ~]# systemctl start httpd
    
  12. Enable Apache on boot through the following command line:
    ~]# systemctl enable httpd
    
  13. Check your HTTP daemon's status using the following:
    ~]# systemctl status httpd
    

    This will result in the following (similar) output:

There's more…

Puppet can also run in a masterless mode. In this case, you don't install a server but only the clients on all the systems that you wish to manage in this way.

See also

For more in-depth information about installing Puppet on RHEL, refer to the following page:

https://docs.puppetlabs.com/guides/install_puppet/install_el.html
