Puppet Labs maintains its own repository servers for Puppet, which makes installing and maintaining the server and agent very easy. Although the EPEL repository also provides Puppet packages, they tend to be out of date. Hence, I recommend using the Puppet Labs yum repositories.
This recipe covers a monolithic install. Perform the following steps:
~]# subscription-manager repos --enable rhel-7-server-optional-rpms
puppetlabs repository installer, as follows:
~]# curl -Lo /tmp/puppetlabs-release-el-7.noarch.rpm https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
puppetlabs repository by executing the following:
~]# yum install -y /tmp/puppetlabs-release-el-7.noarch.rpm
puppet-server by typing out this command:
~]# yum install -y puppet-server
[main] section of /etc/puppet/puppet.conf:
dns_alt_names = puppetmaster.critter.be,rhel7.critter.be
always_cache_features = true
puppet environment through this command line:
~]# puppet master --verbose --no-daemonize
Notice: Starting Puppet master version <version number>
8140/tcp) via the following commands:
~]# firewall-cmd --permanent --add-port=8140/tcp
~]# firewall-cmd --reload
~]# systemctl start puppetmaster
~]# systemctl enable puppetmaster
The basic HTTP daemon that Puppet Master uses is not made to provide service for an enterprise. Puppet Labs recommends using Apache with Passenger to provide the same service as Puppet Master for a bigger range of systems (more than 10).
You can either compile the Passenger module yourself, or you can just use EPEL (for the rubygem(rack) package) and the Passenger repository. I choose the latter. Here are the steps that you need to perform:
~]# curl -Lo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
~]# curl -Lo /tmp/epel-release-latest-7.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm EPEL repository (with yum) via the following command:
~]# yum install -y /tmp/epel-release-latest-7.noarch.rpm
~]# yum install -y httpd mod_ssl mod_passenger
~]# mkdir -p /var/www/puppetmaster/{public,tmp} && chown -R apache:apache /var/www/puppetmaster
rack configuration file to Puppet Master's virtual host root using the following command:
~]# cp /usr/share/puppet/ext/rack/config.ru /var/www/puppetmaster/.
config.ru file. This is very important! You can do this through the following command:
~]# chown -R puppet:puppet /var/www/puppetmaster/config.ru
/etc/httpd/conf.d/puppetmaster.conf containing the following:

# passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 3
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140
<VirtualHost *:8140>
    # Make Apache hand off HTTP requests to Puppet earlier, at the cost of
    # interfering with mod_proxy, mod_rewrite, etc. See note below.
    PassengerHighPerformance On

    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    SSLHonorCipherOrder on

    SSLCertificateFile /var/lib/puppet/ssl/certs/rhel7.critter.be.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/rhel7.critter.be.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLCARevocationCheck chain
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +ExportCertData

    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking. If you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.

    # These request headers are used to pass the client certificate
    # authentication information on to the Puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /var/www/puppetmaster/public
    <Directory /var/www/puppetmaster/>
        Options None
        AllowOverride None
        # Apply the right behavior depending on Apache version.
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>

    ErrorLog /var/log/httpd/puppetmaster_ssl_error.log
    CustomLog /var/log/httpd/puppetmaster_ssl_access.log combined
</VirtualHost>
puppetmaster service via the following:
~]# systemctl disable puppetmaster
puppetmaster service:
~]# systemctl stop puppetmaster
~]# systemctl start httpd
~]# systemctl enable httpd
~]# systemctl status httpd
This will result in the following (similar) output:
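Once httpd is running, it is worth confirming that the virtual host file really carries the client-certificate settings from the puppetmaster.conf listing: CRL enforcement (which Apache 2.4 leaves off by default) and the RequestHeader set lines that overwrite any X-Client-* headers sent by a client. The script below is an added example and not part of the original recipe; the function names write_sample_vhost and audit_puppet_vhost are hypothetical, and the embedded excerpt is constructed from the directives shown in this recipe.

```shell
#!/bin/sh
# Added example: audit a Puppet Master vhost file for its client-auth directives.
# write_sample_vhost FILE: writes a constructed excerpt of puppetmaster.conf.
write_sample_vhost() {
    cat > "$1" <<'CONF'
Listen 8140
<VirtualHost *:8140>
    SSLEngine On
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLCARevocationCheck chain
    SSLVerifyClient optional
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
CONF
}

# audit_puppet_vhost FILE: prints each failed check, returns the failure count.
audit_puppet_vhost() {
    conf=$1
    failures=0
    while IFS=';' read -r label regex; do
        # Anchor at the directive name so commented-out lines do not count.
        grep -Eq "^[[:space:]]*${regex}" "$conf" && continue
        echo "FAIL: ${label}"
        failures=$((failures + 1))
    done <<'CHECKS'
CRL checking enforced;SSLCARevocationCheck[[:space:]]+chain
CRL file configured;SSLCARevocationFile[[:space:]]+/
client certificates requested;SSLVerifyClient[[:space:]]+(optional|require)
SSLv3 disabled;SSLProtocol[[:space:]].*-SSLv3
X-SSL-Subject overwritten with set;RequestHeader[[:space:]]+set[[:space:]]+X-SSL-Subject[[:space:]]
X-Client-DN overwritten with set;RequestHeader[[:space:]]+set[[:space:]]+X-Client-DN[[:space:]]
X-Client-Verify overwritten with set;RequestHeader[[:space:]]+set[[:space:]]+X-Client-Verify[[:space:]]
CHECKS
    return "$failures"
}

# Demo on the constructed excerpt; point the function at the real file instead.
demo=$(mktemp)
write_sample_vhost "$demo"
audit_puppet_vhost "$demo" && echo "all checks passed"
rm -f "$demo"
```

To check the live configuration, call audit_puppet_vhost /etc/httpd/conf.d/puppetmaster.conf; the exit status is the number of failed checks.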
Puppet can also run in a masterless mode. In this case, you don't install a server but only the clients on all the systems that you wish to manage in this way.
For more in-depth information about installing Puppet on RHEL, refer to the following page:
https://docs.puppetlabs.com/guides/install_puppet/install_el.html