Config management, DevOPs and all those sorts of time saving things are all well and good for readily repeatable tasks that happen on the same systems on a regular basis. But as a consultant my tasks are rarely the same and change from day to day depending on the customer, their mood or the phase of the moon. So while I’ve used puppet a lot I’ve only deployed a puppet platform once or twice and every time I do I end up digging around trying to work out the latest best practice.
So primarily to remind myself so I have a quick guide for the next time here’s my quick puppetmaster in five minutes using just rpm packages (so they’re easily upgraded and checked for security issues etc) on RHEL-6 or Fedora.
First ensure you have proper forward and reverse DNS records for the puppet master server and all puppet clients.
- Set SELinux to Permissive. This is a FIXME as there appears to be an issue running puppetmaster on rails on apache. A quick check it seems to be related to comms between httpd and rails. RHBZ 730837 has more info but I need to investigate but it should be straight forward .
sed 's/SELINUX=enforcing/SELINUX=permissive/' /etc/sysconfig/selinux setenforce permissve
- On Fedora you already have all the repos required out of the box. On RHEL I’m using the upstream PuppetLabs repos so I used the following:
rhn-channel -a -c rhel-x86_64-server-optional-6 rpm -ivh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-10.noarch.rpm rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm yum-config-manager --enable epel puppetlabs-products puppetlabs-deps
- Install the needed packages
yum install puppet-server httpd mod_ssl rubygem-rack mod_passenger
- Start the puppetmaster and set it to run on startup. While we won’t be using WEBrick we start it initially so it will initialise the default puppet config and setup things like certificates.
service puppetmaster start puppet resource service puppetmaster ensure=running enable=true
- Configure the puppetmaster Rails app
mkdir -p /usr/share/puppet/rack/puppetmasterd mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/ chown -R puppet.puppet /usr/share/puppet/rack restorecon -Rv /usr/share/puppet mkdir /var/run/passenger restorecon -Rv /var/run/passenger
- Configure apache by adding the config below and updating FQDN.pem to your local certificate name.
vim /etc/httpd/conf.d/puppetmaster.conf# RHEL/CentOS: # And the passenger performance tuning settings: PassengerHighPerformance On PassengerUseGlobalQueue On # Set this to about 1.5 times the number of CPU cores in your master: PassengerMaxPoolSize 6 # Recycle master processes after they service 1000 requests PassengerMaxRequests 1000 # Stop processes if they sit idle for 10 minutes PassengerPoolIdleTime 600 PassengerTempDir /var/run/passenger Listen 8140 <VirtualHost *:8140> SSLEngine On # Only allow high security cryptography. Alter if needed for compatibility. SSLProtocol All -SSLv2 SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP SSLCertificateFile /var/lib/puppet/ssl/certs/FQDN.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/FQDN.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars +ExportCertData # These request headers are used to pass the client certificate # authentication information on to the puppet master process RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e RackAutoDetect On DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/ <Directory /usr/share/puppet/rack/puppetmasterd/> Options None AllowOverride None Order Allow,Deny Allow from All </Directory> </VirtualHost>
restorecon -Rv /etc/httpd/conf.d
- Disable the puppetmaster so it runs via Rails on Apache
chkconfig puppetmaster off; service puppetmaster stop chkconfig httpd on; service httpd restart
- Setup a basic puppet config files:
- autosign.conf
vim /etc/puppet/autosign.conf
*.infra.example.com
- site.pp
vim /etc/puppet/manifests/site.pp# /etc/puppet/manifests/site.pp import "nodes" # The filebucket option allows for file backups to the server filebucket { main: server => 'puppetmaster.infra.example.com' } # Set global defaults - including backing up all files to the main filebucket and adds a global path File { backup => main } Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
- modules.pp
vim /etc/puppet/manifests/modules.pp# /etc/puppet/manifests/modules.pp import "dns-client" import "ntp-client"
- nodes.pp
vim /etc/puppet/manifests/nodes.pp# /etc/puppet/manifests/nodes.pp node 'common' { include dns-client include ntp-client } node default inherits common { } node 'puppetmaster.infra.example.com' inherits common { }
With the above you obviously need to have the dns-client and ntp-client modules in place in /etc/puppet/modules/ or update the config files to reflect the modules you have installed!
- autosign.conf
- Relabel all the various puppet directories to ensure we’re good with selinux:
restorecon -Rv /etc/puppet - Reboot to ensure it all works when it comes back online 😉
P.S. I’ll update this post once I’ve had time to work out the SELinux issues, pointers welcome in the comments below 🙂