Monday, January 28, 2013
Installing puppet dashboard
Here are my notes on installing Puppet Dashboard.
1. Install EPEL and puppet repos
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-6.noarch.rpm
2. Install required packages
yum install vim puppet-server puppet puppet-dashboard sudo mod_ssl rubygem-passenger mod_passenger policycoreutils-python mysql mysql-server -y
3. Generate a puppet client cert and sign it on the puppet master
• Run the following:
puppet agent --test
• Sign the certificate on the puppet master
puppet cert --list
puppet cert sign <puppet-client>
for example
puppet cert sign puppet-dashboard.myorg.net
4. Configure MySQL and create the dashboard database
4.1 Start the mysqld server and configure chkconfig
service mysqld start
chkconfig mysqld on
4.2 Run and secure mysql
/usr/bin/mysql_secure_installation
4.3 Log in to mysql and create a database and configure permissions / password
create database puppetdash;
GRANT ALL PRIVILEGES ON puppetdash.* TO puppet@'%' IDENTIFIED BY '<password>';
FLUSH PRIVILEGES;
set global max_allowed_packet = 33554432;
4.4 Update database entries for the production DB settings as follows:
vi /usr/share/puppet-dashboard/config/database.yml
production:
  database: puppetdash
  username: puppet
  password: <password>
  encoding: utf8
  adapter: mysql
4.5 Create dashboard schema
cd /usr/share/puppet-dashboard
rake RAILS_ENV=production db:migrate
5. Copy the example puppet virtual host config to /etc/httpd/conf.d/
cp /usr/share/puppet-dashboard/ext/passenger/dashboard-vhost.conf /etc/httpd/conf.d/puppet-dashboard.conf
6. Remove the ssl.conf file from the /etc/httpd/conf.d/ directory. Note: mod_ssl.so is loaded by the custom puppet-dashboard.conf virtual host file instead.
rm -f /etc/httpd/conf.d/ssl.conf
7. Configure the puppet-dashboard virtual host file. Note that the example config below enables SSLv3 (SSLProtocol) and RC4 (SSLCipherSuite); both have since been deprecated (RFC 7568, RFC 7465), so on a current build restrict SSLProtocol to TLS versions and exclude RC4 from the cipher suite.
vim /etc/httpd/conf.d/puppet-dashboard.conf
# you may want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RailsAutoDetect On
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /usr/share/puppet-dashboard/certs/dashboard.cert.pem
SSLCertificateKeyFile /usr/share/puppet-dashboard/certs/dashboard.private_key.pem
SSLCACertificateFile /usr/share/puppet-dashboard/certs/dashboard.ca_cert.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /usr/share/puppet-dashboard/certs/dashboard.ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
ServerName ukcrlcscin0010.tcl-oob.net
DocumentRoot /usr/share/puppet-dashboard/public/
<Directory /usr/share/puppet-dashboard/public/>
Options None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/httpd/puppet-dashboard-net_error.log
LogLevel warn
CustomLog /var/log/httpd/puppet-dashboard-net_access.log combined
ServerSignature On
<Location / >
Order deny,allow
Allow from ALL
# Enable this to require client-side certificates for Dashboard connections
#SSLVerifyClient require
</Location>
</VirtualHost>
8. Ensure the following log files exist
touch /var/log/httpd/ukcrlcscin0010.tcl-oob.net_access.log
touch /var/log/httpd/ukcrlcscin0010.tcl-oob.net_error.log
touch /usr/share/puppet-dashboard/log/production.log
chmod 0666 /usr/share/puppet-dashboard/log/production.log
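The SSLProtocol and SSLCipherSuite lines in the step 7 vhost are worth checking on any host that still carries this config. The following is an added example (not from the page, not Puppet's or Apache's own code) that applies Apache's SSLProtocol token rules to the page's directive and to a hardened replacement, and reports the protocols and ciphers that have since been deprecated. PROTOCOLS is my assumed expansion of the ALL keyword (older Apache builds support fewer); the hardened strings are suggestions, and the cipher check only looks at explicit tokens.

```ruby
# Assumed expansion of Apache's ALL keyword; real builds may support fewer.
PROTOCOLS  = %w[SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3].freeze
DEPRECATED = %w[SSLv2 SSLv3 TLSv1 TLSv1.1].freeze # RFC 6176, 7568, 8996

PAGE_SSLPROTOCOL     = '-ALL +SSLv3 +TLSv1'                      # from the step 7 vhost
HARDENED_SSLPROTOCOL = 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'       # suggested replacement
PAGE_CIPHERSUITE     = 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP' # from the vhost
HARDENED_CIPHERSUITE = 'HIGH:!aNULL:!RC4:!MD5'                   # suggested replacement

# Apache token semantics: a bare name assigns the set, '+' adds, '-' removes,
# and 'all' expands to every supported protocol. Returns the enabled names
# in PROTOCOLS order.
def enabled_protocols(directive_value)
  enabled = []
  directive_value.split.each do |token|
    sign = token.start_with?('+', '-') ? token[0] : nil
    name = sign ? token[1..-1] : token
    names = name.casecmp?('all') ? PROTOCOLS : [name]
    enabled = case sign
              when '+' then enabled | names
              when '-' then enabled - names
              else names.dup
              end
  end
  PROTOCOLS & enabled
end

def weak_protocols(directive_value)
  enabled_protocols(directive_value) & DEPRECATED
end

# Only explicit tokens are inspected: RC4 counts when it appears without a
# '!' or '-' prefix. Aliases such as ALL can still pull RC4 in on old OpenSSL,
# which is why the hardened string excludes it by name.
def rc4_enabled?(cipher_string)
  cipher_string.split(':').any? { |tok| tok.include?('RC4') && !tok.start_with?('!', '-') }
end

# Findings for one vhost's SSLProtocol / SSLCipherSuite pair.
def vhost_tls_findings(protocol_value, cipher_value)
  findings = weak_protocols(protocol_value).map { |p| "#{p} is enabled" }
  findings << 'RC4 is enabled' if rc4_enabled?(cipher_value)
  findings
end

if $PROGRAM_NAME == __FILE__
  puts "page vhost:     #{vhost_tls_findings(PAGE_SSLPROTOCOL, PAGE_CIPHERSUITE).inspect}"
  puts "hardened vhost: #{vhost_tls_findings(HARDENED_SSLPROTOCOL, HARDENED_CIPHERSUITE).inspect}"
end
```

Run it directly to see the page's directive reported as enabling SSLv3, TLSv1 and RC4, while the hardened pair reports nothing; paste your own vhost's values into the two constants to check a live host.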
9. Create the puppet-dashboard SSL certs for https access
• On the puppet-dashboard server run:
$ sudo -u puppet-dashboard rake cert:create_key_pair
$ sudo -u puppet-dashboard rake cert:request
• On the puppet master, sign the certs
puppet cert sign dashboard
• On the puppet-dashboard, retrieve the SSL certs
$ sudo -u puppet-dashboard rake cert:retrieve
10. Copy the following script to the puppet dashboard server and all the puppet masters
Create /usr/lib/ruby/site_ruby/1.8/puppet/reports/https.rb with the following code
require 'puppet'
require 'net/http'
require 'net/https'
require 'uri'

Puppet::Reports.register_report(:https) do
  desc <<-DESC
  Send report information via HTTPS to the `reporturl`. Each host sends
  its report as a YAML dump and this sends this YAML to a client via HTTPS POST.
  The YAML is the `report` parameter of the request.
  DESC

  def process
    url = URI.parse(Puppet[:reporturl].to_s)
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    # VERIFY_NONE skips checking the dashboard's certificate, so the report is
    # sent to whatever answers at reporturl; the master-to-dashboard path must be trusted.
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    req = Net::HTTP::Post.new(url.path)
    req.body = self.to_yaml
    req.content_type = "application/x-yaml"
    http.start do |conn|
      response = conn.request(req)
      unless response.code == "200"
        Puppet.err "Unable to submit report to #{Puppet[:reporturl].to_s} [#{response.code}] #{response.msg}"
      end
    end
  end
end
• Remove the following file from the puppet dashboard and the puppet masters:
/usr/lib/ruby/site_ruby/1.8/puppet/reports/http.rb
rm -f /usr/lib/ruby/site_ruby/1.8/puppet/reports/http.rb
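The processor above posts each report with verify_mode = VERIFY_NONE, so the master never checks that the host at reporturl is really the dashboard. Here is an added example (not the page's https.rb and not Puppet's own code) of the same POST with the server certificate verified against an explicit trust store. It runs offline: a constructed self-signed certificate and a small TLS stub on 127.0.0.1 stand in for the dashboard's /reports/upload, and a second client whose store holds an unrelated certificate shows the handshake being refused before any report bytes are sent. The helper names, the report hash and the certificates are all constructed for this example; on a real master the store would be filled from Puppet[:localcacert].

```ruby
require 'net/http'
require 'openssl'
require 'socket'
require 'yaml'

# Same client as the page's https.rb, but with the dashboard's certificate
# verified against a caller-supplied OpenSSL::X509::Store (on a master:
# store.add_file(Puppet[:localcacert])). Assumption for this example.
def build_report_client(url, cert_store)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # the page's processor uses VERIFY_NONE
  http.cert_store = cert_store
  http
end

# POST the report as YAML. Returns the HTTP status code, or :tls_verify_failed
# when the server certificate does not chain to the store (handshake aborted,
# no report bytes leave the master).
def submit_report(http, path, report_hash)
  req = Net::HTTP::Post.new(path)
  req.body = report_hash.to_yaml
  req.content_type = 'application/x-yaml'
  http.start { |conn| conn.request(req) }.code
rescue OpenSSL::SSL::SSLError
  :tls_verify_failed
end

# Constructed self-signed certificate standing in for the dashboard's cert.
def make_self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn},IP:127.0.0.1"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Minimal stand-in for /reports/upload on 127.0.0.1: answers 200 only when the
# body parses (with safe_load, never load) to a hash. A client that rejects
# the certificate aborts the handshake before any request line is read.
def start_upload_stub(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = ssl.accept
      rescue OpenSSL::SSL::SSLError
        next  # client refused our certificate
      rescue IOError, SystemCallError
        break # listener closed by run_demo
      end
      begin
        request_line = conn.gets.to_s
        length = 0
        while (line = conn.gets) && line != "\r\n"
          length = line.split(':', 2)[1].to_i if line =~ /\AContent-Length:/i
        end
        body = conn.read(length).to_s
        ok = request_line.start_with?('POST /reports/upload') && YAML.safe_load(body).is_a?(Hash)
        conn.write("HTTP/1.1 #{ok ? '200 OK' : '400 Bad Request'}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
      rescue StandardError
        nil
      ensure
        conn.close
      end
    end
  end
  [tcp.addr[1], tcp, thread]
end

# Both cases: a client trusting the stub's certificate, and one whose store
# holds an unrelated certificate, which must fail verification.
def run_demo
  key, cert = make_self_signed_cert('localhost')
  port, listener, thread = start_upload_stub(key, cert)
  url = "https://127.0.0.1:#{port}/reports/upload"
  report = { 'host' => 'node1.example.net', 'status' => 'changed' } # constructed report
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(cert)
  wrong = OpenSSL::X509::Store.new
  wrong.add_cert(make_self_signed_cert('other.example.net')[1])
  result = {
    trusted:   submit_report(build_report_client(url, trusted), '/reports/upload', report),
    untrusted: submit_report(build_report_client(url, wrong), '/reports/upload', report)
  }
  listener.close
  thread.join(5)
  result
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

Running it prints {:trusted=>"200", :untrusted=>:tls_verify_failed}. To adapt this to a master, keep build_report_client and submit_report, drop the stub, and load the store from the Puppet CA certificate the dashboard's cert was signed with in step 9.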
11. Enable puppet-dashboard reports for each puppet master in the environment
Add to each puppet master in the puppet environment in /etc/puppet/puppet.conf:
[master]
reports = store, https, puppet_dashboard
reporturl = https://<puppet-dashboard-server>/reports/upload
12. Create the reports directories on each puppet master
mkdir -p $(puppet master --configprint libdir)/puppet/reports
13. Copy the puppet_dashboard.rb files to each of the puppet masters
Note: To find out where to scp the files to on your puppet master, run the following command on your puppet master:
$ puppet master --configprint libdir
> /var/lib/puppet/lib
The scp command needs to be run on your puppet-dashboard server
scp /usr/share/puppet-dashboard/ext/puppet/puppet_dashboard.rb root@puppet:/var/lib/puppet/lib/puppet_dashboard.rb
Replace the puppet host name in the scp target (root@puppet:) with your puppet master's host name.
14. Update the puppet_dashboard.rb file on each puppet master
Run on your puppet server and update the parameters HOST and PORT
vim /var/lib/puppet/lib/puppet_dashboard.rb
HOST = '<puppet-dashboard-server>'
PORT = 443
15. Edit the auth.conf file on each puppet master so inventory can pick up facts.
Make sure the following is set on each puppet master.
path /facts
method find
auth any
allow *
path /inventory
auth any
method search, find
allow dashboard
# deny everything else; this one is not strictly necessary, but it has the merit of showing the default policy, which is deny everything else
path /
auth any
Note: The config for /facts and /inventory must go above the config for `path /` - otherwise you may get an access forbidden 404 error message when running the inventory service on puppet-dashboard.
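As an added example (not Puppet's own auth.conf code), here is a small parser and first-match resolver for the stanzas above, with a review check. It shows why the ordering in the note matters: Puppet takes the first stanza whose path is a prefix of the request path, so a leading path / (which has no allow line) swallows /inventory and /facts requests. The findings also flag the /facts stanza's allow * with auth any, which admits any client name whether or not it presents a certificate; that is my review note, not something the page says, and whether to narrow it to the dashboard host is your call. The two inputs are constructed from the page's stanzas; regex paths (starting with ~) are not handled.

```ruby
# Constructed input: the three stanzas from step 15, in the page's order.
PAGE_AUTH_CONF = <<~CONF
  path /facts
  method find
  auth any
  allow *
  path /inventory
  auth any
  method search, find
  allow dashboard
  # deny everything else
  path /
  auth any
CONF

# The same stanzas with 'path /' first: the misordering the note warns about.
SHADOWED_AUTH_CONF = <<~CONF
  path /
  auth any
  path /facts
  method find
  auth any
  allow *
  path /inventory
  auth any
  method search, find
  allow dashboard
CONF

# Parse into an ordered list of { 'path' => ..., 'auth' => ..., ... } hashes.
# Assumes plain prefix paths and one directive per line; '#' starts a comment.
def parse_auth_conf(text)
  stanzas = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    if key == 'path'
      stanzas << { 'path' => value }
    elsif stanzas.last
      stanzas.last[key] = value
    end
  end
  stanzas
end

# Puppet evaluates stanzas in file order and takes the first whose path is a
# prefix of the request path. Returns that stanza, or nil.
def match_stanza(stanzas, request_path)
  stanzas.find { |s| request_path.start_with?(s['path']) }
end

# Decide a request against the matched stanza: no 'allow' line means deny
# (which is what the trailing 'path /' relies on); a missing 'method' line
# covers every method; 'allow *' admits any client name.
def allowed?(stanzas, request_path, client_name, action)
  s = match_stanza(stanzas, request_path)
  return false unless s && s['allow']
  actions = (s['method'] || 'find, search, save, destroy').split(/,\s*/)
  return false unless actions.include?(action)
  s['allow'].split(/,\s*/).any? { |name| name == '*' || name == client_name }
end

# Review findings: inventory stanzas shadowed by 'path /' or missing, and
# stanzas that admit any client without a certificate.
def auth_conf_findings(stanzas)
  findings = []
  catch_all = stanzas.index { |s| s['path'] == '/' }
  %w[/facts /inventory].each do |p|
    i = stanzas.index { |s| s['path'] == p }
    if i.nil?
      findings << "#{p}: no stanza"
    elsif catch_all && i > catch_all
      findings << "#{p}: shadowed by 'path /', move it above"
    end
  end
  stanzas.each do |s|
    next unless s['path'] != '/' && s['auth'] == 'any' && s['allow'] == '*'
    findings << "#{s['path']}: allow * with auth any admits any client, certificate or not"
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  [PAGE_AUTH_CONF, SHADOWED_AUTH_CONF].each do |conf|
    stanzas = parse_auth_conf(conf)
    puts "/inventory/node1 as dashboard -> #{allowed?(stanzas, '/inventory/node1', 'dashboard', 'search')}"
    puts "findings: #{auth_conf_findings(stanzas).inspect}"
  end
end
```

With the page's order the dashboard's inventory search is allowed; with path / first the same request is denied, which is the forbidden error the note describes.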
16. Restart apache on puppet masters
service httpd restart
17. On the puppet dashboard server, turn on and configure the inventory service and cutoff time
vi /usr/share/puppet-dashboard/config/settings.yml
# The "inventory service" allows you to connect to a puppet master to retrieve node facts
enable_inventory_service: true
# Hostname of the inventory server.
inventory_server: 'puppet'
# Port for the inventory server.
inventory_port: 8140
# Amount of time in seconds since last report before a node is considered no longer reporting
no_longer_reporting_cutoff: 43200
18. Add the puppet-dashboard delayed_job script to rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
cd /usr/share/puppet-dashboard
sudo -u puppet-dashboard env RAILS_ENV=production script/delayed_job -p dashboard -n 4 -m start
19. Configure IP tables
iptables -I INPUT 5 -s 10.33.22.0/24 -m tcp -p tcp --dport 8140 -j ACCEPT
iptables -I INPUT 6 -s 10.33.22.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 7 -s 10.33.22.0/24 -m tcp -p tcp --dport 443 -j ACCEPT
iptables -I INPUT 8 -s 10.33.22.0/24 -m tcp -p tcp --dport 3306 -j ACCEPT
service iptables save
service iptables restart
iptables -L
20. Start apache and connect to the dashboard URL
service httpd start
Check the apache service has started and the webserver is listening on port 80 and 443.
21. Start the delayed_job script
cd /usr/share/puppet-dashboard
sudo -u puppet-dashboard env RAILS_ENV=production script/delayed_job -p dashboard -n 4 -m start
Connect to the puppet-dashboard web UI. Run puppet agent --test on the puppet-dashboard host and you should see the puppet nodes reporting in to the dashboard.
Hi Oliver,
This was useful. Thanks for the blog.