Wednesday, January 23, 2013

Installing a puppet master and ca server



Here are my install notes on how I set up my Puppet master. Note that with EPEL 6-8, Passenger is available via yum (rubygem-passenger and mod_passenger), which is a much cleaner way to install it than pulling it in with RubyGems, since the packages then stay under yum's control.

1. Install the EPEL and Puppet Labs repos

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-6.noarch.rpm


2. Install the required packages

yum install puppet-server puppet sudo mod_ssl rubygem-passenger mod_passenger policycoreutils-python vim rsync -y

3. Create the Puppet CA and the master's own certificate

puppet master --no-daemonize --verbose

On first run this generates the CA key and certificate, plus a certificate for the master signed by that CA, under /var/lib/puppet/ssl. Press Ctrl+C to stop the foreground master once you see the following message:

Notice: Starting Puppet master version 3.x.x

4. Copy the example puppet virtual host config to /etc/httpd/conf.d/

cp /usr/share/puppet/ext/rack/files/apache2.conf /etc/httpd/conf.d/puppet-master.conf


5. Edit the puppet-master.conf file and update it for your host

The certificate file names below must match the master's certname (puppet-server.com is a placeholder for whatever name puppet master generated in step 3). Two cautions on the shipped example: the SSLProtocol and SSLCipherSuite lines still allow SSLv3 and RC4, both of which are now considered broken and should be dropped from any new deployment, and SSLVerifyClient must stay optional, because an agent's very first request is a CSR submission made before it holds a certificate at all.

# you probably want to tune these settings

PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500

PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>

        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
        SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet-server.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet-server.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem

        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.

        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth  1

        # The `ExportCertData` option is needed for agent certificate expiration warnings

        SSLOptions +StdEnvVars +ExportCertData

        # Unset X-Forwarded-For unless a trusted proxy in front of this vhost sets it.
        # Puppet's Rack handler takes the agent identity from X-Client-DN and
        # X-Client-Verify, so Apache must always set them itself: "RequestHeader set"
        # overwrites anything the client sent, which is what prevents spoofing.
        RequestHeader unset X-Forwarded-For
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmaster/public/
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmaster/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
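As an added example (this is not code from the original post, nor from Puppet Labs), the following POSIX shell script audits a puppet-master.conf for the weak settings in the vhost above and writes a hardened copy. It assumes the Apache 2.2 + mod_ssl setup installed in step 2; the hardened SSLProtocol and SSLCipherSuite values are my choice, and the sample vhost written by write_sample_vhost is constructed from the TLS-relevant lines above rather than copied from any real deployment.

```sh
#!/bin/sh
# Added example, not from the original post: audit a puppet-master.conf for
# the weak TLS settings in the 2013 example vhost (SSLv3, RC4, no cipher
# ordering), check the client-cert plumbing Puppet's Rack handler relies on,
# and write a hardened copy. Assumes Apache 2.2 + mod_ssl on EL6 as installed
# above; the sample vhost and paths are constructed for this example.

# Hardened replacement values (my choice, not from the post). Apache 2.2 on
# EL6 accepts them; TLS 1.1/1.2 need the RHEL 6.5+ httpd/OpenSSL backport.
HARD_PROTOCOL='SSLProtocol all -SSLv2 -SSLv3'
HARD_CIPHERS='SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK'
HARD_HONOR='SSLHonorCipherOrder on'

# directive FILE NAME: value(s) of an uncommented directive, one per line.
directive() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" |
        sed 's/^[[:space:]]*[^[:space:]][^[:space:]]*[[:space:]]*//'
}

# audit_vhost FILE: print one finding per line; return 0 only when clean.
audit_vhost() {
    conf=$1; rc=0
    proto=$(directive "$conf" SSLProtocol)
    ciphers=$(directive "$conf" SSLCipherSuite)
    verify=$(directive "$conf" SSLVerifyClient)
    # SSLv3 is on if named with +, if "all" is used without -SSLv3, or if the
    # directive is missing (the Apache 2.2 default is "all").
    case " $proto " in
        "  ") echo "WEAK: no SSLProtocol; default 'all' enables SSLv3"; rc=1 ;;
        *" +SSLv3 "*|*" SSLv3 "*) echo "WEAK: SSLv3 enabled in SSLProtocol"; rc=1 ;;
        *" -"[Aa][Ll][Ll]" "*) ;;   # everything off, only explicit + entries on
        *[Aa][Ll][Ll]*) case "$proto" in *-SSLv3*) ;;
            *) echo "WEAK: SSLProtocol 'all' without -SSLv3"; rc=1 ;; esac ;;
    esac
    # RC4: only a permanent !RC4 exclusion counts. RC4 named positively, or a
    # group that contains it on OpenSSL 1.0 (ALL/DEFAULT/HIGH/MEDIUM), is weak.
    rc4=0; old_ifs=$IFS; IFS=:
    for tok in $ciphers; do
        case "$tok" in
            '!'*RC4*) rc4=0; break ;;
            *RC4*|ALL|DEFAULT|HIGH|MEDIUM|COMPLEMENTOFDEFAULT) rc4=1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$rc4" -eq 0 ] || { echo "WEAK: RC4 cipher suites allowed"; rc=1; }
    [ -n "$(directive "$conf" SSLHonorCipherOrder)" ] ||
        { echo "WEAK: SSLHonorCipherOrder not set; the client picks the cipher"; rc=1; }
    # Puppet needs 'optional': 'require' breaks first-time CSR submission and
    # 'none' never yields SSL_CLIENT_VERIFY=SUCCESS, so no agent authenticates.
    [ "$verify" = optional ] ||
        { echo "CHECK: SSLVerifyClient is '${verify:-unset}', Puppet needs 'optional'"; rc=1; }
    # The Rack handler trusts X-Client-Verify/X-Client-DN, so Apache must set
    # them itself; otherwise an agent-supplied header would pass straight through.
    grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X-Client-Verify[[:space:]]' "$conf" ||
        { echo "WEAK: X-Client-Verify not set by Apache; an agent could spoof it"; rc=1; }
    return $rc
}

# harden_vhost IN OUT: copy IN to OUT with the hardened SSLProtocol and
# SSLCipherSuite lines and SSLHonorCipherOrder added after the cipher line.
harden_vhost() {
    awk -v proto="$HARD_PROTOCOL" -v ciphers="$HARD_CIPHERS" -v honor="$HARD_HONOR" '
        function indent() { match($0, /^[ \t]*/); return substr($0, 1, RLENGTH) }
        /^[ \t]*SSLProtocol[ \t]/         { print indent() proto; next }
        /^[ \t]*SSLCipherSuite[ \t]/      { print indent() ciphers; print indent() honor; next }
        /^[ \t]*SSLHonorCipherOrder[ \t]/ { next }   # drop any old copy
        { print }
    ' "$1" > "$2"
}

# write_sample_vhost FILE: the TLS-relevant lines of the example vhost above,
# constructed as test input (not copied from any real deployment).
write_sample_vhost() {
    cat > "$1" <<'EOF'
Listen 8140
<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
        SSLVerifyClient optional
        RequestHeader unset X-Forwarded-For
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
EOF
}

# Demo on the constructed sample. Run as: sh tls_audit.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    write_sample_vhost "$work/puppet-master.conf"
    echo "== before"; audit_vhost "$work/puppet-master.conf" || true
    harden_vhost "$work/puppet-master.conf" "$work/puppet-master.hardened.conf"
    echo "== after"; audit_vhost "$work/puppet-master.hardened.conf" && echo "clean"
    rm -rf "$work"
fi
```

Run it with the demo argument to see the before/after on the constructed sample, or source it and point audit_vhost and harden_vhost at the real /etc/httpd/conf.d/puppet-master.conf; check the result with httpd -t before restarting Apache. Ruby's OpenSSL bindings on EL5/EL6 agents negotiate TLSv1, so removing SSLv3 does not lock existing agents out.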

6.    Create rack directories

mkdir -p /usr/share/puppet/rack/puppetmaster/{public,tmp}

7.    Copy config.ru rack file to rack web directory

cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmaster/

8. Change ownership of the config.ru rack file to puppet

Passenger runs a Rack application as the user who owns its config.ru, so this is what makes the master process run as the puppet user rather than as apache.

chown puppet:puppet /usr/share/puppet/rack/puppetmaster/config.ru

9. Start httpd on boot and make sure the standalone puppet master does not

Apache/Passenger now answers on 8140, so the puppetmaster service must stay off or the two will fight over the port.

chkconfig httpd on
chkconfig puppetmaster off


10. IPTABLES configuration

This is environment specific: it depends on the bridges (interfaces) you need to give the puppet master so it can reach its various networks. Port 8140 must be open on the master for each interface you have added, restricted to the source network that lives behind that interface. Below is an example taken from the UK Cressex LAB puppet master deployment. All IPTABLES information is covered later in the document under the configured puppet environments section.

Here is the content of /etc/sysconfig/iptables:

# Generated by iptables-save v1.4.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:2304]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.10.10.0/24 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.10.0/24 -i eth0 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.11.0/24 -i eth1 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.12.0/24 -i eth2 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.13.0/24 -i eth3 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.14.0/24 -i eth4 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT


You can add a rule to the running firewall with the example command below. -I INPUT 6 inserts it as rule 6, that is after the existing 8140 rule for eth0 and above the final REJECT; the interface and source network must match the table above (here eth1 and 10.10.11.0/24):

iptables -I INPUT 6 -i eth1 -p tcp -s 10.10.11.0/24 --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT

service iptables save

Alternatively, edit /etc/sysconfig/iptables directly and run service iptables restart. Do not run service iptables save after hand-editing the file: that overwrites your edits with whatever rules are currently loaded in the kernel.
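The rules above are repetitive, and the one place they differ (interface and subnet) is exactly where a copy-and-paste slip opens 8140 to the wrong network. As an added example, not part of the original post, the POSIX shell script below generates the per-interface 8140 rules from a single list of interface/subnet pairs so that -i and -s always agree, and lints a saved ruleset to confirm that every 8140 ACCEPT is scoped to both an interface and a source network and that the INPUT chain ends in a default deny. Unlike the rules above it matches only --state NEW on each port, since the first rule already accepts ESTABLISHED traffic. The interface names and subnets are placeholders in the style of the example above; MGMT_NET and MGMT_IF for SSH are assumed values.

```sh
#!/bin/sh
# Added example, not from the original post: build the per-interface 8140 rules
# from one "iface cidr" list so -i and -s always agree, and lint a ruleset for
# unscoped 8140 ACCEPTs or a missing default deny. Interface names and subnets
# are placeholders in the style of the post's example.

# SSH management network (assumed values; change for your site).
MGMT_NET=10.10.10.0/24
MGMT_IF=eth0

# gen_rules: read "iface cidr" pairs on stdin, write an iptables-restore ruleset.
# Only NEW is matched per port; the RELATED,ESTABLISHED rule covers the rest.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
EOF
    printf '%s\n' "-A INPUT -s $MGMT_NET -i $MGMT_IF -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
    while read -r iface cidr; do
        [ -n "$iface" ] && [ -n "$cidr" ] || continue   # skip blank lines
        printf '%s\n' "-A INPUT -s $cidr -i $iface -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# lint_rules FILE: return 1 if any tcp/8140 ACCEPT lacks -s or -i, or if the
# last INPUT rule is not a REJECT/DROP. Findings go to stdout.
lint_rules() {
    rc=0
    open=$(awk '/^-A INPUT / && /--dport 8140/ && /-j ACCEPT/ && !(/ -s [^ ]+ / && / -i [^ ]+ /)' "$1")
    if [ -n "$open" ]; then
        echo "OPEN: 8140 ACCEPT without both -s and -i:"; echo "$open"; rc=1
    fi
    last=$(grep -e '^-A INPUT ' "$1" | tail -n 1)
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) echo "NO DEFAULT DENY: last INPUT rule is '${last:-none}'"; rc=1 ;;
    esac
    return $rc
}

# Demo: generate a ruleset for three agent networks, lint it, and show that a
# world-open 8140 rule is caught. Run as: sh fw_rules.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    printf '%s\n' 'eth1 10.10.11.0/24' 'eth2 10.10.12.0/24' 'eth3 10.10.13.0/24' |
        gen_rules > "$work/iptables"
    cat "$work/iptables"
    lint_rules "$work/iptables" && echo "lint: clean"
    printf '%s\n' '*filter' '-A INPUT -p tcp -m tcp --dport 8140 -j ACCEPT' 'COMMIT' > "$work/bad"
    lint_rules "$work/bad" || echo "lint: rejected the constructed open ruleset"
    rm -rf "$work"
fi
```

Feed gen_rules your real interface/subnet list, review the output, then install it as /etc/sysconfig/iptables and run service iptables restart; running lint_rules against the installed file afterwards catches the case where someone later adds an unscoped 8140 rule by hand.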

11. Start Apache

service httpd start

12. Check that httpd is running and test connectivity

Browse to the master on port 8140, for example:

https://puppet-server1.tcl-oob.net:8140/

The browser will warn about the certificate, because the Puppet CA created in step 3 is not in its trust store; that is expected here. If everything is working correctly, the page body is Puppet's reply to a request that names no environment:

The environment must be purely alphanumeric, not ''

That message comes from the master itself, so it proves Apache accepted the TLS connection and Passenger dispatched the request to the Rack application.



Hope this helps some people. There are some more blogs I have written concerning how to install puppet DB, puppet dashboard and adding additional puppet masters.
