===============================
CentOS 6.4: puppet installation
===============================

:Title: CentOS 6.4: puppet installation
:Author: Douglas O'Leary
:Description: How to quickly/efficiently install puppet on centos6
:Disclaimer: Standard: Use the information that follows at your own risk. If you screw up a system, don't blame it on me...

Overview:
=========

Most of the info required to create the checklist below came from James Turnbull's *Pro Puppet*. Two other good links are Toki Winter's site_ and one from 6tech_.

.. _site: http://www.tokiwinter.com/running-puppet-master-under-apache-and-passenger/
.. _6tech: http://www.6tech.org/2013/01/how-to-install-puppet-open-source-on-centos-6-3/

This is going to be a work in progress, as there are at least two things to which I still want to find answers. Unfortunately, if this goes the way of my normal studying, I'll end up having to leave it for a few weeks/months, during which time I'll have forgotten everything...

The primary point of this checklist is to kick out a *production ready* puppet installation as quickly as possible.

Also note: as of this writing, this installs a puppet ver 2.6 implementation. I'm currently looking into upgrading that to ver 3.X.

Steps:
======

SELinux seems to be getting in the way. I have done some initial searching on puppet/SELinux interaction but didn't get very far. There were a couple of URLs that showed how to create an SELinux module; but one of them was dated and, of course, I didn't record the URL of the second. One thing that I just found that seems like it'll be particularly useful is http://linux.die.net/man/8/puppet_selinux. That page references two SELinux booleans::

    # getsebool -a | grep -i puppet
    puppet_manage_all_files --> off
    puppetmaster_use_db --> off

That won't help with access to port 8140, though.

So, in the meantime:

* Set SELinux to permissive mode. Either of the following works; the first takes effect immediately, the second survives a reboot. Permissive mode still logs every denial but no longer enforces anything, so treat it as a stopgap while the real policy fix is worked out:

  * ``echo '0' > /selinux/enforce``
  * *SELINUX=permissive* in */etc/selinux/config*

  When I started this up in my real network, I was still getting tons of ``avc: denied`` messages. Something else on the to-do list: learn SELinux. Setting the SELinux booleans *puppet_manage_all_files* and *allow_ypbind* **seems** to have gotten rid of most of them. Running the messages through ``audit2allow`` resulted in::

      # grep ruby /var/log/messages | audit2allow -m ruby
      module ruby 1.0;
      [[snip]]
      #!!!! This avc can be allowed using the boolean 'allow_ypbind'
      allow passenger_t self:tcp_socket listen;

* Update DNS and hosts; use FQDNs by default. Puppet issues each node's certificate for its FQDN (the ``certname``), so the names in DNS, */etc/hosts* and the certificates need to agree.

* Update the firewall; ensure 8140 is allowed::

    # iptables -L -n | grep -i 8140
    ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:8140

  The rule above accepts from anywhere; if the master is reachable from networks that don't hold agents, restrict the source to the agent subnets.

* Install EPEL on all nodes: ``rpm -ivh http://mirror.symnds.com/distributions/fedora-epel/6/i386/epel-release-6-8.noarch.rpm``

* Install apache and passenger:

  * ``yum -y install httpd mod_ssl rubygem-passenger mod_passenger``
  * */etc/httpd/conf.d/passenger.conf*; update hostnames, directories and file locations as needed/appropriate::

        LoadModule passenger_module modules/mod_passenger.so
        PassengerRoot /usr/share/rubygems/gems/passenger-3.0.21
        PassengerRuby /usr/bin/ruby
        PassengerHighPerformance on
        PassengerUseGlobalQueue on
        PassengerMaxPoolSize 6
        PassengerMaxRequests 4000
        PassengerPoolIdleTime 1800

        ### Puppet config
        Listen 8140
        <VirtualHost *:8140>
            SSLEngine on
            SSLProtocol -ALL +SSLv3 +TLSv1
            SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
            SSLCertificateFile /var/lib/puppet/ssl/certs/vmhost.olearycomputers.com.pem
            SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/vmhost.olearycomputers.com.pem
            SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
            SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
            ## Disable following if apache complains about CRL
            ## (without it, certs revoked with 'puppet cert --revoke' are still accepted)
            SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
            ### Optional to allow CSR requests; required if certs get distributed
            ### to clients during provisioning
            SSLVerifyClient optional
            SSLVerifyDepth 1
            SSLOptions +StdEnvVars

            ### Client headers record authentication info for downstream workers
            RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
            RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
            RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

            RackAutoDetect On
            DocumentRoot /etc/puppet/rack/puppetmaster/public/
            <Directory /etc/puppet/rack/puppetmaster/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
            </Directory>
        </VirtualHost>

    Two caveats on the SSL section. First, the ``SSLProtocol`` and ``SSLCipherSuite`` lines are as the checklist shipped them; SSLv3 (POODLE) and RC4 are both broken now, so on a current system use ``SSLProtocol all -SSLv2 -SSLv3`` and drop RC4 from the cipher list. Second, ``SSLVerifyClient optional`` is what lets a brand new agent submit its CSR over the same port before it has a certificate, and the ``X-Client-DN``/``X-Client-Verify`` request headers are how the puppet master behind passenger learns whether a given request came from an authenticated agent; don't remove them.

  * ``mkdir -p -m 755 /etc/puppet/rack/puppetmaster/{public,tmp}``
  * */etc/puppet/rack/puppetmaster/config.ru*::

        $0 = "master"
        # enable debugging
        # ARGV << "--debug"
        # Standard:
        ARGV << "--rack"
        require 'puppet/application/master'
        run Puppet::Application[:master].run
        # EOF

  * ``chkconfig httpd on`` (**but DO NOT start it yet**). Apache will refuse to start until the certificate files named in *passenger.conf* exist, and those are created the first time the puppet master itself runs.

* Install puppet master:

  * ``yum -y install ruby ruby-libs ruby-shadow puppet puppet-server facter``
  * ``chown -R puppet:puppet /etc/puppet/rack/puppetmaster/``

* Install puppet clients: ``yum -y install ruby ruby-libs ruby-shadow puppet facter``

* Run the puppet master in no-daemonize mode for the initial client signatures and to verify everything's functional: ``puppet master --verbose --no-daemonize``. This first run creates the CA and the master's own certificate under */var/lib/puppet/ssl*, which is what the apache config above points at.

* If reinstalling clients, particularly if you're moving the puppet master, delete the existing SSL keys on the clients (``${short_name}`` being the client's short hostname)::

    # find /var/lib/puppet/ssl -name \*${short_name}\* -print | xargs -i rm {}

* In another window, on a client system, run the client::

    # puppet agent --no-daemonize --verbose --server=vmhost.olearycomputers.com
    dnsdomainname: Unknown host
    info: Creating a new SSL key for vm1.olearycomputers.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for vm1.olearycomputers.com
    info: Certificate Request fingerprint (md5): 91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3

  The ``dnsdomainname: Unknown host`` line means that client could not resolve its own name; that is the DNS/hosts step above not being done on it yet.

* Back on the puppet master, list the pending requests and sign the one for the client. Compare the fingerprint shown here with the one the agent printed (they match above) before signing; this is the only point at which you confirm you are signing the host you think you are::

    # puppet cert --list
      "vm1.olearycomputers.com" (91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3)
    # puppet cert --sign vm1.olearycomputers.com
    notice: Signed certificate request for vm1.olearycomputers.com
    notice: Removing file Puppet::SSL::CertificateRequest vm1.olearycomputers.com at '/var/lib/puppet/ssl/ca/requests/vm1.olearycomputers.com.pem'

* Update the puppet master configuration files:

  * */etc/puppet/manifests/{site.pp, nodes.pp}*
  * Appropriate modules under */etc/puppet/modules*

* When everything checks out, stop the foreground ``puppet master`` (it holds port 8140, which apache needs) and turn on the relevant services. Check for errors in the appropriate log files:

  * puppet master::

      # chkconfig --list | grep -e puppet -e httpd
      httpd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
      puppet          0:off 1:off 2:on  3:on  4:on  5:on  6:off
      puppetmaster    0:off 1:off 2:off 3:off 4:off 5:off 6:off

    Note that the ``puppetmaster`` service stays off: apache/passenger serves the master, so the standalone daemon must not also be started on 8140.

  * puppet clients::

      # chkconfig --list puppet
      puppet          0:off 1:off 2:on  3:on  4:on  5:on  6:off

* ``passenger-status`` is the other thing I need to investigate; it currently fails with::

    # /usr/share/rubygems/gems/passenger-3.0.21/bin/passenger-status
    /usr/lib/ruby/site_ruby/1.8/rubygems.rb:779:in `report_activate_error': Could not find RubyGem passenger (>= 0) (Gem::LoadError)
        from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:214:in `activate'
        from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:1082:in `gem'
        from /usr/share/rubygems/gems/passenger-3.0.21/bin/passenger-status:18

Summary:
========

So, those steps should get you a puppet master using apache and passenger which, according to *Pro Puppet*, should be good for up to 2,000 nodes. It'll also get you a couple of clients which can be puppet managed.
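As an added check for the certificate-signing step in the steps above (example code written for this page, not part of the original checklist and not Puppet's own tooling): before running ``puppet cert --sign``, compare the CSR fingerprint the agent printed with the one the master lists. The sample agent line and list output are constructed from the output shown on this page; the second host in the list is made up to exercise the mismatch path.

```shell
#!/bin/sh
# Added example, not from the original checklist: verify that the CSR the
# master is about to sign is the one the agent generated.  Sample inputs
# below are constructed from this page's output (vm2 is invented).

# Pull the hex fingerprint out of an agent's
#   "info: Certificate Request fingerprint (md5): AA:BB:..." line.
agent_fingerprint() {
    printf '%s\n' "$1" |
        sed -n 's/.*fingerprint ([a-z0-9]*): *\([0-9A-Fa-f:]*\).*/\1/p' |
        tr 'a-f' 'A-F'
}

# Pull the fingerprint for one hostname out of `puppet cert --list` output,
# whose lines look like:   "host.example.com" (AA:BB:...)
master_fingerprint() {
    host="$1"
    list="$2"
    printf '%s\n' "$list" |
        awk -v h="\"$host\"" '$1 == h { gsub(/[()]/, "", $2); print toupper($2) }'
}

# Exit 0 only when both fingerprints were found and are identical.
csr_matches() {
    host="$1"; agent_line="$2"; list="$3"
    a=$(agent_fingerprint "$agent_line")
    m=$(master_fingerprint "$host" "$list")
    [ -n "$a" ] && [ "$a" = "$m" ]
}

# Constructed sample input (copied from the page; vm2 line is invented).
AGENT_LINE='info: Certificate Request fingerprint (md5): 91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3'
MASTER_LIST='  "vm1.olearycomputers.com" (91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3)
  "vm2.olearycomputers.com" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'

# Usage: only hand out the sign command when the fingerprints agree.
if csr_matches vm1.olearycomputers.com "$AGENT_LINE" "$MASTER_LIST"; then
    echo "fingerprint verified; run: puppet cert --sign vm1.olearycomputers.com"
else
    echo "fingerprint mismatch or no pending request; do NOT sign" >&2
fi
```

The agent side of the comparison has to come from the console of the machine being enrolled (or its provisioning log), not from the master; the whole point is that the two values were obtained independently.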
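As an added check for the *passenger.conf* step above (example code written for this page, not from the original checklist, Apache or Puppet): a small audit that scans a vhost file for the TLS settings a puppet master should not be running with. Both sample files it writes are constructed here; the "weak" one mirrors the SSL lines of the page's *passenger.conf* with the client-verification, CRL and header lines left out so every finding fires, and the "hardened" one is the suggested replacement.

```shell
#!/bin/sh
# Added example, not from the original checklist: flag weak or missing TLS
# settings in an Apache/Passenger vhost used as a puppet master.  Prints one
# finding per line and returns 1 if anything was found, 0 otherwise.

audit_ssl_conf() {
    conf="$1"
    rc=0
    # SSLv3 has no secure configuration (POODLE); allow TLS only.
    if grep -Eq '^[[:space:]]*SSLProtocol.*\+SSLv3' "$conf"; then
        echo "$conf: SSLProtocol enables SSLv3; use 'SSLProtocol all -SSLv2 -SSLv3'"
        rc=1
    fi
    # RC4 offered anywhere in the suite other than as an exclusion (!RC4 / -RC4).
    if grep -Eq '^[[:space:]]*SSLCipherSuite.*[^!-]RC4' "$conf"; then
        echo "$conf: SSLCipherSuite offers RC4; append ':!RC4'"
        rc=1
    fi
    # Agents authenticate with their client certificate; apache must ask for it.
    if ! grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+(optional|require)' "$conf"; then
        echo "$conf: SSLVerifyClient missing; agents cannot present certificates"
        rc=1
    fi
    # Without the CRL a cert revoked with 'puppet cert --revoke' keeps working.
    if ! grep -Eq '^[[:space:]]*SSLCARevocationFile' "$conf"; then
        echo "$conf: no SSLCARevocationFile; revoked agent certs stay valid"
        rc=1
    fi
    # The puppet master behind passenger learns the verify result from this header.
    if ! grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X-Client-Verify' "$conf"; then
        echo "$conf: X-Client-Verify header not set; master cannot tell authenticated agents apart"
        rc=1
    fi
    return $rc
}

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)

# Constructed: the page's SSL lines, minus verification/CRL/header lines.
cat > "$WEAK_CONF" <<'EOF'
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    SSLCertificateFile /var/lib/puppet/ssl/certs/vmhost.olearycomputers.com.pem
</VirtualHost>
EOF

# Constructed: the same vhost with the settings this audit expects.
cat > "$HARD_CONF" <<'EOF'
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile /var/lib/puppet/ssl/certs/vmhost.olearycomputers.com.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
EOF

# Usage: a non-zero exit means at least one finding was printed above it.
audit_ssl_conf "$WEAK_CONF" || echo "weak config: review the findings above"
audit_ssl_conf "$HARD_CONF" && echo "hardened config: no findings"
```

Run it against */etc/httpd/conf.d/passenger.conf* before ``service httpd start``; the ``SSLProtocol`` replacement it suggests assumes an Apache/OpenSSL build that supports TLS 1.1 and 1.2, which stock CentOS 6 gained through later updates.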