CentOS 6.4: puppet installation
- Title:
CentOS 6.4: puppet installation
- Author:
Douglas O’Leary <dkoleary@olearycomputers.com>
- Description:
How to quickly/efficiently install puppet on centos6
- Disclaimer:
Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me…
Overview:
Most of the info required to create the checklist below came from James Turnbull’s Pro Puppet
Two other good links are Toki Winter’s site and one from 6tech.
This is going to be a work in progress as there are at least two things to which I want to find answers. Unfortunately, if this goes the way of my normal studying, I’ll end up having to leave this for a few weeks/months during which time I’ll have forgotten everything…
The primary point of this checklist is to kick out a production ready puppet installation as quickly as possible.
Also, note: as of this writing, this installs a puppet ver 2.6 implementation. I’m currently looking into upgrading that to ver 3.X.
Steps:
Selinux seems to be getting in the way. I have done some initial searching on puppet/selinux interaction but didn't get very far. There were a couple of URLs that showed how to create a selinux module; but one of them was dated and, of course, I didn't record the URL of the second.
One thing that I just found that seems like it'll be particularly useful is http://linux.die.net/man/8/puppet_selinux. That page references two selinux booleans:
# getsebool -a | grep -i puppet
puppet_manage_all_files --> off
puppetmaster_use_db --> off
That won't help with access to port 8140, though. So, in the meantime:
Set selinux to permissive mode (one of the two things I still need to find a proper answer for), either at runtime or persistently:
echo '0' > /selinux/enforce
SELINUX=permissive in /etc/selinux/config
When I started this up in my real network, I was still getting tons of avc denied messages. Something else on the to-do list: learn selinux. Setting the selinux booleans puppet_manage_all_files and allow_ypbind seems to have gotten rid of most of them. Running the messages through audit2allow resulted in:
# grep ruby /var/log/messages | audit2allow -m ruby
module ruby 1.0;
[[snip]]
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow passenger_t self:tcp_socket listen;
Update DNS and /etc/hosts; use FQDNs by default.
Update firewall; ensure 8140 is allowed:
# iptables -L -n | grep -i 8140
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8140
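A pre-flight check for the two prerequisites above (the SELinux booleans and tcp/8140 in iptables), written here as an added example that is not part of the original checklist. It parses constructed samples of the getsebool and iptables -L -n output shown above rather than running the commands, so it runs without root; the function names and the samples are my own.

```shell
#!/bin/sh
# Constructed samples in the format of `getsebool -a` and `iptables -L -n` (not from a real host).
SEBOOL_SAMPLE='puppet_manage_all_files --> on
puppetmaster_use_db --> off
allow_ypbind --> off'
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8140
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# sebool_is OUTPUT NAME STATE -> 0 if the getsebool output lists "NAME --> STATE"
sebool_is() {
  printf '%s\n' "$1" | awk -v n="$2" -v s="$3" 'BEGIN { rc = 1 } $1 == n && $3 == s { rc = 0 } END { exit rc }'
}

# port_accepted OUTPUT PORT -> 0 if a tcp ACCEPT rule for dpt:PORT appears before any
# REJECT/DROP rule (first match wins in iptables; only the INPUT chain is expected here).
port_accepted() {
  printf '%s\n' "$1" | awk -v p="dpt:$2" '
    $1 == "REJECT" || $1 == "DROP" { if (!found) blocked = 1 }
    $1 == "ACCEPT" && $2 == "tcp" { for (i = 3; i <= NF; i++) if ($i == p) found = 1 }
    END { exit (found && !blocked) ? 0 : 1 }'
}

# preflight SEBOOL_OUTPUT IPTABLES_OUTPUT -> 0 when all checks pass; prints the fix for each miss
preflight() {
  fail=0
  sebool_is "$1" puppet_manage_all_files on || { echo "run: setsebool -P puppet_manage_all_files on"; fail=1; }
  sebool_is "$1" allow_ypbind on            || { echo "run: setsebool -P allow_ypbind on"; fail=1; }
  port_accepted "$2" 8140                   || { echo "open tcp/8140 in iptables before starting httpd"; fail=1; }
  return $fail
}
```

On a live master, feed it `"$(getsebool -a)" "$(iptables -L INPUT -n)"` instead of the samples.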
Install epel on all nodes:
rpm -ivh http://mirror.symnds.com/distributions/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
Install apache and passenger
yum -y install httpd mod_ssl rubygem-passenger mod_passenger
/etc/httpd/conf.d/passenger.conf. Update hostnames, directories and file locations as needed/appropriate. (The SSLProtocol and SSLCipherSuite lines below reflect the defaults of the time; SSLv3 and RC4 have since been deprecated, so on a current install restrict the server to TLS and drop RC4 from the cipher list.)
LoadModule passenger_module modules/mod_passenger.so
<IfModule mod_passenger.c>
    PassengerRoot /usr/share/rubygems/gems/passenger-3.0.21
    PassengerRuby /usr/bin/ruby
    PassengerHighPerformance on
    PassengerUseGlobalQueue on
    PassengerMaxPoolSize 6
    PassengerMaxRequests 4000
    PassengerPoolIdleTime 1800
</IfModule>

### Puppet config
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    SSLCertificateFile /var/lib/puppet/ssl/certs/vmhost.olearycomputers.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/vmhost.olearycomputers.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    ## Disable following if apache complains about CRL
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    ### Optional to allow CSR request; required if certs get distributed
    ### to clients during provisioning
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    ### Client headers record authentication info for downstream workers
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    RackAutoDetect On
    DocumentRoot /etc/puppet/rack/puppetmaster/public/
    <Directory /etc/puppet/rack/puppetmaster/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
mkdir -p -m 755 /etc/puppet/rack/puppetmaster/{public,tmp}
/etc/puppet/rack/puppetmaster/config.ru:
$0 = "master"
# enable debugging
# ARGV << "--debug"
# Standard:
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
# EOF
chkconfig httpd on
## But DO NOT start it yet
Install puppet master:
yum -y install ruby ruby-libs ruby-shadow puppet puppet-server facter
chown -R puppet:puppet /etc/puppet/rack/puppetmaster/
Install puppet clients:
yum -y install ruby ruby-libs ruby-shadow puppet facter
Run the puppet master in no-daemonize mode for the initial client certificate signing and to verify everything's functional:
puppet master --verbose --no-daemonize
If reinstalling clients, particularly if you're moving the puppet master, delete the existing ssl keys on the clients (${short_name} is the client's short hostname):
# find /var/lib/puppet/ssl -name \*${short_name}\* -print | xargs -i rm {}
In another window, on a client system, run the client:
# puppet agent --no-daemonize --verbose --server=vmhost.olearycomputers.com
dnsdomainname: Unknown host
info: Creating a new SSL key for vm1.olearycomputers.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for vm1.olearycomputers.com
info: Certificate Request fingerprint (md5): 91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3
Back on the puppet master, check that the listed fingerprint matches the one the client printed, then sign the certificate:
# puppet cert --list
"vm1.olearycomputers.com" (91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3)
# puppet cert --sign vm1.olearycomputers.com
notice: Signed certificate request for vm1.olearycomputers.com
notice: Removing file Puppet::SSL::CertificateRequest vm1.olearycomputers.com at '/var/lib/puppet/ssl/ca/requests/vm1.olearycomputers.com.pem'
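The fingerprint comparison above is the one check that stops a stray or spoofed CSR from being signed along with the real node, so here it is as a small wrapper. This is an added example, not from the original post: it reads the `puppet cert --list` output in the format shown above (a constructed sample below), compares it with the fingerprint read off the client's console, and only then runs the sign command; `PUPPET_CERT` is my own hook for dry runs, not a puppet option.

```shell
#!/bin/sh
# Constructed sample of `puppet cert --list` output on the master (format as in the post above).
CERT_LIST='"vm1.olearycomputers.com" (91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3)
"vm2.olearycomputers.com" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'

# fingerprint_for LIST HOSTNAME -> prints the fingerprint of HOSTNAME's pending request, or nothing
fingerprint_for() {
  printf '%s\n' "$1" | awk -v h="\"$2\"" '$1 == h { gsub(/[()]/, "", $2); print $2 }'
}

# verify_csr LIST HOSTNAME EXPECTED -> 0 on a match (case-insensitive), 2 if no request is pending
verify_csr() {
  actual=$(fingerprint_for "$1" "$2")
  [ -n "$actual" ] || return 2
  a=$(printf '%s' "$actual" | tr 'a-f' 'A-F')
  e=$(printf '%s' "$3" | tr 'a-f' 'A-F')
  [ "$a" = "$e" ]
}

# sign_if_verified LIST HOSTNAME EXPECTED -> signs only when the fingerprint matches.
# PUPPET_CERT (assumed hook, default "puppet cert") lets this be dry-run with "echo puppet cert".
sign_if_verified() {
  if verify_csr "$1" "$2" "$3"; then
    ${PUPPET_CERT:-puppet cert} --sign "$2"
  else
    echo "refusing to sign $2: fingerprint mismatch or no pending request" >&2
    return 1
  fi
}
```

Run it on the master as `sign_if_verified "$(puppet cert --list)" vm1.olearycomputers.com <fingerprint from the client console>`.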
Update puppet master configuration files:
/etc/puppet/manifests/{site.pp, nodes.pp}
Appropriate modules under /etc/puppet/modules
When everything checks out, turn on relevant services. Check for errors in appropriate log files:
puppet master:
# chkconfig --list | grep -e puppet -e httpd
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
puppet          0:off   1:off   2:on    3:on    4:on    5:on    6:off
puppetmaster    0:off   1:off   2:off   3:off   4:off   5:off   6:off
puppet clients:
# chkconfig --list puppet
puppet          0:off   1:off   2:on    3:on    4:on    5:on    6:off
passenger-status is the other thing I need to investigate; figure out what's up with this:
# /usr/share/rubygems/gems/passenger-3.0.21/bin/passenger-status
/usr/lib/ruby/site_ruby/1.8/rubygems.rb:779:in `report_activate_error': Could not find RubyGem passenger (>= 0) (Gem::LoadError)
        from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:214:in `activate'
        from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:1082:in `gem'
        from /usr/share/rubygems/gems/passenger-3.0.21/bin/passenger-status:18
Summary:
So, those steps should get you a puppet master using apache and passenger which, according to Pro Puppet, should be good for up to 2,000 nodes. It'll also get you a couple of clients which can be puppet managed.