CentOS 6.4: puppet installation

Title:

CentOS 6.4: puppet installation

Author:

Douglas O’Leary <dkoleary@olearycomputers.com>

Description:

How to quickly/efficiently install puppet on centos6

Disclaimer:

Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me…

Overview:

Most of the info required to create the checklist below came from James Turnbull’s Pro Puppet

Two other good links are Toki Winter’s site and one from 6tech.

This is going to be a work in progress as there are at least two things to which I want to find answers. Unfortunately, if this goes the way of my normal studying, I’ll end up having to leave this for a few weeks/months during which time I’ll have forgotten everything…

The primary point of this checklist is to kick out a production ready puppet installation as quickly as possible.

Also, note: as of this writing, this installs a puppet ver 2.6 implementation. I’m currently looking into upgrading that to ver 3.X.

Steps:

Selinux seems to be getting in the way. I have done some initial searching on puppet/selinux interaction but didn’t get very far. There were a couple of urls that showed how to create a selinux module; but, one of them was dated and, of course, I didn’t record the url of the second.

One thing that I just found that seems like it’ll be particularly useful is http://linux.die.net/man/8/puppet_selinux. On that page, there are references to two selinux booleans:

# getsebool -a | grep -i puppet
puppet_manage_all_files --> off
puppetmaster_use_db --> off

That won’t help w/the access to port 8140, though. So, in the meantime:

  • Set selinux to permissive mode, using either of the following:

    • echo '0' > /selinux/enforce

    • SELINUX=permissive in /etc/selinux/config

    When I started this up in my real network, I was still getting tons of avc denied messages. Something else on the to-do list, learn selinux. Setting the selinux booleans puppet_manage_all_files and allow_ypbind seems to have gotten rid of most of them. Running the messages through audit2allow resulted in:

    # grep ruby /var/log/messages | audit2allow -m ruby
    
    module ruby 1.0;
    [[snip]]
    #!!!! This avc can be allowed using the boolean 'allow_ypbind'
    allow passenger_t self:tcp_socket listen;
    
  • Update DNS and /etc/hosts; use FQDNs throughout.

  • Update firewall; ensure 8140 is allowed:

    # iptables -L -n | grep -i 8140
    ACCEPT  tcp  --  0.0.0.0/0 0.0.0.0/0  state NEW tcp dpt:8140
    
  • Install epel on all nodes: rpm -ivh http://mirror.symnds.com/distributions/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

  • Install apache and passenger

    • yum -y install httpd mod_ssl rubygem-passenger mod_passenger

    • /etc/httpd/conf.d/passenger.conf (update hostnames, directories and file locations as needed):

      LoadModule passenger_module modules/mod_passenger.so
      <IfModule mod_passenger.c>
          PassengerRoot /usr/share/rubygems/gems/passenger-3.0.21
          PassengerRuby /usr/bin/ruby
          PassengerHighPerformance on
          PassengerUseGlobalQueue on
          PassengerMaxPoolSize 6
          PassengerMaxRequests 4000
          PassengerPoolIdleTime 1800
      </IfModule>
      
      ### Puppet config
      
      Listen 8140
      <VirtualHost *:8140>
          SSLEngine on
      ### SSLv3 and RC4 were acceptable when this was written but are considered
      ### broken today; on a current system use TLS-only protocols and ciphers here
          SSLProtocol -ALL +SSLv3 +TLSv1
          SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
          SSLCertificateFile /var/lib/puppet/ssl/certs/vmhost.olearycomputers.com.pem
          SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/vmhost.olearycomputers.com.pem
          SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
          SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
      ### Disable the following if apache complains about the CRL
          SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
      ### Optional to allow CSR requests; required if certs get distributed
      ### to clients during provisioning
          SSLVerifyClient optional
          SSLVerifyDepth 1
          SSLOptions +StdEnvVars
      ### Client headers record authentication info for downstream workers
          RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
          RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
          RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
      
          RackAutoDetect On
          DocumentRoot /etc/puppet/rack/puppetmaster/public/
          <Directory /etc/puppet/rack/puppetmaster/>
              Options None
              AllowOverride None
              Order allow,deny
              allow from all
          </Directory>
      </VirtualHost>
      
    • mkdir -p -m 755 /etc/puppet/rack/puppetmaster/{public,tmp}

    • /etc/puppet/rack/puppetmaster/config.ru:

      $0 = "master"
      # enable debugging
      # ARGV << "--debug"
      # Standard:
      ARGV << "--rack"
      require 'puppet/application/master'
      run Puppet::Application[:master].run
      # EOF
      
    • chkconfig httpd on ## But DO NOT start it yet

  • Install puppet master:

    • yum -y install ruby ruby-libs ruby-shadow puppet puppet-server facter

    • chown -R puppet:puppet /etc/puppet/rack/puppetmaster/

  • Install puppet clients: yum -y install ruby ruby-libs ruby-shadow puppet facter

  • Run the puppet master in no-daemonize for initial client signatures and to verify everything’s functional: puppet master --verbose --no-daemonize

  • If reinstalling clients, particularly if you’re moving the puppet master, delete the existing ssl keys on the clients (short_name holds the client’s hostname):

    # find /var/lib/puppet/ssl -name \*${short_name}\* -print | xargs -i rm {}
    
  • In another window, on a client system, run the client:

    # puppet agent --no-daemonize --verbose --server=vmhost.olearycomputers.com
    dnsdomainname: Unknown host
    info: Creating a new SSL key for vm1.olearycomputers.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for vm1.olearycomputers.com
    info: Certificate Request fingerprint (md5): 91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3
    
  • Back on the puppet master, sign the certificate:

    # puppet cert --list
      "vm1.olearycomputers.com" (91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3)
    # puppet cert --sign vm1.olearycomputers.com
    notice: Signed certificate request for vm1.olearycomputers.com
    notice: Removing file Puppet::SSL::CertificateRequest vm1.olearycomputers.com at '/var/lib/puppet/ssl/ca/requests/vm1.olearycomputers.com.pem'
    
  • Update puppet master configuration files:

    • /etc/puppet/manifests/{site.pp, nodes.pp}

    • Appropriate modules under /etc/puppet/modules

  • When everything checks out, turn on relevant services. Check for errors in appropriate log files:

    • puppet master (the standalone puppetmaster service stays off, because httpd/passenger is what serves port 8140):

      # chkconfig --list | grep -e puppet -e httpd
      httpd        0:off  1:off  2:on   3:on   4:on   5:on   6:off
      puppet       0:off  1:off  2:on   3:on   4:on   5:on   6:off
      puppetmaster 0:off  1:off  2:off  3:off  4:off  5:off  6:off
      
    • puppet clients:

      # chkconfig --list puppet
      puppet       0:off  1:off  2:on   3:on   4:on   5:on   6:off
      
  • passenger-status is the other thing that I need to investigate; figure out what’s up with that:

    # /usr/share/rubygems/gems/passenger-3.0.21/bin/passenger-status
    /usr/lib/ruby/site_ruby/1.8/rubygems.rb:779:in `report_activate_error': Could not find RubyGem passenger (>= 0) (Gem::LoadError)
            from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:214:in `activate'
            from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:1082:in `gem'
            from /usr/share/rubygems/gems/passenger-3.0.21/bin/passenger-status:18
    
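The checklist above ends with two things worth checking mechanically before a master goes live: that the firewall, chkconfig and selinux state match what the steps call for, and that the CSR fingerprint the agent printed is the same one sitting in `puppet cert --list` before it gets signed. The script below is an added example, not part of the original page or of Puppet/Passenger; every parser takes command output as text, the sample outputs are constructed in the shapes the checklist shows (the unexpected.example.com entry is invented), and `live_preflight` is an assumed wrapper that feeds the parsers real `iptables`, `chkconfig` and `getsebool` output on a CentOS 6 box.

```shell
#!/bin/sh
# Added verification helpers for the puppet/passenger checklist; not from the
# original page. Parsers take command output as text so they can be exercised
# on the constructed samples below; live_preflight runs the real commands.

# --- constructed sample output (shapes copied from the checklist) ---
SAMPLE_IPT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8140'
SAMPLE_CHK='httpd        0:off  1:off  2:on   3:on   4:on   5:on   6:off
puppet       0:off  1:off  2:on   3:on   4:on   5:on   6:off
puppetmaster 0:off  1:off  2:off  3:off  4:off  5:off  6:off'
SAMPLE_SEBOOL='puppet_manage_all_files --> on
puppetmaster_use_db --> off'
SAMPLE_AGENT='info: Creating a new SSL certificate request for vm1.olearycomputers.com
info: Certificate Request fingerprint (md5): 91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3'
# second entry is a constructed CSR from a host we never provisioned
SAMPLE_LIST='  "vm1.olearycomputers.com" (91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3)
  "unexpected.example.com" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'

# $1 = `iptables -L -n` output. True when an ACCEPT rule for tcp dpt:8140 exists.
port_8140_allowed() {
    printf '%s\n' "$1" | grep -E -q '^ACCEPT +tcp .* dpt:8140( |$)'
}

# $1 = `chkconfig --list` output, $2 = service, $3 = runlevel. True when "$3:on".
service_on_at_runlevel() {
    printf '%s\n' "$1" | awk -v svc="$2" -v rl="$3" '
        $1 == svc { for (i = 2; i <= NF; i++) if ($i == (rl ":on")) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# $1 = `getsebool -a` output, $2 = boolean name. Prints on/off (empty if absent).
sebool_state() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $3 }'
}

# $1 = the agent's console output. Prints the md5 fingerprint it reported for its CSR.
csr_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/.*Certificate Request fingerprint (md5): //p'
}

# $1 = `puppet cert --list` output, $2 = certname. Prints the fingerprint the CA holds.
listed_fingerprint() {
    printf '%s\n' "$1" | awk -v n="$2" '{
        name = $1; gsub(/"/, "", name)
        if (name == n) { fp = $2; gsub(/[()]/, "", fp); print fp }
    }'
}

# True only when the fingerprint the client printed matches the one waiting on
# the master, i.e. the CSR about to be signed is the one you watched being made.
verify_csr() {
    vc_agent=$(csr_fingerprint "$2")
    vc_listed=$(listed_fingerprint "$3" "$1")
    [ -n "$vc_agent" ] && [ "$vc_agent" = "$vc_listed" ]
}

# Prints the sign command for certname $1 when verify_csr passes; refuses otherwise.
sign_if_verified() {
    if verify_csr "$1" "$2" "$3"; then
        echo "puppet cert --sign $1"
    else
        echo "fingerprint mismatch or missing for $1; not signing" >&2
        return 1
    fi
}

# Pre-flight for the master: $1 iptables, $2 chkconfig, $3 getsebool output.
preflight() {
    pf_rc=0
    port_8140_allowed "$1" || { echo "no ACCEPT rule for tcp/8140" >&2; pf_rc=1; }
    service_on_at_runlevel "$2" httpd 3 || { echo "httpd not on at runlevel 3" >&2; pf_rc=1; }
    # the checklist leaves puppetmaster off: passenger answers on 8140 instead
    if service_on_at_runlevel "$2" puppetmaster 3; then
        echo "puppetmaster service enabled; it would contend with httpd for 8140" >&2; pf_rc=1
    fi
    [ "$(sebool_state "$3" puppet_manage_all_files)" = on ] || { echo "puppet_manage_all_files is off" >&2; pf_rc=1; }
    return $pf_rc
}

# Assumed wrapper for a real CentOS 6 host (tools absent elsewhere -> empty output -> warnings).
live_preflight() {
    preflight "$(iptables -L -n 2>/dev/null)" "$(chkconfig --list 2>/dev/null)" "$(getsebool -a 2>/dev/null)"
}

case "${1:-demo}" in
    live) live_preflight ;;
    demo) preflight "$SAMPLE_IPT" "$SAMPLE_CHK" "$SAMPLE_SEBOOL" && echo "preflight ok"
          sign_if_verified vm1.olearycomputers.com "$SAMPLE_AGENT" "$SAMPLE_LIST"
          sign_if_verified unexpected.example.com "$SAMPLE_AGENT" "$SAMPLE_LIST" || true ;;
esac
```

Run with no arguments to see the checks against the embedded samples, or with `live` on the master itself. `sign_if_verified` deliberately prints the sign command rather than running it, so the operator still makes the final call; the point is that a CSR whose fingerprint differs from what the client displayed is never signed by reflex.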

Summary:

So, those steps should get you a puppet master running under apache and passenger which, according to Pro Puppet, should be good for up to 2,000 nodes. It’ll also get you a couple of clients that can be managed by puppet.