Puppet is a free and open-source configuration management tool, helps you to centrally deploy and manage the configurations of hundreds of client systems. It is available for GNU/Linux, Mac, BSD, Solaris and Windows-based computer Systems, released under Apache License, written in “Ruby” language. This guide helps you to install puppet on CentOS 7 / RHEL 7.
Puppet’s Architecture:
Agent / Master:
In this architecture, One or more servers run the puppet master application, usually as a Rack application managed by a web server (like Apache with Passenger) and puppet agent application runs on client servers, usually as a background service.
Periodically, puppet agent will send facts to the puppet master and request a catalog. The master will compile and return that node’s catalog, using several sources of information it has access to.
The Stand-Alone Architecture:
In this architecture, client servers run the puppet apply application( self-contained combination of the puppet master and puppet agent applications), usually as a scheduled task or cron job.
Environment:
Here, i will show you how to configure a puppet in master / agent architecture. In this tutorial, i will be using two CentOS 7 systems as mentioned below.
Puppet Master:
Operating system : CentOS 7 Minimal IP Address : 192.168.12.10 HostName : server.itzgeek.local
Puppet client:
Operating System : CentOS 7 Minimal IP Address : 192.168.12.20 HostName : client.itzgeek.local
Prerequsites:
Configure EPEL repository on CentOS 7 / RHEL 7.
Make sure your system (both puppet server and client) is able to resolve the hostname each other, either use /etc/hosts file or DNS server.
To have a production ready puppet setup, we have to use apache with passenger. To get the passenger, download and place the repo file to /etc/yum.repos.d/
Note: Only on the master server.
[root@server ~]# curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
To install the puppet master / agent, we would require to setup puppet repository on the all the nodes. Enable puppet labs repository by installing below rpm.
Note: Run it on both master and agent nodes.
# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Install and Configure Puppet on CentOS 7:
Now, its time to install puppet. Install the puppet server using below command.
[root@server ~]# yum -y install puppet-server
As said earlier, we will configure puppet for master / agent architecture. So, this node will acts as a master node. Edit the puppet configuration file and modify the dns_alt_names.
[root@server ~]# vi /etc/puppet/puppet.conf [main] dns_alt_names = server,server.itzgeek.local certname = server.itzgeek.local
If this machine is the only puppet master in your environment, run below command to create the puppet master certificate.
[root@server ~]# puppet master --verbose --no-daemonize Info: Creating a new SSL key for ca Info: Creating a new SSL certificate request for ca Info: Certificate Request fingerprint (SHA256): 81:C6:BB:8B:1D:71:4C:64:E1:13:54:1B:EC:CF:99:D8:85:90:D1:6C:E8:85:50:3E:03:41:BA:C5:47:A7:4C:E5 Notice: Signed certificate request for ca Info: Creating a new certificate revocation list Info: Creating a new SSL key for server.itzgeek.local Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml Info: Creating a new SSL certificate request for server.itzgeek.local Info: Certificate Request fingerprint (SHA256): FF:BE:D4:9B:E4:12:83:79:AE:BE:50:17:76:5F:F5:CD:5F:53:EA:5D:AA:5D:87:9E:7C:C4:BC:1B:8A:C6:FA:5C Notice: server.itzgeek.local has a waiting certificate request Notice: Signed certificate request for server.itzgeek.local Notice: Removing file Puppet::SSL::CertificateRequest server.itzgeek.local at '/var/lib/puppet/ssl/ca/requests/server.itzgeek.local.pem' Notice: Removing file Puppet::SSL::CertificateRequest server.itzgeek.local at '/var/lib/puppet/ssl/certificate_requests/server.itzgeek.local.pem' Notice: Starting Puppet master version 3.8.3
Once you get “Notice: Starting Puppet master version <VERSION>“, press ctrl-C to kill the process.
Configure a Production-Ready Web Server:
Puppet comes with a basic puppet master web server, but this cannot be used for real-life loads. We must configure a production quality web server before we start managing our nodes with Puppet.
[root@server ~]# yum -y install httpd httpd-devel mod_ssl ruby-devel rubygems gcc gcc-c++ pygpgme curl
Install Passenger and apache module.
[root@server ~]# yum install -y mod_passenger
Create three directories for the application (a parent directory, a “public” directory, and a “tmp” directory), Copy the ext/rack/config.ru file from the Puppet source code into the parent directory and Set the ownership of the config.ru file.
[root@server ~]# mkdir -p /usr/share/puppet/rack/puppetmasterd [root@server ~]# mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp [root@server ~]# cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/ [root@server ~]# chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
Add virtual host for puppet by creating the below configuration file.
[root@server ~]# vi /etc/httpd/conf.d/puppetmaster.conf
Add below content into the virtual host file, change the green colored entries as per your environement.
# you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000 PassengerStatThrottleRate 120 Listen 8140 <VirtualHost *:8140> SSLEngine on SSLProtocol ALL -SSLv2 -SSLv3 SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA SSLHonorCipherOrder on SSLCertificateFile /var/lib/puppet/ssl/certs/server.itzgeek.local.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/server.itzgeek.local.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none # which effectively disables CRL checking; if you are using Apache 2.4+ you must # specify 'SSLCARevocationCheck chain' to actually use the CRL. # SSLCARevocationCheck chain SSLVerifyClient optional SSLVerifyDepth 1 # The `ExportCertData` option is needed for agent certificate expiration warnings SSLOptions +StdEnvVars +ExportCertData # This header needs to be set if using a loadbalancer or proxy RequestHeader unset X-Forwarded-For RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e DocumentRoot /usr/share/puppet/rack/puppetmasterd/public RackBaseURI / <Directory /usr/share/puppet/rack/puppetmasterd/> Options None AllowOverride None Order allow,deny allow from all </Directory> </VirtualHost>
Restart apache server to take an effect of puppet virtual host, to do that, run following command on terminal.
[root@server ~]# systemctl restart httpd.service
Disable puppet service and enable apache server to auto start on system boot.
[root@server ~]# systemctl disable puppet.service [root@server ~]# systemctl enable httpd.service
Firewall:
Puppet listens on port no 8140; Configure the IP tables to allow it.
[root@server ~]# firewall-cmd --zone=public --add-port=8140/tcp --permanent [root@server ~]# firewall-cmd --reload
Install Puppet on Agent Nodes:
On your client machine, install puppet agent using below command.
Note: You must have puppet repository configured on the agent nodes.
[root@client ~]# yum -y install puppet
Edit the puppet configuration file and set puppet master information on the client stanza.
Note: Modify “server” value as per your environment. In my case, server is “server.itzgeek.local”
[root@client ~]# vi /etc/puppet/puppet.conf
[agent]
server = server.itzgeek.local
Start puppet on agent node and make it to start automatically on system boot.
[root@client ~]# systemctl start puppet.service [root@client ~]# systemctl enable puppet.service
You would get below events in the logs.
Oct 21 05:46:45 client systemd: Starting Puppet agent... Oct 21 05:46:46 client systemd: Started Puppet agent. Oct 21 05:47:03 client systemd: Reloading. Oct 21 05:49:10 client puppet-agent[2694]: Did not receive certificate
Sign the Agent Node’s Certificate on Master Server:
In an agent/master deployment, an admin must approve a certificate request for each agent node before that node can fetch configurations. Agent nodes will request certificates the first time they attempt to run.
Log into the puppet master server and run below command to view outstanding requests.
[root@server ~]# puppet cert list "client.itzgeek.local" (SHA256) D4:88:EC:C5:0A:F7:5D:4E:32:C5:B3:61:E0:51:7B:0C:CD:B3:49:9E:68:0B:E7:5D:75:19:1D:0B:92:8A:E7:C1
Run puppet cert sign to sign a request, or puppet cert sign –all to sign all pending requests.
[root@server ~]# puppet cert sign client.itzgeek.local Notice: Signed certificate request for client.itzgeek.local Notice: Removing file Puppet::SSL::CertificateRequest client.itzgeek.local at '/var/lib/puppet/ssl/ca/requests/client.itzgeek.local.pem'
Run the following command on client machine to check the certificate
[root@client ~]# puppet agent -t Info: Caching certificate for client.itzgeek.local Info: Caching certificate_revocation_list for ca Info: Caching certificate for client.itzgeek.local Info: Retrieving pluginfacts Info: Retrieving plugin Info: Caching catalog for client.itzgeek.local Info: Applying configuration version '1445401911' Info: Creating state file /var/lib/puppet/state/state.yaml Notice: Finished catalog run in 0.09 seconds
That’s All. Now, you have successfully configured puppet master and an agent. It’s time to create a manifests (client configuration). Stay tuned.
