very popular tool for any operational guy\u2019s DevOps utility belt is Puppet \u2013 a system configuration management service. It allows you to automate the entire process of system configuration and maintain consistency across groups of servers.\u00a0Imagine having to deploy 50 servers for a new web farm, with each server requiring the exact same configuration. An especially daunting task when done manually. With Puppet, we simply define a server configuration for the web nodes, including which packages and services are installed and how they themselves are configured. When done we then assign that configuration to those systems.<\/p>\n
Another benefit to using a tool like Puppet is the ability to update configurations across your entire infrastructure on the fly. This could mean installation of the latest version of MySQL onto your database servers, or simply modifying DNS configurations for every server in the environment.<\/p>\n
Puppet uses a client-server model. By that I mean our configurations are defined and stored on what is called a\u00a0Puppet master server, and\u00a0each system that will have its configuration maintained by Puppet has a client \u00a0installed. Every 30 mintues, by default, each client communicates with the master server to have its configuration audited. When a discrepancy\u00a0is discovered between the client\u2019s current configuration and what is defined for it, the appropriate actions are completed to bring the system back into\u00a0compliance.<\/p>\n
This tutorial will guide you through setting up and running a Puppet master server using the open-source version of the software on a CentOS 6 server. Unlike the enterprise version of Puppet, the open-source version requires quite a bit of manual configuration. Nothing overwhelming but definitely not as simple as running a single executable.<\/p>\n
I am a very strong advocate of always running SELinux on Redhat-based servers. I do not take disabling it lightly and avoid doing so where possible. However, at the time of this writing I was unable to find a satisfactory way of enabling SELinux on a Puppet master server. There are SELinux policies for Puppet that can be found on the Internet. Unfortunately, I cannot recommend using any of them since they are not refined enough to ensure the system is secure.<\/p>\n
Outright disabling SELinux is very bad idea. You never know when you\u2019ll be able to re-enable it. And if you do disable it, when it comes time to re-enable SELinx the system will have to relabel every file, directory and port with the appropriate contexts. This a very, very, very time consuming process. Instead, I recommend placing SELinux into Permissive mode. This way SELinux doens\u2019t block Puppet process and communications, and our files, directories, and ports all keep their contexts.<\/p>\n
setenforce 0<\/pre>\n<\/li>\n
nano \/etc\/sysconfig\/selinux<\/pre>\n<\/li>\n
<\/p>\n
The easiest way to install Puppet is by adding the Puppet Labs repository file to your server. We can install it by using the freely available RPM provided by Puppet Labs.<\/p>\n
rpm -ivh http:\/\/yum.puppetlabs.com\/el\/6\/products\/i386\/puppetlabs-release-6-7.noarch.rpm<\/pre>\n<\/li>\n
-rw-r--r--. 1 root root 1926 Nov 27 2013 CentOS-Base.repo\r\n-rw-r--r--. 1 root root 638 Nov 27 2013 CentOS-Debuginfo.repo\r\n-rw-r--r--. 1 root root 630 Nov 27 2013 CentOS-Media.repo\r\n-rw-r--r--. 1 root root 3664 Nov 27 2013 CentOS-Vault.repo\r\n-rw-r--r--. 1 root root 1250 Apr 12 2013 puppetlabs.repo<\/strong>\r\n<\/pre>\n<\/li>\n<\/ol>\n<\/p>\n
Install the Puppet Master<\/h3>\n
The Puppet Master is where your nodes get their configuration profiles from.<\/p>\n
\n
- Install the Puppet Master package from the Puppetlabs repository.\n
yum install -y puppet-server<\/pre>\n<\/li>\n- Start the Puppet Master service.\n
service puppetmaster start<\/pre>\n<\/li>\n- Ensure the Puppet master starts at boot.\n
puppet resource service puppetmaster ensure=running enable=true<\/pre>\n<\/li>\n<\/ol>\n<\/h3>\n
<\/p>\n
Install a Web Server for Puppet Agent Access<\/h3>\n
Each server being managed by Puppet will have an agent installed. By default, the agent will attempt to connect to a Puppet master server using a HTTPS connection. We need to ensure a web server is available on the master server to allow us to service our clients. You can us any web server, but we\u2019ll be using Apache in this tutorial.<\/p>\n
\n
- Install the web server and some other required packages, like Ruby.\n
yum install -y httpd httpd-devel mod_ssl ruby-devel rubygems openssl-devel gcc-c++ curl-devel zlib-devel make automake<\/pre>\n<\/li>\n- The web service requires Passenger to process the Ruby files used by Puppet. We install it using Ruby\u2019s gems.\n
gem install rack passenger<\/pre>\n<\/li>\n- With the Passenger, we need to install and configure its Apache module.\n
passenger-install-apache2-module<\/pre>\n<\/li>\n<\/ol>\n<\/h3>\n
<\/p>\n
Prepare Puppet\u2019s Apache directory<\/h3>\n
\n
- Create a directory.\n
mkdir -p \/usr\/share\/puppet\/rack\/puppetmasterd<\/pre>\n<\/li>\n- Create the document root directory\n
mkdir \/usr\/share\/puppet\/rack\/puppetmasterd\/public \/usr\/share\/puppet\/rack\/puppetmasterd\/tmp<\/pre>\n<\/li>\n- Copy the Rack config template to our Apache virtual host\u2019s directory root.\n
cp \/usr\/share\/puppet\/ext\/rack\/files\/config.ru \/usr\/share\/puppet\/rack\/puppetmasterd\/<\/pre>\n<\/li>\n- Apply the appropriate permissions to the configuration file.\n
chown puppet \/usr\/share\/puppet\/rack\/puppetmasterd\/config.ru<\/pre>\n<\/li>\n<\/ol>\n<\/h3>\n
<\/p>\n
Create the Apache Virtual Host for Puppet<\/h3>\n
\n
- Create a configuration file for the Apache virtual host.\n
touch \/etc\/httpd\/conf.d\/puppetlabs.conf<\/pre>\n<\/li>\n- Edit the file and add the following contents.\n
# And the passenger performance tuning settings:<\/div>\n\u00a0PassengerHighPerformance On<\/div>\n<\/div>\n\u00a0#PassengerUseGlobalQueue On<\/div>\n\u00a0# Set this to about 1.5 times the number of CPU cores in your master:<\/div>\n\u00a0PassengerMaxPoolSize 6<\/div>\n<\/div>\n\u00a0# Recycle master processes after they service 1000 requests<\/div>\n\u00a0PassengerMaxRequests 1000<\/div>\n<\/div>\n\u00a0# Stop processes if they sit idle for 10 minutes<\/div>\n\u00a0PassengerPoolIdleTime 600<\/div>\n\u00a0Listen 8140<\/div>\n<\/div>\n\u00a0<VirtualHost *:8140><\/div>\n\u00a0 SSLEngine On<\/div>\n<\/div>\n\u00a0 # Only allow high security cryptography. Alter if needed for compatibility.<\/div>\n\u00a0 SSLProtocol All -SSLv2<\/div>\n\u00a0 SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP<\/div>\n\u00a0 SSLCertificateFile \/var\/lib\/puppet\/ssl\/certs\/puppet.serverlab.intra.pem<\/div>\n\u00a0 SSLCertificateKeyFile \/var\/lib\/puppet\/ssl\/private_keys\/puppet.serverlab.intra.pem<\/div>\n\u00a0 SSLCertificateChainFile \/var\/lib\/puppet\/ssl\/ca\/ca_crt.pem<\/div>\n\u00a0 SSLCACertificateFile \/var\/lib\/puppet\/ssl\/ca\/ca_crt.pem<\/div>\n\u00a0 SSLCARevocationFile \/var\/lib\/puppet\/ssl\/ca\/ca_crl.pem<\/div>\n\u00a0 SSLVerifyClient optional<\/div>\n\u00a0 SSLVerifyDepth 1<\/div>\n\u00a0 #SSLOptions +StdEnvVars +ExportCertData<\/div>\n\u00a0 SSLOptions +StdEnvVars<\/div>\n<\/div>\n\u00a0 # These request headers are used to pass the client certificate<\/div>\n\u00a0 # authentication information on to the puppet master process<\/div>\n\u00a0 RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e<\/div>\n\u00a0 RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e<\/div>\n\u00a0 RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e<\/div>\n<\/div>\n\u00a0 # RackAutoDetect On<\/div>\n\u00a0 DocumentRoot \/usr\/share\/puppet\/rack\/puppetmasterd\/public\/<\/div>\n<\/div>\n\u00a0 <Directory \/usr\/share\/puppet\/rack\/puppetmasterd\/><\/div>\n\u00a0 Options None<\/div>\n\u00a0 AllowOverride None<\/div>\n\u00a0 Order Allow,Deny<\/div>\n\u00a0 Allow from All<\/div>\n\u00a0 <\/Directory><\/div>\n<\/div>\n\u00a0<\/VirtualHost><\/div>\n<\/li>\n- Stop the puppetmaster service.\n
service puppetmaster stop<\/pre>\n<\/li>\n- Start the Apache service.\n
service httpd on<\/pre>\n<\/li>\n- Disable the puppetmaster service to prevent it from starting during system boot.\n
chkconfig puppetmaster off<\/pre>\n<\/li>\n- Enable the Apache service to automatically start it during system boot.\n
chkconfig httpd on<\/pre>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"very popular tool for any operational guy\u2019s DevOps utility belt is Puppet \u2013 a system configuration management service. It allows you to automate the entire process of system configuration and maintain consistency across groups of servers. Imagine having to deploy 50 servers for a new web farm, with each server requiring the exact same configuration. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6495"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6495"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6495\/revisions"}],"predecessor-version":[{"id":6496,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6495\/revisions\/6496"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}