I recently started playing around with Puppet to manage my current infrastructure, a plethora of Linux flavors. After an evaluation using Puppet Enterprise I was told to see what I could do with the open-source version. Where Puppet Enterprise is pretty much a ‘no brainer’ install, the open-source version is a different animal.
I’ve had several attempts at installing the open-source version of Puppet and getting it enterprise ready. Below are my notes on its installation:
First, I started with a clean install of CentOS 5.8. I disabled SELinux but not the firewall, then did a ‘sudo yum update’ to bring it up to date.
Since I am installing on a VM (off the network) and Puppet requires DNS resolution for the puppet master, I’m installing Bind and system-config-bind.
I opened the network configuration and edited the DNS settings and modified the hostname.
Then modified the hosts to include aliases for puppet.domainname.com and dns.domainname.com.
I added the latter because I am going to make a forwarding dns for this instance.
Then I opened up the DNS and let it create the default bind configuration and added a zone for my domainname.com.
I then added an A record for my host and a cname for puppet.domainname.com.
I tested this by using nslookup and setting it to my local loopback address.
I then opened the network configuration and set my primary dns server to 127.0.0.1.
Next I added the EPEL repository:
sudo rpm -ivh http://mirror.facebook.net/fedora/epel/5/x86_64/epel-release-5-4.noarch.rpm
And installed puppet:
sudo yum install puppet-server
Edited and added the following under [main], since this machine is going to be the server AND an agent to itself.
vim /etc/puppet/puppet.conf
added
server = puppet.domainname.com
report=true
pluginsync=true
certname=puppet.domainname.com
#dns_alt_names is comma separated list
dns_alt_names=puppet.domainname.com,puppet
After saving the file, I started the puppet master non daemonized so that I can see the output:
sudo puppet master --no-daemonize --verbose
This was the output:
info: Creating a new SSL key for ca
info: Creating a new SSL certificate request for ca
info: Certificate Request fingerprint (md5): 4A:8B:BF:01:6A:BC:84:8C:EA:12:7D:A3:46:C8:32:9A
notice: Signed certificate request for ca
notice: Rebuilding inventory file
info: Creating a new certificate revocation list
info: Creating a new SSL key for puppet.domainname.com
info: Creating a new SSL certificate request for puppet.domainanme.com
info: Certificate Request fingerprint (md5): BB:D2:A1:47:24:F3:C4:3F:9E:37:20:DE:FC:0F:44:07
notice: puppet.domainname.com has a waiting certificate request
notice: Signed certificate request for puppet.domainname.com
notice: Removing file Puppet::SSL::CertificateRequest puppet.domainname.com at '/var/lib/puppet/ssl/ca/requests/puppet.nelsone.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest puppet.domainname.com at '/var/lib/puppet/ssl/certificate_requests/puppet.domainname.com.pem'
notice: Starting Puppet master version 2.6.17
Here I can see that the puppet master created the certificate using the name I wanted: puppet.domainname.com.
Next I opened another terminal window and started the puppet agent. This way I can see what was happening on the master AND the agent:
sudo puppet agent --no-daemonize --verbose
The agent returned:
notice: Starting Puppet client version 2.6.17
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve information from environment production source(s) puppet://puppet.domainname.com/plugins
info: Caching catalog for puppet.domainname.com
info: Applying configuration version '1345431460'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.06 seconds
The error is OK. It doesn’t mean that the agent is not working. It means that there is no plugins location on the server.
The server returned the following:
info: access[^/catalog/([^/]+)$]: allowing 'method' find
info: access[^/catalog/([^/]+)$]: allowing $1 access
info: access[/certificate_revocation_list/ca]: allowing 'method' find
info: access[/certificate_revocation_list/ca]: allowing * access
info: access[/report]: allowing 'method' save
info: access[/report]: allowing * access
info: access[/file]: allowing * access
info: access[/certificate/ca]: adding authentication no
info: access[/certificate/ca]: allowing 'method' find
info: access[/certificate/ca]: allowing * access
info: access[/certificate/]: adding authentication no
info: access[/certificate/]: allowing 'method' find
info: access[/certificate/]: allowing * access
info: access[/certificate_request]: adding authentication no
info: access[/certificate_request]: allowing 'method' find
info: access[/certificate_request]: allowing 'method' save
info: access[/certificate_request]: allowing * access
info: access[/]: adding authentication any
info: Inserting default '/status'(auth) ACL because none were found in '/etc/puppet/auth.conf'
info: Could not find filesystem info for file 'plugins' in environment production
info: Could not find file_metadata for 'plugins'
info: Caching node for puppet.domainname.com
notice: Compiled catalog for puppet.domainname.com in environment production in 0.03 seconds
Now that I know it’s working I’m going to Ctrl-C both the agent and the master. I’m not going to set the master to start automatically yet, because I want the puppet master to run under httpd and not the Ruby server it uses by default.
NOTE: One thing I noticed when I set up the master and agent on the same machine is that I do not need to sign the certificate.
First thing is to install Passenger:
sudo rpm -Uvh http://passenger.stealthymonkeys.com/rhel/5/passenger-release.noarch.rpm
sudo yum install mod_passenger
Then install mod_ssl:
sudo yum install mod_ssl
If you look at http://docs.puppetlabs.com/guides/passenger.html it says to copy puppetmaster.conf into /etc/httpd/conf.d/ (cp puppetmaster.conf /etc/httpd/conf.d/), but this file is nowhere to be found, or at least I cannot find it. So… I created it:
touch /etc/httpd/conf.d/puppetmaster.conf
I then added the contents from the bottom of http://docs.puppetlabs.com/guides/passenger.html, replacing the example certificate and key file names (puppet-server.inqnet.at) with this master’s certname, puppet.domainname.com:
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domainname.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domainname.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
ErrorLog /var/log/httpd/puppetmaster_error.log
CustomLog /var/log/httpd/puppetmaster_access.log combined
# The following client headers allow the same configuration to work with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
RackAutoDetect On
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
NOTE: There is a file called apache2 in /usr/share/puppet/ext/rack/files, but it will not work if you copy it into /etc/httpd/conf.d.
Next I created the rack application:
mkdir -p /usr/share/rack/puppetmasterd
mkdir -p /usr/share/puppet/rack/puppetmasterd
mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmasterd/
chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru
Now I check if my config is ok for httpd:
sudo /sbin/service httpd configtest
If all is good it returns ‘Syntax OK’.
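configtest only tells you the directives parse. The mistake this setup invites is leaving the docs' example host name (puppet-server.inqnet.at) in the SSL paths, so before restarting httpd I cross-check puppetmaster.conf against the certname in puppet.conf and confirm client verification and CRL checking are still on. This is an added example, not part of the original post; the two config files it writes are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example: verify that the Apache puppetmaster.conf names the certificate
# the master actually generated (/var/lib/puppet/ssl/certs/<certname>.pem) and
# keeps mutual TLS (SSLVerifyClient) and CRL checking enabled.

# Print the value of a key in puppet.conf (key = value, first match wins).
puppet_conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | tr -d '[:space:]'
}

# Return 0 when SSLCertificateFile/SSLCertificateKeyFile end in <certname>.pem
# and both SSLVerifyClient and SSLCARevocationFile are present; report findings.
check_ssl_paths() {
    puppet_conf="$1"; apache_conf="$2"; status=0
    certname=$(puppet_conf_value certname "$puppet_conf")
    [ -n "$certname" ] || { echo "no certname in $puppet_conf"; return 1; }
    for directive in SSLCertificateFile SSLCertificateKeyFile; do
        path=$(awk -v d="$directive" '$1 == d { print $2 }' "$apache_conf")
        case "$path" in
            */"$certname".pem) echo "ok: $directive -> $path" ;;
            "") echo "missing: $directive"; status=1 ;;
            *) echo "mismatch: $directive -> $path (expected .../$certname.pem)"; status=1 ;;
        esac
    done
    # Without these two, agents are not verified and revoked agent certs still get in.
    if ! awk '$1 == "SSLVerifyClient" && ($2 == "optional" || $2 == "require") { f = 1 } END { exit !f }' "$apache_conf"; then
        echo "missing: SSLVerifyClient optional|require"; status=1
    fi
    if ! awk '$1 == "SSLCARevocationFile" { f = 1 } END { exit !f }' "$apache_conf"; then
        echo "missing: SSLCARevocationFile (CRL checking disabled)"; status=1
    fi
    return $status
}

# Constructed sample files reproducing the mismatch: certname set in puppet.conf,
# but the Apache conf still carries the docs' example host name.
demo_dir=$(mktemp -d)
cat > "$demo_dir/puppet.conf" <<'EOF'
[main]
certname=puppet.domainname.com
EOF
cat > "$demo_dir/puppetmaster.conf" <<'EOF'
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet-server.inqnet.at.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet-server.inqnet.at.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
EOF
check_ssl_paths "$demo_dir/puppet.conf" "$demo_dir/puppetmaster.conf" || echo "fix puppetmaster.conf before restarting httpd"
```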
I restart it:
sudo /sbin/service httpd restart
Now I start the agent in --no-daemonize and --verbose mode:
notice: Starting Puppet client version 2.6.17
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve information from environment production source(s) puppet://puppet.nelsone.com/plugins
info: Caching catalog for puppet.nelsone.com
info: Applying configuration version '1345435173'
notice: Finished catalog run in 0.10 seconds
Same as above! That’s good. Just to be 100% sure that it’s working through the httpd server, I’m going to check the access log I added in the conf file:
127.0.0.1 - - [19/Aug/2012:21:59:32 -0600] "GET /production/file_metadatas/plugins?links=manage&&checksum_type=md5&ignore=---+%0A++-+.svn%0A++-+CVS%0A++-+.git&recurse=true HTTP/1.1" 404 56 "-" "-"
127.0.0.1 - - [19/Aug/2012:21:59:33 -0600] "GET /production/file_metadata/plugins HTTP/1.1" 404 36 "-" "-"
127.0.0.1 - - [19/Aug/2012:21:59:33 -0600] "GET /production/catalog/puppet.nelsone.com?facts=eNqdV1uTqrgWfj%252B%252FIqef9i5HuSiIVE3VURClEe%252Fa6ktXhCAoNxNQ8ddPuLSt%250Ae%252FY8nNGSIitZybp8%252BdayXq%252BD%252F%252BJ0nzHR%252FoisRJ6mcYwSWR5HNpJlDVoJ%252BQ8A%250A6BZ7GCZeFMqAZzm%252Bzkp1rgN4XuY7crPZ6HAs2xJAnRVllqXrQxggGcTFXo0Q%250A%252BSQKUcOKAjp1gX6KiAzoKwD5ycRLkO1hGTApwYzv7ZnCnlz8WbxxDalY7EYk%250AKTeuduQKsU%252F2tkcSixpczmpeCP1iKg29c4o8WwYs23ZYrrANgBhHdmpVe00h%250Ahr5PNwRrDycp9MHUh4kT4aBY65HPSymXwVuCU%252FRWiEOUBJCcaDQEofH1Y5%252Ft%250AwchHkNAD3oSG9FC6Rvj0iRKXlQHHNniOazz00jjxAvRJkBWFNsn1WgJXKroQ%250A21eIUUB9pHbcJPFTbBUzZe5IFoDPXJskMIhlsEhD0E0PIE8RJwt5ivLcsGyR%250AvELxhDCN4gVhUia1ITa4MsyxS1NiQZ9GyUKERNiK0jCh9lTG7CNqDUHYg36Y%250ABntEMzemyfiKbKnDyUAPE%252BT%252FmP8ESoTRj6X5E3htoExXoPyYQGyxAPyPHi2x%250Ag%252BG90I9ilMMsPJCMJCj4TQy%252FQuER%252BBKIKiFVbP%252BelTK6NOpyk6VISjEpxOQK%250AY%252BLd6UQOYjDoldIX7x4Iqfc4IKlA6YB%252BD6gKUFXQ0gDFvdQHfBewPSDRCPcB%250AXdZhgVDtRVybwBPKZNCln15zfIcKd7KaJh0pva5%252B9bndZuPpcGyqqT%252B1ajvr%250AXRheGY0sjubQus3INgvMeXxcWtrKc6y7akCJUaIPfj6w%252BQwfbs6tKU2yluef%250A0loTSsn63UHXm%252BSiG%252BTCS7yz1Gy7q3mTwWq2gW571c3mA5z4nOR37BrsLkMC%250As8xMGSZkvWbUChhdGja9tsfPgsk7Fubrs3e%252F6%252Btbbr82UxYmQ87tVE96I5Eo%250AKV8TA8jNBy0czegCvTdmRXTbz3uC6glMhx%252FzO%252FskifDoj3enbVvv21NnN%252Bso%250AXBLM%252BlKEVF07%252BWdbYL0P5ZQZvZZ5YBwObi5qj3On%252FbajLcVTMjPms%252FNlK3BD%250AczqqLfd6NHRP08kg1bQpWk4ZbtQnPTGWVpozd9W1ZUntyXinofe%252BYC42nbPk%250ADlYbx9sarW53fxRqE8GX1qW9nAg3Jj6xJ6ebmOx9qh%252BC3qat1c6%252BrYywukwF%250AGJBj8%252BJ6WTRdMYooGszsIq3u4%252BEEp4TD7lITTnpTFyeYNWLSCwK4bfPvvpow%250AxyHPzJcXM96rInQG88NioZvL8L6zmzN%252BBu0%252Bab23trOd2F4oKFup3Q%252FYHW64%250A2927sMkId8214WjXrBewg9p6fvjzz2eqKGD8fTEp8QTw%252BAv3vD1g7mD0C8wr%250AprIRsbAXl%252ByuoDCZLEC1A6D3DvwoCPVnoRJAC9o2pne8umksK3OK3OLljiAL%250AisxKT%252BxCrXkQzBtlmNIWj%252FICdqCVF4G3fJM%252F%252FOgPyvbs26MkPLQo9TeEUiuu%250Azn0mzoqxqB%252FfHssWpZt6q8HWYWCLre%252BhB5v89yikLGa58gHD2PUs8qTwIiqU%250AXiSVY
oypH5SonhRfRIXii6RULJ2MqRsxAXXkvNLmF9Xyb69y9t%252FR6Xe2%252FilR%250AAQxTmoskxS9MBxaRk%252BQ0WxyLw6L009Koh1aj0HPOdvhdh38p8aCq%252FK%252FVpf2E%250AjEe6yrpTb7JSg6aUayBfeEa4DbMcJRU0HhgQZeAgi5VlB8GOzHMW9ctx6Cj3%250Azapco8SL%252F068mcX3i6F%252Bpc9Zv8saPofGCuZHhrndW07X0OP00JaSyWA7EGLj%250AnRtZg0Gw5tdGW7WRwySLcTezybZ2gsjaH26X405XxMt1sh6s1A8cSoNh886a%250A92Tahitu5C%252BPRq3ffh%252F6cMId17OOO35fNDETori3rvGj8dRxqZXc2AnOxmG6%250ANQPSD7DFb3rmpaO7zJE%252FGYI9Q5vpbiAd%252Bkd3wbHde9jxF%252BLYXJyFo7e6Ylfr%250AuUazvZs7k1twsfriera8Gx%252BLlXMyOiNNm%252ByWH3AtRPj6rp2uwSjq3vkshh8f%250A%252BwXmtY9b7PKOqmK8aN1mCj%252Fj13YvMPZD7npu8tuktjwvvfUZOj7G3kWf4MFy%250AurVU5tr3t5ubJhnzjqvr03Bxuh19Q1nF0awiqoC2LDgrCyzX6IhfzFP0EP9P%250AG1ZRVd7KlQxVSPMLRdvEAr4v3UAOnjsFpAxMdfmKnU8%252Forbw7QZLv2UHmWQx%250AXbkKT2F0DZ%252FsLhmTa7SaX3bnVwXhJ3oSG2LZuBAHBp5PsTZH9hAm317%252B2xtG%250AkO%252BF6Y2i34E%252BqdpOmB7ovXmcTx1gq%252F7m279fu0vumZJlMMp3LSSPvjb%252BMuql%250AS32OE%252FsUlSRKcqXndKKQ7hWFAcrJq0orNbCYs3yPii2Ek3%252F4Q%252FDdu%252BUnFh3b%250A48QYJm71x2DvhXL5yEekeMufv%252BsbX0BSGvA7LsrRhKOoTJYdBdD75rTcuL8A%250AQ%252BgHeQ%253D%253D%250A&facts_format=b64_zlib_yaml HTTP/1.1" 200 500 "-" "-"
127.0.0.1 - - [19/Aug/2012:21:59:34 -0600] "PUT /production/report/puppet.nelsone.com HTTP/1.1" 200 14 "-" "-"
Success! I can see that the agent is accessing the master via httpd!
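The four access-log lines above are the signature of a complete agent run through Apache: plugin lookups that 404 (no plugins directory yet), a catalog GET that returns 200, and a report PUT that returns 200 for the node. As an added example that is not part of the original post, here is a check that reads an access log and confirms that shape for a given certname, flagging anything else that did not return 200. The sample log is constructed (the facts blob is replaced by a placeholder) and the function names are my own.

```shell
#!/bin/sh
# Added example: confirm from the httpd access log that an agent run reached
# the master via Apache/Passenger. Plugin lookups may 404 as in the post, but
# the catalog GET and report PUT for the expected certname must both be 200.

# Print "<method> <path> <status>" for each request in a combined-format log.
log_requests() {
    awk -F'"' '{ split($2, r, " "); split($3, s, " "); print r[1], r[2], s[1] }' "$1"
}

# Return 0 when the log shows a completed run for certname $2 in environment
# $3 (default production); anything non-200 other than the expected plugin
# 404s is reported as unexpected and fails the check.
check_agent_run() {
    log="$1"; node="$2"; env="${3:-production}"
    log_requests "$log" | awk -v node="$node" -v env="$env" '
        { split($2, p, "?") }                      # drop the query string
        $1 == "GET" && p[1] == "/" env "/catalog/" node && $3 == 200 { catalog = 1 }
        $1 == "PUT" && p[1] == "/" env "/report/" node && $3 == 200 { report = 1 }
        $3 != 200 && p[1] !~ ("^/" env "/file_metadatas?/plugins") {
            printf "unexpected: %s %s -> %s\n", $1, $2, $3; bad = 1 }
        END {
            if (!catalog) print "no catalog served to " node
            if (!report)  print "no report received from " node
            exit !(catalog && report && !bad)
        }'
}

# Constructed sample log with the same four requests the post shows.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
127.0.0.1 - - [19/Aug/2012:21:59:32 -0600] "GET /production/file_metadatas/plugins?links=manage&recurse=true HTTP/1.1" 404 56 "-" "-"
127.0.0.1 - - [19/Aug/2012:21:59:33 -0600] "GET /production/file_metadata/plugins HTTP/1.1" 404 36 "-" "-"
127.0.0.1 - - [19/Aug/2012:21:59:33 -0600] "GET /production/catalog/puppet.domainname.com?facts=CONSTRUCTED&facts_format=b64_zlib_yaml HTTP/1.1" 200 500 "-" "-"
127.0.0.1 - - [19/Aug/2012:21:59:34 -0600] "PUT /production/report/puppet.domainname.com HTTP/1.1" 200 14 "-" "-"
EOF
check_agent_run "$demo_log" puppet.domainname.com && echo "agent run completed via httpd"
```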
Now I set the agent to start and run automatically:
sudo /sbin/chkconfig puppet on
sudo /sbin/service puppet start
Now we’re good!