
Installing and configuring Puppet version 3.8 using the example of Centos 6.5

Puppet, Chef and Ansible are so-called configuration management systems, which often turn up in foreign IT job postings for positions like Server / DevOps Admin. They are powerful tools that can configure a server from scratch or quickly mass-reconfigure a fleet of 1 to 100+ servers: packages, command-line tasks, configuration files, all of it is covered.

An overview can be found in the publication "How to become a puppeteer".

What prompted this introductory article on Puppet was the very poor quality of the descriptions I found online. Even with the official documentation you stumble over a pile of pitfalls and end up with something other than what you expected.
I use the 3.8 branch rather than 4.3 because that is the version available in the repositories on "my" servers. The paid Enterprise edition is not considered either, since I have not worked with it. CentOS is used because it is widespread, including the modified versions from Amazon.

For local tests you can use two VirtualBox VMs running CentOS-6.5-x86_64.


To begin with, two network interfaces are configured on each VM: one for access to the external Internet and one for a local network used by Puppet. The master's hostname will be pmaster.test.net, and the client node (there may be more of them) stage.test.net. Register both on every node in /etc/hosts (unless, of course, you have your own DNS server for them):

    10.1.1.10 pmaster.test.net
    10.1.1.11 stage.test.net

An additional recommendation from the official site: open TCP port 8140 on the master; that is the port the agents connect to.

Update from user iscsi:
It is also recommended to set SELINUX=permissive in /etc/sysconfig/selinux or, as a last resort, disabled.

The current version of the installation manual from puppetlabs is here; it covers very important details that are missing from your article, for example NTP.
/end of update from iscsi

Install / configure client / server pair


We begin with the server installation. Import the two package repositories into the system:

    rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
    rpm -ivh http://mirror.logol.ru/epel/6/i386/epel-release-6-8.noarch.rpm

Install the server package:

    yum -y install puppet-server

Among the dependencies it pulls in are some rather specific versions:

    hiera 1.3.4-1.el6
    ruby 1.8.7.374-4.el6_
    rubygems 1.3.7

So if those versions matter to you, be careful with updates. As a result we get:

/etc/init.d/puppetmaster is the first way to run the master, as a standalone service, good for tests and node registration. Later we will switch to running it through Passenger under Apache.

/etc/sysconfig/puppet is a small config. It is recommended to uncomment the following line to get a separate log:

 PUPPET_LOG=/var/log/puppet/puppet.log 

/etc/puppet/environments can be used to split clients into groups. It is a somewhat controversial technology, needed once you have at least about 30 nodes, and is often managed with the r10k tool.

/etc/puppet/hieradata is used for data storage (Hiera), a rather interesting technology that deserves a separate article.

/etc/puppet/manifests/site.pp is the main manifest; it assigns classes from the configuration modules to the client nodes.

/etc/puppet/modules is where the modules that configure clients are downloaded to or written. A module is essentially a set of classes (manifests) written in Puppet's declarative DSL, whose syntax resembles Ruby. If desired, you can even embed pure Ruby.

/var/lib/puppet: we will not touch it for now, but it is where the certificates live (/var/lib/puppet/ssl).

/etc/puppet/puppet.conf is the main server configuration file.

Add to the [main] section:

    confdir = /etc/puppet
    server = pmaster.test.net
    certname = pmaster.test.net
    environmentpath = $confdir/environments
    basemodulepath = $confdir/modules
    default_manifest = $confdir/manifests
    hiera_config = $confdir/hiera.yaml
    environment_timeout = unlimited
    dns_alt_names = pmaster.test.net,stage.test.net
    vardir = /var/lib/puppet

dns_alt_names lists the additional DNS names under which the master's own certificate is valid, so that agents can reach the master by any of them (for example a short alias). It does not control which nodes are allowed to talk to the master; that is decided by which agent certificates you sign. Listing stage.test.net here, as above, is unnecessary: it only makes the master's certificate valid for the client's name as well. Note that the setting is used when the master generates its certificate, so it has to be in place before the first start.

For those whose servers sit behind a proxy and who want to pull modules from forgeapi.puppetlabs.com, it is useful to know that puppet ignores the system http_proxy=proxy01.int:8080 and https_proxy=proxy02.int:8080 variables, and the proxy has to be put into the config section:

    [user]
    http_proxy_host = proxy01.int
    http_proxy_port = 8080

To check all current server settings there is a useful command:

 puppet config print 

The daemon does not even need to be restarted; it re-reads its configuration continuously.

That is all for now.

Starting the client installation


Import the same two package repositories into the system:

    rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
    rpm -ivh http://mirror.logol.ru/epel/6/i386/epel-release-6-8.noarch.rpm


Install the client package:

    yum -y install puppet

We need:

/etc/init.d/puppet is the client daemon that periodically checks whether anything has changed on the server. We will use the command line instead.

/etc/sysconfig/puppet is a small config. Bring it to the following form:

    PUPPET_SERVER=pmaster.test.net
    PUPPET_PORT=8140
    PUPPET_LOG=/var/log/puppet/puppet.log
    PUPPET_EXTRA_OPTS=--waitforcert=500

/etc/puppet/puppet.conf - the main config.

Add to the [main] section:

    server = pmaster.test.net


Now we need to generate and sign certificates. The master's CA and its own certificate are self-signed and generated automatically the first time the master starts, so start it once with /etc/init.d/puppetmaster start. On the client, request a certificate:

    puppet agent --test --ca_server=pmaster.test.net

Here the first stumbling block appears, of the "forgot about the port or the service on the server" kind. You will see a not very informative error:

    Error: Could not request certificate: No route to host - connect(2)

Using the --debug flag gives more detail:

    Debug: Creating new connection for https://pmaster.test.net:8140
    Error: Could not request certificate: No route to host - connect(2)

If everything is fine, you get something like:

    Info: Caching certificate for ca
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for stage.test.net
    Info: Certificate Request fingerprint (SHA256): 89:19:56:C4:76:0F:7F:C3:14:F3:D7:91:81:8C:A3:07:C5:55:AC:32:35:F5:93:6A:1B:17:DE:AC:EB:5D:DD:44
    Info: Caching certificate for ca
    Exiting; no certificate found and waitforcert is disabled

Go back to the server and check the list of certificates:

    puppet cert list --all
      "stage.test.net"   (SHA256) 89:19:56:C4:76:0F:7F:C3:14:F3:D7:91:81:8C:A3:07:C5:55:AC:32:35:F5:93:6A:1B:17:DE:AC:EB:5D:DD:44
    + "pmaster.test.net" (SHA256) 67:F8:6A:01:58:9B:1F:24:46:12:4E:5D:FB:39:60:12:79:4C:2C:6C:BE:EF:D2:27:52:95:6C:AE:B3:6C:05:1E (alt names: "DNS:pmaster.test.net", "DNS:stage.test.net")

A line without a plus is a pending request that still has to be signed. Before signing, compare the fingerprint shown here with the one the agent printed (89:19:56:...): they must be identical, otherwise someone else has submitted a request under that node name. Signing one node at a time with puppet cert sign stage.test.net is safer than --all, which signs every pending request regardless of where it came from; the article signs everything at once:

    puppet cert --sign --all
    Notice: Signed certificate request for stage.test.net
    Notice: Removing file Puppet::SSL::CertificateRequest stage.test.net at '/var/lib/puppet/ssl/ca/requests/stage.test.net.pem'

The result appears in /var/lib/puppet/ssl (on the master the signed certificate lands in ssl/ca/signed/, on the agent in ssl/certs/ after the next puppet agent --test). If something went wrong, remove /var/lib/puppet/ssl on the agent, run puppet cert clean stage.test.net on the master, and repeat. We now have a working setup and can look at the modules other people have published on the Puppet Forge, or search for something directly from the command line:
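A practitioner wants the fingerprint comparison to be mechanical rather than eyeballed. The following shell script is an added example, not code from the original article or from Puppet: it parses puppet cert list --all output, confirms that the pending request for a node carries exactly the fingerprint the agent printed, and only then signs that one node. The sample listing is constructed from the values shown above; the PUPPET_CERT variable is an assumption of this example so the signing command can be replaced for offline dry runs.

```shell
#!/bin/sh
# Added example, not from the article: verify an agent's CSR fingerprint on the
# master before signing, instead of blindly running `puppet cert --sign --all`.
# SAMPLE_CERT_LIST is constructed from the `puppet cert list --all` output above.
# PUPPET_CERT (assumed by this example) names the signing command, default "puppet cert".

SAMPLE_CERT_LIST='  "stage.test.net"   (SHA256) 89:19:56:C4:76:0F:7F:C3:14:F3:D7:91:81:8C:A3:07:C5:55:AC:32:35:F5:93:6A:1B:17:DE:AC:EB:5D:DD:44
+ "pmaster.test.net" (SHA256) 67:F8:6A:01:58:9B:1F:24:46:12:4E:5D:FB:39:60:12:79:4C:2C:6C:BE:EF:D2:27:52:95:6C:AE:B3:6C:05:1E (alt names: "DNS:pmaster.test.net", "DNS:stage.test.net")'

# pending_fingerprint NODE LISTING
# Prints the SHA256 fingerprint of NODE's pending request. Pending requests are the
# lines with no leading "+" (signed) or "-" (revoked), so $1 is the quoted node name.
pending_fingerprint() {
    printf '%s\n' "$2" | awk -v n="\"$1\"" '
        $1 == n && $2 == "(SHA256)" { print $3; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# verify_csr NODE EXPECTED LISTING
# Succeeds only if NODE has a pending request whose fingerprint equals EXPECTED,
# the value the agent printed as "Certificate Request fingerprint (SHA256)".
verify_csr() {
    node=$1; expected=$2; listing=$3
    actual=$(pending_fingerprint "$node" "$listing") || {
        echo "no pending request for $node" >&2
        return 1
    }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $node: master has $actual, agent reported $expected" >&2
        return 1
    fi
}

# sign_verified NODE EXPECTED [LISTING]
# Signs exactly one node, and only after verify_csr passes. LISTING defaults to
# the live `puppet cert list --all`; pass it explicitly for offline checks.
sign_verified() {
    node=$1; expected=$2
    listing=${3:-$(${PUPPET_CERT:-puppet cert} list --all)}
    verify_csr "$node" "$expected" "$listing" || return 1
    ${PUPPET_CERT:-puppet cert} sign "$node"
}

# Usage on the master, with the fingerprint copied from the agent's output:
#   sign_verified stage.test.net 89:19:56:C4:...:DD:44
```

The fingerprint is the only thing that ties the request on the master to the agent you actually installed; anyone who can reach port 8140 can submit a request named stage.test.net, and a signed certificate for that name grants whatever the catalog for that node contains.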

    puppet module search passwd
    Notice: Searching https://forgeapi.puppetlabs.com ...
    NAME                  DESCRIPTION                                                   AUTHOR    KEYWORDS
    fraenki-vpasswd       Manage virtual users                                          @fraenki  dovecot proftpd virtual user passwd
    wcooley-name_service  Type & provider to manage system name service configuration   @wcooley  dns files ldap passwd lookup group
    reidmv-local_user     Example local user pattern                                    @reidmv   user local passwd

See the names with a hyphen? The format is author_name-module_name. We will write a first test module to understand how modules are used, rather than cramming all the code into site.pp.

Go to /etc/puppet/modules and generate the skeleton:

    puppet module generate myname-mytest

Press Enter eight times to accept the defaults; all of this can be changed later.

You get the directory myname-mytest, which we rename to mytest: the master looks modules up by the short name, and the full author-name form is only needed if you want to publish the module to the public Forge. We are interested in the file /etc/puppet/modules/mytest/manifests/init.pp. In class mytest we put a trivial declaration like:

    class mytest {
      file { '/tmp/puppettestfile':
        ensure  => file,
        path    => '/tmp/puppettestfile',   # redundant: path defaults to the resource title
        content => 'test text',
      }
      file { '/tmp/puppettestdir':
        ensure => directory,
        path   => '/tmp/puppettestdir',
      }
    }

Some peculiarities:

- single and double quotes are mostly interchangeable, but double quotes are needed when you want variables interpolated into the string;
- attributes are separated by commas; each attribute line ends with a comma, and the last one may omit it.

Now add the following to /etc/puppet/manifests/site.pp:

    node default { }
    node 'stage.test.net' {
      include mytest
    }

To test it, run on the client:

    puppet agent --test

We get something like:

    puppet agent --test
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Caching catalog for stage.test.net
    Info: Applying configuration version '1448981968'
    Notice: /Stage[main]/Mytest/File[/tmp/puppettestdir]/ensure: created
    Notice: /Stage[main]/Mytest/File[/tmp/puppettestfile]/ensure: defined content as '{md5}1e2db57dd6527ad4f8f281ab028d2c70'
    Notice: Finished catalog run in 0.15 seconds

Check:

    ls -l /tmp/puppet*
    -rw-r--r-- 1 root root 9 Dec  1 09:54 /tmp/puppetenv
    -rw-r--r-- 1 root root 9 Dec  1 09:59 /tmp/puppettestfile

Now, what is the Apache option for? The master's built-in web server (WEBrick) handles requests one at a time, which is fine for tests but not for a fleet of agents; the recommended production setup is to run the master as a Rack application under Apache with Passenger. I will not repeat how many choice words were addressed to the official docs during the installation and configuration, but in the end the working version looked like this:

Stop service:

 /etc/init.d/puppetmaster stop 

Install a pile of packages:

    yum install httpd
    yum install mod_passenger
    yum install mod_ssl
    yum install gcc-c++
    yum install libcurl-devel openssl-devel zlib-devel httpd-devel ruby-devel
    gem install rack
    gem install passenger

Run the installer that builds the Apache module. It may complain at the end, so check the build output and adjust the Apache configuration accordingly; then verify the module exists:

    passenger-install-apache2-module
    ls -l /usr/lib/ruby/gems/1.8/gems/passenger-5.0.21/buildout/apache2/mod_passenger.so

Now create the Rack loader for puppet:

    mkdir -p /usr/share/puppet/rack/puppetmasterd
    mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
    cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
    chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru

Back to /etc/puppet/puppet.conf: add a section. The two ssl_client_* settings tell the master which environment variables, exported by mod_ssl, carry the client's certificate subject and verification result.

    [master]
    always_cache_features = true
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

Configure the module and the virtual host in Apache. My version is /etc/httpd/conf.d/passenger.conf:

    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-5.0.21/buildout/apache2/mod_passenger.so
    <IfModule mod_passenger.c>
        PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-5.0.21
        PassengerDefaultRuby /usr/bin/ruby
    </IfModule>

    PassengerHighPerformance on
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 600
    PassengerMaxRequests 1000
    PassengerStatThrottleRate 120

    Listen 8140
    <VirtualHost *:8140>
        SSLEngine on
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SS
        SSLHonorCipherOrder on
        SSLCertificateFile /var/lib/puppet/ssl/certs/pmaster.test.net.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/pmaster.test.net.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +ExportCertData
        RequestHeader unset X-Forwarded-For
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
            Options None
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog /var/log/httpd/puppet-server_error.log
        CustomLog /var/log/httpd/puppet-server_access.log combined
    </VirtualHost>

A few points in this vhost deserve attention. The SSLCipherSuite value is cut off at "+SS" in the listing above; complete it from the current Puppet documentation before using it. SSLVerifyClient must stay optional, not require: an agent submits its CSR before it has any certificate, so a required client certificate would break enrolment, while none would disable client authentication entirely. SSLCARevocationFile is what makes puppet cert clean effective, since a revoked agent certificate is otherwise still accepted. SSLOptions +StdEnvVars exports SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY to the Rack application, which is where the master's ssl_client_header settings read them from; the X-Client-* request headers are only consulted if the master is configured to read HTTP_X_CLIENT_DN instead, and in that case RequestHeader set matters because it overwrites any header of the same name supplied by the client.
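Since the TLS front end is now what authenticates agents, it is worth checking the vhost mechanically after every edit. The following shell function is an added example, not code from the article or from Puppet: it audits a vhost fragment for the mod_ssl directives the master depends on and prints one finding per missing or weakened setting. SAMPLE_GOOD is trimmed from the vhost above; SAMPLE_WEAK is a constructed misconfiguration for comparison.

```shell
#!/bin/sh
# Added example, not from the article: audit a puppetmaster Apache vhost for the
# mod_ssl settings the Rack master depends on. SAMPLE_GOOD is trimmed from the
# vhost above; SAMPLE_WEAK is a constructed misconfiguration for comparison.

SAMPLE_GOOD='<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCertificateFile /var/lib/puppet/ssl/certs/pmaster.test.net.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/pmaster.test.net.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +ExportCertData
    RequestHeader unset X-Forwarded-For
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>'

SAMPLE_WEAK='<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL
    SSLCertificateFile /var/lib/puppet/ssl/certs/pmaster.test.net.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/pmaster.test.net.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLVerifyClient none
    SSLOptions +StdEnvVars
</VirtualHost>'

# cfg_has CONFIG REGEX: true if some line of CONFIG matches REGEX (extended syntax)
cfg_has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# audit_vhost CONFIG: prints one finding per line, returns 1 if there were any
audit_vhost() {
    cfg=$1
    rc=0
    fail() { echo "$1"; rc=1; }
    cfg_has "$cfg" '^[[:space:]]*SSLEngine[[:space:]]+on' \
        || fail "SSLEngine is not on: agents only speak HTTPS on 8140"
    # Agents submit their CSR before they own a certificate, so the client cert must be
    # optional at the TLS layer: 'require' breaks enrolment, 'none' drops client auth.
    cfg_has "$cfg" '^[[:space:]]*SSLVerifyClient[[:space:]]+optional[[:space:]]*$' \
        || fail "SSLVerifyClient must be 'optional'"
    cfg_has "$cfg" '^[[:space:]]*SSLVerifyDepth[[:space:]]+1[[:space:]]*$' \
        || fail "SSLVerifyDepth should be 1: accept only certificates issued directly by the Puppet CA"
    cfg_has "$cfg" '^[[:space:]]*SSLCARevocationFile[[:space:]]+' \
        || fail "SSLCARevocationFile missing: certificates revoked with 'puppet cert clean' would still be accepted"
    cfg_has "$cfg" '^[[:space:]]*SSLProtocol.*-SSLv2' && cfg_has "$cfg" '^[[:space:]]*SSLProtocol.*-SSLv3' \
        || fail "SSLProtocol must disable SSLv2 and SSLv3"
    cfg_has "$cfg" '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' \
        || fail "SSLHonorCipherOrder off: the client, not the server, would pick the cipher"
    # +StdEnvVars exports SSL_CLIENT_S_DN / SSL_CLIENT_VERIFY, which the master reads via
    # ssl_client_header / ssl_client_verify_header; without them it cannot identify agents.
    cfg_has "$cfg" '^[[:space:]]*SSLOptions.*[+]StdEnvVars' \
        || fail "SSLOptions +StdEnvVars missing: SSL_CLIENT_S_DN never reaches the master"
    # 'RequestHeader set' overwrites any client-supplied header of the same name, which is
    # what makes these headers trustworthy if the master is ever pointed at HTTP_X_CLIENT_DN.
    for h in X-Client-DN X-Client-Verify; do
        cfg_has "$cfg" "^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+$h([[:space:]]|$)" \
            || fail "RequestHeader set $h missing"
    done
    return $rc
}

# Usage: audit_vhost "$(cat /etc/httpd/conf.d/passenger.conf)" && echo OK
```

Run it against the real file before restarting httpd; an empty output and a zero exit status mean the directives the master relies on are all present.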

Then start the service:

 /etc/init.d/httpd start 

And test it from the client:

 puppet agent --test 

I also noticed that in the 3.8.4 branch, after changing module code, I had to restart the puppetmaster or httpd service for the change to be picked up, whereas before this was not necessary. The reason is environment_timeout = unlimited in puppet.conf above: the master caches the environment indefinitely and only re-reads it on restart. While developing modules, set environment_timeout = 0 instead.

Creating a more complex module, using Hiera and r10k, and also a description of working with Chef, which is essentially Puppet's successor but with its own problems, are topics for a separate article, if I get around to it.

Source: https://habr.com/ru/post/272199/

