
Puppet Installation Guide

Puppet Installation & Configuration

 

GyeongRyoon Kim

 

# Installation Linux: SL5.3 32-bit / SL5.5 64-bit

 

Installation & Configuration Guide

This guide covers in-depth installation instructions and options for Puppet on a wide-range of operating systems.

 

Before Starting

You will need to install Puppet on all machines, both the clients and the central Puppet master server(s).

For most platforms, you can install ‘puppet’ via your package manager of choice. For a few platforms, you will need to install using the tarball or RubyGems.

INFO: For instructions on installing Puppet using a distribution-specific package manager, consult your operating system documentation. Volunteer-contributed operating system packages can also be found on the downloads page.

Ruby Prerequisites

The only prerequisite for Puppet that doesn’t come as part of the Ruby standard library is facter, which is also developed by Puppet Labs.

All other prerequisite Ruby libraries should come with any standard Ruby 1.8.2+ install. Should your OS not come with the complete standard library (or you are using a custom Ruby build), these include:

• base64

• cgi

• digest/md5

• etc

• fileutils

• ipaddr

• openssl

• strscan

• syslog

• uri

• webrick

• webrick/https

• xmlrpc

NOTE: We strongly recommend using the version of Ruby that comes with your system, since that will have a higher degree of testing coverage. If you feel the particular need to build Ruby manually, you can get the source from ruby-lang.org.

 

OS Packages

If installing from a distribution-maintained package, such as those listed on the Downloading Puppet Wiki page, all OS prerequisites should be handled by your package manager. See the Wiki for information on how to enable repositories for your particular OS. Usually the latest stable version is available as a package. If you would like to do Puppet development or see the latest versions, however, you will want to install from source.

 

■ Install ruby


$ wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p302.tar.bz2

$ tar -xjf ruby-1.8.7-p302.tar.bz2

$ cd ruby-1.8.7-p302

$ ./configure

$ make

$ make install

 

■ install ruby-gem

 

$ wget http://rubyforge.org/frs/download.php/73779/rubygems-1.4.1.tgz

$ tar -xvzf rubygems-1.4.1.tgz

$ cd rubygems-1.4.1

$ ruby setup.rb

 

■ Download puppet & facter

 

$ wget http://puppetlabs.com/downloads/facter/facter-latest.tgz

$ wget http://puppetlabs.com/downloads/puppet/puppet-latest.tgz

 

 

■ Install facter

 

$ cd facter-1.5.8

$ ruby install.rb

 

■ Install puppet

 

$ cd puppet-2.6.4

$ ruby install.rb

 

■ DNS setting

 

For the puppet master server:

$ vi /etc/hosts

<puppetmaster IP>   <servername>   puppet

ex) 15.180.234.xx master.gsdc.re.kr puppet

 

For the puppet client:

$ vi /etc/hosts

<puppetmaster IP>   <servername>   puppet

ex) 15.180.234.xx master.gsdc.re.kr puppet

 

Check that the name resolves on both the puppet master and the client:

$ ping puppet

 

 

■ Open the 8140 port

 

Only for puppetmaster

$ vi /etc/sysconfig/iptables

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8140 -j ACCEPT <- add


$ netstat -anpt | grep 8140 <- check 8140 port

$ iptables -nL

 

 

 

■ Create puppet configuration directory and files

 

only for puppetmaster

$ mkdir -p /etc/puppet/manifests/

$ vi /etc/puppet/manifests/site.pp

 

 

■ create ca at puppet master server

 

$ puppetca --generate MASTER_SERVER_NAME

ex) puppetca --generate daniel03.gsdc.re.kr

 

$ ls /etc/puppet/ssl/ca/signed

 

■ Create puppetmasterd script

 

Only for puppetmaster

$ cp /opt/puppet-2.6.4/conf/redhat/server.init /etc/init.d/puppetmasterd

$ chmod u+x /etc/init.d/puppetmasterd

 

If you get an error, change the owner of the /var/lib/puppet directory:

$ chown puppet.puppet /var/lib/puppet/

 

■ Create puppetd script

 

Only for client

$ cp /opt/puppet-2.6.4/conf/redhat/client.init /etc/init.d/puppetd

$ chmod u+x /etc/init.d/puppetd

$ vi /etc/init.d/puppetd

puppetd=${PUPPETD-/usr/local/sbin/puppetd} <- check the puppetd path

 

■ Create puppet account for puppetmaster

 

Only for puppetmaster

$ useradd puppet

 

■ Start Puppetmaster daemon

 

It is also necessary to create the puppet user and group that the daemon will use. Either create these manually, or start the daemon with the --mkusers flag to create them.

Starting the puppet daemon will automatically create all necessary certificates, directories, and files.

$ /usr/local/sbin/puppetmasterd --mkusers

$ /etc/init.d/puppetmasterd start

 

If the puppetmasterd daemon does not start, check the path of the puppetmasterd binary and correct it in /etc/init.d/puppetmasterd:

$ vi /etc/init.d/puppetmasterd

 

PUPPETMASTER=/usr/local/sbin/$prog <- check the path

 

 

 

■ Request a certificate from the puppetmaster

 

Only for client

$ puppetd --server SERVERNAME --waitforcert 10 --test

 

■ Check the certificate request from the client and sign it.

 

$ puppetca --list

ex) daniel02.gsdc.re.kr

$ puppetca --sign daniel02.gsdc.re.kr

or

$ puppetca --sign --all

 

If the client's request does not appear in the list, check the CA certificate on the puppetmaster:

$ openssl x509 -text -noout -in /etc/puppet/ssl/ca/ca_crt.pem

 

Issuer: CN=Puppet CA: daniel03.gsdc.re.kr

Validity

Not Before: Jan 19 04:49:45 2011 GMT

Not After : Jan 18 04:49:45 2016 GMT

Subject: CN=Puppet CA: daniel03.gsdc.re.kr

 

If the hostname in the CA certificate is not the same as the puppetmaster's hostname, clear all CA files on the puppetmaster and recreate the CA by starting puppetmasterd again.
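A way to automate the hostname check described above, as an added example that is not part of the original guide: it reads the CA certificate from the path the guide uses (or a constructed fixture with the same subject form) and compares the host in "CN=Puppet CA: <host>" against the puppetmaster's FQDN. The function names and the fixture builder are assumptions.

```ruby
require 'openssl'

# Hostname embedded in a Puppet CA subject ("CN=Puppet CA: <host>"), or nil
# when the subject does not have that form.
def puppet_ca_host(cert)
  cn_entry = cert.subject.to_a.find { |entry| entry[0] == 'CN' }
  return nil unless cn_entry
  cn_entry[1][/\APuppet CA: (\S+)\z/, 1]
end

# :ok when the CA was generated for expected_fqdn, :mismatch when it belongs to
# another puppetmaster (the case where the guide says to clear and recreate the
# CA), :not_a_puppet_ca when the subject is not a Puppet CA at all.
def check_puppet_ca(cert, expected_fqdn)
  host = puppet_ca_host(cert)
  return :not_a_puppet_ca if host.nil?
  host.casecmp(expected_fqdn).zero? ? :ok : :mismatch
end

# Load the master's CA certificate from the path used in this guide.
def load_puppet_ca(path = '/etc/puppet/ssl/ca/ca_crt.pem')
  OpenSSL::X509::Certificate.new(File.read(path))
end

# Constructed fixture (assumption, not a real Puppet CA): a self-signed
# certificate with the subject form the guide shows, so the check can be
# exercised without touching /etc/puppet/ssl.
def build_fake_ca(subject)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 5 * 365 * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $0
  ca = build_fake_ca('/CN=Puppet CA: daniel03.gsdc.re.kr')
  puts check_puppet_ca(ca, 'daniel03.gsdc.re.kr')   # ok
  puts check_puppet_ca(ca, 'daniel02.gsdc.re.kr')   # mismatch
end
```

On a real master, replace the fixture with `check_puppet_ca(load_puppet_ca, 'daniel03.gsdc.re.kr')`.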

 

■ Add init process

 

Only for puppetmaster

$ chkconfig --add puppetmasterd

$ chkconfig puppetmasterd on

$ chkconfig --list | grep puppetmasterd <- check

 

only for client

$ chkconfig --add puppetd

$ chkconfig puppetd on

$ chkconfig --list | grep puppetd <- check

 

 

■ Create puppet.conf files

 

On both the client and the puppetmaster:

$ vi /etc/puppet/puppet.conf

 

 

[user]

# where puppet stores dynamic and growing data.

# The default value is '/var/puppet'.

vardir = /var/lib/puppet

 

# The Puppet log directory.

# The default value is '$vardir/log'.

logdir = /var/lib/log/puppet

 

# Where Puppet PID files are kept.

# The default value is '$vardir/run'.

rundir = /var/lib/run

 

# Where SSL certificates are kept.

# The default value is '$confdir/ssl'.

ssldir = $confdir/ssl

 

#module path

modulepath = /etc/puppet/modules

 

[main]

manifest = /etc/puppet/manifests/site.pp

modulepath = /etc/puppet/modules

 

[agent]

# The file in which puppetd stores a list of the classes

# associated with the retrieved configuration. Can be loaded in

# the separate ``puppet`` executable using the ``--loadclasses``

# option.

# The default value is '$confdir/classes.txt'.

classfile = $vardir/classes.txt

 

# Where puppetd caches the local configuration. An

# extension indicating the cache format is added automatically.

# The default value is '$confdir/localconfig'.

localconfig = $vardir/localconfig

 

server = daniel03.gsdc.re.kr

runinterval = 1800

 

[master]

ssl_client_header = SSL_CLIENT_S_DN

ssl_client_verify_header = SSL_CLIENT_VERIFY

 

 

■ Scaling Puppet (Using Passenger)

 

Passenger is the Apache 2.x extension which lets you run Rails or Rack applications inside Apache.

Puppet (>0.24.6) now ships with a Rack application which can embed a puppetmaster. While it should be compatible with every Rack application server, it has only been tested with Passenger.

Depending on your operating system, the versions of Puppet, Apache and Passenger may not support this implementation. Specifically, Ubuntu Hardy ships with an older version of puppet (0.24.4) and doesn't include passenger at all; however, updated packages for puppet can be found here. There are also some passenger packages there, but as of 2009-09-28 they do not seem to have the latest passenger (2.2.5), so better install passenger from a gem as per the instructions at [modrails.com].

 

Note: Passenger versions 2.2.3 and 2.2.4 have known bugs regarding the SSL environment variables, which make them unsuitable for hosting a puppetmaster. So use either 2.2.2 or 2.2.5. Note that while it was expected that Passenger 2.2.2 would be the last version which can host a 0.24.x puppetmaster, that turns out not to be true, cf. this bug report. So, passenger 2.2.5 works fine.

 

■ Install Rack/Passenger

 

$ gem install rack

$ gem install passenger

 

Check the list of what you have installed:

 

$ gem list

*** LOCAL GEMS ***

 

daemon_controller (0.2.5)

fastthread (1.0.7)

file-tail (1.0.5)

passenger (3.0.2)

rack (1.2.1)

rake (0.8.7)

spruz (0.2.2)

 

Build and install the Passenger Apache 2 module:

$ passenger-install-apache2-module

 

■ Enable Apache modules “ssl” and “headers”:

Install mod_ssl:

$ yum install mod_ssl

 

■ Configure Apache

For RHEL5:

$ vi /etc/httpd/conf.d/puppetmasterd.conf (see below for file contents)

 

Install the rack application [1]:

 

$ mkdir -p /etc/puppet/rack/puppetmasterd

$ mkdir /etc/puppet/rack/puppetmasterd/public

$ mkdir /etc/puppet/rack/puppetmasterd/tmp

$ cp /opt/puppet-2.6.4/ext/rack/files/config.ru /etc/puppet/rack/puppetmasterd

$ chown puppet /etc/puppet/rack/puppetmasterd/config.ru

 

Write the following contents into puppetmasterd.conf:

$ vi /etc/httpd/conf.d/puppetmasterd.conf


Listen 8140

<VirtualHost *:8140>

SSLEngine on

# SSLv2 and RC4 are obsolete; on a current Apache/OpenSSL replace this cipher list with a modern one such as HIGH:!aNULL:!MD5

SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

SSLCertificateFile /etc/puppet/ssl/certs/daniel03.gsdc.re.kr.pem

SSLCertificateKeyFile /etc/puppet/ssl/private_keys/daniel03.gsdc.re.kr.pem

SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem

SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem

# CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line

SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem

SSLVerifyClient optional

SSLVerifyDepth 1

SSLOptions +StdEnvVars

 

# The following client headers allow the same configuration to work with Pound.

RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e

RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e

RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

 

RackAutoDetect On

DocumentRoot /etc/puppet/rack/puppetmasterd/public/

<Directory /etc/puppet/rack/puppetmasterd/>

Options None

AllowOverride None

Order allow,deny

allow from all

</Directory>

</VirtualHost>

 

Add the lines below to the Apache configuration:

 

$ vi /etc/httpd/conf/httpd.conf

 

LoadModule passenger_module /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.2/ext/apache2/mod_passenger.so

PassengerRoot /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.2/

PassengerRuby /usr/local/bin/ruby

 

 

■ Configure the auth.conf file to allow access to the modules directory

 

$ vi /etc/puppet/auth.conf

 

## authorize access to module directory to anybody

path /modules

method find

allow *
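To show how the [master] settings ssl_client_header / ssl_client_verify_header from puppet.conf and this auth.conf entry fit together, an added example that is not Puppet's own code: a simplified model of how a Rack-hosted master derives the node name and "authenticated" flag from the variables Apache forwards, and then evaluates auth.conf rules such as path /modules, method find, allow *. The rule keywords and the default of auth yes follow auth.conf semantics; the function names are assumptions.

```ruby
# A parsed auth.conf entry: path prefix, allowed methods, auth requirement, allow patterns.
Rule = Struct.new(:path, :verbs, :auth, :allow)

# Identify the client from the variables Apache forwards (the [master] settings
# ssl_client_header / ssl_client_verify_header). Only mod_ssl's own verdict
# counts: the verify variable must be exactly "SUCCESS".
def client_identity(env, dn_header = 'SSL_CLIENT_S_DN', verify_header = 'SSL_CLIENT_VERIFY')
  node = env[dn_header].to_s[/CN\s*=\s*([^\/,]+)/, 1]
  authenticated = !node.nil? && env[verify_header] == 'SUCCESS'
  [node, authenticated]
end

# Parse the auth.conf subset used in this guide: path, method, auth, allow.
# A new rule starts at each "path" line; as in Puppet, "auth" defaults to yes.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'   then rules << Rule.new(value, %w[find search save destroy], 'yes', [])
    when 'method' then rules.last.verbs = value.split(/\s*,\s*/)
    when 'auth'   then rules.last.auth = value
    when 'allow'  then rules.last.allow.concat(value.split(/\s*,\s*/))
    end
  end
  rules
end

# "*" matches every node, "*.domain" a whole domain, anything else one host.
def pattern_match?(pattern, node)
  return true if pattern == '*'
  return false if node.nil?
  pattern.start_with?('*.') ? node.end_with?(pattern[1..-1]) : node.casecmp(pattern).zero?
end

# The first rule whose path prefix, method and auth requirement fit decides;
# a request matching no rule is denied.
def authorized?(rules, path, method, node, authenticated)
  rule = rules.find do |r|
    path.start_with?(r.path) && r.verbs.include?(method) &&
      (r.auth == 'any' || (r.auth == 'yes') == authenticated)
  end
  !rule.nil? && rule.allow.any? { |p| pattern_match?(p, node) }
end
```

Because the master trusts these variables, Apache must set them itself (which the RequestHeader set lines in the VirtualHost do); a client-supplied header such as HTTP_X_CLIENT_VERIFY is never consulted here. Note that with the default auth yes, the "allow *" entry above still only applies to nodes that presented a certificate signed by the Puppet CA.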

 

 

 

■ Start apache web server

 

If all works well, you’ll want to make sure your puppetmasterd init script does not get called anymore:

 

# For Debian/Ubuntu

$ update-rc.d -f puppetmaster remove

 

# For RHEL5

$ chkconfig puppetmasterd off

$ chkconfig httpd on

 

 

■ Restart apache server

 

If the puppetmaster process is still alive, kill it and then start the Apache process.

# For Debian/Ubuntu

$ /etc/init.d/apache2 restart

 

# For RHEL5

$ /etc/init.d/httpd restart