Install Puppet Server On CentOS 7

Puppet is a tool designed to manage the configuration of Unix-like and Microsoft Windows systems declaratively. The user describes system resources and their state, either using Puppet’s declarative language or a Ruby DSL (domain specific language). This information is stored in files called “Puppet manifests”. Puppet discovers the system information via a utility called Facter, and compiles the Puppet manifests into a system-specific catalog containing resources and resource dependency, which are applied against the target systems. Any actions taken by Puppet are then reported.

Scenario

In this tutorial I am going to use the two systems described below.

Puppet Master:

Operating system : CentOS 7 minimal installation
IP Address       : 10.1.1.200/24

Puppet client:

Operating system : CentOS 7 minimal installation
IP Address       : 10.1.1.154/24

Add the Puppet repository to your CentOS machine:

For CentOS 7:

rpm -ivh https://yum.puppetlabs.com/el/7/products/x86_64/puppetlabs-release-7-11.noarch.rpm

Install the Puppet Master:

# Download puppet-server from Puppet Labs

yum install -y puppet-server

# Start Puppet-Server

CentOS 7:

systemctl start puppetmaster.service

# Set Puppet Master to run on startup

puppet resource service puppetmaster ensure=running enable=true

-------------------------------------------------------------------------------
 /Service[puppetmaster]/ensure: ensure changed 'stopped' to 'running'
service { 'puppetmaster':
  ensure => 'stopped',
  enable => 'true',
}

Outside a test environment Puppet needs a scalable web server, so let's install Apache (see the official docs):

# Download apache and necessary dependencies

yum install -y httpd httpd-devel mod_ssl ruby-devel rubygems gcc-c++ curl-devel zlib-devel make automake openssl-devel

# Install Rack/Passenger

gem install rack passenger
-----------------------------------------------------
Successfully installed rack-1.5.2
Building native extensions.  This could take a while...
Successfully installed passenger-4.0.35
2 gems installed
Installing ri documentation for rack-1.5.2...

Then run the Passenger Apache module installer:

passenger-install-apache2-module

[root@Unixmen-centos7 yum.repos.d]#  passenger-install-apache2-module
---------------------------------------------------------------------------------------
Welcome to the Phusion Passenger Apache 2 module installer, v4.0.35.
This installer will guide you through the entire installation process. It
shouldn't take more than 3 minutes in total.
Here's what you can expect from the installation process:
 1. The Apache 2 module will be installed for you.
 2. You'll learn how to configure Apache.
 3. You'll learn how to deploy a Ruby on Rails application.
Don't worry if anything goes wrong. This installer will advise you on how to
solve any problems.
Press Enter to continue, or Ctrl-C to abort.

Use <space> to select.
If the menu doesn't display correctly, press '!'

 ‣ ⬢  Ruby
   ⬢  Python
   ⬡  Node.js
   ⬡  Meteor

--------------------------------------------

Checking for required software...

 * Checking for C compiler...
      Found: yes
      Location: /usr/bin/cc
 * Checking for C++ compiler...
      Found: yes
      Location: /usr/bin/c++
 * Checking for Curl development headers with SSL support...
      Found: yes
      curl-config location: /usr/bin/curl-config
      Header location: /usr/include/curl/curl.h
      Version: libcurl 7.29.0
      Usable: yes
      Supports SSL: yes
 * Checking for OpenSSL development headers...
      Found: yes
      Location: /usr/include/openssl/ssl.h
 * Checking for Zlib development headers...
      Found: yes
      Location: /usr/include/zlib.h
 * Checking for Apache 2...
      Found: yes
      Location of httpd: /usr/sbin/httpd
      Apache version: 2.4.6
 * Checking for Apache 2 development headers...
      Found: yes
      Location of apxs2: /usr/bin/apxs
 * Checking for Rake (associated with /usr/bin/ruby)...
      Found: yes
      Location: /usr/bin/ruby /usr/local/bin/rake
 * Checking for OpenSSL support for Ruby...
      Found: yes
 * Checking for RubyGems...
      Found: yes
 * Checking for Ruby development headers...
      Found: yes
      Location: /usr/include/ruby.h
 * Checking for rack...
      Found: yes
 * Checking for Apache Portable Runtime (APR) development headers...
      Found: yes
      Location: /usr/bin/apr-1-config
      Version: 1.4.8
 * Checking for Apache Portable Runtime Utility (APU) development headers...
      Found: yes
      Location: /usr/bin/apu-1-config
      Version: 1.5.2

Create a virtual host file for puppet:

vi /etc/httpd/conf.d/puppetmaster.conf

and add:

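# RHEL/CentOS:
# The installer prints the exact LoadModule and PassengerRoot lines for your
# system when it finishes; the paths depend on the installed Ruby version.
LoadModule passenger_module  /usr/lib/ruby/gems/1.8/gems/passenger-4.0.35/buildout/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.35/
PassengerRuby /usr/bin/ruby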
# And the passenger performance tuning settings:
PassengerHighPerformance On
PassengerUseGlobalQueue On
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 6
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600
Listen 8140
<VirtualHost *:8140>
    SSLEngine On
    # Only allow high security cryptography. Alter if needed for compatibility.
    # SSLv3 and RC4 are both broken, so they are disabled along with SSLv2.
    SSLProtocol             All -SSLv2 -SSLv3
    SSLCipherSuite          HIGH:!ADH:!RC4:-MEDIUM:-LOW:-EXP
    SSLCertificateFile      /var/lib/puppet/ssl/certs/unixmen-centos7.arnhem.chello.nl.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/unixmen-centos7.arnhem.chello.nl.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData
    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    #RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from All
    </Directory>
</VirtualHost>

Add the Puppet HTTPS port to the firewall:

firewall-cmd --zone=public --add-port=8140/tcp --permanent
firewall-cmd --reload

Stop the WEBrick-based puppetmaster service and start up Apache:

systemctl stop puppetmaster.service
systemctl start httpd.service

Disable WEBrick and enable Apache on boot:

chkconfig puppetmaster off
chkconfig httpd on

Make sure the port is open and it’s listening:

lsof  -i tcp:8140
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   8743   root    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8747 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8748 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8749 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8750 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8751 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8752 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8753 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8754 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)
httpd   8755 apache    6u  IPv6  74005      0t0  TCP *:8140 (LISTEN)

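Edit /etc/puppet/puppet.conf and append this to the end of the file:

vim /etc/puppet/puppet.conf
[master]
# Use the FQDN here
certname = puppet-server
# autosign = true makes the master sign every certificate request it
# receives without review. Set it to false (or to the path of an allowlist
# file of certnames) if requests should be checked before signing.
autosign = true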

Check the Apache configuration with apachectl configtest and fix any errors you encounter.

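Now, make sure the Rack application directory exists and copy the Rack config into it:

mkdir -p /usr/share/puppet/rack/puppetmasterd/public
cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/

Give Puppet ownership of the Rack config (Passenger runs the application as the user that owns config.ru):

chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru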

Client Node install

Add the puppet labs repo:

rpm -ivh https://yum.puppetlabs.com/el/7/products/x86_64/puppetlabs-release-7-11.noarch.rpm

Install the Puppet Client:

yum install -y puppet

If you are not using DNS in your environment, you will need to manually edit the hosts file on both machines.

vim /etc/hosts
10.1.x.x                node
10.1.x.y                puppet-server

Edit /etc/puppet/puppet.conf and add the agent variables:

vim /etc/puppet/puppet.conf
# In the [agent] section

    # Should be the FQDN!
    server = puppet-server
    report = true
    pluginsync = true

Set the puppet agent to run on boot:

chkconfig puppet on
puppet agent --daemonize

Now test the client:

puppet agent -t
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for localhost.unixmen.com
Info: Certificate Request fingerprint (SHA256): 51:E3:75:7D:EC:BA:1F:68:B1:94:5E:4D:1F:84:53:07:F6:67:18:AB:12:6A:B6:89:05:D9:19:9F:30:DB:7A:F8
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

List and sign the pending certificate request on the Puppet master:

[root@unixmen-centos7 certs]# puppet cert list
  "localhost.triennium.com" (SHA256) 51:E3:75:7D:EC:BA:1F:68:B1:94:5E:4D:1F:84:53:07:F6:67:18:AB:12:6A:B6:89:05:D9:19:9F:30:DB:7A:F8

[root@unixmen-centos7 certs]# puppet cert sign --all
Notice: Signed certificate request for localhost.unixmen.com
Notice: Removing file Puppet::SSL::CertificateRequest localhost.unixmen.com at '/var/lib/puppet/ssl/ca/requests/localhost.unixmen.com.pem'
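
Both the agent run and "puppet cert list" print the SHA256 fingerprint of the certificate request, so the two values can be compared before signing, and one certname signed instead of using --all. The script below is an added example, not part of the original tutorial; the function names, host names and shortened fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check a pending CSR's
# fingerprint against the one the agent printed before signing that one cert.

# Constructed sample of "puppet cert list" output; fingerprints are
# shortened, made-up values, not real SHA256 digests.
SAMPLE_LIST='  "node1.example.test" (SHA256) 3A:91:0C:7E:D2:45:B8:6F
  "node2.example.test" (SHA256) 5D:04:E1:9B:77:2A:C3:18'

# Read "puppet cert list" output on stdin and print the SHA256
# fingerprint listed for certname $1 (nothing if it is not pending).
pending_fingerprint() {
    awk -v name="$1" '
        { n = $1; gsub(/"/, "", n) }
        n == name && $2 == "(SHA256)" { print toupper($3) }'
}

# Read "puppet cert list" output on stdin. Return 0 if certname $1 is
# pending with fingerprint $2, 1 on a mismatch, 2 if it is not pending.
verify_csr() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    got=$(pending_fingerprint "$1")
    [ -n "$got" ] || { echo "no pending request for $1" >&2; return 2; }
    [ "$got" = "$want" ] || { echo "fingerprint mismatch for $1" >&2; return 1; }
}

# Demo on the constructed sample. On a real master the pipeline would be:
#   puppet cert list | verify_csr "$name" "$fp" && puppet cert sign "$name"
printf '%s\n' "$SAMPLE_LIST" |
    verify_csr node1.example.test "3a:91:0c:7e:d2:45:b8:6f" &&
    echo "fingerprint verified: puppet cert sign node1.example.test"
```

The fingerprint passed as the second argument should be read from the agent's own console, not copied from the master's listing.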

Enjoy!