Centos 6.x howto-puppet Installation and Configuration

This was tested on CentOS 6.4 with the EPEL-repository build of Puppet 2.6.17.

cd /usr/local/src;
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm;
yum install puppet-server;
touch /etc/puppet/manifests/site.pp
service puppetmaster start

Now on the puppet client (agent):

yum install puppet;
vi /etc/puppet/puppet.conf

# Note: control.meotic.com is my puppet master for puppet client

puppetd --server control.meotic.com --waitforcert 60 --test

Response:
info: Creating a new SSL key for db1.meotic.com
warning: peer certificate won’t be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won’t be verified in this SSL session
warning: peer certificate won’t be verified in this SSL session
info: Creating a new SSL certificate request for db1.meotic.com
info: Certificate Request fingerprint (md5): 6D:35:2F:D7:4A:2C:CC:90:A0
warning: peer certificate won’t be verified in this SSL session
warning: peer certificate won’t be verified in this SSL session
warning: peer certificate won’t be verified in this SSL session
warning: peer certificate won’t be verified in this SSL session

Now jump into server (puppet-master):

puppetca --list

“db1.meotic.com” (6D:35:2F:D7:4A:1A:F2:13:C3:2C:CC:90:A0)

[root@control manifests]# puppetca --sign db1.meotic.com
notice: Signed certificate request for db1.meotic.com
notice: Removing file Puppet::SSL::CertificateRequest db1.meotic.com at '/var/lib/puppet/ssl/ca/requests/db1.meotic.com.pem'
[root@control manifests]#

What we have at this point:
Puppet Master: control.meotic.com
Puppet Agent: db1.meotic.com

The certificate is signed and everything is set to roll.
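Before running `puppetca --sign`, the fingerprint that `puppetca --list` prints on the master should be compared with the one the agent printed ("Certificate Request fingerprint (md5): ..."), so that only the request that actually came from db1 gets signed. The following script is an added example and is not part of the original howto; it assumes openssl is installed, that pending requests live under /var/lib/puppet/ssl/ca/requests/<certname>.pem (the path shown in the puppetca output above), and that Puppet's md5 fingerprint is the MD5 over the DER form of the CSR.

```shell
#!/bin/sh
# Added example (not from the original howto): verify a pending CSR's fingerprint
# on the puppet master before signing it, so you only sign the request whose
# fingerprint the agent printed on its console.
# Assumptions: openssl is installed; Puppet 2.6 keeps pending requests under
# /var/lib/puppet/ssl/ca/requests/<certname>.pem; the md5 fingerprint Puppet
# prints is the MD5 of the DER-encoded CSR, as colon-separated upper-case hex.

REQUESTS_DIR="${PUPPET_REQUESTS_DIR:-/var/lib/puppet/ssl/ca/requests}"

# Print the colon-separated, upper-case MD5 fingerprint of a PEM CSR file.
csr_fingerprint() {
    openssl req -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -md5 -c \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# verify_csr_request <certname> <expected_fingerprint>
# Returns 0 when the pending request matches the fingerprint the agent
# printed, 1 on a mismatch, 2 when no request is pending for that name.
verify_csr_request() {
    certname="$1"; expected="$2"
    csr="$REQUESTS_DIR/$certname.pem"
    [ -f "$csr" ] || { echo "no pending request for $certname" >&2; return 2; }
    actual="$(csr_fingerprint "$csr")"
    if [ "$actual" = "$expected" ]; then
        echo "fingerprint match for $certname: $actual"
        return 0
    fi
    echo "FINGERPRINT MISMATCH for $certname: expected $expected, got $actual" >&2
    return 1
}

# Sign only when the fingerprint checks out (puppetca is the 2.6 command used above).
sign_if_verified() {
    verify_csr_request "$1" "$2" && puppetca --sign "$1"
}
```

Usage on the master: `sign_if_verified db1.meotic.com 6D:35:2F:...` with the full fingerprint copied from the agent's output; a mismatch means a different host (or a re-run with a new key) is behind the pending request, and it should be cleaned rather than signed.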

Next, let's look at the configuration files, the directory layout and the fileserver.

[root@control ~]# cd /etc/puppet/
[root@control puppet]# ll -al
total 28
drwxr-xr-x. 4 puppet puppet 4096 Mar 23 11:27 .
drwxr-xr-x. 59 root root 4096 Mar 23 09:25 ..
-rw-r--r--. 1 puppet puppet 2346 Jul 19 2012 auth.conf
drwxr-xr-x. 2 puppet puppet 4096 Mar 23 12:46 files
-rw-r--r--. 1 puppet puppet 459 Mar 23 11:27 fileserver.conf
drwxr-xr-x. 3 puppet puppet 4096 Mar 23 12:40 manifests
-rw-r--r--. 1 puppet puppet 853 Jul 6 2012 puppet.conf

auth.conf: authentication/authorization config file.
files: directory holding the files to share with agents.

vi /etc/puppet/fileserver.conf:
[files]
path /etc/puppet/files
allow *.meotic.com
allow 192.168.1.0/24

In fileserver.conf you declare the location of the file share point and who is allowed to fetch from it, by IP range or by DNS name.

Now the manifests. I have divided them into two parts:
the classes directory, and
site.pp.

[root@control puppet]# cd manifests/
[root@control manifests]# ls
classes site.pp

site.pp: it's pretty much self-explanatory; it holds the different node definitions.

# /etc/puppet/manifests/site.pp

import "classes/*"

## Base Nodes
# Only the ntp and sudo classes exist in classes/ so far (see below);
# the other classes included here still have to be written.

node default {
  include sudo
  include ntp
}

node mysqldb {
  include ntp
  include mysql
}

node webserver {
  include web
  include monitoring
}

## Specific Nodes

# A node can only inherit from a node that is defined above;
# the web hosts inherit the webserver base node.
node 'web1.meotic.com', 'web2.meotic.com' inherits webserver {
  include apacheconf
  include app
  include backups
}

node 'db1.meotic.com' inherits mysqldb {
  include sudo
}

node 'control.meotic.com' inherits mysqldb {
}

node 'dns1.meotic.com', 'dns2.meotic.com' {
  include monitoring
}

And the classes directory:

[root@control classes]# ll -al
-rw-r--r--. 1 puppet puppet 591 Mar 23 12:49 ntp.pp
-rw-r--r--. 1 puppet puppet 235 Mar 23 12:50 sudo.pp

Currently I have two files: one that serves the ntp settings and config file,
and one for the sudoers file.

vi ntp.pp

# /etc/puppet/manifests/classes/ntp.pp

class ntp {
  # If you have different distros within the org you can set per-distro values here
  case $operatingsystem {
    centos, redhat: {
      $service_name = 'ntpd'
      $conf_file    = 'ntp.conf'
    }
    default: {
      fail("ntp class: unsupported operating system ${operatingsystem}")
    }
  }

  package { 'ntp':
    # several packages can also be passed as an array
    ensure => installed,
  }

  service { 'ntp':
    name      => $service_name,
    ensure    => running,
    enable    => true,
    require   => Package['ntp'],
    subscribe => File['ntp.conf'],   # restart ntpd whenever the config changes
  }

  file { 'ntp.conf':
    path    => "/etc/${conf_file}",
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => "puppet://control.meotic.com/files/ntp.conf",
    require => Package['ntp'],       # install first so rpm doesn't clobber our file
  }
}

sudo.pp

# /etc/puppet/manifests/classes/sudo.pp

class sudo {
  file { '/etc/sudoers':
    owner  => 'root',
    group  => 'root',
    mode   => '0440',   # sudo refuses to run if sudoers is writable
    source => "puppet://control.meotic.com/files/sudoers",
  }
}

Once you have written a manifest, and before restarting the master and committing the changes, you might want to check the syntax:

puppet --parseonly sudo.pp
puppet --parseonly ntp.pp
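Since the page recommends keeping manifests in a repository, the syntax check above fits naturally into a git pre-commit hook. The script below is an added example, not part of the original howto: it runs the page's `puppet --parseonly` over every staged .pp file and refuses the commit if any manifest fails to parse. It assumes the manifests directory is a git repository and lets `PUPPET_PARSE` be overridden with another checker command.

```shell
#!/bin/sh
# Added example (not part of the original howto): git pre-commit hook that runs
# "puppet --parseonly" (the Puppet 2.6 syntax check) over every staged .pp
# file, so a manifest with a parse error never reaches the master's repository.
# Assumptions: manifests live in a git repository; PUPPET_PARSE may be
# overridden to point at a different checker command.

PUPPET_PARSE="${PUPPET_PARSE:-puppet --parseonly}"

# check_manifests FILE...: run the parser on each .pp file, print the result
# per file, return 1 if any manifest failed to parse and 0 otherwise.
check_manifests() {
    failed=0
    for f in "$@"; do
        case "$f" in
            *.pp) ;;
            *) continue ;;   # only Puppet manifests are checked
        esac
        if $PUPPET_PARSE "$f" >/dev/null 2>&1; then
            echo "ok   $f"
        else
            echo "FAIL $f"
            failed=1
        fi
    done
    return $failed
}

# staged_files: files about to be committed (added, copied or modified).
staged_files() {
    git diff --cached --name-only --diff-filter=ACM
}

# Hook entry point: install this file as .git/hooks/pre-commit (executable)
# and call pre_commit_hook from it; a non-zero exit aborts the commit.
pre_commit_hook() {
    files=$(staged_files)
    [ -n "$files" ] || return 0
    # word splitting of the file list is intended here
    check_manifests $files
}
```

Files that are not manifests (fileserver.conf, shared files under files/) are skipped, so the hook only blocks a commit for an actual Puppet parse error.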

# How to install RPM with puppet

class examplerpm ( $src, $pkg ) {

  # The resource title must be the real package name as rpm reports it;
  # otherwise Puppet never sees the package as installed and retries every run.
  package { $pkg:
    provider => 'rpm',
    ensure   => installed,
    source   => $src,   # rpm accepts a local path or an http/ftp URL here
  }
}

class { 'examplerpm':
  pkg => 'nginx',
  src => 'http://nginx.org/packages/rhel/6/x86_64/RPMS/nginx-1.4.4-1.el6.ngx.x86_64.rpm',
}

# How to share a file using Puppet

# puppet:///files/... resolves to the [files] mount point declared in
# fileserver.conf on whichever master the agent is talking to.
file { '/etc/sudoers':
    mode   => '0440',
    owner  => 'root',
    group  => 'root',
    source => "puppet:///files/sudoers",
}

# How to write files using Puppet

# The shell's $1 must be escaped as \$1, otherwise Puppet interpolates it
# as a (non-existent) Puppet variable inside the double-quoted string.
file { '/data/some.sh':
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    content => "#!/bin/bash\npuppet agent --onetime --no-daemonize --verbose \$1\n",
}

And to sync with the client, run on the client machine:

puppetd --server control.meotic.com --test

(Of course this can be automated with a cron job or another hook method that executes on file change on the master; keeping the manifests in a repository is recommended by many experts, even as standard best practice.)

This might be the best tool ;)

http://www.puppetcookbook.com/

TROUBLESHOOT:
[root@puppet2 ~]# puppet agent --no-daemonize --onetime --verbose
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get certificate CRL for /CN=puppet1.tike.com]
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get certificate CRL for /CN=puppet1.tike.com]

Solution: update the time, delete the existing certificates, and retry.

Client: find /var/lib/puppet -type f -print0 | xargs -0r rm
Master: puppet cert clean puppet2.tike.com
Client: puppet agent --no-daemonize --onetime --verbose
Master: puppet cert list
Master: puppet cert sign "puppet2.tike.com"
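Wiping /var/lib/puppet and re-issuing the certificate is the heavy fix; the "update time" step comes first because a clock that is behind the certificate's notBefore, or past its notAfter, produces exactly this kind of "certificate verify failed" error. The script below is an added example, not part of the original howto: it reads the agent certificate's validity window and tells you whether the clock or the certificate itself is the problem before anything is deleted. It assumes GNU date (as on CentOS) and openssl, and that the agent certificate lives at /var/lib/puppet/ssl/certs/<certname>.pem (an assumed path; the page only shows the ca/requests directory).

```shell
#!/bin/sh
# Added example (not part of the original howto): before wiping an agent's SSL
# state, check whether the "certificate verify failed" error is just clock skew
# or an expired / not-yet-valid certificate.
# Assumptions: GNU date and openssl are available; the Puppet 2.6 agent cert
# is at /var/lib/puppet/ssl/certs/<certname>.pem (assumed path).

# Print "notBefore notAfter" of a PEM certificate as epoch seconds.
cert_validity_window() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo "$(date -d "$nb" +%s) $(date -d "$na" +%s)"
}

# window_contains START END NOW: 0 if START <= NOW <= END, 1 if NOW is before
# START (local clock behind, or master clock ahead), 2 if NOW is past END.
window_contains() {
    [ "$3" -lt "$1" ] && return 1
    [ "$3" -gt "$2" ] && return 2
    return 0
}

# check_agent_cert [cert_path]: say what the SSL error most likely means.
check_agent_cert() {
    cert="${1:-/var/lib/puppet/ssl/certs/$(hostname -f).pem}"
    [ -f "$cert" ] || { echo "no agent certificate at $cert; nothing to check"; return 3; }
    set -- $(cert_validity_window "$cert")
    now=$(date +%s)
    rc=0; window_contains "$1" "$2" "$now" || rc=$?
    case $rc in
        0) echo "certificate is within its validity window; suspect the CRL or the CA cert, not the clock" ;;
        1) echo "clock is BEHIND the certificate's notBefore (or the master's clock is ahead): fix time first, then retry" ;;
        2) echo "certificate has expired: clean it on the master (puppet cert clean) and re-request" ;;
    esac
    return $rc
}
```

Run `check_agent_cert` on the failing agent: only the "expired" case needs the clean-and-resign procedure above, while the "clock is behind" case is fixed by syncing time (the ntp class from earlier keeps it from recurring).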

More troubleshooting on the official page:

http://docs.puppetlabs.com/guides/troubleshooting.html
