Wednesday, July 6, 2011

Puppet Server and Client Installation and Configuration Version 2.7.1

Server Side Installation

Host Name: PuppetMaster

ruby-1.8.5-5.el5_4.8
ruby-libs-1.8.5-5.el5_4.8
Facter 1.6.0 (tar+gzip) (http://www.puppetlabs.com/misc/download-options/)
puppet-2.7.1 (tar.gz) (http://www.puppetlabs.com/misc/download-options/)

Note:
Please follow the above sequence for installation.

A supported Ruby version. Ruby 1.8.5, 1.8.7, and 1.9.2 are fully supported (with a handful of known issues under 1.9.2); Ruby 1.8.1 is supported on a best-effort basis for agent use only. Other versions of Ruby are used at your own risk, and Ruby 1.8.6, 1.9.0, and 1.9.1 are not recommended for compatibility reasons.

To avoid certificate errors, make sure the following criteria are fulfilled:
1) Make sure the time on the puppet server and the puppet client is in sync.
2) Make sure that the /etc/hosts file has a proper entry on both the puppet client and the puppet server.

Installation Steps:

1) ruby-1.8.5-5.el5_4.8
# yum install ruby
Confirm the installation:
# rpm -qa | grep ruby
ruby-1.8.5-5.el5_4.8
ruby-libs-1.8.5-5.el5_4.8
# ruby --version
ruby 1.8.5 (2006-08-25) [i386-linux]

2) ruby-libs-1.8.5-5.el5_4.8
This package is installed automatically when you run yum install ruby.

3) Facter 1.6.0 (tar+gzip)
#gunzip facter-1.6.0.tar.gz
#tar -xvf facter-1.6.0.tar
#cd facter-1.6.0
#ruby install.rb
Confirm the installation.
# facter --version
1.6.0

4) puppet-2.7.1 (tar.gz)
#gunzip /install/puppet-2.7.1.tar.gz
#tar -xvf puppet-2.7.1.tar
#cd puppet-2.7.1
#ruby install.rb
Confirm the installation.
# puppet --version
2.7.1
#puppetmasterd --version
2.7.1
#puppetd --version
2.7.1
#puppetca --version
2.7.1


Configuration:
Step 1: Create manifests folder
#mkdir -p /etc/puppet/manifests

Step 2: Place your site.pp file into it.
Content of the site.pp file:
# Enforce ownership and mode on /etc/sudoers
file { "/etc/sudoers":
    owner => root, group => root, mode => 440
}
The above lines ensure that the /etc/sudoers file on the client meets the following requirement:
owner = root, group = root, mode = 440

Step 3: Start the puppet master.

# puppet master --mkusers
Note: The example given here demonstrates the basic puppet (2.7.1) setup and getting started with puppet (2.7.1): a simple file-permission check achieved through puppet.

Client Side Installation

Installation Steps:
Note:
There are no separate steps for puppet client installation. The installation steps performed on the puppet server need to be performed on the puppet client as well.

Configuration Step

Step 1:

Run the following command to apply the rules defined on the puppet server.

# puppet agent --server puppetmaster --waitforcert 60 --test

info: Creating a new SSL key for puppetclient.domain.com

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for ca

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

info: Creating a new SSL certificate request for puppetclient.domain.com

info: Certificate Request fingerprint (md5): 72:C6:73:89:B9:69:D9:8D:93:69:C3:69:14:AD:7E:E2

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session


Note:
For the first run you will need to register your client at the server.
(Read further in this article to see how to register your client at the server.)

After registering the client on the server you should get the following response.

# puppet agent --server PuppetMaster --waitforcert 60 --test

info: Caching catalog for puppetclient.domain.com

info: Applying configuration version '1309406496'

info: Creating state file /var/lib/puppet/state/state.yaml

notice: Finished catalog run in 0.05 seconds

As the /etc/sudoers file already meets the puppet server's manifest, we see no change in the above output.

# ls -ltr /etc/sudoers

-r--r----- 1 root root 3185 Jan 22 2009 /etc/sudoers

To actually see changes on the puppet client, let's modify the /etc/sudoers file.

[root@puppetclient tmp]# chmod 777 /etc/sudoers

[root@puppetclient tmp]# chown ftp:root /etc/sudoers

[root@puppetclient tmp]# ls -ltr /etc/sudoers

-rwxrwxrwx 1 ftp root 3185 Jan 22 2009 /etc/sudoers

Now that the permissions on /etc/sudoers have been changed on the puppet client, we will run the command once again and check the output.

# puppet agent --server PuppetMaster --waitforcert 60 --test

info: Caching catalog for puppetclient.domain.com

info: Applying configuration version '1309406496'

notice: /Stage[main]//File[/etc/sudoers]/owner: owner changed 'ftp' to 'root'

notice: /Stage[main]//File[/etc/sudoers]/mode: mode changed '777' to '440'

notice: Finished catalog run in 0.11 seconds

Now check the permission.

[root@puppetclient tmp]# ls -ltr /etc/sudoers

-r--r----- 1 root root 3185 Jan 22 2009 /etc/sudoers

As you can see, the puppet master has enforced the rule on the puppet client.


Register puppet client on puppet server:

Whenever a puppet client requests a certificate for the first time, it won't get one until the server signs the client's certificate request.

Here are the steps to sign the client's certificate at the server end.

Step 1:

List the pending certificate requests

# puppetca -l

puppetclient.domain.com

Step 2:

Sign them

# puppetca -s puppetclient.domain.com

notice: Signed certificate request for puppetclient.domain.com

notice: Removing file Puppet::SSL::CertificateRequest puppetclient.domain.com at '/etc/puppet/ssl/ca/requests/puppetclient.domain.com.pem'

Note:
Manual signing is the default behavior and can be changed. For security reasons, however, it is recommended not to put the server in auto-signing mode, because requests would then be signed without anyone reviewing them.
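
Before signing in Step 2, the request waiting on the master can be checked against the fingerprint the agent printed when it created the request. The Ruby code below is an added example, not code from the original post or from Puppet; it assumes the fingerprint is the digest of the request's DER encoding in the colon-separated form shown in the agent output, and csr_fingerprint, safe_to_sign? and sample_csr are hypothetical helper names.

```ruby
require 'openssl'

# Digest of the CSR's DER encoding as colon-separated uppercase hex, the
# layout of the agent's "Certificate Request fingerprint (md5)" line.
# Assumption: the fingerprint covers the DER bytes of the request.
def csr_fingerprint(csr_pem, digest = 'MD5')
  csr = OpenSSL::X509::Request.new(csr_pem)
  OpenSSL::Digest.new(digest).hexdigest(csr.to_der).scan(/../).join(':').upcase
end

# Decide whether a pending request may be signed. expected_fp is the value
# read off the agent output on the client and passed to the master's
# administrator over a separate channel (hypothetical workflow).
# Returns [true, fingerprint] or [false, reason].
def safe_to_sign?(csr_pem, certname, expected_fp, digest = 'MD5')
  csr = OpenSSL::X509::Request.new(csr_pem)
  return [false, 'CSR self-signature invalid'] unless csr.verify(csr.public_key)

  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }
  return [false, 'subject CN does not match certname'] unless cn && cn[1] == certname

  actual = csr_fingerprint(csr_pem, digest)
  return [false, "fingerprint mismatch: #{actual}"] unless actual == expected_fp.strip.upcase

  [true, actual]
end

# Constructed sample input: build a CSR in memory so the example runs offline.
def sample_csr(certname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

if __FILE__ == $PROGRAM_NAME
  name = 'puppetclient.domain.com'
  pem = sample_csr(name)
  reported = csr_fingerprint(pem) # stands in for the value the agent printed
  p safe_to_sign?(pem, name, reported)
  # A different request for the same name (new key) must be rejected.
  p safe_to_sign?(sample_csr(name), name, reported)
end
```

On the master, the PEM text would come from the pending request file named in the signing output above (/etc/puppet/ssl/ca/requests/puppetclient.domain.com.pem), and the expected fingerprint from whoever ran the agent on the client.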

