
Installing puppet over ubuntu standard packages

Today, I decided to set up puppet on my local network.

First, what is puppet and why do you need it?
Puppet is a Ruby client/server system that uses ssh keys to securely execute commands for remote system
configuration. Read more here:
http://docs.puppetlabs.com/guides/faq.html
http://docs.puppetlabs.com/guides/installation.html
https://wiki.koumbit.net/PuppetMasterDebianInstall#dns_problems
You have two kinds of machines: the puppetmaster, and the puppets (the nodes it configures). Because I have
no DNS set up, I also need to hack the hosts files; the steps below show where.

1. On the puppetmaster server, edit /etc/hosts and add "puppet" to the localhost entry. That means your
   puppetmaster server is this one.

2. Install the puppetmaster package from ubuntu.

3. Then stop it and remove it, together with the facter and puppet packages :D it will be old.

4. (Check the version with puppetmasterd -V.) 2.6.4 will be the newest version.

5. Use ruby gems to install the latest puppet and facter.

6. gem install puppet (http://eightbitraptor.com/posts/managing-ubuntu-with-puppet)

7. Then add your symlinks so that debian (ubuntu) will think you are using its version:
   1. ln -s /usr/bin/puppetmasterd /usr/sbin/puppetmasterd
   2. ln -s /usr/bin/puppetd /usr/sbin/puppetd
   3. ln -s /usr/bin/puppetca /usr/sbin/puppetca

8. Then regenerate your configurations:
   1. /usr/sbin/puppetmasterd --genconfig > /etc/puppet/puppet.conf
   2. and for your local client (yes, puppet runs on your server as well, to configure the server):
      puppetmasterd --genconfig >> /etc/puppet/puppet.conf

9. Now, important: comment out the lines "genconfig = true" (#genconfig = true), otherwise your programs
   will just generate new configurations every time they run.

10. If you don't have DNS, set the certname in the [master] section to puppet, like this: certname = puppet

11. To allow clients to connect, add them in the [plugins] section of /etc/puppet/fileserver.conf:
    allow 192.168.1.0/24

12. Now you can delete all the files that were generated before:
    rm -rf /var/lib/puppet/*

13. Now you can run the server on the command line to check it:
    puppetmasterd --no-daemonize -v -d

15. Now you can set up the client:
    1. do the same as before, but add your master server as "puppet" in the hosts file
    2. don't touch the certname: it is the client's cert, not the server's
    3. test like this: /usr/bin/puppetd --server puppet --waitforcert 60 --test

16. On the server you should get the requests, and then you can sign the clients' certs:
    1. puppetca -l
    2. puppetca -s clientname

I will be reading more here:
http://miao5.blogspot.com/2010/01/setup-puppetmaster-foreman.html
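As an added example (not part of these notes and not Puppet's own tooling), the following shell script checks the three things steps 9 to 11 tell you to get right by hand before starting the master: that no active "genconfig = true" line survives in puppet.conf, that the [master] section carries "certname = puppet", and that fileserver.conf allows the client network. The sample files it writes to a temp directory are constructed for the demo; the function arguments (file path, expected name, network) are assumptions, and pointing them at /etc/puppet runs the same checks against the real configuration.

```shell
#!/bin/sh
# Added example, not from the original notes: preflight checks for a
# puppet.conf produced by "puppetmasterd --genconfig" and for the
# fileserver.conf ACL. Every check takes a file path (assumption: the
# caller passes it); defaults are the /etc/puppet paths used in the notes.

# 0 when no active "genconfig = true" line is left. A commented line
# ("#genconfig = true") does not match, which is exactly what step 9 wants.
genconfig_disabled() {
    conf="${1:-/etc/puppet/puppet.conf}"
    ! grep -Eq '^[[:space:]]*genconfig[[:space:]]*=[[:space:]]*true' "$conf"
}

# 0 when the [master] section (and only that section) sets certname = $2.
# Without DNS the master must present the name the clients connect to ("puppet").
master_certname_is() {
    conf="${1:-/etc/puppet/puppet.conf}"
    expected="${2:-puppet}"
    awk -v want="$expected" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[master\]/); next }
        insec && /^[[:space:]]*certname[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            if ($0 == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$conf"
}

# 0 when fileserver.conf has an "allow <network>" line for exactly $2
# (the notes allow 192.168.1.0/24; a bare "allow *" would be far too broad).
fileserver_allows() {
    fsconf="${1:-/etc/puppet/fileserver.conf}"
    net="${2:-192.168.1.0/24}"
    awk -v want="$net" '
        /^[[:space:]]*allow[[:space:]]+/ { if ($2 == want) found = 1 }
        END { exit found ? 0 : 1 }' "$fsconf"
}

# Run all three checks against a config directory; 0 only when all pass.
preflight() {
    dir="$1"; rc=0
    if genconfig_disabled "$dir/puppet.conf"; then echo "ok:   genconfig is commented out"
    else echo "FAIL: genconfig = true is still active"; rc=1; fi
    if master_certname_is "$dir/puppet.conf" puppet; then echo "ok:   [master] certname = puppet"
    else echo "FAIL: [master] certname is not 'puppet' (clients look for that name without DNS)"; rc=1; fi
    if fileserver_allows "$dir/fileserver.conf" 192.168.1.0/24; then echo "ok:   fileserver.conf allows 192.168.1.0/24"
    else echo "FAIL: fileserver.conf does not allow the client network"; rc=1; fi
    return $rc
}

# Constructed sample configs (not real output of --genconfig) so the script
# runs offline; prints the temp directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/puppet.conf" <<'EOF'
[main]
    vardir = /var/lib/puppet
    #genconfig = true
[master]
    certname = puppet
[agent]
    certname = client01
EOF
    cat > "$dir/fileserver.conf" <<'EOF'
[plugins]
    allow 192.168.1.0/24
EOF
    printf '%s\n' "$dir"
}

preflight "$(make_samples)"
```

The awk in master_certname_is tracks which section it is in, so a certname under [agent] (the client's own name, which step 15 says to leave alone) is never mistaken for the master's.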

Ruby Ent + Passenger + Puppet + Foreman

Assumptions:
1. svn server: 192.168.0.1
2. new puppetmaster hostname: puppet.domain.ltd
1. ip address: 192.168.0.2
3. puppetmaster manifests svn url: http://192.168.0.1/svn/puppetmaster/trunk

Steps:
|*| install required packages and group
1. # yum groupinstall "Development Tools"
2. # yum install puppet puppet-server mysql mysql-devel mysql-server ruby-mysql httpd httpd-devel apr-devel rubygems readline-devel
|*| install ruby enterprise
1. # cd ~/incoming
2. # wget http://rubyenterpriseedition.googlecode.com/files/ruby-enterprise-1.8.7-2011.03.tar.gz
3. # tar zxf ruby-enterprise-1.8.7-2011.03.tar.gz
4. # ./ruby-enterprise-1.8.7-2011.03/installer

The installer installs not just ruby-enterprise, but also rails and passenger.
ruby-enterprise will be installed in /opt/ruby-enterprise-1.8.7-2011.03/.
Add the ruby-enterprise bin directory to PATH:
1. # vim /etc/profile.d/ruby-enterprise.sh
1. PATH=/opt/ruby-enterprise-1.8.7-2011.03/bin:$PATH
Links puppet and facter to the ruby-enterprise installation
1. # cd /opt/ruby-enterprise-1.8.7-2011.03/lib/ruby/site_ruby/1.8
2. # ln -s /usr/lib/ruby/site_ruby/1.8/facter
3. # ln -s /usr/lib/ruby/site_ruby/1.8/facter.rb
4. # ln -s /usr/lib/ruby/site_ruby/1.8/puppet
5. # ln -s /usr/lib/ruby/site_ruby/1.8/puppet.rb
Reboot
1. # init 6
|*| configure passenger
1. # /opt/ruby-enterprise-1.8.7-2011.03/bin/passenger-install-apache2-module
2. # vi /etc/httpd/conf.d/passenger.conf
1. LoadModule passenger_module /opt/ruby-enterprise-1.8.7-2011.03/lib/ruby/gems/1.8/gems/passenger-3.0.7/ext/apache2/mod_passenger.so
2. PassengerRoot /opt/ruby-enterprise-1.8.7-2011.03/lib/ruby/gems/1.8/gems/passenger-3.0.7
3. PassengerRuby /opt/ruby-enterprise-1.8.7-2011.03/bin/ruby
Info: the content of passenger.conf above is also printed on screen while passenger-install-apache2-module
is executing. It may vary from version to version, so stick with the one the command provides.
|*| retrieve puppet configuration from svn
1. # svn export http://192.168.0.1/svn/puppetmaster/trunk /etc/puppet
|*| replace the existing puppet.conf with the puppetmasters one
1. # cp /etc/puppet/modules/puppet/files/default/puppetmaster.conf /etc/puppet/puppet.conf
2. # vim /etc/puppet/puppet.conf
[main]
    # Where Puppet stores dynamic and growing data.
    # The default value is '/var/puppet'.
    vardir = /var/lib/puppet
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet
    # Where Puppet PID files are kept
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet
    # Where SSL certificates are kept
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
    # we use local5 for syslog logging (default: daemon)
    syslogfacility = local5
    # puppetqd
    # (enable puppetqd if activemq is installed and a stomp transport Connector is configured)
    # queue_type = stomp
    # queue_source = stomp://localhost:61613

[agent]
    # The file in which puppetd stores a list of the classes associated with the
    # retrieved configuration. Can be loaded in the separate ``puppet`` executable
    # using the ``--loadclasses`` option. The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt
    # Where puppetd caches the local configuration. An extension indicating the
    # cache format is added automatically. The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
    # check interval (default: 1800 seconds)
    runinterval = 1800
    # send report to master
    report = true

[master]
    reports = log,foreman
    factsync = true
    # async_storeconfigs = true # set this to true if queue is configured
    storeconfigs = true
    dbadapter = mysql
    dbuser = puppet
    dbpassword = puppet
    dbserver = localhost
    dbsocket = /var/lib/mysql/mysql.sock
    dbconnections = 20
|*| setup mysql database (assuming mysql root user's password is empty)
1. # mysql -u root
1. mysql> create database puppet;
2. mysql> grant all privileges on puppet.* to puppet@localhost identified by 'puppet';
|*| create mysql root password
1. # mysqladmin -u root password _password_
|*| create keys for puppet.domain.tld, for it to control itself via puppet
1. # /etc/puppet/modules/puppet/files/default/puppet_ssh_keygen.sh --host puppet
|*| start puppetmaster
1. # service puppetmaster start
|*| add the node definition to site.pp

node "seele.domain.tld" inherits production {
    include http_server
    include puppet_master
    include vmware
    include nfs_server
    include mysql_server
}

|*| run puppetd once

WARNING: to avoid interfering with an existing puppet environment, if any, add the
following line to the hosts file first:
1. # vim /etc/hosts
   192.168.0.2 puppet.domain.ltd puppet
Stop iptables before running puppetd (or, better, just allow TCP 8140 to the master in it).
1. # puppet agent --test --debug --no-daemonize -v
|*| create index
After a successful puppet run, the database will be populated.
1. # mysql puppet
2. mysql> create index exported_restype_title on resources (exported, restype, title(50));
|*| configure puppetmaster via passenger
Ref: http://projects.puppetlabs.com/projects/1/wiki/using_passenger
Stop and disable the puppetmaster daemon:
1. # service puppetmaster stop
2. # chkconfig puppetmaster off

Prepare the puppetmaster web root:
1. # cd /usr/share/puppet/rack
2. # mkdir -p puppetmasterd/{tmp,public}
3. # cd puppetmasterd/
4. # cp /usr/share/puppet/ext/rack/files/config.ru .
5. # chown puppet:root config.ru

Configure the puppetmaster vhost (the vhost address below is the port from the Listen line):

# vim /usr/local/etc/httpd/conf.d/vhosts/puppetmaster.conf
Listen 8140
<virtualhost *:8140>
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile      /var/lib/puppet/ssl/certs/seele.domain.ltd.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/seele.domain.ltd.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled; if you have problems with Apache complaining about the
    # CRL, disable the next line
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # The following client headers allow the same configuration to work with Pound.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </directory>
</virtualhost>
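Added example, not from these notes and not from the Puppet Labs wiki page referenced above: a small shell audit of the puppetmaster vhost. It writes the vhost from the notes to a temp file (a constructed sample) and flags the directives that decide whether agent certificates are really verified: SSLVerifyClient (which must stay "optional", because an agent with no signed cert yet still has to reach the CA), the X-Client-Verify header the Rack application relies on, the CRL file, and the cipher string, which in the notes still admits SSLv2 and RC4, both obsolete. The file path argument and the replacement cipher list used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the Apache vhost that
# fronts puppetmasterd under Passenger. Prints one finding per line and
# returns 0 only when nothing was flagged. Argument: path to the vhost file.
audit_puppet_vhost() {
    vhost="$1"; rc=0
    # 1. "optional" (or "require") means Apache verifies the agent cert against
    #    SSLCACertificateFile; "none" or a missing directive would skip it.
    if ! grep -Eiq '^[[:space:]]*SSLVerifyClient[[:space:]]+(optional|require)' "$vhost"; then
        echo "FAIL: SSLVerifyClient is not optional/require; agent certs are never checked"; rc=1
    fi
    # 2. The Rack app only sees the verification result through this header,
    #    so Apache must set it on every request.
    if ! grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X-Client-Verify' "$vhost"; then
        echo "FAIL: X-Client-Verify header is not set; the master cannot tell verified from unverified agents"; rc=1
    fi
    # 3. Without the CRL, a certificate revoked on the puppetmaster keeps working.
    if ! grep -Eiq '^[[:space:]]*SSLCARevocationFile[[:space:]]+' "$vhost"; then
        echo "WARN: SSLCARevocationFile missing; revoked agent certs stay valid"; rc=1
    fi
    # 4. Flag SSLv2 or RC4 when they appear as enabled tokens (preceded by the
    #    directive, ':' or '+'), but not when excluded with '!'.
    if grep -Eiq '^[[:space:]]*SSLCipherSuite[[:space:]]+([^[:space:]]*[[:space:]:+])?(SSLv2|RC4)' "$vhost"; then
        echo "WARN: SSLCipherSuite enables SSLv2/RC4; use a TLS-only cipher list"; rc=1
    fi
    return $rc
}

# Constructed sample: the vhost from the notes, minus the Directory block,
# written to a temp file whose path is printed.
sample_vhost() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile      /var/lib/puppet/ssl/certs/seele.domain.ltd.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/seele.domain.ltd.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

# Same vhost with the cipher string replaced by an assumed TLS-only list
# (HIGH:!aNULL:!MD5 is a placeholder choice, not a recommendation from the notes).
hardened_copy() {
    sed 's/^\([[:space:]]*SSLCipherSuite\).*/\1 HIGH:!aNULL:!MD5/' "$1" > "$1.fixed"
    printf '%s\n' "$1.fixed"
}

v=$(sample_vhost)
echo "== vhost as written in the notes =="
audit_puppet_vhost "$v" || true
echo "== with the cipher string replaced =="
audit_puppet_vhost "$(hardened_copy "$v")" && echo "ok: nothing flagged"
```

Run against the sample, the only finding is the cipher string; drop the X-Client-Verify line from a copy and the audit fails hard, which is the case that matters most: with that header gone, every request reaches the master as unverified.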
|*| install and configure foreman
1. # yum install foreman
Disable the foreman services, since we will run it under passenger:
2. # chkconfig foreman off
3. # service foreman stop
Configure the database. Foreman uses the same database as puppet:

1. # vim /etc/foreman/database.yml
   production:
     adapter: mysql
     database: puppet
     username: puppet
     password: puppet
     pool: 15
     timeout: 5000
2. # cd /usr/share/foreman
3. # RAILS_ENV=production rake db:migrate
Configure the others accordingly:
1. # vim /etc/foreman/email.yaml
   production:
     delivery_method: :sendmail
     smtp_settings:
       address: smtp.domain.tld
       port: 25
       domain: domain.tld
       authentication: :none
2. # vim /etc/foreman/settings.yaml
   :modulepath: /etc/puppet/modules/
   :tftppath: tftp/
   :rrd_report_url: report/
   :ldap: true
   # your default puppet server - can be overridden at the host level. If none is specified, plain
   # "puppet" will be used.
   #:puppet_server: puppet
   #:unattended: false
   # use the following setting to override the default 30 minute puppet run interval - value must be
   # in minutes
   #:puppet_interval: 60
   #:document_root: /var/www
   # Foreman host, required for http links inside emails
   :foreman_url: puppet.domain.tld:8000
   # where to send the daily report emails; comment out if you want to send to registered Foreman
   # users instead.
   #:administrator: admin@domain.tld
   :failed_report_email_notification: true
Copy the report updater to where puppet knows:
1. # cp extras/puppet/foreman/files/foreman-report.rb /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb
2. # chmod 644 /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb
3. # vim /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb
   Edit the URL (unless you already have a DNS alias for foreman) to point to foreman:
   # URL of your Foreman installation
   $foreman_url="http://" + `hostname`.strip + ":8000"
Configure the foreman vhost:
1. # vim /usr/local/etc/httpd/conf.d/vhosts/vhost-foreman.conf
   Listen 8000
   NameVirtualHost *:8000
   <virtualhost *:8000>
       ServerName puppet.domain.ltd
       ServerAlias foreman
       DocumentRoot /usr/share/foreman/public
       AddDefaultCharset UTF-8
       RailsEnv production
       <Location "/">
           Order deny,allow
           Deny from all
           Allow from your_network
       </Location>
   </virtualhost>
Set up the cron jobs:
1. # crontab -e
   # expires all non interesting reports
   0 22 * * * cd /usr/share/foreman && rake reports:expire days=7 status=0 RAILS_ENV="production"
   # sends out a summary email for the last 24 hours
   0 23 * * * cd /usr/share/foreman/ && rake reports:summarize hours=24 RAILS_ENV="production"
Restart httpd:
1. # service httpd restart
Go to http://puppet.domain.ltd:8000 and log in as admin; the default password is changeme (change it right away).

Settings >> LDAP Authentication >> Create New

For connecting to Active Directory:
Name              = My Directory
Host              = ad.domain.ltd
Port              = 389 (or 636 if TLS is enabled)
TLS               = no
Onthefly register = yes
Account           = domain\$login
Password          = _leave blank_
Base DN           = CN=users,DC=host,DC=domain,DC=org
attr login        = sAMAccountName
attr firstname    = givenName
attr lastname     = sN
mail              = mail

For OpenLDAP:
Name              = My Directory
Host              = ldap.domain.ltd
Port              = 389
TLS               = no
Onthefly register = yes
Account           = _leave blank_ (if anonymous access is enabled)
Password          = _leave blank_
Base DN           = ou=Users,dc=domain,dc=co,dc=il
attr login        = uid
attr firstname    = givenName
attr lastname     = sn
mail              = mail

|*| install puppet-dashboard (yet another monitoring app)


Set up the puppet_dashboard database:
# mysql -u root
mysql> create database puppet_dashboard;
mysql> grant all privileges on puppet_dashboard.* to puppet@localhost identified by 'puppet';

# tar zxf puppet-dashboard-x.x.x.tgz -C /data/vhosts


# cd /data/vhosts/puppet-dashboard
# vim config/database.yml
production:
  adapter: mysql
  database: puppet_dashboard
  username: puppet
  password: puppet
  encoding: utf8
then run installation process
# RAILS_ENV=production rake install
copy the report updater to where puppet knows
# cp lib/puppet/puppet_dashboard.rb /usr/lib/ruby/site_ruby/1.8/puppet/reports/
# chmod 644 /usr/lib/ruby/site_ruby/1.8/puppet/reports/puppet_dashboard.rb
# vim /usr/lib/ruby/site_ruby/1.8/puppet/reports/puppet_dashboard.rb
edit the HOST and PORT respectively
HOST = `hostname`.strip
PORT = 9000
setup puppet-dashboard web services
# vim /usr/local/etc/httpd/conf.d/vhosts/vhost-puppet-dashboard.conf
Listen 9000
NameVirtualHost *:9000
<virtualhost *:9000>
    ServerName puppet.domain.ltd
    ServerAlias puppet-dashboard
    DocumentRoot /data/vhosts/puppet-dashboard/public
    AddDefaultCharset UTF-8
    RailsEnv production
    Order deny,allow
    Allow from your_network
</virtualhost>
|*| restart services
# service httpd restart
