Installing Puppet Over Ubuntu Standard Packages

Today, I decided to set up Puppet on my local network. First, because I have no DNS set up, I need to hack the hosts files.

First, what is Puppet and why do you need it? Puppet is a Ruby client/server system that uses ssh keys to securely execute commands for remote system configuration. Read more here:
http://docs.puppetlabs.com/guides/faq.html
http://docs.puppetlabs.com/guides/installation.html
https://wiki.koumbit.net/PuppetMasterDebianInstall#dns_problems

You have two kinds of machines: the puppetmaster, and the puppets that it configures.

1. On the puppetmaster server, edit /etc/hosts and add puppet to the localhost entry. That tells the server that it is the puppetmaster itself.

2. Install the puppetmaster package from Ubuntu.

3. Then stop it and remove it, along with the facter and puppet packages :D they will be old.

4. (Check the version with puppetmaster -V.) 2.6.4 will be the newest version.

5. Use Ruby gems to install the latest puppet and facter.

6. gem install puppet (see http://eightbitraptor.com/posts/managing-ubuntu-with-puppet)

7. Then add symlinks so that Debian (Ubuntu) thinks you are using its version:
   1. ln -s /usr/bin/puppetmasterd /usr/sbin/puppetmasterd
   2. ln -s /usr/bin/puppetd /usr/sbin/puppetd
   3. ln -s /usr/bin/puppetca /usr/sbin/puppetca

8. Then regenerate your configurations:
   1. /usr/sbin/puppetmasterd --genconfig > /etc/puppet/puppet.conf
   2. And for your local client (yes, puppet runs on your server as well, to configure the server): puppetd --genconfig >> /etc/puppet/puppet.conf

9. Now, importantly, comment out the genconfig lines so they read #genconfig = true; otherwise your programs will just generate new configurations every time they run.

10. If you don't have DNS, set the certname in the [master] section to puppet, like this: certname = puppet

11. To allow clients to connect, add them in the [plugins] section of /etc/puppet/fileserver.conf: allow 192.168.1.0/24

12. Now you can delete all the files that were generated before:
   1. rm -rf /var/lib/puppet/*
13. Now you can run the server on the command line to check it:
14. puppetmasterd --no-daemonize -v -d

15. Now you can set up the client:
   1. Do the same as before, but add your master server as puppet in the hosts file.
   2. Don't touch the certname; it is the client's cert, not the server's.
   3. Test like this: /usr/bin/puppetd --server puppet --waitforcert 60 --test

16. On the server you should get the requests, and then you can sign the clients' certs:
   1. puppetca -l
   2. puppetca -s clientname
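The hand edits in steps 1, 8 to 11 and 15 are easy to get wrong and easy to apply twice (a second --genconfig run appends a second copy of every setting, a second hosts edit duplicates the alias). What follows is an added example, not part of the original post, of doing those edits as idempotent shell functions. Each function takes the file it edits as an argument so it can be exercised on a scratch copy first; it assumes GNU sed (for -i and -E) and a POSIX awk, and the hosts, puppet.conf and fileserver.conf contents in the demo are constructed samples, not the files from any real system.

```sh
#!/bin/sh
# Added example, not from the original post: idempotent helpers for the hand
# edits in steps 1, 9, 10, 11 and 15 above. Each function takes the file to
# edit as an argument, so it can be tried on a scratch copy before /etc is
# touched. Assumes GNU sed (for -i and -E) and a POSIX awk.
set -e

# Steps 1 and 15.1: without DNS, the name "puppet" has to resolve through the
# hosts file. Adds the alias to the line for $2 (or a new line); a no-op when
# the alias is already present, so re-running is safe.
add_hosts_alias() {
    local hosts=$1 ip=$2 name=${3:-puppet} ip_re
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # match the dots literally
    if grep -Eq "^${ip_re}([[:space:]]+[^[:space:]]+)*[[:space:]]+${name}([[:space:]]|\$)" "$hosts"; then
        return 0
    elif grep -Eq "^${ip_re}[[:space:]]" "$hosts"; then
        sed -i -E "s/^(${ip_re}[[:space:]].*)\$/\1 ${name}/" "$hosts"
    else
        printf '%s\t%s\n' "$ip" "$name" >> "$hosts"
    fi
}

# Step 9: comment out every "genconfig = true" that --genconfig wrote into the
# file; left active, each run regenerates the configuration instead of using it.
disable_genconfig() {
    sed -i -E 's/^([[:space:]]*)(genconfig[[:space:]]*=[[:space:]]*true)/\1#\2/' "$1"
}

# Step 10 (certname = puppet under [master]): set key = value in one section of
# puppet.conf. Replaces the key if present, appends it to the section if not,
# and creates the section when the file has none.
set_ini_key() {
    awk -v section="$2" -v key="$3" -v value="$4" '
        function emit() { if (in_sec && !done) { print key " = " value; done = 1 } }
        /^[ \t]*\[/ {
            emit()
            in_sec = ($0 ~ ("^[ \t]*\\[" section "][ \t]*$"))
            if (in_sec) seen = 1
        }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { print key " = " value; done = 1; next }
        { print }
        END {
            emit()
            if (!seen) { print "[" section "]"; print key " = " value }
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Read one key back from a section, to confirm an edit took effect.
get_ini_key() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" section "][ \t]*$")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Step 11 (allow 192.168.1.0/24 under [plugins] in fileserver.conf): add a bare
# line to a section unless that exact line is already there.
ensure_line_in_section() {
    awk -v section="$2" -v line="$3" '
        function emit() { if (in_sec && !done) { print "  " line; done = 1 } }
        /^[ \t]*\[/ {
            emit()
            in_sec = ($0 ~ ("^[ \t]*\\[" section "][ \t]*$"))
            if (in_sec) seen = 1
        }
        in_sec && !done { t = $0; gsub(/^[ \t]+|[ \t]+$/, "", t); if (t == line) done = 1 }
        { print }
        END {
            emit()
            if (!seen) { print "[" section "]"; print "  " line }
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on constructed scratch copies (not the real /etc files).
demo() {
    d=$(mktemp -d)
    printf '127.0.0.1\tlocalhost\n' > "$d/hosts"
    printf '[main]\nlogdir = /var/log/puppet\n\n[master]\ngenconfig = true\n\n[agent]\ngenconfig = true\n' > "$d/puppet.conf"
    printf '[files]\n  path /etc/puppet/files\n\n[plugins]\n' > "$d/fileserver.conf"
    add_hosts_alias "$d/hosts" 127.0.0.1 puppet
    disable_genconfig "$d/puppet.conf"
    set_ini_key "$d/puppet.conf" master certname puppet
    ensure_line_in_section "$d/fileserver.conf" plugins "allow 192.168.1.0/24"
    cat "$d/hosts" "$d/puppet.conf" "$d/fileserver.conf"
    rm -rf "$d"
}
demo
```

Run it as-is to see the demo output, then call the functions on copies of your own /etc/hosts, /etc/puppet/puppet.conf and /etc/puppet/fileserver.conf and diff the result before copying anything back. The section-aware edits matter because certname must land under [master] only; setting it under [agent] as well would clash with the client certificate described in step 15.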

I will be reading more here: http://miao5.blogspot.com/2010/01/setup-puppetmaster-foreman.html

Ruby Ent + Passenger + Puppet + Foreman

Assumptions:
1. svn server: 192.168.0.1
2. new puppetmaster hostname: puppet.domain.ltd
   1. ip address: 192.168.0.2
3. puppetmaster manifests svn url: http://192.168.0.1/svn/puppetmaster/trunk

Steps:

|*| install required packages and group
1. # yum groupinstall "Development Tools"
2. # yum install puppet puppet-server mysql mysql-devel mysql-server ruby-mysql httpd httpd-devel apr-devel rubygems readline-devel

|*| install ruby enterprise
1. # cd ~/incoming

2. # wget http://rubyenterpriseedition.googlecode.com/files/ruby-enterprise-1.8.7-2011.03.tar.gz

3. # tar zxf ruby-enterprise-1.8.7-2011.03.tar.gz

4. # ./ruby-enterprise-1.8.7-2011.03/installer

The installer will install not just ruby-enterprise, but also rails and passenger.

The ruby-enterprise will be installed in: /opt/ruby-enterprise-1.8.7-2011.03/

Add the ruby-enterprise bin to PATH:
1. # vim /etc/profile.d/ruby-enterprise.sh
   1. PATH=/opt/ruby-enterprise-1.8.7-2011.03/bin:$PATH

Link puppet and facter to the ruby-enterprise installation:
1. # cd /opt/ruby-enterprise-1.8.7-2011.03/lib/ruby/site_ruby/1.8
2. # ln -s /usr/lib/ruby/site_ruby/1.8/facter
3. # ln -s /usr/lib/ruby/site_ruby/1.8/facter.rb
4. # ln -s /usr/lib/ruby/site_ruby/1.8/puppet
5. # ln -s /usr/lib/ruby/site_ruby/1.8/puppet.rb

Reboot:
1. # init 6

|*| configure passenger
1. # /opt/ruby-enterprise-1.8.7-2011.03/bin/passenger-install-apache2-module

2. # vi /etc/httpd/conf.d/passenger.conf

   1. LoadModule passenger_module /opt/ruby-enterprise-1.8.7-2011.03/lib/ruby/gems/1.8/gems/passenger-3.0.7/ext/apache2/mod_passenger.so
   2. PassengerRoot /opt/ruby-enterprise-1.8.7-2011.03/lib/ruby/gems/1.8/gems/passenger-3.0.7
   3. PassengerRuby /opt/ruby-enterprise-1.8.7-2011.03/bin/ruby

Info: the content of passenger.conf above also appears on screen while the passenger-install-apache2-module command is executing. It might vary from version to version, so stick with the one the command provides.

|*| retrieve puppet configuration from svn
1. # svn export http://192.168.0.1/svn/puppetmaster/trunk /etc/puppet

|*| replace the existing puppet.conf with the puppetmaster's one
1. # cp /etc/puppet/modules/puppet/files/default/puppetmaster.conf /etc/puppet/puppet.conf
2. # vim /etc/puppet/puppet.conf

   [main]
   # Where Puppet stores dynamic and growing data.
   # The default value is '/var/puppet'.
   vardir = /var/lib/puppet
   # The Puppet log directory.
   # The default value is '$vardir/log'.
   logdir = /var/log/puppet
   # Where Puppet PID files are kept.
   # The default value is '$vardir/run'.
   rundir = /var/run/puppet
   # Where SSL certificates are kept.
   # The default value is '$confdir/ssl'.
   ssldir = $vardir/ssl
   # we use local5 for syslog logging (default: daemon)
   syslogfacility = local5
   # puppetqd
   # (enable puppetqd if activemq is installed and a stomp transport Connector is configured)
   # queue_type = stomp
   # queue_source = stomp://localhost:61613

   [agent]
   # The file in which puppetd stores a list of the classes associated with the
   # retrieved configuration. Can be loaded in the separate ``puppet`` executable
   # using the ``--loadclasses`` option.
   # The default value is '$confdir/classes.txt'.
   classfile = $vardir/classes.txt
   # Where puppetd caches the local configuration. An extension indicating the
   # cache format is added automatically.
   # The default value is '$confdir/localconfig'.
   localconfig = $vardir/localconfig
   # check interval (default: 1800 seconds)
   runinterval = 1800
   # send report to master
   report = true

   [master]
   reports = log,foreman
   factsync = true
   # async_storeconfigs = true # set this to true if queue is configured
   storeconfigs = true
   dbadapter = mysql
   dbuser = puppet
   dbpassword = puppet
   dbserver = localhost
   dbsocket = /var/lib/mysql/mysql.sock
   dbconnections = 20

|*| setup mysql database (assuming the mysql root user's password is empty)
1. # mysql -u root
   1. mysql> create database puppet;
   2. mysql> grant all privileges on puppet.* to puppet@localhost identified by 'puppet';

|*| create mysql root password
1. # mysqladmin -u root password _password_

|*| create keys for puppet.domain.tld, for it to control itself via puppet
1. # /etc/puppet/modules/puppet/files/default/puppet_ssh_keygen.sh --host puppet

|*| start puppetmaster
1. # service puppetmaster start

|*| add the node definition to site.pp
   node "seele.domain.tld" inherits production {
     include http_server
     include puppet_master
     include vmware
     include nfs_server
     include mysql_server
   }

|*| run puppetd once
WARNING: to avoid interfering with the existing puppet environment, if any, we should add the following line to the hosts file:
1. # vim /etc/hosts
   1. 192.168.0.2 puppet.domain.ltd puppet

Stop the iptables before running puppetd:
1. # puppet agent --test --debug --no-daemonize -v

|*| create index
After a successful puppet run, the database will be populated.
1. # mysql puppet
2. mysql> create index exported_restype_title on resources (exported, restype, title(50));

|*| configure puppetmaster via passenger
Ref: http://projects.puppetlabs.com/projects/1/wiki/using_passenger

Stop and disable the puppetmaster daemon:
1. # service puppetmaster stop
2. # chkconfig puppetmaster off

Prepare the puppetmaster web root:
1. # cd /usr/share/puppet/rack
2. # mkdir -p puppetmasterd/{tmp,public}
3. # cd puppetmasterd/
4. # cp /usr/share/puppet/ext/rack/files/config.ru .
5. # chown puppet:root config.ru

Configure the puppetmaster vhost:
# vim /usr/local/etc/httpd/conf.d/vhosts/puppetmaster.conf

   Listen 8140
   <VirtualHost *:8140>
       SSLEngine on
       SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
       SSLCertificateFile /var/lib/puppet/ssl/certs/seele.domain.ltd.pem
       SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/seele.domain.ltd.pem
       SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
       SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
       # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
       SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
       SSLVerifyClient optional
       SSLVerifyDepth 1
       SSLOptions +StdEnvVars
       # The following client headers allow the same configuration to work with Pound.
       RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
       RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
       RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

       DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
       <Directory /usr/share/puppet/rack/puppetmasterd/>
           Options None
           AllowOverride None
           Order allow,deny
           allow from all
       </Directory>
   </VirtualHost>

|*| install and configure foreman
1. # yum install foreman

Disable the foreman services, since we will run it under passenger:
2. # chkconfig foreman off
3. # service foreman stop

Configure the database. foreman uses the same database as puppet:
1. # vim /etc/foreman/database.yml
   production:
     adapter: mysql
     database: puppet
     username: puppet
     password: puppet
     pool: 15
     timeout: 5000

1. # cd /usr/share/foreman
2. # RAILS_ENV=production rake db:migrate

Configure the others accordingly:
1. # vim /etc/foreman/email.yaml
   production:
     delivery_method: :sendmail
     smtp_settings:
       address: smtp.domain.tld
       port: 25
       domain: domain.tld
       authentication: :none

2. # vim /etc/foreman/settings.yaml
   :modulepath: /etc/puppet/modules/
   :tftppath: tftp/
   :rrd_report_url: report/
   :ldap: true
   # your default puppet server - can be overridden at the host level. If none is specified, plain "puppet" will be used.
   #:puppet_server: puppet
   #:unattended: false
   # use the following setting to override the default 30 minute puppet run interval - value must be in minutes
   #:puppet_interval: 60
   #:document_root: /var/www
   # Foreman host, required for http links inside emails
   :foreman_url: puppet.domain.tld:8000
   # where to send the daily report emails; comment out if you want to send to registered Foreman users instead.
   #:administrator: [email protected]
   :failed_report_email_notification: true

Copy the report updater to where puppet knows:
1. # cp extras/puppet/foreman/files/foreman-report.rb /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb
2. # chmod 644 /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb
3. # vim /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb

Edit the URL (unless you have a DNS alias for foreman already) to point to foreman:
   # URL of your Foreman installation
   $foreman_url="http://" + `hostname`.strip + ":8000"

Configure the foreman vhost:
1. # vim /usr/local/etc/httpd/conf.d/vhosts/vhost-foreman.conf

   Listen 8000
   NameVirtualHost *:8000
   <VirtualHost *:8000>
       ServerName puppet.domain.ltd
       ServerAlias foreman
       DocumentRoot /usr/share/foreman/public
       AddDefaultCharset UTF-8
       RailsEnv production
       <Directory /usr/share/foreman/public>
           Order deny,allow
           Deny from all
           Allow from your_network
       </Directory>
   </VirtualHost>

Set up the cron jobs:
1. # crontab -e
   # expires all non interesting reports
   0 22 * * * cd /usr/share/foreman && rake reports:expire days=7 status=0 RAILS_ENV="production"
   # sends out a summary email for the last 24 hours
   0 23 * * * cd /usr/share/foreman/ && rake reports:summarize hours=24 RAILS_ENV="production"

Restart httpd:
1. # service httpd restart

Go to http://puppet.domain.ltd:8000 and log in as admin, default password changeme.
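The vhost files on this page are where agent authentication is actually enforced: Apache checks the agent certificate against the Puppet CA, and Puppet's Rack handler trusts whatever X-Client-DN and X-Client-Verify headers Apache sets. What follows is an added example, not from the page or from the wiki it references: a shell lint that prints the points a reviewer would raise on those files, namely a cipher string that still enables SSLv2 or RC4, a CRL check that was commented out, a missing SSLVerifyClient, SSLOptions +StdEnvVars or X-Client-Verify header, a vhost with no TLS at all, and the your_network placeholder left unreplaced. The sample it writes is the page's own puppetmaster vhost reconstructed as a constructed file, and HIGH:!aNULL:!SSLv2:!RC4 is simply a replacement cipher string chosen for the demo. It assumes GNU grep and sed.

```sh
#!/bin/sh
# Added example, not part of the original page: a small lint for the Apache
# vhost files above. It prints the points a reviewer would raise before the
# puppetmaster or Foreman goes live, one finding per line, nothing if clean.
# It is a checklist for these specific files, not a general TLS audit.
set -e

# Directives currently in effect: comment lines dropped, indentation trimmed.
active_directives() {
    grep -vE '^[[:space:]]*#' "$1" | sed -E 's/^[[:space:]]+//'
}

# Lint the vhost file $1 and print the findings.
lint_apache_vhost() {
    local conf
    conf=$(active_directives "$1")
    if printf '%s\n' "$conf" | grep -qiE '^SSLEngine[[:space:]]+on'; then
        # A TLS vhost, i.e. the puppetmaster: check what agent authentication
        # rests on. Puppet's Rack handler trusts the X-Client-* headers Apache
        # sets, so the client-certificate settings here are the real gate.
        if printf '%s\n' "$conf" | grep -iE '^SSLCipherSuite[[:space:]]' \
                | grep -qE '(^|[^!-])(SSLv2|RC4)'; then
            echo "cipher suite still enables SSLv2 or RC4 ciphers"
        fi
        printf '%s\n' "$conf" | grep -qiE '^SSLCARevocationFile[[:space:]]' ||
            echo "SSLCARevocationFile missing: certificates revoked with puppetca stay usable"
        printf '%s\n' "$conf" | grep -qiE '^SSLVerifyClient[[:space:]]+(optional|require)' ||
            echo "SSLVerifyClient missing: agents are never asked for a certificate"
        printf '%s\n' "$conf" | grep -qiE '^SSLOptions[[:space:]].*\+StdEnvVars' ||
            echo "SSLOptions +StdEnvVars missing: SSL_CLIENT_* is not exported for RequestHeader"
        printf '%s\n' "$conf" | grep -qiE '^RequestHeader[[:space:]]+set[[:space:]]+X-Client-Verify[[:space:]]' ||
            echo "X-Client-Verify header not set: Puppet cannot tell verified agents from anonymous ones"
    else
        echo "SSLEngine is not on: everything on this vhost, logins included, is sent in clear text"
    fi
    if printf '%s\n' "$conf" | grep -q 'your_network'; then
        echo "placeholder your_network was never replaced in an Allow from line"
    fi
}

# Number of findings for $1 (0 means clean).
count_findings() {
    lint_apache_vhost "$1" | awk 'END { print NR }'
}

# The puppetmaster vhost from the page, written to $1 as a constructed sample.
write_page_vhost() {
    cat > "$1" <<'EOF'
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile /var/lib/puppet/ssl/certs/seele.domain.ltd.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/seele.domain.ltd.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
</VirtualHost>
EOF
}

# Demo: the page's vhost as written, then with the cipher string swapped for
# HIGH:!aNULL:!SSLv2:!RC4 (a constructed replacement for this demo).
demo() {
    d=$(mktemp -d)
    write_page_vhost "$d/puppetmaster.conf"
    echo "page vhost:"; lint_apache_vhost "$d/puppetmaster.conf"
    sed -i 's/^\([[:space:]]*\)SSLCipherSuite .*/\1SSLCipherSuite HIGH:!aNULL:!SSLv2:!RC4/' "$d/puppetmaster.conf"
    echo "after the cipher fix: $(count_findings "$d/puppetmaster.conf") finding(s)"
    rm -rf "$d"
}
demo
```

On the page's vhost the only finding is the cipher string; the CRL line is what makes puppetca --revoke take effect at the Apache layer, which is why the lint treats a commented-out SSLCARevocationFile as a finding rather than a convenience. The plain-HTTP finding fires on the Foreman and dashboard vhosts because their login forms travel over those ports.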

Settings >> LDAP Authentication >> Create New

For connecting to Active Directory:
   Name = My Directory
   Host = ad.domain.ltd
   Port = 389 (or 636 if TLS is enabled)
   TLS = no
   Onthefly register = yes
   Account = domain\$login
   Password = _leave blank_
   Base DN = CN=users,DC=host,DC=domain,DC=org
   attr login = sAMAccountName
   attr firstname = givenName
   attr lastname = sN
   mail = mail

For OpenLDAP:
   Name = My Directory
   Host = ldap.domain.ltd
   Port = 389
   TLS = no
   Onthefly register = yes
   Account = _leave blank_ (if anonymous access is enabled)
   Password = _leave blank_
   Base DN = ou=Users,dc=domain,dc=co,dc=il
   attr login = uid
   attr firstname = givenName
   attr lastname = sn
   mail = mail

|*| install puppet-dashboard (yet another monitoring app)

Set up the puppet_dashboard database:
# mysql -u root
mysql> create database puppet_dashboard;
mysql> grant all privileges on puppet_dashboard.* to puppet@localhost identified by 'puppet';

# tar zxf puppet-dashboard-x.x.x.tgz -C /data/vhosts
# cd /data/vhosts/puppet-dashboard
# vim config/database.yml
   production:
     adapter: mysql
     database: puppet_dashboard
     username: puppet
     password: puppet
     encoding: utf8

Then run the installation process:
# RAILS_ENV=production rake install

Copy the report updater to where puppet knows:
# cp lib/puppet/puppet_dashboard.rb /usr/lib/ruby/site_ruby/1.8/puppet/reports/
# chmod 644 /usr/lib/ruby/site_ruby/1.8/puppet/reports/puppet_dashboard.rb
# vim /usr/lib/ruby/site_ruby/1.8/puppet/reports/puppet_dashboard.rb

Edit HOST and PORT respectively:
   HOST = `hostname`.strip
   PORT = 9000

Set up the puppet-dashboard web service:
# vim /usr/local/etc/httpd/conf.d/vhosts/vhost-puppet-bashboard.conf

   Listen 9000
   NameVirtualHost *:9000
   <VirtualHost *:9000>
       ServerName puppet.domain.ltd
       ServerAlias puppet-dashboard
       DocumentRoot /data/vhosts/puppet-dashboard/public
       AddDefaultCharset UTF-8
       RailsEnv production
       <Directory /data/vhosts/puppet-dashboard/public>
           Order deny,allow
           Allow from your_network
       </Directory>
   </VirtualHost>

|*| restart services
# service httpd restart