In part 1 of this discussion, Puppet was installed and tested in a VirtualBox test scenario. Now, as part 2, let's apply Puppet to a Linux cluster. This article covers configuring Mongrel behind Apache, installing Puppet on the client nodes with autosigned certs, and adding the Puppet dependencies to our kickstart file.
Install Mongrel:
We will need a more robust web server than the standard WEBrick built into puppetmasterd, which handles one request at a time and stalls as soon as several nodes check in together, so let's install Mongrel along with Puppet and put Apache in front of it as an SSL-terminating load balancer. Mongrel (or Passenger) is an alternative that you will want if deploying Puppet to more than a few nodes.
yum install puppet puppet-server rubygem-mongrel httpd mod_ssl
Confirm the ports: 8140/tcp is where Apache accepts client connections, so open it on the firewall. 18140, 18141, 18142 and 18143 are the Mongrel backends; they are only meant to be reached by Apache on 127.0.0.1 and must not be reachable from the network. Apache tells the backends who the client is through the X-Client-DN and X-Client-Verify headers in the configuration below, so a host that could connect to a backend directly could set those headers itself and impersonate any node.
Uncomment the PUPPETMASTER_PORTS line in /etc/sysconfig/puppetmaster so the init script starts one Mongrel instance per port:
PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
Configure Mongrel with Apache (the cipher settings and the balancer-manager location below are tightened relative to the Puppet-wiki original; the comments say what changed):
# /etc/httpd/conf.d/puppet.conf
Listen 8140

# Mongrel backends on the loopback interface only; Apache asserts the
# client identity to them via the X-Client-* headers set below.
<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:18140
    BalancerMember http://127.0.0.1:18141
    BalancerMember http://127.0.0.1:18142
    BalancerMember http://127.0.0.1:18143
</Proxy>

# Modify the fully qualified domain name for your server in
# SSLCertificateFile and SSLCertificateKeyFile
<VirtualHost *:8140>
    SSLEngine On
    # The original used "SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA", which
    # still permits RC4 and SSLv2-era suites; restrict protocols and suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppetserver.fqdn.org.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetserver.fqdn.org.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # "optional", not "require": a new node has no certificate yet and must
    # still reach the CA to submit its request.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    # Verified client identity passed to Mongrel; Puppet trusts these headers.
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # The original put the balancer-manager handler on "/" with "Allow from all";
    # keep it on its own path, excluded from proxying, and local-only.
    <Location /balancer-manager>
        SetHandler balancer-manager
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
    ProxyPass /balancer-manager !
    ProxyPass / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
    ProxyPreserveHost On
    ErrorLog /var/log/httpd/balancer_error_log
    CustomLog /var/log/httpd/balancer_access_log combined
    CustomLog /var/log/httpd/balancer_ssl_requests "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
When you restart httpd and puppetmaster, you should see one puppetmasterd process per backend port:
puppet  4996  1  0 20:28 ?  00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd --servertype=mongrel --masterport=18140 --pidfile=/var/run/puppet/puppetmaster.18140.pid
puppet  5043  1  0 20:28 ?  00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd --servertype=mongrel --masterport=18141 --pidfile=/var/run/puppet/puppetmaster.18141.pid
puppet  5090  1  0 20:28 ?  00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd --servertype=mongrel --masterport=18142 --pidfile=/var/run/puppet/puppetmaster.18142.pid
puppet  5137  1  0 20:28 ?  00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd --servertype=mongrel --masterport=18143 --pidfile=/var/run/puppet/puppetmaster.18143.pid
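Worth verifying before you expose the master to the cluster is that the listener layout really is Apache on 8140 and Mongrel on 18140-18143 bound to 127.0.0.1 only. The following POSIX shell check is an added example, not part of the original article: it reads "netstat -lnt"-style output on stdin and reports any backend that is reachable on a non-loopback address. The two samples embedded in it are constructed for the demonstration, not captured from the test cluster.

```shell
#!/bin/sh
# Added example: verify the Puppet listener layout from "netstat -lnt" output.
# Expected layout: Apache front end on 8140, Mongrel backends 18140-18143 on
# 127.0.0.1 (or ::1) only. Local Address is the fourth column of netstat -lnt.

# check_puppet_listeners: read listener lines on stdin; return 0 when 8140 is
# listening and every backend is loopback-only, 1 otherwise (one line per problem).
check_puppet_listeners() {
    awk '
    BEGIN { bad = 0; front = 0 }
    $1 ~ /^tcp/ {
        n = split($4, f, ":")
        port = f[n] + 0
        addr = substr($4, 1, length($4) - length(f[n]) - 1)   # strip ":port"
        if (port == 8140) front = 1
        if (port >= 18140 && port <= 18143) {
            seen[port] = 1
            if (addr != "127.0.0.1" && addr != "::1") {
                # 0.0.0.0, :: or a real interface address: such a backend would
                # accept forged X-Client-DN / X-Client-Verify headers from the network
                printf "EXPOSED: backend %d bound to %s, expected 127.0.0.1\n", port, addr
                bad = 1
            }
        }
    }
    END {
        if (!front) { print "MISSING: nothing listening on 8140 (Apache front end)"; bad = 1 }
        for (p = 18140; p <= 18143; p++)
            if (!(p in seen)) { printf "MISSING: backend %d is not listening\n", p; bad = 1 }
        exit bad
    }'
}

# Constructed sample in "netstat -lnt" layout (not captured from a real host):
# the layout the article describes.
GOOD_SAMPLE='Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:18140             0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:18141             0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:18142             0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:18143             0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN'

# Constructed sample where one backend was started bound to all interfaces.
BAD_SAMPLE='Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:18140             0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:18141               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:18142             0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:18143             0.0.0.0:*                   LISTEN'

# Live use on the puppetmaster:  netstat -lnt | check_puppet_listeners
# Demonstration on the constructed samples:
printf '%s\n' "$GOOD_SAMPLE" | check_puppet_listeners && echo "good sample: backends are loopback-only"
printf '%s\n' "$BAD_SAMPLE"  | check_puppet_listeners || echo "bad sample: rejected"
```

Run it on the master right after restarting httpd and puppetmaster; an EXPOSED line means a backend is accepting connections the Apache front end was supposed to shield, and the fix is the Mongrel bind address, not the firewall alone.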
Add the puppet server name to the admin node line in /etc/hosts on the puppetmaster and on the clients. Clients connect to the host named "puppet" unless told otherwise, and they check that name against the master's certificate, which by default is issued for the master's FQDN plus the name "puppet", so the alias has to be exactly that:
192.168.1.1 admin-node admin-node.fqdn.org puppet
Not having /etc/hosts exactly correct seems to cause lots of delays. I tried changing the puppet server name to puppet-anything, and it wouldn't work, so I settled for using the exact word "puppet" and relying on /etc/hosts to pick up the correct puppet server, regardless of DNS.
Set puppetmaster autosign for certs (a great feature, key autosigning goes so quickly):
echo '*.fqdn.org' > /etc/puppet/autosign.conf
Be clear about what this grants: any host that can reach port 8140 and submits a certificate request whose name matches *.fqdn.org gets a signed certificate with no review, and with it whatever catalogs and files the master serves to that name. Keep the pattern to your own domain, let only the cluster reach 8140, and consider enabling autosign only while provisioning and signing by hand (puppetca --sign) the rest of the time.
Install puppet on the clients; in this example, using pdsh to the group "nodes":
pdsh -g nodes "yum -y install puppet"
pdsh -g nodes "puppetd --waitforcert 30 --test"
--test runs the client once in the foreground with verbose output; --waitforcert 30 makes it submit its certificate request and then poll the master every 30 seconds until the certificate is signed, which with autosign on is effectively immediate.
Then check on the puppetmaster:
ls -laR /var/lib/puppet/ssl/ | grep pem
You should see a certificate for each node under /var/lib/puppet/ssl/ca/signed/, and the signing logged in /var/log/messages (puppetmaster logs to syslog by default).
Add puppet's rpm dependencies to the kickstart file, and point new installs at the master on first boot:
# puppet.ks:
%packages
@base
ruby
ruby-libs
puppet
facter
ruby-shadow
rubygems

%post
/sbin/chkconfig --level 345 puppet on
# $PUPPETIP must be defined (or substituted into the file) before %post runs
/bin/echo "$PUPPETIP puppet" >> /etc/hosts
Next article: managing user accounts, passwords, and ssh keys with Puppet