Overview
This article describes how to use Puppet to manage a group of servers. This management ranges from package management to configuration management and many other things. The goal of this document is to use only stable, trusted CentOS repositories and native RPM package management as much as possible.
The example scenario given here consists of a single puppet server, called the puppet master, and a single client. Both servers are managed by puppet. The scenario can easily be expanded by adding more clients.
Server | Role | IP Address |
---|---|---|
util.example.prv | Puppet Master | 192.168.56.10 |
centos.example.prv | Puppet Client -- This is the server being managed by puppet | 192.168.56.21 |
Prerequisites
This section applies to all servers participating in the puppet architecture, including the puppet master and all of the clients.
- Enable the EPEL yum repository
rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
- The clients use the special DNS name "puppet" to find their puppet master. If the operating system is configured to append its search domain to DNS queries (example.prv in this example), the client will be looking for puppet.example.prv. The server name can be overridden in the client configuration file, but the fewer items that need configuring, the easier the deployment. If modifying DNS is an option, add a puppet record pointing to the puppet master server. If this is not an option, add an entry to /etc/hosts:
192.168.56.10 puppet puppet.example.prv
Puppet Master (Server)
Installation
- Install the puppet-server package along with any dependencies
yum install puppet-server
- Start the puppetmaster daemon. This initializes everything in /var/lib/puppet, including the SSL certificates
service puppetmaster start
Configuration
The puppetmaster daemon that comes packaged with puppet is sufficient for very small environments (5-10 servers) or for testing, but to scale beyond that, puppetmaster should be run as a Rack application.
- Enable the stealthymonkeys.com repository. This is where the Ruby Passenger module (mod_passenger) is maintained (it is even linked from the main Ruby on Rails website)
rpm -Uvh http://passenger.stealthymonkeys.com/rhel/5/passenger-release.noarch.rpm
- Install apache, mod_ssl, some ruby gems, and a few other dependencies
yum install httpd mod_ssl rubygem-rack rubygem-rake mod_passenger
- Copy the package-provided apache configuration to /etc/httpd/conf.d/puppetmaster.conf, rewriting the sample hostname (squigley.namespace.at) to this server's hostname and the /etc/puppet/ paths to /var/lib/puppet/ on the way
cat /usr/share/puppet/ext/rack/files/apache2.conf | \
    sed 's/\/etc\/puppet\//\/var\/lib\/puppet\//g' | \
    sed "s/squigley.namespace.at/`hostname`/g" > /etc/httpd/conf.d/puppetmaster.conf
- Add the following section to /etc/puppet/puppet.conf. Since apache (mod_ssl) now terminates SSL instead of puppetmaster itself, these settings tell puppet which request headers carry the client certificate's DN and the certificate verification result; puppet trusts those headers for the agent's identity, so they must match what the apache configuration sets
[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
- Copy the package-provided Rack configuration to the puppet directory, and set the correct permissions
mkdir -p /var/lib/puppet/rack/public
cp /usr/share/puppet/ext/rack/files/config.ru /var/lib/puppet/rack/
chown -R puppet: /var/lib/puppet/rack
SELinux
If SELinux is set to enforcing mode (which is the default), the following policy changes must be made.
- Allow apache to listen on port 8140
semanage port -a -t http_port_t -p tcp 8140
There are some other policies that keep puppet from working in passenger, but I have yet to flush them out. For now, I have just put SELinux in permissive mode, and will revisit this at some other time.
Execution
- Stop and disable puppetmasterd
service puppetmaster stop
chkconfig puppetmaster off
- Enable and start httpd
service httpd start
chkconfig httpd on
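Before pointing agents at the httpd front end, it is worth verifying the two things the master now depends on: the [master] header settings that carry the agent's certificate identity, and the "puppet" alias from the prerequisites. The following POSIX shell script is an added example, not part of the original article or of Puppet; file paths and the master IP are parameters, defaulting to the values used in this article.

```shell
#!/bin/sh
# Added example (not from the original article or Puppet): sanity checks for
# the master configuration built above. Paths and the master IP are
# parameters so the checks can also be run against copies of the files.

# check_master_headers CONF: succeeds only if CONF has a [master] section
# with ssl_client_header = SSL_CLIENT_S_DN and
# ssl_client_verify_header = SSL_CLIENT_VERIFY. Puppet takes the agent's
# certificate identity from these headers once Apache terminates SSL, so a
# typo here breaks authentication for every agent.
check_master_headers() {
    awk '
        /^[ \t]*\[/ { in_master = ($0 ~ /^[ \t]*\[master\][ \t]*$/); next }
        in_master {
            line = $0
            sub(/#.*/, "", line)         # drop trailing comments
            gsub(/[ \t]/, "", line)      # "key = value" -> "key=value"
            if (line == "ssl_client_header=SSL_CLIENT_S_DN") dn = 1
            if (line == "ssl_client_verify_header=SSL_CLIENT_VERIFY") verify = 1
        }
        END { exit !(dn && verify) }
    ' "$1"
}

# check_puppet_alias HOSTS IP: succeeds if HOSTS (in /etc/hosts format) maps
# the default server name "puppet" to IP, i.e. agents that are not given an
# explicit server will reach the intended master.
check_puppet_alias() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                     # strip comments, re-split fields
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == "puppet") found = 1 }
        END { exit !found }
    ' "$1"
}

# run_checks [CONF] [HOSTS] [MASTER_IP]: report every check; the return value
# is the number of failures, so it can gate a deployment script.
run_checks() {
    rc_conf=${1:-/etc/puppet/puppet.conf}
    rc_hosts=${2:-/etc/hosts}
    rc_master_ip=${3:-192.168.56.10}
    rc_failures=0
    if check_master_headers "$rc_conf"; then echo "ok   [master] ssl headers in $rc_conf"
    else echo "FAIL [master] ssl headers in $rc_conf"; rc_failures=$((rc_failures + 1)); fi
    if check_puppet_alias "$rc_hosts" "$rc_master_ip"; then echo "ok   puppet -> $rc_master_ip in $rc_hosts"
    else echo "FAIL no 'puppet' alias for $rc_master_ip in $rc_hosts"; rc_failures=$((rc_failures + 1)); fi
    return $rc_failures
}
```

Run `run_checks` with no arguments on the puppet master itself, or pass copies of puppet.conf and /etc/hosts to review a configuration offline.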
Puppet Client
- Install the puppet package, along with any dependencies
yum install puppet