Puppet
Latest revision as of 20:59, 7 September 2014
Just testing out Puppet (Enterprise 3.3.1 on CentOS 7, here) can be a bit of a headache, so here's a heads-up!
WHAT
You really, really want at least 2 GB of RAM assigned to the virtual machine (the JVM-based parts, PuppetDB and ActiveMQ, hit swap hard otherwise!).
Disable IPv6 if you don't use it ([http://wiki.centos.org/FAQ/CentOS7#head-8984faf811faccca74c7bcdd74de7467f2fcd8ee How to disable ipv6 on CentOS 7]), to which I'd add: do the same for the named server. Comment out the listen-on-v6 port 53 { ::1; }; line in /etc/named.conf and start named with -4 so it uses IPv4 transport only:
<source lang="bash">
echo 'OPTIONS="-4"' >> /etc/sysconfig/named   # named -4: IPv4 transport only
systemctl restart named.service
</source>
Make sure all your DNS works before you start: forward and reverse lookups for the master and for every agent, and the puppet alias (a CNAME or A record) pointing at the master. This is more than a convenience, because Puppet's TLS is tied to these names: an agent verifies the master's certificate against the name it connects to, so that name has to be the master's certname or one of its DNS alt names, and each agent's own certname defaults to its FQDN.
Create your PostgreSQL roles and databases beforehand! (3.3.1 seems to only support PostgreSQL, and MySQL won't be supported in the future.) 'P4ssw0rd' below is a placeholder: give each of the three roles its own randomly generated password and keep them, you'll need them for the installer's database questions.
<source lang="sql">
-- one role per component, each owning only its own database
CREATE USER "console" PASSWORD 'P4ssw0rd';
CREATE DATABASE "console" OWNER "console" ENCODING 'utf8' LC_CTYPE 'en_US.utf8' LC_COLLATE 'en_US.utf8' template template0;
CREATE USER "console-auth" PASSWORD 'P4ssw0rd';
CREATE DATABASE "console-auth" OWNER "console-auth" ENCODING 'utf8' LC_CTYPE 'en_US.utf8' LC_COLLATE 'en_US.utf8' template template0;
CREATE USER "pe-puppetdb" PASSWORD 'P4ssw0rd';
CREATE DATABASE "pe-puppetdb" OWNER "pe-puppetdb" ENCODING 'utf8' LC_CTYPE 'en_US.utf8' LC_COLLATE 'en_US.utf8' template template0;
</source>
And you'll want these three roles to use md5 (password) auth over TCP in /var/lib/pgsql/data/pg_hba.conf. One caveat: pg_hba.conf is evaluated top to bottom and the first matching line wins, so these rules must come before any broader rule that also matches 127.0.0.1/32, such as the stock host all all 127.0.0.1/32 ident line; if such a line sits above them it wins and the md5 rules are never consulted, and the installer's password logins fail.
<source lang="bash">
tail -n 3 /var/lib/pgsql/data/pg_hba.conf
host pe-puppetdb pe-puppetdb 127.0.0.1/32 md5
host console console 127.0.0.1/32 md5
host console-auth console-auth 127.0.0.1/32 md5
systemctl restart postgresql.service   # a reload would do for pg_hba.conf changes, a restart works too
</source>
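As an added example (not from the original page and not Puppet's own tooling), here is a small POSIX shell check that answers the question the previous paragraph raises: which pg_hba.conf rule PostgreSQL will actually use for a given database, role and client address. It reproduces only the top-to-bottom, first-match evaluation for host rules with an exact CIDR, which is all the three localhost rules above need. The two pg_hba.conf contents it writes are constructed for the demo, modelled on the stock CentOS 7 file (the ident rule for 127.0.0.1/32 is assumed to be that default).

```shell
#!/bin/sh
# pg_hba_method FILE DB ROLE CIDR
# Print the auth method of the first 'host' rule in FILE that matches,
# mimicking PostgreSQL's top-to-bottom, first-match evaluation. Only
# single-name db/role fields and an exact CIDR (or 'all') are understood,
# which is enough for the localhost rules on this page.
pg_hba_method() {
  awk -v db="$2" -v role="$3" -v cidr="$4" '
    /^[ \t]*#/ || NF < 5 { next }            # comments, blanks, "local" rules
    $1 == "host" &&
    ($2 == "all" || $2 == db) &&
    ($3 == "all" || $3 == role) &&
    ($4 == "all" || $4 == cidr) { print $5; exit }
  ' "$1"
}

# Constructed sample 1: the three md5 rules appended below the (assumed)
# stock CentOS 7 catch-all, which is all "tail -n 3" would show you.
write_hba_appended() {
  cat > "$1" <<'EOF'
# TYPE  DATABASE      USER          ADDRESS        METHOD
local   all           all                          peer
host    all           all           127.0.0.1/32   ident
host    all           all           ::1/128        ident
host    pe-puppetdb   pe-puppetdb   127.0.0.1/32   md5
host    console       console       127.0.0.1/32   md5
host    console-auth  console-auth  127.0.0.1/32   md5
EOF
}

# Constructed sample 2: the same rules placed above the catch-all, so the
# PE roles get md5 while everything else on localhost keeps ident.
write_hba_fixed() {
  cat > "$1" <<'EOF'
# TYPE  DATABASE      USER          ADDRESS        METHOD
local   all           all                          peer
host    pe-puppetdb   pe-puppetdb   127.0.0.1/32   md5
host    console       console       127.0.0.1/32   md5
host    console-auth  console-auth  127.0.0.1/32   md5
host    all           all           127.0.0.1/32   ident
host    all           all           ::1/128        ident
EOF
}

# pe_roles_use_md5 FILE: returns 0 if all three PE roles resolve to md5
# for TCP connections from localhost, 1 otherwise.
pe_roles_use_md5() {
  for r in pe-puppetdb console console-auth; do
    [ "$(pg_hba_method "$1" "$r" "$r" 127.0.0.1/32)" = "md5" ] || return 1
  done
  return 0
}

# Demo on the constructed samples. Against the real file you would run:
#   pg_hba_method /var/lib/pgsql/data/pg_hba.conf console console 127.0.0.1/32
tmp=$(mktemp)
write_hba_appended "$tmp"
echo "appended: console -> $(pg_hba_method "$tmp" console console 127.0.0.1/32)"   # ident
write_hba_fixed "$tmp"
echo "fixed:    console -> $(pg_hba_method "$tmp" console console 127.0.0.1/32)"   # md5
rm -f "$tmp"
```

Run pe_roles_use_md5 against the live file after editing it and before starting the installer; a non-zero exit means a rule above the md5 lines is shadowing them.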
You'll need to create a user with sudo privileges (the installer logs in over SSH as this user and sudos to root, which is also why sshd has to be reachable, see the firewall rules below):
<source lang="bash">
adduser -m puppet
passwd puppet   # set a password if sudo requires one; it is also used if you allow password SSH auth
ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa   # generate root's keypair if there isn't one yet
mkdir -p /home/puppet/.ssh/
cp /root/.ssh/id_rsa.pub /home/puppet/.ssh/authorized_keys
chown -R puppet:puppet /home/puppet/.ssh/
chmod 700 /home/puppet/.ssh/           # sshd refuses the key if the directory or file are more open than this
chmod 600 /home/puppet/.ssh/authorized_keys
usermod -a -G wheel puppet             # wheel = full sudo on CentOS 7
</source>
Two things to keep in mind: this hands the puppet account full root through sudo, so keep the wheel rule password-protected (the CentOS 7 default) rather than NOPASSWD, and the key installed here is root's own key, so anyone holding /root/.ssh/id_rsa can log in as puppet. A dedicated keypair for the installer is cleaner, and the account can be removed once the install is done.
You'll also want these ports open. Here's how I did it on CentOS 7:
<source lang="bash">
firewall-cmd --zone=public --permanent --add-port=22/tcp     # sshd - the installer uses it to connect to the master itself as an agent
firewall-cmd --zone=public --permanent --add-port=61613/tcp  # mcollective (ActiveMQ stomp)
firewall-cmd --zone=public --permanent --add-port=3000/tcp   # the web installer, only needed while installing
firewall-cmd --zone=public --permanent --add-port=443/tcp    # the console/dashboard
firewall-cmd --zone=public --permanent --add-port=8081/tcp   # puppetdb - it only seems to listen on 127.0.0.1 though, so this rule does nothing
firewall-cmd --zone=public --permanent --add-port=8140/tcp   # puppet master
systemctl restart firewalld.service   # --permanent rules only take effect after a reload or restart
</source>
Close port 3000 again once the installer is done (same command with --remove-port instead of --add-port): the web installer takes the SSH/sudo credentials you created above, and there's no reason to leave it reachable. Likewise, there's no point opening 8081 while PuppetDB only binds to 127.0.0.1, and exposing it later should be a deliberate decision, since it serves the whole node inventory (facts, catalogs, reports).
Here's an example answer file for an agent-only install (there doesn't seem to be one in the tarball, so you have to make your own). The names are examples: q_puppetagent_certname must be the agent's own FQDN, and q_puppetagent_server the name the master's certificate is valid for (its certname or one of the DNS alt names), otherwise the agent rejects the master's certificate. q_fail_on_unsuccessful_master_lookup=y makes the install abort rather than carry on when that name doesn't resolve, which is what you want given the DNS point above, and q_pe_check_for_updates=n keeps the node from phoning home to check for updates.
<source lang="bash">
q_all_in_one_install=n
q_database_install=n
q_disable_live_management=n
q_fail_on_unsuccessful_master_lookup=y
q_install=y
q_pe_check_for_updates=n
q_puppet_cloud_install=n
q_puppet_enterpriseconsole_install=n
q_puppetagent_certname=debian.example.internal
q_puppetagent_install=y
q_puppetagent_server=puppet.example.internal
q_puppetca_install=n
q_puppetdb_install=n
q_puppetmaster_certname=puppet.example.internal
q_puppetmaster_dnsaltnames=puppet,puppet.example.internal
q_puppetmaster_install=n
q_run_updtvpkg=n
q_vendor_packages_install=y
</source>