Puppet: Difference between revisions

From D3xt3r01.tk
Jump to navigationJump to search
 
(8 intermediate revisions by the same user not shown)
Line 3: Line 3:
==WHAT==
==WHAT==


You really really really want at least 1Gb of ram assigned to the virtual machine ( the java stuff hits the swap hard ! )
You really really really want at least 2Gb of ram assigned to the virtual machine ( the java stuff hits the swap hard ! )
 
Disable your ipv6 if you don't use it [http://wiki.centos.org/FAQ/CentOS7#head-8984faf811faccca74c7bcdd74de7467f2fcd8ee How to disable ipv6 on CentOS 7] to which I'd add to do this for the named server ( also don't forget to disable the listen ::1 and stuff from /etc/named.conf )
<source lang="bash">
echo 'OPTIONS="-4"' >> /etc/sysconfig/named # so it won't resolve ipv6 addresses
systemctl restart named.service
</source>
 
Make sure all your dns works right ( aliases pointing to master, dns for the agents and so on )


Create your postgresql users before hand ! ( 3.3.1 seems to only support postgres and they won't support mysql in the future )
Create your postgresql users before hand ! ( 3.3.1 seems to only support postgres and they won't support mysql in the future )
Line 20: Line 28:
<source lang="bash">
<source lang="bash">
tail -n 3 /var/lib/pgsql/data/pg_hba.conf
tail -n 3 /var/lib/pgsql/data/pg_hba.conf
#host    pe-puppetdb    pe-puppetdb    127.0.0.1/32    md5
 
#host    console console 127.0.0.1/32    md5
host    pe-puppetdb    pe-puppetdb    127.0.0.1/32    md5
#host    console-auth    console-auth    127.0.0.1/32    md5
host    console console 127.0.0.1/32    md5
host    console-auth    console-auth    127.0.0.1/32    md5
 
systemctl restart postgresql.service
systemctl restart postgresql.service
</source>
</source>
Line 29: Line 39:
<source lang="bash">
<source lang="bash">
adduser -m puppet
adduser -m puppet
passwd puppet ( and set a password if you're only allowing sudo with password, it'll also be used if the ssh is with password auth )
passwd puppet # ( and set a password if you're only allowing sudo with password, it'll also be used if the ssh is with password auth )
genkey
genkey
mkdir -p /home/puppet/.ssh/
mkdir -p /home/puppet/.ssh/
Line 36: Line 46:
chmod 700 /home/puppet/.ssh/
chmod 700 /home/puppet/.ssh/
chmod 600 /home/puppet/.ssh/authorized_keys
chmod 600 /home/puppet/.ssh/authorized_keys
usermod -a -G wheel puppet
</source>
</source>


Line 45: Line 56:
firewall-cmd --zone=public --permanent --add-port=3000/tcp # the ruby installer  
firewall-cmd --zone=public --permanent --add-port=3000/tcp # the ruby installer  
firewall-cmd --zone=public --permanent --add-port=443/tcp # the dashboard
firewall-cmd --zone=public --permanent --add-port=443/tcp # the dashboard
firewall-cmd --zone=public --permanent --add-port=8081/tcp # it only seems to listen on 127.0.0.1 though ...
firewall-cmd --zone=public --permanent --add-port=8140/tcp # puppet master
firewall-cmd --zone=public --permanent --add-port=8140/tcp # puppet master
systemctl restart firewalld.service
systemctl restart firewalld.service
</source>
Here's an example answer file for agent only ( there doesn't seem to be one in the repo and you have to make your own )
<source lang="bash">
q_all_in_one_install=n
q_database_install=n
q_disable_live_management=n
q_fail_on_unsuccessful_master_lookup=y
q_install=y
q_pe_check_for_updates=n
q_puppet_cloud_install=n
q_puppet_enterpriseconsole_install=n
q_puppetagent_certname=debian.example.internal
q_puppetagent_install=y
q_puppetagent_server=puppet.example.internal
q_puppetca_install=n
q_puppetdb_install=n
q_puppetmaster_certname=puppet.example.internal
q_puppetmaster_dnsaltnames=puppet,puppet.example.internal
q_puppetmaster_install=n
q_run_updtvpkg=n
q_vendor_packages_install=y
</source>
</source>

Latest revision as of 20:59, 7 September 2014

Just testing out puppet can be a lil' bit of a headache .. here's a heads up !

WHAT

You really really really want at least 2Gb of ram assigned to the virtual machine ( the java stuff hits the swap hard ! )

Disable your ipv6 if you don't use it How to disable ipv6 on CentOS 7 to which I'd add to do this for the named server ( also don't forget to disable the listen ::1 and stuff from /etc/named.conf )

echo 'OPTIONS="-4"' >> /etc/sysconfig/named # so it won't resolve ipv6 addresses
systemctl restart named.service

Make sure all your dns works right ( aliases pointing to master, dns for the agents and so on )

Create your postgresql users before hand ! ( 3.3.1 seems to only support postgres and they won't support mysql in the future )

CREATE USER "console" PASSWORD 'P4ssw0rd';
CREATE DATABASE "console" OWNER "console" ENCODING 'utf8' LC_CTYPE 'en_US.utf8' LC_COLLATE 'en_US.utf8' template template0;
CREATE USER "console-auth" PASSWORD 'P4ssw0rd';
CREATE DATABASE "console-auth" OWNER "console-auth" ENCODING 'utf8' LC_CTYPE 'en_US.utf8' LC_COLLATE 'en_US.utf8' template template0;
CREATE USER "pe-puppetdb" PASSWORD 'P4ssw0rd';
CREATE DATABASE "pe-puppetdb" OWNER "pe-puppetdb" ENCODING 'utf8' LC_CTYPE 'en_US.utf8' LC_COLLATE 'en_US.utf8' template template0;

And you'll probably want to set it up to use md5 auth in /var/lib/pgsql/data/pg_hba.conf

tail -n 3 /var/lib/pgsql/data/pg_hba.conf

host    pe-puppetdb     pe-puppetdb     127.0.0.1/32    md5
host    console console 127.0.0.1/32    md5
host    console-auth    console-auth    127.0.0.1/32    md5

systemctl restart postgresql.service

You'll neet to create an user with sudo privileges !

adduser -m puppet
passwd puppet # ( and set a password if you're only allowing sudo with password, it'll also be used if the ssh is with password auth )
genkey
mkdir -p /home/puppet/.ssh/
cp /root/.ssh/id_rsa.pub /home/puppet/.ssh/authorized_keys
chown -R puppet:puppet /home/puppet/.ssh/
chmod 700 /home/puppet/.ssh/
chmod 600 /home/puppet/.ssh/authorized_keys
usermod -a -G wheel puppet

You'll also want these ports open. Here's how I did it on centos 7:

firewall-cmd --zone=public --permanent --add-port=22/tcp # sshd - it uses it to connect to itself as an agent
firewall-cmd --zone=public --permanent --add-port=61613/tcp # mcollective
firewall-cmd --zone=public --permanent --add-port=3000/tcp # the ruby installer 
firewall-cmd --zone=public --permanent --add-port=443/tcp # the dashboard
firewall-cmd --zone=public --permanent --add-port=8081/tcp # it only seems to listen on 127.0.0.1 though ...
firewall-cmd --zone=public --permanent --add-port=8140/tcp # puppet master
systemctl restart firewalld.service

Here's an example answer file for agent only ( there doesn't seem to be one in the repo and you have to make your own )

q_all_in_one_install=n
q_database_install=n
q_disable_live_management=n
q_fail_on_unsuccessful_master_lookup=y
q_install=y
q_pe_check_for_updates=n
q_puppet_cloud_install=n
q_puppet_enterpriseconsole_install=n
q_puppetagent_certname=debian.example.internal
q_puppetagent_install=y
q_puppetagent_server=puppet.example.internal
q_puppetca_install=n
q_puppetdb_install=n
q_puppetmaster_certname=puppet.example.internal
q_puppetmaster_dnsaltnames=puppet,puppet.example.internal
q_puppetmaster_install=n
q_run_updtvpkg=n
q_vendor_packages_install=y