Deploying a Puppet Master Server on CentOS 6

Overview

A very popular tool for any operations engineer’s DevOps utility belt is Puppet – a system configuration management service. It allows you to automate the entire process of system configuration and maintain consistency across groups of servers. Imagine having to deploy 50 servers for a new web farm, each requiring the exact same configuration: an especially daunting task when done manually. With Puppet, we simply define a server configuration for the web nodes, including which packages and services are installed and how they themselves are configured, and then assign that configuration to those systems.

Another benefit to using a tool like Puppet is the ability to update configurations across your entire infrastructure on the fly. This could mean installation of the latest version of MySQL onto your database servers, or simply modifying DNS configurations for every server in the environment.

Puppet uses a client-server model. By that I mean our configurations are defined and stored on what is called a Puppet master server, and each system that will have its configuration maintained by Puppet has a client installed. Every 30 minutes, by default, each client communicates with the master server to have its configuration audited. When a discrepancy is discovered between the client’s current configuration and what is defined for it, the appropriate actions are taken to bring the system back into compliance.

This tutorial will guide you through setting up and running a Puppet master server using the open-source version of the software on a CentOS 6 server. Unlike the enterprise version of Puppet, the open-source version requires quite a bit of manual configuration. Nothing overwhelming but definitely not as simple as running a single executable.

Goals

  • Deploy a Puppet Master server

Installing Puppet

Disabling SELinux

I am a very strong advocate of always running SELinux on Red Hat-based servers. I do not take disabling it lightly and avoid doing so where possible. However, at the time of this writing I was unable to find a satisfactory way of enabling SELinux on a Puppet master server. There are SELinux policies for Puppet that can be found on the Internet. Unfortunately, I cannot recommend using any of them since they are not refined enough to ensure the system is secure.

Outright disabling SELinux is a very bad idea. You never know when you’ll need to re-enable it, and when it comes time to re-enable SELinux the system will have to relabel every file, directory and port with the appropriate contexts. This is a very, very, very time consuming process. Instead, I recommend placing SELinux into Permissive mode. This way SELinux doesn’t block Puppet’s processes and communications, and our files, directories, and ports all keep their contexts.

  1. Immediately place SELinux into permissive mode.
    setenforce 0
  2. The command above is not persistent. It will be undone during the next reboot. To make the change persistent, open the SELinux configuration file into a text editor.
    nano /etc/sysconfig/selinux
  3. Change the SELINUX value from enforcing to permissive, as seen in the example below.
     
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
  4. Save your changes and exit the text editor.
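The edit above is a one-line change, but it is easy to get subtly wrong: the comment lines also contain the text "SELINUX=", and on CentOS 6 /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so a careless rewrite can replace the link with a plain file. The script below is an added example (not part of the original tutorial) that makes the change persistently, refuses unknown modes, warns when leaving the disabled state (which is what forces the relabel described above), and verifies the result. The function and file names are my own; the sample file is a constructed copy of the CentOS 6 default so the script runs without touching the real system.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: switch the persistent
# SELinux mode in a sysconfig-style file and verify the result. The file is a
# parameter so the functions can be exercised on a constructed copy instead
# of /etc/sysconfig/selinux.

set -e

# get_selinux_mode FILE: print the active (uncommented) SELINUX= value.
get_selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# set_selinux_mode FILE MODE: rewrite the live SELINUX= line only. Comment
# lines also contain "SELINUX=", so the pattern is anchored at column one.
set_selinux_mode() {
    file="$1"
    mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "refusing unknown SELinux mode '$mode'" >&2; return 1 ;;
    esac
    current=$(get_selinux_mode "$file")
    if [ "$current" = "disabled" ] && [ "$mode" != "disabled" ]; then
        # Leaving 'disabled' is what forces the full relabel the text warns about.
        echo "note: leaving 'disabled' requires a full relabel on the next boot (touch /.autorelabel)" >&2
    fi
    tmpf="$file.tmp.$$"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmpf"
    # Copy the content through rather than mv: /etc/sysconfig/selinux is a
    # symlink to /etc/selinux/config on CentOS 6, and mv would replace the
    # link with a regular file (and drop ownership and mode).
    cat "$tmpf" > "$file"
    rm -f "$tmpf"
    # Verify that exactly the requested mode is now configured.
    [ "$(get_selinux_mode "$file")" = "$mode" ]
}

# Constructed copy of the CentOS 6 default file, used for the demonstration.
write_sample_selinux_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}

# Demonstration on a temporary copy. On a real master the call would be
#   set_selinux_mode /etc/sysconfig/selinux permissive
# followed by 'setenforce 0' for the running kernel.
tmp=$(mktemp)
write_sample_selinux_config "$tmp"
echo "before: $(get_selinux_mode "$tmp")"
set_selinux_mode "$tmp" permissive
echo "after:  $(get_selinux_mode "$tmp")"
rm -f "$tmp"
```

Running it on the real file still needs root, and `setenforce 0` remains necessary for the current boot; the script only covers the persistent half of the change.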

 

Install the Puppet Repo

The easiest way to install Puppet is by adding the Puppet Labs repository file to your server. We can install it by using the freely available RPM provided by Puppet Labs.

  1. Download and install Puppet Labs’ repository RPM. At the time of this writing, version 6.7 was available.
    rpm -ivh http://yum.puppetlabs.com/el/6/products/i386/puppetlabs-release-6-7.noarch.rpm
  2. If all was successful, you should now have a file called puppetlabs.repo located in /etc/yum.repos.d/.
    -rw-r--r--. 1 root root 1926 Nov 27  2013 CentOS-Base.repo
    -rw-r--r--. 1 root root  638 Nov 27  2013 CentOS-Debuginfo.repo
    -rw-r--r--. 1 root root  630 Nov 27  2013 CentOS-Media.repo
    -rw-r--r--. 1 root root 3664 Nov 27  2013 CentOS-Vault.repo
    -rw-r--r--. 1 root root 1250 Apr 12  2013 puppetlabs.repo
    

 

Install the Puppet Master

The Puppet Master is where your nodes get their configuration profiles from.

  1. Install the Puppet Master package from the Puppetlabs repository.
    yum install -y puppet-server
  2. Start the Puppet Master service.
    service puppetmaster start
  3. Ensure the Puppet master starts at boot.
    puppet resource service puppetmaster ensure=running enable=true

 

Install a Web Server for Puppet Agent Access

Each server being managed by Puppet will have an agent installed. By default, the agent will attempt to connect to a Puppet master server using an HTTPS connection. We need to ensure a web server is available on the master server to allow us to service our clients. You can use any web server, but we’ll be using Apache in this tutorial.

  1. Install the web server and some other required packages, like Ruby.
    yum install -y httpd httpd-devel mod_ssl ruby-devel rubygems openssl-devel gcc-c++ curl-devel zlib-devel make automake
  2. The web service requires Passenger to process the Ruby files used by Puppet. We install it using RubyGems.
    gem install rack passenger
  3. With Passenger installed, build and install its Apache module.
    passenger-install-apache2-module

 

Prepare Puppet’s Apache directory

  1. Create the Rack application directory for the Puppet master.
    mkdir -p /usr/share/puppet/rack/puppetmasterd
  2. Create the document root and tmp directories.
    mkdir /usr/share/puppet/rack/puppetmasterd/public  /usr/share/puppet/rack/puppetmasterd/tmp
  3. Copy the Rack config template to our Apache virtual host’s directory root.
    cp /usr/share/puppet/ext/rack/files/config.ru  /usr/share/puppet/rack/puppetmasterd/
  4. Apply the appropriate permissions to the configuration file.
    chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru

 

Create the Apache Virtual Host for Puppet

  1. Create a configuration file for the Apache virtual host.
    touch /etc/httpd/conf.d/puppetlabs.conf
  2. Edit the file and add the following contents. Replace puppet.serverlab.intra in the certificate and key paths with your own master’s certname, since Puppet names those files after it.
    # And the passenger performance tuning settings:
    PassengerHighPerformance On
     
    #PassengerUseGlobalQueue On
    # Set this to about 1.5 times the number of CPU cores in your master:
    PassengerMaxPoolSize 6
     
    # Recycle master processes after they service 1000 requests
    PassengerMaxRequests 1000
     
    # Stop processes if they sit idle for 10 minutes
    PassengerPoolIdleTime 600
    Listen 8140
     
    <VirtualHost *:8140>
        SSLEngine On
     
        # Only allow high security cryptography. Alter if needed for compatibility.
        SSLProtocol             All -SSLv2
        SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
        SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.serverlab.intra.pem 
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.serverlab.intra.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient         optional
        SSLVerifyDepth        1
        #SSLOptions            +StdEnvVars +ExportCertData
        SSLOptions              +StdEnvVars
     
        # These request headers are used to pass the client certificate
        # authentication information on to the puppet master process
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
     
        # RackAutoDetect On
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
     
        <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from All
        </Directory>
     
    </VirtualHost>
  3. Stop the puppetmaster service.
    service puppetmaster stop
  4. Start the Apache service.
    service httpd start
  5. Disable the puppetmaster service to prevent it from starting during system boot.
    chkconfig puppetmaster off
  6. Enable the Apache service to automatically start it during system boot.
    chkconfig httpd on
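Before the virtual host goes live it is worth checking its TLS directives, because the configuration above comes from an era when `SSLProtocol All -SSLv2` and a cipher list that adds `RC4+RSA` were acceptable; SSLv3 and RC4 are both considered broken today, and the Puppet agent negotiates AES cipher suites without them. The script below is an added example (not part of the original tutorial or of Puppet) that audits the vhost file for those two settings and for a missing `SSLCARevocationFile`, and prints replacement directives. The function names are my own, and the sample vhost is a constructed excerpt of the tutorial’s TLS lines so the audit runs offline.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the TLS directives
# of the Puppet virtual host before Apache is started. It flags the two
# settings in the tutorial's configuration that modern practice rejects
# (SSLv3 left enabled, RC4 ciphers added) and checks that a CRL is configured.
# The sample configuration below is constructed for the demonstration.

set -e

# audit_tls_config FILE: write one finding per line to stdout and return
# 1 if any finding was produced, 0 if the file passes.
audit_tls_config() {
    file="$1"
    findings=0
    # First value of each directive; indentation inside <VirtualHost> is tolerated.
    proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}//p' "$file" | head -n 1)
    ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]\{1,\}//p' "$file" | head -n 1)

    # "All -SSLv2" still permits SSLv3. Accept either an explicit -SSLv3 or an
    # allow-list that names only TLS versions (lightweight check, not a full parser).
    case "$proto" in
        *-SSLv3*) ;;
        TLSv1*) ;;
        *) echo "SSLProtocol '$proto': SSLv3 is not excluded"; findings=$((findings + 1)) ;;
    esac

    # RC4 must not appear unless it is being removed with !RC4.
    case "$ciphers" in
        *'!RC4'*) ;;
        *RC4*) echo "SSLCipherSuite '$ciphers': RC4 ciphers are enabled"; findings=$((findings + 1)) ;;
    esac

    # Without the CA's CRL, Apache keeps accepting agent certificates the
    # Puppet CA has revoked.
    if ! grep -q '^[[:space:]]*SSLCARevocationFile' "$file"; then
        echo "SSLCARevocationFile is not set: revoked agent certificates stay valid"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# hardened_tls_directives: replacement lines for the two weak directives.
hardened_tls_directives() {
    cat <<'EOF'
SSLProtocol             All -SSLv2 -SSLv3
SSLCipherSuite          HIGH:!aNULL:!MD5:!RC4
EOF
}

# Constructed sample: the TLS-related lines of the tutorial's vhost, verbatim.
write_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:8140>
    SSLEngine On
    SSLProtocol             All -SSLv2
    SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
</VirtualHost>
EOF
}

# Demonstration on a temporary copy; on the master the argument would be
# /etc/httpd/conf.d/puppetlabs.conf.
tmp=$(mktemp)
write_sample_vhost "$tmp"
if audit_tls_config "$tmp"; then
    echo "no weak TLS settings found"
else
    echo "replace the flagged directives with:"
    hardened_tls_directives
fi
rm -f "$tmp"
```

`SSLVerifyClient optional` is deliberately not flagged: agents present no certificate on their very first request (the CSR submission), so the vhost has to tolerate unauthenticated connections and leave authorisation to the Puppet master, which is what the X-Client-Verify header is for.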