Puppet
Puppet is a configuration management tool that is extremely useful. It lets the admin manage a single resource definition instead of every node in the cluster individually, and it ensures that software is consistently installed, configured, and properly started on all systems.
The puppet version in almost every distribution repo is far too outdated. Puppet 2.7 or later is highly recommended by this guide. Thankfully Puppet Labs provides a really good repository.
Check the Puppet Labs yum repo for the latest version. Look for the 'puppetlabs-release' rpm for the highest release.
$ sudo yum install https://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm
Once that is installed, we can now install puppet.
$ sudo yum install puppet-server
Configure the master to autosign the SSL certs for nodes so we don't have to sign them by hand for each node. This should be disabled once the nodes are enrolled, since it is a security risk: any host that can reach the master and submits a certificate request with a name matching the pattern gets a signed certificate without review.
$ sudo vim /etc/puppet/autosign.conf
*.cluster.domain
Turn Puppetmaster on during boot
$ sudo chkconfig puppetmaster on
Start the puppetmaster
$ sudo service puppetmaster start
Verify that the puppet client can connect to the server. This won't do much, but it should set up the keys and get the basic files configured.
$ sudo puppet agent -t
If that doesn't work or it times out, try adding the puppet hostname to /etc/hosts. Then try again.
$ sudo sh -c 'echo "127.0.0.1 puppet.cluster.domain" >> /etc/hosts'
Once the puppet client and server can talk, there will most likely be an "error" about "Could not find node definition". Let's fix that.
$ sudo vim /etc/puppet/manifests/site.pp
node 'frontend01.cluster.domain' { }
Puppet Labs provides a forge for community modules. The firewall module is very useful.
Install it:
$ puppet module install puppetlabs-firewall
Configure the frontend node:
$ sudo vim /etc/puppet/manifests/site.pp
node 'frontend01.cluster.domain' {
  # Include the rules that are common to all cluster nodes
  include cluster_firewall
  # Open the port for the puppet master server.
  firewall { '8140 open puppet master':
    port   => 8140,
    proto  => tcp,
    action => accept,
  }
}
Configure the cluster_firewall:
$ sudo mkdir /etc/puppet/modules/cluster_firewall
There are three parts to the cluster firewall: pre.pp holds the rules that must run first, post.pp holds the rules that must run last, and init.pp holds the main rule set.
$ sudo vim /etc/puppet/modules/cluster_firewall/manifests/init.pp
class cluster_firewall () {
  # Remove any iptables rule that is not managed by Puppet.
  resources { "firewall": purge => true }
  # Every firewall rule runs after the pre rules and before the post rules.
  Firewall {
    before  => Class['cluster_firewall::post'],
    require => Class['cluster_firewall::pre'],
  }
  # Open SSH on all the nodes.
  firewall { '22 open ssh':
    port   => 22,
    proto  => tcp,
    action => accept,
  }
  include cluster_firewall::pre
  include cluster_firewall::post
}
$ sudo vim /etc/puppet/modules/cluster_firewall/manifests/pre.pp
class cluster_firewall::pre {
  # The pre rules must not depend on themselves, so clear the default.
  Firewall { require => undef, }
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }->
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }->
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
  }
}
$ sudo vim /etc/puppet/modules/cluster_firewall/manifests/post.pp
class cluster_firewall::post {
  # The final drop rule must not be ordered before itself, so clear the default.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}
Now that the firewall module is configured, we can use it to open the puppet master port. Edit the site.pp file and add the rule to the frontend config.
$ sudo vim /etc/puppet/manifests/site.pp
node 'frontend01.cluster.domain' {
  firewall { '8140 puppet master':
    port   => 8140,
    proto  => tcp,
    action => accept,
  }
}
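As an added example (not part of the original guide), here is a tighter frontend node definition that keeps the cluster_firewall ordering from above, limits the puppet master port to the cluster's own network, and removes autosign.conf once every node has been enrolled. The subnet 10.0.0.0/24 is an assumed placeholder; adjust it to the cluster's actual address range.

```puppet
# Added example, not from the original guide. Assumes the cluster_firewall
# module defined above and a cluster network of 10.0.0.0/24 (placeholder).
node 'frontend01.cluster.domain' {
  # Shared rules: purge unmanaged iptables rules, pre/post ordering, SSH.
  include cluster_firewall

  # Only cluster nodes need to reach the puppet master on 8140/tcp, so
  # 'source' narrows the rule instead of accepting from any address.
  firewall { '8140 open puppet master to cluster':
    port   => 8140,
    proto  => 'tcp',
    source => '10.0.0.0/24',
    action => 'accept',
  }

  # Once all nodes have signed certificates, stop auto-signing requests.
  # Removing the file turns autosign off; new nodes' certificate requests
  # then wait on the master until an admin signs them by hand.
  file { '/etc/puppet/autosign.conf':
    ensure => absent,
  }
}
```

Apply this version only after the last node has completed its first agent run, because any node that has not yet received a certificate will no longer be signed automatically.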
Test the config and ensure it all works.
$ sudo puppet agent -t
Turn Puppet client on during boot
$ sudo chkconfig puppet on
Start the puppet client
$ sudo service puppet start