Server Side Installation
Host Name: PuppetMaster
ruby-1.8.5-5.el5_4.8
ruby-libs-1.8.5-5.el5_4.8
Facter 1.6.0 (tar+gzip)
(http://www.puppetlabs.com/misc/download-options/)
puppet-2.7.1 (tar.gz)
(http://www.puppetlabs.com/misc/download-options/)
Note:
Please follow the above sequence for installation.
A supported Ruby version. Ruby 1.8.5, 1.8.7, and 1.9.2 are fully supported (with a handful of known issues under 1.9.2); Ruby 1.8.1 is supported on a best-effort basis for agent use only. Other versions of Ruby are used at your own risk, and Ruby 1.8.6, 1.9.0, and 1.9.1 are not recommended for compatibility reasons.
To avoid any certificate errors, make sure the following criteria are fulfilled:
1) Make sure the time on puppet Server and puppet client is in sync.
2) Make sure that /etc/hosts file has proper entry on both puppet client and puppet server.
Installation Steps:
1) ruby-1.8.5-5.el5_4.8
# yum install ruby
Confirm the installation :
# rpm -qa | grep ruby
ruby-1.8.5-5.el5_4.8
ruby-libs-1.8.5-5.el5_4.8
# ruby --version
ruby 1.8.5 (2006-08-25) [i386-linux]
2) ruby-libs-1.8.5-5.el5_4.8
is installed automatically when you run yum install ruby.
4) Facter 1.6.0 (tar+gzip)
#gunzip facter-1.6.0.tar.gz
#tar -xvf facter-1.6.0.tar
#cd facter-1.6.0
#ruby install.rb
Confirm the installation.
# facter --version
1.6.0
5) puppet-2.7.1 (tar.gz)
#gunzip /install/puppet-2.7.1.tar.gz
#tar -xvf puppet-2.7.1.tar
#cd puppet-2.7.1
#ruby install.rb
Confirm the installation.
# puppet --version
2.7.1
#puppetmasterd --version
2.7.1
#puppetd --version
2.7.1
#puppetca --version
2.7.1
Configuration:
Step 1: Create manifests folder
#mkdir -p /etc/puppet/manifests
Step 2: Place your site.pp file into it.
Content of site.pp file
# Enforce ownership and permissions on /etc/sudoers
file { "/etc/sudoers":
  owner => root, group => root, mode => 440
}
The above lines ensure that the /etc/sudoers file on the client meets the following requirement:
owner = root, group = root, mode = 440
Step 3: Start the puppet master.
# puppet master --mkusers
Note: The example given here demonstrates the following:
the basic puppet (2.7.1) setup
getting started with puppet (2.7.1)
(a simple check to see that the file permission is enforced through puppet)
Client Side Installation
Installation Steps:
Note :
There are no separate steps for puppet client installation. The installation steps performed on the puppet server need to be performed on the puppet client as well.
Configuration Step
Step 1:
Run the following command to apply the rules defined on the puppet server.
# puppet agent --server puppetmaster --waitforcert 60 --test
info: Creating a new SSL key for puppetclient.domain.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for puppetclient.domain.com
info: Certificate Request fingerprint (md5): 72:C6:73:89:B9:69:D9:8D:93:69:C3:69:14:AD:7E:E2
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Note:
For the first run you will need to register your client at the server.
(Read further in this article to see how to register your client at the server.)
After the client is registered on the server, you should get the following response.
# puppet agent --server PuppetMaster --waitforcert 60 --test
info: Caching catalog for puppetclient.domain.com
info: Applying configuration version '1309406496'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.05 seconds
As the /etc/sudoers file already meets the puppet server's manifest, we didn't notice any change in the above output.
# ls -ltr /etc/sudoers
-r--r----- 1 root root 3185 Jan 22 2009 /etc/sudoers
To actually see the changes at the puppet client, let's modify the /etc/sudoers file.
[root@puppetclient tmp]# chmod 777 /etc/sudoers
[root@puppetclient tmp]# chown ftp:root /etc/sudoers
[root@puppetclient tmp]# ls -ltr /etc/sudoers
-rwxrwxrwx 1 ftp root 3185 Jan 22 2009 /etc/sudoers
Now that the permissions on /etc/sudoers have been changed on the puppet client,
we will run the command once again and check the output.
# puppet agent --server PuppetMaster --waitforcert 60 --test
info: Caching catalog for puppetclient.domain.com
info: Applying configuration version '1309406496'
notice: /Stage[main]//File[/etc/sudoers]/owner: owner changed 'ftp' to 'root'
notice: /Stage[main]//File[/etc/sudoers]/mode: mode changed '777' to '440'
notice: Finished catalog run in 0.11 seconds
Now check the permission.
[root@puppetclient tmp]# ls -ltr /etc/sudoers
-r--r----- 1 root root 3185 Jan 22 2009 /etc/sudoers
As you can see, the puppet master has implemented the rule on the puppet client.
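A correction like the one above also tells you that something on the client changed /etc/sudoers outside of Puppet. The Ruby sketch below is an added example, not part of the original post: it scans agent output in the format shown above and flags corrections on watched files or files that had been world-writable. The watch list, the names and the extra /etc/motd line are constructed for illustration.

```ruby
# Constructed sample: the agent run shown above, plus one extra line for a
# file that is not on the watch list.
SAMPLE_RUN = <<~LOG
  info: Caching catalog for puppetclient.domain.com
  info: Applying configuration version '1309406496'
  notice: /Stage[main]//File[/etc/sudoers]/owner: owner changed 'ftp' to 'root'
  notice: /Stage[main]//File[/etc/sudoers]/mode: mode changed '777' to '440'
  notice: /Stage[main]//File[/etc/motd]/mode: mode changed '600' to '644'
  notice: Finished catalog run in 0.11 seconds
LOG

# Assumption: files whose drift should always be investigated.
WATCHED = ['/etc/sudoers'].freeze

# Matches "notice: ...File[path]/attr: attr changed 'old' to 'new'" lines.
CHANGE = %r{\Anotice: .*?File\[(?<path>[^\]]+)\]/(?<attr>owner|group|mode): \S+ changed '(?<from>[^']*)' to '(?<to>[^']*)'}

# Return one finding per file attribute that Puppet had to correct.
def drift_findings(log, watched = WATCHED)
  log.each_line.map do |line|
    m = CHANGE.match(line)
    next unless m
    # A previous mode with the "other write" bit set means any local user
    # could have edited the file before Puppet corrected it.
    world_writable = m[:attr] == 'mode' && (m[:from].to_i(8) & 0o002) != 0
    high = watched.include?(m[:path]) || world_writable
    { path: m[:path], attr: m[:attr], from: m[:from], to: m[:to],
      severity: high ? :high : :low }
  end.compact
end

drift_findings(SAMPLE_RUN).each do |f|
  puts "#{f[:severity].to_s.upcase} #{f[:path]} #{f[:attr]}: #{f[:from]} -> #{f[:to]}"
end
```

The manifest above manages only owner, group and mode, so Puppet restores those attributes and nothing else; a sudoers file that was mode 777 still needs its contents reviewed.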
Register puppet client on puppet server:
Whenever a puppet client requests a certificate for the first time, the client won't get it until the server signs the client's certificate at the server end.
Here are the steps to sign the client's certificate at the server end.
Step 1:
List the available certificates
# puppetca -l
puppetclient.domain.com
Step 2:
Sign them
# puppetca -s puppetclient.domain.com
notice: Signed certificate request for puppetclient.domain.com
notice: Removing file Puppet::SSL::CertificateRequest puppetclient.domain.com at '/etc/puppet/ssl/ca/requests/puppetclient.domain.com.pem'
Note:
This is the default behavior and can be changed. For security reasons, however, it is recommended not to set the server to auto-signing mode.
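Manual signing only helps if the request being signed is the one the client generated, so compare the fingerprint the agent printed on the client with the pending request on the master before running puppetca -s. The Ruby sketch below is an added example, not part of the original post. It assumes the fingerprint is the MD5 digest of the DER-encoded request; the function names and the stand-in PEM are constructed for illustration.

```ruby
require 'digest'

# Constructed stand-in for a pending request file such as
# /etc/puppet/ssl/ca/requests/<certname>.pem. The body is just Base64 of
# the bytes "abc", not a real CSR, so the example runs offline.
SAMPLE_PEM = <<~PEM
  -----BEGIN CERTIFICATE REQUEST-----
  YWJj
  -----END CERTIFICATE REQUEST-----
PEM

# Strip the PEM armor lines and Base64-decode the body to DER bytes.
def pem_to_der(pem)
  pem.lines.reject { |l| l.start_with?('-----') }.join.unpack1('m')
end

# Assumption: fingerprint = MD5 over the DER bytes, printed as
# colon-separated upper-case hex (the format in the agent output).
def csr_fingerprint(pem)
  Digest::MD5.hexdigest(pem_to_der(pem)).upcase.scan(/../).join(':')
end

# Drop separators and case differences from a pasted fingerprint.
def normalize(fingerprint)
  fingerprint.delete('^0-9A-Fa-f').upcase
end

# True only if the fingerprint read off the client matches the request
# waiting on the master. Malformed input never counts as a match.
def safe_to_sign?(reported, csr_pem)
  want = normalize(reported)
  want.length == 32 && want == normalize(csr_fingerprint(csr_pem))
end

# Usage: ruby verify_csr.rb <fingerprint-from-client> <path-to-request.pem>
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  ok = safe_to_sign?(ARGV[0], File.read(ARGV[1]))
  puts ok ? 'MATCH: request is the one the client generated' : 'MISMATCH: do not sign'
  exit(ok ? 0 : 1)
end
```

Read the fingerprint from the client's own console or another trusted channel, not from anything delivered alongside the request itself.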