When running multiple puppet masters, you need to dedicate a single puppet master to be your CA server. If you are adding additional puppet master, there is some key config that needs to be set which disables the puppet CA functionality from running on the puppet master. Additionally, you need to set up a proxy pass to forward certificate requests to the puppet CA server. This is detailed below.
1. Install puppet agent and puppet master
Install the puppet and latest epel repo – note the epel repo below is now out of date.
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-6.noarch.rpm
Install the puppet agent and puppet master
yum install puppet puppet-server -y
2. Edit the puppet.conf file and turn off the puppet master from acting as a CA
vi /etc/puppet/puppet.conf
[master] ca = false ca_server = puppet-CA-server.domain.net
3. Start the agent and create and sign the puppet master cert
• On the additional puppet master
puppet agent --test
• On puppet CA server
puppet cert sign --all
• On the puppet master
puppet agent --test
4. Configure iptables
iptables -I INPUT 5 -s 10.10.10.0/24 -m tcp -p tcp --dport 8140 -j ACCEPT service iptables save service iptables restart
Note: If you are adding multiple bridges, assign the correct iptables rules to each vnic adapter and the the applicable source network address.
5. Install the required packages for the puppet master
yum install sudo mod_ssl rubygem-passenger mod_passenger policycoreutils-python rsync -y
6. Copy the example puppet virtual host config to /etc/httpd/conf.d/
cp /usr/share/puppet/ext/rack/files/apache2.conf /etc/httpd/conf.d/puppet-master.conf
7. Edit the puppet-master.conf file and update accordingly
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
SSLProxyEngine On
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppet.myorg.net:8140/$1
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet-server2.myorg.net.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet-server2.myorg.net.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmaster/public/
RackBaseURI /
Options None
AllowOverride None
Order allow,deny
allow from all
Note: We are using the ProxyPassMatch. This is matching any inbound requests on /certificate and redirecting them to the puppet CA server. Change the config accordingly.
Note: As the puppet master you are building is not a CA server, note the SSLCertificateChainFile, SSLCACertificateFile, SSLCARevocationFile paths are different to a puppet master running the CA server. This reflects where the CA certs reside when the PM is not a CA server itself.
8. Create rack directories
mkdir -p /usr/share/puppet/rack/puppetmaster/{public,tmp}
9. Copy config.ru rack file to rack web directory
cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmaster/
10. Change ownership of config.ru rack file to puppet
chown puppet:puppet /usr/share/puppet/rack/puppetmaster/config.ru
11. Set httpd to start on boot and puppet master to not start
chkconfig httpd on chkconfig puppetmaster off
12. Set up a puppet master to connect to puppetdb
• Run the following on each of your puppet masters:
sudo puppet resource package puppetdb-terminus ensure=latest
• Add this to /etc/puppet/puppetdb.conf. Note: you may have to create this file.
[main] server = port = 8081
• Add this to /etc/puppet/puppet.conf
[master] storeconfigs = true storeconfigs_backend = puppetdb
• Add this to /etc/puppet/routes.yaml. Note: you may have to create this file.
master: facts: terminus: puppetdb cache: yaml
13. Enable puppet-dashboard reports on the puppet master
• Add to each puppet master in the puppet environment in /etc/puppet/puppet.conf:
[master] reports = store, https, puppet_dashboard reporturl = https:///reports/upload
14 Copy the following script to the puppet dashboard server and all the puppet masters
• Create /usr/lib/ruby/site_ruby/1.8/puppet/reports/https.rb with the following code
require 'puppet'
require 'net/http'
require 'net/https'
require 'uri'
Puppet::Reports.register_report(:https) do
desc <<-DESC
Send report information via HTTPS to the `reporturl`. Each host sends
its report as a YAML dump and this sends this YAML to a client via HTTPS POST.
The YAML is the `report` parameter of the request."
DESC
def process
url = URI.parse(Puppet[:reporturl].to_s)
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
req = Net::HTTP::Post.new(url.path)
req.body = self.to_yaml
req.content_type = "application/x-yaml"
http.start do |http|
response = http.request(req)
unless response.code == "200"
Puppet.err "Unable to submit report to #{Puppet[:reporturl].to_s} [#{response.code}] #{response.msg}"
end
end
end
end
• Remove the following file from the puppet dashboard and puppet masters
/usr/lib/ruby/site_ruby/1.8/puppet/reports/http.rb
rm -f /usr/lib/ruby/site_ruby/1.8/puppet/reports/http.rb
15 Edit the auth.conf file on each puppet master so inventory can pick up facts.
vim /etc/puppet/auth.conf
path /facts method find auth any allow * path /inventory auth any method search, find allow dashboard
# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is deny everything else
path / auth any
Note: The config for /facts and /inventory must go above the config for `path /` – otherwise you may get an access forbidden 404 error message when running the inventory service on puppet-dashboard.
