Puppet Dashboard

Installing puppet dashboard


Here are my notes in installing puppet dashboard

1. Install EPEL and puppet repos

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-6.noarch.rpm

2. Install required packages

yum install vim puppet-server puppet puppet-dashboard
sudo mod_ssl rubygem-passenger mod_passenger
policycoreutils-python mysql mysql-server -y

3. Generate a puppet client cert and sign on the puppet master

• Run the following:

puppet agent --test

• Sign the certificate on the puppet master

puppet cert --list
puppet cert sign

for example

puppet cert sign puppet-dashboard.myorg.net4.

4 Configure MYSQL and create dashboard database

4.1 Start the mysqld server and configure chkconfig

service mysqld start
chkconfig mysqld on

4.2 Run and secure mysql


4.3 Log in to mysql and create a database and configure permissions / password

GRANT ALL PRIVILEGES ON puppetdash.* TO puppet@'%' IDENTIFIED BY '';
set global max_allowed_packet = 33554432;

4.4 Update database entries for the production DB settings as follows:

vi /usr/share/puppet-dashboard/config/database.yml

database: puppetdash
username: puppet
encoding: utf8
adapter: mysql

4.5 Create dashboard schema

cd /usr/share/puppet-dashboard
rake RAILS_ENV=production db:migrate

5. Copy the example puppet virtual host config to /etc/httpd/conf.d/

cp /usr/share/puppet-dashboard/ext/passenger/dashboard-vhost.conf

6. Remove the ssl.conf file /etc/httpd/conf.d/ directory.

Note, the mod_ssl.so is loaded in the custom puppet-dashboard.conf virtual host file.

rm -f /etc/httpd/conf.d/ssl.conf

7. Configure the puppet-dashboard virtual host file.

vim /etc/httpd/conf.d/puppet-dashboard.conf

# you may want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RailsAutoDetect On

RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

LoadModule ssl_module modules/mod_ssl.so

Listen 443

SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1

SSLCertificateFile /usr/share/puppet-dashboard/certs/dashboard.cert.pem
SSLCertificateKeyFile /usr/share/puppet-dashboard/certs/dashboard.private_key.pem
SSLCACertificateFile /usr/share/puppet-dashboard/certs/dashboard.ca_cert.pem

# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /usr/share/puppet-dashboard/certs/dashboard.ca_crl.pem

SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

ServerName ukcrlcscin0010.tcl-oob.net
DocumentRoot /usr/share/puppet-dashboard/public/

Options None
Order allow,deny
allow from all

ErrorLog /var/log/httpd/puppet-dashboard-net_error.log
LogLevel warn
CustomLog /var/log/httpd/puppet-dashboard-net_access.log combined
ServerSignature On

Order deny,allow
Allow from ALL
# Enable this to require client-side certificates for Dashboard connections
#SSLVerifyClient require

8. Ensure the following log files exist

touch /var/log/httpd/ukcrlcscin0010.tcl-oob.net_access.log
touch /var/log/httpd/ukcrlcscin0010.tcl-oob.net_error.log
touch /usr/share/puppet-dashboard/log/production.log
chmod 0666 /usr/share/puppet-dashboard/log/production.log

9. Create the puppet-dashboard SSL certs for https access

• On the puppet-dashboard server run:

$ sudo -u puppet-dashboard rake cert:create_key_pair
$ sudo -u puppet-dashboard rake cert:request

• On the puppet master, sign the certs

puppet cert sign dashboard

• On the puppet-dashboard, retrieve the SSL certs

$ sudo -u puppet-dashboard rake cert:retrieve

10. Copy the following script to the puppet dashboard server and all the puppet masters

Create /usr/lib/ruby/site_ruby/1.8/puppet/reports/https.rb with the following code

require 'puppet'
require 'net/http'
require 'net/https'
require 'uri'

Puppet::Reports.register_report(:https) do

desc <<-DESC
Send report information via HTTPS to the `reporturl`. Each host sends
its report as a YAML dump and this sends this YAML to a client via HTTPS POST.
The YAML is the `report` parameter of the request."

def process
url = URI.parse(Puppet[:reporturl].to_s)
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

req = Net::HTTP::Post.new(url.path)
req.body = self.to_yaml
req.content_type = "application/x-yaml"

http.start do |http|
response = http.request(req)
unless response.code == "200"
Puppet.err "Unable to submit report to #{Puppet[:reporturl].to_s} [#{response.code}] #{response.msg}"


• Remove the following file from the puppet dashboard and puppe masters

rm -f /usr/lib/ruby/site_ruby/1.8/puppet/reports/http.rb

11. Enable puppet-dashboard reports for each puppet master in the environment

Add to each puppet master in the puppet environment in /etc/puppet/puppet.conf:


reports = store, https, puppet_dashboard
reporturl = https:///reports/upload

12. Create the reports directories on each puppet master

mkdir -p $(puppet master --configprint libdir)/puppet/reports

13. Copy the puppet_dashboard.rb files to each of the puppet masters

Note: To find out where to scp the files to on your puppet master, run the following command on you puppet master:

puppet master --configprint libdir

The scp command needs to be run on your puppet-dashboard server

scp /usr/share/puppet-dashboard/ext/puppet/puppet_dashboard.rb root@puppet:/var/lib/puppet/lib/puppet_dashboard.rb

Change the tag accordingly

14. Update the puppet_dashboard.rb file on each puppet master

Run on your puppet server and update the parameters HOST and PORT

vim /var/lib/puppet/lib/puppet_dashboard.rb

PORT = 443

15. Edit the auth.conf file on each puppet master so inventory can pick up facts.

Make sure the following is set on each puppet master.

path /facts
method find
auth any
allow *

path /inventory
auth any
method search, find
allow dashboard

# deny everything else; this one is not stricly necessary, but it has the merit of showing the default policy, which is deny everything else

path /
auth any

Note: The config for /facts and /inventory must go above the config for `path /` – otherwise you may get an access forbidden 404 error message when running the inventory service on puppet-dashboard.

16. Restart apache on puppet masters

service httpd restart

17. On the puppet dashboard server, turn on and configure the inventory service and cutoff time

vi /usr/share/puppet-dashboard/config/settings.yml

# The "inventory service" allows you to connect to a puppet master to retrieve and node facts

enable_inventory_service: true

# Hostname of the inventory server.

inventory_server: 'puppet'

# Port for the inventory server.

inventory_port: 8140

# Amount of time in seconds since last report before a node is considered no longer reporting

no_longer_reporting_cutoff: 43200

18. Add the puppet-dashboard delayed_job script to rc.local

# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
cd /usr/share/puppet-dashboard
sudo -u puppet-dashboard env RAILS_ENV=production script/delayed_job -p dashboard -n 4 -m start

19. Configure IP tables

iptables -I INPUT 5 -s -m tcp -p tcp --dport 8140 -j ACCEPT
iptables -I INPUT 6 -s -m tcp -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 7 -s -m tcp -p tcp --dport 443 -j ACCEPT
iptables -I INPUT 8 -s -m tcp -p tcp --dport 3306 -j ACCEPT

service iptables save
service iptables restart
iptables -L

20. Start apache and connect to the dashboard URL

service httpd start

Check the apache service has started and the webserver is listening on port 80 and 443.

21. Start the delayed_job script

cd /usr/share/puppet-dashboard
sudo -u puppet-dashboard env RAILS_ENV=production script/delayed_job -p dashboard -n 4 -m start

Connect to the puppet-dashboard web UI. Run a puppet agent –test on the puppet-dashboard and you should see the puppet nodes report in to the puppet dashboard.

Once you have done all of thisand checked the puppet dashboard is working correctly, I would reboot the linux box to ensure that if there was a OS failure and the box got rebooted, or if someone rebooted the box, pupp dashboard would work on a reboot – it is up to you.. but recommended.