Here are my notes in installing puppet dashboard
1. Install EPEL and puppet repos
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-6.noarch.rpm
2. Install required packages
yum install vim puppet-server puppet puppet-dashboard sudo mod_ssl rubygem-passenger mod_passenger policycoreutils-python mysql mysql-server -y
3. Generate a puppet client cert and sign on the puppet master
• Run the following:
puppet agent --test
• Sign the certificate on the puppet master
puppet cert --list puppet cert sign
for example
puppet cert sign puppet-dashboard.myorg.net4.
4 Configure MYSQL and create dashboard database
4.1 Start the mysqld server and configure chkconfig
service mysqld start chkconfig mysqld on
4.2 Run and secure mysql
/usr/bin/mysql_secure_installation
4.3 Log in to mysql and create a database and configure permissions / password
CREATE DATABASE puppetdash; GRANT ALL PRIVILEGES ON puppetdash.* TO puppet@'%' IDENTIFIED BY ''; FLUSH PRIVILEGES; set global max_allowed_packet = 33554432;
4.4 Update database entries for the production DB settings as follows:
vi /usr/share/puppet-dashboard/config/database.yml production: database: puppetdash username: puppet password: encoding: utf8 adapter: mysql
4.5 Create dashboard schema
cd /usr/share/puppet-dashboard rake RAILS_ENV=production db:migrate
5. Copy the example puppet virtual host config to /etc/httpd/conf.d/
cp /usr/share/puppet-dashboard/ext/passenger/dashboard-vhost.conf /etc/httpd/conf.d/puppet-dashboard.conf
6. Remove the ssl.conf file /etc/httpd/conf.d/ directory.
Note, the mod_ssl.so is loaded in the custom puppet-dashboard.conf virtual host file.
rm -f /etc/httpd/conf.d/ssl.conf
7. Configure the puppet-dashboard virtual host file.
vim /etc/httpd/conf.d/puppet-dashboard.conf
# you may want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RailsAutoDetect On
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /usr/share/puppet-dashboard/certs/dashboard.cert.pem
SSLCertificateKeyFile /usr/share/puppet-dashboard/certs/dashboard.private_key.pem
SSLCACertificateFile /usr/share/puppet-dashboard/certs/dashboard.ca_cert.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /usr/share/puppet-dashboard/certs/dashboard.ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
ServerName ukcrlcscin0010.tcl-oob.net
DocumentRoot /usr/share/puppet-dashboard/public/
Options None
Order allow,deny
allow from all
ErrorLog /var/log/httpd/puppet-dashboard-net_error.log
LogLevel warn
CustomLog /var/log/httpd/puppet-dashboard-net_access.log combined
ServerSignature On
Order deny,allow
Allow from ALL
# Enable this to require client-side certificates for Dashboard connections
#SSLVerifyClient require
8. Ensure the following log files exist
touch /var/log/httpd/ukcrlcscin0010.tcl-oob.net_access.log touch /var/log/httpd/ukcrlcscin0010.tcl-oob.net_error.log touch /usr/share/puppet-dashboard/log/production.log chmod 0666 /usr/share/puppet-dashboard/log/production.log
9. Create the puppet-dashboard SSL certs for https access
• On the puppet-dashboard server run:
$ sudo -u puppet-dashboard rake cert:create_key_pair $ sudo -u puppet-dashboard rake cert:request
• On the puppet master, sign the certs
puppet cert sign dashboard
• On the puppet-dashboard, retrieve the SSL certs
$ sudo -u puppet-dashboard rake cert:retrieve
10. Copy the following script to the puppet dashboard server and all the puppet masters
Create /usr/lib/ruby/site_ruby/1.8/puppet/reports/https.rb with the following code
require 'puppet'
require 'net/http'
require 'net/https'
require 'uri'
Puppet::Reports.register_report(:https) do
desc <<-DESC
Send report information via HTTPS to the `reporturl`. Each host sends
its report as a YAML dump and this sends this YAML to a client via HTTPS POST.
The YAML is the `report` parameter of the request."
DESC
def process
url = URI.parse(Puppet[:reporturl].to_s)
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
req = Net::HTTP::Post.new(url.path)
req.body = self.to_yaml
req.content_type = "application/x-yaml"
http.start do |http|
response = http.request(req)
unless response.code == "200"
Puppet.err "Unable to submit report to #{Puppet[:reporturl].to_s} [#{response.code}] #{response.msg}"
end
end
end
end
• Remove the following file from the puppet dashboard and puppe masters
/usr/lib/ruby/site_ruby/1.8/puppet/reports/http.rb rm -f /usr/lib/ruby/site_ruby/1.8/puppet/reports/http.rb
11. Enable puppet-dashboard reports for each puppet master in the environment
Add to each puppet master in the puppet environment in /etc/puppet/puppet.conf:
[master] reports = store, https, puppet_dashboard reporturl = https:///reports/upload
12. Create the reports directories on each puppet master
mkdir -p $(puppet master --configprint libdir)/puppet/reports
13. Copy the puppet_dashboard.rb files to each of the puppet masters
Note: To find out where to scp the files to on your puppet master, run the following command on you puppet master:
puppet master --configprint libdir $/var/lib/puppet/lib
The scp command needs to be run on your puppet-dashboard server
scp /usr/share/puppet-dashboard/ext/puppet/puppet_dashboard.rb root@puppet:/var/lib/puppet/lib/puppet_dashboard.rb
Change the tag accordingly
14. Update the puppet_dashboard.rb file on each puppet master
Run on your puppet server and update the parameters HOST and PORT
vim /var/lib/puppet/lib/puppet_dashboard.rb HOST = PORT = 443
15. Edit the auth.conf file on each puppet master so inventory can pick up facts.
Make sure the following is set on each puppet master.
path /facts method find auth any allow * path /inventory auth any method search, find allow dashboard # deny everything else; this one is not stricly necessary, but it has the merit of showing the default policy, which is deny everything else path / auth any
Note: The config for /facts and /inventory must go above the config for `path /` – otherwise you may get an access forbidden 404 error message when running the inventory service on puppet-dashboard.
16. Restart apache on puppet masters
service httpd restart
17. On the puppet dashboard server, turn on and configure the inventory service and cutoff time
vi /usr/share/puppet-dashboard/config/settings.yml # The "inventory service" allows you to connect to a puppet master to retrieve and node facts enable_inventory_service: true # Hostname of the inventory server. inventory_server: 'puppet' # Port for the inventory server. inventory_port: 8140 # Amount of time in seconds since last report before a node is considered no longer reporting no_longer_reporting_cutoff: 43200
18. Add the puppet-dashboard delayed_job script to rc.local
#!/bin/sh # # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don't # want to do the full Sys V style init stuff. touch /var/lock/subsys/local cd /usr/share/puppet-dashboard sudo -u puppet-dashboard env RAILS_ENV=production script/delayed_job -p dashboard -n 4 -m start
19. Configure IP tables
iptables -I INPUT 5 -s 10.33.22.0/24 -m tcp -p tcp --dport 8140 -j ACCEPT iptables -I INPUT 6 -s 10.33.22.0/24 -m tcp -p tcp --dport 80 -j ACCEPT iptables -I INPUT 7 -s 10.33.22.0/24 -m tcp -p tcp --dport 443 -j ACCEPT iptables -I INPUT 8 -s 10.33.22.0/24 -m tcp -p tcp --dport 3306 -j ACCEPT service iptables save service iptables restart iptables -L
20. Start apache and connect to the dashboard URL
service httpd start
Check the apache service has started and the webserver is listening on port 80 and 443.
21. Start the delayed_job script
cd /usr/share/puppet-dashboard sudo -u puppet-dashboard env RAILS_ENV=production script/delayed_job -p dashboard -n 4 -m start
Connect to the puppet-dashboard web UI. Run a puppet agent –test on the puppet-dashboard and you should see the puppet nodes report in to the puppet dashboard.
Once you have done all of thisand checked the puppet dashboard is working correctly, I would reboot the linux box to ensure that if there was a OS failure and the box got rebooted, or if someone rebooted the box, pupp dashboard would work on a reboot – it is up to you.. but recommended.
