Matt Borja

Puppet Master Walkthrough

Note: It is recommended that you review the signatures on the release keys used in this document and establish a trust path to at least one of them before importing the keys.

  • Add SSH key for authentication
  • Enable Puppet Collection 1 repository:

    sudo rpm -Uvh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
    
  • Import Puppet signing key for verifying Puppet packages:
  • Verify key's fingerprint:

    gpg --list-key --fingerprint 7F438280EF8D349F
    
  • Import Puppet release key for verifying RPM packages:
  • Verify key's fingerprint:

    gpg --list-key --fingerprint 0x1054B7A24BD6EC30
    
  • Import to RPM:

    sudo rpm --import 1054b7a24bd6ec30.asc
    
  • Download and verify Puppet packages:

    curl -O https://downloads.puppetlabs.com/puppet/puppetserver-2.6.0.tar.gz
    curl -O https://downloads.puppetlabs.com/puppet/puppetserver-2.6.0.tar.gz.asc
    gpg --verify puppetserver-2.6.0.tar.gz.asc puppetserver-2.6.0.tar.gz
    
  • Download and verify RPM packages:

    curl -O https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
    curl -O https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
    sudo rpm -vK *.rpm
    
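The fingerprint checks above only help if the printed value is compared against a fingerprint obtained out-of-band, and `rpm -K` exits 0 for an unsigned package whose digests merely match. The following script is an added example, not part of the original walkthrough: it pins the expected fingerprint before a key is handed to `rpm --import`, and rejects any RPM whose `rpm -K` result line does not name a PGP/GPG signature. The key IDs and file names come from the steps above; `EXPECTED_FPR` is a placeholder to fill in from a trusted source, the function names are assumptions, and the sample output in the comments is constructed in the style gpg and rpm 4.11 print.

```shell
#!/bin/sh
# Added example, not part of the walkthrough. Pins a release key's full
# fingerprint before `rpm --import`, and checks `rpm -K` output for an
# actual PGP signature (a digest-only "OK" is not enough).

# PLACEHOLDER: fill from a trusted, out-of-band source (the vendor's
# published fingerprint reached through a verified path), never from the
# key server that served the key.
EXPECTED_FPR='REPLACE-WITH-40-HEX-FINGERPRINT-FROM-TRUSTED-SOURCE'

# Read `gpg --fingerprint` output on stdin; print each full fingerprint as
# 40 upper-case hex characters with spacing removed. Handles both the
# "Key fingerprint = ..." form and the bare indented form newer gpg prints.
extract_fingerprints() {
    sed 's/^[[:space:]]*Key fingerprint = //' \
        | tr -d ' \t' \
        | tr 'a-f' 'A-F' \
        | grep -E '^[0-9A-F]{40}$'
}

# Return 0 if fingerprint $1 (spaces and case ignored) appears in the gpg
# output on stdin, 1 otherwise.
fingerprint_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    extract_fingerprints | grep -qx "$want"
}

# Import key file $3 into the RPM database only if key ID $1 in the local
# gpg keyring carries the pinned fingerprint $2.
import_key_if_pinned() {
    if gpg --list-key --fingerprint "$1" | fingerprint_matches "$2"; then
        sudo rpm --import "$3"
    else
        printf 'fingerprint of %s does not match pinned value; not importing\n' "$1" >&2
        return 1
    fi
}

# Return 0 only when an `rpm -K` result line ends in "OK" and names a
# PGP/GPG signature. An unsigned package prints e.g. "x.rpm: sha1 md5 OK"
# and `rpm -K` still exits 0, so the exit status alone does not prove signing.
rpm_line_signed_ok() {
    line=$(printf '%s' "$1" | sed 's/[[:space:]]*$//')
    case "$line" in
        *"NOT OK"*) return 1 ;;   # e.g. "... NOT OK (MISSING KEYS: ...)"
        *" OK") ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$line" | grep -qiE 'pgp|gpg'
}

# Run `rpm -K` on each RPM given; fail unless every one is PGP-signed and OK.
verify_rpms() {
    bad=0
    for f in "$@"; do
        out=$(rpm -K "$f" 2>&1) || true
        if rpm_line_signed_ok "$out"; then
            printf 'SIGNED OK  %s\n' "$f"
        else
            printf 'REJECTED   %s: %s\n' "$f" "$out" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage (key ID and file names from the walkthrough):
#   import_key_if_pinned 0x1054B7A24BD6EC30 "$EXPECTED_FPR" 1054b7a24bd6ec30.asc \
#     && verify_rpms puppetlabs-release-pc1-el-7.noarch.rpm puppetlabs-release-el-7.noarch.rpm
```

The `rpm --import` step only runs after the fingerprint comparison succeeds, so a key fetched under the right ID but with a different fingerprint is never trusted by RPM.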
  • Install Puppet server:

    sudo yum install puppetserver
    
  • Review JVM tuning for Puppet server:

    grep JAVA_ARGS /etc/sysconfig/puppetserver
    
  • Review and tighten file permissions on manifests as necessary:

    sudo ls -lha /etc/puppetlabs/code/environments/production/manifests/*.pp
    sudo chmod 0640 /etc/puppetlabs/code/environments/production/manifests/*.pp
    
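A blanket chmod does not tell you which manifests were loose, and it does nothing for files added later under a permissive umask. The following audit script is an added example, not part of the original walkthrough: it reports every `*.pp` file under the manifests directory whose mode is looser than 0640 (group-writable, or any permission for "other") and can tighten them in the same pass. It parses `ls -ld` output rather than `stat`, so it runs on any POSIX shell. The manifests path is the one used above; the function names and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the walkthrough: audit (and optionally fix)
# manifest file permissions under the production manifests directory.
# Path as used in the walkthrough; adjust for other environments.
MANIFEST_DIR=/etc/puppetlabs/code/environments/production/manifests

# Print the 10-character mode string of a file, e.g. "-rw-r-----".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if a mode string is 0640 or tighter: no group write bit and no
# "other" bits at all. $1 is a string such as "-rw-r-----".
mode_is_tight() {
    case "$1" in
        ??????????) ;;          # exactly ten characters, as ls prints
        *) return 1 ;;
    esac
    group_w=$(printf '%s' "$1" | cut -c6)
    other=$(printf '%s' "$1" | cut -c8-10)
    [ "$group_w" = "-" ] && [ "$other" = "---" ]
}

# audit_manifests DIR [fix]
# List every *.pp under DIR whose mode is looser than 0640. With "fix" as
# the second argument, also chmod those files to 0640. Returns 1 if any
# loose file was found (counted before fixing), 0 otherwise.
audit_manifests() {
    dir=$1
    action=${2:-report}
    loose=0
    for f in "$dir"/*.pp; do
        [ -f "$f" ] || continue     # unmatched glob stays literal; skip it
        mode=$(mode_string "$f")
        if mode_is_tight "$mode"; then
            continue
        fi
        loose=$((loose + 1))
        printf 'LOOSE %s %s\n' "$mode" "$f"
        if [ "$action" = fix ]; then
            chmod 0640 "$f"
        fi
    done
    [ "$loose" -eq 0 ]
}

# Usage (run as root so every manifest is visible to ls; "audit-manifests.sh"
# is whatever name this file is saved under):
#   sudo sh audit-manifests.sh report    # list loose manifests, exit 1 if any
#   sudo sh audit-manifests.sh fix       # list them and tighten to 0640
case "${1:-}" in
    report|fix) audit_manifests "$MANIFEST_DIR" "$1" ;;
esac
```

Because the function returns non-zero when anything loose is found, the `report` mode can be dropped into a cron job or a CI step as a permission regression check.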
  • Start Puppet server:

    sudo service puppetserver start
    
  • Set server variable in [master] section of system config:

    sudo `which puppet` config set server puppetmaster.domain.com --section master
    
  • Open port 8140 to accept certificate signing requests from Puppet agents:

    sudo firewall-cmd --zone=public --add-port=8140/tcp --permanent && sudo firewall-cmd --reload
    
  • Run Puppet agents and sign certificate requests on the master:

    sudo `which puppet` cert list
    sudo `which puppet` cert sign web01.domain.com
    sudo `which puppet` cert sign web02.domain.com
    
  • Install Puppet approved puppet/iis module (requires Windows Server 2008 or higher):

    puppet module install puppet-iis
    
    • Note: Dependencies in the Puppet module repository may not be in sync with the project repository (e.g. puppet-windowsfeature) and may need to be installed manually:
    • Download the latest puppet-windowsfeature release and install it from the tarball:

      sudo `which puppet` module install puppet-windowsfeature.tar.gz
      
  • Create default main manifest file:

    sudo touch /etc/puppetlabs/code/environments/production/manifests/site.pp
    
  • Install PuppetDB:

    sudo `which puppet` resource package puppetdb ensure=latest
    
  • Install PostgreSQL:

    sudo yum install postgresql
    sudo postgresql-setup initdb
    sudo service postgresql start
    
    • TODO: Configure PostgreSQL
  • Create PuppetDB user and database:

    sudo -u postgres sh
    createuser -DRSP puppetdb
    createdb -E UTF8 -O puppetdb puppetdb
    exit
    
  • Install the pg_trgm extension (regexp-optimized indexes):

    sudo yum install postgresql-contrib
    sudo -u postgres sh
    psql puppetdb -c 'create extension pg_trgm'
    exit
    
  • Import and cross-compare Foreman Release Signing Keys:

  • Download and verify Foreman RPM:

    curl -O https://yum.theforeman.org/releases/1.13/el7/x86_64/foreman-release.rpm
    sudo rpm -vK foreman-release.rpm
    
  • Enable the EPEL repository if not already installed:

    sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    
  • Enable Foreman repositories:

    sudo yum install https://yum.theforeman.org/releases/1.13/el7/x86_64/foreman-release.rpm
    
    • Or from the locally verified RPM: `sudo yum localinstall foreman-release.rpm`
    • Note: Packages may fail if optional RPMs are not enabled in RHEL7

      sudo subscription-manager repos --list
      sudo subscription-manager repos --enable rhel-7-server-optional-rpms
      
  • Install Foreman installer:

    sudo yum install foreman-installer
    
  • Run Foreman installer:

    sudo foreman-installer
    
    • Note: If any packages fail to install, try installing them manually to debug (e.g. `sudo yum install foreman-proxy`)
  • Open port 443 to allow access to web console:

    sudo firewall-cmd --zone=public --add-port=443/tcp --permanent && sudo firewall-cmd --reload
    
  • Install NTP module into production to be managed by Foreman:

    sudo `which puppet` module install puppetlabs/ntp
    
  • In Foreman console, import modules:
    • Configure -> Classes -> Import from...
  • Follow instructions to Override Default NTP Pool
    • Set the default servers parameter to type array with value: `["0.us.pool.ntp.org","1.us.pool.ntp.org","2.us.pool.ntp.org","3.us.pool.ntp.org"]`
  • Apply NTP class to puppetmaster node and test:
    • Edit Puppet Classes for the puppetmaster host, add ntp from the list of available classes and click "Submit" to apply the changes

      sudo `which puppet` agent --test

  • In the Foreman console, create Config Group `Web Server` (used by the "Web Cluster" host group below) and add Puppet classes: `iis`, `stdlib`
  • Create Host Group Web Cluster:
    • Environment: production
    • Puppet CA: puppetmaster
    • Puppet Master: puppetmaster
    • Included Config Groups: `Web Server`
  • Assign hosts to Web Cluster host group