Chapter 21. Creating a Puppet Server

Puppet Server is a new product built from the ground up to provide higher performance and better integration with other Puppet Labs products.

Many of the changes with Puppet Server were a change in the technology stack. Puppet Server was written in Clojure and uses Java rather than Ruby as the underlying engine. This ties it more closely with PuppetDB and other Puppet Labs products. However, for most practical purposes you can use it without learning anything about the technology stack. We’re going to skip over these details in favor of the practical concerns of installing and running.

At this point, we’re going to spin up another virtual machine dedicated to hosting this product. You should open another terminal window, or add a new tab on your existing terminal for this virtual machine. This will allow you to switch back and forth between the machines, which is necessary in this chapter.

If you started up the puppetmaster VM in the last chapter, you may want to suspend it to save some memory:

learning-puppet4$ vagrant suspend puppetmaster
==> puppetmaster: Saving VM state and suspending execution...

Starting the puppetserver VM

In the new Terminal window, move into the directory where you checked out the learning-puppet4 Git repository. Start up the puppetserver instance just like we did the client instance at the beginning of the book:

learning-puppet4$ vagrant up puppetserver
Bringing machine 'puppetserver' up with 'virtualbox' provider...
==> puppetserver: Importing base box 'puppetlabs/centos-7.2-64-nocm'...
==> puppetserver: Matching MAC address for NAT networking...
==> puppetserver: Checking if box 'puppetlabs/centos-7.2-64-nocm' is up to date...
==> puppetserver: Setting the name of the VM: learning-puppet4_puppetserver_1437612
...snip...
==> puppetserver: Machine booted and ready!

learning-puppet4$ vagrant ssh puppetserver
[vagrant@puppetserver ~]$

As this is a fresh new virtual machine, install the necessary utilities and a text editor of choice, as you did back in Chapter 2.

$ sudo yum install rsync git vim nano emacs-nox

Installing Puppet Server

Install the latest Puppet Labs Puppet Collection repository on the puppetserver instance. Starting in the home directory, take the following steps:

$ sudo yum install -y 
    http://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm

This command will install and enable the puppetlabs-release-pc1 package repository, which contains the Puppet Server package. Now install the Puppet Server package:

$ sudo yum install -y puppetserver

Installed:
  puppetserver.noarch 0:2.3.0-1.el7

Dependency Installed:
  java-1.8.0-openjdk-headless.x86_64 1:1.8.0.51-1.b16.el7_1
  javapackages-tools.noarch 0:3.4.1-6.el7_0      lcms2.x86_64 0:2.5-4.el7
  libjpeg-turbo.x86_64 0:1.2.90-5.el7            libxslt.x86_64 0:1.1.28-5.el7
  puppet-agent.x86_64 0:1.10.9-1.el7             python-lxml.x86_64 0:3.2.1-4.el7
  python-javapackages.noarch 0:3.4.1-6.el7_0     tzdata-java.noarch 0:2015e-1.el7

Complete!

Configuring a Firewall for Puppet Server

At this point, we’ll need to adjust the firewall on the server. Puppet clients connect to servers on TCP port 8140 by default. Use the following commands to allow incoming TCP connections to this port:

$ sudo firewall-cmd --permanent --zone=public --add-port=8140/tcp
success
$ sudo firewall-cmd --reload
success

This change allows incoming connections to the Puppet Server.

Tip
It is safe to run these commands in a virtual instance on your personal workstation. In a production setting, you’d want to limit access to specific IP networks. Don’t make this change to a production system without reviewing your organization’s existing security setup.

Guides for altering other firewalls can be found in Appendix B.

Configuring Puppet Server

Puppet Server takes its configuration values from two places:

  • The primary configuration files at /etc/puppetlabs/puppetserver/conf.d/
  • Historic values it reads from the [master] and [main] blocks of /etc/puppetlabs/puppet/puppet.conf

The settings from these files do not overlap. For any configuration option available in the Puppet Server configuration files, the setting in puppet.conf will be ignored.

Warning
A setting left undefined in the server configuration files will revert to the default value, instead of using the value from the Puppet configuration file.

The Puppet Server configuration files are as follows:

auth.conf
Authentication and authorization controls for Puppet Server and the Puppet Certificate Authority.
global.conf
Global configuration settings common to all components of Puppet Server. This contains only the location of the logback configuration file at this time.
puppetserver.conf
Configuration options for Puppet Server. Some of these options overlap with options in puppet.conf. Be careful to keep these matching, or Puppet Server and the puppet commands will use different directories.
webserver.conf
Web server configuration: authorization, TCP ports, and so on. If you were using the old Puppet master Rack application, this configuration file supersedes the Apache or nginx configuration files you were previously using.
web-routes.conf
Service mount points for Puppet Server’s web applications. Do not modify this file, as the Puppet agent depends on specific mount points being available. This file should be managed only by the Puppet Server package.

For a single server or testing setup, you don’t need to change any of these values. We’ll cover specific changes that may be necessary shortly.

Warning
The Puppet Server configuration files do not use the INI file format used by puppet.conf. These files utilize a superset of JSON known as HOCON, which stands for Human-Optimized Config Object Notation. JSON doesn’t support single quotes for strings, so you must avoid using single quotes in these config files.

Defining Server Paths

There are five variables that define the paths which the Puppet Server should use for its files. Unfortunately, these variables exist in two different files and must be kept in sync. See Table 21-1.

Table 21-1. Variables that define shared paths for Puppet applications
puppetserver.conf puppet.conf Default value
master-conf-dir confdir /etc/puppetlabs/puppet
master-code-dir codedir /etc/puppetlabs/code
master-var-dir vardir /opt/puppetlabs/server/data/puppetserver
master-run-dir rundir /var/run/puppetlabs/puppetserver
master-log-dir logdir /var/log/puppetlabs/puppetserver

Again, it is essential to keep these variables in sync between the two configuration files. If they differ, then Puppet Server will be looking in one place, and Puppet commands like puppet certificate will be looking in another.

Enabling use of /var filesystem

As recommended back in “Store Server Data Files Separately”, you should change the following values to conform to the Filesystem Hierarchy Standard (FHS) and most sysadmin expectations. The following change places all volatile and dynamic data within the /var/ filesystem.

Edit /etc/puppetlabs/puppet/puppet.conf:

[user]
  vardir = /var/opt/puppetlabs/puppetserver
  ssldir = $vardir/ssl

[master]
  vardir = /var/opt/puppetlabs/puppetserver
  ssldir = $vardir/ssl

Double-check these values after installing the puppetserver package, as the package installation scripts will change these values in an existing configuration file during installation.

Make the corresponding change in /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf:

   master-var-dir = /var/opt/puppetlabs/puppetserver

Then, create the directory we just named. Puppet Server will fail to run if the directory was not created prior to initialization:

[vagrant@puppetserver ~]$ mkdir -p /var/opt/puppetlabs/puppetserver
[vagrant@puppetserver ~]$ chown -R puppet:puppet /var/opt/puppetlabs/puppetserver

Limiting Memory Usage

By default, Puppet Server tries to allocate 2 gigabytes of RAM. This is not necessary for a test node, and won’t work with Vagrant unless you add more memory to the node settings.

Tune down the memory reserved by changing the startup parameters. Edit /etc/sysconfig/puppetserver and change the following line:

# Modify this if you'd like to change the memory allocation, enable JMX, etc.
JAVA_ARGS="-Xms512m -Xmx512m"

Note that the default file contains a MaxPermSize value in this field. It’s OK to remove it, as the server would simply tell you:

Aug 03 00:55:02 puppetserver.example.com java[14652]:
  OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m;
    support was removed in 8.0
Tip
In large production environments, you will need to raise the memory limit rather than lower it.

Configuring TLS Certificates

Puppet Server accepts configuration of TLS keys and certificates in two different places. You can define the following override settings in /etc/puppetlabs/puppetserver/conf.d/webserver.conf:

ssl-cert = /var/opt/puppetlabs/puppetserver/ssl/certs/puppet.example.com.pem
ssl-key = /var/opt/puppetlabs/puppetserver/ssl/private_keys/
  puppet.example.com.pem
ssl-ca-cert = /var/opt/puppetlabs/puppetserver/ssl/certs/ca.pem
ssl-crl-path = /var/opt/puppetlabs/puppetserver/ssl/crl.pem
Note
Paths are shown with the FHS-compliant directories recommended here. If you are using the default values, these files will reside in the /etc/puppetlabs/puppet/ssl/ directory.

If none of these variables are defined, Puppet Server will fall back to using the following defined or derived settings from /etc/puppetlabs/puppet/puppet.conf, according to Table 21-2.

Table 21-2. Variables used for Puppet Server TLS file locations
puppetserver/conf.d/webserver.conf puppet/puppet.conf
ssl-ca localcacert
ssl-cert hostcert
ssl-key hostprivkey
ssl-crl-path hostcrl

You can use either the settings in the first column or the second column. If you use the settings in webserver.conf, then you must use all four together. Otherwise, leave all four undefined and use the settings in puppet.conf (which is backward compatible with the Puppet master).

At this time, the Certificate Authority continues to use the following settings from puppet.conf. There isn’t an equivalent in puppetserver/conf.d/ files yet:

[master]
  cacert = /etc/puppetlabs/puppet/ssl/certs/ca.pem
  cacrl = /etc/puppetlabs/puppet/ssl/crl.pem
  hostcert = /etc/puppetlabs/puppet/ssl/certs/puppet.example.com.pem
  hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/puppet.example.com.pem

Due to the current mixture of settings in two files, I recommend that you consolidate settings in /etc/puppetlabs/puppet/puppet.conf, and leave the settings blank in webserver.conf. This is the default, as-shipped configuration, so no changes are necessary.

The latest version of Puppet Server may have added new configuration options. Check the latest documentation at “Puppet Server: Differing Behavior in puppet.conf” on the Puppet docs site.

You can see the configuration values for the Puppet master and the Certificate Authority (defined or derived from defaults) with this command:

[vagrant@puppetserver ~]$ sudo puppet config print --section master
cfacter = false
confdir = /etc/puppetlabs/puppet
codedir = /etc/puppetlabs/code
vardir = /var/opt/puppetlabs/puppetserver
...etc

Avoiding Obsolete Settings

The following settings are valid for the Puppet master, but have been replaced by other configuration options in Puppet Server:

  • autoflush—replaced by settings in logback.xml
  • bindaddress—remove and configure ssl-host instead
  • ca—uses CA information from bootstrap.cfg instead
  • keylength—replaced by a fixed value of 4,096 bits
  • logdir—replaced by settings in logback.xml
  • masterhttplog—replaced by the access-log-config setting in webserver.conf
  • masterlog—replaced by settings in logback.xml
  • masterport—replaced by the ssl-port setting in webserver.conf
  • ssl_client_header—ignored unless allow-header-cert-info is enabled in auth.conf
  • ssl_client_verify_header—ignored unless allow-header-cert-info is enabled in auth.conf
  • ssl_server_ca_auth—ignored in favor of ssl-ca-cert or cacert

The following settings used by the Puppet master are ignored by Puppet server, with no equivalent option:

  • capass
  • caprivatedir
  • daemonize
  • http_debug
  • puppetdlog
  • railslog
  • syslogfacility
  • user

The following three settings are valid for Puppet agents, but will be ignored by Puppet Server:

  • configtimeout
  • http_proxy_host
  • http_proxy_port

Configuring Server Logs

Puppet Server uses the well-known JDK logback library. Logback is a successor to the log4j logging library provided with Java.

By default, the logback configuration file can be found at /etc/puppetlabs/puppetserver/logback.xml. This is the standard XML configuration file format as documented in “Logback configuration” on the Logback Project site.

By default, Puppet Server logs all messages at INFO level or higher to /var/log/puppetlabs/puppetserver/puppetserver.log. Review the bolded sections of this logback.xml configuration snippet:

    <appender name="F1" class="ch.qos.logback.core.FileAppender">
        <file>/var/log/puppetlabs/puppetserver/puppetserver.log</file>
        <append>true</append>
        <encoder>
            <pattern>%d %-5p [%t] [%c{2}] %m%n</pattern>
        </encoder>
    </appender>

    <root level="info">
        <appender-ref ref="F1"/>
    </root>

If you are familiar with logback or log4j, you can modify this file far beyond the simple examples here.

Warning
Do not change the ConsoleAppender definition that outputs console messages when running Puppet Server in the foreground debug mode.

If you want to send Puppet Server messages to the system logger syslog, then you may want to replace or supplement the FileAppender with the following:

    <appender name="Syslog" class="ch.qos.logback.core.net.SyslogAppender">
        <syslogHost>loghost.example.com</file>
        <facility>DAEMON</facility>
    </appender>

    <root level="info">
        ...
        <appender-ref ref="Syslog"/>
    </root>

By default, logback scans for configuration files changes every minute. Restarting Puppet Server is not necessary. To disable this, change the scan attribute on the configuration element:

<configuration scan="true">

You can also adjust the scanning interval based on seconds, minutes, hours, or days:

<configuration scan="true" scanPeriod="30 minutes">

You will need to ensure the syslog server is configured to accept messages from the network. If logging to the local host, you will need to uncomment the following lines in /etc/rsyslog.conf:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Configuring Server Authentication

Puppet Server authentication and authorization is defined in the /etc/puppetlabs/puppetserver/conf.d/auth.conf configuration file utilizing the trapperkeeper-authorization format.

This file contains an authorization block that contains the rules used to approve or deny requests.

Tip
This section contains advanced settings for customized server environments. If you are new to Puppet, skip ahead to “Running Puppet Server” and come back later.

Understanding authorization rules

Within the authorization block are a list of rules. Each rule contains a name, a sort-order parameter, a match-request definition, and allow or deny parameters that match the node’s certificate name ($trusted['certname']).

The format of the rules is fairly self-evident, and the inline comments can help you understand why the existing rules are there. Multiple values for allow or deny should be written as an array.

The splat (*) value matches any validated node. The allow-unauthenticated: true setting is used to allow new nodes to submit certificate requests and retrieve the signed certificate.

Here is one of the more complex rules. This rule uses a regular expression capture group to match the node name requested. The allow: definition utilizes the captured node name to permit only that same node to request its catalog. See the bolded parts:

{
    # Allow nodes to retrieve only their own node definition
    match-request: {
        path: "^/puppet/v3/node/([^/]+)$"
        type: regex
        method: get
    }
    allow: "$1"
    sort-order: 500
    name: "puppetlabs node"
},

As shown, the validated node client.example.com can make a GET request for /puppet/v3/node/client.example.com. Any other node requesting the catalog for client.example.com will be denied.

Controlling authorization for Puppet 3 agents

There are separate configuration options for Puppet 3 clients, which do not utilize the Puppet API.

In Puppet Server 2, the default behavior was to enable use of the older /etc/puppetlabs/puppet/auth.conf configuration file originally used by puppet master. This behavior has been deprecated, and will likely be removed in Puppet Server 3.

Unless you have previously deployed a Puppet master with a customized auth.conf configuration file, you should disable the legacy configuration setting. If the following option can be found in /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf, set it to false:

    # (optional) Authorize access to Puppet master endpoints via rules specified
    # in the legacy Puppet auth.conf file (if true or not specified) or via rules
    # specified in the Puppet Server HOCON-formatted auth.conf (if false).
    use-legacy-auth-conf: false
Tip
This parameter only affects Puppet 3.x agents that utilize the classic Puppet master endpoints. Puppet 4 agents utilize the Puppet API endpoints controlled by settings in /etc/puppetlabs/puppetserver/conf.d/auth.conf.

To upgrade a Puppet master with a customized auth.conf, migrate the customizations to the new HOCON format auth file. A guide for converting old auth files is available at “Config File Auth: Deprecated Ruby Parameters” on the Puppet docs site.

Running Puppet Server

Now it is time to start the server. While Puppet Server is a high-performance replacement for the old Puppet master, the Java service takes a bit longer to start. Start it like so:

[vagrant@puppetserver ~]$ sudo systemctl enable puppetserver
[vagrant@puppetserver ~]$ sudo systemctl start puppetserver

You can observe what it does during startup by looking at the logfiles:

$ sudo tail -f /var/log/puppetlabs/puppetserver/puppetserver.log
309 INFO [o.e.j.u.log] Logging initialized @12460ms
742 INFO [p.t.s.w.jetty9-service] Initializing web server(s).
874 INFO [p.s.j.jruby-puppet-service] Initializing the JRuby service
209 INFO [puppet-server] Puppet Puppet settings initialized; run mode: master
384 INFO [p.s.j.jruby-puppet-agents] Finished creating JRubyPuppet instance 1 of 1
410 INFO [p.s.c.puppet-server-config-core] Initializing webserver settings
603 INFO [p.s.c.certificate-authority-service] CA Service adding a ring handler

Observe the final line, which says that it started a CA Service with a ring handler. This obscure message is the only notification you’ll receive that it has created a certificate authority based on its own certname, and then signed its own certificate.

By signing its own certificate, this Puppet Server has become the root certificate authority for this Puppet installation. Only agents with certificates signed by this certificate authority will be able to access the service. We’ll discuss ways to handle third-party certificate authorities in “Using an External Certificate Authority”.

Adding Ruby Gems

Puppet Server has its own Ruby installation separate from your system Ruby, and even from the Puppet agent’s Ruby. If you are using server-side plugins that require additional gems, use the puppetserver gem command to install them.

First, examine the gems that come preinstalled:

[vagrant@puppetserver ~]$ sudo puppetserver gem list

*** LOCAL GEMS ***

jar-dependencies (0.1.13)
jruby-openssl (0.9.7 java)
json (1.8.0 java)
rake (10.1.0)
rdoc (4.1.2)

The puppetserver gem command is identical to Ruby’s gem command, but maintains the JRuby gem-store used by the Puppet Server. If you need other gems for a plugin running on the server, use puppetserver gem to install them exactly like you’d use Ruby’s gem command:

$ sudo puppetserver gem install bundler --no-ri --no-rdoc
Fetching: bundler-1.10.6.gem (100%)
Successfully installed bundler-1.10.6
1 gem installed

Puppet Server uses JRuby, a high-performance, threaded Ruby interpreter. It is compatible with all native Ruby gems, but not with gems that use binary or compiled extensions. It is best to adjust the plugin to use a native Ruby gem whenever possible.

IPv6 Dual-Stack Puppet Server

Puppet Server uses IPv6 out of the box without any specific settings. If you are upgrading the Puppet configuration of a Puppet master, you’ll need to remove or comment out the bindaddress configuration setting used to enable IPv6 on a Puppet master:

[master]
  # this setting isn't necessary for Puppet Server
  #bindaddress = ::

If you query for listening services using netstat -an, you’ll see the Puppet master listening on a tcp6 socket. This socket accepts both IPv4 and IPv6 connections:

[vagrant@puppetmaster ~]$ netstat -an |grep 8140
tcp6       0      0 :::8140                 :::*                    LISTEN

Clients will connect to the IPv6 or IPv4 port based on the configuration of the client node, and the addresses available from DNS or the hosts file. If you want nodes to connect using only one of these protocols, provide the address of the Puppet Server in that version’s notation.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset