Tuesday, September 16, 2014

Puppet on Oracle Linux 7: Master and Agent Installation

Automation is changing the server management game. Not only can you now deal with hundreds of servers from a single access point, but you can also evaluate impacts, schedule changes and make sure servers stay aligned over time. This can drastically increase system and application service levels by reducing how much servers differ from one another.

When it comes to managing Oracle workloads, Puppet is one of the few automation frameworks of choice. It is easy to use, widely adopted and you can find predefined modules for Oracle on Puppet Forge. It addresses most of the challenges you will face with (1) templates and golden images that are difficult to evolve once deployed; (2) all-or-nothing software packagers like yum that don't allow the fine-grained customization required by real applications and (3) custom scripts that are difficult to manage in non-standardized environments.

This article outlines the steps required to install a Puppet Master Server as well as a Puppet Agent on Oracle Linux 7.

Puppet Master Installation

Assuming your server accesses the Internet with an IP address, SELinux is disabled and it is connected to an Oracle Yum repository, Puppet Master installation on Oracle Linux 7 is very easy:
hostname
purple

cat /etc/hosts
192.168.56.6 purple.resetlogs.com purple

grep "^SELINUX=" /etc/selinux/config
SELINUX=disabled

cat /etc/yum.repos.d/public-yum-ol7.repo 
[ol7_optional_latest]
name=Oracle Linux $releasever Optional Latest ($basearch)
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL7/optional/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
All you need to do is register the PuppetLabs Yum repository and install the puppet-server RPM:
yum install http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

yum install puppet-server
Once done, start the Puppet Master in the foreground so that it generates its Certificate Authority to manage deployments, then hit 'Ctrl+C' to stop it:
sudo puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
[...]
Notice: Starting Puppet master version 3.6.2
^C
Notice: Caught INT; calling stop

Apache and Passenger for Puppet

Puppet Master comes with Ruby's built-in web server, WEBrick. For production deployments, you might prefer to deploy Apache HTTP Server with Passenger, as described in the documentation:
yum -y install httpd httpd-devel mod_ssl \
     ruby-devel rubygems gcc openssl-devel \
     libcurl-devel zlib-devel gcc-c++

gem install rack passenger
Once installed, configure the Passenger module for Apache:
passenger-install-apache2-module

Welcome to the Phusion Passenger Apache 2 module installer, v4.0.48.

This installer will guide you through the entire installation process. It
shouldn't take more than 3 minutes in total.

Here's what you can expect from the installation process:

 1. The Apache 2 module will be installed for you.
 2. You'll learn how to configure Apache.
 3. You'll learn how to deploy a Ruby on Rails application.

Don't worry if anything goes wrong. This installer will advise you on how to
solve any problems.

Press Enter to continue, or Ctrl-C to abort.

--------------------------------------------

Which languages are you interested in?

Use <space> to select.
If the menu doesn't display correctly, press '!'

 ‣ ⬢  Ruby
   ⬢  Python
   ⬡  Node.js
   ⬡  Meteor

--------------------------------------------

[...]

Phusion Passenger is a trademark of Hongli Lai & Ninh Bui.

Allow access to port 8140 on the Puppet Master Server:
firewall-cmd --get-active-zones
public
  interfaces: enp0s3 enp0s8

firewall-cmd --add-port=8140/tcp
success

firewall-cmd --permanent --add-port=8140/tcp
success

firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3 enp0s8
  sources: 
  services: dhcpv6-client ssh
  ports: 8140/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
Create directories for Puppet Master:
mkdir -p /usr/share/puppet/rack/puppetmasterd
mkdir /usr/share/puppet/rack/puppetmasterd/public 
mkdir /usr/share/puppet/rack/puppetmasterd/tmp
cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
Save the example vhost configuration file as /usr/share/puppet/ext/rack/example-passenger-vhost.conf, then copy it to /etc/httpd/conf.d/puppetmaster.conf:
cp /usr/share/puppet/ext/rack/example-passenger-vhost.conf \
   /etc/httpd/conf.d/puppetmaster.conf
Search for the server certificates and modify the configuration file as below:
find /var/lib/puppet/ssl/public_keys -type f
/var/lib/puppet/ssl/public_keys/purple.resetlogs.com.pem

find /var/lib/puppet/ssl/certs -type f
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/purple.resetlogs.com.pem

diff /usr/share/puppet/ext/rack/puppetmasterd.conf \
     /etc/httpd/conf.d/puppetmaster.conf                        
12a13,15
> LoadModule passenger_module /usr/local/share/gems/gems/passenger-4.0.48/buildout/apache2/mod_passenger.so
> PassengerRoot /usr/local/share/gems/gems/passenger-4.0.48
> PassengerDefaultRuby /usr/bin/ruby
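Review bot: the LoadModule and PassengerRoot lines added at 13-14 hard-code the passenger-4.0.48 gem directory, which ties this vhost to that exact gem version. Take both values from what passenger-install-apache2-module prints on this host, and update them by hand after any passenger upgrade, otherwise Apache keeps loading the old build.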
33,34c36,37
< SSLCertificateFile    /var/lib/puppet/ssl/certs/puppet-server.example.com.pem
< SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet-server.example.pem
---
> SSLCertificateFile    /var/lib/puppet/ssl/certs/purple.resetlogs.com.pem
> SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/purple.resetlogs.com.pem
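Review bot: line 37 points SSLCertificateKeyFile at /var/lib/puppet/ssl/private_keys/purple.resetlogs.com.pem, but the find commands above only list public_keys and certs, so nothing shown confirms that this file exists. List /var/lib/puppet/ssl/private_keys as well before starting httpd, and keep the key unreadable to other users.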
Puppet Master is now managed by Apache. You can disable the puppetmaster service and enable/start Apache:
systemctl stop puppetmaster
systemctl disable puppetmaster
systemctl start httpd
systemctl enable httpd

Puppet Agent Installation

Once the master is installed, the agent deployment is straightforward. If your server is connected to the Internet, simply run the 2 commands below:
yum install http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum install puppet
Add a server property in the [main] or [agent] section of the /etc/puppet/puppet.conf file like below:
server=purple
Run puppet in test mode so that it registers with the master:
puppet agent -t
Connect to your Puppet Master, then review and sign the certificate request for the new server:
puppet cert list
  "yellow.resetlogs.com" (SHA256) 7D:A2:F5:7A:... 

puppet cert sign yellow.resetlogs.com
Notice: Signed certificate request for yellow.resetlogs.com
Notice: Removing file Puppet::SSL::CertificateRequest yellow...
The agent should now be running fine with its master:
puppet agent -t
Info: Caching certificate for yellow.resetlogs.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for yellow.resetlogs.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for yellow.resetlogs.com
Info: Applying configuration version '1408374669'
Notice: Finished catalog run in 0.02 seconds
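The review step before "puppet cert sign" is where a certificate request is tied to the machine that sent it. The script below is an added example, not part of the original post: it signs a request only when the fingerprint shown by "puppet cert list" on the master equals the one read on the agent with "puppet agent --fingerprint". The function names are hypothetical, and the sample fingerprints and the "green" host are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check a pending CSR's fingerprint
# against the value read on the agent before signing it on the master.

# Constructed sample data: both fingerprints and the "green" host are made up.
SAMPLE_FP='3A:91:0C:5E:77:B2:4D:18:F0:6A:C3:29:8E:55:D1:04:9B:E7:42:60:1F:AD:36:C8:7B:05:E2:94:58:0D:BF:63'
SAMPLE_LIST="  \"yellow.resetlogs.com\" (SHA256) $SAMPLE_FP
  \"green.resetlogs.com\" (SHA256) FF:${SAMPLE_FP#*:}"

# Print the fingerprint that the `puppet cert list` text in $2 shows for certname $1.
csr_fingerprint() {
    printf '%s\n' "$2" | awk -v name="\"$1\"" '$1 == name { print $3 }'
}

# Strip whitespace and upper-case the hex digits so copied values compare equal.
normalise_fp() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Succeed only if certname $1 is pending in listing $3 with fingerprint $2.
csr_matches() (
    listed=$(normalise_fp "$(csr_fingerprint "$1" "$3")")
    expected=$(normalise_fp "$2")
    [ -n "$listed" ] && [ "$listed" = "$expected" ]
)

# Run on the master: sign $1 only when its CSR matches fingerprint $2,
# the hex value printed by `puppet agent --fingerprint` on the agent.
sign_if_verified() (
    listing=$(puppet cert list) || exit 2
    if csr_matches "$1" "$2" "$listing"; then
        puppet cert sign "$1"
    else
        echo "no pending request for $1 with that fingerprint; not signing" >&2
        exit 1
    fi
)
```

On the master, source the file and call sign_if_verified with the agent's certname and the fingerprint obtained from the agent over a separate channel.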
Reference:
For more information about how to install Puppet on Oracle Linux, check Installing Puppet: Red Hat Enterprise Linux (and Derivatives)
