CentOS 6.4: puppet installation

Title:CentOS 6.4: puppet installation
Author:Douglas O’Leary <dkoleary@olearycomputers.com>
Description:How to quickly/efficiently install puppet on centos6
Disclaimer:Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me...


Most of the info required to create the checklist below came from James Turnbull’s Pro Puppet

Two other good links are Toki Winter’s site and one from 6tech.

This is going to be a work in progress as there are at least two things to which I want to find answers. Unfortunately, if this goes the way of my normal studying, I’ll end up having to leave this for a few weeks/months during which time I’ll have forgotten everything...

The primary point of this checklist is to kick out a production ready puppet installation as quickly as possible.

Also, note: as of this writing, this installs a puppet ver 2.6 implementation. I’m currently looking into upgrading that to ver 3.X.


Selinux seems to be getting in the way. I have done some initial searching on puppet/selinux interaction but didn’t get very far. There were a couple of urls that showed how to create a selinux module; but, one of them was dated and, of course, I didn’t record the url of the second.

One thing that I just found that seeems like it’ll be particularly useful is http://linux.die.net/man/8/puppet_selinux. In that page, there’s references to two selinux booleans:

# getsebool -a | grep -i puppet
puppet_manage_all_files --> off
puppetmaster_use_db --> off

That won’t help w/the access to port 8140, though. So, in the meantime:

  • Set selinux to permissive mode: One of two things to correct

    • echo '0' > /selinux/enforce
    • SELINUX=permissive in /etc/selinux/config

    When I started this up in my real network, I was still getting tons of avc denied messages. Something else on the to-do list, learn selinux. Setting the selinux booleans puppet_manage_all_files and allow_ypbind seems to have gotten rid of most of them. Running the messages through audit2allow resulted in:

    # grep ruby /var/log/messages | audit2allow -m ruby
    module ruby 1.0;
    #!!!! This avc can be allowed using the boolean 'allow_ypbind'
    allow passenger_t self:tcp_socket listen;
  • Update DNS and hosts, use fqdns by default.

  • Update firewall; ensure 8140 is allowed:

    # iptables -L -n | grep -i 8140
    ACCEPT  tcp  --  state NEW tcp dpt:8140
  • Install epel on all nodes: rpm -ivh http://mirror.symnds.com/distributions/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

  • Install apache and passenger

    • yum -y install httpd mod_ssl rubygem-passenger mod_passenger

    • /etc/httpd/conf.d/passenger.conf Update hostnames, directories and file locations as needed/appropriate:

      LoadModule passenger_module modules/mod_passenger.so
      <IfModule mod_passenger.c>
         PassengerRoot /usr/share/rubygems/gems/passenger-3.0.21
         PassengerRuby /usr/bin/ruby
          PassengerHighPerformance on
          PassengerUseGlobalQueue on
          PassengerMaxPoolSize 6
          PassengerMaxRequests 4000
          PassengerPoolIdleTime 1800
      ### Puppet config
      Listen 8140
      <VirtualHost *:8140>
          SSLEngine on
          SSLProtocol -ALL +SSLv3 +TLSv1
          SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
          SSLCertificateFile /var/lib/puppet/ssl/certs/vmhost.olearycomputers.com.pem
          SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/vmhost.olearycomputers.com.pem
          SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
          SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
      ## Disable following if apachecomplains about CRL
          SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
      ### Optional to allow CSR request; required if certs get distributed
      ### to clients during provisioning
          SSLVerifyClient optional
          SSLVerifyDepth 1
          SSLOptions +StdEnvVars
      ### Client headers record authentication info for downsteam workers
          RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
          RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
          RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
          RackAutoDetect On
          DocumentRoot /etc/puppet/rack/puppetmaster/public/
          <Directory /etc/puppet/rack/puppetmaster/>
              Options None
              AllowOverride None
              Order allow,deny
              allow from all
    • mkdir -p -m 755 /etc/puppet/rack/puppetmaster/{public,tmp}

    • /etc/puppet/rack/puppetmaster/config.ru:

      $0 = "master"
      # enable debugging
      # ARGV << "--debug"
      # Standard:
      ARGV << "--rack"
      require 'puppet/application/master'
      run Puppet::Application[:master].run
      # EOF
    • chkconfig httpd on ## But DO NOT start it yet

  • Install puppet master:

    • yum -y install ruby ruby-libs ruby-shadow puppet puppet-server facter
    • chown -R puppet:puppet /etc/puppet/rack/puppetmaster/
  • Install puppet clients: yum -y install ruby ruby-libs-ruby-shadow puppet facter

  • Run the puppet master in no-daemonize for initial client signatures and to verify everything’s functional: puppet master --verbose --no-daemonize

  • If reinstalling clients, particularly if you’re moving the puppet master, delete existing ssl keys on the clients:

    # find /var/lib/puppet/ssl -name \*${short_name}\* -print | xargs -i rm {}
  • In another window, on a client system, run the the client:

    # puppet agent --no-daemonize --verbose --server=vmhost.olearycomputers.com
    dnsdomainname: Unknown host
    info: Creating a new SSL key for vm1.olearycomputers.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for vm1.olearycomputers.com
    info: Certificate Request fingerprint (md5): 91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3
  • Back on the puppet master, sign the certificate:

    # puppet cert --list
      "vm1.olearycomputers.com" (91:92:CC:09:94:16:2A:DF:75:45:61:DC:03:AF:08:A3)
    # puppet cert --sign vm1.olearycomputers.com
    notice: Signed certificate request for vm1.olearycomputers.com
    notice: Removing file Puppet::SSL::CertificateRequest vm1.olearycomputers.com at '/var/lib/puppet/ssl/ca/requests/vm1.olearycomputers.com.pem'
  • Update puppet master configuration files:

    • /etc/puppet/manifets/{site.pp, nodes.pp}
    • Appropriate modules under /etc/puppet/modules
  • When everything checks out, turn on relevant services. Check for errors in appropriate log files:

    • puppet master:

      # chkconfig --list | grep -e puppet -e httpd
      httpd        0:off  1:off  2:on   3:on   4:on   5:on   6:off
      puppet       0:off  1:off  2:on   3:on   4:on   5:on   6:off
      puppetmaster 0:off  1:off  2:off  3:off  4:off  5:off  6:off
    • puppet clients:

      # chkconfig --list puppet
      puppet       0:off  1:off  2:on   3:on   4:on   5:on   6:off
  • passenger-status is the other thing that I need to investigate:: out what’s up with that:

    # /usr/share/rubygems/gems/passenger-3.0.21/bin/passenger-status
    /usr/lib/ruby/site_ruby/1.8/rubygems.rb:779:in `report_activate_error': Could not find RubyGem passenger (>= 0) (Gem::LoadError)
            from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:214:in `activate'
            from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:1082:in `gem'
            from /usr/share/rubygems/gems/passenger-3.0.21/bin/passenger-status:18


So, those steps should get you a puppet master using apache and passenger which, according to the Pro Puppet should be good for up to 2,000 nodes. It’ll also get a couple of clients which can be puppet managed.