Puppet - first steps (using CentOS 7)
Installation
yum install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm yum install puppetserver
add following lines to /etc/puppetlabs/puppet/puppet.conf, of course, change puppetmaster to your host name:
dns_alt_names = puppet,puppetmaster [agent] runinterval = 1m
you can reduce memory usage - edit /etc/sysconfig/puppetserver file and change JAVA_ARGS to:
JAVA_ARGS="-Xms256m -Xmx384m -XX:MaxPermSize=256m"
then run service:
systemctl enable puppetserver systemctl start puppetserver
First manifests
To communicate with agents puppet use 8140 port - we try to open it using puppet in three steps:
- Install module to manage firewalld
- Create new puppet service
- Enable this service for public zone
Module installation
First we need module to manage firewalld - to install it create manifest file, ie. puppet.test.firewalld-install.pp (as you can see I used /root directory, but it does'n matter):
$module_firewalld = 'crayfishx-firewalld'
exec { 'install-puppet-module-firewalld':
command => "puppet module install ${module_firewalld}",
unless => "puppet module list | grep ${module_firewalld}",
path => ['/bin', '/opt/puppetlabs/bin']
}
and test (--noop) first manifest:
[root@puppetmaster ~]# puppet apply puppet.test.firewalld-install.pp --noop Notice: Compiled catalog for puppetmaster.lan in environment production in 0.18 seconds Notice: /Stage[main]/Main/Exec[install-puppet-module-firewalld]/returns: current_value notrun, should be 0 (noop) Notice: Class[Main]: Would have triggered 'refresh' from 1 events Notice: Stage[main]: Would have triggered 'refresh' from 1 events Notice: Applied catalog in 1.45 seconds
after this you can apply (without --noop):
[root@puppetmaster ~]# puppet apply puppet.test.firewalld-install.pp Notice: Compiled catalog for puppetmaster.lan in environment production in 0.18 seconds Notice: /Stage[main]/Main/Exec[install-puppet-module-firewalld]/returns: executed successfully Notice: Applied catalog in 14.33 seconds
of course you could just run:
puppet module install crayfishx-firewalld
but it would be too simple ;-)
Create service
Now we can create firewalld service. Create file puppet.test.firewalld-service.pp:
firewalld::custom_service{'puppet':
short => 'puppet',
description => 'Puppet Client access Puppet Server',
port => [
{
'port' => '8140',
'protocol' => 'tcp',
},
{
'port' => '8140',
'protocol' => 'udp',
},
],
}
and apply this:
[root@puppetmaster ~]# puppet apply puppet.test.firewalld-service.pp
Notice: Compiled catalog for puppetmaster.lan in environment production in 0.27 seconds
Notice: /Stage[main]/Main/Firewalld::Custom_service[puppet]/File[/etc/firewalld/services/puppet.xml]/ensure: defined content as '{md5}3fc4d356e7cb57739c8ceb8a0b483eaa'
Notice: /Stage[main]/Main/Firewalld::Custom_service[puppet]/Exec[firewalld::custom_service::reload-puppet]: Triggered 'refresh' from 1 events
Notice: Applied catalog in 1.32 seconds
(I cut warnings about depreciated validate functions)
As you can see there is a new file:
[root@puppetmaster ~]# more /etc/firewalld/services/puppet.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>puppet</short>
<description>Puppet Client access Puppet Server</description>
<port protocol="tcp" port="8140" />
<port protocol="udp" port="8140" />
</service>
Again we could create this file manually, but what for?
Enable service
It's time to use this service. Create file puppet.test.firewalld-apply.pp:
firewalld_service { 'Allow puppet from the public zone':
ensure => 'present',
service => 'puppet',
# zone => 'external',
}(because public id default parameter zone can be omitted) and apply this:
[root@puppetmaster ~]# puppet apply puppet.test.firewalld-apply.pp Notice: Compiled catalog for puppetmaster.lan in environment production in 0.15 seconds Notice: /Stage[main]/Main/Firewalld_service[Allow puppet from the public zone]/ensure: created Notice: Applied catalog in 2.04 seconds
and check:
[root@puppetmaster ~]# firewall-cmd --list-services ssh dhcpv6-client dhcp dns puppet
This way is more interesting than boring:
firewall-cmd --add-service=puppet firewall-cmd --permanent --add-service=puppet firewall-cmd --reload
Summary
As you can see setting up a test puppet master (and use them) is not so difficult. Configuration files and manifests are easy to understand.
Next step is to manage agents on other hosts...
Komentarze
Log in or create a user account to comment.