puppet

How to install and configure Puppet on CentOS 7

Puppet is an open source infrastructure automation tool: it automates the packaging and deployment of applications on servers. It is one of the best configuration management tools, like Ansible and Chef.

In this article we will see how to install puppet master and puppet agent on RedHat/CentOS 7.

Installing puppet master and puppet agent:

Prerequisites:

We need at least two machines:

- puppet-master / 192.168.139.133 : puppet server
- puppet-agent  / 192.168.139.134 : puppet agent

Instead of setting up a DNS server, make sure to put the names of both servers in the /etc/hosts file of each machine:

[root@puppet-master ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1       localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.139.133 puppet-master
192.168.139.134 puppet-agent
[root@puppet-master ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.139.134 puppet-agent
192.168.139.133 puppet-master

Installing NTP:

First we need to make sure that the clocks of the two servers are properly synchronised; for that we will install the ntp service on the puppet-master:

[root@puppet-master ~]# yum install ntp -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base: repo.nixval.com
extras: repo.nixval.com
updates: mirror.marwan.ma
Resolving Dependencies
--> Running transaction check
---> Package ntp.x86_64 0:4.2.6p5-29.el7.centos.2 will be installed
--> Processing Dependency: ntpdate = 4.2.6p5-29.el7.centos.2 for package: ntp-4.2.6p5-29.el7.centos.2.x86_64
--> Processing Dependency: libopts.so.25()(64bit) for package: ntp-4.2.6p5-29.el7.centos.2.x86_64
--> Running transaction check
---> Package autogen-libopts.x86_64 0:5.18-5.el7 will be installed
---> Package ntpdate.x86_64 0:4.2.6p5-29.el7.centos.2 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================================================================================================================
Package Arch Version Repository Size
Installing:
ntp x86_64 4.2.6p5-29.el7.centos.2 base 549 k
Installing for dependencies:
autogen-libopts x86_64 5.18-5.el7 base 66 k
ntpdate x86_64 4.2.6p5-29.el7.centos.2 base 87 k

We will use the default CentOS ntp servers, which are already configured:

[root@puppet-master ~]# cat /etc/ntp.conf | grep -i centos
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

Then run the ntpdate command to synchronise the date and time:

[root@puppet-master ~]# ntpdate 0.centos.pool.ntp.org
27 Apr 11:52:55 ntpdate[18794]: adjust time server 196.200.160.123 offset -0.011770 sec

Restart the ntp service and don't forget to enable it:

[root@puppet-master ~]# systemctl restart ntpd
[root@puppet-master ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
[root@puppet-master ~]# systemctl status ntpd
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-04-27 11:54:48 EDT; 18s ago
Main PID: 18820 (ntpd)
CGroup: /system.slice/ntpd.service
└─18820 /usr/sbin/ntpd -u ntp:ntp -g
Apr 27 11:54:48 puppet-master ntpd[18820]: Listen and drop on 1 v6wildcard :: UDP 123
Apr 27 11:54:48 puppet-master ntpd[18820]: Listen normally on 2 lo 127.0.0.1 UDP 123
Apr 27 11:54:48 puppet-master ntpd[18820]: Listen normally on 3 ens33 192.168.139.133 UDP 123

Installing puppet master:

To be able to install puppet, we need to add the puppet repository:

[root@puppet-master ~]# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
Retrieving https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
warning: /var/tmp/rpm-tmp.49mzgb: Header V4 RSA/SHA1 Signature, key ID ef8d349f: NOKEY
Preparing… ################################# [100%]
Updating / installing…
1:puppetlabs-release-pc1-1.1.0-5.el################################# [100%]

Our repository has been added:

[root@puppet-master ~]# ll /etc/yum.repos.d/
total 44
-rw-r--r--. 1 root root 1664 Nov 23 10:08 CentOS-Base.repo
-rw-r--r--. 1 root root 1309 Nov 23 10:08 CentOS-CR.repo
-rw-r--r--. 1 root root 649 Nov 23 10:08 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 314 Nov 23 10:08 CentOS-fasttrack.repo
-rw-r--r--. 1 root root 630 Nov 23 10:08 CentOS-Media.repo
-rw-r--r--. 1 root root 1331 Nov 23 10:08 CentOS-Sources.repo
-rw-r--r--. 1 root root 8515 Nov 23 10:08 CentOS-Vault.repo
-rw-r--r--. 1 root root 616 Nov 23 10:08 CentOS-x86_64-kernel.repo
-rw-r--r--. 1 root root 529 Jan 10 2017 puppetlabs-pc1.repo

We can now install puppetserver:

[root@puppet-master ~]# yum -y install puppetserver
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base: repo.nixval.com
extras: repo.nixval.com
updates: mirror.marwan.ma
puppetlabs-pc1 | 2.5 kB 00:00:00
puppetlabs-pc1/x86_64/primary_db | 234 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package puppetserver.noarch 0:2.8.1-1.el7 will be installed
--> Processing Dependency: puppet-agent >= 1.6.0 for package: puppetserver-2.8.1-1.el7.noarch
--> Processing Dependency: java-1.8.0-openjdk-headless for package: puppetserver-2.8.1-1.el7.noarch
--> Running transaction check
---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.292.b10-1.el7_9 will be installed
--> Processing Dependency: tzdata-java >= 2021a for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64
--> Processing Dependency: copy-jdk-configs >= 3.3 for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64
--> Processing Dependency: pcsc-lite-libs(x86-64) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64
--> Processing Dependency: lksctp-tools(x86-64) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64
--> Processing Dependency: libjpeg.so.62(LIBJPEG_6.2)(64bit) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64
--> Processing Dependency: jpackage-utils for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64
--> Processing Dependency: cups-libs(x86-64) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64
--> Processing Dependency: libjpeg.so.62()(64bit) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64
---> Package puppet-agent.x86_64 0:1.10.14-1.el7 will be installed
--> Running transaction check
---> Package copy-jdk-configs.noarch 0:3.3-10.el7_5 will be installed
---> Package cups-libs.x86_64 1:1.6.3-51.el7 will be installed
--> Processing Dependency: libavahi-common.so.3()(64bit) for package: 1:cups-libs-1.6.3-51.el7.x86_64
--> Processing Dependency: libavahi-client.so.3()(64bit) for package: 1:cups-libs-1.6.3-51.el7.x86_64
---> Package javapackages-tools.noarch 0:3.4.1-11.el7 will be installed
--> Processing Dependency: python-javapackages = 3.4.1-11.el7 for package: javapackages-tools-3.4.1-11.el7.noarch
---> Package libjpeg-turbo.x86_64 0:1.2.90-8.el7 will be installed
---> Package lksctp-tools.x86_64 0:1.0.17-2.el7 will be installed

Edit the puppet master configuration file and add the lines below:

[root@puppet-master ~]# cat /etc/puppetlabs/puppet/puppet.conf
[master]
dns_alt_names=puppet-master
[main]
certname = puppet-master
server = puppet-master
environment = production
runinterval = 1h

Start the service and enable it:

[root@puppet-master ~]# systemctl start puppetserver.service
[root@puppet-master ~]# systemctl enable puppetserver.service
Created symlink from /etc/systemd/system/multi-user.target.wants/puppetserver.service to /usr/lib/systemd/system/puppetserver.service.
[root@puppet-master ~]# systemctl status puppetserver.service
● puppetserver.service - puppetserver Service
Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-04-27 12:08:11 EDT; 2min 10s ago
Main PID: 19120 (java)
CGroup: /system.slice/puppetserver.service
└─19120 /usr/bin/java -Xms2g -Xmx2g -XX:MaxPermSize=256m -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetserver/pup…
Apr 27 12:07:15 puppet-master systemd[1]: Starting puppetserver Service…
Apr 27 12:07:15 puppet-master puppetserver[19111]: OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
Apr 27 12:08:11 puppet-master systemd[1]: Started puppetserver Service.

Installing puppet agent:

Unlike Ansible, Puppet requires an agent on the clients in order to communicate with them.

As for the puppet master, add the puppet repository and then install puppet agent:

[root@puppet-agent ~]# yum install -y puppet-agent
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base: repo.nixval.com
extras: repo.nixval.com
updates: mirror.marwan.ma
puppetlabs-pc1 | 2.5 kB 00:00:00
puppetlabs-pc1/x86_64/primary_db | 234 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package puppet-agent.x86_64 0:1.10.14-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================================================================================
Package Arch Version Repository Size
Installing:
puppet-agent x86_64 1.10.14-1.el7 puppetlabs-pc1 19 M
Transaction Summary

Edit the puppet agent configuration file and add the lines below:

[root@puppet-agent ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
certname = puppet-agent
server = puppet-master
environment = production
runinterval = 1h

Firewalld:

Before continuing, we need to allow port 8140, on which puppet listens, in firewalld:

[root@puppet-master ~]# netstat -tulpen |grep 8140
tcp6 0 0 :::8140 :::* LISTEN 997 50711 19120/java

As you can see below, puppet agent cannot reach puppet master on port 8140:

[root@puppet-agent ~]# telnet puppet-master 8140
Trying 192.168.139.133…
telnet: connect to address 192.168.139.133: No route to host

So we need to allow incoming and outgoing connections from and to puppet agent on this port:

[root@puppet-master ~]# firewall-cmd --add-port=8140/tcp --permanent
[root@puppet-master ~]# firewall-cmd --reload
[root@puppet-master ~]# firewall-cmd --list-ports
8140/tcp
[root@puppet-agent ~]# telnet puppet-master 8140
Trying 192.168.139.133…
Connected to puppet-master.
Escape character is '^]'.

Signing the puppet agent certificate:

Now we will register puppet agent with puppet master using the command below:

[root@puppet-agent ~]# /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
ensure => 'running',
enable => 'true',
}

On puppet master, run the command below to display the puppet agent certificate request:

[root@puppet-master ~]# puppet cert list
"puppet-agent" (SHA256) 1F:6C:C2:57:5B:4A:B9:0B:68:E3:4C:BD:1B:44:69:2F:59:3E:72:1B:E8:EF:9B:4E:F0:DA:1E:00:F4:13:D7:F9

Sign the certificate with the command below:

[root@puppet-master ~]# puppet cert sign puppet-agent
Signing Certificate Request for:
"puppet-agent" (SHA256) 1F:6C:C2:57:5B:4A:B9:0B:68:E3:4C:BD:1B:44:69:2F:59:3E:72:1B:E8:EF:9B:4E:F0:DA:1E:00:F4:13:D7:F9
Notice: Signed certificate request for puppet-agent
Notice: Removing file Puppet::SSL::CertificateRequest puppet-agent at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet-agent.pem'

Our certificate is now signed.
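Before running puppet cert sign, a practitioner checks that the pending request really belongs to the agent host: the fingerprint that puppet cert list shows on the master must equal the one the agent itself reports with /opt/puppetlabs/bin/puppet agent --fingerprint. The script below is an added example, not part of the original post; it parses the listing format shown above and compares the two values (the sample outputs are constructed: the "web02" entry and its fingerprint are made up).

```shell
#!/bin/sh
# Added example, not from the original post: verify a pending agent CSR before signing it.
# Master side: "puppet cert list" prints one line per pending request:
#   "puppet-agent" (SHA256) 1F:6C:...:F9
# Agent side: "/opt/puppetlabs/bin/puppet agent --fingerprint" prints the agent's own
# CSR digest. If the two differ, the request waiting on the master did not come
# from the host you expect, so it must not be signed.

# Reduce a fingerprint to bare uppercase hex so both outputs compare equally.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/(SHA256)//' | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# Print the fingerprint "puppet cert list" shows for one certname (column 3 of the
# matching line); prints nothing when no request is pending for that name.
pending_fp_for() {
    printf '%s\n' "$2" | awk -v n="\"$1\"" '$1 == n { print $3 }'
}

# Exit 0 when the master-side and agent-side fingerprints match, 1 otherwise.
fingerprints_match() {
    m=$(normalize_fp "$1")
    a=$(normalize_fp "$2")
    [ -n "$m" ] && [ "$m" = "$a" ]
}

# Constructed sample standing in for the real command outputs: the listing from the
# post plus a second pending request with a made-up fingerprint.
MASTER_LIST='"puppet-agent" (SHA256) 1F:6C:C2:57:5B:4A:B9:0B:68:E3:4C:BD:1B:44:69:2F:59:3E:72:1B:E8:EF:9B:4E:F0:DA:1E:00:F4:13:D7:F9
"web02" (SHA256) 0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20:21:22:23:24:25:26:27:28:29'
AGENT_FP='(SHA256) 1f:6c:c2:57:5b:4a:b9:0b:68:e3:4c:bd:1b:44:69:2f:59:3e:72:1b:e8:ef:9b:4e:f0:da:1e:00:f4:13:d7:f9'

# Decide whether it is safe to run "puppet cert sign <certname>" for the given
# certname, given the fingerprint reported by that agent.
check_before_sign() {
    pending=$(pending_fp_for "$1" "$MASTER_LIST")
    if fingerprints_match "$pending" "$2"; then
        echo "OK: request for $1 matches the agent, safe to run: puppet cert sign $1"
        return 0
    fi
    echo "MISMATCH: do not sign $1 (master: ${pending:-none}, agent: $2)" >&2
    return 1
}

check_before_sign puppet-agent "$AGENT_FP"
```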

Now that everything is ok, start puppet agent with the command below:

[root@puppet-agent ~]# /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
ensure => 'running',
enable => 'true',
}

Checking the puppet agent configuration:

Run the command below:

[root@puppet-agent ~]# puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppet-agent
Info: Applying configuration version '1619543869'
Notice: Applied catalog in 0.01 seconds

Puppet agent has successfully pulled the configuration from the master.

Installing the httpd service via puppet:

We will now do a real test by installing the httpd service:

Create a file with the name of your choice in the /etc/puppetlabs/code/environments/production/manifests directory and add the lines below:

[root@puppet-master ~]# cd /etc/puppetlabs/code/environments/production/manifests
[root@puppet-master manifests]# cat httpd.pp
node 'puppet-agent' {
  package { 'httpd':
    ensure => "installed",
  }
  service { 'httpd':
    ensure => running,
    enable => true,
  }
}

Then run the command below on puppet agent:

[root@puppet-agent ~]# /opt/puppetlabs/bin/puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppet-agent
Info: Applying configuration version '1619544385'
Notice: /Stage[main]/Main/Node[puppet-agent]/Package[httpd]/ensure: created
Notice: /Stage[main]/Main/Node[puppet-agent]/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Main/Node[puppet-agent]/Service[httpd]: Unscheduling refresh on Service[httpd]
Notice: Applied catalog in 4.51 seconds

The command fetches the configuration from puppet master and applies it.

As you can see below, the httpd service has been installed and started:

[root@puppet-agent ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-04-27 13:26:31 EDT; 21s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 19330 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─19330 /usr/sbin/httpd -DFOREGROUND
├─19331 /usr/sbin/httpd -DFOREGROUND
├─19332 /usr/sbin/httpd -DFOREGROUND
├─19333 /usr/sbin/httpd -DFOREGROUND
├─19334 /usr/sbin/httpd -DFOREGROUND
└─19335 /usr/sbin/httpd -DFOREGROUND
Apr 27 13:26:31 puppet-agent systemd[1]: Starting The Apache HTTP Server…