Puppet est un outil open source d’automatisation d’infrastructure, il automatise le packaging et le déploiement d’applications sur les serveurs. C’est l’un des meilleurs outils de « Configuration Management » comme Ansible est chef.
Dans c’est article nous allons voir comment installer puppet master et puppet agent sur RedHat/CentOS 7.
Installer puppet master et puppet agent :
Prérequis :
Nous avons besoin au minimum de deux machines :
-puppet-master /192.168.139.133 : serveur puppet -puppet-agent /192.168.139.134 : puppet agent
Au lieu de mettre en place un serveur DNS, rassurez vous de mettre les noms des deux serveurs sur le fichier /etc/hosts de chaque machine:
[root@puppet-master ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.139.133 puppet-master 192.168.139.134 puppet-agent
[root@puppet-master ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.139.134 puppet-agent 192.168.139.133 puppet-master
Installation de NTP:
D’abord nous devons s’assurer que les horloges sont bien synchronisés entre les deux serveurs, pour cela nous allons installer le service ntp sur le puppet-master :
[root@puppet-master ~]# yum install ntp -y Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile base: repo.nixval.com extras: repo.nixval.com updates: mirror.marwan.ma Resolving Dependencies --> Running transaction check ---> Package ntp.x86_64 0:4.2.6p5-29.el7.centos.2 will be installed --> Processing Dependency: ntpdate = 4.2.6p5-29.el7.centos.2 for package: ntp-4.2.6p5-29.el7.centos.2.x86_64 --> Processing Dependency: libopts.so.25()(64bit) for package: ntp-4.2.6p5-29.el7.centos.2.x86_64 --> Running transaction check ---> Package autogen-libopts.x86_64 0:5.18-5.el7 will be installed ---> Package ntpdate.x86_64 0:4.2.6p5-29.el7.centos.2 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================================================================================================================ Package Arch Version Repository Size Installing: ntp x86_64 4.2.6p5-29.el7.centos.2 base 549 k Installing for dependencies: autogen-libopts x86_64 5.18-5.el7 base 66 k ntpdate x86_64 4.2.6p5-29.el7.centos.2 base 87 k
Nous allons utiliser les serveurs ntp de CentOS par défaut déja configurés:
[root@puppet-master ~]# cat /etc/ntp.conf | grep -i centos server 0.centos.pool.ntp.org iburst server 1.centos.pool.ntp.org iburst server 2.centos.pool.ntp.org iburst server 3.centos.pool.ntp.org iburst
Ensuite taper la commande ntpdate pour synchroniser la date et l’horloge :
[root@puppet-master ~]# ntpdate 0.centos.pool.ntp.org 27 Apr 11:52:55 ntpdate[18794]: adjust time server 196.200.160.123 offset -0.011770 sec
Redémarrez le service ntp et n’oubliez pas de le mettre en enabled :
[root@puppet-master ~]# systemctl restart ntpd [root@puppet-master ~]# systemctl enable ntpd Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service. [root@puppet-master ~]# systemctl status ntpd ● ntpd.service - Network Time Service Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled) Active: active (running) since Tue 2021-04-27 11:54:48 EDT; 18s ago Main PID: 18820 (ntpd) CGroup: /system.slice/ntpd.service └─18820 /usr/sbin/ntpd -u ntp:ntp -g Apr 27 11:54:48 puppet-master ntpd[18820]: Listen and drop on 1 v6wildcard :: UDP 123 Apr 27 11:54:48 puppet-master ntpd[18820]: Listen normally on 2 lo 127.0.0.1 UDP 123 Apr 27 11:54:48 puppet-master ntpd[18820]: Listen normally on 3 ens33 192.168.139.133 UDP 123
Installer puppet master :
Pour pouvoir installer puppet, nous devons ajouter le dépôt puppet :
[root@puppet-master ~]# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm Retrieving https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm warning: /var/tmp/rpm-tmp.49mzgb: Header V4 RSA/SHA1 Signature, key ID ef8d349f: NOKEY Preparing… ################################# [100%] Updating / installing… 1:puppetlabs-release-pc1-1.1.0-5.el################################# [100%]
Notre dépôt a été bien ajouté :
[root@puppet-master ~]# ll /etc/yum.repos.d/
total 44
-rw-r--r--. 1 root root 1664 Nov 23 10:08 CentOS-Base.repo
-rw-r--r--. 1 root root 1309 Nov 23 10:08 CentOS-CR.repo
-rw-r--r--. 1 root root 649 Nov 23 10:08 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 314 Nov 23 10:08 CentOS-fasttrack.repo
-rw-r--r--. 1 root root 630 Nov 23 10:08 CentOS-Media.repo
-rw-r--r--. 1 root root 1331 Nov 23 10:08 CentOS-Sources.repo
-rw-r--r--. 1 root root 8515 Nov 23 10:08 CentOS-Vault.repo
-rw-r--r--. 1 root root 616 Nov 23 10:08 CentOS-x86_64-kernel.repo
-rw-r--r--. 1 root root 529 Jan 10 2017 puppetlabs-pc1.repoNous pouvons maintenant installer puppet-server :
[root@puppet-master ~]# yum -y install puppetserver Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile base: repo.nixval.com extras: repo.nixval.com updates: mirror.marwan.ma puppetlabs-pc1 | 2.5 kB 00:00:00 puppetlabs-pc1/x86_64/primary_db | 234 kB 00:00:00 Resolving Dependencies --> Running transaction check ---> Package puppetserver.noarch 0:2.8.1-1.el7 will be installed --> Processing Dependency: puppet-agent >= 1.6.0 for package: puppetserver-2.8.1-1.el7.noarch --> Processing Dependency: java-1.8.0-openjdk-headless for package: puppetserver-2.8.1-1.el7.noarch --> Running transaction check ---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.292.b10-1.el7_9 will be installed --> Processing Dependency: tzdata-java >= 2021a for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64 --> Processing Dependency: copy-jdk-configs >= 3.3 for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64 --> Processing Dependency: pcsc-lite-libs(x86-64) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64 --> Processing Dependency: lksctp-tools(x86-64) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64 --> Processing Dependency: libjpeg.so.62(LIBJPEG_6.2)(64bit) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64 --> Processing Dependency: jpackage-utils for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64 --> Processing Dependency: cups-libs(x86-64) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64 --> Processing Dependency: libjpeg.so.62()(64bit) for package: 1:java-1.8.0-openjdk-headless-1.8.0.292.b10-1.el7_9.x86_64 ---> Package puppet-agent.x86_64 0:1.10.14-1.el7 will be installed --> Running transaction check ---> Package copy-jdk-configs.noarch 0:3.3-10.el7_5 will be installed ---> Package cups-libs.x86_64 1:1.6.3-51.el7 will be installed --> Processing Dependency: libavahi-common.so.3()(64bit) for package: 1:cups-libs-1.6.3-51.el7.x86_64 --> Processing Dependency: libavahi-client.so.3()(64bit) for package: 1:cups-libs-1.6.3-51.el7.x86_64 ---> Package javapackages-tools.noarch 0:3.4.1-11.el7 will be installed --> Processing Dependency: python-javapackages = 3.4.1-11.el7 for package: javapackages-tools-3.4.1-11.el7.noarch ---> Package libjpeg-turbo.x86_64 0:1.2.90-8.el7 will be installed ---> Package lksctp-tools.x86_64 0:1.0.17-2.el7 will be installed
Editer le fichier de configuration de puppet master et ajouter les lignes ci-dessous :
[root@puppet-master ~]# cat /etc/puppetlabs/puppet/puppet.conf [master] dns_alt_names=puppet-master [main] certname = puppet-master server = puppet-master environment = production runinterval = 1h
Démarrez le service et mettez-le en enbaled :
[root@puppet-master ~]# systemctl start puppetserver.service [root@puppet-master ~]# systemctl enable puppetserver.service Created symlink from /etc/systemd/system/multi-user.target.wants/puppetserver.service to /usr/lib/systemd/system/puppetserver.service.
[root@puppet-master ~]# systemctl status puppetserver.service ● puppetserver.service - puppetserver Service Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; enabled; vendor preset: disabled) Active: active (running) since Tue 2021-04-27 12:08:11 EDT; 2min 10s ago Main PID: 19120 (java) CGroup: /system.slice/puppetserver.service └─19120 /usr/bin/java -Xms2g -Xmx2g -XX:MaxPermSize=256m -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetserver/pup… Apr 27 12:07:15 puppet-master systemd[1]: Starting puppetserver Service… Apr 27 12:07:15 puppet-master puppetserver[19111]: OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0 Apr 27 12:08:11 puppet-master systemd[1]: Started puppetserver Service.
Installer puppet agent :
Contrairement à Ansible, Puppet nécessite un agent sur les clients pour dialoguer avec eux.
Comme pour puppet master, ajouter le dépôt puppet ensuite installer puppet agent :
[root@puppet-agent ~]# yum install -y puppet-agent Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile base: repo.nixval.com extras: repo.nixval.com updates: mirror.marwan.ma puppetlabs-pc1 | 2.5 kB 00:00:00 puppetlabs-pc1/x86_64/primary_db | 234 kB 00:00:00 Resolving Dependencies --> Running transaction check ---> Package puppet-agent.x86_64 0:1.10.14-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ========================================================================================================================================================================================== Package Arch Version Repository Size Installing: puppet-agent x86_64 1.10.14-1.el7 puppetlabs-pc1 19 M Transaction Summary
Editer le fichier de configuration de puppet agent et ajouter les ligne ci-dessous :
[root@puppet-agent ~]# cat /etc/puppetlabs/puppet/puppet.conf [main] certname = puppet-agent server = puppet-master environment = production runinterval = 1h
Firewalld :
Avant de continuer nous avons besoin d’autoriser le port sur lequel écoute puppet 8140 au niveau du firewalld :
[root@puppet-master ~]# netstat -tulpen |grep 8140 tcp6 0 0 :::8140 :::* LISTEN 997 50711 19120/java
Comme vous pouvez le constater ci-dessous, puppet agent n’arrive pas à joindre puppet master via le port 8140 :
[root@puppet-agent ~]# telnet puppet-master 8140 Trying 192.168.139.133… telnet: connect to address 192.168.139.133: No route to host
Nous devons donc autoriser les connexions entrants et sortantes à partir et vers puppet agent via ce port :
[root@puppet-master ~]# firewall-cmd --add-port=8140/tcp --permanent [root@puppet-master ~]# firewall-cmd --reload [root@puppet-master ~]# firewall-cmd --list-ports 8140/tcp
[root@puppet-agent ~]# telnet puppet-master 8140
Trying 192.168.139.133…
Connected to puppet-master.
Escape character is '^]'.Signer le certificat de puppet agent :
Maintenant nous allons enregistrer puppet agent sur puppet master via la commande ci-dessous :
[root@puppet-agent ~]# /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running' service { 'puppet': ensure => 'running', enable => 'true', }
Sur puppet master taper la commande ci-dessous pour afficher le certificat de puppet agent
[root@puppet-master ~]# puppet cert list "puppet-agent" (SHA256) 1F:6C:C2:57:5B:4A:B9:0B:68:E3:4C:BD:1B:44:69:2F:59:3E:72:1B:E8:EF:9B:4E:F0:DA:1E:00:F4:13:D7:F9
Signez le certificat avec la commande ci-dessous :
[root@puppet-master ~]# puppet cert sign puppet-agent Signing Certificate Request for: "puppet-agent" (SHA256) 1F:6C:C2:57:5B:4A:B9:0B:68:E3:4C:BD:1B:44:69:2F:59:3E:72:1B:E8:EF:9B:4E:F0:DA:1E:00:F4:13:D7:F9 Notice: Signed certificate request for puppet-agent Notice: Removing file Puppet::SSL::CertificateRequest puppet-agent at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet-agent.pem'
Notre certificat est maintenant signé.
Maintenant que tout est ok, démmarer puppet agent avec la commande ci-dessous :
[root@puppet-agent ~]# /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running' service { 'puppet': ensure => 'running', enable => 'true', }
Vérification de la configuration de puppet agent :
Taper la commande ci-dessous :
[root@puppet-agent ~]# puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppet-agent
Info: Applying configuration version '1619543869'
Notice: Applied catalog in 0.01 secondsPuppet agent a bien tiré (pulled) la configuration depuis le master avec succès.
Installer le service httpd via puppet :
Nous allons maintenant faire un vrais test en installant le service httpd :
Créez un fichier avec le nom de votre choix au niveau du répertoire /etc/puppetlabs/code/environments/production/manifests et ajoutez les lignes ci-dessous :
[root@puppet-master ~]# cd /etc/puppetlabs/code/environments/production/manifests
[root@puppet-master manifests]# cat httpd.pp
node 'puppet-agent' {
package { 'httpd':
ensure => "installed",
}
service { 'httpd':
ensure => running,
enable => true
}
}Ensuite tapez la commande ci-dessous au niveau de puppet agent :
[root@puppet-agent ~]# /opt/puppetlabs/bin/puppet agent --test Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Info: Caching catalog for puppet-agent Info: Applying configuration version '1619544385' Notice: /Stage[main]/Main/Node[puppet-agent]/Package[httpd]/ensure: created Notice: /Stage[main]/Main/Node[puppet-agent]/Service[httpd]/ensure: ensure changed 'stopped' to 'running' Info: /Stage[main]/Main/Node[puppet-agent]/Service[httpd]: Unscheduling refresh on Service[httpd] Notice: Applied catalog in 4.51 seconds
La commande récupère la configuration depuis puppet master et l’applique.
Comme pouvez voir ci-dessous le service httpd a été bien installé et démarré :
[root@puppet-agent ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-04-27 13:26:31 EDT; 21s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 19330 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─19330 /usr/sbin/httpd -DFOREGROUND
├─19331 /usr/sbin/httpd -DFOREGROUND
├─19332 /usr/sbin/httpd -DFOREGROUND
├─19333 /usr/sbin/httpd -DFOREGROUND
├─19334 /usr/sbin/httpd -DFOREGROUND
└─19335 /usr/sbin/httpd -DFOREGROUND
Apr 27 13:26:31 puppet-agent systemd[1]: Starting The Apache HTTP Server…
Trois commandes pour vérifier si un port est ouvert sur un système Linux distant
Iptables : 12 commandes à connaître
dd (Disk Dump) : 7 exemples pratiques d’utilisation
Nslookup : 8 commandes les plus utilisés
Fail2Ban : How to protect Linux services