Install and Configure Puppet on CentOS 7 / RHEL 7
Puppet is an open-source configuration management tool. It runs on many Unix-like systems as well as on Microsoft Windows, and includes its own declarative language to describe system configuration.
Puppet is produced by Puppet Labs, founded by Luke Kanies in 2005. It is written in Ruby and released as free software under the GNU General Public License (GPL) until version 2.7.0 and the Apache License 2.0 after that.
Puppet Master:
Operating system : CentOS 7 Minimal
IP Address : 192.168.2.10
HostName : server.hackthesec.local
Puppet client:
Operating System : CentOS 7 Minimal
IP Address : 192.168.2.20
HostName : client.hackthesec.local
Make sure both systems (puppet server and client) can resolve each other's hostname, either through the /etc/hosts file or a DNS server.
For a production-ready Puppet setup, we run the puppet master under Apache with Passenger. To get Passenger, download its repo file and place it in /etc/yum.repos.d/.
Note: Only on the master server.
[root@hackthesec server ~]# curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
To install the puppet master or agent, the Puppet repository must be set up on all nodes. Enable the Puppet Labs repository by installing the rpm below.
Note: Run it on both master and agent nodes.
# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Install and Configure Puppet on CentOS 7:
Now it's time to install Puppet. Install the puppet server using the command below.
[root@hackthesec server ~]# yum -y install puppet-server
As said earlier, we will configure Puppet in a master/agent architecture, so this node will act as the master. Edit the Puppet configuration file and set dns_alt_names and certname.
[root@hackthesec server ~]# vi /etc/puppet/puppet.conf
[main]
dns_alt_names = server,server.hackthesec.local
certname = server.hackthesec.local
If this machine is the only puppet master in your environment, run the command below to create the puppet master certificate.
[root@hackthesec server ~]# puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 81:C6:BB:8B:1D:71:4C:64:E1:13:54:1B:EC:CF:99:D8:85:90:D1:6C:E8:85:50:3E:03:41:BA:C5:47:A7:4C:E5
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for server.hackthesec.local
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for server.hackthesec.local
Info: Certificate Request fingerprint (SHA256): FF:BE:D4:9B:E4:12:83:79:AE:BE:50:17:76:5F:F5:CD:5F:53:EA:5D:AA:5D:87:9E:7C:C4:BC:1B:8A:C6:FA:5C
Notice: server.hackthesec.local has a waiting certificate request
Notice: Signed certificate request for server.hackthesec.local
Notice: Removing file Puppet::SSL::CertificateRequest server.hackthesec.local at '/var/lib/puppet/ssl/ca/requests/server.hackthesec.local.pem'
Notice: Removing file Puppet::SSL::CertificateRequest server.hackthesec.local at '/var/lib/puppet/ssl/certificate_requests/server.hackthesec.local.pem'
Notice: Starting Puppet master version 3.8.3
Once you see "Notice: Starting Puppet master version <VERSION>", press Ctrl-C to stop the process.
Configure a Production-Ready Web Server:
Puppet comes with a basic puppet master web server, but this cannot be used for real-life loads. We must configure a production quality web server before we start managing our nodes with Puppet.
[root@hackthesec server ~]# yum -y install httpd httpd-devel mod_ssl ruby-devel rubygems gcc gcc-c++ pygpgme curl
Install Passenger and its Apache module.
[root@hackthesec server ~]# yum install -y mod_passenger
Create three directories for the application (a parent directory, a "public" directory and a "tmp" directory), copy the ext/rack/config.ru file from the Puppet source into the parent directory, and set the ownership of config.ru.
[root@hackthesec server ~]# mkdir -p /usr/share/puppet/rack/puppetmasterd
[root@hackthesec server ~]# mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
[root@hackthesec server ~]# cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
[root@hackthesec server ~]# chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
Add a virtual host for Puppet by creating the configuration file below.
[root@hackthesec server ~]# vi /etc/httpd/conf.d/puppetmaster.conf
Add the content below to the virtual host file, changing the entries as per your environment.
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120

Listen 8140

<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    SSLHonorCipherOrder on

    SSLCertificateFile      /var/lib/puppet/ssl/certs/server.hackthesec.local.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/server.hackthesec.local.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking; if you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.
    # SSLCARevocationCheck chain
    SSLVerifyClient optional
    SSLVerifyDepth  1
    # The `ExportCertData` option is needed for agent certificate expiration warnings
    SSLOptions +StdEnvVars +ExportCertData

    # This header needs to be set if using a loadbalancer or proxy
    RequestHeader unset X-Forwarded-For

    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
Restart Apache so the Puppet virtual host takes effect; to do that, run the following command in the terminal.
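Before restarting, it is worth auditing the vhost you just wrote. CentOS 7 ships httpd 2.4, so with SSLCARevocationCheck left commented out, as in the template above, the CRL file is loaded but never enforced and a revoked agent certificate is still accepted. The shell functions below are an added example written for this article, not part of the guide or of Puppet's or Apache's own tooling; they grep the vhost for that directive and the other TLS settings the guide relies on, and write_sample builds constructed fragments so the as-shipped and corrected variants can be compared.

```shell
#!/bin/sh
# Added example for this guide (not Puppet's or Apache's own tooling): audit the
# puppet master vhost for the TLS settings it relies on, in particular the
# SSLCARevocationCheck line the template ships commented out. CentOS 7 runs
# httpd 2.4, so without it the CRL file is loaded but never consulted.
# Prints one line per finding and returns the number of findings (0 = pass).

# active_directive FILE NAME: value from the first uncommented line setting NAME.
active_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/[[:space:]]+$//"
}

audit_puppet_vhost() {
    conf=$1; n=0
    # Must be "optional": a node without a signed cert yet still has to submit its CSR.
    v=$(active_directive "$conf" SSLVerifyClient)
    case $v in optional|require) ;; *) echo "FINDING: SSLVerifyClient is '${v:-unset}'"; n=$((n+1)) ;; esac
    # A CRL file alone is not enough on httpd 2.4: SSLCARevocationCheck defaults
    # to none, so a revoked agent certificate would still be accepted.
    [ -n "$(active_directive "$conf" SSLCARevocationFile)" ] \
        || { echo "FINDING: SSLCARevocationFile is unset"; n=$((n+1)); }
    case $(active_directive "$conf" SSLCARevocationCheck) in
        chain|leaf) ;;
        *) echo "FINDING: SSLCARevocationCheck is not 'chain'; the CRL is ignored on Apache 2.4"; n=$((n+1)) ;;
    esac
    # Legacy protocols off, and the server (not the agent) picks the cipher.
    case " $(active_directive "$conf" SSLProtocol) " in
        *" -SSLv3 "*) ;;
        *" ALL "*|*" SSLv3 "*|"  ") echo "FINDING: SSLProtocol permits SSLv3 or is unset"; n=$((n+1)) ;;
    esac
    [ "$(active_directive "$conf" SSLHonorCipherOrder)" = on ] \
        || { echo "FINDING: SSLHonorCipherOrder is not on"; n=$((n+1)); }
    return $n
}

# write_sample FILE LINE: constructed vhost fragment (not a full config) with
# LINE inserted, to compare the as-shipped and the corrected variants.
write_sample() {
    cat >"$1" <<EOF
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
$2
SSLVerifyClient optional
EOF
}
```

Run audit_puppet_vhost against /etc/httpd/conf.d/puppetmaster.conf on the master; a non-zero return code is the number of findings printed.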
[root@hackthesec server ~]# systemctl restart httpd.service
Disable the puppet service and enable Apache to start automatically at system boot.
[root@hackthesec server ~]# systemctl disable puppet.service
[root@hackthesec server ~]# systemctl enable httpd.service
Firewall:
Puppet listens on TCP port 8140; configure the firewall (firewalld here) to allow it.
[root@hackthesec server ~]# firewall-cmd --zone=public --add-port=8140/tcp --permanent
[root@hackthesec server ~]# firewall-cmd --reload
Install Puppet on Agent Nodes:
On your client machine, install the puppet agent using the command below.
Note: You must have the Puppet repository configured on the agent nodes.
[root@hackthesec client ~]# yum -y install puppet
Edit the Puppet configuration file and set the puppet master information in the [agent] stanza.
Note: Modify the "server" value as per your environment. In my case, the server is "server.hackthesec.local".
[root@hackthesec client ~]# vi /etc/puppet/puppet.conf
[agent]
server = server.hackthesec.local
Start puppet on the agent node and make it start automatically at system boot.
[root@hackthesec client ~]# systemctl start puppet.service
[root@hackthesec client ~]# systemctl enable puppet.service
You should see the events below in the logs.
05:46:45 client systemd: Starting Puppet agent...
05:46:46 client systemd: Started Puppet agent.
05:47:03 client systemd: Reloading.
05:49:10 client puppet-agent[2694]: Did not receive certificate
Sign the Agent Node's Certificate on Master Server:
In an agent/master deployment, an admin must approve a certificate request for each agent node before that node can fetch configurations. Agent nodes will request certificates the first time they attempt to run.
Log into the puppet master server and run the command below to view outstanding requests.
[root@hackthesec server ~]# puppet cert list
"server.hackthesec.local" (SHA256) 35:D1:B5:67:52:1C:1C:BH:6H:DD:3C:2E:B0:28:D7:15:52:95:32:95:1F:37:29:2G:5F:D7:4C:F5:DB:94:A1:B2
Run "puppet cert sign <certname>" to sign a single request, or "puppet cert sign --all" to sign all pending requests.
[root@hackthesec server ~]# puppet cert sign client.hackthesec.local
Notice: Signed certificate request for client.hackthesec.local
Notice: Removing file Puppet::SSL::CertificateRequest client.hackthesec.local at '/var/lib/puppet/ssl/ca/requests/client.hackthesec.local.pem'
Run the following command on the client machine to check the certificate.
[root@hackthesec client ~]# puppet agent -t
Info: Caching certificate for client.hackthesec.local
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for client.hackthesec.local
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.hackthesec.local
Info: Applying configuration version '1445401911'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.09 seconds
That's all. You have now successfully configured a puppet master and an agent.