passenger on Puppet PE » History » Version 2

Laurent Domb, 04/30/2013 03:01 PM

h1. passenger on Puppet PE

h2. Overview

This how-to describes the steps to install Foreman's smart proxy on Puppet Enterprise 2.7.2 with the embedded Puppet Labs Ruby version. It also walks you through the steps of switching the report processor to the Foreman report ("foreman") and using Foreman as the ENC.

h2. Requirements

1. Internet access, as you need to do some git pulls and install some rubygems.

2. The Puppet Enterprise tarball (puppet-enterprise-2.7.2-el-6-x86_64.tar.gz), which you can download from the Puppet Labs website.

3. A working Foreman host.

h3. Install the dependencies needed to build the rubygems

Go to the troubleshooting section [[http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting]]; there is a paragraph "I use puppet enterprise, what now?". Install "*pe-ruby-devel-1.8.7.370-1.pe.el6.x86_64.rpm*" from your unpacked Puppet Enterprise tarball. You can find the rpm in puppet-enterprise-2.7.2-el-6-x86_64/packages/el-6-x86_64/.

<pre>
$ sudo yum localinstall pe-ruby-devel-1.8.7.370-1.pe.el6.x86_64.rpm
</pre>

Puppet PE 2.7.2 comes with MySQL as its database back end. This means we need mysql-devel to build the mysql rubygem.

<pre>
$ sudo yum install mysql-devel
</pre>

Now follow the steps copied from the troubleshooting wiki page.
1. Update your PATH variable to use the Ruby version PE ships with:

<pre>
# export PATH=/opt/puppet/bin:$PATH
</pre>

2. Check that your PATH was updated ("which gem" should return /opt/puppet/bin/gem):

<pre>
# which gem
/opt/puppet/bin/gem
</pre>

3. Install the json, rest-client and mysql gems:

<pre>
# gem install json
# gem install rest-client
# gem install mysql
</pre>

4. If everything went fine you should see the following output when you list the gems:

<pre>
# gem list
activerecord (2.3.17)
activesupport (2.3.17)
ar-extensions (0.9.5)
builder (3.0.0)
dalli (1.1.2)
excon (0.14.1)
fog (1.5.0)
formatador (0.2.0)
guid (0.1.1)
hiera (0.3.0)
hiera-puppet (0.3.0)
json (1.7.7)
mime-types (1.16)
multi_json (1.0.3)
mysql (2.9.1)
net-scp (1.0.4)
net-ssh (2.1.4)
nokogiri (1.5.0)
rack (1.1.6)
rack_csrf (2.4.0)
rake (0.8.7)
rbvmomi (1.3.0)
rest-client (1.6.7)
ruby-hmac (0.4.0)
sinatra (1.2.6)
stomp (1.1.9)
tilt (1.3.3)
trollop (1.16.2)
</pre>
h2. Install the smart-proxy from git

As we need to modify some Ruby files (for mcollective) along the way, cloning the smart-proxy from git seemed to be the best way to go.

h3. Cloning the repo

You can download the zip file or just clone the latest smart proxy with git.

<pre>
# cd /usr/share/
# git clone git://github.com/theforeman/smart-proxy.git foreman-proxy
</pre>

h3. Create the foreman-proxy group / user

Add the foreman-proxy user and group to the system and make the foreman-proxy user a member of the pe-puppet and pe-apache groups. Use -a together with -G, otherwise usermod replaces the user's existing supplementary groups instead of adding to them.

<pre>
# useradd -r foreman-proxy
# usermod -a -G pe-puppet,pe-apache foreman-proxy
</pre>

h3. Add a log and ssl directory

Create these additional directories:

<pre>
# mkdir -p /var/log/foreman-proxy/
# mkdir -p /usr/share/foreman-proxy/ssl
# mkdir -p /usr/share/foreman-proxy/ssl/certs
# mkdir -p /usr/share/foreman-proxy/ssl/private_keys
</pre>

After adding the user and the log and ssl directories, cd into the foreman-proxy folder (/usr/share/foreman-proxy) and change the ownership of config.ru, the ssl directory and the log directory:

<pre>
# chown foreman-proxy:root config.ru
# chown -R foreman-proxy:root ssl
# chown -R foreman-proxy:root /var/log/foreman-proxy
</pre>

The reason we change the owner of config.ru is that we want apache/passenger to spawn the new process as user foreman-proxy and NOT as root.
h3. Configure the foreman-proxy settings.yml

It is recommended to have SSL enabled in production environments, so we need to uncomment these three lines in settings.yml:

<pre>
:ssl_certificate: ssl/certs/fqdn.pem         # created on the Foreman host
:ssl_ca_file: ssl/certs/ca.pem               # this is the Foreman ca.pem
:ssl_private_key: ssl/private_keys/fqdn.key  # created on the Foreman host
</pre>

and generate a new certificate for the connection between the foreman-proxy and the Foreman host. As we do not want to waste Puppet Enterprise licenses on the apache SSL connection, we create the certificate on the Foreman host, which has Puppet open source installed.

You can follow the Foreman manual, section 4.3.6 SSL [[http://theforeman.org/manuals/1.1/index.html#4.3.6SSL]], to create the certificates on the Foreman host.

To generate a certificate for a proxy host that isn't managed by Puppet (or is, but you do not want to use its certs), do the following.

Generate a new certificate on your puppetmaster (the Foreman host), where <proxy-FQDN> is the FQDN of your Puppet Enterprise host:

<pre>
puppet cert --generate <proxy-FQDN>
</pre>

Copy the certificates and key from the puppetmaster (Foreman host) to the smart proxy (Puppet Enterprise host), into /usr/share/foreman-proxy/ssl:

<pre>
/usr/share/foreman-proxy/ssl/certs/ca.pem
/usr/share/foreman-proxy/ssl/certs/proxy-FQDN.pem
/usr/share/foreman-proxy/ssl/private_keys/proxy-FQDN.pem
</pre>

Please pay attention: these are NOT the same certs as the ones created by the Puppet Enterprise CA! These are created by the Foreman open source puppetmaster!

You also have to enable PuppetCA and Puppet management in settings.yml if your puppet master and CA are on the Puppet Enterprise host. Use the Puppet Enterprise paths here (the same /etc/puppetlabs/puppet directory that node.rb and puppet.conf live in), not the open source defaults:

<pre>
# enable PuppetCA management
:puppetca: true
:ssldir: /etc/puppetlabs/puppet/ssl
:puppetdir: /etc/puppetlabs/puppet

# enable Puppet management
:puppet: true
:puppet_conf: /etc/puppetlabs/puppet/puppet.conf
</pre>
h3. Adding the smart-proxy configuration to the puppet httpd directory

You can find the pe-apache configuration folder in /etc/puppetlabs/httpd/conf.d/.

Create the following file, 12-pe-httpd-foreman-proxy.conf, replacing YOURIP and puppet-enterprise-fqdn with the IP and FQDN of your Puppet Enterprise host:

<pre>
Listen 8443
<VirtualHost YOURIP:8443>
  ServerName puppet-enterprise-fqdn
  SetEnv HOME /usr/share/foreman-proxy
  RailsAutoDetect On
  RailsEnv production
  DocumentRoot /usr/share/foreman-proxy/public
  PassengerAppRoot /usr/share/foreman-proxy

  AddDefaultCharset UTF-8

  SSLEngine On
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  SSLProtocol ALL -SSLv2

  SSLCertificateFile      /usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem
  SSLCertificateKeyFile   /usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem
  SSLCertificateChainFile /usr/share/foreman-proxy/ssl/certs/ca.pem
  SSLCACertificateFile    /usr/share/foreman-proxy/ssl/certs/ca.pem
  SSLVerifyClient         optional
  SSLOptions              +StdEnvVars
  SSLVerifyDepth          3

  Loglevel Debug
  CustomLog /usr/share/foreman-proxy/logs/access.log combined
  ErrorLog /usr/share/foreman-proxy/logs/error.log
</VirtualHost>
</pre>
h2. Add node.rb to /etc/puppetlabs/puppet/ so that puppet requests node information from the Foreman ENC

Now that we have set up the foreman-proxy, we need to add the node.rb file to the /etc/puppetlabs/puppet/ directory so that puppet requests the node information from the Foreman host (the ENC).

You can get the latest node.rb file from here:

https://github.com/theforeman/puppet-foreman/blob/master/templates/external_node.rb.erb

This is a single file (an ERB template) inside the puppet-foreman repository, so git clone cannot fetch it on its own; download the raw file instead and fill in the template values in the next step:

<pre>
# cd /etc/puppetlabs/puppet/
# curl -o node.rb https://raw.githubusercontent.com/theforeman/puppet-foreman/master/templates/external_node.rb.erb
# chmod +x node.rb
</pre>

h3. Edit node.rb and add the correct URL and certificates

So that the Foreman host and the foreman-proxy host can talk to each other securely, edit the node.rb file and add your certs:

<pre>
SETTINGS = {
  :url          => "https://foreman.yourdomain",  # e.g. https://foreman.example.com
  :puppetdir    => "/var/opt/lib/pe-puppet",      # this is the Puppet Enterprise dir
  :facts        => true,                          # true/false to upload facts
  :storeconfigs => true,                          # true/false if sharing ActiveRecord-storeconfigs
  :timeout      => 10,
  # if CA is specified, the remote Foreman host will be verified
  :ssl_ca       => "/usr/share/foreman-proxy/ssl/certs/ca.pem",  # the ca.pem from your Puppet open source Foreman host
  # ssl_cert and key are required if require_ssl_puppetmasters is enabled in Foreman
  :ssl_cert     => "/usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem",        # the fqdn.pem generated on the Foreman host
  :ssl_key      => "/usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem"  # the matching private key from the Foreman host
}
</pre>
h3. Add the foreman.rb report processor to the Puppet Labs Ruby reports dir

As with node.rb, the file in the repository is an ERB template, so download the raw file rather than cloning it:

<pre>
# cd /opt/puppet/lib/ruby/site_ruby/1.8/puppet/reports/
# curl -o foreman.rb https://raw.githubusercontent.com/theforeman/puppet-foreman/master/templates/foreman-report.rb.erb
# chmod +x foreman.rb
</pre>

Now also add your certs in foreman.rb:

<pre>
# URL of your Foreman installation
$foreman_url = 'https://foreman.yourdomain'
# if CA is specified, the remote Foreman host will be verified
$foreman_ssl_ca = "/usr/share/foreman-proxy/ssl/certs/ca.pem"
# ssl_cert and key are required if require_ssl_puppetmasters is enabled in Foreman
$foreman_ssl_cert = "/usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem"
$foreman_ssl_key = "/usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem"
</pre>
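The certificate files under /usr/share/foreman-proxy/ssl are referenced three times on this page (the passenger vhost, node.rb and foreman.rb), and a mismatch between them fails in confusing ways at runtime. The script below is an added example, not code from this wiki page or from the Foreman project. It checks that the private key matches the certificate, that the certificate is signed by the copied ca.pem (the Foreman open source CA, not the PE CA), that the subject CN is the proxy FQDN and that the key is not world-readable, and it builds the Net::HTTP client the way node.rb/foreman.rb do (server verified against ssl_ca, client certificate presented). Assumptions: a current Ruby with the openssl standard library (it is not written for the embedded 1.8.7), the directory layout used on this page, and a constructed throw-away PKI (make_test_pki) that only exists so the checks can be run offline; the real files come from "puppet cert --generate" on the Foreman host. Unlike the stock template, https without a CA is refused instead of falling back to unverified TLS.

```ruby
# Added example (not from the wiki page or the Foreman project): consistency checks for
# /usr/share/foreman-proxy/ssl plus the HTTPS client node.rb/foreman.rb build from SETTINGS.
# Assumes a current Ruby with the openssl stdlib; the file layout is the one the page uses.
require 'openssl'
require 'net/http'
require 'uri'
require 'fileutils'
require 'tmpdir'

# Layout from the page: <dir>/certs/ca.pem, <dir>/certs/<fqdn>.pem, <dir>/private_keys/<fqdn>.pem
def proxy_ssl_paths(dir, fqdn)
  { :ca   => File.join(dir, 'certs', 'ca.pem'),
    :cert => File.join(dir, 'certs', "#{fqdn}.pem"),
    :key  => File.join(dir, 'private_keys', "#{fqdn}.pem") }
end

# Returns an array of problems; an empty array means the ssl directory is consistent.
def check_proxy_ssl(dir, fqdn)
  paths   = proxy_ssl_paths(dir, fqdn)
  missing = paths.reject { |_, p| File.file?(p) }
  return missing.map { |name, p| "#{name} file missing: #{p}" } unless missing.empty?

  ca   = OpenSSL::X509::Certificate.new(File.read(paths[:ca]))
  cert = OpenSSL::X509::Certificate.new(File.read(paths[:cert]))
  key  = OpenSSL::PKey::RSA.new(File.read(paths[:key]))
  problems = []
  # The key under private_keys must belong to the cert that passenger and node.rb present.
  problems << 'private key does not match certificate' unless cert.check_private_key(key)
  # The cert must chain to the Foreman (open source puppetmaster) CA, not the PE CA.
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  problems << "certificate not signed by ca.pem (#{store.error_string})" unless store.verify(cert)
  problems << 'certificate has expired' if cert.not_after < Time.now
  # The CN must be the FQDN used for ServerName and for the proxy URL registered in Foreman.
  cn = cert.subject.to_a.find { |entry| entry[0] == 'CN' }
  problems << "subject CN is #{cn && cn[1]}, expected #{fqdn}" unless cn && cn[1] == fqdn
  # Group access may be needed (pe-puppet runs foreman.rb), but "other" must never read the key.
  problems << 'private key is world-readable' unless (File.stat(paths[:key]).mode & 0007).zero?
  problems
end

# Net::HTTP client as node.rb builds it from SETTINGS: server verified against :ssl_ca and
# the client cert presented when :ssl_cert/:ssl_key are set. Refuses https without a CA.
def foreman_http(settings)
  uri  = URI.parse(settings[:url])
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.read_timeout = settings[:timeout] if settings[:timeout]
  if http.use_ssl?
    raise ArgumentError, 'ssl_ca is required for an https Foreman URL' if settings[:ssl_ca].to_s.empty?
    http.ca_file     = settings[:ssl_ca]
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    if settings[:ssl_cert] && settings[:ssl_key]
      http.cert = OpenSSL::X509::Certificate.new(File.read(settings[:ssl_cert]))
      http.key  = OpenSSL::PKey::RSA.new(File.read(settings[:ssl_key]))
    end
  end
  http
end

# Constructed throw-away PKI so the checks can be exercised offline. The real files
# come from "puppet cert --generate <proxy-FQDN>" on the Foreman host.
def build_cert(subject, pubkey, issuer, signer_key, serial, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if is_ca
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
end

def make_test_pki(dir, fqdn)
  paths  = proxy_ssl_paths(dir, fqdn)
  paths.each_value { |p| FileUtils.mkdir_p(File.dirname(p)) }
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca     = build_cert('/CN=Puppet CA: foreman.example.com', ca_key.public_key, nil, ca_key, 1, true)
  key    = OpenSSL::PKey::RSA.new(2048)
  cert   = build_cert("/CN=#{fqdn}", key.public_key, ca, ca_key, 2, false)
  File.write(paths[:ca], ca.to_pem)
  File.write(paths[:cert], cert.to_pem)
  File.write(paths[:key], key.to_pem)
  File.chmod(0640, paths[:key])   # group-readable for pe-puppet, nothing for "other"
  paths
end

if __FILE__ == $0
  dir, fqdn = ARGV[0], ARGV[1]     # e.g. /usr/share/foreman-proxy/ssl puppetpe.example.com
  unless dir && fqdn               # no arguments: demo on the constructed PKI
    dir, fqdn = Dir.mktmpdir, 'puppetpe.example.com'
    make_test_pki(dir, fqdn)
  end
  problems = check_proxy_ssl(dir, fqdn)
  puts(problems.empty? ? "#{dir}: ssl material is consistent" : problems.join("\n"))
end
```

Run it on the proxy host as "ruby check_proxy_ssl.rb /usr/share/foreman-proxy/ssl puppet-enterprise-fqdn" (hypothetical file name) after copying the files and before restarting pe-httpd; with no arguments it runs against the constructed PKI. The "not signed by ca.pem" finding is the one to expect if the Puppet Enterprise CA's certificates were copied by mistake, which is the pitfall the paragraph above warns about.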
h3. After adding all these files we need to modify the master section in the puppet.conf file

<pre>
[master]
    reports = foreman
    node_terminus = exec
    external_nodes = /etc/puppetlabs/puppet/node.rb
    ### foreman settings
    privatekeydir = $ssldir/private_keys { group = service }
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
    #### for passenger
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
</pre>

h3. Restart pe-httpd

Restart the Puppet Labs httpd server:

<pre>
# /etc/init.d/pe-httpd restart
</pre>

h2. Add the smart-proxy to Foreman's Smart Proxies page

Go to [FOREMAN_URL]/smart_proxies and click New Proxy.
Then type in the name for your proxy and the URL of your proxy, with the port you use. The vhost created above only speaks SSL on port 8443, so the URL must use https.
For example:

Name: Puppet-Proxy
URL: https://puppetpe.your-domain.com:8443