passenger on Puppet PE and use foreman as an ENC and reporting engine » History » Version 10

Laurent Domb, 05/03/2013 02:30 PM

h1. passenger on Puppet PE and use foreman as an ENC and reporting engine

h2. Overview

This how-to describes the steps to install Foreman's smart proxy on Puppet Enterprise 2.7.2 with the embedded Puppet Labs Ruby version. It also walks you through modifying the reporting engine to "foreman reports" and using "the foreman" as its ENC.

h2. Requirements

1. Internet access, as you need to do some git pulls and install some rubygems.

2. The Puppet Enterprise tarball (puppet-enterprise-2.7.2-el-6-x86_64.tar.gz), which you can download from the Puppet Labs website.

3. A working Foreman 1.1 or higher host.

h3. Install the needed dependencies to install the rubygems

Go to the troubleshooting section [[http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting]], where there is a paragraph "I use puppet enterprise, what now?", and install "*pe-ruby-devel-1.8.7.370-1.pe.el6.x86_64.rpm*" from your unpacked puppet-enterprise tarball. You can find the rpm in puppet-enterprise-2.7.2-el-6-x86_64/packages/el-6-x86_64/.

<pre>
$ sudo yum localinstall pe-ruby-devel-1.8.7.370-1.pe.el6.x86_64.rpm
</pre>

Puppet PE 2.7.2 comes with MySQL as a database back end. This means we need mysql-devel to build the mysql rubygem.

<pre>
$ sudo yum install mysql-devel gcc make
</pre>

Now follow the steps copied from the troubleshooting wiki page.

1. Update your PATH variable to use the Ruby version PE ships with

<pre>
# export PATH=/opt/puppet/bin:$PATH
</pre>

2. Check to make sure your PATH was updated ("which gem" should return /opt/puppet/bin/gem)

<pre>
# which gem
/opt/puppet/bin/gem
</pre>

3. Install rest-client and mysql

<pre>
# gem install rest-client
# gem install mysql
</pre>

4. If everything went fine you should see the following output when you list the gems

<pre>
# gem list
activerecord (2.3.17)
activesupport (2.3.17)
ar-extensions (0.9.5)
builder (3.0.0)
dalli (1.1.2)
excon (0.14.1)
fog (1.5.0)
formatador (0.2.0)
guid (0.1.1)
hiera (0.3.0)
hiera-puppet (0.3.0)
json (1.7.7)
mime-types (1.16)
multi_json (1.0.3)
mysql (2.9.1)
net-scp (1.0.4)
net-ssh (2.1.4)
nokogiri (1.5.0)
rack (1.1.6)
rack_csrf (2.4.0)
rake (0.8.7)
rbvmomi (1.3.0)
rest-client (1.6.7)
ruby-hmac (0.4.0)
sinatra (1.2.6)
stomp (1.1.9)
tilt (1.3.3)
trollop (1.16.2)
</pre>

h2. Install the smart-proxy from git

As we need to modify some Ruby files (for [[ mcollective ]]) along the way, cloning the smart-proxy from git seemed to be the best way to go.

h3. Cloning the repo

You can download the zip file or just clone the latest smart proxy with git.

<pre>
# cd /usr/share/
# git clone git://github.com/theforeman/smart-proxy.git foreman-proxy
</pre>

h3. Create the foreman-proxy group / user

Add the foreman-proxy user and group to the system and make the foreman-proxy user part of the pe-puppet and pe-apache groups.

<pre>
# useradd -r foreman-proxy
# usermod -G pe-puppet,pe-apache foreman-proxy
</pre>

h3. Add a log and ssl directory

Create these additional directories:

<pre>
# mkdir -p /var/log/foreman-proxy/
# mkdir -p /usr/share/foreman-proxy/ssl
# mkdir -p /usr/share/foreman-proxy/ssl/certs
# mkdir -p /usr/share/foreman-proxy/ssl/private_keys
</pre>

After adding the user, log and ssl directory, cd into the foreman-proxy folder and change the ownership of config.ru, the logs and the ssl directory as follows.

<pre>
# chown foreman-proxy:root config.ru
# chown -R foreman-proxy:root ssl
# chown -R foreman-proxy:foreman-proxy /var/log/foreman-proxy
</pre>

The reason we change the ownership of config.ru is that Passenger runs an application as the owner of its config.ru; we want apache/passenger to spawn the new process as user foreman-proxy and NOT as root.

h3. Configure the foreman-proxy settings.yml

It is recommended to have SSL enabled in production environments, so we need to uncomment these 3 lines,

<pre>
:ssl_certificate: ssl/certs/fqdn.pem         # created on the foreman host
:ssl_ca_file: ssl/certs/ca.pem               # this is the foreman ca.pem
:ssl_private_key: ssl/private_keys/fqdn.key  # created on the foreman host
</pre>

and generate a new certificate for the connection between the foreman-proxy and the foreman host. As we do not want to waste Puppet Enterprise licenses for the apache SSL connection, we create the certificate on the foreman host, which has Puppet OSS installed.

You can follow the Foreman manual, section 4.3.6 SSL [[http://theforeman.org/manuals/1.1/index.html#4.3.6SSL]], to create the certificates on the foreman host.

To generate a certificate for a proxy host that isn't managed by Puppet, or is but you do not want to use its certs, do the following:

Generate a new certificate on your puppetmaster (the foreman host):

<pre>
puppet cert --generate <proxy-FQDN>    # proxy-FQDN is your puppet-enterprise host
</pre>

Copy the certificates and key from the puppetmaster (foreman host) to the smart proxy (puppet enterprise) into /usr/share/foreman-proxy/ssl:

<pre>
/usr/share/foreman-proxy/ssl/certs/ca.pem
/usr/share/foreman-proxy/ssl/certs/proxy-FQDN.pem
/usr/share/foreman-proxy/ssl/private_keys/proxy-FQDN.pem
</pre>

Please pay attention that these are NOT the same certs as you are creating on the Puppet Enterprise CA! These are created by the Foreman open source puppetmaster!
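Before restarting anything, it is worth checking that the three files just copied belong together. The following Ruby is an added example, not part of smart-proxy or Foreman: check_proxy_certs is a hypothetical helper that confirms the proxy certificate chains to the Foreman CA (and not to the PE CA), that the private key matches it, and that its CN is the proxy FQDN; make_cert only builds constructed throwaway certificates so the example runs offline.

```ruby
require 'openssl'

# Constructed throwaway certificates for this example only (NOT a real Puppet or
# Foreman CA). Without a signer a self-signed CA is returned; with a [key, cert]
# signer a host certificate for +cn+ is issued by that CA.
def make_cert(cn, signer = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if signer
    ca_key, ca_cert = signer
    cert.issuer = ca_cert.subject
    cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  else
    cert.issuer = cert.subject
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.sign(key, OpenSSL::Digest::SHA256.new)
  end
  [key, cert]
end

# Hypothetical helper: the checks to run on ca.pem, proxy-FQDN.pem and the
# private key copied into /usr/share/foreman-proxy/ssl.
def check_proxy_certs(ca_cert, cert, key, expected_fqdn)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1)
  {
    issued_by_ca: store.verify(cert),          # signed by the Foreman CA, not the PE CA
    key_matches:  cert.check_private_key(key), # key in private_keys/ belongs to this cert
    cn_matches:   cn == expected_fqdn          # CN is the FQDN Foreman will connect to
  }
end

if $PROGRAM_NAME == __FILE__
  foreman_ca = make_cert('foreman-ca')
  pe_ca      = make_cert('pe-ca')
  key, cert  = make_cert('puppetpe.example.com', foreman_ca)
  p check_proxy_certs(foreman_ca[1], cert, key, 'puppetpe.example.com') # all true
  p check_proxy_certs(pe_ca[1], cert, key, 'puppetpe.example.com')      # issued_by_ca false
end
```

On a real host, load the three files with OpenSSL::X509::Certificate.new(File.read(...)) and OpenSSL::PKey::RSA.new(File.read(...)) instead of make_cert.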

You also have to enable the PuppetCA and Puppet management if your puppet master and CA are on the Puppet Enterprise host.

<pre>
# enable PuppetCA management
:puppetca: true
:ssldir: /etc/puppetlabs/puppet/ssl
:puppetdir: /etc/puppetlabs/puppet

# enable Puppet management
:puppet: true
:puppet_conf: /etc/puppetlabs/puppet/puppet.conf
</pre>

h3. Allow the foreman-proxy to make puppetca requests

Add the following content to /etc/sudoers.d/foreman-proxy

<pre>
foreman-proxy ALL = NOPASSWD : /usr/sbin/puppetca *
Defaults:foreman-proxy !requiretty
</pre>

h3. Adding the smart-proxy configuration to the puppet httpd directory

You can find the pe-apache folder in /etc/puppetlabs/httpd/conf.d/

Create the following file 12-pe-httpd-foreman-proxy.conf

<pre>
Listen 8443
<VirtualHost YOURIP:8443>
  ServerName puppet-enterprise-fqdn
  SetEnv HOME /usr/share/foreman-proxy
  RailsAutoDetect On
  RailsEnv production
  DocumentRoot /usr/share/foreman-proxy/public
  PassengerAppRoot /usr/share/foreman-proxy

  AddDefaultCharset UTF-8

  SSLEngine On
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  SSLProtocol ALL -SSLv2

  SSLCertificateFile      /usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem
  SSLCertificateKeyFile   /usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem
  SSLCertificateChainFile /usr/share/foreman-proxy/ssl/certs/ca.pem
  SSLCACertificateFile    /usr/share/foreman-proxy/ssl/certs/ca.pem
  SSLVerifyClient         optional
  SSLOptions              +StdEnvVars
  SSLVerifyDepth          3

  Loglevel Debug
  CustomLog /usr/share/foreman-proxy/logs/access.log combined
  ErrorLog /usr/share/foreman-proxy/logs/error.log
</VirtualHost>
</pre>

h2. Now that we have set up the foreman-proxy, we need to add the node.rb file to the /etc/puppetlabs/puppet/ directory so that puppet requests the information from the foreman host ENC

You can get the latest node.rb file from here:

https://github.com/theforeman/puppet-foreman/blob/master/templates/external_node.rb.erb

<pre>
# cd /etc/puppetlabs/puppet/
# wget https://raw.github.com/theforeman/puppet-foreman/master/templates/external_node.rb.erb -O node.rb
# chmod +x node.rb
</pre>

h3. Edit node.rb and add the correct url and certificates

So that the foreman host and the foreman-proxy host can talk to each other in a secure way, edit the node.rb file and add your certs.

<pre>
SETTINGS = {
  :url          => "https://foreman.yourdomain",  # e.g. https://foreman.example.com
  :puppetdir    => "/var/opt/lib/pe-puppet",      # this is the puppet enterprise dir
  :facts        => true,                          # true/false to upload facts
  :storeconfigs => true,                          # true/false if sharing ActiveRecord-storeconfigs
  :timeout      => 10,
  # if CA is specified, remote Foreman host will be verified
  :ssl_ca       => "/usr/share/foreman-proxy/ssl/certs/ca.pem",                            # the ca.pem from your puppet open source foreman host
  # ssl_cert and key are required if require_ssl_puppetmasters is enabled in Foreman
  :ssl_cert     => "/usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem",        # the fqdn.pem from your puppet open source foreman host
  :ssl_key      => "/usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem"  # the private key matching that fqdn.pem
}
</pre>

h3. Add the foreman.rb report to the puppetlabs ruby report dir

<pre>
# cd /opt/puppet/lib/ruby/site_ruby/1.8/puppet/reports/
# wget https://raw.github.com/theforeman/puppet-foreman/master/templates/foreman-report.rb.erb -O foreman.rb
# chmod +x foreman.rb
</pre>

Now also add your certs in foreman.rb

<pre>
# URL of your Foreman installation
$foreman_url='https://foreman.yourdomain'
# if CA is specified, remote Foreman host will be verified
$foreman_ssl_ca = "/usr/share/foreman-proxy/ssl/certs/ca.pem"
# ssl_cert and key are required if require_ssl_puppetmasters is enabled in Foreman
$foreman_ssl_cert = "/usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem"
$foreman_ssl_key = "/usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem"
</pre>

h3. After adding all these files we need to modify the master section in the puppet.conf file.

<pre>
[master]
    reports = foreman
    node_terminus = exec
    external_nodes = /etc/puppetlabs/puppet/node.rb
    ### foreman settings
    privatekeydir = $ssldir/private_keys { group = service }
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
    #### for passenger
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
</pre>
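The two passenger settings above work because Apache, with "SSLOptions +StdEnvVars", hands the outcome of its client-certificate check to the Rack application as the variables SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN. As an added example (not Puppet or smart-proxy code), this Rack middleware shows how an application behind that vhost should consume them: trust the DN only when the verify result is SUCCESS, and read the mod_ssl variables, never the HTTP_* request headers. The puppet.certname env key is a hypothetical name.

```ruby
# Added example (not Puppet or smart-proxy code): a Rack middleware that derives the
# caller's certname the same way puppet.conf's ssl_client_header /
# ssl_client_verify_header settings do, from the variables mod_ssl exports
# with "SSLOptions +StdEnvVars".
class RequireClientCert
  def initialize(app, verify_var = 'SSL_CLIENT_VERIFY', dn_var = 'SSL_CLIENT_S_DN')
    @app, @verify_var, @dn_var = app, verify_var, dn_var
  end

  # Returns the CN of a *verified* client certificate, or nil.
  # "SSLVerifyClient optional" lets a request without a certificate reach the
  # application, so the verify result must be checked explicitly: it is "NONE"
  # in that case and "FAILED:<reason>" when the certificate did not verify.
  # Only the mod_ssl variables are consulted, never the HTTP_* request headers,
  # because a client can set those itself.
  def certname(env)
    return nil unless env[@verify_var] == 'SUCCESS'
    # mod_ssl renders the DN as "/C=.../CN=host" (older) or "CN=host,O=..." (newer)
    m = env[@dn_var].to_s.match(%r{(?:\A|/|,\s*)CN=([^/,]+)})
    m && m[1]
  end

  def call(env)
    name = certname(env)
    return [403, { 'Content-Type' => 'text/plain' }, ["client certificate required\n"]] unless name
    env['puppet.certname'] = name # hypothetical key the downstream app reads
    @app.call(env)
  end
end

# Stand-alone demonstration with constructed Rack environments (no Apache needed).
if $PROGRAM_NAME == __FILE__
  app = RequireClientCert.new(->(env) { [200, {}, ["hello #{env['puppet.certname']}\n"]] })
  p app.call('SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN' => '/O=Puppet/CN=node1.example.com')
  p app.call('SSL_CLIENT_VERIFY' => 'NONE')
  p app.call('HTTP_SSL_CLIENT_VERIFY' => 'SUCCESS', 'HTTP_SSL_CLIENT_S_DN' => '/CN=node1.example.com')
end
```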

h3. Restart pe-httpd

Restart the puppetlabs httpd server

<pre>
# /etc/init.d/pe-httpd restart
</pre>

h2. Add the smart-proxy to the Foreman's Smart Proxy page

Go to [FOREMAN_URL]/smart_proxies and click New Proxy.
Then type in the Name for your Proxy and the URL of your Proxy, with the Port you use.
For example:

Name: Puppet-Proxy
URL: https://puppetpe.your-domain.com:8443