passenger on Puppet PE and use foreman as an ENC and reporting engine » History » Version 6
Laurent Domb, 05/03/2013 02:04 PM
h1. passenger on Puppet PE and use foreman as an ENC and reporting engine

h2. Overview

This how-to describes the steps to install Foreman's smart proxy on Puppet Enterprise 2.7.2 with the embedded Puppet Labs Ruby version. It also walks you through the steps of switching the reporting engine to "foreman reports" and using Foreman as the ENC.

h2. Requirements

1. Internet access, as you need to do some git pulls and install some rubygems

2. The Puppet Enterprise tarball (puppet-enterprise-2.7.2-el-6-x86_64.tar.gz), which you can download from the Puppet Labs website.

3. A working Foreman 1.1 or higher host

h3. Install the needed dependencies to install the rubygems

Go to the troubleshooting section [[http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting]]; there is a paragraph "I use puppet enterprise, what now?". Install "*pe-ruby-devel-1.8.7.370-1.pe.el6.x86_64.rpm*" from your unpacked Puppet Enterprise tarball. You can find the rpm in puppet-enterprise-2.7.2-el-6-x86_64/packages/el-6-x86_64/.

<pre>
$ sudo yum localinstall pe-ruby-devel-1.8.7.370-1.pe.el6.x86_64.rpm
</pre>

Puppet PE 2.7.2 comes with MySQL as its database backend. This means we need mysql-devel (and a compiler toolchain) to build the mysql rubygem.

<pre>
$ sudo yum install mysql-devel gcc make
</pre>

Now follow the steps copied from the troubleshooting wiki page.

1. Update your PATH variable to use the Ruby version PE ships with

<pre>
# export PATH=/opt/puppet/bin:$PATH
</pre>

2. Check to make sure your PATH was updated ("which gem" should return /opt/puppet/bin/gem)

<pre>
# which gem
/opt/puppet/bin/gem
</pre>

3. Install json, rest-client and mysql

<pre>
# gem install json
# gem install rest-client
# gem install mysql
</pre>

4. If everything went fine you should see the following output when you list the gems

<pre>
# gem list
activerecord (2.3.17)
activesupport (2.3.17)
ar-extensions (0.9.5)
builder (3.0.0)
dalli (1.1.2)
excon (0.14.1)
fog (1.5.0)
formatador (0.2.0)
guid (0.1.1)
hiera (0.3.0)
hiera-puppet (0.3.0)
json (1.7.7)
mime-types (1.16)
multi_json (1.0.3)
mysql (2.9.1)
net-scp (1.0.4)
net-ssh (2.1.4)
nokogiri (1.5.0)
rack (1.1.6)
rack_csrf (2.4.0)
rake (0.8.7)
rbvmomi (1.3.0)
rest-client (1.6.7)
ruby-hmac (0.4.0)
sinatra (1.2.6)
stomp (1.1.9)
tilt (1.3.3)
trollop (1.16.2)
</pre>

h2. Install the smart-proxy from git

As we need to modify some Ruby files (for [[ mcollective ]]) along the way, cloning the smart-proxy from git seemed to be the best way to go.

h3. Cloning the repo

You can download the zip file or just clone the latest smart proxy with git. Use the https transport: the git:// protocol is unauthenticated, so you cannot tell whether the code you check out was tampered with in transit.

<pre>
# cd /usr/share/
# git clone https://github.com/theforeman/smart-proxy.git foreman-proxy
</pre>

h3. Create the foreman-proxy group / user

Add the foreman-proxy user and group to the system, and add the pe-puppet and pe-apache users to the foreman-proxy group so that the puppetmaster and Apache processes can read files owned by the foreman-proxy group. Use -a with -G; without it usermod replaces the user's existing supplementary groups instead of adding to them.

<pre>
# useradd -r foreman-proxy
# usermod -aG foreman-proxy pe-puppet
# usermod -aG foreman-proxy pe-apache
</pre>

h3. Add a log and ssl directory

Create these additional directories:

<pre>
# mkdir -p /var/log/foreman-proxy/
# mkdir -p /usr/share/foreman-proxy/ssl
# mkdir -p /usr/share/foreman-proxy/ssl/certs
# mkdir -p /usr/share/foreman-proxy/ssl/private_keys
</pre>

After adding the user, log and ssl directory, cd into the foreman-proxy folder and change the ownership of config.ru, the log directory and the ssl directory.

<pre>
# cd /usr/share/foreman-proxy
# chown foreman-proxy:root config.ru
# chown -R foreman-proxy:root ssl
# chown -R foreman-proxy:root /var/log/foreman-proxy
</pre>

The reason why we change the ownership of config.ru is that we want Apache/Passenger to spawn the new process as user foreman-proxy and NOT as root.


h3. Configure the foreman-proxy settings.yml

It is recommended to have SSL enabled in production environments, so we need to uncomment these three lines in the smart-proxy's config/settings.yml (adjust the file names to match the certificate and key you copy from the Foreman host in the next step):

<pre>
:ssl_certificate: ssl/certs/fqdn.pem         # created on the Foreman host
:ssl_ca_file: ssl/certs/ca.pem               # this is the Foreman ca.pem
:ssl_private_key: ssl/private_keys/fqdn.key  # created on the Foreman host
</pre>

Then generate a new certificate for the connection between the foreman-proxy and the Foreman host. As we do not want to waste Puppet Enterprise licenses for the Apache SSL connection, we create the certificate on the Foreman host, which has Puppet open source installed.

You can follow the Foreman manual, section 4.3.6 SSL [[http://theforeman.org/manuals/1.1/index.html#4.3.6SSL]], to create the certificates on the Foreman host.

To generate a certificate for a proxy host that is not managed by Puppet (or is, but you do not want to use its certs), do the following:

Generate a new certificate on your puppetmaster (the Foreman host); <proxy-FQDN> is the name of your Puppet Enterprise host:

<pre>
puppet cert --generate <proxy-FQDN>
</pre>

Copy the certificates and key from the puppetmaster (Foreman host) to the smart proxy (Puppet Enterprise host), into /usr/share/foreman-proxy/ssl:

<pre>
/usr/share/foreman-proxy/ssl/certs/ca.pem
/usr/share/foreman-proxy/ssl/certs/proxy-FQDN.pem
/usr/share/foreman-proxy/ssl/private_keys/proxy-FQDN.pem
</pre>

Please pay attention that these are NOT the same certs as the ones you are creating on the Puppet Enterprise CA! These are created by the Foreman open source puppetmaster!
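As an added check that is not part of the original wiki page, the following shell function validates the three copied files against the warning above: it rejects a private key that everyone can read, a certificate that does not belong to the key, and a certificate that was issued by some other CA (such as the Puppet Enterprise one) instead of the Foreman host's ca.pem. The paths are the page's; the function name, messages and checks are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: sanity-check the SSL files the
# smart proxy will use before restarting pe-httpd. It confirms the private key is not
# world-readable, that key and certificate belong together, and that the certificate
# was issued by the CA in ca.pem (the Foreman host's CA, not the Puppet Enterprise CA).
set -u

# check_proxy_ssl CA_PEM CERT_PEM KEY_PEM -> returns 0 when all checks pass, 1 otherwise
check_proxy_ssl() {
    ca="$1"; cert="$2"; key="$3"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # 1. the private key must not be readable by everyone (last octal digit 4-7)
    case "$(stat -c %a "$key")" in
        *[4-7]) echo "$key is world-readable" >&2; return 1 ;;
    esac
    # 2. key and certificate must carry the same public key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match" >&2; return 1; }
    # 3. the certificate must chain to ca.pem; a certificate signed by the PE CA fails
    #    here, which is exactly the mix-up the page warns about
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert was not issued by the CA in $ca" >&2; return 1; }
    echo "ok: $cert matches $key and chains to $ca"
    return 0
}

# usage: sh check_proxy_ssl.sh [CA CERT KEY]; with no arguments the page's paths are
# used if the proxy's ssl directory exists (proxy-FQDN is the page's placeholder)
if [ $# -eq 3 ]; then
    check_proxy_ssl "$1" "$2" "$3"
elif [ $# -eq 0 ] && [ -d /usr/share/foreman-proxy/ssl ]; then
    d=/usr/share/foreman-proxy/ssl
    check_proxy_ssl "$d/certs/ca.pem" "$d/certs/proxy-FQDN.pem" "$d/private_keys/proxy-FQDN.pem"
fi
```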

You also have to enable PuppetCA and Puppet management in settings.yml if your puppetmaster and CA are on the Puppet Enterprise host (adjust the paths if your Puppet Enterprise layout differs, e.g. /etc/puppetlabs/puppet).

<pre>
# enable PuppetCA management
:puppetca: true
:ssldir: /etc/puppet/ssl
:puppetdir: /etc/puppet

# enable Puppet management
:puppet: true
:puppet_conf: /etc/puppet/puppet.conf
</pre>


h3. Allow the foreman-proxy to make puppetca requests

Add the following content to /etc/sudoers.d/foreman-proxy. The file must be owned by root and must not be group- or world-writable, otherwise sudo ignores it.

<pre>
foreman-proxy ALL = NOPASSWD : /usr/sbin/puppetca *
Defaults:foreman-proxy !requiretty
</pre>

h3. Adding the smart-proxy configuration to the puppet httpd directory

You can find the pe-apache folder in /etc/puppetlabs/httpd/conf.d/

Create the following file 12-pe-httpd-foreman-proxy.conf

<pre>
Listen 8443
<VirtualHost YOURIP:8443>
  ServerName puppet-enterprise-fqdn
  SetEnv HOME /usr/share/foreman-proxy
  RailsAutoDetect On
  RailsEnv production
  DocumentRoot /usr/share/foreman-proxy/public
  PassengerAppRoot /usr/share/foreman-proxy

  AddDefaultCharset UTF-8

  SSLEngine On
  # cipher and protocol settings as on the original page; current deployments
  # should also drop RC4 and disable SSLv3 and early TLS versions
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  SSLProtocol ALL -SSLv2

  # certificate, key and CA copied from the Foreman host (not the PE CA)
  SSLCertificateFile /usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem
  SSLCertificateKeyFile /usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem
  SSLCertificateChainFile /usr/share/foreman-proxy/ssl/certs/ca.pem
  SSLCACertificateFile /usr/share/foreman-proxy/ssl/certs/ca.pem
  SSLVerifyClient optional
  SSLOptions +StdEnvVars
  SSLVerifyDepth 3

  LogLevel debug
  # this logs directory must exist before pe-httpd starts; alternatively point
  # both logs at the /var/log/foreman-proxy directory created above
  CustomLog /usr/share/foreman-proxy/logs/access.log combined
  ErrorLog /usr/share/foreman-proxy/logs/error.log
</VirtualHost>
</pre>


h2. Now that we have set up the foreman-proxy we need to add the node.rb file to the /etc/puppetlabs/puppet/ directory so that Puppet requests the information from the Foreman host ENC

You can get the latest node.rb file from here:

https://github.com/theforeman/puppet-foreman/blob/master/templates/external_node.rb.erb

Fetch the raw file (git clone does not work on a single-file URL). Note that it is an ERB template; the next step replaces its placeholders with your values.

<pre>
# cd /etc/puppetlabs/puppet/
# curl -o node.rb https://raw.githubusercontent.com/theforeman/puppet-foreman/master/templates/external_node.rb.erb
# chmod +x node.rb
</pre>


h3. Edit node.rb and add the correct URL and certificates

So that the Foreman host and the foreman-proxy host can talk to each other in a secure way, edit the node.rb file and add your certs.

<pre>
SETTINGS = {
  :url          => "https://foreman.yourdomain", # e.g. https://foreman.example.com
  :puppetdir    => "/var/opt/lib/pe-puppet",     # this is the Puppet Enterprise dir
  :facts        => true,  # true/false to upload facts
  :storeconfigs => true,  # true/false if sharing ActiveRecord-storeconfigs
  :timeout      => 10,
  # if CA is specified, remote Foreman host will be verified
  :ssl_ca       => "/usr/share/foreman-proxy/ssl/certs/ca.pem", # the ca.pem from your Puppet open source Foreman host
  # ssl_cert and key are required if require_ssl_puppetmasters is enabled in Foreman
  :ssl_cert     => "/usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem", # the fqdn.pem from your Puppet open source Foreman host
  :ssl_key      => "/usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem" # the matching private key from your Puppet open source Foreman host
}
</pre>


h3. Add the foreman.rb report to the Puppet Labs Ruby report dir

<pre>
# cd /opt/puppet/lib/ruby/site_ruby/1.8/puppet/reports/
# curl -o foreman.rb https://raw.githubusercontent.com/theforeman/puppet-foreman/master/templates/foreman-report.rb.erb
# chmod +x foreman.rb
</pre>

Now also add your certs in foreman.rb:

<pre>
# URL of your Foreman installation
$foreman_url = 'https://foreman.yourdomain'
# if CA is specified, remote Foreman host will be verified
$foreman_ssl_ca = "/usr/share/foreman-proxy/ssl/certs/ca.pem"
# ssl_cert and key are required if require_ssl_puppetmasters is enabled in Foreman
$foreman_ssl_cert = "/usr/share/foreman-proxy/ssl/certs/puppet-enterprise-fqdn.pem"
$foreman_ssl_key = "/usr/share/foreman-proxy/ssl/private_keys/puppet-enterprise-fqdn.pem"
</pre>


h3. After adding all these files we need to modify the master section in the puppet.conf file

<pre>
[master]
reports = foreman
node_terminus = exec
external_nodes = /etc/puppetlabs/puppet/node.rb
### foreman settings
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
#### for passenger
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
</pre>

The two passenger settings tell the puppetmaster to take the client's identity from the headers Apache sets after it has verified the client certificate, rather than from the connection itself.


h3. Restart pe-httpd

Restart the Puppet Labs httpd server:

<pre>
# /etc/init.d/pe-httpd restart
</pre>


h2. Add the smart-proxy to Foreman's Smart Proxy page

Go to [FOREMAN_URL]/smart_proxies and click New Proxy.
Then type in the name for your proxy and the URL of your proxy, with the port you use (https, since the vhost above only serves SSL on 8443).
For example:

Name: Puppet-Proxy
URL: https://puppetpe.your-domain.com:8443