Puppet (latest revision as of 13:59, 12 January 2018)

= Overview =
Our environment is currently using Puppet v3.8.7 - [https://docs.puppet.com/puppet/3.8/reference/ Documentation]

The current Puppet environment is running on a single instance server. We are not sure yet if we will stick with Puppet or switch to [[Ansible]] (or Ansible Tower), but in the meantime, it was decided that making the existing Puppet environment more resilient would be a good idea.

There is a group of Puppet clients that need to be upgraded before we can point them to the new Puppet Master.

Autosigning appears to be enabled on the new Puppet Master. I think we might want to adjust this at some point. It's considered insecure to enable naive auto-signing: [https://docs.puppet.com/puppet/latest/reference/ssl_autosign.html#nave-autosigning documentation]. Currently, the autosign.conf file contains "*" which I understand to mean that EVERYONE is allowed to have their CSR auto-signed.

== Packages Installed ==
* puppetlabs-release, 7-12
* puppet-server, 3.8.7-1.el7
* puppet, 3.8.7-el7

= Useful Documentation Pages =

= Tutorials from the Web =
* [https://shapeshed.com/connecting-clients-to-a-puppet-master/ Connecting clients to a Puppet Master]
* [https://www.digitalocean.com/community/tutorials/configuration-management-101-writing-puppet-manifests Configuration Management 101 - Writing Puppet Manifests]
* [http://serverfault.com/questions/277900/migrating-puppet-clients-to-new-puppetmaster Migrating Puppet clients to new Puppet Master]
* [https://stuckinadoloop.wordpress.com/2012/02/16/automated-migration-of-systems-to-a-new-puppet-master-server/ Automated migration of systems to a new puppet master server]
* Discussion about firewall ports needed for Puppet clients to talk to Puppet Master
* Puppet 4 Tutorial
** [https://www.digitalocean.com/community/tutorials/getting-started-with-puppet-code-manifests-and-modules Getting started with Puppet code Manifests and Modules]
** [https://www.digitalocean.com/community/tutorials/how-to-use-foreman-to-manage-puppet-nodes-on-ubuntu-14-04 How to use Foreman to manage Puppet Nodes on Ubuntu 14.04]
* [https://www.youtube.com/watch?v=hE64Nv6Uros YouTube: Puppet Configuration Tutorial | Server Configuration with Puppet | Puppet Configuration in Linux]
* [https://www.youtube.com/watch?v=0yVJhb2VkVk YouTube: Puppet Tutorial for Beginners Part -1 | Puppet DevOps Tutorial | DevOps Tools | Edureka]
* [https://www.youtube.com/watch?v=k51SY_o9hMo YouTube: Installing The Puppet Configuration Management Server]
* [https://www.pluralsight.com/courses/puppet-system-administrators-fundamentals PluralSight Puppet System Admin Fundamentals]
** [[PluralSight Puppet Admin Course Notes]]

= Things to remember =
* RITM1393607 - Server Request for a failover for the Puppet environment.
* TASK1852223 - Requested access to the current Puppet server
* Puppet-dhts is the Puppet address from the DMZ.
* RITM1966581 - Decommission old Puppet Environment

= Process Thoughts =
* Determine which Firewall ports need to be opened to the new Puppet server ([https://groups.google.com/forum/#!topic/puppet-users/BbQAof33on8 Google Group])
** Port 8140 (puppet) and Port 22 (ssh) are the recommended ports that need to be opened.
* Submit change request for firewall ports.
** DONE - Actually I submitted a firewall request; they handled the Change Request under a standing change request.
* Determine how to migrate older puppet clients to the new Puppet server (article)
** Because we are using the default "puppet" name for the F5 VIP, the internal servers don't need to re-sign anything.
** For the DMZ systems, they will have their configurations adjusted by their current Puppet environment.

= SSL Configuration =
== SSL & Certificate Documentation ==
* [https://docs.puppet.com/puppet/3.8/reference/config_ssl_external_ca.html Using an External CA]
* [https://docs.puppet.com/puppetserver/1.1/external_ca_configuration.html Using an External CA With Puppet Server]
* [https://docs.puppet.com/puppetserver/1.1/external_ssl_termination.html External SSL Termination With Puppet Server]
* [https://docs.puppet.com/puppet/3.8/reference/ssl_autosign.html Configuring Autosigning]
* [https://docs.puppet.com/puppet/3.8/reference/ssl_attributes_extensions.html CSR Attributes and Certificate Extensions]
* [https://docs.puppet.com/puppet/3.8/reference/ssl_regenerate_certificates.html Regenerating All Certificates in a Deployment]

== Issues ==
* [[Thoughts on using an F5 to provide failover support for two Puppet Servers]]
* [https://serverfault.com/questions/320028/how-to-add-multiple-dns-names-to-my-puppetmaster Multiple DNS Names for PuppetMaster]
* [https://groups.google.com/forum/#!topic/puppet-users/LUSO3bI4iFI Puppet with a DNS Round Robin]
* [https://unix.stackexchange.com/questions/138156/generating-server-and-client-certificates-with-multiple-hostnames Generating Server and Client Certificates with Multiple Hostnames]
** This looks like it will be the solution to our needs, as long as it works with 3.8 and 4.x.

= Discussions about Load Balancing =
* [https://groups.google.com/forum/#!topic/puppet-users/CxHIGQ5zIxo how to scale puppet with F5 load balancer?]
* [https://docs.puppet.com/guides/scaling_multiple_masters.html Scaling Multiple Masters]
* [https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=puppet%20fail%20over Google Search: Puppet Fail Over]

= Meetings =
* [[Puppet 20170329]]

[[Category:Puppet]]
[[Category:Configuration Management]]
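The autosign.conf concern raised in the Overview, as an added check that is not part of the original page or of Puppet itself: the script parses a constructed autosign.conf in the basic-autosigning syntax (one certname or *.domain glob per line, # comments) and rates each entry. The sample content, function names and severity labels are this example's own.

```python
import re

# Constructed sample autosign.conf for this example; line 2 is the bare "*"
# the Overview describes (every CSR gets auto-signed).
SAMPLE_AUTOSIGN_CONF = """\
# certnames / domain globs allowed to be auto-signed
*
*.dmz.example.com
web01.example.com
"""

# Basic autosigning (per the Puppet docs) accepts an exact certname or a domain
# glob with a single leading "*." wildcard; anything else is flagged for review.
_EXACT = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$", re.I)
_DOMAIN_GLOB = re.compile(r"^\*\.[a-z0-9.-]+$", re.I)

SEVERITY_ORDER = {"ok": 0, "review": 1, "warning": 2, "critical": 3}


def classify_entry(entry):
    """Rate one autosign.conf entry as (severity, reason)."""
    if entry == "*":
        return "critical", "matches every CSR: any host that reaches port 8140 gets a signed cert"
    if _DOMAIN_GLOB.match(entry):
        # The certname is chosen by the client, so a glob only trusts the CSR's claim.
        return "warning", "domain glob: any CSR claiming a name under this suffix is signed"
    if _EXACT.match(entry):
        return "ok", "exact certname"
    return "review", "not a certname or *.domain glob; check it by hand"


def audit_autosign(text):
    """Parse autosign.conf text into a list of (lineno, entry, severity, reason)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if entry:
            findings.append((lineno, entry) + classify_entry(entry))
    return findings


def worst_severity(findings):
    """Highest severity across the findings; "ok" for an empty file."""
    return max((f[2] for f in findings), key=SEVERITY_ORDER.get, default="ok")


if __name__ == "__main__":
    findings = audit_autosign(SAMPLE_AUTOSIGN_CONF)
    for lineno, entry, severity, reason in findings:
        print(f"line {lineno}: {entry:<20} {severity:<9} {reason}")
    print("overall:", worst_severity(findings))
```

A "critical" result means basic autosigning should be replaced with an explicit certname list, policy-based autosigning, or autosign disabled on the master (see the Configuring Autosigning link under SSL Configuration).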