Difference between revisions of "Puppet"

From RiceFamily Wiki

Latest revision as of 13:59, 12 January 2018

Overview

Our environment is currently using Puppet v3.8.7 - Documentation

The current Puppet environment is running on a single instance server. We are not sure yet if we will stick with Puppet or switch to Ansible (or Ansible Tower), but in the meantime, it was decided that making the existing Puppet environment more resilient would be a good idea.

There is a group of Puppet clients that need to be upgraded before we can point them to the new Puppet Master.

Autosigning appears to be enabled on the new Puppet Master. I think we might want to adjust this at some point. It's considered insecure to enable naive auto-signing: documentation. Currently, the autosign.conf file contains "*", which I understand to mean that EVERYONE is allowed to have their CSR auto-signed.
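As an added illustration (not from the wiki page), a small Python audit that parses an autosign.conf in the Puppet 3.x/4.x whitelist format, flags the bare "*" entry found on the new master, and shows which certnames a given file would auto-sign. The matching rules are an approximation of Puppet's, and the host names are constructed.

```python
from typing import Dict, List

# Constructed sample files (not taken from the wiki page).
WEAK_AUTOSIGN = "# autosign.conf as found on the new master\n*\n"
HARDENED_AUTOSIGN = (
    "# Only certnames matching these entries are auto-signed; any other\n"
    "# CSR waits for a manual `puppet cert sign`.\n"
    "*.internal.example.test\n"
    "dmzweb01.dmz.example.test\n"
)


def parse_autosign(text: str) -> List[str]:
    """Return whitelist entries, ignoring blank lines and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())
    return entries


def entry_matches(entry: str, certname: str) -> bool:
    """Approximation of Puppet's autosign rules: '*' matches any certname,
    '*.suffix' matches certnames ending in '.suffix', anything else must
    match exactly (comparison is case-insensitive)."""
    certname = certname.lower()
    if entry == "*":
        return True
    if entry.startswith("*."):
        return certname.endswith(entry[1:]) and certname != entry[1:]
    return certname == entry


def would_autosign(text: str, certname: str) -> bool:
    """True if a CSR for this certname would be signed without review."""
    return any(entry_matches(e, certname) for e in parse_autosign(text))


def audit(text: str) -> List[Dict[str, str]]:
    """Flag entries that auto-sign more than an explicitly named host."""
    findings = []
    for entry in parse_autosign(text):
        if entry == "*":
            findings.append({"entry": entry, "risk": "any-host",
                             "note": "every CSR is signed without review"})
        elif entry.startswith("*."):
            findings.append({"entry": entry, "risk": "domain-wildcard",
                             "note": "any certname under this suffix is signed"})
    return findings
```

Running `audit(WEAK_AUTOSIGN)` reports the single "*" entry as any-host, while the hardened file rejects a certname outside the listed suffix and host.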

Packages Installed

  • puppetlabs-release, 7-12
  • puppet-server, 3.8.7-1.el7
  • puppet, 3.8.7-el7

Useful Documentation Pages

Tutorials from the Web

Things to remember

  • RITM1393607 - Server Request for a fail over for the Puppet environment.
  • TASK1852223 - Requested access to the current Puppet server
  • Puppet-dhts - the Puppet address from the DMZ.
  • RITM1966581 - Decommission old Puppet Environment

Process Thoughts

  • Determine which Firewall ports need to be opened to the new Puppet server (Google Group: https://groups.google.com/forum/#!topic/puppet-users/BbQAof33on8)
    • Port 8140 (puppet) and Port 22 (ssh) are the recommended ports that need to be opened.
  • Submit change request for firewall ports.
    • DONE - Actually I submitted a firewall request, they handled the Change Request under a standing change request.
  • Determine how to migrate older puppet clients to the new Puppet server (article)
    • Because we are using the default "puppet" name for the F5 VIP, the internal servers don't need to resign anything.
    • For the DMZ systems, they will have their configurations adjusted by their current Puppet environment.

SSL Configuration

SSL & Certificate Documentation

Issues

  • Thoughts on using an F5 to provide failover support for two Puppet Servers
  • Multiple DNS Names for PuppetMaster (https://serverfault.com/questions/320028/how-to-add-multiple-dns-names-to-my-puppetmaster)
  • Puppet with a DNS Round Robin (https://groups.google.com/forum/#!topic/puppet-users/LUSO3bI4iFI)
  • Generating Server and Client Certificates with Multiple Hostnames (https://unix.stackexchange.com/questions/138156/generating-server-and-client-certificates-with-multiple-hostnames)
    • This looks like it will be the solution to our needs. As long as it works with 3.8 and 4.x

Discussions about Load Balancing

Meetings