Thursday, April 9, 2015

Build a Puppet Master on CentOS 7 -- Hella Quick-Style

I build Puppet environments all the time, which means I need to set up Puppet Masters all the time.  Here's what I do to get a Master running on CentOS 7 "hella quick-style."

Build a CentOS 7 machine and set its hostname. I'm going to call mine "kermit.localdomain."

hostnamectl set-hostname kermit.localdomain

Then add the official PuppetLabs yum repo to the system's sources.

rpm -ivh

Now yum can install the Puppet Master for you.

yum -y install puppet-server

The easiest way to generate the Master's SSL keypair and self-sign its certificate is to just start up the Master in the foreground and then control-C out of it once it's done the SSL bits. (There must be a more elegant way to do this.)

puppet master --verbose --no-daemonize

Aim the Master's own Agent at itself. The last stanza in a stock Puppet install's puppet.conf is the [agent] section, so we can get away with just appending to it. (Again, using "kermit" in this example.)

echo 'server = kermit.localdomain' >> /etc/puppet/puppet.conf

Add a [master] stanza to the puppet.conf file. On a stock install, it's safe to just append to the file.

cat >> /etc/puppet/puppet.conf <<EOF
    environmentpath = \$confdir/environments
    basemodulepath = /etc/puppet/modules
    reports = store,log

The Master won't start without a production environment, so make an empty one.

mkdir -p /etc/puppet/environments/production/{modules,manifests}
echo 'node default {}' > /etc/puppet/environments/production/manifests/site.pp

Copy the package-supplied Hiera configuration file to a place where the Master can find it. Later, you'll likely need to update the 'datadir' and your hierarchy, but for now the stock one is fine.

cp /etc/hiera.yaml /etc/puppet/hiera.yaml

Set up firewalld with a rule for Puppet traffic on port 8140.

cat > /etc/firewalld/services/puppetmaster.xml <<EOF
<?xml version="1.0" encoding="utf-8"?>
    <description>Puppet Master</description>
    <port protocol="tcp" port="8140"/>

Tell firewalld to use the rule.

firewall-cmd --permanent --add-service=puppetmaster   # may take two tries
firewall-cmd --reload

And finally, start up the pieces.

puppet resource service puppetmaster ensure=running enable=true
puppet resource service puppet ensure=running enable=true

That's it! If you have to troubleshoot, tail /var/log/messages for clues. Remember, you can kick off Puppet runs manually with `puppet agent -t` to see what's going on during a run.