puppet_configure_master_client

Differences

puppet_configure_master_client [2020/11/16 16:11] – created andonovj
puppet_configure_master_client [2020/11/16 16:21] (current) andonovj
Line 1: Line 1:
 =====Overview===== =====Overview=====
-As shown in the previous section, we have configured one master and slaveWe have also signed the certificate and+From the previous section, we have installed the binaries for both: Agent & Server. 
 +In this section, we will configure them and sign the certificate: 
 + 
 + 
 +=====Configuration===== 
 +For the configuration, we have to configure the agent to point to the master server. Then we have to sign the agent's certificate from the master. 
 + 
 +====Configure Master==== 
 +We can start the service as follows: 
 + 
 +<Code:bash|Start the pupept Server> 
 +[root@puppetmaster etc]# service puppetserver start 
 +Redirecting to /bin/systemctl start puppetserver.service 
 +[root@puppetmaster etc]# service puppetserver status 
 +Redirecting to /bin/systemctl status puppetserver.service 
 +● puppetserver.service - puppetserver Service 
 +   Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; disabled; vendor preset: disabled) 
 +   Active: active (running) since Fri 2020-11-13 16:50:11 EST; 7s ago 
 +  Process: 7345 ExecStart=/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver start (code=exited, status=0/SUCCESS) 
 + Main PID: 7368 (java) 
 +    Tasks: 40 (limit: 4915) 
 +   CGroup: /system.slice/puppetserver.service 
 +           └─7368 /usr/bin/java -Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -XX:OnOutOfMemoryError="kill -9 %p" -XX:ErrorFile=/var/log/puppetlabs/pu... 
 + 
 +Nov 13 16:49:35 puppetmaster.example.com systemd[1]: Starting puppetserver Service... 
 +Nov 13 16:50:11 puppetmaster.example.com systemd[1]: Started puppetserver Service. 
 +[root@puppetmaster etc]#  
 +</Code> 
 + 
 +As stated before, the agent is the one pulling the requests from the master, but before it can do that, the connection between them NEEDS to be secure. Secure in the IT world means, certificates, so let's check what certificates the Master has: 
 + 
 +<Code:bash|Check Master Certificates> 
 +[root@puppetmaster certificate_requests]# puppetserver ca list --all 
 +Signed Certificates: 
 +    puppetmaster.example.com       (SHA256)  ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B    alt names: ["DNS:puppet", "DNS:puppetmaster.example.com" authorization extensions: [pp_cli_auth: true] 
 +[root@puppetmaster certificate_requests]#  
 +</Code> 
 + 
 +So we see that the master has his own certificate and that is thatBut for the agent to work, we need the agent to send his certificate to be signed by the master. So let's setup the agent. 
 + 
 +====Configure Agent==== 
 +<Code:bash|Edit Puppet Agent Conf> 
 +[root@puppetagent puppet]# vi /etc/puppetlabs/puppet/puppet.conf 
 +# This file can be used to override the default puppet settings. 
 +# See the following links for more details on what settings are available: 
 +# - https://puppet.com/docs/puppet/latest/config_important_settings.html 
 +# - https://puppet.com/docs/puppet/latest/config_about_settings.html 
 +# - https://puppet.com/docs/puppet/latest/config_file_main.html 
 +# - https://puppet.com/docs/puppet/latest/configuration.html 
 + 
 +[main] 
 +certserver = puppetslave.example.com 
 +server = puppetmaster.example.com 
 + 
 +:wq 
 + 
 +</Code> 
 + 
 +After that, we can start the Agent. 
 +<Code:bash|Start Puppet Agent> 
 +[root@puppetagent puppet]# service puppet start 
 +Redirecting to /bin/systemctl start puppet.service 
 +[root@puppetagent puppet]# service puppet status 
 +Redirecting to /bin/systemctl status puppet.service 
 +● puppet.service - Puppet agent 
 +   Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; vendor preset: disabled) 
 +   Active: active (running) since Fri 2020-11-13 17:23:04 EST; 2s ago 
 + Main PID: 26262 (puppet) 
 +    Tasks: 2 
 +   CGroup: /system.slice/puppet.service 
 +           └─26262 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize 
 + 
 +Nov 13 17:23:04 puppetslave.example.com systemd[1]: Started Puppet agent. 
 +[root@puppetagent puppet]# 
 +</Code> 
 + 
 +====Sign Certificate==== 
 +Since the agent started (and hopefully not mistakes) the master should've received the certificate (from the agent) to approve: 
 + 
 +<Code:bash|Check Certificate Requests> 
 +[root@puppetmaster certificate_requests]# puppetserver ca list --all 
 +Requested Certificates: 
 +    puppetslave.example.com       (SHA256)  1F:86:36:82:A1:0E:A6:76:BE:D5:F8:11:93:85:E1:9C:AC:EE:AA:29:AC:85:0F:EB:49:90:A7:CF:FC:40:51:22 
 +Signed Certificates: 
 +    puppetmaster.example.com       (SHA256)  ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B    alt names: ["DNS:puppet", "DNS:puppetmaster.example.com" authorization extensions: [pp_cli_auth: true] 
 +</Code> 
 + 
 +Now, we have 2 certiciates :), so let's approve our agent. 
 + 
 +<Code:bash|Sign Certificate> 
 +[root@puppetmaster certificate_requests]# puppetserver ca sign --certname puppetslave.example.com 
 +Successfully signed certificate request for puppetslave.example.com 
 +[root@puppetmaster certificate_requests]# 
 +[root@puppetmaster certificate_requests]# puppetserver ca list --all 
 +Signed Certificates: 
 +    puppetmaster.example.com       (SHA256)  ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B    alt names: ["DNS:puppet", "DNS:puppetmaster.example.com" authorization extensions: [pp_cli_auth: true] 
 +    puppetslave.example.com        (SHA256)  A4:24:76:E7:3D:B8:5B:35:15:1D:79:61:6B:44:F7:1B:D8:B9:8A:03:C9:5B:C4:0D:10:23:8B:00:75:7F:9A:DA 
 +[root@puppetmaster certificate_requests]# 
 +</Code> 
 + 
 +From now on, we will have trusted connection between the Agent/Slave and the Master. 
 + 
 +=====Verification===== 
 +We can verify the connection and the pull from the Agent as follows: 
 + 
 +<Code:bash|Pull latest Changes> 
 +[root@puppetagent puppet]# puppet agent --test --verbose 
 +Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml 
 +Info: Creating a new SSL certificate request for puppetslave.example.com 
 +Info: Certificate Request fingerprint (SHA256): 1F:86:36:82:A1:0E:A6:76:BE:D5:F8:11:93:85:E1:9C:AC:EE:AA:29:AC:85:0F:EB:49:90:A7:CF:FC:40:51:22 
 +Info: Downloaded certificate for puppetslave.example.com from https://puppetmaster.example.com:8140/puppet-ca/v1 
 +Info: Using configured environment 'production' 
 +Info: Retrieving pluginfacts 
 +Info: Retrieving plugin 
 +Info: Retrieving locales 
 +Info: Caching catalog for puppetslave.example.com 
 +Info: Applying configuration version '1605307262' 
 +Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml 
 +Notice: Applied catalog in 0.03 seconds 
 +[root@puppetagent puppet]# puppet agent --test --verbose 
 +Info: Using configured environment 'production' 
 +Info: Retrieving pluginfacts 
 +Info: Retrieving plugin 
 +Info: Retrieving locales 
 +Info: Caching catalog for puppetslave.example.com 
 +Info: Applying configuration version '1605307275' 
 +Notice: Applied catalog in 0.01 seconds 
 +[root@puppetagent puppet]#  
 +</Code> 
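Review bot: in the Configure Agent block, `certserver = puppetslave.example.com` points certificate requests at the agent's own name rather than at the master, and the Verification output shows it had no effect (the certificate was downloaded from `https://puppetmaster.example.com:8140/puppet-ca/v1`); since the master is the CA here, `server = puppetmaster.example.com` alone is sufficient, and a separate CA host would be configured with the documented `ca_server` setting, so drop that line rather than leave readers copying a setting that does nothing. In Sign Certificate, the reader should be told to compare the request fingerprint shown by `puppetserver ca list --all` (`1F:86:36:82:...:51:22`) with the one the agent prints as `Info: Certificate Request fingerprint (SHA256): ...` before running `puppetserver ca sign --certname`; that match is what confirms the CSR came from the intended node, and the page already shows both values side by side. Minor wording: "pupept" in the first Code title, "hopefully not mistakes" should read "hopefully no mistakes", and "certiciates" should read "certificates".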