We can use Puppet to automatically deploy the control server:
There is a puppet server running on our westcoast server (li823-33.members.linode.com).
ssh to the westcoast server, su - to root.
docker ps
The result will be:
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS              PORTS                    NAMES
554b5ba9c2b4        7a52905b3674        "/bin/bash"            2 weeks ago         Up 2 weeks                                   jovial_shockley
e2f8ce9e076e        registry            "/entrypoint.sh /etc   2 weeks ago         Up 2 weeks          0.0.0.0:5000->5000/tcp   registry
docker attach 554b5ba9c2b4 (go into the server container)
service server status (make sure the server is running)
The output should be:
server (pid 109) is running...
Then list the certificates:
puppet cert list --all
Then change to the manifests directory:
cd /etc/puppet/environments/production/manifests/
vim client.pp
Then put the new control server's fully qualified hostname in the .pp file, e.g.
node 'virtual.crecom.com.au' {...}
Save and exit.
ssh to your new control server and su - to root. Then install the puppet agent with the following steps:
rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
yum -y install puppet
vim /etc/puppet/puppet.conf
Then put the following configuration in:
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# puppet server DNS name
server = li823-33.members.linode.com
# your client server DNS name
certname = <YOUR CLIENT DNS NAME HERE>
environment = production
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
#runinterval = 8h
onetime = true
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
After editing the puppet.conf, run:
puppet agent --test --debug
In the log you will see that the puppet client creates its client certificate and that the puppet master has not signed the certificate yet.
Then in your puppet master server container (westcoast server: li823-33.members.linode.com), run:
puppet cert list --all
You will see that the client's certificate has not been signed yet (no "+" in front of it):
"<YOUR CLIENT HOSTNAME>" (SHA256) FA:42:85:8A:27:C8:DE:39:AC:20:6A:D5:F5:C7:B2:64:12:B5:FB:93:31:9B:27:DC:28:61:45:0A:F9:8E:C0:57
Then we run:
puppet cert sign <YOUR CLIENT HOSTNAME>
to authorize the client certificate.
List the certificates again to see the client's certificate is authorized.
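As an added check before running puppet cert sign (example code, not part of the original procedure): the client's agent log shows the fingerprint of the certificate it created, and puppet cert list --all on the master shows the fingerprint of the request it received, so comparing the two before signing makes sure you authorize the request the client actually generated and not an unexpected one. The hostnames and fingerprints in SAMPLE_CERT_LIST are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original procedure): parse the output of
# `puppet cert list --all` on the master and only allow signing when the
# request is still pending and its fingerprint matches the one the client
# reported, so an unexpected request for the same name is not signed blindly.
# Line format (Puppet 3 CA): [+ ]"<certname>" (SHA256) AA:BB:...

# Constructed sample output; hostnames and fingerprints are placeholders.
SAMPLE_CERT_LIST='+ "li823-33.members.linode.com" (SHA256) 11:22:33:44
"virtual.crecom.com.au" (SHA256) FA:42:85:8A:27:C8:DE:39
"rogue.example.invalid" (SHA256) DE:AD:BE:EF:00:11:22:33'

# cert_state <certname> <list-output>: prints "signed", "pending" or "absent".
cert_state() {
    name=$1; list=$2
    line=$(printf '%s\n' "$list" | grep -F "\"$name\"" | head -n 1)
    if [ -z "$line" ]; then
        echo absent
    elif [ "${line#+ }" != "$line" ]; then
        echo signed          # signed entries carry a leading "+ "
    else
        echo pending
    fi
}

# cert_fingerprint <certname> <list-output>: prints the fingerprint column.
cert_fingerprint() {
    name=$1; list=$2
    printf '%s\n' "$list" | grep -F "\"$name\"" | head -n 1 | awk '{print $NF}'
}

# safe_to_sign <certname> <expected-fingerprint> <list-output>:
# returns 0 only when the request is pending and the fingerprint matches.
safe_to_sign() {
    name=$1; expected=$2; list=$3
    [ "$(cert_state "$name" "$list")" = pending ] || return 1
    [ "$(cert_fingerprint "$name" "$list")" = "$expected" ] || return 1
    return 0
}

# Usage on the master (CLIENT and FP copied from the client's agent log):
# if safe_to_sign "$CLIENT" "$FP" "$(puppet cert list --all)"; then
#     puppet cert sign "$CLIENT"
# fi
```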
On the client, run:
puppet agent --test --debug &>debug
again so the client can communicate with the server and start deploying the control server automatically.
Then go back to your puppet server docker container (your westcoast terminal).
Press Ctrl+p, Ctrl+q to detach from the puppet server container and return to the westcoast bash shell.
After the automated deployment, we need to generate the openvpn CA
(the CA has to be generated per company, so this step cannot be automated):
cd /usr/share/easy-rsa/2.0
source vars
./clean-all
Edit the file "vars" and change the items near the end (this is just an example; use your real location details):
export KEY_COUNTRY="AU"
export KEY_PROVINCE="NewSouthWales"
export KEY_CITY="CrowsNest"
export KEY_ORG="Creative-Computing"
export KEY_EMAIL=
export KEY_OU="COMPANY NAME e.g. concare"
Build the certificate authority (just accept all the defaults and say yes to sign the certificate and commit), then install and start openvpn:
source ./vars
./build-ca
./build-dh
./build-key-server server
wget
mv openvpn.conf /etc/openvpn/
chkconfig openvpn on
mkdir /var/log/openvpn
service openvpn start
