=== Deploying the control server with Puppet ===
We can use Puppet to automatically deploy the control server.
There is a puppet server running on our westcoast server (li823-33.members.linode.com).
ssh to the westcoast server, su - to root, then edit the manifest:
{{{
cd /etc/puppet/environments/production/manifests/
vim client.pp
}}}
Put the new control server's fully qualified hostname in the .pp file, e.g.
{{{
node 'virtual.crecom.com.au' {...}
}}}
Save and exit.
ssh to your new control server, su - to root, and install the puppet agent:
{{{
rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
yum -y install puppet
vim /etc/puppet/puppet.conf
}}}
Then put the following configuration in:
{{{
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# puppet server dns name
server = li823-33.members.linode.com
# your client server dns name
certname = <YOUR CLIENT DNS NAME HERE>
environment = production
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
#runinterval = 8h
onetime = true
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
}}}
After editing puppet.conf, run:
{{{
puppet agent --test --debug
}}}
In the log you will see that the puppet client creates the client certificate request and that the puppet master has not signed the certificate yet.
ssh to the puppet master server (westcoast server: li823-33.members.linode.com) and run:
{{{
puppet cert list --all
}}}
We will see that the client's certificate has not been signed yet (no "+" in front):
{{{
"<YOUR CLIENT HOSTNAME>" (SHA256) FA:42:85:8A:27:C8:DE:39:AC:20:6A:D5:F5:C7:B2:64:12:B5:FB:93:31:9B:27:DC:28:61:45:0A:F9:8E:C0:57
}}}
Then we run:
{{{
puppet cert sign <YOUR CLIENT HOSTNAME>
}}}
to authorize the client certificate.
List the certificates again to see that the client's certificate is now signed.
On the client, run:
{{{
puppet agent --test --debug &>debug
}}}
again so the client can communicate with the server and start to deploy the control server automatically.
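Before running `puppet cert sign`, it is worth checking that the pending request's fingerprint matches the one the client reports with `puppet agent --fingerprint`, rather than signing whatever happens to be waiting on the master. The script below is an added example, not part of the original wiki page; it assumes the Puppet 3.x `puppet cert list --all` output format shown above and uses the hostnames from this page only as constructed sample data.

```shell
#!/bin/sh
# Added example: gate "puppet cert sign" on an out-of-band fingerprint check.
# Assumes Puppet 3.x "puppet cert list --all" output: unsigned requests have no
# leading "+", signed certificates are prefixed with "+ ".

# Read a cert listing on stdin; print HOST's SHA256 fingerprint only if the
# request is still unsigned. Signed lines have "+" in $1, so they never match.
pending_fingerprint() {
    host="$1"
    awk -v h="$host" '$1 == "\"" h "\"" && $2 == "(SHA256)" { print $3 }'
}

# Return 0 only when HOST has a pending request whose fingerprint equals the
# value EXPECTED that the client admin reported (puppet agent --fingerprint).
fingerprint_matches() {
    host="$1"; expected="$2"; listing="$3"
    actual=$(printf '%s\n' "$listing" | pending_fingerprint "$host")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Run on the puppet master: sign only after the fingerprint check passes.
verify_and_sign() {
    if fingerprint_matches "$1" "$2" "$(puppet cert list --all)"; then
        puppet cert sign "$1"
    else
        echo "no pending request for $1 or fingerprint mismatch; not signing" >&2
        return 1
    fi
}

# Constructed sample listing: one unsigned request (the new control server)
# and one already-signed certificate (the master itself). Not real output.
SAMPLE_LIST='  "virtual.crecom.com.au" (SHA256) FA:42:85:8A:27:C8:DE:39:AC:20:6A:D5:F5:C7:B2:64:12:B5:FB:93:31:9B:27:DC:28:61:45:0A:F9:8E:C0:57
+ "li823-33.members.linode.com" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'
```

Usage on the master would be `verify_and_sign virtual.crecom.com.au FA:42:...:57`, with the fingerprint copied from the client's `puppet agent --fingerprint` output.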
=== After the automated deployment, we need to generate the openvpn CA ===
(because the CA has to be generated per company, we cannot automate it):
{{{
cd /usr/share/easy-rsa/2.0
source vars
./clean-all
}}}
Edit the file "vars" and change the items near the end (this is just an example, you can use your real location details):
{{{
export KEY_COUNTRY="AU"
export KEY_PROVINCE="NewSouthWales"
export KEY_CITY="CrowsNest"
export KEY_ORG="Creative-Computing"
export KEY_EMAIL=
export KEY_OU="COMPANY NAME e.g. concare"
}}}
Build the certificate authority (just accept all the defaults and say yes to sign the certificate and commit), then install the server config and start openvpn:
{{{
source ./vars
./build-ca
./build-dh
./build-key-server server
wget
mv openvpn.conf /etc/openvpn/
chkconfig openvpn on
mkdir /var/log/openvpn
service openvpn start
}}}
