Costa Rica/Tecnico/Puppet

From OLPC

Current hardware
Chassis: MicroATX
Motherboard: Foxconn M61PML-K
Processor: AMD Sempron 145 AM3 2.8GHz
Memory: 2GB DDR3 1333MHz
Disk: 500GB Seagate 7200RPM SATA

Installing the puppet master server.

Steps:
1- Do a minimal Fedora 17 install. The hostname must be puppet.
2- Check that the system is up to date:

# yum update -y

3- Set the machine's FQDN:

[root@puppet ~]# vi /etc/hosts
186.15.1.93	puppet.fqt.cr	puppet ## add this line
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@puppet ~]# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=puppet.fqt.cr

4- Disable iptables:

[root@puppet ~]# systemctl stop iptables.service
[root@puppet ~]# systemctl stop ip6tables.service
[root@puppet ~]# systemctl disable iptables.service
[root@puppet ~]# systemctl disable ip6tables.service
  • Disabling iptables is NOT recommended on a server reachable from outside. This step should be revisited so that the proper rule is added and the agents can connect without turning the service off: the puppet master only needs TCP port 8140 open to the school servers.

5- Disable SELinux:

[root@puppet ~]# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#enforcing - SELinux security policy is enforced.
#permissive - SELinux prints warnings instead of enforcing.
#disabled - SELinux is fully disabled.
SELINUX=disabled # change this
# SELINUXTYPE= type of policy in use. Possible values are:
#targeted - Only targeted network daemons are protected.
#strict - Full SELinux protection.
SELINUXTYPE=targeted
  • The change takes effect at the reboot in step 9. Setting SELINUX=permissive instead keeps the protection logging (denials appear in /var/log/audit/audit.log) while still letting the service run, which shows exactly what policy the puppet master would need.

6- Install puppet-server:

[root@puppet ~]# yum install -y puppet-server

7- Edit the variable MAX_URI_LENGTH = 2083 and change it to 4096. WEBrick, the web server the puppet master runs under by default, rejects requests whose URI exceeds this limit, and the GET requests sent by agents with many facts are longer than that. An update of the ruby package restores the original file, so the change has to be repeated afterwards:

[root@puppet ~]# vi /usr/share/ruby/webrick/httprequest.rb

8- Start the service and enable it at boot:

[root@puppet ~]# systemctl start puppetmaster.service
[root@puppet ~]# systemctl enable puppetmaster.service

9- Reboot the server

[root@puppet ~]# reboot
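The nine steps above, collected into one idempotent script. This is an added example and not the page's own procedure nor anything shipped by OLPC or Puppet. It uses the IP address and FQDN from the page, assumes Fedora 17 with the iptables and puppet-server packages, and, instead of disabling iptables, opens only TCP 8140 (the puppet master's port) to an assumed agent subnet 186.15.1.0/24 that must be adjusted to the real network of the school servers. Run as root with `--install`; without that argument the script only defines its functions, which work on any file path you give them.

```shell
#!/bin/sh
# Added example: Puppet master setup on Fedora 17 as reusable shell functions.
PUPPET_IP="186.15.1.93"                       # from the page
PUPPET_FQDN="puppet.fqt.cr"                   # from the page
AGENT_NET="${AGENT_NET:-186.15.1.0/24}"       # ASSUMPTION: subnet of the XS agents
WEBRICK_REQ="/usr/share/ruby/webrick/httprequest.rb"

# Append "IP<TAB>FQDN<TAB>SHORT" to a hosts file unless the FQDN is already
# present (so re-running the script never duplicates the line).
add_hosts_entry() {
    file="$1"; ip="$2"; fqdn="$3"; short="$4"
    # dots in $fqdn match any character here; good enough for a hosts file
    if grep -Eq "[[:space:]]$fqdn([[:space:]]|$)" "$file"; then
        return 0
    fi
    printf '%s\t%s\t%s\n' "$ip" "$fqdn" "$short" >> "$file"
}

# Raise WEBrick's URI limit so agents sending many facts are not rejected.
# Fails (exit 1) when the expected line is absent, e.g. after a ruby update
# that changed the file, so the problem is noticed instead of silently skipped.
patch_max_uri() {
    file="$1"
    grep -q 'MAX_URI_LENGTH = 2083' "$file" || return 1
    sed -i 's/MAX_URI_LENGTH = 2083/MAX_URI_LENGTH = 4096/' "$file"
}

# iptables rule accepting new connections to port 8140 from one network only.
puppet_rule() {
    printf 'INPUT -s %s -p tcp -m state --state NEW --dport 8140 -j ACCEPT' "$1"
}

install_master() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    yum update -y
    add_hosts_entry /etc/hosts "$PUPPET_IP" "$PUPPET_FQDN" puppet
    sed -i "s/^HOSTNAME=.*/HOSTNAME=$PUPPET_FQDN/" /etc/sysconfig/network
    hostname "$PUPPET_FQDN"
    # Keep the firewall running: insert the rule ahead of the default REJECT
    # and persist it to the file iptables.service restores at boot.
    # shellcheck disable=SC2046
    iptables -I $(puppet_rule "$AGENT_NET")
    iptables-save > /etc/sysconfig/iptables
    # As in the page; "permissive" would keep SELinux logging instead.
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/sysconfig/selinux
    yum install -y puppet-server
    patch_max_uri "$WEBRICK_REQ" || echo "MAX_URI_LENGTH line not found in $WEBRICK_REQ" >&2
    systemctl enable puppetmaster.service
    systemctl start puppetmaster.service
    echo "done; reboot to apply the hostname and SELinux changes"
}

if [ "${1:-}" = "--install" ]; then
    install_master
fi
```

The rule is inserted with `-I` so it lands before the REJECT that closes Fedora's default INPUT chain; anything not from the agent subnet is still dropped, which is the whole point of not disabling the service.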

Using puppet

Check whether there are unsigned certificate requests:

[root@puppet ~]# puppetca --list
"schoolserver.flexi.fqt.cr" (F0:F4:E0:E2:6A:81:67:99:C4:3F:8E:2C:41:E9:0A)

Sign the certificate request:

[root@puppet certs]# puppetca --sign schoolserver.flexi.fqt.cr
notice: Signed certificate request for schoolserver.flexi.fqt.cr

Regenerate/re-sign a certificate (when the XS has been reinstalled):

On the XS:
[root@schoolserver ssl]# service puppet stop
Stopping puppet:                                           [  OK  ]
[root@schoolserver ssl]# rm -rf /var/lib/puppet/ssl
On the puppetmaster:
[root@puppet certs]# puppetca --clean schoolserver.flexi.fqt.cr
notice: Revoked certificate with serial 4
notice: Removing file Puppet::SSL::Certificate schoolserver.flexi.fqt.cr at '/var/lib/puppet/ssl/ca/signed/schoolserver.flexi.fqt.cr.pem'
notice: Removing file Puppet::SSL::Certificate schoolserver.flexi.fqt.cr at '/var/lib/puppet/ssl/certs/schoolserver.flexi.fqt.cr.pem'
On the XS:
[root@schoolserver ssl]# service puppet start
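Signing whatever `puppetca --list` shows hands a certificate, and with it the catalog and files for that school server, to any machine that managed to submit a request under that name. The check a practitioner adds is to compare the fingerprint on the master with the one the agent reports locally (`puppet agent --fingerprint` on the XS; the same value is the MD5 of the DER-encoded CSR, `openssl req -in /var/lib/puppet/ssl/certificate_requests/<certname>.pem -outform DER | openssl md5 -c`) and sign only on a match. The helpers below are an added example, not code from the page, OLPC or Puppet: they parse the list output, compare fingerprints, and wrap the master's half of the reinstall procedure above. The sample list is constructed; its first line is the page's, the second host and fingerprint are invented.

```shell
#!/bin/sh
# Added example: fingerprint check before signing, and master-side re-enrollment.

# Constructed sample of `puppetca --list` output. First line from the page
# (fingerprint as truncated there); the second host is hypothetical.
SAMPLE_LIST='"schoolserver.flexi.fqt.cr" (F0:F4:E0:E2:6A:81:67:99:C4:3F:8E:2C:41:E9:0A)
"other.flexi.fqt.cr" (11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00)'

# Print the pending request's fingerprint for one host, reading the list
# output from stdin. Exit 1 when the host has no pending request.
pending_fingerprint() {
    host="$1"
    fp=$(sed -n "s/^[[:space:]]*\"$host\" (\([0-9A-Fa-f:]*\)).*/\1/p")
    [ -n "$fp" ] || return 1
    printf '%s\n' "$fp"
}

# Compare the master's pending fingerprint with the one read on the agent.
# Returns 0 on match, 1 on mismatch, 2 when nothing is pending for the host.
# Case is normalized so a lowercase openssl digest compares correctly.
check_fingerprint() {
    host="$1"
    agent_fp=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    master_fp=$(pending_fingerprint "$host" | tr 'a-f' 'A-F')
    if [ -z "$master_fp" ]; then
        echo "no pending request for $host" >&2
        return 2
    fi
    if [ "$master_fp" != "$agent_fp" ]; then
        echo "fingerprint mismatch for $host: master=$master_fp agent=$agent_fp" >&2
        return 1
    fi
    return 0
}

# Sign only after the check passes. Typical use on the puppetmaster, with the
# fingerprint pasted from the XS:
#   puppetca --list | sign_if_match schoolserver.flexi.fqt.cr F0:F4:E0:E2:6A:81:67:99:C4:3F:8E:2C:41:E9:0A
sign_if_match() {
    check_fingerprint "$1" "$2" && puppetca --sign "$1"
}

# Master side of re-enrolling a reinstalled XS. On the XS itself run, as on
# the page: service puppet stop; rm -rf /var/lib/puppet/ssl; service puppet start.
# --clean only revokes and removes the old certificate; the agent's fresh CSR
# then appears in `puppetca --list` and must go through sign_if_match again.
clean_host_cert() {
    puppetca --clean "$1"
}
```

Keep the XS side in that order: if the agent comes back up before `--clean` has run on the master, its new key is rejected against the old certificate still held there, and the agent keeps logging certificate errors until the master is cleaned and the request re-signed.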