Costa Rica/Tecnico/Puppet
Current hardware
Chassis: MicroATX
Motherboard: Foxconn M61PML-K
Processor: AMD Sempron 145 AM3 2.8GHz
Memory: 2GB DDR3 1333MHz
Disk: 500GB Seagate 7200RPM SATA
Installing the puppet master server.
Steps:
1- Do a minimal Fedora 17 installation. The hostname must be puppet
2- Check that the system is up to date:
  # yum update -y
3- Set the machine's FQDN:
  [root@puppet ~]# vi /etc/hosts
  186.15.1.93 puppet.fqt.cr puppet   ## add this line
  127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
  ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

  [root@puppet ~]# vi /etc/sysconfig/network
  NETWORKING=yes
  HOSTNAME=puppet.fqt.cr
4- Disable iptables:
  [root@puppet ~]# systemctl stop iptables.service
  [root@puppet ~]# systemctl stop ip6tables.service
  [root@puppet ~]# systemctl disable iptables.service
  [root@puppet ~]# systemctl disable ip6tables.service
- It is NOT advisable to disable the iptables service on a server that is reachable from outside. This step should be revised so that the appropriate rule is added and the connections are allowed without disabling the service.
5- Disable SELinux:
  [root@puppet ~]# vi /etc/sysconfig/selinux
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  #     enforcing - SELinux security policy is enforced.
  #     permissive - SELinux prints warnings instead of enforcing.
  #     disabled - SELinux is fully disabled.
  SELINUX=disabled    # change this
  # SELINUXTYPE= type of policy in use. Possible values are:
  #     targeted - Only targeted network daemons are protected.
  #     strict - Full SELinux protection.
  SELINUXTYPE=targeted
6- Install puppet-server:
  [root@puppet ~]# yum install -y puppet-server
7- Edit the variable MAX_URI_LENGTH = 2083 and change it to 4096:
  [root@puppet ~]# vi /usr/share/ruby/webrick/httprequest.rb
8- Start the service and enable it to start automatically:
  [root@puppet ~]# systemctl start puppetmaster.service
  [root@puppet ~]# chkconfig puppetmaster on
9- Reboot the server:
  [root@puppet ~]# reboot
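As an added example (not part of the original page), the following shell script keeps the firewall running instead of disabling it as step 4 does: it opens only the Puppet master port and checks that the /etc/hosts entry and hostname from step 3 have the expected shape before the service is started. It assumes Fedora 17's iptables service with its persistent rules in /etc/sysconfig/iptables and the Puppet master's default port 8140/tcp (neither appears on the page); the iptables command is executed only when APPLY=1 and is otherwise just printed.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Replaces step 4 (disabling
# iptables) with a rule that admits only the Puppet master port, and verifies
# the /etc/hosts entry and FQDN from step 3.
# Assumptions: Fedora 17 iptables service (rules in /etc/sysconfig/iptables),
# Puppet master listening on the default 8140/tcp.

PUPPET_PORT=8140   # Puppet master default port (assumed, not stated on the page)

# hosts_has_entry FILE IP FQDN SHORT
# Succeeds only if FILE has a line mapping IP to both FQDN and SHORT, i.e. the
# line step 3 tells us to add ("186.15.1.93 puppet.fqt.cr puppet").
hosts_has_entry() {
  awk -v ip="$2" -v fqdn="$3" -v short="$4" '
    $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
    END { exit !(f && s) }' "$1"
}

# is_fqdn NAME: succeeds if NAME is dotted and uses only hostname characters,
# so HOSTNAME=puppet.fqt.cr passes and a bare "puppet" does not.
is_fqdn() {
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# puppet_allow_rule: prints the single rule that replaces "systemctl disable iptables"
puppet_allow_rule() {
  printf 'iptables -I INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$PUPPET_PORT"
}

# apply_firewall: runs the rule and persists it across reboots (root, APPLY=1);
# in the default dry run it only shows what would be executed.
apply_firewall() {
  if [ "${APPLY:-0}" = 1 ]; then
    eval "$(puppet_allow_rule)"
    iptables-save > /etc/sysconfig/iptables
  else
    echo "dry run: $(puppet_allow_rule)"
  fi
}

# --- constructed demonstration input (a copy of the hosts file from step 3) ---
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
186.15.1.93 puppet.fqt.cr puppet
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF

if hosts_has_entry "$demo_hosts" 186.15.1.93 puppet.fqt.cr puppet && is_fqdn puppet.fqt.cr; then
  echo "hosts entry and FQDN look right"
else
  echo "fix /etc/hosts or HOSTNAME before starting puppetmaster" >&2
fi
apply_firewall
rm -f "$demo_hosts"
```

Run it as root with APPLY=1 on the master after step 3; agents then reach port 8140 while everything else the firewall blocked stays blocked, which is what the note under step 4 asks for.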
Using puppet
Check whether there are unsigned certificates:
  [root@puppet ~]# puppetca --list
  "schoolserver.flexi.fqt.cr" (F0:F4:E0:E2:6A:81:67:99:C4:3F:8E:2C:41:E9:0A)
Sign the certificate request:
  [root@puppet certs]# puppetca --sign schoolserver.flexi.fqt.cr
  notice: Signed certificate request for schoolserver.flexi.fqt.cr
Generate/sign a certificate again (when the XS has been reinstalled):
On the XS:
  [root@schoolserver ssl]# service puppet stop
  Stopping puppet: [ OK ]
  [root@schoolserver ssl]# rm -rf /var/lib/puppet/ssl
On the puppetmaster:
  [root@puppet certs]# puppetca --clean schoolserver.flexi.fqt.cr
  notice: Revoked certificate with serial 4
  notice: Removing file Puppet::SSL::Certificate schoolserver.flexi.fqt.cr at '/var/lib/puppet/ssl/ca/signed/schoolserver.flexi.fqt.cr.pem'
  notice: Removing file Puppet::SSL::Certificate schoolserver.flexi.fqt.cr at '/var/lib/puppet/ssl/certs/schoolserver.flexi.fqt.cr.pem'
On the XS:
  [root@schoolserver ssl]# service puppet start
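Signing whatever `puppetca --list` shows hands a certificate to any machine that managed to send a request with that name, so the fingerprint printed by the list is worth comparing with the one read on the school server itself before signing. The script below is an added example, not part of the original page: it parses a `puppetca --list` line into certname and fingerprint, and only emits (or, with DRY_RUN=0, runs) `puppetca --sign` when the fingerprint matches the value supplied by the administrator. The list line is the one from the page; the "expected" fingerprint is constructed here to match it, and the DRY_RUN variable and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Compares the fingerprint that
# `puppetca --list` prints with the one obtained from the school server before
# signing, so that only the expected XS receives a certificate.
# DRY_RUN=1 (default) prints the puppetca command instead of running it.

# request_fingerprint LINE: extracts the fingerprint from a list line of the
# form  "host.example" (AA:BB:...)
request_fingerprint() {
  printf '%s\n' "$1" | sed -n 's/^"[^"]*" *(\([0-9A-Fa-f:]*\)).*$/\1/p'
}

# request_name LINE: extracts the quoted certname from the same line
request_name() {
  printf '%s\n' "$1" | sed -n 's/^"\([^"]*\)".*$/\1/p'
}

# sign_if_matches LINE EXPECTED_FP
# Returns 2 if the line cannot be parsed, 1 on fingerprint mismatch, 0 when the
# request was signed (or would be, in dry-run mode). Comparison ignores case.
sign_if_matches() {
  name=$(request_name "$1")
  seen=$(request_fingerprint "$1" | tr 'a-f' 'A-F')
  want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  if [ -z "$name" ] || [ -z "$seen" ]; then
    echo "cannot parse request line: $1" >&2
    return 2
  fi
  if [ "$seen" != "$want" ]; then
    echo "fingerprint mismatch for $name: list shows $seen, expected $want" >&2
    return 1
  fi
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "would run: puppetca --sign $name"
  else
    puppetca --sign "$name"
  fi
}

# Constructed input: the list line from the page, and the fingerprint the
# administrator is assumed to have read on the XS (copied here so it matches).
LIST_LINE='"schoolserver.flexi.fqt.cr" (F0:F4:E0:E2:6A:81:67:99:C4:3F:8E:2C:41:E9:0A)'
EXPECTED_FP='F0:F4:E0:E2:6A:81:67:99:C4:3F:8E:2C:41:E9:0A'
sign_if_matches "$LIST_LINE" "$EXPECTED_FP"
```

In practice the expected value comes from the XS itself (for instance from `puppet agent --fingerprint`, where the installed agent supports it), and a mismatch is the case to stop and investigate rather than to sign; after a reinstall the fingerprint changes, which is why the `puppetca --clean` sequence above must precede a new request.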