Puppet/Bootstrap
When installing the puppet server for the first time there is a bit of a bootstrapping step, specifically because we want to use our own CA.
Standard Puppetserver
- First move the puppetserver to the puppetserver role and run puppet on the host
- once puppet has run on the new server, run puppet on the following hosts to update all access lists:
sudo cumin "O:puppetserver or C:puppetmaster or O:cluster::management or C:swift::ring_manager" "run-puppet-agent"
- manually run puppet-merge on the new server with the current puppet sha, e.g.
sudo puppet-merge.py -o 64db1c37de4649d48f69ce80303eb2260040ed9b
- sync a copy of the private repo from the primary puppet server, i.e. the server where you edit files in the private repo
$ sudo su -s /bin/bash - gitpuppet
$ cd /srv/private/
$ GIT_SSH=/srv/private/.git/ssh_wrapper.sh git push ssh://puppetserver1002.eqiad.wmnet/srv/git/private master
- run the various sync jobs to make sure all data is in sync
$ sudo systemctl start sync-puppet-ca.service geoipupdate.service geoip_update_ipinfo.service geoip_update_main.service sync-puppet-volatile.service
$ sudo systemctl status sync-puppet-ca.service geoipupdate.service geoip_update_ipinfo.service geoip_update_main.service sync-puppet-volatile.service
- finally add the new server to the SRV record
Puppet CA
To initialise the CA you will need the intermediate certificate for puppet. The private key is in the private repo at modules/secret/secrets/puppetserver/puppet_ca.key. The public key is in the puppet repo at modules/profile/files/puppetserver/puppet_ca.pem.
I generated the CRL with the following commands on the pki-root server
$ cd /etc/cfssl/ssl
$ for i in * ; do openssl x509 -noout -in ${i}/${i}.pem -serial ; done
# copy the serials to serials.txt, one serial per line
$ cfssl gencrl serials.txt signers/Wikimedia_Internal_Root_CA/ca/ca.pem signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem | base64 -d | openssl crl -inform DER -out crl.pem
You then need to run the following command before puppetserver has initialised its CA:
$ sudo puppetserver ca import --cert-bundle /etc/puppet/puppetserver/custom_ca/ca.pem --private-key /etc/puppet/puppetserver/custom_ca/ca.key --crl-chain /etc/puppet/puppetserver/custom_ca/crl.pem
Import succeeded. Find your files in /etc/puppet/puppetserver/ca
You should be able to start the puppet server at this point.
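A preflight check for the import step, added here as an example and not part of the page's procedure: it verifies that the files under custom_ca/ are consistent with each other before puppetserver ca import is run, i.e. the bundle is an unexpired CA certificate, the private key belongs to it, and the CRL (if given) is signed by it and still current. The function name check_custom_ca is an assumption, and the nextUpdate comparison assumes GNU date.

```shell
#!/bin/bash
# Hypothetical preflight for "puppetserver ca import" (added example, not the
# page's own procedure). Checks that cert bundle, private key and CRL agree.
#
# Usage: check_custom_ca CERT KEY [CRL]   -> returns 0 when every check passes

check_custom_ca() {
    local cert="$1" key="$2" crl="$3" cert_pub key_pub next

    # The bundle must parse as X.509 and must not already be expired.
    openssl x509 -noout -in "$cert" -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert is missing, unreadable or expired" >&2; return 1; }

    # It must be a CA certificate, otherwise puppetserver cannot sign agent certs.
    openssl x509 -noout -text -in "$cert" 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "FAIL: $cert does not carry basicConstraints CA:TRUE" >&2; return 1; }

    # The private key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -noout -in "$cert" -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match the public key in $cert" >&2; return 1; }

    # Optional CRL: its signature must verify against the bundle and it must not be stale.
    if [ -n "$crl" ]; then
        openssl crl -noout -in "$crl" -CAfile "$cert" 2>&1 | grep -q 'verify OK' \
            || { echo "FAIL: $crl is not signed by $cert" >&2; return 1; }
        next=$(openssl crl -noout -in "$crl" -nextupdate | cut -d= -f2)
        [ "$(date -d "$next" +%s)" -gt "$(date +%s)" ] \
            || { echo "FAIL: $crl nextUpdate ($next) is in the past" >&2; return 1; }
    fi
    echo "OK: $cert, $key${crl:+, $crl} are consistent"
}
```

Run it against the custom_ca/ files from the import command before starting puppetserver; a non-zero exit means the import would produce a CA that cannot sign or verify.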
also as we have different ssl dirs to support the cloud use case we need to copy the created server certs to the
The following may not be needed; check the configs.
$ cd /var/lib/puppet
$ cp server/ssl/private_keys/hostname.pem ssl/private_keys/
$ cp server/ssl/certs/hostname.pem ssl/certs/
$ cp server/ssl/certs/ca.pem ssl/certs/