What is puppet server in linux

Puppet server

To install puppet server first add the upstream GPG key:

Then install the puppetserver AUR package. Afterwards, enable and start the puppetserver service.

Configuration

The Puppet Server’s configuration files are stored in /etc/puppetlabs/puppetserver/ :

.
|-- conf.d
|   |-- auth.conf
|   |-- global.conf
|   |-- puppetserver.conf
|   |-- web-routes.conf
|   `-- webserver.conf
|-- logback.xml
|-- request-logging.xml
`-- services.d
    `-- ca.cfg

  • auth.conf allows you to configure what Puppet nodes (clients) are allowed to request from the server.
  • global.conf by default just contains the path to the logging configuration file.
  • puppetserver.conf is the main configuration file for the server. It allows you to set the JRuby load path, JRuby gem home path, the puppet master-conf-dir, master-code-dir, master-var-dir, master-run-dir, master-log-dir and, most importantly, max-active-instances. It also has a section for adjusting the http-client allowed protocols, which lets you enable or disable the various SSL cipher suites and protocols.
  • web-routes.conf allows you to configure the Puppet server’s web routes.
  • webserver.conf allows you to set the listen address, port, authentication type and log file path for the Puppet server web interface.

Additionally, there is the /etc/default/puppetserver configuration file that allows you to tweak the Java Virtual Machine’s startup settings, set the user and group the server runs as, the path to the puppet server’s files and the configuration path.

Tuning the server for lower memory usage

By default, the Puppet server allocates 2 gigabytes of RAM for itself. This can be adjusted in /etc/default/puppetserver by editing JAVA_ARGS:

-Xms2g -Xmx2g -XX:MaxPermSize=256m

If your server does not have enough spare RAM, you can set it to as little as 512 megabytes. Keep in mind that this only caters for a small number of managed servers, and you also need to change the maximum active instances of Puppet to 1 in /etc/puppetlabs/puppetserver/puppetserver.conf, which limits the number of servers that the server is able to communicate with at once.

Installing support for hiera eyaml

If you wish to use Hiera eyaml on the puppet server you should install the gems for it on the puppet server using the following command:

puppetserver gem install hiera-eyaml

and then restart puppet server.


Accessing the puppet server web interface

By default, the web interface listens on HTTPS port 8140 on all interfaces. This can be changed by editing the ssl-host and ssl-port configuration options in /etc/puppetlabs/puppetserver/conf.d/webserver.conf.

  • This page was last edited on 17 May 2022, at 10:26.
  • Content is available under GNU Free Documentation License 1.3 or later unless otherwise noted.

About Puppet Server

Puppet is configured in an agent-server architecture, in which a primary server node manages the configuration information for a fleet of agent nodes. Puppet Server acts as the primary server node. Puppet Server is a Ruby and Clojure application that runs on the Java Virtual Machine (JVM). Puppet Server runs Ruby code for compiling Puppet catalogs and for serving files in several JRuby interpreters. It also provides a certificate authority through Clojure.

This page describes the general requirements and the run environment for Puppet Server.

Puppet Server releases

Puppet Server and Puppet share the same major release (Puppet Server 6.x and Puppet 6.x). However, they are versioned separately and might have different minor or patch versions (Puppet Server 6.5 versus Puppet 6.8). For a list of the maintained versions of Puppet and Puppet Server, visit Puppet releases and lifecycles.

Controlling the Service

The Puppet Server service name is puppetserver. To start and stop the service, use commands such as service puppetserver restart or service puppetserver status, as appropriate for your OS.

Puppet Server’s Run Environment

Puppet Server consists of several related services. These services share state and route requests among themselves. The services run inside a single JVM process, using the Trapperkeeper service framework.

Embedded Web Server

Puppet Server uses a Jetty-based web server embedded in the service’s JVM process. No additional or unique actions are required to configure and enable the web server. You can modify the web server’s settings in webserver.conf. You might need to edit this file if you use an external CA or run Puppet on a non-standard port.

Puppet API Service

Puppet Server provides APIs that are used by the Puppet agent to manage the configuration of your nodes. Visit Puppet V3 HTTP API for more information on the basic APIs.


Certificate Authority Service

Puppet Server includes a certificate authority (CA) service that:

  • Accepts certificate signing requests (CSRs) from nodes.
  • Serves certificates and a certificate revocation list (CRL) to nodes.
  • Optionally accepts commands to sign or revoke certificates.

Signing and revoking certificates over the network is disabled by default. You can use the auth.conf file to allow specific certificate owners the ability to issue commands.

The CA service uses .pem files to store credentials. You can use the puppetserver ca command to interact with these credentials, including listing, signing, and revoking certificates. See CA V1 HTTP API for more information on these APIs.

Admin API Service

Puppet Server includes an administrative API for triggering maintenance tasks. The most common task refreshes Puppet’s environment cache, which causes all of your Puppet code to reload without the requirement to restart the service. Consequently, you can deploy new code to long-timeout environments without executing a full restart of the service. For API docs, visit:

For details about environment caching, visit:

JRuby Interpreters

Most of Puppet Server’s work is done by Ruby code running in JRuby. JRuby is an implementation of the Ruby interpreter that runs on the JVM. Note that you can’t use the system gem command to install Ruby Gems for the Puppet primary server. Instead, Puppet Server includes a separate puppetserver gem command for installing any libraries your Puppet extensions might require. Visit Using Ruby Gems for details.

If you want to test or debug code to be used by the Puppet Server, you can use the puppetserver ruby and puppetserver irb commands to execute Ruby code in a JRuby environment.

To handle parallel requests from agent nodes, Puppet Server maintains separate JRuby interpreters. Each of these JRuby interpreters runs Puppet’s application code, and Puppet Server distributes agent requests among them. You can configure the JRuby interpreters in the jruby-puppet section of puppetserver.conf.

Tuning Guide

You can maximize Puppet Server’s performance by tuning your JRuby configuration. To learn more, visit the Puppet Server Tuning Guide.

User

If you are running Puppet Enterprise:

  • Puppet Server runs as the user pe-puppet.
  • You must specify the user in /etc/sysconfig/pe-puppetserver.

If you are running open source Puppet:

  • Puppet Server needs to run as the user puppet .
  • You must specify the user in /etc/sysconfig/puppetserver .

All of the Puppet Server’s files and directories must be readable and writable by this user. Note that Puppet Server ignores the user and group settings from puppet.conf.

Ports

By default, Puppet’s HTTPS traffic uses port 8140. The OS and firewall must allow Puppet Server’s JVM process to accept incoming connections on port 8140. If necessary, you can change the port in webserver.conf. See the Configuration page for details.

Logging

All of Puppet Server’s logging is routed through the JVM Logback library. By default, it logs to /var/log/puppetlabs/puppetserver/puppetserver.log. The default log level is ‘INFO’. By default, Puppet Server sends nothing to syslog. All log messages follow the same path, including HTTP traffic, catalog compilation, certificate processing, and all other parts of Puppet Server’s work.

Puppet Server also relies on Logback to manage, rotate, and archive Server log files. Logback archives Server logs when they exceed 200MB. Also, when the total size of all Server logs exceeds 1GB, Logback automatically deletes the oldest logs. Logback is heavily configurable. If you need something more specialized than a unified log file, it may be possible to obtain. Visit Configuring Puppet Server for more details.

Finally, any errors that cause the logging system to die, or that occur before logging is set up, are displayed in journalctl.

SSL Termination

By default, Puppet Server handles SSL termination automatically. For network configurations that require external SSL termination (e.g. with a hardware load balancer), additional configuration is required. See the External SSL Termination page for details. In summary, you must:

  • Configure Puppet Server to use HTTP instead of HTTPS.
  • Configure Puppet Server to accept SSL information via insecure HTTP headers.
  • Secure your network so that Puppet Server cannot be directly reached by any untrusted clients.
  • Configure your SSL terminating proxy to set the following HTTP headers:
    • X-Client-Verify (mandatory).
    • X-Client-DN (mandatory for client-verified requests).
    • X-Client-Cert (optional; required for trusted facts).
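
An added example (not from the Puppet documentation quoted above) of a check a defender might run once external SSL termination is set up: because the server then takes client identity from the X-Client-* headers, the plaintext listener must be reachable only by the proxy. It assumes the plaintext `host`/`port` settings in webserver.conf and the `allow-header-cert-info` setting in auth.conf, names taken from Puppet Server's configuration reference rather than from this page; the sample files and port 8139 are constructed.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# key: value or key = value, with optional double quotes around the value
_PAIR = re.compile(r'(?<![\w-])([\w-]+)\s*[:=]\s*"?([^"\s,{}]+)"?')


def settings(conf_text):
    """Flatten the scalar settings of a HOCON file into a dict (last value wins)."""
    text = re.sub(r"(?m)(#|//).*$", "", conf_text)  # strip comments
    return dict(_PAIR.findall(text))


def audit(webserver_conf, auth_conf):
    """Return findings for a server set up for external SSL termination."""
    web, auth = settings(webserver_conf), settings(auth_conf)
    trusts_headers = auth.get("allow-header-cert-info", "false").lower() == "true"
    if not trusts_headers:
        return []
    findings = []
    if "port" not in web:
        findings.append("client identity is taken from X-Client-* headers but no "
                        "plaintext listener is configured; turn header trust off "
                        "unless a proxy terminates TLS")
    elif "host" not in web:
        findings.append("plaintext listener has no explicit host; bind it explicitly")
    elif web["host"] not in LOOPBACK:
        findings.append(f"plaintext listener on {web['host']}:{web['port']} trusts "
                        "X-Client-* headers; confirm only the TLS-terminating "
                        "proxy can reach it")
    return findings


# Constructed sample files (not taken from a real deployment).
AUTH_HEADERS = "authorization: {\n  version: 1\n  allow-header-cert-info: true\n}\n"
WEB_EXPOSED = "webserver: {\n  host: 0.0.0.0  # all interfaces\n  port: 8139\n}\n"
WEB_LOCAL = 'webserver: {\n  host: "127.0.0.1"\n  port: 8139\n}\n'
WEB_TLS = "webserver: {\n  ssl-host: 0.0.0.0\n  ssl-port: 8140\n}\n"

if __name__ == "__main__":
    for name, web in [("exposed", WEB_EXPOSED), ("local", WEB_LOCAL), ("tls", WEB_TLS)]:
        print(name, audit(web, AUTH_HEADERS))
```

A finding for a non-loopback bind is a prompt to verify the firewall rules, since a proxy on another host legitimately needs a routable listener.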

Configuring Puppet Server

Puppet Server uses a combination of Puppet’s configuration files along with its own separate configuration files, which are located in the conf.d directory. Refer to the Config directory for a list of Puppet’s configuration files. For detailed information about Puppet Server settings and the conf.d directory, refer to the Configuring Puppet Server page.
