Archive for the ‘puppet’ Category

Install the DSC and hiera-eyaml modules (hiera-eyaml is used for password encryption):

puppet module install puppetlabs-dsc
puppetserver gem install hiera-eyaml
Edit /etc/puppetlabs/puppet/hiera.yaml:
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

Create the keys (make sure the key path matches the path given in hiera.yaml):

/opt/puppetlabs/puppet/bin/eyaml createkeys

Create the encrypted password (-l is just a label for the value, -s is the plaintext string to encrypt):

/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Add this encrypted password to the /etc/puppetlabs/puppet/data/windowspass.eyaml file (eyaml edit opens the decrypted file in an editor and re-encrypts it on save):

/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
cat /etc/puppetlabs/puppet/data/windowspass.eyaml

Test decryption:

/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Secure the keys (the private key decrypts every secret in the hierarchy, so only the puppet user should be able to read it):

chown -R puppet:puppet /etc/puppetlabs/puppet/keys
chmod 400 /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
chmod 400 /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
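As an added example (not part of the original post), a small shell audit for the eyaml setup above: it checks that every value in an eyaml data file is an ENC[PKCS7,...] block, so a plaintext secret pasted in during eyaml edit is caught, and that the private key is mode 0400 with the expected owner. The eyaml files and key it runs against are constructed samples in a temporary directory; the key path and owner are assumptions passed as arguments.

```shell
# Added example, not from the original post: audit the eyaml setup above.
# Checks that every value in the data file is an ENC[PKCS7,...] block (so a
# plaintext secret pasted in during "eyaml edit" is caught) and that the
# private key, the only thing able to decrypt it, is 0400 and correctly owned.

# Return 0 when every top-level "key: value" in $1 is encrypted; prints offenders.
# Handles inline values and block scalars ("key: >"), the two layouts eyaml writes.
eyaml_values_encrypted() {
  awk '
    BEGIN { bad = 0; pending = "" }
    /^[ \t]*(#|$)/ || /^---/ { next }               # comments, blanks, doc marker
    /^[^ \t]/ {                                    # top-level key
      pending = ""
      key = $1; sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (val == ">" || val == "|" || val == "") { pending = key; next }
      if (val !~ /^"?ENC\[PKCS7,/) { print "plaintext value for key: " key; bad = 1 }
      next
    }
    pending != "" && /^[ \t]+/ {                    # first line of a block scalar
      val = $0; sub(/^[ \t]+/, "", val)
      if (val !~ /^ENC\[PKCS7,/) { print "plaintext block for key: " pending; bad = 1 }
      pending = ""
    }
    END { exit bad }
  ' "$1"
}

# Return 0 when $1 is a regular file with mode exactly 0400 owned by user $2.
private_key_locked_down() {
  [ -n "$(find "$1" -maxdepth 0 -type f -perm 0400 -user "$2" 2>/dev/null)" ]
}

# Constructed sample files (fake ENC blobs, not real ciphertext or keys).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/good.eyaml" <<'EOF'
---
password: >
    ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwfake]
svc_password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhfake]
EOF
cat > "$SAMPLE_DIR/bad.eyaml" <<'EOF'
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhfake]
backup_password: Pass
EOF
printf 'fake key\n' > "$SAMPLE_DIR/private_key.pkcs7.pem"
chmod 400 "$SAMPLE_DIR/private_key.pkcs7.pem"
eyaml_values_encrypted "$SAMPLE_DIR/good.eyaml" && echo "good.eyaml: all values encrypted"
eyaml_values_encrypted "$SAMPLE_DIR/bad.eyaml"  || echo "bad.eyaml: plaintext found"
private_key_locked_down "$SAMPLE_DIR/private_key.pkcs7.pem" "$(id -un)" && echo "private key: 0400, correct owner"
```

To audit the real setup, call the two functions with /etc/puppetlabs/puppet/data/windowspass.eyaml, the private key path from hiera.yaml and the owner puppet.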

 

On Windows it is currently not possible to hide the password when the agent runs with verbose output, so it will be shown by:

puppet agent -t -v

 

Map the content of windowspass.eyaml into the manifest file (Sensitive marks the value so Puppet redacts it in its own logs and reports):

'password' => Sensitive(lookup('password'))

Complete code, /etc/puppetlabs/code/environments/production/manifests/site.pp:

node 'windows.example.com' {

  # Directory that will hold the AD database and logs
  file { 'c:/NTDS':
    ensure => directory,
  }

  dsc_windowsfeature { 'dns':
    dsc_ensure => 'Present',
    dsc_name   => 'DNS',
  }

  dsc_windowsfeature { 'addsinstall':
    dsc_ensure => 'Present',
    dsc_name   => 'AD-Domain-Services',
  }

  dsc_windowsfeature { 'addstools':
    dsc_ensure => 'Present',
    dsc_name   => 'RSAT-ADDS',
  }

  dsc_windowsfeature { 'addnstools':
    dsc_ensure => 'Present',
    dsc_name   => 'RSAT-DNS-Server',
  }

  # Promote the host to the first DC; both credentials come from the eyaml lookup
  dsc_xaddomain { 'firstdc':
    subscribe                         => Dsc_windowsfeature['addsinstall'],
    dsc_domainname                    => 'ad.contoso.com',
    dsc_domainadministratorcredential => {
      'user'     => 'pagent',
      'password' => Sensitive(lookup('password')),
    },
    dsc_safemodeadministratorpassword => {
      'user'     => 'pagent',
      'password' => Sensitive(lookup('password')),
    },
    dsc_databasepath                  => 'c:\NTDS',
    dsc_logpath                       => 'c:\NTDS',
  }

  reboot { 'dsc_reboot':
    message => 'DSC has requested a reboot',
    when    => pending,
  }

}


For debugging:

puppet master --debug --compile windows.example.com --environment=production

Create a new AD user, create a new security group and add the user to it:

dsc_xADUser { 'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'ad.contoso.com',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => 'tfl@ad.contoso.com',
  dsc_password                      => {
    'user'     => 'tfl@ad.contoso.com',
    'password' => Sensitive(lookup('password')),
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive(lookup('password')),
  },
}

dsc_xgroup { 'testgroup':
  dsc_ensure           => 'present',
  dsc_memberstoinclude => 'tfl@ad.contoso.com',
  dsc_groupname        => 'test',
  #dsc_credential => {
  #  'user'     => 'Administrator@ad.contoso.com',
  #  'password' => 'Passw0rd01'
  #},
}

In the last post we installed the Puppet server; in this one we'll install the Puppet agent on a Windows server.

Make sure the Puppet server's DNS name is resolvable from the Windows host and vice versa (skip this step if there is a Host A DNS record for the Puppet server); otherwise add an entry to:

C:\Windows\system32\drivers\etc\hosts

Download the latest Puppet agent.

Installation (unattended, from an elevated command prompt; the two properties set the server to contact and the certname the agent will request):

msiexec /qn /i puppet-agent-5.0.0-x64.msi PUPPET_MASTER_SERVER=puppetserver.example.com PUPPET_AGENT_CERTNAME=windows.example.com

If all goes smoothly, a certificate request file should appear in C:\ProgramData\PuppetLabs\puppet\etc\ssl\certificate_requests

This certificate is waiting to be signed; to do so, move to the Puppet server:

sudo puppet cert list
sudo puppet cert sign "windows.example.com"

On the Windows server go to Puppet > Start Command Prompt with Puppet and run it as Administrator.

Test connection from Windows to Puppet server:

puppet agent --test


By default, the Puppet agent polls the Puppet server every 30 minutes. This behavior can be overridden by specifying a custom polling interval: edit the "C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf" file and add the line

runinterval=

One security concern is that the cached catalog file stores credentials in plain text. To avoid this, prevent the file (which is in JSON format) from being stored on the Puppet client by adding to puppet.conf:

catalog_cache_terminus=""

Creating a simple manifest file

In this example we'll make sure that IIS is installed.

Install IIS module from Forge:

puppet module install puppetlabs-iis --version 4.5.0

Create manifest file and specify node and actions:

/etc/puppetlabs/code/environments/production/manifests/site.pp:

node 'windows.example.com' {
  $iis_features = ['Web-WebServer', 'Web-Scripting-Tools', 'Web-Mgmt-Console']
  # include_management_tools is a boolean parameter of iis_feature
  iis_feature { $iis_features:
    ensure                   => 'present',
    include_management_tools => true,
  }
}

Check for syntax errors:

puppet parser validate site.pp

Run PowerShell scripts

To avoid running the script on every agent run, the script writes the string "Done" to a file when it completes.

When Puppet evaluates this resource again, the unless command checks whether C:\log.txt exists and contains the string "Done"; if both checks are true the script is not run (unless directive).

exec { 'configure_gpo':
  # apply the password policy, then record completion in C:\log.txt
  command   => 'Set-ADDefaultDomainPasswordPolicy -Identity ad.contoso.com -ComplexityEnabled $true -MinPasswordLength 7 -MinPasswordAge 1 -MaxPasswordAge 30 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 3;write-output "Done" | out-file C:\log.txt -Append',
  # exit 1 (run the command) when the marker file or the "Done" string is missing
  unless    => 'if (!(Test-Path C:\log.txt) -or !(Select-String -Path C:\log.txt -Pattern "Done")) {exit 1}',
  provider  => powershell,
  logoutput => true,
}

 

Make sure DNS resolution is in place. This is needed in case no central DNS server is available:

cat /etc/hosts
192.168.1.97 puppetmaster

Add the Puppet repository:

rpm -Uvh https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm

Install Puppet:

sudo yum -y install puppetserver
# check version:
/opt/puppetlabs/bin/puppet --version
# add the Puppet path to the PATH environment variable (persistently, then reload the profile):
echo 'export PATH=/opt/puppetlabs/bin:$PATH' >> ~/.bash_profile
source ~/.bash_profile

Allocate memory. In this example 1GB of RAM is allocated to puppetserver:

Edit /etc/sysconfig/puppetserver
# change the line as below (replace 1 with the number of GBs)
JAVA_ARGS="-Xms1g -Xmx1g ...."
# save and exit.

 

Edit /etc/puppetlabs/puppet/puppet.conf (make sure the Puppet server name you put here is resolvable from DNS and from the nodes):

[master]
 
[main]
environment = production
runinterval = 5s

 

 

Enable/start the puppetserver service:

systemctl start puppetserver
systemctl enable puppetserver

Open port 8140 if firewalld is running:

firewall-cmd --add-port=8140/tcp --permanent
firewall-cmd --reload

 

Add the Puppet bin path to sudo's secure_path with visudo:

sudo visudo
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin

 

Disable the agent (one-time run)

If we want a "one time" run (execute a manifest and then stop contacting the Puppet master), we can configure the agent to stop itself at the end of the manifest file:

service { 'puppet':
  ensure => 'stopped',
  enable => false,
}