Prerequisites
- Before using the SovLabs Puppet Open Source Foreman module, automated DNS record creation must be configured, either through the SovLabs DNS module or some other method. The provisioned VM must be resolvable by hostname or Puppet provisioning will fail.
- Ensure NTP is set up correctly
Create Puppet Certificate and Update Puppet Console Configuration
If you don’t already have one, create a certificate on the Puppet Master that will be used for communication with the Foreman API and the Puppet CA API.
Perform the following for each Puppet Master:
1. SSH to the Puppet Master (as root, or an account that has sudo privileges)
2. su to root if needed
3. Create a certificate (replace CERTNAME with vrosvc)
puppet cert generate CERTNAME
4. Modify auth.conf by typing in the following:
vi /etc/puppet/auth.conf
If the following section does not exist, copy and paste it into the auth.conf file, and replace CERTNAME with the certificate name you created in Step 3 (without the .pem extension). This is case-sensitive.
If the section does exist, add your certificate to the allow list.
path /certificate_status
method find, save, search
auth yes
allow CERTNAME
5. Hit the Esc key and then type in :wq
6. Restart necessary services by typing in: service puppet restart
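As an added example (not part of the SovLabs documentation or the Puppet project), the following POSIX shell script checks an auth.conf for the /certificate_status stanza described in Step 4 and reports whether CERTNAME is explicitly on its allow list, or whether the stanza uses a wildcard grant that is wider than the procedure needs. It assumes the classic stanza syntax shown above; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example, not part of the SovLabs documentation or of Puppet itself:
# check that an auth.conf grants the API certificate (vrosvc in the procedure
# above) access to /certificate_status with the methods listed there, and flag
# a wildcard grant. Assumes the classic auth.conf stanza syntax (path / method /
# auth / allow lines); the sample files below are constructed for this example.
# check_cert_status_acl FILE CERTNAME
#   exit 0  stanza present, auth yes, find/save/search listed, CERTNAME allowed
#   exit 1  stanza missing, auth not yes, a method missing, or CERTNAME not allowed
#   exit 2  stanza allows "*", i.e. any authenticated client can manage cert status
check_cert_status_acl() {
    awk -v cert="$2" '
        /^[ \t]*#/ || NF == 0 { next }                  # comments and blank lines
        $1 == "path" { in_stanza = ($2 == "/certificate_status"); found += in_stanza; next }
        !in_stanza { next }                             # only inspect our stanza
        $1 == "auth"   { auth = $2 }
        $1 == "method" { for (i = 2; i <= NF; i++) { gsub(",", "", $i); methods[$i] = 1 } }
        $1 == "allow"  { for (i = 2; i <= NF; i++) { gsub(",", "", $i); allow[$i] = 1 } }
        END {
            if (!found)           { print "no /certificate_status stanza"; exit 1 }
            if ("*" in allow)     { print "stanza allows *: wider than the procedure needs"; exit 2 }
            if (!(cert in allow)) { print cert " is not on the allow list"; exit 1 }
            if (auth != "yes")    { print "auth is " auth ", expected yes"; exit 1 }
            split("find save search", need, " ")
            for (k in need) if (!(need[k] in methods)) { print "method " need[k] " missing"; exit 1 }
            print cert " may find/save/search /certificate_status"
        }
    ' "$1"
}
# Constructed sample files: one matching the procedure, one with a wildcard grant.
GOOD_CONF=$(mktemp); WILDCARD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
path /certificate_status
method find, save, search
auth yes
allow vrosvc
path /
auth any
EOF
cat > "$WILDCARD_CONF" <<'EOF'
path /certificate_status
method find, save, search
auth yes
allow *
EOF
for f in "$GOOD_CONF" "$WILDCARD_CONF"; do
    rc=0; check_cert_status_acl "$f" vrosvc || rc=$?
    echo "$f -> exit $rc"
done
```

Run it as root on the Puppet Master against /etc/puppet/auth.conf and your certificate name to confirm that the stanza from Step 4 grants exactly that certificate, and nothing broader, before restarting the service.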
Puppet Foreman Credentials
On a monolithic Puppet Open Source instance you will need root credentials (recommended) or credentials with sudo elevated privileges on the Puppet Master server.
If these are separate servers in your environment, you need root credentials or credentials with elevated privileges on these:
- Puppet CA
- Puppet Compile Master
- Puppet database server
The root user can be authenticated using the password or with SSH keys.
The alternative is a service account that has been granted sudo permissions in sudoers.
The steps to setting up sudo permissions on the Puppet components can be quite involved and are not in the scope of this document.
Collect the appropriate keys from the Foreman Master. Paste them into a text editor, or copy/paste them directly into the SovLabs Foreman Master configuration form:
| Type | Location |
|---|---|
| API Certificate | /etc/puppetlabs/puppet/ssl/certs/CERTNAME |
| Private Key Certificate | /etc/puppetlabs/puppet/ssl/private_keys/CERTNAME |
| CA Certificate (used to sign the API cert) | /etc/puppetlabs/puppet/ssl/ca/ca_crt |
Provisioning Windows VMs
If you plan to provision Windows VMs with Puppet Enterprise, you will need a method to connect to the VM to install the agent. You can choose either the VMware Tools option or the WinRM option when you set up your SovLabs Foreman Agent configuration.
VMware Tools Option (recommended)
- Create a SovLabs vCenter Endpoint (required)
- Create the Puppet Agent with vmware-tools as the Connection Type on the Puppet Agent Configuration tab.
WinRM Option
- Download the activateWinRM.ps1 script.
- Put the activateWinRM.ps1 script into a share OR incorporate it into your Windows Template in vCenter.
- In your Customization Specification, call the activateWinRM.ps1 script in the Run Once section.
Using activateWinRM.ps1 from a share location:
cmd /c powershell -executionpolicy Bypass -noninteractive -file //example.sovlabs.net/SovlabsSoftware/activateWinRM.ps1
Using a local copy of activateWinRM.ps1 in the template:
cmd /c powershell -executionpolicy Bypass -noninteractive -file c:\example_dir\activateWinRM.ps1
Provisioning Linux or Unix VMs
It is recommended to use the SSH connection type in the Foreman Agent configuration. You will need root credentials to the VM for this.