PuppetDemoBootServer

From SELinux Wiki

This page briefly describes how to build a boot server (DHCP, DNS and HTTP) for use with the Puppet demonstration.

General Notes

The sample configurations assume a local network using the 192.168.201.0/24 address block. Network ranges/addresses should be modified to match those currently in use if desired.

A default domain of "example.com" is used throughout the configuration examples and in the demo environment. The domain may be modified to match an existing domain. Changes to the kickstarts will be required to set the new default domain and, if the domain name has more than two levels, to change how the LDAP structure is created.

The locations of the configuration files identified for the boot server assume Fedora Core 11 is the host operating system. Different release versions or distributions may place the configuration files in different locations.

As the DNS, DHCP, and HTTP servers need to be accessible to remote systems, the boot server firewall may need to be configured to allow incoming connections from the local network to these ports:

   * 80/tcp
   * 67/udp
   * 53/udp 

Installing packages

The YUM package tool is used to install packages. This requires a connection to the Internet to connect to remote package repositories, or a local repository containing the packages.

Use the command 'yum install <packagename>' to install the indicated packages.

Setting up the DHCP server

packages: dhcp

Edit /etc/dhcpd.conf and configure a subnet range to be served. The example provided is one that is being used in a VMware environment.

[excerpt from sample /etc/dhcpd.conf]

	default-lease-time 1800;		# 30 minutes
	max-lease-time 7200;			# 2 hours

	subnet 192.168.201.0 netmask 255.255.255.0 {
		range 192.168.201.64 192.168.201.96;
		option broadcast-address 192.168.201.255;
		option domain-name-servers 192.168.201.3;
		option domain-name "example.com";
		option routers 192.168.201.2;

		host puppetmaster {
			hardware ethernet 0:c:29:42:3a:25;
			fixed-address 192.168.201.13;
			option host-name "puppetmaster.example.com";
		}
		host client1 {
			hardware ethernet 0:c:29:42:c4:7c;
			fixed-address 192.168.201.50;
			option host-name "client1.example.com";
		}
		host client2 {
			hardware ethernet 0:c:29:42:9f:8e;
			fixed-address 192.168.201.51;
			option host-name "client2.example.com";
		}
	}

As each client machine must be listed as a host entry in the subnet section above, it might be useful to generate that portion of the dhcpd.conf file from a flat text file containing a list of names and MAC addresses.

Start the dhcpd service and enable it to be run on bootup.

	# service dhcpd start
	# chkconfig dhcpd on

Setting up the DNS Server

packages: named

The default configuration will only listen on the localhost address. You will need to set the listen-on and allow-query addresses in the options section of /etc/named.conf so that named can respond to queries on the local network.

options {
   // ...
   listen-on port 53 { 192.168.201.3; 127.0.0.1; };
   allow-query { 192.168.201.0/24; 127.0.0.1/32; };
};

Add forward and reverse zones for the address range in use:

zone "example.com" IN {
  type master;
  file "example.com";
};
// reverse map for class C 192.168.201.0
zone "201.168.192.IN-ADDR.ARPA" IN {
  type master;
  file "192.168.201.rev";
};

Create the forward zone in /var/named/example.com:

$TTL 6D
@               IN      SOA     dns.example.com. root.example.com. (
                                200806256       ; Serial
                                1H      ; Refresh
                                300     ; Retry
                                2D      ; Expire
                                12H)     ; Minimum TTL
                        NS      dns.example.com.
;
localhost     A       127.0.0.1

; address of machine acting as DNS server
dns           A       192.168.201.3
puppetmaster  A       192.168.201.13

client1       A       192.168.201.50
client1a      CNAME   client1
client1b      CNAME   client1
client2       A       192.168.201.51

Create the reverse zone in /var/named/192.168.201.rev:

$TTL 6D
@               IN      SOA     dns.example.com. root.example.com. (
                                200806201       ; Serial
                                1H      ; Refresh
                                300     ; Retry
                                2D      ; Expire
                                12H)     ; Minimum TTL
                        NS      dns.example.com.
;
;
3       IN PTR  dns.example.com.
13      IN PTR  puppetmaster.example.com.
50      IN PTR  client1.example.com.
51      IN PTR  client2.example.com.

Start the named service and enable it to run on bootup.

	# service named start
	# chkconfig named on
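The DHCP section above suggests generating the per-host entries from a flat list of names and MAC addresses, and the forward and reverse zone files repeat the same name-to-address mapping a third and fourth time. The script below is an added example, not part of the wiki page or the Puppet demonstration: it reads one hypothetical inventory format ("name mac address", one host per line) and emits the dhcpd host stanzas, the forward A records and the reverse PTR records from that single source, so the three files cannot drift apart. Before emitting anything it checks that each MAC is well formed, that each address lies inside the served subnet and outside the dynamic pool (a fixed address inside the pool lets dhcpd lease the same address twice), and that no name, MAC or address is listed twice. The sample inventory, the /24 assumption for the reverse zone and the pool bounds are taken from the excerpts above.

```python
"""Generate dhcpd host stanzas and BIND forward/reverse records from one
inventory file, validating every entry first (added example)."""
import ipaddress
import re

# Constructed sample inventory (hypothetical format): "name mac ipv4" per line,
# '#' starts a comment. Values mirror the wiki's dhcpd.conf excerpt; MACs may
# be written unpadded as there, and are canonicalised below.
SAMPLE_INVENTORY = """\
# name          mac               address
puppetmaster    0:c:29:42:3a:25   192.168.201.13
client1         0:c:29:42:c4:7c   192.168.201.50
client2         0:c:29:42:9f:8e   192.168.201.51
"""

MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$", re.I)
# single DNS label: letters, digits and hyphens, no leading/trailing hyphen
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def parse_inventory(text, subnet, pool):
    """Return a list of (name, mac, ip) after validating every entry.

    subnet: the served network, e.g. "192.168.201.0/24"
    pool:   (first, last) address of dhcpd's dynamic 'range'; fixed addresses
            must not fall inside it
    """
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        # reverse_records() below writes only the last octet as the owner name
        raise ValueError("this generator assumes an IPv4 /24 subnet")
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in pool)
    seen = {"name": set(), "mac": set(), "ip": set()}
    hosts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'name mac address'")
        name, mac, addr = fields
        name = name.lower()
        if not LABEL_RE.match(name):
            raise ValueError(f"line {lineno}: bad hostname {name!r}")
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {mac!r}")
        # canonical form: six zero-padded lower-case hex octets
        mac = ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"line {lineno}: {ip} is outside {net}")
        if pool_lo <= ip <= pool_hi:
            raise ValueError(f"line {lineno}: {ip} collides with dynamic pool")
        for key, value in (("name", name), ("mac", mac), ("ip", ip)):
            if value in seen[key]:
                raise ValueError(f"line {lineno}: duplicate {key} {value}")
            seen[key].add(value)
        hosts.append((name, mac, ip))
    return hosts


def dhcpd_host_stanzas(hosts, domain):
    """Text to paste inside the subnet block of dhcpd.conf."""
    out = []
    for name, mac, ip in hosts:
        out += [f"\thost {name} {{",
                f"\t\thardware ethernet {mac};",
                f"\t\tfixed-address {ip};",
                f'\t\toption host-name "{name}.{domain}";',
                "\t}"]
    return "\n".join(out) + "\n"


def forward_records(hosts):
    """A records for the forward zone file (owner names relative to the zone)."""
    return "".join(f"{name:<15} A       {ip}\n" for name, _, ip in hosts)


def reverse_records(hosts, domain):
    """PTR records for the /24 reverse zone; the owner is the last octet."""
    return "".join(f"{ip.packed[-1]:<7} IN PTR  {name}.{domain}.\n"
                   for name, _, ip in hosts)


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY, "192.168.201.0/24",
                          ("192.168.201.64", "192.168.201.96"))
    print(dhcpd_host_stanzas(inv, "example.com"))
    print(forward_records(inv))
    print(reverse_records(inv, "example.com"))
```

Run it against the real inventory and append each output to the matching file; rejecting the whole run on the first bad line is deliberate, since a partially written zone or dhcpd.conf is harder to spot than a failed script.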

Setting up the Web server

packages: httpd

Download the latest versions of the kickstart files and binary RPMs as identified on the Puppet demonstration page:

  • Client Kickstart
  • Server Kickstart
  • Custom SELinux Policy packages

Create a directory to hold the kickstart files, /var/www/html/kickstart. Copy the client and server kickstart files into this directory.

Create a directory to hold the packages, /var/www/html/packages. Copy the custom SELinux Policy packages and the Puppet configuration tarball into this directory.

Start the httpd service and enable it to be run on bootup.

	# service httpd start
	# chkconfig httpd on

Kickstart Customization and System Installation

Documentation at the beginning of the kickstart files details some boot time options that can be specified to customize the installation.

Some generic notes about the kickstarts:

  • Depending on the network environment, the kickstart can be configured to use DHCP for address provisioning or static addressing. The default is to use DHCP; however, a sample static address configuration is included for reference. If addresses are assigned statically, the kickstarts will need to be modified for each client/server installation to provide the appropriate address.
  • If installing FC11 from CD/DVD, access to a yum repository (via an external network connection or a local mirror) is required, as some packages needed by the installs are not included in the CD/DVD install media.
  • Installs are currently interactive. To convert the kickstarts to a fully automated install, comment out the "interactive" directive at the beginning of the files.