Client Management¶
This chapter provides guidance to install and configure SIMP clients based on the standard SIMP system installed using the SIMP DVD.
System Requirements¶
Before installing clients, each system should meet the following minimum requirements:
- Hardware/Virtual Machine (VM): capable of running RHEL 6 or 7; 64-bit compatible
- RAM: 512 MB
- HDD: 5 GB
Configuring the Puppet Master¶
Perform the following actions as root on the Puppet Master system prior to attempting to install a client.
Configure DNS¶
Most static files are pulled over rsync by Puppet in this implementation for network efficiency. Specific directories of interest are noted in this section.
It is possible to use an existing DNS setup; however, the following steps describe a local setup.
- Navigate to /var/simp/rsync/OSTYPE/MAJORRELEASE/bind_dns
- Modify the named files to correctly reflect the environment. At a minimum, the following files under /srv/rsync/bind_dns/default should be edited:
    named/etc/named.conf
    named/etc/zones/your.domain
    named/var/named/forward/your.domain.db
    named/var/named/reverse/0.0.10.db
Important
For the named/var/named/forward/your.domain.db and named/var/named/reverse/0.0.10.db files, add clients as needed. Make sure to rename both of these files to more appropriately match your system configuration.
- At a minimum, review named/etc/named.conf and check/update the following:
- Type puppet agent -t --tags named on the Puppet Master to apply the changes. Validate DNS and ensure /etc/resolv.conf is updated appropriately.
- If an error about the rndc.key appears when starting bind, copy the rndc.key to /etc, then re-run the puppet command:
    cp -p /var/named/chroot/etc/rndc.key /etc/rndc.key
Configure DHCP¶
Perform the following actions as root on the Puppet Master system prior to attempting to install a client.
Open the /var/simp/rsync/OSTYPE/MAJORRELEASE/dhcpd/dhcpd.conf file and edit it to suit the necessary environment.
Make sure the following is done in the dhcpd.conf:
- The next-server setting in the pxeclients class block points to the IP Address of the TFTP server.
- Create a Subnet block and edit the following:
  - Make sure the router and netmask are correct for your environment.
  - Enter the hardware ethernet and fixed-address for each client that will be kickstarted. SIMP environments should not allow clients to pick a random IP Address in a subnet. The MAC address must be associated with an IP Address here. (You can add additional ones as needed.)
  - Enter the domain name for option domain-name
  - Enter the IP Address of the DNS server for option domain-name-servers
Save and close the file.
Run puppet agent -t on the Puppet Master to apply the changes.
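An added example (not part of the SIMP documentation or the dhcpd.conf SIMP ships) that audits a dhcpd.conf against the rules above in Python: next-server present in the pxeclients class, no dynamic range in the subnet, every host entry tying a MAC to a fixed-address, and both DNS options set. The configuration embedded in it is a constructed sample, not the shipped file.

```python
import re

# Constructed sample dhcpd.conf (not the file SIMP ships) with two deliberate
# weaknesses: a dynamic range, and a host entry without a MAC address.
SAMPLE_DHCPD_CONF = """\
option domain-name "your.domain";
option domain-name-servers 10.0.0.1;

class "pxeclients" {
  match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
  next-server 10.0.0.1;
  filename "linux-install/pxelinux.0";
}

subnet 10.0.0.0 netmask 255.255.255.0 {
  option routers 10.0.0.254;
  range 10.0.0.100 10.0.0.200;
  host client1 { hardware ethernet 00:11:22:33:44:55; fixed-address 10.0.0.10; }
  host client2 { fixed-address 10.0.0.11; }
}
"""
MAC = r"([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"

def audit_dhcpd(conf):
    """Return a list of findings; an empty list means the file meets the rules above."""
    findings = []
    # The pxeclients class must hand PXE clients the TFTP server via next-server.
    cls = re.search(r'class\s+"pxeclients"\s*\{(.*?)\}', conf, re.S)
    if not cls or not re.search(r"next-server\s+[\d.]+;", cls.group(1)):
        findings.append("pxeclients class has no next-server (TFTP server) setting")
    # A dynamic range lets unknown machines pick addresses; SIMP pins every client.
    for rng in re.finditer(r"range\s+([\d.]+)\s+([\d.]+);", conf):
        findings.append(f"dynamic range {rng.group(1)}-{rng.group(2)} allows unpinned clients")
    # Every host block must tie one MAC (hardware ethernet) to one fixed-address.
    for host in re.finditer(r"host\s+(\S+)\s*\{([^}]*)\}", conf):
        name, body = host.group(1), host.group(2)
        if not re.search(rf"hardware\s+ethernet\s+{MAC};", body):
            findings.append(f"host {name} has no hardware ethernet (MAC) statement")
        if not re.search(r"fixed-address\s+[\d.]+;", body):
            findings.append(f"host {name} has no fixed-address")
    # Clients need the domain name and the DNS server handed out as options.
    for opt in ("domain-name", "domain-name-servers"):
        if not re.search(rf"option\s+{opt}\s+[^;]+;", conf):
            findings.append(f"option {opt} is not set")
    return findings

if __name__ == "__main__":
    for finding in audit_dhcpd(SAMPLE_DHCPD_CONF):
        print(finding)
```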
Configure PXE Boot¶
Sample kickstart templates have been provided in the /var/www/ks directory on the SIMP server and on the SIMP DVD under /ks. Pre-boot images are located on the DVD under /images/pxeboot. If you have an existing Preboot Execution Environment (PXE) setup, you can use these to PXE boot a SIMP client. Follow your own site's procedures for this.
In this section we describe how to configure the Kickstart and TFTP servers to PXE boot a SIMP client. (The DHCP server setup, also required for PXE booting, is discussed in the Configure DHCP section above.)
Note
This example sets up a PXE boot for a system that is the same OS as the SIMP Server. If you are setting up a PXE boot for a different OS, then you must make sure that the OS packages are available through YUM for all systems you are trying to PXE boot. There are notes throughout the instructions to help in setting up multiple OSs, but they are not comprehensive. You should understand the DHCP, KS, YUM and TFTP relationships for PXE booting before attempting this.
Setting Up Kickstart¶
This section describes how to configure the kickstart server.
- Locate the following files in the /var/www/ks directory:
    pupclient_x86_64.cfg
    diskdetect.sh
- Open each of the files and follow the instructions provided within them to replace the variables. You need to know the IP Addresses of the YUM, Kickstart, and TFTP servers. (They default to the SIMP server in simp config.)
  pupclient_x86_64.cfg:
    1. Note: #KSSERVER# should be replaced with the Kickstart Server IP, not the YUM IP. (They are the same if you used the defaults.)
    2. In the URL line use the YUMSERVER IP, not the Kickstart server IP. (Although on a default SIMP system the YUM and Kickstart server are the same server, so it is not a problem.)
    3. Use the commands in the comments section at the top of the file to generate the password hashes.
  diskdetect.sh: The diskdetect.sh script is responsible for detecting the first active disk and applying a disk configuration. Edit this file to meet any necessary requirements or use this file as a starting point for further work. It will work as is for most systems as long as your disk device names are in the list.
- Type chown root.apache /var/www/ks/* to ensure that all files are owned by root and in the apache group.
- Type chmod 640 /var/www/ks/* to change the permissions so the owner can read and write the files and the apache group can only read them.
Note
The URLs and locations in the file are set up for a default SIMP install. That means the same OS and version as the SIMP server, all servers in one location (on the SIMP server) and in specific directories. If you have installed these servers in a different location than the defaults, you may need to edit URLs or directories.
Note
If you want to PXE boot more than this operating system, make a copy of these files, name them appropriately and update the URLs and links inside, and anything else you may need. (You must know what you are doing before attempting this.) If you are booting more than one OS, you must also make sure your YUM server has the OS packages for the other OSs. By default the YUM server on SIMP has the packages only for the version of the OS installed on the SIMP server.
Setting up TFTP¶
This section describes the process of setting up static files and manifests for TFTP.
Static Files¶
Verify the static files are in the correct location:
Type cd /var/simp/rsync/OSTYPE/MAJORRELEASE/tftpboot and then type ls to check for the existence of the linux-install/OSTYPE-MAJORRELEASE_ARCH directory.
OSTYPE and MAJORRELEASE under rsync are the version of the SIMP server, whereas OSTYPE and MAJORRELEASE under linux-install are the OS type and OS major version of the systems you will be PXE booting.
Under this directory you should find a directory named OSTYPE-MAJORRELEASE.MINORRELEASE-ARCH and a link to this directory named OSTYPE-MAJORRELEASE-ARCH.
Under OSTYPE-MAJORRELEASE.MINORRELEASE-ARCH you should find the files:
- initrd.img
- vmlinuz
If these are not there, then you must create the directories as needed and copy the files from /var/www/yum/OSTYPE/MAJORRELEASE/ARCH/images/pxeboot or from the images directory on the SIMP DVD.
Important
The link is what is used in the TFTP configuration files.
Note
If you want to be able to PXE boot different OSs, then add a directory for each one, obtain the pxeboot images, and copy them under the linux-install directory. SIMP only provides images for the OS of the SIMP server.
Manifest¶
Create a site manifest for the TFTP server on the Puppet server.
- Create the file /etc/puppet/environments/simp/modules/site/manifests/tftpboot.pp. Use the source code example below.
  - Replace KSSERVER with the IP address of the Kickstart server (or the code to look up the IP Address using Hiera).
  - Replace OSTYPE, MAJORRELEASE and ARCH with the correct values for the systems you will be PXE booting.
  - MODEL NAME is usually of the form OSTYPE-MAJORRELEASE-ARCH for consistency.

    # Site class that declares one PXE boot model and makes it the default for every host
    class site::tftpboot {
      include 'tftpboot'

      tftpboot::linux_model { 'MODEL NAME':
        kernel => 'OSTYPE-MAJORRELEASE-ARCH/vmlinuz',
        initrd => 'OSTYPE-MAJORRELEASE-ARCH/initrd.img',
        ks     => "http://KSSERVER/ks/pupclient_x86_64.cfg",
        extra  => "ksdevice=bootif\nipappend 2"
      }

      tftpboot::assign_host { 'default': model => 'MODEL NAME' }
    }

- Add the tftpboot site manifest on your puppet server node via Hiera. Create the file (or edit it if it exists): /etc/puppet/environments/simp/hieradata/hosts/<tftp.server.fqdn>.yaml. (By default the TFTP server is the same as your puppet server, so in the default case it will already exist.) Add the following example code to that yaml file.

    ---
    classes:
      - 'site::tftpboot'

- After updating the above file, type puppet agent -t --tags tftpboot on the Puppet server.
Note
To PXE boot more OSs, create in the tftpboot.pp file a tftpboot::linux_model block for each OS type, using the extra directories and kickstart files created using the notes in previous sections. Point individual systems to them by adding assign_host lines with their MAC pointing to the appropriate model name.
Setting Up the Client¶
The following lists the steps to PXE boot the system and set up the client.
- Set up your client’s BIOS or virtual settings to boot off the network.
- Make sure the MAC address of the client is set up in DHCP (see Configure DHCP for more info.)
- Restart the system.
- Once the client installs, reboots, and begins to bootstrap, it will check in for the first time.
- Puppet will not autosign puppet certificates by default and waitforcert is enabled. The client will check in every 30 seconds for a signed cert. Log on to the puppet server and run puppet cert sign <puppet.client.fqdn>.
Upon successful deployment of a new client, it is highly recommended that LDAP administrative accounts be created.
Troubleshooting Issues¶
If the client has been kickstarted, but is not communicating with the Puppet server, try the following options:
- Check the forward and reverse DNS entries on the client and server; both must be correct.
- Check the time on the systems. More than an hour’s difference will cause serious issues with certificates.
- Remove /var/lib/puppet/ssl on the client system; run puppet cert --clean <Client Host Name> on the Puppet server; and try again.
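The forward and reverse zone files edited in Configure DNS are where the "both must be correct" check above usually fails; this added Python example (not part of the SIMP documentation) parses the A and PTR records of both files and reports every pair that disagrees. The zone contents are constructed samples in the shape of named/var/named/forward/your.domain.db and named/var/named/reverse/0.0.10.db.

```python
import re
# Constructed forward and reverse zone files in the shape of the named/var/named
# files this chapter has you edit (not SIMP's files); the PTR for 10.0.0.11 has a typo.
FORWARD_ZONE = """\
$ORIGIN your.domain.
@        IN NS   puppet.your.domain.
puppet   IN A    10.0.0.1
client1  IN A    10.0.0.10
client2  IN A    10.0.0.11
"""
REVERSE_ZONE = """\
$ORIGIN 0.0.10.in-addr.arpa.
1        IN PTR  puppet.your.domain.
10       IN PTR  client1.your.domain.
11       IN PTR  client02.your.domain.
"""
# owner [ttl] IN type rdata; records of other types (NS, SOA, ...) are ignored
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|PTR)\s+(\S+)")

def parse_zone(text, rtype):
    """Return {owner fqdn: rdata} for records of one type, honouring $ORIGIN."""
    origin, records = "", {}
    for line in text.splitlines():
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD.match(line)
        if m and m.group(2) == rtype:
            name = m.group(1)
            fqdn = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
            records[fqdn] = m.group(3)
    return records

def ptr_owner_to_ip(owner):
    # '10.0.0.10.in-addr.arpa.' -> '10.0.0.10'
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))

def check_zones(forward_text, reverse_text):
    """List every A/PTR pair that disagrees; an empty list means the zones are consistent."""
    a = parse_zone(forward_text, "A")  # fqdn -> ip
    ptr = {ptr_owner_to_ip(o): t for o, t in parse_zone(reverse_text, "PTR").items()}  # ip -> fqdn
    findings = []
    for fqdn, ip in a.items():
        if ip not in ptr:
            findings.append(f"{fqdn} -> {ip} has no PTR record")
        elif ptr[ip] != fqdn:
            findings.append(f"{fqdn} -> {ip} but PTR names {ptr[ip]}")
    for ip, fqdn in ptr.items():
        if a.get(fqdn) != ip:
            findings.append(f"PTR {ip} -> {fqdn} has no matching A record")
    return findings
```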
Troubleshoot Certificate Issues¶
If host certificates do not appear to be working and the banner is not getting rsync’d to the clients, ensure that all certificates verify against the installed CA certificates.
The following steps determine which certificates are working and which are not.
- Navigate to /etc/puppet/environments/simp/keydist
- Run find . -name "*<Your.Domain>*.pub" -exec openssl verify -CApath cacerts {} \;
Important
The screen displays ./<Host Name>.<Your.Domain>/<Host Name>.<Your.Domain>.pub: OK for each host. If anything other than OK appears for a host, analyze the error and ensure that the CA certificates are correct.
If the TXT_DB error number 2 appears, revoke the certificate that is being regenerated. The following steps revoke the certificate.
- Navigate to /etc/puppet/environments/simp/keydist
- Run OPENSSL_CONF=default.cnf openssl ca -revoke ../../keydist/<Host to Revoke>/<Host to Revoke>.pub