Automate Server Patching with Puppet

In this build I'm going to attempt to simplify the "How To" for getting Puppet working with Windows via Chocolatey. Sounds simple, but it took me several days to get this working as I intended. In addition I wanted to be able to manage Puppet from a web UI. After doing some research I chose to go with Foreman.

Server Side Build:


Pick the right OS (for Foreman!).

Many OS versions support Puppet; Foreman, however, is a different story. In this build I got to start over with the latest version of CentOS 7. Install the OS and ensure that your DNS is set up correctly. The forward name of the server and its reverse (PTR) name must match exactly, and it cannot be localhost; the Foreman installer will fail if it is. I named my server puppet.<mydomain>

Also open the ports that the software will need (443 for the Foreman web UI, 8443 for the smart proxy, 8140 for the Puppet master). Use --permanent so the rules survive the reboot recommended below, then reload to apply them now:

firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=8443/tcp
firewall-cmd --permanent --zone=public --add-port=8140/tcp
firewall-cmd --reload

Configure the server components (Foreman and Puppet).


You can follow the official guide found here: https://www.theforeman.org/manuals/1.17/quickstart_guide.html

yum -y install https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm
yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install https://yum.theforeman.org/releases/1.17/el7/x86_64/foreman-release.rpm
yum -y install foreman-installer
foreman-installer

Grab and save the default user name, password and URLs from the output of foreman-installer; they are only printed once.

I would recommend a reboot after the install to get the paths working correctly. By default puppet is installed as "/opt/puppetlabs/bin/puppet", but running puppet right after the install fails because the PATH update is not picked up by the shell you installed from.

Install the proper modules:

  • puppet module install puppetlabs/windows 
  • puppet module list

The output should look as follows (puppetlabs/windows pulls in the rest as dependencies); if any are missing, add them with the same install command above:
/etc/puppetlabs/code/environments/production/modules
├── puppet-download_file (v2.1.0)
├── puppet-windows_env (v2.3.0)
├── puppet-windowsfeature (v2.1.0)
├── puppetlabs-acl (v1.1.1)
├── puppetlabs-chocolatey (v2.0.1)
├── puppetlabs-dsc (v1.6.0)
├── puppetlabs-iis (v4.3.1)
├── puppetlabs-powershell (v2.1.5)
├── puppetlabs-reboot (v1.2.1)
├── puppetlabs-registry (v1.1.4)
├── puppetlabs-stdlib (v4.8.0)
├── puppetlabs-windows (v5.0.0)
├── puppetlabs-wsus_client (v1.0.3)

Build a Custom Module for deploying software with Chocolatey:

All the modules above are installed into the /etc/puppetlabs/code/environments/production/modules folder. What we need to do is create a new module with our own code in that folder so that Puppet and Foreman can see it.
  • cd to /etc/puppetlabs/code/environments/production/modules
  • mkdir serversoftware
  • cd serversoftware
  • mkdir manifests
  • vi manifests/init.pp and paste in the following text (this will install these 3 programs on every server whose agent you set up, once the class is linked to a host group; more about that later).

class serversoftware {
  # Make sure Chocolatey itself is present before using it as a provider
  include chocolatey

  package { 'windirstat':
    ensure   => present,
    provider => 'chocolatey',
  }
  package { '7zip':
    ensure   => present,
    provider => 'chocolatey',
  }
  package { 'notepadplusplus':
    ensure   => present,
    provider => 'chocolatey',
  }
}

Check your syntax with the following command, then apply it (note that this file only defines the class; nothing is installed until the class is declared on a host, which the Foreman host group below takes care of):
puppet parser validate /etc/puppetlabs/code/environments/production/modules/serversoftware/manifests/init.pp
puppet apply /etc/puppetlabs/code/environments/production/modules/serversoftware/manifests/init.pp

Client (Windows Server) side configuration:


Install Chocolatey and the Puppet agent (on client servers)

  • Open an administrative PowerShell window
  • Run:  Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
  • Run: choco install puppet-agent -installArgs '"PUPPET_MASTER_SERVER=puppet.<yourdomain>"' -y


Once the agent is installed, sign its certificate request on the master:

SSH into puppet.<yourdomain>
cd /opt/puppetlabs/bin/
puppet cert list
puppet cert sign --all
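Signing with --all accepts every pending request, including ones from machines you never set up. The following is an added example, not code from the original post, that signs only single-label hostnames under one allowed domain. It assumes the Puppet 5 "puppet cert" CLI used here and its list format (pending requests printed as two spaces, the quoted name, then the fingerprint; signed certs prefixed with "+"), and example.com is a placeholder for your own domain.

```shell
#!/usr/bin/env bash
# Added example: sign only the pending agent requests that belong to your own
# domain instead of `puppet cert sign --all`. Assumes the Puppet 5 `puppet cert`
# CLI and its list format (pending requests are printed as two spaces, the
# quoted name, then the fingerprint; signed ones start with "+", revoked "-").
# ALLOWED_DOMAIN is a placeholder; set it to your real domain before use.
PUPPET=${PUPPET:-/opt/puppetlabs/bin/puppet}
ALLOWED_DOMAIN=$(printf '%s' "${ALLOWED_DOMAIN:-example.com}" | tr 'A-Z' 'a-z')

# pending_names: read `puppet cert list` output on stdin and print one pending
# requester name per line; "+" (signed) and "-" (revoked) lines are skipped.
pending_names() {
  sed -n 's/^  "\([^"]*\)".*/\1/p'
}

# is_allowed NAME: true only for <host>.$ALLOWED_DOMAIN where <host> is a single
# hostname label. Rejects look-alikes such as rogue.example.com.attacker.net,
# extra subdomain levels, and labels with characters a hostname cannot contain.
is_allowed() {
  local name host
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=${name%".$ALLOWED_DOMAIN"}          # strip the allowed suffix, if present
  [ "$host" != "$name" ] || return 1       # suffix absent: not our domain
  case "$host" in
    ''|*.*|*[!a-z0-9-]*|-*|*-) return 1 ;; # empty, extra labels, bad chars, edge hyphens
  esac
  return 0
}

# sign_allowed: read `puppet cert list` output on stdin, sign the allowed names
# one at a time, and report every refused request on stderr for follow-up.
sign_allowed() {
  local name
  pending_names | while IFS= read -r name; do
    if is_allowed "$name"; then
      "$PUPPET" cert sign "$name"
    else
      printf 'REFUSED (not a host under %s): %s\n' "$ALLOWED_DOMAIN" "$name" >&2
    fi
  done
}

# Usage on the master, in place of `puppet cert sign --all`:
#   "$PUPPET" cert list | sign_allowed
```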

Restart the puppet service on the Windows systems (use sc.exe from PowerShell, where plain sc is an alias for Set-Content):

sc.exe stop puppet
sc.exe start puppet
Confirm the connection on https://puppet.<yourdomain>

Log in to Foreman to do the final configuration:

Browse to your server http://puppet.<yourdomain> and log in with the password that was output by foreman-installer. If your clients are set up right and talking to the server, you should see them in a good state on the dashboard screen.




To add classes, click the gear, then Classes. Click on the Import button.



You will see a handful of classes; check the box next to each one to add it to the Foreman environment. When you click Classes you should now see your custom class.



The last step is to create a host group and assign the class to that group. Click on the gear and select Host Groups.
  • Click on Create New.
  • Give the group a name (Windows 2008x64 Servers)
  • Assign an environment (Production by default).
  • Click on the Classes tab, select serversoftware and click the plus sign to add it. It should appear under Included Classes.
  • Click on Operating Systems
  • Change the Architecture to x64
  • Change Operating System to "Windows 6.3.9600"
  • Click Submit
  • Because the hosts have already been talking to the server, you may need to manually add the existing hosts to the newly created group. Do this by clicking on All Hosts, editing each of the hosts you're testing with, and selecting the group you want them in. Hosts added later should automatically join the group.

At this point, when the puppet agent checks in it will install Notepad++, WinDirStat and 7-Zip!!

The puppet agent by default writes its logs to the Windows Application event log, which you can view in Event Viewer to confirm each run and catch failed package installs.