bunny-lab/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
355155794e3f60c3ef4c364e0dce4b5f3de2f6e5
docs/Servers & Workflows/Linux/Automation/Puppet/Puppet Bolt.md

5.8 KiB
Raw Blame History

Purpose: Puppet Bolt can be leveraged in an Ansible-esque manner to connect to and enroll devices such as Windows Servers, Linux Servers, and various workstations. To this end, it could be used to run ad-hoc tasks or enroll devices into a centralized Puppet server. (e.g. LAB-PUPPET-01.bunny-lab.io)

!!! note "Assumptions" This deployment assumes you are deploying Puppet bolt onto the same server as Puppet. If you have not already, follow the Puppet Deployment documentation to do so before continuing with the Puppet Bolt deployment.

Initial Preparation

# Install Bolt Repository
sudo rpm -Uvh https://yum.puppet.com/puppet-tools-release-el-9.noarch.rpm
sudo yum install -y puppet-bolt

# Verify Installation
bolt --version

# Clone Puppet Bolt Repository into Bolt Directory
#sudo git clone https://git.bunny-lab.io/GitOps/Puppet-Bolt.git /etc/puppetlabs/bolt <-- Disabled for now
sudo mkdir -p /etc/puppetlabs/bolt
sudo chown -R $(whoami):$(whoami) /etc/puppetlabs/bolt
sudo chmod -R 644 /etc/puppetlabs/bolt
#sudo chmod -R u+rwx,g+rx,o+rx /etc/puppetlabs/bolt/modules/bolt <-- Disabled for now

# Initialize A New Bolt Project
cd /etc/puppetlabs/bolt
bolt project init bunny_lab

Configuring Inventory

At this point, you will want to create an inventory file that you can use for tracking devices. For now, this will have hard-coded credentials until a cleaner method is figured out.

# Inventory file for Puppet Bolt
groups:
  - name: linux_servers
    targets:
      - lab-auth-01.bunny-lab.io
      - lab-auth-02.bunny-lab.io
    config:
      transport: ssh
      ssh:
        host-key-check: false
        private-key: "/etc/puppetlabs/bolt/id_rsa_OpenSSH" # (1)
        user: nicole
        native-ssh: true

  - name: windows_servers
    config:
      transport: winrm
      winrm:
        realm: BUNNY-LAB.IO
        ssl: true
        user: "BUNNY-LAB\\nicole.rappe"
        password: DomainPassword # (2)
    groups:
      - name: domain_controllers
        targets:
          - lab-dc-01.bunny-lab.io
          - lab-dc-02.bunny-lab.io
      - name: dedicated_game_servers
        targets:
          - lab-games-01.bunny-lab.io
          - lab-games-02.bunny-lab.io
          - lab-games-03.bunny-lab.io
          - lab-games-04.bunny-lab.io
          - lab-games-05.bunny-lab.io
      - name: hyperv_hosts
        targets:
          - virt-node-01.bunny-lab.io
          - bunny-node-02.bunny-lab.io
  1. Point the inventory file to the private key (if you use key-based authentication instead of password-based SSH authentication.)
  2. Replace this with your actual domain admin / domain password.

Validate Bolt Inventory Works

If the inventory file is created correctly, you will see the hosts listed when you run the command below:

cd /etc/puppetlabs/bolt
bolt inventory show

??? example "Example Output of bolt inventory show" You should expect to see output similar to the following: ``` [root@lab-puppet-01 bolt-lab]# bolt inventory show Targets lab-auth-01.bunny-lab.io lab-auth-02.bunny-lab.io lab-dc-01.bunny-lab.io lab-dc-02.bunny-lab.io lab-games-01.bunny-lab.io lab-games-02.bunny-lab.io lab-games-03.bunny-lab.io lab-games-04.bunny-lab.io lab-games-05.bunny-lab.io virt-node-01.bunny-lab.io bunny-node-02.bunny-lab.io

Inventory source
/tmp/bolt-lab/inventory.yaml

Target count
11 total, 11 from inventory, 0 adhoc

Additional information
Use the '--targets', '--query', or '--rerun' option to view specific targets
Use the '--detail' option to view target configuration and data
```

Initializing Kerberos

If you work with Windows-based devices in a domain environment, you will need to set up Puppet so it can perform Kerberos authentication while interacting with Windows devices. This involves a little bit of setup, but nothing too crazy.

Install Krb5

We need to install the necessary software on the puppet server to allow Kerberos authentication to occur. === "Rocky, CentOS, RHEL, Fedora"

``` sh
sudo yum install krb5-workstation
```

=== "Debian, Ubuntu"

``` sh
sudo apt-get install krb5-user
```

=== "SUSE"

``` sh
sudo zypper install krb5-client
```

Prepare /etc/krb5.conf Configuration

We need to configure Kerberos to know how to reach the domain, this is achieved by editing /etc/krb5.conf to look similar to the following, with your own domain substituting the example values.

[libdefaults]
    default_realm = BUNNY-LAB.IO
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    BUNNY-LAB.IO = {
        kdc = LAB-DC-01.bunny-lab.io
        kdc = LAB-DC-02.bunny-lab.io
        admin_server = LAB-DC-01.bunny-lab.io
    }

[domain_realm]
    .bunny-lab.io = BUNNY-LAB.IO
    bunny-lab.io = BUNNY-LAB.IO

Initialize Kerberos Connection

Now we need to log into the domain using (preferrably) domain administrator credentials, such as the example below. You will be prompted to enter your domain password.

kinit nicole.rappe@BUNNY-LAB.IO
klist

??? example "Example Output of klist" You should expect to see output similar to the following. Finding a way to ensure the Kerberos tickets live longer is still under research, as 24 hours is not exactly practical for long-term deployments. ``` [root@lab-puppet-01 bolt-lab]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: nicole.rappe@BUNNY-LAB.IO

Valid starting       Expires              Service principal
11/14/2024 21:19:44  11/15/2024 07:19:44  krbtgt/BUNNY-LAB.IO@BUNNY-LAB.IO
        renew until 11/15/2024 21:19:40
```