satellite_pe_tools

Configures reports and inventory data to be sent to Satellite 6

Project URL RSS Feed Report issues

Module Stats

20,179 downloads

1,241 latest version

3.1 quality score

Version information

released Oct 6th 2015

This version is compatible with:

Puppet Enterprise >= 3.8.0 < 2015.3.0
, , ,

This module is licensed for use with Puppet Enterprise. You may also evaluate this module for up to 90 days.Learn More

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'puppetlabs-satellite_pe_tools', '1.0.0'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add puppetlabs-satellite_pe_tools

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-satellite_pe_tools --version 1.0.0

Documentation

puppetlabs/satellite_pe_tools — version 1.0.0 Oct 6th 2015

satellite_pe_tools

Description
Setup - The basics of getting started with satellite_pe_tools
- Setup requirements
- Beginning with satellite_pe_tools
Usage - Configuration options and additional functionality
Reference - An under-the-hood peek at what the module is doing and how
Limitations - OS compatibility, etc.
Development - Guide for contributing to the module

Description

The satellite_pe_tools module configures Puppet's report processor and facts indirector to allow you to send Puppet reports and facts to your Red Hat Satellite server.

Setup

Setup requirements

This module requires Red Hat Satellite 6 and Puppet Enterprise 3.8.1 or later.

Beginning with satellite_pe_tools

Classify Puppet masters
Set Puppet master facts terminus
Allow Puppet master to send data to Satellite
Allow Puppet master to verify Satellite server identity
Allow Satellite server to verify Puppet master identity
Enable pluginsync and reports in Puppet

To set up communication between Satellite and your Puppet masters, follow these steps:

Classify Puppet masters

Add the satellite_pe_tools class to the PE Master node group in the Puppet Enterprise Console. For details on adding classes to node groups, see the Puppet Enterprise documentation.
Set Puppet master facts terminus

In the PE Master node group in the PE Console, add the facts_terminus parameter to the puppet_enterprise::profile::master class with a string value of 'satellite'. This sets Puppet runs on your Puppet masters to forward the facts to Satellite.
Allow the Puppet master to verify the Satellite server's identity

To use SSL verification so that the Puppet master can verify the Satellite server (to prevents man-in-the-middle attacks), the Certificate Authority (CA) certificate that signed the Satellite server's SSL certificate must be available on the Puppet master.

By default, the CA certificate is located on the Satellite CA server. On Red Hat-based systems, this is automatically managed by the module. Note that the CA cert is transferred over an untrusted SSL connection. If you wish to transfer the cert manually, see below. You must also set the manage_default_ca_cert parameter to false.

On non-Red Hat systems, or if you wish to manually transfer the cert, copy the file /etc/pki/katello/certs/katello-default-ca.crt from the Satellite CA server to /etc/puppetlabs/puppet/ssl/ca/katello-default-ca.crt on each Puppet master. If you place the certificate in a different location or give it a different name, you must set the ssl_ca parameter for the satellite_pe_tools class to the file path of the CA certificate.

If the Satellite SSL certificate is signed by a remote CA, copy the remote CA's certificate to each Puppet master, and then set the ssl_ca parameter for the satellite_pe_tools class to the file path of the CA certificate.

If you do not wish to verify the identity of the Satellite server, you can set theverify_satellite_certificate parameter for the satellite_pe_tools class to false.
Allow the Satellite server to verify the Puppet master's identity

By default, Satellite is configured to verify the SSL identity of the Puppet Enterprise masters connecting to it. If the PE report processor and facts indirector are not using a certificate signed with the Satellite server's CA, the verification fails.

To use SSL verification so that the Satellite server can verify the Puppet master, you must generate a SSL cert and key pair on the Satellite server, and then copy these files to your Puppet master.

Note: In the following steps, 'satellite.example.com' should be replaced by the FQDN of your Puppet master.

4a. On the Satellite server, run the following command: capsule-certs-generate --capsule-fqdn "satellite.example.com --certs-tar "~/satellite.example.com-certs.tar".

4b. Untar the newly created file: tar -xvf ~/satellite.example.com-certs.tar. This creates a new folder: ~/ssl-build.

4c. Copy the following two files to your Puppet master: ~/ssl-build/satellite.example.com/satellite.example.com-puppet-client.crt and ~/ssl-build/satellite.example.com/satellite.example.com-puppet-client.key. We recommend copying the files to /etc/puppetlabs/puppet/ssl/satellite (on PE 2015.x) or /etc/puppet/ssl/satellite (PE 3.x) on your master.

4d. On your Puppet master, set the ownership of these two files to pe-puppet.

Example (Adjust paths and filenames accordingly):
```
chown pe-puppet /etc/puppetlabs/puppet/ssl/satellite/satellite.example.com-puppet-client.crt
chown pe-puppet /etc/puppetlabs/puppet/ssl/satellite/satellite.example.com-puppet-client.key
```
4e. In the Satellite UI, go to Administer -> Settings -> Auth and set the restrict_registered_puppetmasters parameter to true. Additionally, add your Puppet master's FQDN to the trusted_puppetmaster_hosts array on the same page; for example, [satellite.example.com]

4f. Set the ssl_cert and ssl_key parameters in your satellite_pe_tools class to the location on your Puppet master of the two files respectively.

If you do not want the Satellite server to verify the Puppet master identity, then in the Satellite UI, go to Administer -> Settings -> Auth and set the restrict_registered_puppetmasters parameter to false.

Note that this setting presents a security risk, as false reports and facts can be sent to Satellite by a malicious system masquerading as a current Puppet master on your infrastructure that's been added to Satellite as a safe master.
Enable pluginsync and reports in Puppet

On each Puppet agent, make sure the pluginsync and report settings are enabled. (Normally, these settings are enabled by default.)
```
  [agent]
  report = true
  pluginsync = true
```

Usage

class {'satellite_pe_tools':
    satellite_url => "https://satellite.example.com",
    verify_satellite_certificate => true,
}

This example tells the master the location of the Satellite server (https://satellite.example.com) and instructs it to verify the Satellite server's identity.

Debugging

In addition to looking through the usual reports in the Puppet Enterprise Console, you can also view the Satellite API log file, which may provide clues as to what a paticular issue may be. This file is located at /var/log/httpd/foreman-ssl_access_ssl.log on your Satellite server.

An example of a SSL authentication failure (note the '403'):

10.32.125.164 - - [03/Oct/2015:16:06:19 -0700] "POST /api/reports HTTP/1.1" 403 58 "-" "Ruby"

An example of a sucessful SSL authentication (note the '201'):

10.32.125.164 - - [03/Oct/2015:16:06:00 -0700] "POST /api/reports HTTP/1.1" 201 554 "-" "Ruby"

Reference

Class: satellite_pe_tools

The only class of the module, satellite_pe_tools configures Puppet's report processor and facts indirector to communicate with Satellite.

Parameters

All parameters are required unless otherwise specified.

manage_default_ca_cert - Applicable to Red Hat-based systems only. When set to true, the module transfers the Satellite server's default CA certificate from the Satellite server to the master. This uses an untrusted SSL connection. Defaults to true.
satellite_url - The full URL to the Satellite server in the format https://url.to.satellite.
ssl_ca - The file path to the CA certificate used to verify the satellite server identitity. Not used if verify_satellite_certificate is set to false. Default: /etc/puppetlabs/puppet/ssl/ca/katello-default-ca.crt.
ssl_cert - The file path to the certificate signed by the Satellite CA. This is required for Satellite to verify the identity of the Puppet master.
ssl_key - The file path to the key generated by Satellite for the Puppet master. This is required for Satellite to verify the identity of the Puppet master.
verify_satellite_certificate - When set to false, allows the Satellite server to present an unsigned, unrecognized, or invalid SSL certificate. This creates the risk of a host falsifying its identity as the Satellite server. Valid values: true, false. Defaults to true.

Limitations

The satellite_pe_tools module requires Red Hat Satellite 6 and Puppet Enterprise 3.8.1 or later. This module is supported on:

Red Hat 7
CentOS 7
Oracle Linux 7
Scientific Linux 7

Development

This module was built by Puppet Labs specifically for use with Puppet Enterprise (PE).

If you run into an issue with this module, or if you would like to request a feature, please file a ticket.

If you are having problems getting this module up and running, please contact Support.

This Module is only available for users of Puppet Enterprise with a valid Software License Agreement 
for Puppet Enterprise.  This Module is not available for users of Puppet software under an open source license.

By downloading this Module, you agree that you have a valid Software License Agreement with Puppet Labs for 
Puppet Enterprise and you further agree that your use of this Module is governed by the terms of that 
Software License Agreement.

satellite_pe_tools

PDK

Supported

Version information

This version is compatible with:

Start using this module

Documentation

satellite_pe_tools

Table of Contents

Description

Setup

Setup requirements

Beginning with satellite_pe_tools

Usage

Debugging

Reference

Class: satellite_pe_tools

Parameters

Limitations

Development

2015-10-06 - Release 1.0.0

Summary

Dependencies