Upgrading to Puppet Enterprise 1.2
Puppet Enterprise ships with an upgrade script that will do a large part of the work of upgrading your installation. However, you will have to finish the configuration of PE 1.2 manually.
To upgrade to PE 1.2, you must:
- Download and unarchive the PE tarball.
- Run the puppet-enterprise-upgrader script.
- Check the notes below to find the version you’re upgrading from, and perform any manual tasks required.
Choosing Your Installer Tarball
Before upgrading Puppet Enterprise, you must download it from the Puppet Labs website.
Puppet Enterprise can be downloaded in tarballs specific to your OS version and architecture, or as a universal tarball. Although the universal tarball can be more convenient, it is roughly ten times the size of the version-specific tarball.
Filename ends with… | Will install…
---|---
-all.tar | anywhere
-debian-<version and arch>.tar | on Debian
-el-<version and arch>.tar | on RHEL, CentOS, Scientific Linux, or Oracle Linux
-sles-<version and arch>.tar | on SUSE Linux Enterprise Server
-solaris-<version and arch>.tar | on Solaris
-ubuntu-<version and arch>.tar | on Ubuntu LTS
Running the Upgrader
Once you’ve retrieved a PE tarball, unarchive it, navigate to the resulting directory, and run ./puppet-enterprise-upgrader. This script examines your system to determine which Puppet Enterprise roles are currently installed, then lists the packages these roles will require and asks whether you want to continue with the upgrade. Note that the list of packages shown is not complete: any new dependencies from your operating system’s repositories will be installed without confirmation, and the upgrade may fail if the system cannot reach those repositories. Note also that upgrades to PE 1.x systems with the Puppet Dashboard role and no puppet agent role may not upgrade cleanly, as this configuration is no longer supported under PE 1.2. We recommend that you run the puppet-enterprise-installer script in this situation, although this upgrade path has not been thoroughly tested.
After receiving confirmation, the upgrader will update existing packages, install new packages added in this version of PE, and run additional scripts or puppet manifests to make the system similar (though not necessarily identical) to a new installation of PE 1.2.
Upgrading From PE 1.2.1 Through 1.2.3
Remediate the AltNames Vulnerability
PE versions prior to 1.2.4 are vulnerable to the CVE-2011-3872 AltNames vulnerability. If you haven’t already neutralized any dangerous certificates at your site, you should download and use the remediation toolkit module to do so. See the README files included in the module for full documentation.
Upgrading From PE 1.2.0
Enable File Archiving
The PE 1.2.0 installer incorrectly placed puppet.conf’s archive_files = true setting in an inert [inspect] block. This caused puppet inspect to not upload files when submitting compliance reports.
If you haven’t already, edit your puppet.conf file to include archive_files = true under the [main] block when upgrading from 1.2.0.
Remediate the AltNames Vulnerability
PE versions prior to 1.2.4 are vulnerable to the CVE-2011-3872 AltNames vulnerability. If you haven’t already neutralized any dangerous certificates at your site, you should download and use the remediation toolkit module to do so. See the README files included in the module for full documentation.
Upgrading From PE 1.1 and Earlier
When upgrading from PE 1.1 and 1.0, you must:
- Create a new database for the inventory service and grant all permissions on it to the dashboard MySQL user.
- Manually edit the puppet.conf, auth.conf, site.pp, and settings.yml files on your puppet master.
- Generate and sign certificates for Puppet Dashboard to enable inventory and filebucket viewing.
- Restart pe-httpd.
- Remediate the AltNames vulnerability, if you have not already done so.
Puppet and Puppet Dashboard will continue to perform their pre-existing tasks properly if you skip the first four steps, but those steps are necessary to enable the new features added in version 1.2. The AltNames remediation is not optional.
Upgrades to sites which run the master and Dashboard on different servers can be significantly more complicated, and are supported on a case-by-case basis. Contact Puppet Labs support for more details.
Create a New Inventory Database
To support the inventory service, you must manually create a new database for puppet master to store node facts in. To do this, use the mysql
client on the server providing the database. The server providing the database will almost always be the server running puppet master and Dashboard.
# mysql -uroot -p
Enter password:
mysql> CREATE DATABASE dashboard_inventory_service;
mysql> GRANT ALL PRIVILEGES ON dashboard_inventory_service.* TO 'dashboard'@'localhost';
If you chose a different MySQL user name for Puppet Dashboard when you originally installed PE, use that user name instead of “dashboard”. If the database is served by a remote machine, use the hostname of the master/Dashboard server instead of “localhost”.
Edit /etc/puppetlabs/puppet/puppet.conf
- To use the new accounts, mcollectivepe, stdlib, and baselines modules, you must add the /opt/puppet/share/puppet/modules directory to Puppet’s modulepath:
[main]
modulepath = /etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules
Note that if you were previously using an older version of the stdlib module, or any modules with the same name as the accounts, mcollectivepe, or baselines modules, you will have to delete them in order to use the modules included with PE 1.2.
- To support the inventory service, you must configure Puppet to save facts to a MySQL database:
[master]
facts_terminus = inventory_active_record
dbadapter = mysql
dbname = dashboard_inventory_service
dbuser = dashboard
dbpassword = <MySQL password for dashboard user>
dbserver = localhost
If you chose a different MySQL user name for Puppet Dashboard when you originally installed PE, use that user name as the dbuser instead of “dashboard”. If the database is served by a remote machine, use that server’s hostname instead of “localhost”. Note that puppet.conf now holds the database password in clear text, so make sure the file is not readable by other users on the master.
- To support filebucket viewing when using the Puppet Compliance workflow, you must set archive_files to true for puppet inspect:
[main]
archive_files = true
Edit /etc/puppetlabs/puppet/auth.conf
To support the inventory service, you must add the following stanzas to your auth.conf
file:
# Allow Dashboard to retrieve inventory facts:
path /facts
auth yes
method find, search
allow dashboard
# Allow puppet master to save facts to the inventory:
path /facts
auth yes
method save
allow <puppet master's certname>
These stanzas must be inserted before the final stanza, which looks like this:
path /
auth any
If you paste the new stanzas after this final stanza, they will never take effect: auth.conf is evaluated top to bottom and the first stanza whose path matches decides the request, so the catch-all path / stanza would answer every request before the /facts stanzas are reached.
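The ordering rule above, as an added example (this is not Puppet’s own code): a small Python model of auth.conf evaluation that parses the stanza syntax shown here and lets the first stanza whose path, method and auth setting match a request decide it. The semantics it assumes are simplified (prefix path matching only, no regex paths, no environment handling), and the hostnames and auth.conf fragments are constructed. It shows that a /facts stanza placed after the catch-all path / stanza is never consulted, and it flags such shadowed stanzas.

```python
"""Model of how puppet's auth.conf picks a stanza (added example, not Puppet's
own code). Assumed, simplified semantics:
  * a stanza applies when its path is a prefix of the request path
    (regex paths introduced with '~' are not modelled),
  * a 'method' line restricts the stanza to the listed methods,
  * 'auth yes' applies to authenticated requests, 'auth no' to
    unauthenticated ones, 'auth any' to both (default is 'yes'),
  * the FIRST applicable stanza decides: allowed only if the client's
    certname (or '*') is in its allow list; later stanzas are never read.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Stanza:
    path: str
    auth: str = "yes"
    methods: Optional[List[str]] = None
    allow: List[str] = field(default_factory=list)


def parse_auth_conf(text: str) -> List[Stanza]:
    """Parse the 'path / auth / method / allow' stanza syntax."""
    stanzas: List[Stanza] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            stanzas.append(Stanza(path=value))
            continue
        if not stanzas:
            raise ValueError(f"directive before any path line: {line!r}")
        current = stanzas[-1]
        if key == "auth":
            current.auth = value
        elif key == "method":
            current.methods = [m.strip() for m in value.split(",")]
        elif key == "allow":
            current.allow.extend(a.strip() for a in value.split(","))
        else:
            raise ValueError(f"unknown directive: {line!r}")
    return stanzas


def decide(stanzas: List[Stanza], path: str, method: str, certname: str,
           authenticated: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; the first match wins."""
    for s in stanzas:
        if not path.startswith(s.path):
            continue
        if s.methods is not None and method not in s.methods:
            continue
        if s.auth == "yes" and not authenticated:
            continue
        if s.auth == "no" and authenticated:
            continue
        allowed = "*" in s.allow or certname in s.allow
        return allowed, f"decided by stanza 'path {s.path}'"
    return False, "no stanza matched"


def unreachable_stanzas(stanzas: List[Stanza]) -> List[int]:
    """1-based positions of stanzas shadowed by an earlier catch-all
    'path /' stanza that has no method restriction and 'auth any'."""
    for i, s in enumerate(stanzas):
        if s.path == "/" and s.methods is None and s.auth == "any":
            return list(range(i + 2, len(stanzas) + 1))
    return []


# Constructed fragments; hostnames are placeholders, not a real site.
CORRECT_ORDER = """
# Allow Dashboard to retrieve inventory facts:
path /facts
auth yes
method find, search
allow dashboard
path /facts
auth yes
method save
allow master.example.com
path /
auth any
"""

WRONG_ORDER = """
path /
auth any
path /facts
auth yes
method find, search
allow dashboard
"""

if __name__ == "__main__":
    good, bad = parse_auth_conf(CORRECT_ORDER), parse_auth_conf(WRONG_ORDER)
    print(decide(good, "/facts/web01.example.com", "find", "dashboard"))
    print(decide(bad, "/facts/web01.example.com", "find", "dashboard"))
    print("shadowed stanzas in WRONG_ORDER:", unreachable_stanzas(bad))
```

Run the file directly to see the same /facts request allowed under CORRECT_ORDER and denied under WRONG_ORDER; unreachable_stanzas is the check to run over your own auth.conf before restarting pe-httpd.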
Edit /etc/puppetlabs/puppet/manifests/site.pp
Even if you don’t use site.pp to classify nodes, you must add the following resource and resource default in order to support Puppet Dashboard’s filebucket viewing capabilities:
# specify remote filebucket
filebucket { 'main':
server => '<puppet master's hostname>',
path => false,
}
File { backup => 'main' }
This will cause all agent nodes to back up their file contents to the puppet master, which will then serve the files to Dashboard on demand.
Edit /etc/puppetlabs/puppet-dashboard/settings.yml
To turn on inventory and filebucket viewing, you must ensure that the following two options in settings.yml are set to true:
enable_inventory_service: true
use_file_bucket_diffs: true
You’ll also need to ensure that the following three settings point to one of the puppet master’s certified hostnames:
ca_server: '<puppet master's hostname>'
inventory_server: '<puppet master's hostname>'
file_bucket_server: '<puppet master's hostname>'
Also, make sure the following settings exist and are set to the suggested values; if any are missing, you will need to add them to settings.yml yourself:
private_key_path: 'certs/pe-internal-dashboard.private_key.pem'
public_key_path: 'certs/pe-internal-dashboard.public_key.pem'
ca_crl_path: 'certs/pe-internal-dashboard.ca_crl.pem'
ca_certificate_path: 'certs/pe-internal-dashboard.ca_cert.pem'
certificate_path: 'certs/pe-internal-dashboard.cert.pem'
key_length: 1024
cn_name: 'pe-internal-dashboard'
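As an added example (not part of Puppet Dashboard), the following Python checker reads a settings.yml and reports every option above that is missing or set wrongly, which is the cause of the rake failure described under Troubleshooting below. It assumes the caller supplies the puppet master’s certified hostnames, and it parses only the flat key: value lines shown here rather than full YAML. The two sample files and their hostnames are constructed.

```python
"""Checker for the settings.yml options the upgrade relies on (added example,
not part of Puppet Dashboard). It reads only the flat 'key: value' lines shown
above, so it needs no YAML library; indented (nested) YAML is ignored."""
from typing import Dict, List, Union

Value = Union[str, bool, int]

REQUIRED_TRUE = ("enable_inventory_service", "use_file_bucket_diffs")
MASTER_POINTERS = ("ca_server", "inventory_server", "file_bucket_server")
# Suggested values from the section above; a missing key is what makes the
# rake cert tasks fail with "can't convert nil into String".
SUGGESTED: Dict[str, Value] = {
    "private_key_path": "certs/pe-internal-dashboard.private_key.pem",
    "public_key_path": "certs/pe-internal-dashboard.public_key.pem",
    "ca_crl_path": "certs/pe-internal-dashboard.ca_crl.pem",
    "ca_certificate_path": "certs/pe-internal-dashboard.ca_cert.pem",
    "certificate_path": "certs/pe-internal-dashboard.cert.pem",
    "key_length": 1024,
    "cn_name": "pe-internal-dashboard",
}


def parse_flat_yaml(text: str) -> Dict[str, Value]:
    """Parse top-level 'key: value' lines: true/false and integers are typed,
    quotes around strings are dropped, '#' starts a comment."""
    settings: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace() or ":" not in line:
            continue  # blank, comment-only, or nested entry
        key, _, value = line.partition(":")
        value = value.strip()
        if value in ("true", "false"):
            settings[key.strip()] = value == "true"
        elif value.isdigit():
            settings[key.strip()] = int(value)
        else:
            settings[key.strip()] = value.strip("'\"")
    return settings


def check_settings(text: str, master_names: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the file is ready."""
    s = parse_flat_yaml(text)
    problems: List[str] = []
    for key in REQUIRED_TRUE:
        if s.get(key) is not True:
            problems.append(f"{key} must be true (found {s.get(key)!r})")
    for key in MASTER_POINTERS:
        if key not in s:
            problems.append(f"{key} is missing")
        elif s[key] not in master_names:
            problems.append(f"{key} is {s[key]!r}, not a certified master name")
    for key, expected in SUGGESTED.items():
        if key not in s:
            problems.append(f"{key} is missing (rake cert tasks will fail)")
        elif s[key] != expected:
            problems.append(f"{key} is {s[key]!r}, suggested {expected!r}")
    return problems


# Constructed sample files; hostnames are placeholders, not a real site.
GOOD_SETTINGS = """
# Dashboard settings after the edits above
enable_inventory_service: true
use_file_bucket_diffs: true
ca_server: 'master.example.com'
inventory_server: 'master.example.com'
file_bucket_server: 'master.example.com'
private_key_path: 'certs/pe-internal-dashboard.private_key.pem'
public_key_path: 'certs/pe-internal-dashboard.public_key.pem'
ca_crl_path: 'certs/pe-internal-dashboard.ca_crl.pem'
ca_certificate_path: 'certs/pe-internal-dashboard.ca_cert.pem'
certificate_path: 'certs/pe-internal-dashboard.cert.pem'
key_length: 1024
cn_name: 'pe-internal-dashboard'
"""

# A file left over from PE 1.1: inventory off, one pointer at the wrong host,
# most certificate settings absent.
BAD_SETTINGS = """
enable_inventory_service: false
use_file_bucket_diffs: true
ca_server: 'master.example.com'
inventory_server: 'dashboard.example.com'
file_bucket_server: 'master.example.com'
private_key_path: 'certs/pe-internal-dashboard.private_key.pem'
key_length: 1024
"""

if __name__ == "__main__":
    names = ["master.example.com", "puppet"]
    print("good:", check_settings(GOOD_SETTINGS, names))
    for problem in check_settings(BAD_SETTINGS, names):
        print("bad:", problem)
```

Feed it the real /etc/puppetlabs/puppet-dashboard/settings.yml and the output of puppet cert list --all for the master’s names before running the rake cert tasks; the missing-key messages are exactly the settings you would otherwise discover through the nil-conversion error.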
Generate and Sign Certificates for Puppet Dashboard
To support Dashboard’s inventory and filebucket viewing capabilities, you must generate and sign certificates to allow it to request data from the puppet master.
First, navigate to Dashboard’s installation directory:
$ cd /opt/puppet/share/puppet-dashboard
Next, create a keypair and request a certificate:
$ sudo /opt/puppet/bin/rake cert:create_key_pair
$ sudo /opt/puppet/bin/rake cert:request
Next, sign the certificate request. The name you sign must be the cn_name set in settings.yml, and it must also be the name you allowed in auth.conf; otherwise Dashboard’s requests will be denied:
$ sudo /opt/puppet/bin/puppet cert sign dashboard
Next, retrieve the signed certificate:
$ sudo /opt/puppet/bin/rake cert:retrieve
And finally, make puppet-dashboard the owner of the certificates directory:
$ sudo chown -R puppet-dashboard:puppet-dashboard certs
Troubleshooting
If these rake tasks fail with errors like can't convert nil into String, you may be missing a certificate-related setting from the settings.yml file. Go back to the previous section and make sure all of the required settings exist.
Restart pe-httpd
To reload all of the relevant puppet master and Dashboard config files, restart Apache:
$ sudo /etc/init.d/pe-httpd restart
Remediate the AltNames Vulnerability
PE versions prior to 1.2.4 are vulnerable to the CVE-2011-3872 AltNames vulnerability. If you haven’t already neutralized any dangerous certificates at your site, you should download and use the remediation toolkit module to do so. See the README files included in the module for full documentation.