path: root/doc/wiki-dump/Puppet.md
blob: 27ff8162a2dab6f194d631730ed8769aed69702f

Setting up an RPKI testbed with Puppet

This document outlines how Google stood up a few virtual machines to serve as a testbed for evaluating and running RPKI.net packages. The rpki-mgmt project, at https://github.com/google/rpki-mgmt, contains puppet modules and a setup script that generates a puppet manifest for the testbed.

The testbed consists of:

  • A puppet server
  • An RPKI Certificate Authority, with Relying Party tools
  • One or more log servers
  • One or more publication servers

All of the machines, except for the publication servers, are intended to run on an internal/private network. The publication servers collect RPKI data from the CA (Certificate Authority) and republish it to the world.

Currently the puppet modules are fairly tightly coupled to the exact configuration and host OS (Debian Jessie) used by Google. Hopefully future versions of the modules will be more flexible.

Information gathering

To begin with, you will need to collect or set up the following:

  • DNS names for all machines. The host names should match the DNS names, as the puppet modules make use of puppet's node certificates for secure connections to the log servers, and puppet's node certificates are based on the node's hostname. For example:

       pup.rpki.example.com       IN      A       10.1.1.10
       ca.rpki.example.com        IN      A       10.1.1.11
       log.rpki.example.com       IN      A       10.1.1.12
       pub.rpki.example.com       IN      A       10.1.1.13

  • (Optionally) Banner text for publication servers

  • (Optionally) Network range to restrict ssh access. Default is unrestricted (0.0.0.0/0)
  • (Optionally) Any additional puppet configuration for all nodes (e.g. user(s) to create, their associated ssh key(s)).

Install VMs

Create all the VMs and perform basic setup (IP address, resolver config, etc.)

Set up pup.rpki.example.com

  • apt-get install puppetmaster
  • Edit the '[main]' section of /etc/puppet/puppet.conf
    • server=puppet.rpki.example.com
    • pluginsync=true

Run script to generate puppet config

The rpki-mgmt generate script will prompt you for the node names and the other information gathered earlier.

Use newly generated puppet config to configure puppet master

  • cp /root/rpki-mgmt.pp /etc/puppet/manifests/site.pp
  • puppet agent --enable
  • puppet agent -t

Enroll all machines with the puppet master

  • apt-get install puppet
  • edit /etc/puppet/puppet.conf [main] section
    • add 'server=pup.rpki.example.com'
    • add 'pluginsync=true'
  • puppet agent --enable
  • puppet agent -t
    • this will print the message 'Exiting; no certificate found and waitforcert is disabled'
    • Ignore the error and continue with the next machine

Sign puppet certificates

  • On pup.rpki.example.com
    • puppet cert list
    • puppet cert sign --all
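Because the modules trust puppet's node certificates (issued for the hostname in the CSR) for the connections to the log servers, signing every pending request with `--all` also signs any request that did not come from one of the testbed hosts. The following script is an added example, not part of rpki-mgmt or the original page: it keeps the host list gathered earlier, signs only requests whose names match it, and warns about anything else. EXPECTED_NODES and the sample `puppet cert list` output are constructed for the example; the sed parsing assumes the name is the first double-quoted token on each line, as Puppet 3 prints it.

```shell
#!/bin/sh
# Added example: sign only the pending puppet CSRs for the testbed hosts
# gathered earlier, instead of "puppet cert sign --all".
# EXPECTED_NODES and SAMPLE_CERT_LIST below are constructed for this example.
EXPECTED_NODES="ca.rpki.example.com log.rpki.example.com pub.rpki.example.com"

# Print the certificate names from "puppet cert list" output (stdin),
# one per line: the name is the first double-quoted token on each line.
pending_names() {
    sed -n 's/^[ +-]*"\([^"]*\)".*/\1/p'
}

# Return 0 if $1 is exactly one of the expected node names, 1 otherwise.
is_expected() {
    for node in $EXPECTED_NODES; do
        [ "$1" = "$node" ] && return 0
    done
    return 1
}

# Read "puppet cert list" output on stdin, echo the names that may be
# signed, and warn on stderr about any request that is not expected.
select_expected() {
    pending_names | while IFS= read -r name; do
        if is_expected "$name"; then
            printf '%s\n' "$name"
        else
            printf 'WARNING: unexpected CSR for %s, not signing\n' "$name" >&2
        fi
    done
}

# On pup.rpki.example.com: sign only the vetted requests, one at a time.
sign_expected() {
    puppet cert list | select_expected | while IFS= read -r name; do
        puppet cert sign "$name"
    done
}

# Constructed sample of "puppet cert list" output, including a request
# from a host that is not part of the testbed.
SAMPLE_CERT_LIST='  "ca.rpki.example.com" (SHA256) 11:22:33:44
  "log.rpki.example.com" (SHA256) 55:66:77:88
  "rogue.rpki.example.com" (SHA256) 99:AA:BB:CC'

# Only touch the real puppet CA when explicitly asked to.
if [ "${1:-}" = "--sign" ]; then
    sign_expected
fi
```

Run it with `--sign` on the puppet master in place of the `sign --all` step; without arguments it only defines the functions.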

Run puppet on log servers

  • puppet agent -t

Run puppet on all other servers

  • puppet agent -t

Install rpki software on rpki master node(s)

  • apt-get install rpki-ca rpki-rp
  • you'll need to set the MySQL admin password

Configure RPKI.net software

At this point your testbed environment should be set up, and you are ready to continue and configure the RPKI.net software. More information on that process can be found at