Puppet fileserver configuration with Scientific Linux 6.1 and SELINUX

The fileserver in Puppet is useful for quickly centralizing configuration files for multiple servers. It works well for serving small text configuration files to clients, but not recommended for large files since it places them into memory before sending them out. For larger files, I recommend using git or rsync instead since it doesn’t affect the performance of the puppetmaster server.

After installing it on Scientific Linux 6.1, I had to go through some extra steps because of the SELINUX restrictions. Here’s the steps I went through to get the Puppet fileserver working.

This guide assumes that you already have a Puppet master installed.

1. Add the puppetmaster variable to /etc/puppet/manifests/site.pp
   $puppetmaster='myserver.com'   (change to the DNS name of your puppetmaster server)
   This is useful in case you change your puppetmaster server or want to copy the existing configuration to another puppetmaster server.
2. Edit /etc/puppet/manifests/fileserver.conf on your Puppetmaster. I called the file mount point “files” in my example.
   [files]
path /var/lib/puppet/files
allow *
Note: I am blocking access to port 443 on my puppetmaster box via iptables. If you want to restrict access to the fileserver via puppet, change the allow * to allow *.mydomain.com (or the IP address of your puppet clients).
3. Create a directory called “files”  in /var/lib/puppet/. You can select another name if you wish, but it has to match the one in /etc/puppet/fileserver.conf.
   cd /var/lib/puppet/
mkdir files
4. Change the SELINUX permissions on this folder to allow “puppet_var_lib_t”
   semanage fcontext -a -t puppet_var_lib_t /var/lib/puppet/files(/.*)
   Note: Semanage is not installed on Red Hat 6.0 by default. You will need to download semanage via
   yum install policycoreutils-python
Or, run “restorecon files” since the parent folder already has the correct permissions. If you don’t set this, you will get errors on the client puppet machines stating they “cannot read file from puppet://”.
5. Copy your configuration file(s) to /var/lib/puppet/files/. Make sure the files have the correct SELINUX permissions set on them. You can check via
   ls -laZ
   If they do not have the right permissions, run
   restorecon [name of file]
6. Inside your puppet class, you can refer to the fileserver via the file{} method.Replace the “/path/to/client-config” with the path of the client config file location.
   Replace the “client-config-source” with the file hosted on the file server. I usually have subfolders for each type of service such as httpd, mysqld.  Backup a copy of the file you plan to replace on the client machine.file { "/path/to/client-config":
owner => "root",
group => "root",
source => "puppet://$puppetserver/files/client-config-source",
}
7. Restart the puppetmaster service. This will start up the fileserver.
   service puppetmaster restart
8. Last but not least, always test before running this on a production server.

“Could not evaluate: Could not retrieve information from environment production source(s) puppet:///file/[my source file] at /etc/puppet/manifests/classes/my_sample_class.pp”

DISCLAIMER: This is for informational purposes only. We are providing absolutely no warranty for this information. Use this information at your own risk. Always perform upgrades on a test server before production and always have a full backup of the system.

Update 4/19/2012 — Thanks Dave Quigley for the tip on semanage. I’ve updated the documentation with semanage instead of chcon. The selinux changes need to be persistent.