
My current CentOS 7 server is already running Apache web server 2.4x, using default ports 80 and 443. Puppet Enterprise version 2019.x, which uses nginx (pe-nginx to be exact), is configured by default to use the exact same ports.

What needs to be changed to make pe-nginx web server use ports 8090 and 444 instead of the default 80 and 443?

According to https://puppet.com/docs/pe/2019.0/config_console.html I should disable the HTTPS redirect. Here are the instructions I tried:

The pe-nginx webserver listens on port 80 by default. If you need to run your own service on port 80, you can disable the HTTPS redirect.

Edit your Hiera.yaml file to disable HTTP redirect.

```yaml
puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: false
```

This is the modified file: /etc/puppetlabs/code/environments/production/hiera.yaml

```yaml
---
version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
  # When specifying a datadir, make sure the directory exists.
  # See https://puppet.com/docs/puppet/latest/environments_about.html for further details on environments.
  # datadir: data
  # data_hash: yaml_data
hierarchy:
  - name: "Per-node data (yaml version)"
    path: "nodes/%{::trusted.certname}.yaml"
  - name: "Other YAML hierarchy levels"
    paths:
      - "common.yaml"
puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: false
```

I am new to YAML and can see that this is probably not right, but I tried it anyway.

It does not say what to do after changing the file to implement the change; this is what I tried:

```
puppet infrastructure configure --recover 
Notice: Unable to recover PE configuration: The Lookup Configuration at '/etc/puppetlabs/code/environments/production/hiera.yaml' has wrong type, unrecognized key 'puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect'
2019-05-07T15:41:29.722+00:00 - [Notice]: Compiled catalog for tadm10-adm.test.hfgs.net in environment enterprise in 2.08 seconds
2019-05-07T15:41:42.489+00:00 - [Notice]: Applied catalog in 12.05 seconds
netstat -tulpn | grep -v tcp6|grep ":443\|:80\|:8090\|:444"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      32272/nginx: master 
```
Phil
  • I'm unfamiliar with configuring the PE version, but you're certainly modifying the wrong file. Note that you have changed the meaning of the docs by stripping formatting that in the original distinguishes "Hiera" and "`.yaml`" as separate descriptions of the file you're to modify, not a file name. What you have modified is a configuration file for Puppet's "Hiera" subsystem. What you are meant to modify is one of the associated data files, which normally reside one directory deeper. The docs suggest an `hieradata/` subdirectory, but the config file itself seems to indicate `data/`. – John Bollinger May 07 '19 at 18:19
  • Additionally, perhaps it makes sense in a PE installation, but it seems odd to me that the configuration should be in a per-environment data file. Hiera supports global data, too, which is where I would have guessed that such a detail would be recorded. – John Bollinger May 07 '19 at 18:21
  • Thanks John for the insight. I believe the location of hiera.yaml is correct so have checked in the data directory at that location and it's currently empty, oh well. While I would have liked to figure out how to do that I have good news. I am documenting an answer to this using the Web Console. – Phil May 08 '19 at 13:22
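
The error in the question comes from Hiera 5 rejecting any top-level key in hiera.yaml other than its own configuration keys. As an added example (not part of the original post and not Puppet's code), this Ruby script separates stray `class::parameter` keys from the configuration and lists the data files the hierarchy reads; the function names are hypothetical and the sample is the question's file with comments trimmed.

```ruby
require 'yaml'

# Top-level keys Hiera 5 accepts in hiera.yaml; anything else is rejected.
HIERA5_CONFIG_KEYS = %w[version defaults hierarchy default_hierarchy].freeze

# Constructed sample: the hiera.yaml from the question, comments trimmed.
QUESTION_HIERA_YAML = <<~YAML
  ---
  version: 5
  defaults:
  hierarchy:
    - name: "Per-node data (yaml version)"
      path: "nodes/%{::trusted.certname}.yaml"
    - name: "Other YAML hierarchy levels"
      paths:
        - "common.yaml"
  puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: false
YAML

# Hypothetical helper: split a hiera.yaml into config, misplaced data, unknown keys.
def audit_hiera_config(text)
  doc = YAML.safe_load(text) || {}
  raise ArgumentError, 'hiera.yaml must be a YAML mapping' unless doc.is_a?(Hash)

  config, stray = doc.partition { |key, _| HIERA5_CONFIG_KEYS.include?(key.to_s) }
  # A stray key shaped like class::parameter is lookup data, not configuration.
  data, unknown = stray.partition { |key, _| key.to_s.include?('::') }
  { config: config.to_h, data: data.to_h, unknown: unknown.map(&:first) }
end

# Hypothetical helper: data files the hierarchy reads, relative to hiera.yaml.
def data_file_targets(config)
  default_dir = (config['defaults'] || {})['datadir'] || 'data'
  Array(config['hierarchy']).flat_map do |level|
    dir = level['datadir'] || default_dir
    (Array(level['path']) + Array(level['paths'])).map { |p| File.join(dir, p) }
  end
end

if $PROGRAM_NAME == __FILE__
  report = audit_hiera_config(QUESTION_HIERA_YAML)
  report[:data].each_key { |key| puts "misplaced data key: #{key}" }
  puts "candidate data files: #{data_file_targets(report[:config]).join(', ')}"
  puts 'move to a data file as:', report[:data].to_yaml
end
```

The `data/` default comes from the comment in the question's own hiera.yaml; whether PE reads that environment's data for its infrastructure classes is not established on this page.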

1 Answer


While I never could figure out how to accomplish this using Puppet Labs' suggestion of modifying the hiera.yaml file, I have figured out how to do this using the Web Console.

The modifications remove all conflicts with the existing Apache httpd that uses ports 80 and 443.

The PE Web Console will now need to be accessed via port 444.

This is the fix:

From the Web Console

  1. Select Configure
  2. Select Classification
  3. Select the + icon labeled "PE Infrastructure" production to display Classes
  4. Select PE Console production link
  5. Select Configuration tab
  6. Under "Classes" section - Add new class
  7. Select "puppet_enterprise::profile::console::proxy::http_redirect" from the list
  8. Select Add class button
  9. Select commit 1 change
  10. New class now shows on the page
  11. Select parameter name: enable_http_redirect from the list
  12. Set value to false
  13. Add parameter
  14. Select commit 1 change
  15. Select parameter name: ssl_listen_port from the list
  16. Set value to 444
  17. Add parameter
  18. Select commit 1 change

When running puppet agent -t I now get an error as shown below

```
Duplicate declaration: Class[Puppet_enterprise::Profile::Console::Proxy::Http_redirect] is already declared; 
cannot redeclare (file: /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/profile/console/proxy.pp, 
line: 211)
```

Remove the duplicate declaration from proxy.pp

Edit: /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/profile/console/proxy.pp

```puppet
#class { 'puppet_enterprise::profile::console::proxy::http_redirect' :
#  ssl_listen_port => Integer($ssl_listen_port),
#}
```

Re-run puppet agent -t

```
puppet agent -t
```

Console Port (Port 443 change)

From the Web Console

  1. Configure
  2. Classification
  3. Select PE Infrastructure production
  4. Configuration tab
  5. Class: puppet_enterprise::profile::console
  6. Add Parameter
  7. Parameter Name: console_port
  8. Value: 444

Run puppet agent -t and check ports

```
# puppet agent -t
# netstat -tulpn | grep -v tcp6|grep ":443\|:80\|:8090\|:444"
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      11182/nginx: master 
```

Start httpd

```
# systemctl start httpd
# netstat -tulpn | grep -v tcp6|grep ":443\|:80\|:8090\|:444"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      13353/httpd         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      13353/httpd         
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      11182/nginx: master 
```

Accessing the PE Web Console is now via port 444

https://hostname:444/#/inspect/overview
Phil
  • You can add both those settings to the Data section of the PE Console group, save, then kick off a puppet run. – steveax May 16 '19 at 03:11