Puppet? What is it?
If you are a system administrator or a DevOps engineer who maintains hundreds or thousands of servers, you know the pain of keeping a consistent configuration on each system. An easy way to do that is to maintain a checklist and, whenever a server is set up, ensure that every point in the checklist is ticked. But whenever a minor configuration change has to be made on every server, it becomes a pain: go to every server, edit the file, add the line, save the file, restart the service, and repeat. By the time you have completed the task, it will already have cost your organization a significant amount of money, time and manpower, which could have been saved if there were a thing called ‘Automation’.
When you think about automating things, and especially about maintaining a consistent configuration on hundreds or thousands of servers, one tool you should know is ‘Puppet’. Puppet is an open source configuration management tool written in Ruby. It is developed and maintained by Puppet Labs. Puppet works on Linux, Unix, Mac and Windows operating systems and their flavors, whether on physical servers or virtual ones.
In Puppet, with a few lines of code, you can have a consistent configuration on all your servers. You write the code, test it on one server and apply that configuration to all your servers. For this, you have a centralized server, called the ‘Puppet Master’, which has all the information about the servers in your infrastructure and the configurations to be applied on them. The other servers, which fetch the relevant information from the Puppet master, are known as ‘Agent Nodes’ or simply ‘Nodes’.
In this article, we will learn how to install Puppet on the Master node and agent nodes. For this tutorial, we have the setup below:
- Puppet Master – CentOS7 – 192.168.186.223
- Puppet Agent Node – CentOS7 – 192.168.186.224
Installation of Puppet Master
Note: Before we proceed with the Puppet Master installation, ensure that you have configured the NTP server properly so that the system time is set correctly.
1. Download PuppetLabs Package
To download the PuppetLabs package, use the wget command as shown below:
$ cd ~
$ wget http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
2. Install the RPM
To install the downloaded RPM, use the rpm command as shown below:
$ rpm -Uvh puppetlabs-release-el-7.noarch.rpm
3. Install Puppet Master
To install Puppet Master, use the yum command as shown below:
$ yum install puppet-server
This will install Puppet Master on your system. To verify this, you can use the rpm command as shown below:
$ rpm -qa | grep puppet-server
puppet-server-3.8.7-1.el7.noarch
The output shows the RPM package we have just installed. To check the Puppet Master version, we can use the puppet --version command as shown below:
$ puppet --version
3.8.7
4. Start the Puppet Master
Once we have Puppet Master installed, we can start the puppetmaster service right away.
$ service puppetmaster start
# OR
$ systemctl start puppetmaster
5. Add the service to startup
This ensures that the puppetmaster service is started on every system reboot.
$ systemctl enable puppetmaster
Installation of Puppet Agent Node
1. Download PuppetLabs Package
To download the PuppetLabs package, use the wget command as shown below:
$ cd ~
$ wget http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
2. Install the RPM
To install the downloaded RPM, use the rpm command as shown below:
$ rpm -Uvh puppetlabs-release-el-7.noarch.rpm
3. Install Puppet Agent
To install Puppet Agent, use the yum command as shown below:
$ yum install puppet
4. Configure Puppet Master in Agent Node
We have now installed the Puppet agent on a node, but it needs to know which Puppet master to contact in order to fetch its configurations. For this, we use the FQDN (Fully Qualified Domain Name) of the Puppet master, which can come from the DNS server or from an entry in /etc/hosts. In this case, we use the latter option.
$ cat /etc/hosts
192.168.186.223 centos-server.example.com
192.168.186.224 centos-client.example.com
Now, in the Puppet configuration file, we must specify which Puppet master the agent should contact to fetch its node-specific configurations. We do this by adding the following line in the [agent] section of /etc/puppet/puppet.conf:
$ cat /etc/puppet/puppet.conf
[main]
...
...
server=centos-server.example.com
...
...
5. Start the Puppet Agent
Once we have Puppet Agent installed, we can start the puppet service straight away.
$ service puppet start
# OR
$ systemctl start puppet
6. Add the service to startup
This ensures that the puppet service is started on every system reboot.
$ systemctl enable puppet
Sign the Certificates
Before a Puppet node can use the configurations present on the master, the Puppet master must sign the certificate created for the agent node. To view the unsigned certificates, you can run the puppet cert list command as below:
$ puppet cert list
"centos-client.example.com" (SHA256) CC:E8:31:4F:2A:0F:08:36:2E:A7:52:28:B8:84:EC:3F:89:51:6A:88:EB:B4:60:99:42:18:12:CF:B7:48:6F:4A
In order to sign the certificate from centos-client.example.com, run the puppet cert sign command as below:
$ puppet cert sign centos-client.example.com
Notice: Signed certificate request for centos-client.example.com
Notice: Removing file Puppet::SSL::CertificateRequest centos-client.example.com at '/var/lib/puppet/ssl/ca/requests/centos-client.example.com.pem'
Now, we run the puppet cert list command to see if there are any changes.
$ puppet cert list
So, there are no unsigned certificates now, indicating that we have successfully configured the Puppet master and agent. You can verify this by running the puppet agent -t command on the Puppet agent node.
$ puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for centos-client.example.com
Info: Applying configuration version '1487459767'
Notice: Finished catalog run in 0.02 seconds
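The signing step above accepts whatever request is pending under that name. As an added example (not part of the original tutorial), the shell functions below compare the fingerprint reported by puppet cert list with one read on the agent itself via puppet agent --fingerprint, and succeed only on a match; the function names are this example's own, and the sample line is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: check a pending request's fingerprint before `puppet cert sign`.
# Function names are this example's own, not Puppet commands.

# Constructed sample: one line of `puppet cert list` output, as shown above.
SAMPLE_LIST='  "centos-client.example.com" (SHA256) CC:E8:31:4F:2A:0F:08:36:2E:A7:52:28:B8:84:EC:3F:89:51:6A:88:EB:B4:60:99:42:18:12:CF:B7:48:6F:4A'

# Read `puppet cert list` output on stdin and print the fingerprint of the
# pending request for certname $1. Exit status 1 if no such request is listed.
csr_fingerprint() {
    awk -v name="$1" '
        { n = $1; gsub(/"/, "", n) }
        n == name { print $3; found = 1 }
        END { exit !found }'
}

# Upper-case the hex digits and drop whitespace so that formatting
# differences between the two sources do not cause a false mismatch.
normalise_fp() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# verify_csr CERTNAME EXPECTED_FP, with `puppet cert list` output on stdin.
# Returns 0 on match, 1 on mismatch, 2 when no request is pending.
verify_csr() {
    seen=$(csr_fingerprint "$1") || return 2
    [ "$(normalise_fp "$seen")" = "$(normalise_fp "$2")" ] || return 1
}

# On the master, with $expected copied from the agent's own
# `puppet agent --fingerprint` output over a channel you trust:
#   puppet cert list | verify_csr centos-client.example.com "$expected" \
#       && puppet cert sign centos-client.example.com
```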
Common error
When you run the command puppet agent -t, you might get the error message below:
Error: Could not request certificate: Connection refused – connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
To resolve this, you should ensure that:
- Ping is okay from master to agent and vice versa.
- Port 8140 is open on master (netstat -nltap | grep 8140).
- You are able to telnet to port 8140 on master, from the agent node (telnet puppet-master-ip 8140).
- If telnet is not working, you can add the following rule to iptables:
iptables -I INPUT -p tcp -m tcp --dport 8140 -j ACCEPT