Puppet, from Puppet Labs, is a well-known open-source configuration management tool that helps system administrators automate the configuration, provisioning and maintenance of OS infrastructure. It runs on many Unix-like systems as well as on Microsoft Windows, and includes its own declarative language to describe system configuration.

In a big infrastructure, where we have hundreds or thousands of machines per data center, it is quite important to manage the few basic repeating tasks on every machine that play a key role in keeping the setup running smoothly with minimum human intervention; the rest of the work is automatically pushed and enforced by the Puppet server of the local data center. This frees the time otherwise spent on these tasks, which can then be used to improve other aspects of the overall setup.

In this post we will see how to install and configure Puppet master server 3.8.7 on CentOS6, with client machines on CentOS6 and Ubuntu 14.04.

Setup

For this setup, we are using CentOS6 and Ubuntu 14.04 machines.

Puppet Master -- CentOS6

Puppet Client -- CentOS6 and Ubuntu 14.04

Below are the details of the machines used in this setup.

Server Role      Hostname                      IP Address
-----------      --------                      ----------
Puppet Server -- puppetmaster.geekpills.com    192.168.122.26
Puppet Client -- srv57.geekpills.com           192.168.122.51
Puppet Client -- srvu1.geekpills.com           192.168.122.156

All of these machines are upgraded as of Feb 2018.

Before we start working on this setup, we should be clear on two points:
1. Every machine should be able to resolve the hostnames. In a big setup we would use a DNS server; I am using the /etc/hosts file for name resolution.
2. Time should be in sync between the nodes; usually we configure NTP for this.

From here on, we assume that all machines can resolve the hostnames and sync time with the same NTP server.

Installation of Puppet Master

We have a CentOS6 machine, which we are going to configure as the Puppet master. To install the Puppet master packages on a CentOS/RHEL/Fedora machine, we first have to install the puppetlabs release package as shown below.

# yum -y install http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

Installing this package enables the puppetlabs repository on this machine, so now we can install the puppet-master packages with the command below.

# yum -y install puppet-server

With this command we have puppet-master installed on the machine. We can check the Puppet version with the command below.

[root@puppetmaster ~]# puppet -V
3.8.7

Configure Basic Puppet

Now that puppet-master is installed on the machine, we need to configure the puppet-master server. Although many Puppet configuration files may need to be changed in various cases, the most basic one is /etc/puppet/puppet.conf.

We are printing only the effective lines of puppet.conf; only the colored ones were edited in the file.

# awk '$1!="#" && NF >= 1 ' /etc/puppet/puppet.conf 
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    dns_alt_names = puppetmater,puppetmaster.geekpills.com    
[master]
    environmentpath = $confdir/environments
    basemodulepath = $confdir/modules:/opt/puppet/share/modules
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig

We can configure Puppet for many setups and environments if we separate their configuration files up front and register them properly in the main Puppet configuration. For that, we are going to create a separate environment for the production setup like below.

mkdir -p /etc/puppet/environments/production/{modules,manifests}

So now we have a production setup with a separate directory structure for its modules and manifests. We also need to create an environment.conf file for the production setup.

# cat /etc/puppet/environments/production/environment.conf 
modulepath = /etc/puppet/environments/production/modules
environment_timeout = 5s

Generating master certificate

Now create new CA certificates for the Puppet master by running the following command.

[root@puppetmaster puppet]# puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 10:C7:28:9E:40:12:ED:AB:5E:88:68:F3:C0:A6:F7:89:C1:01:52:73:F2:DE:40:BF:2D:ED:39:91:D0:12:D3:59
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for puppetmaster
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetmaster
Info: Certificate Request fingerprint (SHA256): 52:7F:15:98:2D:2C:63:55:F9:B6:F1:88:80:B6:8F:CB:4D:0B:69:1C:CB:73:6C:3A:66:7C:A8:DC:04:85:05:99
Notice: puppetmaster has a waiting certificate request
Notice: Signed certificate request for puppetmaster
Notice: Removing file Puppet::SSL::CertificateRequest puppetmaster at '/var/lib/puppet/ssl/ca/requests/puppetmaster.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppetmaster at '/var/lib/puppet/ssl/certificate_requests/puppetmaster.pem'
Notice: Starting Puppet master version 3.8.7

We can see the Puppet master certificate with the command below.

[root@puppetmaster ~]# puppet cert list --all
+ "puppetmaster" (SHA256) A5:78:9B:0A:F3:09:1B:2A:8A:0A:4D:6E:1B:18:5F:45:4B:03:71:A3:00:21:66:B7:46:9E:72:AF:C9:60:E8:51 (alt names: "DNS:puppetmaster", "DNS:puppetmaster.geekpills.com", "DNS:puppetmater")

These certificates are located in "/var/lib/puppet/ssl". If you wish, you can delete these certificates and create them again, but please keep in mind that every client certificate request and signed certificate is also located in the same directory.

Up to here, the Puppet master configuration is complete. Now we can proceed to the client configuration.

Puppet Client Configuration on CentOS6

For this client configuration we are using the same operating system, CentOS6. We will install and configure the Puppet client on this machine.

First of all, we have to install the puppetlabs release package to enable its repository on this machine.

# yum -y install http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

With the above command done, the machine is now able to install the Puppet client with the command below.

# yum install puppet -y



Configure puppet agent

With the couple of commands above, we are done with the Puppet agent installation on CentOS6. Now we need to configure the Puppet agent to match the puppetmaster configured earlier.

To configure the Puppet agent, we just need to mention the server information in /etc/puppet/puppet.conf like below.

[root@srv57 ~]# awk '$1!="#" && NF >= 1 ' /etc/puppet/puppet.conf 
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = puppetmaster

Creating the Agent certificate

Once this is done, you need to create the certificate on the Puppet agent with the command below.

root@srvu1:~# puppet agent --verbose --no-daemonize --onetime
Info: Creating a new SSL key for srvu1
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for srvu1
Info: Certificate Request fingerprint (SHA256): 66:2E:2B:90:FE:73:5E:55:49:C1:95:5F:19:BF:5F:7E:ED:B9:8C:F1:63:FB:75:C5:A7:FD:42:C5:02:41:CC:D3
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

Once the certificate request has been created on the agent side, you also need to sign it on the Puppet master side.

[root@puppetmaster ~]# puppet cert list
  "srv57" (SHA256) 37:56:2D:E5:B3:D3:BC:7E:18:CB:90:38:99:4B:96:EF:52:06:98:1E:97:20:5A:1E:94:8B:7E:C8:55:3E:77:93


[root@puppetmaster ~]# puppet cert sign srv57
Notice: Signed certificate request for srv57
Notice: Removing file Puppet::SSL::CertificateRequest srv57 at '/var/lib/puppet/ssl/ca/requests/srv57.pem'

We can see the certificates waiting to be signed and can sign them as shown. Once this is done, we are done with the very basic configuration of the Puppet agent on CentOS6. Let's see how to install the Puppet agent on an Ubuntu 14.04 machine.

Installation of Puppet Agent on Ubuntu 14.04

Ubuntu uses the apt-get package manager to install packages, but it is also required to add the repository for Ubuntu like below.

This applies only to Ubuntu 14.04:
wget https://apt.puppetlabs.com/puppetlabs-release-trusty.deb
dpkg -i puppetlabs-release-trusty.deb 

The above commands add the repository; the commands below install the Puppet agent.
apt-get update
apt-get install puppet

Configure Ubuntu Puppet Agent

Once the Puppet agent is installed, we have to configure it so that it connects to the puppet-master machine.

The main Puppet configuration file is the same as it was on CentOS6, /etc/puppet/puppet.conf, so we mention the Puppet server name in it like below.

root@srvu1:~#  awk '$1!="#" && NF >= 1 ' /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
[master]
ssl_client_header = SSL_CLIENT_S_DN 
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
server = puppetmaster

Once we are done editing the main configuration, we have to enable the Puppet service.

# puppet agent --enable

Creating puppet agent certificate

Now we have to create the Puppet agent certificate as shown below; this certificate request will wait on the Puppet master to be signed.

root@srvu1:~# puppet agent --verbose --no-daemonize --onetime
Info: Creating a new SSL key for srvu1
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for srvu1
Info: Certificate Request fingerprint (SHA256): 66:2E:2B:90:FE:73:5E:55:49:C1:95:5F:19:BF:5F:7E:ED:B9:8C:F1:63:FB:75:C5:A7:FD:42:C5:02:41:CC:D3
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

Now we have to sign the certificate on the server side.

[root@puppetmaster ~]# puppet cert list
  "srvu1" (SHA256) 66:2E:2B:90:FE:73:5E:55:49:C1:95:5F:19:BF:5F:7E:ED:B9:8C:F1:63:FB:75:C5:A7:FD:42:C5:02:41:CC:D3


[root@puppetmaster ~]# puppet cert sign srvu1
Notice: Signed certificate request for srvu1
Notice: Removing file Puppet::SSL::CertificateRequest srvu1 at '/var/lib/puppet/ssl/ca/requests/srvu1.pem'
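
Both signing steps above (srv57 and srvu1) sign whatever request is waiting under that name. As an added example, not part of the original post, the script below compares the fingerprint the agent printed with the one `puppet cert list` shows before `puppet cert sign` is run; the function names and sample variables are assumptions for this example, and the sample text is constructed from the outputs shown in this post.

```bash
#!/bin/bash
# Added example: check a pending CSR against the fingerprint the agent printed
# before running `puppet cert sign`. Function names are made up for this example.

# Constructed samples, assembled from the outputs shown in this post.
AGENT_LOG='Info: Creating a new SSL certificate request for srvu1
Info: Certificate Request fingerprint (SHA256): 66:2E:2B:90:FE:73:5E:55:49:C1:95:5F:19:BF:5F:7E:ED:B9:8C:F1:63:FB:75:C5:A7:FD:42:C5:02:41:CC:D3'
CERT_LIST='  "srvu1" (SHA256) 66:2E:2B:90:FE:73:5E:55:49:C1:95:5F:19:BF:5F:7E:ED:B9:8C:F1:63:FB:75:C5:A7:FD:42:C5:02:41:CC:D3
+ "puppetmaster" (SHA256) A5:78:9B:0A:F3:09:1B:2A:8A:0A:4D:6E:1B:18:5F:45:4B:03:71:A3:00:21:66:B7:46:9E:72:AF:C9:60:E8:51 (alt names: "DNS:puppetmaster", "DNS:puppetmaster.geekpills.com", "DNS:puppetmater")'

# Fingerprint the agent reported for its own CSR (the last one if it ran twice).
agent_fingerprint() {
  printf '%s\n' "$1" |
    sed -n 's/^Info: Certificate Request fingerprint (SHA256): \([0-9A-F:]*\).*$/\1/p' |
    tail -n 1
}

# Line the master shows for a pending request of node $2. Signed entries
# start with "+", so their first field is never the quoted node name.
pending_line() {
  printf '%s\n' "$1" |
    awk -v n="$2" '{ name = $1; gsub(/"/, "", name) } name == n && $2 == "(SHA256)"'
}

# Exit status: 0 safe to sign, 1 fingerprint mismatch, 2 nothing to compare,
# 3 the request asks for alt names (listed the way the master's own are).
check_csr() {  # usage: check_csr NODE AGENT_OUTPUT CERT_LIST_OUTPUT
  local want line got
  want=$(agent_fingerprint "$2")
  line=$(pending_line "$3" "$1")
  got=$(printf '%s\n' "$line" | awk '{ print $3 }')
  if [ -z "$want" ] || [ -z "$got" ]; then
    echo "$1: no pending request or no agent fingerprint"; return 2
  fi
  if [ "$want" != "$got" ]; then
    echo "$1: MISMATCH agent=$want master=$got"; return 1
  fi
  case $line in
    *'alt names:'*) echo "$1: request carries alt names, review first"; return 3 ;;
  esac
  echo "$1: fingerprints match, ok to run: puppet cert sign $1"
}

check_csr srvu1 "$AGENT_LOG" "$CERT_LIST"
```

In practice the second and third arguments would be the saved output of the agent run and of `puppet cert list` on the master.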

Once the certificate is signed, we can run the agent again like below. This will show the error below.

root@srvu1:~# puppet agent --verbose --no-daemonize --onetime
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find default node or by name with 'srvu1' on node srvu1
Notice: Using cached catalog
Info: Applying configuration version '1517950914'

Node definition

If you remember, we configured a directory structure for the production setup; we should add the node definitions there.

Now the Puppet master and its CentOS and Ubuntu nodes are ready to get instructions from the Puppet master. We also need to define nodes and manifests for them, which we will work on in another post. For now I have created only a blank manifest file like below.

[root@puppetmaster ~]# cat /etc/puppet/environments/production/manifests/nodes.pp 
node 'srv57'{

}


node 'srvu1' {


}

With only this file in place, the node definitions resolve as shown below, and the error mentioned above is no longer displayed.

root@srvu1:~# puppet agent --verbose --no-daemonize --onetime
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for srvu1
Info: Applying configuration version '1517984314'
Notice: Finished catalog run in 0.02 seconds

Now we can write some code for the srvu1 host, like below.

node 'srvu1' {
  # Local application account, created on the next agent run
  user { 'app':
    ensure => present,
    uid    => '544',
    shell  => '/bin/bash',
    home   => '/home/app',
  }
}

This time, when we run the "puppet agent" command on srvu1, it will create that user.

root@srvu1:~# grep app /etc/passwd

root@srvu1:~# puppet agent --verbose --no-daemonize --onetime
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for srvu1
Info: Applying configuration version '1517987947'
Notice: /Stage[main]/Main/Node[srvu1]/User[app]/ensure: created
Notice: Finished catalog run in 0.12 seconds

root@srvu1:~# grep app /etc/passwd
app:x:544:1001::/home/app:/bin/bash

This way we can create manifests and automate our work.