@basharam
Created December 30, 2014 15:50
# Puppet Master/Agent setup on Ubuntu 12.04
### Machine1 (Master node/server):
OS: Ubuntu 12.04

Add the master's address to the hosts file:
```
vi /etc/hosts
```
```
192.168.171.81 master
```
#### Install on Master
```
sudo apt-get -y install puppetmaster
```
Verify the Puppet version:
```
$ puppet help
...
See 'puppet help <subcommand>' for help on a specific subcommand.
Puppet v3.7.3
$
```
#### Lock the Version:
Changes from version to version can occasionally cause your Puppet environment to stop working properly. For this reason, you will want to maintain a consistent Puppet version across your entire infrastructure. If you decide to upgrade to a newer version, make sure that you upgrade your master before any agent nodes, as the master cannot manage agents that have a higher version number.
Create the file `00-puppet.pref` in `/etc/apt/preferences.d/` with the following lines:
```
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common puppetmaster-passenger
Pin: version 3.7*
Pin-Priority: 501
```
#### Set Up Names and Certificate
Puppet uses SSL certificates to authenticate communication between master and agent nodes. The Puppet master acts as a certificate authority (CA) and must generate its own certificate, which is used to sign agent certificate requests. We will set up the master's certificates now.
Delete any existing SSL certificates that were created during the package install. The default location of Puppet's SSL certificates is `/var/lib/puppet/ssl`:
```
sudo rm -rf /var/lib/puppet/ssl
```
#### Configure Certificate
When creating the Puppet master's certificate, include every DNS name at which agent nodes can contact the master. In this example we will use "puppet" and "puppet.nyc2.example.com", the short hostname and the FQDN (a fully qualified domain name is the complete domain name for a specific host on the Internet), respectively.
Edit the master's puppet.conf file:
```
sudo vi /etc/puppet/puppet.conf
```
It will look something like the following:
```
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
```
Delete the line with the `templatedir` option, as that option is deprecated.
Add the following two lines to the end of the `[main]` section (replace `master` with the master's private FQDN if that is the name agents will use):
```
dns_alt_names=puppet, master
certname=puppet
```
The certificate is generated automatically when you start the Puppet master:
```
sudo service puppetmaster start
```
Verify with `ls` that a new `ssl` folder has been created under `/var/lib/puppet/`. You can list the certificates with `sudo ls /var/lib/puppet/ssl/certs/` and inspect the certificate details with `openssl`; the output should show all of your DNS names:
```
$ sudo openssl x509 -in /var/lib/puppet/ssl/certs/puppet.pem -text | grep -i dns
DNS:master, DNS:puppet
```
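An agent that contacts the master under a name missing from the certificate's Subject Alternative Names fails the SSL handshake, so it pays to check the SAN list against `dns_alt_names` before enrolling agents. The script below is an added example, not part of the gist: `cert_has_names` does that check with `openssl`, and `make_sample_cert` builds a constructed self-signed certificate with the same SANs as the gist's config to stand in for `/var/lib/puppet/ssl/certs/puppet.pem`, so it runs offline. The function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): confirm that a certificate's
# Subject Alternative Names cover every name agents will use.

# cert_has_names <cert.pem> <name>...
# Returns 0 only if every <name> appears as a DNS: entry in the SAN list.
cert_has_names() {
  pem=$1
  shift
  # The decoded certificate prints the SAN entries on the line after the
  # "X509v3 Subject Alternative Name:" header.
  sans=$(openssl x509 -in "$pem" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n 1)
  for name in "$@"; do
    # Compare whole entries, so DNS:puppet does not satisfy DNS:puppet2.
    printf '%s\n' "$sans" | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -qxF "DNS:$name" || return 1
  done
  return 0
}

# make_sample_cert <dir>
# Constructed stand-in for /var/lib/puppet/ssl/certs/puppet.pem: a
# self-signed cert for CN=puppet carrying the SANs from the gist's config.
make_sample_cert() {
  dir=$1
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_alt
prompt = no
[dn]
CN = puppet
[v3_alt]
subjectAltName = DNS:puppet, DNS:master
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/puppet-key.pem" -out "$dir/puppet.pem" \
    -config "$dir/san.cnf" >/dev/null 2>&1
  printf '%s\n' "$dir/puppet.pem"
}

# Stand-alone demo over the constructed certificate.
demo_dir=$(mktemp -d)
demo_pem=$(make_sample_cert "$demo_dir")
if cert_has_names "$demo_pem" puppet master; then
  echo "OK: certificate covers puppet and master"
else
  echo "MISSING: a name from dns_alt_names is not in the certificate"
fi
# A name that was never added to dns_alt_names is reported as missing.
if cert_has_names "$demo_pem" puppet.nyc2.example.com; then
  echo "unexpected: FQDN present"
else
  echo "MISSING: puppet.nyc2.example.com (add it to dns_alt_names and regenerate)"
fi
rm -rf "$demo_dir"
```

On a real master, run `cert_has_names /var/lib/puppet/ssl/certs/puppet.pem puppet master` (with `sudo`) and, if a name is missing, add it to `dns_alt_names`, remove the ssl directory and restart `puppetmaster` to regenerate the certificate.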
### Connect from Slave/Node (Machine 2)
OS: Ubuntu 12.04
Add machine1's IP to the hosts file on machine 2:
```
vi /etc/hosts
```
```
127.0.0.1 localhost
127.0.1.1 Jd-VirtualBox
192.168.171.81 master
```
Install the puppet agent:
```
sudo apt-get -y install puppet
```
#### Configure Puppet Agent
```
sudo vi /etc/puppet/puppet.conf
```
It will look like this:
```
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
```
It looks exactly like the Puppet master's initial configuration file.
Again, delete the `templatedir` line. Then delete the `[master]` section and all of the lines below it.
Add the master's DNS name under an `[agent]` heading (add the heading at the end of the file if it is not already there) so that Puppet can connect to the server (Machine1):
```
[agent]
server=master
```
The puppet agent is disabled by default. To enable it, update its default file:
```
sudo vi /etc/default/puppet
```
and change the value of START to "yes":
```
START=yes
```
Save and exit `/etc/default/puppet`.
Check the puppet version on the node:
```
$ puppet help
...
Puppet v2.7.11
```
#### Again Lock the Version on Agent
As with the Puppet master, we will want to use the apt pin feature to lock the version of the Puppet agent:
```
sudo vi /etc/apt/preferences.d/00-puppet.pref
```
Add the following lines to lock the puppet and puppet-common packages to 2.7.* (change this to match your installed version):
```
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common
Pin: version 2.7*
Pin-Priority: 501
```
Save and exit. Your Puppet version is now locked.
Start puppet:
```
sudo service puppet start
```
Note: If this is your first Puppet agent, it is recommended that you attempt to sign the certificate on the Puppet master before adding your other agents. Once you have verified that everything works properly, then you can go back and add the remaining agent nodes without any hassle.
#### Sign Request On Master (Sign Slave Certificate on Master)
The first time Puppet runs on an agent node, it will send a certificate signing request to the Puppet master. Before the master will be able to communicate with and control the agent node, it must sign that particular agent node's certificate. We will describe how to sign and check for signing requests.
```
on-master-machine1$ sudo puppet cert --list
```
If you just set up your first agent node, you will see one request. It will look something like the following, with the agent node's FQDN as the hostname:
```
"Jd-VirtualBox" (SHA256) B7:16:FD:1F:F7:1E:40:53:C1:D4:1B:3C:75:F4:7C:0B:A9:4C:1B:5D:95:2B:79:C0:09:FF:2B:F4:4A:BB:AA:EE
```
To sign a certificate request, use the `puppet cert sign` command with the hostname of the certificate you want to sign. For example:
```
on-master-machine1$ sudo puppet cert --sign Jd-VirtualBox
```
Result:
```
Notice: Signed certificate request for Jd-VirtualBox
Notice: Removing file Puppet::SSL::CertificateRequest Jd-VirtualBox at '/var/lib/puppet/ssl/ca/requests/Jd-VirtualBox.pem'
```
The Puppet master can now communicate with and control the node that the signed certificate belongs to.
If you want to sign all of the current requests, use the `--all` option, like so:
```
sudo puppet cert sign --all
```
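Signing a request hands that host a catalog and whatever the master knows about it, so the fingerprint shown by `puppet cert list` is worth comparing with the one the agent itself reports (`puppet agent --fingerprint`, read over a channel you trust) before signing, rather than signing every pending request with `--all`. The script below is an added example, not part of the gist: it parses a constructed copy of the listing shown above, ignores already-signed `+` lines, and only decides to sign when the fingerprints agree. `sign_verified` wraps the real `puppet cert` commands for use on the master; the helper names and sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): sign a pending agent request only
# after its fingerprint matches the one the agent reported out of band.

# Constructed sample of `puppet cert list --all` output, in the gist's format:
# pending requests have no leading marker, signed certificates start with "+".
SAMPLE_CERT_LIST='"Jd-VirtualBox" (SHA256) B7:16:FD:1F:F7:1E:40:53:C1:D4:1B:3C:75:F4:7C:0B:A9:4C:1B:5D:95:2B:79:C0:09:FF:2B:F4:4A:BB:AA:EE
+ "puppet" (SHA1) D6:8C:47:4F:D6:BD:B3:A9:32:A7:C1:A8:47:DE:32:DA:F7:CE:86:09 (alt names: "DNS:master", "DNS:puppet")'

# pending_fingerprint <hostname> <cert-list-output>
# Prints the fingerprint of the *pending* request for <hostname>, or nothing
# when there is none (already-signed "+" lines never match on field 1).
pending_fingerprint() {
  printf '%s\n' "$2" | awk -v host="\"$1\"" '$1 == host { print $3; exit }'
}

# normalize_fp <fingerprint>: drop colons, spaces and case so a value
# transcribed from the agent's console compares equal to the master's.
normalize_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprints_match <a> <b>: 0 only if both are non-empty and equal.
fingerprints_match() {
  a=$(normalize_fp "$1")
  b=$(normalize_fp "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# should_sign <hostname> <expected-fp> <cert-list-output>
# Pure decision: 0 only when a pending request exists for <hostname> and
# its fingerprint matches what the agent reported.
should_sign() {
  fingerprints_match "$(pending_fingerprint "$1" "$3")" "$2"
}

# sign_verified <hostname> <expected-fp>
# Wrapper for the master (hypothetical use, not executed in this demo):
# runs the real puppet commands and replaces a blind `puppet cert sign --all`.
sign_verified() {
  listing=$(sudo puppet cert list)
  if should_sign "$1" "$2" "$listing"; then
    sudo puppet cert sign "$1"
  else
    echo "refusing to sign $1: no pending request or fingerprint mismatch" >&2
    return 1
  fi
}

# Stand-alone demo over the constructed listing. The agent-side value is
# what `puppet agent --fingerprint` would print, here typed in lower case.
agent_reported='b7:16:fd:1f:f7:1e:40:53:c1:d4:1b:3c:75:f4:7c:0b:a9:4c:1b:5d:95:2b:79:c0:09:ff:2b:f4:4a:bb:aa:ee'
if should_sign Jd-VirtualBox "$agent_reported" "$SAMPLE_CERT_LIST"; then
  echo "Jd-VirtualBox: fingerprint matches, safe to sign"
fi
if should_sign Jd-VirtualBox 'AA:BB:CC' "$SAMPLE_CERT_LIST"; then
  echo "unexpected: mismatched fingerprint accepted"
else
  echo "Jd-VirtualBox: fingerprint mismatch, do not sign"
fi
```

On the master, `sign_verified Jd-VirtualBox "$(cat fingerprint-from-agent.txt)"` signs only that host, and only if the pending request is the one the agent produced.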
#### Revoke Certificates
You may want to remove a host from Puppet, or rebuild a host and then add it back to Puppet. In this case, you will want to revoke the host's certificate on the Puppet master. To do this, use the `clean` action:
```
sudo puppet cert clean hostname
```
#### View All Signed Requests
If you want to view all of the requests, signed and unsigned, run the following command:
```
sudo puppet cert list --all
+ "Jd-VirtualBox" (SHA256) B7:16:FD:1F:F7:1E:40:53:C1:D4:1B:3C:75:F4:7C:0B:A9:4C:1B:5D:95:2B:79:C0:09:FF:2B:F4:4A:BB:AA:EE
+ "puppet" (SHA1) D6:8C:47:4F:D6:BD:B3:A9:32:A7:C1:A8:47:DE:32:DA:F7:CE:86:09 (alt names: "DNS:master", "DNS:puppet")
```
## Helloworld to verify master and agent setup
The puppet agent periodically checks in with the puppet master (typically every 30 minutes). During this time, it will send facts about itself to the master and pull a current catalog, a compiled list of resources and their desired states that are relevant to the agent, determined by the main manifest. The agent node will then attempt to make the appropriate changes to achieve its desired state. This cycle will continue as long as the Puppet master is running and communicating with the agent nodes.
#### Manifest file
The main manifest file on the Puppet master is located at `/etc/puppet/manifests/site.pp`. Add the following lines to describe a file resource:
```puppet
file { '/tmp/Helloworld.txt':    # resource type file and filename
  ensure  => present,             # make sure it exists
  mode    => '0644',              # file permissions (quoted octal string)
  content => "Helloworld from master.\n",
}
```
You can either wait until the agent checks in with the master automatically, or restart the puppet agent on machine2/node/slave:
```
Jd-VirtualBox$ sudo service puppet restart
```
Verify the result:
```
Jd-VirtualBox$ cat /tmp/Helloworld.txt
Helloworld from master.
```