This is an old revision of the document!
Overview
Puppet is centralized pulling automation software which allows you to automate various of steps with a single software like:
- Installation of a Package
- Creation of a user
- Storage Management
- Others
Puppet is composed by two components:
- Master
- Slave/Agent
In a nutshell, the Agent is trying to pull the necessary steps from the master, each couple seconds. It is important to note that, the master doesn't push anything, the Agent is the one pulling the task to be done on itself.
Installation
To install it, we have to configure the Repo and install the server & agent for the master and the agent for the slave.
Please configure the following on both machines:
Configure Repo
[root@puppetmaster certificate_requests]# rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
Retrieving https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
Preparing... ################################# [100%]
package puppet6-release-6.0.0-10.el7.noarch is already installed
[root@puppetmaster certificate_requests]#
After you have the repo configured, let's configure each server, we will start with the master:
Configure Master
Install Puppet Server
[root@puppetmaster etc]# yum install puppetserver Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: mirror.karneval.cz * extras: mirror.karneval.cz * updates: mirror.karneval.cz Resolving Dependencies --> Running transaction check ---> Package puppetserver.noarch 0:6.14.1-1.el7 will be installed --> Processing Dependency: puppet-agent >= 5.5.0 for package: puppetserver-6.14.1-1.el7.noarch --> Running transaction check ---> Package puppet-agent.x86_64 0:6.19.1-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved =========================================================================================================================================================================================== Package Arch Version Repository Size =========================================================================================================================================================================================== Installing: puppetserver noarch 6.14.1-1.el7 puppet6 61 M Installing for dependencies: puppet-agent x86_64 6.19.1-1.el7 puppet6 26 M Transaction Summary =========================================================================================================================================================================================== Install 1 Package (+1 Dependent package) Total download size: 87 M Installed size: 87 M Is this ok [y/d/N]: y Downloading packages: (1/2): puppet-agent-6.19.1-1.el7.x86_64.rpm | 26 MB 00:00:03 (2/2): puppetserver-6.14.1-1.el7.noarch.rpm | 61 MB 00:00:05 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 15 MB/s | 87 MB 00:00:05 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : puppet-agent-6.19.1-1.el7.x86_64 1/2 usermod: no changes Installing : puppetserver-6.14.1-1.el7.noarch 2/2 usermod: no changes Verifying : puppet-agent-6.19.1-1.el7.x86_64 1/2 Verifying : puppetserver-6.14.1-1.el7.noarch 2/2 Installed: puppetserver.noarch 0:6.14.1-1.el7 Dependency Installed: puppet-agent.x86_64 0:6.19.1-1.el7 Complete!
That will install both, the server and the agent, we can start the service as follows:
Start the pupept Server
[root@puppetmaster etc]# service puppetserver start
Redirecting to /bin/systemctl start puppetserver.service
[root@puppetmaster etc]# service puppetserver status
Redirecting to /bin/systemctl status puppetserver.service
● puppetserver.service - puppetserver Service
Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-11-13 16:50:11 EST; 7s ago
Process: 7345 ExecStart=/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver start (code=exited, status=0/SUCCESS)
Main PID: 7368 (java)
Tasks: 40 (limit: 4915)
CGroup: /system.slice/puppetserver.service
└─7368 /usr/bin/java -Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -XX:OnOutOfMemoryError="kill -9 %p" -XX:ErrorFile=/var/log/puppetlabs/pu...
Nov 13 16:49:35 puppetmaster.example.com systemd[1]: Starting puppetserver Service...
Nov 13 16:50:11 puppetmaster.example.com systemd[1]: Started puppetserver Service.
[root@puppetmaster etc]#
Nice, we have a working default server. Let's configure the agent, we will return to the master in a second. As stated before, the agent is the one pulling the requests from the master, but before it can do that, the connection between them NEEDS to be secure. Secure in the IT world means, certificates, so let's check what certificates the Master has:
Check Master Certificates
[root@puppetmaster certificate_requests]# puppetserver ca list --all
Signed Certificates:
puppetmaster.example.com (SHA256) ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B alt names: ["DNS:puppet", "DNS:puppetmaster.example.com"] authorization extensions: [pp_cli_auth: true]
[root@puppetmaster certificate_requests]#
So we see that the master has his own certificate and that is that. But for the agent to work, we need the agent to send his certificate to be signed by the master. So let's setup the agent.
Configure Agent
We will simple install the agent and do little magic.
Install the agent
[root@puppetagent etc]# yum install puppet-agent Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: ftp.energotel.sk * extras: ftp.energotel.sk * updates: ftp.energotel.sk Resolving Dependencies --> Running transaction check ---> Package puppet-agent.x86_64 0:6.19.1-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved =========================================================================================================================================================================================== Package Arch Version Repository Size =========================================================================================================================================================================================== Installing: puppet-agent x86_64 6.19.1-1.el7 puppet6 26 M Transaction Summary =========================================================================================================================================================================================== Install 1 Package Total download size: 26 M Installed size: 26 M Is this ok [y/d/N]: y Downloading packages: puppet-agent-6.19.1-1.el7.x86_64.rpm | 26 MB 00:00:01 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : puppet-agent-6.19.1-1.el7.x86_64 1/1 Verifying : puppet-agent-6.19.1-1.el7.x86_64 1/1 Installed: puppet-agent.x86_64 0:6.19.1-1.el7 Complete!
After we have installed it, we have to modify the puppet.conf file (e.g./etc/puppetlabs/puppet/puppet.conf)
Edit Puppet Agent Conf
[root@puppetagent puppet]# vi /etc/puppetlabs/puppet/puppet.conf # This file can be used to override the default puppet settings. # See the following links for more details on what settings are available: # - https://puppet.com/docs/puppet/latest/config_important_settings.html # - https://puppet.com/docs/puppet/latest/config_about_settings.html # - https://puppet.com/docs/puppet/latest/config_file_main.html # - https://puppet.com/docs/puppet/latest/configuration.html [main] certserver = puppetslave.example.com server = puppetmaster.example.com :wq
Once done, we can start the agent as follows:
Start Puppet Agent
[root@puppetagent puppet]# service puppet start
Redirecting to /bin/systemctl start puppet.service
[root@puppetagent puppet]# service puppet status
Redirecting to /bin/systemctl status puppet.service
● puppet.service - Puppet agent
Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-11-13 17:23:04 EST; 2s ago
Main PID: 26262 (puppet)
Tasks: 2
CGroup: /system.slice/puppet.service
└─26262 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize
Nov 13 17:23:04 puppetslave.example.com systemd[1]: Started Puppet agent.
[root@puppetagent puppet]#
So let's return to the Master and see how he is doing.
Sign Certificate
Since the agent started (and hopefully not mistakes) the master should've received the certificate (from the agent) to approve:
Check Certificate Requests
[root@puppetmaster certificate_requests]# puppetserver ca list --all
Requested Certificates:
puppetslave.example.com (SHA256) 1F:86:36:82:A1:0E:A6:76:BE:D5:F8:11:93:85:E1:9C:AC:EE:AA:29:AC:85:0F:EB:49:90:A7:CF:FC:40:51:22
Signed Certificates:
puppetmaster.example.com (SHA256) ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B alt names: ["DNS:puppet", "DNS:puppetmaster.example.com"] authorization extensions: [pp_cli_auth: true]
Now, we have 2 certiciates :), so let's approve our agent.
Sign Certificate
[root@puppetmaster certificate_requests]# puppetserver ca sign --certname puppetslave.example.com
Successfully signed certificate request for puppetslave.example.com
[root@puppetmaster certificate_requests]#
[root@puppetmaster certificate_requests]# puppetserver ca list --all
Signed Certificates:
puppetmaster.example.com (SHA256) ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B alt names: ["DNS:puppet", "DNS:puppetmaster.example.com"] authorization extensions: [pp_cli_auth: true]
puppetslave.example.com (SHA256) A4:24:76:E7:3D:B8:5B:35:15:1D:79:61:6B:44:F7:1B:D8:B9:8A:03:C9:5B:C4:0D:10:23:8B:00:75:7F:9A:DA
[root@puppetmaster certificate_requests]#
From now on, we will have trusted connection between the Agent/Slave and the Master.