Install and configure PuppetDB

Useful links:

  1. Install PostgreSQL

    apprentice@puppet:~$ sudo apt-get install postgresql-9.1

  2. Create the PuppetDB database

    apprentice@:~$ pwgen -cnys 40 1
    9PCp0KZ7F7D3nCcYUfjCgheveWRDfVZ9BbbhsAhf
    apprentice@:~$ sudo -u postgres -s
    postgres@puppet:/$ createuser -DRSP puppetdb
    Enter password for new role: 
    Enter it again: 
    postgres@puppet:/$ createdb -O puppetdb puppetdb
    postgres@puppet:/$ exit

    ... allow the puppetdb user to log in, in /etc/postgresql/9.1/main/pg_hba.conf:

    <snip>
    # Put your actual configuration here
    local   puppetdb        puppetdb                                md5
    <snip>
    local   all             postgres                                peer
    <snip>

    ... and let the new settings take effect:

    apprentice@:~$ sudo service postgresql restart

  3. Install PuppetDB

    apprentice@:~$ sudo apt-get install puppetdb puppetdb-terminus

  4. Configure Puppet to find PuppetDB

    To the [master] section of /etc/puppet/puppet.conf, add:

    storeconfigs = true
    storeconfigs_backend = puppetdb

    Note:

    According to the PuppetDB 1 docs ("Connecting Puppet Masters to PuppetDB"), you cannot use port 8080, although that would make perfect sense on localhost. It doesn't matter much anyway, because using localhost instead of the FQDN got me a "hostname does not match the server certificate" error when running the puppet agent.

    Create /etc/puppet/routes.yaml:

    ---
    master:
      facts:
        terminus: puppetdb
        cache: yaml

    ... and /etc/puppet/puppetdb.conf:

    [main]
    server = puppet.servers.mydomain.com
    port = 8081

  5. Configure PuppetDB itself

    Edit /etc/puppetdb/conf.d/database.ini:

    [database]
    classname = org.postgresql.Driver
    subprotocol = postgresql
    subname = //localhost:5432/puppetdb
    username = puppetdb
    password = 9PCp0KZ7F7D3nCcYUfjCgheveWRDfVZ9BbbhsAhf
    log-slow-statements = 10

    ... run

    apprentice@puppet:~$ sudo /usr/sbin/puppetdb-ssl-setup

    ... which changes /etc/puppetdb/conf.d/jetty.ini; we need not even fine-tune it.

    Note:

    The password in jetty.ini is not the same as the password to the PostgreSQL database.

  6. Disable PuppetQD

    If PuppetQD wasn't already disabled, disable it now, probably in /etc/default/puppetqd.

  7. Restart the Puppet daemons

    apprentice@:~$ for i in puppetdb puppetmaster ; do sudo service $i restart ; done

  8. Run the agent on a client

    apprentice@client:~$ sudo puppet agent --no-daemonize --verbose --waitforcert 10
    <snip>
    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for cit-zb-3-163.rc.rug.nl to PuppetDB at puppet.service.rug.nl:8081: Connection refused - connect(2)

    <snip>

This error occurs because the puppet service, the PuppetDB service and their certificates do not agree on the hostnames they are using. It can be resolved by adding to /etc/puppetdb/conf.d/jetty.ini the line:

certificate-whitelist = /etc/puppetdb/whitelist.txt

... and listing all aliases for the machine in that file.

But we don't bother, because we don't want to run Puppet from the WEBrick server; we need Apache, and if we've got Apache anyway, we also want to offload the SSL of PuppetDB to Apache. See the next section.
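The procedure above leaves a clear-text database password in database.ini and depends on pg_hba.conf, puppetdb.conf and the certificate names agreeing with each other. The script below is an added example (not part of the original write-up) that sanity-checks those files offline: it builds constructed sample copies in a temporary directory, and the function names, the placeholder password and the temp paths are assumptions; on a real master point the variables at /etc/postgresql/9.1/main/pg_hba.conf, /etc/puppetdb/conf.d/database.ini and /etc/puppet/puppetdb.conf instead.

```shell
#!/bin/sh
# Added example, not from the original write-up: offline sanity checks for
# the files this procedure edits, run against constructed sample copies.

# Auth method pg_hba.conf applies to local logins of the puppetdb role to
# the puppetdb database; step 2 sets it to md5 (password), not trust.
pg_hba_method() {
    awk '$1 == "local" && $2 == "puppetdb" && $3 == "puppetdb" { print $4; exit }' "$1"
}

# database.ini holds the PostgreSQL password in clear text, so it must not
# be world-readable. Prints "ok" or "world-readable" (8th char of ls -l).
database_ini_perms() {
    if [ "$(ls -ld "$1" | cut -c8)" = "r" ]; then echo world-readable; else echo ok; fi
}

# Value of "key = value" in an ini-style file (first match, trimmed).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# The notes in step 4: the master must reach PuppetDB on its SSL port
# (8081, not 8080) and by the name on its certificate, not localhost.
puppetdb_conf_check() {
    port=$(ini_value "$1" port); server=$(ini_value "$1" server)
    [ "$port" = "8081" ] || { echo "bad-port:$port"; return 1; }
    case "$server" in localhost|127.0.0.1) echo "bad-server:$server"; return 1 ;; esac
    echo ok
}

# Constructed sample files mirroring the settings from steps 2, 4 and 5
# (placeholder password; assumed temp paths, not the real /etc locations).
tmp=$(mktemp -d)
printf 'local   puppetdb   puppetdb   md5\nlocal   all   postgres   peer\n' > "$tmp/pg_hba.conf"
printf '[database]\nusername = puppetdb\npassword = PLACEHOLDER-FROM-PWGEN\n' > "$tmp/database.ini"
chmod 600 "$tmp/database.ini"
printf '[main]\nserver = puppet.servers.mydomain.com\nport = 8081\n' > "$tmp/puppetdb.conf"

echo "pg_hba.conf method: $(pg_hba_method "$tmp/pg_hba.conf")"
echo "database.ini perms: $(database_ini_perms "$tmp/database.ini")"
echo "puppetdb.conf:      $(puppetdb_conf_check "$tmp/puppetdb.conf")"
```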