Install PostgreSQL
apprentice@puppet:~$ sudo apt-get install postgresql-9.1
Create the PuppetDB database
apprentice@:~$ pwgen -cnys 40 1
9PCp0KZ7F7D3nCcYUfjCgheveWRDfVZ9BbbhsAhf
apprentice@:~$ sudo -u postgres -s
postgres@puppet:/$ createuser -DRSP puppetdb
Enter password for new role:
Enter it again:
postgres@puppet:/$ createdb -O puppetdb puppetdb
postgres@puppet:/$ exit
... allow the puppetdb user to log in, in /etc/postgresql/9.1/main/pg_hba.conf:
<snip>
# Put your actual configuration here
local   puppetdb   puppetdb   md5
<snip>
local   all   postgres   peer
<snip>
... and let the new settings take effect:
apprentice@:~$ sudo service postgresql restart
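PostgreSQL applies the first pg_hba.conf record that matches a connection, so where the puppetdb line sits among the snipped records decides which auth method is actually used. The sketch below is an added example, not part of the original page: the function name pg_hba_method, the two sample files and the simplified address matching are assumptions made for illustration. It reports the effective method for a socket login and for a TCP login to 127.0.0.1.

```shell
# pg_hba_method FILE TYPE DB USER [ADDR]
# Prints the auth method of the first pg_hba.conf record that matches, or
# "reject-implicit" when none matches (PostgreSQL then denies the connection).
# Assumptions of this example: host addresses match only as the literal "all"
# or an exact ADDR/32 entry; "sameuser" is the only database keyword handled.
pg_hba_method() {
    awk -v type="$2" -v db="$3" -v user="$4" -v addr="$5" '
        function in_list(list, want,    n, i, parts) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] == "all" || parts[i] == want) return 1
            return 0
        }
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        $1 != type           { next }   # local (socket) vs host (TCP)
        {
            db_ok = in_list($2, db) || ($2 == "sameuser" && db == user)
            if (!db_ok || !in_list($3, user)) next
            if (type == "local") { print $4; found = 1; exit }
            if ($4 == "all" || $4 == (addr "/32")) { print $5; found = 1; exit }
        }
        END { if (!found) print "reject-implicit" }
    ' "$1"
}

# Constructed sample files: the same records in two different orders.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/good.conf" <<'EOF'
# constructed sample: puppetdb record before the catch-all
local   puppetdb  puppetdb              md5
local   all       postgres              peer
local   all       all                   peer
host    all       all     127.0.0.1/32  md5
EOF
cat > "$demo_dir/shadowed.conf" <<'EOF'
# constructed sample: puppetdb record after the catch-all
local   all       postgres              peer
local   all       all                   peer
local   puppetdb  puppetdb              md5
host    all       all     127.0.0.1/32  md5
EOF

for f in good shadowed; do
    printf '%s: socket=%s tcp=%s\n' "$f" \
        "$(pg_hba_method "$demo_dir/$f.conf" local puppetdb puppetdb)" \
        "$(pg_hba_method "$demo_dir/$f.conf" host puppetdb puppetdb 127.0.0.1)"
done
```

In the shadowed file a socket login as puppetdb is evaluated under peer, so the generated password is never consulted and the login succeeds only for an OS account named puppetdb. A client that connects to localhost:5432 over TCP is matched against the host records, not the local ones.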
Install PuppetDB
apprentice@:~$ sudo apt-get install puppetdb puppetdb-terminus
Configure Puppet to find PuppetDB
To the [master] section of /etc/puppet/puppet.conf, add:
storeconfigs = true
storeconfigs_backend = puppetdb
Note: According to Docs: PuppetDB 1 » Connecting Puppet Masters to PuppetDB, you cannot use port 8080, although that would make perfect sense on localhost.
But that doesn't matter much, because using “localhost” instead of the FQDN got me a
Create /etc/puppet/routes.yaml:
---
master:
  facts:
    terminus: puppetdb
    cache: yaml
... and /etc/puppet/puppetdb.conf:
[main]
server = puppet.servers.mydomain.com
port = 8081
Configure PuppetDB itself
Edit /etc/puppetdb/conf.d/database.ini:
[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //localhost:5432/puppetdb
username = puppetdb
password = 9PCp0KZ7F7D3nCcYUfjCgheveWRDfVZ9BbbhsAhf
log-slow-statements = 10
... run
apprentice@puppet:~$ sudo /usr/sbin/puppetdb-ssl-setup
... which changes /etc/puppetdb/conf.d/jetty.ini, which we need not even fine-tune.
Note: The password in
Disable PuppetQD
If PuppetQD wasn't already disabled, disable it now, probably in /etc/default/puppetqd.
Restart the Puppet daemons
apprentice@:~$ for i in puppetdb puppetmaster ; do sudo service $i restart ; done
Run the agent on a client
apprentice@client:~$ sudo puppet agent --no-daemonize --verbose --waitforcert 10
<snip>
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for cit-zb-3-163.rc.rug.nl to PuppetDB at puppet.service.rug.nl:8081: Connection refused - connect(2)
<snip>
This error occurs because the puppet service, the puppetdb service and their certificates do not agree on the hostnames they are using.
This can be resolved by putting a line in /etc/puppetdb/conf.d/jetty.ini:
certificate-whitelist = /etc/puppetdb/whitelist.txt
... and listing all aliases for the machine in that file.
But we don't bother, because we don't want to run Puppet from the WEBrick server, so we need Apache, and if we've got Apache anyway, we also want to offload the SSL of PuppetDB to Apache. See the next section.