Homemade Puppet Course

November 2013


Table of Contents

Setting up the Puppet Master
Environments
Various Commands
Installing Dashboard
Using Hiera
  1. Add the PuppetLabs Repository on the master, as described in Using the Puppet Labs Package Repositories:

    root@vhost1:~# echo "deb http://apt.puppetlabs.com wheezy main" > /etc/apt/sources.list.d/puppet.list
    root@vhost1:~# apt-get update
    root@vhost1:~# apt-get install -y --force-yes puppetlabs-release
    root@vhost1:~# rm /etc/apt/sources.list.d/puppet.list
    root@vhost1:~# apt-get update

    Repeat the same steps (mutatis mutandis) on the Debian/Ubuntu clients.

  2. Add PuppetLabs Repository on CentOS

    -bash-4.1# sudo rpm -ivh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm

  3. Install Puppet Master

    Put the FQDN in /etc/hosts:

    <snip>
    10.0.17.1 vhost1.xennet vhost1
    <snip>

    To be sure, the following should succeed (short name and FQDN resolve as expected):

    root@vhost1:~# hostname
    vhost1
    root@vhost1:~# hostname -f
    vhost1.xennet

    Only then install the packages:

    root@vhost1:~# apt-get install -y puppetmaster-passenger puppet-lint puppet-el

  4. Install Puppet Client

    On Debian/Ubuntu:

    root@vhost1:~# apt-get install -y puppet

    On CentOS:

    -bash-4.1# yum install -y puppet

  5. Connect clients to Master

    On a client:

    root@vhost2:~# puppet agent -t

    There will be no certificate:

    root@vhost3:~# puppet agent -t
    Info: Creating a new SSL key for vhost3.xennet
    Info: Caching certificate for ca
    Info: Creating a new SSL certificate request for vhost3.xennet
    Info: Certificate Request fingerprint (SHA256): C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
    Exiting; no certificate found and waitforcert is disabled

    Likewise for the last (CentOS) client:

    -bash-4.1# puppet agent -t

    Now on the server, certificate requests will be waiting to be signed. Before signing each one, check that its fingerprint is the one the client printed during its agent run (vhost3's C2:CD:... above appears in both places); then sign them.

    root@vhost1:~# puppet cert list
      "vhost2.xennet" (SHA256) 8A:49:F2:DC:4E:C9:BF:4A:2B:85:DB:F1:79:43:A4:39:C7:EB:D7:82:58:AC:BF:33:55:11:81:D2:FA:1F:AC:EC
      "vhost3.xennet" (SHA256) C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
      "vhost4.xennet" (SHA256) 07:4C:DA:AB:1E:FA:EB:93:74:AC:46:E4:C8:9D:95:F6:3B:98:A8:61:D7:D6:7F:40:21:5D:0F:7D:C8:07:F5:78
    root@vhost1:~# puppet cert sign vhost2.xennet
    Notice: Signed certificate request for vhost2.xennet
    Notice: Removing file Puppet::SSL::CertificateRequest vhost2.xennet at '/var/lib/puppet/ssl/ca/requests/vhost2.xennet.pem'
    root@vhost1:~# puppet cert sign vhost3.xennet
    root@vhost1:~# puppet cert sign vhost4.xennet

    So puppet runs will succeed on the clients:

    root@vhost2:~# puppet agent -t
    Info: Caching certificate for vhost2.xennet
    Info: Caching certificate_revocation_list for ca
    Info: Retrieving plugin
    Info: Caching catalog for vhost2.xennet
    Info: Applying configuration version '1384116519'
    Info: Creating state file /var/lib/puppet/state/state.yaml
    Notice: Finished catalog run in 0.04 seconds

    See Learning Puppet — Basic Agent/Master Puppet for more about certificates.

    According to Autosigning Client Certificates, to enable autosigning of certificates, you can put a single '*' in /etc/puppet/autosign.conf:

    *

    And of course it says you shouldn't do that if you're concerned about security.
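    Rather than a wildcard in autosign.conf, the check an operator does by hand before signing (the fingerprint the client printed must equal the one `puppet cert list` shows, as vhost3's does above) can be scripted. The following is an added example, not part of the course; it assumes an operator-maintained file of expected fingerprints in the format described in its comments, and that `puppet` is on the master's PATH.

```bash
# Added example, not part of the course: sign only those requests whose
# fingerprint matches the one the client printed during "puppet agent -t"
# and that was recorded out of band (assumed file format, one per line:
# "<certname> <SHA256 fingerprint>").

# Turn `puppet cert list` output on stdin into "certname fingerprint" lines.
parse_cert_list() {
    sed -n 's/^ *"\([^"]*\)" (SHA256) \([0-9A-F:]*\).*/\1 \2/p'
}

# Compare each pending request with the expected file and print a verdict:
#   OK <certname>        fingerprints agree, safe to sign
#   MISMATCH <certname>  same name, different key: leave pending and investigate
#   UNKNOWN <certname>   nobody recorded this host: leave pending
check_requests() {
    expected_file=$1
    parse_cert_list | while read -r name fp; do
        want=$(awk -v n="$name" '$1 == n { print $2 }' "$expected_file")
        if [ -z "$want" ]; then
            echo "UNKNOWN $name"
        elif [ "$want" = "$fp" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"
        fi
    done
}

# On the master: sign exactly the OK names, nothing else.
sign_verified() {
    puppet cert list | check_requests "$1" | awk '$1 == "OK" { print $2 }' |
        while read -r name; do puppet cert sign "$name"; done
}

# Constructed sample: the three requests listed in the course above.
SAMPLE_CERT_LIST='  "vhost2.xennet" (SHA256) 8A:49:F2:DC:4E:C9:BF:4A:2B:85:DB:F1:79:43:A4:39:C7:EB:D7:82:58:AC:BF:33:55:11:81:D2:FA:1F:AC:EC
  "vhost3.xennet" (SHA256) C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
  "vhost4.xennet" (SHA256) 07:4C:DA:AB:1E:FA:EB:93:74:AC:46:E4:C8:9D:95:F6:3B:98:A8:61:D7:D6:7F:40:21:5D:0F:7D:C8:07:F5:78'
```

    A dry run is `printf '%s\n' "$SAMPLE_CERT_LIST" | check_requests /path/to/expected`; `sign_verified /path/to/expected` then does the live signing on the master.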