
Puppet Documentation - general
##################################
http://slashroot.in/puppet-tutorial-introduction-puppet-configuration-management-tool
http://slashroot.in/puppet-tutorial-how-does-puppet-work
http://slashroot.in/puppet-tutorial-installing-puppet-master-and-puppet-agent
http://slashroot.in/puppet-tutorial-configuring-puppet-master
http://slashroot.in/puppet-tutorial-configuring-puppet-agent
http://slashroot.in/puppet-tutorial-getting-started-puppet-manifests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The normal and usual configuration of puppet consists of a server (Puppet Master) and a client (Puppet agent). Puppet agent is a daemon that runs on all the client servers (the servers where you require some configuration, or the servers which are going to be managed using puppet).

Puppet Master: This machine contains all the configuration for the different hosts. Puppet master runs as a daemon on this master server.

Puppet Agent: This is the daemon that runs on all the servers which are to be managed using puppet. Puppet agent asks the puppet master server for its own configuration at a specific time interval.

30 minutes is the default interval at which the puppet agent daemon fetches config data from the puppet master.

********************************************************************************

There are multiple steps involved whenever the puppet agent of any node connects to a puppet master server to fetch data. These steps are listed below.

Step 1: Whenever a client node connects to the master, the master server analyzes the configuration to be applied to the node, and how to apply that configuration on the node.

Step 2: The puppet master server collects all the resources and configurations to be applied to the node and compiles them into a catalog. This catalog is given to the puppet agent of the node.

Step 3: The puppet agent applies the configuration on the node according to the catalog, then replies and submits a report of the applied configuration to the puppet master server.

#################################################################
How does Puppet Work with Different Platforms?

This is possible with the help of a tool called Facter.
Whenever the agent connects to the puppet master server for configuration data, the Facter tool is used to give the complete details about the node (agent) to the puppet master. Facter provides almost all information about the agent node, and the information is very detailed. See an example of Facter output below.

[root@myvm1 ~]# facter
architecture => i386
augeasversion => 0.10.0
boardmanufacturer => Intel Corporation
boardproductname => 440BX Desktop Reference Platform
boardserialnumber => None

#####################################################################
http://slashroot.in/puppet-tutorial-installing-puppet-master-and-puppet-agent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Puppet Tutorial: Installing Puppet master And Puppet Agent

puppet version numbering, =2.6 version

How to Install Puppet on Redhat/Centos & Fedora?

The main prerequisite for installing puppet on Redhat/CentOS and Fedora is that you need to have the following:

Ruby Language
Ruby Libraries
Shadow Ruby Libraries

These can be easily installed using the YUM package manager. (You can easily get those packages from the distribution DVD.)

[root@slashroot2 ~]# yum install ruby-shadow ruby ruby-libs

Let's make slashroot1 our puppet master. A puppet master server must contain the following packages:

puppet
puppet-server
facter

[root@slashroot1 ~]# yum install puppet puppet-server facter
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
Dependencies Resolved
================================================================================
 Package             Arch       Version             Repository           Size
================================================================================
Installing:
 facter              i386       1.6.6-1.el5         epel                 68 k
 puppet              noarch     2.7.9-1.el5.rf      rpmforge            1.0 M
 puppet-server       noarch     2.7.9-1.el5.rf      rpmforge             14 k
Installing for dependencies:
 augeas-libs         i386       0.10.0-3.el5        epel                373 k
 ruby-augeas         i386       0.4.1-2.el5.rf      rpmforge             26 k

Transaction Summary
================================================================================
Install      5 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

The package "puppet" contains the puppet agent.
The package "puppet-server" contains the puppet master server.
The package "facter" contains the tool that fetches information about the node.

################################################################################

Now let's install the packages required for a puppet node (the server which will fetch information from the puppet server). The clients or nodes require only the packages "puppet" and "facter". We will be configuring this on the host slashroot2 (which will act as our node client).

[root@slashroot2 ~]# yum install puppet facter
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
Dependencies Resolved
================================================================================
 Package             Arch       Version             Repository           Size
================================================================================
Installing:
 facter              i386       1.6.6-1.el5         epel                 68 k
 puppet              noarch     2.7.9-1.el5.rf      rpmforge            1.0 M
Installing for dependencies:
 augeas-libs         i386       0.10.0-3.el5        epel                373 k
 ruby-augeas         i386       0.4.1-2.el5.rf      rpmforge             26 k
 ruby-shadow         i386       1.4.1-7.el5         epel                9.5 k

Transaction Summary
================================================================================
Install      5 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 1.5 M
Is this ok [y/N]: y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Puppet Tutorial: Configuring Puppet Master
#####################################################################

We will start with the initial basic configuration on our puppet master server (slashroot1).
We will go through the configuration files which are necessary. puppet.conf is the main configuration file of puppet. On most distributions this file is located under the /etc/puppet/ directory. Most of the time this file (/etc/puppet/puppet.conf) is created automatically during the installation. If it is not there, you can easily create it with the following command.

[root@slashroot1 ~]# puppetmasterd --genconfig > /etc/puppet/puppet.conf

The puppet.conf file is easy to understand and largely self-explanatory. It is divided into the following sections.

[agent] -- this section is for mentioning agent specific parameters.
[master] -- this section is for specifying options for puppet master.
[main] -- this section will contain all global configuration options.

The main section will contain options like the log directory, pid directory, etc. (Don't worry, we will go ahead and configure all those, be patient.)

The first step is to configure the /etc/hosts file and DNS entries with the IP of the puppet master and its FQDN (Fully Qualified Domain Name). I am keeping my puppet master name as puppet.slashroot.in, so my host entries will be something like the below.

[root@slashroot1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
127.0.0.1 localhost slashroot1.slashroot.in slashroot1 localhost.localdomain
192.168.0.102 slashroot1.slashroot.in puppet puppet.slashroot.in

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now let's configure the [master] section of our puppet.conf file. We will only be adding the certname parameter in the [master] section for now. If you don't have the master section in your puppet.conf file, create it. My master section looks like the below.

[master]
certname=puppet.slashroot.in

Now let's configure an important file in the puppet master configuration: the site.pp file. This is the file which tells what configurations need to be applied to the clients (agents).

We will be placing this site.pp file in the /etc/puppet/manifests/ directory. Just create a file called site.pp there with no content. We will be adding configuration content inside this file later.

################################################################################
What are manifests in puppet?

A manifest is nothing but the name puppet uses for the files which contain the configuration options for the clients.

An important fact to note is that all manifest files have a .pp extension, just the same as the site.pp file.

You can alter the location of the manifests and the site.pp file with the help of the manifestdir and manifest options in the puppet.conf file.

As I have mentioned in my post "How does Puppet Work", puppet does all its communication through SSL. The default directory for SSL certificates is /var/lib/puppet.

[root@slashroot1 ~]# ls /var/lib/puppet/
bucket        client_data  facts  reports  server_data  state
clientbucket  client_yaml  lib    rrd      ssl          yaml

Now let's start puppetmaster, which will start the master server listening on port 8140. Starting the puppet master server will also create a self-signed certificate for the master server, which can be found at /var/lib/puppet/ssl/ca/signed/

[root@slashroot1 signed]# /etc/init.d/puppetmaster start
Starting puppetmaster:
[root@slashroot1 signed]# ls /var/lib/puppet/ssl/ca/signed/
puppet.slashroot.in.pem
[root@slashroot1 signed]# lsof -i :8140
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
puppetmas 3552 puppet    7u  IPv4   9583       TCP *:8140 (LISTEN)
[root@slashroot1 signed]#

What methods can be used to start puppet master server?

Puppet master can be started by any of the below methods.

#/etc/init.d/puppetmasterd start
OR
#puppetmasterd
OR
#puppet master

For troubleshooting purposes you can run puppet master as follows.

#puppet master --verbose --no-daemonize

###############################################################################
http://slashroot.in/puppet-tutorial-configuring-puppet-agent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I believe that you have already installed the packages puppet & facter on your agent server as shown in the post "installing puppet agent and master".

Now let's connect our puppet agent to the puppet master server for the first time and see what happens.

################################################################################

[root@slashroot2 ~]# puppet agent --server slashroot1.slashroot.in --no-daemonize --verbose
info: Creating a new SSL key for slashroot2.slashroot.in
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for slashroot2.slashroot.in
info: Certificate Request fingerprint (md5): 59:7A:AE:2C:7B:15:DA:E5:A8:14:7D:FF:1F:5B:7A:66
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate

###########################################################

As shown in the above example, an SSL key is made for this agent machine, and the agent is waiting for the corresponding certificate to be signed by the puppet master server.

An important fact to note here is the notice shown in the above command result, which says "notice: Did not receive certificate".

--server in the above command specifies the puppet master server hostname.
--no-daemonize tells the puppet agent not to run as a daemon, and also to output the messages to the screen. If you run puppet agent without this option, you will not get the messages on the screen.

Note: If you do not specify the option --server, puppet agent will look for a host named "puppet". This is the main reason for keeping the puppet master hostname as puppet.

The SSL certificate signing is done only the first time an agent connects to the server.

The notice message (notice: Did not receive certificate) will keep appearing on the screen until the certificate request is signed by the puppet master.

How to Sign the SSL certificate from puppet Master?

Now that the client node (slashroot2) is waiting for its certificate to be signed, let's go and sign the certificate request from slashroot1 (our puppet master server).

On your puppet master, run the below command to show the certificate signing requests.

[root@slashroot1 ~]# puppetca --list
slashroot2.slashroot.in (59:7A:AE:2C:7B:15:DA:E5:A8:14:7D:FF:1F:5B:7A:66)
[root@slashroot1 ~]#

The #puppetca --list command shows the agent certificate requests that are waiting to be signed.

The #puppet cert list command will also show you the same thing.

Now let's sign the certificate by the following method.

[root@slashroot1 ~]# puppetca --sign slashroot2.slashroot.in
notice: Signed certificate request for slashroot2.slashroot.in
notice: Removing file Puppet::SSL::CertificateRequest slashroot2.slashroot.in at '/var/lib/puppet/ssl/ca/requests/slashroot2.slashroot.in.pem'

From the above output you can clearly see that the puppet master server signed the certificate and also removed the old certificate signing request.

As soon as the certificate gets signed by the master server, you will get the below message on the puppet agent's screen (because we ran the puppet agent command with the --no-daemonize option on our agent).

notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for slashroot2.slashroot.in
notice: Starting Puppet client version 2.7.9
info: Caching certificate_revocation_list for ca
info: Caching catalog for slashroot2.slashroot.in
info: Applying configuration version '1355395673'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.14 seconds

Now what does that message mean?

It means that our puppet agent got a signed certificate and the certificate is cached. The agent also tells us that it is applying configuration version number "1355395673", based on the catalog given by the master server.

From now onwards we can restart and stop our puppet agent whenever required.

Note: Keep all the client nodes and the puppet server synchronized with one single NTP source, because SSL connections rely heavily on time being synchronized.
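The agent log and the puppetca --list output both print the fingerprint of the pending request, which lets the operator confirm that the request about to be signed is the one the agent generated. The following is an added example, not part of the original tutorial, that compares the two and prints the sign command only on a match; it assumes the Puppet 2.7 output formats shown above, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): compare the CSR fingerprint the agent
# printed with the one the master lists before signing. Function names are
# hypothetical; formats assumed are the Puppet 2.7 ones shown on this page.

# Sample inputs, copied from the session above and embedded so this runs offline.
AGENT_LOG='info: Creating a new SSL certificate request for slashroot2.slashroot.in
info: Certificate Request fingerprint (md5): 59:7A:AE:2C:7B:15:DA:E5:A8:14:7D:FF:1F:5B:7A:66
notice: Did not receive certificate'
MASTER_LIST='slashroot2.slashroot.in (59:7A:AE:2C:7B:15:DA:E5:A8:14:7D:FF:1F:5B:7A:66)'

# Keep only hex digits and upper-case them, so colons, spaces and case do not matter.
norm_fp() { printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'; }

# $1 = agent output. Prints the fingerprint the agent reported for its own CSR.
agent_fp() {
  norm_fp "$(printf '%s\n' "$1" |
    sed -n 's/^info: Certificate Request fingerprint ([^)]*): *//p' | tail -n 1)"
}

# $1 = `puppetca --list` output, $2 = certname. Prints the fingerprint listed for it.
master_fp() {
  norm_fp "$(printf '%s\n' "$1" |
    awk -v n="$2" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }')"
}

# Succeeds only if both fingerprints were found and are identical.
csr_matches() {
  a=$(agent_fp "$1")
  m=$(master_fp "$2" "$3")
  [ -n "$a" ] && [ -n "$m" ] && [ "$a" = "$m" ]
}

# Prints the sign command for a verified request, otherwise refuses with status 1.
sign_decision() {
  if csr_matches "$1" "$2" "$3"; then
    echo "puppetca --sign $3"
  else
    echo "REFUSE $3: fingerprint mismatch or no pending request"
    return 1
  fi
}

sign_decision "$AGENT_LOG" "$MASTER_LIST" slashroot2.slashroot.in
```

In practice the first argument would be the text captured on the agent and the second the live output of puppetca --list on the master.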
We ran the command #puppet agent --server slashroot1.slashroot.in --no-daemonize --verbose just to show the output on the screen as an example. In normal cases you can add the puppet server address to the puppet.conf file of your agent machine. So on our agent we will add the server address in the [main] section as shown below.

server=slashroot1.slashroot.in

After adding this server option to the puppet.conf file, simply restarting the puppet agent will start it as a daemon, which will periodically fetch data from the master server.

You can start/restart your puppet agent using the below commands.

/etc/init.d/puppet start
or
puppet agent

In our next post we will start with further configuration of puppet master.

################################################################################
http://slashroot.in/puppet-tutorial-getting-started-puppet-manifests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
