Created December 30, 2014 15:50
# Puppet Master/Agent setup on Ubuntu 12.04

### Machine1 (Master node/server)

OS: Ubuntu 12.04

Add the master's own name to `/etc/hosts`:

```
sudo vi /etc/hosts
192.168.171.81 master
```

#### Install on Master

```
sudo apt-get -y install puppetmaster
```

Verify the puppet version:

```
$ puppet help
...
See 'puppet help <subcommand>' for help on a specific subcommand.
Puppet v3.7.3
$
```

#### Lock the Version

Changes from version to version can occasionally cause your Puppet environment to stop working properly. For this reason, you will want to maintain a consistent Puppet version across your entire infrastructure. If you decide to upgrade to a newer version, make sure that you upgrade your master before any agent nodes, as the master cannot manage agents that have a higher version number.

Create a `00-puppet.pref` file at `/etc/apt/preferences.d/` and add the lines below:

```
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common puppetmaster-passenger
Pin: version 3.7*
Pin-Priority: 501
```

#### Set Up Names and Certificate

Puppet uses SSL certificates to authenticate communication between master and agent nodes. The Puppet master acts as a certificate authority (CA) and must generate its own certificate, which is used to sign agent certificate requests. We will set up the master's certificates now.

Delete any existing SSL certificates that were created during the package install. The default location of Puppet's SSL certificates is `/var/lib/puppet/ssl`:

```
sudo rm -rf /var/lib/puppet/ssl
```

#### Configure Certificate

When creating the puppet master's certificate, include every DNS name at which agent nodes can contact the master. In this example we use "puppet" and "puppet.nyc2.example.com", the short hostname and the FQDN (a fully qualified domain name is the complete domain name for a specific computer, or host, on the Internet), respectively. The configuration below uses the names `puppet` and `master`; substitute your own private FQDN.

Edit the master's puppet.conf file:

```
sudo vi /etc/puppet/puppet.conf
```

It will look something like the following:

```
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
```

Delete the line with the `templatedir` option, as that option is deprecated.

Add the following two lines to the end of the [main] section (replace `master` with the private FQDN, or add the FQDN to the list; keep comments on their own lines, since a trailing `#` is not treated as a comment in puppet.conf):

```
dns_alt_names=puppet, master
certname=puppet
```

The certificate is generated automatically when you start puppetmaster:

```
sudo service puppetmaster start
```

Verify with `ls` that a new `ssl` folder has been created at `/var/lib/puppet/`. You can list the certificates with `sudo ls /var/lib/puppet/ssl/certs/` and inspect the DNS names in the master certificate with `openssl`; the output should show all of your DNS names:

```
$ sudo openssl x509 -in /var/lib/puppet/ssl/certs/puppet.pem -text | grep -i dns
DNS:master, DNS:puppet
```

### Connect from Slave/Node (Machine 2)

OS: Ubuntu 12.04

Add machine1's IP to the hosts file on machine 2:

```
sudo vi /etc/hosts
127.0.0.1 localhost
127.0.1.1 Jd-VirtualBox
192.168.171.81 master
```

Install the puppet agent:

```
sudo apt-get -y install puppet
```

#### Configure Puppet Agent

```
sudo vi /etc/puppet/puppet.conf
```

It will look like this:

```
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
```

It looks almost exactly like the Puppet master's initial configuration file. Again, delete the `templatedir` line. Then delete the [master] section and all of the lines below it.

Add the master's DNS name under an [agent] heading (add the heading at the end of the file if it is not already there) so that Puppet connects to the server (Machine1):

```
[agent]
server=master
```
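The puppet.conf edits described above for the master and for the agent are easy to get subtly wrong by hand (a leftover `templatedir`, settings landing outside `[main]`, a stray `[master]` section on an agent). The following is an added example, not code from the gist: a small line-oriented rewriter that applies exactly those edits and lets you check the result. The function names, the `settings()` helper and the embedded sample config are constructed for illustration; only the setting names (`templatedir`, `dns_alt_names`, `certname`, `server`) and the stock file layout come from the page.

```python
# Added example (not part of the original gist): apply the puppet.conf edits
# for the master and the agent programmatically.  Function names and the
# sample text are constructed; setting names come from the page.
import re

# Constructed sample: the stock Ubuntu 12.04 /etc/puppet/puppet.conf shown above.
SAMPLE_CONF = """[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
"""

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
TEMPLATEDIR_RE = re.compile(r"^\s*#?\s*templatedir\s*=")   # active or commented out


def parse_sections(text):
    """Split puppet.conf into an ordered list of (section, lines) pairs.
    Lines before the first [section] are kept under the key None."""
    sections = []
    current = (None, [])
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append(current)
            current = (m.group(1), [])
        else:
            current[1].append(line)
    sections.append(current)
    return sections


def render(sections):
    out = []
    for name, lines in sections:
        if name is not None:
            out.append("[%s]" % name)
        out.extend(lines)
    return "\n".join(out).rstrip("\n") + "\n"


def drop_templatedir(lines):
    """Remove the deprecated templatedir setting, commented or not."""
    return [l for l in lines if not TEMPLATEDIR_RE.match(l)]


def configure_master(text, certname, alt_names):
    """Master: drop templatedir, append dns_alt_names and certname to [main]."""
    result = []
    for name, lines in parse_sections(text):
        lines = drop_templatedir(lines)
        if name == "main":
            while lines and not lines[-1].strip():   # keep new keys inside [main]
                lines.pop()
            lines.append("dns_alt_names=" + ", ".join(alt_names))
            lines.append("certname=" + certname)
            lines.append("")
        result.append((name, lines))
    return render(result)


def configure_agent(text, server):
    """Agent: drop templatedir, delete [master] and everything after it,
    then point an [agent] section (existing or new) at the master."""
    result = []
    for name, lines in parse_sections(text):
        if name == "master":
            break                                   # [master] and below are dropped
        result.append((name, drop_templatedir(lines)))
    agent = next((s for s in result if s[0] == "agent"), None)
    if agent is None:
        agent = ("agent", [])
        result.append(agent)
    agent[1][:] = [l for l in agent[1] if not re.match(r"\s*server\s*=", l)]
    agent[1].append("server=" + server)
    return render(result)


def settings(text, section):
    """Return {key: value} for one section, or None if it is absent."""
    for name, lines in parse_sections(text):
        if name == section:
            pairs = (l.split("=", 1) for l in lines
                     if "=" in l and not l.lstrip().startswith("#"))
            return {k.strip(): v.strip() for k, v in pairs}
    return None


if __name__ == "__main__":
    print(configure_master(SAMPLE_CONF, "puppet", ["puppet", "master"]))
    print(configure_agent(SAMPLE_CONF, "master"))
```

Run it on a copy of the real file (read it in, write the result out) rather than in place, then diff against the original before installing it; `settings()` gives a quick assertion that `dns_alt_names` and `certname` ended up under `[main]` on the master and that the agent file has no `[master]` section left.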
The puppet agent is disabled by default. To enable it, update its default file:

```
sudo vi /etc/default/puppet
```

and change the value of START to "yes":

```
START=yes
```

Save and exit `/etc/default/puppet`.

Check the puppet version on the node:

```
$ puppet help
......
Puppet v2.7.11
```

#### Again Lock the Version on Agent

As with the Puppet master, we will want to use the apt pin feature to lock the version of the Puppet agent:

```
sudo vi /etc/apt/preferences.d/00-puppet.pref
```

Add the following lines to lock the puppet and puppet-common packages to 2.7.* (change this to match your installed version):

```
# /etc/apt/preferences.d/00-puppet.pref
Package: puppet puppet-common
Pin: version 2.7*
Pin-Priority: 501
```

Save and exit. Your Puppet version is now locked.

Start puppet:

```
sudo service puppet start
```

Note: If this is your first Puppet agent, it is recommended that you attempt to sign the certificate on the Puppet master before adding your other agents. Once you have verified that everything works properly, you can go back and add the remaining agent nodes without any hassle.

#### Sign Request On Master (Sign Slave Certificate on Master)

The first time Puppet runs on an agent node, it will send a certificate signing request to the Puppet master. Before the master will be able to communicate with and control the agent node, it must sign that particular agent node's certificate. We will describe how to check for signing requests and sign them.

```
on-master-machine1$ sudo puppet cert --list
```

If you just set up your first agent node, you will see one request. It will look something like the following, with the agent node's FQDN as the hostname:

```
"Jd-VirtualBox" (SHA256) B7:16:FD:1F:F7:1E:40:53:C1:D4:1B:3C:75:F4:7C:0B:A9:4C:1B:5D:95:2B:79:C0:09:FF:2B:F4:4A:BB:AA:EE
```

To sign a certificate request, use the `puppet cert sign` command with the hostname of the certificate you want to sign. For example:

```
on-master-machine1$ sudo puppet cert --sign Jd-VirtualBox
```

Result:

```
Notice: Signed certificate request for Jd-VirtualBox
Notice: Removing file Puppet::SSL::CertificateRequest Jd-VirtualBox at '/var/lib/puppet/ssl/ca/requests/Jd-VirtualBox.pem'
```

The Puppet master can now communicate with and control the node that the signed certificate belongs to.

If you want to sign all of the current requests, use the `--all` option, like so:

```
sudo puppet cert sign --all
```

Signing a request grants that node a catalog from the master, so before signing (and especially before `--all`) confirm that the hostname and fingerprint in the list match the node you just set up.

#### Revoke Certificates

You may want to remove a host from Puppet, or rebuild a host and then add it back to Puppet. In this case, you will want to revoke the host's certificate from the Puppet master. To do this, use the clean action:

```
sudo puppet cert clean hostname
```

#### View All Signed Requests

If you want to view all of the requests, signed and unsigned, run the following command:

```
$ sudo puppet cert list --all
+ "Jd-VirtualBox" (SHA256) B7:16:FD:1F:F7:1E:40:53:C1:D4:1B:3C:75:F4:7C:0B:A9:4C:1B:5D:95:2B:79:C0:09:FF:2B:F4:4A:BB:AA:EE
+ "puppet" (SHA1) D6:8C:47:4F:D6:BD:B3:A9:32:A7:C1:A8:47:DE:32:DA:F7:CE:86:09 (alt names: "DNS:master", "DNS:puppet")
```
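The `puppet cert list --all` output above is the master's view of which nodes are trusted, so it is worth parsing rather than eyeballing: it tells you which requests are still pending, which certificates were fingerprinted with a weak digest, and lets you compare a pending request's fingerprint against the value read on the node itself before signing it. The block below is an added example, not code from the gist. The parser, helper names and the sample output are constructed; the line format (`+ ` for signed, no prefix for pending, digest in parentheses, optional `(alt names: ...)`) is taken from the output shown on the page, and the `- ` marker for revoked certificates is an assumption based on Puppet's documented `cert list` output.

```python
# Added example (not part of the original gist): turn `puppet cert list --all`
# output into records and audit them.  Sample output and helpers are constructed.
import re
from collections import namedtuple

CertEntry = namedtuple("CertEntry", "state name digest fingerprint alt_names")

# Constructed sample in the format shown above: one pending request (no prefix),
# one signed agent certificate and the master's own certificate with alt names.
SAMPLE_OUTPUT = """\
  "new-node.example.com" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
+ "Jd-VirtualBox" (SHA256) B7:16:FD:1F:F7:1E:40:53:C1:D4:1B:3C:75:F4:7C:0B:A9:4C:1B:5D:95:2B:79:C0:09:FF:2B:F4:4A:BB:AA:EE
+ "puppet" (SHA1) D6:8C:47:4F:D6:BD:B3:A9:32:A7:C1:A8:47:DE:32:DA:F7:CE:86:09 (alt names: "DNS:master", "DNS:puppet")
"""

LINE_RE = re.compile(
    r'^(?P<flag>[+-])?\s*"(?P<name>[^"]+)"\s+\((?P<digest>\w+)\)\s+'
    r'(?P<fp>[0-9A-F]{2}(?::[0-9A-F]{2})+)'
    r'(?:\s+\(alt names:\s*(?P<alts>[^)]*)\))?\s*$'
)
# "+" signed, "-" revoked (assumed), no prefix = pending signing request
STATES = {"+": "signed", "-": "revoked", None: "pending"}


def parse_cert_list(text):
    """Parse every non-blank line; raise on anything that does not match."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        alts = re.findall(r'"DNS:([^"]+)"', m.group("alts") or "")
        entries.append(CertEntry(STATES[m.group("flag")], m.group("name"),
                                 m.group("digest"), m.group("fp"), tuple(alts)))
    return entries


def pending(entries):
    """Requests the master has not signed yet."""
    return [e for e in entries if e.state == "pending"]


def weak_digest(entries):
    """Entries whose listed fingerprint digest is weaker than SHA256 (e.g. SHA1)."""
    return [e for e in entries if e.digest.upper() != "SHA256"]


def fingerprint_matches(entries, name, expected):
    """True if the entry called `name` carries exactly `expected` (case and
    spacing insensitive), for checking a request against the node's own value."""
    wanted = expected.replace(" ", "").upper()
    return any(e.name == name and e.fingerprint == wanted for e in entries)


if __name__ == "__main__":
    entries = parse_cert_list(SAMPLE_OUTPUT)
    for e in entries:
        print("%-8s %-22s %-6s %s" % (e.state, e.name, e.digest, e.fingerprint))
    print("pending:", [e.name for e in pending(entries)])
    print("weak digest:", [e.name for e in weak_digest(entries)])
```

In practice you would feed it `sudo puppet cert list --all` captured on the master and compare each pending entry with the fingerprint the node reports for its own request (`puppet agent --fingerprint` on the node) before running `puppet cert sign` for that name.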
## Helloworld to verify master and agent setup

The puppet agent periodically checks in with the puppet master (typically every 30 minutes). At each check-in it sends facts about itself to the master and pulls a current catalog, a compiled list of resources and their desired states that are relevant to the agent, determined by the main manifest. The agent node then attempts to make the appropriate changes to reach its desired state. This cycle continues as long as the Puppet master is running and communicating with the agent nodes.

#### Manifest file

The main manifest file on the Puppet master is located at `/etc/puppet/manifests/site.pp`. Add the following lines to describe a file resource:

```puppet
file { '/tmp/Helloworld.txt':   # resource type file and filename
  ensure  => present,           # make sure it exists
  mode    => '0644',            # file permissions
  content => "Helloworld from master.\n",
}
```

You can either wait until the agent checks in with the master automatically, or restart the puppet agent on machine2/node/slave:

```
Jd-VirtualBox$ sudo service puppet restart
```

Verify the result:

```
Jd-VirtualBox$ cat /tmp/Helloworld.txt
Helloworld from master.
```