Puppet is an open-source configuration management tool that automates IT infrastructure tasks, including provisioning, configuration management, and patching of hundreds of client systems from a central location.
Puppet is available for Linux, Mac, BSD, Solaris, and Windows operating systems. It is written in Ruby and released under the Apache License.
This guide helps you to install Puppet on CentOS 8 / RHEL 8.
Architecture
Puppet is configured in an agent-master architecture. In this architecture, managed nodes run the Puppet agent software as a background service, while one or more servers run the master application, i.e. Puppet Server.
The Puppet agent periodically sends facts to the Puppet master and requests a catalog. The master compiles and returns that particular node's catalog, using the sources of information it has access to.
Environment
Here, we will configure Puppet in a server/agent architecture.
Puppet Master
Host Name: puppetserver.techlabzone.local
IP Address: 192.168.100.10
Operating System: CentOS 8
Puppet client
Host Name: client.techlabzone.local
IP Address: 192.168.100.20
Operating System: CentOS 8
Prerequisites
Install & Configure NTP
The clocks of the master and client nodes should be kept accurately in sync with an NTP server, because the Puppet server acts as the certificate authority and certificate validity depends on correct time.
DNS
The Puppet agent uses the hostname to communicate with the Puppet Server. So, make sure agent nodes can resolve the hostname of the Puppet Server with the help of /etc/hosts file or DNS server.
Install & Configure Puppet Server
Puppet Server is the server software that runs on the master node. Puppet Server controls the configurations of managed nodes (puppet-agent).
Add Repository
To install the Puppet Server, we would need to add the puppet repository by installing the repository configuration package.
rpm -Uvh https://yum.puppet.com/puppet6-release-el-8.noarch.rpm
Install Puppet
Install the Puppet server using the below command.
yum install -y puppetserver
Memory Allocation
By default, Puppet Server is configured to use 2GB of memory. You can change the memory allocation based on the number of nodes connected to it.
For this demo, I will allocate 512MB of memory.
To change the value of memory allocation, edit the below file.
vi /etc/sysconfig/puppetserver
Change the value.
From:
JAVA_ARGS="-Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"
To:
For 512MB, use the below settings.
JAVA_ARGS="-Xms512m -Xmx512m -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"
Configure Puppet Server
The Puppet configuration file consists of two sections, [master] and [main], for the Puppet server and agent respectively.
vi /etc/puppetlabs/puppet/puppet.conf
Modify the file according to your environment. Puppet agents can use any of the hostnames listed in dns_alt_names to connect to the Puppet server.
# Puppet Server Configuration
[master]
dns_alt_names = puppetserver,puppetserver.techlabzone.local

# Puppet Agent Configuration
[main]
certname = puppetserver.techlabzone.local
server = puppetserver.techlabzone.local
runinterval = 30m
Start Puppet Server
Generate the root and intermediate signing CA for Puppet Server.
puppetserver ca setup
Output: Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca
Start and enable the Puppet Server.
systemctl start puppetserver
systemctl enable puppetserver
Firewall
The Puppet server listens on port 8140, so configure the firewall to allow agents to connect to the master.
firewall-cmd --permanent --add-port=8140/tcp
firewall-cmd --reload
Install & Configure Puppet Agent
Add Repository
To install the Puppet agent, we would need to add the puppet repository on all the nodes.
rpm -Uvh https://yum.puppet.com/puppet6-release-el-8.noarch.rpm
Install Agent
Install the puppet agent on your client using the below command.
dnf install -y puppet-agent
Edit the puppet configuration file and set the Puppet server information.
Set server value as per your Puppet server hostname. In my case, the server is puppetserver.techlabzone.local and certname is my client hostname (client.techlabzone.local).
vi /etc/puppetlabs/puppet/puppet.conf
Set like below.
[main]
server = puppetserver.techlabzone.local
certname = client.techlabzone.local
runinterval = 30m
You can change the value of runinterval depending on your requirements. This setting controls how long the agent waits between two catalog requests. You can set the value in seconds (10 or 10s), minutes (10m), or hours (1h).
Start puppet agent on the node and make it start automatically on system boot.
puppet resource service puppet ensure=running enable=true
Output:
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure   => 'running',
  enable   => 'true',
  provider => 'systemd',
}
Sign Agent Node Certificate on Master Server
We must approve the certificate request coming from each node. Agent nodes request a certificate the first time they run.
Run the below command on the agent node to make an initial connection. You can ignore the warnings/errors.
puppet agent -t
Log into the Puppet server and run the below command to view outstanding requests.
puppetserver ca list
Output:
Requested Certificates:
    client.techlabzone.local       (SHA256)  06:D8:8E:AE:CA:0B:B1:E7:90:B5:B9:1B:75:3C:95:69:D8:EF:27:0A:5D:CC:45:BB:15:34:64:D2:6B:2C:CA:98
Run the puppetserver ca sign command to sign a request.
puppetserver ca sign --certname client.techlabzone.local
Output: Successfully signed certificate request for client.techlabzone.local
The Puppet server can now communicate to the client machine and control the node.
If you have multiple signing requests from nodes, you can sign all the requests in one command.
puppetserver ca sign --all
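Signing with --all trusts every pending request, so before signing it is worth comparing the fingerprint shown by puppetserver ca list with the one the agent reports locally (puppet agent --fingerprint on the node). The following shell functions are an added example, not part of the original guide: they parse the ca list output format shown above (the listing below is a constructed sample, including one unexpected host) and only report a match for a request in the "Requested Certificates" section whose fingerprint equals the value obtained out of band.

```shell
#!/bin/bash
# Added example: check a pending CSR fingerprint before signing it.
# Assumes the "puppetserver ca list" output format shown in this guide;
# SAMPLE_CA_LIST is a constructed sample, not live output.
SAMPLE_CA_LIST='Requested Certificates:
    client.techlabzone.local       (SHA256)  06:D8:8E:AE:CA:0B:B1:E7:90:B5:B9:1B:75:3C:95:69:D8:EF:27:0A:5D:CC:45:BB:15:34:64:D2:6B:2C:CA:98
    unexpected.techlabzone.local   (SHA256)  AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
Signed Certificates:
    puppetserver.techlabzone.local (SHA256)  E6:2C:6C:1E:9B:C6:AA:D9:84:09:F3:67:45:1B:36:C6:1F:FC:46:5F:92:64:37:19:E3:74:0C:0D:29:D5:C5:F6'

# Normalise a fingerprint for comparison: drop colons and spaces, upper-case.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# Print the fingerprint of a *pending* request for the given certname.
# Only the "Requested Certificates:" section is searched; already signed
# certificates are ignored. Returns 1 if no pending request has that name.
pending_fingerprint() {
  certname=$1; listing=$2
  fp=$(printf '%s\n' "$listing" | awk -v name="$certname" '
    /^Requested Certificates:/ { in_req = 1; next }
    /^[A-Za-z].*Certificates:/ { in_req = 0 }
    in_req && $1 == name && $2 == "(SHA256)" { print $3; exit }')
  [ -n "$fp" ] || return 1
  printf '%s\n' "$fp"
}

# Compare the pending fingerprint with the one read out of band on the agent
# (e.g. from "puppet agent --fingerprint"). Returns 0 on match, 1 on mismatch
# or when there is no pending request for that certname.
verify_request() {
  certname=$1; expected=$2; listing=$3
  actual=$(pending_fingerprint "$certname" "$listing") || return 1
  [ "$(norm_fp "$actual")" = "$(norm_fp "$expected")" ]
}

# Usage on the master, with the live listing instead of the sample:
#   verify_request client.techlabzone.local "$AGENT_FP" "$(puppetserver ca list)" \
#     && puppetserver ca sign --certname client.techlabzone.local
```

The comparison is case-insensitive and ignores colons, so a fingerprint copied from the agent in either format can be passed as the expected value.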
Sometimes, you may need to revoke the certificate of a particular node.
Replace <AGENT_NAME> with your client hostname.
puppetserver ca revoke --certname <AGENT_NAME>
You can list all of the signed and unsigned requests with the below command.
puppetserver ca list --all
Output:
Signed Certificates:
    puppetserver.techlabzone.local (SHA256)  E6:2C:6C:1E:9B:C6:AA:D9:84:09:F3:67:45:1B:36:C6:1F:FC:46:5F:92:64:37:19:E3:74:0C:0D:29:D5:C5:F6
        alt names: ["DNS:puppetserver.techlabzone.local", "DNS:puppetserver", "DNS:puppetserver.techlabzone.local"]
        authorization extensions: [pp_cli_auth: true]
    client.techlabzone.local       (SHA256)  EF:D8:1A:F2:E9:56:A3:1F:DA:A9:8D:9B:71:02:D8:52:F1:44:98:92:A7:5F:DE:FF:5F:55:37:97:EC:9C:9A:96
Verify Puppet Client
Once the Puppet Server has signed your client certificate, run the following command on the client machine to test it.
puppet agent --test
Output:
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for client.techlabzone.local
Info: Applying configuration version '1591351483'
Notice: Applied catalog in 0.01 seconds