Install Puppet On CentOS 8 / RHEL 8

Puppet is an open-source configuration management tool that helps us to automate IT infrastructure, including provisioning, configuration management, patching of hundreds of client systems from the central location.

Puppet is available for Linux, Mac, BSD, Solaris, and Windows operating systems. It is written in the Ruby language and released under the Apache License.

This guide helps you to install Puppet on CentOS 8 / RHEL 8.

Architecture

Puppet uses an agent-master architecture. In this architecture, managed nodes run the Puppet agent software as a background service, while one or more servers run the master application, i.e. Puppet Server.

The Puppet agent periodically sends facts to the Puppet master and requests a catalog. The master compiles and returns that particular node's catalog, using the sources of information it has access to.

Environment

Here, we will configure Puppet in a server/agent architecture.

Puppet Master

Host Name: puppetserver.techlabzone.local

IP Address: 192.168.100.10

Operating System: CentOS 8

Puppet client

Host Name: client.techlabzone.local

IP Address: 192.168.100.20

Operating System: CentOS 8

Prerequisites

Install & Configure NTP

The clocks of the master and client nodes should be accurately synchronised with an NTP server, because the Puppet Server will be acting as the certificate authority and certificate validity is checked against the local time.

DNS

The Puppet agent uses the hostname to communicate with the Puppet Server, so make sure agent nodes can resolve the Puppet Server's hostname, either through the /etc/hosts file or a DNS server.

Install & Configure Puppet Server

Puppet Server is the server software that runs on the master node. Puppet Server controls the configurations of managed nodes (puppet-agent).

Add Repository

To install Puppet Server, first add the Puppet repository by installing the repository configuration package.

rpm -Uvh https://yum.puppet.com/puppet6-release-el-8.noarch.rpm

Install Puppet

Install the Puppet server using the below command.

yum install -y puppetserver

Memory Allocation

By default, Puppet Server is configured to use 2GB of memory. You can change the memory allocation based on the number of nodes connected to it.

For this demo, I will allocate 512MB of memory.

To change the value of memory allocation, edit the below file.

vi /etc/sysconfig/puppetserver

Change the value.

From:

JAVA_ARGS="-Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"

To:

For 512MB, use the below settings.

JAVA_ARGS="-Xms512m -Xmx512m -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"

Configure Puppet Server

Puppet's configuration file has two sections, [master] and [main], for the Puppet server and the Puppet agent respectively.

vi /etc/puppetlabs/puppet/puppet.conf

Modify the file according to your environment. Puppet agents can use any of the hostnames listed in dns_alt_names to connect to the Puppet server.

# Puppet Server Configuration
[master]
dns_alt_names = puppetserver,puppetserver.techlabzone.local

# Puppet Agent Configuration
[main]
certname = puppetserver.techlabzone.local
server = puppetserver.techlabzone.local
runinterval = 30m

Start Puppet Server

Generate the root and intermediate signing CA for Puppet Server.

puppetserver ca setup
Output:

Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca
If you get "puppetserver: command not found", run source /etc/profile.d/puppet-agent.sh in the terminal, or log out of the current session and log back in.

Start and enable the Puppet Server.

systemctl start puppetserver

systemctl enable puppetserver

Firewall

Puppet Server listens on port 8140, so configure the firewall to allow agents to connect to the master.

firewall-cmd --permanent --add-port=8140/tcp

firewall-cmd --reload

Install & Configure Puppet Agent

Add Repository

To install the Puppet agent, we would need to add the puppet repository on all the nodes.

rpm -Uvh https://yum.puppet.com/puppet6-release-el-8.noarch.rpm

Install Agent

Install the puppet agent on your client using the below command.

dnf install -y puppet-agent

Edit the puppet configuration file and set the Puppet server information.

Set the server value to your Puppet server's hostname. In my case, the server is puppetserver.techlabzone.local and certname is my client hostname (client.techlabzone.local).

vi /etc/puppetlabs/puppet/puppet.conf

Set like below.

[main]
server = puppetserver.techlabzone.local
certname = client.techlabzone.local
runinterval = 30m

You can change the value of runinterval depending on your requirements. This setting controls how long the agent waits between two catalog requests. You can set the value in seconds (10 or 10s), minutes (10m), or hours (1h).
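To check that an agent's puppet.conf is consistent with the master's before the first run, here is a small added validator (my own example, not part of this guide or of Puppet): it confirms that the agent's server value is one of the names the master certificate will carry (its certname plus dns_alt_names) and that runinterval uses the units listed above. The two embedded configs are constructed copies of the files shown in this guide.

```python
import configparser
import re

# Constructed copies of the two puppet.conf files from this guide, embedded so
# the check runs offline: the master's (certname + dns_alt_names) and the agent's.
MASTER_CONF = """\
[master]
dns_alt_names = puppetserver,puppetserver.techlabzone.local
[main]
certname = puppetserver.techlabzone.local
server = puppetserver.techlabzone.local
runinterval = 30m
"""
AGENT_CONF = """\
[main]
server = puppetserver.techlabzone.local
certname = client.techlabzone.local
runinterval = 30m
"""
# Units the guide lists for runinterval: bare seconds, s, m and h.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}


def runinterval_seconds(value):
    """Convert '10', '10s', '30m' or '1h' to seconds; raise ValueError otherwise."""
    m = re.fullmatch(r"\s*(\d+)\s*([smh]?)\s*", value)
    if not m:
        raise ValueError("unparseable runinterval: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def check_agent_against_master(master_conf, agent_conf):
    """Return a list of findings (empty list means the agent config is consistent)."""
    master, agent = configparser.ConfigParser(), configparser.ConfigParser()
    master.read_string(master_conf)
    agent.read_string(agent_conf)
    findings = []
    # Names the master certificate will carry: its certname plus every dns_alt_name.
    names = {master["main"]["certname"].strip()}
    names.update(n.strip() for n in master["master"].get("dns_alt_names", "").split(",") if n.strip())
    server = agent["main"].get("server", "").strip()
    if server not in names:  # the agent's TLS hostname check would fail against this name
        findings.append("server=%r is not among the master names %s" % (server, sorted(names)))
    certname = agent["main"].get("certname", "").strip()
    if "." not in certname:
        findings.append("certname=%r is not a fully qualified hostname" % certname)
    try:
        runinterval_seconds(agent["main"].get("runinterval", "30m"))
    except ValueError as exc:
        findings.append(str(exc))
    return findings
```

Run check_agent_against_master on the real files (read from /etc/puppetlabs/puppet/puppet.conf on each host) and fix any finding before running puppet agent -t.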

Start the Puppet agent on the node and make it start automatically at system boot.

puppet resource service puppet ensure=running enable=true
Output:

Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure   => 'running',
  enable   => 'true',
  provider => 'systemd',
}
If you get "puppet: command not found", run source /etc/profile.d/puppet-agent.sh in the terminal, or log out of the current session and log back in.

Sign Agent Node Certificate on Master Server

We must approve the certificate request coming from each node. Agent nodes request a certificate the first time they run.

Run the command below on the agent node to make the initial connection. You can ignore the warnings/errors at this stage, since the certificate has not yet been signed.

puppet agent -t

Log in to the Puppet server and run the command below to view outstanding requests.

puppetserver ca list
Output:

Requested Certificates:
    client.techlabzone.local       (SHA256)  06:D8:8E:AE:CA:0B:B1:E7:90:B5:B9:1B:75:3C:95:69:D8:EF:27:0A:5D:CC:45:BB:15:34:64:D2:6B:2C:CA:98

Run the puppetserver ca sign command to sign a request.

puppetserver ca sign --certname client.techlabzone.local
Output:

Successfully signed certificate request for client.techlabzone.local

The Puppet server can now communicate with the client machine and manage the node.

If you have multiple signing requests from nodes, you can sign all the requests in one command.

puppetserver ca sign --all

Sometimes you may need to revoke the certificate of a particular node, for example when it is decommissioned.

Replace AGENT_NAME with your client hostname.

puppetserver ca revoke --certname AGENT_NAME

You can list all of the signed and unsigned requests with the below command.

puppetserver ca list --all
Output:

Signed Certificates:
    puppetserver.techlabzone.local       (SHA256)  E6:2C:6C:1E:9B:C6:AA:D9:84:09:F3:67:45:1B:36:C6:1F:FC:46:5F:92:64:37:19:E3:74:0C:0D:29:D5:C5:F6  alt names: ["DNS:puppetserver.techlabzone.local", "DNS:puppetserver", "DNS:puppetserver.techlabzone.local"]  authorization extensions: [pp_cli_auth: true]
    client.techlabzone.local             (SHA256)  EF:D8:1A:F2:E9:56:A3:1F:DA:A9:8D:9B:71:02:D8:52:F1:44:98:92:A7:5F:DE:FF:5F:55:37:97:EC:9C:9A:96

Verify Puppet Client

Once the Puppet Server has signed your client certificate, run the following command on the client machine to test it.

puppet agent --test
Output:

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for client.techlabzone.local
Info: Applying configuration version '1591351483'
Notice: Applied catalog in 0.01 seconds