Sunday, 19 February 2017

How to Install and Configure Puppet Master and Puppet Agent in Linux

Puppet? What is it?

If you are a system administrator or a DevOps engineer who maintains hundreds or thousands of servers, you know the pain of keeping the configuration consistent on each system. An easy way to do that is to maintain a checklist and, whenever a server is set up, ensure that every point in the checklist is ticked. But whenever a minor change has to be made to the configuration on every server, it becomes a chore: go to every server, edit the file, add the line, save the file, restart the service, and repeat. By the time you have completed the task, it will already have cost your organization a significant amount of money, time and manpower, which could have been saved with automation.

When you think about automation, and especially about maintaining a consistent configuration on hundreds or thousands of servers, one tool you should know is Puppet. Puppet is an open source configuration management tool written in Ruby. It is developed and maintained by Puppet Labs. Puppet works on Linux, Unix, Mac and Windows operating systems and their flavors, on physical servers and virtual ones alike.

In Puppet, with a few lines of code, you can have a consistent configuration on all your servers. You write the code, test it on one server and then apply that configuration to all your servers. For this, you have a centralized server, called the 'Puppet Master', which holds the information about all the servers in your infrastructure and the configurations to be applied to them. The other servers, which fetch the relevant information from the Puppet master, are known as 'Agent Nodes' or simply 'Nodes'.

In this article, we will learn how to install Puppet on the master node and on agent nodes. For this tutorial, we use the following setup:
  • Puppet Master - CentOS7 - 192.168.186.223
  • Puppet Agent Node - CentOS7 - 192.168.186.224

Installation of Puppet Master

Note: Before we proceed with the Puppet Master installation, ensure that NTP is configured properly so that the system time is set correctly.

1. Download PuppetLabs Package

To download the PuppetLabs package, use the wget command as shown below:

$ cd ~
$ wget http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

2. Install the RPM

To install the downloaded RPM, use the rpm command as shown below:

$ rpm -Uvh puppetlabs-release-el-7.noarch.rpm

3. Install Puppet Master

To install Puppet Master, use the yum command as shown below:

$ yum install puppet-server

This will install Puppet Master on your system. To verify this, you can use the rpm command as shown below:

$ rpm -qa | grep puppet-server
puppet-server-3.8.7-1.el7.noarch

The output shows the RPM package we have just installed. To check the Puppet Master version, use the puppet --version command as shown below:

$ puppet --version
3.8.7

4. Start the Puppet Master

Once we have Puppet Master installed, we can start the puppetmaster service right away.

$ service puppetmaster start
# OR
$ systemctl start puppetmaster

5. Add the service to startup

This ensures that the puppetmaster service is started on every system reboot.

$ systemctl enable puppetmaster

Installation of Puppet Agent Node

1. Download PuppetLabs Package

To download the PuppetLabs package, use the wget command as shown below:

$ cd ~
$ wget http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

2. Install the RPM

To install the downloaded RPM, use the rpm command as shown below:

$ rpm -Uvh puppetlabs-release-el-7.noarch.rpm

3. Install Puppet Agent

To install Puppet Agent, use the yum command as shown below:

$ yum install puppet

4. Configure Puppet Master in Agent Node

We have now installed the Puppet agent on a node, but it still needs to know which Puppet master to contact in order to fetch its configuration. For this, we need the FQDN (Fully Qualified Domain Name) of the Puppet master, which can either be resolved through the DNS server or added as an entry in /etc/hosts. In this case, we use the latter option.

$ cat /etc/hosts
192.168.186.223         centos-server.example.com
192.168.186.224         centos-client.example.com

Now, in the Puppet configuration file, we must specify which Puppet master the agent should contact to fetch its node-specific configuration. We do this by adding the following line to the [agent] section of /etc/puppet/puppet.conf:

$ cat /etc/puppet/puppet.conf
[agent]
    ...
    ...
    server=centos-server.example.com
    ...
    ...

5. Start the Puppet Agent

Once we have Puppet Agent installed, we can start the puppet service straight away.

$ service puppet start
# OR
$ systemctl start puppet

6. Add the service to startup

This ensures that the puppet service is started on every system reboot.

$ systemctl enable puppet

Sign the Certificates

Before a Puppet node can use the configurations present on the master, the Puppet master must sign the certificate request created for the agent node. To view the unsigned certificate requests, run the puppet cert list command on the master as below:

$ puppet cert list
  "centos-client.example.com" (SHA256) CC:E8:31:4F:2A:0F:08:36:2E:A7:52:28:B8:84:EC:3F:89:51:6A:88:EB:B4:60:99:42:18:12:CF:B7:48:6F:4A

To sign the certificate request from centos-client.example.com, run the puppet cert sign command as below:

$ puppet cert sign centos-client.example.com
Notice: Signed certificate request for centos-client.example.com
Notice: Removing file Puppet::SSL::CertificateRequest centos-client.example.com at '/var/lib/puppet/ssl/ca/requests/centos-client.example.com.pem'
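
Signing is the point at which the master starts trusting a node, so the fingerprint printed by puppet cert list should match the one the node itself reports (puppet agent --fingerprint, run on the agent). The following is an added example, not part of the original post: it compares the two values before calling puppet cert sign. The function names are hypothetical, and the sample listing is the output line shown above.

```shell
#!/bin/sh
# Added example: check a pending CSR fingerprint on the master before signing.

# Constructed sample: the `puppet cert list` line shown in this article.
SAMPLE_LISTING='  "centos-client.example.com" (SHA256) CC:E8:31:4F:2A:0F:08:36:2E:A7:52:28:B8:84:EC:3F:89:51:6A:88:EB:B4:60:99:42:18:12:CF:B7:48:6F:4A'

# Print the SHA256 fingerprint listed for certname $1; the listing is read from stdin.
csr_fingerprint() {
    awk -v name="\"$1\"" '$1 == name && $2 == "(SHA256)" { print $3 }'
}

# Strip an optional "(SHA256)" prefix, colons and spaces; upper-case the hex digits.
normalise_fp() {
    printf '%s' "$1" | sed 's/^ *(SHA256)//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# csr_matches CERTNAME EXPECTED_FP LISTING
# Returns 0 on match, 1 on mismatch, 2 if CERTNAME has no pending request.
csr_matches() {
    pending=$(printf '%s\n' "$3" | csr_fingerprint "$1")
    [ -n "$pending" ] || return 2
    [ "$(normalise_fp "$pending")" = "$(normalise_fp "$2")" ]
}

# Hypothetical wrapper for use on the master: sign only after the check passes.
# $2 is the fingerprint read on the agent and passed over a trusted channel.
sign_if_verified() {
    if csr_matches "$1" "$2" "$(puppet cert list)"; then
        puppet cert sign "$1"
    else
        echo "refusing to sign $1: fingerprint mismatch or no pending request" >&2
        return 1
    fi
}

# Demonstration on the constructed sample (does not call puppet).
if csr_matches centos-client.example.com \
    '(SHA256) CC:E8:31:4F:2A:0F:08:36:2E:A7:52:28:B8:84:EC:3F:89:51:6A:88:EB:B4:60:99:42:18:12:CF:B7:48:6F:4A' \
    "$SAMPLE_LISTING"; then
    echo "fingerprint matches, request can be signed"
fi
```

On the master, sign_if_verified centos-client.example.com "<fingerprint read on the agent>" replaces the bare puppet cert sign call.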

Now we run the puppet cert list command again to see whether anything has changed.

$ puppet cert list



There are no unsigned certificate requests now, which indicates that we have successfully configured the Puppet master and agent. You can verify this by running the puppet agent -t command on the Puppet agent node.

$ puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for centos-client.example.com
Info: Applying configuration version '1487459767'
Notice: Finished catalog run in 0.02 seconds

Common error

When you run the command puppet agent -t, you might get the error message below:

Error: Could not request certificate: Connection refused - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled

To resolve this, ensure that:
  1. Ping works from master to agent and vice versa.
  2. Port 8140 is open on the master (netstat -nltap | grep 8140).
  3. You are able to telnet to port 8140 on the master from the agent node (telnet puppet-master-ip 8140).
  4. If telnet is not working, you can add the following rule to iptables on the master: iptables -I INPUT -p tcp -m tcp --dport 8140 -j ACCEPT

