Puppet: Dipping my toes in the water

A need has arisen to get to grips with Puppet, a configuration management tool aimed at simplifying the management of large clusters of servers by creating a 'template' that's then applied to multiple devices, rather than making configuration changes manually to each server.

The tutorial below is heavily drawn from Melissa Anderson's Digital Ocean tutorial here, but I tend to find writing something down helps it stick, so here goes.


You will need 3 Ubuntu 16.04 Servers, each with a non-root user with sudo privileges. I used virtual machines rather than physical hardware.


Each puppet client, known as an 'agent' needs to be able to locate the puppet master. This is done using DNS. By default a puppet agent will lookup 'puppet' so for simplicity add the IP of the master to your /etc/hosts file-

nano /etc/hosts

Add the following, editing to include the correct IP-    puppet

Configuring the Puppet Master

Firstly we will need to install the puppet repository-
curl -O
sudo dpkg -i puppetlabs-release-pc1-xenial.deb
sudo apt-get update

And then install the puppetserver package-
sudo apt-get install puppetserver

The tutorial recommends on increasing the available RAM to the puppetmaster to 3 Gb. This seems a little excessive, but OK-

Open the file-
sudo nano /etc/default/puppetserver

Edit the contents to include 3g-
JAVA_ARGS="-Xms3g -Xmx3g -XX:MaxPermSize=256m"

Start the service-
sudo systemctl start puppetserver

Check to make sure the Puppet Master is running without any issues-
sudo systemctl status puppetserver

If its running, enable it on bootup-
sudo systemctl enable puppetserver

Configuring the Puppet Agents

The following instructions will need repeating on all agents. 

We will also need to install the puppet repository on the agents-
curl -O
sudo dpkg -i puppetlabs-release-pc1-xenial.deb
sudo apt-get update

And then install the puppet package-
sudo apt-get install puppet

Start the service-
sudo systemctl start puppet

And enable it on bootup-
sudo systemctl enable puppet

Signing Agent Certificates

For security, puppet uses certificates to verify the agents are who they say they are. When a new agent contacts the master, it's necessary to verify the certificate before it can pull a configuration. There are certain ways to automate this, but for now we will do it manually.

To list all certificate requests run the following command-
sudo /opt/puppetlabs/bin/puppet cert list

You should see something like the following. If a row is prefixed with a '+' it means its already been signed-
  "sys01-puppet-agent-01" (SHA256) 25:79:4C:97:7B:19:EB:ED:C5:03:AC:7C:AA:BA:73:2D:F9:98:11:CC:74:01:F4:7B:00:84:08:CF:59:F6:28:EF
  "sys01-puppet-agent-02" (SHA256) 77:BB:A2:A3:18:EA:DC:5D:F5:78:17:8C:FA:14:67:1D:85:A8:57:4B:2E:0A:18:3B:E6:8C:2B:D3:FA:EA:F0:03

To sign a certificate you can run the command below. In a high security environment you'd want to verify the fingerprint, but for now lets just go ahead-
/opt/puppetlabs/bin/puppet cert sign sys01-puppet-agent-01

You should see the following-
Signing Certificate Request for:
  "sys01-puppet-agent-01" (SHA256) 25:79:4C:97:7B:19:EB:ED:C5:03:AC:7C:AA:BA:73:2D:F9:98:11:CC:74:01:F4:7B:00:84:08:CF:59:F6:28:EF
Notice: Signed certificate request for sys01-puppet-agent-01
Notice: Removing file Puppet::SSL::CertificateRequest sys01-puppet-agent-01 at '/etc/puppetlabs/puppet/ssl/ca/requests/sys01-puppet-agent-01.pem'

You can also sign all pending requests at once-

sudo /opt/puppetlabs/bin/puppet cert sign --all

Starting to manage the agents

Now the agents are connected and authorised we can start managing them via the puppet master. A configuration is saved in a file known as a manifest, and these files end in .pp

Lets create the default manifest-
sudo nano /etc/puppetlabs/code/environments/production/manifests/site.pp

Enter the following-
file {'/tmp/it_works.txt':                        # resource type file and filename
  ensure  => present,                             # make sure it exists
  mode    => '0644',                              # file permissions
  content => "It works on ${ipaddress_eth0}!\n",  # Print the eth0 IP fact

By default each agent will 'pull' its configuration every 30 minutes, however it's possible to force it by running the following command on an agent.
sudo /opt/puppetlabs/bin/puppet agent --test

You should see the following output-
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for sys01-puppet-agent-01
Info: Applying configuration version '1496184394'

And you can then cat /tmp/it_works.txt to verify it's worked-

root@SYS01-PUPPET-AGENT-01:/home/matthew# cat /tmp/it_works.txt 
It works on !

Note: For some reason my 'fact' hasn't substituted. This is something I will look into.

For the second agent, you can wait half an hour (or less, depending on when it last updated), and it_works.txt should work without any user input on the agent itself.


The above tutorial covers the very basics of using Puppet. A big thanks to Melissa Anderson for the original content that helped me get to grips with it.

Having studied some of the documentation and walked through the above steps,  it appears logical to use and I've not been overwhelmed by jargon or buzzwords, so far.

I currently have several VMs that are all manually managed, so I'm looking forward to using this tool to make things easier, and reproducible. 

No comments:

Post a Comment