How To Install Puppet 6.x On CentOS 7 / RHEL 7

0

Puppet is an open source configuration management tool that helps you to manage the configurations of hundreds of client systems from the central location.

Puppet makes the admin’s life easier by reducing time spent on repetitive task and allows them to concentrate on other works, also ensures that the deployed configuration are consistent across the infrastructure.

Puppet is available for Linux, Mac, BSD, Solaris, and Windows-based computer Systems, released under Apache License, written in “Ruby” language.

This guide helps you to install Puppet 6.x on CentOS 7 / RHEL 7.

Architecture

Agent / Master

In this architecture, managed nodes run the puppet agent software, as a background service. On another hand, one or more servers run the master application, i,e. Puppet server.

Puppet agent periodically sends facts to the puppet master and request a catalog. The master compiles and returns that particular node’s catalog, using the sources of information it has access to.

The Stand-Alone Architecture

In this architecture, each managed nodes has its copy of the configuration info and compiles its catalog. It runs the puppet apply application as a cron job.

Environment

Here, we will configure a puppet in Server/agent architecture.

Puppet Master

Host Name: server.itzgeek.local
IP Address: 192.168.1.10
Operating System: CentOS 7.6

Puppet client

Host Name: client.itzgeek.local
IP Address: 192.168.1.20
Operating System: CentOS 7.6

Prerequisites

Install NTP

Timings of the master and client nodes should be accurately in sync with upstream time servers because the Puppet master server master will be acting as the certificate authority.

(If the time is wrong, it might mistakenly issue agent certificates from the distant past or future date, which other nodes will treat as expired.)

Install the NTP package and perform the time sync with upstream NTP servers.

yum -y install ntpdate
ntpdate 0.centos.pool.ntp.org
Ensure that all the nodes are in same time zone using date command. If there are any discrepancies, change it accordingly.

READ: How to Change Timezone in CentOS 7 / RHEL 7

DNS

Puppet agent uses the hostname to communicate with the Puppet Server. So, make sure agent nodes can resolve the hostname of Puppet Server with the help of /etc/hosts file or DNS server.

Setup Puppet Repository

To install the Puppet Server/Agents, we would need to add puppet repository on all the nodes.

Setup Puppet’s repository on both master and agent node.
rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

Install Puppet Server

Puppet Server is the server software that runs on the puppet master node. Puppetmaster pushes the configurations to managed nodes (puppet-agent).

Install the Puppet server using below command.

yum install -y puppetserver

Puppet server is now installed, do not start the puppet server service yet.

Configure Puppet Server

Memory Allocation

By default, Puppet Server JVM is configured to use 2GB of memory. You can change it, depends on how much memory available on your master node; ensure that it is enough for managing all the nodes connected to it.

To change the value of memory allocation, edit the below file.

vi /etc/sysconfig/puppetserver

Change the value.

From:

JAVA_ARGS="-Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"

To:

For 512MB, use below settings.

JAVA_ARGS="-Xms512m -Xmx512m -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"

Embedded Web Server

Puppet Server uses a Jetty-based web server embedded in the service’s JVM process. You don not need to configure or enable the web server; it works out of the box. It performs well under production-level loads.

The embedded web server’s settings can be modified in webserver.conf. You might need to edit this file if you are using an external CA or running Puppet Server on a non-standard port.

Puppet Configuration

Simple Configurations

Puppet Server does not require any configuration. You can just start the Puppet server service. It will use the default settings.

The default Puppet Server hostname (dns_alt_names) is puppet, so you need to use server = puppet in the puppet-agent configuration file.

If you want to change puppet master hostname, follow the below procedure.

Advanced Configurations (optional)

Here, I am going to modify the Puppet Master settings for our requirement.

vi /etc/puppetlabs/puppet/puppet.conf

Place the below lines. Modify it according to your environment.

[master]
dns_alt_names = server.itzgeek.local,server

[main]
certname = server.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 1h

Start Puppet Server

Generate a root and intermediate signing CA for Puppet Server.

puppetserver ca setup

Output:

Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca
If you get puppetserver: command not found, run source /etc/profile.d/puppet-agent.sh in the terminal or log out from the current session and log in back.

Start and enable the Puppet Server.

systemctl start puppetserver
systemctl enable puppetserver

Firewall

The Puppet Master listens on port 8140, so configure the firewall in such way that managed nodes can connect to the master.

firewall-cmd --permanent --add-port=8140/tcp
firewall-cmd --reload

Install Puppet Agent

Install the puppet agent on your client using the below command.

yum install -y puppet-agent

Puppet agent also uses some of the default settings to connect to the master node. However, we need to edit the puppet configuration file and set puppet master information.

Set server value as per your master node name. In my case, the server is server.itzgeek.local, and certname is my client hostname (client.itzgeek.local).
vi /etc/puppetlabs/puppet/puppet.conf

Set like below.

[main]
certname = client.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 1h

You can change the value of runinterval depends on the requirement. You can set the value in seconds (10 or 10s), minutes (10m) and hours (1h). This setting controls how long the agent should wait between the two catalog requests.

Start puppet agent on the node and make it start automatically on system boot.

puppet resource service puppet ensure=running enable=true

Output:

Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}
If you get puppet: command not found, run source /etc/profile.d/puppet-agent.sh in the terminal or log out from the current session and log in back.

Sign Agent Node Certificate on Master Server

In an agent/master deployment, an admin must approve a certificate request coming from each node so that they can fetch the configurations. Agent nodes will request certificates for the first time if they attempt to run.

Log into the puppet master server and run below command to view outstanding requests.

puppetserver ca list

Output:

client.itzgeek.local   (SHA256)  A6:0E:93:51:FF:53:C8:FA:63:70:72:53:B6:1E:1B:A8:49:79:37:7E:57:00:02:AE:32:44:22:BE:97:F5:08:09

Run puppet cert sign command to sign a request.

puppetserver ca sign --certname client.itzgeek.local

Output:

Successfully signed certificate request for client.itzgeek.local

The puppet master can now communicate to the client machine and control the node.

If you have multiple signing requests from nodes, you can sign all the requests in one command.

puppetserver ca sign --all

Sometimes, you may need to revoke the certificate of a particular node to readd them back.

Replace the <hostname> with your client hostname.

puppetserver ca revoke --certname <AGENT_NAME>

You can list all of the signed and unsigned requests with the below command.

puppetserver ca list --all

Output:

server.itzgeek.local   (SHA256)  6E:90:94:6F:31:4F:8C:2A:28:90:D5:C0:6D:71:18:65:5E:86:DE:1C:16:9C:7C:30:8F:BF:DA:87:2D:F7:2C:26    alt names: ["DNS:server.itzgeek.local", "DNS:server", "DNS:server.itzgeek.local"]
client.itzgeek.local   (SHA256)  A6:08:36:5C:DB:73:0D:16:BA:5B:0D:72:76:FD:C7:31:DD:87:6F:EC:D4:4F:7A:87:E9:4F:73:70:D0:09:6E:61

Verify Puppet Client

Once the Puppet Server has signed your client certificate, run the following command on the client machine to test it.

puppet agent --test

Output:

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1558878523'
Notice: Applied catalog in 0.03 seconds

Creating our first manifest

Manifest is a data file which contains client configuration’s, written in Puppet’s declarative language or a Ruby DSL. This section covers some basic manifest to create a directory as well as a file on the managed node.

Main puppet manifest file is located at /etc/puppetlabs/code/environments/production/manifests/site.pp.

vi /etc/puppetlabs/code/environments/production/manifests/site.pp

Now add the following lines to the manifest to create a directory on the managed node.

If the node variable is not set, this manifest will apply to all the nodes connected to the puppet master.
node 'client.itzgeek.local' { # Applies only to mentioned node; if nothing mentioned, applies to all.
file { '/tmp/puppetesttdir': # Resource type file
 ensure => 'directory', # Create as a diectory
 owner => 'root', # Ownership
 group => 'root', # Group Name
 mode => '0755', # Directory permissions
}
}

Now, run the following command on the client node to retrieve the configurations.

puppet agent --test

Output:

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1472165498'
Notice: /Stage[main]/Main/Node[client.itzgeek.local]/File[/tmp/puppetesttdir]/ensure: created
Notice: Applied catalog in 0.03 seconds

Verify that directory has been created on the managed node.

[root@client ~]# ls -ld /tmp/puppetesttdir
drwxr-xr-x. 2 root root 6 May 26 09:57 /tmp/puppetesttdir

Let’s do the test once again by writing the manifest for creating a file with content into it.

node 'client.itzgeek.local' { # Applies only to mentioned node; if nothing mentioned, applies to all.
file { '/tmp/puppettestfile': # Resource type file
 ensure => 'present', # Make sure it exists
 owner => 'root', # Ownership
 group => 'root', # Group Name
 mode => '0644', # File permissions
 content => "This File is created by Puppet Server"
}
}

You can go to the client machine and retrieve the catalog as shown in the previous example or the Puppet agent will periodically get the manifest from Puppet Server depending upon the runinterval you set in the configuration file.

Conclusion

I hope you have learned how to install Puppet Server and Agent on CentOS 7 / RHEL 7. Also, you learned to create a simple manifest file to create a directory on the client node. Please share your feedback in the comments section.

You might also like