Linux, Windows, Virtualization, OpenSource & Blogging

How to Install Puppet 4.x On CentOS 7 / RHEL 7


Puppet is an open source configuration management tool that helps you to manage the configurations of hundreds of client systems from the central location. Puppet makes the admin’s life easier by reducing time spent on repetitive task and allows them to concentrate on other works, also ensures that the deployed configuration are consistent across the infrastructure.

Puppet is available for Linux, Mac, BSD, Solaris and Windows-based computer Systems, released under Apache License, written in “Ruby” language.

This guide helps you to install Puppet Server on CentOS 7 / RHEL 7.

Getting Started

Puppet 4.6 (latest) consists of,

  • A puppet-agent installs Puppet, Ruby, Factor3, Hiera3, and supporting codes.
  • A puppetserver package installs Puppet Server 2.5
  • A puppetdb package that installs PuppetDB 4 (Out of our scope)


Agent / Master

In this architecture, managed nodes run the puppet agent software,  as a background service. On another hand, one or more servers run the master application, i,e. Puppet server.

Puppet agent periodically sends facts to the puppet master and request a catalog. The master compiles and returns that particular node’s catalog, using the sources of information it has access to.

The Stand-Alone Architecture

In this architecture, each managed nodes has its copy of the configuration info and compiles its catalog.  It runs the puppet apply application, as a cron job.


Here, we will configure a puppet in master/agent architecture and will use two CentOS 7.

Puppet Master

Operating system : CentOS 7
IP Address       :
HostName         : server.itzgeek.local

Puppet client

Operating System : CentOS 7
IP Address       :
HostName         : client.itzgeek.local


Install NTP

Timings of the master and client nodes should be accurately in sync with upstream time servers because Puppet master server master will be acting as the certificate authority.

(If the time is wrong, it might mistakenly issue agent certificates from the distant past or future date, which other nodes will treat as expired.)

Install the NTP package and perform the time sync with upstream NTP servers.

#  yum -y install ntpdate
#  ntpdate
Ensure that all the nodes are in same time zone using date command. If there are any discrepancies, change it accordingly.

List the available time zones.

# timedatectl list-timezones

Set the time zone using the following command.

# timedatectl set-timezone Europe/London


Puppet architecture uses the hostname to communicate with the managed nodes, so make sure nodes can resolve the hostname each other, either setup /etc/hosts file or DNS server.

Puppet Repository

To install the puppet master/agent, we would require adding a puppet repository on the all the nodes. Get the PupperLabs repository rpm and install it.

Setup repository on both master and agent nodes.

# rpm -Uvh

Install Puppet Server

Puppet Server is the server software that runs on the puppet master node. Puppetmaster pushes the configurations to managed nodes (puppet-agent).

Install the Puppet server using below command.

# yum install -y puppetserver

Puppet server is now installed, do not start the puppet server service yet.

Configure Puppet Server

Memory Allocation (Optional)

By default, Puppet Server JVM is configured to use 2GB of memory. You can change it, depends on how much memory available on your master node; ensure that it is enough for managing all the nodes connected to it.

To change the value of memory allocation, edit the below file.

# vi /etc/sysconfig/puppetserver

Change the value shown like below.


JAVA_ARGS="-Xms2g -Xmx2g


For 512MB, use below settings.

JAVA_ARGS="-Xms512m -Xmx512m"

Start Puppet Server

Puppet Master does not require any configuration; you can simply start the puppetserver service. It will use the default settings.

The default Puppet master hostname is “puppet”, so you need to use server = puppet in the puppet-agent configuration file.

For. ex: dns_alt_names (puppet, <hostname of the server>).

If you want to change puppet master hostname, follow the below procedure.

Advanced Configurations (optional)

Here, I’m going to modify the Puppet Master settings for our requirement.

# vi /etc/puppetlabs/puppet/puppet.conf

Place the below lines. Modify it according to your environment.

dns_alt_names = server.itzgeek.local,server
certname = server.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 1h

Start and enable the Puppet Server.

# systemctl start puppetserver
# systemctl enable puppetserver


The Puppet Master listens on port 8140, so configure the firewall in such way that managed nodes can connect to the master.

# firewall-cmd --permanent --zone=public --add-port=8140/tcp
# firewall-cmd --reload

Puppet Server vs. Apache/Passenger Puppet Master

Puppet Server is now a drop-in replacement for the existing Apache/Passenger Puppet master stack. So we will not be configuring the passenger-stack here.

Install Puppet Agent

Install the puppet agent using below command.

# yum install -y puppet-agent

Puppet agent also uses some of the default settings to connect to the master node. But, we need to edit the puppet configuration file and set puppet master information.

Set “server” value as per your master node name. In my case, the server is “server.itzgeek.local” and certname is my client hostname (client.itzgeek.local).
# vi /etc/puppetlabs/puppet/puppet.conf

certname = client.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 1h

You can change the value of runinterval depends on the requirement, you can set the value in seconds; this controls how long agent should wait between the two catalog requests.

Start puppet agent on the node and make it start automatically on system boot.

# /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true


Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',

Sign the Agent Nodes Certificate on Master Server

In an agent/master deployment, an admin must approve a certificate request coming from each node so that they can fetch the configurations. Agent nodes will request certificates for the first time if they attempt to run.

Log into the puppet master server and run below command to view outstanding requests.

# /opt/puppetlabs/bin/puppet cert list

"client.itzgeek.local" (SHA256) 63:5C:F8:19:76:AE:16:A6:1C:43:12:FE:34:CE:57:EB:45:37:40:98:FF:3E:CC:FE:05:7E:AF:BF:E4:2C:31:FC

Run puppet cert sign command to sign a request.

# /opt/puppetlabs/bin/puppet cert sign client.itzgeek.local

Signing Certificate Request for:
  "client.itzgeek.local" (SHA256) 63:5C:F8:19:76:AE:16:A6:1C:43:12:FE:34:CE:57:EB:45:37:40:98:FF:3E:CC:FE:05:7E:AF:BF:E4:2C:31:FC
Notice: Signed certificate request for client.itzgeek.local
Notice: Removing file Puppet::SSL::CertificateRequest client.itzgeek.local at '/etc/puppetlabs/puppet/ssl/ca/requests/client.itzgeek.local.pem'

The puppet master can now communicate to the client machine and control the node.

If you have multiple signing requests from nodes, you can sign all the requests in one command.

# /opt/puppetlabs/bin/puppet cert sign --all

Sometimes, you may need to revoke the certificate of a particular node to readd them back.

Replace the <hostname> with your client hostname.

# /opt/puppetlabs/bin/puppet cert clean hostname

You can list all of the signed and unsigned requests. You should run on the master server. Signed requests start with “+“.

# /opt/puppetlabs/bin/puppet cert list --all

Output: I took this before signing our client (client.itzgeek.local) node.

  "client.itzgeek.local" (SHA256) 63:5C:F8:19:76:AE:16:A6:1C:43:12:FE:34:CE:57:EB:45:37:40:98:FF:3E:CC:FE:05:7E:AF:BF:E4:2C:31:FC
+ "server.itzgeek.local" (SHA256) 5B:00:F6:18:6D:DF:14:29:9A:5E:44:0D:E5:12:38:9F:6E:61:18:99:25:86:1A:5B:E4:1F:BE:3D:C3:29:D7:41 (alt names: "DNS:server.itzgeek.local", "DNS:server.itzgeek.local", "DNS:server")

Verify the Puppet Client

Once the Puppet master is signed your client certificate, run the following command on the client machine to test it.

# /opt/puppetlabs/bin/puppet agent --test

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1472165304'
Notice: Applied catalog in 0.05 seconds

Creating our first manifest

Manifest is a data file which contains client configuration’s, written in Puppet’s declarative language or a Ruby DSL. This section covers some basic manifest to create a directory as well as a file on the managed node.

Main puppet manifest file is located at /etc/puppetlabs/code/environments/production/manifests/site.pp

Now add the following lines to the manifest to create a directory on the managed node.

If the node variable is not set, this manifest will apply to all the nodes connected to the puppet master.
node 'client.itzgeek.local' { # Applies only to mentioned node; if nothing mentioned, applies to all.
file { '/tmp/puppetesttdir': # Resource type file
 ensure => 'directory', # Create as a diectory
 owner => 'root', # Ownership
 group => 'root', # Group Name
 mode => '0755', # Directory permissions

Now, run the following command on the client node to retrieve the configurations.

# /opt/puppetlabs/bin/puppet agent --test


Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1472165498'
Notice: /Stage[main]/Main/Node[client.itzgeek.local]/File[/tmp/puppetesttdir]/ensure: created
Notice: Applied catalog in 0.03 seconds

Verify that directory has been created on the managed node.

[root@client ~]# ls -ld /tmp/puppetesttdir
drwxr-xr-x. 2 root root 6 Aug 26 10:50 /tmp/puppetesttdir

Let’s do the test once again by writing the manifest for creating a file with content into it.

node 'client.itzgeek.local' { # Applies only to mentioned node; if nothing mentioned, applies to all.
file { '/tmp/puppettestfile': # Resource type file
 ensure => 'present', # Make sure it exists
 owner => 'root', # Ownership
 group => 'root', # Group Name
 mode => '0644', # File permissions
 content => "This File is created by Puppet Server"

You can go to the client machine and retrieve the catalog as shown in the previous example.

That’s All. Now, you have successfully configured puppet server and an agent. Learn more on creating manifests for puppet.


You might also like

How to Install Puppet 4.x On CentOS 7 / RHEL 7