How To Install Puppet 6.x On CentOS 7 / RHEL 7
Puppet is an open source configuration management tool that helps you to manage the configurations of hundreds of client systems from the central location.
Puppet makes the admin's life easier by reducing the time spent on repetitive tasks, allowing them to concentrate on other work; it also ensures that the deployed configuration is consistent across the infrastructure.
Puppet is available for Linux, Mac, BSD, Solaris, and Windows-based systems. It is released under the Apache License and written in Ruby.
This guide helps you to install Puppet 6.x on CentOS 7 / RHEL 7.
Architecture
Agent / Master
In this architecture, managed nodes run the puppet agent software as a background service. On the other hand, one or more servers run the master application, i.e. Puppet Server.
Puppet agent periodically sends facts to the puppet master and request a catalog. The master compiles and returns that particular node’s catalog, using the sources of information it has access to.
The Stand-Alone Architecture
In this architecture, each managed node has its own copy of the configuration info and compiles its own catalog. It runs the puppet apply application as a cron job.
Environment
Here, we will configure Puppet in the server/agent architecture.
Puppet Master
Host Name: server.itzgeek.local
IP Address: 192.168.1.10
Operating System: CentOS 7.6
Puppet client
Host Name: client.itzgeek.local
IP Address: 192.168.1.20
Operating System: CentOS 7.6
Prerequisites
Install NTP
The clocks of the master and client nodes should be accurately in sync with upstream time servers, because the Puppet master will be acting as the certificate authority.
(If the time is wrong, it might mistakenly issue agent certificates from the distant past or future date, which other nodes will treat as expired.)
Install the NTP package and perform the time sync with upstream NTP servers.
yum -y install ntpdate
ntpdate 0.centos.pool.ntp.org
DNS
Puppet agent uses the hostname to communicate with the Puppet Server, so make sure agent nodes can resolve the hostname of the Puppet Server, either through the /etc/hosts file or a DNS server.
Setup Puppet Repository
To install the Puppet Server and agents, we need to add the Puppet repository on all the nodes.
rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
Install Puppet Server
Puppet Server is the server software that runs on the puppet master node. It compiles and serves the configurations (catalogs) to the managed nodes running puppet-agent.
Install the Puppet Server using the command below.
yum install -y puppetserver
Puppet Server is now installed; do not start the puppetserver service yet.
Configure Puppet Server
Memory Allocation
By default, the Puppet Server JVM is configured to use 2GB of memory. You can change it depending on how much memory is available on your master node; ensure that it is enough for managing all the nodes connected to it.
To change the memory allocation, edit the file below.
vi /etc/sysconfig/puppetserver
Change the value.
From:
JAVA_ARGS="-Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"
To:
For 512MB, use the settings below.
JAVA_ARGS="-Xms512m -Xmx512m -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"
Embedded Web Server
Puppet Server uses a Jetty-based web server embedded in the service's JVM process. You do not need to configure or enable the web server; it works out of the box and performs well under production-level loads.
The embedded web server’s settings can be modified in webserver.conf. You might need to edit this file if you are using an external CA or running Puppet Server on a non-standard port.
Puppet Configuration
Simple Configurations
Puppet Server does not require any configuration; you can just start the puppetserver service and it will use the default settings.
If you want to change the Puppet master hostname, follow the procedure below.
Advanced Configurations (optional)
Here, I am going to modify the Puppet master settings for our requirements.
vi /etc/puppetlabs/puppet/puppet.conf
Place the lines below. Modify them according to your environment.
[master]
dns_alt_names = server.itzgeek.local,server

[main]
certname = server.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 1h
Start Puppet Server
Generate a root and intermediate signing CA for Puppet Server.
puppetserver ca setup
Output:
Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca
Start and enable the Puppet Server.
systemctl start puppetserver
systemctl enable puppetserver
Firewall
The Puppet master listens on port 8140, so configure the firewall in such a way that managed nodes can connect to the master.
firewall-cmd --permanent --add-port=8140/tcp
firewall-cmd --reload
Install Puppet Agent
Install the puppet agent on your client using the below command.
yum install -y puppet-agent
Puppet agent also uses default settings to connect to the master node; however, we need to edit the puppet configuration file and set the Puppet master information.
vi /etc/puppetlabs/puppet/puppet.conf
Set it as below.
[main]
certname = client.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 1h
You can change the value of runinterval depending on your requirements. You can set the value in seconds (10 or 10s), minutes (10m), or hours (1h). This setting controls how long the agent waits between two catalog requests.
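As an added example (not part of the original post), the following POSIX shell script normalises a runinterval value to seconds, accepting the forms listed above (bare seconds, 10s, 10m, 1h) and rejecting anything else, and reads the setting from a constructed puppet.conf sample so you can sanity-check the agent's polling interval before starting the service. The helper names runinterval_to_seconds and conf_runinterval are this example's own, not part of Puppet.

```shell
#!/bin/sh
# Added example, not from the original post: normalise a Puppet
# runinterval value to seconds. Accepted forms are the ones the post
# lists: bare seconds (10), 10s, 10m, 1h. Anything else returns status 1.
runinterval_to_seconds() {
    value=$1
    # Reject empty input and any character outside digits/units
    case "$value" in
        ''|*[!0-9smh]*) return 1 ;;
    esac
    num=${value%[smh]}          # strip a trailing unit, if any
    unit=${value#"$num"}        # what was stripped ("" when bare seconds)
    case "$num" in
        ''|*[!0-9]*) return 1 ;; # no number, or a second unit letter
    esac
    case "$unit" in
        ''|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        *)    return 1 ;;
    esac
    echo $((num * mult))
}

# Print the value of the first runinterval line read from stdin
# (puppet.conf style "key = value"); prints nothing if absent.
conf_runinterval() {
    sed -n 's/^[[:space:]]*runinterval[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Constructed sample of an agent puppet.conf (mirrors the post's settings)
SAMPLE_CONF='[main]
certname = client.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 1h'

# On a real node you would use: conf_runinterval < /etc/puppetlabs/puppet/puppet.conf
if secs=$(runinterval_to_seconds "$(printf '%s\n' "$SAMPLE_CONF" | conf_runinterval)"); then
    echo "agent polls the master every $secs seconds"
else
    echo "invalid or missing runinterval in configuration" >&2
fi
```

A value such as 10x or 10ms makes the function fail rather than silently default, which is the behaviour you want from a pre-flight check of a configuration file.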
Start puppet agent on the node and make it start automatically on system boot.
puppet resource service puppet ensure=running enable=true
Output:
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}
Sign Agent Node Certificate on Master Server
In an agent/master deployment, an admin must approve the certificate request coming from each node before it can fetch its configuration. Agent nodes request a certificate the first time they attempt to run.
Log into the puppet master server and run the command below to view outstanding requests.
puppetserver ca list
Output:
client.itzgeek.local (SHA256) A6:0E:93:51:FF:53:C8:FA:63:70:72:53:B6:1E:1B:A8:49:79:37:7E:57:00:02:AE:32:44:22:BE:97:F5:08:09
Run the puppetserver ca sign command to sign a request.
puppetserver ca sign --certname client.itzgeek.local
Output:
Successfully signed certificate request for client.itzgeek.local
The puppet master can now communicate with the client machine and control the node.
If you have multiple signing requests from nodes, you can sign all the requests in one command.
puppetserver ca sign --all
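Signing every pending request with --all also approves any request you were not expecting. As an added example (not part of the original post), the following POSIX shell script splits the pending requests into those whose certname appears in an operator-maintained allowlist and those that do not, and only signs the former; the request listing is a constructed sample in the format shown above (the first fingerprint is the one from this post, the others are placeholders), and the helper name filter_requests and the SIGN variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sign only the pending
# requests whose certname is in an allowlist, instead of `ca sign --all`.

# Constructed sample of `puppetserver ca list` output, one request per
# line: "certname (SHA256) fingerprint". Replace with real output, e.g.
#   PENDING_REQUESTS=$(puppetserver ca list)
PENDING_REQUESTS='client.itzgeek.local (SHA256) A6:0E:93:51:FF:53:C8:FA:63:70:72:53:B6:1E:1B:A8:49:79:37:7E:57:00:02:AE:32:44:22:BE:97:F5:08:09
web01.itzgeek.local (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
rogue.example.net (SHA256) FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Constructed allowlist: hostnames that are expected to enrol, one per line
ALLOWED_CERTNAMES='client.itzgeek.local
web01.itzgeek.local'

# filter_requests MODE REQUESTS ALLOWLIST
# Prints the certnames from REQUESTS that are in the allowlist
# (MODE=allowed) or not in it (MODE=unexpected), one per line.
filter_requests() {
    mode=$1
    requests=$2
    allowed=$3
    printf '%s\n' "$requests" | while IFS= read -r line; do
        certname=${line%% *}              # first field is the certname
        [ -n "$certname" ] || continue    # skip blank lines
        if printf '%s\n' "$allowed" | grep -qxF -- "$certname"; then
            status=allowed
        else
            status=unexpected
        fi
        if [ "$status" = "$mode" ]; then
            printf '%s\n' "$certname"
        fi
    done
}

# Dry run by default; set SIGN=1 to actually call puppetserver.
for name in $(filter_requests allowed "$PENDING_REQUESTS" "$ALLOWED_CERTNAMES"); do
    if [ "${SIGN:-0}" = 1 ]; then
        puppetserver ca sign --certname "$name"
    else
        echo "would sign: $name"
    fi
done

# Anything not on the allowlist is left pending for an admin to look at.
for name in $(filter_requests unexpected "$PENDING_REQUESTS" "$ALLOWED_CERTNAMES"); do
    echo "unexpected request, not signed: $name" >&2
done
```

The allowlist can be generated from whatever inventory you already trust (a CMDB export, a provisioning system's list of hosts); the point is that a request from a hostname nobody provisioned stays unsigned and visible instead of being approved in bulk.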
Sometimes you may need to revoke the certificate of a particular node, for example before adding it back. Replace <AGENT_NAME> with your client hostname.
puppetserver ca revoke --certname <AGENT_NAME>
You can list all of the signed and unsigned requests with the command below.
puppetserver ca list --all
Output:
server.itzgeek.local (SHA256) 6E:90:94:6F:31:4F:8C:2A:28:90:D5:C0:6D:71:18:65:5E:86:DE:1C:16:9C:7C:30:8F:BF:DA:87:2D:F7:2C:26 alt names: ["DNS:server.itzgeek.local", "DNS:server", "DNS:server.itzgeek.local"]
client.itzgeek.local (SHA256) A6:08:36:5C:DB:73:0D:16:BA:5B:0D:72:76:FD:C7:31:DD:87:6F:EC:D4:4F:7A:87:E9:4F:73:70:D0:09:6E:61
Verify Puppet Client
Once the Puppet Server has signed your client certificate, run the following command on the client machine to test it.
puppet agent --test
Output:
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1558878523'
Notice: Applied catalog in 0.03 seconds
Creating our first manifest
A manifest is a file that describes the client's configuration, written in Puppet's declarative language or a Ruby DSL. This section covers a basic manifest to create a directory as well as a file on the managed node.
The main puppet manifest file is located at /etc/puppetlabs/code/environments/production/manifests/site.pp.
vi /etc/puppetlabs/code/environments/production/manifests/site.pp
Now add the following lines to the manifest to create a directory on the managed node.
node 'client.itzgeek.local' {        # Applies only to the mentioned node; if no node is mentioned, applies to all.
  file { '/tmp/puppetesttdir':       # Resource type file
    ensure => 'directory',           # Create as a directory
    owner  => 'root',                # Ownership
    group  => 'root',                # Group name
    mode   => '0755',                # Directory permissions
  }
}
Now, run the following command on the client node to retrieve the configurations.
puppet agent --test
Output:
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1472165498'
Notice: /Stage[main]/Main/Node[client.itzgeek.local]/File[/tmp/puppetesttdir]/ensure: created
Notice: Applied catalog in 0.03 seconds
Verify that the directory has been created on the managed node.
[root@client ~]# ls -ld /tmp/puppetesttdir
drwxr-xr-x. 2 root root 6 May 26 09:57 /tmp/puppetesttdir
Let's do the test once again by writing a manifest that creates a file with content in it.
node 'client.itzgeek.local' {        # Applies only to the mentioned node; if no node is mentioned, applies to all.
  file { '/tmp/puppettestfile':      # Resource type file
    ensure  => 'present',            # Make sure it exists
    owner   => 'root',               # Ownership
    group   => 'root',               # Group name
    mode    => '0644',               # File permissions
    content => "This File is created by Puppet Server",
  }
}
You can go to the client machine and retrieve the catalog as shown in the previous example, or the Puppet agent will periodically fetch the catalog from the Puppet Server according to the runinterval you set in the configuration file.
Conclusion
I hope you have learned how to install Puppet Server and Agent on CentOS 7 / RHEL 7. Also, you learned to create a simple manifest file to create a directory on the client node. Please share your feedback in the comments section.