Install and Configure Puppet on CentOS 7 / RHEL 7

This tutorial is for an old version of Puppet Master; some links are broken and may not work as expected. A newer version is available here: How to Install Puppet 4.x On CentOS 7 / RHEL 7.

Puppet is a free and open-source configuration management tool that helps you centrally deploy and manage the configuration of hundreds of client systems. It is available for GNU/Linux, Mac, BSD, Solaris and Windows-based systems, is released under the Apache License, and is written in Ruby. This guide helps you install Puppet on CentOS 7 / RHEL 7.

Puppet’s Architecture:

Agent / Master:

In this architecture, one or more servers run the puppet master application, usually as a Rack application managed by a web server (such as Apache with Passenger), and the puppet agent application runs on the client servers, usually as a background service.


Periodically, puppet agent will send facts to the puppet master and request a catalog. The master will compile and return that node’s catalog, using several sources of information it has access to.

The Stand-Alone Architecture:

In this architecture, the client servers run the puppet apply application (a self-contained combination of the puppet master and puppet agent applications), usually as a scheduled task or cron job.

Environment:

Here, I will show you how to configure Puppet in the master / agent architecture. In this tutorial, I will use the two CentOS 7 systems listed below.

Puppet Master:

Operating system : CentOS 7 Minimal
IP Address       : 192.168.12.10
HostName         : server.itzgeek.local

Puppet client:

Operating System : CentOS 7 Minimal
IP Address       : 192.168.12.20
HostName         : client.itzgeek.local

Prerequisites:

Configure EPEL repository on CentOS 7 / RHEL 7.

Make sure the Puppet server and the client can resolve each other's hostname, either through the /etc/hosts file or a DNS server.

For a production-ready Puppet setup, we use Apache with Passenger. To get Passenger, download its repo file and place it in /etc/yum.repos.d/.

Note: Only on the master server.

[root@server ~]# curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo

To install the Puppet master / agent, the Puppet repository must be set up on all nodes. Enable the Puppet Labs repository by installing the rpm below.

Note: Run it on both master and agent nodes.

# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

Install and Configure Puppet on CentOS 7:

Now it's time to install Puppet. Install the Puppet server using the command below.

[root@server ~]# yum -y install puppet-server

As said earlier, we will configure Puppet for the master / agent architecture, so this node acts as the master node. Edit the Puppet configuration file and set dns_alt_names (and certname) in the [main] section.

[root@server ~]# vi /etc/puppet/puppet.conf

[main]
dns_alt_names = server,server.itzgeek.local
certname = server.itzgeek.local

If this machine is the only Puppet master in your environment, run the command below to create the CA and the Puppet master certificate.

[root@server ~]# puppet master --verbose --no-daemonize

Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 81:C6:BB:8B:1D:71:4C:64:E1:13:54:1B:EC:CF:99:D8:85:90:D1:6C:E8:85:50:3E:03:41:BA:C5:47:A7:4C:E5
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for server.itzgeek.local
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for server.itzgeek.local
Info: Certificate Request fingerprint (SHA256): FF:BE:D4:9B:E4:12:83:79:AE:BE:50:17:76:5F:F5:CD:5F:53:EA:5D:AA:5D:87:9E:7C:C4:BC:1B:8A:C6:FA:5C
Notice: server.itzgeek.local has a waiting certificate request
Notice: Signed certificate request for server.itzgeek.local
Notice: Removing file Puppet::SSL::CertificateRequest server.itzgeek.local at '/var/lib/puppet/ssl/ca/requests/server.itzgeek.local.pem'
Notice: Removing file Puppet::SSL::CertificateRequest server.itzgeek.local at '/var/lib/puppet/ssl/certificate_requests/server.itzgeek.local.pem'
Notice: Starting Puppet master version 3.8.3

Once you see "Notice: Starting Puppet master version <VERSION>", press Ctrl-C to stop the process.

Configure a Production-Ready Web Server:

Puppet comes with a basic built-in puppet master web server, but it cannot handle real-life loads. We must configure a production-quality web server before we start managing our nodes with Puppet. Install Apache and the packages needed to build the Passenger module:

[root@server ~]# yum -y install httpd httpd-devel mod_ssl ruby-devel rubygems gcc gcc-c++ pygpgme curl

Install Passenger and its Apache module.

[root@server ~]# yum install -y mod_passenger

Create three directories for the application (a parent directory, a "public" directory and a "tmp" directory), copy the ext/rack/config.ru file shipped with Puppet into the parent directory, and set the ownership of the config.ru file.

[root@server ~]# mkdir -p /usr/share/puppet/rack/puppetmasterd
[root@server ~]# mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
[root@server ~]# cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
[root@server ~]# chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru

Add a virtual host for Puppet by creating the configuration file below.

[root@server ~]# vi /etc/httpd/conf.d/puppetmaster.conf

Add the content below to the virtual host file, changing the certificate and key file names (server.itzgeek.local.pem) to match your certname. CentOS 7 ships Apache 2.4, so also uncomment SSLCARevocationCheck chain if you want revoked agent certificates to be rejected, as the comment in the file explains.

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol             ALL -SSLv2 -SSLv3
        SSLCipherSuite          EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        SSLHonorCipherOrder     on

        SSLCertificateFile      /var/lib/puppet/ssl/certs/server.itzgeek.local.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/server.itzgeek.local.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile   /var/lib/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
        # SSLCARevocationCheck chain
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Restart Apache so the Puppet virtual host takes effect; to do that, run the following command in the terminal.

[root@server ~]# systemctl restart httpd.service

Disable the puppet service and enable Apache to start automatically on system boot.

[root@server ~]# systemctl disable puppet.service
[root@server ~]# systemctl enable httpd.service
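Before restarting Apache it is worth confirming that every file the virtual host references is actually in place, since a missing certificate file stops httpd from starting at all. The script below is an added example, not part of the original tutorial: it reads certname from the [main] section of puppet.conf, checks that every SSL*File path in puppetmaster.conf exists and is non-empty, and checks that SSLCertificateFile is the certificate issued for that certname; the two config paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original tutorial): preflight check for the
# Passenger-backed puppet master. It reads certname from [main] in puppet.conf,
# then checks every SSL*File path in puppetmaster.conf exists and is non-empty,
# and that SSLCertificateFile is the certificate issued for that certname.

# puppet_conf_value FILE SECTION KEY -> prints the value, nothing if unset.
# Handles "key = value" and "key=value", skips comments, stops at next section.
puppet_conf_value() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { hit = ($1 == want); next }
        hit && index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# vhost_pem_paths VHOST -> one path per line for each SSL*File directive
vhost_pem_paths() {
    awk '$1 ~ /^SSL(Certificate|CertificateKey|CertificateChain|CACertificate|CARevocation)File$/ { print $2 }' "$1"
}

# preflight PUPPET_CONF VHOST_CONF -> 0 if Apache will find every file it needs
preflight() {
    conf=$1; vhost=$2; rc=0
    certname=$(puppet_conf_value "$conf" main certname)
    if [ -z "$certname" ]; then
        echo "certname is not set in [main] of $conf" >&2
        return 1
    fi
    for p in $(vhost_pem_paths "$vhost"); do
        if [ -s "$p" ]; then
            echo "ok       $p"
        else
            echo "MISSING  $p (was 'puppet master --verbose --no-daemonize' run?)" >&2
            rc=1
        fi
    done
    # Agents verify the master against certname, so Apache must serve the
    # certificate the Puppet CA issued for that name, not some other one.
    case $(awk '$1 == "SSLCertificateFile" { print $2 }' "$vhost") in
        */certs/"$certname".pem) ;;
        *) echo "SSLCertificateFile does not match certname $certname" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage on the master:
#   preflight /etc/puppet/puppet.conf /etc/httpd/conf.d/puppetmaster.conf
```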

Firewall:

Puppet listens on port 8140; configure the firewall to allow it.

[root@server ~]# firewall-cmd --zone=public --add-port=8140/tcp --permanent
[root@server ~]# firewall-cmd --reload

Install Puppet on Agent Nodes:

On your client machine, install the Puppet agent using the command below.

Note: You must have puppet repository configured on the agent nodes.

[root@client ~]# yum -y install puppet

Edit the Puppet configuration file and set the Puppet master's hostname in the [agent] section.

Note: Modify the "server" value to match your environment. In my case, the server is "server.itzgeek.local".

[root@client ~]# vi /etc/puppet/puppet.conf

[agent]
server = server.itzgeek.local

Start Puppet on the agent node and enable it to start automatically on system boot.

[root@client ~]# systemctl start puppet.service
[root@client ~]# systemctl enable puppet.service

You should see the events below in the logs; the last line is expected, because the master has not yet signed the agent's certificate request.

Oct 21 05:46:45 client systemd: Starting Puppet agent...
Oct 21 05:46:46 client systemd: Started Puppet agent.
Oct 21 05:47:03 client systemd: Reloading.
Oct 21 05:49:10 client puppet-agent[2694]: Did not receive certificate

Sign the Agent Node’s Certificate on Master Server:

In an agent/master deployment, an admin must approve a certificate request for each agent node before that node can fetch configurations. Agent nodes will request certificates the first time they attempt to run.

Log in to the Puppet master server and run the command below to view outstanding requests.

[root@server ~]# puppet cert list

"client.itzgeek.local" (SHA256) D4:88:EC:C5:0A:F7:5D:4E:32:C5:B3:61:E0:51:7B:0C:CD:B3:49:9E:68:0B:E7:5D:75:19:1D:0B:92:8A:E7:C1

Run puppet cert sign <name> to sign a request, or puppet cert sign --all to sign all pending requests.

[root@server ~]# puppet cert sign client.itzgeek.local

Notice: Signed certificate request for client.itzgeek.local
Notice: Removing file Puppet::SSL::CertificateRequest client.itzgeek.local at '/var/lib/puppet/ssl/ca/requests/client.itzgeek.local.pem'
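The name in a request is chosen by whoever sent it, so before signing it is good practice to compare the fingerprint shown by puppet cert list with one reported out of band from the agent itself (for example from puppet agent --fingerprint on the agent). The script below is an added example, not part of the original tutorial: it parses the puppet cert list output for the pending request, compares fingerprints ignoring case and colons, and only then calls puppet cert sign; the sample listing in the comments is constructed from the fingerprints shown on this page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sign an agent's request only
# when the fingerprint shown by `puppet cert list` matches the one reported out
# of band from the agent, so a request that merely carries the expected name
# is not signed.

# pending_fingerprint LISTING NAME -> prints the SHA256 fingerprint of the
# pending request for NAME from `puppet cert list` output given as text, e.g.
#   "client.itzgeek.local" (SHA256) D4:88:EC:C5:...
# Already-signed entries start with "+" and revoked ones with "-", so their
# first field is not the quoted name and they are skipped.
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v name="\"$2\"" '
        $1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# norm FP -> uppercase hex without colons, so "d4:88..." and "D488..." compare equal
norm() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# verify_request LISTING NAME EXPECTED -> 0 when the pending request for NAME
# carries EXPECTED, 1 on mismatch, 2 when no request for NAME is pending
verify_request() {
    actual=$(pending_fingerprint "$1" "$2")
    if [ -z "$actual" ]; then
        echo "no pending request for $2" >&2
        return 2
    fi
    if [ "$(norm "$actual")" != "$(norm "$3")" ]; then
        echo "fingerprint mismatch for $2: listed $actual, expected $3" >&2
        return 1
    fi
    echo "fingerprint for $2 verified"
}

# sign_verified NAME EXPECTED -> on the master: list, verify, then sign
sign_verified() {
    listing=$(puppet cert list) || return 2
    verify_request "$listing" "$1" "$2" && puppet cert sign "$1"
}
```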

Run the following command on the client machine to fetch the signed certificate and verify the setup with a test run.

[root@client ~]# puppet agent -t

Info: Caching certificate for client.itzgeek.local
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for client.itzgeek.local
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1445401911'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.09 seconds

That's all. You have now successfully configured a Puppet master and an agent. Next, it's time to create manifests (client configurations). Stay tuned.


  • Miguel Martínez

    Hi, my friend! I followed all of your manual's steps, but on my CentOS 7 server this configuration doesn't work. When I run this command, "puppet cert list", I don't see anything in the terminal... What's happening?

    For more information: the puppet server and puppet client can ping each other.

    You can see my system configuration:

    Server:
    _____________________________________________________________
    IP: 192.168.3.200
    HOSTNAME: server.local

    *********/etc/puppet/puppet.conf***************
    [main]
    dns_alt_names = localhost,server.local
    certname = server.local

    # The Puppet log directory.
    # The default value is ‘$vardir/log’.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is ‘$vardir/run’.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is ‘$confdir/ssl’.
    ssldir = $vardir/ssl

    [agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion. Can be loaded in
    # the separate “puppet“ executable using the “–loadclasses“
    # option.
    # The default value is ‘$confdir/classes.txt’.

    ********/etc/puppet/puppet.conf*****************
    Agent
    _____________________________________________________________

    IP: 192.168.3.200
    HOSTNAME: client.local

    **********/etc/puppet/puppet.conf****************

    [main]
    # The Puppet log directory.
    # The default value is ‘$vardir/log’.

    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is ‘$vardir/run’.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is ‘$confdir/ssl’.
    ssldir = $vardir/ssl

    [agent]
    server=server.local
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion. Can be loaded in
    # the separate “puppet“ executable using the “–loadclasses“
    # option.
    # The default value is ‘$confdir/classes.txt’.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is ‘$confdir/localconfig’.
    localconfig = $vardir/localconfig

    **********/etc/puppet/puppet.conf****************

    I await your answer, thanks

    • anonymous

      Please check whether the web service is running on the puppet server, and check the audit log for SELinux.

      • Miguel Martínez

        Hi!! Thanks a lot for your comment!!! Now I see this problem in my Apache web server:

        systemctl status httpd
        —————————————————————————————————-
        “httpd.service – The Apache HTTP Server
        Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
        Active: failed (Result: exit-code) since vie 2016-02-26 16:04:32 CET; 6min ago
        Docs: man:httpd(8)
        man:apachectl(8)
        Process: 1963 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
        Process: 1962 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
        Main PID: 1962 (code=exited, status=1/FAILURE)

        feb 26 16:04:32 server.local systemd[1]: Starting The Apache HTTP Server…
        feb 26 16:04:32 server.local httpd[1962]: AH00526: Syntax error on line 16 of /etc/httpd/conf.d/puppetmaster.conf:
        feb 26 16:04:32 server.local httpd[1962]: SSLCertificateFile: file ‘/var/lib/puppet/ssl/certs/server.local.pem’ does not exist or is empty
        feb 26 16:04:32 server.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
        feb 26 16:04:32 server.local kill[1963]: kill: cannot find process “”
        feb 26 16:04:32 server.local systemd[1]: httpd.service: control process exited, code=exited status=1
        feb 26 16:04:32 server.local systemd[1]: Failed to start The Apache HTTP Server.
        feb 26 16:04:32 server.local systemd[1]: Unit httpd.service entered failed state.
        feb 26 16:04:32 server.local systemd[1]: httpd.service failed.

        ————————————————————————————————

        You can see “Failed to start The Apache HTTP ”

        Then I thought: where is the problem? Then I ran this amazing command:

        apachectl configtest :

        “AH00526: Syntax error on line 16 of /etc/httpd/conf.d/puppetmaster.conf:
        SSLCertificateFile: file ‘/var/lib/puppet/ssl/certs/server.local.pem’ does not exist or is empty”

        Then:

        # ls -l /var/lib/puppet/ssl/certs/

        -rw-r--r--. 1 puppet puppet 1948 feb 20 21:26 ca.pem

        Where is the .pem file for my server (server.local.pem)? I suppose I need to regenerate this file.... but how?

        Thanks a lot for your help!!

        • Raj

          Hi,

          The SSL should have been generated when you ran this command, mentioned in the article:

          puppet master --verbose --no-daemonize

          location: /var/lib/puppet/ssl/

          • Miguel Martínez

            Hi Raj, I ran this command before but it didn't work.
            Now all is working fine!!!! Thank you for your support.
            I'll continue with your guide.

  • Abhinit

    Hi,

    I also followed these steps to install/configure Puppet with Passenger but it’s not working.

    The error I get on my client server is below:

    ~~~~~~~~~~

    Error: Could not retrieve catalog from remote server: Error 500 on SERVER:

    We’re sorry, but something went wrong (500)

    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }

    .dialog {

    width: 25em;

    padding: 0 4em;

    margin: 4em auto 0 auto;

    border: 1px solid #ccc;

    border-right-color: #999;

    border-bottom-color: #999;

    }

    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }

    #operator_info_panel {

    width: 27em;

    ~~~~~~~~~~

    I googled a bit and found out that ‘rack’ is not starting up with Apache.

    [root@server ~]# ps -ef | grep -i rack

    root 12618 12600 0 02:13 pts/1 00:00:00 grep --color=auto -i rack

    [root@server ~]#

    I tried the below, but control didn't return:

    [root@server ~]# rackup /usr/share/puppet/rack/puppetmasterd/config.ru

    [2016-02-21 02:07:24] INFO WEBrick 1.3.1

    [2016-02-21 02:07:24] INFO ruby 2.0.0 (2014-11-13) [x86_64-linux]

    [2016-02-21 02:07:24] INFO WEBrick::HTTPServer#start: pid=12394 port=9292

    Any help is appreciated..

    • anonymous

      To isolate the issue, try not configuring Rack/Passenger. Just go with the built-in puppet web server.

      • Abhinit

        Hello,

        Thanks a lot for your reply.

        I did the same: I configured the Puppet server without Passenger/Rack, and it worked okay. The issue, I think, is with the Apache web server starting up Passenger/Rack.

        I also tried to start rack manually with rackup, but it didn’t work.

  • Bal

    Hi,

    I tried to follow the Puppet installation here, but it looks like the Puppet packages no longer exist.

    Rgds.

    Bal

    • Yes, Bal. I'm going to update / create a new tutorial on it. It will be released soon.
