When you think of a configuration management tool, the one that pops up in your mind is Puppet. Puppet is an open source configuration management tool that helps you deploy and manage the configuration of hundreds of client systems from a central location.
Puppet makes the system admin’s life easier by cutting down the time spent on repetitive tasks, freeing them for other productive work, and ensures that configurations are consistent across the infrastructure.
Puppet is available for Linux, Mac, BSD, Solaris, and Windows-based computer systems. It is released under the Apache License and written in Ruby.
This guide helps you to install Puppet Server on Ubuntu 18.04 / Ubuntu 16.04 & Debian 9.
Architecture
Agent / Master
In this architecture, one or more servers run the puppet master application, and the puppet agent application runs on the managed nodes (client servers), usually as a background service.
The puppet agent sends facts to the puppet master and requests a catalog at a set interval. The puppet master compiles and returns that particular node’s catalog, using the sources of information it has access to.
Stand-Alone Architecture
In this architecture, the client node runs the puppet apply application, usually as a cron job.
Environment
Here, we will configure Puppet in the master/agent architecture and use two systems, as mentioned below.
Puppet Master
Host Name: server.itzgeek.local
IP Address: 192.168.1.10
Puppet client
Host Name: client.itzgeek.local
IP Address: 192.168.1.20
Prerequisites
Install NTP
Time must be set accurately on a puppet master as it will be acting as a certificate authority to sign the certificates coming from the client nodes. We will use NTP for this purpose.
Install the NTP package and perform the time sync with upstream NTP servers.
sudo apt update
sudo apt install -y ntp ntpdate
sudo ntpdate -u 0.ubuntu.pool.ntp.org
Timezone
Ensure that all the nodes are in the same time zone. Check the current setting with:
date
Output:
Tue Sep 4 22:28:34 EDT 2018
If there are any discrepancies, change it accordingly. List the available time zones.
timedatectl list-timezones
Set the time zone using the following command.
sudo timedatectl set-timezone America/New_York
DNS
Puppet agent uses the hostname to communicate with the Puppet Server, so make sure the agent node can resolve the hostname of the Puppet Server. Either set up the /etc/hosts file or a DNS server.
/etc/hosts File:
sudo nano /etc/hosts
Add a host entry similar to the below line.
192.168.1.10 server.itzgeek.local server
Setup PuppetLabs repository
To install the puppet master/agent, we need to set up the Puppet repository on all nodes.
### Ubuntu 18.04 ###
wget https://apt.puppetlabs.com/puppet6-release-bionic.deb
sudo dpkg -i puppet6-release-bionic.deb
sudo apt update

### Ubuntu 16.04 ###
wget https://apt.puppetlabs.com/puppet6-release-xenial.deb
sudo dpkg -i puppet6-release-xenial.deb
sudo apt update

### Debian 9 ###
wget https://apt.puppetlabs.com/puppet6-release-stretch.deb
sudo dpkg -i puppet6-release-stretch.deb
sudo apt update
On Ubuntu 18.04, enable the universe repository, which contains packages necessary for Puppet Server.
Install Puppet Server
Puppet Server is the server software that runs on the puppet master node. Install Puppet Server using the below command.
sudo apt install -y puppetserver
Puppet Server is now installed; do not start the puppetserver service yet.
Configure Puppet Server
Memory Allocation (Optional)
By default, the Puppet Server JVM is configured to use 2GB of RAM. You can customize the memory usage depending on how much memory your master node has; ensure that it is enough for managing all the nodes connected to it.
To change the value of memory allocation, edit the below file.
sudo nano /etc/default/puppetserver
Change the value shown like below.
From:
JAVA_ARGS="-Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"
To:
For 512MB, use the below settings.
JAVA_ARGS="-Xms512m -Xmx512m -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"
Puppet Configuration
Simple Configurations
Puppet Server does not require any configuration, and you can simply start the puppetserver service. It will use the default settings.
For example: dns_alt_names (puppet, <hostname of the server>).
Advanced Configurations (Optional)
Here, I’m going to modify the Puppet Server settings for our requirement.
sudo nano /etc/puppetlabs/puppet/puppet.conf
Place the below lines. Modify it according to your environment.
[master]
dns_alt_names = server.itzgeek.local,server
[main]
certname = server.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 15m
Start Puppet Server
Generate a root and intermediate signing CA for Puppet Server.
sudo /opt/puppetlabs/bin/puppetserver ca setup
Output:
Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca
Start and enable the Puppet Server.
sudo systemctl start puppetserver
sudo systemctl enable puppetserver
Install Puppet Agent
Set up the Puppet repository on your agent node as shown earlier, and then install the puppet agent using the below command.
sudo apt install -y puppet-agent
Puppet agent also uses some of the default settings to connect to the master node. But, we need to edit the puppet configuration file and set puppet master information.
sudo nano /etc/puppetlabs/puppet/puppet.conf
[main]
certname = client.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 15m
You can change the value of runinterval depending on your requirements. It controls how long an agent waits between two catalog requests.
Start puppet agent on the node and make it start automatically on system boot.
sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
You would get an output like below.
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}
Sign Agent Node Certificate on Master Server
In an agent/master deployment, an admin must approve a certificate request for each agent node before that node can fetch configurations. Agent nodes request certificates the first time they attempt to run.
Log into the puppet master server and run the below command to view outstanding requests.
sudo /opt/puppetlabs/bin/puppetserver ca list
Output:
Requested Certificates:
    client.itzgeek.local (SHA256) 07:B1:57:5B:DE:AF:9F:4A:DF:4A:D1:CD:C4:2A:F9:9F:D9:76:CD:C5:F1:60:09:9C:B4:BA:76:D6:7B:3C:6F:0D
Run the below command to sign a request.
sudo /opt/puppetlabs/bin/puppetserver ca sign --certname client.itzgeek.local
Output:
Successfully signed certificate request for client.itzgeek.local
To sign all the certificate signing requests in one command.
sudo /opt/puppetlabs/bin/puppetserver ca sign --all
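Signing, and --all in particular, accepts whatever certname a request claims, so compare each pending fingerprint with the one read on the agent itself (sudo /opt/puppetlabs/bin/puppet agent --fingerprint) before signing. The script below is an added example, not part of the original guide: the allowlist file format, the verified_requests helper and the web01/unknown hosts with their shortened fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print certnames from `puppetserver ca list` output (stdin) whose SHA256
# fingerprint equals the one recorded for that certname in allowlist file $1.
# Allowlist format is an assumption of this example: "<certname> <fingerprint>".
verified_requests() {
    awk -v allow="$1" '
        FILENAME == allow { if (NF >= 2) want[$1] = toupper($2); next }
        $2 == "(SHA256)" {
            if (($1 in want) && want[$1] == toupper($3)) print $1
            else print "not signing (unknown or mismatch): " $1 > "/dev/stderr"
        }
    ' "$1" -
}

# Fingerprint of client.itzgeek.local's request as listed on this page.
FP_CLIENT="07:B1:57:5B:DE:AF:9F:4A:DF:4A:D1:CD:C4:2A:F9:9F:D9:76:CD:C5:F1:60:09:9C:B4:BA:76:D6:7B:3C:6F:0D"

demo() {
    allow=$(mktemp) || return 1
    # Constructed allowlist: values an admin noted on each agent beforehand.
    printf '%s\n' "client.itzgeek.local $FP_CLIENT" \
                  "web01.itzgeek.local 11:22:33:44" > "$allow"
    # Constructed `ca list` output: one match, one mismatch, one unknown host.
    verified_requests "$allow" <<EOF
Requested Certificates:
    client.itzgeek.local   (SHA256)  $FP_CLIENT
    web01.itzgeek.local    (SHA256)  AA:BB:CC:DD
    unknown.itzgeek.local  (SHA256)  DE:AD:BE:EF
EOF
    rm -f "$allow"
}

demo   # stdout: client.itzgeek.local

# On the master, the same filter can drive the signing command from this guide:
#   sudo /opt/puppetlabs/bin/puppetserver ca list | verified_requests allow.txt |
#   while read -r name; do
#       sudo /opt/puppetlabs/bin/puppetserver ca sign --certname "$name"
#   done
```

Requests that are unknown or whose fingerprint differs are reported on stderr and left pending for manual review.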
In some cases, you may need to revoke the certificate of a particular node in order to re-add it. Replace <AGENT_NAME> with your client hostname.
sudo /opt/puppetlabs/bin/puppetserver ca revoke --certname <AGENT_NAME>
List all of the signed and unsigned requests. Run this on the master server.
sudo /opt/puppetlabs/bin/puppetserver ca list --all
Output:
Signed Certificates:
    server.itzgeek.local (SHA256) E5:A4:93:45:EF:82:3B:FF:6E:36:D2:9A:F0:75:15:67:94:33:06:2F:84:9F:D1:45:CE:C6:1C:86:D4:57:B8:25 alt names: ["DNS:server.itzgeek.local", "DNS:server", "DNS:server.itzgeek.local"]
    client.itzgeek.local (SHA256) AB:3B:F0:D0:62:69:50:DD:50:45:CE:AD:A5:2C:4F:9E:EB:19:D6:C6:9C:34:A3:C5:CD:84:8F:BA:50:04:4A:D0
Verify Puppet Agent
Once the Puppet master has signed your client certificate, run the following command on the client machine to test it.
sudo /opt/puppetlabs/bin/puppet agent --test
Output:
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1558888335'
Notice: Applied catalog in 0.02 seconds
Create manifest
A manifest is a data file that contains client configurations, written in Puppet’s declarative language or a Ruby DSL. This section covers a basic manifest that creates a directory as well as a file on the client machine.
The main Puppet manifest file is located in the /etc/puppetlabs/code/environments/production/manifests directory. Create a new manifest file.
sudo nano /etc/puppetlabs/code/environments/production/manifests/site.pp
Now add the following lines to the manifest to create a directory on the client node.
node 'client.itzgeek.local' { # Applies only to mentioned node. If nothing mentioned, applies to all.
  file { '/tmp/puppetdir': # Resource type file
    ensure => 'directory', # Create as a directory
    owner  => 'root', # Ownership
    group  => 'root', # Group Name
    mode   => '0755', # Directory permissions
  }
}
Now, run the following command on the client node to retrieve the configurations.
sudo /opt/puppetlabs/bin/puppet agent --test
Output:
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for client.itzgeek.local
Info: Applying configuration version '1558888460'
Notice: /Stage[main]/Main/Node[client.itzgeek.local]/File[/tmp/puppetdir]/ensure: created
Notice: Applied catalog in 0.16 seconds
Verify that the directory has been created on the client node.
ls -ld /tmp/puppetdir/
Output:
drwxr-xr-x 2 root root 4096 May 26 22:03 /tmp/puppetdir/
Let’s write a manifest that creates a file with content in it.
node 'client.itzgeek.local' { # Applies only to mentioned node. If nothing mentioned, applies to all.
  file { '/tmp/puppetfile': # Resource type file
    ensure  => 'present', # Make sure it exists
    owner   => 'root', # Ownership
    group   => 'root', # Group Name
    mode    => '0644', # File permissions
    content => "This File is created by Puppet Server", # Content of the file
  }
}
You can go to the client machine and retrieve the catalog as shown in the previous example, or wait 15 minutes for the agent to apply the catalog automatically.
Conclusion
I hope this post helped you to install Puppet Server on Ubuntu 18.04 / Ubuntu 16.04 & Debian 9. Please share your feedback in the comments section.