Puppet is a system for automating system administration tasks. To learn more about Puppet, please go to their site:
http://reductivelabs.com/trac/puppet
This article will be an outline of the installation and basic configuration of Puppet for both server and clients.
This portion of the document outlines both server and client installation.
The server, what we call 'puppetmaster.example.com', needs the 'puppetmasterd' service running. Generally this is provided as a separate package. The following outlines the appropriate commands necessary to install the Puppet server software on both Redhat EL, and Debian/Ubuntu.
Redhat Enterprise Linux:
Redhat Enterprise Linux does not have Puppet in the standard base channels. However, since the inception of EPEL (Extra Packages for Enterprise Linux) you can subscribe to a Fedora/Epel repo and install via Yum/Up2date just the same.
You can find a list of Fedora mirrors here: http://fedoraproject.org/get-fedora. Note that you want to find an appropriate EPEL repo for your OS and Architecture. The following assumes that you are running EL5.
[root@linuxbox ~]# touch /etc/yum.repos.d/epel-5.repo
Add the following to '/etc/yum.repos.d/epel-5.repo':
[epel-5]
name=Red Hat Enterprise Linux $releasever - $basearch - EPEL
baseurl=http://linux.nssl.noaa.gov/epel/5Server/x86_64
enabled=1
gpgcheck=0
Note: I set gpgcheck=0 to not check for a GPG signature. You probably don't want to do this on a production box. A proper way to perform these updates is to 'rpm --import' the GPG key from the repo you are using.
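To find repo definitions left in the state described in the note above, the following added example (not part of the original article) lists every enabled section of a .repo file that explicitly sets gpgcheck=0 and reports whether its baseurl is plain HTTP. The second stanza and its mirror URL are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): list enabled yum repo
# sections that explicitly disable package signature checking.

audit_repo() {
    # $1: path to a .repo file; prints one line per risky section
    awk '
        function report(   transport) {
            if (section != "" && enabled == "1" && gpgcheck == "0") {
                transport = (baseurl ~ /^http:/) ? "plaintext-http" : "other"
                printf "%s gpgcheck=0 transport=%s\n", section, transport
            }
        }
        /^[ \t]*[#;]/ { next }                      # skip comments
        /^[ \t]*\[.*\][ \t]*$/ {                    # new [section]
            report()
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            enabled = "1"; gpgcheck = ""; baseurl = ""   # yum enables repos by default
            next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "baseurl") baseurl = val
        }
        END { report() }
    ' "$1"
}

# Constructed sample input: the stanza from this page plus a signed repo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[epel-5]
name=Red Hat Enterprise Linux $releasever - $basearch - EPEL
baseurl=http://linux.nssl.noaa.gov/epel/5Server/x86_64
enabled=1
gpgcheck=0

[example-signed]
baseurl=https://mirror.example.invalid/el5
gpgcheck=1
EOF
audit_repo "$sample"
rm -f "$sample"
```

A section with no gpgcheck line is not reported, because it inherits the value from the [main] section of yum.conf.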
Once you have the repo added, you can simply install the package.
[root@linuxbox ~]# yum install puppet-server
Note: Fedora Core likely has puppet and puppet-server in the Extras repo. Therefore you can simply run the above command without adding any 3rd party repos.
Once the packages are installed, you may wish to set 'enabled=0' in the repo config to avoid conflicts with production RHN repos.
Debian/Ubuntu:
Debian/Ubuntu require that you add a 'Universe' repository. Once a 'Universe' repo is added, you can simply run the following commands:
[root@linuxbox ~]# apt-get update
[root@linuxbox ~]# apt-get install puppetmaster
That's it.
Client installation is just the same as the server, but the package is just 'puppet'.
Redhat Enterprise Linux:
[root@linuxbox ~]# yum install puppet
Debian/Ubuntu:
[root@linuxbox ~]# apt-get update
[root@linuxbox ~]# apt-get install puppet
This portion of the document outlines basic configuration enabling the server and clients to communicate.
The first thing you want to do is ensure that the server daemon is configured to run on startup, and also that it is currently running:
Redhat/Fedora
[root@puppetmaster ~]# chkconfig puppetmaster on
[root@puppetmaster ~]# /etc/init.d/puppetmaster start
Debian/Ubuntu
[root@puppetmaster ~]# update-rc.d puppetmaster start 99 2 3 4 5 . stop 20 0 1 6 .
[root@puppetmaster ~]# /etc/init.d/puppetmaster start
Redhat/Fedora
Add the following to '/etc/puppet/puppet.conf' under the '[puppetd]' block section:
server = puppetmaster.example.com
Debian/Ubuntu
Add the following to '/etc/puppet/puppetd.conf' under the '[puppetd]' block section:
server = puppetmaster.example.com
Note: Replace 'puppetmaster.example.com' with the hostname or IP of your Puppet server.
The client auto-generates a certificate for use. The first time that puppetd is run, it will attempt to authenticate with that certificate. Upon failure, puppetd (the client) will wait for a predetermined amount of time and then continue trying. However, the first time puppetd is run the certificate is sent to the server where it must be signed.
Run puppetd on the client... do so in the foreground so you can watch:
[root@puppetclient ~]# puppetd --debug --no-daemonize
You will likely receive a lot of output, and then finally will get the following message:
notice: Did not receive certificate
This is expected since puppetd (the client) is waiting for a signed certificate from the server before it can fully communicate.
Let's go back to the server.
On the server you need to sign the new client certificate. You should see the unsigned certificate with the following command:
[root@puppetmaster ~]# puppetca --list
puppetclient.example.com
You can now sign the certificate:
[root@puppetmaster ~]# puppetca --sign puppetclient.example.com
Signed puppetclient.example.com
Good? Good.
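Signing is the step where the server decides to trust a client, so it helps to compare the pending list with the hosts you actually expect to enrol. The following added example (not part of the original article) does that comparison. The inventory file and the host names other than puppetclient.example.com are hypothetical, and it assumes 'puppetca --list' prints one hostname per line as shown above.

```shell
#!/bin/sh
# Added example (not from the original article): compare pending requests
# with a list of hosts you expect to enrol before running puppetca --sign.

triage_requests() {
    # stdin: pending hostnames, one per line (assumed `puppetca --list` format)
    # $1:    inventory file, one expected FQDN per line (hypothetical file)
    inventory=$1
    while IFS= read -r line; do
        host=$(printf '%s\n' "$line" | awk '{ print tolower($1) }')
        [ -n "$host" ] || continue
        case $host in
            *[!a-z0-9.-]*)
                echo "HOLD $host (unexpected characters)"
                continue ;;
        esac
        if grep -Fxiq -- "$host" "$inventory"; then
            echo "SIGN $host"
        else
            echo "HOLD $host (not in inventory)"
        fi
    done
}

# Constructed sample data; on a real server use:
#   puppetca --list | triage_requests /path/to/inventory
inv=$(mktemp)
printf '%s\n' puppetclient.example.com web01.example.com > "$inv"
printf '%s\n' puppetclient.example.com rogue.example.net | triage_requests "$inv"
rm -f "$inv"
```

Only names reported as SIGN are passed to 'puppetca --sign'; anything reported as HOLD is investigated first.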
You should now be able to rerun puppetd and see proper connectivity:
[root@puppetclient ~]# puppetd --debug --no-daemonize
You should see something similar to:
notice: Starting catalog run
This means that the certificate was verified and that the 'catalog' or tasks for that client have begun pulling down from the server.
At the end of the run, you will see something similar to the following:
notice: Finished catalog run in 93.65 seconds
The Client and Server are now communicating properly.
At this point you can stop the process running in the foreground, and run it properly:
[root@puppetclient ~]# /etc/init.d/puppet start
This will run puppetd in the background.