Puppet: Basic Configuration for Client / Server Connectivity
This portion of the document outlines the basic configuration that enables the server and clients to communicate.
Server Configuration
The first thing you want to do is ensure that the server daemon is configured to run on startup, and also that it is currently running:
Redhat/Fedora
[root@puppetmaster ~]# chkconfig puppetmaster on
[root@puppetmaster ~]# /etc/init.d/puppetmaster start
Debian/Ubuntu
[root@puppetmaster ~]# update-rc.d puppetmaster start 99 2 3 4 5 . stop 20 0 1 6 .
[root@puppetmaster ~]# /etc/init.d/puppetmaster start
Client Configuration
Redhat/Fedora
Add the following to '/etc/puppet/puppet.conf' under the '[puppetd]' block section:
server = puppetmaster.example.com
Debian/Ubuntu
Add the following to '/etc/puppet/puppetd.conf' under the '[puppetd]' block section:
server = puppetmaster.example.com
Note: Replace 'puppetmaster.example.com' with the hostname or IP of your Puppet server.
Generate Client Certificate Request
The client automatically generates a certificate for its own use. The first time puppetd runs, it sends that certificate to the server, where it must be signed, and attempts to authenticate with it. Until the certificate is signed the attempt fails; puppetd (the client) waits a predetermined amount of time and then tries again.
Run puppetd on the client, in the foreground so you can watch:
[root@puppetclient ~]# puppetd --debug --no-daemonize
You will likely receive a lot of output, and then finally will get the following message:
notice: Did not receive certificate
This is expected since puppetd (the client) is waiting for a signed certificate from the server before it can fully communicate.
Let's go back to the server.
Signing the Client Certificate
On the server you need to sign the new client certificate. You should see the unsigned certificate with the following command:
[root@puppetmaster ~]# puppetca --list
puppetclient.example.com
You can now sign the certificate:
[root@puppetmaster ~]# puppetca --sign puppetclient.example.com
Signed puppetclient.example.com
Good? Good.
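Signing a request gives that host a trusted identity on the puppetmaster, so it helps to compare the pending list against the hosts you actually expect before running 'puppetca --sign'. The following is an added example, not part of the original page: the function names, the inventory file and the sample hostnames are assumptions made for illustration, and the pending list is assumed to have one certname per line as in the output shown above.

```shell
#!/bin/sh
# Added example: vet pending certificate requests before signing them.
# stdin : output of `puppetca --list` (certname is the first field of each line)
# $1    : inventory file of hosts you expect to enrol, one per line (hypothetical)

# Print "sign <name>" or "hold <name>" for every pending request.
classify_requests() {
    awk '
        NF == 0 { next }                          # skip blank lines
        { name = tolower($1) }                    # hostnames are case-insensitive
        mode == "want" { expected[name] = 1; next }
        # Hold anything that does not look like a plain hostname.
        name !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/ { print "hold " name; next }
        (name in expected) { print "sign " name; next }
        { print "hold " name }                    # unknown host: needs a human
    ' mode=want "$1" mode=pending -
}

# Print only the certnames that are safe to sign.
names_to_sign() {
    classify_requests "$1" | sed -n 's/^sign //p'
}

# Constructed sample of `puppetca --list` output (not real data).
sample_pending() {
    printf '%s\n' 'puppetclient.example.com' 'Web01.example.com' \
                  'rogue.example.net' 'bad/../name'
}

# Offline demonstration using the constructed sample and a temporary inventory.
demo() {
    inv=$(mktemp) || return 1
    printf '%s\n' 'puppetclient.example.com' 'web01.example.com' > "$inv"
    sample_pending | classify_requests "$inv"
    rm -f "$inv"
}
demo

# Real use on the puppetmaster, with the commands from this page
# (/root/expected-clients.txt is a hypothetical path):
#   puppetca --list | names_to_sign /root/expected-clients.txt |
#       while read -r n; do puppetca --sign "$n"; done
```

Anything reported as "hold" stays unsigned until someone confirms where the request came from.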
Verify Client Connectivity
You should now be able to rerun puppetd and see proper connectivity:
[root@puppetclient ~]# puppetd --debug --no-daemonize
You should see something similar to:
notice: Starting catalog run
This means that the certificate was verified and that the 'catalog', or set of tasks, for that client is now being pulled down from the server.
At the end of the run, you will see something similar to the following:
notice: Finished catalog run in 93.65 seconds
Conclusion
The Client and Server are now communicating properly.
At this point you can stop the process running in the foreground, and run it properly:
[root@puppetclient ~]# /etc/init.d/puppet start
This will run puppetd in the background.