Puppet Notes

[TOC]

Pre-Flight

  • The puppet server is puppet.example.com (CentOS 5.8 x64)
  • The puppet client is client.example.com (CentOS 6.2 x64)
  • Trying puppet 2.6+
  • The default ports are 8140 on server and 8139 on client; we
    won’t be changing this.
  • See Tweaking Puppet (and
    other notes)
    when
    you’re finished here.

On Server

yum install puppet-server

Now edit /etc/sysconfig/puppetmaster and uncomment these two lines:

PUPPETMASTER_MANIFEST=/etc/puppet/manifests/site.pp
PUPPETMASTER_LOG=syslog

The site-wide manifest is /etc/puppet/manifests/site.pp. Let’s add
this:

# Define a few test classes
class testclass1 {
  file { "/tmp/test1":
    ensure => present,
    mode   => 644,
    owner  => root,
    group  => root
  }
}
class testclass2 {
  file { "/tmp/test2":
    ensure => present,
    mode   => 700,
    owner  => nobody,
    group  => nobody
  }
}

# Every node has this file
node default {
  include testclass1
}

# This particular node is a little different
node 'client.example.com' inherits default {
  include testclass2
}

Start the puppetmaster:

service puppetmaster start

Configuring the Client

yum install puppet

Now edit /etc/sysconfig/puppet and uncomment these:

PUPPET_SERVER=puppet.example.com  
PUPPET_LOG=/var/log/puppet/puppet.log

Test your configuration by:

  • Running /etc/init.d/puppet once --verbose

  • Then tailing /var/log/puppet/puppet.log

    Thu Apr 12 13:52:12 -0500 2012 Puppet (notice): Reopening log files  
    Thu Apr 12 13:52:12 -0500 2012 Puppet (info): Creating a new SSL key for client.example.com  
    Thu Apr 12 13:52:12 -0500 2012 Puppet (info): Caching certificate for ca  
    Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Creating a new SSL certificate request for client.example.com  
    Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Certificate Request fingerprint (md5): A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6
    

You now need to sign the SSL request on the server. See the list of SSL
certificates:

[root@sauron manifests]# puppetca --list -a
  client.example.com (A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6)  
+ puppet.example.com (7A:78:B2:B8:78:F3:26:53:23:1C:6B:5D:E0:40:C6:06) (alt names: [DNS:puppet](DNS:puppet), [DNS:puppet.example.com](DNS:puppet.example.com))

A ‚Äú+‚ÄĚ sign indicates a signed certificate. Sign the request:

[root@sauron manifests]# puppetca --sign client.example.com
notice: Signed certificate request for client.example.com  
notice: Removing file Puppet::SSL::CertificateRequest client.example.com at '/var/lib/puppet/ssl/ca/requests/client.example.com.pem'

All should be well, so start the puppet service and make sure it starts
at boot (you could’ve done this with puppet!):

service puppet start  
chkconfig --level 345 puppet on

Setting up file services

I edit /etc/puppet/fileserver.conf to add this:

[files]  
 path /var/lib/puppet/files  
 allow 128.255.22.0/24

Note the [files] stub above. Created a sample file:

cd /var/lib/puppet/files  
mkdir -p etc/nikhil.conf  
echo "Testing" > etc/nikhil.conf

Now in the manifest, add this:

file { "/etc/nikhil.conf":  
    ensure => present,  
    owner => nobody,  
    group => root,  
    mode => 770  
    source => "puppet:///files/etc/nikhil.conf"  
}

You can kick the puppet to see the file created with the contents on the
server.

Note carefully that

  • You‚Äôd have to specify the puppetmaster with two slashes (e.g.
    puppet:*//*master.tld/files/nikhil.conf)
  • You could omit the master using three slashes (e.g.
    puppet:*///*files/etc/nikhil.conf)

Issues

Versioning

The puppet client version should be equal to or lower than the server
version. This one fact will save you a lot of trouble.

Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

# ON CLIENT: Remove all keys  
rm -rfv /var/lib/puppet/ssl/*  
  
# ON CLIENT: Make sure that the user puppet can write to /var/lib/puppet/ssl/  
  
# ON SERVER: Revoke all certificates signed for client  
puppetca --revoke client.example.com  
puppetca --clean client.example.com

Then try again. Should work.

Could not retrieve catalog from remote server: getaddrinfo: Name or service not known

  • Add an alias for puppet to /etc/hosts (DNS is better)
  • Add a server = puppetmaster.domain.tld to
    /etc/puppet/puppet.conf under the [main] section.

Connection refused (2) when kicking puppet

Add a listen = true to the client’s /etc/puppet/puppet.conf file.
See the Puppet Configuration Reference
for other directives.

Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST

This happens if the client runs a later version than the server. For
example, 2.6 on the server and 2.7 on the client.

Could not retrieve catalog from remote server: certificate verify failed

Make sure that the time on both server and client are in sync. Restart
the NTP service.

puppet host ‚Äúis already running‚ÄĚ

Issue with 2.6.18.274 kernels.
Update to some 2.6.18.300+ kernel and reboot.

Tweaks et al

Autosign Certificate requests

Add this to the bottom of /etc/puppet/puppet.conf on the puppetmaster:

[master]  
  autosign = true

You can also, apparently, create /etc/puppet/autosign.conf and append
the domain or CIDR for which the master will autosign.

*.example.com  
10.212.8.0/24

‚ÄėKicking‚Äô a Puppet

Clients, by default, listen on port 8139. Set up /etc/puppet/auth.conf
to have these lines:

path /run  
auth any  
method save  
allow puppet.server.com  
  
# Must be above these lines!  
path /  
auth any

Restart the puppet daemon. Now kick it from the server:

puppet kick --host client.domain.tld

An exit status of 0 is good. You can kick all clients, but will need a
LDAP.

Debugging the Client

service puppet stop  
puppet agent --listen --debug --no-daemonize --verbose

Check your manifest syntax

puppet --parseonly manifest.pp

Sources