# Puppet Notes

[TOC]

## Pre-Flight

• The puppet server (master) is puppet.example.com (CentOS 5.8 x64)
• The puppet client (agent) is client.example.com (CentOS 6.2 x64)
• These notes were written against Puppet 2.6+
• The defaults are port 8140 on the server and port 8139 on the client (the agent only opens 8139 when listen = true is set, see ‘Kicking’ a Puppet below); we won’t be changing this.
• See Tweaks et al (and other notes) when you’re finished here.

## On Server

yum install puppet-server


Now edit /etc/sysconfig/puppetmaster and uncomment these two lines:

PUPPETMASTER_MANIFEST=/etc/puppet/manifests/site.pp
PUPPETMASTER_LOG=syslog


The site-wide manifest is /etc/puppet/manifests/site.pp. Let’s add this:

# Define a few test classes. ensure => present with no source or content
# just creates an empty file; modes are quoted so the leading zero survives.
class testclass1 {
  file { "/tmp/test1":
    ensure => present,
    mode   => "0644",
    owner  => root,
    group  => root,
  }
}
class testclass2 {
  file { "/tmp/test2":
    ensure => present,
    mode   => "0700",
    owner  => nobody,
    group  => nobody,
  }
}

# Every node gets this file
node default {
  include testclass1
}

# This particular node is a little different. Node inheritance works in
# Puppet 2.x and 3.x but was removed in 4.0; use a class there instead.
node 'client.example.com' inherits default {
  include testclass2
}


Start the puppetmaster:

service puppetmaster start


## Configuring the Client

yum install puppet


Now edit /etc/sysconfig/puppet and uncomment these:

PUPPET_SERVER=puppet.example.com
PUPPET_LOG=/var/log/puppet/puppet.log


Run the agent once in the foreground so it generates its key and submits a certificate request to the master:

/etc/init.d/puppet once --verbose


Then tail /var/log/puppet/puppet.log; the request and its fingerprint show up like this:

Thu Apr 12 13:52:12 -0500 2012 Puppet (notice): Reopening log files
Thu Apr 12 13:52:12 -0500 2012 Puppet (info): Creating a new SSL key for client.example.com
Thu Apr 12 13:52:12 -0500 2012 Puppet (info): Caching certificate for ca
Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Creating a new SSL certificate request for client.example.com
Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Certificate Request fingerprint (md5): A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6


You now need to sign the request on the server. List pending requests and signed certificates (signed ones are prefixed with +) and compare the fingerprint against the one the agent logged before you sign; a request you did not verify hands that host a catalog, and everything in it:

[root@sauron manifests]# puppetca --list -a
client.example.com (A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6)
+ puppet.example.com (7A:78:B2:B8:78:F3:26:53:23:1C:6B:5D:E0:40:C6:06) (alt names: DNS:puppet, DNS:puppet.example.com)


[root@sauron manifests]# puppetca --sign client.example.com
notice: Signed certificate request for client.example.com
notice: Removing file Puppet::SSL::CertificateRequest client.example.com at '/var/lib/puppet/ssl/ca/requests/client.example.com.pem'
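
Comparing the fingerprint by eye is the step that gets skipped. The shell script below is an added example, not part of the original notes: it pulls the pending request's fingerprint out of puppetca --list -a output, compares it with the value copied from the agent's log, and only then runs puppetca --sign. The listing it parses is a constructed copy of the format shown above (2.7 wraps names in double quotes, which is handled); PUPPETCA is an assumed variable so the sign step can be pointed at echo or : while rehearsing.

```shell
#!/bin/sh
# Added example (not from the original notes): refuse to sign a CSR whose
# fingerprint does not match the one the agent printed in its own log.
# Assumes the `puppetca --list -a` layout shown above. PUPPETCA is an
# assumed knob so the sign step can be redirected while rehearsing.

PUPPETCA=${PUPPETCA:-puppetca}

# Constructed sample of `puppetca --list -a` output: one pending request and
# one already-signed certificate (the "+" prefix).
SAMPLE_LISTING='client.example.com (A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6)
+ puppet.example.com (7A:78:B2:B8:78:F3:26:53:23:1C:6B:5D:E0:40:C6:06) (alt names: DNS:puppet, DNS:puppet.example.com)'

# csr_fingerprint LISTING HOST
# Prints the fingerprint of HOST's *pending* request, nothing if there is none.
# Signed entries start with "+", so $1 is never the hostname for those.
csr_fingerprint() {
    printf '%s\n' "$1" | awk -v host="$2" '
        {
            name = $1; gsub(/"/, "", name)
            if (name == host) { fp = $2; gsub(/[()]/, "", fp); print fp; exit }
        }'
}

# verify_and_sign LISTING HOST EXPECTED_FP
# Signs HOST only when its pending request carries EXPECTED_FP.
# Returns 1, and signs nothing, on a missing request or a mismatch.
verify_and_sign() {
    listing=$1; host=$2; expected=$3
    actual=$(csr_fingerprint "$listing" "$host")
    if [ -z "$actual" ]; then
        echo "no pending request for $host" >&2
        return 1
    fi
    # Fingerprints are hex; compare case-insensitively.
    if [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" != \
         "$(printf '%s' "$expected" | tr 'a-f' 'A-F')" ]; then
        echo "fingerprint mismatch for $host: listed $actual, expected $expected" >&2
        return 1
    fi
    "$PUPPETCA" --sign "$host"
}

# Usage: paste the fingerprint from the agent's log as the third argument.
# verify_and_sign "$(puppetca --list -a)" client.example.com A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6
```

Run it as root on the master with the live listing in place of SAMPLE_LISTING; a mismatch or a name with no pending request returns 1 without touching the CA.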


All should be well, so start the puppet service and make sure it starts at boot (you could’ve done this with puppet!):

service puppet start
chkconfig --level 345 puppet on


## Setting up file services

Edit /etc/puppet/fileserver.conf and add a mount point. allow takes hostnames, domain globs or IP ranges, and every node that matches can read everything under the path, so keep secrets out of a broadly shared mount:

[files]
path /var/lib/puppet/files
allow 128.255.22.0/24


The [files] header is the mount point name that appears in puppet:///files/... URLs. Create a sample file under it (etc is a directory, nikhil.conf the file):

cd /var/lib/puppet/files
mkdir -p etc
echo "Testing" > etc/nikhil.conf


Now in the manifest, add this (note the comma after every attribute, and quote the mode):

file { "/etc/nikhil.conf":
  ensure => present,
  owner  => nobody,
  group  => root,
  # 0770 is group-writable; a real config file would normally be 0644 or 0640
  mode   => "0770",
  source => "puppet:///files/etc/nikhil.conf",
}


Kick the agent (or run puppet agent --test on the client) and the file appears on the client with the contents from the server.

Note carefully that

• With two slashes you name the master explicitly (e.g. puppet://master.tld/files/etc/nikhil.conf)
• With three slashes the agent uses whichever master it is talking to (e.g. puppet:///files/etc/nikhil.conf); prefer this so manifests do not hard-code a hostname

## Issues

### Versioning

The puppet client version should be equal to or lower than the server version. This one fact will save you a lot of trouble.

### Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

# ON CLIENT: Remove all keys
rm -rfv /var/lib/puppet/ssl/*

# ON CLIENT: Make sure that the user puppet can write to /var/lib/puppet/ssl/

# ON SERVER: Revoke all certificates signed for client
puppetca --revoke client.example.com
puppetca --clean client.example.com


Then try again. Should work.

### Could not retrieve catalog from remote server: getaddrinfo: Name or service not known

• The agent looks for a master named puppet unless told otherwise, so add a puppet alias to /etc/hosts (a DNS record is better), or
• Add server = puppetmaster.domain.tld to the [main] section of /etc/puppet/puppet.conf.

### Connection refused (2) when kicking puppet

Add listen = true to the [agent] section of the client’s /etc/puppet/puppet.conf (older configs call the section [puppetd]) and make sure the client’s auth.conf lets the master reach /run, as described under ‘Kicking’ a Puppet. See the Puppet Configuration Reference for other directives.

### Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST

This happens when the client runs a later version than the server, for example 2.6 on the server and 2.7 on the client. Downgrade the agent or upgrade the master.

### Could not retrieve catalog from remote server: certificate verify failed

Certificate validity is checked against the local clock, so make sure the time on server and client is in sync. Restart the NTP service and retry.

### puppet host “is already running”

Issue with 2.6.18-274 kernels on CentOS 5. Update to a 2.6.18-300 or later kernel and reboot.

## Tweaks et al

### Autosign Certificate requests

Add this to the bottom of /etc/puppet/puppet.conf on the puppetmaster. It signs every request that arrives, so any host that can reach port 8140 gets a certificate; only do this on a network you already trust:

[master]
autosign = true


You can also create /etc/puppet/autosign.conf listing the names the master will sign without review. The master compares the CN in the request against these patterns, and the CN is whatever the requester chose to put in its CSR, so a domain glob is not a source check: any host that can reach port 8140 and names itself under example.com gets a certificate, and with it a catalog. Do not rely on an IP range line to narrow this down; the decision is made on the requested name, not on the connection. Sign by hand after checking fingerprints wherever the network is not already trusted.

*.example.com
10.212.8.0/24
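
To make the matching concrete, the script below is an added example and not part of the original notes or of Puppet. It applies the name patterns from an autosign.conf (a constructed copy of the one above) to a CN the way the master does, as a glob against the requested name, and skips IP/CIDR lines because they are not name patterns and cannot match a CN whatever else the server may do with them.

```shell
#!/bin/sh
# Added example (not from the original notes): what a basic autosign.conf
# actually decides on. The master matches the CN of the incoming CSR against
# each pattern; the CN is chosen by the requester. IP/CIDR lines are skipped
# here because they are not name patterns and cannot match a CN.

# Constructed copy of the autosign.conf shown above.
AUTOSIGN_CONF='# names the master signs without review
*.example.com
10.212.8.0/24'

# autosign_match CONF CN
# Prints the first pattern that matches CN and returns 0; returns 1 if none.
autosign_match() {
    conf=$1; cn=$2
    printf '%s\n' "$conf" | {
        while IFS= read -r line; do
            case "$line" in
                ''|'#'*) continue ;;      # blank or comment
                */*)     continue ;;      # IP range: never matches a name
            esac
            # $line is deliberately unquoted so the shell treats it as a glob,
            # the same kind of match the master performs on the CN.
            case "$cn" in
                $line) printf '%s\n' "$line"; exit 0 ;;
            esac
        done
        exit 1
    }
}

# A host on the same network that picks a CN under example.com is signed
# exactly like a legitimate node; the CIDR line changes nothing.
# autosign_match "$AUTOSIGN_CONF" web01.example.com      -> *.example.com
# autosign_match "$AUTOSIGN_CONF" attacker.example.com   -> *.example.com
# autosign_match "$AUTOSIGN_CONF" 10.212.8.5             -> (no match)
```

The point of the third call is that even a CN that looks like an address inside 10.212.8.0/24 is not matched by that line; only the name glob ever says yes.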


### ‘Kicking’ a Puppet

When listen = true is set, the agent listens on port 8139 and the master triggers a run with an HTTP PUT to /run, which the client’s auth.conf must allow. Rules are checked in order and the first path that matches wins, so add this stanza, with allow set to the master’s certname (puppet.server.com is a placeholder), above the catch-all rule that ends the default file:

path /run
auth any
method save
allow puppet.server.com

# Must be above these lines! A stanza with no allow denies everyone.
path /
auth any

Restart the puppet daemon. Now kick it from the server:

puppet kick --host client.domain.tld


An exit status of 0 is good. puppet kick --all needs the LDAP node terminus to enumerate hosts; without LDAP, name them with repeated --host options.
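
The ordering rule is easy to get wrong and the failure is silent (the kick is simply refused). The script below is an added example, not part of the original notes or of Puppet: a small first-match evaluator for the path/method/allow stanzas of auth.conf, run over a constructed agent-side file in the recommended order and over the same stanzas swapped. It is a simplification, stated as such: auth and deny lines are ignored, allow entries are exact certnames, *, or *.domain globs, and regex paths (path ~ ...) are matched as awk regexes.

```shell
#!/bin/sh
# Added example (not from the original notes): a small first-match evaluator
# for the path/method/allow stanzas of auth.conf, enough to see why the /run
# rule has to sit above the catch-all. Simplifications, stated as such:
# `auth` and `deny` lines are ignored; allow entries are exact certnames,
# "*", or "*.domain" globs; "path ~ regex" paths are matched as regexes.

# Constructed agent-side auth.conf in the order the notes recommend.
AUTH_CONF='path /run
auth any
method save
allow puppet.example.com

path /
auth any'

# The same stanzas the wrong way round: the catch-all matches first.
AUTH_CONF_MISORDERED='path /
auth any

path /run
auth any
method save
allow puppet.example.com'

# auth_allowed CONF REQUEST_PATH METHOD CERTNAME
# Prints "allow <path>" or "deny <path>" for the first stanza whose path
# (prefix, or regex after "~") and method list cover the request; returns 0
# only when CERTNAME is in that stanza's allow list.
auth_allowed() {
    printf '%s\n' "$1" | awk -v reqpath="$2" -v method="$3" -v cert="$4" '
        function decide(   hit, re, n, a, i, pat, suf) {
            if (decided || path == "") return
            if (substr(path, 1, 1) == "~") { re = substr(path, 2); hit = (reqpath ~ re) }
            else hit = (index(reqpath, path) == 1)
            if (!hit) return
            # a stanza that does not list this method is skipped, not a deny
            if (methods != "" && index(" " methods " ", " " method " ") == 0) return
            n = split(allows, a, " ")
            for (i = 1; i <= n; i++) {
                pat = a[i]
                if (pat == "*" || pat == cert) { print "allow " path; decided = 1; status = 0; return }
                if (substr(pat, 1, 2) == "*.") {
                    suf = substr(pat, 2)
                    if (length(cert) > length(suf) && substr(cert, length(cert) - length(suf) + 1) == suf) {
                        print "allow " path; decided = 1; status = 0; return
                    }
                }
            }
            print "deny " path; decided = 1; status = 1
        }
        BEGIN { status = 1 }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        $1 == "path"   { decide(); path = ($2 == "~") ? ("~" $3) : $2; methods = ""; allows = ""; next }
        $1 == "method" { methods = ""; for (i = 2; i <= NF; i++) methods = methods " " $i; next }
        $1 == "allow"  { gsub(/,/, " "); for (i = 2; i <= NF; i++) allows = allows " " $i; next }
        END { decide(); if (!decided) print "deny (no matching rule)"; exit status }
    '
}

# A kick is a PUT (method save) from the master to /run/<agent certname>.
# auth_allowed "$AUTH_CONF" /run/client.example.com save puppet.example.com  -> allow /run
# auth_allowed "$AUTH_CONF" /run/client.example.com save rogue.example.com   -> deny /run
# auth_allowed "$AUTH_CONF_MISORDERED" /run/client.example.com save puppet.example.com -> deny /
```

With the stanzas swapped the catch-all path / is the first match for /run/..., it has no allow line, and the master is denied before the /run rule is ever reached; the real auth.conf behaves the same way, which is what the "must be above" comment is about.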

### Debugging the Client

service puppet stop
puppet agent --listen --debug --no-daemonize --verbose


To check a manifest for syntax errors before the master serves it:

puppet --parseonly manifest.pp


In 2.7 and later the same check is puppet parser validate manifest.pp.