Puppet Notes



On Server

yum install puppet-server

Now edit /etc/sysconfig/puppetmaster and uncomment these two lines:


The site-wide manifest is /etc/puppet/manifests/site.pp. Let’s add this:

# Define a few test classes
class testclass1 {
  file { "/tmp/test1":
    ensure => present,
    mode   => 644,
    owner  => root,
    group  => root
class testclass2 {
  file { "/tmp/test2":
    ensure => present,
    mode   => 700,
    owner  => nobody,
    group  => nobody

# Every node has this file
node default {
  include testclass1

# This particular node is a little different
node 'client.example.com' inherits default {
  include testclass2

Start the puppetmaster:

service puppetmaster start

Configuring the Client

yum install puppet

Now edit /etc/sysconfig/puppet and uncomment these:


Test your configuration by:

You now need to sign the SSL request on the server. See the list of SSL certificates:

[root@sauron manifests]# puppetca --list -a
  client.example.com (A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6)  
+ puppet.example.com (7A:78:B2:B8:78:F3:26:53:23:1C:6B:5D:E0:40:C6:06) (alt names: [DNS:puppet](DNS:puppet), [DNS:puppet.example.com](DNS:puppet.example.com))

A “+” sign indicates a signed certificate. Sign the request:

[root@sauron manifests]# puppetca --sign client.example.com
notice: Signed certificate request for client.example.com  
notice: Removing file Puppet::SSL::CertificateRequest client.example.com at '/var/lib/puppet/ssl/ca/requests/client.example.com.pem'

All should be well, so start the puppet service and make sure it starts at boot (you could’ve done this with puppet!):

service puppet start  
chkconfig --level 345 puppet on

Setting up file services

I edit /etc/puppet/fileserver.conf to add this:

 path /var/lib/puppet/files  

Note the [files] stub above. Created a sample file:

cd /var/lib/puppet/files  
mkdir -p etc/nikhil.conf  
echo "Testing" > etc/nikhil.conf

Now in the manifest, add this:

file { "/etc/nikhil.conf":  
    ensure => present,  
    owner => nobody,  
    group => root,  
    mode => 770  
    source => "puppet:///files/etc/nikhil.conf"  

You can kick the puppet to see the file created with the contents on the server.

Note carefully that



The puppet client version should be equal to or lower than the server version. This one fact will save you a lot of trouble.

Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

# ON CLIENT: Remove all keys  
rm -rfv /var/lib/puppet/ssl/*  
# ON CLIENT: Make sure that the user puppet can write to /var/lib/puppet/ssl/  
# ON SERVER: Revoke all certificates signed for client  
puppetca --revoke client.example.com  
puppetca --clean client.example.com

Then try again. Should work.

Could not retrieve catalog from remote server: getaddrinfo: Name or service not known

Connection refused (2) when kicking puppet

Add a listen = true to the client’s /etc/puppet/puppet.conf file. See the Puppet Configuration Reference for other directives.

Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST

This happens if the client runs a later version than the server. For example, 2.6 on the server and 2.7 on the client.

Could not retrieve catalog from remote server: certificate verify failed

Make sure that the time on both server and client are in sync. Restart the NTP service.

puppet host “is already running”

Issue with kernels. Update to some kernel and reboot.

Tweaks et al

Autosign Certificate requests

Add this to the bottom of /etc/puppet/puppet.conf on the puppetmaster:

  autosign = true

You can also, apparently, create /etc/puppet/autosign.conf and append the domain or CIDR for which the master will autosign.


‘Kicking’ a Puppet

Clients, by default, listen on port 8139. Set up /etc/puppet/auth.conf to have these lines:

path /run  
auth any  
method save  
allow puppet.server.com  
# Must be above these lines!  
path /  
auth any

Restart the puppet daemon. Now kick it from the server:

puppet kick --host client.domain.tld

An exit status of 0 is good. You can kick all clients, but will need a LDAP.

Debugging the Client

service puppet stop  
puppet agent --listen --debug --no-daemonize --verbose

Check your manifest syntax

puppet --parseonly manifest.pp