Puppet Notes
Revision as of Monday, 21 December 2015 at 02:30 UTC

Pre-Flight

On Server

 yum install puppet-server

Now edit /etc/sysconfig/puppetmaster and uncomment these two lines:

 PUPPETMASTER_MANIFEST=/etc/puppet/manifests/site.pp
 PUPPETMASTER_LOG=syslog

The site-wide manifest is /etc/puppet/manifests/site.pp. Let’s add
this:

  # Define a few test classes
  class testclass1 {
    file { "/tmp/test1":
      ensure => present,
      mode   => 644,
      owner  => root,
      group  => root
    }
  }
  class testclass2 {
    file { "/tmp/test2":
      ensure => present,
      mode   => 700,
      owner  => nobody,
      group  => nobody
    }
  }
  
  # Every node has this file
  node default {
    include testclass1
  }
  
  # This particular node is a little different
  node 'client.example.com' inherits default {
    include testclass2
  }

Start the puppetmaster:

 service puppetmaster start

Configuring the Client

 yum install puppet

Now edit /etc/sysconfig/puppet and uncomment these:

 PUPPET_SERVER=puppet.example.com
 PUPPET_LOG=/var/log/puppet/puppet.log

Test the configuration by running the agent once; its log should show the client creating a key and a certificate request:

 Thu Apr 12 13:52:12 -0500 2012 Puppet (notice): Reopening log files
 Thu Apr 12 13:52:12 -0500 2012 Puppet (info): Creating a new SSL key for client.example.com
 Thu Apr 12 13:52:12 -0500 2012 Puppet (info): Caching certificate for ca
 Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Creating a new SSL certificate request for client.example.com
 Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Certificate Request fingerprint (md5): A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6

You now need to sign the SSL request on the server. See the list of SSL
certificates:

 [root@sauron manifests]# puppetca --list -a
   client.example.com (A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6)
 + puppet.example.com (7A:78:B2:B8:78:F3:26:53:23:1C:6B:5D:E0:40:C6:06) (alt names: DNS:puppet, DNS:puppet.eng.uiowa.edu, DNS:puppet.example.com)

A “+” sign indicates a signed certificate. Sign the request:

 [root@sauron manifests]# puppetca --sign client.example.com

 notice: Signed certificate request for client.example.com
 notice: Removing file Puppet::SSL::CertificateRequest client.example.com at '/var/lib/puppet/ssl/ca/requests/client.example.com.pem'
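Before signing, it is worth comparing the fingerprint the client printed in its own log with the one puppetca lists on the server, so that a request from some other host claiming the same certname is not signed by mistake. The following shell helper is an added example, not part of the original notes; it parses constructed samples of the `puppetca --list -a` output and the client log line shown above, and `PUPPETCA` is an assumed override so the check can be exercised without a real puppetmaster.

```shell
#!/bin/sh
# Added example: verify a pending CSR fingerprint out of band before signing.

# Constructed sample of `puppetca --list -a` output (same shape as in the notes).
SAMPLE_LIST='  client.example.com (A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6)
+ puppet.example.com (7A:78:B2:B8:78:F3:26:53:23:1C:6B:5D:E0:40:C6:06) (alt names: DNS:puppet, DNS:puppet.example.com)'

# Constructed sample of the client-side agent log line carrying the fingerprint.
SAMPLE_CLIENT_LOG='Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Certificate Request fingerprint (md5): A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6'

# fingerprint_from_log LOGTEXT -> prints the fingerprint the client reported
fingerprint_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*Certificate Request fingerprint ([a-z0-9]*): \([0-9A-F:]*\).*/\1/p' |
        head -n 1
}

# pending_fingerprint LISTTEXT CERTNAME -> prints the fingerprint of the
# *unsigned* request for CERTNAME; lines starting with "+" are already signed
# and have "+" as their first field, so they never match.
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { gsub(/[()]/, "", $2); print $2; exit }'
}

# csr_matches LISTTEXT CERTNAME EXPECTED -> 0 if the pending request's
# fingerprint equals EXPECTED, 1 otherwise (no request, already signed, mismatch)
csr_matches() {
    actual=$(pending_fingerprint "$1" "$2")
    if [ -n "$actual" ] && [ "$actual" = "$3" ]; then
        return 0
    fi
    return 1
}

# sign_if_verified LISTTEXT CERTNAME EXPECTED -> runs puppetca --sign only when
# the fingerprint matches. In real use pass "$(puppetca --list -a)" as LISTTEXT;
# PUPPETCA (assumed, e.g. PUPPETCA=echo) substitutes the command for dry runs.
sign_if_verified() {
    if csr_matches "$1" "$2" "$3"; then
        ${PUPPETCA:-puppetca} --sign "$2"
    else
        echo "refusing to sign $2: fingerprint mismatch or no pending request" >&2
        return 1
    fi
}
```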

All should be well, so start the puppet service and make sure it starts
at boot (you could’ve done this with puppet!):

 service puppet start
 chkconfig --level 345 puppet on

Setting up file services

I edit /etc/puppet/fileserver.conf to add this:

 [files]
  path /var/lib/puppet/files
  allow 128.255.22.0/24

Note the [files] mount point above. Now create a sample file:

 cd /var/lib/puppet/files
 mkdir -p etc
 echo "Testing" > etc/nikhil.conf

Now in the manifest, add this:

 file { "/etc/nikhil.conf":
     ensure => present,
     owner  => nobody,
     group  => root,
     mode   => 770,
     source => "puppet:///files/etc/nikhil.conf"
 }

Kick the puppet client and the file will be created with the contents held
on the server.

Note carefully that

Issues

Versioning

The puppet client version should be equal to or lower than the server
version. This one fact will save you a lot of trouble.

Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

 # ON CLIENT: Remove all keys
 rm -rfv /var/lib/puppet/ssl/*
 
 # ON CLIENT: Make sure that the user puppet can write to /var/lib/puppet/ssl/
 
 # ON SERVER: Revoke all certificates signed for the client
 puppetca --revoke client.example.com
 puppetca --clean client.example.com

Then try again; it should work.

Could not retrieve catalog from remote server: getaddrinfo: Name or service not known

Connection refused (2) when kicking puppet

Add listen = true to the client’s /etc/puppet/puppet.conf file. See the
Puppet Configuration Reference for other directives.

Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST

This happens if the client runs a later version than the server. For
example, 2.6 on the server and 2.7 on the client.

Could not retrieve catalog from remote server: certificate verify failed

Make sure that the time on the server and the client is in sync. Restart
the NTP service.

puppet host “is already running”

Issue with 2.6.18.274 kernels. Update to some 2.6.18.300+ kernel and
reboot.

Tweaks et al

Autosign Certificate requests

Add this to the bottom of /etc/puppet/puppet.conf on the puppetmaster:

 [master]
   autosign = true

You can also, apparently, create /etc/puppet/autosign.conf and append
the domain or CIDR for which the master will autosign.

 *.example.com
 10.212.8.0/24

‘Kicking’ a Puppet

Clients, by default, listen on port 8139. Set up /etc/puppet/auth.conf
to have these lines:

 path /run
 auth any
 method save
 allow puppet.server.com
 
 # Must be above these lines!
 path /
 auth any

Restart the puppet daemon. Now kick it from the server:

 puppet kick --host client.domain.tld

An exit status of 0 is good. You can kick all clients at once, but that
requires LDAP.

Debugging the Client

 service puppet stop
 puppet agent --listen --debug --no-daemonize --verbose

Check your manifest syntax

 puppet --parseonly manifest.pp

Sources