Puppet Notes Revision as of Sunday, 20 December 2015 at 19:56 UTC

Pre-Flight

The puppet server is puppet.example.com (CentOS 5.8 x64)
The puppet client is client.example.com (CentOS 6.2 x64)
Trying puppet 2.6+
The default ports are 8140 on server and 8139 on client; we
won’t be changing this.
See Tweaking Puppet (and
other notes) when
you’re finished here.

On Server

yum install puppet-server

Now edit /etc/sysconfig/puppetmaster and uncomment these two lines:

PUPPETMASTER_MANIFEST=/etc/puppet/manifests/site.pp
PUPPETMASTER_LOG=syslog

The site-wide manifest is /etc/puppet/manifests/site.pp. Let’s add
this:

  # Define a few test classes
  class testclass1 {
    file { "/tmp/test1":
      ensure => present,
      mode   => 644,
      owner  => root,
      group  => root
    }
  }
  class testclass2 {
    file { "/tmp/test2":
      ensure => present,
      mode   => 700,
      owner  => nobody,
      group  => nobody
    }
  }
  
  # Every node has this file
  node default {
    include testclass1
  }
  
  # This particular node is a little different
  node 'client.example.com' inherits default {
    include testclass2
  }

Start the puppetmaster:

service puppetmaster start

Configuring the Client

yum install puppet

Now edit /etc/sysconfig/puppet and uncomment these:

PUPPET_SERVER=puppet.example.com
PUPPET_LOG=/var/log/puppet/puppet.log

Test your configuration by:

Running /etc/init.d/puppet once --verbose
Then tailing /var/log/puppet/puppet.log

Thu Apr 12 13:52:12 -0500 2012 Puppet (notice): Reopening log files
Thu Apr 12 13:52:12 -0500 2012 Puppet (info): Creating a new SSL key for client.example.com
Thu Apr 12 13:52:12 -0500 2012 Puppet (info): Caching certificate for ca
Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Creating a new SSL certificate request for client.example.com
Thu Apr 12 13:52:13 -0500 2012 Puppet (info): Certificate Request fingerprint (md5): A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6

You now need to sign the SSL request on the server. See the list of SSL
certificates:

[root@sauron manifests]# puppetca --list -a
client.example.com (A8:FE:8B:19:A8:9F:23:4C:19:27:65:7F:98:4D:E2:E6)
+ puppet.example.com (7A:78:B2:B8:78:F3:26:53:23:1C:6B:5D:E0:40:C6:06) (alt names: DNS:puppet, DNS:puppet.eng.uiowa.edu, DNS:puppet.example.com)

A “+” sign indicates a signed certificate. Sign the request:

[root@sauron manifests]# puppetca --sign
client.example.com
notice: Signed certificate request for client.example.com
notice: Removing file Puppet::SSL::CertificateRequest client.example.com at '/var/lib/puppet/ssl/ca/requests/client.example.com.pem'

All should be well, so start the puppet service and make sure it starts
at boot (you could’ve done this with puppet!):

service puppet start
chkconfig --level 345 puppet on

Setting up file services

I edit /etc/puppet/fileserver.conf to add this:

[files]
path /var/lib/puppet/files
allow 128.255.22.0/24

Note the [files] stub above. Created a sample file:

cd /var/lib/puppet/files
mkdir -p etc/nikhil.conf
echo "Testing" > etc/nikhil.conf

Now in the manifest, add this:

file { "/etc/nikhil.conf":
     ensure => present,
     owner => nobody,
     group => root,
     mode => 770
     source => "puppet:///files/etc/nikhil.conf"
}

You can kick the puppet to see the file created with the contents on the
server.

Note carefully that

You’d have to specify the puppetmaster with two slashes (e.g.
puppet:'''//'''master.tld/files/nikhil.conf)
You could omit the master using three slashes (e.g.
puppet:'''///'''files/etc/nikhil.conf)

Issues

Versioning

The puppet client version should be equal to or lower than the server
version. This one fact will save you a lot of trouble.

Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

# ON CLIENT: Remove all keys
rm -rfv /var/lib/puppet/ssl/*

# ON CLIENT: Make sure that the user puppet can write to /var/lib/puppet/ssl/

# ON SERVER: Revoke all
certificates signed for client
puppetca --revoke client.example.com
puppetca --clean client.example.com

Then try again. Should work.

Could not retrieve catalog from remote server: getaddrinfo: Name or service not known

Add an alias for puppet to /etc/hosts (DNS is better)
Add a server = puppetmaster.domain.tld to
/etc/puppet/puppet.conf under the [main] section.

Connection refused (2) when kicking puppet

Add a listen = true to the client’s /etc/puppet/puppet.conf file.
See the Puppet Configuration
Reference
for other directives.

Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST

This happens if the client runs a later version than the server. For
example, 2.6 on the server and 2.7 on the client.

Could not retrieve catalog from remote server: certificate verify failed

Make sure that the time on both server and client are in sync. Restart
the NTP service.

puppet host “is already running”

Issue with 2.6.18.274
kernels. Update to some
2.6.18.300+ kernel and reboot.

Tweaks et al

Autosign Certificate requests

Add this to the bottom of /etc/puppet/puppet.conf on the puppetmaster:

[master]
autosign = true

You can also, apparently, create /etc/puppet/autosign.conf and append
the domain or CIDR for which the master will autosign.

*.example.com
10.212.8.0/24

‘Kicking’ a Puppet

Clients, by default, listen on port 8139. Set up /etc/puppet/auth.conf
to have these lines:

path /run
auth any
method save
allow puppet.server.com

# Must be above these lines!
path /
auth any

Restart the puppet daemon. Now kick it from the server:

puppet kick --host client.domain.tld

An exit status of 0 is good. You can kick all clients, but will need a
LDAP.

Debugging the Client

service puppet stop
puppet agent --listen --debug --no-daemonize --verbose

Check your manifest syntax

puppet --parseonly manifest.pp

Sources

Category:Installation Logs
Category:Nikhil’s Notes
Category:From a past sysadmin
life