Joni Junni

Installing PuppetMaster and configuring client-server setup on Debian 7

Categories: [school]
Tags: [linux], [puppet], [puppetmaster], [linux-centralized-management-course]

I started by creating three clones of my default Debian VM in VMware Fusion. I named them debian1-master, debian1 and debian2. Debian1-master will be the master server with Puppetmaster and the two others will be client machines.

Setting up name resolving

Because there is no functional DNS server on my network, I will be using Avahi to get the VMs to resolve each other by hostname. The VMs need to find each other by name, because Puppet uses those names to check the identity of the clients. I did the following steps on every machine:

  1. sudo hostname "machine name" (debian1-master, debian1, debian2)
  2. sudo nano /etc/hostname
  3. sudo nano /etc/hosts
  4. sudo apt-get install avahi-utils
  5. sudo shutdown -r now

After these steps, I tested with ping that the master server would see the client machines:

ping debian1.local
ping debian2.local

[Screenshot: puppetmaster-ping]

I also tested that the client machines would see the master server:

[Screenshot: debian1-pinging-master]

[Screenshot: debian2-pinging-master]

Installing Puppetmaster

On the master server I installed Puppetmaster and configured it:

sudo apt-get install puppetmaster
sudo service puppetmaster stop
sudo rm -r /var/lib/puppet/ssl

The last line deletes the invalid certificates so that valid ones can be created. Next I added the dns_alt_names directive to the /etc/puppet/puppet.conf file as Tero’s tutorial suggests:

[Screenshot: puppet-conf-edit]

Then I just started the Puppetmaster:

sudo service puppetmaster start

Configuring client machines

On the client machines you need to install Puppet, configure it to connect to the server and set it to start automatically:

sudo apt-get install puppet
sudo nano /etc/puppet/puppet.conf

I added the following to the config file:

[agent]
server = debian1-master.local

[Screenshot: puppet-agent-config]

Then I edited the /etc/default/puppet file and changed START=no to START=yes:

[Screenshot: start-to-yes]

After making the configuration changes I restarted the Puppet agent:

sudo service puppet restart

Sign the client certificates

On the master server you need to sign the client machine certificates. This is how Puppet checks that the client machines are allowed to receive orders from the server. You can list the certificates waiting for approval on the master server with this command:

sudo puppet cert --list

You can sign or approve the certs with this command:

sudo puppet cert --sign "machine name"

[Screenshot: puppet-sign-certs]
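
Signing is the point where the master decides to trust a client, so the pending request should be checked against the client before it is approved. The following is an added example, not part of the original post: it compares the fingerprint listed by puppet cert --list on the master with the one read on the client itself using sudo puppet agent --fingerprint. The list format it parses, the shortened sample fingerprints and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a pending CSR's fingerprint before signing it.
# Assumed list formats:  "name" (SHA256) AA:BB:...   or   name (AA:BB:...)

# pending_fingerprint NAME
# Reads `puppet cert --list` output on stdin, prints NAME's fingerprint.
pending_fingerprint() {
    awk -v want="$1" '
    {
        name = $1
        gsub(/"/, "", name)
        if (name != want) next
        for (i = 2; i <= NF; i++) {
            f = $i
            gsub(/[()]/, "", f)
            # first field that looks like colon-separated hex bytes
            if (f ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/) {
                print toupper(f)
                exit
            }
        }
    }'
}

# csr_matches NAME EXPECTED_FINGERPRINT
# Succeeds only if NAME is pending and its fingerprint equals the expected
# one (case-insensitive). A missing request counts as a mismatch.
csr_matches() {
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    actual=$(pending_fingerprint "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample of `sudo puppet cert --list` output (shortened values).
SAMPLE_LIST='  "debian1.localdomain" (SHA256) 4F:1C:9A:00:7B:E2:55:D3
  "debian2.localdomain" (SHA256) A0:33:6D:F1:08:9C:42:BE'

# Constructed value standing in for what debian1 itself reports.
FP_DEBIAN1='4f:1c:9a:00:7b:e2:55:d3'

if printf '%s\n' "$SAMPLE_LIST" | csr_matches debian1.localdomain "$FP_DEBIAN1"; then
    echo "debian1.localdomain: fingerprint matches the client"
fi

# Real use on the master, with FP copied from the client's console:
#   sudo puppet cert --list | csr_matches debian1.localdomain "$FP" \
#       && sudo puppet cert --sign debian1.localdomain
```

Read the expected fingerprint from the client's own console rather than over the network path being verified.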

Deploying a test module

Start by creating a module directory structure in the /etc/puppet/modules directory:

cd /etc/puppet/modules
sudo mkdir -p hellotest/manifests
sudo nano hellotest/manifests/init.pp

I wrote this to the init.pp file:

class hellotest {
        file {'/tmp/hellotest':
                content => "testing from master\n",
        }
}

After saving the module I created a new site.pp file that defines what the Puppetmaster should do to the environment:

sudo nano /etc/puppet/manifests/site.pp

I wrote this to the site.pp file:

class {'hellotest':}

This tells Puppetmaster to deploy the created hellotest module to all client machines.

After this I reloaded the Puppet agent on client machines, so they would fetch the new configuration from the master server:

sudo service puppet restart

The client machines should now have the /tmp/hellotest file created by the test module:

[Screenshot: hellotest-moduletest]

Configure nodes

To get the PuppetMaster to apply different modules to different clients, you need to use node definitions in the site.pp file. I edited the site.pp file to look like this:

node 'debian1.localdomain' {
        class {'install-apache':}
}

node 'debian2.localdomain' {
        class {'hellotest':}
}

(The install-apache module is a module that I made in an earlier post.)

After saving the configuration, I deleted the /tmp/hellotest file from both client machines to see if the node setting is working. Then I restarted the Puppet agent on both machines and tested whether the hellotest file was on the machines:

[Screenshot: hellotest-nodes]

Then I tested if Apache was only installed on the debian1 machine:

[Screenshot: apache-module-testing]

Conclusion

Puppetmaster is quite a complicated thing to set up, but it is very rewarding when the system works as intended.

I originally started to work on this assignment using Vagrant, but instead ended up using virtual machines on my local machine, as setting up a Vagrant environment took too much time and effort to get running smoothly.

Sources