Install Puppet Master-Agent on CentOS 7

Puppet is a configuration management tool for Unix-like and Microsoft Windows systems. It is basically provisioning automation, i.e. the steps you want to perform on your freshly spawned virtual machine. Puppet uses a declarative language for specification, and these configuration declaration files are termed “Puppet manifests”. Puppet treats anything configurable as a “resource”, i.e. file, service, package, user, cron, etc. A Puppet manifest describes the resources and their required states. Puppet gets dynamic (i.e. OS-dependent) data using the Facter utility. For example, the Apache web server package is named ‘apache2’ on Ubuntu and ‘httpd’ on CentOS systems; Puppet allows variables in a manifest (.pp file) to get such info on the fly and set the right installation command.

If the term configuration management doesn’t make you feel like a noob, you can skip the following 2 posts and jump right to the Puppet Master-Agent installation section.

1. Pre-installation tasks

Before setting up any Puppet Agent nodes, we need to perform some pre-installation steps and have the Puppet Server ready.
Disable SELinux
sudo setenforce 0
The above command turns off SELinux enforcement (permissive mode) for the current session, i.e. until the next reboot. To disable it permanently, set SELINUX=disabled in the /etc/selinux/config file.
Stop firewalld
Agents must be able to connect to the master node on port 8140.
sudo systemctl stop firewalld
Resolve hostnames
Set the hostnames now, as changing them later would most probably break the installation.
Setting Puppet server hostname
Setting it to puppet is helpful, as the Puppet master-agent installation expects it to be puppet by default, which saves us some trivial troubleshooting.
# hostnamectl set-hostname puppet
# hostname -s
Setting Puppet agent hostname
# hostnamectl set-hostname puppet-agent1
# hostname -s
Adding Puppet Master in /etc/hosts
All the nodes (Puppet server and agents) must have a unique hostname. Forward and reverse DNS must both be configured correctly; the simple way is to add the Puppet server on each of the Puppet agents you’ll be installing. On CentOS you need to write it in the /etc/hosts file on each node. The format for adding a host is IP_address host_name aliases. Using a file editor of your choice, e.g. gedit, vi or vim, add the following line to your /etc/hosts file: puppet puppet-master
Test the network
ping or ping puppet
The output of the above-mentioned preliminary tasks/commands on the Puppet agent:
[nahmed@puppet-agent1 ~]$ sudo setenforce 0
[nahmed@puppet-agent1 ~]$ sudo systemctl stop firewalld
[nahmed@puppet-agent1 ~]$ hostnamectl set-hostname puppet-agent1
[nahmed@puppet-agent1 ~]$  ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet  netmask  broadcast
inet6 fe80::20c:29ff:fed8:4cf9  prefixlen 64  scopeid 0x20<link>
[nahmed@puppet-agent1 ~]$  ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.233 ms
64 bytes from icmp_seq=3 ttl=64 time=0.613 ms
[nahmed@puppet-agent1 ~]$  sudo vi /etc/hosts
[sudo] password for nahmed:
[nahmed@puppet-agent1 ~]$ cat /etc/hosts
puppet puppet-master
localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[nahmed@puppet-agent1 ~]$  ping puppet
PING puppet ( 56(84) bytes of data.
64 bytes from puppet ( icmp_seq=1 ttl=64 time=0.235 ms
64 bytes from puppet ( icmp_seq=2 ttl=64 time=0.551 ms
Syncing time on all the nodes is important
The Puppet server’s time matters because it is the certificate authority for the Puppet agents: if the time on the Puppet server is wrong, it might issue agent certificates dated in the distant past or future, which other nodes will treat as expired. The recommended and widely used approach to keeping time synced is NTP.
Here’s a guide for installing NTP and syncing time across your nodes – Install and configure ntpd.
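For the "Stop firewalld" step above, an alternative that keeps firewalld running on the master and admits only the agent networks to port 8140. This is an added example, not part of the original post; the function name puppet_fw_rules and the sample addresses are assumptions. It prints the firewall-cmd commands for review and changes nothing by itself.

```shell
#!/bin/sh
# Added example (not from the original post): instead of stopping firewalld,
# allow only known agent networks to reach the Puppet master port.
PUPPET_PORT=8140

# puppet_fw_rules CIDR...
# Prints one firewalld rich rule per IPv4 source, then the reload command.
puppet_fw_rules() {
    [ "$#" -gt 0 ] || { echo "usage: puppet_fw_rules CIDR..." >&2; return 2; }
    for src in "$@"; do
        # Accept only a.b.c.d/len so no stray text ends up inside the rule.
        printf '%s\n' "$src" \
            | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
            || { echo "not an IPv4 CIDR: $src" >&2; return 1; }
    done
    for src in "$@"; do
        printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" \
            "$src" "$PUPPET_PORT"
    done
    echo "firewall-cmd --reload"
}

# Constructed sample input: RFC 5737 documentation addresses standing in
# for the real agent subnet and a single agent host.
puppet_fw_rules 192.0.2.0/24 198.51.100.7/32
```

Run the printed commands as root on the master once they look right; the `telnet puppet 8140` check later in this post should then succeed from an allowed agent with firewalld still active.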

2. Puppet Server

At this point you must have completed the pre-installation requirements, so let’s move to the real work: installing the Puppet server. As mentioned earlier, it’s good practice (also recommended) to install the Puppet server before setting up or installing any Puppet agent.
Add the Puppet repo
$ sudo rpm -Uvh
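The output (the NOKEY warning means rpm could not verify the package signature, because the signing key has not been imported):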
[nahmed@puppet ~]$  sudo rpm -Uvh
warning: /var/tmp/rpm-tmp.5HvpZd: Header V4 RSA/SHA512 Signature, key ID 4bd6ec30: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
1:puppetlabs-release-pc1-1.1.0-2.el################################# [100%]
Verify if the repo has been added
$ yum repolist | grep puppet
The output:
[nahmed@puppet ~]$  yum repolist | grep puppet
puppetlabs-pc1/x86_64      Puppet Labs PC1 Repository el 7 - x86_64
Install puppet server using yum
$ sudo  yum -y install puppetserver
The output:
[nahmed@puppet ~]$  sudo  yum -y install puppetserver
puppetserver.noarch 0:2.7.0-1.el7

Dependency Installed:
java-1.8.0-openjdk-headless.x86_64 1:
libyaml.x86_64 0:0.1.4-11.el7_0
lksctp-tools.x86_64 0:1.0.13-3.el7
puppet-agent.x86_64 0:1.8.0-1.el7
ruby.x86_64 0:
ruby-irb.noarch 0:
ruby-libs.x86_64 0:
rubygem-bigdecimal.x86_64 0:1.2.0-25.el7_1
rubygem-io-console.x86_64 0:0.4.2-25.el7_1
rubygem-json.x86_64 0:1.7.7-25.el7_1
rubygem-psych.x86_64 0:2.0.0-25.el7_1
rubygem-rdoc.noarch 0:4.0.0-25.el7_1
rubygems.noarch 0:2.0.14-25.el7_1

Dependency Updated:
tzdata-java.noarch 0:2016h-1.el7

Start and enable (to start on reboots) the Puppet Server
$ sudo systemctl start puppetserver
$ sudo systemctl enable puppetserver
The output:
[nahmed@puppet ~]$ sudo systemctl start puppetserver
[nahmed@puppet ~]$ sudo systemctl status puppetserver
puppetserver.service - puppetserver Service
Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; disabled)
Active: active (running) since Mon 2016-11-21 02:49:40 PST; 1min 53s ago
Process: 3511 ExecStart=/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver start (code=exited, status=0/SUCCESS)
Main PID: 3518 (java)
CGroup: /system.slice/puppetserver.service
└─3518 /usr/bin/java -Xms1g -Xmx1g -XX:MaxPermSize=256m -Djava.sec...

Nov 21 02:47:14 puppet systemd[1]: Starting puppetserver Service...
Nov 21 02:47:14 puppet puppetserver[3511]: OpenJDK 64-Bit Server VM warning:...0
Nov 21 02:49:40 puppet systemd[1]: Started puppetserver Service.
Hint: Some lines were ellipsized, use -l to show in full.
[nahmed@puppet ~]$ sudo systemctl enable puppetserver
ln -s '/usr/lib/systemd/system/puppetserver.service' '/etc/systemd/system/'

Memory Allocation for Puppetserver (Optional)

With the above steps your Puppet server will be up and waiting for Puppet agents to connect. One extra step I’d like to talk about is changing the memory allocation for the Puppet server.
The default allocated memory is 2GB of RAM, good enough for most of the use-cases. However, if you have some requirement to increase or decrease the memory allocation for your Puppet Server, you can do so by editing the config file.
Location of config file
  • /etc/sysconfig/puppetserver — RHEL
  • /etc/default/puppetserver — Debian
Open the config file using the editor of your choice. You’ll find the following line in it.
# Modify this if you'd like to change the memory allocation, enable JMX, etc
JAVA_ARGS="-Xms2g -Xmx2g"
The 2g part is where the memory allocation is defined, i.e. 2GB. For example, for 1GB of memory, the line will become JAVA_ARGS="-Xms1g -Xmx1g"; similarly, for 512MB, it’ll become JAVA_ARGS="-Xms512m -Xmx512m"
Restart the puppetserver service after making any changes to the config.
$ sudo systemctl restart puppetserver

3. Puppet Agent(s)

By now you must have the Puppet server installed and up, so you can proceed with the Puppet agent installation.
Note: Using the following steps you can set up as many Puppet agents as you want, i.e. execute the steps on each Puppet agent machine.
The installation is much like what you did for installing the Puppet server.
Add the Puppet repo
$ sudo rpm -Uvh
The output:
[nahmed@puppet-agent1 ~]$  sudo rpm -Uvh
warning: /var/tmp/rpm-tmp.AlTNZt: Header V4 RSA/SHA512 Signature, key ID 4bd6ec30: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
1:puppetlabs-release-pc1-1.1.0-2.el################################# [100%]
Verify if the repo has been added
$ yum repolist | grep puppet
The output:
[nahmed@localhost ~]$ yum repolist | grep puppet
puppetlabs-pc1/x86_64      Puppet Labs PC1 Repository el 7 - x86_64         102
Install puppet agent using yum
$ sudo  yum -y install puppet-agent
The output:
[nahmed@puppet-agent1 ~]$  sudo  yum -y install puppet-agent
Installing : puppet-agent-1.8.0-1.el7.x86_64                              1/1
Verifying  : puppet-agent-1.8.0-1.el7.x86_64                              1/1
Installed:
puppet-agent.x86_64 0:1.8.0-1.el7
Complete!
telnet Puppet Master for port 8140
This verifies that the Puppet master is listening on port 8140 and that a connection is possible from the Puppet agent.
[nahmed@puppet-agent1 ~]$ telnet puppet 8140
Connected to puppet.
Escape character is '^]'.
Connection closed by foreign host.
Start the puppet agent
$ sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
The output:
[nahmed@puppet-agent1 ~]$ sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}

Registering Puppet agent on the Puppet server

The very first time you start a Puppet agent, it’ll attempt to register itself with the Puppet master. It generates an SSL certificate and sends a certificate signing request (CSR) to the Puppet server, which is the certificate authority (CA). To sign the agent’s CSR we need to execute a command on the Puppet server. On the Puppet master, to check for any pending requests:
sudo /opt/puppetlabs/bin/puppet cert list
The output:
[nahmed@puppet ~]$ sudo /opt/puppetlabs/bin/puppet cert list
"puppet-agent1.localdomain" (SHA256) 46:C5:97:49:70:16:61:5C:08:B0:23:C0:A3:82:E6:AD:B0:3F:94:A0:60:39:CA:AE:A4:ED:5C:5D:D0:C9:6B:61
For signing, execute the following command, replacing <NAME> (which will be the FQDN of the Puppet agent) with the name you got when you ran the above cert list command:
sudo /opt/puppetlabs/bin/puppet cert sign <NAME>
The output:
[nahmed@puppet ~]$ sudo /opt/puppetlabs/bin/puppet cert --sign "puppet-agent1.localdomain"
Signing Certificate Request for:
"puppet-agent1.localdomain" (SHA256) 46:C5:97:49:70:16:61:5C:08:B0:23:C0:A3:82:E6:AD:B0:3F:94:A0:60:39:CA:AE:A4:ED:5C:5D:D0:C9:6B:61
Notice: Signed certificate request for puppet-agent1.localdomain
Notice: Removing file Puppet::SSL::CertificateRequest puppet-agent1.localdomain at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet-agent1.localdomain.pem'
In case you have multiple agents and want to sign their requests at once, execute the following command:
sudo /opt/puppetlabs/bin/puppet cert sign --all
The output:
[nahmed@puppet ~]$ sudo /opt/puppetlabs/bin/puppet cert list --all
+ "puppet.localdomain"        (SHA256) C4:9F:EF:B4:57:38:F6:C8:C5:81:C1:2A:A3:8F:9C:14:57:A9:B9:10:0D:6B:1A:70:28:9B:35:98:07:75:1D:0D (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet-agent1.localdomain" (SHA256) 83:C5:F5:8A:61:2C:70:C8:BA:C5:B8:6B:71:15:6B:69:14:7E:B7:46:D6:A9:45:FC:9B:E4:B6:C8:A4:A5:03:9E
Note: /opt/puppetlabs/ is basically the installation directory; you can verify it with the value of the INSTALL_DIR param in the /etc/sysconfig/puppetserver file.
Congrats! Your Puppet Master-agent deployment is ready. Once the Puppet master signs the request, the agent node will get listed, and the Puppet master can communicate with it, i.e. the Puppet agent can fetch and apply the configuration catalogs set or changed for it on the Puppet server. To add any other Puppet agent node, just execute the same set of commands you did for puppet-agent1, and sign the certificate from the Puppet Master.
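Because a signed certificate lets a node fetch catalogs from the master, it is worth checking each pending request against the fingerprint read on the agent itself (puppet agent --fingerprint) before signing, rather than signing everything with --all. The following is an added example, not part of the original post: check_csrs and the allowlist file format are assumptions, and it parses the `puppet cert list` line format shown above.

```shell
#!/bin/sh
# Added example, not from the original post: vet pending CSRs by fingerprint
# instead of signing everything with `puppet cert sign --all`.
# Usage on the master:
#   sudo /opt/puppetlabs/bin/puppet cert list | check_csrs ALLOWLIST
# ALLOWLIST (hypothetical format): "<certname> <SHA256 fingerprint>" per line.

check_csrs() {
    awk -v allow="$1" '
        BEGIN {
            # Load the expected certname -> fingerprint pairs.
            while ((getline line < allow) > 0) {
                n = split(line, f, " ")
                if (n >= 2 && f[1] !~ /^#/) want[f[1]] = toupper(f[2])
            }
        }
        /^[ \t]*[+-]/ { next }   # "+" signed, "-" revoked: not a pending request
        match($0, /"[^"]+"/) {
            name = substr($0, RSTART + 1, RLENGTH - 2)
            fp = ""
            for (i = 1; i < NF; i++) if ($i == "(SHA256)") fp = toupper($(i + 1))
            if (fp == "")              next
            if (!(name in want))       print "UNLISTED", name
            else if (want[name] != fp) print "MISMATCH", name
            else                       print "SIGN", name
        }'
}

# Constructed sample. FP_PAGE is the agent1 fingerprint printed in the
# `puppet cert list` output above; FP_A and FP_B are made up.
FP_PAGE="46:C5:97:49:70:16:61:5C:08:B0:23:C0:A3:82:E6:AD:B0:3F:94:A0:60:39:CA:AE:A4:ED:5C:5D:D0:C9:6B:61"
FP_A="AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA"
FP_B="BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB"

demo() {
    allow=$(mktemp)
    printf '%s\n' "puppet-agent1.localdomain $FP_PAGE" \
                  "puppet-agent2.localdomain $FP_A" > "$allow"
    printf '%s\n' "\"puppet-agent1.localdomain\" (SHA256) $FP_PAGE" \
                  "\"puppet-agent2.localdomain\" (SHA256) $FP_B" \
                  "\"db01.localdomain\" (SHA256) $FP_B" \
                  "+ \"puppet.localdomain\" (SHA256) $FP_A" | check_csrs "$allow"
    rm -f "$allow"
}
demo
```

Only the names reported as SIGN go to `puppet cert sign <NAME>`; a MISMATCH or UNLISTED request is one to investigate on the node that sent it before anything is signed.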

Writing Catalogs (Optional)

The purpose of this installation is to have a Puppet master-agent setup, so that you can manage your nodes/machines (Puppet agents) from a single point (i.e. the Puppet master). In Puppet’s lexicon the configuration files are called “manifests”. Puppet manifests have the *.pp extension. In a Puppet Master-agent setup, the master by default keeps manifests at /etc/puppetlabs/code/environments/production/manifests
Let’s create a placeholder file for now:
sudo touch /etc/puppetlabs/code/environments/production/manifests/puppet-agents.pp
Note that the main manifest is empty right now, so Puppet won’t perform any configuration on the agent nodes.
Manifest execution
The Puppet agents periodically check the manifest (every 30 minutes) at the Puppet server. During this check, the Puppet agent sends facts about itself to the master and pulls the manifest for it, i.e. the list of resources (service, file, etc.) and their desired states. The agent performs the necessary (Puppet provisioning) steps to keep itself on par with the manifest just pulled from the master. This cycle continues as long as the agent’s certificate is not revoked and the Puppet master is running and communicating with the agent nodes.
The typical interval for manifest syncing is 30 minutes. If we want to apply the desired changes on a particular agent node immediately, execute the following command on that agent node:
/opt/puppetlabs/bin/puppet agent --test
The output:
[nahmed@puppet-agent1 ~]$ puppet agent -t
Info: Caching certificate for puppet-agent1.localdomain
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for puppet-agent1.localdomain
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Notice: /File[/home/nahmed/.puppetlabs/opt/puppet/cache/facts.d]/mode: mode changed '0775' to '0755'
Info: Retrieving plugin
Info: Caching catalog for puppet-agent1.localdomain
Info: Applying configuration version '1479729237'
Info: Creating state file /home/nahmed/.puppetlabs/opt/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.03 seconds
