PuppetMaster on Ubuntu 12.04

Control a whole network of computers from PuppetMaster.
Wikipedia uses puppet for servers, Google uses puppet for OSX laptops. With this article, you can use puppet with Ubuntu servers and desktops.

Prequisites

To follow this article, you should be fluent with command line, apt, sudo, installing and configuring daemons. You should have basic knowledge about public key encryption, client server -model and networking.
I assume you do the obvious stuff without mentioning: Setup and use SSH to connect to your hosts, as logging in and out of hosts is not listed here. Run ‘sudo apt-get update’ before other apt commands.
I tested with Ubuntu 12.04 LTS. If you want to use 10.04 LTS, you can find the new Puppet 2.7.x packages in backports. At least 20 persons have successfully installed PuppetMaster with this guide.

Conventions

We have two computers, hostnames master and slave. Prompt shows where the commands are given, eg. running ‘pwd’ on host master.

master$ pwd

Test connectivity

slave$ ping -c 1 master.local

If your master doesn’t answer, fix that first.
Feel free to use whatever hostnames you want. If you hosts are in the same local network, you can use Avahi/ZeroConf/Rendevouz to use hostname.local names. If your master has a public DNS name or a dynamic name, you can use that, too.
To use .local names, you might need to ‘sudo apt-get -y install avahi-utils’.

Install PuppetMaster

master$ sudo apt-get -y install puppetmaster

Regenerate Master Certificate

Let’s create PuppetMaster certificate with correct names. Clients will only accept certificate if it matches the DNS name they use for contacting the master.
To avoid using hackish “puppet in hosts” method, create a certificate with all names of master. First, remove the old certificate.
If you find ‘rm -r’ frightening, feel free to make backups of the folder or use ‘trash-put’ or ‘trash’ commands.

master$ sudo service puppetmaster stop
master$ sudo rm -r /var/lib/puppet/ssl

Add master’s name to config

master$ sudoedit /etc/puppet/puppet.conf

add these names under [master] heading

dns_alt_names = puppet, master.local, puppet.terokarvinen.com

Certificate is automatically generated when you start PuppetMaster

master$ sudo service puppetmaster start

You can verify certificate details with ‘sudo ls /var/lib/puppet/ssl/certs/’ and ‘sudo openssl x509 -in /var/lib/puppet/ssl/certs/puppet.terokarvinen.com.pem  -text|grep -i dns’. It should show all of your DNS names.

Connect from Slave

slave$ sudo apt-get -y install puppet
slave$ sudoedit /etc/puppet/puppet.conf

Add master DNS name under [agent] heading. Puppet will connect to server.

[agent]
server = master.local

Allow puppet slave (aka agent) to start

slave$ sudoedit /etc/default/puppet

Change to yes:

START=yes

If you have connected to master before, force slave certificate regeneration with ‘sudo service puppet stop’ and ‘sudo rm -r /var/lib/puppet/ssl’. The new slave certificate will be generated the next time puppet starts.
Start puppet agent

slave$ sudo service puppet restart

Slave should now connect to master.

Sign Slave Certificate on Master

master$ sudo puppet cert --list
master$ sudo puppet cert --sign slave.example.com

Of course, use the actual name of the slave you have chosen.

Create Site Manifest and a Module

Create site manifest, the config file that includes everyghing else:

master$ cd /etc/puppet
master$ sudo mkdir -p manifests/ modules/helloworld/manifests/
master$ sudoedit manifests/site.pp

Add just one line

include helloworld

Create a hello world module

master$ sudoedit modules/helloworld/manifests/init.pp

Write the module

class helloworld {
        file { '/tmp/helloFromMaster':
                content => "See you at http://terokarvinen.com/tag/puppet\n"
        }
}

Test & Enjoy

Puppet will automatically fetch configuration every now and then. Restarting (or usually, just reloading) the service will fetch and apply configuration immediately.

slave$ sudo service puppet restart

Congratulate yourself when you see the file from PuppetMaster

slave$ cat /tmp/helloFromMaster
See you at http://terokarvinen.com/tag/puppet

Administrivia

Tested on two instances of Xubuntu 12.04 LTS beta1 on Vagrant running on Xubuntu 12.04 LTS beta2. Also, at least 20 persons have successfully installed PuppetMaster with this tutorial.
Update: Fixed puppet.conf path on slave. About 20 persons successfully tested this guide. Update: ‘trash’ is now ‘trash-put’, but changed it to ‘rm’ for simplicity.

Next: Puppet Reading List >>

Posted in Uncategorized | Tagged , , , , , , | 17 Comments

17 Responses to PuppetMaster on Ubuntu 12.04

  1. Ville Kaitainen says:

    Notice when connecting from slave and editing puppet.conf, line “slave$ sudoedit /etc/puppet.conf” lacks puppet folder. Correct path “/etc/puppet/puppet.conf”

  2. Thank you, it works ^^
    Can you write another article like doing password change using Puppet?

  3. Thank you for the feedback!
    I’ll think about writing an article about changing passwords. In the meanwhile, have a look at
    http://docs.puppetlabs.com/references/2.7.0/type.html#user
    http://www.puppetcookbook.com/posts/managing-user-password-fails.html

  4. priya says:

    everything else worked but when running this command from slave “cat /tmp/helloFromMaster” it cannot find the file

  5. Tens of students and collegues have succesfully completed this tutorial, so the instructions are probably correct.
    You mention that the last step fails for you. This is often a symptom of following long instructions blindly, without tests. Try spliting your work into small parts (as small as possible) and testing each part separately.

  6. Sean Esopenko says:

    Great example. It’s terse and gives just enough information to get an agent connected to a master. Just what I needed!

  7. Thank you, I’m very happy to hear that.
    Updated: wording.

  8. How to Change Hostname in Linux
    $ sudoedit /etc/hostname
    $ cat /etc/hostname
    teromachine
    $ sudo hostname teromachine
    $ sudoedit /etc/hosts
    $ grep teromachine /etc/hosts
    127.0.0.1 localhost teromachine
    $ sudo service avahi-daemon restart
    Test
    $ hostname
    teromachine
    $ avahi-browse -at |grep teromachine
    + eth0 IPv6 co [73:88:f0:od:73:88] Workstation local
    $ ping -c1 teromachine.local
    1 packets transmitted, 1 received, 0% packet loss, time 0ms

  9. # -*- mode: ruby -*-
    # vi: set ft=ruby :
    # Virtual hosts for testing puppet slaves
    # http://terokarvinen.com/2012/puppetmaster-on-ubuntu-12-04
    # Copyright 2013 Tero Karvinen http://TeroKarvinen.com
    Vagrant::Config.run do |config|
    config.vm.box = “precise32.box”
    config.vm.box_url = “http://files.vagrantup.com/precise32.box”
    config.vm.network :bridged
    # config.vm.forward_port 80, 8080
    end

  10. Puppet Agent (Slave) Debug Log
    slave$ sudo puppet agent –test –verbose –debug –noop

  11. On Ubuntu 16.04 LTS xenial, you enable puppet agent (slave) with

    $ sudo puppet agent --enable

    In Xenial, /etc/default/puppet does not exist and you don’t need to create it.
    Using ‘sudo puppet agent –enable’ is advised in /var/log/syslog: “Skipping run of Puppet configuration client; administratively disabled (Reason: ‘Disabled by default on new or unconfigured old installations’);” and “Use ‘puppet agent –enable’ to re-enable.”. After ‘sudo puppet agent –enable’ and ‘sudo service puppet restart’, puppet agent starts normally, and syslog shows “Finished catalog run in 0.05 seconds”.

  12. Change hostname in Ubuntu 16.04:
    $ sudo hostnamectl set-hostname tero
    $ sudoedit /etc/hosts
    $ head -2 /etc/hosts
    127.0.0.1 localhost
    127.0.1.1 xubuntu tero
    $ sudo service avahi-daemon restart

  13. Nikolai Kleiman says:

    include does not work, class {“helloworld”:} should be used instead

  14. It seems that puppet 3.8.5 that comes with Ubuntu 16.04 doesn’t have puppet (agent/slave) service. But you can create a cronjob by hand. This example cronjob runs every minute. You can change the minute setting to every 15 minutes on production.

    $ sudo service puppet start
    Failed to start puppet.service: Unit puppet.service not found.
    $ cat /etc/cron.d/puppet
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    #M H d m dow user command
    * * * * * root puppet agent -t >/dev/null
    $ sudo service cron restart

  15. It seems that ‘sudo puppet service start’ is only failing in very specific conditions. In many cases, using cron.d/ is not required.
    If you need to play with cron, see ‘man 5 crontab’ for explanation of the syntax.