

Open Source Puppet Installation

Puppet, in the world of software configuration management, is a powerful tool designed to automate the management of multiple servers. It operates using a client-server architecture, where the Puppet agent plays a key role.

This guide will provide comprehensive instructions on installing Open Source Puppet versions 6, 7, and 8, covering the setup of repositories, agents and the Puppet server itself.

This guide includes specific commands for installation and setup, demonstrated for Red Hat and Ubuntu. If you're using different platforms, make sure to adjust these commands to suit your environment.


Puppet Versions

Before installing the Puppet agent or server, check the support status of the Puppet version you plan to use, to make sure it is not nearing, and has not already reached, end of life. The table below shows the current support status and end-of-life dates for the Puppet versions covered here:

Puppet Version    Supported    End of Life
6                              Feb 2023
7                              TBD
8                              TBD

Operating System Compatibility for Puppet Server

Checking compatibility between the operating system and Puppet Server is a key step before installation. Not every operating system is compatible with, or has been extensively tested against, each version of Puppet Server. The table below shows which operating systems are supported or have been confirmed to be compatible with each version of Puppet Server:

Operating System Puppet Server 6 Puppet Server 7 Puppet Server 8
Debian 9
Debian 10
Debian 11
Red Hat 6
Red Hat 7
Red Hat 8
Red Hat 9
Ubuntu 16.04
Ubuntu 18.04
Ubuntu 20.04
Ubuntu 22.04
SLES 12
SLES 15

Operating System Compatibility for Puppet Agent

To ensure a smooth installation of the Puppet Agent, it's important to check its compatibility with your operating system. The compatibility of software can vary, and not all operating systems may be supported or have been thoroughly tested with the specific version of Puppet Agent you intend to use. The following table offers detailed information on which operating systems are supported or have been tested for compatibility with different versions of Puppet Agent:

Operating System Puppet Agent 6 Puppet Agent 7 Puppet Agent 8
Debian 9
Debian 10
Debian 11
Fedora 34
Fedora 36
Red Hat 6
Red Hat 7
Red Hat 8
Red Hat 9
SLES 11
SLES 12
SLES 15
Ubuntu 18.04
Ubuntu 20.04
Ubuntu 22.04

Time Keeping

Timekeeping is a significant aspect of managing Puppet agents. Puppet, being a configuration management system, relies heavily on time-sensitive operations to ensure consistency and reliability across the managed infrastructure.

Puppet uses a certificate-based authentication system between the Puppet server and agents. These certificates have timestamps that indicate their validity period. If the system clocks are out of sync:

  • Agents might have issues fetching or renewing certificates.
  • Certificates might be considered invalid if the time is incorrect, leading to authentication failures.

To maintain accurate timekeeping, most systems use Network Time Protocol (NTP) services. It's advisable to configure all Puppet agents and the master server to synchronize their clocks with a reliable NTP server. This ensures that the entire Puppet-managed infrastructure operates with synchronized time, reducing the likelihood of the issues mentioned above.


Hostname Resolution

Using a CNAME (Canonical Name) record in DNS (Domain Name System) is a common approach to streamline the connection process between Puppet agents and a Puppet server. A CNAME record acts as an alias, redirecting traffic from a custom hostname to the Puppet server's actual hostname or IP address. This method is particularly beneficial in environments where the server's IP address may frequently change, or in scenarios where a more memorable or standardized hostname is preferred for the Puppet agents to connect to.

Here's a screenshot from my domain registrar, illustrating how a CNAME record is entered:

[Image: cname-record]

Another method to facilitate this connection is by adding an entry to the local /etc/hosts file on the Puppet agents, directing them to the Puppet server. This can be done using text editors like vi or nano. Alternatively, you can append the entry directly to the file using the following command:

echo '192.0.2.15 puppet' >> /etc/hosts

Puppet Repository

The Puppet repository serves as a centralized storage hub for Puppet software packages. It plays an important role in the downloading and updating processes of Puppet agents/servers and other Puppet-related software components. When setting up or updating Puppet on a system, this repository is accessed to fetch the necessary files, ensuring that you're working with the most current version of Puppet. The ease of installing and maintaining Puppet across various systems in your infrastructure is significantly enhanced by the availability of this repository.

To install the Puppet repository on your server, use the appropriate script below which automatically determines the supported version of OS running on your system and installs the corresponding Puppet repository:

# --- Puppet 6 on Red Hat ---
# Determine the major release version of the Red Hat server
release=$(grep '^VERSION_ID=' /etc/os-release | sed -E 's/.*="([0-9]+).*"/\1/')

# Install the Puppet repository
rpm -Uvh "https://yum.puppet.com/puppet6-release-el-$release.noarch.rpm"

# --- Puppet 6 on Ubuntu ---
# Identify the version codename of the Ubuntu server (value may or may not be quoted)
release=$(grep '^VERSION_CODENAME=' /etc/os-release | sed -E 's/.*="?([^"]*)"?/\1/')

# Download and install the Puppet repository
wget "https://apt.puppet.com/puppet6-release-$release.deb"
dpkg -i "puppet6-release-$release.deb"

# --- Puppet 7 on Red Hat ---
# Determine the major release version of the Red Hat server
release=$(grep '^VERSION_ID=' /etc/os-release | sed -E 's/.*="([0-9]+).*"/\1/')

# Install the Puppet repository
rpm -Uvh "https://yum.puppet.com/puppet7-release-el-$release.noarch.rpm"

# --- Puppet 7 on Ubuntu ---
# Identify the version codename of the Ubuntu server (value may or may not be quoted)
release=$(grep '^VERSION_CODENAME=' /etc/os-release | sed -E 's/.*="?([^"]*)"?/\1/')

# Download and install the Puppet repository
wget "https://apt.puppet.com/puppet7-release-$release.deb"
dpkg -i "puppet7-release-$release.deb"

# --- Puppet 8 on Red Hat ---
# Determine the major release version of the Red Hat server
release=$(grep '^VERSION_ID=' /etc/os-release | sed -E 's/.*="([0-9]+).*"/\1/')

# Install the Puppet repository
rpm -Uvh "https://yum.puppet.com/puppet8-release-el-$release.noarch.rpm"

# --- Puppet 8 on Ubuntu ---
# Identify the version codename of the Ubuntu server (value may or may not be quoted)
release=$(grep '^VERSION_CODENAME=' /etc/os-release | sed -E 's/.*="?([^"]*)"?/\1/')

# Download and install the Puppet repository
wget "https://apt.puppet.com/puppet8-release-$release.deb"
dpkg -i "puppet8-release-$release.deb"

Puppet Server

After setting up the Puppet repository on your Puppet server, the next step is to install the Puppet Server itself. The Puppet Server is a key component in the Puppet architecture, acting as the central authority for configuration management in your infrastructure. It compiles and stores configuration catalogs for each client (or Puppet agent) and serves them accordingly.

To install the Puppet Server, use the appropriate commands below for the version of OS you are running:

Installing the puppetserver package automatically installs the puppet-agent package.

# Red Hat
yum -y install puppetserver

# Ubuntu
apt update
apt-get install puppetserver -y

PATH variable

When the Puppet server is installed, the profile script /etc/profile.d/puppet-agent.sh is added to the server. This ensures that /opt/puppetlabs/bin is added to your PATH variable at login. To update the PATH variable for the current session, run:

source /etc/profile.d/puppet-agent.sh

Configuring Firewall for Puppet Server

Managing the firewall is important for securing your Puppet Server. The Puppet Server uses TCP port 8140, and this port must be open for communication with Puppet agents.

If you are using firewalls locally on your servers, then to allow Puppet agents to communicate with the Puppet server, run the required firewall command below:

# --- iptables ---
# Add firewall rule
iptables -I INPUT -p tcp -m tcp --dport 8140 -j ACCEPT

# Make rule persistent across reboots
service iptables save

# --- firewalld ---
# Add firewall rule
firewall-cmd --add-service=puppetmaster

# Make rule persistent across reboots
firewall-cmd --add-service=puppetmaster --permanent

# --- ufw ---
# Add firewall rule and make rule persistent across reboots
ufw allow 8140/tcp

Puppet Services

It is important that the Puppet server and agent services are enabled to start on boot. It is also important to ensure the service is started manually following install.

To enable & start the puppet services, run:

# --- systemd ---
# Enable and start Puppet services
systemctl enable puppetserver puppet --now

# --- SysV init ---
# Enable puppet server service
chkconfig puppetserver on

# Enable puppet agent service
chkconfig puppet on

# Start puppetserver service
service puppetserver start

# Start puppet agent service
service puppet start

Certificates

In Puppet, it's important to note that even on the Puppet server, a Puppet agent is still operational. These agents rely on certificates to establish secure authentication with the Puppet server (in this case, the server itself). A new certificate is generated either when the Puppet service starts or during the first execution of puppet agent -t.

For these Puppet Agent certificates to be valid, they must be signed on the Puppet Server. The process begins by listing the pending certificates using the command:

puppetserver ca list

From the output, identify your server's certificate name, which is typically the Fully Qualified Domain Name (FQDN) of your server. Once located, you can sign the certificate using the following command. Signing the certificate effectively grants approval for the agent to gather and apply configurations:

puppetserver ca sign --certname '<certificate name>'

This process ensures secure communication and operation between the Puppet agent and the Puppet server.

Post Install Test

To ensure the Puppet server was installed successfully you will want to perform a Puppet agent run using the below command:

puppet agent -t

The output should display the message Notice: Applied catalog in n.nn seconds. This indicates that Puppet is functioning properly and operating as expected.


Puppet Agent

Follow this section only on your Puppet agent nodes. On your Puppet server, the agent is installed automatically as part of the Puppet server software install.

After setting up the Puppet repository on your client nodes, the next step is to install the Puppet agent itself. The Puppet agent is responsible for pulling configuration information from the Puppet server to ensure the client configuration matches the desired state as defined in the code.

To install the Puppet agent, run:

# --- Red Hat ---
# Install Puppet agent
yum -y install puppet-agent

# --- Ubuntu ---
# Update list of available packages
apt update

# Install Puppet agent
apt-get install puppet-agent -y

Agent PATH Variable

When the Puppet server is installed, the profile script /etc/profile.d/puppet-agent.sh is added to the server. This ensures that /opt/puppetlabs/bin is added to your PATH variable at login, which ensures you can use the newly installed Puppet commands. To update the PATH variable for the current session, run:

source /etc/profile.d/puppet-agent.sh

Agent Service

It is important that the Puppet agent services are enabled to start on boot as this ensures Puppet is up and running following reboots, unexpected or planned. It is also important to ensure the service is started manually following install.

To enable & start the Puppet agent service, run:

# --- systemd ---
# Enable and start Puppet agent service
systemctl enable puppet --now

# --- SysV init ---
# Enable Puppet agent service
chkconfig puppet on

# Start Puppet agent service
service puppet start

Agent Certificates

Certificates play a vital role in the Puppet agents' ecosystem. They are essential for securely authenticating each agent with the Puppet server. This secure authentication is a cornerstone for ensuring that all communication and configuration management tasks are executed exclusively by authorized devices within the network. The generation of a certificate occurs either at the initiation of the puppet service or during the initial run of the command puppet agent -t.

To validate and activate these certificates, a signing process is required on the Puppet Server. To initiate this process, you need to log onto your Puppet server. Begin by verifying the presence of your certificate with the following command:

puppetserver ca list

This command will display a list of all pending certificates. From this list, identify the name of your server's certificate, which is usually represented by the server's Fully Qualified Domain Name (FQDN). Once identified, proceed to sign the certificate using the command below:

puppetserver ca sign --certname '<certificate name>'

This action will sign the certificate, thereby authorizing the corresponding Puppet agent to engage in secure communications and configuration management with the Puppet server. This step is fundamental in establishing a trusted network of devices managed by Puppet.
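Signing is the trust decision in both the Certificates and Agent Certificates steps, so it helps to confirm that the pending request is the one the agent actually generated before approving it. The script below is an added example, not part of the original guide: it compares the fingerprint read on the agent (for example with puppet agent --fingerprint) against the one shown by puppetserver ca list, and only then prints the sign command. The certnames, the shortened fingerprints and the sample listing are constructed, and the parser assumes rows of the form "certname (SHA256) fingerprint".

```shell
#!/bin/sh
# Added example: check a pending CSR's fingerprint against the value reported
# by the agent before signing. All names and fingerprints are constructed
# (and shortened; a real SHA256 fingerprint has 32 colon-separated bytes).

# Assumed row layout of `puppetserver ca list`:
#     <certname>   (SHA256)  <fingerprint>
SAMPLE_CA_LIST='Requested Certificates:
    agent01.example.com       (SHA256)  A1:B2:C3:D4:E5:F6:07:18
    agent02.example.com       (SHA256)  0F:1E:2D:3C:4B:5A:69:78'

# Normalise a fingerprint: drop colons and whitespace, upper-case hex digits.
normalise_fp() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read a CA listing on stdin and print the fingerprint for exactly this
# certname (string comparison, so a prefix such as "agent0" never matches).
pending_fp() {
    awk -v name="$1" '($1 "") == (name "") && $2 == "(SHA256)" { print $3; exit }'
}

# $1 = certname, $2 = fingerprint obtained from the agent, $3 = CA listing.
# Returns 0 on match, 1 on mismatch, 2 if no such request is pending.
csr_matches() {
    listed=$(printf '%s\n' "$3" | pending_fp "$1")
    [ -n "$listed" ] || return 2
    [ "$(normalise_fp "$listed")" = "$(normalise_fp "$2")" ] || return 1
    return 0
}

# Prints the sign command instead of running it, so the example works offline.
# On a real server, pass "$(puppetserver ca list)" as the third argument.
sign_if_verified() {
    if csr_matches "$1" "$2" "$3"; then
        echo "fingerprint verified: puppetserver ca sign --certname '$1'"
    else
        echo "refusing to sign $1: request missing or fingerprint mismatch" >&2
        return 1
    fi
}

sign_if_verified agent01.example.com 'a1:b2:c3:d4:e5:f6:07:18' "$SAMPLE_CA_LIST"
```

The fingerprint from the agent should reach the operator over a channel other than the Puppet connection itself, such as the console session used to install the agent.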

Verifying Puppet Agent Installation

After installing the Puppet agent, it's important to verify that the installation was completed correctly. To do this, execute the following command in your terminal:

puppet agent -t

You should expect to see an output similar to the following:

Notice: Applied catalog in n.nn seconds

This message indicates that the Puppet agent has been installed successfully and is operating as expected.

Conclusion

This guide detailed the steps for installing Puppet repositories, server and agents, including all necessary prerequisites to establish secure communication between Puppet agents and the Puppet server.

