Configuration Automation & Centralized Management With Puppet on Ubuntu
Author: Kent Brede

Introduction

This is a step-by-step tutorial on how to install the server component of Puppet (puppetmaster) on one machine, and the Puppet client (puppetd) on another. We then perform a simple test to make sure Puppet is working properly.

If you're not familiar with Puppet, it's a configuration automation tool that allows you to centralize management of the various *nix flavors running on your network. Puppet supports central management of the important aspects of your systems, such as files, packages, users, services, cron, mounts, etc. For a more complete description visit Reductive Labs.

Background

This installation is performed on Ubuntu 6.06 LTS Server, but should work for most Debian/Ubuntu flavors with slight modification. At the time of this writing, current Puppet packages for Ubuntu can be found in Feisty. Look for current Debian packages in Unstable.

During this tutorial we'll be using example.com as our domain name. The server will be given the hostname "puppet" and IP 192.168.10.1. The client hostname is "pclient" with IP 192.168.10.2.

1. Network Requirements

If DNS isn't set up on your network, verify the hosts files on both server and client include entries for both machines. For this scenario the following entries would be added to /etc/hosts. Use your favorite text editor to add lines reflecting your own network settings similar to the lines below.

192.168.10.1 puppet.example.com puppet
192.168.10.2 pclient.example.com pclient

2. Apt Setup

Many of the packages we need are in the universe repository. If the following lines aren't uncommented in "sources.list," using your favorite text editor, find and uncomment them on the server.

puppet:# vim /etc/apt/sources.list

# deb http://us.archive.ubuntu.com/ubuntu/ dapper universe
# deb http://security.ubuntu.com/ubuntu dapper-security universe

Open "sources.list" and add the two lines that follow.

puppet:# vim /etc/apt/sources.list

deb http://us.archive.ubuntu.com/ubuntu/ feisty universe
deb http://security.ubuntu.com/ubuntu feisty-security universe

puppet:# apt-get update

** Perform the same steps above on "pclient." **

Next, let's configure apt to pull the packages we need for our Puppet setup from Feisty, but allow all other packages to come from the Dapper repository. Add the following lines to the "preferences" file.

On the server:

puppet:# vim /etc/apt/preferences

Package: *
Pin: release a=dapper
Pin-Priority: 700

Package: facter
Pin: release a=feisty
Pin-Priority: 500

Package: puppet
Pin: release a=feisty
Pin-Priority: 500

Package: puppetmaster
Pin: release a=feisty
Pin-Priority: 500

On the client:

pclient:# vim /etc/apt/preferences

Package: *
Pin: release a=dapper
Pin-Priority: 700

Package: facter
Pin: release a=feisty
Pin-Priority: 500

Package: puppet
Pin: release a=feisty
Pin-Priority: 500

3. Software Requirements

In preparation for our Puppet install we need a few libraries and packages installed on both the server and client. At the time of this writing, if this set isn't installed first, a dependency loop will ensue.

puppet:# apt-get install libopenssl-ruby rdoc irb1.8 libopenssl-ruby1.8 libreadline-ruby1.8 libruby1.8 rdoc1.8 ruby1.8

pclient:# apt-get install libopenssl-ruby rdoc irb1.8 libopenssl-ruby1.8 libreadline-ruby1.8 libruby1.8 rdoc1.8 ruby1.8

4. Client Install

Install Puppet and Facter from Feisty.

pclient:# apt-get -t feisty install facter puppet

5. Server Installation

Install Puppet, Facter and Puppetmaster. The post-install script will try to start the server and error out as presented. Don't worry about it. We'll create the manifest during step 6.

puppet:# apt-get -t feisty install facter puppet puppetmaster
.....

6. Server Preparation

The server (puppetmasterd) requires a manifest to be in place before it's able to run. Let's write a manifest that tells Puppet to create a file "/tmp/testfile" on the client.

puppet:# vim /etc/puppet/manifests/site.pp

# Create "/tmp/testfile" if it doesn't exist.
class test_class {
    file { "/tmp/testfile":
        ensure => present,
        mode => 644,
        owner => root,
        group => root
    }
}
# tell puppet on which client to run the class
node pclient {
    include test_class
}

puppet:# /etc/init.d/puppetmaster start

6. Client Preparation

Clients by default will connect to a server on your network with a hostname of "puppet." If your server's hostname isn't "puppet," a directive needs to be inserted into the puppetd configuration file "puppetd.conf." Even though we don't need to in this case, we'll do so for demonstration purposes. Open "/etc/puppet/puppetd.conf" with your favorite text editor and add "server = puppet.example.com" to the existing file as the example below indicates.

pclient:# vim /etc/puppet/puppetd.conf

[puppetd]
server = puppet.example.com
# Make sure all log messages are sent to the right directory
# This directory must be writable by the puppet user
logdir=/var/log/puppet
vardir=/var/lib/puppet
rundir=/var/run

7. Sign Keys

In order for the two systems to communicate securely we need to create signed SSL certificates. You should be logged into both the server and client machines for this next step.

On the client side, run:

pclient:# puppetd --server puppet.example.com --waitforcert 60 --test

You should see the following message.

err: No certificate; running with reduced functionality.

Next, on the server side, run the following command to verify the client is waiting for the cert to be signed.

puppet:# puppetca --list
pclient.example.com

Then sign the certificate.

puppet:# puppetca --sign pclient.example.com
Signed pclient.example.com

If everything went OK you should see this message on pclient.

info: Requesting certificate

8. Test

Check and make sure the file was created.

pclient:# ls -l /tmp/testfile
-rw-r--r-- 1 root root 0 2007-02-18 18:28 /tmp/testfile

For a test, let's edit the manifest and direct Puppet to modify the file mode. Change the line "mode => 644," to "mode => 600,".

puppet:# vim /etc/puppet/manifests/site.pp

# Create "/tmp/testfile" if it doesn't exist.
class test_class {
    file { "/tmp/testfile":
        ensure => present,
        mode => 600,
        owner => root,
        group => root
    }
}
# tell puppet on which client to run the class
node pclient {
    include test_class
}

pclient:# puppetd -v -o

You should see the following message, which states that /tmp/testfile changed from mode 644 to 600.

notice: Ignoring --listen on onetime run

To verify the work was completed properly:

pclient:# ls -l /tmp/testfile
-rw------- 1 root root 0 2007-02-18 18:28 /tmp/testfile

9. Conclusion

Congratulations, testing is complete and you have a working Puppet setup. Your next step is to create a functional manifest, test some more, and then fire up the puppetd daemon on the client side. Puppetd by default will automatically poll the server every 30 minutes.

pclient:# /etc/init.d/puppet start

For more information visit Reductive Labs. For friendly, knowledgeable help, join Puppet Users or drop by #puppet at irc.freenode.net.
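
For step 7 (Sign Keys), the names printed by "puppetca --list" come from whichever machines contacted the server, so it helps to compare them with the hosts you expect before signing. The script below is an added example, not part of the original tutorial; the EXPECTED_CLIENTS allowlist, the DRY_RUN switch and the sample names are hypothetical, and it assumes "puppetca --list" prints one hostname per line as shown in step 7.

```shell
#!/bin/sh
# Added example (not from the tutorial): hold back unexpected certificate requests.
# Assumption: "puppetca --list" prints one pending hostname per line, as in step 7.

# Hypothetical allowlist of clients the administrator expects to enroll.
EXPECTED_CLIENTS="pclient.example.com"

# Read pending request names on stdin; print "sign NAME" or "hold NAME".
classify_requests() {
    while IFS= read -r name; do
        if [ -z "$name" ]; then continue; fi
        verdict=hold
        for ok in $EXPECTED_CLIENTS; do
            if [ "$name" = "$ok" ]; then verdict=sign; fi
        done
        printf '%s %s\n' "$verdict" "$name"
    done
}

# Sign only the allowlisted requests; everything else stays pending for review.
# Set DRY_RUN=0 on a real puppetmaster to execute the puppetca commands.
sign_expected() {
    puppetca --list | classify_requests | while read -r verdict name; do
        if [ "$verdict" = sign ]; then
            if [ "${DRY_RUN:-1}" = 0 ]; then puppetca --sign "$name"
            else echo "would run: puppetca --sign $name"; fi
        else
            echo "held for manual review: $name" >&2
        fi
    done
}

# Constructed sample of pending requests: the expected client, a look-alike
# name (.con instead of .com), and a host nobody asked to enroll.
SAMPLE_PENDING='pclient.example.com
pclient.example.con
db1.example.net'

demo() { printf '%s\n' "$SAMPLE_PENDING" | classify_requests; }
demo
```

Only the exact name in the allowlist is marked for signing; the look-alike and the unknown host are held.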

![Creative Commons Attribution-NonCommercial-ShareAlike 2.0 License [Creative Commons Attribution-NonCommercial-ShareAlike 2.0 License]](http://creativecommons.org/images/public/somerights20.gif)

