This article explains how to install the Puppet server (also known as the PuppetMaster) and client on a Red Hat or CentOS server. Note that Puppet uses TCP ports 8140, 61613, and 443.
First add the Puppet repo on both the Puppet client and server systems. The following page lists the repository packages for each distribution.
https://docs.puppetlabs.com/guides/puppetlabs_package_repositories.html#for-red-hat-enterprise-linux-and-derivatives
On the Puppet master, run these commands:
yum install puppetserver -y
chkconfig puppetserver on
service puppetserver start
On the master, you should have the following directory structure. It may be different from what you see here:
/etc/puppet/
/etc/puppet/fileserver.conf
/etc/puppet/auth.conf
/etc/puppet/puppet.conf
/etc/puppet/manifests
And on the client:
The client must know where the Puppet master is. You can use the “/etc/hosts” file. Puppet does rely on good DNS:
# 1.2.3.4 is the puppet master server IP address
1.2.3.4 puppet puppet.agix.local
Install and start services on the client:
yum install puppet -y
chkconfig puppet on
service puppet start
Get the client to check-in with the server:
puppet agent --test
TIP: if you get errors that you simply can’t solve, try issuing the following commands to delete your certificates from the puppet client. It shouldn’t be necessary but sadly it often is. Also make sure that you tell the server to accept the puppet client’s certificate. That’s documented in the next section.
rm /var/lib/puppet/ssl/certificate_requests/*
rm /var/lib/puppet/ssl/certs/*
And you should run the following command:
puppet agent --test
On the server, issue the following command to accept the pending client certificate:
puppet cert sign client.example.com
If you get nothing from the above command, check the firewall(s), check the DNS and check that the Puppet Master is running.
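Signing a request makes the master trust whichever machine submitted it under that hostname, so compare fingerprints before signing. The following is an added example, not part of the original article: a shell wrapper for the master that signs a pending request only when its fingerprint in `puppet cert list` matches the one the agent printed when it created the request. It assumes both sides report the same digest type, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
# Usage on the master: sh sign-checked.sh <agent-fqdn> <fingerprint-from-agent>

# Pull the colon-separated hex fingerprint out of a line of Puppet output,
# upper-cased, whatever label ("(md5):", "(SHA256)") or bracket surrounds it.
extract_fp() {
    printf '%s\n' "$1" | grep -oE '([0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}' \
        | head -n 1 | tr 'a-f' 'A-F'
}

# pending_fp HOST: fingerprint of HOST's pending request on the master.
# The host name must match exactly, so client.example.com does not
# pick up the request for client.example.com.au.
pending_fp() {
    line=$(puppet cert list | awk -v host="$1" \
        '{ h = $1; gsub(/"/, "", h); if (h == host) { print; exit } }')
    extract_fp "$line"
}

# sign_if_match HOST AGENT_FP: sign only on an exact fingerprint match.
# Returns 2 when either fingerprint is missing, 1 on a mismatch.
sign_if_match() {
    host=$1
    want=$(extract_fp "$2")
    have=$(pending_fp "$host")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "no fingerprint available for $host; not signing" >&2
        return 2
    fi
    if [ "$want" != "$have" ]; then
        echo "fingerprint mismatch for $host; not signing" >&2
        return 1
    fi
    puppet cert sign "$host"
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    sign_if_match "$1" "$2"
fi
```

The second argument can be the whole "Certificate Request fingerprint" line copied from the agent's output; only the hex fingerprint is compared.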
At this point you have a working Puppet client and server. However, there is nothing for the Puppet Master to instruct the client to do. So let’s force the client to install the “nmap” program – as an example.
On the server, create the following directory if it doesn’t already exist:
mkdir /etc/puppet/manifests
Now create the manifest file “/etc/puppet/manifests/site.pp” and put the following into that file. TIP: make sure to use the FQDN of the client on the ‘node’ line.
node 'client.example.com' {
  include nmap
  include apache
}

class nmap {
  package { "nmap":
    ensure => "5.51",
  }
}

class apache {
  package { "httpd":
    ensure => "2.2.154",
  }
  service { "httpd":
    ensure => running,
    enable => true,
  }
}
Restart the master:
service puppetserver restart
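You can also install packages that require RPMs to be installed first:
class varnish {
  # Install the EPEL repository package first; skip it once it is present
  exec { "varnish-source":
    command => "/bin/rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm",
    unless  => "/bin/rpm -q epel-release",
  }
  # Only install varnish after the repository package is in place
  package { "varnish":
    ensure  => "3.0.4",
    require => Exec["varnish-source"],
  }
  service { "varnish":
    ensure  => running,
    enable  => true,
    require => Package["varnish"],
  }
}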
Because Puppet is so likely to fail because of the SSL side of things, I’ve included my commands below along with some errors and what I did about them:
[root@client ~]# nmap
-bash: nmap: command not found
[root@client ~]# puppet agent --test
Exiting; no certificate found and waitforcert is disabled
[root@client ~]# rm /var/lib/puppet/ssl/certificate_requests/*
[root@client ~]# rm /var/lib/puppet/ssl/certs/*
[root@client ~]# puppet agent --test
info: Caching certificate for ca
info: Creating a new SSL certificate request for client.example.com.au
info: Certificate Request fingerprint (md5): 40:D6:15:3A:72:96:D2:33:45:B3:5B:4B:8E:C1:A7:35
Exiting; no certificate found and waitforcert is disabled
And then on the puppet server:
[root@server]# puppet cert sign client.example.com.au
And back on the client:
[root@client ~]# puppet agent --test
info: Caching certificate for client.example.com.au
info: Caching certificate_revocation_list for ca
info: Caching catalog for client.example.com.au
info: Applying configuration version '1392031971'
err: /Stage[main]/Nmap/Package[nmap]/ensure: change from absent to 5.51 failed: Could not update: Failed to update to version 5.51, got version 5.51-3.el6 instead at /etc/puppet/manifests/site.pp:17
notice: Finished catalog run in 39.83 seconds
[root@client ~]# nmap -V
Nmap 5.51 ( http://nmap.org )