An Introduction To Puppet
What is Puppet ?
======================
Puppet is software used for system automation and management. It manages your servers: you describe machine configurations in an easy-to-read declarative language, and Puppet brings your systems into the desired state and keeps them there. Before talking more about Puppet I want to refresh your thoughts about automation. The product is owned by Puppet Labs Inc., the leader in IT automation.
What is Automation ?
======================
System automation is the use or introduction of automatic configurations, scripts or other processes to perform daily tasks automatically.
Why Automation ?
======================
Speed: it helps us complete tasks in less time
Consistency: it avoids the human errors that can occur during repetition
Ease: free from hazards, and it avoids the boredom of repetition
What to Automate ?
======================
Since server infrastructure has a certain complexity and holds valuable data, it would not be a wise decision to choose the wrong thing to automate. So we have to consider a few things before starting with automation.
Installing Puppet: Red Hat Enterprise Linux (and Derivatives)
Step 1: Enable Dependencies (RHEL Only)
Step 2: Enable the Puppet Package Repository
Optionally: Enable Prereleases
Step 3: Install Puppet on the Puppet Master Server
Upgrading
Step 4: Install Puppet on Agent Nodes
Upgrading
Step 1: Enable Dependencies (RHEL Only)
Note: Make sure your server has internet access so it can fetch the repository directly from the internet.
To enable the repository, run the command below that corresponds to your OS version:
Enterprise Linux 7
$ sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Enterprise Linux 6
$ sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
Enterprise Linux 5
$ sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-5.noarch.rpm
Example :
[root@ip-10-38-18-93 ~]# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Retrieving https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Preparing... ################################# [100%]
Updating / installing...
1:puppetlabs-release-22.0-2 ################################# [100%]
OR
Step 2: Enable the Puppet Package Repository
Optionally: Enable Prereleases
[root@ip-10-38-18-93 ~]# vi /etc/yum.repos.d/puppetlabs.repo
[puppetlabs-devel]
name=Puppet Labs Devel <%= @dist.capitalize -%> <%= @version -%> - $basearch
baseurl=https://yum.puppetlabs.com/<%= @dist.downcase -%>/<%= @codename -%>/devel/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=1
Step 3: Install Puppet on the Puppet Master Server
On your Puppet masters, run:
[root@ip-10-38-18-93 ~]# yum install puppet-server
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
puppet-server noarch 3.8.7-1.el7 puppetlabs-products 22 k
Installing for dependencies:
augeas-libs x86_64 1.4.0-2.el7 rhui-REGION-rhel-server-releases 355 k
facter x86_64 1:2.4.6-1.el7 puppetlabs-products 98 k
hiera noarch 1.3.4-1.el7 puppetlabs-products 23 k
libselinux-ruby x86_64 2.5-6.el7 rhui-REGION-rhel-server-releases 120 k
puppet noarch 3.8.7-1.el7 puppetlabs-products 1.5 M
ruby x86_64 2.0.0.648-29.el7 rhui-REGION-rhel-server-releases 68 k
ruby-augeas x86_64 0.5.0-1.el7 rhui-REGION-rhel-server-rh-common 24 k
ruby-irb noarch 2.0.0.648-29.el7 rhui-REGION-rhel-server-releases 89 k
ruby-libs x86_64 2.0.0.648-29.el7 rhui-REGION-rhel-server-releases 2.8 M
ruby-shadow x86_64 1:2.2.0-2.el7 puppetlabs-deps 14 k
rubygem-bigdecimal x86_64 1.2.0-29.el7 rhui-REGION-rhel-server-releases 80 k
rubygem-io-console x86_64 0.4.2-29.el7 rhui-REGION-rhel-server-releases 51 k
rubygem-json x86_64 1.7.7-29.el7 rhui-REGION-rhel-server-releases 76 k
rubygem-psych x86_64 2.0.0-29.el7 rhui-REGION-rhel-server-releases 78 k
rubygem-rdoc noarch 4.0.0-29.el7 rhui-REGION-rhel-server-releases 319 k
rubygems noarch 2.0.14.1-29.el7 rhui-REGION-rhel-server-releases 216 k
Transaction Summary
================================================================================
Install 1 Package (+16 Dependent packages)
Total download size: 5.9 M
Installed size: 16 M
Is this ok [y/d/N]: y
Updated:
puppetserver.noarch 0:5.0.0.master-0.1SNAPSHOT.2017.04.17T1010.el7
Complete!
==========================================================================
sudo yum install puppet-server
This installs Puppet and an init script (/etc/init.d/puppetmaster) that runs a test-quality Puppet master server.
Upgrading
To upgrade a Puppet master to the latest version of Puppet 3, run:
sudo puppet resource package puppet-server ensure=latest
After upgrading, restart the Puppet master web server.
Step 4: Install Puppet on Agent Nodes
On your other nodes, run sudo yum install puppet. This will install Puppet and an init script (/etc/init.d/puppet) for running the puppet agent daemon.
Puppet Master and Agent Configuration:
Master - ip-10-38-18-93
Agent - ip-10-38-19-43
Firewall
The Puppet master listens on TCP port 8140; it needs to be open on the master's firewall, and the client must be able to route to and connect to the master.
#iptables -A INPUT -p tcp -m state --state NEW --dport 8140 -j ACCEPT
Configuring the master server
[root@ip-10-38-18-93 puppet]# ll
total 16
-rw-r--r--. 1 root root 4178 Apr 25 2016 auth.conf
drwxr-xr-x. 3 root root 25 Apr 19 10:23 environments
-rw-r--r--. 1 root root 1459 Apr 19 10:45 fileserver.conf
drwxr-xr-x. 2 root root 6 Apr 25 2016 manifests
drwxr-xr-x. 2 root root 6 Apr 25 2016 modules
-rw-r--r--. 1 root root 1701 Apr 19 10:43 puppet.conf
[root@ip-10-38-18-93 puppet]#
puppet.conf
==========
This file has three main sections:
1. [main] - global section used by all commands and services
2. [master] - used by the master service and the puppet cert command
3. [agent] - used by the puppet agent service
Example: based on my environment and needs
===============================================================
[root@ip-10-38-18-93 puppet]# vi puppet.conf
[main]
server = ip-10-38-18-93.eu-west-2.compute.internal
logdir = /var/log/puppet
rundir = /var/run/puppet
user = puppet
group = puppet
archive_files = true
archive_file_server = ip-10-38-18-93.eu-west-2.compute.internal
certname = ip-10-38-18-93.eu-west-2.compute.internal
[master]
certname = ip-10-38-18-93.eu-west-2.compute.internal
dns_alt_names = ip-10-38-18-93,ip-10-38-18-93.eu-west-2.compute.internal
ca_name = 'Puppet CA generated on ip-10-38-18-93.eu-west-2.compute.internal'
reports = http,puppetdb
reporturl = https://localhost:443/reports/upload
node_terminus = exec
external_nodes = /etc/puppetlabs/puppet-dashboard/external_node
ssl_client_header = SSL_CLIENT_S_DN
storeconfigs_backend = puppetdb
storeconfigs = true
autosign = true
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
report = true
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
graph = true
pluginsync = true
environment = production
========================================================================
auth.conf -
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#
### Authenticated ACLs - these rules apply only when the client
### has a valid certificate and is thus authenticated
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
fileserver.conf -
Puppet automatically serves files from the files directory of every module, and most users find this sufficient.
# If you need to serve files from a directory that is NOT in a module,
# you must create a static mount point in this file:
#
[extra_files]
path /etc/puppet/files
allow *
Now create a files directory:
[root@ip-10-38-18-93 puppet]# mkdir files
[root@ip-10-38-18-93 puppet]# ll
total 16
-rw-r--r--. 1 root root 4178 Apr 25 2016 auth.conf
drwxr-xr-x. 3 root root 25 Apr 19 10:23 environments
drwxr-xr-x. 2 root root 6 Apr 19 11:05 files
-rw-r--r--. 1 root root 1459 Apr 19 10:45 fileserver.conf
drwxr-xr-x. 2 root root 6 Apr 25 2016 manifests
drwxr-xr-x. 2 root root 6 Apr 25 2016 modules
-rw-r--r--. 1 root root 1452 Apr 19 10:54 puppet.conf
1. Start the Puppet master service
[root@ip-10-38-18-93 ~]# systemctl status puppet
● puppet.service - Puppet agent
Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@ip-10-38-18-93 ~]# systemctl status puppetmaster
● puppetmaster.service - Puppet master
Loaded: loaded (/usr/lib/systemd/system/puppetmaster.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2017-04-19 12:43:34 EDT; 2h 24min ago
Main PID: 743 (puppet)
CGroup: /system.slice/puppetmaster.service
└─743 /usr/bin/ruby /usr/bin/puppet master --no-daemonize
Apr 19 12:43:34 ip-10-38-18-93.eu-west-2.compute.internal systemd[1]: Started Puppet master.
Apr 19 12:43:34 ip-10-38-18-93.eu-west-2.compute.internal systemd[1]: Starting Puppet master...
Apr 19 12:43:38 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Starting Puppet master version 3.8.7
Apr 19 13:33:10 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: ip-10-38-18-43.eu-west-2.compute.internal has a waiting certificate request
Apr 19 13:33:10 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Signed certificate request for ip-10-38-18-43.eu-west-2.compute.internal
Apr 19 13:33:10 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Removing file Puppet::SSL::CertificateRequest ip-10-38-18-43.eu-west-2.compute....al.pem'
Apr 19 15:01:23 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Config file /etc/puppet/puppet.conf changed; triggering re-parse of all config files.
Apr 19 15:01:38 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Config file /etc/puppet/puppet.conf changed; triggering re-parse of all config files.
Apr 19 15:03:08 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Config file /etc/puppet/puppet.conf changed; triggering re-parse of all config files.
Apr 19 15:03:23 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Config file /etc/puppet/puppet.conf changed; triggering re-parse of all config files.
Hint: Some lines were ellipsized, use -l to show in full.
Note:
In Puppet Enterprise, the agent service is automatically configured and started; you don’t need to manually start it.
In open source Puppet, you can enable the service with:
sudo puppet resource service puppet ensure=running enable=true
[root@ip-10-38-18-93 ~]# systemctl status puppetmaster
● puppetmaster.service - Puppet master
Loaded: loaded (/usr/lib/systemd/system/puppetmaster.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-04-19 12:43:34 EDT; 2h 24min ago
Main PID: 743 (puppet)
CGroup: /system.slice/puppetmaster.service
└─743 /usr/bin/ruby /usr/bin/puppet master --no-daemonize
Apr 19 12:43:34 ip-10-38-18-93.eu-west-2.compute.internal systemd[1]: Started Puppet master.
Apr 19 12:43:34 ip-10-38-18-93.eu-west-2.compute.internal systemd[1]: Starting Puppet master...
Apr 19 12:43:38 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Starting Puppet master version 3.8.7
Apr 19 13:33:10 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: ip-10-38-18-43.eu-west-2.compute.internal has a waiting certificate request
Apr 19 13:33:10 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Signed certificate request for ip-10-38-18-43.eu-west-2.compute.internal
Apr 19 13:33:10 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Removing file Puppet::SSL::CertificateRequest ip-10-38-18-43.eu-west-2.compute....al.pem'
Apr 19 15:01:23 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Config file /etc/puppet/puppet.conf changed; triggering re-parse of all config files.
Apr 19 15:01:38 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Config file /etc/puppet/puppet.conf changed; triggering re-parse of all config files.
Apr 19 15:03:08 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Config file /etc/puppet/puppet.conf changed; triggering re-parse of all config files.
Apr 19 15:03:23 ip-10-38-18-93.eu-west-2.compute.internal puppet[743]: Notice: Config file /etc/puppet/puppet.conf changed; triggering re-parse of all config files.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ip-10-38-18-93 ~]# chkconfig puppetmaster on
Note: Forwarding request to 'systemctl enable puppetmaster.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/puppetmaster.service to /usr/lib/systemd/system/puppetmaster.service.
=====================================================================================================================
Configure Puppet Agent
1. Configure puppet repo on server
$ sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
[root@ip-10-38-18-43 ~]# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Retrieving https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Preparing... ################################# [100%]
Updating / installing...
1:puppetlabs-release-22.0-2 ################################# [100%]
[root@ip-10-38-18-43 ~]#
2. #yum install puppet
3. Check puppet agent status
[root@ip-10-38-18-43 ~]# service puppet start
Redirecting to /bin/systemctl start puppet.service
[root@ip-10-38-18-43 ~]# service puppet status
Redirecting to /bin/systemctl status puppet.service
● puppet.service - Puppet agent
Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2017-04-19 13:33:07 EDT; 5s ago
Main PID: 9481 (puppet)
CGroup: /system.slice/puppet.service
└─9481 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize
Apr 19 13:33:07 ip-10-38-18-43.eu-west-2.compute.internal systemd[1]: Started Puppet agent.
Apr 19 13:33:07 ip-10-38-18-43.eu-west-2.compute.internal systemd[1]: Starting Puppet agent...
Apr 19 13:33:10 ip-10-38-18-43.eu-west-2.compute.internal puppet-agent[9481]: Could not request certifi...
Hint: Some lines were ellipsized, use -l to show in full.
Note:
In Puppet Enterprise, the agent service is automatically configured and started; you don’t need to manually start it.
In open source Puppet, you can enable the service with:
sudo puppet resource service puppet ensure=running enable=true
[root@ip-10-38-18-43 ~]# puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/enable: enable changed 'false' to 'true'
service { 'puppet':
ensure => 'running',
enable => 'true',
}
[root@ip-10-38-18-43 ~]#
[root@ip-10-38-18-43 ~]# systemctl status puppet
● puppet.service - Puppet agent
Loaded: loaded (/usr/lib/systemd/system/puppet.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-04-19 15:04:56 EDT; 24min ago
Main PID: 18790 (puppet)
CGroup: /system.slice/puppet.service
└─18790 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/application/agent.rb:383:in `main'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/application/agent.rb:329:in `run_command'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `block (2 levels) in run'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:507:in `plugin_hook'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `block in run'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `run'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:146:in `run'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:92:in `execute'
Apr 19 15:04:57 ip-10-38-18-43.eu-west-2.compute.internal puppet[18790]: from /usr/bin/puppet:8:in `<main>'
How to regenerate the certificate on the master
1. Back up the /etc/puppetlabs/puppet/ssl/ directory.
2. Stop the Puppet agent service with
sudo puppet resource service puppet ensure=stopped
[root@ip-10-38-18-93 ssl]# puppet resource service puppet ensure=stopped
service { 'puppet':
ensure => 'stopped',
}
3. Locate Puppet's ssldir by reading the setting from Puppet; run either
sudo puppet config print ssldir --section master
or
sudo puppet master --configprint ssldir
4. Delete all files in the ssldir:
[root@ip-10-38-18-93 ssl]# puppet config print ssldir --section master
/etc/puppet/ssl
[root@ip-10-38-18-93 ssl]# cd /etc/puppet/ssl
[root@ip-10-38-18-93 ssl]# ll
total 4
drwxr-xr-x. 5 puppet puppet 158 Apr 19 11:16 ca
drwxr-xr-x. 2 puppet puppet 6 Apr 19 11:16 certificate_requests
drwxr-xr-x. 2 puppet puppet 73 Apr 19 11:16 certs
-rw-r--r--. 1 puppet puppet 999 Apr 19 11:16 crl.pem
drwxr-x---. 2 puppet puppet 6 Apr 19 11:16 private
drwxr-x---. 2 puppet puppet 59 Apr 19 11:16 private_keys
drwxr-xr-x. 2 puppet puppet 59 Apr 19 11:16 public_keys
[root@ip-10-38-18-93 ssl]# rm -rf *
[root@ip-10-38-18-93 ssl]# ll
total 0
[root@ip-10-38-18-93 ssl]#
5. Regenerate the CA by running sudo puppet cert list -a. You should see this message:
Notice: Signed certificate request for ca
[root@ip-10-38-18-93 ssl]# puppet cert list -a
Notice: Signed certificate request for ca
[root@ip-10-38-18-93 ssl]#
6. Generate the Puppet master's new certs with
sudo puppet master --no-daemonize --verbose
When you see Notice: Starting Puppet master <your Puppet version>, type CTRL + C.
7. Start the Puppet master service by reversing whatever you did in step 3 (e.g., sudo puppet resource service apache2 ensure=running).
Clear and Regenerate Certs for Puppet Agents
To replace the certs on agents, you’ll need to log into each agent node and do the following:
1. Stop the Puppet agent service. On *nix nodes, run sudo puppet resource service puppet ensure=stopped.
[root@ip-10-38-18-43 ec2-user]# puppet resource service puppet ensure=stopped
Notice: /Service[puppet]/ensure: ensure changed 'running' to 'stopped'
service { 'puppet':
ensure => 'stopped',
}
2. Locate Puppet’s ssldir and delete everything in it. The ssldir can be located by running puppet config print ssldir --section agent or puppet agent --configprint ssldir — be sure to run that command with sudo on *nix nodes and with Administrator privileges on Windows nodes.
[root@ip-10-38-18-43 ec2-user]# puppet agent --configprint ssldir
/var/lib/puppet/ssl
3. Re-start the Puppet agent service. On *nix nodes, run sudo puppet resource service puppet ensure=running. On Windows nodes, run the same command (minus sudo) with Administrator privileges.
[root@ip-10-38-18-43 ec2-user]# puppet agent --configprint ssldir
/var/lib/puppet/ssl
[root@ip-10-38-18-43 ec2-user]# cd /var/lib/puppet/ssl
[root@ip-10-38-18-43 ssl]# ll
total 0
drwxr-xr-x. 5 puppet puppet 158 Apr 19 13:38 ca
drwxr-xr-x. 2 puppet puppet 59 Apr 19 13:33 certificate_requests
drwxr-xr-x. 2 puppet puppet 126 Apr 19 17:37 certs
drwxr-x---. 2 puppet puppet 6 Apr 19 13:33 private
drwxr-x---. 2 puppet puppet 112 Apr 19 17:37 private_keys
drwxr-xr-x. 2 puppet puppet 112 Apr 19 17:37 public_keys
[root@ip-10-38-18-43 ssl]# rm -rf *
Once the Puppet agent starts, it will automatically generate keys and request a new certificate from the CA Puppet master.
4. If you are not using autosigning, you will need to sign each agent node’s certificate request. You can do this by logging into the CA Puppet master server, running sudo puppet cert list to see pending requests, and running sudo puppet cert sign <NAME> to sign requests.
[root@ip-10-38-18-43 ssl]# puppet cert list
Notice: Signed certificate request for ca
[root@ip-10-38-18-43 ssl]# puppet resource service puppet ensure=running
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
ensure => 'running',
}
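Step 4 above says to sign pending requests with puppet cert sign <NAME>. The check a practitioner wants before signing is to compare the SHA256 fingerprint the agent printed ("Info: Certificate Request fingerprint (SHA256): ...") with the fingerprint the CA master shows for that request in puppet cert list, so that only a request that really came from that agent gets signed. The following POSIX shell script is an added example, not part of the original page and not Puppet's own code. It reuses the fingerprint printed by the agent later on this page; the puppet cert list output it parses is a constructed sample, and its layout ("name" (SHA256) fingerprint) is an assumption about the Puppet 3 output format. It prints the sign command instead of executing it.

```shell
#!/bin/sh
# Added example: verify an agent's CSR fingerprint against the CA master's
# pending-request list before signing. Not from the original page or from Puppet.

# Fingerprint exactly as the agent printed it in the run shown on this page.
AGENT_FP='4D:0B:82:38:CD:B9:72:14:71:77:BE:31:F7:FD:AA:B1:EE:DA:92:14:71:FA:6F:00:D1:25:4C:76:61:1A:F8:4F'

# Constructed sample of `puppet cert list` output on the master (assumed Puppet 3
# layout: "certname" (SHA256) FINGERPRINT). Not captured from a real master.
CERT_LIST_SAMPLE='  "ip-10-38-18-43.eu-west-2.compute.internal" (SHA256) 4D:0B:82:38:CD:B9:72:14:71:77:BE:31:F7:FD:AA:B1:EE:DA:92:14:71:FA:6F:00:D1:25:4C:76:61:1A:F8:4F
  "rogue-host.example.internal" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# master_fingerprint CERTNAME CERT_LIST_OUTPUT
# Prints the fingerprint the CA holds for CERTNAME's pending request, or nothing
# when no such request is listed.
master_fingerprint() {
    printf '%s\n' "$2" | awk -v name="\"$1\"" '$1 == name { print $3 }'
}

# fingerprints_match CERTNAME AGENT_FP CERT_LIST_OUTPUT
# Succeeds only when the master lists a request for CERTNAME and its fingerprint
# equals the one the agent reported (compared case-insensitively).
fingerprints_match() {
    master_fp=$(master_fingerprint "$1" "$3")
    [ -n "$master_fp" ] || return 1
    [ "$(printf '%s' "$master_fp" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# sign_if_verified CERTNAME AGENT_FP CERT_LIST_OUTPUT
# Prints the sign command to run when the fingerprints agree; otherwise prints a
# refusal and fails. Nothing is executed, so the script is safe to run anywhere.
sign_if_verified() {
    if fingerprints_match "$1" "$2" "$3"; then
        echo "puppet cert sign $1"
    else
        echo "REFUSE: fingerprint mismatch or no pending request for $1"
        return 1
    fi
}

# The agent from this page matches; a request whose fingerprint the agent never
# reported is refused.
sign_if_verified "ip-10-38-18-43.eu-west-2.compute.internal" "$AGENT_FP" "$CERT_LIST_SAMPLE"
sign_if_verified "rogue-host.example.internal" "$AGENT_FP" "$CERT_LIST_SAMPLE" || true
```

In practice you would feed the real output of sudo puppet cert list into CERT_LIST_SAMPLE and take AGENT_FP from the agent's console or log over a channel other than the Puppet connection itself; the point is that the CA operator, not the requesting host, decides whether the two values agree.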
Once an agent node's new certificate is signed, it will fetch it automatically within a few minutes and begin a Puppet run.
Disable the Puppet autosign certificates feature:
In case you want to explicitly disable the Puppet autosign feature, you need to make a small change in the Puppet master's main config file, /etc/puppet/puppet.conf, and add this line under the [master] block.
vi /etc/puppet/puppet.conf
[master]
# Disabling autosign
autosign = false
=========================================================================================
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint:
Solution:
To fix this, remove the certificate from both the master and the agent and then start a Puppet run, which will automatically regenerate a certificate.
On the master:
puppet cert clean ip-10-38-18-93.eu-west-2.compute.internal
On the agent:
1a. On most platforms: find /var/lib/puppet/ssl -name ip-10-38-18-93.eu-west-2.compute.internal.pem -delete
1b. On Windows: del "/var/lib/puppet/ssl/ip-10-38-18-93.eu-west-2.compute.internal.pem" /f
2. puppet agent -t
Exiting; no certificate found and waitforcert is disabled – Installing puppet
On puppet Master
puppet cert sign --all
puppet cert clean --all
On the Agent
rm -rf /var/lib/puppet/ssl/*
But still nothing when I tried to generate the SSL cert from PuppetMaster
root@ubuntu1:~# puppet agent --no-daemonize --onetime --verbose
Exiting; no certificate found and waitforcert is disabled
It turns out the client requests the revocation list from the master; you can disable that by setting its property to false. Add this line to the puppet.conf file:
[root@ip-10-38-18-43 ec2-user]# vi /etc/puppet/puppet.conf
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = /var/lib/puppet/ssl
certificate_revocation = false
[agent]
ssldir = $vardir/ssl
server = ip-10-38-18-93.eu-west-2.compute.internal
certname = ip-10-38-18-43.eu-west-2.compute.internal
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
report = true
graph = true
pluginsync = true
Then run
On puppet Master
puppet cert sign --all
puppet cert clean --all
On the Agent
rm -rf /var/lib/puppet/ssl/*
Then you can generate a new cert successfully:
[root@ip-10-38-18-43 ec2-user]# puppet agent --no-daemonize --server ip-10-38-18-93.eu-west-2.compute.internal --onetime --verbose
Info: Creating a new SSL key for ip-10-38-18-43.eu-west-2.compute.internal
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ip-10-38-18-43.eu-west-2.compute.internal
Info: Certificate Request fingerprint (SHA256): 4D:0B:82:38:CD:B9:72:14:71:77:BE:31:F7:FD:AA:B1:EE:DA:92:14:71:FA:6F:00:D1:25:4C:76:61:1A:F8:4F
Info: Caching certificate for ip-10-38-18-43.eu-west-2.compute.internal
Info: Caching certificate for ca
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Failed to find ip-10-38-18-43.eu-west-2.compute.internal via exec: Execution of '/etc/puppetlabs/puppet-dashboard/external_node ip-10-38-18-43.eu-west-2.compute.internal' returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find terminus puppetdb for indirection facts
Notice: Using cached catalog
Error: Could not retrieve catalog; skipping run
And then sign it from the master
root@puppet-razor:~# puppet cert --list
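Two settings shown on this page trade security for convenience: autosign = true in the master's [master] section (the CA signs every certificate request it receives, so any host that can reach port 8140 gets a trusted agent certificate) and certificate_revocation = false in the agent's [main] section (the agent stops checking the master's certificate against the CA's revocation list, so a certificate revoked with puppet cert clean is still trusted). The following POSIX shell script is an added example, not part of the original page and not Puppet's own code: it scans a puppet.conf-style file for those two settings and reports them, the way a config review or a compliance check would. The parser is a plain awk pass over the INI-like layout (sections in [...], key = value lines, # comments), not Puppet's own parser, and the config it reads is a constructed sample that combines the weak settings from the master and agent files above.

```shell
#!/bin/sh
# Added example: audit a Puppet 3 style puppet.conf for autosign = true and
# certificate_revocation = false. Not from the original page or from Puppet.

# Constructed sample combining the weak settings from this page's master and
# agent configs; the dns_alt_names value is made up.
SAMPLE_CONF='[main]
logdir = /var/log/puppet
certificate_revocation = false   # disables CRL checking on the agent
[master]
dns_alt_names = puppet,puppet.example.internal
autosign = true
[agent]
report = true'

# puppet_conf_get CONF SECTION KEY
# Prints the value of KEY inside SECTION with comments and surrounding whitespace
# removed, or nothing when it is not set. Names are compared case-insensitively.
puppet_conf_get() {
    printf '%s\n' "$1" | awk -v want_sec="$2" -v want_key="$3" '
        { sub(/[ \t]*#.*$/, "") }                          # strip trailing comments
        /^[ \t]*\[[A-Za-z0-9_]+\][ \t]*$/ {                 # section header
            sec = $0; gsub(/[^A-Za-z0-9_]/, "", sec); sec = tolower(sec); next
        }
        index($0, "=") && sec == tolower(want_sec) {        # key = value in wanted section
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == tolower(want_key)) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val
            }
        }'
}

# audit_puppet_conf CONF
# Prints one FINDING line per weak setting and returns the number of findings,
# so a zero exit status means the file passed.
audit_puppet_conf() {
    findings=0
    if [ "$(puppet_conf_get "$1" master autosign)" = "true" ]; then
        echo "FINDING: [master] autosign = true; set autosign = false and sign requests manually after verifying fingerprints"
        findings=$((findings + 1))
    fi
    for sec in main agent; do
        if [ "$(puppet_conf_get "$1" "$sec" certificate_revocation)" = "false" ]; then
            echo "FINDING: [$sec] certificate_revocation = false; revoked certificates will still be accepted"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

audit_puppet_conf "$SAMPLE_CONF" && echo "no weak settings found" || echo "weak settings found: $?"
```

To run it against a real file, replace the sample with "$(cat /etc/puppet/puppet.conf)"; on the page's own master config the [master] finding fires, and on the page's agent config the [main] finding fires. Treat certificate_revocation = false as a temporary workaround for the "no certificate found" error above, not as a permanent setting, since it removes the agent's only way of noticing a revoked master certificate.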