Tags Archives: Puppet

An Overview of Puppet

Puppet is based on a client/server architecture where one machine in a Puppet network acts as the server machine with Puppet server software running on it, while the remaining machines act as clients with Puppet agent software running on them.

 

All Puppet manifests are written in the Ruby programming language and saved with an extension of .pp.

 

Puppet works by using manifests to define resources and the state of these resources. Resources can be grouped together using class and definition.

 

A Puppet manifest consists of the following:

 

Files

 

Resources

 

Templates (used to create configuration files on puppet nodes).

 

Nodes (definitions relating to client nodes are located here)

 

Classes

 

 

 

The import statement

 

The “Import” statement found in many manifests is used for loading files when Puppet starts. For example, to import all files contained in a directory, you can use the import statement:

 

import ‘clients/*’.

 

This will import all .pp files stored in that directory.

 

 

Variables

 

A manifest can define a new variable or use an existing variable. Puppet supports many kinds of variables. Example:

 

String Variable Example

 

$package = “ssh”

 

package { $package:
ensure => “installed”
}

 

 

This ensures the package ssh is available and installed.

 

 

Loops

 

Loops are used in order to apply multiple iterations on a section of code until a specific defined condition is met.

They can also be delpoyed to execute repetitive tasks using different set of values. For example, you may wish to create a single task process and then deploy a loop to repeat the task for the different software packages you wish to install.

 

An array is especially useful for repeating a test with different values. For example:

 

$packages = [‘ssh’, ‘vim’, ‘git’]

 

package { $packages:
ensure => “installed”
}

 

This ensures the packages ssh, vim and git are all installed.

 

Conditionals

 

Conditions can be created and applied to dynamically define whether a task or section of code should be executed and a specific action taken.

 

An execute condition supports attributes that work similarly to a simple condition, but only accepting a command output as a condition.

 

Example:

 

if $OperatingSystem != ‘Linux’ {
warning(‘Only Linux OS distributions are supported’)
} else {
notify { ‘The installed OS found is Linux’: }
}

 

 

Modules

 

A Puppet module is a collection of resources, classes, files, definition, and templates.

 

This enables generic modules to be written and used multiple times with very few code alterations.

 

 

Module Configuration

 

The search path for modules is defined using a colon-separated list of directories in the puppetmasterd or masterd using the modulepath parameter:

 

[puppetmasterd]
modulepath = /var/lib/puppet/modules:/data/puppet/modules

 

The search path can also be defined at runtime by setting the PUPPETLAB environment variable (as a colon-separated list of variables).

 

 

Module Internal Organization

 

When you create a new Puppet module, it uses the following structure and contains manifest, distributed file, plugins, and templates arranged in a specific directory structure:

 

MODULE_PATH/
downcased_module_name/
files/
manifests/
init.pp
lib/
puppet/
parser/
functions
provider/
type/
facter/
templates/
README

 

Whenever a module is created, it contains an init.pp manifest file at the specified location in the manifests directory.

 

This manifest file always executes first and contains all the classes associated with that particular module.

 

Additional .pp files can be added directly under the manifests folder. These should be named after the class.

 

Puppet deploys at standalone tool called facter which holds environment level variables, similar to the env variables of a Bash shell.

 

In Puppet, the key-value pair is known as a “fact”. Each resource has its own facts and Puppet users can also create their own custom facts.

 

facter

 

The facter command can be used to list all environment variables and their values. These are built-in with facter out-of-the-box and are referred to as core facts.

 

Users can then add custom facts to the facter collection.

 

To view a variable using facter:

 

facter {Variable Name}

 

Example
[root@puppetmaster ~]# facter virtual
virtualbox

 

Puppet has three types of fact that can be used and defined:

 

Core Facts
Custom Facts
External Facts

 

Core facts are defined at the top level and are accessible to all at any point in the Puppet code system.

 

Before a Puppet agent requests for a catalog from the puppetmaster, the agent first deploys facter to compile a list of information available in itself in the form of a key value pair. Each key-value pair is referred as a fact.

 

Facts can be referenced in manifests as normal variables by using the $ prefix.

 

Example:

 

if ($OperatingSystem == “Linux”) {
$message = “This OS is $OperatingSystem \n”
} else {
$message = “This is an unknown machine\n”
}

 

file { “/tmp/machineOperatingSystem.txt”:
ensure => file,
content => “$message”
}

 

You can also write custom facts in Puppet. For information on how to do this, see the following link on the Puppet site:

 

https://docs.puppet.com/facter/latest/fact_overview.html#writing-structured-facts

 

Continue Reading

How To Use Puppet

Prerequisite is to have Puppet installed and running, both on the Puppet master server and on the Puppet clients.

 

See my IT Knowledge Base article on How To Install Puppet Server and Clients  

 

NOTE: a good source of practical Puppet tips and commands can be found at www.puppetcookbook.com/

 

Another tip: you can run your Puppet code through a quick syntax check at: https://validate.puppet.com/

 

 

Some basic Puppet concepts

 

Resources

 

Puppet code is composed mainly of resource declarations which describe the desired state of the system. This can specify such aspects as that a particular user or file should exist, or that a specific software package should be installed.

 

Resource declarations are formatted thus:

 

resource_type { ‘resource_name’
attribute => value

}

 

For example, we may specify the following user resource declaration:

 

user { ‘smith’:
ensure => present,
uid => ‘1000’,
gid => ‘1000’,
shell => ‘/bin/bash’,
home => ‘/home/smith’
}

 

 

To list all default Puppet resource types:

 

puppet resource –types

 

root@gemini:/opt/puppetlabs/bin# puppet resource –types
augeas
cron
exec
file
filebucket
group
host
mount
notify
package
resources
schedule
scheduled_task
selboolean
selmodule
service
ssh_authorized_key
sshkey
stage
tidy
user
whit
yumrepo
zfs
zone
zpool
root@gemini:/opt/puppetlabs/bin#

 

 

Manifests

 

Puppet programs are known as manifests. Manifests are composed of puppet code and are saved as files with the .pp filename extension.

 

The default main manifest in Puppet is located at /etc/puppetlabs/code/environments/production/manifests/site.pp  (for older versions of Puppet at /etc/puppet/manifests/site.pp.)

 

Classes

 

Puppet classes are code blocks which can be called in code from elsewhere.

 

Classes allows you re-use Puppet code and make it easier to read manifests.

 

Class Definition

 

A class definition contains the code that composes a class.

 

Defining a class makes the class available for use in manifests.

 

The format for a class definition is:

 

class example_class {

code

}

 

 

This defines a class with the name “example_class”.

 

Class Declaration

 

A class declaration occurs when a class is referenced in a manifest. There are two types of class declaration: normal and resource-like.

 

Puppet evaluates the code within the class.

 

A normal class declaration occurs when the “include” keyword is referenced in Puppet code, for example:

 

include example_class

 

This instructs Puppet to evaluate the code in example_class.

 

A resource-like class declaration occurs when a class is declared like a resource, thus:

 

class { ‘example_class’: }

 

“resource-like” class declarations allow you to specify class parameters. These override the default values of class attributes.

 

 

Modules

 

A Puppet module is a collection of manifests and data (which includes such items as facts, files, and templates). These have a specific directory structure.

 

Modules are used for organizing Puppet code, since they allow you to split up your Puppet code into manageable individual manifests.  Modules are the preferred method for organizing Puppet manifests.

 

To add a module to Puppet, save it in the /etc/puppetlabs/code/modules directory.

 

Manifests are defaultwise located under /etc/puppetlabs/code/environments/production/manifests

 

root@gemini:/etc/puppetlabs/code/environments/production# ll
total 28
drwxr-xr-x 5 root root 4096 Jul 20 15:08 ./
drwxr-xr-x 3 root root 4096 Jul 20 15:08 ../
drwxr-xr-x 2 root root 4096 Jun 14 09:16 data/
-rw-r–r– 1 root root 865 Jun 14 09:16 environment.conf
-rw-r–r– 1 root root 518 Jun 14 09:16 hiera.yaml
drwxr-xr-x 2 root root 4096 Jun 14 09:16 manifests/
drwxr-xr-x 2 root root 4096 Jun 14 09:16 modules/
root@gemini:/etc/puppetlabs/code/environments/production#

 

By default, the main manifest for an environment is set to <ENVIRONMENTS DIRECTORY>/<ENVIRONMENT>/manifests 

 

For example /etc/puppetlabs/code/environments/production/manifests as above.

 

You can configure the manifest on a per-environment basis or you can configure a default for all environments.

 

To determine its main manifest, an environment uses the manifest setting in environment.conf. This can be an absolute path or a path relative to the environment’s main directory.

 

If the environment.conf manifest setting is absent, then it references the value of the default_manifest setting found in the puppet.conf file. The default_manifest setting defaults to ./manifests.

 

 

NOTE: The current puppet environment location is now /etc/puppetlabs. This replaces the older location /etc/puppet which is still found in older Puppet documentation and may be in use on older versions of Puppet.

 

Resource declarations

 

Resource declarations are deployed in manifests. Some basic essential resource declarations include:

exec:  for executing commands, such as apt-get
package:  for installing packages via apt
service: to ensure that a service is running
file: to ensure certain files are present

 

 

 

Writing a Puppet manifest

 

The following is a simple basic example of a configuration manifest.

 

This will ensure the package hello is available on a puppet client node (puppetclient_intelvpn)

 

 

Open a default manifest with the name /etc/puppetlabs/code/environments/production/manifests/site.pp file on the master server and add the following configuration:

 

nano /etc/puppetlabs/code/environments/production/manifests/site.pp

 

package { “hello”:
ensure => “installed”
}

 

 

Our agent on client node puppetclient_intelvpn is set by default to retrieve the puppet master configuration every 30 minutes.

 

If we do not wish to wait for this time period, we can trigger the configuration request manually:

 

 

Package hello is currently unavailable on the client. Trigger new configuration request manually with puppet agent –test

 

First set a symlink for puppet in order to avoid having to enter the full path to puppet for each command:

 

root@len:~# ln -s /opt/puppetlabs/puppet/bin/puppet /usr/local/sbin/puppet

 

then do:

 

root@len:~# puppet agent –test
Info: Using configured environment ‘production’
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetclient_lenvpn
Info: Applying configuration version ‘1626883804’
Notice: /Stage[main]/Main/Package[hello]/ensure: created
Notice: Applied catalog in 18.89 seconds
root@len:~#

 

 

From the above output we can see that new configuration was applied and that the package “hello” has now been made available by Puppet on the client machine:

 

root@len:~# hello
Hello, world!
root@len:~#

 

 

A module to keep ubuntu systems updated:

 

Sourced from the official puppet forge site at https://forge.puppet.com/

 

from https://forge.puppet.com/modules/puppet/unattended_upgrades

 

root@gemini:~# puppet module install puppet-unattended_upgrades –version 5.1.0
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules …
Notice: Downloading from https://forgeapi.puppet.com …
Notice: Installing — do not interrupt …
/etc/puppetlabs/code/environments/production/modules
└─┬ puppet-unattended_upgrades (v5.1.0)
├─┬ puppetlabs-apt (v7.7.1)
│ └── puppetlabs-translate (v2.2.0)
└── puppetlabs-stdlib (v6.6.0)
root@gemini:~#

 

then on the clients do:

 

 

root@len:~# puppet agent –test
Info: Using configured environment ‘production’
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppetclient_lenvpn
Info: Applying configuration version ‘1626886951’
Notice: Applied catalog in 1.97 seconds
root@len:~#

 

then add following to /etc/puppetlabs/code/environments/production/manifests/site.pp

root@gemini:~# nano /etc/puppetlabs/code/environments/production/manifests/site.pp

 

 

node ‘puppetclient_lenvpn’ {

 

include unattended_upgrades

 

}

 

node ‘puppetclient_asusvpn’ {

 

include unattended_upgrades

 

}

 

node ‘puppetclient_intelvpn’ {

 

include unattended_upgrades

 

}

 

then run puppet agent –test

 

on each client:

 

eg on puppetclient_lenvpn:

 

then run puppet agent –test

 

on puppetclient_lenvpn:

 

root@len:/etc/apt# puppet agent –test

 

Info: Using configured environment ‘production’
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppetclient_lenvpn
Info: Applying configuration version ‘1626888562’

Notice: /Stage[main]/Apt/File[preferences]/ensure: created
Info: /Stage[main]/Apt/File[preferences]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/content:
— /etc/apt/apt.conf.d/15update-stamp 2013-07-12 19:07:51.000000000 +0200
+++ /tmp/puppet-file20210721-829078-1iei017 2021-07-21 19:29:35.053955262 +0200
@@ -1 +1,2 @@
+// This file is managed by Puppet. DO NOT EDIT.
APT::Update::Post-Invoke-Success {“touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true”;};

Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/content: content changed ‘{sha256}174cdb519fd06372847e23c20db869b2ff4b593252c0d2a6274d770eae2d92c9’ to ‘{sha256}2e6eb1f5f20262bfc6b7dfb26a302f00b4ab5fee803abd9e07ad8378cce067d5’
Info: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]: Scheduling refresh of Class[Apt::Update]
Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update]
Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered ‘refresh’ from 1 event
Notice: /Stage[main]/Unattended_upgrades/Apt::Conf[unattended-upgrades]/Apt::Setting[conf-unattended-upgrades]/File[/etc/apt/apt.conf.d/50unattended-upgrades]/content:
— /etc/apt/apt.conf.d/50unattended-upgrades 2020-04-14 00:37:21.000000000 +0200
+++ /tmp/puppet-file20210721-829078-px7grn 2021-07-21 19:29:56.030091041 +0200
@@ -1,3 +1,4 @@
+// This file is managed by Puppet. DO NOT EDIT.
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
@@ -6,126 +7,49 @@
Unattended-Upgrade::Allowed-Origins {
“${distro_id}:${distro_codename}”;
“${distro_id}:${distro_codename}-security”;
– // Extended Security Maintenance; doesn’t necessarily exist for
– // every release and this system may not have it installed, but if
– // available, the policy for updates is such that unattended-upgrades
– // should also install from here by default.
– “${distro_id}ESMApps:${distro_codename}-apps-security”;
– “${distro_id}ESM:${distro_codename}-infra-security”;
-// “${distro_id}:${distro_codename}-updates”;
-// “${distro_id}:${distro_codename}-proposed”;
-// “${distro_id}:${distro_codename}-backports”;
};

-// Python regular expressions, matching packages to exclude from upgrading
+// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
– // The following matches all packages starting with linux-
-// “linux-“;

– // Use $ to explicitely define the end of a package name. Without
– // the $, “libc6” would match all of them.
-// “libc6$”;
-// “libc6-dev$”;
-// “libc6-i686$”;

– // Special characters need escaping
-// “libstdc\+\+6$”;

– // The following matches packages like xen-system-amd64, xen-utils-4.1,
– // xenstore-utils and libxenstore3.0
-// “(lib)?xen(store)?”;

– // For more information about Python regular expressions, see
– // https://docs.python.org/3/howto/regex.html
};

-// This option controls whether the development release of Ubuntu will be
-// upgraded automatically. Valid values are “true”, “false”, and “auto”.
-Unattended-Upgrade::DevRelease “auto”;
+// List of days in the week that updates should be applied.
+// The days can be specified as localized abbreviated or full names.
+// Or as integers where “0” is Sunday, “1” is Monday etc.
+// Require Unattended-upgrades version >=0.91 to work, else it is ignored
+Unattended-Upgrade::Update-Days {
+};

// This option allows you to control if on a unclean dpkg exit
-// unattended-upgrades will automatically run
+// unattended-upgrades will automatically run
// dpkg –force-confold –configure -a
// The default is true, to ensure updates keep getting installed
-//Unattended-Upgrade::AutoFixInterruptedDpkg “true”;
+Unattended-Upgrade::AutoFixInterruptedDpkg “true”;

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
-//Unattended-Upgrade::MinimalSteps “true”;
+Unattended-Upgrade::MinimalSteps “true”;

-// Install all updates when the machine is shutting down
-// instead of doing it in the background while the machine is running.
-// This will (obviously) make shutdown slower.
-// Unattended-upgrades increases logind’s InhibitDelayMaxSec to 30s.
-// This allows more time for unattended-upgrades to shut down gracefully
-// or even install a few packages in InstallOnShutdown mode, but is still a
-// big step back from the 30 minutes allowed for InstallOnShutdown previously.
-// Users enabling InstallOnShutdown mode are advised to increase
-// InhibitDelayMaxSec even further, possibly to 30 minutes.
-//Unattended-Upgrade::InstallOnShutdown “false”;

-// Send email to this address for problems or packages upgrades
-// If empty or unset then no email is sent, make sure that you
-// have a working mail setup on your system. A package that provides
-// ‘mailx’ must be installed. E.g. “user@example.com”
-//Unattended-Upgrade::Mail “”;

-// Set this value to one of:
-// “always”, “only-on-error” or “on-change”
-// If this is not set, then any legacy MailOnlyOnError (boolean) value
-// is used to chose between “only-on-error” and “on-change”
-//Unattended-Upgrade::MailReport “on-change”;

-// Remove unused automatically installed kernel-related packages
-// (kernel images, kernel headers and kernel version locked tools).
-//Unattended-Upgrade::Remove-Unused-Kernel-Packages “true”;
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+Unattended-Upgrade::InstallOnShutdown “false”;

-// Do automatic removal of newly unused dependencies after the upgrade
-//Unattended-Upgrade::Remove-New-Unused-Dependencies “true”;

-// Do automatic removal of unused packages after the upgrade
+
+
+// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
-//Unattended-Upgrade::Remove-Unused-Dependencies “false”;
+Unattended-Upgrade::Remove-Unused-Dependencies “true”;

-// Automatically reboot *WITHOUT CONFIRMATION* if
-// the file /var/run/reboot-required is found after the upgrade
-//Unattended-Upgrade::Automatic-Reboot “false”;

-// Automatically reboot even if there are users currently logged in
-// when Unattended-Upgrade::Automatic-Reboot is set to true
-//Unattended-Upgrade::Automatic-Reboot-WithUsers “true”;
+// Automatically reboot *WITHOUT CONFIRMATION*
+// if the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot “false”;

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: “now”
-//Unattended-Upgrade::Automatic-Reboot-Time “02:00”;

-// Use apt bandwidth limit feature, this example limits the download
-// speed to 70kb/sec
-//Acquire::http::Dl-Limit “70”;

-// Enable logging to syslog. Default is False
-// Unattended-Upgrade::SyslogEnable “false”;

-// Specify syslog facility. Default is daemon
-// Unattended-Upgrade::SyslogFacility “daemon”;

-// Download and install upgrades only on AC power
-// (i.e. skip or gracefully stop updates on battery)
-// Unattended-Upgrade::OnlyOnACPower “true”;

-// Download and install upgrades only on non-metered connection
-// (i.e. skip or gracefully stop updates on a metered connection)
-// Unattended-Upgrade::Skip-Updates-On-Metered-Connections “true”;


-// Verbose logging
-// Unattended-Upgrade::Verbose “false”;

-// Print debugging information both in unattended-upgrades and
-// in unattended-upgrade-shutdown
-// Unattended-Upgrade::Debug “false”;
+Unattended-Upgrade::Automatic-Reboot-Time “now”;

-// Allow package downgrade if Pin-Priority exceeds 1000
-// Unattended-Upgrade::Allow-downgrade “false”;

 

Notice: /Stage[main]/Unattended_upgrades/Apt::Conf[unattended-upgrades]/Apt::Setting[conf-unattended-upgrades]/File[/etc/apt/apt.conf.d/50unattended-upgrades]/content: content changed ‘{sha256}84fb166f00cc1a0dab73075e6fc9cdbc265ef47dc6d0fe9bdfb054c76cf94947’ to ‘{sha256}06e08c106ff275615b3211d9079c389de4c0dc141d76596acf04197977e00360’
Notice: /Stage[main]/Unattended_upgrades/Apt::Conf[periodic]/Apt::Setting[conf-periodic]/File[/etc/apt/apt.conf.d/10periodic]/content:
— /etc/apt/apt.conf.d/10periodic 2013-07-12 19:07:51.000000000 +0200
+++ /tmp/puppet-file20210721-829078-1t795c6 2021-07-21 19:29:56.082091378 +0200
@@ -1,3 +1,49 @@
+// This file is managed by Puppet. DO NOT EDIT.
+APT::Periodic::Enable “1”;
+# – Enable the update/upgrade script (0=disable)
+#
+APT::Periodic::BackupArchiveInterval “0”;
+# – Backup after n-days if archive contents changed.(0=disable)
+#
+APT::Periodic::BackupLevel “3”;
+# – Backup level.(0=disable), 1 is invalid.
+#
+APT::Periodic::MaxAge “0”;
+# – Set maximum allowed age of a cache package file. If a cache
+# package file is older it is deleted (0=disable)
+#
+APT::Periodic::MinAge “2”;
+# – Set minimum age of a package file. If a file is younger it
+# will not be deleted (0=disable). Usefull to prevent races
+# and to keep backups of the packages for emergency.
+#
+APT::Periodic::MaxSize “0”;
+# – Set maximum size of the cache in MB (0=disable). If the cache
+# is bigger, cached package files are deleted until the size
+# requirement is met (the biggest packages will be deleted
+# first).
+#
APT::Periodic::Update-Package-Lists “1”;
+# – Do “apt-get update” automatically every n-days (0=disable)
+#
APT::Periodic::Download-Upgradeable-Packages “0”;
+# – Do “apt-get upgrade –download-only” every n-days (0=disable)
+#
+APT::Periodic::Download-Upgradeable-Packages-Debdelta “1”;
+# – Use debdelta-upgrade to download updates if available (0=disable)
+#
+APT::Periodic::Unattended-Upgrade “1”;
+# – Run the “unattended-upgrade” security upgrade script
+# every n-days (0=disabled)
+# Requires the package “unattended-upgrades” and will write
+# a log in /var/log/unattended-upgrades
+#
APT::Periodic::AutocleanInterval “0”;
+# – Do “apt-get autoclean” every n-days (0=disable)
+#
+APT::Periodic::Verbose “0”;
+# – Send report mail to root
+# 0: no report (or null string)
+# 1: progress report (actually any string)
+# 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
+# 3: + trace on

 

Notice: /Stage[main]/Unattended_upgrades/Apt::Conf[periodic]/Apt::Setting[conf-periodic]/File[/etc/apt/apt.conf.d/10periodic]/content: content changed ‘{sha256}82d9ce0d3f5d2c66945d8a1267445e9955409d1ef3cb9934107adccb46bf5f6a’ to ‘{sha256}2219f593d53546c3025c126a2afb1e799dcb073bb51a2d8cd2648070bbbf8d5f’
Notice: /Stage[main]/Unattended_upgrades/Apt::Conf[auto-upgrades]/Apt::Setting[conf-auto-upgrades]/File[/etc/apt/apt.conf.d/20auto-upgrades]/ensure: removed
Notice: /Stage[main]/Unattended_upgrades/Apt::Conf[options]/Apt::Setting[conf-options]/File[/etc/apt/apt.conf.d/10options]/ensure: defined content as ‘{sha256}fbee4ce1e047bf061a71232f5a0f6e373beec970e5afa52ae5bae984cb7d6f61’
Notice: Applied catalog in 22.72 seconds
root@len:/etc/apt#

 

 

 

To instruct Puppet to ensure a systemd service is running

 

In this example we want to make sure the sshd server service is active:

 

first of all, we set the following in the site.pp:

 

root@gemini:~# nano /etc/puppetlabs/code/environments/production/manifests/site.pp

 

node default {
# include module_name
# include ssh

 

service {‘ssh’:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
}
}

 

then install a relevant puppet module for ssh.

 

We obtain this from the official forge puppet repository site https://forge.puppet.com/modules

 

We are going to use the module from ghoneycutt, available from https://forge.puppet.com/modules/ghoneycutt/ssh

 

So on our puppet master server we do:

 

puppet module install ghoneycutt-ssh –version 3.62.0   

 

(the command can be found on the URL page above)

 

this will download and install the ssh puppet module directly onto our server.

 

Then, on the clients we can do the following:

 

Note: to test that the manifest does actually start ssh if it is not running we have first stopped ssh on the client.

 

As can be seen in the output result, puppet has started ssh on the client successfully:

 

root@asus:~# puppet agent –test
Info: Using configured environment ‘production’
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppetclient_asusvpn
Info: Applying configuration version ‘1626892938’
Notice: /Stage[main]/Main/Node[default]/Service[ssh]/ensure: ensure changed ‘stopped’ to ‘running’ (corrective)
Info: /Stage[main]/Main/Node[default]/Service[ssh]: Unscheduling refresh on Service[ssh]
Notice: Applied catalog in 0.38 seconds
root@asus:~#

 

 

root@asus:~#
root@asus:~# systemctl status ssh
● ssh.service – OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-07-21 20:42:19 CEST; 8min ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 2757294 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 2757295 (sshd)
Tasks: 1 (limit: 21459)
Memory: 4.3M
CGroup: /system.slice/ssh.service
└─2757295 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Continue Reading

How To Install Puppet Server and Clients

What is Puppet?

 

To quote from the Wikipedia entry for Puppet:

 

Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use.

 

Puppet is produced by Puppet, Inc, founded by Luke Kanies in 2005. Puppet’s primary product, Puppet Enterprise, is a commercially supported version of its open-source product.

 

Puppet’s automation software uses Puppet’s declarative language to manage various stages of the IT infrastructure lifecycle, including the provisioning, patching, configuration, and management of operating system and application components across enterprise data centers and cloud infrastructures.

 

Puppet uses an open-core model; its free-software version was released under version 2 of the GNU General Public License (GPL) until version 2.7.0,[6] and later releases use the Apache License, while Puppet Enterprise uses a proprietary license.

 

Built as cross-platform software, Puppet and Puppet Enterprise operate on multiple Unix-like systems (including Linux as well as Solaris, BSD, Mac OS X, AIX, HP-UX) and has Microsoft Windows support.

 

Puppet itself is written in Ruby, while Facter is written in C++, while Puppet Server and Puppet DB are written in Clojure.

 

Puppet is designed to manage the configuration of Unix-like and Microsoft Windows systems declaratively.

 

The user describes system resources and their state, either using Puppet’s declarative language or a Ruby DSL (domain-specific language).

 

This information is stored in files called “Puppet manifests”. Puppet discovers the system information via a utility called Facter, and compiles the Puppet manifests into a system-specific catalog containing resources and resource dependency, which are applied against the target systems. Any actions taken by Puppet are then reported.

 

Puppet usually follows client-server architecture. The client is known as an agent and the server is known as the master. For testing and simple configuration, it can also be used as a stand-alone application run from the command line.

 

Puppet Server is installed on one or more servers, and Puppet Agent is installed on all the machines that the user wants to manage.

 

Puppet Agents communicate with the server and fetch configuration instructions. The Agent then applies the configuration on the system and sends a status report to the server.

 

Devices can run Puppet Agent as a daemon, that can be triggered periodically as a cron job or can be run manually whenever needed.

 

 

 

Below are the instructions for installing Puppet master and agent nodes on Ubuntu 20.04 Linux systems.

 

 

Create the hostname definitions for Puppet on server and clients

 

Puppet master and client nodes uses hostnames to communicate with each other. Therefore it is a good idea to assign a unique puppet related hostname for each node in your Puppet system.

 

 

1. Login to the master and each client node one by one and add the following to the /etc/hosts file:

 

 

sudo nano /etc/hosts

# Puppet hostnames:

 

10.147.18.185 puppetmaster puppet
10.147.18.14 puppetclient_asusvpn
10.147.18.84 puppetclient_intelpn
10.147.18.65 puppetclient_lenvpn

 

These IPs are our VPN network addresses.

 

A simple way to distribute this file to save multiple editing is to edit on the one machine, eg geminivpn, and from there to use the following command:

 

for HOST in lenvpn asusvpn intelvpn; do
scp /etc/hosts $HOST:/etc/
done

 

root@gemini:/etc# for HOST in lenvpn asusvpn intelvpn; do scp /etc/hosts $HOST:/etc/; done
hosts 100% 2764 86.9KB/s 00:00
hosts 100% 2764 78.2KB/s 00:00
hosts 100% 2764 91.2KB/s 00:00
root@gemini:/etc#

 

 

Repository Installation for Puppet

 

To add the repo for your distribution, install the release package with the
codename for your distribution. For example, for ubuntu release xenial:

 

 

on the Puppetserver:

 

wget http://apt.puppetlabs.com/puppet-release-xenial.deb;
dpkg -i puppet-release-xenial.deb;
apt-get update -y;
apt-get install puppetserver -y;

 

 

 

Once the installation is completed, update the repository and install the Puppet server by running the following command:

 

apt-get update -y
apt-get install puppetserver -y

 

root@gemini:~# wget http://apt.puppetlabs.com/puppet-release-xenial.deb
–2021-07-20 15:01:15– http://apt.puppetlabs.com/puppet-release-xenial.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)… 52.222.139.78, 52.222.139.62, 52.222.139.2, …
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|52.222.139.78|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 11674 (11K) [application/x-debian-package]
Saving to: ‘puppet-release-xenial.deb’

 

puppet-release-xenial.de 100%[===============================>] 11.40K –.-KB/s in 0.004s

2021-07-20 15:01:15 (2.63 MB/s) – ‘puppet-release-xenial.deb’ saved [11674/11674]

root@gemini:~#

 

root@gemini:~# dpkg -i puppet-release-xenial.deb
Selecting previously unselected package puppet-release.
(Reading database … 173472 files and directories currently installed.)
Preparing to unpack puppet-release-xenial.deb …
Unpacking puppet-release (1.0.0-14xenial) …
Setting up puppet-release (1.0.0-14xenial) …
root@gemini:~#

 

root@gemini:~# apt-get update -y
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://download.zerotier.com/debian/buster buster InRelease
Get:5 https://mega.nz/linux/MEGAsync/xUbuntu_20.04 ./ InRelease [2441 B]
Hit:6 http://apt.puppetlabs.com xenial InRelease
Hit:7 http://security.ubuntu.com/ubuntu focal-security InRelease
Fetched 2441 B in 2s (1122 B/s)
Reading package lists… Done
root@gemini:~# apt-get install puppetserver -y
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following additional packages will be installed:
ca-certificates-java java-common openjdk-8-jre-headless puppet-agent
Suggested packages:
default-jre libnss-mdns fonts-dejavu-extra fonts-ipafont-gothic fonts-ipafont-mincho
fonts-wqy-microhei fonts-wqy-zenhei fonts-indic
The following NEW packages will be installed:
ca-certificates-java java-common openjdk-8-jre-headless puppet-agent puppetserver
0 upgraded, 5 newly installed, 0 to remove and 7 not upgraded.
Need to get 114 MB of archives.
After this operation, 313 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 java-common all 0.72 [6816 B]
Get:2 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 openjdk-8-jre-headless amd64 8u292-b10-0ubuntu1~20.04 [28.2 MB]
Get:3 http://apt.puppetlabs.com xenial/puppet amd64 puppet-agent amd64 7.8.0-1xenial [21.1 MB]
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 ca-certificates-java all 20190405ubuntu1 [12.2 kB]
Get:5 http://apt.puppetlabs.com xenial/puppet amd64 puppetserver all 7.2.0-1xenial [65.1 MB]
Fetched 114 MB in 6s (20.6 MB/s)
Selecting previously unselected package java-common.
(Reading database … 173477 files and directories currently installed.)
Preparing to unpack …/java-common_0.72_all.deb …
Unpacking java-common (0.72) …
Selecting previously unselected package openjdk-8-jre-headless:amd64.
Preparing to unpack …/openjdk-8-jre-headless_8u292-b10-0ubuntu1~20.04_amd64.deb …
Unpacking openjdk-8-jre-headless:amd64 (8u292-b10-0ubuntu1~20.04) …
Selecting previously unselected package ca-certificates-java.
Preparing to unpack …/ca-certificates-java_20190405ubuntu1_all.deb …
Unpacking ca-certificates-java (20190405ubuntu1) …
Selecting previously unselected package puppet-agent.
Preparing to unpack …/puppet-agent_7.8.0-1xenial_amd64.deb …
Unpacking puppet-agent (7.8.0-1xenial) …
Selecting previously unselected package puppetserver.
Preparing to unpack …/puppetserver_7.2.0-1xenial_all.deb …
Unpacking puppetserver (7.2.0-1xenial) …
Setting up java-common (0.72) …
Setting up puppet-agent (7.8.0-1xenial) …
Created symlink /etc/systemd/system/multi-user.target.wants/pxp-agent.service → /lib/systemd/system/pxp-agent.service.
Created symlink /etc/systemd/system/multi-user.target.wants/puppet.service → /lib/systemd/system/puppet.service.
Removed /etc/systemd/system/multi-user.target.wants/pxp-agent.service.
Setting up ca-certificates-java (20190405ubuntu1) …
head: cannot open ‘/etc/ssl/certs/java/cacerts’ for reading: No such file or directory
Adding debian:T-TeleSec_GlobalRoot_Class_2.pem
Adding debian:DigiCert_Global_Root_G.pem

…… … … … ..

(long list)

.. … … … 

Adding debian:AffirmTrust_Premium.pem
Adding debian:EC-ACC.pem
Adding debian:USERTrust_ECC_Certification_Authority.pem
Adding debian:Trustis_FPS_Root_CA.pem
Adding debian:TrustCor_RootCert_CA-1.pem
done.
Processing triggers for libc-bin (2.31-0ubuntu9.2) …
Processing triggers for systemd (245.4-4ubuntu3.7) …
Processing triggers for man-db (2.9.1-1) …
Processing triggers for ca-certificates (20210119~20.04.1) …
Updating certificates in /etc/ssl/certs…
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…

done.
done.

Setting up openjdk-8-jre-headless:amd64 (8u292-b10-0ubuntu1~20.04) …
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/keytool to provide /usr/bin/keytool (keytool) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/jjs to provide /usr/bin/jjs (jjs) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/pack200 to provide /usr/bin/pack200 (pack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/rmiregistry to provide /usr/bin/rmiregistry (rmiregistry) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/unpack200 to provide /usr/bin/unpack200 (unpack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/orbd to provide /usr/bin/orbd (orbd) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/servertool to provide /usr/bin/servertool (servertool) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/tnameserv to provide /usr/bin/tnameserv (tnameserv) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jexec to provide /usr/bin/jexec (jexec) in auto mode
Setting up puppetserver (7.2.0-1xenial) …
usermod: no changes
Processing triggers for systemd (245.4-4ubuntu3.7) …
root@gemini:~#

 

Adjust the RAM memory directive for Puppet

 

The default puppet server file configured to use 2GB of memory.

 

If your server doesn’t have enough memory, then reduce the memory size to 1GB or another value:

 

nano /etc/default/puppetserver

 

JAVA_ARGS=”-Xms1g -Xmx1g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger”

 

 

Then start the Puppet service and set it to auto-start on system boot:

 

sudo systemctl start puppetserver
sudo systemctl enable puppetserver

 

root@gemini:~# systemctl start puppetserver

 

● puppetserver.service – puppetserver Service
Loaded: loaded (/lib/systemd/system/puppetserver.service; disabled; vendor preset: enabled)
Active: activating (start) since Tue 2021-07-20 15:21:07 BST; 26s ago
Cntrl PID: 2841401 (bash)
Tasks: 12 (limit: 4915)
Memory: 260.3M
CGroup: /system.slice/puppetserver.service
├─2841401 bash /opt/puppetlabs/server/apps/puppetserver/cli/apps/start
├─2841425 /usr/bin/java -Xms1g -Xmx1g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.S>
└─2841521 sleep 1

 

Jul 20 15:21:07 gemini systemd[1]: Starting puppetserver Service…
~
~

 

 

root@gemini:~# systemctl enable puppetserver
Synchronizing state of puppetserver.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable puppetserver
Created symlink /etc/systemd/system/multi-user.target.wants/puppetserver.service → /lib/systemd/system/puppetserver.service.
root@gemini:~#

 

 

How To Install the Puppet Clients

 

On each Puppet client machine:

 

wget http://apt.puppetlabs.com/puppet-release-xenial.deb;
dpkg -i puppet-release-xenial.deb;
apt-get update -y;
apt-get install puppet-agent -y;

 

root@len:~# wget http://apt.puppetlabs.com/puppet-release-xenial.deb;
–2021-07-20 16:31:12– http://apt.puppetlabs.com/puppet-release-xenial.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)… 143.204.98.17, 143.204.98.74, 143.204.98.15, …
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|143.204.98.17|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 11674 (11K) [application/x-debian-package]
Saving to: ‘puppet-release-xenial.deb’

 

puppet-release-xenia 100%[=====================>] 11.40K –.-KB/s in 0s

2021-07-20 16:31:15 (48.8 MB/s) – ‘puppet-release-xenial.deb’ saved [11674/11674]

 

root@len:~# dpkg -i puppet-release-xenial.deb;
Selecting previously unselected package puppet-release.
(Reading database … 275787 files and directories currently installed.)
Preparing to unpack puppet-release-xenial.deb …
Unpacking puppet-release (1.0.0-14xenial) …
Setting up puppet-release (1.0.0-14xenial) …
root@len:~# apt-get update -y;
Hit:1 http://ppa.launchpad.net/atareao/telegram/ubuntu bionic InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:3 https://brave-browser-apt-release.s3.brave.com bionic InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:5 https://repo.skype.com/deb stable InRelease [4,501 B]
Hit:6 https://brave-browser-apt-release.s3.brave.com stable InRelease
Hit:7 http://download.zerotier.com/debian/buster buster InRelease
Hit:8 http://repository.spotify.com stable InRelease
Get:9 http://archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:10 http://ppa.launchpad.net/audio-recorder/ppa/ubuntu bionic InRelease
Get:11 https://mega.nz/linux/MEGAsync/xUbuntu_20.04 ./ InRelease [2,441 B]
Hit:12 http://ppa.launchpad.net/clipgrab-team/ppa/ubuntu bionic InRelease
Get:13 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Hit:14 http://old-releases.ubuntu.com/ubuntu cosmic InRelease
Hit:15 http://ppa.launchpad.net/gencfsm/ppa/ubuntu bionic InRelease
Ign:16 http://archive.ubuntu.com/ubuntu eoan InRelease
Get:17 http://apt.puppetlabs.com xenial InRelease [144 kB]
Ign:18 http://archive.ubuntu.com/ubuntu eoan-security InRelease
Hit:19 http://ppa.launchpad.net/nathan-renniewaldock/flux/ubuntu bionic InRelease
Ign:20 http://archive.ubuntu.com/ubuntu eoan-updates InRelease
Hit:21 http://old-releases.ubuntu.com/ubuntu cosmic-security InRelease
Ign:22 http://archive.ubuntu.com/ubuntu eoan-backports InRelease
Hit:23 http://ppa.launchpad.net/sebastian-stenzel/cryptomator/ubuntu bionic InRelease
Hit:24 http://archive.ubuntu.com/ubuntu focal InRelease
Get:25 http://archive.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:26 http://old-releases.ubuntu.com/ubuntu cosmic-updates InRelease
Hit:27 http://ppa.launchpad.net/wseverin/ppa/ubuntu bionic InRelease
Hit:28 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Get:29 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Hit:30 http://old-releases.ubuntu.com/ubuntu disco InRelease
Err:31 http://archive.ubuntu.com/ubuntu eoan Release
404 Not Found [IP: 91.189.88.152 80]
Err:32 http://archive.ubuntu.com/ubuntu eoan-security Release
404 Not Found [IP: 91.189.88.152 80]
Err:33 http://archive.ubuntu.com/ubuntu eoan-updates Release
404 Not Found [IP: 91.189.88.152 80]
Err:34 http://archive.ubuntu.com/ubuntu eoan-backports Release
404 Not Found [IP: 91.189.88.152 80]
Hit:35 http://old-releases.ubuntu.com/ubuntu disco-security InRelease
Err:5 https://repo.skype.com/deb stable InRelease
The following signatures were invalid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <se-um@microsoft.com>
Hit:36 http://old-releases.ubuntu.com/ubuntu disco-updates InRelease
Get:37 http://apt.puppetlabs.com xenial/puppet amd64 Packages [12.5 kB]
Get:38 http://apt.puppetlabs.com xenial/puppet all Packages [5,310 B]
Get:39 http://apt.puppetlabs.com xenial/puppet i386 Packages [11.4 kB]
Reading package lists… Done
E: The repository ‘http://archive.ubuntu.com/ubuntu eoan Release’ no longer has a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘http://archive.ubuntu.com/ubuntu eoan-security Release’ no longer has a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘http://archive.ubuntu.com/ubuntu eoan-updates Release’ no longer has a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘http://archive.ubuntu.com/ubuntu eoan-backports Release’ no longer has a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.skype.com/deb stable InRelease: The following signatures were invalid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <se-um@microsoft.com>
root@len:~# apt-get install puppet-agent -y;
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed
puppet-agent
0 to upgrade, 1 to newly install, 0 to remove and 71 not to upgrade.
Need to get 21.1 MB of archives.
After this operation, 133 MB of additional disk space will be used.
Get:1 http://apt.puppetlabs.com xenial/puppet amd64 puppet-agent amd64 7.8.0-1xenial [21.1 MB]
Fetched 21.1 MB in 8s (2,632 kB/s)
debconf: Unable to initialise frontend: Dialog
debconf: (Dialogue frontend requires a screen at least 13 lines tall and 31 columns wide.)
debconf: falling back to frontend: Readline
Selecting previously unselected package puppet-agent.
(Reading database … 275792 files and directories currently installed.)
Preparing to unpack …/puppet-agent_7.8.0-1xenial_amd64.deb …
Unpacking puppet-agent (7.8.0-1xenial) …
Setting up puppet-agent (7.8.0-1xenial) …

Created symlink /etc/systemd/system/multi-user.target.wants/pxp-agent.service → /lib/systemd/system/pxp-agent.service.
Created symlink /etc/systemd/system/multi-user.target.wants/puppet.service → /lib/systemd/system/puppet.service.
Removed /etc/systemd/system/multi-user.target.wants/pxp-agent.service.
Processing triggers for libc-bin (2.31-0ubuntu9.2) …

root@len:~# systemctl start puppet; systemctl enable puppet; systemctl status puppet
● puppet.service – Puppet agent
Loaded: loaded (/lib/systemd/system/puppet.service; enabled; vendor preset: e>
Active: active (running) since Tue 2021-07-20 16:38:06 CEST; 459ms ago
Main PID: 324315 (puppet)
Tasks: 1 (limit: 9329)
Memory: 21.7M
CGroup: /system.slice/puppet.service
└─324315 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/p>

 

Jul 20 16:38:06 len systemd[1]: Started Puppet agent.
root@len:~#

 

 

 

Once it is installed, edit the /etc/puppetlabs/puppet/puppet.conf file on each puppet client machine:

 

nano /etc/puppetlabs/puppet/puppet.conf

 

enter the following:

 

[main]
certname = puppetclient_asusvpn ( _lenvpn _intelvpn according to the machine)
server = puppetmaster

 

[main]
certname = puppetclient_asusvpn
server = puppetmaster

 

 

Finally start & enable:

 

systemctl start puppet; systemctl enable puppet; systemctl status puppet

 

Sign the Puppet Agent Certificates

 

login to the Puppet server and run the following command to list all the available certificates:

 

/opt/puppetlabs/bin/puppetserver ca list –all

 

 

sign all certs with:

 

/opt/puppetlabs/bin/puppetserver ca sign –all

 

 

Firewalling for Puppet

 

Puppet uses port 8140, so you need to open port 8140 on your firewall.

 

For Ubuntu:

 

ufw allow 8140

 

root@gemini:~#
root@gemini:~# ufw allow 8140
Rule added
Rule added (v6)
root@gemini:~#

 

 

Verify:

 

/opt/puppetlabs/bin/puppet agent –test

 

 

We had the following problem with the test:

 

root@len:~# /opt/puppetlabs/bin/puppet agent –test
Error: Server hostname ‘puppetmaster’ did not match server certificate; expected one of gemini, DNS:puppet, DNS:gemini
Error: Could not run: Server hostname ‘puppetmaster’ did not match server certificate; expected one of gemini, DNS:puppet, DNS:gemini
root@len:~#

 

 

This is due to the hostname definition for the puppet server on the clients.

 

So on the clients I modified the file:

 

root@len:~# nano /etc/puppetlabs/puppet/puppet.conf

 

 

and changed

 

[main]
certname = puppetclient_lenvpn
server = puppetmaster

 

to

 

[main]
certname = puppetclient_lenvpn
server = gemini

 

 

I was then able to do:

 

root@len:~# /opt/puppetlabs/bin/puppet agent –test
Info: Creating a new RSA SSL key for puppetclient_lenvpn
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetclient_lenvpn
Info: Certificate Request fingerprint (SHA256): 6B:0E:A6:DF:32:ED:80:9D:82:4A:87:26:35:26:F8:6B:7E:37:15:56:F2:B7:B9:32:E6:D6:A8:29:FB:AC:92:D6
Info: Certificate for puppetclient_lenvpn has not been signed yet
Couldn’t fetch certificate from CA server; you might still need to sign this agent’s certificate (puppetclient_lenvpn).
Exiting now because the waitforcert setting is set to 0.
root@len:~#

 

 

Now on the puppet server we can run:

 

root@gemini:~# /opt/puppetlabs/bin/puppetserver ca list
Requested Certificates:
puppetclient_lenvpn (SHA256) 6B:0E:A6:DF:32:ED:80:9D:82:4A:87:26:35:26:F8:6B:7E:37:15:56:F2:B7:B9:32:E6:D6:A8:29:FB:AC:92:D6
root@gemini:~#

 

 

so, we need to do this for each client as above example for lenvpn:

 

this is then the result:

 

root@gemini:~# /opt/puppetlabs/bin/puppetserver ca list
Requested Certificates:
puppetclient_lenvpn (SHA256) 6B:0E:A6:DF:32:ED:80:9D:82:4A:87:26:35:26:F8:6B:7E:37:15:56:F2:B7:B9:32:E6:D6:A8:29:FB:AC:92:D6
puppetclient_intelvpn (SHA256) AB:53:E7:2A:79:69:0A:6F:92:B5:F2:66:E4:0A:EB:67:28:33:10:BC:30:C5:EB:2A:D3:87:7C:C1:F9:EC:C1:C5
puppetclient_asusvpn (SHA256) C4:14:06:C9:61:E8:B6:E6:A0:7F:FD:D1:4A:F3:AC:9E:AD:8B:7F:9B:2B:93:BA:53:CC:58:FC:A6:70:EB:6F:42
root@gemini:~#

 

 

THEN, on the puppet server, sign the certificates for the clients:

 

you can do this by specifying -all, which will sign the certificates for all the clients using just the one command:

 

root@gemini:~# /opt/puppetlabs/bin/puppetserver ca sign –all
Successfully signed certificate request for puppetclient_lenvpn
Successfully signed certificate request for puppetclient_intelvpn
Successfully signed certificate request for puppetclient_asusvpn
root@gemini:~#

 

 

NOTE: the command still mentioned in much of the online Puppet documentation:

 

puppet cert

 

has since been deprecated and should no longer be used. Instead use the new syntax:

 

puppetserver ca

 

as above.

 

It is also convenient to add a symink from /usr/local/sbin/puppetserver so that the whole path to the puppetserver binary does not have to be entered:

 

ln -s /opt/puppetlabs/bin/puppetserver /usr/local/sbin/puppetserver

 

 

check the agents are working:

 

root@len:~# systemctl status puppet
● puppet.service – Puppet agent
Loaded: loaded (/lib/systemd/system/puppet.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-07-20 16:38:06 CEST; 5h 48min ago
Main PID: 324315 (puppet)
Tasks: 1 (limit: 9329)
Memory: 76.1M
CGroup: /system.slice/puppet.service
└─324315 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent –no-daemon>

 

Jul 20 22:06:43 len puppet-agent[324315]: Server hostname ‘puppetmaster’ did not match server certificate>
Jul 20 22:08:43 len puppet-agent[324315]: Server hostname ‘puppetmaster’ did not match server certificate>
root@len:~#

 

 

The Puppet master server (gemini) should now be able to communicate and control the agent nodes.

 

On a Puppet agent node, test the Puppet master and agent communication with the following command:

 

/opt/puppetlabs/bin/puppet agent –test

 

 

If everything is working, you will see the following output:

 

root@len:~# /opt/puppetlabs/bin/puppet agent –test
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetclient_lenvpn
Info: Certificate Request fingerprint (SHA256): 6B:0E:A6:DF:32:ED:80:9D:82:4A:87:26:35:26:F8:6B:7E:37:15:56:F2:B7:B9:32:E6:D6:A8:29:FB:AC:92:D6
Info: Downloaded certificate for puppetclient_lenvpn from https://gemini:8140/puppet-ca/v1
Info: Using configured environment ‘production’
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetclient_lenvpn
Info: Applying configuration version ‘1626812868’
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.01 seconds
root@len:~#

 

 

 

Ensure Time is Set Uniformly on Puppet Clients and Server

 

 

Make sure Puppet clients and server have the same time and using the same time zone:

 

root@gemini:/# date
Wed Jul 21 17:27:56 BST 2021
root@gemini:/#
root@gemini:~# timedatectl set-timezone Europe/Berlin
root@gemini:~# date
Wed Jul 21 18:28:49 CEST 2021
root@gemini:~#

 

 

 

For notes on how to use Puppet, see my article http://3.222.27.169/it-knowledge-base/how-to-use-puppet/

 

 

 

 

Continue Reading