h1. Installing Puppet

Note:

  • This goes through an installation on Ubuntu 12.04.
  • Make sure that the installed package is a current version (this example uses 2.7.11). Previous versions of Ubuntu (notably 10.04 LTS) do not ship a current version of Puppet, and most documentation is for the latest branch.


h3. Install on the Server:

apt-get update
apt-get install puppet puppetmaster puppetmaster-passenger

  This configuration also started the built-in WEBrick server. To fix this, stop the running instance and remove its startup script from @/etc/init.d@.


h3. Install on the Client

apt-get update
apt-get install puppet

h4. Update:

  • In @/etc/puppet/puppet.conf@, set the hostname for the certificate (@certname@) and the name of the puppetmaster (@server@).
  • Edit @/etc/default/puppet@ so that the agent starts at boot.


h3. Create Certificate:

  The agent and the master communicate over a secure channel. Besides setting up an encrypted channel, the SSL handshake verifies that both sides really are who they claim to be.

  +To authenticate a client+:

client# puppet agent --no-daemonize --verbose

server# puppet cert --list
client.nceas.ucsb.edu (01:23:45:67:89:AB:CD:EF:FE:DC:BA:98:76:54:32:01)
server# puppet cert --sign client.nceas.ucsb.edu
notice: Signed certificate request for client.nceas.ucsb.edu
notice: Removing file Puppet::SSL::CertificateRequest client.nceas.ucsb.edu at '/var/lib/puppet/ssl/ca/requests/client.nceas.ucsb.edu.pem'


  The client checks every 60 seconds to see if there is a signed certificate. If so, it will grab it, then try to get the latest catalog from the puppet master. After the client completes its work, stop the client (control-C) and start the agent service (@service puppet start@).
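  The fingerprint that @puppet cert --list@ prints is the only thing the master has to identify a pending request, so it should be compared with the value reported from the client side (for example, the fingerprint the agent prints on its own console, or one sent by the client's administrator) before the request is signed. The wrapper below is an added example, not code from this page or from Puppet: it parses the listing, refuses to sign when the fingerprints differ, and only then runs the @puppet cert --sign@ command shown above. The sample listing is constructed, and the helper names (@fingerprint_for@, @fingerprints_match@, @sign_if_verified@) are my own.

```sh
#!/bin/sh
# Constructed sample of `puppet cert --list` output (not captured from a real master).
SAMPLE_LIST='client.nceas.ucsb.edu (01:23:45:67:89:AB:CD:EF:FE:DC:BA:98:76:54:32:01)
other.example.org (AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99)'

# fingerprint_for NAME LIST_OUTPUT
#   Prints the fingerprint shown for NAME in the listing, or nothing if NAME is absent.
fingerprint_for() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name { gsub(/[()]/, "", $2); print $2 }'
}

# fingerprints_match NAME EXPECTED LIST_OUTPUT
#   Returns 0 only when NAME is listed and its fingerprint equals EXPECTED.
fingerprints_match() {
    actual=$(fingerprint_for "$1" "$3")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# sign_if_verified NAME EXPECTED
#   Signs the pending request for NAME only if the fingerprint the master shows
#   matches the one obtained from the client side. Runs the real puppet commands,
#   so this is for use on the master, not in the offline test.
sign_if_verified() {
    list=$(puppet cert --list) || return 1
    if fingerprints_match "$1" "$2" "$list"; then
        puppet cert --sign "$1"
    else
        echo "fingerprint mismatch or no pending request for $1; not signing" >&2
        return 1
    fi
}
```

Usage on the master: @sign_if_verified client.nceas.ucsb.edu 01:23:45:67:89:AB:CD:EF:FE:DC:BA:98:76:54:32:01@, where the second argument is the fingerprint obtained from the client, not copied from the master's own listing.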

  With all of the machine name aliasing, it is not uncommon for the initial certificate to be created for a machine name other than what is desired. For example, when the above master was installed, it created a certificate for the machine name @'monitor.nhm.ku.edu'@ instead of @'monitor.dataone.org'@. When an agent attempted to register, the server could sign the agent's certificate, but the agent wouldn't trust the server's certificate, because it wasn't under the hostname the client used for the server.

  To fix this, modify @/etc/puppet/puppet.conf@: in the @[main]@ stanza, add the line @certname=monitor.dataone.org@. Stop any running puppet instance, remove all of the certificates and authorities (@rm -rf /var/lib/puppet/ssl@), and restart (this works for both the master and the agent).
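  Because regenerating the SSL directory is disruptive, it is worth confirming the @certname@ in the @[main]@ stanza against the FQDN the host is supposed to use before any certificate is generated. The script below is an added example, not code from this page or from Puppet: it reads a key out of a given stanza of puppet.conf and compares the configured @certname@ with @hostname -f@. The puppet.conf contents are constructed to show the settings described above (@certname@ in @[main]@, @server@ in @[agent]@), and the helper names (@conf_value@, @certname_matches@, @preflight_certname@) are my own.

```sh
#!/bin/sh
# Constructed puppet.conf contents illustrating the settings this page describes
# (not copied from a real host).
SAMPLE_CONF='[main]
logdir=/var/log/puppet
ssldir=/var/lib/puppet/ssl
certname = monitor.dataone.org

[agent]
server=monitor.dataone.org
'

# conf_value SECTION KEY CONF
#   Prints the value of KEY inside [SECTION] from the CONF text, or nothing if unset.
conf_value() {
    printf '%s\n' "$3" | awk -v sec="$1" -v key="$2" '
        /^[[:space:]]*\[/ {                      # stanza header, e.g. [main]
            hdr = $0; gsub(/[[:space:]]/, "", hdr)
            in_sec = (hdr == "[" sec "]"); next
        }
        in_sec && index($0, "=") {                # key = value inside the wanted stanza
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# certname_matches EXPECTED CONF
#   Returns 0 when [main] certname in CONF equals EXPECTED.
certname_matches() {
    [ "$(conf_value main certname "$2")" = "$1" ]
}

# preflight_certname
#   Compares the configured certname with the host FQDN so a mismatch like
#   monitor.nhm.ku.edu vs monitor.dataone.org is caught before certificates exist.
preflight_certname() {
    conf=$(cat /etc/puppet/puppet.conf) || return 1
    want=$(hostname -f)
    if certname_matches "$want" "$conf"; then
        echo "certname matches $want"
    else
        echo "certname in puppet.conf is '$(conf_value main certname "$conf")', host FQDN is '$want'" >&2
        return 1
    fi
}
```

Run @preflight_certname@ on the host before the first agent run (or before starting the master); if it reports a mismatch, set @certname@ in @[main]@ first and only then let puppet create its certificates.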

  The puppet master is a Ruby on Rails application that runs under Phusion Passenger ("mod_ruby") and listens on port 8140.
