h1. Installing Puppet
Note:
- This goes through an installation on Ubuntu 12.04.
- Make sure that the package that is installed is a current version (this example uses 2.7.11). Previous versions of Ubuntu (notably, 10.04 LTS) do not ship a current version of puppet, and most documentation is for the latest branch.
h3. Install on the Server:
apt-get update
apt-get install puppet puppetmaster puppetmaster-passenger
Installing these packages also starts the built-in WEBrick puppetmaster. To fix this, stop the running instance and remove its init script from @/etc/init.d@.
h3. Install on the Client
apt-get update
apt-get install puppet
h4. Update:
- In @/etc/puppet/puppet.conf@, set the hostname for the certificate (@certname@) and the name of the puppetmaster (@server@).
- Edit @/etc/default/puppet@ so that the agent starts at boot
h3. Create Certificate:
The agent and the master communicate over a secure channel. Besides setting up an encrypted channel, the SSL handshake verifies that both sides really are who they claim to be.
+To authenticate a client+:
client# puppet agent --no-daemonize --verbose
server# puppet cert --list
client.nceas.ucsb.edu (01:23:45:67:89:AB:CD:EF:FE:DC:BA:98:76:54:32:01)
server# puppet cert --sign client.nceas.ucsb.edu
notice: Signed certificate request for client.nceas.ucsb.edu
notice: Removing file Puppet::SSL::CertificateRequest client.nceas.ucsb.edu at '/var/lib/puppet/ssl/ca/requests/client.nceas.ucsb.edu.pem'
The client checks every 60 seconds to see if there is a signed certificate. If so, it will grab it, then try to get the latest catalog from the puppet master. After the client completes its work, stop the client (control-C) and start the agent service (@service puppet start@).
With all of the machine name aliasing, it is not uncommon for the initial certificate to be created for a machine name other than what is desired. For example, when the above master was installed, it created a certificate for the machine name @'monitor.nhm.ku.edu'@ instead of @'monitor.dataone.org'@. When an agent attempted to register, the server could sign the agent's certificate, but the agent wouldn't trust the server's certificate, because it wasn't under the hostname the client used for the server.
To fix this, modify @/etc/puppet/puppet.conf@, in the @[main]@ stanza, and add the line @certname=monitor.dataone.org@. Stop any running puppet instance, remove all of the certificates and authorities (rm -rf /var/lib/puppet/ssl), and restart (this works for both the client and the agent).
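To catch that mismatch before the agent is started, here is an added example (not from the original page) that reads the master's @certname@ and the agent's @server@ setting from their @puppet.conf@ files, falling back to @[main]@ the way puppet does, and reports whether they agree. The sample config contents, file paths and the @cert_cn@ helper are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original page: reads certname/server from
# puppet.conf files as described above and reports the hostname mismatch
# *before* the agent is started. Paths and the sample configs are constructed.

# puppet_conf_get FILE SECTION KEY: value of KEY in [SECTION], falling back to
# [main] as puppet does; prints nothing when neither stanza sets it.
puppet_conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { sec = $0; gsub(/[][ \t]/, "", sec); next }
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (sec == want) found = v
            else if (sec == "main") fallback = v
        }
        END { print (found != "" ? found : fallback) }' "$1"
}

# cert_cn FILE: CN of a PEM certificate (e.g. the master's own cert under
# /var/lib/puppet/ssl/certs/), i.e. the name the CA actually signed.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_master_name MASTER_CONF AGENT_CONF: 0 when the agent's "server"
# setting equals the master's certname, 1 with an explanation otherwise.
check_master_name() {
    master=$(puppet_conf_get "$1" master certname)
    expected=$(puppet_conf_get "$2" agent server)
    if [ -n "$master" ] && [ "$master" = "$expected" ]; then
        echo "ok: master certname '$master' matches the agent's server setting"
        return 0
    fi
    echo "mismatch: agent expects '$expected' but master certname is '${master:-<unset, defaults to fqdn>}'"
    echo "fix: set certname=$expected in [main] on the master, rm -rf /var/lib/puppet/ssl, restart"
    return 1
}

# Constructed sample configs reproducing the situation described above.
tmp=$(mktemp -d)
printf '[main]\ncertname = monitor.nhm.ku.edu\n[master]\nautosign = false\n' > "$tmp/master.conf"
printf '[main]\nserver = monitor.dataone.org\n[agent]\ncertname = client.nceas.ucsb.edu\n' > "$tmp/agent.conf"
check_master_name "$tmp/master.conf" "$tmp/agent.conf" || :    # reports the mismatch
printf '[main]\ncertname = monitor.dataone.org\n' > "$tmp/master-fixed.conf"
check_master_name "$tmp/master-fixed.conf" "$tmp/agent.conf"   # ok
```

On a real master, compare @cert_cn /var/lib/puppet/ssl/certs/<certname>.pem@ with the agent's @server@ value as well, since a stale signed certificate keeps the old name until the SSL directory is wiped.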
The puppet master is a Ruby on Rails application that runs under Phusion Passenger ("mod_ruby") and listens on port 8140.