In this video, you will go through the typical installation of a PuppetServer machine in a standalone configuration. For convenience, you will refer to this machine as puppetca.
- [Instructor] In this video, we're going to talk about building a Puppet Server machine from scratch, which we will call puppetca. And later on, we'll be building upon this configuration, but for now, we're just going to build a stand-alone puppetca, with the IP address 192.168.50.100. And my test machine is going to be a CentOS 7 machine. So the first thing you do is install the repository that Puppet maintains.
Now, if you have a Debian-based system, there's an apt repository at apt.puppetlabs.com, and you would install from that. I have a CentOS machine, so I'll use the yum repositories. If you have a RHEL machine, Scientific Linux, Springdale, any of those other ones, you would use this one. And the main thing to note here is that you can also install on Fedora, but these releases here, this release-el-7, would be appropriate for our CentOS 7, but this actually installs Puppet version 3.
We want to install version 4. And that's included in the release-pc1. And this pc1 is sort of a new way of distributing Puppet, and they're going to be doing the all-in-one, or AIO, as it's sometimes abbreviated. So what we're going to do is copy this repository here. So let's just copy the address of that, go back to our test machine, and yum install that repository. Say yes to install it.
And then, we'll install puppetserver. This will include the dependency of Puppet, which is the puppet-agent RPM. And that puppet-agent is the all-in-one package that I was talking about. And that's why it's 23 megabytes. That's because it includes Ruby. So previously we used the system's Ruby, but now Puppet is including its own Ruby in the package, so that there are no dependency issues there. Because the version of Ruby that Puppet depends on is sometimes not available on the OS in question.
The puppetserver RPM is 32 megabytes, and that's because it includes the Java that it needs to run as well. So all of the Java utilities are included in that package. So once this is installed, the first thing we want to do is go into /etc/sysconfig and just edit the puppetserver configuration file that was created. And you'll see this JAVA_ARGS line right here. And what we want to do is come in and change this to 500 megabytes, instead of two gigabytes.
And that's just because I'm using a VM, and I don't want to waste so much time waiting for two gigabytes of memory. And I also don't want to have my VM using so much memory when I'm only using it in that test environment. Now if you had a machine with a lot of nodes that it was going to control, you might actually want to increase that to four or eight gigabytes, depending on how many nodes you have. The next thing I want to do is just make sure that my hosts file defines this machine as puppet.example.com and puppet, so that when I refer to puppet, it goes to the local machine.
And I can verify that by just doing ping, and seeing that, yes, that's this machine. The next thing we want to do then is generate a CA certificate. So we'll start, we'll use puppet cert list -a, and this will force Puppet to create a new certificate authority, or CA cert, for us. All right. So now we've got a new CA. We can go to /etc/puppetlabs/puppet/ssl/ca, and we can see that that certificate was just generated for us.
The next thing we want to do then is generate a certificate for this host. So we need to do puppet certificate generate, and we're going to specify some DNS alt names for this machine: puppet.dev.example.com, puppet.prod.example.com. If you had a bunch of other domains, you would put them in there. Then this is the name that we want the certificate attached to, so this is puppet.example.com.
And we want to tell it where to find the CA, so we'll just say it's local. Now go and generate a certificate. So now that that certificate's there, we'll see that in the requests directory, there's this certificate request. What we want to do now is sign it. So we'll do a puppet cert sign puppet.example.com. We have to say that we want to allow the DNS alt names; by default they're denied. So, if I didn't add this flag, it would've been denied.
Now if I look in the signed directory, that's there, and the request has been removed. So the request is gone. Now, when we go to start puppetserver, puppetserver expects these certificates to be one directory up, in the certs directory, and there's nothing there right now. So what we want to do is go puppet certificate find puppet.example.com, and just say that the CA is local. So now if we look in the certs directory, we'll see that that's there.
We also want to find the CA certificate. We'll just do that. And again, if we look up one directory, we'll see that those are there. And if we look at the private keys directory, we'll see that the puppet private key is sitting there as well. So the next thing to do is then start puppetserver. And because this is a Java process, it's going to have to start up a JVM, and then start JRuby inside that JVM.
This can be a lengthy process. Typically on my VMs, specifying 500 megabytes, I see this start within 10 to 15 seconds. If you have it set to, say, four gigabytes, depending on the speed of your VM, it can take 30 to 45 seconds. The trade-off is that, once it's actually started, it's significantly faster than the previous releases of Puppet, where they were running through Passenger or some other system. Now, if all goes well, we should have this puppetserver listening on the puppet master port, which is 8140.
What I like to do is just verify that with lsof, once this is up. Now that it's up, let's just do lsof, say that we want to just verify that something's listening on the 8140 port, and there is, great. Now, if we try to connect from our client machine, so we'll go over to the client machine and do the puppet agent -t, that should generate a new certificate for this machine. Then it should go and try and find a machine called puppet, but we have a problem, because the system firewall on the machine may be in the way.
So if we did an iptables-save, we can see that there's a bunch of iptables rules. And this actually looks like a firewalld configuration, so what we want to do is add the puppet server port to firewalld, so I'll just do that. We'll say 8140, that's the master port, on TCP. And then, if we want to make sure that this does the same thing when we restart, I'll make sure it's a permanent rule.
Now that that's in there, the puppet client will now be able to talk to our puppetca. You can see that it generated a certificate for itself. So now, if we go back to this machine, and we say puppet cert list, we'll see that there should be a waiting request. And the idea too would be that we would verify with this SHA256 key that this is the right chain. So DE:DD:E7, and if I went over here, I would see that it's DE:DD:E7.
And that's the SHA256 fingerprint of that key. So now we'll sign that key. And now, if we look in this signed directory, we now have two keys in there. So now we can do our puppet agent again, and we'll see that it downloaded the certificate for us. There's nothing to do though, because we haven't included any code, but we have a successful puppet server.
Now the puppet code that we want to run is in the /etc/puppetlabs/code directory now. And there's an environments directory. By default, the production environment is created for us. So what we can do is go into this manifests directory, and we'll just create a site.pp, and we'll have it say something.
And close the manifest. So now if we go back to this machine, we'll see that we'll get the notifier. And there's our notifier right there. So this is a perfectly functioning stand-alone puppet server, and in the next section we'll build on that and make a load-balancing configuration.
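The steps the instructor walks through by hand (PC1 repo, puppetserver install, JVM heap, hosts entry, CA and server certificate with DNS alt names, firewalld rule) and the fingerprint check he does by eye before signing the agent's request, collected into one POSIX shell script. This is an added example written for this page, not code from the course or from Puppet. It assumes the same names as the video (puppet.example.com at 192.168.50.100, alt names puppet.dev.example.com and puppet.prod.example.com, plus the short name puppet, which the agent connects to by default), that /etc/sysconfig/puppetserver still carries the stock `-Xms2g -Xmx2g` heap setting, that firewalld is the active firewall, and that `puppet cert list` prints pending requests in the Puppet 4 format `"name" (SHA256) fingerprint` with signed entries prefixed by `+`. The privileged steps only run when the script is invoked with an explicit `provision` or `sign` argument.

```shell
#!/bin/sh
# Added example (not from the course): stand-alone puppetca on CentOS 7 with
# Puppet 4, plus a fingerprint check before signing an agent's request.
# Assumptions: names below, stock JAVA_ARGS heap of 2g, firewalld in use.

PUPPETCA_FQDN="puppet.example.com"
PUPPETCA_IP="192.168.50.100"
# "puppet" is added to the alt names so an agent that connects to the default
# server name gets a certificate that matches (assumption, not in the video).
PUPPETCA_ALT_NAMES="puppet,puppet.dev.example.com,puppet.prod.example.com"
PC1_REPO_RPM="https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm"
PUPPET=/opt/puppetlabs/bin/puppet

# The server-side steps of the video, in order. Needs root; only runs on request.
provision_puppetca() {
    yum -y install "$PC1_REPO_RPM"
    yum -y install puppetserver
    # Shrink the JVM heap for a test VM; on a busy production CA raise it instead.
    sed -i 's/-Xms2g -Xmx2g/-Xms512m -Xmx512m/' /etc/sysconfig/puppetserver
    # "puppet" and the FQDN must resolve to this box before the CA is created.
    grep -q "$PUPPETCA_FQDN" /etc/hosts || \
        printf '%s %s puppet\n' "$PUPPETCA_IP" "$PUPPETCA_FQDN" >> /etc/hosts
    # Any "puppet cert" command creates the CA if it does not exist yet.
    "$PUPPET" cert list -a
    # Server certificate carrying the alt names; alt names are refused at
    # signing time unless explicitly allowed.
    "$PUPPET" certificate generate --ca-location local \
        --dns-alt-names "$PUPPETCA_ALT_NAMES" "$PUPPETCA_FQDN"
    "$PUPPET" cert sign --allow-dns-alt-names "$PUPPETCA_FQDN"
    # Copy the signed cert and the CA cert into ssl/certs, where puppetserver looks.
    "$PUPPET" certificate find --ca-location local "$PUPPETCA_FQDN"
    "$PUPPET" certificate find --ca-location local ca
    # Open only the master port, now and after a reboot.
    firewall-cmd --add-port=8140/tcp
    firewall-cmd --permanent --add-port=8140/tcp
    systemctl start puppetserver
}

# Strip colons and upper-case so fingerprints copied from different tools compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Fingerprint of the *pending* request for $1 in the "puppet cert list" output
# passed as $2. Pending lines start with the quoted name; already-signed lines
# start with "+" and are skipped, so a signed cert can never satisfy the check.
pending_fingerprint() {
    printf '%s\n' "$2" | awk -v want="\"$1\"" \
        '$1 == want && $2 == "(SHA256)" { print $3; exit }'
}

# 0 when a non-empty listed fingerprint equals the expected one, 1 otherwise.
fingerprint_matches() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Sign NAME only if its pending request carries the fingerprint the agent
# itself printed ("Certificate Request fingerprint (SHA256): ..."), obtained
# out of band. Refusing on mismatch stops a rogue host that requested the same
# certname from being enrolled.
sign_if_match() {
    name=$1
    expected=$2
    listing=$("$PUPPET" cert list)
    actual=$(pending_fingerprint "$name" "$listing")
    if fingerprint_matches "$actual" "$expected"; then
        "$PUPPET" cert sign "$name"
    else
        echo "refusing to sign $name: listed '$actual' != expected '$expected'" >&2
        return 1
    fi
}

# Privileged actions run only when asked for explicitly:
#   ./puppetca.sh provision
#   ./puppetca.sh sign client1.example.com DE:DD:E7:...
case "${1:-}" in
    provision) provision_puppetca ;;
    sign) sign_if_match "$2" "$3" ;;
esac
```

The parsing is kept separate from the command that shells out to `puppet cert list`, so the match logic can be exercised on a captured listing without a CA present. Run `sign` from the CA host after reading the fingerprint off the agent's own `puppet agent -t` output, never from the pending request itself.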
This course was created by Packt Publishing.
- Puppet servers and environments
- Creating a Puppet server machine
- Performance tuning
- Using PuppetDB
- Extending Puppet with custom facts and types
- Using Hiera
- Generating reports
- Testing and troubleshooting Puppet environments