Puppet – installation and configuration on CentOS 7

In this article we will describe how to manage thousands of servers with Puppet at the same time. We will explain what Puppet is and learn how to accomplish different tasks with it. To use Puppet you must know Linux/UNIX operating systems very well.

Puppet can be used to automatically download and install software and to manage configuration files. We need this when we want to configure a lot of servers at the same time, or when we want to execute a program or script on a group of servers. One important point is that all operating systems must be up to date.

Puppet is written in Ruby and is released under the Apache license. It originated as a branch of CFEngine. It is convenient to use because Puppet is a declarative language. With the help of this article you will be able to use the scripts needed in daily work without reading lots of pages about Puppet.

Puppet is client/server software. The structure will be as follows:

  • Configure Puppet on the master and agent servers. This is just certificate signing between the master server and the agents.
  • Agent connections, removing certificates and testing manifests on different operating systems.

Puppet works with names. This means the names of the master server and the nodes must be the same on all servers and shared via the /etc/hosts file on all servers. This is used when agent nodes send requests to the master server for certificate signing: the hostname of the server is written into the common name of the certificate (alternatively you must use a DNS server and create a zone for your Puppet infrastructure; all nodes and the Puppet master server must then use this DNS server). We have a Puppet Master server (CentOS 7 x64) and 8 nodes: four of the nodes run CentOS 7 x64, two Ubuntu 14.04 x64 and two FreeBSD 10.1 x64. I used the following names:


pupmaster.unixmen.com – CentOS7 x64
pupnode1.unixmen.com – CentOS7 x64
pupnode2.unixmen.com – CentOS7 x64
pupnode3.unixmen.com – CentOS7 x64
pupnode4.unixmen.com – CentOS7 x64
pupnode5.unixmen.com – Ubuntu 14.04 x64
pupnode6.unixmen.com – Ubuntu 14.04 x64
pupnode7.unixmen.com – FreeBSD 10.1 x64
pupnode8.unixmen.com – FreeBSD 10.1 x64

Update all repositories and packages for all servers (Disable firewall on all servers):

RedHat/CentOS servers

[root@pupmaster ~]# yum update -y
[root@pupnode1 ~]# yum update -y
[root@pupnode2 ~]# yum update -y
[root@pupnode3 ~]# yum update -y
[root@pupnode4 ~]# yum update -y

Ubuntu/Debian/Mint servers

root@pupnode5:~# apt-get update
root@pupnode5:~# apt-get dist-upgrade -y
root@pupnode6:~# apt-get update
root@pupnode6:~# apt-get dist-upgrade


FreeBSD-based servers

root@pupnode7:/ # portsnap fetch extract update
root@pupnode7:/ # pkg update -f
root@pupnode7:~ # pkg2ng
root@pupnode8:~ # portsnap fetch extract update
root@pupnode8:~ # pkg update -f
root@pupnode8:~ # pkg2ng


Install ntp for time synchronization:

[root@pupmaster ~]# yum install ntp -y
[root@pupnode1 ~]# yum install ntp -y
[root@pupnode2 ~]# yum install ntp -y
[root@pupnode3 ~]# yum install ntp -y
[root@pupnode4 ~]# yum install ntp -y
root@pupnode5:~# apt-get install ntp -y
root@pupnode6:~# apt-get install ntp -y
root@pupnode7:~ # pkg install ntp -f
root@pupnode8:~ # pkg install ntp -f


Update the time on all servers, change the time zone to Europe/Amsterdam and write a cron entry for automatic updates:

 [root@pupmaster ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org
 [root@pupnode1 ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org
 [root@pupnode2 ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org
 [root@pupnode3 ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org
 [root@pupnode4 ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org
 [root@pupnode5 ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org
 [root@pupnode6 ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org
 [root@pupnode7 ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org
 [root@pupnode8 ~]# cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime; ntpdate 0.asia.pool.ntp.org


Use the following line on all Linux servers (this is for the time update):

# mkdir -p /var/cron/tabs && echo '0 0 * * * /usr/sbin/ntpdate 0.asia.pool.ntp.org' >> /var/cron/tabs/crontab && crontab /var/cron/tabs/crontab && crontab -l

On the FreeBSD servers only, add the following line to the end of the /etc/crontab file and restart the cron daemon:

 0 0 * * * root    /usr/sbin/ntpdate 0.asia.pool.ntp.org
# /etc/rc.d/cron restart

If you do not have a DNS server, you must use the following names for all servers. Add the following lines to the /etc/hosts file on all servers (master and agents):

127.0.0.1   localhost localhost.localdomain
XX.XX.XX.XX pupmaster.unixmen.com pupmaster
XX.XX.XX.XX pupnode1.unixmen.com pupnode1
XX.XX.XX.XX pupnode2.unixmen.com pupnode2
XX.XX.XX.XX pupnode3.unixmen.com pupnode3
XX.XX.XX.XX pupnode4.unixmen.com pupnode4
XX.XX.XX.XX pupnode5.unixmen.com pupnode5
XX.XX.XX.XX pupnode6.unixmen.com pupnode6
XX.XX.XX.XX pupnode7.unixmen.com pupnode7
XX.XX.XX.XX pupnode8.unixmen.com pupnode8


You must set the hostnames of the master and agent servers exactly as in the /etc/hosts file. For example, the hostname of the master server will be pupmaster.unixmen.com.

Install and configure the master server

As our master server runs CentOS, we download the Puppet Labs rpm repository package and install it:

 [root@pupmaster ~]# rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

Install Puppet server:

 [root@pupmaster ~]# yum install -y puppet-server

Add the Puppet Master daemon to startup:

[root@pupmaster ~]# systemctl enable puppetmaster.service

By default the /etc/puppet/puppet.conf file comes already configured. We change only one thing: the line autosign = true in the [main] section, so that certificates coming from nodes are signed automatically. The /etc/puppet/puppet.conf file will be as follows:

     [main]
     # Log, PID and SSL directories of the master
     logdir = /var/log/puppet
     rundir = /var/run/puppet
     ssldir = $vardir/ssl
     # Sign every incoming agent certificate request automatically
     autosign = true

     [agent]
     classfile = $vardir/classes.txt
     localconfig = $vardir/localconfig

Puppet configuration files are called manifests. It is very convenient to split the rules across many files. Create the /etc/puppet/manifests/site.pp file and add the following line (it tells Puppet to load all files with the .pp extension from the /etc/puppet/manifests/nodes folder):

import 'nodes/*.pp'

Create nodes folder:
[root@pupmaster ~]# mkdir /etc/puppet/manifests/nodes

For test purposes, create the /etc/puppet/manifests/nodes/files.pp file and add the following lines:

file { "/tmp/hello-file":
     ensure  => "present",
     replace => "no",            # do not overwrite the file if it already exists
     owner   => "root",
     group   => "wheel",
     mode    => "0644",          # octal mode as a string; a bare 644 is deprecated
     content => "From Puppet\n",
}

This rule will create the hello-file file in the /tmp folder on all agent servers (if it does not already exist). The owner of the file will be root, the group wheel, the permissions 644 and the content "From Puppet".

Start the Puppet Daemon:

 [root@pupmaster ~]# systemctl start puppetmaster.service

Check that port 8140 is listening:

 [root@pupmaster ~]# netstat -na|grep 8140
 tcp        0      0  *               LISTEN

If we need to revoke an agent server's certificate, use the following command. This command will revoke the certificate of the pupnode1.unixmen.com agent.

[root@pupmaster ~]# puppet cert clean pupnode1.unixmen.com


Finally, we can get the list of all signed and connected servers with the following command:

[root@pupmaster ~]# puppet cert list --all
+ "pupmaster.unixmen.com" (SHA256) 2D:DE:B2:64:CA:37:74:DF:92:65:DC:F0:53:58:95:F6:81:8F:63:3C:F9:F0:8C:5B:5A:C2:55:AE:A9:03:C4:06 (alt names: "DNS:pupmaster.unixmen.com", "DNS:puppet", "DNS:puppet.unixmen.com")
+ "pupnode1.unixmen.com"  (SHA256) 0A:78:73:3B:C7:4D:7F:30:22:AF:C8:D1:1D:C8:D2:3A:9F:EF:C6:2C:E7:81:57:0B:08:01:94:CB:A6:32:EB:48
+ "pupnode2.unixmen.com"  (SHA256) E0:CA:C0:12:3F:45:2D:8A:3F:7D:3D:7E:87:92:41:0B:4B:C9:B7:AA:32:CB:1F:C8:DD:C1:42:F0:F6:4F:F3:8C
+ "pupnode3.unixmen.com"  (SHA256) 21:A3:FE:B0:11:8C:BF:3A:02:1F:1B:5A:0C:8C:CE:AE:73:FF:24:0E:CD:FC:7D:64:96:A2:52:E7:41:73:00:FA
+ "pupnode4.unixmen.com"  (SHA256) C0:63:7F:DB:23:5B:CE:A8:DF:98:35:DE:48:AC:D5:8C:A1:0E:73:D5:02:25:C1:D7:8E:72:89:AE:BC:6A:BE:23
+ "pupnode5.unixmen.com"  (SHA256) AE:50:6C:DF:7F:97:9C:25:EC:5B:26:2A:4A:21:23:C0:89:43:C2:18:87:72:03:0C:0A:C2:BA:5C:59:66:F3:73
+ "pupnode6.unixmen.com"  (SHA256) F0:43:70:C6:9C:99:43:8F:46:50:37:DD:C1:51:B4:55:1F:FE:73:D1:0C:3B:FD:1D:C0:AD:E4:D3:38:3D:9B:FA
+ "pupnode7.unixmen.com"  (SHA256) E8:C5:94:95:8B:6F:BE:58:66:B9:4E:3A:7D:91:EB:4B:1B:B0:62:F7:28:6E:EB:EE:06:1E:3D:B9:35:1B:E0:9D
+ "pupnode8.unixmen.com"  (SHA256) EF:9D:6B:2C:47:35:F8:BB:F0:93:12:3B:F1:52:9A:87:B6:55:AB:20:EA:BD:BD:DD:AE:50:52:D0:CC:01:DF:2C

If we do not enable autosigning of certificates coming from agent servers, we must sign all of them by hand. The signing command is run on the master, as follows:

[root@pupmaster ~]# puppet cert sign pupnode6.unixmen.com
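With autosign = true the master signs every certificate request it receives, so the decision about which hosts may join and receive catalogs is made by whoever can reach port 8140 with a plausible name. The following is an added example, not part of the original article, of the manual alternative: with autosign = false in the [main] section, only pending requests whose certname appears verbatim in an allowlist get signed. It assumes the Puppet 3 puppet cert list output format shown above; the allowlist path /etc/puppet/allowed-nodes.txt is hypothetical and the sample output and fingerprints are constructed.

```shell
# Added example (not from the original article): sign only the pending
# certificate requests whose certname is on an explicit allowlist,
# instead of relying on "autosign = true" on the master.
# Assumptions: Puppet 3 'puppet cert list' output format, where "+"
# marks signed and "-" revoked entries and pending requests have no
# marker; the allowlist path below is hypothetical.
ALLOWLIST=/etc/puppet/allowed-nodes.txt

# Constructed sample of 'puppet cert list --all' output (fingerprints
# shortened and made up). One pending request is expected, one is not.
SAMPLE_CERT_LIST='+ "pupmaster.unixmen.com" (SHA256) 2D:DE:B2:64 (alt names: "DNS:puppet")
  "pupnode1.unixmen.com" (SHA256) 0A:78:73:3B
  "unknown-host.unixmen.com" (SHA256) 00:11:22:33
- "pupnode2.unixmen.com" (SHA256) E0:CA:C0:12'

# Extract the certnames of pending requests from cert-list output on
# stdin. The pattern anchors the quoted name at the start of the line
# (after optional blanks), so "+" and "-" entries never match.
pending_certnames() {
    sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*(SHA256).*/\1/p'
}

# Keep only certnames listed verbatim, one per line, in the allowlist
# file $1. A name that merely looks like ours (*.unixmen.com) is not
# enough; the exact hostname must be present.
allowed_only() {
    grep -Fx -f "$1" || true
}

# The complement: pending requests that are NOT on the allowlist. These
# are the ones an operator should investigate rather than sign.
pending_not_allowed() {
    pending_certnames | grep -Fxv -f "$1" || true
}

# On the master, as root: sign exactly the allowed pending requests and
# leave everything else unsigned for review.
sign_allowed() {
    puppet cert list | pending_certnames | allowed_only "$1" |
    while IFS= read -r name; do
        puppet cert sign "$name"
    done
}
```

Run sign_allowed "$ALLOWLIST" from cron or by hand on the master; pending_not_allowed "$ALLOWLIST" < list-output shows what was deliberately left unsigned.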


Install the Agents: