Puppet

Puppet is a Ruby-based configuration management tool that keeps all of the different configurations on a central site (the “puppetmaster”); the client machines (the “agents”) ask for the latest configuration, check whether anything has changed and, if so, apply the changes.

Note

  • This goes through an installation on Ubuntu 12.04.
  • Make sure that the package that is installed is a current version (this example uses 2.7.11). Previous versions of Ubuntu (notably, 10.04 LTS) do not ship a current version of puppet, and most documentation is for the latest branch.

Install on the Server

apt-get update
apt-get install puppet puppetmaster puppetmaster-passenger

Note

This configuration also started the WEBrick server. To fix this, stop the running instance and remove its script from /etc/init.d.

Install on the Client

apt-get update
apt-get install puppet

Update

  • In /etc/puppet/puppet.conf, set the hostname for the certificate (certname) and the name of the puppetmaster (server).
  • Change /etc/default/puppet so that the agent starts at boot.

Create Certificate

The agent and the master communicate over a secure channel. Besides setting up an encrypted channel, the SSL handshake verifies that both sides really are who they claim to be.

To authenticate a client:

client# puppet agent --no-daemonize --verbose

server# puppet cert --list
client.nceas.ucsb.edu (01:23:45:67:89:AB:CD:EF:FE:DC:BA:98:76:54:32:01)

server# puppet cert --sign client.nceas.ucsb.edu
notice: Signed certificate request for client.nceas.ucsb.edu
notice: Removing file Puppet::SSL::CertificateRequest client.nceas.ucsb.edu at '/var/lib/puppet/ssl/ca/requests/client.nceas.ucsb.edu.pem'

The client checks every 60 seconds to see if there is a signed certificate. If one is present, it downloads it and then requests the latest catalog from the puppet master. After the client completes its work, stop the client (control-C) and start the agent service (service puppet start).

With all of the machine-name aliasing, it is not uncommon for the initial certificate to be created for a machine name other than the one desired. For example, when the above master was installed, it created a certificate for the machine name 'monitor.nhm.ku.edu' instead of 'monitor.dataone.org'. When an agent attempted to register, the server could sign the agent’s certificate, but the agent wouldn’t trust the server’s certificate, because it wasn’t issued under the hostname the agent used for the server.

To fix this, edit /etc/puppet/puppet.conf and add the line certname=monitor.dataone.org to the [main] stanza. Stop any running puppet instance, remove all of the certificates and authorities (rm -rf /var/lib/puppet/ssl), and restart (this works for both the master and the agent).
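As an added example (not from the original page), a small POSIX shell check for the mismatch described above: it reads the name the agent uses for its master from puppet.conf (the `server` setting, honouring the [agent]-then-[main] lookup order) and compares it with the CN on the certificate the master presents. The `openssl` invocation and the certificate path are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example: detect "agent expects host A, master cert says host B".

# puppet_conf_get FILE SECTION KEY
# Prints KEY from SECTION of a puppet.conf, falling back to [main]
# when the key is not set in SECTION (puppet's own lookup order).
puppet_conf_get() {
    awk -v want_sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { gsub(/\[|\]|[ \t]/, ""); sec = $0; next }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1);   gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (sec == want_sec) { found = v; exit }
            if (sec == "main") main_v = v
        }
        END { print (found != "" ? found : main_v) }
    ' "$1"
}

# master_cert_cn PEM
# CN of a certificate file, e.g. a copy of the master's
# /var/lib/puppet/ssl/certs/<certname>.pem (path is an assumption).
# Handles both "subject= /CN=x" and "subject=CN = x" openssl output.
master_cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_server_name AGENT_CONF MASTER_CN
# Exit 0 when the agent's idea of the master matches the cert CN,
# exit 1 with the remedy from the text above when it does not.
check_server_name() {
    want=$(puppet_conf_get "$1" agent server)
    want=${want:-puppet}   # puppet's built-in default for 'server'
    if [ "$want" = "$2" ]; then
        echo "ok: agent contacts '$want' and the master cert is for '$2'"
        return 0
    fi
    echo "mismatch: agent expects '$want' but the master cert is for '$2'" >&2
    echo "fix on master: certname=$want in [main], stop puppet, rm -rf /var/lib/puppet/ssl, restart" >&2
    return 1
}

# Usage: check.sh /etc/puppet/puppet.conf master-cert.pem
if [ $# -eq 2 ]; then
    check_server_name "$1" "$(master_cert_cn "$2")"
fi
```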

The puppet master is a Ruby on Rails application served by Phusion Passenger (“mod_ruby”) and listens on port 8140.