Getting a grip on Puppet: A guide for beginners

We're not just stringing you along...

QA's Kat McIvor will be taking to the stage at Continuous Lifecycle London to talk about automating security. But her skills don't end there. If config management's your thing, here's Kat's take on getting started with Puppet.

Puppet is another configuration management tool available as part of the DevOps toolbox. It uses a master / node setup to ensure that the correct set of files, programs and configuration is present on each of the nodes it looks after. This may not be so useful in a single machine system, or even when you only have a handful of servers to look after. But as the number of servers we need to look after increases, having a single Puppet master controlling what happens on each of the nodes is much more handy.

Puppet comes in two flavours: Enterprise or Open Source. Enterprise systems have access to the web front end for the Puppet master and an automated build tool which will configure everything for you. They also get access to other features that may not be available to the open source users. However, you will need to pay to control more than ten nodes with the Enterprise edition.

Open Source Puppet is a collection of different services as well as the core Puppet master. You can choose whether or not you want to include services based on your needs, rather than have everything included at once.

Setting up the Puppet master

There are two modes the enterprise Puppet master can use: monolithic or split. A monolithic system will be able to handle up to 500 nodes. For anything larger you'll want to look at using a split installation, moving the database, console and Puppet master to different machines.

To install the open source Puppet system all the configuration must be handled manually, starting with setting up the repositories for Puppet and ending with configuring the certificates for the machine.

As with most configuration management tools, the Puppet master requires a *nix server, but it can handle nodes of any operating system. We will be using Ubuntu 14.04, the open source Puppet community edition and Puppet 4.2 for these examples.

Step 1: Enable the Puppet repositories

wget https://apt.puppetlabs.com/puppetlabs-release-pc1-trusty.deb

sudo dpkg -i puppetlabs-release-pc1-trusty.deb

sudo apt-get update

Step 2: Install the Puppet server and start it with:

sudo apt-get install -y puppetserver

sudo service puppetserver start

All the configuration files will be present in the /etc/puppetlabs/puppetserver directory. These can be used to control and change the server settings.

Creating the Puppet agent

The Puppet agent will check in with the master every 30 minutes (by default) on port 8140 and request its current config catalogue. To install the agent we follow similar steps to those for installing the Puppet master. Again, this is assuming Ubuntu 14.04.

Step 1: Enable the repositories

wget https://apt.puppetlabs.com/puppetlabs-release-pc1-trusty.deb

sudo dpkg -i puppetlabs-release-pc1-trusty.deb

sudo apt-get update

Step 2: Install the agent

sudo apt-get install puppet-agent

Step 3: Update your hosts file

The agent will need to know where to find the Puppet master. We can achieve this by changing the hosts file to point at the current Puppet master with the name 'puppet'. You should change the IP address to be your Puppet master's IP!

echo '52.30.70.51 puppet' | sudo tee -a /etc/hosts

Step 4: Start the Puppet agent

The Puppet agent will attempt to talk to the Puppet master and request a certificate. To start the agent use the following line:

sudo /opt/puppetlabs/bin/puppet agent --test

It should come up with an output saying something like:

root@ip-172-31-29-110:~# sudo /opt/puppetlabs/bin/puppet agent --test

Info: Creating a new SSL key for ip-172-31-29-110.eu-west-1.compute.internal

Info: Caching certificate for ca

Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml

Info: Creating a new SSL certificate request for ip-172-31-29-110.eu-west-1.compute.internal

Info: Certificate Request fingerprint (SHA256): EC:92:6E:2E:58:E2:15:4E:3D:0D:6D:D8:EC:E4:54:67:E5:9B:89:AD:68:5B:A7:9F:E8:48:EC:0E:5F:B0:B5:5E

Info: Caching certificate for ca

Exiting; no certificate found and waitforcert is disabled

(Yes, I'm in aws, don't you love the cloud?)
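The fingerprint in that output is what lets you confirm, on the master, that a pending certificate request really came from this agent. The script below is an added example, not part of the original article: it extracts the fingerprint from the agent output and compares it with the master's entry for the same certname. The function names are hypothetical, the sample input is constructed from the output above, and the master listing format (as printed by `puppet cert list` in Puppet 4) is an assumption.

```shell
#!/bin/sh
# Compare the CSR fingerprint the agent printed with the one the master holds,
# so a request is only trusted when both sides describe the same key.

FP_RE='([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}'   # 32 colon-separated hex bytes

# Fingerprint from `puppet agent --test` output on stdin. The value may follow
# the "fingerprint (SHA256):" label on the same line or on the next one.
agent_fingerprint() {
  sed -n '/Certificate Request fingerprint (SHA256)/,$p' |
    grep -Eo "$FP_RE" | head -n 1 | tr 'a-f' 'A-F'
}

# Fingerprint for certname $1 from the master's pending-request listing on
# stdin. ASSUMPTION: lines look like:  "certname" (SHA256) AA:BB:...
master_fingerprint() {
  grep -F "\"$1\" (SHA256)" | grep -Eo "$FP_RE" | head -n 1 | tr 'a-f' 'A-F'
}

# csr_matches AGENT_OUTPUT MASTER_LISTING CERTNAME
# Succeeds only if both fingerprints were found and are identical.
csr_matches() {
  a=$(printf '%s\n' "$1" | agent_fingerprint)
  m=$(printf '%s\n' "$2" | master_fingerprint "$3")
  [ -n "$a" ] && [ -n "$m" ] && [ "$a" = "$m" ]
}

# Constructed sample input, reusing the hostname and fingerprint printed above.
CERTNAME='ip-172-31-29-110.eu-west-1.compute.internal'
FP='EC:92:6E:2E:58:E2:15:4E:3D:0D:6D:D8:EC:E4:54:67:E5:9B:89:AD:68:5B:A7:9F:E8:48:EC:0E:5F:B0:B5:5E'
AGENT_OUTPUT="Info: Creating a new SSL certificate request for $CERTNAME
Info: Certificate Request fingerprint (SHA256): $FP
Exiting; no certificate found and waitforcert is disabled"
MASTER_LISTING="  \"$CERTNAME\" (SHA256) $FP"

if csr_matches "$AGENT_OUTPUT" "$MASTER_LISTING" "$CERTNAME"; then
  echo "fingerprints match for $CERTNAME"
else
  echo "MISMATCH or missing fingerprint for $CERTNAME: do not approve" >&2
fi
```

A missing fingerprint on either side is treated as a failure, so an empty or truncated listing never counts as a match.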

You can create a symbolic link between the Puppet executable and /usr/bin if you want to call Puppet directly.

sudo ln -s /opt/puppetlabs/bin/puppet /usr/bin/puppet

The check-in interval can be changed on the Puppet agent with:

puppet config set runinterval xxx

The time given is in seconds, so the default is 1800. You can see the currently configured time with:

puppet agent --configprint runinterval

