Puppet is an open-source configuration management tool written in Ruby, created by Luke Kanies, which includes its own declarative language for describing system configuration.
In this tutorial we install and configure Puppet on CentOS 7-based hosts.
Hosts used:
- master: CentOS 7.2 64bit, IP: 192.168.2.20
- agent1: CentOS 7.2 64bit, IP: 192.168.2.21
- agent2: CentOS 7.2 64bit, IP: 192.168.2.22
Steps:
1. Prerequisites
To run a Puppet environment we need to meet the following requirements.
1.1 Configure hostnames
Puppet nodes address each other by hostname, so every host must be able to resolve the names of the others; add the entries to /etc/hosts on each host:
master:
[root@master ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.20 master
192.168.2.21 agent1
192.168.2.22 agent2
agent1:
[root@agent1 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.20 master
192.168.2.21 agent1
192.168.2.22 agent2
agent2:
[root@agent2 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.20 master
192.168.2.21 agent1
192.168.2.22 agent2
1.2 NTP client (chrony)
Make sure an NTP client is running on each host (on CentOS 7 chrony works out of the box). Puppet validates its TLS certificates against the system clock, so clocks that drift apart cause agent connections to fail:
master:
[root@master ~]# systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2016-07-19 21:59:07 CEST; 1h 4min ago
Main PID: 430 (chronyd)
CGroup: /system.slice/chronyd.service
└─430 /usr/sbin/chronyd
Jul 19 21:59:05 master systemd[1]: Starting NTP client/server...
Jul 19 21:59:05 master chronyd[430]: chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +DEBUG +ASYNCDNS +IPV6 +SECHASH)
Jul 19 21:59:06 master chronyd[430]: Frequency 51.055 +/- 0.364 ppm read from /var/lib/chrony/drift
Jul 19 21:59:07 master systemd[1]: Started NTP client/server.
Jul 19 21:59:17 master chronyd[430]: Selected source 195.189.85.132
Jul 19 21:59:17 master chronyd[430]: System clock wrong by 1.112248 seconds, adjustment started
agent1:
[root@agent1 ~]# systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2016-07-19 21:59:07 CEST; 1h 4min ago
Main PID: 430 (chronyd)
CGroup: /system.slice/chronyd.service
└─430 /usr/sbin/chronyd
Jul 19 21:59:05 agent1 systemd[1]: Starting NTP client/server...
Jul 19 21:59:05 agent1 chronyd[430]: chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +DEBUG +ASYNCDNS +IPV6 +SECHASH)
Jul 19 21:59:06 agent1 chronyd[430]: Frequency 51.055 +/- 0.364 ppm read from /var/lib/chrony/drift
Jul 19 21:59:07 agent1 systemd[1]: Started NTP client/server.
Jul 19 21:59:17 agent1 chronyd[430]: Selected source 195.189.85.132
Jul 19 21:59:17 agent1 chronyd[430]: System clock wrong by 1.112248 seconds, adjustment started
agent2:
[root@agent2 ~]# systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2016-07-19 21:59:07 CEST; 1h 4min ago
Main PID: 430 (chronyd)
CGroup: /system.slice/chronyd.service
└─430 /usr/sbin/chronyd
Jul 19 21:59:05 agent2 systemd[1]: Starting NTP client/server...
Jul 19 21:59:05 agent2 chronyd[430]: chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +DEBUG +ASYNCDNS +IPV6 +SECHASH)
Jul 19 21:59:06 agent2 chronyd[430]: Frequency 51.055 +/- 0.364 ppm read from /var/lib/chrony/drift
Jul 19 21:59:07 agent2 systemd[1]: Started NTP client/server.
Jul 19 21:59:17 agent2 chronyd[430]: Selected source 195.189.85.132
Jul 19 21:59:17 agent2 chronyd[430]: System clock wrong by 1.112248 seconds, adjustment started
1.3 Install Puppet Repository
Install the Puppet Labs repository (Puppet Collection 1) on each host:
master:
[root@master ~]# yum install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
agent1:
[root@agent1 ~]# yum install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
agent2:
[root@agent2 ~]# yum install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
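The following preflight script is an added example, not part of the original tutorial: it checks the prerequisites from sections 1.1 and 1.2 on a node. It assumes the tutorial's node names and addresses, reads the hosts file from a path argument and the `chronyc tracking` output from stdin (so it can be exercised on a constructed sample as well as on the live system), and flags two things `systemctl status` alone does not show: a hostname mapped to more than one address, and a chronyd that is running but not actually synchronised.

```sh
#!/bin/sh
# Preflight check for the section 1 prerequisites (added example, not part of the original
# tutorial). Assumes the tutorial's node names and addresses below. Each check takes its input
# as a file argument or on stdin so it can be exercised on a constructed sample as well as on
# the live /etc/hosts and `chronyc tracking` output.

NODES="master:192.168.2.20 agent1:192.168.2.21 agent2:192.168.2.22"

# hosts_entry_ok FILE NAME IP: succeed if a non-comment line in FILE maps NAME to IP.
hosts_entry_ok() {
  grep -v '^[[:space:]]*#' "$1" | awk -v name="$2" -v ip="$3" '
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# hosts_conflicts FILE: print every hostname that FILE maps to more than one non-loopback
# address (a stale entry left from re-addressing means a node may contact the wrong peer).
hosts_conflicts() {
  grep -v '^[[:space:]]*#' "$1" | awk '
    NF >= 2 && $1 !~ /^127\./ && $1 != "::1" {
      for (i = 2; i <= NF; i++) if (!seen[$i, $1]++) count[$i]++
    }
    END { for (n in count) if (count[n] > 1) print n }' | sort
}

# check_hosts_file FILE: run both checks for every node in NODES; return the number of failures.
check_hosts_file() {
  file=$1; failures=0
  for entry in $NODES; do
    name=${entry%%:*}; ip=${entry#*:}
    if hosts_entry_ok "$file" "$name" "$ip"; then
      printf 'ok   %-8s -> %s\n' "$name" "$ip"
    else
      printf 'FAIL %-8s is not mapped to %s in %s\n' "$name" "$ip" "$file"
      failures=$((failures + 1))
    fi
  done
  for dup in $(hosts_conflicts "$file"); do
    printf 'FAIL %-8s is mapped to more than one address in %s\n' "$dup" "$file"
    failures=$((failures + 1))
  done
  return $failures
}

# chrony_leap_normal: read `chronyc tracking` output on stdin and succeed only when the leap
# status is Normal. "active (running)" in systemctl status only proves chronyd started; this
# proves it has actually synchronised, which is what the certificate validity checks rely on.
chrony_leap_normal() {
  awk -F: '/^Leap status/ { sub(/^[[:space:]]+/, "", $2); ok = ($2 == "Normal") }
           END { if (ok) exit 0; exit 1 }'
}

# Demonstration on a constructed copy of /etc/hosts with one stale agent2 entry.
# On a real node run:  check_hosts_file /etc/hosts && chronyc tracking | chrony_leap_normal
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.20 master
192.168.2.21 agent1
192.168.2.99 agent2
192.168.2.22 agent2
EOF
rc=0; check_hosts_file "$sample" || rc=$?
echo "hosts check failures: $rc"
rm -f "$sample"
```

Run it on each of the three nodes before installing Puppet; the constructed sample at the bottom reports one failure because agent2 is mapped to two addresses, which a plain grep for "agent2" would have missed.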
2. Configure Puppet Hosts
2.1 Configure Master
Install the Puppet Server package on the master:
[root@master ~]# yum install puppetserver
Modify memory allocation on master:
[root@master ~]# vim /etc/sysconfig/puppetserver
Adjust the following line to the memory available on the master:
JAVA_ARGS="-Xms1g -Xmx1g -XX:MaxPermSize=256m"
Enable and start the Puppet Server service on the master:
[root@master ~]# systemctl enable puppetserver
[root@master ~]# systemctl start puppetserver
Open port 8140/TCP on the master (a --permanent rule only takes effect after the firewall is reloaded):
[root@master ~]# firewall-cmd --zone=public --add-port=8140/tcp --permanent
[root@master ~]# firewall-cmd --reload
Log out and log back in as root so the PATH change made by the package takes effect, then check where puppet resolves:
[root@master ~]# which puppet
/opt/puppetlabs/bin/puppet
2.2 Configure Agent1
Install the puppet-agent package on agent1:
[root@agent1 ~]# yum install puppet-agent
Point the agent at the master in puppet.conf on agent1:
[root@agent1 ~]# vim /etc/puppetlabs/puppet/puppet.conf
[agent]
server = master
Enable and start the puppet agent service on agent1:
[root@agent1 puppet]# systemctl enable puppet
[root@agent1 puppet]# systemctl start puppet
[root@agent1 puppet]# systemctl status puppet
Log out and log back in as root so the PATH change made by the package takes effect, then check where puppet resolves:
[root@agent1 ~]# which puppet
/opt/puppetlabs/bin/puppet
2.3 Configure Agent2
Install the puppet-agent package on agent2:
[root@agent2 ~]# yum install puppet-agent
Point the agent at the master in puppet.conf on agent2:
[root@agent2 ~]# vim /etc/puppetlabs/puppet/puppet.conf
[agent]
server = master
Enable and start the puppet agent service on agent2:
[root@agent2 puppet]# systemctl enable puppet
[root@agent2 puppet]# systemctl start puppet
[root@agent2 puppet]# systemctl status puppet
Log out and log back in as root so the PATH change made by the package takes effect, then check where puppet resolves:
[root@agent2 ~]# which puppet
/opt/puppetlabs/bin/puppet
… configure as many further Puppet agents as you need by repeating the procedure above.
3. Manage Puppet Certificates
On the master, list the pending certificate signing requests sent by the agent hosts (agent1, agent2):
[root@master ~]# puppet cert list
"agent1" (SHA256) 90:69:88:1E:B8:24:28:BC:78:E6:30:36:8E:6C:6C:DC:C6:B5:B6:F4:AA:54:B7:0E:27:C0:0A:24:20:10:1B:22
"agent2" (SHA256) FB:0C:30:FA:21:51:94:95:9E:BB:D1:6E:11:1C:F2:13:4E:99:6B:E8:F8:E5:EA:7E:1E:A4:C9:0F:5D:DB:69:81
Sign the requests on the master (after confirming that each fingerprint matches the one the agent itself reports with `puppet agent --fingerprint`, so that you only sign requests from hosts you actually built):
[root@master ~]# puppet cert sign agent1
Notice: Signed certificate request for agent1
Notice: Removing file Puppet::SSL::CertificateRequest agent1 at '/etc/puppetlabs/puppet/ssl/ca/requests/agent1.pem'
[root@master ~]# puppet cert sign agent2
Notice: Signed certificate request for agent2
Notice: Removing file Puppet::SSL::CertificateRequest agent2 at '/etc/puppetlabs/puppet/ssl/ca/requests/agent2.pem'
List all certificates on the master (signed ones are marked with +):
[root@master ~]# puppet cert list --all
+ "agent1" (SHA256) D9:20:19:A1:AC:8F:C9:72:47:3A:C3:7D:55:6B:46:36:E9:F5:AC:27:A6:9A:CB:F9:6E:F6:AB:0D:F3:58:76:59
+ "agent2" (SHA256) 23:E2:54:E5:E3:6D:DF:86:4C:AD:55:CD:B4:9C:0B:52:B9:8D:A2:28:57:E5:7A:73:66:69:6B:83:9D:72:19:5F
+ "master" (SHA256) 65:B2:FB:FF:C4:02:EB:0E:35:05:D6:D8:5D:A1:24:47:E3:56:82:AB:2D:81:BF:C7:42:76:DC:0B:EF:BC:90:13 (alt names: "DNS:puppet", "DNS:master")
Your environment is now ready to be managed by Puppet.
Revoking certificates
From time to time you may want to remove a host from Puppet, rebuild it and add it back to the Puppet environment. First revoke the agents' signed certificates on the master:
[root@master puppetlabs]# puppet cert revoke agent1
Notice: Revoked certificate with serial 6
[root@master puppetlabs]# puppet cert revoke agent2
Notice: Revoked certificate with serial 7
Remove the SSL directories on the agent nodes so that they generate new keys and certificate requests:
[root@agent1 ~]# rm -rf /etc/puppetlabs/puppet/ssl
[root@agent2 ~]# rm -rf /etc/puppetlabs/puppet/ssl
Restart Puppet service on agent nodes:
[root@agent1 ~]# systemctl restart puppet
[root@agent2 ~]# systemctl restart puppet
The agents now submit new certificate signing requests to the master.
On the master, list the pending requests:
[root@master ~]# puppet cert list
"agent1" (SHA256) 21:58:B5:98:47:DD:A4:9C:DF:5C:72:EA:74:83:57:20:AB:41:59:45:55:A8:89:89:6C:36:21:2B:75:8D:CC:A0
"agent2" (SHA256) 4B:F8:5D:58:81:2E:0C:E5:3B:D3:30:91:BE:E6:78:05:37:9F:77:4E:F3:A5:2F:FA:C8:54:9A:FB:FB:95:91:AC
Sign the new requests on the master:
[root@master ~]# puppet cert sign agent1
Notice: Signed certificate request for agent1
Notice: Removing file Puppet::SSL::CertificateRequest agent1 at '/etc/puppetlabs/puppet/ssl/ca/requests/agent1.pem'
[root@master ~]# puppet cert sign agent2
Notice: Signed certificate request for agent2
Notice: Removing file Puppet::SSL::CertificateRequest agent2 at '/etc/puppetlabs/puppet/ssl/ca/requests/agent2.pem'
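Both signing steps above (the initial requests in section 3 and the re-issued requests after a revoke) are where the CA decides which hosts it trusts. The script below is an added example, not part of the original tutorial: it parses `puppet cert list` output in the format shown above, compares the fingerprint of a pending request with the value the agent itself reports (obtained on the agent with `puppet agent --fingerprint` and carried over out of band), and only then recommends `puppet cert sign`. The listing and the agent-reported value used in the demonstration are constructed from this page's output; on a live master the functions read the real command on stdin.

```sh
#!/bin/sh
# Fingerprint check before signing a request (added example, not part of the original tutorial).
# The CA signs whatever certname a request claims, so before `puppet cert sign NAME` compare the
# fingerprint the master shows for the pending request with the one the agent itself reports
# (run `puppet agent --fingerprint` on that host and carry the value over out of band).
# The functions read `puppet cert list` output on stdin, so they work on the live command or
# on the constructed copy of the tutorial's listing used below.

# pending_fingerprint NAME: print the SHA256 fingerprint of the unsigned request for NAME.
# Signed certificates are listed with a leading "+", so their lines are skipped.
pending_fingerprint() {
  awk -v name="\"$1\"" '$1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# normalise_fp FP: upper-case and drop separators so "aa:bb", "AA BB" and "aabb" compare equal.
normalise_fp() {
  printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ': '
}

# decide_sign NAME EXPECTED_FP: return 0 (fingerprints match, safe to sign), 1 (mismatch),
# 2 (no pending request for NAME), printing the next step for the operator.
decide_sign() {
  name=$1; expected=$(normalise_fp "$2")
  actual=$(pending_fingerprint "$name")
  if [ -z "$actual" ]; then
    echo "no pending request for $name"
    return 2
  fi
  if [ "$(normalise_fp "$actual")" = "$expected" ]; then
    echo "fingerprint matches: puppet cert sign $name"
    return 0
  fi
  echo "MISMATCH for $name: do not sign, find out which host sent this request"
  return 1
}

# Constructed copy of the tutorial's `puppet cert list` output.
LISTING='"agent1" (SHA256) 90:69:88:1E:B8:24:28:BC:78:E6:30:36:8E:6C:6C:DC:C6:B5:B6:F4:AA:54:B7:0E:27:C0:0A:24:20:10:1B:22
"agent2" (SHA256) FB:0C:30:FA:21:51:94:95:9E:BB:D1:6E:11:1C:F2:13:4E:99:6B:E8:F8:E5:EA:7E:1E:A4:C9:0F:5D:DB:69:81'

# Value assumed to have been read off agent1 with `puppet agent --fingerprint`.
AGENT1_REPORTED='90:69:88:1E:B8:24:28:BC:78:E6:30:36:8E:6C:6C:DC:C6:B5:B6:F4:AA:54:B7:0E:27:C0:0A:24:20:10:1B:22'

rc=0; printf '%s\n' "$LISTING" | decide_sign agent1 "$AGENT1_REPORTED" || rc=$?
# On a live master:  puppet cert list | decide_sign agent1 "$AGENT1_REPORTED" && puppet cert sign agent1
```

`puppet cert` is the Puppet 4 (Puppet Collection 1) CA command used throughout this tutorial; newer Puppet Server releases replaced it with `puppetserver ca list` and `puppetserver ca sign`, whose listing format differs, so the awk field positions above are specific to the output shown on this page.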