This article is more than 1 year old
Getting a grip on Puppet: A guide for beginners
We're not just stringing you along...
QA's Kat McIvor will be taking to the stage at Continuous Lifecycle London to talk about automating security. But her skills don't end there. If config management's your thing, here's Kat's take on getting started with Puppet.
Puppet is another configuration management tool available as part of the DevOps toolbox. It uses a master / node setup to ensure that the correct set of files, programs and configuration is present on each of the nodes it looks after. This may not be so useful in a single machine system, or even when you only have a handful of servers to look after. But as the number of servers we need to look after increases, having a single Puppet master controlling what happens on each of the nodes is much more handy.
Puppet comes in two flavours: Enterprise or Open Source. Enterprise systems have access to the web front end for the Puppet master and an automated build tool which will configure everything for you. They also get access to other features that may not be available to the open source users. However, you will need to pay to control more than ten nodes with the Enterprise edition.
Open Source Puppet is a collection of different services as well as the core Puppet master. You can choose whether or not you want to include services based on your needs, rather than have everything included at once.
Setting up the Puppet master
There are two modes the enterprise Puppet master can use: monolithic or split. A monolithic system will be able to handle up to 500 nodes. For anything larger you'll want to look at using a split installation, moving the database, console and Puppet master to different machines.
To install the open source Puppet system all the configuration must be handled manually, starting with setting up the repositories for Puppet and ending with configuring the certificates for the machine.
As with most configuration management tools, the Puppet master requires a *nix server, but it can handle nodes of any operating system. We will be using Ubuntu 14.04, the open source Puppet community edition and Puppet 4.2 for these examples.
Step 1: Enable the Puppet repositories
wget https://apt.puppetlabs.com/puppetlabs-release-pc1-trusty.deb
sudo dpkg -i puppetlabs-release-pc1-trusty.deb
sudo apt-get update
Step 2: Install the Puppet server and start it with:
sudo apt-get install -y puppetserver
sudo service puppetserver start
All the configuration files will be present in the /etc/puppetlabs/puppetserver directory. These can be used to control and change the server settings.
Creating the Puppet agent
The Puppet agent will check in with the master every 30 minutes (by default) on port 8140 and request its current config catalogue. To install the agent we follow steps similar to those for installing the Puppet master. Again, this is assuming Ubuntu 14.04.
Step 1: Enable the repositories
wget https://apt.puppetlabs.com/puppetlabs-release-pc1-trusty.deb
sudo dpkg -i puppetlabs-release-pc1-trusty.deb
sudo apt-get update
Step 2: Install the agent
sudo apt-get install puppet-agent
Step 3: Update your hosts file
The agent will need to know where to find the Puppet master. We can achieve this by changing the hosts file to point at the current Puppet master with the name 'puppet'. You should change the IP address to be your Puppet master's IP!
echo '52.30.70.51 puppet' | sudo tee -a /etc/hosts
Step 4: Start the Puppet agent
The Puppet agent will attempt to talk to the Puppet master and request a certificate. To start the agent use the following line:
sudo /opt/puppetlabs/bin/puppet agent --test
It should come up with an output saying something like:
root@ip-172-31-29-110:~# sudo /opt/puppetlabs/bin/puppet agent --test
Info: Creating a new SSL key for ip-172-31-29-110.eu-west-1.compute.internal
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ip-172-31-29-110.eu-west-1.compute.internal
Info: Certificate Request fingerprint (SHA256): EC:92:6E:2E:58:E2:15:4E:3D:0D:6D:D8:EC:E4:54:67:E5:9B:89:AD:68:5B:A7:9F:E8:48:EC:0E:5F:B0:B5:5E
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
(Yes, I'm in AWS, don't you love the cloud?)
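The fingerprint in that output is what ties the certificate request to this particular node. As an added example (not part of the original article), the script below extracts it from the agent output and compares it with the line the master shows for the same node. The master-side listing format (for example from `puppet cert list`) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): compare the CSR fingerprint an agent
# printed with the one the master lists for that node before trusting it.

# Extract the SHA256 CSR fingerprint from `puppet agent --test` output on stdin.
# Newlines are folded first, so a fingerprint wrapped onto the next line works.
csr_fingerprint() {
    tr -d '\r' | tr '\n' ' ' |
        sed -nE 's/.*Certificate Request fingerprint \(SHA256\):[[:space:]]*(([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}).*/\1/p' |
        tr 'a-f' 'A-F'
}

# Print the fingerprint listed for certname $1. Stdin is the master's list of
# pending requests; assumed line format:  "certname" (SHA256) AA:BB:...
listed_fingerprint() {
    awk -v name="\"$1\"" '$1 == name && $2 == "(SHA256)" { print toupper($3) }'
}

# same_csr AGENT_OUTPUT MASTER_LISTING CERTNAME
# Succeeds only when both sides show the same, non-empty fingerprint.
same_csr() {
    agent_fp=$(printf '%s\n' "$1" | csr_fingerprint)
    master_fp=$(printf '%s\n' "$2" | listed_fingerprint "$3")
    [ -n "$agent_fp" ] && [ "$agent_fp" = "$master_fp" ]
}

# Agent output as shown in the article, trimmed to the relevant lines.
NODE='ip-172-31-29-110.eu-west-1.compute.internal'
FP='EC:92:6E:2E:58:E2:15:4E:3D:0D:6D:D8:EC:E4:54:67:E5:9B:89:AD:68:5B:A7:9F:E8:48:EC:0E:5F:B0:B5:5E'
AGENT_OUT="Info: Creating a new SSL certificate request for $NODE
Info: Certificate Request fingerprint (SHA256):
$FP
Info: Caching certificate for ca"
# Constructed master-side listing line for the same request.
MASTER_LIST="  \"$NODE\" (SHA256) $FP"

if same_csr "$AGENT_OUT" "$MASTER_LIST" "$NODE"; then
    echo "fingerprints match for $NODE"
else
    echo "mismatch or no pending request for $NODE: do not sign" >&2
fi
```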
You can create a symbolic link between the Puppet executable and /usr/bin if you want to call Puppet directly.
sudo ln -s /opt/puppetlabs/bin/puppet /usr/bin/puppet
The check-in interval can be changed on the Puppet agent with:
puppet config set runinterval xxx
The time given is in seconds, so the default is 1800. You can see the currently configured time with:
puppet agent --configprint runinterval