Installing Puppet master and client in the same host. The Debian way

Since I started learning puppet several weeks ago I wanted to install the client and the server in the same host but using several aliases for the same machine. But there are several funny error related to puppet master and client sharing the same ssl directory: SSL certificate confusion, obscure errors, and SSL revocation horrors.

I took the main ideas from Splitting puppetd from puppetmaster from madduck‘s blog. But using this method you don’t have to create 2 differents ssl directories. Both installations (client and server) will share the same directory. I think it’s easier to implement and maintain.

The golden rule is to create all the SSL stuff (CA, keys, certificates,etc) in the right moment. And you may ask… When is the right moment? After the file /etc/puppet/puppet.conf is created with the certname directive properly updated. As by default puppet create all the SSL stuff using the hostname instead of the alias you want.

This tutorial assume you are using Debian (but should work on its derivatives: Ubuntu, Mint, etc) and have one server with two aliases replying to the same host (via /etc/hosts or DNS) In my case: puppet (server) and mediacenter (client).

Let’s have fun:

  • Install puppetmaster:
apt-get install puppetmaster
  • Stop puppetmaster:
/etc/init.d/puppetmaster stop
  • kill puppet master processes
root@mediacenter:/etc/puppet# ps -ef|grep puppet
puppet    3610     1  0 08:09 ?        00:00:01 /usr/bin/ruby1.8 /usr/bin/puppet master --masterport=8140
root      4053  3035  0 08:28 pts/0    00:00:00 grep puppet
kill 3610
  • Remove ssl directory: (as it has the ssl data related to the hostname instead of the alias you want)
rm -rf /etc/puppet/ssl/
  • create /etc/puppet/puppet.conf
[main]

[master]
certname=puppet.vnet

[agent]
server=puppet.vnet
  • Start puppetmaster:
/etc/init.d/puppetmaster start
  • Check ssl logs on /var/log/daemon.log (ans check ssl directory and certificates have been created using puppet as server name)
mediacenter puppet-master[3758]: Signed certificate request for ca
mediacenter puppet-master[3758]: Rebuilding inventory file
mediacenter puppet-master[3758]: puppet.vnet has a waiting certificate request
mediacenter puppet-master[3758]: Signed certificate request for puppet.vnet
mediacenter puppet-master[3758]: Removing file Puppet::SSL::CertificateRequest puppet.vnet at '/etc/puppet/ssl/ca/requests/puppetmaster.vnet.pem'
mediacenter puppet-master[3758]: Removing file Puppet::SSL::CertificateRequest puppet.vnet at '/etc/puppet/ssl/certificate_requests/puppetmaster.vnet.pem'
mediacenter puppet-master[3815]: Reopening log files
mediacenter puppet-master[3815]: Starting Puppet master version 2.7.1
  • Check ssl directory has been re-created on /etc/puppet:
ls /etc/puppet/ssl
  • Install puppet client:
apt-get install puppet
  • Create a SSL certificate for mediacenter.vnet. In order for the two systems to communicate securely we need to create signed SSL certificates.
root@mediacenter:/etc/puppet# puppetd --no-daemonize --onetime --verbose --waitforcert 30
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for mediacenter.vnet
info: Certificate Request fingerprint (md5): 93:7C:65:BD:77:39:2C:90:F3:15:99:D1:46:18:F1:40
warning: peer certificate won't be verified in this SSL session
  • Check all certificates:
root@mediacenter:/etc/puppet# puppetca --list --all
mediacenter.vnet (93:7C:65:BD:77:39:2C:90:F3:15:99:D1:46:18:F1:40)
+ puppet.vnet (7A:5B:E1:42:00:B3:C9:EE:38:10:47:9E:D2:ED:C2:8C)
  • Check pending certificates (to be signed by the server)
root@mediacenter:/etc/puppet# puppetca --list
mediacenter.vnet
  • Sign mediacenter.vnet certificate
root@mediacenter:/etc/puppet# puppetca --sign mediacenter.vnet
notice: Signed certificate request for mediacenter.vnet
  • Now all certificates are signed. Pay attention to the plus (+) symbol
root@mediacenter:/etc/puppet# puppetca --list --all
+ mediacenter.vnet (B3:87:0C:F5:05:00:29:76:07:B5:1C:D1:2B:DA:20:12)
+ puppet.vnet (7A:5B:E1:42:00:B3:C9:EE:38:10:47:9E:D2:ED:C2:8C)
  • Create the file /etc/puppet/manifests/site.pp
  1. Create “/tmp/testfile” if it doesn’t exist.
class test_class {
   file { "/tmp/testfile":
      ensure => present,
      mode   => 644,
      owner  => root,
      group  => root
    }
}

# tell puppet on which client to run the class
node mediacenter {
    include test_class
}
  • On the client run puppetd in verbose mode (-v) and only once (-o).
puppetd -v -o
  • Then you will see in the logs the following:
mediacenter puppet-master[4620]: Compiled catalog for mediacenter.vnet in environment production in 0.02 seconds
mediacenter puppet-agent[5271]: Caching catalog for mediacenter.vnet
mediacenter puppet-agent[5271]: Applying configuration version '1313132026'
mediacenter puppet-agent[5271]: (/Stage[main]/Test_class/File[/tmp/testfile]/ensure) created
mediacenter puppet-agent[5271]: Finished catalog run in 0.06 seconds
  • Check is the file has been created:
ls -l /tmp/testfile
-rw-r--r-- 1 root root 0 ago 13 18:53 /tmp/testfile
  • Now that all is running OK, configure the puppet agent to start on boot by modifying /etc/default/puppet
# Defaults for puppet - sourced by /etc/init.d/puppet

# Start puppet on boot?
START=yes

# Startup options
DAEMON_OPTS=""
  • Start puppet client
/etc/init.d/puppet start

Now, you can start playing with puppet master and client in the same host. Have fun!

Special thanks to madduck for sharing his time and knowledge!.

Share

6 thoughts on “Installing Puppet master and client in the same host. The Debian way

  1. Pingback: Debian Templates Disk Images Qemu/KVM for libvirt | www.elsotanillo.net de Juan Sierra Pons

  2. Very useful documentation. But isn’t there a typo?
    Instead of:
    [agent]
    server=puppet.vnet
    Shouldn’t it be
    [agent]
    certname=mediacenter

    After I’ve done this (and have added the Hostname puppet and mediacenter added in the /etc/hosts file, it works.

  3. Hi,

    I am glad you liked the post. 🙂
    AFAIK there is not a typo. This configuration works well on my systems.

    Maybe your environment and mine have several minor differences.

    Anyway next week I am planning to make a big intervention in my systems and I will review the configuration. I will let you know

    Best regards

    Juan

  4. Thanks for your hints. This got me into the right direction.

    I think the reason that this setup didn’t work for Hanspetr is as follow: It depends whether puppet master or agent equals the host name (primary) or vis-versa.

    In my case I choose the puppet master owns the host name while the agent gets a secondary name. Then the configuration looks as follow:

    $ hostname –fqdn
    foo.example.com

    [agent]
    certname = bar.example.com
    node_name_value = bar.example.com
    server = foo.example.com

    [master]
    # nothing special needed here

    (I use puppet version 2.7.6)

  5. I do not see the file /var/log/daemon.log after I start the puppetmaster process, after creating and editing the puppet.conf file. Why is this?

    Also, I can’t seem to view the /tmp/testfile after I execute ls -l /tmp/testfile.
    Please help.

    🙁

  6. Are you sure the puppetmaster is running?

    execute “ps -ef|grep puppet” to see if there are any puppet process running.

    Also in the /var/log directory execute “grep puppet * -R” to see if there are something writen in other file.

    Hope it helps

    Best regards

Leave a Reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.