====== Puppet ======
Some notes on setting up puppetmaster and agents.
===== - base setup =====
Debian Jessie has version 3.2 of puppet.
  apt-get install puppetmaster
This will start the server and open a socket on tcp/8140.
An agent can be installed with the puppet package:
  apt-get install puppet
The agent configuration in /etc/puppet/puppet.conf is barebone but functional. You do need to add the location of the puppet server.
  [main]
  server = mozpm.jaffanet
  logdir=/var/log/puppet
  vardir=/var/lib/puppet
  ssldir=/var/lib/puppet/ssl
  rundir=/var/run/puppet
  factpath=$vardir/lib/facter
  templatedir=$confdir/templates
  prerun_command=/etc/puppet/etckeeper-commit-pre
  postrun_command=/etc/puppet/etckeeper-commit-post
  [master]
  # These are needed when the puppetmaster is run by passenger
  # and can safely be removed if webrick is used.
  ssl_client_header = SSL_CLIENT_S_DN
  ssl_client_verify_header = SSL_CLIENT_VERIFY
==== - Agent enrollment ====
The puppet agent needs an SSL certificate signed by the puppetmaster. The first run of the agent on a barebone install contacts the puppetmaster to obtain this certificate, and the agent will not continue until the puppetmaster validates the registration.
On the agent:
  root@pa1:/# puppet agent --test
  Info: Caching certificate for ca
  Info: Creating a new SSL certificate request for pa1.jaffanet
  Info: Certificate Request fingerprint (SHA256): 18:B4:C4:22:48:91:F2:DC:1E:BF:20:4B:D5:4D:65:3E:67:F1:23:33:3F:0D:1E:65:92:73:53:03:FA:F4:A8:3D
  Exiting; no certificate found and waitforcert is disabled
The certificate will be waiting for approval on the puppetmaster:
  root@mozpm:/# puppet cert list
  "pa1.jaffanet" (SHA256) 18:B4:C4:22:48:91:F2:DC:1E:BF:20:4B:D5:4D:65:3E:67:F1:23:33:3F:0D:1E:65:92:73:53:03:FA:F4:A8:3D
  root@mozpm:/# puppet cert sign pa1.jaffanet
  Notice: Signed certificate request for pa1.jaffanet
  Notice: Removing file Puppet::SSL::CertificateRequest pa1.jaffanet at '/var/lib/puppet/ssl/ca/requests/pa1.jaffanet.pem'
The resulting certificate is stored in /var/lib/puppet/ssl.
Now we can run the puppet agent again:
  root@pa1:/# puppet agent --no-daemonize --onetime --verbose
  Info: Caching certificate for pa1.jaffanet
  Info: Caching certificate_revocation_list for ca
  Info: Retrieving plugin
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Info: Caching catalog for pa1.jaffanet
  Info: Applying configuration version '1376941222'
  Info: Creating state file /var/lib/puppet/state/state.yaml
  Notice: Finished catalog run in 0.03 seconds
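The enrollment above is only as trustworthy as the check that the request being signed is the one the agent generated. The following is an added example, not part of the original notes: a small shell helper that compares the fingerprint printed by the agent with the one shown by ''puppet cert list'' before signing. The function names (csr_fingerprint, normalize_fp, verify_csr) are hypothetical, and the sample input is constructed from the transcript above.

```shell
#!/bin/sh
# Added example: verify a pending CSR fingerprint before `puppet cert sign`.
# Function names are hypothetical; they are not part of puppet.

# Constructed sample input, taken from the transcript on this page.
SAMPLE_LIST='  "pa1.jaffanet" (SHA256) 18:B4:C4:22:48:91:F2:DC:1E:BF:20:4B:D5:4D:65:3E:67:F1:23:33:3F:0D:1E:65:92:73:53:03:FA:F4:A8:3D'
AGENT_FP='18:B4:C4:22:48:91:F2:DC:1E:BF:20:4B:D5:4D:65:3E:67:F1:23:33:3F:0D:1E:65:92:73:53:03:FA:F4:A8:3D'

# Read `puppet cert list` output on stdin and print the SHA256
# fingerprint listed for certname $1 (empty if there is no such request).
csr_fingerprint() {
    awk -v name="\"$1\"" '$1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# Strip whitespace and uppercase the hex digits so that copy/paste
# differences do not cause a false mismatch.
normalize_fp() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# verify_csr CERTNAME EXPECTED_FP  (cert list output on stdin)
# Returns 0 on match, 1 on mismatch, 2 when no pending request exists.
verify_csr() {
    listed=$(csr_fingerprint "$1")
    if [ -z "$listed" ]; then
        echo "no pending SHA256 request for $1" >&2
        return 2
    fi
    if [ "$(normalize_fp "$listed")" != "$(normalize_fp "$2")" ]; then
        echo "fingerprint mismatch for $1, do not sign" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample. On the puppetmaster the input would be
# the real command output:
#   puppet cert list | verify_csr pa1.jaffanet "$AGENT_FP" \
#       && puppet cert sign pa1.jaffanet
if printf '%s\n' "$SAMPLE_LIST" | verify_csr pa1.jaffanet "$AGENT_FP"; then
    echo "pa1.jaffanet: fingerprint matches the agent's request"
fi
```

The expected fingerprint should reach the puppetmaster over a channel other than the puppet connection itself, for example read from the agent's console.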