====== Puppet ======

Some notes on setting up puppetmaster and agents.

===== - base setup =====

Debian Jessie has version 3.2 of puppet.

  apt-get install puppetmaster

This will start the server and open a socket on tcp/8140.

An agent can be installed with the puppet package:

  apt-get install puppet

The agent configuration in /etc/puppet/puppet.conf is bare-bones but functional. You do need to add the location of the puppet server.

  [main]
  server = mozpm.jaffanet
  logdir=/var/log/puppet
  vardir=/var/lib/puppet
  ssldir=/var/lib/puppet/ssl
  rundir=/var/run/puppet
  factpath=$vardir/lib/facter
  templatedir=$confdir/templates
  prerun_command=/etc/puppet/etckeeper-commit-pre
  postrun_command=/etc/puppet/etckeeper-commit-post
  
  [master]
  # These are needed when the puppetmaster is run by passenger
  # and can safely be removed if webrick is used.
  ssl_client_header = SSL_CLIENT_S_DN
  ssl_client_verify_header = SSL_CLIENT_VERIFY

==== - Agent enrollment ====

The puppet agent needs an SSL certificate signed by the puppetmaster. The first run of the agent on a bare-bones install will contact the puppetmaster to obtain this certificate, and it will not continue until the puppetmaster validates the registration.

On the agent:

  root@pa1:/# puppet agent --test
  Info: Caching certificate for ca
  Info: Creating a new SSL certificate request for pa1.jaffanet
  Info: Certificate Request fingerprint (SHA256): 18:B4:C4:22:48:91:F2:DC:1E:BF:20:4B:D5:4D:65:3E:67:F1:23:33:3F:0D:1E:65:92:73:53:03:FA:F4:A8:3D
  Exiting; no certificate found and waitforcert is disabled

The certificate request will be waiting for approval on the puppetmaster:

  root@mozpm:/# puppet cert list
    "pa1.jaffanet" (SHA256) 18:B4:C4:22:48:91:F2:DC:1E:BF:20:4B:D5:4D:65:3E:67:F1:23:33:3F:0D:1E:65:92:73:53:03:FA:F4:A8:3D
  root@mozpm:/# puppet cert sign pa1.jaffanet
  Notice: Signed certificate request for pa1.jaffanet
  Notice: Removing file Puppet::SSL::CertificateRequest pa1.jaffanet at '/var/lib/puppet/ssl/ca/requests/pa1.jaffanet.pem'

The resulting certificate is stored in /var/lib/puppet/ssl.

Now we can run the puppet agent again:

  root@pa1:/# puppet agent --no-daemonize --onetime --verbose
  Info: Caching certificate for pa1.jaffanet
  Info: Caching certificate_revocation_list for ca
  Info: Retrieving plugin
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Could not retrieve selinux: Invalid argument - /proc/self/attr/current
  Info: Caching catalog for pa1.jaffanet
  Info: Applying configuration version '1376941222'
  Info: Creating state file /var/lib/puppet/state/state.yaml
  Notice: Finished catalog run in 0.03 seconds
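
The enrollment step above signs the request by name; the fingerprint the agent printed is what ties that name to the request actually waiting on the master, so the two should be compared before puppet cert sign is run. The shell functions below are an added example, not part of the original notes: the function names and the second sample line are made up for illustration, and the puppet cert list output is read from stdin so the check runs without a puppetmaster.

```shell
#!/bin/sh
# Added example (not from the original page): compare the fingerprint the
# agent printed with the pending request on the master before signing it.

# Print the SHA256 fingerprint of CERTNAME's pending request.
# stdin: output of `puppet cert list`, in the format shown on this page:
#   "pa1.jaffanet" (SHA256) 18:B4:C4:...
pending_fingerprint() {
    awk -v name="\"$1\"" '
        $1 == name && $2 == "(SHA256)" { print $3; found = 1; exit }
        END { exit !found }'
}

# Return 0 only when the pending request for CERTNAME carries EXPECTED_FP.
# Return 1 on mismatch, 2 when no request with that name is pending,
# 3 when EXPECTED_FP is not 32 colon-separated hex bytes.
csr_matches() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    printf '%s\n' "$want" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$' || return 3
    got=$(pending_fingerprint "$1") || return 2
    [ "$(printf '%s' "$got" | tr 'a-f' 'A-F')" = "$want" ]
}

# Fingerprint as printed by `puppet agent --test` on pa1 (taken from this page).
AGENT_FP='18:B4:C4:22:48:91:F2:DC:1E:BF:20:4B:D5:4D:65:3E:67:F1:23:33:3F:0D:1E:65:92:73:53:03:FA:F4:A8:3D'

# Sample `puppet cert list` output: first line from this page, second line
# (pa2.jaffanet and its fingerprint) constructed for the example.
SAMPLE_LIST='  "pa1.jaffanet" (SHA256) 18:B4:C4:22:48:91:F2:DC:1E:BF:20:4B:D5:4D:65:3E:67:F1:23:33:3F:0D:1E:65:92:73:53:03:FA:F4:A8:3D
  "pa2.jaffanet" (SHA256) 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'

# On a real master the left side of the pipe would be `puppet cert list`.
if printf '%s\n' "$SAMPLE_LIST" | csr_matches pa1.jaffanet "$AGENT_FP"; then
    echo "fingerprint matches: OK to run 'puppet cert sign pa1.jaffanet'"
else
    echo "do not sign pa1.jaffanet (status $?)"
fi
```

The fingerprint passed as the second argument should be read from the agent's own console rather than copied from the master's list, otherwise the comparison checks nothing.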