Puppetmaster XCVII: Getting your new server registered

So, this post has nothing to do with low-rent horror movies. Sorry to disappoint.

What it’s really about is the Puppet server management system deployed to keep general server Linux settings synchronized–stuff like NTP servers and user accounts. Puppet is extremely powerful, but this will only be an introduction to what it can do, as I’m learning as I go.

It may seem a little backward to start with the client configuration, but this really seems like the easiest part to me: tell the client who the server is, sign some certificates, and wait for the updates. The puppet master server is where all the heavy lifting is done.

Once the puppet master server is created and configured with manifests and such (take for granted that they exist already), it’s time to configure your client and get it registered.

STEP 1: INSTALL THE AGENT

me@new-server:~$ sudo aptitude install puppet

An Ubuntu server will tell you all of the packages that must be installed and will give you the option to continue. If you choose to continue, Ubuntu will install all of the packages then warn you that it could not start the puppet agent

 * Starting puppet agent

puppet not configured to start, please edit /etc/default/puppet to enable
   ...done.

which means you need to edit the file the message refers to. So, sudo nano /etc/default/puppet, change

# Start puppet on boot?
START=no

to

# Start puppet on boot?
START=yes

and save the file. Once saved, sudo service puppet start.

STEP 2: AUTHENTICATE THE CLIENT

Puppet uses certificates for authentication, so the master is basically a CA who signs certificates from the clients. Unless you tell the client otherwise, it’ll assume that the puppetmaster’s name is puppet, so you either have to handle that with DNS or by editing the client’s puppet.conf. I took the first route, which seemed easier to me.

On the client, we tell it to send it’s certificate to be signed by the puppetmaster by telling it to test:

me@new-server:~$ sudo puppet agent --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
me@new-server:~$

Once that’s done, we have the puppetmaster approve the client’s certificate:

me@puppet:/etc/puppet$ sudo puppetca --list
  new-server.local (6F:47:D1:6B:F3:B0:4B:94:00:92:5E:F7:E5:38:7C:C9)
me@puppet:/etc/puppet$
me@puppet:/etc/puppet$ sudo puppetca --sign new-server.local
notice: Signed certificate request for new-server.local
notice: Removing file Puppet::SSL::CertificateRequest new-server.local at '/var/lib/puppet/ssl/ca/requests/new-server.local.pem'
me@puppet:/etc/puppet$

After the client certificate is signed, it’s no longer in the server’s pending list.

me@puppet:/etc/puppet$ sudo puppetca --list
me@puppet:/etc/puppet$M

At this stage, the client is essentially configured. Within the next 30 minutes, it will contact the puppet master to see if any new or changed catalog items exist for it–if they do, the client will make the changes. If you’re impatient like me, you can force the client to check in by forcing another test:

me@new-server:~$ sudo puppet agent --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for new-server.local
info: Caching certificate_revocation_list for ca
info: Caching catalog for new-server.local
info: Applying configuration version '1330636935'
notice: /Stage[main]//Package[ntp]/ensure: ensure changed 'purged' to 'present'
--- /etc/ntp.conf       2011-09-02 18:42:40.000000000 +0000

Keep in mind that it’s possible that some of the client’s catalog cannot be completed while your user is logged in, depending on what the changes are. For instance, if the catalog for that client changes your user’s UID or GID, you’ll receive an error until your user is no longer logged in.

To be sure that your client is checking in on it’s own, just take a look at it’s syslog:

me@new-server:~$ sudo more /var/log/syslog | grep puppet-agent

Next time, we’ll take a look at the files that make up a “catalog”.

Leave a Reply