apprentice@puppet:~$ sudo apt-get install postgresql-9.1
apprentice@:~$ pwgen -cnys 40 1
9PCp0KZ7F7D3nCcYUfjCgheveWRDfVZ9BbbhsAhf
apprentice@:~$ sudo -u postgres -s
postgres@puppet:/$ createuser -DRSP puppetdb
Enter password for new role:
Enter it again:
postgres@puppet:/$ createdb -O puppetdb puppetdb
postgres@puppet:/$ exit
... allow the puppetdb user to log in in /etc/postgresql/9.1/main/pg_hba.conf:
<snip>
# Put your actual configuration here
local   puppetdb   puppetdb   md5
<snip>
local   all   postgres   peer
<snip>
... and let the new settings take effect:
apprentice@:~$ sudo service postgresql restart
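How PostgreSQL chooses an authentication method from pg_hba.conf, as an added example that is not part of the original page: rules are tried top to bottom and the first match wins. A `local` line only covers Unix-socket connections, while the JDBC subname //localhost:5432/puppetdb used in database.ini is a TCP connection and is matched by a `host` line. The `local all all` and `host` lines in the sample are assumed stock entries, not taken from the page.

```python
import ipaddress

# Constructed sample: the two rules shown on this page, followed by catch-all
# lines assumed to be present from a stock pg_hba.conf (not from the page).
SAMPLE_PG_HBA = """\
# Put your actual configuration here
local   puppetdb  puppetdb                md5
local   all       postgres                peer
local   all       all                     peer
host    all       all       127.0.0.1/32  md5
host    all       all       ::1/128       md5
"""

def parse_pg_hba(text):
    """Parse 'local' and 'host ... CIDR' rules in file order (simplified)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":   # local DATABASE USER METHOD
            kind, db, user, method = fields[:4]
            addr = None
        else:                      # host DATABASE USER ADDRESS METHOD
            kind, db, user, addr, method = fields[:5]
        rules.append((kind, db.split(","), user.split(","), addr, method))
    return rules

def auth_method(rules, conn_type, db, user, client_ip=None):
    """Return the method of the first matching rule, or None (rejected)."""
    for kind, dbs, users, addr, method in rules:
        if kind != conn_type:
            continue
        if "all" not in dbs and db not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        if kind == "host" and (
            ipaddress.ip_address(client_ip) not in ipaddress.ip_network(addr)
        ):
            continue
        return method
    return None

RULES = parse_pg_hba(SAMPLE_PG_HBA)
# Unix socket (e.g. psql run locally) versus PuppetDB's JDBC connection over TCP:
print(auth_method(RULES, "local", "puppetdb", "puppetdb"))              # socket
print(auth_method(RULES, "host", "puppetdb", "puppetdb", "127.0.0.1"))  # TCP
```

Moving a broad `local all all peer` line above the puppetdb line would make socket logins as puppetdb use peer authentication instead of the password.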
apprentice@:~$ sudo apt-get install puppetdb puppetdb-terminus
To the [master] section of /etc/puppet/puppet.conf, add:
storeconfigs = true
storeconfigs_backend = puppetdb
Note | |
---|---|
According to Docs: PuppetDB 1 » Connecting Puppet Masters to PuppetDB, you cannot use port 8080, although that would make perfect sense on localhost.
But that doesn't matter much, because using “localhost” instead of the FQDN got me a |
Create /etc/puppet/routes.yaml:
---
master:
  facts:
    terminus: puppetdb
    cache: yaml
... and /etc/puppet/puppetdb.conf:
[main]
server = puppet.servers.mydomain.com
port = 8081
Edit /etc/puppetdb/conf.d/database.ini:
[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //localhost:5432/puppetdb
username = puppetdb
password = 9PCp0KZ7F7D3nCcYUfjCgheveWRDfVZ9BbbhsAhf
log-slow-statements = 10
... run
apprentice@puppet:~$ sudo /usr/sbin/puppetdb-ssl-setup
... which changes /etc/puppetdb/conf.d/jetty.ini, which we need not even fine-tune.
Note | |
---|---|
The password in |
If PuppetQD wasn't already disabled, disable it now, probably in /etc/default/puppetqd.
apprentice@:~$ for i in puppetdb puppetmaster ; do sudo service $i restart ; done
apprentice@client:~$ sudo puppet agent --no-daemonize --verbose --waitforcert 10
<snip>
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for cit-zb-3-163.rc.rug.nl to PuppetDB at puppet.service.rug.nl:8081: Connection refused - connect(2)
<snip>
This error occurs because the puppet service, the puppetdb service and their certificates do not agree on the hostnames they are using.
This can be resolved by adding a line to /etc/puppetdb/conf.d/jetty.ini:
certificate-whitelist = /etc/puppetdb/whitelist.txt
... and listing all aliases for the machine in that file.
But we don't bother, because we don't want to run Puppet from the WEBrick server, so we need Apache, and if we've got Apache anyway, we also want to offload the SSL of PuppetDB to Apache. See the next section.