Homemade Puppet Course

Jurjen Bokma

November 2013


Read a book (Pro Puppet) and did some collected workshops

Setting up the Puppet Master

  1. root@vhost1:~# echo "deb http://apt.puppetlabs.com wheezy main" > /etc/apt/sources.list.d/puppet.list
    root@vhost1:~# apt-get update
    root@vhost1:~# apt-get install -y --force-yes puppetlabs-release
    root@vhost1:~# rm /etc/apt/sources.list.d/puppet.list
    root@vhost1:~# apt-get update

    Repeat, mutatis mutandis, on the Debian/Ubuntu clients.

  2. -bash-4.1# sudo rpm -ivh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm

  3. Put the FQDN in /etc/hosts:

    <snip> vhost1.xennet vhost1

    To be sure, the following should succeed:

    root@vhost1:~# hostname
    root@vhost1:~# hostname -f

    Only then install the packages:

    root@vhost1:~# apt-get install -y puppetmaster-passenger puppet-lint puppet-el

  4. On Debian/Ubuntu:

    root@vhost1:~# apt-get install -y puppet

    On CentOS:

    -bash-4.1# yum install -y puppet

  5. On a client:

    root@vhost2:~# puppet agent -t

    There will be no certificate:

    root@vhost3:~# puppet agent -t
    Info: Creating a new SSL key for vhost3.xennet
    Info: Caching certificate for ca
    Info: Creating a new SSL certificate request for vhost3.xennet
    Info: Certificate Request fingerprint (SHA256): C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
    Exiting; no certificate found and waitforcert is disabled

    The same for the last client:

    -bash-4.1# puppet agent -t

    Now on the server, certificate requests will be waiting to be signed. Sign them.

    root@vhost1:~# puppet cert list
      "vhost2.xennet" (SHA256) 8A:49:F2:DC:4E:C9:BF:4A:2B:85:DB:F1:79:43:A4:39:C7:EB:D7:82:58:AC:BF:33:55:11:81:D2:FA:1F:AC:EC
      "vhost3.xennet" (SHA256) C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
      "vhost4.xennet" (SHA256) 07:4C:DA:AB:1E:FA:EB:93:74:AC:46:E4:C8:9D:95:F6:3B:98:A8:61:D7:D6:7F:40:21:5D:0F:7D:C8:07:F5:78
    root@vhost1:~# puppet cert sign vhost2.xennet
    Notice: Signed certificate request for vhost2.xennet
    Notice: Removing file Puppet::SSL::CertificateRequest vhost2.xennet at '/var/lib/puppet/ssl/ca/requests/vhost2.xennet.pem'
    root@vhost1:~# puppet cert sign vhost3.xennet
    root@vhost1:~# puppet cert sign vhost4.xennet

    Now Puppet runs will succeed on the clients:

    root@vhost2:~# puppet agent -t
    Info: Caching certificate for vhost2.xennet
    Info: Caching certificate_revocation_list for ca
    Info: Retrieving plugin
    Info: Caching catalog for vhost2.xennet
    Info: Applying configuration version '1384116519'
    Info: Creating state file /var/lib/puppet/state/state.yaml
    Notice: Finished catalog run in 0.04 seconds

    See Learning Puppet — Basic Agent/Master Puppet for more about certificates.

    According to Autosigning Client Certificates, to enable autosigning of certificates, you can put a single '*' in /etc/puppet/autosign.conf:

    *

    And of course it says you shouldn't do that if you're concerned about security.
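
The manual alternative to autosigning, as an added example that is not part of the original course: compare the fingerprint each agent printed in step 5 with what `puppet cert list` shows on the master, and treat only matching names as candidates for `puppet cert sign`. The function names and the agent-side list are assumptions; the vhost4 agent value is constructed to show a mismatch, and vhost2 is left out because its agent output is not shown above.

```shell
#!/bin/sh
# Added example (not from the original course): decide which pending CSRs
# may be signed by comparing the fingerprints seen on both ends.

# Fingerprints read off each agent's own "Certificate Request fingerprint"
# line. vhost3 is the value shown in step 5; vhost4 is a constructed mismatch.
agent_fingerprints() {
cat <<'EOF'
vhost3.xennet C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
vhost4.xennet 07:4C:DA:AB:1E:FA:EB:93:74:AC:46:E4:C8:9D:95:F6:3B:98:A8:61:D7:D6:7F:40:21:5D:0F:7D:C8:07:F5:79
EOF
}

# Stand-in for `puppet cert list` on the master (output copied from step 5).
pending_requests() {
cat <<'EOF'
  "vhost2.xennet" (SHA256) 8A:49:F2:DC:4E:C9:BF:4A:2B:85:DB:F1:79:43:A4:39:C7:EB:D7:82:58:AC:BF:33:55:11:81:D2:FA:1F:AC:EC
  "vhost3.xennet" (SHA256) C2:CD:F6:58:CA:26:48:81:2D:46:55:23:86:7C:2E:87:71:0C:61:C6:12:7A:41:F3:BB:60:7B:42:8D:F9:12:CB
  "vhost4.xennet" (SHA256) 07:4C:DA:AB:1E:FA:EB:93:74:AC:46:E4:C8:9D:95:F6:3B:98:A8:61:D7:D6:7F:40:21:5D:0F:7D:C8:07:F5:78
EOF
}

# Reads `puppet cert list` output on stdin; $1 is the agent-side list.
# Prints one verdict per request: MATCH, MISMATCH or UNVERIFIED.
check_requests() {
  AGENT_FPS="$1" awk '
    BEGIN {
      n = split(ENVIRON["AGENT_FPS"], rows, "\n")
      for (i = 1; i <= n; i++)
        if (split(rows[i], f, " ") == 2) want[f[1]] = toupper(f[2])
    }
    /\(SHA256\)/ {
      name = $1; gsub(/"/, "", name)
      if (!(name in want))                verdict = "UNVERIFIED"
      else if (want[name] == toupper($3)) verdict = "MATCH"
      else                                verdict = "MISMATCH"
      print verdict, name
    }'
}

# Names whose fingerprints agree on both ends: candidates for `puppet cert sign`.
signable() {
  pending_requests | check_requests "$(agent_fingerprints)" |
    awk '$1 == "MATCH" { print $2 }'
}

signable
```

On a real master, pipe `puppet cert list` into `check_requests` in place of the `pending_requests` stand-in.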