For this example I have:
- Puppet Master, IP 172.16.0.2 name Nova domain localdomain
- Puppet Client, IP 172.16.0.100 name Zealot domain localdomain
We can either have a proper DNS setup, or just use hosts files for the test:
172.16.0.2 Nova.localdomain Nova
172.16.0.100 Zealot.localdomain Zealot
First I install the packages on the master. Be careful with DNS and server names: Puppet authenticates master and clients with SSL certificates, so certificate names and name resolution must agree.
$ sudo apt-get install puppetmaster
Now we create the master's certificate. The first argument is the certificate's official name and --dns_alt_names lists the aliases it should also be valid for.
$ puppet cert generate Nova --dns_alt_names=Nova.localdomain
Now we can write our first Puppet manifest. It creates a file in the /tmp folder with specific permissions:
$ sudo vim /etc/puppet/manifests/site.pp
# a class describing the resource we want managed
class test_class {
  file { "/tmp/hello":
    ensure => present,
    mode   => '0644',   # quoted octal string, the form Puppet expects
    owner  => 'root',
    group  => 'root',
  }
}
# tell puppet on what clients to run this class
node 'Zealot' {
  include test_class
}
Now, we go to the client. We install puppet client:
$ sudo apt-get install puppet
Now we contact the master to request a certificate and get it signed. Basically we make the request from the client and right away sign it on the master. From the client, we execute:
$ sudo puppetd --no-daemonize --server nova --test --waitforcert 60
This sends a certificate request to the master and waits up to 60 seconds for us to sign it. If we now go to the master we can see the pending request:
$ sudo puppetca list --all
"Zealot.localdomain" (6B:4E:76:01:EB:7C:69:04:69:76:2C:B6:CF:24:37:7A)
+ "nova" (2E:0F:CC:95:C2:07:37:9F:23:77:A2:C1:AC:F5:E6:36)
+ "nova.localdomain" (A5:A2:77:33:10:11:A1:67:EF:33:B0:EA:07:54:05:12) (alt names: "DNS:Nova", "DNS:nova.localdomain")
Now we sign it:
$ sudo puppetca sign Zealot.localdomain
notice: Signed certificate request for Zealot.localdomain
notice: Removing file Puppet::SSL::CertificateRequest localhost at '/var/lib/puppet/ssl/ca/requests/Zealot.localdomain.pem'
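Signing is the step where the master decides to trust a client, so it is worth checking the fingerprint of the pending request before running puppetca sign. The script below is an added example, not part of the original post: it parses the puppetca list output shown above (embedded here as constructed sample input), extracts the fingerprint of an unsigned request, and only signs when that fingerprint equals a value the operator obtained from the client through another channel (how that value reaches the operator is assumed, not shown on the page). The sign_if_verified wrapper assumes it runs on the master with the same sudo, puppetca list and puppetca sign commands the post uses.

```shell
#!/bin/sh
# Added example: verify a pending CSR's fingerprint before signing it.
# SAMPLE_LISTING is the `puppetca list --all` output from the walkthrough,
# embedded as constructed sample input so the functions run offline.
SAMPLE_LISTING='"Zealot.localdomain" (6B:4E:76:01:EB:7C:69:04:69:76:2C:B6:CF:24:37:7A)
+ "nova" (2E:0F:CC:95:C2:07:37:9F:23:77:A2:C1:AC:F5:E6:36)
+ "nova.localdomain" (A5:A2:77:33:10:11:A1:67:EF:33:B0:EA:07:54:05:12) (alt names: "DNS:Nova", "DNS:nova.localdomain")'

# pending_fingerprint LISTING NAME
# Prints the fingerprint of the *unsigned* request for NAME, or nothing.
# Already-signed certificates are listed with a leading "+ ", so their first
# field is "+" rather than the quoted name and they are skipped.
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == ("\"" name "\"") && $2 ~ /^\(/ {
            fp = $2
            gsub(/[()]/, "", fp)   # strip the surrounding parentheses
            print fp
            exit
        }'
}

# csr_matches LISTING NAME EXPECTED
# Succeeds (exit 0) only if NAME has a pending request whose fingerprint
# equals EXPECTED, the value read off the client through another channel.
# A missing request or a mismatch fails, so nothing is signed by accident.
csr_matches() {
    actual=$(pending_fingerprint "$1" "$2")
    [ -n "$actual" ] && [ "$actual" = "$3" ]
}

# sign_if_verified NAME EXPECTED
# Wraps the two commands from the walkthrough: list, verify, then sign.
# Needs a real master, so the offline checks below do not call it.
sign_if_verified() {
    listing=$(sudo puppetca list --all)
    if csr_matches "$listing" "$1" "$2"; then
        sudo puppetca sign "$1"
    else
        echo "refusing to sign $1: no pending request or fingerprint mismatch" >&2
        return 1
    fi
}
```

The fingerprints in this listing are 16 bytes long, i.e. MD5 digests, and the check is only as trustworthy as the channel used to obtain the expected value; it protects against signing a request that merely carries the right hostname.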
We got it signed. After a few seconds the client picks up the signed certificate and runs; the output will be similar to this:
info: Requesting certificate
warning: peer certificate won't be verified in this SSL session
info: Caching configuration at /etc/puppet/localconfig.yaml
notice: Starting configuration run
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished configuration run in 0.XX seconds
warning: peer certificate won't be verified in this SSL session
info: Caching configuration at /etc/puppet/localconfig.yaml
notice: Starting configuration run
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished configuration run in 0.XX seconds
If we see any error message at this point, most likely there is a problem with certificate names or name resolution. If everything went smoothly, we can now edit the client configuration so that Puppet starts automatically:
$ sudo vim /etc/default/puppet
We set START=yes.
After that, we specify the master in /etc/puppet/puppet.conf:
#puppet.conf
[main]
...
[agent]
server=Nova
$ sudo service puppet start
After a while we should see the file /tmp/hello we declared in the master's manifest. By default Puppet pulls the configuration every 30 minutes; to pull on a different schedule, add the parameter runinterval = X (number of minutes) to the [main] section of the client's /etc/puppet/puppet.conf.