Puppet Tutorial: Configuring Puppet Agent

Sarath Pillai

Now we will configure our puppet agent to fetch its configuration (although we do not have any configuration to apply as of now) from our puppet master server (slashroot1). We have already started the puppet master on the machine slashroot1. Our master server is listening for connections on port 8140.

The first step I suggest is to edit the /etc/hosts file of your puppet agent server (slashroot2 in our case) and add the puppet master server's IP address and hostname. (If you already have a DNS entry configured for the master server, that is fine as well.)

I assume that you have already installed the puppet and facter packages on your agent server, as shown in the post "installing puppet agent and master".

Now let's connect our puppet agent to the puppet master server for the first time and see what happens.

[root@slashroot2 ~]# puppet agent --server slashroot1.slashroot.in --no-daemonize --verbose
info: Creating a new SSL key for slashroot2.slashroot.in
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for slashroot2.slashroot.in
info: Certificate Request fingerprint (md5): 59:7A:AE:2C:7B:15:DA:E5:A8:14:7D:FF:1F:5B:7A:66
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session

notice: Did not receive certificate

As the above output shows, an SSL key is created for this agent machine, and the agent then waits for the corresponding certificate to be signed by the puppet master server.

An important thing to note here is the notice in the above output, which says "notice: Did not receive certificate".

--server in the above command specifies the puppet master server's hostname.

--no-daemonize tells the puppet agent not to run as a daemon and to print its messages to the screen. If you run the puppet agent without this option, you will not see the messages on the screen.

Note: If you do not specify the --server option, the puppet agent will look for a host named "puppet". This is the main reason for keeping the puppet master hostname as puppet.

The SSL certificate signing is done only the first time an agent connects to the server.

The notice message (notice: Did not receive certificate) will keep appearing on the screen until the certificate request is signed by the puppet master.

 

How to sign the SSL certificate from the puppet master?

Now that the client node (slashroot2) is waiting for its certificate to be signed, let's sign the certificate request from slashroot1 (our puppet master server).

On your puppet master, run the command below to show the pending certificate signing requests.

[root@slashroot1 ~]# puppetca --list
  slashroot2.slashroot.in (59:7A:AE:2C:7B:15:DA:E5:A8:14:7D:FF:1F:5B:7A:66)
[root@slashroot1 ~]#

 

The puppetca --list command shows the agent certificate requests that are waiting to be signed.

The puppet cert list command shows the same thing.

Now let's sign the certificate as follows.

[root@slashroot1 ~]# puppetca --sign slashroot2.slashroot.in
notice: Signed certificate request for slashroot2.slashroot.in
notice: Removing file Puppet::SSL::CertificateRequest slashroot2.slashroot.in at '/var/lib/puppet/ssl/ca/requests/slashroot2.slashroot.in.pem'



From the above output you can clearly see that the puppet master server signed the certificate and also removed the old certificate signing request.
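Before running puppetca --sign, it is worth confirming that the fingerprint shown by puppetca --list is the one the agent printed when it created its request, because the agent's first connection is made without verifying the peer certificate (the warnings in the agent output above). The script below is an added example, not part of the original tutorial; the function names are made up here, and it assumes the Puppet 2.7 output formats shown on this page.

```shell
#!/bin/sh
# Added example: compare the CSR fingerprint printed by the agent with the one
# the master lists, and only then sign. Function names are illustrative.

# Sample input copied from the outputs shown on this page.
AGENT_LOG='info: Creating a new SSL certificate request for slashroot2.slashroot.in
info: Certificate Request fingerprint (md5): 59:7A:AE:2C:7B:15:DA:E5:A8:14:7D:FF:1F:5B:7A:66'
MASTER_LIST='  slashroot2.slashroot.in (59:7A:AE:2C:7B:15:DA:E5:A8:14:7D:FF:1F:5B:7A:66)'
# Constructed sample: a pending request with the same name but another key.
MISMATCH_LIST='  slashroot2.slashroot.in (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'

# Read agent output on stdin, print the CSR fingerprint in upper case.
agent_fp() {
    sed -n 's/^info: Certificate Request fingerprint ([^)]*): *\([0-9A-Fa-f:]*\).*$/\1/p' |
        head -n 1 | tr 'a-f' 'A-F'
}

# Read `puppetca --list` output on stdin, print the fingerprint for certname $1.
master_fp() {
    awk -v name="$1" '$1 == name { fp = $2; gsub(/[()]/, "", fp); print toupper(fp); exit }'
}

# safe_to_sign CERTNAME AGENT_OUTPUT LIST_OUTPUT
# Succeeds only when both fingerprints were found and are identical.
safe_to_sign() {
    a=$(printf '%s\n' "$2" | agent_fp)
    m=$(printf '%s\n' "$3" | master_fp "$1")
    [ -n "$a" ] && [ -n "$m" ] && [ "$a" = "$m" ]
}

for list in "$MASTER_LIST" "$MISMATCH_LIST"; do
    if safe_to_sign slashroot2.slashroot.in "$AGENT_LOG" "$list"; then
        echo "fingerprints match: OK to run puppetca --sign slashroot2.slashroot.in"
    else
        echo "fingerprint mismatch or no pending request: do not sign"
    fi
done
```

In practice, pass the agent's saved output and the live puppetca --list output to safe_to_sign in place of the sample variables.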

As soon as the certificate is signed on the master server, you will see the messages below on the puppet agent's screen (because we ran the puppet agent command with the --no-daemonize option on our agent).
 

notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for slashroot2.slashroot.in
notice: Starting Puppet client version 2.7.9
info: Caching certificate_revocation_list for ca
info: Caching catalog for slashroot2.slashroot.in
info: Applying configuration version '1355395673'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.14 seconds


Now what does that message mean?

It means that our puppet agent got a signed certificate and cached it. The agent also tells us that it is applying configuration version "1355395673", based on the catalog given by the master server.

From now on we can stop and restart our puppet agent whenever required.

Note: Keep all the client nodes and the puppet server synchronized with one single NTP source, because SSL connections rely heavily on time being synchronized.

We ran the command puppet agent --server slashroot1.slashroot.in --no-daemonize --verbose just to show the output on the screen as an example. In normal cases you can add the puppet server address to the puppet.conf file of your agent machine.

So on our agent we will add the server address in the [main] section, as shown below.

server=slashroot1.slashroot.in

After adding this server option to the puppet.conf file, simply restarting the puppet agent will start it as a daemon, which will periodically fetch data from the master server.

You can start or restart your puppet agent using the commands below.
 
/etc/init.d/puppet start
 
or
 
puppet agent

In our next post we will start with further configuration of puppet master.
 

Comments

Very useful :-)

Very Good for starters like me :)

Very easy steps to follow.

May I know the date for the next post, as I have interestedly covered all your articles related to puppet. Awaiting the next post. Please provide ASAP.

All the articles are really good and helpful. Please let us know when the next post will come for puppet.

Sarath Pillai

Hi Harikrishnan,

Many thanks for your kind words. I will surely write another post that covers writing a puppet module from scratch.
Thanks

Hi ,

Really helping a lot. Thanks Much

Hi ,

Thank you very much for these posts. I am reading almost all the posts from you, and am really impressed by this post on Puppet.

Well done folks

After signing the certificate from the master, the agent node fails to cache the certificate. I'm getting the below exception:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Server hostname '192.168.*.*' did not match server certificate; expected one of abchostname, DNS:abchostname, DNS:DNS:abchostname.168.150.90, DNS:puppet, DNS:puppet.168.*.*
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': Server hostname '192.168.*.*' did not match server certificate; expected one of abchostname, DNS:abchostname, DNS:abchostname.168.*.*, DNS:puppet, DNS:puppet.168.*.*
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://192.168.*.*/pluginfacts: Server hostname '192.168.*.*' did not match server certificate; expected one of abchostname, DNS:abchostname, DNS:abchostname.168.*.*, DNS:puppet, DNS:puppet.168.*.*
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': Server hostname '192.168.*.*' did not match server certificate; expected one of abchostname, DNS:abchostname, DNS:abchostname.168.*.*, DNS:puppet, DNS:puppet.168.*.*
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://192.168.*.*/plugins: Server hostname '192.168.*.*' did not match server certificate; expected one of abchostname, DNS:abchostname, DNS:abchostname.168.*.*, DNS:puppet, DNS:puppet.168.*.*
Error: Could not retrieve catalog from remote server: Server hostname '192.168.*.*' did not match server certificate; expected one of abchostname, DNS:abchostname, DNS:abchostname.168.*.*, DNS:puppet, DNS:puppet.168.*.*

Where is the next post with further configuration ?

[root@server1 ~]# lsof -i :8140
[root@server1 ~]# puppet agent --server puppet.example.com --no-daemonize --verbose
notice: Starting Puppet client version 2.7.26
Could not run: Could not create PID file: /var/run/puppet/agent.pid

Please provide the next tutorial for managing the puppet client through the master.

Thanks buddy for such nice work... keep it up

Hi Sarath Pillai,

Could you please let me know if you have a plan to post the next puppet tutorial? Many of us are waiting for it.

Sarath Pillai

Hi Manoj,

Did you go through the below ones? (These were written long back. I am planning to write a couple more in the coming days and will let you know once that is done.)

Puppet Manifest Tutorial

Configuring Hiera with Puppet

Thanks

Sarath

Hi Sarath, these were missed, as you always put a link to your next tutorial in your post, so I thought there was no next post. :(

Anyway, thanks for providing the links. Appreciate your work. It is really helping. Keep up the good work.

Regards
Manoj
