Puppet agent post install tasks
In this chapter, we'll carry out the post-install tasks for the Puppet agent; this is the continuation of Puppet master post install tasks.
Before running the agent, we must make a few configuration changes. We will need to set a few options in each agent's puppet.conf file to point it at our Puppet master server and adjust certain behavior.
Let's edit the agent's puppet.conf:
    $ sudo vi /etc/puppet/puppet.conf
It will look exactly like the Puppet master's initial configuration file:
    [main]
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    ssldir=/var/lib/puppet/ssl
    rundir=/var/run/puppet
    factpath=$vardir/lib/facter
    templatedir=$confdir/templates
    [master]
    # These are needed when the puppetmaster is run by passenger
    # and can safely be removed if webrick is used.
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
Again, delete the 'templatedir' line. Then delete the [master] section and all of the lines below it.
If the Puppet master is reachable under the hostname "puppet", the agent can connect to it without further settings. If it is not, we need to add the Puppet master's FQDN in an [agent] section. We recommend setting this explicitly regardless (substitute our own FQDN):
    [agent]
    server = puppet.localdomain
So, now it looks like this:
    [main]
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    ssldir=/var/lib/puppet/ssl
    rundir=/var/run/puppet
    factpath=$vardir/lib/facter
    [agent]
    server = puppet.localdomain
We would normally set up forward and reverse DNS entries for both nodes; here, however, we bypass DNS and use the /etc/hosts file for a quicker setup.
On the agent node:
    $ sudo hostname agent
Then, open /etc/hosts and add the following two lines:
    172.31.12.201 puppet.localdomain
    172.31.12.202 agent.localdomain
where the IPs are the private IP addresses of the EC2 nodes.
We need to do the same thing on the Puppet master:
    $ sudo hostname puppet
Then, open /etc/hosts and add the following two lines:
    172.31.12.201 puppet.localdomain
    172.31.12.202 agent.localdomain
The Puppet agent is ready to run:
    $ sudo service puppet start
     * Starting puppet agent                                    [ OK ]
If everything is configured properly, we should not see any output. The first time we run the Puppet agent, it generates an SSL certificate and sends a signing request to the Puppet master. After the Puppet master signs the agent's certificate, it will be able to communicate with the agent node.
The first time Puppet runs on an agent node, it will send a certificate signing request to the Puppet master. Before the master will be able to communicate and control the agent node, it must sign that particular agent node's certificate.
In this section, we will describe how to check for and sign certificate signing requests.
On the Puppet master, run the following command to list all unsigned certificate requests:
    $ sudo puppet cert list
If we just set up our first agent node, we will see one request. It will look something like the following, with the agent node's FQDN as the hostname:
    "agent.us-west-1.compute.internal" (SHA256) 34:A8:41:7E:07:BE:8C:E4:9D:3D:1F:CA:D7:BA:08:A7:0D:0A:B1:64:1E:B0:A2:5F:A2:68:72:60:E7:67:F4:1A
Note that there is no + in front of it; this indicates that it has not been signed yet.
As mentioned in previous sections, in an agent/master deployment, an admin must approve a certificate request for each agent node before that node can fetch configurations. Agent nodes will request certificates the first time they attempt to run.
To sign a certificate request, use the puppet cert sign command, with the hostname of the certificate we want to sign. For example, to sign 'agent.us-west-1.compute.internal', we would use the following command:
    ubuntu@puppet:~$ sudo puppet cert sign agent.us-west-1.compute.internal
    Notice: Signed certificate request for agent.us-west-1.compute.internal
    Notice: Removing file Puppet::SSL::CertificateRequest agent.us-west-1.compute.internal at '/var/lib/puppet/ssl/ca/requests/agent.us-west-1.compute.internal.pem'
As we can see from the output, the certificate request from our Puppet agent has now been signed.
The Puppet master can now communicate and control the node that the signed certificate belongs to.
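The list-then-sign step above, scripted the way a defender would run it on the master: only requests whose hostname and fingerprint match what we recorded on the agent itself get signed, and anything else is left pending for investigation. This is an added example, not part of the original tutorial; the listing, the hostnames other than the page's agent, and the fingerprints other than the one shown above are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): gate `puppet cert sign` on
# fingerprints recorded from the agents, so only nodes we set up get signed.
# SAMPLE_LIST is constructed text in `puppet cert list --all` format; the
# first fingerprint is the one shown on the page, the other two are made up.
SAMPLE_LIST='  "agent.us-west-1.compute.internal" (SHA256) 34:A8:41:7E:07:BE:8C:E4:9D:3D:1F:CA:D7:BA:08:A7:0D:0A:B1:64:1E:B0:A2:5F:A2:68:72:60:E7:67:F4:1A
  "unknown.us-west-1.compute.internal" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
+ "db.us-west-1.compute.internal" (SHA256) FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# EXPECTED holds "hostname fingerprint" pairs recorded on each agent
# (for example from `puppet agent --fingerprint`); constructed here.
EXPECTED='agent.us-west-1.compute.internal 34:A8:41:7E:07:BE:8C:E4:9D:3D:1F:CA:D7:BA:08:A7:0D:0A:B1:64:1E:B0:A2:5F:A2:68:72:60:E7:67:F4:1A'

# pending_requests LISTING: print "host fingerprint" for unsigned entries only;
# a leading '+' marks a certificate that is already signed.
pending_requests() {
    printf '%s\n' "$1" | awk '$1 != "+" { host = $1; gsub(/"/, "", host); print host, $3 }'
}

# approved_hosts LISTING EXPECTED: hosts whose pending fingerprint is on record.
approved_hosts() {
    pending_requests "$1" | while read -r host fp; do
        if printf '%s\n' "$2" | grep -qxF "$host $fp"; then
            echo "$host"
        else
            echo "skipping $host: fingerprint not on record, check the node before signing" >&2
        fi
    done
}

# sign_approved LISTING EXPECTED: sign each approved host; dry run unless DRY_RUN=0.
sign_approved() {
    approved_hosts "$1" "$2" | while read -r host; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: sudo puppet cert sign $host"
        else
            sudo puppet cert sign "$host"
        fi
    done
}

sign_approved "$SAMPLE_LIST" "$EXPECTED"
```

On a real master, feed it `sudo puppet cert list --all` output and the fingerprints you noted on each agent, and set DRY_RUN=0 only once the printed plan looks right.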
Next, we'll learn how to use the main manifest with a file resource/module: Puppet master/agent basic tasks - main manifest with a file resource/module and immediate execution on an agent node.
Ph.D. / Golden Gate Ave, San Francisco / Seoul National Univ / Carnegie Mellon / UC Berkeley / DevOps / Deep Learning / Visualization