Pro Puppet

Authors: Jeffrey McCune, James Turnbull


Listing 1-2. Puppet Client Connection to the Puppet Master

node1# puppet agent --server=puppet.example.com --no-daemonize --verbose
info: Creating a new certificate request for node1.example.com
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/node1.example.com.pem
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate

In Listing 1-2, we executed the Puppet agent with three options. The first option, --server, specifies the name or address of the Puppet master to connect to.

Tip
If we don’t specify a server, Puppet will look for a host called “puppet.” It’s often a good idea to create a CNAME for your Puppet master, for example puppet.example.com.

We can also specify this in the main section of the /etc/puppet/puppet.conf configuration file on the client.

[main]
server=puppet.example.com

Your client must be able to resolve the hostname of the master to connect to (this is why it is useful to have a Puppet CNAME and to specify your Puppet master in the /etc/hosts file on your client).

The --no-daemonize option runs the Puppet client in the foreground and outputs to standard out. By default, the Puppet client runs as a daemon.

Tip
The --verbose option enables verbose output from the client. Adding the --debug option can provide further output that is useful for troubleshooting.

In Listing 1-1, you can see the output from our connection. The agent has created a certificate signing request and a private key to secure our connection. Puppet uses SSL certificates to authenticate connections between the master and the agent. The agent sends the certificate request to the master and waits for the master to sign and return the certificate.

At this point, the agent is still running and awaiting the signed certificate. It will continue to check for a signed certificate every two minutes until it receives one or is canceled (using Ctrl-C, for example).

Note
You can change the time the Puppet agent will wait by using the --waitforcert option. You can specify a time in seconds or 0 to not wait for a certificate, in which case the agent will exit.

Completing the Connection

To complete the connection and authenticate our agent we now need to sign the certificate the agent has sent to the master. We do this using puppet cert (or the puppetca binary) on the master.

puppet# puppet cert --list
node1.example.com

Tip
You can find a full list of the binaries that come with Puppet at http://puppetlabs.com/trac/puppet/wiki/PuppetExecutables.

The --list option displays all the certificates waiting to be signed. We can then sign our certificate using the --sign option.

puppet# puppet cert --sign node1.example.com
Signed node1.example.com

You can sign all waiting certificates with the puppet cert --sign --all command.

Note
Rather than signing each individual certificate, you can also enable “autosign” mode. In this mode, all incoming connections from specified IP addresses or address ranges are automatically signed. This obviously has some security implications and should only be used if you are comfortable with it. You can find more details at http://puppetlabs.com/trac/puppet/wiki/FrequentlyAskedQuestions#why-shouldn-t-i-use-autosign-for-all-my-clients.

On the client, two minutes after we’ve signed our certificate, we should see the following entries (or you can stop and restart the Puppet agent rather than waiting two minutes):

notice: Got signed certificate
notice: Starting Puppet client version 2.6.1

The agent is now authenticated with the master, but we have another message present:

err: Could not retrieve catalog: Could not find default node or by name with 'node1.example.com, node1' on node node1.example.com

The agent has connected and our signed certificate has authenticated the session with the master. The master, however, doesn’t have any configuration available for our puppet node, node1.example.com, and hence we have received an error message. We now have to add some configuration for this agent on the master.

  
Caution
It is important that the time is accurate on your master and agent. SSL connections rely on the clock on hosts being correct. If the clocks are incorrect then your connection may fail with an error indicating that your certificates are not trusted. You should use something like NTP (Network Time Protocol) to ensure your host’s clocks are accurate.

Creating Our First Configuration

Let’s get some more understanding of Puppet’s components, configuration language and capabilities. We learned earlier that Puppet describes the files containing configuration data as manifests. Puppet manifests are made up of a number of major components:

  • Resources – Individual configuration items
  • Files – Physical files you can serve out to your agents
  • Templates – Template files that you can use to populate files
  • Nodes – Specifies the configuration of each agent
  • Classes – Collections of resources
  • Definitions – Composite collections of resources

These components are wrapped in a configuration language that includes variables, conditionals, arrays and other features. Later in this chapter we’ll introduce you to the basics of the Puppet language and its elements. In the next chapter, we’ll extend your knowledge of the language by taking you through an implementation of a multi-agent site managed with Puppet.

Note
In addition to these components, Puppet also has the concept of a “module,” which is a portable collection of manifests that contain resources, classes, definitions, files, and templates. We’ll see our first module shortly.

Extending the site.pp file
