Puppet : How to Install and Configure Puppet Master



Puppet is an “old school” configuration management tool. It helps you enforce configurations with great ease although it is more complex than Ansible to use. Puppet’s declarative language can be compared to a programming language and is difficult to master. However, once you understand how it works, it’s fairly easy to use.

Puppet is very good at maintaining a strict set of configurations, but if you aim at verifying the configurations before applying them, you’ll find that Puppet is not the sharpest tool in the shed. Puppet does have the audit metaparameter that you can use in your resources to track changes, but it doesn’t let you display where it differs from your manifest. In fact it doesn’t allow you to add the auditmetaparameter to your “active” module or manifests. It sits in a separate manifest that audits the requested resources.

The version of Puppet used in this and upcoming tutorials is v3.8.

Installing and configuring Puppet Master

The people at Puppet Labs have their own repository servers for puppet, which is very easy when it comes down to installing and maintaining the server and agent. Although the EPEL repository also provides puppet packages, they tend to be old or not up to date. Hence, I recommend using the Puppet Labs’ yum repositories.

Steps :

This tutorial covers a monolithic install. Perform the following steps:

  1. Enable the optional channel via the following command; you’ll need this to install the Puppet Server component:
    ~]# subscription-manager repos --enable rhel-6-server-optional-rpms
  2. Download the puppetlabs repository installer, as follows:
    ~]# curl -Lo /tmp/puppetlabs-release-el-7.noarch.rpm https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
  3. Now, install the puppetlabs repository by executing the following:
    ~]# yum install -y /tmp/puppetlabs-release-el-7.noarch.rpm
  4. Install puppet-server by typing out this command:
    ~]# yum install -y puppet-server
  5. Set up Puppet Master by adding the following to the [main] section of /etc/puppet/puppet.conf:
    dns_alt_names = puppetmaster.critter.be,rhel7.critter.be
    always_cache_features = true
  6. Next, verify the generation of a CA certificate for the puppet environment through this command line:
    ~]# puppet master --verbose --no-daemonize
  7. Press CTRL + C when it displays the following information:
    Notice: Starting Puppet master version <version number>
  8. Now, allow traffic to the Puppet Master port (8140/tcp) via the following commands:
    ~]# firewall-cmd --permanent –add-port=8140/tcp
    ~]# firewall-cmd --reload
  9. Start Puppet Master by executing the following:
    ~]# systemctl start puppetmaster
  10. Finally, enable Puppet Master at boot, as follows:
    ~]# systemctl enable puppetmaster

The basic HTTP daemon that Puppet Master uses is not made to provide service for an enterprise. Puppet Labs recommends using Apache with Passenger to provide the same service as Puppet Master for a bigger range of systems (more than 10).

You can either compile the Passenger module yourself, or you can just use EPEL (for the rubygem(rack) package) and the Passenger repository. I choose the latter. Here are the steps that you need to perform:

  1. Install the Passenger repository by running the following command:
    curl -Lo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
  2. Now, download the EPEL repository installer, as follows:
    ~]# curl -Lo /tmp/epel-release-latest-7.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  3. Install the rpm EPEL repository (with yum) via the following command:
    ~]# yum install -y /tmp/epel-release-latest-7.noarch.rpm
  4. Next, install the necessary packages for the Puppet web interface. For this, you can execute the following command line:
    ~]# yum install -y httpd mod_ssl mod_passenger
  5. Set up Puppet Master’s virtual host directories and ownership, as follows:
    ~]# mkdir -p /var/www/puppetmaster/{public,tmp} -p && chown -R apache:apache /var/www/puppetmaster
  6. Copy the rack configuration file to Puppet Master’s virtual host root using the following command:
    ~]# cp /usr/share/puppet/ext/rack/config.ru /var/www/puppetmaster/.
  7. Next, change the ownership of the config.ru file. This is very important! You can do this through the following command:
    ~#] chown -R puppet:puppet /var/www/puppetmaster/config.ru
  8. Then, create an Apache virtual host configuration file at /etc/httpd/conf.d/puppetmaster.conf containing the following:
    # passenger performance tuning settings:
    # Set this to about 1.5 times the number of CPU cores in your master:
    PassengerMaxPoolSize 3
    # Recycle master processes after they service 1000 requests
    PassengerMaxRequests 1000
    # Stop processes if they sit idle for 10 minutes
    PassengerPoolIdleTime 600
    Listen 8140
    <VirtualHost *:8140>
        # Make Apache hand off HTTP requests to Puppet earlier, at the cost of
        # interfering with mod_proxy, mod_rewrite, etc. See note below.
        PassengerHighPerformance On
        SSLEngine On
        # Only allow high security cryptography. Alter if needed for compatibility.
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder     on
        SSLCertificateFile      /var/lib/puppet/ssl/certs/rhel7.critter.be.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/rhel7.critter.be.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLCARevocationCheck   chain
        SSLVerifyClient         optional
        SSLVerifyDepth          1
        SSLOptions              +StdEnvVars +ExportCertData
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking. If you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
        # These request headers are used to pass the client certificate
        # authentication information on to the Puppet master process
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
        DocumentRoot /var/www/puppetmaster/public
        <Directory /var/www/puppetmaster/>
          Options None
          AllowOverride None
          # Apply the right behavior depending on Apache version.
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          <IfVersion >= 2.4>
            Require all granted
        ErrorLog /var/log/httpd/puppetmaster_ssl_error.log
        CustomLog /var/log/httpd/puppetmaster_ssl_access.log combined


    Make sure that you replace the certificate directives with the certificate file paths of your own system.

  9. Disable the puppetmaster service via the following:
    ~]# systemctl disable puppetmaster
  10. Use the following command line to stop the puppetmaster service:
    ~]# systemctl stop puppetmaster
  11. Now, start Apache, as follows:
    ~]# systemctl start httpd
  12. Enable Apache on boot through the following command line:
    ~]# systemctl enable httpd
  13. Check your HTTP daemon’s status using the following:
    ~]# systemctl status httpd

Puppet can also run in a masterless mode. In this case, you don’t install a server but only the clients on all the systems that you wish to manage in this way.


Please enter your comment!
Please enter your name here