Introduction to Puppet
Overview
Puppet is a centralized configuration management system with a client-server architecture, used mainly on Linux and Unix platforms (Windows agents are supported as well). It has its own declarative language for describing system resources such as configuration files, users, cron jobs, packages and services: a manifest states the desired end state, and Puppet works out the operations needed to reach it. The primary design goal is to simplify resource management while correctly handling the dependencies between resources, so that, for example, a package is installed before its configuration file is written and its service is started.
How Puppet Works
Puppet operates with one or more master servers and many client agents. Each agent checks in periodically (runinterval, default: 30 minutes): it runs Facter to collect basic system information (facts), sends the facts to the server over HTTPS with mutual TLS, and asks for a catalog. The server identifies the node by the certname in its client certificate (by default the node's FQDN), not by a self-reported hostname, selects the code that applies to that node, compiles it into a catalog, and returns the catalog to the agent. The agent applies the catalog to bring the system into the declared state and reports the result back to the server.
Puppet 6, the version installed below, carries this exchange over a REST-style HTTPS API. XML-RPC, a remote procedure call mechanism that uses HTTP as transport and XML to encode commands and data, was only used by the very old 0.2x releases.
Puppet Workflow
- The client's puppet agent runs Facter, which discovers system facts such as hostname, memory size and IP addresses. The agent sends these facts to the server over the TLS connection together with its catalog request.
- The server's puppet master looks up the node by certname, locates the matching node definition in the manifests and parses it. Only the code that applies to that node is evaluated, with the facts available as variables. Parsing includes syntax checking; if it succeeds, the server produces a compiled catalog (a serialized list of resources and their dependencies, not source code) and sends it to the client.
- The client receives and applies the catalog, then sends a report of the results to the server.
- The server logs the client's report.
Two important aspects of Puppet's operation:
- Client-server communication is secured with TLS and X.509 certificates issued by the master's built-in CA. Only clients holding a certificate signed by that CA can talk to the master, and the certificate's common name is the identity the master uses for node classification, so signing a certificate request is an authorization decision, not a formality.
- Puppet maintains the desired system state. If a managed file is deleted or a managed service stops, Puppet recreates the file or restarts the service on the next run (default: 30 minutes). The same mechanism silently reverts a manual hot-fix to a managed resource unless the manifest is updated too.
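Both points are easiest to see in a manifest that declares a package, its configuration file and the service that reads it. The following site.pp is an added example written for this article, not code from the original page or from Puppet's own documentation; it assumes an EL-family host where the NTP daemon comes from the chrony package and runs as the chronyd service, and the chrony.conf content is a minimal, constructed sample.

```puppet
# Added example (not from the original page). Assumes an EL-family host
# where the NTP daemon is the 'chrony' package / 'chronyd' service.
node default {
  package { 'chrony':
    ensure => installed,
  }

  file { '/etc/chrony.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    # Constructed sample configuration, kept deliberately small.
    content => "pool pool.ntp.org iburst\ndriftfile /var/lib/chrony/drift\nmakestep 1.0 3\nrtcsync\n",
    require => Package['chrony'],   # the package must exist before its config is written
    notify  => Service['chronyd'],  # a changed config triggers one restart of the service
  }

  service { 'chronyd':
    ensure  => running,   # a daemon found stopped is started again on every run
    enable  => true,      # and kept enabled at boot
    require => Package['chrony'],
  }
}
```

The require and notify metaparameters are the dependency handling the overview mentions: Puppet orders package, file and service correctly whatever order they are written in, and a change to the file causes exactly one restart. ensure => running is the state enforcement: if someone stops chronyd by hand, the next run starts it and the report records the correction. On a test host, `puppet apply --noop site.pp` prints what would change without touching anything, which is the cheapest way to review a manifest before agents start pulling it.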
Installation and Deployment
Environment Preparation (Master and Agent)
# systemctl stop firewalld # Lab shortcut; in production keep the firewall and open only TCP 8140 on the master
# /usr/sbin/ntpdate pool.ntp.org # Clock skew between master and agent breaks certificate validity checks
# setenforce 0 # Lab shortcut; do not leave SELinux permissive on production hosts
Hostname and Host Resolution
The agent's certname defaults to its FQDN, so the hostname configured on each machine must match the names used here, and each side must be able to resolve the other:
echo "10.0.0.60 puppet-master.example.com" >>/etc/hosts
echo "10.0.0.61 puppet-agent.example.com" >>/etc/hosts
Installing Facter and Puppet
Two caveats before running the commands below. Facter 3.x is a C++ program built with CMake and ships no install.rb; the `ruby install.rb` step applies to the Ruby-based Facter 2.x line and to the Puppet source tarball. Puppet 6 also reads its configuration from /etc/puppetlabs/puppet rather than the legacy /etc/puppet directory used here, so after installing, confirm the live value with `puppet config print confdir` and place the copied files there. You are about to build and run this code as root on the host that will control the whole fleet, so verify the published GPG signature or checksum of each tarball before unpacking it.
# yum install ruby -y
# groupadd puppet
# useradd -g puppet -s /bin/false -M puppet # Unprivileged account the master drops to: no login shell, no home directory
# wget https://downloads.puppetlabs.com/facter/facter-3.14.0.tar.gz
# wget https://downloads.puppetlabs.com/puppet/puppet-6.25.0.tar.gz
# tar xf facter-3.14.0.tar.gz
# cd facter-3.14.0
# ruby install.rb
# facter # Verify Facter is working
# tar xf puppet-6.25.0.tar.gz
# cd puppet-6.25.0
# ruby install.rb
# cp conf/redhat/* /etc/puppet/ # Sample puppet.conf and init scripts from the legacy Red Hat layout
# cp conf/auth.conf /etc/puppet/ # Access control for the master's HTTPS API
Master Server Setup
# mkdir /etc/puppet/manifests
# cp /etc/puppet/server.init /etc/init.d/puppetmaster
# chmod 755 /etc/init.d/puppetmaster
# systemctl start puppetmaster
# ss -tunlp | grep 8140 # Check if port is listening
Certificate Authorization (Request-Query-Authorize)
# puppet agent --test --server puppet-master.example.com # Agent generates a key pair and submits a certificate signing request; the run fails until it is signed
# puppet agent --fingerprint # On the agent: print the CSR fingerprint so it can be compared before signing
# puppetserver ca list # Master lists pending requests with their fingerprints
# puppetserver ca sign --certname puppet-agent.example.com # Authorize one agent once its fingerprint matches the one shown on the agent
# puppetserver ca sign --all # Signs every pending request unverified; anyone who can reach TCP 8140 can submit a request under any name, so avoid this outside a lab
# ls /etc/puppetlabs/puppetserver/ssl/ca/signed/ # Verify signed certificates (the CA directory varies by version; `puppet config print cadir` on the master shows the live path)
# puppet agent --test --server puppet-master.example.com # Agent downloads its certificate and completes the run
If the handshake fails later (the agent was re-imaged, renamed, or its key was lost), revoke and clean on both sides rather than only deleting files:
# puppetserver ca clean --certname puppet-agent.example.com # On the master: revoke the certificate and remove it from the signed directory
# rm -rf /etc/puppetlabs/puppet/ssl/ # On the agent only: discard the old key pair and CSR; never run this on the master, whose ssl directory may hold the CA
# rm -rf /etc/puppetlabs/puppetserver/ssl/ca/signed/puppet-agent.example.com # Manual removal on the master; unlike `ca clean`, this does not revoke the certificate
Resources
Puppet manages the system through typed resources. The types used in this article:
- file: files, directories and symlinks (content, ownership, permissions)
- package: software packages
- service: system services
- cron: scheduled tasks
- exec: execution of shell commands (always guarded, so the command does not run on every agent run)
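The sections that follow give worked examples for file, user/group and cron but none for exec, which is the easiest type to misuse: without a guard the command runs on every agent run and reports a change every time. The manifest below is an added example, not from the original page; the script /usr/local/bin/build-cache.sh, the marker file /var/cache/app/index.db, the /etc/app/app.conf file and the app binary are hypothetical names chosen for illustration, and the kernel-module guard assumes a Linux host with modprobe and lsmod in /sbin.

```puppet
# Added example (not from the original page). All paths under /usr/local/bin,
# /var/cache/app and /etc/app are hypothetical.
node default {
  # Unguarded form, commented out on purpose: this would execute every
  # 30 minutes and never converge, because Puppet has no way to tell
  # whether the work has already been done.
  # exec { 'rebuild cache':
  #   command => '/usr/local/bin/build-cache.sh',
  # }

  file { '/var/cache/app':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }

  # Guard 1: 'creates' makes the command a no-op once the named path exists.
  # An absolute command plus an explicit 'path' avoids resolving binaries
  # through whatever PATH the agent process inherited.
  exec { 'rebuild cache':
    command   => '/usr/local/bin/build-cache.sh',   # hypothetical script
    creates   => '/var/cache/app/index.db',         # hypothetical marker the script writes
    path      => ['/usr/bin', '/bin'],
    user      => 'root',
    logoutput => on_failure,
    require   => File['/var/cache/app'],
  }

  # Guard 2: 'unless' runs a check command first and skips the exec when
  # the check exits 0, so the real system state decides, not a marker file.
  exec { 'load nf_conntrack module':
    command => '/sbin/modprobe nf_conntrack',
    unless  => '/sbin/lsmod | /bin/grep -q "^nf_conntrack "',
  }

  # Guard 3: 'refreshonly' means the command runs only when another
  # resource notifies it, here only after the config file really changed.
  file { '/etc/app/app.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => "listen = 127.0.0.1:8080\nlog_level = info\n",   # constructed sample content
    notify  => Exec['validate app config'],
  }

  exec { 'validate app config':
    command     => '/usr/local/bin/app --check-config /etc/app/app.conf',   # hypothetical binary
    refreshonly => true,
  }
}
```

Puppet evaluates creates, unless and onlyif before running the command, so a converged system produces a run with zero changes; an exec that shows up as changed in every report is the signature of a missing guard. Because an exec runs as root by default, keep the command string fixed in the manifest rather than assembling it from facts or other node-supplied data: facts come from the agent, and interpolating them into a command would turn a compromised fact source into command execution on every node that evaluates the manifest.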
Practical Examples
File Configuration
The master stores all configuration code in manifests under the manifests directory, with site.pp as the entry point. Agents never see the manifests themselves: they receive the catalog compiled for their node and apply it.
# cat /etc/puppet/manifests/site.pp
node default {
  file { "/tmp/hello.txt":
    content => "Hello, Puppet!\n",
  }
}
Verify on the agent:
# puppet agent --test --server puppet-master.example.com
# cat /tmp/hello.txt
File with Specific Permissions
# cat /etc/puppet/manifests/site.pp
node default {
  file { "/tmp/config.txt":
    owner   => "root",
    group   => "puppet",
    mode    => "0640",   # mode is a quoted string; a data file needs no execute bit, and 0640 keeps it readable by the puppet group only
    content => "Configuration file\n",
  }
}
Verify on the agent:
# puppet agent --test --server puppet-master.example.com
# ls -l /tmp/config.txt
# cat /tmp/config.txt
User and Group Management
group { "appgroup":
  ensure => present,
  gid    => 2000,
}
user { "appuser":
  ensure     => present,
  uid        => 2000,
  gid        => "appgroup",          # primary group by name; Puppet automatically orders Group['appgroup'] first
  home       => "/home/appuser",
  shell      => "/bin/bash",
  managehome => true,
  groups     => ["puppet", "wheel"], # on Red Hat-family systems wheel has sudo rights by default; include it only if this account needs root
}
Cron Job Management
# cat /etc/puppet/manifests/site.pp
cron { "daily_backup":
  ensure  => present,
  command => "/usr/local/bin/backup.sh >/dev/null 2>&1",
  user    => "root",   # stated explicitly; the default is the user running the agent, i.e. root
  hour    => 2,
  minute  => 0,
}
Verify on the agent:
# puppet agent --test --server puppet-master.example.com
# crontab -l
File Synchronization
Configure file server on master:
# cat /etc/puppet/fileserver.conf
[configs]
  path /etc/puppet/configs
  # allow * lets every node holding a certificate signed by the master's CA read the whole mount,
  # so never place secrets here. Narrow the pattern (for example allow *.example.com) where the
  # mount is not meant for the entire fleet; recent Puppet Server releases govern mount access
  # from auth.conf instead of these lines.
  allow *
Restart the master service and add files to the directory:
# systemctl restart puppetmaster
# mkdir /etc/puppet/configs
# cp /etc/hosts /etc/puppet/configs/
Update the manifest. A resource declared outside any node block applies to every node, so this replaces /etc/hosts on all agents:
# cat /etc/puppet/manifests/site.pp
file { "/etc/hosts":
  source => "puppet:///configs/hosts",   # the host-less form uses the server the agent already talks to; "puppet://puppet-master.example.com/configs/hosts" is equivalent
  mode   => "0644",                      # mode must be a quoted string; an unquoted 0644 is read as a number, not the octal mode intended
}
Node-Specific Configuration
# cat /etc/puppet/manifests/site.pp
node default {
  file { "/tmp/common.txt":
    content => "Common configuration\n",
  }
}
# A node block that matches the certname takes precedence over node default; this host gets
# only this block, so anything that must apply everywhere has to be declared outside node blocks.
node 'puppet-agent.example.com' {
  file { "/etc/localtime":
    source => "puppet:///timezones/UTC",   # requires a [timezones] mount in fileserver.conf, defined like [configs] above
    mode   => "0644",
  }
}
Important Configuration Files
- puppet.conf: Main configuration file, used by both master and agent ([main], [master]/[server] and [agent] sections)
- server.init: Server startup script (installed above as /etc/init.d/puppetmaster)
- fileserver.conf: File server mount-point configuration
- puppetserver.conf: Settings for the JVM-based Puppet Server
- auth.conf: Access control for the master's HTTPS API