Puppet Server is a new product built from the ground up to provide higher performance and better integration with other Puppet Labs products.
Many of the changes with Puppet Server were a change in the technology stack. Puppet Server was written in Clojure and uses Java rather than Ruby as the underlying engine. This ties it more closely with PuppetDB and other Puppet Labs products. However, for most practical purposes you can use it without learning anything about the technology stack. We’re going to skip over these details in favor of the practical concerns of installing and running.
At this point, we’re going to spin up another virtual machine dedicated to hosting this product. You should open another terminal window, or add a new tab on your existing terminal for this virtual machine. This will allow you to switch back and forth between the machines, which is necessary in this chapter.
If you started up the puppetmaster
VM in the last chapter, you may want to suspend it to save some memory:
learning-puppet4
$
vagrant
suspend
puppetmaster
=
=
>
puppetmaster:
Saving
VM
state
and
suspending
execution...
In the new Terminal window, move into the directory where you checked out the learning-puppet4 Git repository. Start up the puppetserver
instance just like we did the client
instance at the beginning of the book:
learning-puppet4
$
vagrant
up
puppetserver
Bringing
machine
'puppetserver'
up
with
'virtualbox'
provider...
=
=
>
puppetserver:
Importing
base
box
'puppetlabs/centos-7.2-64-nocm'
...
=
=
>
puppetserver:
Matching
MAC
address
for
NAT
networking...
=
=
>
puppetserver:
Checking
if
box
'puppetlabs/centos-7.2-64-nocm'
is
up
to
date...
=
=
>
puppetserver:
Setting
the
name
of
the
VM:
learning-puppet4_puppetserver_1437612
...snip...
=
=
>
puppetserver:
Machine
booted
and
ready!
learning-puppet4
$
vagrant
ssh
puppetserver
[
vagrant@puppetserver
~
]
$
As this is a fresh new virtual machine, install the necessary utilities and a text editor of choice, as you did back in Chapter 2.
$
sudo
yum
install
rsync
git
vim
nano
emacs-nox
Install the latest Puppet Labs Puppet Collection repository on the puppetserver
instance. Starting in the home directory, take the following steps:
$
sudo
yum
install
-y
http://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
This command will install and enable the puppetlabs-release-pc1 package repository, which contains the Puppet Server package. Now install the Puppet Server package:
$
sudo
yum
install
-y
puppetserver
Installed:
puppetserver.noarch
0:2.3.0-1.el7
Dependency
Installed:
java-1.8.0-openjdk-headless.x86_64
1:1.8.0.51-1.b16.el7_1
javapackages-tools.noarch
0:3.4.1-6.el7_0
lcms2.x86_64
0:2.5-4.el7
libjpeg-turbo.x86_64
0:1.2.90-5.el7
libxslt.x86_64
0:1.1.28-5.el7
puppet-agent.x86_64
0:1.10.9-1.el7
python-lxml.x86_64
0:3.2.1-4.el7
python-javapackages.noarch
0:3.4.1-6.el7_0
tzdata-java.noarch
0:2015e-1.el7
Complete!
At this point, we’ll need to adjust the firewall on the server. Puppet clients connect to servers on TCP port 8140 by default. Use the following commands to allow incoming TCP connections to this port:
$
sudo
firewall-cmd
--permanent
--zone
=
public
--add-port
=
8140/tcp
success
$
sudo
firewall-cmd
--reload
success
This change allows incoming connections to the Puppet Server.
Guides for altering other firewalls can be found in Appendix B.
Puppet Server takes its configuration values from two places:
[master]
and [main]
blocks of /etc/puppetlabs/puppet/puppet.confThe settings from these files do not overlap. For any configuration option available in the Puppet Server configuration files, the setting in puppet.conf will be ignored.
The Puppet Server configuration files are as follows:
puppet
commands will use different directories.For a single server or testing setup, you don’t need to change any of these values. We’ll cover specific changes that may be necessary shortly.
There are five variables that define the paths which the Puppet Server should use for its files. Unfortunately, these variables exist in two different files and must be kept in sync. See Table 21-1.
puppetserver.conf | puppet.conf | Default value |
---|---|---|
master-conf-dir |
confdir |
/etc/puppetlabs/puppet |
master-code-dir |
codedir |
/etc/puppetlabs/code |
master-var-dir |
vardir |
/opt/puppetlabs/server/data/puppetserver |
master-run-dir |
rundir |
/var/run/puppetlabs/puppetserver |
master-log-dir |
logdir |
/var/log/puppetlabs/puppetserver |
Again, it is essential to keep these variables in sync between the two configuration files. If they differ, then Puppet Server will be looking in one place, and Puppet commands like puppet certificate
will be looking in another.
As recommended back in “Store Server Data Files Separately”, you should change the following values to conform to the Filesystem Hierarchy Standard (FHS) and most sysadmin expectations. The following change places all volatile and dynamic data within the /var/ filesystem.
Edit /etc/puppetlabs/puppet/puppet.conf:
[
user
]
vardir
=
/var/o
pt
/
puppetlabs
/
puppetserver
ssldir
=
$vardir
/
ssl
[
master
]
vardir
=
/var/o
pt
/
puppetlabs
/
puppetserver
ssldir
=
$vardir
/
ssl
Double-check these values after installing the puppetserver
package, as the package installation scripts will change these values in an existing configuration file during installation.
Make the corresponding change in /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf:
master
-
var
-
dir
=
/var/o
pt
/
puppetlabs
/
puppetserver
Then, create the directory we just named. Puppet Server will fail to run if the directory was not created prior to initialization:
[
vagrant@puppetserver
~
]
$
mkdir
-p
/var/opt/puppetlabs/puppetserver
[
vagrant@puppetserver
~
]
$
chown
-R
puppet:puppet
/var/opt/puppetlabs/puppetserver
By default, Puppet Server tries to allocate 2 gigabytes of RAM. This is not necessary for a test node, and won’t work with Vagrant unless you add more memory to the node settings.
Tune down the memory reserved by changing the startup parameters. Edit /etc/sysconfig/puppetserver and change the following line:
# Modify this if you'd like to change the memory allocation, enable JMX, etc.
JAVA_ARGS
=
"-Xms512m -Xmx512m"
Note that the default file contains a MaxPermSize
value in this field. It’s OK to remove it, as the server would simply tell you:
Aug03
00:55:02 puppetserver.example.com java[
14652]
: OpenJDK 64-Bit Server VM warning: ignoring optionMaxPermSize
=
256m;
support was removed in 8.0
Puppet Server accepts configuration of TLS keys and certificates in two different places. You can define the following override settings in /etc/puppetlabs/puppetserver/conf.d/webserver.conf:
ssl
-
cert
=
/var/o
pt
/
puppetlabs
/
puppetserver
/
ssl
/
certs
/
puppet
.
example
.
com
.
pem
ssl
-
key
=
/var/o
pt
/
puppetlabs
/
puppetserver
/
ssl
/
private_keys
/
puppet
.
example
.
com
.
pem
ssl
-
ca
-
cert
=
/var/o
pt
/
puppetlabs
/
puppetserver
/
ssl
/
certs
/
ca
.
pem
ssl
-
crl
-
path
=
/var/o
pt
/
puppetlabs
/
puppetserver
/
ssl
/
crl
.
pem
If none of these variables are defined, Puppet Server will fall back to using the following defined or derived settings from /etc/puppetlabs/puppet/puppet.conf, according to Table 21-2.
puppetserver/conf.d/webserver.conf | puppet/puppet.conf |
---|---|
ssl-ca |
localcacert |
ssl-cert |
hostcert |
ssl-key |
hostprivkey |
ssl-crl-path |
hostcrl |
You can use either the settings in the first column or the second column. If you use the settings in webserver.conf, then you must use all four together. Otherwise, leave all four undefined and use the settings in puppet.conf (which is backward compatible with the Puppet master).
At this time, the Certificate Authority continues to use the following settings from puppet.conf. There isn’t an equivalent in puppetserver/conf.d/ files yet:
[
master
]
cacert
=
/etc/
puppetlabs
/
puppet
/
ssl
/
certs
/
ca
.
pem
cacrl
=
/etc/
puppetlabs
/
puppet
/
ssl
/
crl
.
pem
hostcert
=
/etc/
puppetlabs
/
puppet
/
ssl
/
certs
/
puppet
.
example
.
com
.
pem
hostprivkey
=
/etc/
puppetlabs
/
puppet
/
ssl
/
private_keys
/
puppet
.
example
.
com
.
pem
Due to the current mixture of settings in two files, I recommend that you consolidate settings in /etc/puppetlabs/puppet/puppet.conf, and leave the settings blank in webserver.conf. This is the default, as-shipped configuration, so no changes are necessary.
The latest version of Puppet Server may have added new configuration options. Check the latest documentation at “Puppet Server: Differing Behavior in puppet.conf” on the Puppet docs site.
You can see the configuration values for the Puppet master and the Certificate Authority (defined or derived from defaults) with this command:
[
vagrant@puppetserver
~
]
$
sudo
puppet
config
--section
master
cfacter
=
false
confdir
=
/etc/puppetlabs/puppet
codedir
=
/etc/puppetlabs/code
vardir
=
/var/opt/puppetlabs/puppetserver
...etc
The following settings are valid for the Puppet master, but have been replaced by other configuration options in Puppet Server:
autoflush
—replaced by settings in logback.xmlbindaddress
—remove and configure ssl-host
insteadca
—uses CA information from bootstrap.cfg insteadkeylength
—replaced by a fixed value of 4,096 bitslogdir
—replaced by settings in logback.xmlmasterhttplog
—replaced by the access-log-config
setting in webserver.confmasterlog
—replaced by settings in logback.xmlmasterport
—replaced by the ssl-port
setting in webserver.confssl_client_header
—ignored unless allow-header-cert-info
is enabled in auth.confssl_client_verify_header
—ignored unless allow-header-cert-info
is enabled in auth.confssl_server_ca_auth
—ignored in favor of ssl-ca-cert
or cacert
The following settings used by the Puppet master are ignored by Puppet server, with no equivalent option:
capass
caprivatedir
daemonize
http_debug
puppetdlog
railslog
syslogfacility
user
The following three settings are valid for Puppet agents, but will be ignored by Puppet Server:
configtimeout
http_proxy_host
http_proxy_port
Puppet Server uses the well-known JDK logback library. Logback is a successor to the log4j logging library provided with Java.
By default, the logback configuration file can be found at /etc/puppetlabs/puppetserver/logback.xml. This is the standard XML configuration file format as documented in “Logback configuration” on the Logback Project site.
By default, Puppet Server logs all messages at INFO level or higher to /var/log/puppetlabs/puppetserver/puppetserver.log. Review the bolded sections of this logback.xml configuration snippet:
<
appender
name
=
"F1"
class
=
"ch.qos.logback.core.FileAppender"
>
<
file
>
/
var
/
log
/
puppetlabs
/
puppetserver
/
puppetserver
.
log
<
/
file
>
<
append
>
true
<
/
append
>
<
encoder
>
<
pattern
>
%
d
%
-
5
p
[
%
t
]
[
%
c
{
2
}
]
%
m
%
n
<
/
pattern
>
<
/
encoder
>
<
/
appender
>
<
root
level
=
"info"
>
<
appender
-
ref
ref
=
"F1"
/
>
<
/
root
>
If you are familiar with logback or log4j, you can modify this file far beyond the simple examples here.
ConsoleAppender
definition that outputs console messages when running Puppet Server in the foreground debug mode.If you want to send Puppet Server messages to the system logger syslog
, then you may want to replace or supplement the FileAppender
with the following:
<
appender
name
=
"Syslog"
class
=
"ch.qos.logback.core.net.SyslogAppender"
>
<
syslogHost
>
loghost
.
example
.
com
<
/
file
>
<
facility
>
DAEMON
<
/
facility
>
<
/
appender
>
<
root
level
=
"info"
>
.
.
.
<
appender
-
ref
ref
=
"Syslog"
/
>
<
/
root
>
By default, logback scans for configuration files changes every minute. Restarting Puppet Server is not necessary. To disable this, change the scan
attribute on the configuration
element:
<
configuration
scan
=
"true"
>
You can also adjust the scanning interval based on seconds, minutes, hours, or days:
<
configuration
scan
=
"true"
scanPeriod
=
"30 minutes"
>
You will need to ensure the syslog server is configured to accept messages from the network. If logging to the local host, you will need to uncomment the following lines in /etc/rsyslog.conf:
# Provides UDP syslog reception
$ModLoad
imudp
$UDPServerRun
514
Puppet Server authentication and authorization is defined in the /etc/puppetlabs/puppetserver/conf.d/auth.conf configuration file utilizing the trapperkeeper-authorization format.
This file contains an authorization
block that contains the rules used to approve or deny requests.
Within the authorization
block are a list of rules. Each rule contains a name
, a sort-order
parameter, a match-request
definition, and allow
or deny
parameters that match the node’s certificate name ($trusted['certname']
).
The format of the rules is fairly self-evident, and the inline comments can help you understand why the existing rules are there. Multiple values for allow
or deny
should be written as an array.
The splat (*
) value matches any validated node. The allow-unauthenticated: true
setting is used to allow new nodes to submit certificate requests and retrieve the signed certificate.
Here is one of the more complex rules. This rule uses a regular expression capture group to match the node name requested. The allow:
definition utilizes the captured node name to permit only that same node to request its catalog. See the bolded parts:
{
#
A
l
l
o
w
n
o
d
e
s
t
o
r
e
t
r
i
e
v
e
o
n
l
y
t
h
e
i
r
o
w
n
n
o
d
e
d
e
f
i
n
i
t
i
o
n
m
a
t
c
h
-
r
e
q
u
e
s
t
:
{
p
a
t
h
:
"^/puppet/v3/node/(
[^/]+
)$"
t
y
p
e
:
r
e
g
e
x
m
e
t
h
o
d
:
g
e
t
}
a
l
l
o
w
:
"$1"
s
o
r
t
-
o
r
d
e
r
:
500
n
a
m
e
:
"puppetlabs node"
}
,
As shown, the validated node client.example.com can make a GET request for /puppet/v3/node/client.example.com. Any other node requesting the catalog for client.example.com will be denied.
There are separate configuration options for Puppet 3 clients, which do not utilize the Puppet API.
In Puppet Server 2, the default behavior was to enable use of the older /etc/puppetlabs/puppet/auth.conf configuration file originally used by puppet master
. This behavior has been deprecated, and will likely be removed in Puppet Server 3.
Unless you have previously deployed a Puppet master with a customized auth.conf configuration file, you should disable the legacy configuration setting. If the following option can be found in /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf, set it to false
:
#
(
o
p
t
i
o
n
a
l
)
A
u
t
h
o
r
i
z
e
a
c
c
e
s
s
t
o
P
u
p
p
e
t
m
a
s
t
e
r
e
n
d
p
o
i
n
t
s
v
i
a
r
u
l
e
s
s
p
e
c
i
f
i
e
d
#
i
n
t
h
e
l
e
g
a
c
y
P
u
p
p
e
t
a
u
t
h
.
c
o
n
f
f
i
l
e
(
i
f
true
o
r
n
o
t
s
p
e
c
i
f
i
e
d
)
o
r
v
i
a
r
u
l
e
s
#
s
p
e
c
i
f
i
e
d
i
n
t
h
e
P
u
p
p
e
t
S
e
r
v
e
r
H
O
C
O
N
-
f
o
r
m
a
t
t
e
d
a
u
t
h
.
c
o
n
f
(
i
f
false
)
.
u
s
e
-
l
e
g
a
c
y
-
a
u
t
h
-
c
o
n
f
:
false
To upgrade a Puppet master with a customized auth.conf, migrate the customizations to the new HOCON format auth file. A guide for converting old auth files is available at “Config File Auth: Deprecated Ruby Parameters” on the Puppet docs site.
Now it is time to start the server. While Puppet Server is a high-performance replacement for the old Puppet master, the Java service takes a bit longer to start. Start it like so:
[
vagrant@puppetserver
~
]
$
sudo
systemctl
enable
puppetserver
[
vagrant@puppetserver
~
]
$
sudo
systemctl
start
puppetserver
You can observe what it does during startup by looking at the logfiles:
$
sudo
tail
-f
/var/log/puppetlabs/puppetserver/puppetserver.log
309
INFO
[
o.e.j.u.log
]
Logging
initialized
@12460ms
742
INFO
[
p.t.s.w.jetty9-service
]
Initializing
web
server
(
s
)
.
874
INFO
[
p.s.j.jruby-puppet-service
]
Initializing
the
JRuby
service
209
INFO
[
puppet-server
]
Puppet
Puppet
settings
initialized
;
run
mode:
master
384
INFO
[
p.s.j.jruby-puppet-agents
]
Finished
creating
JRubyPuppet
instance
1
of
1
410
INFO
[
p.s.c.puppet-server-config-core
]
Initializing
webserver
settings
603
INFO
[
p.s.c.certificate-authority-service
]
CA
Service
adding
a
ring
handler
Observe the final line, which says that it started a CA Service with a ring handler. This obscure message is the only notification you’ll receive that it has created a certificate authority based on its own certname
, and then signed its own certificate.
By signing its own certificate, this Puppet Server has become the root certificate authority for this Puppet installation. Only agents with certificates signed by this certificate authority will be able to access the service. We’ll discuss ways to handle third-party certificate authorities in “Using an External Certificate Authority”.
Puppet Server has its own Ruby installation separate from your system Ruby, and even from the Puppet agent’s Ruby. If you are using server-side plugins that require additional gems, use the puppetserver gem
command to install them.
First, examine the gems that come preinstalled:
[
vagrant@puppetserver
~
]
$
sudo
puppetserver
gem
list
***
LOCAL
GEMS
***
jar-dependencies
(
0.1.13
)
jruby-openssl
(
0.9.7
java
)
json
(
1.8.0
java
)
rake
(
10.1.0
)
rdoc
(
4.1.2
)
The puppetserver gem
command is identical to Ruby’s gem
command, but maintains the JRuby gem-store used by the Puppet Server. If you need other gems for a plugin running on the server, use puppetserver gem
to install them exactly like you’d use Ruby’s gem
command:
$
sudo
puppetserver
gem
install
bundler
--no-ri
--no-rdoc
Fetching:
bundler-1.10.6.gem
(
100%
)
Successfully
installed
bundler-1.10.6
1
gem
installed
Puppet Server uses JRuby, a high-performance, threaded Ruby interpreter. It is compatible with all native Ruby gems, but not with gems that use binary or compiled extensions. It is best to adjust the plugin to use a native Ruby gem whenever possible.
Puppet Server uses IPv6 out of the box without any specific settings. If you are upgrading the Puppet configuration of a Puppet master, you’ll need to remove or comment out the bindaddress
configuration setting used to enable IPv6 on a Puppet master:
[
master
]
# this setting isn't necessary for Puppet Server
#bindaddress = ::
If you query for listening services using netstat -an
, you’ll see the Puppet master listening on a tcp6
socket. This socket accepts both IPv4 and IPv6 connections:
[
vagrant@puppetmaster
~
]
$
netstat
-an
|
grep
8140
tcp6
0
0
:::8140
:::*
LISTEN
Clients will connect to the IPv6 or IPv4 port based on the configuration of the client node, and the addresses available from DNS or the hosts file. If you want nodes to connect using only one of these protocols, provide the address of the Puppet Server in that version’s notation.