
Mastering Puppet: A Step‑by‑Step Guide to Build a Secure Master‑Client Infrastructure

This tutorial walks through Puppet's architecture, workflow, and detailed installation of a puppetmaster and puppet agents on Linux, covering SSL security, manifest creation, module development, and a practical SSH port‑remapping case study.

Efficient Ops

How Puppet Works

Puppet lets administrators declare the desired state of managed nodes while abstracting the implementation details. It can operate standalone or in a client‑server (C/S) architecture; large‑scale deployments typically use the C/S model, where each client runs <code>puppet agent</code> and the server runs <code>puppetmaster</code>.

Workflow

1) The client invokes <code>facter</code>, which gathers host facts such as hostname, memory size, and IP address, then sends them to the server over SSL.

Facter data collection

2) The puppetmaster receives the facts, matches the node against a <code>node</code> definition in the main manifest, checks and parses the manifests, and compiles them together with the facts into a catalog (an intermediate representation of every resource and its desired state), which is sent back to the client.

3) The client applies the catalog, executes the declared resources, and reports the execution result to the server.

4) The server logs the client’s execution outcome.

Key points to note

Communication between agent and master is encrypted and mutually authenticated with SSL certificates: the master runs a certificate authority, each agent generates its own key pair and submits a signing request, and only agents whose certificate the master's CA has signed can request a catalog; the agent in turn verifies the master's certificate against the same CA. Signing a request is therefore the moment a host is admitted to the infrastructure, so it should be a deliberate, verified step rather than an automatic one.

Puppet re‑applies the declared state on every agent run (the default run interval is 30 minutes), so a file that was removed or a service such as sshd that was stopped by hand is put back the next time the agent runs.

Setting Up the Puppetmaster

Configure the server hostname and name resolution (for small setups, static entries in <code>/etc/hosts</code> are enough; certificate names default to the hostnames, so every node must resolve the master's name consistently). NTP is started because certificate validation on both sides fails once the clocks drift apart. Example commands:

<code># vim /etc/sysconfig/network
HOSTNAME=master.itzhushou.cn
# vim /etc/hosts
192.168.1.10    master.itzhushou.cn
192.168.1.20    client1.itzhushou.cn
192.168.1.30    client2.itzhushou.cn
# reboot
# service ntpd start
# chkconfig ntpd on
# iptables -I INPUT -p udp --dport 123 -j ACCEPT
# service iptables save</code>

Install Ruby (Puppet is Ruby‑based) and Facter:

<code># yum -y install compat-readline5 ruby
# ruby -v
# useradd -s /sbin/nologin puppet
# tar zxf facter-1.7.1.tar.gz -C /usr/
# cd /usr/facter-1.7.1/
# ruby install.rb</code>

Compile and install Puppet:

<code># tar zxf puppet-2.7.21.tar.gz -C /usr/
# cd /usr/puppet-2.7.21/
# ruby install.rb</code>

Copy the sample configuration files from the source tree and create the manifest and module directories. The <code>modulepath</code> setting belongs in the <code>[main]</code> (or <code>[master]</code>) section of <code>puppet.conf</code>; appending it with <code>echo</code> puts it in whatever section ends the file, so confirm where it landed before starting the service:

<code># cp conf/redhat/fileserver.conf /etc/puppet/
# cp conf/redhat/puppet.conf /etc/puppet/
# cp conf/redhat/server.init /etc/init.d/puppetmaster
# chmod +x /etc/init.d/puppetmaster
# mkdir -p /etc/puppet/manifests /etc/puppet/modules
# echo "modulepath = /etc/puppet/modules:/usr/share/puppet/modules" >> /etc/puppet/puppet.conf
# puppet master --configprint modulepath   # must print the path above; if not, move the line under [main]
# service puppetmaster start
# iptables -I INPUT -p tcp --dport 8140 -j ACCEPT
# service iptables save</code>

Setting Up a Puppet Agent (Client)

Configure the client hostname and hosts file, then install Ruby, Facter, and Puppet exactly as on the master. The agent only opens outbound connections to the master on TCP 8140, so the client firewall can stay enabled; rather than stopping iptables, the last two commands admit the port that the SSH case study below moves sshd to:

<code># vim /etc/sysconfig/network
HOSTNAME=client1.itzhushou.cn
# vim /etc/hosts
192.168.1.10    master.itzhushou.cn
192.168.1.20    client1.itzhushou.cn
192.168.1.30    client2.itzhushou.cn
# reboot
# ntpdate 192.168.1.40
# yum -y install compat-readline5 ruby
# tar zxf facter-1.7.1.tar.gz -C /usr/
# cd /usr/facter-1.7.1/
# ruby install.rb
# tar zxf puppet-2.7.21.tar.gz -C /usr/
# cd /usr/puppet-2.7.21/
# ruby install.rb
# cp conf/redhat/puppet.conf /etc/puppet/
# cp conf/redhat/client.init /etc/init.d/puppetclient
# chmod +x /etc/init.d/puppetclient
# iptables -I INPUT -p tcp --dport 9922 -j ACCEPT
# service iptables save</code>

Register the client with the master by running the agent once in the foreground. The first run generates the agent's key pair, submits a certificate signing request to the master, and logs the request's fingerprint; note that fingerprint, because it is what you compare against on the master before signing:

<code># puppet agent --server=master.itzhushou.cn --no-daemonize --verbose</code>

On the master, list the pending requests and sign each one individually after its fingerprint matches what the agent logged. Leave autosigning off (it is off unless an <code>autosign.conf</code> is created), and avoid <code>--all</code> outside a lab: it admits every host that managed to reach port 8140, including any that should not be there.

<code># puppet cert --list
# puppet cert sign client1.itzhushou.cn
# puppet cert sign client2.itzhushou.cn
# puppet cert sign --all    # lab shortcut only: signs every pending request unseen</code>

Verify registration by checking the signed certificates directory:

<code># ls /var/lib/puppet/ssl/ca/signed/</code>
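Signing is the admission‑control step, so the check a practitioner wants is a comparison of the listed fingerprint against the one the agent printed, done per host rather than with <code>--all</code>. The following shell example is added here and is not part of the original article or of Puppet itself. It assumes the expected fingerprint was copied from the agent's console over a trusted channel, uses a constructed <code>puppet cert --list</code> listing (the exact column layout differs between Puppet releases, so the parser relies only on the certname and the trailing colon‑separated fingerprint), and reads the signing command from a <code>PUPPET_CERT</code> variable so it can be dry‑run.

```shell
#!/bin/sh
# Added example (not from the article): sign an agent's CSR only after its
# fingerprint matches the one the agent printed when it submitted the request.
# Assumptions not taken from the page: the expected fingerprint was copied from
# the agent's console output over a trusted channel, and PUPPET_CERT can be
# pointed at a replacement command for dry runs. The listing below is
# constructed; the column layout of "puppet cert --list" differs between
# releases, so only the certname and the trailing fingerprint are relied on.

PUPPET_CERT=${PUPPET_CERT:-"puppet cert"}

# Constructed sample of "puppet cert --list" output; a leading "+" (as shown by
# "puppet cert --list --all") marks an already signed certificate.
SAMPLE_PENDING='  client1.itzhushou.cn (7B:9A:11:C0:4E:2F:8D:3A:55:61:E9:0C:AB:12:34:56)
  client2.itzhushou.cn (E1:02:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00)
+ master.itzhushou.cn (0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0)'

# normalize_fp FP: drop colons and whitespace and uppercase the hex, so that
# "7b:9a" and "7B9A" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# pending_fingerprint CERTNAME LISTING
# Prints the fingerprint of CERTNAME's pending request found in LISTING.
# Returns 1 when CERTNAME has no pending request (absent or already signed).
pending_fingerprint() {
    fp=$(printf '%s\n' "$2" | awk -v name="$1" '
        $1 == "+" { next }                 # already signed, not pending
        {
            n = $1; gsub(/"/, "", n)       # some releases quote the certname
            if (n == name) {
                f = $NF; gsub(/[()]/, "", f)   # fingerprint is the last field
                print f; exit
            }
        }')
    [ -n "$fp" ] || return 1
    printf '%s\n' "$fp"
}

# verify_and_sign CERTNAME EXPECTED_FP LISTING
# Signs CERTNAME with "$PUPPET_CERT sign" only when the pending request's
# fingerprint equals EXPECTED_FP. Returns 1 on mismatch, 2 if nothing is
# pending, and never falls back to "sign --all".
verify_and_sign() {
    certname=$1
    expected=$(normalize_fp "$2")
    actual=$(pending_fingerprint "$certname" "$3") || {
        echo "no pending request for $certname" >&2
        return 2
    }
    if [ "$(normalize_fp "$actual")" != "$expected" ]; then
        echo "fingerprint mismatch for $certname: listed $actual, expected $2" >&2
        return 1
    fi
    $PUPPET_CERT sign "$certname"
}

# Typical use on the master, with the fingerprint read off the agent's console:
# verify_and_sign client1.itzhushou.cn 7B:9A:11:C0:4E:2F:8D:3A:55:61:E9:0C:AB:12:34:56 "$(puppet cert --list)"
```

On a real master the listing argument comes from the live <code>puppet cert --list</code>; a mismatch means either a typo in the copied fingerprint or a different host presenting that certname, and in both cases the request stays unsigned until someone looks.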

Practical Application: Changing SSH Port Across Nodes

Goal: Ensure all Linux nodes run SSH on port 9922 and restart the sshd service.

The module must cover three things:

1) the <code>openssh-server</code> package is installed (on RHEL the base <code>openssh</code> package does not contain <code>sshd</code>);

2) the SSH configuration file exists with the intended content;

3) <code>sshd</code> is managed as a system service, running and enabled at boot.

Create an <code>ssh</code> module with the following directory layout:

<code># mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}
# mkdir -p /etc/puppet/manifests/nodes</code>

Manifest <code>install.pp</code> ensures the package is present:

<code>class ssh::install {
  # openssh-server provides sshd; the base "openssh" package alone does not
  package { "openssh-server":
    ensure => present,
  }
}</code>

Manifest <code>config.pp</code> manages <code>/etc/ssh/sshd_config</code>:

<code>class ssh::config {
  file { "/etc/ssh/sshd_config":
    ensure  => present,
    owner   => "root",
    group   => "root",
    mode    => "0600",
    # puppet:///modules/<module>/<path> maps to <module>/files/<path> on the master;
    # the triple slash uses the agent's configured server, so no variable is needed
    source  => "puppet:///modules/ssh/ssh/sshd_config",
    require => Class["ssh::install"],
    notify  => Class["ssh::service"],   # restart sshd whenever the file changes
  }
}</code>

Manifest <code>service.pp</code> ensures the sshd service is running:

<code>class ssh::service {
  service { "sshd":
    ensure     => running,
    hasstatus  => true,
    hasrestart => true,
    enable     => true,
    require    => Class["ssh::config"],
  }
}</code>

Root manifest <code>init.pp</code> includes the three classes:

<code>class ssh {
  include ssh::install, ssh::config, ssh::service
}</code>

Place a customized <code>sshd_config</code> (with <code>Port 9922</code>) in <code>/etc/puppet/modules/ssh/files/ssh/</code>, make it readable by the user the puppetmaster runs as (<code>puppet</code>), and declare the nodes in <code>nodes/ssh.pp</code>:

<code>node 'client1.itzhushou.cn' { include ssh }
node 'client2.itzhushou.cn' { include ssh }</code>

Import the node definitions in <code>site.pp</code> and restart the master:

<code># echo "import \"nodes/ssh.pp\"" >> /etc/puppet/manifests/site.pp
# /etc/init.d/puppetmaster restart</code>

On each client, run the agent in test mode (a single foreground run with verbose output) to apply the change. Keep an existing SSH session open while doing so: if the firewall does not admit TCP 9922, or SELinux is enforcing and the port has not been labelled for sshd, the restarted daemon will have no reachable port.

<code># puppet agent -t</code>

Verify that the SSH daemon now listens on the new port and that the service is active, then open a new session on port 9922 before closing the old one.
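Before the agent is allowed to restart sshd on a node, the checks worth automating are the ones that cause lockouts: a firewall that still only admits 22, or SELinux refusing to let sshd bind a port not labelled <code>ssh_port_t</code>. The following shell example is added here and is not from the article. It assumes the staged <code>sshd_config</code>, the current <code>iptables-save</code> output and the <code>semanage port -l</code> output are passed in as text (the samples below are constructed), and it handles single‑port <code>--dport</code> rules and single‑port SELinux entries only.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for the SSH port
# change, run on a node before the agent is allowed to restart sshd.
# Assumptions not taken from the page: the staged sshd_config, the current
# "iptables-save" output and the "semanage port -l" output are handed to the
# functions as text, so they can be exercised offline with the constructed
# samples below; in real use they come from the files and commands named in
# the comments.

# sshd_ports CONFIG_TEXT
# Prints every port sshd will listen on: each uncommented "Port" directive
# (sshd binds all of them), skipping anything inside a Match block; 22 if none.
sshd_ports() {
    ports=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == "port" { print $2 }')
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# firewall_allows PORT IPTABLES_SAVE_TEXT
# Returns 0 when a single-port rule accepts TCP traffic to exactly PORT
# (multiport "--dports" rules are not examined).
firewall_allows() {
    printf '%s\n' "$2" | grep -Eq -- "-p tcp .*--dport $1 .*-j ACCEPT"
}

# selinux_allows PORT SEMANAGE_TEXT
# Returns 0 when PORT is listed in the ssh_port_t tcp entry of
# "semanage port -l" output, i.e. sshd may bind it under the targeted policy
# (single ports only; ranges such as 1024-65535 are not expanded).
selinux_allows() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { q = $i; gsub(/,/, "", q); if (q == p) found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# preflight CONFIG_TEXT IPTABLES_SAVE_TEXT SEMANAGE_TEXT
# Returns 0 only if every configured port is admitted by the firewall and,
# when SEMANAGE_TEXT is non-empty (SELinux in use), labelled for sshd;
# otherwise reports each blocker together with the command that fixes it.
preflight() {
    rc=0
    for p in $(sshd_ports "$1"); do
        firewall_allows "$p" "$2" || {
            echo "firewall: no ACCEPT for tcp/$p (iptables -I INPUT -p tcp --dport $p -j ACCEPT)" >&2
            rc=1
        }
        if [ -n "$3" ]; then
            selinux_allows "$p" "$3" || {
                echo "selinux: tcp/$p not labelled ssh_port_t (semanage port -a -t ssh_port_t -p tcp $p)" >&2
                rc=1
            }
        fi
    done
    return $rc
}

# Constructed samples: the staged config moves sshd to 9922, while the
# firewall still only admits 22 and 8140 and SELinux only labels 22.
SAMPLE_CFG='# Port 22
Port 9922
Protocol 2
PermitRootLogin no
Match User backup
    PasswordAuthentication no'
SAMPLE_IPT='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
SAMPLE_SEM='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Real use on a node, against a copy of the module's sshd_config (pass "" as
# the third argument on a host without SELinux):
# preflight "$(cat /root/staged_sshd_config)" "$(iptables-save)" "$(semanage port -l)"
```

Run against the samples, <code>preflight</code> fails twice (no ACCEPT for 9922, no <code>ssh_port_t</code> label for 9922) and prints the two commands that clear it; once those are applied on the node, the same call succeeds and the agent run can go ahead.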

Source: http://blog.51cto.com/13555423/2083745?from=singlemessage
Tags: automation, configuration management, linux, Sysadmin, ssl, Puppet
Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
