How To Install Puppet on a DigitalOcean VPS
Introduction
If you manage more than one cloud server, your life can be made much easier by employing a configuration-management tool like Puppet or Chef which can be used to provision, configure and manage your VPS and the applications they host. Using Puppet, or Chef, you can easily automate repetitive tasks, quickly deploy critical applications, and proactively manage change: from scaling 2, 5 or 10s of servers to 1000s, on-premise or in the cloud. Puppet is available as both open source and commercial software. While Puppet Enterprise is the commercially supported, packaged release of Puppet, you can manage up to 10 nodes free.
Benefits
Puppet is a cross-platform framework enabling system administrators to perform common tasks. It is a model-driven solution that requires little coding knowledge to use. While Chef calls its models recipes, Puppet refers to them as manifests. A group of manifests is called a module. There are modules to configure packages like Apache, Nginx, and MySQL. You can also use manifests and modules to alter file permissions, users and groups, and more. As one can see, these models, or manifests and modules, can carry out a variety of tasks; making Puppet helpful not only during the initial installation of a VPS, but also throughout the VPS's entire life cycle; and useful in both large and small deployments. In addition, Puppet has an amazing and active community whose members share modules and other useful information in two main repositories (referenced below).
At first glance, a system administrator might dismiss the idea of a configuration-management tool. Some believe that the same results can be achieved with machine images, i.e. snapshots, and shell scripts. As one author so eloquently put it: This is equivalent to a lumberjack who has just heard about chainsaws, but doesn't see why anyone would ever want more than an ax. What many system admins fail to recognize, is the value of the limited time on their hands. One of the strengths that a configuration-management tool brings to the table is automating repetitive tasks, freeing up system admins so they can focus on more important matters.
Planning
Puppet allows for centralized management by employing a client-server, or agent-master, model. The central, or administrative, server is commonly referred to as the Puppet master which services Puppet clients. While only one cloud server is needed to function as the Puppet master, you can have a nearly infinite number of Puppet client, or agent, nodes. However, it is possible to deploy Puppet in such a way where each individual VPS acts as both the Puppet master and client. You must decide on a deployment type before installing:
Agent/master a/k/a client/server
Agent nodes, or Puppet clients, pull their configurations from a Puppet master server. Admins must manage node certificates, but will only have to maintain manifests and modules on the Puppet master server, and can more easily take advantage of features like reporting and external data sources.
You must decide in advance which VPS will be the master and install puppetmaster on it before installing puppet on any agents or clients. The master should be a dedicated machine with a fast processor, lots of RAM, and a fast disk.
Standalone
Every node compiles its own configuration from manifests. Admins must regularly sync Puppet manifests and modules to every node.
Prerequisites
By default, Puppet clients look for the Puppet master server by contacting the host with the name puppet, via DNS.
- Identify, or create, a server to act as the Puppet master and make a note of its IP address;
- Identify, or create, the server(s) that will act as the Puppet client(s);
- Set each server's hostname and fully qualified domain name (FQDN);
- Deploy the NTP daemon on each of your servers. See How To Set Up Time Synchronization on Ubuntu 12.04;
- Create a DNS A record or a CNAME for the hostname puppet within your domain, pointing to the node that will serve as the Puppet master, i.e. puppet.yourdomain.tld.
If you do not wish to use DNS, you should execute the following command: sudo vim /etc/hosts; then tap the "i" key on your keyboard, and add:
127.0.0.1 | localhost.localdomain | localhost | puppet |
127.0.1.1 | ny.yourdomain.tld | ny | |
1.2.3.4 | ny.yourdomain.tld | ny | puppet |
To save your changes, tap the "Esc" key on your keyboard, followed by the following keystrokes: ":" then "w" then "q" then "enter" (all without quotes). See Installing and Using the Vim Text Editor on a DigitalOcean Cloud Server. On each Puppet client, add an entry in the client's /etc/hosts file for the Puppet master (below, we assume that one of your Puppet clients is sf.yourdomain.tld at IP address: 1.2.3.5):
127.0.0.1 | localhost.localdomain | localhost | |
127.0.1.1 | sf.yourdomain.tld | sf | |
1.2.3.5 | sf.yourdomain.tld | sf | |
1.2.3.4 | ny.yourdomain.tld | ny | puppet |
Avoiding Firewall Issues
CentOS ships with extremely restrictive iptables rules, which may need to be modified. If you previously deployed an iptables firewall on your cloud server (or have some servers in a NAT environment), ensure that your master server is allowing, or able to connect to, TCP connections on ports 3000, 8139 & 8140. See How to Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server
Update Your Packages
Once the cloud servers are built and the appropriate ports have been opened in the firewall, update all your packages:
sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade && sudo apt-get -y autoremove && sudo reboot
Install puppetmaster on Central Server
You have several options for installing puppetmaster. You can either use the package available in your operating system's repository or you can use Puppet Labs' apt repository. Because some OS repositories are slow to update their packages, it is recommended to install puppetmaster from the Puppet Labs repository, so that you do not end up with out-dated releases. To enable the Puppet Labs repository:
- Download the "puppetlabs-release" package for your OS version. You can see a full list of these packages on the front page of http://apt.puppetlabs.com/. They are all named puppetlabs-release-[CODE NAME].deb;
- Install the package by running dpkg -i
.
For example, to install puppetmaster on your central, or administrative, VPS running Ubuntu 12.04 LTS (nicknamed Precise Pangolin), from the Puppet Labs repo, execute the following commands in a terminal:
sudo wget http://apt.puppetlabs.com/puppetlabs-release-precise.deb sudo dpkg -i puppetlabs-release-precise.deb sudo apt-get update && sudo apt-get -y install puppetmaster
Installation instructions for other Linux distros, OS X, Windows, the BSDs or Solaris are available, here: Installing Puppet
Configuring puppetmaster on Central Server
Next, execute the following command:
sudo touch /etc/puppet/manifests/site.pp
Puppet's behavior can be customized with a rather large collection of settings. Most of these can be safely ignored, but you'll almost definitely have to modify some of them.
Puppet's main configuration file is found at /etc/puppet/puppet.conf and is ordered with the following headers, or blocks: [main], [agent] and [master]. Settings for agent nodes, or Puppet clients, should go in the [agent] or [main] blocks of puppet.conf. Along the same lines, settings for the Puppet master server should go in the [master] or [main] blocks of puppet.conf.
NOTE: Puppet masters are usually also agent nodes, or Puppet clients, themselves. Settings in [main] will be available to both services and settings in the [master] and [agent] blocks will override the settings in [main].
Standalone Nodes
Settings for standalone Puppet nodes should go in the [main] block of puppet.conf. Puppet's default settings are generally appropriate for standalone nodes. No additional configuration is necessary unless you intend to use centralized reporting or an external node classifier.
Avoiding DNS Pitfalls
At this point, we need to provide puppetmaster its fully qualified domain name (FQDN), so that it can properly format SSL certficates. First, you need to assess your current environment:
- Does the node that's going to function as the Puppet master have only one (1) hostname--that is, NO aliases?
If (i) the answer is "yes" to that question AND (ii) you created a DNS A record for your Puppet master, execute the following commands and edits:
sudo service puppetmaster stop sudo rm -rf /var/lib/puppet/ssl sudo vim /etc/puppet/puppet.conf
Then, add the following line, under the [main] header/block:
server = puppet.yourdomain.tld
If you created a DNS CNAME for your Puppet master AND/OR your master server has hostname aliases, then execute the following steps:
sudo service puppetmaster stop sudo rm -rf /var/lib/puppet/ssl sudo vim /etc/puppet/puppet.conf
Under the [master] header/block, add a comma-separated list of all of your master server's aliasas, e.g.:
dns_alt_names = puppet, [alias1], [alias2], puppet.yourdomain.tld
Now, execute:
sudo service puppetmaster start
Install puppetmaster's Dependencies
Before moving on to installing puppet on agent/client nodes, update all your packages on the master server one last time:
sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade && sudo apt-get -y autoremove && sudo reboot
Install puppet on Client Server(s)
Again, we're going to install puppet from the Puppet Labs repository. On client nodes running Ubuntu 12.04 LTS, execute:
sudo wget http://apt.puppetlabs.com/puppetlabs-release-precise.deb sudo dpkg -i puppetlabs-release-precise.deb sudo apt-get update && sudo apt-get -y install puppet
Click here, for: Instructions on enabling Puppet Labs' repos for other Linux distros
REMEMBER: One of Puppet's best features is that it is cross-platform; thus, your clients are NOT required to run the same OS as the Puppet master. From a practical perspective, this flexibility is amazing because it will allow a developer to quickly and efficiently spin up new DigitalOcean droplets of varying OSes, to test and debug their apps. When the staging server is no longer needed, it can be destroyed (to save on monthly costs) with confidence, because Puppet, coupled with DigitalOcean's API and snapshot support, can deploy a new droplet (literally) within seconds the next time a staging environment is needed.
Configure puppet on Client Server(s)
Once puppet is installed, we need to configure the Puppet client so that it can connect to the Puppet master. We do this with the following command and edits:
sudo vim /etc/puppet/puppet.conf
and add the following:
[agent] server = puppet.yourdomain.tld report = true pluginsync = true certname = [hostname of Puppet client].yourdomain.tld
Now, we need to configure the Puppet client to start automatically, with the following command:
sudo vim /etc/default/puppet
and edit the line that begins with START, so that it reads:
START=yes
Then, start the service:
sudo service puppet start
Repeat these steps for every Puppet client.
Configure Secure Communications
Every time you deploy a new Puppet client, log in to the Puppet master and execute the following command to view a list of SSL certificates waiting to be signed:
sudo puppet cert --list
Then, on the Puppet master, sign the client certificate in queue by executing the following command:
sudo puppet cert --sign [hostname of Puppet client]
Congratulations! The new Puppet client will now be able to successfully connect to, and securely communicate with, the Puppet master.
Manifests & modules
Now that your Puppet master is talking to your Puppet client(s), let's test your setup by using a module to install MySQL on your Puppet client(s); by executing the following commands on the Puppet master:
sudo apt-get -y install git sudo git clone https://github.com/puppetlabs/puppetlabs-mysql mysql sudo vim /etc/puppet/manifests/site.pp
Copy & paste the following into site.pp
node [hostname of Puppet client] { class { 'mysql': } class { 'mysql::server': config_hash => { 'root_password' => '[desired password]' } } }
On the Puppet client, execute the following command:
sudo puppet agent --test
The Puppet client will read the directives in the file site.pp on the Puppet master and install MySQL.
Learn to Use Puppet
You can learn, and practice using, Puppet in a safe and convenient virtual environment, by downloading the Learning Puppet VM (free) for VMware or VirtualBox. Although the VM and examples use Puppet Enterprise, the lessons also apply to the open source release of Puppet. Any new Puppet user should start at the Learning Puppet - Index.
Install Optional Software
You can extend and improve Puppet with other software:
- Puppet Dashboard is an open-source report analyzer, node classifier, and web GUI for Puppet;
- The stdlib module adds extra functions, an easier way to write custom facts, and more;
- User-submitted manifests & modules that solve common problems are available at the Puppet Forge & on GitHub.
Additional Resources
- Puppet Labs | Open Source Release Installation Guide;
- Puppet Labs | Puppet Enterprise Installation Guide;
- Puppet Labs Documentation;
- Puppet Module Cheat Sheet;
- The Puppet Community.
As always, if you need help with the basic setup & configuration of Puppet, look to the DigitalOcean Community for assistance by posing your question(s), below.
4 Comments