November 11, 2016

Create puppet client server

As mentioned in the blog create puppet master, we are going to create the puppet client server with the following configuration settings:

Puppet Client:

Operating system : CentOS 7
IP Address       :
HostName         : puppetclient

Install the NTP package, sync the time with upstream NTP servers, and ensure that this node has the same time settings as the puppet master server; certificate validation between agent and master depends on the clocks agreeing.

# yum -y install ntp
# systemctl start ntpd 
# systemctl enable ntpd
# timedatectl set-timezone Europe/Amsterdam

HOSTS file

Change /etc/hosts like the following: puppetmaster puppetclient

Puppet Repository:

To install the puppet client server, we also need to add the puppet repository to this node.
Get the PuppetLabs repository rpm and install it.

# rpm -Uvh

Install the puppet agent using below command.

# yum install -y puppet-agent

The puppet agent uses default settings to connect to the master node, so we need to edit the puppet configuration file and set the puppet master information.

# vi /etc/puppetlabs/puppet/puppet.conf
certname = puppetclient
server = puppetmaster
environment = production
runinterval = 600

(600 = 10 min, normal 1h)

You can change the value of runinterval depending on your requirements. The value is set in seconds and controls how long the agent waits between two catalog requests.

Start puppet agent on the node and make it start automatically on system boot.

# /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true

Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}

Sign the Agent Nodes Certificate on Master Server:

In an agent/master deployment, an admin must approve the certificate request coming from each node before the node can fetch its configuration. An agent node requests a certificate the first time it attempts to run.

Log into the puppet master server and run below command to view outstanding requests.

# /opt/puppetlabs/bin/puppet cert list
"puppetclient" (SHA256) CF:8C:39:CC:03:4E:58:88:42:8D:95:DF:66:52:45:32:99:24:91:74:D0:2C:22:BC:DF:23:55:A8:5F:6E:68:C2

Run puppet cert sign command to sign a request.

# /opt/puppetlabs/bin/puppet cert sign puppetclient
Signing Certificate Request for:
"puppetclient" (SHA256) CF:8C:39:CC:03:4E:58:88:42:8D:95:DF:66:52:45:32:99:24:91:74:D0:2C:22:BC:DF:23:55:A8:5F:6E:68:C2
Notice: Signed certificate request for puppetclient
Notice: Removing file Puppet::SSL::CertificateRequest puppetclient at '/etc/puppetlabs/puppet/ssl/ca/requests/puppetclient.pem'

The puppet master can now communicate with the client machine and control the node.

If you have multiple signing requests from nodes, you can sign all the requests in one command.

# /opt/puppetlabs/bin/puppet cert sign --all
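
Before signing a request (and in particular before using --all), the fingerprint the master lists for the pending request can be compared with the one the client displays with "puppet agent --fingerprint". The following is an added example, not part of the original post; csr_fingerprint and verify_csr are hypothetical helper names, and the sample listing is the pending request shown above.

```shell
#!/bin/sh
# Added example (not from the original post): check a pending CSR's
# fingerprint against the value read on the agent before signing it.

# csr_fingerprint CERTNAME
# Reads `puppet cert list` output on stdin and prints the SHA256 fingerprint
# of the pending request for CERTNAME. Signed entries (prefixed "+") are
# ignored, so an already-signed certificate is never reported as pending.
csr_fingerprint() {
    awk -v name="\"$1\"" '
        $1 == name && $2 == "(SHA256)" { print $3; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# verify_csr CERTNAME EXPECTED_FINGERPRINT
# Returns 0 on match, 1 on mismatch, 2 when no pending request exists.
# The comparison ignores the case of the hex digits.
verify_csr() {
    listed=$(csr_fingerprint "$1") || return 2
    [ "$(printf '%s' "$listed" | tr 'a-f' 'A-F')" = \
      "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Sample input: the pending request from the listing above.
SAMPLE_LIST='  "puppetclient" (SHA256) CF:8C:39:CC:03:4E:58:88:42:8D:95:DF:66:52:45:32:99:24:91:74:D0:2C:22:BC:DF:23:55:A8:5F:6E:68:C2'
# Fingerprint as read on the client (constructed to match, for this demo).
AGENT_FP='CF:8C:39:CC:03:4E:58:88:42:8D:95:DF:66:52:45:32:99:24:91:74:D0:2C:22:BC:DF:23:55:A8:5F:6E:68:C2'

if printf '%s\n' "$SAMPLE_LIST" | verify_csr puppetclient "$AGENT_FP"; then
    echo "fingerprint matches: puppet cert sign puppetclient can proceed"
else
    echo "do not sign: fingerprint mismatch or no pending request"
fi

# Real use on the master, with FP copied from the client's console:
#   /opt/puppetlabs/bin/puppet cert list | verify_csr puppetclient "$FP" \
#       && /opt/puppetlabs/bin/puppet cert sign puppetclient
```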

Sometimes you may need to revoke the certificate of a particular node so that the node can be re-added.

Replace hostname with your client hostname.

# /opt/puppetlabs/bin/puppet cert clean hostname

You can list all of the signed and unsigned requests.

Run this on the master server; signed requests start with "+".

# /opt/puppetlabs/bin/puppet cert list --all

Output: I took this before signing our client (puppetclient) node.

 + "puppetmaster" (SHA256)    2C:DA:0B:03:E1:3B:A2:D1:93:B1:D9:14:CF:27:C5:CD:02:F5:87:C2:F3:0E:ED:12:1E:25:2D:32:5B:49:74:F5 (alt names: "DNS:puppet", "DNS:puppetmaster")
 + "puppetclient" (SHA256)     18:9C:C0:AC:CB:1C:49:49:55:B4:6C:8E:5D:B2:E7:25:06:0D:95:8D:3E:A9:CD:4F:0E:4A:DF:AE:9D:74:91:3E

Verify the Puppet Client:

Once the Puppet master has signed your client certificate, run the following command on the client machine to test it.

# /opt/puppetlabs/bin/puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetclient
Info: Applying configuration version '1472165304'
Notice: Applied catalog in 0.05 seconds

Now we have a master/agent architecture where the puppetclient can communicate with the puppetmaster and vice versa.
In my next blog I am going to tell about creating a manifest, written in puppet's declarative language. With this manifest you can control the puppetclient.