
Mastering Puppet: A Step‑by‑Step Guide to Build a Secure Master‑Client Infrastructure

This tutorial walks through Puppet's architecture, workflow, and detailed installation of a puppetmaster and puppet agents on Linux, covering SSL security, manifest creation, module development, and a practical SSH port‑remapping case study.


How Puppet Works

Puppet enables administrators to concentrate on the desired state of managed nodes while abstracting implementation details. It can operate in standalone mode or in a client‑server (C/S) architecture; large‑scale deployments typically use the C/S model where the client runs puppet agent and the server runs puppetmaster.

Workflow

1) The client invokes facter, which gathers host variables such as hostname, memory size, and IP address, then sends this information to the server over SSL.

Facter data collection

2) The puppetmaster receives the facts, matches the node to a node definition in the main manifest, performs syntax checking, parses the manifest, and generates an intermediate catalog (pseudo‑code) which is sent back to the client.

3) The client applies the catalog, executes the declared resources, and reports the execution result to the server.

4) The server logs the client’s execution outcome.

Key points to note

Communication between client and master is secured by SSL certificates; only clients whose certificate has been signed by the master’s CA can communicate with it.

Puppet continuously enforces the declared state—e.g., ensuring a file exists or the SSH service is running—on each run (default interval is 30 minutes).

Setting Up the Puppetmaster

Configure the server hostname (modify /etc/hosts for small setups). Example commands:

# vim /etc/sysconfig/network
HOSTNAME=master.itzhushou.cn
# vim /etc/hosts
192.168.1.10    master.itzhushou.cn
192.168.1.20    client1.itzhushou.cn
192.168.1.30    client2.itzhushou.cn
# reboot
# service ntpd start
# chkconfig ntpd on
# iptables -I INPUT -p udp --dport 123 -j ACCEPT
# service iptables save

Install Ruby (Puppet is Ruby‑based) and Facter:

# yum -y install compat-readline5 ruby
# ruby -v
# useradd -s /sbin/nologin puppet
# tar zxf facter-1.7.1.tar.gz -C /usr/
# cd /usr/facter-1.7.1/
# ruby install.rb

Compile and install Puppet:

# tar zxf puppet-2.7.21.tar.gz -C /usr/
# cd /usr/puppet-2.7.21/
# ruby install.rb

Copy configuration files and set up directories:

# cp conf/redhat/fileserver.conf /etc/puppet/
# cp conf/redhat/puppet.conf /etc/puppet/
# cp conf/redhat/server.init /etc/init.d/puppetmaster
# chmod +x /etc/init.d/puppetmaster
# mkdir -p /etc/puppet/manifests /etc/puppet/modules
# echo "modulepath = /etc/puppet/modules:/usr/share/puppet/modules" >> /etc/puppet/puppet.conf
# service puppetmaster start
# iptables -I INPUT -p tcp --dport 8140 -j ACCEPT
# service iptables save

Setting Up a Puppet Agent (Client)

Configure the client hostname and hosts file, then install Ruby and Facter similarly to the master:

# vim /etc/sysconfig/network
HOSTNAME=client1.itzhushou.cn
# vim /etc/hosts
192.168.1.10    master.itzhushou.cn
192.168.1.20    client1.itzhushou.cn
192.168.1.30    client2.itzhushou.cn
# reboot
# ntpdate 192.168.1.40
# yum -y install compat-readline5 ruby
# tar zxf facter-1.7.1.tar.gz -C /usr/
# cd /usr/facter-1.7.1/
# ruby install.rb
# tar zxf puppet-2.7.21.tar.gz -C /usr/
# cd /usr/puppet-2.7.21/
# ruby install.rb
# cp conf/redhat/puppet.conf /etc/puppet/
# cp conf/redhat/client.init /etc/init.d/puppetclient
# chmod +x /etc/init.d/puppetclient
# service iptables stop

Register the client with the master:

# puppet agent --server=master.itzhushou.cn --no-daemonize --verbose

On the master, list and sign pending certificates:

# puppet cert --list
# puppet cert sign --all

Verify registration by checking the signed certificates directory:

# ls /var/lib/puppet/ssl/ca/signed/

Practical Application: Changing SSH Port Across Nodes

Goal: ensure all Linux nodes run SSH on port 9922 and restart the sshd service. To reach that state, the module must:

1) Confirm the openssh package is installed.

2) Ensure the SSH configuration file exists.

3) Verify that sshd is managed as a system service.

Create an ssh module with the following directory layout:

# mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}
# mkdir -p /etc/puppet/manifests/nodes

Manifest install.pp ensures the package is present:

class ssh::install {
  package { "openssh":
    ensure => present,
  }
}

Manifest config.pp manages /etc/ssh/sshd_config:

class ssh::config {
  # Serve files/ssh/sshd_config from the ssh module; the three-slash form
  # lets the agent fetch it from whichever master it is talking to.
  file { "/etc/ssh/sshd_config":
    ensure  => present,
    owner   => "root",
    group   => "root",
    mode    => "0600",
    source  => "puppet:///modules/ssh/ssh/sshd_config",
    require => Class["ssh::install"],   # package must be installed first
    notify  => Class["ssh::service"],   # restart sshd when the file changes
  }
}

Manifest service.pp ensures the sshd service is running:

class ssh::service {
  service { "sshd":
    ensure     => running,
    hasstatus  => true,
    hasrestart => true,
    enable     => true,
    require    => Class["ssh::config"],
  }
}

Root manifest init.pp includes the three classes:

class ssh {
  include ssh::install, ssh::config, ssh::service
}

Place a customized sshd_config (with Port 9922) in /etc/puppet/modules/ssh/files/ssh/, set ownership so the puppetmaster process can read it, and declare the nodes in nodes/ssh.pp:

node 'client1.itzhushou.cn' { include ssh }
node 'client2.itzhushou.cn' { include ssh }

Import the node definitions in site.pp and restart the master:

# echo "import \"nodes/ssh.pp\"" >> /etc/puppet/manifests/site.pp
# /etc/init.d/puppetmaster restart

On each client, run the agent to apply the changes:

# puppet agent -t

Verify that the SSH daemon now listens on the new port and that the service is active.
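A check for that final step, added here as an example and not part of the original article: it reads the effective Port from an sshd_config the way sshd resolves it (first uncommented Port wins, anything after a Match block is ignored), so the file staged under modules/ssh/files/ssh/ can be checked on the master before the run and the deployed file on each client after it. Function names and the sample file are my own; it assumes the usual whitespace-separated keyword form.

```shell
#!/bin/sh
# Added example, not from the original article: check the state the ssh
# module should produce. effective_ssh_port reads an sshd_config as sshd
# does for the Port keyword: first uncommented "Port" wins, directives after
# a "Match" block are conditional and ignored, and the default is 22.
# (On a live host "sshd -T" is the authoritative view; this parser is for
# checking the staged file on the master before it is deployed.)

effective_ssh_port() {   # usage: effective_ssh_port /path/to/sshd_config
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "port" && !found { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# check_ssh_port FILE PORT -> exit 0 if FILE would make sshd bind PORT
check_ssh_port() {
    [ "$(effective_ssh_port "$1")" = "$2" ]
}

# listening_on_port PORT -> exit 0 if something listens on TCP PORT locally
# (meaningful on the client after "puppet agent -t"; needs ss or netstat)
listening_on_port() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { hit = 1 } END { exit !hit }'
    else
        netstat -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { hit = 1 } END { exit !hit }'
    fi
}

# Constructed sample standing in for the customised sshd_config (Port 9922)
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
# Port 2222 (old value, left commented out)
Port 9922
Protocol 2
Match User backup
    PasswordAuthentication no
EOF

if check_ssh_port "$SAMPLE_CFG" 9922; then
    echo "staged sshd_config sets Port 9922"
else
    echo "staged sshd_config does NOT set Port 9922" >&2
fi
rm -f "$SAMPLE_CFG"
```

On a client, `check_ssh_port /etc/ssh/sshd_config 9922 && listening_on_port 9922` confirms both the file and the running daemon before the old port is closed on the firewall.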

Source: http://blog.51cto.com/13555423/2083745?from=singlemessage
Written by Efficient Ops