How To Install Puppet on a DigitalOcean VPS

Introduction

If you manage more than one cloud server, your life can be made much easier by employing a configuration-management tool like Puppet or Chef which can be used to provision, configure and manage your VPS and the applications they host. Using Puppet, or Chef, you can easily automate repetitive tasks, quickly deploy critical applications, and proactively manage change: from scaling 2, 5 or 10s of servers to 1000s, on-premise or in the cloud. Puppet is available as both open source and commercial software. While Puppet Enterprise is the commercially supported, packaged release of Puppet, you can manage up to 10 nodes free.

Benefits

Puppet is a cross-platform framework enabling system administrators to perform common tasks. It is a model-driven solution that requires little coding knowledge to use. While Chef calls its models recipes, Puppet refers to them as manifests. A group of manifests is called a module. There are modules to configure packages like Apache, Nginx, and MySQL. You can also use manifests and modules to alter file permissions, users and groups, and more. As one can see, these models, or manifests and modules, can carry out a variety of tasks; making Puppet helpful not only during the initial installation of a VPS, but also throughout the VPS's entire life cycle; and useful in both large and small deployments. In addition, Puppet has an amazing and active community whose members share modules and other useful information in two main repositories (referenced below).

At first glance, a system administrator might dismiss the idea of a configuration-management tool. Some believe that the same results can be achieved with machine images, i.e. snapshots, and shell scripts. As one author so eloquently put it: This is equivalent to a lumberjack who has just heard about chainsaws, but doesn't see why anyone would ever want more than an ax. What many system admins fail to recognize, is the value of the limited time on their hands. One of the strengths that a configuration-management tool brings to the table is automating repetitive tasks, freeing up system admins so they can focus on more important matters.

Planning

Puppet allows for centralized management by employing a client-server, or agent-master, model. The central, or administrative, server is commonly referred to as the Puppet master which services Puppet clients. While only one cloud server is needed to function as the Puppet master, you can have a nearly infinite number of Puppet client, or agent, nodes. However, it is possible to deploy Puppet in such a way where each individual VPS acts as both the Puppet master and client. You must decide on a deployment type before installing:

Agent/master a/k/a client/server

Agent nodes, or Puppet clients, pull their configurations from a Puppet master server. Admins must manage node certificates, but will only have to maintain manifests and modules on the Puppet master server, and can more easily take advantage of features like reporting and external data sources.

You must decide in advance which VPS will be the master and install puppetmaster on it before installing puppet on any agents or clients. The master should be a dedicated machine with a fast processor, lots of RAM, and a fast disk.

Standalone

Every node compiles its own configuration from manifests. Admins must regularly sync Puppet manifests and modules to every node.

Prerequisites

By default, Puppet clients look for the Puppet master server by contacting the host with the name puppet, via DNS.

• Identify, or create, a server to act as the Puppet master and make a note of its IP address;
• Identify, or create, the server(s) that will act as the Puppet client(s);
• Set each server's hostname and fully qualified domain name (FQDN);
• Deploy the NTP daemon on each of your servers. See How To Set Up Time Synchronization on Ubuntu 12.04;
• Create a DNS A record or a CNAME for the hostname puppet within your domain, pointing to the node that will serve as the Puppet master, i.e. puppet.yourdomain.tld.

If you do not wish to use DNS, you should execute the following command: sudo vim /etc/hosts; then tap the "i" key on your keyboard, and add:

127.0.0.1	localhost.localdomain	localhost	puppet
127.0.1.1	ny.yourdomain.tld	ny
1.2.3.4	ny.yourdomain.tld	ny	puppet

To save your changes, tap the "Esc" key on your keyboard, followed by the following keystrokes: ":" then "w" then "q" then "enter" (all without quotes). See Installing and Using the Vim Text Editor on a DigitalOcean Cloud Server. On each Puppet client, add an entry in the client's /etc/hosts file for the Puppet master (below, we assume that one of your Puppet clients is sf.yourdomain.tld at IP address: 1.2.3.5):

127.0.0.1	localhost.localdomain	localhost
127.0.1.1	sf.yourdomain.tld	sf
1.2.3.5	sf.yourdomain.tld	sf
1.2.3.4	ny.yourdomain.tld	ny	puppet

Avoiding Firewall Issues

CentOS ships with extremely restrictive iptables rules, which may need to be modified. If you previously deployed an iptables firewall on your cloud server (or have some servers in a NAT environment), ensure that your master server is allowing, or able to connect to, TCP connections on ports 3000, 8139 & 8140. See How to Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server

Update Your Packages

Once the cloud servers are built and the appropriate ports have been opened in the firewall, update all your packages:

sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade && sudo apt-get -y autoremove && sudo reboot

Install puppetmaster on Central Server

You have several options for installing puppetmaster. You can either use the package available in your operating system's repository or you can use Puppet Labs' apt repository. Because some OS repositories are slow to update their packages, it is recommended to install puppetmaster from the Puppet Labs repository, so that you do not end up with out-dated releases. To enable the Puppet Labs repository:

1. Download the "puppetlabs-release" package for your OS version. You can see a full list of these packages on the front page of http://apt.puppetlabs.com/. They are all named puppetlabs-release-[CODE NAME].deb;
2. Install the package by running dpkg -i .

For example, to install puppetmaster on your central, or administrative, VPS running Ubuntu 12.04 LTS (nicknamed Precise Pangolin), from the Puppet Labs repo, execute the following commands in a terminal:

sudo wget http://apt.puppetlabs.com/puppetlabs-release-precise.deb
sudo dpkg -i puppetlabs-release-precise.deb
sudo apt-get update && sudo apt-get -y install puppetmaster

Installation instructions for other Linux distros, OS X, Windows, the BSDs or Solaris are available, here: Installing Puppet

Configuring puppetmaster on Central Server

Next, execute the following command:

sudo touch /etc/puppet/manifests/site.pp

Puppet's behavior can be customized with a rather large collection of settings. Most of these can be safely ignored, but you'll almost definitely have to modify some of them.

Puppet's main configuration file is found at /etc/puppet/puppet.conf and is ordered with the following headers, or blocks: [main], [agent] and [master]. Settings for agent nodes, or Puppet clients, should go in the [agent] or [main] blocks of puppet.conf. Along the same lines, settings for the Puppet master server should go in the [master] or [main] blocks of puppet.conf.

NOTE: Puppet masters are usually also agent nodes, or Puppet clients, themselves. Settings in [main] will be available to both services and settings in the [master] and [agent] blocks will override the settings in [main].

Standalone Nodes

Settings for standalone Puppet nodes should go in the [main] block of puppet.conf. Puppet's default settings are generally appropriate for standalone nodes. No additional configuration is necessary unless you intend to use centralized reporting or an external node classifier.

Avoiding DNS Pitfalls

At this point, we need to provide puppetmaster its fully qualified domain name (FQDN), so that it can properly format SSL certficates. First, you need to assess your current environment:

• Does the node that's going to function as the Puppet master have only one (1) hostname--that is, NO aliases?

If (i) the answer is "yes" to that question AND (ii) you created a DNS A record for your Puppet master, execute the following commands and edits:

sudo service puppetmaster stop
sudo rm -rf /var/lib/puppet/ssl
sudo vim /etc/puppet/puppet.conf

Then, add the following line, under the [main] header/block:

server = puppet.yourdomain.tld

If you created a DNS CNAME for your Puppet master AND/OR your master server has hostname aliases, then execute the following steps:

sudo service puppetmaster stop
sudo rm -rf /var/lib/puppet/ssl
sudo vim /etc/puppet/puppet.conf

Under the [master] header/block, add a comma-separated list of all of your master server's aliasas, e.g.:

dns_alt_names = puppet, [alias1], [alias2], puppet.yourdomain.tld

Now, execute:

sudo service puppetmaster start

Install puppetmaster's Dependencies

Before moving on to installing puppet on agent/client nodes, update all your packages on the master server one last time:

sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade &&  sudo apt-get -y autoremove && sudo reboot

Install puppet on Client Server(s)

Again, we're going to install puppet from the Puppet Labs repository. On client nodes running Ubuntu 12.04 LTS, execute:

sudo wget http://apt.puppetlabs.com/puppetlabs-release-precise.deb
sudo dpkg -i puppetlabs-release-precise.deb
sudo apt-get update && sudo apt-get -y install puppet

Click here, for: Instructions on enabling Puppet Labs' repos for other Linux distros

REMEMBER: One of Puppet's best features is that it is cross-platform; thus, your clients are NOT required to run the same OS as the Puppet master. From a practical perspective, this flexibility is amazing because it will allow a developer to quickly and efficiently spin up new DigitalOcean droplets of varying OSes, to test and debug their apps. When the staging server is no longer needed, it can be destroyed (to save on monthly costs) with confidence, because Puppet, coupled with DigitalOcean's API and snapshot support, can deploy a new droplet (literally) within seconds the next time a staging environment is needed.

Configure puppet on Client Server(s)

Once puppet is installed, we need to configure the Puppet client so that it can connect to the Puppet master. We do this with the following command and edits:

sudo vim /etc/puppet/puppet.conf

and add the following:

[agent]
server = puppet.yourdomain.tld
report = true
pluginsync = true
certname = [hostname of Puppet client].yourdomain.tld

Now, we need to configure the Puppet client to start automatically, with the following command:

sudo vim /etc/default/puppet

and edit the line that begins with START, so that it reads:

START=yes

Then, start the service:

sudo service puppet start

Repeat these steps for every Puppet client.

Configure Secure Communications

Every time you deploy a new Puppet client, log in to the Puppet master and execute the following command to view a list of SSL certificates waiting to be signed:

sudo puppet cert --list

Then, on the Puppet master, sign the client certificate in queue by executing the following command:

sudo puppet cert --sign [hostname of Puppet client]

Congratulations! The new Puppet client will now be able to successfully connect to, and securely communicate with, the Puppet master.

Manifests & modules

Now that your Puppet master is talking to your Puppet client(s), let's test your setup by using a module to install MySQL on your Puppet client(s); by executing the following commands on the Puppet master:

sudo apt-get -y install git
sudo git clone https://github.com/puppetlabs/puppetlabs-mysql mysql
sudo vim /etc/puppet/manifests/site.pp

Copy & paste the following into site.pp

node [hostname of Puppet client] {
class { 'mysql': }
class { 'mysql::server':
   config_hash => { 'root_password' => '[desired password]' }
}
}

On the Puppet client, execute the following command:

sudo puppet agent --test

The Puppet client will read the directives in the file site.pp on the Puppet master and install MySQL.

Learn to Use Puppet

You can learn, and practice using, Puppet in a safe and convenient virtual environment, by downloading the Learning Puppet VM (free) for VMware or VirtualBox. Although the VM and examples use Puppet Enterprise, the lessons also apply to the open source release of Puppet. Any new Puppet user should start at the Learning Puppet - Index.

Install Optional Software

You can extend and improve Puppet with other software:

• Puppet Dashboard is an open-source report analyzer, node classifier, and web GUI for Puppet;
• The stdlib module adds extra functions, an easier way to write custom facts, and more;
• User-submitted manifests & modules that solve common problems are available at the Puppet Forge & on GitHub.

Additional Resources

• Puppet Labs | Open Source Release Installation Guide;
• Puppet Labs | Puppet Enterprise Installation Guide;
• Puppet Labs Documentation;
• Puppet Module Cheat Sheet;
• The Puppet Community.

As always, if you need help with the basic setup & configuration of Puppet, look to the DigitalOcean Community for assistance by posing your question(s), below.