Install Puppet 3.6.1 on CentOS 6.5


Puppet is an increasingly popular, cross-platform, scalable automation infrastructure.  It comes in two versions: a community edition and an enterprise version.  For further information about Puppet and the differences between the two versions, please refer to the PuppetLabs website or directly to the version comparison page.  This article deals with the installation of the community release of the product.  A summary of the software versions is as follows:

  • Platform - CentOS 6.5 x86_64, minimal install, fully patched up to 6/6/2014
  • Apache http server 2.2.15
  • Passenger version 4.0.44
  • Puppet server 3.6.1 


For this article I am re-using a previous article's Cobbler installation because my plan is to integrate the two systems in a future follow-up article.  Here is a diagram of the lab set-up.

[Diagram: Build network incorporating Puppet]

VM Specification

The Puppet Master server specification is as follows:

  • 8GB RAM
  • 1 vCPU
  • 16GB virtual disk
  • 1 E1000 virtual NIC

Base Server Build

  • Build an x86_64 CentOS 6.5 server, minimal install.  Download the installation ISO mentioned on this page
  • Give the server an appropriate language, keyboard type, name, IP details
  • Update the freshly installed server with the latest operating system patches
yum update -y
  • Install and start ntp
yum install ntp
chkconfig ntpd on
service ntpd start
  • Disable SELinux
setenforce 0
  • Edit /etc/sysconfig/selinux and change the value of the SELINUX entry as follows

Reboot the server and check the SELinux status to ensure you have correctly disabled it.


Install and Configure Puppet Server

Add Repositories and Install Software

  • Add Puppetlabs repository
rpm -ivh
  • Install Puppet Master software
yum install -y puppet-server

This will install a load of dependencies, including:

augeas-libs compat-readline5 dmidecode facter hiera libselinux-ruby pciutils puppet ruby ruby-augeas ruby-irb ruby-libs ruby-rdoc ruby-rgen ruby-shadow rubygem-json rubygems virt-what

Setup Certificate Authority

Before creating the server certificates it is important to decide by which names clients will attempt to contact the server.  These names must then be added to the Puppet configuration file.

  • Open /etc/puppet/puppet.conf
  • Under the [main] section, add
dns_alt_names = puppet,
  • Create the CA certificate and Puppet master certificate
puppet master --verbose --no-daemonize
  • End process once Puppet master version appears on the screen (in my case, version 3.6.1) by pressing 'ctrl + c'

This will also install a /etc/init.d/puppetmaster script

  • Start the Puppet Server
service puppetmaster start

Create and Configure Basic Environment Directories

The environment directories location needs to be set.

  • Add the following to /etc/puppet/puppet.conf, under the [main] section
environmentpath = $confdir/environments
  • Create the following directories to match with that:
mkdir /etc/puppet/environments/production
mkdir /etc/puppet/environments/production/manifests
mkdir /etc/puppet/environments/production/modules

Install Production Quality Web Server

Puppet comes with a Ruby-based web server, but by PuppetLabs' own admission it is not scalable enough to meet production requirements.  Even though I do not plan to deploy this test server to production, I want to test the solution that would be deployed to production.  As such, we will install a production-quality, scalable web server (Apache) to handle the Puppet requests.

Passenger allows Ruby applications to run within Apache.  We need to compile this application as part of this installation.

  • Install required packages
yum install -y httpd httpd-devel mod_ssl ruby-devel rubygems gcc
yum install -y gcc-c++ curl-devel zlib-devel make automake openssl-devel
  • Install Rack / Passenger
gem install rack passenger

(from the list of applications, deselect Python)

At the end of the compilation you will receive a message that includes the following configuration for the apache configuration file.

  • Create /etc/httpd/conf.d/passenger.conf and add the following:
   LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.44/buildout/apache2/
   <IfModule mod_passenger.c>
     PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.44
     PassengerDefaultRuby /usr/bin/ruby
   </IfModule>

[Screenshot: Passenger compile completion message]

It is now necessary to set up the actual web application (instructions from this PuppetLabs page).

  • Create a directory to house the application
mkdir -p /usr/share/puppet/rack/puppetmasterd
  • Create three subdirectories under application directory
mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
  • Copy the PuppetLabs-supplied apache web server config file to application directory
cp /usr/share/puppet/ext/rack/ /usr/share/puppet/rack/puppetmasterd/
  • Set ownership of the file to Puppet user and group
chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/
  • Create a /etc/httpd/conf.d/puppetmaster.conf file and copy the following into it
# RHEL/CentOS:
# LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x/ext/apache2/
# PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x
# PassengerRuby /usr/bin/ruby

# And the passenger performance tuning settings:
PassengerHighPerformance On
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 12
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140
<VirtualHost *:8140>
    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol             All -SSLv2
    SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCertificateFile      /var/lib/puppet/ssl/certs/
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    # SSLCARevocationCheck      chain
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData

    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking. If you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.

    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public

    <Directory /usr/share/puppet/rack/puppetmasterd/>
      Options None
      AllowOverride None
      # Apply the right behavior depending on Apache version.
      <IfVersion < 2.4>
        Order allow,deny
        Allow from all
      </IfVersion>
      <IfVersion >= 2.4>
        Require all granted
      </IfVersion>
    </Directory>

    ErrorLog /var/log/httpd/
    CustomLog /var/log/httpd/ combined
</VirtualHost>
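
An added check for the vhost above (not part of the original article or of PuppetLabs' configuration): on Apache 2.2, `SSLProtocol All -SSLv2` leaves SSLv3 enabled and `RC4+RSA` adds RC4 cipher suites, both since deprecated, while the `RequestHeader set` lines matter because the master trusts those headers and `set` overwrites anything a client sends. `lint_vhost` and `FIXED_VHOST` are hypothetical names; `FIXED_VHOST` is a constructed variant that adds `-SSLv3` and `!RC4`.

```sh
#!/bin/sh
# Added example: lint the TLS and header directives of the puppetmaster vhost.
# PAGE_VHOST repeats directives from the vhost on this page; FIXED_VHOST is a
# constructed variant with the two TLS findings addressed.
PAGE_VHOST='    SSLProtocol             All -SSLv2
    SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e'
FIXED_VHOST=$(printf '%s\n' "$PAGE_VHOST" |
    sed -e 's/All -SSLv2/All -SSLv2 -SSLv3/' -e 's/RC4+RSA:/!RC4:/')

# lint_vhost: read Apache configuration on stdin, print one finding per line.
lint_vhost() {
    awk '
    /^[ \t]*#/ { next }                 # ignore commented-out directives
    { d = tolower($1) }
    d == "sslprotocol" {
        line = tolower($0)
        # "All" without an explicit -SSLv3 keeps SSLv3 available on Apache 2.2
        if (line ~ /(^|[ \t+])all([ \t]|$)/ && line !~ /-sslv3/)
            print "SSLProtocol leaves SSLv3 enabled"
    }
    d == "sslciphersuite" {
        # A token that starts with RC4 adds RC4 suites; !RC4 or -RC4 removes them
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^RC4/) print "SSLCipherSuite adds RC4: " tok[i]
    }
    # Only "set" replaces a header of the same name sent by the client
    d == "requestheader" && tolower($2) == "set" { seen[tolower($3)] = 1 }
    END {
        split("x-ssl-subject x-client-dn x-client-verify", need, " ")
        for (i = 1; i <= 3; i++)
            if (!(need[i] in seen))
                print "header not overwritten by Apache: " need[i]
    }'
}

# Findings for the directives as they appear on this page.
printf '%s\n' "$PAGE_VHOST" | lint_vhost
```

To check a real file, run `lint_vhost < /etc/httpd/conf.d/<your vhost file>`.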

Configure Iptables

Add the following line to the iptables file, just after the ssh/22 entry

-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
  • Restart iptables
service iptables restart

Start the Web Server

The basic server installation is now complete.  All that remains is to:

  • Start apache http server
service httpd start
  • Set apache to start on system boot
chkconfig httpd on

Install and Configure a Puppet Client

  • Build an x86_64 CentOS 6.5 server, minimal install
  • Give the server an appropriate language, keyboard type, name, IP details
  • Update the freshly installed server with the latest operating system patches
yum update -y
  • Install and start ntp
yum install ntp
chkconfig ntpd on
service ntpd start
  • Ensure client can resolve puppet server via 'puppet' and '' via your chosen name resolution method
  • Add Puppet repository
rpm -ivh
  • Install Puppet agent software
yum install -y puppet
  • On the client, test and resolve any issues
puppet agent --test

  • On Puppet server check certificate request and approve
puppet cert --list
  • On the Puppet server, sign the certificate request - copy and paste client name from list
puppet cert --sign <clientName>

The public key of the client has been added to the CA, enabling connectivity to the client from the server.
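
A check to run on the Puppet server before the signing step above, as an added example that is not part of the original article: it compares the fingerprint shown for a pending request with the one printed by `puppet agent --fingerprint` on the client, and refuses requests that ask for alt names. The function name `check_csr`, the host names and the shortened fingerprints are constructed, and the listing format is assumed from Puppet 3.x output.

```sh
#!/bin/sh
# Added example: verify a pending request before `puppet cert --sign`.
# Constructed sample of `puppet cert --list` output; the fingerprints are
# shortened and the line format is an assumption based on Puppet 3.x.
SAMPLE_PENDING='  "client1.example.com" (SHA256) 4F:9A:11:C2:7E:03:D8:55
  "client2.example.com" (SHA256) 0B:77:E4:19:AA:31:6C:F0 (alt names: "DNS:puppet", "DNS:client2.example.com")'

# check_csr LISTING CERTNAME EXPECTED_FINGERPRINT
# Succeeds only if CERTNAME has exactly one pending request, the request asks
# for no alt names, and its fingerprint equals the one read on the client.
check_csr() {
    listing=$1; name=$2; expected=$3
    # The certname is quoted in the listing, so this matches whole names only.
    req=$(printf '%s\n' "$listing" | grep -F "\"$name\" (" || true)
    if [ -z "$req" ]; then
        echo "no pending request for $name"; return 1
    fi
    if [ "$(printf '%s\n' "$req" | wc -l)" -ne 1 ]; then
        echo "more than one pending request for $name"; return 1
    fi
    case $req in
        *"(alt names:"*)
            echo "request for $name asks for alt names"; return 1 ;;
    esac
    # Field 3 is the fingerprint; compare case-insensitively.
    got=$(printf '%s\n' "$req" | awk '{ print toupper($3) }')
    want=$(printf '%s\n' "$expected" | tr 'a-f' 'A-F')
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch for $name"; return 1
    fi
    echo "ok: $name"
}

# On the client:  puppet agent --fingerprint
# On the server:  check_csr "$(puppet cert --list)" <clientName> <fingerprint> \
#                     && puppet cert --sign <clientName>
check_csr "$SAMPLE_PENDING" client1.example.com 4f:9a:11:c2:7e:03:d8:55
```

The fingerprint should reach the server operator by a channel other than the Puppet connection itself, such as the client's console.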

  • On the client, run test
puppet agent --test

The result should be something like this:

[Screenshot: Puppet Client Successfully Communicating with Puppet Master]

You now have a very basic Puppet client and server set-up, with which you can test some automated configuration.  I will cover some simple manifest testing in the next article.  Another article will deal with a web UI for inspecting environment status reporting.  The last article will show how to integrate Cobbler and Puppet, using Cobbler to bootstrap the Puppet installation.