Puppet: remote clients are not updated by puppetmaster

Question

I'll start with the fact that I'm noob to Puppet, I have 2 servers; one is called puppetmaster and the other is called puppetclient. I've installed puppet-3.2.2 and created some basic nodes.pp file, the nodes.pp file includes settings for both puppetmaster and puppetclient. When i apply the relevant manifest the changes are only affecting the puppetmaster but not the client. On the server I see the next error:

[root@puppetmaster puppet]# puppet apply manifests/nodes.pp 
hostname: Unknown host
dnsdomainname: Unknown host
hostname: Unknown host
dnsdomainname: Unknown host
hostname: Unknown host
dnsdomainname: Unknown host
Notice: Finished catalog run in 0.71 seconds
[root@puppetmaster puppet]#

Even though a DNS server is configured on /etc/sysconfig/network-scripts/ifcfg-eth0 and in /etc/resolv.conf. While checking the puppetmaster log i see the next error:

[2013-08-08 11:03:00] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:34:in `accept'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:34:in `listen'
    /usr/lib/ruby/1.8/webrick/server.rb:173:in `call'
    /usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
    /usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
    /usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
    /usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:32:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `initialize'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `new'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:28:in `synchronize'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:28:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:92:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:104:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:137:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:215:in `main'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:165:in `run_command'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:456:in `plugin_hook'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:504:in `exit_on_fail'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:132:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:86:in `execute'
    /usr/bin/puppet:4
[root@puppetmaster ~]#

The puppet log on the client is blank. I investigated a little bit on the internet and saw that there's some command called puppetca in older version but as it seems, it's not part of the 3.2.2 version. Anyone knows how to get it to work?

Any reason not to use the puppetlabs repository? using a recent puppet will be really helpful. Also, why webrick? IIRC that was deprecated quite a while back. — dawud, Aug 08 '13 at 08:22
That's the repo i'm using: `baseurl=http://yum.puppetlabs.com/el/$releasever/products/$basearch/` , is it not the regular one? — Itai Ganot, Aug 08 '13 at 08:28

Craig Watson · Answer 1 · 2013-08-08T09:12:21.933

Firstly, you should be using the PuppetLabs Yum repositories - details here.

Secondly, you should either be using Passenger or Mongel behind Apache - WEbrick is a very basic web-server and will not scale well beyond one or two nodes. Using Passenger is the most scalable option and is relatively easy to set up, so it should save you bundles of time in the long-run. Take a look at the PuppetLabs Passenger docs for more details.

Your DNS should be set up so that the CNAME puppet.mydomain (replacing mydomain with your FQDN) should point to your master - this is how nodes will automatically discover your master. If they cannot find puppet.mydomain and no further configuration is provided on either the CLI or in /etc/puppet/puppet.conf, the nodes will not be able to contact the master.

When running Puppet on the master, you can use puppet apply --modulepath=/etc/puppet/modules /etc/puppet/manifests/site.pp to bootstrap your master's configuration (Puppet can - and ideally should - be used to configure the master itself), and subsequent runs can be run by invoking either puppet agent --test or the puppet apply command above.

Thirdly, you should be using Puppet modules instead of adding configuration to manifests/nodes.pp. Take this example:

manifests/nodes.pp:

node mynode {
  include mymodule
}

modules/mymodule/init.pp:

class mymodule {
  file { '/path/to/some/file':
    ensure => file,
    owner  => 'myuser',
    group  => 'mygroup',
    mode   => '0755',
    source => 'puppet:///modules/mymodule/myfile',
  }
}

In this example, your module will deploy the file, and your node definition within your manifest uses include to import the module into that node's manifest.

The puppetca command has been superceded by puppet cert. Once you have your master configured, you will need to use this command to sign your nodes' certificates. Example:

On node:puppet agent --test (generate the SSL certificate and ship it to the master)

On master: puppet cert list (to list the outstanding unsigned certificates)

On master: puppet cert sign mynode.myfqdn (to sign the node's certificate)

On node: puppet agent --test (to re-run Puppet, now that your node's certificate has been signed)

Puppet: remote clients are not updated by puppetmaster

1 Answers1