How to Configure Puppet Agents

  1. Become an administrator who is assigned the Puppet Management rights profile.
  2. Set Puppet Server properties on the Puppet Agent.

    While the puppet:agent service is disabled, set the ca_server and server properties as shown in Example 2-1.

    Refresh the puppet:agent service.

    Note:

    Do not enable the puppet:agent service instance until after the Puppet Agent (agent) requests the certificate and the agent successfully signs in to the Puppet Server (server).
  3. Test the connection from the agent to the server.

    On the agent, run the puppet agent --test command to create a new SSL key and request authentication between the agent and the server.

  4. On the node that runs the Puppet Server, identify any outstanding certificate requests coming from agents that are attempting to connect to the server.

    Run the following command on the server:

    $ puppetserver ca list

    This command output should show that the agent is issuing a request.

  5. On the server, sign the certificate for the agent that makes the request.
    $ puppetserver ca sign agent

    Note:

    It is best to sign certificates manually for Puppet. However, if your environment does not require manually signed certificates, configure the CA Puppet Server to sign certain CSRs automatically. See SSL configuration: autosigning certificate requests.
  6. Retest the connection from the agent to the server.
    # puppet agent --test

    This step ensures that the authentication between the server and the agent has occurred.

  7. Enable the SMF service instance for the agent.
    $ svcadm enable puppet:agent
    $ svcs puppet:agent

    The output should show that the SMF puppet:agent service instance is online.

Example 2-1 Configuring a Puppet Agent

Do not edit the /etc/puppetlabs/puppet/puppet.conf Puppet configuration file manually. Such changes are not saved. SMF property values generate this Puppet configuration file. This configuration file is updated when you update the associated SMF property values, as shown in the following example. For descriptions of the properties shown here and other configuration values that you can set, see Short list of important settings and Configuration Reference.

While the puppet:agent service is disabled, set the ca_server and server properties. The server property value is the host name of the server. Typically, the ca_server value is also the host name of the server.

In this example, the host name of the Puppet Server is pupsvr and the fully qualified domain name of the Puppet Agent is agent.example.com.

# svccfg -s puppet:agent
svc:/application/puppet:agent> setprop config/ca_server = host: pupsvr
svc:/application/puppet:agent> setprop config/server = host: pupsvr
svc:/application/puppet:agent> setprop config/runinterval = astring: 1d
svc:/application/puppet:agent> refresh
svc:/application/puppet:agent> exit

Verify that the property values are correct:

# svcprop -p config puppet:agent

When you refresh the puppet:agent service instance and that instance comes online, any changes that you make by setting SMF property values are reflected in the puppet.conf file.

Test the connection on the agent.example.com agent:

$ puppet agent --test
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent.example.com
Info: Certificate Request fingerprint (SHA256): E0:1D:0F:18:72:B7:CE:A7:83:E4:48:D5:F8:93:36:15:55:0A:B9:C8:E5:B1:CE:D9:3E:0A:68:01:BE:F7:76:47
Exiting; no certificate found and waitforcert is disabled

Identify outstanding authentication requests on the server:

$ puppetserver ca list
"agent.example.com" (SHA256) E0:1D:0F:18:72:B7:CE:A7:83:E4:48:D5:F8:93:36:15:55:0A:B9:C8:E5:B1:CE:D9:3E:0A:68:01:BE:F7:76:47
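
Signing a request gives the requester a trusted identity on the Puppet Server, so the SHA256 fingerprint that the agent printed should be identical to the one the server lists for that certname. The following script is an added example, not part of the original procedure: the function names sha256_fp and safe_to_sign are hypothetical, and the sample input is constructed from the transcripts in this example.

```shell
#!/bin/sh
# Added example: approve signing only when the CSR fingerprint printed on the
# agent equals the fingerprint the CA lists for the same certname.

# Constructed sample input, copied from the transcripts in Example 2-1
# (including the terminal line wrap inside the fingerprint).
AGENT_OUT='Info: Creating a new SSL certificate request for agent.example.com
Info: Certificate Request fingerprint (SHA256): E0:1D:0F:18:72:B7:CE:A7:83:E4:48:D5:F8:93:36:15:55:
0A:B9:C8:E5:B1:CE:D9:3E:0A:68:01:BE:F7:76:47'
CA_LIST='"agent.example.com" (SHA256) E0:1D:0F:18:72:B7:CE:A7:83:E4:48:D5:F8:93:36:15:55:
0A:B9:C8:E5:B1:CE:D9:3E:0A:68:01:BE:F7:76:47'

# sha256_fp TEXT MARKER
# Print the 32-byte, colon-separated fingerprint that follows MARKER in TEXT,
# rejoining wrapped lines. Return 1 if MARKER is absent or the value is malformed.
sha256_fp() {
    flat=$(printf '%s' "$1" | tr -d ' \n\r')
    marker=$(printf '%s' "$2" | tr -d ' ')
    case $flat in *"$marker"*) ;; *) return 1 ;; esac
    rest=${flat#*"$marker"}
    # 32 bytes as hex pairs plus 31 colons = 95 characters
    fp=$(printf '%s' "$rest" | cut -c1-95 | tr 'a-f' 'A-F')
    printf '%s\n' "$fp" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$' || return 1
    printf '%s\n' "$fp"
}

# safe_to_sign CERTNAME AGENT_OUTPUT CA_LIST_OUTPUT
# Succeed only when both sides show the same well-formed fingerprint.
safe_to_sign() {
    agent_fp=$(sha256_fp "$2" 'fingerprint (SHA256):') || return 1
    ca_fp=$(sha256_fp "$3" "\"$1\" (SHA256)") || return 1
    [ "$agent_fp" = "$ca_fp" ]
}

if safe_to_sign agent.example.com "$AGENT_OUT" "$CA_LIST"; then
    echo "fingerprints match: OK to sign agent.example.com"
else
    echo "fingerprint mismatch or missing: do not sign" >&2
fi
```
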

Sign the outstanding request:

$ puppetserver ca sign agent.example.com
Notice: Signed certificate request for agent.example.com
Notice: Removing file Puppet:SSL:CertificateRequest agent at '/etc/puppetlabs/puppet/ssl/ca/requests/solaris.pem'

Retest the connection on the agent:

$ puppet agent --test
Info: Caching certificate for agent.example.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for agent.example.com
Info: Retrieving plugin
Info: Caching catalog for agent.example.com
Info: Applying configuration version '1400782295'
Notice: Finished catalog run in 0.18 seconds

Enable the puppet:agent service:

$ svcadm enable puppet:agent
$ svcs puppet:agent
STATE         STIME    FMRI
online        18:20:32 svc:/application/puppet:agent

View the following abridged example configuration file:

$ cat /etc/puppetlabs/puppet/puppet.conf
# WARNING: THIS FILE GENERATED FROM SMF DATA.
#     DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.
#
# See puppet.conf(5) and http://docs.puppetlabs.com/guides/configuring.html
# for details.

[agent]

ca_server = pupsvr
logdest = /var/log/puppetlabs/puppet/puppet-agent.log
runinterval = 1d
server = pupsvr

Next Steps

After you install Puppet and perform all of the necessary configuration and validation tasks, you are ready to use Puppet to manage system configurations.

For more information about using Puppet in Oracle Solaris, see: