Puppet

Puppet Nodes

Adding a Machine

Add the host to /etc/puppet/modules/cfeng/manifests/groups.pp and /etc/puppet/autosign.conf. Then run

mkpasswdfiles

After that, run

sudo puppet cert clean <fqdn>

to remove any old keys that may be associated with the machine's IP address.

Run Puppet Agent

The following command pulls the catalog from the puppetmaster and applies the classes defined for the node:

sudo puppet agent --server=puppet --onetime --no-daemonize --verbose

Removing a Machine

To remove a machine from the Puppet configuration pool:

#On the puppetmaster
sudo puppet node deactivate <fqdn>

Configuration

Modifications

Log in to the puppetmaster host (puppet):

cd /etc/puppet/modules # This directory contains all the modules

For example, all the policies related to hdfs that were previously implemented in 'hdfs.conf' for CFEngine are translated to:

/etc/puppet/modules/hdfs/manifests/*.pp

To understand what each of these policies does, look at the corresponding 'hdfs.conf' file. These files can be modified directly. Note that the cron job that applies the policies runs hourly, during minutes 0-10 of the hour. Once you modify any of these policies, do a dry run on a node where the effect can be seen:

sudo puppet agent --server=puppet --onetime --no-daemonize --verbose --noop # The noop option will do a dry run

Node Groups

All the node groups are defined as array variables in

/etc/puppet/modules/cfeng/manifests/groups.pp

e.g., the group 'osgrpms' is built from several subgroups:

$osgrpms = unique(flatten([$compute_nodes, $login_servers]))

In order to add another group of nodes, first define the group in "groups.pp":

$newgroup = ['node01','node02','node03',]

Then add it to an existing group:

$osgrpms = unique(flatten([$compute_nodes, $login_servers, $newgroup]))

Class Definitions

For each node group, a set of policies is defined in a class, e.g.,

/etc/puppet/modules/hdfs/manifests/datanodes.pp # This has hdfs policies for group datanodes

These policies are applied through another module,

/etc/puppet/modules/allnodes/manifests/init.pp

e.g.,

if ($hostname in $datanodes) {
    include hdfs::datanodes
}

New classes can be added following the structure of the existing ones.

Mercurial Commit

Commit the changes you made in "/etc/puppet/" to the Mercurial repository named "puppet":

klog   
hg commit -I "hdfs/manifests/*.pp" -m "Please forgive us these hacks as we forgive those who have hacked against us." -u "Tapas Sarangi <tapas@hep.wisc.edu>"
hg push

Puppet SSL

The puppetmaster verifies the identity of machines, and serves them the proper catalog, when they connect using a signed certificate. Therefore, each machine requests a certificate the first time it connects to the puppetmaster. The puppetmaster must sign the certificate before connections from the machine are allowed to proceed.

When kickstarting a machine with a new hostname, the hostname should be added to /etc/puppet/autosign.conf. That way, the puppetmaster will automatically sign the certificate, and the connection will proceed. If the machine is not added to autosign.conf, or otherwise needs its certificate signed manually, log in to the puppetmaster and check for certificates that are waiting to be signed:

sudo puppet cert list  # This will give you the list of hosts waiting 
sudo puppet cert sign <hostname> # This will sign the certificate
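Because every entry in autosign.conf causes the puppetmaster to sign a certificate request without review, it is worth checking what the file would match before kickstarting a host. The following pre-flight check is an added example and is not part of this page or the site's own tooling; it assumes the autosign.conf format documented by Puppet (one hostname or "*.domain" glob per line, "#" comments) and uses constructed hostnames.

```shell
#!/bin/sh
# Added example (not from the original page): report whether an FQDN would be
# auto-signed by a puppetmaster-style autosign.conf, and flag a bare "*" entry,
# which would sign every certificate request. Sample hostnames are constructed.

# autosign_matches FQDN FILE -> exit 0 if a non-comment line matches FQDN.
# Exact entries match only the full name; "*.domain" matches any host whose
# name ends in ".domain". A bare "*" is reported on stderr but never counted.
autosign_matches() {
    fqdn=$1
    file=$2
    rc=1
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                               # drop trailing comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        case $entry in
            '*')
                echo "WARNING: $file contains a bare '*': every CSR would be signed" >&2
                ;;
            '*.'*)
                suffix=${entry#'*'}                     # ".domain" part of the glob
                case $fqdn in
                    *"$suffix") rc=0 ;;
                esac
                ;;
            *)
                [ "$entry" = "$fqdn" ] && rc=0
                ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample autosign.conf for the demonstration (kept until exit so
# the checks below can read it).
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
# constructed sample: exact host plus one domain glob
node01.hep.example
*.compute.hep.example
EOF

for h in node01.hep.example node02.hep.example c07.compute.hep.example; do
    if autosign_matches "$h" "$CONF"; then
        echo "$h: would be auto-signed"
    else
        echo "$h: not in autosign.conf, needs 'puppet cert sign' on the puppetmaster"
    fi
done
```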

When a machine with an existing hostname is kickstarted, the old certificate still exists on the puppetmaster. You should clean the keys for that hostname before running the kickstart install:

#On the puppetmaster
sudo puppet cert clean <fqdn> # This will clean the keys for the <hostname>

If the certificate for a machine gets all fouled up and it can't connect, remove the certificate and let it request a new one.

#On the host
sudo su
cd /var/lib/puppet/ssl
rm -rf */*.pem

#On the puppetmaster
sudo puppet cert clean <fqdn> # This will clean the keys for the <hostname>
# puppet-master is running behind apache and it will keep the certificate in memory
sudo /etc/init.d/httpd restart  # CAREFUL about the hourly cron timing. Avoid first 20 minutes of the hour to do this.

#On the host
sudo puppet agent --server=puppet --no-daemonize --onetime --verbose --noop

#Finally on the puppetmaster
sudo puppet cert sign <fqdn>