So, I was planning on doing a blog post on setting up Puppet Server and PuppetDB on separate servers, with r10k and Hiera. The blog got a bit too large, so I decided to split it up into a three-part blog series.

I should probably note that this series is targeted towards users of Puppet Open Source and there is an expectation the readers are somewhat familiar with the Bash CLI and basic Linux Admin.

Today, I will be focusing on setting up Puppet Server and PuppetDB on separate servers using the puppetlabs-puppetdb Puppet Module, with blogs on r10k and Hiera to come as parts 2 and 3 respectively.

I will walk you through the steps that I learned to build and (mostly) automate the installation and setup of an Open Source Puppet Server, with PuppetDB. The process will be done using Puppet Platform 5.x and RedHat/CentOS 7.x (though the steps should mostly apply to any supported OS). We will also be using two servers:

  • One for Puppet Server and r10k
  • One for PuppetDB

Pre-Install steps

  • Make sure port 8140 is open on the Puppet Server
  • Make sure port 8081 is open from the Puppet Server to the PuppetDB
  • Make sure that PuppetDB can connect locally to port 5432 (Default PostgreSQL port)
  • Make sure that the Puppet Server is reachable via Name Resolution (either via Hosts file or DNS). The DNS/Hosts entry MUST match the server parameter in puppet.conf, which defaults to the hostname puppet.

Setting up Puppet Server

So the first thing to do on our server that will act as the Puppet Server is install the Puppet Platform 5.x repo, the puppetserver and git packages and start the service:

sudo yum install https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm
sudo yum install -y puppetserver git

The next step is to fine tune the Java memory settings for the Puppet Server to what your server needs. You’ll need to update the /etc/sysconfig/puppetserver file and edit the following line:

JAVA_ARGS="-Xms2g -Xmx2g"

Set those values to whatever best suits your server (mine is currently set to the default 2G for 2 GB RAM).

Next step will be to start the service:

sudo systemctl start puppetserver
sudo systemctl enable puppetserver

Run puppet agent -t --noop to verify that the puppet agent can connect to the local puppet server.

Install/Setup the Puppet Agent on the PuppetDB Server

Now log into your PuppetDB server. It should just be a base CentOS installation at this point.

Install the Puppet Platform 5.x repo using the same command from the Puppet Server installation, then install the puppet-agent package (on the Puppet Server, this package was installed as a dependency during the Puppet Server install).

sudo yum install https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm
sudo yum install -y puppet-agent

Next, modify the /etc/puppetlabs/puppet/puppet.conf file with the following contents:

[main]
certname = puppetdb.local

[agent]
server = puppetserver.local

Replace the certname value with the fqdn of the PuppetDB server and the server value with the fqdn or hostname of your Puppet Server as found in DNS or the /etc/hosts file.

Once this is complete, run the Puppet Agent on the PuppetDB server:

sudo puppet agent -t

Then switch back to the Puppet Server and run:

sudo puppet cert sign puppetdb.local

Replace puppetdb.local with the value you placed in the certname setting on the PuppetDB server.

Now, run sudo puppet agent -t again on the PuppetDB server to complete the agent setup.
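
Signing the request is the point where the Puppet Server starts trusting the PuppetDB host, so it helps to confirm that the pending request carries the same fingerprint the agent reports before running puppet cert sign. The script below is an added example, not part of the original post; it compares the output of puppet agent --fingerprint (on the PuppetDB server) with puppet cert list (on the Puppet Server), here using constructed sample output with made-up fingerprints.

```shell
#!/bin/sh
# Added example (not from the original post): check that the pending CSR on the
# Puppet Server is the one the PuppetDB agent generated, before signing it.
#   On the PuppetDB host:   sudo puppet agent --fingerprint
#   On the Puppet Server:   sudo puppet cert list

# Read `puppet agent --fingerprint` output on stdin, print the SHA256 fingerprint.
agent_fp() {
  sed -n 's/^[[:space:]]*(SHA256)[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' |
    head -n 1 | tr 'a-f' 'A-F'
}

# Read `puppet cert list` output on stdin, print the fingerprint for certname $1.
# String equality (not a regex) so "puppetdb.local" cannot match "puppetdbxlocal".
ca_fp() {
  awk -v want="\"$1\"" '$1 == want && $2 == "(SHA256)" { print toupper($3); exit }'
}

# csr_matches AGENT_OUTPUT CA_OUTPUT CERTNAME -> exit 0 only on an exact match.
csr_matches() {
  a=$(printf '%s\n' "$1" | agent_fp)
  c=$(printf '%s\n' "$2" | ca_fp "$3")
  # A missing or truncated fingerprint (SHA256 = 95 chars with colons) never matches.
  [ "${#a}" -eq 95 ] && [ "$a" = "$c" ]
}

# Constructed sample outputs; the fingerprints are made up for this example.
FP='0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'
SAMPLE_AGENT="(SHA256) $FP"
SAMPLE_CA="  \"puppetdb.local\" (SHA256) $FP
  \"puppetdbxlocal\" (SHA256) FF:${FP#0A:}"

if csr_matches "$SAMPLE_AGENT" "$SAMPLE_CA" puppetdb.local; then
  echo "fingerprints match: safe to run 'puppet cert sign puppetdb.local'"
else
  echo "MISMATCH or no pending request: do not sign" >&2
fi
```

On real hosts, pass the captured output of the two commands in place of SAMPLE_AGENT and SAMPLE_CA.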

Install the relevant Puppet Modules and code to set up PuppetDB

NOTE: You can set up PuppetDB via Puppet Module, manually with packages, or from source. I am only covering the Puppet Module method. For other methods see the PuppetDB Installation Docs

Next step will be to install the puppetlabs-puppetdb module into your Puppet Server’s production environment. Normally I would do this using r10k, but that will be covered in a future blog post.

To install the module, run the following command on the Puppet Server VM:

sudo puppet module install puppetlabs-puppetdb --environment production

Next, cd into the puppet production environment (on the Puppet Server) and open the site.pp file for editing:

cd /etc/puppetlabs/code/environments/production
sudo vim site.pp

Add the following code to it:

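# Puppet Server: configure it to connect to PuppetDB
node 'puppetserver.local' {
  class { '::puppetdb::master::config':
    puppetdb_server => 'puppetdb.local',
  }
}

# PuppetDB server: install PuppetDB and PostgreSQL
node 'puppetdb.local' {
  class { '::puppetdb':
    ssl_listen_address   => 'puppetdb.local',
    open_ssl_listen_port => true,
    postgres_version     => '9.6',
  }
}

# Required when other node blocks are defined
node default {}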

The node names must match whatever your Puppet Server and PuppetDB certnames are. If no certname is manually set in the /etc/puppetlabs/puppet/puppet.conf file, Puppet defaults to the FQDN, followed by the hostname.

Once you have done that, you’re all set. Run the following command on both servers:

sudo puppet agent -t

Make sure to run it on the PuppetDB server first, as it will install PostgreSQL and PuppetDB, set up the database and iptables, then start both the postgresql and puppetdb services.

Then run it on the Puppet Server, where it will install the new puppetdb-related packages and set up the config to connect to PuppetDB.

That’s it. Run the Puppet Agent command once more on each system to ensure that everything is running correctly (It should not show any errors or changes at this point).

Extra Notes

  • The puppet service is not started and enabled by default. Be sure to do this.
  • The node default {} is required in the site.pp if any other nodes are specified.
  • puppetlabs-puppetdb uses puppetlabs-firewall to manage PuppetDB firewall settings. puppetlabs-firewall ONLY uses iptables, so it’s best to disable or uninstall firewalld. You can also disable firewall management in puppetlabs-puppetdb if you want to manage it yourself. I will link the documentation below.
  • This blog assumes access to the internet and external YUM repositories. If you are mirroring or self-hosting repos, then make sure you are pulling in packages from the official PostgreSQL repos for the version you require. Same for the EPEL, Puppet, and CentOS/RedHat repositories.
  • This blog uses Puppet 5.x Platform, which requires PostgreSQL 9.6. These steps should also work with Puppet 4.7 and above (and the associated Puppet Server and PuppetDB versions) which require PostgreSQL 9.4. Please see the docs in the Resources section for more info.

Resources