HowTo Install Puppet Server on Debian Bullseye
Introduction
Puppet Server is an essential tool in the realm of IT automation. It enables system administrators to manage the configuration of their systems, ensuring consistency and reliability across their infrastructure. Keeping Puppet Server updated is crucial as each new version brings improvements, new features, and security fixes that help maintain an efficient and secure environment.
Prerequisites
Before we dive into the installation process, there are a few prerequisites to check:
- A system running Debian Bullseye. You can check your Debian version by opening your terminal and typing lsb_release -a.
- Sufficient system resources. The latest version of Puppet Server requires at least 2GB of RAM and a modern processor. Check your system’s resources by using the free -m and lscpu commands respectively.
- Root or sudo access. The installation process requires administrative privileges. Make sure you have these permissions by typing sudo -v.
Step-by-step Guide to Install the Latest Version of Puppet Server
Step 1: Update System Packages
First, update your system packages by running the following command:
sudo apt-get update && sudo apt-get upgrade -y
Step 2: Add Puppet Repository
Next, add the Puppet repository to your system:
wget https://apt.puppetlabs.com/puppet-release-bullseye.deb
sudo dpkg -i puppet-release-bullseye.deb
sudo apt-get update
Step 3: Install Puppet Server
Now, you can install Puppet Server:
sudo apt-get install puppetserver
Step 4: Configure Puppet Server
Edit the Puppet Server configuration file to specify the amount of RAM for the server:
sudo nano /etc/default/puppetserver
In the line that starts with JAVA_ARGS, change the -Xms2g -Xmx2g values to the amount of RAM you can dedicate to your puppetserver.
Step 5: Start and Enable Puppet Server
Finally, start and enable Puppet Server:
sudo systemctl start puppetserver
sudo systemctl enable puppetserver
Step 6: Installing and Using r10k (optional)
r10k is a code management tool for Puppet. It allows you to manage your environment configurations, such as production, testing, and development, in a source control repository and automatically install modules from the forge on your Puppet Server.
To install r10k, run:
sudo /opt/puppetlabs/puppet/bin/gem install r10k
To use r10k, you’ll need to create a Puppetfile which describes the modules you want to use, and then use r10k to deploy them with the following command:
sudo r10k puppetfile install
Step 7: Installing and Using eyaml (optional)
eyaml is a Puppet ENC (External Node Classifier) that allows you to store encrypted data in your Puppet code.
To install eyaml, run:
sudo /opt/puppetlabs/puppet/bin/gem install hiera-eyaml
To use eyaml, you’ll need to create keys, encrypt your data, and then you can use it in your Puppet code.
Creating Keys for eyaml
Before you can start encrypting your data with eyaml, you need to create a pair of keys. Here’s how you can do it:
cd /etc/puppetlabs/puppet
sudo eyaml createkeys
This will create a pair of keys, a public key (public_key.pkcs7.pem) and a private key (private_key.pkcs7.pem), in the /etc/puppetlabs/puppet/keys directory. The public key will be used to encrypt data, and the private key will be used to decrypt it.
Encrypting and Storing Sensitive Data
Let’s say you have a password that you want to encrypt and use in your Puppet code. Here’s how you can do it:
Encrypt the password:
eyaml encrypt -s 'mysecretpassword'
This will output an encrypted block that looks something like this:
ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALs1gZEHuetdVTxR3H9Vz3vG6RZ4VQZ4Fee2y2A7s5O6bqQj3u4q9f8W3Z4V]
Use the encrypted password in your Puppet code:
You can use the encrypted password in your Puppet code like this:
$user_password = lookup('user::password')
user { 'myuser':
  ensure   => present,
  password => $user_password,
}
In your Hiera data, you would have something like this:
user::password: >
  ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALs1gZEHuetdVTxR3H9Vz3vG6RZ4VQZ4Fee2y2A7s5O6bqQj3u4q9f8W3Z4V]
This way, the sensitive data is safely encrypted and can be pushed to a repository.
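Before pushing Hiera data, it is worth checking that every secret-looking key really holds an ENC[...] value. The following check is an added example, not part of the original guide; the key-name patterns, the function names and the sample data are assumptions, and only top-level keys are inspected.

```shell
#!/bin/sh
# find_plaintext_secrets <hiera-file>...
# Print "file:line: key" for each top-level key whose name suggests a secret
# but whose value is not an ENC[...] block; return 1 if any were found.
find_plaintext_secrets() {
    status=0
    for f in "$@"; do
        awk -v file="$f" '
        # Previous key opened a block scalar (> or |): judge its first line.
        pending && /^[ \t]*$/ { next }
        pending {
            if ($0 !~ /^[ \t]+ENC\[/) { print file ":" kline ": " key; bad = 1 }
            pending = 0
        }
        # Top-level "key: value"; the key ends at the first ":" followed by
        # whitespace or end of line, so "user::password" stays whole.
        /^[^ \t#-]/ && match($0, /:([ \t]|$)/) {
            key = substr($0, 1, RSTART - 1)
            val = substr($0, RSTART + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) !~ /pass|secret|token|private/) next
            if (val ~ /^[>|][+-]?$/) { pending = 1; kline = FNR; next }
            # Inline value, optionally preceded by one quote character.
            if (val !~ /^.?ENC\[/) { print file ":" FNR ": " key; bad = 1 }
        }
        END { if (pending) { print file ":" kline ": " key; bad = 1 }
              exit (bad ? 1 : 0) }
        ' "$f" || status=1
    done
    return "$status"
}

# Constructed sample data (the ENC payloads are shortened placeholders).
sample_hiera() {
    cat <<'EOF'
---
user::password: >
  ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIB...]
db::password: hunter2
api::token: "ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIB...]"
ntp::servers: pool.example.org
EOF
}
```

Run it over the data files of a control repository, for example from a pre-commit hook, and refuse the commit when it returns non-zero.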
Remember to keep your private key safe and secure. If it’s compromised, anyone can decrypt your data. Also, make sure to back it up. If you lose it, you won’t be able to decrypt your data.
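Keeping the private key safe starts with file ownership and permissions. The audit below is an added example, not part of the original guide; the function name and the service account name "puppet" are assumptions.

```shell
#!/bin/sh
# audit_eyaml_keys <keys_dir> <expected_owner>
# The private key and its directory must belong to the expected account and
# carry no group/other permission bits. Returns 0 if clean, 1 on a finding,
# 2 if the private key is missing.
audit_eyaml_keys() {
    keys_dir=$1
    owner=$2
    priv="$keys_dir/private_key.pkcs7.pem"
    rc=0

    if [ ! -f "$priv" ]; then
        echo "MISSING: $priv"
        return 2
    fi

    for path in "$keys_dir" "$priv"; do
        # ls -ld prints e.g. "-r-------- 1 puppet puppet ... <path>"
        listing=$(ls -ld "$path")
        mode=$(printf '%s\n' "$listing" | cut -c5-10)    # group + other bits
        actual=$(printf '%s\n' "$listing" | awk '{print $3}')
        if [ "$mode" != "------" ]; then
            echo "FAIL: $path is accessible to group/other ($mode)"
            rc=1
        fi
        if [ "$actual" != "$owner" ]; then
            echo "FAIL: $path is owned by $actual, expected $owner"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $keys_dir"; fi
    return "$rc"
}

# Tightening that satisfies the audit on the server from this guide
# (assumes the service account is "puppet"; run as root):
#   chown -R puppet:puppet /etc/puppetlabs/puppet/keys
#   chmod 0500 /etc/puppetlabs/puppet/keys
#   chmod 0400 /etc/puppetlabs/puppet/keys/*.pem
#   audit_eyaml_keys /etc/puppetlabs/puppet/keys puppet
```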
Verifying the Installation
You can check that Puppet Server, r10k, and eyaml are installed, and see their versions, by running:
puppetserver --version
r10k version
eyaml version
Installing Puppet Agent and Connecting to Puppet Server
Puppet Agent is the client-side tool which handles the application of configurations compiled on the Puppet Server.
To install Puppet Agent on another machine, run:
wget https://apt.puppetlabs.com/puppet-release-bullseye.deb
sudo dpkg -i puppet-release-bullseye.deb
sudo apt-get update
sudo apt-get install puppet-agent
To connect the Puppet Agent to the Puppet Server, follow these steps:
Configure your PATH to access Puppet commands:
export PATH=/opt/puppetlabs/bin:$PATH
Configure the server setting by editing the puppet.conf file:
sudo nano /etc/puppetlabs/puppet/puppet.conf
Add the following lines:
[main]
server = <your-puppet-server-hostname>
Replace
Connect the agent to the primary server and sign the certificate
On the Puppet Agent machine, run:
sudo puppet agent --test
This will create a certificate signing request (CSR) which is sent to the Puppet Server.
On the Puppet Server
sudo puppetserver ca list
Sign the CSR for your Puppet Agent:
sudo puppetserver ca sign --certname <your-puppet-agent-hostname>
Replace
Now, your Puppet Agent should be connected to the Puppet Server.
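Signing a CSR tells the CA to trust whoever sent it, so compare the fingerprint the agent reports (sudo puppet agent --fingerprint) with the one shown by puppetserver ca list before signing. The helper below is an added example, not part of the original guide; the function names, hostnames and fingerprints are constructed, and the listing layout is an assumption about the puppetserver ca list output.

```shell
#!/bin/sh
# Constructed fingerprints and listing. Assumed layout of each pending entry:
#   "    <certname>   (SHA256)  <fingerprint>[<TAB>extras]"
FP_WEB01="1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09"
FP_DB01="00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"

sample_ca_list() {
    printf 'Requested Certificates:\n'
    printf '    web01.example.com       (SHA256)  %s\n' "$FP_WEB01"
    printf '    db01.example.com        (SHA256)  %s\talt names: ["DNS:db01.example.com"]\n' "$FP_DB01"
}

# pending_fingerprint <certname>: read the listing on stdin and print the
# SHA256 fingerprint of the pending request with exactly that certname.
pending_fingerprint() {
    awk -v name="$1" '
        $1 == name && $2 == "(SHA256)" { print $3; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# csr_matches <certname> <fingerprint-from-agent>: succeed only if the
# pending request carries the fingerprint the agent reported.
# Returns 1 on mismatch, 2 if no request is pending for that certname.
csr_matches() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    got=$(pending_fingerprint "$1") || {
        echo "no pending request for $1"
        return 2
    }
    if [ "$got" = "$want" ]; then
        echo "match: $1"
    else
        echo "MISMATCH for $1: server has $got"
        return 1
    fi
}

# On the Puppet Server, with FP copied from the agent over a trusted channel:
#   sudo puppetserver ca list | csr_matches web01.example.com "$FP" \
#     && sudo puppetserver ca sign --certname web01.example.com
```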
Conclusion
In this guide, we’ve walked through the process of installing the latest version of Puppet Server on Debian Bullseye, along with the installation and usage of r10k and eyaml. We’ve also covered how to install and connect a Puppet Agent to the Puppet Server. Keeping your Puppet Server and its components updated is crucial for maintaining an efficient and secure IT environment. Happy automating!