How to Configure Puppet on Ubuntu Xenial

Puppet Overview

Puppet is a configuration management tool which helps in the automation of tasks with respect to system administrators. It helps system administrators automate the provisioning, configuration and management of a server infrastructure.

Puppet comes in two varieties, Puppet Enterprise and open source Puppet. Both of them run on most Linux distributions, various UNIX platforms, and Windows.


  • You have an account and are logged into
  • You have configured your SSH Key
  • You have sudo privileges or access to the root user
  • One Puppet master. The Puppet master will run Puppet Server, which is resource intensive and requires:
    • at least 4GB of memory
    • at least 2 CPU cores
  • Two Puppet agent nodes

Configuring /etc/hosts

Puppet master server and the puppet agents nodes need to be able to communicate with each other.

1 . On each machine, edit the /etc/hosts file.

nano /etc/hosts

2 . Specify the Puppet master server as follows, substituting the IP address for your Puppet master.

puppet_ip_address    puppet

3 . Save and exit.

Note: By default, Puppet agents will look for the Puppet master at puppet to make it easier to get Puppet set up. This means we must use the name puppet in /etc/hosts. Otherwise, you need to configure the server value in the agent’s puppet.conf.

Installing Puppet Server

Puppet Server is the software that pushes configuration from the Puppet master to the other servers. It runs only on the Puppet master; the other hosts will run the Puppet Agent.

1 . Enable the official Puppet Labs collection repository

curl -O
dpkg -i puppetlabs-release-pc1-xenial.deb
apt-get update

2 . Install the puppet server package

apt-get install puppetserver

(Optional) Configuring Memory Allocation

By default, Puppet Server is configured to use 2 GB of RAM. You can customize this setting based on how much free memory the master server has and how many agent nodes it will manage.

To customize it:

1 . Open /etc/default/puppetserver:

sudo nano /etc/default/puppetserver

2 . Find the JAVA_ARGS line, and use the -Xms and -Xmx parameters to set the memory allocation. We’ll increase ours to 3 gigabytes:

JAVA_ARGS="-Xms3g -Xmx3g -XX:MaxPermSize=256m"

3 . Save and exit

Opening the Firewall

1 . Ensure that port 8140 is open for the Puppet server to communicate.

ufw allow 8140

2 . To activate the updated configuration, reload ufw

sudo ufw reload

Starting Puppet Server

1 . Start the puppet server. It takes time to complete.

systemctl start puppetserver

2 . Verify that the installation is successful

systemctl status puppetserver

which returns

● puppetserver.service - puppetserver Service
   Loaded: loaded (/lib/systemd/system/puppetserver.service; disabled; vendo
   Active: active (running) since Fri 2018-08-10 10:00:56 UTC; 28s ago
  Process: 32404 ExecStart=/opt/puppetlabs/server/apps/puppetserver/bin/pupp
 Main PID: 32414 (java)
   CGroup: /system.slice/puppetserver.service
           └─32414 /usr/bin/java -Xms3g -Xmx3g -XX:MaxPermSize=256m -Djava.s

Aug 10 09:59:55 puppet-master systemd[1]: Starting puppetserver Service...
Aug 10 09:59:55 puppet-master puppetserver[32404]: OpenJDK 64-Bit Server VM
Aug 10 10:00:56 puppet-master systemd[1]: Started puppetserver Service.

3 . Configure your puppet server to start at boot

systemctl enable puppetserver

With the server running, now we’re ready to set up Puppet Agent on our two agent machines.

Installing the Puppet Agent

The Puppet agent software must be installed on any server that the Puppet master will manage. In most cases, this will include every server in your infrastructure. In our case, it will be installed on the two puppet agents.

Installing the Puppet Agent Package

1 . Enable the official Puppet Labs collection repository

sudo dpkg -i puppetlabs-release-pc1-xenial.deb
sudo apt-get update

2 . Install the puppet-agent Package

sudo apt-get install puppet-agent

3 . Enable the puppet agent to start on boot

systemctl start puppet
systemctl enable puppet

If it has not be done already, make sure you repeat these steps on every puppet agent.

Signing Certificates on Puppet Master

1 . List all unsigned certificate requests on the puppet master

sudo /opt/puppetlabs/bin/puppet cert list

which returns

"" (SHA256) 2C:82:B1:9E:59:2F:C6:5F:B9:EB:31:E4:E8:C5:4E:43:1C:D2:63:68:66:71:1E:45:0C:7D:BF:F1:6D:AA:4C:A0
"" (SHA256) F3:0E:94:5F:3D:43:FD:C5:16:2E:D0:6D:9C:13:01:3E:28:95:E1:7E:2A:58:4B:FE:B6:7E:4B:61:EE:6B:66:5A

A + in front of a certificate indicates it has been signed. The absence of a plus sign indicates our new certificate has not been signed yet.

2 . Sign puppet-agent1 certificate using the puppet cert sign subcommand and the hostname of the certificate as it is displayed in the certificate request

sudo /opt/puppetlabs/bin/puppet cert sign

which returns

Notice: Signed certificate request for
Notice: Removing file Puppet::SSL::CertificateRequest at '/etc/puppetlabs/puppet/ssl/ca/requests/'

Repeat the process for the puppet-agent2.

The Puppet master can now communicate and control the node that the signed certificate belongs to.

Note: You can use the --all option to sign the remaining certificate: sudo /opt/puppetlabs/bin/puppet cert sign --all

Verifying the Installation

Puppet uses a domain-specific language to describe system configurations, and these descriptions are saved to files called “manifests”, which have a .pp file extension. To learn more about manifests, refer to Puppet official documentation.

We’ll create a brief directive to verify that the Puppet Server can manage the Agents as expected.

1 . Create a default manifest (we’ll use testsite.pp)

sudo nano /etc/puppetlabs/code/environments/production/manifests/testsite.pp

2 . Create a file called it_works.txt on agent nodes located in the tmp directory which contains the public IP address of the agent server

file {'/tmp/it_works.txt':                        # resource type file and filename
  ensure  => present,                             # make sure it exists
  mode    => '0644',                              # file permissions
  content => "It works on ${ipaddress_eth0}!\n",  # Print the eth0 IP fact

By default Puppet Server runs the commands in its manifests every 30 minutes. If the file is removed, the ensure option recreates it. The mode directive will set the file permissions, and the content directive add content to the directive.

3 . Apply the manifest on your puppet-agent1

/opt/puppetlabs/bin/puppet agent --test

which returns

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for
Info: Applying configuration version '1534164688'
Notice: Applied catalog in 0.04 seconds

4 . Check the file contents

nano /tmp/it_works.txt

which returns

It works on ip_adress!

What's next ?

If you want to learn more about Puppet, check out how to install and configure Foreman on ubuntu xenial.

Discover the Cloud That Makes Sense