Month: February 2013

Running multiple puppet masters


When running multiple puppet masters, you need to dedicate a single puppet master to be your CA server. If you are adding additional puppet master, there is some key config that needs to be set which disables the puppet CA functionality from running on the puppet master. Additionally, you need to set up a proxy pass to forward certificate requests to the puppet CA server. This is detailed below.

1. Install puppet agent and puppet master

Install the puppet and latest epel repo – note the epel repo below is now out of date.

rpm -Uvh
rpm -Uvh

Install the puppet agent and puppet master

yum install puppet puppet-server -y

2. Edit the puppet.conf file and turn off the puppet master from acting as a CA

vi /etc/puppet/puppet.conf

ca = false
ca_server =

3. Start the agent and create and sign the puppet master cert

• On the additional puppet master

puppet agent --test

• On puppet CA server

puppet cert sign --all

• On the puppet master

puppet agent --test

4. Configure iptables

iptables -I INPUT 5 -s -m tcp -p tcp --dport 8140 -j ACCEPT

service iptables save
service iptables restart

Note: If you are adding multiple bridges, assign the correct iptables rules to each vnic adapter and the the applicable source network address.

5. Install the required packages for the puppet master

yum install sudo mod_ssl rubygem-passenger 
mod_passenger policycoreutils-python rsync -y

6. Copy the example puppet virtual host config to /etc/httpd/conf.d/

cp /usr/share/puppet/ext/rack/files/apache2.conf 

7. Edit the puppet-master.conf file and update accordingly

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

SSLProxyEngine On
ProxyPassMatch ^/([^/]+/certificate.*)$$1

SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1

SSLCertificateFile /var/lib/puppet/ssl/certs/
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1

# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData

# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For

RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

DocumentRoot /usr/share/puppet/rack/puppetmaster/public/
RackBaseURI /

Options None
AllowOverride None
Order allow,deny
allow from all

Note: We are using the ProxyPassMatch. This is matching any inbound requests on /certificate and redirecting them to the puppet CA server. Change the config accordingly.

Note: As the puppet master you are building is not a CA server, note the SSLCertificateChainFile, SSLCACertificateFile, SSLCARevocationFile paths are different to a puppet master running the CA server. This reflects where the CA certs reside when the PM is not a CA server itself.

8. Create rack directories

mkdir -p /usr/share/puppet/rack/puppetmaster/{public,tmp}

9. Copy rack file to rack web directory

cp /usr/share/puppet/ext/rack/files/ /usr/share/puppet/rack/puppetmaster/

10. Change ownership of rack file to puppet

chown puppet:puppet /usr/share/puppet/rack/puppetmaster/

11. Set httpd to start on boot and puppet master to not start

chkconfig httpd on
chkconfig puppetmaster off

12. Set up a puppet master to connect to puppetdb

• Run the following on each of your puppet masters:

sudo puppet resource package puppetdb-terminus ensure=latest

• Add this to /etc/puppet/puppetdb.conf. Note: you may have to create this file.


server =
port = 8081

• Add this to /etc/puppet/puppet.conf


storeconfigs = true
storeconfigs_backend = puppetdb

• Add this to /etc/puppet/routes.yaml. Note: you may have to create this file.

terminus: puppetdb
cache: yaml

13. Enable puppet-dashboard reports on the puppet master

• Add to each puppet master in the puppet environment in /etc/puppet/puppet.conf:


reports = store, https, puppet_dashboard
reporturl = https:///reports/upload

14 Copy the following script to the puppet dashboard server and all the puppet masters

• Create /usr/lib/ruby/site_ruby/1.8/puppet/reports/https.rb with the following code

require 'puppet'
require 'net/http'
require 'net/https'
require 'uri'

Puppet::Reports.register_report(:https) do

desc <<-DESC
Send report information via HTTPS to the `reporturl`. Each host sends
its report as a YAML dump and this sends this YAML to a client via HTTPS POST.
The YAML is the `report` parameter of the request."

def process
url = URI.parse(Puppet[:reporturl].to_s)
http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

req =
req.body = self.to_yaml
req.content_type = "application/x-yaml"

http.start do |http|
response = http.request(req)
unless response.code == "200"
Puppet.err "Unable to submit report to #{Puppet[:reporturl].to_s} [#{response.code}] #{response.msg}"


• Remove the following file from the puppet dashboard and puppet masters


rm -f /usr/lib/ruby/site_ruby/1.8/puppet/reports/http.rb

15 Edit the auth.conf file on each puppet master so inventory can pick up facts.

vim /etc/puppet/auth.conf

path /facts
method find
auth any
allow *

path /inventory
auth any
method search, find
allow dashboard

# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is deny everything else

path /
auth any

Note: The config for /facts and /inventory must go above the config for `path /` – otherwise you may get an access forbidden 404 error message when running the inventory service on puppet-dashboard.