Installing puppetdb


It just makes sense to use the puppet database (puppetdb) in your puppet environment. It stores the inventory facts about every node in your environment, and as this data can get big you need a good back-end database that can handle it. Here is how I installed puppet DB.

There are no special requirements for SELINUX when installing puppet DB. Keep SELINUX set to enforcing mode.

1. Install the puppet repo

rpm -Uvh
rpm -Uvh

2. Install the puppet agent and request a CSR

yum install puppet -y
puppet agent --test

3. Sign the puppet agent's CSR on the puppet master

puppet cert --list
puppet cert sign --

4. Install puppet DB on the puppet DB server

puppet resource package puppetdb ensure=latest

5. Install postgres

Install instructions taken from

vi /etc/yum.repos.d/CentOS-Base.repo

To the [base] and [updates] sections in /etc/yum.repos.d/CentOS-Base.repo, you need to append a line


Download and install the rpm repos for postgres

rpm -Uvh

yum list postgres*
yum install postgresql91-server -y

6. Start the postgres service and run at boot

service postgresql-9.1 initdb
service postgresql-9.1 start
chkconfig postgresql-9.1 on

7. Configure postgres

vi /var/lib/pgsql/9.1/data/postgresql.conf

listen_addresses = '*'
log_line_prefix = '%t %u %d'

8. Create the puppet DB

sudo -u postgres sh
cd /var/lib/puppetdb
createuser -DRSP puppetdb
createdb -O puppetdb puppetdb

9. Allow host access to the postgresql puppetdb database

vi /var/lib/pgsql/9.1/data/pg_hba.conf

local all all trust
host puppetdb puppetdb trust

• Comment out this line (near the end of pg_hba.conf)

#local all all peer

• Restart the postgres service

service postgresql-9.1 restart

• Test login

psql -h puppetdb puppetdb


psql -d puppetdb -U puppetdb -W
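As an added example, not from the original post, here is a small audit for the pg_hba.conf edited in step 9: it lists every entry whose method is trust, since those skip the password set with createuser -P in step 8. The pg_hba.conf it checks is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pg_hba.conf for 'trust' entries.
# Assumes the PostgreSQL 9.x pg_hba.conf format. 'trust' means postgres never asks for
# a password, so the one set with createuser -P in step 8 is never checked.

# Print each entry whose auth METHOD is 'trust', prefixed with its line number.
# Returns 1 if any were found, 0 otherwise.
pg_hba_trust_entries() {
    awk '
        /^[[:space:]]*(#|$)/ { next }      # skip blank lines and comments
        {
            sub(/#.*/, "")                  # drop a trailing comment (re-splits fields)
            if ($1 == "local") {
                method = $4                 # local DATABASE USER METHOD
            } else if ($1 ~ /^host/) {      # host|hostssl|hostnossl DATABASE USER ADDRESS METHOD
                # ADDRESS is one field (CIDR) or two (IP NETMASK, IPv4 or IPv6)
                method = ($5 ~ /^[0-9.]+$/ || index($5, ":") > 0) ? $6 : $5
            } else {
                next
            }
            if (method == "trust") { found++; print NR ": " $0 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Number of trust entries in the given pg_hba.conf.
count_trust_entries() {
    pg_hba_trust_entries "$1" | wc -l | tr -d ' '
}

# Write a constructed pg_hba.conf modelled on step 9 to the path in $1.
make_sample_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER      ADDRESS                   METHOD
local   all       all                                 trust
host    puppetdb  puppetdb  192.0.2.0/24              trust
host    puppetdb  puppetdb  192.0.2.0  255.255.255.0  md5
#local  all       all                                 peer
hostssl all       all       ::1/128                   md5  # IPv6 loopback
EOF
}

# Demo: audit the constructed sample.
sample=$(mktemp)
make_sample_pg_hba "$sample"
pg_hba_trust_entries "$sample" ||
    echo "WARNING: the entries above skip password checks; change trust to md5"
rm -f "$sample"
```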

10. Configure the puppetdb conf.d/config.ini file

vi /etc/puppetdb/conf.d/config.ini

Below is an example config.ini file

# See for more thorough explanations of each section and
# option.

[global]
# Store mq/db data in a custom directory
vardir = /var/lib/puppetdb

# Use an external log4j config file
logging-config = /etc/puppetdb/conf.d/../

# Maximum number of results that a resource query may return
resource-query-limit = 20000

[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //localhost:5432/puppetdb
username = puppetdb
password =

[jetty]
port = 8080

[command-processing]
# How many command-processing threads to use, defaults to (CPUs / 2)
# threads = 4

11. Start the puppetdb services

sudo puppet resource service puppetdb ensure=running enable=true

12. Open puppetdb port 8081 in iptables

Modify where necessary

iptables -I INPUT 5 -s -m tcp -p tcp --dport 8081 -j ACCEPT
iptables -I INPUT 6 -s -m tcp -p tcp --dport 8080 -j ACCEPT

service iptables save
service iptables restart

The second firewall rule (port 8080) is used to access the puppetdb dashboard.

13. Set up a puppet master to connect to puppetdb

• Run the following on each of your puppet masters:

sudo puppet resource package puppetdb-terminus ensure=latest

• Add this to /etc/puppet/puppetdb.conf. Note: you may have to create this file.

[main]
server =
port = 8081

• Add this to /etc/puppet/puppet.conf

[master]
storeconfigs = true
storeconfigs_backend = puppetdb

• Add this to /etc/puppet/routes.yaml. Note: you may have to create this file.

---
master:
  facts:
    terminus: puppetdb
    cache: yaml

14. Restart the puppet service on each puppet master

service httpd restart

15. Check in an agent and monitor the puppetdb logs

On the puppetdb server, monitor the puppetdb log

tail -f /var/log/puppetdb/puppetdb.log

On an agent run the following:

puppet agent --test

16. (Optional) Open up access to the puppet DB dashboard

To access the puppetdb dashboard, you need to make some configuration changes. Edit the following file

host =

Access the puppet DB dashboard using the following URL, changing the host name accordingly

Troubleshooting issue:

If puppetdb ports 8080 and 8081 are not listening after the puppetdb service has been started, and you see the following error in /var/log/puppetdb/puppetdb.log:

2013-02-26 19:40:43,327 ERROR [main] [puppetlabs.utils] Uncaught exception /etc/puppetdb/ssl/keystore.jks (No such file or directory)

Run the following command and reboot the server

sudo /usr/sbin/puppetdb-ssl-setup

This will create a keystore and truststore in /etc/puppetdb/ssl and will print the password to both files in /etc/puppetdb/ssl/puppetdb_keystore_pw.txt.
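Added example (not from the original post): detection for the failure above, run over a constructed puppetdb.log line, plus a check of what puppetdb-ssl-setup should have left in the ssl directory, including that the password file is readable by its owner only. The directory is a parameter so the check can be pointed at a test directory instead of /etc/puppetdb/ssl.

```shell
#!/bin/sh
# Added example (not from the original post): detect the missing-keystore failure above
# in a puppetdb.log and check what puppetdb-ssl-setup is expected to leave in the ssl dir.

# Print "missing-keystore" if the log contains the keystore error quoted above, else "ok".
puppetdb_log_ssl_status() {
    if grep -q 'keystore\.jks (No such file or directory)' "$1"; then
        echo "missing-keystore"
    else
        echo "ok"
    fi
}

# Check an ssl directory: keystore.jks, truststore.jks and puppetdb_keystore_pw.txt must
# exist, and the password file must be readable by its owner only (it unlocks both stores).
# Prints each finding; returns 1 if anything is wrong.
puppetdb_ssl_dir_check() {
    dir=$1 rc=0
    for f in keystore.jks truststore.jks puppetdb_keystore_pw.txt; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    pw="$dir/puppetdb_keystore_pw.txt"
    if [ -f "$pw" ]; then
        # GNU stat (Linux) first, BSD/macOS stat as fallback
        mode=$(stat -c %a "$pw" 2>/dev/null || stat -f %Lp "$pw")
        case $mode in
            *00) ;;                                   # e.g. 600 or 400: owner only
            *) echo "group/world readable: $pw (mode $mode)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Demo with a constructed log line (modelled on the error quoted above) and an empty dir.
log=$(mktemp); dir=$(mktemp -d)
echo '2013-02-26 19:40:43,327 ERROR [main] [puppetlabs.utils] Uncaught exception /etc/puppetdb/ssl/keystore.jks (No such file or directory)' > "$log"
echo "log status: $(puppetdb_log_ssl_status "$log")"
puppetdb_ssl_dir_check "$dir" || echo "-> run: sudo /usr/sbin/puppetdb-ssl-setup"
rm -rf "$log" "$dir"
```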


Installing a puppet master and ca server


Here are my install notes on how I set up my puppet server. Note: with EPEL 6.8, passenger is available via yum, which is a much better way to install it than using ruby gems.

1. Install EPEL and puppet repos

rpm -Uvh
rpm -ivh

2. Install required packages

yum install puppet-server puppet sudo mod_ssl rubygem-passenger mod_passenger policycoreutils-python vim rsync -y

3. Create a puppet CA cert

puppet master --no-daemonize --verbose

Press ctrl+c to break out of the puppet master daemon once it is running, i.e. when you see the following message:

Notice: Starting Puppet master version 3.x.x

4. Copy the example puppet virtual host config to /etc/httpd/conf.d/

cp /usr/share/puppet/ext/rack/files/apache2.conf /etc/httpd/conf.d/puppet-master.conf

5. Edit the puppet-master.conf file and update accordingly

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCertificateFile /var/lib/puppet/ssl/certs/
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem

    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1

    # The `ExportCertData` option is needed for agent certificate expiration warnings
    SSLOptions +StdEnvVars +ExportCertData

    # This header needs to be set if using a loadbalancer or proxy
    RequestHeader unset X-Forwarded-For
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmaster/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmaster/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

Note: the +SSLv3 in the SSLProtocol line above enables a protocol version that has since been broken (POODLE); on current systems drop it and allow TLS only.

6. Create rack directories

mkdir -p /usr/share/puppet/rack/puppetmaster/{public,tmp}

7. Copy rack file to rack web directory

cp /usr/share/puppet/ext/rack/files/

8. Change ownership of rack file to puppet

chown puppet:puppet /usr/share/puppet/rack/puppetmaster/

9. Set httpd to start on boot and puppet master to not start

chkconfig httpd on
chkconfig puppetmaster off

10. IPTABLES configuration

This is environment specific depending on the bridges you need to create to let the puppet master communicate to its various networks. Port 8140 needs to be open on the puppet master for each interface you have added, specifying the source networks and interface adapter as applicable. Below is an example taken from the UK Cressex LAB puppet master deployment. All IPTABLES information is covered later in the document under the configured puppet environments section.

Here is the content of /etc/sysconfig/iptables:

# Generated by iptables-save v1.4.

:OUTPUT ACCEPT [24:2304]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s -i eth0 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s -i eth1 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s -i eth2 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s -i eth3 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s -i eth4 -p tcp -m tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


You can add these rules following the example command below

iptables -I INPUT 6 -i eth1 -p tcp -s --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT

service iptables save

or by editing /etc/sysconfig/iptables and then running iptables-save and service iptables restart.

11. Start apache

service httpd start

12. Check that httpd is running and test connectivity

If everything is working correctly, you should see

The environment must be purely alphanumeric, not ''

Hope this helps some people. There are some more blogs I have written concerning how to install puppet DB, puppet dashboard and adding additional puppet masters.

Puppet integration with NetApp

I was looking at the puppet forge the other day and noticed that NetApp integrates with Puppet, which made me smile. Take a look here:

I have copied some of the readme notes. Here is an extract:

NetApp operations

As part of this module, there is a defined type called ‘netapp::vqe’, which can be used to create a volume, add a qtree and create an NFS export. An example of this is:

netapp::vqe { 'volume_name':
  ensure        => present,
  size          => '1t',
  aggr          => 'aggr2',
  spaceres      => 'volume',
  snapresv      => 20,
  autoincrement => true,
  persistent    => true,
}

This will create a NetApp volume called ‘v_volume_name’ with a qtree called ‘q_volume_name’. The volume will have an initial size of 1 Terabyte in Aggregate aggr2. The space reservation mode will be set to volume, and snapshot space reserve will be set to 20%. The volume will be able to auto increment, and the NFS export will be persistent. To be honest, that is awesome if you need to build up and automate say infrastructure deployments.

I have used many auto deployment tools in my time, but I have never seen such great adoption as I have with Puppet. This just proves it. Why is this? Well, I think the main reasons are that puppet is open source and it doesn't require you to lock yourself in with a particular product, i.e. it runs on CentOS, Windows, Ubuntu etc. It is also very flexible, and you code it in a way that doesn't require integration with the target node. So in the example, NetApp is completely unaware of puppet and needs no integration. This is because puppet can interact with the NetApp Manageability SDK Ruby libraries. How cool is that?

A great example of how good opensource can really be.

Hoorah to Puppet and NetApp!