Puppet Courselinuxacademy


installations and services

./puppet-enterprise-installer -a filewithresponses
this use a file to respond to the questions, but you need to have all the responses in the filewithresponses

-A instead if you want provide a file with some of responses but still you want response to some of the question in an interactive way

if you receive an url like http:// but without the dns name meanst there is a problem to reach localhost or a problem in the fully qualified domain

pe-activemq = messages service from mcollective service
pe-mcollective = this is a orchestration service, do actions based on the received messages

pe-puppet-dashboard-workers is a service for trobleshouting on the workers
pe-memcache only for puppet enterprise with dashboard

/opt/puppet/share/installer/answers for the answers files

cd /etc/puppetlabs/license.key


install puppet enterprise agent
curl -k https://puppetentrpise.name.com:8140/packages/current/install.bash | bash

for test the puppet agent
puppet agent -t

show all the certificate
puppet cert list -a

what a node do during the first connection before apply the catalog choosen for its is a convergenze
convergenze does this things:

  • connect to puppet master
  • receive the compile catalog of the configuration policies
  • download into the agent
  • enforce the policies defined

puppet agent —server mypuppetserver.mycompany.com

configuration for enterprise

configuration for opensource

logs you can find in the general centos


RAL and commands

RAL (Resource Abstraction Layer) contributes to Puppet's ability to take a description of a resource and implement it using providers

puppet resource [type] [name]

puppet resource user giuseppe
user { 'giuseppe':
  ensure  => 'present',
  comment => 'Giuseppe,,,',
  gid     => '1001',
  groups  => ['adm', 'cdrom', 'sudo', 'dip', 'plugdev', 'lpadmin', 'sambashare'],
  home    => '/home/giuseppe',
  shell   => '/usr/bin/fish',
  uid     => '1001',
puppet resource package | head -10
package { 'PAM':
  ensure => '0.4.2',
package { 'Pillow':
  ensure => '2.3.0',

short version of describe -s

 puppet describe -s


facter | grep memory
memoryfree => 6.22 GB
memoryfree_mb => 6371.13 
memorysize => 7.69 GB 
memorysize_mb => 7876.33
memorytotal => 7.69 GB
facter memorytotal
 facter hostname

we can use like variables
if the memory is less than install a package ecc
if the osFamily is redhad use yum like provider



  • [main]
  • [master]
  • [agent]
  • [user] : this is for the puppet apply command

a certname setting located in [main] if defined in the [master] section will be over written by the certname in the [master] section for the puppet master

to apply changes at the puppet.conf a restart to the pe-puppet service is required

variable interpolation

use and initialize

use like

we can use different environment for test/dev/production


  • noop : only simulation
  • priority: set the agent with the priority using nice, we don't want remove cpu to a database to run puppet
  • report: default true
  • usecacheonfailure: if the process fail fall back to the last catalogs
  • runinterval : how often check the master
  • waitforcer : keep trying to run puppet agent if the certificate is not initially available

it is possible configurare this settings from the command line

puppet config set report false --section agent

this will write in the conf file but it will not check the syntax so be careful

Live Management

inside the console
you can search filtering:

  • class assigned to the node
  • facter

the facter can be the hostname , and it is possible use regex like hostname = anthony? one charapter

Module Structure & Class Naming

cd module
mkdir localusers
mkdir {manifest,files,template,test}
cd manifest
nano init.pp

mkdir groups
cd groups
nano wheel.pp
class localusers::groups:whell {


nano finance.pp

puppet parser validate wheell.pp

DSL Overview

managedhome = if it is not exist will create and is the ensure=absent
password hash is the /etc/shadow

to do a good test
puppet apply —debug —noop

if statements

if condiction {
} elsif condiction {
} else {

negative if

negative if = Unless

Unless $memorytotal > 1024 {
    $maxclient = 300

Dependency metaparameter

  • require and before are for the same purpose but to apply to opposite direction, in the same way
  • subscribe and notify

Common Resource Types: metaparameters

  • schedule : create a window of time for the resource to be managed
  • alias: creates an alias for the resource name
  • audit: check if the resource is modified since the last puppet run
  • noop: avoid the resoure is execute, it is not necessary remove or comment
  • loglevel: 9 levels from debug to verbose
  • tag: tag resource and for example if is datacenter A use the resource tagged or not.

Conditional Statements

case to select a service

case $osfamily {
    'RedHat': { $ssh_name = 'sshd'}
    'Debian': { $ssh_name = 'sshd'}
    default: { fail('Os not support by puppet module ssh') }

service { 'ssh-service':
    name   => $ssh_name,
    ensure => running,
    enable => true,    

case with package

$dsnutil = $osfamiliy ? {
    'RedHat' => 'bind-utils',
    'Debian' => 'dnsutils',

package { $dsnutil:
    ensure => present,

if with regex
anything start with anthony and has a digit/s

if $::hostname =~ /^anthony {
    notice ( "you have arrived at server $0 ")

$0 will evaluate everything is evaluate in the if expression in the case the hostname of the machine

download the agent from the master

curl -k https://puppetmasterfullyqualifiedname:8140/packages/current/install.bash | sudo bash

alias metaparameters

file { '/etc/ssh/sshd_config':
    ensure => file,
    source => 'pupppet:///modules/base/ssh_config',
    notify => Service['ssh-service-name-two'],


service { 'ssh-service':
    name => $ssh_name,
    ensure => running,
    alias => 'ssh-service-name-two',
    enable => true,


$systemupdate = $osfamily ? {
    'Redhat' => '/usr/bin/yum update -y',
    'Debian' => '/usr/bin/apt-get upgrade -y'

schedule { 'system-daily':
    period => daily,
    range => '00:00 - 01:00',

exec { $systemupdate:
    schedule => 'system-daily',

it runs daily if the puppet agent runs in the period indicated

Variables, Parametrization, And Scope

all the file resource created if

File {
owner => 'root',
group => 'finance',
mode => '600',

$homedir = "/root"
$content = "my file content"

file { "${homedir}/myfile.txt":
content => $content,

Variable can't be reassign in the same scope, but it can be in a different scope

$var = "hello"
$variable = '$var world'

will produce
$var world

$variable = "$var world"

will produce
hello world


$var= ['item1','item2']
$var += ['item3']

will produce


  • Class scope
  • Node scope
  • Top scope

Puppet evaluate in this order class => node => top
facts are top scope ::osfamily

if you declare a variable inside site.pp not in a class or node definition is a top scope variable.

nano site.pp

mytopscopevariable="top scope val"

nano init.pp

class test {
    mytopscopevariable="class scope val"
    notify {" ${mytopscopevariable}":}

this will be print "class scope val"

instead if you specify the ::
nano init.pp

class test {
    mytopscopevariable="class scope val"
    notify {" ${::mytopscopevariable}":}

this will be print "top scope val"

to access variable to another class use the following

name => $base::params:ssh_name

this access to the variable called ssh_name in the class params of the module base


from https://docs.puppetlabs.com/puppet/latest/reference/lang_classes.html#inheritance

class apache {
  service {'apache':
    require => Package['httpd'],

class apache::ssl inherits apache {
  # host certificate is required for SSL to function
  Service['apache'] {
    require +> [ File['apache.pem'], File['httpd.conf'] ],
    # Since `require` will retain its previous values, this is equivalent to:
    # require => [ Package['httpd'], File['apache.pem'], File['httpd.conf'] ],


define functions return true or false if something exist or no

if defined(Service['httpd']) {
    notify {'the service resource type has been defined':}

file: returns contents of a file from the server
generate: returns the result of a run shell command
regsubst : $var= regsubst($string,'regex to evaluate here') , it returns the string elaborated by the regex
sha1 : returns the sha1 hash value from a string



 - yaml
 - defaults:

it search beofre the .yaml files inside the
/var/lib/hiera (or on windows %CommondAppData%\Puppetlabs\hiera\var)
using the order defined clientcert, environment, osfamily
if it doesnt' find nothing pass to json

it is possible specify also other fact or fully dns

with the :datadir: you can change the default /var/lib/hiera directory

hiera functions

  • hiera: priority lookup, it grab the first matching value using the hierarchy
  • hiera_array: all the possible match of data, combined in an array, hierarchy order
  • hiera_hash: similar to array but merged in a single value

on puppet master
cd /etc/puppetlabs/puppet
mkdir hieradata
cd hieradata
mkdir node
cd /etc/puppetlabs/puppet
nano hiera.yaml

 - yaml
 - "%{environment}"
 - common
    :datadir: /etc/puppetlabs/puppet/hieradata

cd hieradata
touch production.yaml
touch development.yaml
puppet config print certname

  1. print the certificate to use in the name

cd node
nano giuseppe.mylabtest.com

domain_name: giuseppe.mylabtest.com
api_key: giuseppe1_api1_key

nano common.yaml

domain_name: commondomain.mylabtest.com
api_key: common_key

nano development.yaml

domain_name: dev.mylabtest.com
api_key: dev_key

nano production.yaml

domain_name: prod.mylabtest.com
api_key: prod_key

we can test using the command line

hiera domain_name client_name=giuseppe.mylabtest.com

or use
[[hiera domain_name environment=random

or we can simulate a fact
vim redhat.com
domain_name: redhat.mydomain.com
api_key: redhat_apykey

to test
hiera domain_name ::osfamily=redhat
hiera domain_name ::osfamily=debian
#because there is no debian.yaml so the common is taken

if I remove from redhat.yaml the line with the domain name
the value of common is taken

Site.pp and Node Definition Matching

  1. webserver01.mylabserver.com (exact node before regular expression after)
  2. webserver01.mylabserver (exact node before regular expression after)
  3. webserver01 (exact node before regular expression after)
  4. default node (exact node before regular expression after)

if one node match multiple regular expression , puppet pick up one but it is not guarantee which

External Node Classifiers

if you have a node that match the site.pp and the ENC a merge will performed

if a class or a module is available in the puppet master doens't mean it is also available in the console, we need to enable

If we declare a class two times in the console and also in the site.pp we will have a runtime error, we should use instead include

If you define a variable in the node scope refer by site.pp and you have also a variable in the console, the node scope is a top level scope so it overwrite the console scope.
If we define outside the node scope inside the general site.pp file we will have an error because it is the same scope and it is not possible define a variable two times.


all the name for puppet master

how to fix from failed install

  • fix configuration issue
  • run puppet-enterprise-unistaller
  • install again

add the command prune (a rake task) in cron to clean the reports monthly

the best way to resolve the problem related to the dashboard is restart the service

pe-puppet-dashboard-worker service


you need to popolate the file metadata.json autocreated when the module generate is used, this file contains basic module info and dependecies
modulefile is the old required and it was replaced by metadata.json

Deactivate a node

  1. stop the agent on the node
  2. deactivate the node on the master, this is the only way to have the license back puppet node deactivate <certname> , this can require also 24 hours for cache
  3. revoke the cert on the master puppet cert clean
  4. restart the service pe-puppetserver restart after clean the cert
  5. delete the node on the console
  6. stop the mcollective node service
  7. remove the mcollective certificate from the node rm -rf /etc/puppetlabs/mcollective/ssl


puppet config print certname

if there are two different values in the main and master section for example the most recent file will be used
puppet config print certname --section master

this instead print the value in the indicated section
rm -rf $(puppet master --configprint ssldir)

to clean the configuration directory
or for the client
rm -rf $(puppet config print ssldir)

print all the user

puppet resource user

start the service

puppet resource service ensure=running

install a package if is not present

puppet resource package ensure=present

Resource Type Titles

  • puppet parser validate , check syntax { or , but not for example if you write filee instead of file or if write ensuuure instead ensure
  • you can't manage a resource two times , you can't have two file with the same name BUT
  • you can have a package { 'motd'} and a file { 'motd'} because they are different type
  • puppet is case sensitive, file {'motd'} is different from file file {'Motd'} so you can use in the same class/node
Salvo diversa indicazione, il contenuto di questa pagina è sotto licenza Creative Commons Attribution-ShareAlike 3.0 License