Skip navigation.

Puppet Tutorial for Linux part 2: Client and Server

Puppet tutorial series

In Part 1 of this Puppet tutorial we saw how to install Puppet on a Linux machine from source, and create a basic manifest which controls the NTP service. In this episode we’ll cover setting up a Puppet server and then using it to control multiple client machines.

Installing servers with Puppet

In the first part of the tutorial, we installed Puppet directly from the source. This is a great way to learn and experiment, but for production purposes we would like to use a standard package - in this case, an Ubuntu package we can install via apt-get. This way, you can ensure that the same version of Puppet is present on your servers and update it automatically if need be. The Ubuntu package also has a few bonus features that the source package doesn’t.

If you want to follow along with the tutorial using your existing Puppet source install, that’s fine. It’s a good idea to make sure you’re using the same version of Puppet on both client and server, or you may run into obscure and annoying problems, so either install from the same source package on your client machine, or set up two fresh machines with the Ubuntu package as described below.

The version of Puppet in the standard Ubuntu repositories is a little old, so add Mathias Gug’s puppet-backports repository to your machine so that you can get a more recent version:

# add-apt-repository ppa:mathiaz/puppet-backports
# apt-get update
# apt-get install puppet puppetmaster

You can now start the Puppetmaster daemon and make the service persistent:

# update-rc.d puppetmaster defaults
# puppet master --mkusers

If there is a firewall between the Puppetmaster and its clients (eg an iptables firewall on the Puppetmaster server itself) you will need to open TCP port 8140 to the clients.

Create a client manifest

In Part 1 of the Puppet Tutorial we created a file /etc/puppet/manifests/nodes.pp, which lists the nodes (machines) that Puppet knows about, and what configuration they should have. Currently it looks like this:

node myserver {
    include ntp

As we’re adding a new node to the system, we need to modify the file so that it reads like this:

node myserver {
    include ntp

node myclient {
    include ntp

Authorising a client

Puppet uses SSL (Secure Sockets Layer), an encrypted protocol, to communicate between master and clients. This means that only a client with a correctly signed SSL certificate can access the Puppetmaster and receive its configuration. To exchange certificates between the master and client, follow this procedure.

Configuring the client to contact the server

Edit your /etc/puppet/puppet.conf file to tell the client where to find the Puppetmaster:

server =

Generate a certificate request

On the client, run:

# puppet agent --test
info: Creating a new certificate request for
info: Creating a new SSL key at /etc/puppet/ssl/private_keys/
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
notice: Set to run 'one time'; exiting with no certificate

Sign the certificate

On the master:

# puppetca -l

There is a certificate request pending for myclient. To sign it, run:

# puppetca -s
notice: Signed certificate request for
notice: Removing file Puppet::SSL::CertificateRequest at 

If there is no certificate request listed, the client was not able to contact the server for some reason. Check that you have the right server address set in puppet.conf on the client, and that TCP port 8140 is open on both the master and client firewalls. The puppet master daemon also needs to be running on the master.

Run Puppet for the first time

On the client, you should now be able to run:

# puppet agent --test
notice: Got signed certificate
info: Caching catalog at /var/puppet/state/localconfig.yaml
notice: Starting catalog run
notice: //ntp/Service[ntp]/ensure: ensure changed 'stopped' to 'running'
notice: Finished catalog run in 0.92 seconds

Just as on the server in the first part of the tutorial, Puppet is now applying the ntp class to myclient. At the moment all this class does is ensure the ntp service is running, but of course it could do many more interesting things. And that’s what we’ll look at next time in Part 3.

Puppet books

If you’re excited about Puppet and want to learn more, may I modestly recommend the Puppet 2.7 Cookbook? The Puppet 2.7 Cookbook takes you beyond the basics to explore the full power of Puppet, showing you in detail how to tackle a variety of real-world problems and applications. At every step it shows you exactly what commands you need to type, and includes full code samples for every recipe.

Docs project?

Hi this is great stuff … perhaps you’d like to contribute to our docs project (

All of our content is in git and it would be pretty easy to get this kind of thing merged in … we can definitely use some more talented folks helping improve the core docs — there is some tutorial content already but I’m sure it can be made better.

If you’d like some more details, shoot me an email — michael @


puppet configuration


I have configured puppet on centos for testing purpose. server is working fine. but getting error at the time of connect from client. Please help me. I got following error

[root@manoj puppet]# puppet agent –test
err: Could not retrieve catalog from remote server: Connection refused – connect(2)
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
[root@manoj puppet]# puppet agent –test –server=
err: Could not retrieve catalog from remote server: Connection refused – connect(2)
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Need help on setting up Centralized Server using Puppet

Dear John,

Thank you for such a nice article. I am seriously thinking of using Puppet for my work.

Here is my problem in brief , could you please help me with my confusion.

The entire set up is in INTRANET.

I am working on SuSe Linux Platform. Some times ago i got an issue with an application for which i had to update that in all desktops (SLED == SuSe Linux Desktop).

Since this time number of desktops were less then it was possible to go and update package manually. But in coming days the number of desktops are going to be large around 1000.

So my concern over here is as follows.

1) I want to develop something by which user @ each desktop will run
command and it will list out the packages to be updated.

2) Or something like i can push the updates seamlessly to all desktops.

One thing which i am thinking is to write a shell script on central server , which will get into all desktops one-by-one and run the update command through SSH. For this i will have to have password less authentication from all desktops (Which is bit risky).

So i am thinking of Puppet which can full-fill my second thought.

Now the problem what i may be facing is , since this is intranet setup so how would i ensure that the latest package what i have in my central repository is pushed over to all desktops.

What Class i will have to write so that it will go to desktop(s) and run something like “rpm -UVH xxxxxx.rpm” ?

Any help would be much appreciated.


Pushing package updates with Puppet

Yes, I think Puppet is definitely a good way to achieve this. You can either have Puppet distribute the RPM file directly onto the servers and install it via an exec, something like this:

  file { "/tmp/application.rpm":
    source => "puppet:///application/application.rpm",
    notify => Exec["install-app"],

  exec { "install-app":
    command => "/usr/bin/rpm -Uvh /tmp/application.rpm",
    refreshonly => True,

Then if you ever update the RPM file in the Puppet repo, Puppet will push out the new version and install it.

Alternatively, and which would be better for managing several RPMs, set up your own Yum repo. This is quite easy to do - it’s basically just a web server pointing to the RPM files and you can find instructions on the web for how to set this up. Use Puppet to add the repo definition to all your client machines. Then if you specify the package in Puppet in this way:

  package { "application":
    ensure => latest,

Puppet will always install the latest version available in your repo. When you want to push out a new version, just drop it into the repo and run ‘updaterepo’ (an RPM command which rebuilds the repo index files). Puppet will detect the update next time it runs and install it everywhere it’s required.

Email me at if you need more detailed help.

alternative location string for packages

Hi John,

May I know where is the location ( source => “puppet:///application/application.rpm”, ) you’re pointing to ? Is it a directory under /etc/puppet ?

I have the web server and copied Redhat iso and already shared and accessible via all nodes.Because of that I’m wondering if I can replace with

source => “http:///”


By default Puppet will look

By default Puppet will look in /etc/puppet/modules/application/files, but you can configure the file server otherwise if you like. However, in this case the default is quite sensible.

In general a Puppet URL of the form puppet:///foo/bar will deploy the file from modules/foo/files/bar.

Unfortunately Puppet doesn’t

Unfortunately Puppet doesn’t yet support HTTP file types - though it might do in the future.

puppetmaster listening on localhost.localdomain:8140

Hi John,
I am trying to play with puppet at home. I have configured the puppetmaster and client all on the same server. However when I run puppetmaster daemon, it listens on localhost.localdomain:8140 rather than listening on my `hostname`:8140.
I don’t have DNS configured and rely on /etc/hosts file.
Does the servers need to be in DNS to get puppet to work?
Is there a workaround for this issue?

Please advice and help.

Thanks in advance.

# mukarram

You don’t need DNS - but is

You don’t need DNS - but is your hostname in the /etc/hosts file with its public IP address?

It sounds as though Puppet was not able to find an entry for the hostname and resorted to localhost instead. You ought to have something like this in your /etc/hosts file: localhost.localdomain

Does that make a difference? If not, email me at and maybe I can help you get it going.

Fixed it by adding hostname

Fixed it by adding hostname as puppet in the /etc/hosts file.

Puppet Not Working


I am currently working on puppet using Amazon Fedora EC2 instances. Both Puppet Server and Client are working fine. I am able to generate certificate from client and server is able to sign that too but still whatever code I have written in manifest files doesn’t get executed.

Below mentioned is my code in Site.pp file :

class test_class {
file { “/tmp/testfile”:
ensure => present,
mode => 644,
owner => root,
group => root
node puppetclient {
include test_class

Here, puppetclient is the hostname of client. But still after signing certificate /tmp/testfile doesn’t get created.

DNS is also working perfectly fine. I can ping puppetserver(named as puppet) from puppet client.

Can you please tell me what must be the possible mistake ??

Good Stuff, appreciate the

Good Stuff, appreciate the effort you put into this. Just curious when will part 3 be posted? If it already has been hosted, kindly anyone point me to it


Puppet Tutorial part 3

The bad news is part 3 won’t be done for a while. The good news is, I’m writing a whole book on Puppet, to be published later this year! The Puppet Cookbook. It follows on from these tutorials, introducing you to lots of things you can do with Puppet and with complete source code and step-by-step instructions for how to do them.

Hi. Any news about precise


Any news about precise date of your book release? (yes, we’re waiting for it ;-)

Hey Ivan, I’m correcting

Hey Ivan,

I’m correcting final proofs right now and according to the publisher it should be out at the end of October! Don’t forget you can pre-order now and you’ll get the book as soon as it’s available.

master not responding to first contact

I’ve set up the master and a client, but when I start the client the master does not respond at all. It’s listening correctly (, tcpdump shows the incoming requests, but the master just does not respond, nothing on the net, nothing in the logs .. what did I miss?

Is the firewall blocking the

Is the firewall blocking the requests? The default firewall on most distros does not allow port 8140. What happens if you try telnet from the client to port 8140 on the master?

shame on me .. yes, a

shame on me .. yes, a collegue activated a firewall on the INTERNAL network .. never trust a part time employee

thanks :)

If a network service doesn’t

If a network service doesn’t work, always suspect the firewall first! That maxim has saved me a good deal of frustration :)

It doesn’t sound difficult at

It doesn’t sound difficult at all, I haven’t tried to install it yet, just checking some information first, it looks like I’m in the right place for that. Thanks for sharing the information.


Hi John, I am trying to learn how to set up puppet clients using templates. Do you know of a thorough tutorial for them? Does your book go over the use of templates? Thanks :)

Steve, The book certainly


The book certainly does cover templates, and some example uses for them.

Not written the node, yet it worked


I have installed the puppet master and client on two different systems. I have created a site.pp inside the /etc/puppet/manifests folder and is the only file present in it. The content of the site.pp is:

file {‘testfile2’:
path => ‘/tmp/testfile2’,
ensure => present,
mode => 0640,
content => “I’m a test file from puppet server. This is file2”,

I have not written any nodes.pp file. Still the server is creating a file on the client system. But it is taking some time to create the file (I have tried three times, it is taking some 5 - 15 min after updating the site.pp file). I have tried restarting the server also, still that is also not creating the file immediately after restarting the server. So is there any configuration settings where we can run the site.pp script.

Also, can we manually run the server file to affect the changes done in the server site.pp file for client system updates.

Thanks in advance,
Sateesh B.

One of the best site I have ever used.

Ruby on Rails application could not be started

When i type my vm ip it throws me these error (Ruby on Rails application could not be started)

And is there any way i can reset my username and password because i forget for master.

Please advise me i am new to these.


Unable to generate Certificate for windows agent.

I am using Linux as master and Windows as Agent. I am doing the following steps for certificate generation.

Step 1: - In Linux :

I have declared node
node “” —DECLARED WINDOWS Server Name.


Step 2: - In Linux
service puppetmaster stop (For stopping the services)

rm -rf /var/lib/puppet/ssl (Clearing SSL certificates)

service puppetmaster start (Starting the services)

Step 3: - In Windows

Run Services.MSC and re-started puppet agent.

Step 4: - In Linux

puppet cert —list (to view the certifiecates)

I found that no certificate has generated for the windows server.

Am I need to delete SSL in Windows. If Yes, Please let me know the process, because I found more directories with the same name.

how to push conf from puppet

i need to push the configuration from puppet server to the clients.

pls explain the steps.

Post new comment

The content of this field is kept private and will not be shown publicly.
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Enter the characters shown in the image.
By submitting this form, you accept the Mollom privacy policy.