Archive for the ‘puppet’ Category

Install the DSC module and the hiera-eyaml gem (used for password encryption):

puppet module install puppetlabs-dsc
puppetserver gem install hiera-eyaml
Edit /etc/puppetlabs/puppet/hiera.yaml (hiera 5 format; datadir is relative to this file, so the data files live in /etc/puppetlabs/puppet/data):
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

Create the keys. eyaml createkeys writes them to ./keys by default, so run it from /etc/puppetlabs/puppet (or pass --pkcs7-private-key/--pkcs7-public-key) so that the paths match the ones in hiera.yaml:

/opt/puppetlabs/puppet/bin/eyaml createkeys

Encrypt the password (-l is just a label; -s takes the secret from the command line, which leaves it in the shell history, so -p, which prompts for it on the terminal, is the safer choice):

/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Add this encrypted password to /etc/puppetlabs/puppet/data/windowspass.eyaml (run from /etc/puppetlabs/puppet/data or give the full path). eyaml edit opens the file in your editor with the values decrypted and re-encrypts them on save:

/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
cat /etc/puppetlabs/puppet/data/windowspass.eyaml

Test decryption:

/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Secure the keys. The private key decrypts every value in hiera, so only the puppetserver process (which runs as the puppet user) should be able to read it:

chown -R puppet:puppet /etc/puppetlabs/puppet/keys
chmod 400 /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
chmod 400 /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem


On Windows it is currently not possible to hide the password in the agent's verbose output:

puppet agent -t -v


Map the password from windowspass.eyaml into the manifest, wrapping the looked-up value in Sensitive so that it is redacted in logs and reports:

'password' => Sensitive(lookup('password'))
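Once the lookup is wrapped, the value stays redacted wherever Puppet would otherwise print it. The following manifest is an added example, not code from the original post; the file path is illustrative, and it assumes hiera.yaml and windowspass.eyaml are set up as above so that lookup('password') returns the decrypted string:

```puppet
# Added example, not from the original post. Assumes the hiera.yaml and
# windowspass.eyaml above, so lookup('password') returns the decrypted string.
# hiera-eyaml hands back a plain String: wrap it before it touches anything else.
$admin_pass = Sensitive(lookup('password'))

# Fail the compile instead of shipping an empty credential to the node; an empty
# value usually means a wrong key path in hiera.yaml or a missing eyaml entry.
if $admin_pass.unwrap.empty {
  fail('lookup(\'password\') returned an empty string; check the key paths in hiera.yaml and windowspass.eyaml')
}

# Interpolating a Sensitive value never exposes it; this logs
# "admin password is Sensitive [value redacted]".
notice("admin password is ${admin_pass}")

# Resources accept the wrapper directly: the report shows the property as redacted,
# and show_diff => false keeps the content out of the diff in verbose runs.
file { 'C:/ProgramData/PuppetLabs/bootstrap-secret.txt':   # illustrative path
  ensure    => file,
  content   => $admin_pass,
  show_diff => false,
}
```

Only code that calls unwrap sees the string, so keep every unwrap inside the expression that needs it (a credential hash for DSC, as in site.pp below) rather than storing the plain value in a variable.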

Complete code (/etc/puppetlabs/code/environments/production/manifests/site.pp). The node name, the domain name and the file resource's path are missing from the page; the reboot resource comes from the puppetlabs-reboot module (puppet module install puppetlabs-reboot):

node '' {

  file { '':                      # target directory; the path did not survive on the page
    ensure => directory,
  }

  dsc_windowsfeature { 'dns':
    dsc_ensure => 'Present',
    dsc_name   => 'DNS',
  }

  dsc_windowsfeature { 'addsinstall':
    dsc_ensure => 'Present',
    dsc_name   => 'AD-Domain-Services',
  }

  dsc_windowsfeature { 'addstools':
    dsc_ensure => 'Present',
    dsc_name   => 'RSAT-ADDS',
  }

  dsc_windowsfeature { 'addnstools':
    dsc_ensure => 'Present',
    dsc_name   => 'RSAT-DNS-Server',
  }

  dsc_xaddomain { 'firstdc':
    subscribe                         => Dsc_windowsfeature['addsinstall'],
    dsc_domainname                    => '',
    dsc_domainadministratorcredential => {
      'user'     => 'pagent',
      'password' => Sensitive(lookup('password')),
    },
    dsc_safemodeadministratorpassword => {
      'user'     => 'pagent',
      'password' => Sensitive(lookup('password')),
    },
    dsc_databasepath => 'c:\NTDS',
    dsc_logpath      => 'c:\NTDS',
  }

  # puppetlabs-reboot: reboot only when DSC has flagged one as pending
  reboot { 'dsc_reboot':
    message => 'DSC has requested a reboot',
    when    => pending,
  }
}


For debugging, compile the catalog on the server (--compile takes the node's certname as its argument):

puppet master --debug --compile --environment=production

Create a new AD user, create a new security group and add the user to it (the domain name, UPN and group members are missing from the page):

dsc_xaduser { 'FirstUser':
  dsc_ensure            => 'present',
  dsc_domainname        => '',
  dsc_username          => 'tfl',
  dsc_userprincipalname => '',
  dsc_password          => {
    'user'     => '',
    'password' => Sensitive(lookup('password')),
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => '',
    'password' => Sensitive(lookup('password')),
  },
}

dsc_xgroup { 'testgroup':
  dsc_ensure           => 'present',
  dsc_memberstoinclude => '',
  dsc_groupname        => 'test',
  # Plain-text credential left commented out; use Sensitive(lookup(...)) as above instead.
  #dsc_credential => {
  #  'user'     => '',
  #  'password' => 'Passw0rd01',
  #},
}

In the last post we installed the Puppet server; in this one we install the Puppet agent on a Windows server.

Make sure the Puppet server's DNS name is resolvable from the Windows host and vice versa (skip this step if there is a host A record for the Puppet server in DNS):

Download the latest Puppet agent MSI and install it silently:

msiexec /qn /norestart /i puppet-agent-5.0.0-x64.msi

(The installer also accepts PUPPET_MASTER_SERVER=<server FQDN> on that command line, which writes the server setting into puppet.conf for you.)

If all goes well, a certificate request file appears in C:\ProgramData\PuppetLabs\puppet\etc\ssl\certificate_requests after the agent's first run.


This request is waiting to be signed; to do so, move to the Puppet server (list the pending requests, then sign the Windows host's certname):

sudo puppet cert list
sudo puppet cert sign ""

On the Windows server, open Start > Puppet > Start Command Prompt with Puppet, run as Administrator.


Test connection from Windows to Puppet server:

puppet agent --test


By default the Puppet agent polls the Puppet server every 30 minutes. This can be changed by editing "C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf" and adding a runinterval line in the [agent] section (e.g. runinterval = 10m).


One security concern is that the cached catalog, a JSON file kept on the client under C:\ProgramData\PuppetLabs\puppet\cache\client_data\catalog\, stores credentials in plain text; to avoid this, prevent the agent from storing that file on the Puppet client.



Creating a simple manifest file

In this example we'll make sure that IIS is installed.

Install the IIS module from the Forge:

puppet module install puppetlabs-iis --version 4.5.0

Create the manifest file and specify the node and actions (include_management_tools is a boolean, not 'present'):

$iis_features = ['Web-WebServer','Web-Scripting-Tools','Web-Mgmt-Console']
iis_feature { $iis_features:
  ensure                   => 'present',
  include_management_tools => true,
}

Check for syntax errors:

puppet parser validate site.pp

Run PowerShell scripts

So that the script is not run on every agent run, it writes a file with the content "Done" when it finishes.

On the next run Puppet first evaluates the unless command, which checks whether C:\log.txt exists and contains the string "Done"; if both checks pass, the unless command exits 0 and the script is skipped. The powershell provider needs the puppetlabs-powershell module. The -Identity value is missing from the page. The password-age parameters take a TimeSpan, so they are written as d.hh:mm:ss; a bare 1 or 30 would be read as ticks, not days.

exec { 'configure_gpo':
  command   => 'Set-ADDefaultDomainPasswordPolicy -Identity -ComplexityEnabled $true -MinPasswordLength 7 -MinPasswordAge 1.00:00:00 -MaxPasswordAge 30.00:00:00 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 3; Write-Output "Done" | Out-File C:\log.txt -Append',
  unless    => 'if (!(Test-Path C:\log.txt) -or !(Select-String -Path C:\log.txt -Pattern "Done")) { exit 1 }',
  provider  => powershell,
  logoutput => true,
}
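The sentinel file only records that the command once ran: anyone who can write C:\log.txt suppresses the hardening, and a policy loosened later in the GUI is never re-applied. The resource below is an added example, not code from the original post; its unless checks the policy itself, so Puppet converges on the desired values whenever they drift. (Get-ADDomain).DNSRoot is an assumption standing in for the domain name the post's -Identity argument omits, and the puppetlabs-powershell provider is assumed:

```puppet
# Added example, not from the original post. Requires the puppetlabs-powershell
# module and the ActiveDirectory PowerShell module on the node (present on a DC).
# (Get-ADDomain).DNSRoot is an assumption standing in for the domain name.
exec { 'configure_default_password_policy':
  command   => @(PS),
    $domain = (Get-ADDomain).DNSRoot
    # TimeSpan-typed parameters take d.hh:mm:ss; a bare integer is read as ticks.
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
      -ComplexityEnabled $true -MinPasswordLength 7 `
      -MinPasswordAge 1.00:00:00 -MaxPasswordAge 30.00:00:00 `
      -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 3
    | PS
  # Exit 0 (already compliant, skip the command) only when every setting matches;
  # otherwise exit 1 so the command runs again. If the query itself fails, $p is
  # null, the comparison is false and the policy is re-applied.
  unless    => @(PS),
    $p = Get-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot
    $compliant = $p.ComplexityEnabled -eq $true -and
      $p.MinPasswordLength -ge 7 -and
      $p.MinPasswordAge -eq (New-TimeSpan -Days 1) -and
      $p.MaxPasswordAge -eq (New-TimeSpan -Days 30) -and
      $p.LockoutDuration -eq (New-TimeSpan -Minutes 30) -and
      $p.LockoutObservationWindow -eq (New-TimeSpan -Minutes 30) -and
      $p.LockoutThreshold -eq 3
    if (-not $compliant) { exit 1 }
    | PS
  provider  => powershell,
  logoutput => true,
}
```

The Puppet heredocs (@(PS) ... | PS) are single-quoted, so the PowerShell $ variables reach the node untouched; the same resource then also serves as the detection of tampering, since every agent run reports a change whenever the live policy no longer matches.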


Make sure DNS resolution is in place. This is needed in case no central DNS server is available: /etc/hosts must then carry an entry for the Puppet server (the post uses the name puppetmaster):

cat /etc/hosts
Add the Puppet repository (the release RPM for your distribution):
rpm -Uvh
Install Puppet:
sudo yum -y install puppetserver
#check version:
/opt/puppetlabs/bin/puppet --version
#Add the Puppet bin directory to PATH (put this line in ~/.bash_profile, then reload it):
export PATH=/opt/puppetlabs/bin:$PATH
source ~/.bash_profile
Allocate memory:

In this example 1GB of RAM is allocated to puppetserver:
Edit /etc/sysconfig/puppetserver
#Change the JAVA_ARGS line as below (replace 1 with the number of GB)
JAVA_ARGS="-Xms1g -Xmx1g ...."
#Save and exit.


Edit /etc/puppetlabs/puppet/puppet.conf (make sure the server name you put here is resolvable from DNS and from the nodes). runinterval = 5s makes the server's own agent check in every five seconds, which is only sensible for a lab; the default is 30 minutes.

environment = production
runinterval = 5s



Enable/start puppet service

systemctl start puppetserver
systemctl enable puppetserver
Open port 8140 if firewalld is running
firewall-cmd --add-port=8140/tcp --permanent
firewall-cmd --reload


Add the Puppet bin directory to sudo's secure_path, so that "sudo puppet ..." finds the command:

sudo visudo
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin


Disable the agent (one-time run)

If we want a "one time" run (execute some manifest and then stop contacting the Puppet master), we can have the agent stop and disable its own service at the end of the manifest:

service { 'puppet':
  ensure => 'stopped',
  enable => false,
}