Reputation: 4946
I created two fresh VMs: one for the puppet-master (sbe-puppet) and one for my node (sbe1).
On my master I have a file testdefine.pp with this content:
    class testdefine {
      define testdefine ($data) {
        file { $title:
          ensure  => file,
          content => $data,
        }
      }

      # The three strings below were cut off at "\$" by terminal line wrapping
      # in the original post; they are closed here so the manifest parses.
      testdefine { '/var/tmp/puppetfile1':
        data => "The name of the file is puppetfile1 and it is created by puppet",
      }
      testdefine { '/var/tmp/puppetfile2':
        data => "The name of the file is puppetfile2 and it is created by puppet",
      }
      testdefine { '/var/tmp/puppetfile3':
        data => "The name of the file is puppetfile3 and it is created by puppet",
      }
    }
and a file node.pp with this content:
    import "testdefine"

    node 'sbe-puppet.mydomain.net' {
      include testdefine
    }

    node 'sbe1.mydomain.net' {
      include testdefine
    }
After running sudo puppet apply node.pp (without errors) these 3 test files only exist on my master, but don't appear on my node.
sudo puppet cert list -all lists my node with a +.
And puppet agent --configprint server (on my node) shows the correct DNS name of my master.
But when I run $ puppet agent --test on my node I get:

    Error: Could not request certificate: getaddrinfo: Name or service not known
    Exiting; failed to retrieve certificate and waitforcert is disabled
I don't know what's wrong here, because my master already accepted the node's cert request?!
Can anyone help to get this simple "hello world"-configuration to work?
Additional question: I have master and node in a virtual network (using MS Azure) and I want to only open ports 80/443 for my node and only 22 for my master - will this work with puppet?
Upvotes: 0
Views: 1439
Reputation: 180201
These error messages ...

    Error: Could not request certificate: getaddrinfo: Name or service not known
    Exiting; failed to retrieve certificate and waitforcert is disabled

... indicate that the client cannot resolve the master's name. This could be because the wrong server name is configured in its puppet.conf, or because your name service configuration is wrong. How the master may already have accepted a cert request from the agent is unclear, but among the possibilities are:
Additional question: I have master and node in a virtual network (using MS Azure) and I want to only open ports 80/443 for my node and only 22 for my master - will this work with puppet?
The master does not attempt to establish connections to agents in conjunction with standard Puppet service, so nodes do not require any specific ports open for incoming traffic on their side. They just need to allow inbound traffic associated with connections they initiate, which is a pretty normal firewall configuration.
On the other hand, agents do need to establish connections to the master, which requires an open port on the master; Puppet uses port 8140/tcp by default. Although the Puppet port is configurable, you cannot use port 22 if you want that port to serve its standard purpose (sshd). The puppet port does not need to be open to the whole world, however; it can, in principle, be restricted to only those machines that are permitted to request catalogs.
Upvotes: 3
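As an added illustration of the two failure modes the answer separates (the master's name not resolving, versus 8140/tcp on the master not being reachable), here is a small agent-side preflight check written for this page; it is not part of the original answer. It assumes an INI-style puppet.conf in which the server setting may appear under [agent] or [main] (a constructed sample is embedded), and its resolve/connect steps are injectable callables so the logic can run offline.

```python
"""Agent-side preflight: does the configured master resolve, and is 8140/tcp reachable?"""
import configparser
import socket

MASTER_PORT = 8140  # Puppet's default master port, as the answer notes

# Constructed sample of an agent's puppet.conf (not taken from the post).
SAMPLE_PUPPET_CONF = """
[main]
server = sbe-puppet.mydomain.net
[agent]
report = true
"""

def effective_server(conf_text):
    """Master name the agent will contact: [agent] wins over [main];
    if neither sets server, Puppet falls back to the bare hostname 'puppet'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    for section in ("agent", "main"):
        if parser.has_option(section, "server"):
            return parser.get(section, "server").strip()
    return "puppet"

def _tcp_connect(address, port):
    """Open and immediately close a TCP connection; raises OSError on failure."""
    socket.create_connection((address, port), timeout=5).close()

def check_master(server, port=MASTER_PORT,
                 resolve=socket.gethostbyname, connect=_tcp_connect):
    """Classify the agent-to-master failure:
    'dns'  -> name does not resolve (the getaddrinfo error in the question)
    'port' -> resolves, but nothing answers on the port (usually a firewall)
    'ok'   -> TCP connection to the master port succeeded
    resolve/connect are injectable so the logic can be exercised offline."""
    try:
        address = resolve(server)
    except OSError:  # socket.gaierror is a subclass of OSError
        return "dns"
    try:
        connect(address, port)
    except OSError:
        return "port"
    return "ok"

if __name__ == "__main__":
    name = effective_server(SAMPLE_PUPPET_CONF)
    print(f"master = {name}: {check_master(name)}")
```

Run it on the node itself to tell a name-service problem apart from a blocked master port before touching any firewall rules.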