Over a million developers have joined DZone.

Test Puppet Config of an Existing Node Using Puppet Master via Vagrant

· DevOps Zone

The DevOps zone is brought to you in partnership with Sonatype Nexus. The Nexus suite helps scale your DevOps delivery with continuous component intelligence integrated into development tools, including Eclipse, IntelliJ, Jenkins, Bamboo, SonarQube and more. Schedule a demo today

Are you using Puppet in the client-server setup and want to test the configuration for a particular node without actually changing it? You can do that by fooling Puppet Master into believing that a Vagrant virtual machine (VM) is that node and applying it there. The process is simple: you essentially only need to get the nodes’ cert or private key and supply them to Puppet (and likely make sure that the hostname puppet can be resolved from within the VM). Let’s see it in detail.

Credit to my colleague Mikael for discovering the cert and key trick.


I suppose that you have already installed Vagrant and Virtual Box (VMWare should/could work too), if not, install them and read Getting Started.

Create the Vagrant VM to use for the test. In some directory, which I will call <vagrantdir> from now on, run vagrant init to create a Vagrantfile.

Next, get /var/lib/puppet/ssl/certs/<hostname>.pem and /var/lib/puppet/ssl/private_keys/<hostname>.pem from the target node. Put them into <vagrantdir>/ssl/(certs|private_keys)/<hostname>.pem. The directory will be visible inside the VM as /vagrant/ssl.

Update the Vagrantfile to use the OS box or Ubuntu base box you want (e.g. config.vm.box_url = “http://files.vagrantup.com/precise32.box&#8221;) and set up the following provisioners (run in order of appearance), replacing targetnode.example.com with the actual hostname of the target node and puppet.example.com with the Puppet Master’s hostname:

## Vagrantfile snippet
  # 1) Get the signed certificate needed to connect to Puppet Master as the given node
  # Get it from /var/lib/puppet/ssl/certs/<hostname>.pem
  # Note: A fresh agent has only private and public key (gets cert when signed?)
 config.vm.provision :shell,
      :inline => "mkdir -p /etc/puppet/ssl; cp -r /vagrant/ssl /etc/puppet"
  config.vm.provision "puppet_server" do |puppet|
    # BEWARE: Into /etc/hosts, add <puppet master's IP> puppet so that file://[puppet]/.. can work
    puppet.puppet_server = "puppet.example.com"
    puppet.puppet_node = "targetnode.example.com"
    puppet.options = ["--no-daemonize", "--onetime", "--verbose", "--debug"] # add "--env", "myEnvName" to test a particular environment
  config.vm.hostname = "targetnode.example.com"

When you run vagrant up, the VM should come up, get its keys, connect to the Puppet Master, and obtain and apply the configuration from it.


The VM runs on your computer so it likely won’t have access to the same network resources (services, etc.) as the real node. It will also likely have different devices (important if you run in EC2 and mount EBS disks, etc.) unless you manage to configure Virtual Box or the OS to be more like what Puppet expects.

For example, in our case we needed to add “ln -sf /bin/true /sbin/dhclient” to the Shell provisioner to mock dhclient, because otherwise it was run by our setup and got blocked forever.

If you happen to replace /etc/sudoerrs, you will need to re-enable the user vagrant (which is in the admin group) to run everything without providing a password. One way to do that is to run the following command from inside the VM (you could even add a third provisioner to run it after Puppet but it would not be run if Puppet failed):

echo -e "vagrant\n" | sudo -S sed -i '$ a\vagrant  ALL=(ALL) NOPASSWD:ALL' /etc/sudoers

Note on versions

Tested with Puppet 2.7.x, Vagrant 1.2.7, Virtual Box  4.2.16 on OS X 10.7.

The DevOps zone is brought to you in partnership with Sonatype Nexus. Use the Nexus Suite to automate your software supply chain and ensure you're using the highest quality open source components at every step of the development lifecycle. Get Nexus today


Published at DZone with permission of Jakub Holý, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}