Installing Puppet for Junos OS
Setting Up the Puppet Master
Juniper Networks provides support for using Puppet to manage certain devices running Junos OS. The Puppet master must be running Puppet open-source edition. Table 1 outlines the version of Puppet that must be installed on the Puppet master in order to manage the different Junos OS variants and releases of Puppet for Junos OS on the client.
Table 1: Puppet Version Required on Puppet Master
Junos OS Variant | Puppet for Junos OS Version | Puppet Version |
---|---|---|
Junos OS or Junos OS with Enhanced Automation | 1.0 | Puppet 2.7.19 or later |
Junos OS or Junos OS with Enhanced Automation | 2.0 | Puppet 3.6.1 or later |
Junos OS Evolved | – | Puppet 3.8.7 or later |
The Puppet master must also have the following software installed in order to use Puppet to manage devices running Junos OS:
- Juniper Networks NETCONF Ruby gem: Ruby gem that enables device management using the NETCONF protocol.
- netdevops/netdev_stdlib Puppet module: includes the Puppet type definitions for the netdev resources.
- juniper/netdev_stdlib_junos Puppet module: includes the Junos OS-specific code that implements each of the types. When you install this module on the Puppet master, it automatically installs the netdev_stdlib module.
To configure the Puppet master for use with devices running Junos OS:
- Install Puppet open-source edition.
See the Puppet website for Puppet installation instructions.
- Install the Juniper Networks NETCONF Ruby gem using the command appropriate for your Puppet master installation.
root@server:~# gem install netconf
Fetching: netconf-0.2.5.gem (100%)
Successfully installed netconf-0.2.5
1 gem installed
Installing ri documentation for netconf-0.2.5...
Installing RDoc documentation for netconf-0.2.5...
- Install or upgrade the Juniper Networks netdev_stdlib_junos Puppet module.
To install the netdev_stdlib_junos module, execute the following command on the Puppet master, and specify the module version required to manage your particular devices.
root@server:~# puppet module install juniper-netdev_stdlib_junos --version 2.0.6
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ juniper-netdev_stdlib_junos (v2.0.6)
  └── netdevops-netdev_stdlib (v1.0.0)
To upgrade the module when you have an older version installed, use the upgrade option.
root@server:~# puppet module upgrade juniper-netdev_stdlib_junos --version 2.0.6
- Set up the puppet.conf file on the Puppet master.
For information about the configuration file, see Setting Up the Puppet Configuration File on the Puppet Master and Puppet Agents Running Junos OS.
The Puppet agent identifies with the master using SSL. By default, the puppet master service does not sign client certificate requests. As a result, the Puppet master must approve the agent certificate the first time an agent tries to connect to the master. After the Puppet agent node is configured and running, approve the client certificate on the Puppet master by using the command appropriate for your installation, for example, by using the puppet cert sign host command or the puppetserver ca sign --certname host command.
Configuring the Puppet Agent Node
Juniper Networks provides support for using Puppet to manage certain devices running Junos OS. The setup on the agent node depends on the device and the Junos OS variant running on the device. Certain devices require installing the Puppet agent package on the device, other devices have the Puppet agent integrated into the software image, and some devices support running the Puppet agent as a Docker container. To verify support for a specific platform and determine which setup to use for a given device and Junos OS release, see Puppet for Junos OS Supported Platforms.
Table 2 outlines the tasks required to configure the Puppet agent node for the different types of setups. To configure the node, perform the steps in each linked task.
Table 2: Puppet Agent Setup
Puppet Agent Setup | Tasks |
---|---|
Puppet agent must be installed using the | Perform the steps in the following tasks: |
Puppet agent is integrated on the device | Perform the steps in the following tasks: |
Puppet agent will run as a Docker container | Perform the steps in the following tasks: |
OCX1100 switches, QFX Series switches running Junos OS with Enhanced Automation, and devices running Junos OS Evolved have the Puppet agent integrated with the software. If the device also supports using the Puppet agent Docker container, you can elect to run the Puppet agent as a Docker container instead of using the integrated Puppet agent.
Installing the Puppet Agent Package
To install the Puppet agent on devices running Junos OS that do not have the agent integrated into the software:
- Determine the jpuppet software package required for your platform and release at Puppet for Junos OS Supported Platforms.
- Access the download page at https://github.com/Juniper/jpuppet-download.
- Select the release folder corresponding to the Puppet for Junos OS release to download.
- Download to the /var/tmp/ directory on the agent device the jpuppet software package that is specific to your platform or device microprocessor architecture, depending on the Puppet for Junos OS release.
Note: Starting in Puppet for Junos OS Release 2.0, the jpuppet packages are specific to the microprocessor architecture. In earlier releases, the packages are specific to a particular platform. If you do not know the microprocessor architecture of your device, you can use the UNIX shell command uname -a to determine it.
Note: We recommend that you install the jpuppet software package from the /var/tmp/ directory on your device to ensure the maximum amount of disk space and RAM for the installation.
- Configure the provider name, license type, and deployment scope associated with the application.
[edit]
user@host# set system extensions providers juniper license-type juniper deployment-scope commercial
user@host# commit and-quit
- Install the software package using the request system software add operational mode command, and include the no-validate option.
user@host> request system software add /var/tmp/jpuppet-package-name no-validate
- Verify that the installation is successful by issuing the show version command. The list of installed software should include the jpuppet package. For example:
admin@jd> show version
Hostname: jd
Model: mx80-48t
Junos: 16.1R1.7
JUNOS Base OS boot [16.1R1.7]
JUNOS Base OS Software Suite [16.1R1.7]
JUNOS Crypto Software Suite [16.1R1.7]
JUNOS Packet Forwarding Engine Support (MX80) [16.1R1.7]
JUNOS Web Management [16.1R1.7]
JUNOS Online Documentation [16.1R1.7]
JUNOS Services Application Level Gateways [16.1R1.7]
JUNOS Services Jflow Container package [16.1R1.7]
JUNOS Services Stateful Firewall [16.1R1.7]
JUNOS Services NAT [16.1R1.7]
JUNOS Services RPM [16.1R1.7]
JUNOS Macsec Software Suite [16.1R1.7]
JUNOS Services Crypto [16.1R1.7]
JUNOS Services IPSec [16.1R1.7]
JUNOS py-base-powerpc [16.1R1.7]
JUNOS py-extensions-powerpc [16.1R1.7]
JUNOS Kernel Software Suite [16.1R1.7]
JUNOS Routing Software Suite [16.1R1.7]
JET app jpuppet [3.6.1_3.0]
Note: The package name might vary depending on the Puppet for Junos OS release.
Configuring the Junos OS User Account
You must configure a user account to run the Puppet agent. The user must have configure, control, and view permissions. You can configure any username and authentication method for the account.
To configure a Junos OS user account to run the Puppet agent:
- Configure the account username, login class, authentication method, and shell.
[edit]
user@host# set system login user puppet class class
user@host# set system login user puppet authentication authentication-options
user@host# set system login user puppet shell csh
- Commit the configuration.
[edit]
user@host# commit and-quit
Configuring the Environment Settings
Set up the directory structure and environment settings on any agent nodes on which you installed the Puppet agent package or that use the Puppet agent that is integrated with the software image.
To configure the necessary directory structure and environment settings to run the Puppet agent:
- Log in to the agent node using the Puppet account username and password.
- If you are not already in the UNIX-level shell, enter the shell.
user@host> start shell
- Create a $HOME/.cshrc file, and include the content corresponding to the variant of Junos OS and the release of Puppet for Junos OS installed on the device, which is outlined in Table 3.
Table 3: Content in Puppet Agent .cshrc File
Junos OS Variant | Puppet for Junos OS Release | .cshrc content |
---|---|---|
Junos OS or Junos OS with Enhanced Automation | 1.0 or 2.0 | setenv PATH ${PATH}:/opt/sdk/juniper/bin |
Junos OS or Junos OS with Enhanced Automation | 3.0 or 4.0 | setenv PATH ${PATH}:/opt/jet/juniper/bin |
Junos OS Evolved | – | setenv PATH ${PATH}:/usr/bin |
- Exit the device and log back in using the Puppet account username and password.
- If you are not already in the UNIX-level shell, enter the shell.
user@host> start shell
- Verify that the jpuppet code is installed and that the PATH variable is correct by running Facter, which should display device-specific information. For example:
% facter
architecture => mx80-48t
domain => example.com
facterversion => 2.0.1
fqdn => jd.example.com
hardwareisa => powerpc
hardwaremodel => mx80-48t
hostname => jd
id => puppet
ipaddress => 198.51.100.1
kernel => JUNOS
<…more…>
- Create the following $HOME/.puppet directory structure:
% mkdir -p $HOME/.puppet/var/run
% mkdir -p $HOME/.puppet/var/log
- Place your puppet.conf file in the $HOME/.puppet directory.
For information about the configuration file, see Setting Up the Puppet Configuration File on the Puppet Master and Puppet Agents Running Junos OS.
Starting the Puppet Agent Process
Devices that have the Puppet agent integrated into the software require that you start the Puppet agent process on the device. Start the Puppet agent process after configuring the Junos OS user account and environment settings.
To start the Puppet agent process:
- Enter the shell.
user@host> start shell
- Start the Puppet agent process by executing the puppet agent command, and include any desired options.
For example, on devices running Junos OS or Junos OS with Enhanced Automation:
% puppet agent --server servername --waitforcert 60 --test
On devices running Junos OS Evolved, switch to the default VRF for management traffic, vrf0, and then start the agent.
[vrf:none] user@host:~# switchvrf $$ vrf0
[vrf:vrf0] user@host:~# puppet agent --test
Note: You can choose to define the server settings in your Puppet configuration file instead of specifying the settings as command options.
Using the Puppet Agent Docker Container
Certain devices running Junos OS Evolved support running the Puppet agent as a Docker container. Docker is a software container platform that is used to package and run an application and its dependencies in an isolated container. Juniper Networks provides a Docker image for the Puppet agent on Docker Hub.
When you run the Puppet agent using the Docker container, the container:
- Shares the hostname and network namespace of the host
- Uses the host network to communicate with the Puppet server
- Authenticates to the host using key-based SSH authentication
To use the Puppet agent Docker container on supported devices:
- Log in as the root user.
- Switch to the default VRF for management traffic, vrf0.
[vrf:none] root@host:~# switchvrf $$ vrf0
- Start the Docker service, and bind it to the default VRF for management traffic, vrf0.
[vrf:none] root@host:~# systemctl start docker@vrf0
- Set the DOCKER_HOST environment variable.
[vrf:none] root@host:~# export DOCKER_HOST=unix:///run/docker-vrf0.sock
- Start the Puppet agent Docker container as follows, and set the NETCONF_USER to the Junos OS user account that was set up to run the agent.
[vrf:none] root@host:~# docker run -d -e PATH="/usr/local/bundle/bin:$PATH" -e NETCONF_USER=puppet --network=host --name=puppet-agent juniper/puppet-agent:latest
- Generate the SSH key pair that will be used to authenticate the container to the host.
[vrf:none] root@host:~# docker exec -it puppet-agent ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
aa:69:77:b0:47:b0:c4:8f:90:39:f7:0d:04:61:ca:d1 root@host
The key's randomart image is:
+---[RSA 2048]----+
...
- Copy the public key to the host, and add it to the root user’s authorized_keys file.
[vrf:none] root@host:~# docker cp puppet-agent:/root/.ssh/id_rsa.pub .
[vrf:none] root@host:~# cat id_rsa.pub >> .ssh/authorized_keys
- Verify the connection from the container to the host.
[vrf:none] root@host:~# docker exec -it puppet-agent ssh puppet@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 3c:3c:ed:5c:ce:ee:34:09:79:22:d3:cd:af:d0:68:4a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
--- JUNOS 20.1-20200115.0-EVO Linux (none) 4.8.28-WR2.2.1_standard #1 SMP PREEMPT Thu Jun 13 00:19:16 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux
[vrf:none] puppet@host:~#
- Place your puppet.conf file in the container’s /etc/puppet directory.
[vrf:none] root@host:~# docker cp /var/tmp/puppet.conf puppet-agent:/etc/puppet
Note: For information about the configuration file, see Setting Up the Puppet Configuration File on the Puppet Master and Puppet Agents Running Junos OS.
- Start the Puppet agent.
[vrf:none] root@host:~# docker exec -it puppet-agent puppet agent -t
- On the Puppet master, accept the agent’s keys using the command appropriate for your installation.
root@server:~# puppet cert sign host.example.com
Setting Up the Puppet Configuration File on the Puppet Master and Puppet Agents Running Junos OS
The Puppet configuration file, puppet.conf, defines the settings for the Puppet master and agent nodes. It is an INI-formatted file with code blocks that contain indented setting = value statements. The main code blocks are:
- [master]: settings for the Puppet master.
- [agent]: settings for the agent node.
- [main]: global settings that are used by all commands and services. The settings in the [master] and [agent] blocks override those in [main].
On the Puppet master, the configuration file resides at $confdir/puppet.conf. On agent nodes running Junos OS, the location depends on your setup. Table 4 outlines the location where the Puppet configuration file should reside for a given setup on devices running Junos OS.
Table 4: Puppet Configuration File Location
Puppet agent setup | |
---|---|
Puppet agent is installed using the | |
Puppet agent is integrated on the device | |
Puppet agent is running as a Docker container | |
Creating environment-specific Puppet configuration files is beyond the scope of this document. However, when using Puppet to manage devices running Junos OS, the Puppet master and agent node puppet.conf files must contain the following statement within the [main] configuration block:
[main]
    pluginsync = true
In addition, client devices running Junos OS Evolved must include the certname statement in the puppet.conf file and specify the node’s certificate name. The Puppet master uses the certificate name, which can be a hostname, an IP address, or any user-defined name in lowercase characters, to identify the client.
[main]
    certname = puppet-client
    pluginsync = true
The following example shows a sample puppet.conf file for an agent node running Junos OS:
[main]
    libdir = $vardir/lib
    logdir = $vardir/log/puppet
    rundir = $vardir/run/puppet
    ssldir = $vardir/ssl
    moduledir = $libdir
    factpath = $libdir/facter
    pluginsync = true
[agent]
    server = puppetmaster.example.com
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
The following example shows a sample puppet.conf file for an agent node running Junos OS Evolved:
[main]
    libdir = $vardir/lib
    logdir = $vardir/log/puppet
    rundir = $vardir/run/puppet
    ssldir = $vardir/ssl
    moduledir = $libdir
    factpath = $libdir/facter
    certname = agent01.example.com
    pluginsync = true
[agent]
    server = puppetmaster.example.com
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
For more information about Puppet configuration files, see the Puppet website at https://puppet.com/.
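The puppet.conf requirements in this section can be checked before an agent's first run. The following Ruby lint is an added example, not Juniper or Puppet code: the function names and the sample file are constructed for illustration, and it assumes, as this section states, that [agent] settings override [main].

```ruby
# Added example (hypothetical helper names, not Juniper or Puppet code).
# Parse INI text into { "section" => { "setting" => "value" } }.
def parse_puppet_conf(text)
  conf = Hash.new { |hash, key| hash[key] = {} }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
    elsif section && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      conf[section][m[1]] = m[2].strip
    end
  end
  conf
end

# Settings the agent ends up with: [agent] values override [main].
def effective_agent_settings(conf)
  conf.fetch('main', {}).merge(conf.fetch('agent', {}))
end

# Return a list of problems; an empty list means the file passes.
def lint_agent_conf(text, evolved: false)
  conf = parse_puppet_conf(text)
  main = conf.fetch('main', {})
  agent = effective_agent_settings(conf)
  problems = []
  if main['pluginsync'] != 'true'
    problems << '[main] must contain pluginsync = true'
  elsif agent['pluginsync'] != 'true'
    problems << '[agent] overrides pluginsync set in [main]'
  end
  if evolved
    certname = agent['certname'].to_s
    if certname.empty?
      problems << 'Junos OS Evolved agents must set certname'
    elsif certname != certname.downcase
      problems << 'certname must be lowercase'
    end
  end
  problems
end

# Constructed sample input with two defects (not taken from a real device).
SAMPLE_BAD = <<~CONF
  [main]
      certname = Agent01.example.com
      pluginsync = true
  [agent]
      pluginsync = false
CONF

puts lint_agent_conf(SAMPLE_BAD, evolved: true)
```

Pass evolved: true only for agents running Junos OS Evolved, where the certname statement is required.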
Configuring the Puppet for Junos OS Addressable Memory
On devices running Junos OS, the amount of memory available to Puppet is 64 MB by default. You can expand the usable memory to the system maximum values as defined in Table 5.
Table 5: Puppet Agent Execution Environment Memory Limits
Device | Upper Memory Limit |
---|---|
EX4200, EX4500, EX4550 | 128 MB |
EX4300 | 64 MB |
MX5, MX10, MX40, MX80 | 64 MB |
MX104 | 64 MB |
MX240, MX480, MX960 | 2048 MB |
OCX1100 | 64 MB |
QFX3500, QFX3600 | 1024 MB |
QFX5100 | 64 MB |
QFX10002, QFX10008, QFX10016 | 1024 MB |
To expand the amount of memory available to the Puppet agent execution environment, including the Puppet agent and Facter processes:
- Log in to the Puppet agent using the Puppet user account username and password.
- In the Puppet user $HOME/.cshrc file, add the limit data memory command to the file. For example:
limit data 128M