Installing Puppet for Junos OS
Setting Up the Puppet Master
Juniper Networks provides support for using Puppet to manage certain devices running Junos OS. The Puppet master must be running Puppet open-source edition. Table 1 outlines the version of Puppet that must be installed on the Puppet master in order to manage the different Junos OS variants and releases of Puppet for Junos OS on the client.
Table 1: Puppet Version Required on Puppet Master
Junos OS Variant | Puppet for Junos OS Version | Puppet Version |
|---|---|---|
Junos OS or Junos OS with Enhanced Automation | 1.0 | Puppet 2.7.19 or later |
2.0 | Puppet 3.6.1 or later | |
Junos OS Evolved | – | Puppet 3.8.7 or later |
The Puppet master must also have the following software installed in order to use Puppet to manage devices running Junos OS:
Juniper Networks NETCONF Ruby gem—Ruby gem that enables device management using the NETCONF protocol.
netdevops/netdev_stdlibPuppet module—includes the Puppet type definitions for the netdev resources.juniper/netdev_stdlib_junosPuppet module—includes the Junos OS-specific code that implements each of the types. When you install this module on the Puppet master, it automatically installs thenetdev_stdlibmodule.
To configure the Puppet master for use with devices running Junos OS:
- Install Puppet open-source edition.
See the Puppet website for Puppet installation instructions.
- Install the Juniper Networks NETCONF Ruby gem using the
command appropriate for your Puppet master installation.
root@server:~# gem install netconfFetching: netconf-0.2.5.gem (100%) Successfully installed netconf-0.2.5 1 gem installed Installing ri documentation for netconf-0.2.5... Installing RDoc documentation for netconf-0.2.5...
- Install or upgrade the Juniper Networks
netdev_stdlib_junosPuppet module.To install the
netdev_stdlib_junosmodule, execute the following command on the Puppet master, and specify the module version required to manage your particular devices.root@server:~# puppet module install juniper-netdev_stdlib_junos --version 2.0.6Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ... Notice: Downloading from https://forgeapi.puppet.com ... Notice: Installing -- do not interrupt ... /etc/puppetlabs/code/environments/production/modules └─┬ juniper-netdev_stdlib_junos (v2.0.6) └── netdevops-netdev_stdlib (v1.0.0)
To upgrade the module when you have an older version installed, use the
upgradeoption.root@server:~# puppet module upgrade juniper-netdev_stdlib_junos --version 2.0.6
- Set up the
puppet.conffile on the Puppet master.For information about the configuration file, see Setting Up the Puppet Configuration File on the Puppet Master and Puppet Agents Running Junos OS.
The Puppet agent identifies with the Puppet master using SSL. By default, the puppet master service does not sign client certificate requests. As a result, the Puppet master must approve the agent certificate the first time an agent tries to connect to the master. After the Puppet agent node is configured and running, approve the client certificate on the Puppet master by using the command appropriate for your installation, for example, by using the puppet cert sign host command or the puppetserver ca sign --certname host command.
Configuring the Puppet Agent Node
Juniper Networks provides support for using Puppet to manage certain devices running Junos OS. The setup on the agent node depends on the device and the Junos OS variant running on the device. Certain devices require installing the Puppet agent package on the device, other devices have the Puppet agent integrated into the software image, and some devices support running the Puppet agent as a Docker container. To verify support for a specific platform and determine which setup to use for a given device and Junos OS release, see Puppet for Junos OS Supported Platforms.
Table 2 outlines the tasks required to configure the Puppet agent node for the different types of setups. To configure the node, perform the steps in each linked task.
Table 2: Puppet Agent Setup
Puppet Agent Setup | Tasks |
|---|---|
Puppet agent must be installed using the | Perform the steps in the following tasks: |
Puppet agent is integrated on the device | Perform the steps in the following tasks: |
Puppet agent will run as a Docker container | Perform the steps in the following tasks: |
OCX1100 switches, QFX Series switches running Junos OS with Enhanced Automation, and devices running Junos OS Evolved have the Puppet agent integrated with the software. If the device also supports using the Puppet agent Docker container, you can elect to run the Puppet agent as a Docker container instead of using the integrated Puppet agent.
Installing the Puppet Agent Package
To install the Puppet agent on devices running Junos OS that do not have the agent integrated into the software:
- Determine the
jpuppetsoftware package required for your platform and release at Puppet for Junos OS Supported Platforms. - Access the download page at https://github.com/Juniper/jpuppet-download.
- Select the release folder corresponding to the Puppet for Junos OS release to download.
- Download to the
/var/tmp/directory on the agent device thejpuppetsoftware package that is specific to your platform or device microprocessor architecture, depending on the Puppet for Junos OS release.Note Starting in Puppet for Junos OS Release 2.0, the
jpuppetpackages are specific to the microprocessor architecture. In earlier releases, the packages are specific to a particular platform. If you do not know the microprocessor architecture of your device, you can use the UNIX shell command uname -a to determine it.Note We recommend that you install the
jpuppetsoftware package from the/var/tmp/directory on your device to ensure the maximum amount of disk space and RAM for the installation. - Configure the provider name, license type, and deployment
scope associated with the application.[edit]user@host# set system extensions providers juniper license-type juniper deployment-scope commercialuser@host# commit and-quit
- Install the software package using the request system
software add operational mode command, and include the no-validate option.user@host> request system software add
/var/tmp/jpuppet-package-nameno-validate - Verify that the installation is successful by issuing
the show version command.
The list of installed software should include the
jpuppetpackage. For example:admin@jd> show versionHostname: jd Model: mx80-48t Junos: 16.1R1.7 JUNOS Base OS boot [16.1R1.7] JUNOS Base OS Software Suite [16.1R1.7] JUNOS Crypto Software Suite [16.1R1.7] JUNOS Packet Forwarding Engine Support (MX80) [16.1R1.7] JUNOS Web Management [16.1R1.7] JUNOS Online Documentation [16.1R1.7] JUNOS Services Application Level Gateways [16.1R1.7] JUNOS Services Jflow Container package [16.1R1.7] JUNOS Services Stateful Firewall [16.1R1.7] JUNOS Services NAT [16.1R1.7] JUNOS Services RPM [16.1R1.7] JUNOS Macsec Software Suite [16.1R1.7] JUNOS Services Crypto [16.1R1.7] JUNOS Services IPSec [16.1R1.7] JUNOS py-base-powerpc [16.1R1.7] JUNOS py-extensions-powerpc [16.1R1.7] JUNOS Kernel Software Suite [16.1R1.7] JUNOS Routing Software Suite [16.1R1.7] JET app jpuppet [3.6.1_3.0]
Note The package name might vary depending on the Puppet for Junos OS release.
Configuring the Junos OS User Account
You must configure a user account to run the Puppet agent. The user must have configure, control, and view permissions. You can configure any username and authentication method for the account.
To configure a Junos OS user account to run the Puppet agent:
- Configure the account username, login class, authentication
method, and shell.[edit]user@host# set system login user puppet class classuser@host# set system login user puppet authentication authentication-optionsuser@host# set system login user puppet shell csh
- Commit the configuration.[edit]user@host# commit and-quit
Configuring the Environment Settings
Set up the directory structure and environment settings on any agent nodes on which you installed the Puppet agent package or that use the Puppet agent that is integrated with the software image.
To configure the necessary directory structure and environment settings to run the Puppet agent:
- Log in to the agent node using the Puppet account username and password.
- If you are not already in the UNIX-level shell, enter
the shell.user@host> start shell
- Create a
$HOME/.cshrcfile, and include the content corresponding to the variant of Junos OS and the release of Puppet for Junos OS installed on the device, which is outlined in Table 3.Table 3: Content in Puppet Agent .cshrc File
Junos OS Variant
Puppet for Junos OS Release
.cshrccontentJunos OS or
Junos OS with Enhanced Automation1.0 or 2.0
setenv PATH ${PATH}:/opt/sdk/juniper/bin3.0 or 4.0
setenv PATH ${PATH}:/opt/jet/juniper/binJunos OS Evolved
–
setenv PATH ${PATH}:/usr/bin - Exit the device and log back in using the Puppet account username and password.
- If you are not already in the UNIX-level shell, enter
the shell.user@host> start shell
- Verify that the
jpuppetcode is installed and that the PATH variable is correct by running Facter, which should display device-specific information. For example:% facterarchitecture => mx80-48t domain => example.com facterversion => 2.0.1 fqdn => jd.example.com hardwareisa => powerpc hardwaremodel => mx80-48t hostname => jd id => puppet ipaddress => 198.51.100.1 kernel => JUNOS <…more…>
- Create the following
$HOME/.puppetdirectory structure:% mkdir -p $HOME/.puppet/var/run% mkdir -p $HOME/.puppet/var/log - Place your
puppet.conffile in the$HOME/.puppetdirectory.For information about the configuration file, see Setting Up the Puppet Configuration File on the Puppet Master and Puppet Agents Running Junos OS.
Starting the Puppet Agent Process
Devices that have the Puppet agent integrated into the software require that you start the Puppet agent process on the device. Start the Puppet agent process after configuring the Junos OS user account and environment settings.
To start the Puppet agent process:
- Enter the shell.user@host> start shell
- Start the Puppet agent process by executing the puppet
agent command, and include any desired options.
For example, on devices running Junos OS or Junos OS with Enhanced Automation:
% puppet agent --server servername --waitforcert 60 --testOn devices running Junos OS Evolved, switch to the default VRF for management traffic, vrf0, and then start the agent.
[vrf:none] user@host:~# switchvrf $$ vrf0[vrf:vrf0] user@host:~# puppet agent --test
Note You can choose to define the server settings in your Puppet configuration file instead of specifying the settings as command options.
Using the Puppet Agent Docker Container
Certain devices running Junos OS Evolved support running the Puppet agent as a Docker container. Docker is a software container platform that is used to package and run an application and its dependencies in an isolated container. Juniper Networks provides a Docker image for the Puppet agent on Docker Hub.
When you run the Puppet agent using the Docker container, the container:
Shares the hostname and network namespace of the host
Uses the host network to communicate with the Puppet server
Authenticates to the host using key-based SSH authentication
To use the Puppet agent Docker container on supported devices:
- Log in as the root user.
- Switch to the default VRF for management traffic, vrf0.
[vrf:none] root@host:~# switchvrf $$ vrf0 - Start the Docker service, and bind it to the default VRF
for management traffic, vrf0.
[vrf:vrf0] root@host:~# systemctl start docker@vrf0 - Set the
DOCKER_HOSTenvironment variable.[vrf:vrf0] root@host:~# export DOCKER_HOST=unix:///run/docker-vrf0.sock - Start the Puppet agent Docker container as follows, and
set the
NETCONF_USERto the Junos OS user account that was set up to run the agent.[vrf:vrf0] root@host:~# docker run -d -e PATH="/usr/local/bundle/bin:$PATH" -e NETCONF_USER=puppet --network=host --name=puppet-agent juniper/puppet-agent:latest - Generate the SSH key pair that will be used to authenticate
the container to the host.
[vrf:vrf0] root@host:~# docker exec -it puppet-agent ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsaGenerating public/private rsa key pair. Created directory '/root/.ssh'. Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: aa:69:77:b0:47:b0:c4:8f:90:39:f7:0d:04:61:ca:d1 root@host The key's randomart image is: +---[RSA 2048]----+ ...
- Copy the public key to the host, and add it to the root
user’s
authorized_keysfile.[vrf:vrf0] root@host:~# docker cp puppet-agent:/root/.ssh/id_rsa.pub .[vrf:vrf0] root@host:~# cat id_rsa.pub >> .ssh/authorized_keys - Verify the connection from the container to the host.
[vrf:vrf0] root@host:~# docker exec -it puppet-agent ssh puppet@localhostThe authenticity of host 'localhost (127.0.0.1)' can't be established. ECDSA key fingerprint is 3c:3c:ed:5c:ce:ee:34:09:79:22:d3:cd:af:d0:68:4a. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. --- JUNOS 20.1-20200115.0-EVO Linux (none) 4.8.28-WR2.2.1_standard #1 SMP PREEMPT Thu Jun 13 00:19:16 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux [vrf:none] puppet@host:~#
- Place your
puppet.conffile in the container’s/etc/puppetdirectory.[vrf:vrf0] root@host:~# docker cp /var/tmp/puppet.conf puppet-agent:/etc/puppetNote For information about the configuration file, see Setting Up the Puppet Configuration File on the Puppet Master and Puppet Agents Running Junos OS.
- Start the Puppet agent.
[vrf:vrf0] root@host:~# docker exec -it puppet-agent puppet agent -t - On the Puppet master, accept the agent’s keys using
the command appropriate for your installation.
root@server:~# puppet cert sign host.example.com
Setting Up the Puppet Configuration File on the Puppet Master and Puppet Agents Running Junos OS
The Puppet configuration file, puppet.conf, defines the settings for the Puppet master and agent nodes. It
is an INI-formatted file with code blocks that contain indented setting = value
statements. The main code blocks are:
[master]—settings for the Puppet master.[agent]—settings for the agent node.[main]—global settings that are used by all commands and services. The settings in the[master]and[agent]blocks override those in[main].
On the Puppet master, the configuration file resides at $confdir/puppet.conf. On agent nodes running Junos OS,
the location depends on your setup. Table 4 outlines the location
where the Puppet configuration file should reside for a given setup
on devices running Junos OS.
Table 4: Puppet Configuration File Location
Puppet agent setup |
|
|---|---|
Puppet agent is installed using the |
|
Puppet agent is integrated on the device |
|
Puppet agent is running as a Docker container |
|
Creating environment-specific Puppet configuration files
is beyond the scope of this document. However, when using Puppet to
manage devices running Junos OS, the Puppet master and agent node puppet.conf files must contain the following statement
within the [main] configuration block:
[main]
pluginsync = trueIn addition, client devices running Junos OS Evolved
must include the certname statement in
the puppet.conf file and specify
the node’s certificate name. The Puppet master uses the certificate
name, which can be a hostname, an IP address, or any user-defined
name in lowercase characters, to identify the client.
[main]
certname = puppet-client
pluginsync = trueThe following example shows a sample puppet.conf file for an agent node running Junos OS:
[main]
libdir = $vardir/lib
logdir = $vardir/log/puppet
rundir = $vardir/run/puppet
ssldir = $vardir/ssl
moduledir = $libdir
factpath = $libdir/facter
pluginsync = true
[agent]
server = puppetmaster.example.com
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
The following example shows a sample puppet.conf file for an agent node running Junos
OS Evolved:
[main]
libdir = $vardir/lib
logdir = $vardir/log/puppet
rundir = $vardir/run/puppet
ssldir = $vardir/ssl
moduledir = $libdir
factpath = $libdir/facter
certname = agent01.example.com
pluginsync = true
[agent]
server = puppetmaster.example.com
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
For more information about Puppet configuration files, see the Puppet website at https://puppet.com/.
Configuring the Puppet for Junos OS Addressable Memory
On devices running Junos OS, the amount of memory available to Puppet is 64 MB by default. You can expand the usable memory to the system maximum values as defined in Table 5.
Table 5: Puppet Agent Execution Environment Memory Limits
Device | Upper Memory Limit |
|---|---|
EX4200, EX4500, EX4550 | 128 MB |
EX4300 | 64 MB |
MX5, MX10, MX40, MX80 | 64 MB |
MX104 | 64 MB |
MX240, MX480, MX960 | 2048 MB |
OCX1100 | 64 MB |
QFX3500, QFX3600 | 1024 MB |
QFX5100 | 64 MB |
QFX10002, QFX10008, QFX10016 | 1024 MB |
To expand the amount of memory available to the Puppet agent execution environment, including the Puppet agent and Facter processes:
- Log in to the Puppet agent using the Puppet user account username and password.
- In the Puppet user
$HOME/.cshrcfile, add thelimit data memorycommand to the file. For example:limit data 128M
Related Documentation
jpuppet packages are specific to the microprocessor architecture. In earlier
releases, the packages are specific to a particular platform.