How to Install Puppet 8 Server on Rocky Linux and AlmaLinux 9 (Step-by-Step)

Install and configure Puppet 8 server and agent on Rocky Linux 9 or AlmaLinux 9. Enable the Puppet 8 repo, set hostname and puppet.conf, start puppetserver, sign the agent, and deploy Nginx with a simple manifest.

Puppet is a configuration management tool that uses a declarative language to describe system state. It uses an agent–server (master) model: a Puppet server compiles catalogs and serves them to Puppet agents on your nodes. In this guide you install Puppet 8 open-source server on Rocky Linux 9 or AlmaLinux 9, configure the server and an agent, then deploy Nginx using a simple manifest.

Puppet is shipped as several packages: puppetserver (runs on the JVM and compiles catalogs), puppet-agent (runs on each node), and puppetdb (optional, for storing Puppet data). Here we use puppetserver and puppet-agent only.

In this guide you’ll:

  • Update the system, set hostname, and (optionally) set SELinux to permissive
  • Enable the Puppet 8 repo for EL 9 and install puppetserver and puppet-agent
  • Configure puppet.conf and memory for Puppet server, then start and enable services
  • Open port 8140, add Puppet binaries to PATH, and run the agent (including signing the certificate)
  • Create a simple manifest to install and enable Nginx and verify with puppet agent -t



Prerequisites

  • One or two machines running Rocky Linux 9 or AlmaLinux 9 (one for server, optionally one for agent).
  • Root or sudo access.
  • Internet access to install packages and the Puppet repo.
  • Basic familiarity with the Linux terminal and vim (or another editor).


1. Ensure the servers are up to date

Update packages on the server (and agent, if separate):

sudo dnf -y update

Optionally install an editor (e.g. vim): sudo dnf install -y vim.

2. Set the hostname

Puppet uses the server hostname for certificates and agent communication. On the Puppet server, set the hostname to a FQDN (replace with your own):

sudo hostnamectl set-hostname puppetmaster.citizix.com

Ensure the hostname resolves (DNS or /etc/hosts). Edit /etc/hosts:

sudo vim /etc/hosts

Add a line like (use your server’s IP and hostname):

10.10.26.147 puppetmaster.citizix.com puppetmaster

Confirm:

$ sudo hostnamectl

 Static hostname: puppetmaster.citizix.com
       Icon name: computer-vm
         Chassis: vm
      Machine ID: b4755196148c45b3bd8ab5cae8d30704
         Boot ID: 72db802f54fb42059651d746580be0eb
  Virtualization: xen
Operating System: Rocky Linux 9.5 (Blue Onyx)
     CPE OS Name: cpe:/o:rocky:rocky:9::baseos
          Kernel: Linux 5.14.0-503.14.1.el9_5.x86_64
    Architecture: x86-64
 Hardware Vendor: Xen
  Hardware Model: HVM domU
Firmware Version: 4.11.amazon

3. Set SELinux to permissive (optional)

Puppet can run with SELinux enabled, but for a first-time setup many guides use permissive mode. To set it temporarily without rebooting:

sudo setenforce 0

To make it persistent, edit /etc/sysconfig/selinux:

SELINUX=permissive

Then reboot, or keep using setenforce 0 until you reboot. Use disabled only if you understand the implications.

4. Install Puppet Server

Enable the Puppet 8 repository for Enterprise Linux 9, then install the puppetserver package:

sudo dnf install https://yum.puppet.com/puppet8-release-el-9.noarch.rpm
sudo dnf install -y puppetserver

5. Configure Puppet master and agent

Memory for Puppet Server: Edit /etc/sysconfig/puppetserver and set the JVM heap (e.g. 1 GB):

sudo vim /etc/sysconfig/puppetserver

Set:

JAVA_ARGS="-Xms1g -Xmx1g"

Server and agent config: Edit puppet.conf:

sudo vim /etc/puppetlabs/puppet/puppet.conf

Add a [server] section with dns_alt_names (use your FQDN and short name), and a [main] section for the agent:

[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names=puppetmaster.citizix.com,puppetmaster

[main]
certname = puppetmaster.citizix.com
server = puppetmaster.citizix.com
environment = production
runinterval = 30m

6. Start and enable Puppet server

Start the service and enable it on boot:

sudo systemctl start puppetserver
sudo systemctl enable puppetserver

Check status: sudo systemctl status puppetserver (should show active (running)). Verify the version:

$ sudo systemctl status puppetserver

● puppetserver.service - puppetserver Service
     Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-12-14 12:05:39 UTC; 3min 2s ago
    Process: 35334 ExecStart=/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver start (code=exited, status=0/SUCCESS)
   Main PID: 35385 (java)
      Tasks: 49 (limit: 4915)
     Memory: 728.3M
        CPU: 40.976s
     CGroup: /system.slice/puppetserver.service
             └─35385 /usr/bin/java --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED -Xms1g -Xmx1g -Djruby.>

Dec 14 12:05:38 puppetmaster.citizix.com puppetserver[35385]: 12:05:38,777 |-INFO in ch.qos.logback.access.joran.JoranConfigurator@73ab859e - Re>
Dec 14 12:05:39 puppetmaster.citizix.com systemd[1]: Started puppetserver Service.

Example output: puppetserver version: 8.7.0.

7. Open port 8140 on the firewall

Agents connect to the server on TCP 8140. If you use firewalld, open the port:

sudo firewall-cmd --add-port=8140/tcp --permanent
sudo firewall-cmd --reload

8. Add Puppet binaries to PATH

Puppet CLI tools live in /opt/puppetlabs/bin. Add it to your PATH so you can run puppet and facter without the full path:

echo 'export PATH=$PATH:/opt/puppetlabs/bin' | tee -a ~/.bashrc
source ~/.bashrc

9. Start the Puppet agent

On the same machine (or another node that will be an agent), start the Puppet agent so it contacts the server and requests a certificate:

sudo systemctl start puppet

Check status with sudo systemctl status puppet.

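Sign the certificate on the server: On the Puppet server, list pending certificate requests with puppetserver ca list. Then sign the agent’s certificate with puppetserver ca sign --certname <agent-fqdn> (or puppetserver ca sign --all to sign all pending requests). The older puppet cert subcommand was removed in Puppet 6 and is not available in Puppet 8.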

$ sudo systemctl status puppet

● puppet.service - Puppet agent
     Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-12-14 12:11:00 UTC; 5s ago
       Docs: man:puppet-agent(8)
   Main PID: 35596 (puppet)
      Tasks: 5 (limit: 10864)
     Memory: 115.8M
        CPU: 2.370s
     CGroup: /system.slice/puppet.service
             ├─35596 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize
             └─35597 "puppet agent: applying configuration"

Dec 14 12:11:00 puppetmaster.citizix.com systemd[1]: Started Puppet agent.
Dec 14 12:11:01 puppetmaster.citizix.com puppet-agent[35596]: Starting Puppet client version 8.10.0
Dec 14 12:11:04 puppetmaster.citizix.com puppet-agent[35597]: Requesting catalog from puppetmaster.citizix.com:8140 (10.10.26.147)
Dec 14 12:11:05 puppetmaster.citizix.com puppet-agent[35597]: Catalog compiled by puppetmaster.citizix.com
Dec 14 12:11:05 puppetmaster.citizix.com puppet-agent[35597]: Applied catalog in 0.03 seconds
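
Signing with --all approves every pending request, so on a server that real nodes register with it helps to sign only requests whose fingerprint you have confirmed on the agent. The following is an added example, not part of the original guide: a shell filter over the output of puppetserver ca list that prints only certnames whose SHA256 fingerprint matches an allowlist and that request no alt names. The allowlist file format, the sample output, and the function names are constructed for illustration, and the list layout (certname, (SHA256), fingerprint, optional alt names) is an assumption.

```shell
#!/bin/sh
# Added example: sign only CSRs whose fingerprint was verified out-of-band.
# Assumed `puppetserver ca list` line layout:
#   <certname>  (SHA256)  <fingerprint>  [alt names: [...]]
# Allowlist file (hypothetical format): "<certname> <fingerprint>" per line,
# filled in from `puppet agent --fingerprint` run on each agent.

# Usage: puppetserver ca list | vetted_certnames ALLOWLIST
# Prints the certnames that are safe to sign; skip reasons go to stderr.
vetted_certnames() {
  awk -v allow="$1" '
    BEGIN {
      while ((getline line < allow) > 0) {
        n = split(line, f, " ")
        if (n >= 2 && f[1] !~ /^#/) want[f[1]] = toupper(f[2])
      }
    }
    $2 == "(SHA256)" {
      name = $1; fp = toupper($3); why = ""
      if (!(name in want))         why = "not in allowlist"
      else if (want[name] != fp)   why = "fingerprint mismatch"
      else if ($0 ~ /alt names:/)  why = "requests alt names, review by hand"
      if (why != "") { print "SKIP " name ": " why > "/dev/stderr"; next }
      print name
    }'
}

# Constructed sample output; fingerprints are shortened placeholders.
sample_ca_list() {
  cat <<'EOF'
Requested Certificates:
    web01.example.com   (SHA256)  AA:11:22:33
    db01.example.com    (SHA256)  EE:EE:EE:EE
    rogue.example.com   (SHA256)  CC:77:88:99
    alt01.example.com   (SHA256)  DD:AA:BB:CC  alt names: ["DNS:puppetmaster.citizix.com"]
EOF
}

demo() {
  allow=$(mktemp)
  printf '%s\n' 'web01.example.com AA:11:22:33' \
    'db01.example.com BB:44:55:66' 'alt01.example.com dd:aa:bb:cc' > "$allow"
  sample_ca_list | vetted_certnames "$allow"
  rm -f "$allow"
}

demo
# Real use: puppetserver ca list | vetted_certnames allow.txt |
#   while read -r n; do puppetserver ca sign --certname "$n"; done
```
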

10. Verify the Puppet agent

After the server has signed the agent’s certificate, run a test run on the agent:

# puppet agent --test

Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from puppetmaster.citizix.com:8140 (10.10.26.147)
Notice: Catalog compiled by puppetmaster.citizix.com
Info: Caching catalog for puppetmaster.citizix.com
Info: Applying configuration version '1734178301'
Notice: Applied catalog in 0.02 seconds

That means the agent successfully pulled the catalog from the server and applied it.

11. Create a simple manifest to deploy Nginx

Manifests live under /etc/puppetlabs/code/environments/<environment>/manifests. We use the production environment. Create the site manifest:

cd /etc/puppetlabs/code/environments/production/manifests
sudo vim site.pp

Add the following (replace puppetmaster.citizix.com with your node’s FQDN if different):

node 'puppetmaster.citizix.com' {
  package { 'nginx':
    ensure => installed,
  }
  service { 'nginx':
    ensure => running,
    enable => true,
  }
}

Save and exit. Then on the agent, run:

puppet agent -t

Puppet will fetch the catalog and apply it: Nginx is installed and the service is started and enabled. Example output:

# puppet agent --test

Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from puppetmaster.citizix.com:8140 (10.10.26.147)
Notice: Catalog compiled by puppetmaster.citizix.com
Info: Caching catalog for puppetmaster.citizix.com
Info: Applying configuration version '1734178389'
Notice: /Stage[main]/Main/Node[puppetmaster.citizix.com]/Package[nginx]/ensure: created
Notice: /Stage[main]/Main/Node[puppetmaster.citizix.com]/Service[nginx]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Main/Node[puppetmaster.citizix.com]/Service[nginx]: Unscheduling refresh on Service[nginx]
Notice: Applied catalog in 3.72 seconds

Check Nginx:

# systemctl status nginx

● nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)
     Active: active (running) since Sat 2024-12-14 12:13:17 UTC; 29s ago
   Main PID: 35970 (nginx)
      Tasks: 2 (limit: 10864)
     Memory: 2.0M
        CPU: 21ms
     CGroup: /system.slice/nginx.service
             ├─35970 "nginx: master process /usr/sbin/nginx"
             └─35972 "nginx: worker process"

Dec 14 12:13:17 puppetmaster.citizix.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 14 12:13:17 puppetmaster.citizix.com nginx[35968]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Dec 14 12:13:17 puppetmaster.citizix.com nginx[35968]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Dec 14 12:13:17 puppetmaster.citizix.com systemd[1]: Started The nginx HTTP and reverse proxy server.

You should see active (running). The Nginx web server was installed and configured by Puppet.


Frequently Asked Questions (FAQ)

What is Puppet Server?

Puppet Server is the central component that runs on the JVM. It compiles catalogs from Puppet code and data, serves them to agents, and hosts the certificate authority for agent certificates.

What port does Puppet use?

Agents connect to the server on TCP 8140. Ensure this port is open on the firewall and that the hostname in puppet.conf resolves to the server.

How do I sign a Puppet agent certificate?

On the Puppet server, run puppetserver ca list to see pending requests, then puppetserver ca sign --certname <agent-fqdn> to sign one agent, or puppetserver ca sign --all to sign all. The agent must have run at least once so it has requested a cert.

Where are Puppet manifests stored?

Manifests live under /etc/puppetlabs/code/environments/<environment>/manifests/. The default environment is production; the main manifest is typically site.pp.

What is the difference between Puppet 7 and Puppet 8?

Puppet 8 uses a newer Ruby and has updated dependencies; the EL 9 repo is puppet8-release-el-9. The setup steps (repo, puppet.conf, cert signing, manifests) are the same. Use Puppet 8 on Rocky/AlmaLinux 9 and Puppet 7 on EL 8 if you need to stay on the older series.


Conclusion

You installed Puppet 8 server and agent on Rocky Linux 9 or AlmaLinux 9: enabled the Puppet 8 repo, configured hostname and puppet.conf, started and enabled puppetserver, opened port 8140, added Puppet to PATH, signed the agent certificate, and deployed Nginx with a simple manifest. For Puppet 7 on Rocky/AlmaLinux 8, see How to Install Puppet 7 Server on Rocky Linux/CentOS 8. For Ubuntu, see Puppet 7 on Ubuntu 22.04 or Ubuntu 20.04.
