How to Install Puppet 7 Server on Rocky Linux and AlmaLinux 8 (Step-by-Step)

Install and configure Puppet 7 server and agent on Rocky Linux 8 or AlmaLinux 8. Enable the Puppet repo, set hostname and puppet.conf, start puppetserver, sign the agent, and deploy Nginx with a simple manifest.

Puppet is a configuration management tool that uses a declarative language to describe system state. It uses an agent–master (server) model: a Puppet server compiles catalogs and serves them to Puppet agents on your nodes. In this guide you install Puppet 7 open-source server on Rocky Linux 8 or AlmaLinux 8 (and CentOS 8), configure the server and an agent, then deploy Nginx using a simple manifest.

Puppet is shipped as several packages: puppetserver (runs on the JVM and compiles catalogs), puppet-agent (runs on each node), and puppetdb (optional, for storing Puppet data). Here we use puppetserver and puppet-agent only.

In this guide you’ll:

  • Update the system, set hostname, and (optionally) set SELinux to permissive
  • Enable the Puppet 7 repo and install puppetserver and puppet-agent
  • Configure puppet.conf and memory for Puppet server, then start and enable services
  • Open port 8140, add Puppet binaries to PATH, and run the agent to get a signed certificate
  • Create a simple manifest to install and enable Nginx and verify it with puppet agent -t



Prerequisites

  • One or two machines running Rocky Linux 8, AlmaLinux 8, or CentOS 8 (one for server, optionally one for agent).
  • Root or sudo access.
  • Internet access to install packages and the Puppet repo.
  • Basic familiarity with the Linux terminal and vim (or another editor).


1. Ensure the servers are up to date

Update packages on the server (and agent, if separate):

sudo dnf -y update

2. Set the hostname

Puppet uses the server hostname for certificates and agent communication. On the Puppet server, set the hostname to a FQDN (replace with your own):

sudo hostnamectl set-hostname puppetmaster.citizix.com

Ensure the hostname resolves (DNS or /etc/hosts). Edit /etc/hosts:

sudo vim /etc/hosts

Add a line like (use your server’s IP and hostname):

10.2.40.54 puppetmaster.citizix.com puppetmaster

Confirm:

sudo hostnamectl

You should see Static hostname: puppetmaster.citizix.com (or your FQDN).

3. Set SELinux to permissive (optional)

Puppet can run with SELinux enabled, but for a first-time setup many guides use permissive mode to avoid permission issues. To set it temporarily without rebooting:

sudo setenforce 0

To make it persistent, edit /etc/sysconfig/selinux and set:

SELINUX=permissive

Then reboot, or keep using setenforce 0 until you reboot. Use disabled only if you understand the implications.

4. Install Puppet Server

Enable the Puppet 7 platform repository, then install the puppetserver package (Puppet Server runs on the JVM and compiles catalogs for agents):

sudo dnf install https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
sudo dnf install -y puppetserver

5. Configure Puppet master and agent

Memory for Puppet Server: Edit /etc/sysconfig/puppetserver and set the JVM heap (e.g. 1 GB):

sudo vim /etc/sysconfig/puppetserver

Set:

JAVA_ARGS="-Xms1g -Xmx1g"

Server and agent config: Edit puppet.conf:

sudo vim /etc/puppetlabs/puppet/puppet.conf

Add a [server] section with dns_alt_names (use your FQDN and short name), and a [main] section for the agent:

[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names=puppetmaster.citizix.com,puppetmaster

[main]
certname = puppetmaster.citizix.com
server = puppetmaster.citizix.com
environment = production
runinterval = 30m
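
A pre-flight check for this configuration, added here as an example and not part of the original guide: agents verify the server certificate against the name in server, so that name has to be the server's certname or one of its dns_alt_names. The function names and the sample are assumptions; the sample is constructed from the config above with a deliberately mismatched server value.

```shell
# Added example, not from the original guide. Meant for the Puppet server's own
# puppet.conf, where certname is the server's name.

# Constructed sample: the guide's settings with a mismatched "server" value.
sample_conf() {
  cat <<'EOF'
[server]
dns_alt_names=puppetmaster.citizix.com,puppetmaster

[main]
certname = puppetmaster.citizix.com
server = puppet.citizix.com
EOF
}

# Print the "server" name if it is NOT covered by certname or dns_alt_names.
# Reads the file given as $1, or stdin when no file is given.
uncovered_server_name() {
  awk '
    /^[ \t]*#/  { next }                      # comment
    /^[ \t]*\[/ { next }                      # section header such as [server]
    index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1)
      val = tolower(substr($0, index($0, "=") + 1))
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      if (key == "server")        server = val
      else if (key == "certname") names[val] = 1
      else if (key == "dns_alt_names") {
        n = split(val, alt, ",")
        for (i = 1; i <= n; i++) { sub(/^dns:/, "", alt[i]); names[alt[i]] = 1 }
      }
    }
    END {
      if (server == "") server = "puppet"     # Puppet default when unset
      if (!(server in names)) print server
    }
  ' "$@"
}

# Demo on the constructed sample: prints puppet.citizix.com
sample_conf | uncovered_server_name
```

On the server, run uncovered_server_name /etc/puppetlabs/puppet/puppet.conf before the first start of puppetserver; empty output means the name is covered.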

6. Start and enable Puppet server

Start the service and enable it on boot:

sudo systemctl start puppetserver
sudo systemctl enable puppetserver

Check status: sudo systemctl status puppetserver (should show active (running)). Verify the version:

puppetserver -v

Example output: puppetserver version: 7.4.1.

7. Open port 8140 on the firewall

Agents connect to the server on TCP 8140. If you use firewalld, open the port:

sudo firewall-cmd --add-port=8140/tcp --permanent
sudo firewall-cmd --reload

8. Add Puppet binaries to PATH

Puppet CLI tools live in /opt/puppetlabs/bin. Add it to your PATH so you can run puppet and facter without the full path:

echo 'export PATH=$PATH:/opt/puppetlabs/bin' | tee -a ~/.bashrc
source ~/.bashrc

9. Start the Puppet agent

On the same machine (or another node that will be an agent), start the Puppet agent so it contacts the server and requests a certificate:

sudo systemctl start puppet

Check status with sudo systemctl status puppet. The agent will run and try to get a cert from the server.

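Sign the certificate on the server: On the Puppet server, list pending requests with puppetserver ca list. Then sign the agent’s certificate with puppetserver ca sign --certname <agent-fqdn> (or puppetserver ca sign --all to sign every pending request). The older puppet cert subcommand was removed in Puppet 6, so it is not available on Puppet 7.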
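
One way to make the signing step deliberate instead of signing whatever is pending (added example, not from the original guide): read the request fingerprint on the agent with puppet agent --fingerprint, then sign only if the server's pending list shows the same fingerprint for that certname. The function names, the web01/db01 hosts and the fingerprints are constructed, and the column layout of the sample listing is an assumption.

```shell
# Added example, not from the original guide.
# Constructed sample of the server's pending-request listing: hosts and
# fingerprints are made up, and the column layout is an assumption.
sample_ca_list() {
  cat <<'EOF'
Requested Certificates:
    web01.citizix.com   (SHA256)  3A:7F:12:C4:9B:E0:55:6D:81:2A:F3:0E:47:B8:9C:D1:64:0B:A2:EE:19:73:5C:86:FD:20:3B:97:48:C5:6A:1E
    db01.citizix.com    (SHA256)  D4:08:6B:F1:2C:95:E7:30:AA:5E:13:C9:72:4F:B6:0D:8E:61:27:FA:9A:34:CB:50:E2:7D:16:89:A5:3C:F8:42
EOF
}

# Print the SHA256 fingerprint listed for certname $1 (CA listing on stdin).
pending_fingerprint() {
  awk -v name="$1" '
    { host = $1; gsub(/"/, "", host) }
    host == name {
      for (i = 2; i <= NF; i++)
        if (length($i) == 95 && $i ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/) {
          print toupper($i); exit
        }
    }'
}

# Succeed only if certname $1 is pending with the fingerprint in $2, given as
# bare hex pairs or in the "(SHA256) AA:BB:..." form (CA listing on stdin).
fingerprint_verified() {
  listed=$(pending_fingerprint "$1")
  expected=$(printf '%s\n' "$2" | awk '{ print toupper($NF) }')
  [ -n "$listed" ] && [ "$listed" = "$expected" ]
}

# Run as root on the Puppet server: sign_if_verified <certname> <fingerprint>
sign_if_verified() {
  if puppetserver ca list | fingerprint_verified "$1" "$2"; then
    puppetserver ca sign --certname "$1"
  else
    echo "not signing $1: no pending CSR with that fingerprint" >&2
    return 1
  fi
}

# Demo on the constructed sample (no Puppet needed): prints web01's fingerprint.
sample_ca_list | pending_fingerprint web01.citizix.com
```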

10. Verify the Puppet agent

After the server has signed the agent’s certificate, run a test run on the agent:

puppet agent --test

You should see output like:

Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetmaster.citizix.com
Info: Applying configuration version '1636097982'
Notice: Applied catalog in 0.02 seconds

That means the agent successfully pulled the catalog from the server and applied it.

11. Create a simple manifest to deploy Nginx

Manifests live under /etc/puppetlabs/code/environments/<environment>/manifests. We use the production environment. Create the site manifest:

cd /etc/puppetlabs/code/environments/production/manifests
sudo vim site.pp

Add the following (replace puppetmaster.citizix.com with your node’s FQDN if different):

node 'puppetmaster.citizix.com' {
  package { 'nginx':
    ensure => installed,
  }
  service { 'nginx':
    ensure => running,
    enable => true,
  }
}

Save and exit. Then on the agent (same machine or another node that has this hostname in its cert), run:

puppet agent -t

Puppet will fetch the catalog and apply it: Nginx is installed and the service is started and enabled. Example output:

Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetmaster.citizix.com
Info: Applying configuration version '1636098770'
Notice: .../Package[nginx]/ensure: created
Notice: .../Service[nginx]/ensure: ensure changed 'stopped' to 'running'
Notice: Applied catalog in 57.25 seconds

Check Nginx:

sudo systemctl status nginx

You should see active (running). The Nginx web server was installed and configured by Puppet.


Frequently Asked Questions (FAQ)

What is Puppet Server?

Puppet Server is the central component that runs on the JVM. It compiles catalogs from Puppet code and data, serves them to agents, and hosts the certificate authority for agent certificates. Agents request catalogs and apply them on their nodes.

What port does Puppet use?

Agents connect to the server on TCP 8140. Ensure this port is open on the firewall and that the hostname used in puppet.conf resolves to the server.

How do I sign a Puppet agent certificate?

On the Puppet server, run puppetserver ca list to see pending requests, then puppetserver ca sign --certname <agent-fqdn> to sign one agent, or puppetserver ca sign --all to sign all. The agent must have run at least once (e.g. sudo systemctl start puppet) so it has requested a cert. The older puppet cert subcommand was removed in Puppet 6.

Where are Puppet manifests stored?

Manifests live under /etc/puppetlabs/code/environments/<environment>/manifests/. The default environment is production. The main manifest is typically site.pp.


Conclusion

You installed Puppet 7 server and agent on Rocky Linux 8 (or AlmaLinux / CentOS 8): enabled the Puppet repo, configured hostname and puppet.conf, started and enabled puppetserver, opened port 8140, added Puppet to PATH, signed the agent certificate, and deployed Nginx with a simple manifest. For Puppet 7 on Rocky/AlmaLinux 9, see How to Install Puppet 7 Server on Rocky Linux/Alma Linux 9. For Ubuntu, see Puppet 7 on Ubuntu 22.04 or Ubuntu 20.04.
