nhenbei posted on 2015-11-26 14:08:07

Puppet installation and application


Installing, configuring and using Puppet


Learning Puppet automated configuration management from scratch: series documentation

The prerequisites for Puppet (network, name resolution, yum repository, NTP) were set up in the previous chapter, so next we install Puppet itself. Installing Puppet is actually simple: the vendor already provides a yum repository, so you only need to download the packages you need and build a local yum repository from them. Note: this exercise uses custom certname values throughout; if certname is not set, the value of the system hostname is used by default.


I. Installing the Puppetmaster


1. Install puppet-server and puppet

sudo rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
vi /etc/yum.repos.d/puppetlabs.repo
#Locate the stanza, and change the value of the enabled key from 0 to 1
yum install -y puppet-server puppet
/etc/init.d/puppetmaster start #start later
Ref: https://docs.puppetlabs.com/guides/install_puppet/install_el.html


2. Configure puppet.conf. Note: two certname values are set in this file. The certname in the [master] section is the master's name, used when authenticating all nodes; the certname in the [agent] section is the name of the master host's own agent. If the latter is not set, it defaults to the same value as the master's name.

# cp /etc/puppet/puppet.conf{,.bak}   # back up first
# vim /etc/puppet/puppet.conf   # comments already stripped

[main]
logdir = /var/log/puppet   # default log directory
rundir = /var/run/puppet   # pid file directory
ssldir = $vardir/ssl   # certificate directory; $vardir defaults to /var/lib/puppet

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppetmaster.kisspuppet.com   # master the agent connects to for authentication; this name must resolve on every node
certname = puppetmaster_cert.kisspuppet.com   # certname of this host's own agent

[master]
certname = puppetmaster.kisspuppet.com   # name of the puppetmaster's certificate, used to authenticate all nodes
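The two certname values above are easy to confuse because the same file serves both the agent and the master process. As an added illustration (not code from the original post or from the kisspuppet.com series), the POSIX shell helper below resolves a setting the way Puppet does: the value from the section the process runs as ([agent] or [master]) wins, and [main] is the fallback. The puppet.conf contents are a constructed copy of the file in step 2, with the standard [main]/[agent]/[master] section headers assumed.

```sh
#!/bin/sh
# Constructed copy of the puppet.conf from step 2 above; the [main]/[agent]/[master]
# section headers are assumed from Puppet's standard layout.
SAMPLE_PUPPET_CONF='[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppetmaster.kisspuppet.com
certname = puppetmaster_cert.kisspuppet.com

[master]
certname = puppetmaster.kisspuppet.com'

# conf_get SECTION KEY CONF
# Print the value of KEY as seen by a Puppet process running as SECTION
# (agent or master): the section's own setting wins, otherwise [main] applies.
# Prints nothing if neither section defines the key.
conf_get() {
    printf '%s\n' "$3" | awk -v want="$1" -v key="$2" '
        /^\[/ { cur = substr($0, 2, length($0) - 2); next }
        $1 == key && $2 == "=" {
            if (cur == want) { specific = $3 } else if (cur == "main") { fallback = $3 }
        }
        END { if (specific != "") print specific; else if (fallback != "") print fallback }'
}

# certnames CONF
# Print "<agent certname> <master certname>" so the two identities can be
# compared at a glance; on this master they are deliberately different.
certnames() {
    printf '%s %s\n' "$(conf_get agent certname "$1")" "$(conf_get master certname "$1")"
}

# Stand-alone run: show what each role sees.
certnames "$SAMPLE_PUPPET_CONF"
conf_get agent logdir "$SAMPLE_PUPPET_CONF"
```

Running it prints `puppetmaster_cert.kisspuppet.com puppetmaster.kisspuppet.com` followed by `/var/log/puppet`: the agent and master identities differ, while logdir is inherited from [main] by both.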


3. Create the site.pp file. site.pp is the entry point from which Puppet starts reading the .pp files of all modules; in versions before 3.0 it had to exist, otherwise the service would not start.

# touch /etc/puppet/manifests/site.pp


4. Start the puppetmaster service

# /etc/init.d/puppetmaster start
Starting puppetmaster:

# chkconfig puppetmaster on   # start on boot


5. Check the local certificates. On its first start, puppetmaster automatically generates certificates and registers itself.

# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       └── puppetmaster.kisspuppet.com.pem   # already signed
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.kisspuppet.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.kisspuppet.com.pem
└── public_keys
    └── puppetmaster.kisspuppet.com.pem
9 directories, 13 files
# puppet cert --list --all   # a leading + marks a certificate that is already signed
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")


6. Check the listening state. Once the puppetmaster service is running, it listens on TCP port 8140 by default.

# netstat -nlatp | grep 8140
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      1976/ruby
# lsof -i:8140
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
puppetmas 1976 puppet    5u  IPv4  14331      0t0  TCP *:8140 (LISTEN)


II. Installing the Agent


Using agent1 as the example

1. Install puppet

sudo rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
vi /etc/yum.repos.d/puppetlabs.repo
#Locate the stanza, and change the value of the enabled key from 0 to 1
yum install -y puppet


2. Configure puppet.conf

# cp /etc/puppet/puppet.conf{,.bak}
# vim /etc/puppet/puppet.conf

[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppetmaster.kisspuppet.com   # points at the puppetmaster
certname = agent1_cert.kisspuppet.com   # this node's own certname


3. Start the agent in test mode so the node sends a certificate request to the puppetmaster

# puppet agent --test
info: Creating a new SSL key for agent1_cert.kisspuppet.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
Exiting; no certificate found and waitforcert is disabled


4. Confirm the request on the server side

# puppet cert --list --all   # show certificate status
  "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)   # not yet signed
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
# puppet cert --sign agent1_cert.kisspuppet.com   # sign agent1
notice: Signed certificate request for agent1_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'
# puppet cert --list --all   # check the status again
+ "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
# tree /var/lib/puppet/ssl/   # another way to see which certificates are signed
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent1_cert.kisspuppet.com.pem   # now signed
│       └── puppetmaster.kisspuppet.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.kisspuppet.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.kisspuppet.com.pem
└── public_keys
    └── puppetmaster.kisspuppet.com.pem
9 directories, 14 files


5. Authenticate the remaining nodes together

# puppet agent --test   # the puppetmaster requests a certificate for its own agent
info: Creating a new SSL key for puppetmaster_cert.kisspuppet.com
info: Creating a new SSL certificate request for puppetmaster_cert.kisspuppet.com
info: Certificate Request fingerprint (md5): 7D:AC:F7:97:04:2B:E4:C5:74:4A:16:05:DB:F6:6A:98
Exiting; no certificate found and waitforcert is disabled
# puppet cert --sign --all   # sign every pending request
notice: Signed certificate request for puppetmaster_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest puppetmaster_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/puppetmaster_cert.kisspuppet.com.pem'
notice: Signed certificate request for agent2_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent2_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent2_cert.kisspuppet.com.pem'
notice: Signed certificate request for agent3_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent3_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent3_cert.kisspuppet.com.pem'
# puppet cert --list --all   # list all node certificates
+ "agent1_cert.kisspuppet.com"       (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
+ "agent2_cert.kisspuppet.com"       (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "agent3_cert.kisspuppet.com"       (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
+ "puppetmaster.kisspuppet.com"      (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
+ "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)
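Step 4 signs one request by name, while step 5 signs everything pending at once with `puppet cert --sign --all`. The fingerprint that `puppet agent --test` prints on the node (step 3) is the same one the master shows in `puppet cert --list`, so a sign step can be gated on the two matching: a request whose fingerprint the node's operator cannot confirm is left unsigned rather than accepted along with the rest. As an added example (not code from the original post or from the kisspuppet.com series), the POSIX shell functions below implement that gate over a constructed `puppet cert --list --all` listing built from the certnames and fingerprints shown above. `sign_if_verified` only prints the command it would run, so it can be tried without a puppetmaster.

```sh
#!/bin/sh
# Constructed sample of `puppet cert --list --all` output, using the certnames and
# fingerprints from the post above: two pending requests and one signed certificate.
SAMPLE_CERT_LIST='  "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)
  "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")'

# pending_requests LISTING: certnames of requests not yet signed (no leading '+').
pending_requests() {
    printf '%s\n' "$1" | awk 'NF && $1 != "+" { gsub(/"/, "", $1); print $1 }'
}

# is_signed NAME LISTING: true if the master already holds a signed cert for NAME.
is_signed() {
    printf '%s\n' "$2" | grep -q "^+ *\"$1\""
}

# fingerprint_of NAME LISTING: the fingerprint the master recorded for NAME, or empty.
# The alt-names group on signed lines is skipped because it is not a hex:hex run.
fingerprint_of() {
    printf '%s\n' "$2" | grep -F "\"$1\"" \
        | sed -n 's/.*(\([0-9A-F][0-9A-F]\(:[0-9A-F][0-9A-F]\)*\)).*/\1/p' | head -n 1
}

# verify_request NAME EXPECTED LISTING
# Compare EXPECTED (the fingerprint printed on the node by `puppet agent --test`)
# with the master's copy. Prints one of: match, mismatch, missing, already-signed.
verify_request() {
    if is_signed "$1" "$3"; then echo already-signed; return 0; fi
    actual=$(fingerprint_of "$1" "$3")
    if [ -z "$actual" ]; then echo missing; return 1; fi
    if [ "$actual" = "$2" ]; then echo match; return 0; fi
    echo mismatch; return 1
}

# sign_if_verified NAME EXPECTED LISTING
# The gate to use instead of `puppet cert --sign --all`: prints the sign command
# only when the fingerprints agree (dry run, nothing is executed here).
sign_if_verified() {
    result=$(verify_request "$1" "$2" "$3" || true)
    case $result in
        match)          echo "puppet cert --sign $1"; return 0 ;;
        already-signed) echo "# $1 is already signed"; return 0 ;;
        *)              echo "# refusing to sign $1: fingerprint check returned '$result'" >&2; return 1 ;;
    esac
}

# Stand-alone run: list pending requests, then gate each one. The second call uses
# a constructed wrong fingerprint and is refused.
pending_requests "$SAMPLE_CERT_LIST"
sign_if_verified agent1_cert.kisspuppet.com 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9 "$SAMPLE_CERT_LIST"
sign_if_verified agent2_cert.kisspuppet.com 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF "$SAMPLE_CERT_LIST" || true
```

On a real master the listing would come from `puppet cert --list --all` and the expected fingerprint from the node's `puppet agent --test` output; the only line that changes is the dry-run `echo`, which becomes the actual `puppet cert --sign` call.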


http://kisspuppet.com/2014/03/08/puppet_learning_base4/

Examples:
http://kisspuppet.com/

http://dongxicheng.org/cluster-managemant/puppet/

http://puppet.wikidot.com/puppetnginx