a13698822086 posted on 2018-8-3 10:01:30

Installing puppet on centos5

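  Environment:
  OS: centos5.6
  puppet server: 192.168.56.123 puppet-server
  puppet client: 192.168.56.124 client
  Note: do a minimal install of centos5.6 and set the correct IP and hostname before continuing with the steps below; if you install puppet first and change the hostname afterwards, the CA files that puppet generated can no longer be used.
  Install the extra repository (on both the server and the client):
  Visit https://fedoraproject.org/wiki/EPEL/zh-cn and choose the matching epel-release package.
  Install: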
  wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
  rpm -Uvh epel-release-5-4.noarch.rpm
  Install the ntp time synchronization program:
  yum install -y ntp
  Add time synchronization to crontab:
  vi /etc/crontab
  Add:
  5 * * * * root /sbin/ntpdate pool.ntp.org >/dev/null 2>&1
  Server installation:
  yum install -y puppet-server ruby ruby-rdoc
  chkconfig --level 35 puppetmaster on
  Add the client to hosts:
  vi /etc/hosts
  192.168.56.124 client
  Start the puppet server:
  Create three directories:
  mkdir -p /etc/puppet/manifests/{classes,files,nodes}
  Set the global parameters:
  vi /etc/puppet/manifests/site.pp
  Add:
  import "nodes/*.pp"
  import "classes/*.pp"
  Create the classes:
  vi /etc/puppet/manifests/classes/test_class.pp
  Edit:
  class test_class {
    file { "/tmp/testfiles":
      ensure => present,
      mode => 644,
      owner => root,
      group => root
    }
  }
  vi /etc/puppet/manifests/classes/linux_Environment_class.pp
  Edit:
  class linux_Environment_class {
    file { "/etc/profile.d/global.sh":
      source => "puppet://puppet-server/files/global.sh",
      ensure => present,
      mode => 644,
      owner => root,
      group => root
    }
  }
  Add the node host:
  vi /etc/puppet/manifests/nodes/client.pp
  Edit:
  node client {
    include test_class
    include linux_Environment_class
  }
  Configure the file service on the server:
  vi /etc/puppet/fileserver.conf
  Add:
  [files]
  path /etc/puppet/manifests/files
  allow 192.168.56.0/24
  Create the folder that holds the files:
  mkdir -p /etc/puppet/manifests/files
  Copy the global.sh file to /etc/puppet/manifests/files:
  scp root@192.168.56.107:/etc/profile.d/global.sh /etc/puppet/manifests/files/global.sh
  How to configure the puppet server to sign clients automatically:
  Edit /etc/puppet/puppet.conf and add the following:
  vi /etc/puppet/puppet.conf
  
  autosign=true
  autosign = /etc/puppet/autosign.conf
  Then edit /etc/puppet/autosign.conf and add * to mean all hosts, or add a domain name, for example:
  vi /etc/puppet/autosign.conf
  Add:
  *
  *.example.com
  Start the server:
  service puppetmaster start
  Check whether the server started successfully:
  ps aux|grep 'puppet'|grep -v grep
  Note: if it did not, check the relevant logs:
  tail -f /var/log/messages |grep 'puppet'
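  Client installation:
  yum install -y puppet ruby ruby-rdoc
  chkconfig --level 35 puppet on
  Modify the client configuration:
  vi /etc/puppet/puppet.conf
  Add:
  runinterval = 30 #30 seconds
  server=puppet-server
  listen = true
  Note: runinterval defaults to 1800 seconds; it is the interval, in seconds, between checks for updates.
  server specifies the name of the puppet server.
  listen opens the local listening port 8139.
  Add the server to hosts:
  vi /etc/hosts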
  192.168.56.123 puppet-server
  Start the client:
  /etc/init.d/puppet start
  Send a test request from the client to the server:
  puppetd --test --server puppet-server
  The following output appears:
  # puppetd --test --server puppet-server
  warning: peer certificate won't be verified in this SSL session
  info: Caching certificate for ca
  warning: peer certificate won't be verified in this SSL session
  warning: peer certificate won't be verified in this SSL session
  info: Creating a new SSL certificate request for client
  info: Certificate Request fingerprint (md5): EB:86:71:EB:22:65:0A:A0:93:AD:FB:DD:8D:60:44:A3
  warning: peer certificate won't be verified in this SSL session
  warning: peer certificate won't be verified in this SSL session
  warning: peer certificate won't be verified in this SSL session
  Exiting; no certificate found and waitforcert is disabled
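  This warning appears because the client is connecting to the server over SSL, and since the server has not yet signed the client's cert, the client is disconnected.
  So on the server, run:
  puppetca --list
  The following output appears: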
  # puppetca --list
  client (EB:86:71:EB:22:65:0A:A0:93:AD:FB:DD:8D:60:44:A3)
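  The server shows the information of the client that made the request.
  On the server, run:
  puppetca -s -a
  Note: this command approves all client requests in the list. To sign the request of a single client, run: puppetca -s client
  The following output appears: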
  # puppetca -s -a
  notice: Signed certificate request for client
  notice: Removing file Puppet::SSL::CertificateRequest client at '/var/lib/puppet/ssl/ca/requests/client.pem'
  On the client, run again:
  # puppetd --test --server puppet-server
  warning: peer certificate won't be verified in this SSL session
  info: Caching certificate for client
  info: Caching certificate_revocation_list for ca
  info: Caching catalog for client
  info: Applying configuration version '1328494632'
  notice: /Stage/Test_class/File/ensure: created
  notice: /Stage/Linux_environment_class/File/ensure: defined content as '{md5}8869bd495610ff47b88f866a15ac746d'
  info: Creating state file /var/lib/puppet/state/state.yaml
  notice: Finished catalog run in 0.22 seconds
  At this point, the testfiles file and the global.sh file have both been created and copied.
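
An added example, not part of the original post: a shell check that flags the auto-signing settings used above (autosign=true in puppet.conf and a bare * in autosign.conf), under which certificate requests are signed without the fingerprint comparison that the puppetca --list step allows. The names audit_autosign and demo and the scratch-directory sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag auto-signing settings on a
# puppet master that let unverified agents obtain a signed certificate.

# audit_autosign PUPPET_CONF AUTOSIGN_CONF
# Prints one finding per line; prints nothing when neither file enables
# broad auto-signing. Both paths are passed in so copies can be audited.
audit_autosign() {
    conf=$1 list=$2
    # Any "autosign = true" line means every CSR is signed without review.
    if grep -Eq '^[[:space:]]*autosign[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf"; then
        echo "CRITICAL $conf: autosign=true signs every certificate request"
    fi
    [ -r "$list" ] || return 0
    # Allowlist entries are certname globs, one per line.
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s\n' "$entry" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case $entry in
            ''|'#'*) ;;   # blank line or full-line comment
            '*') echo "CRITICAL $list: '*' signs every certificate request" ;;
            *'*'*) echo "WARN $list: '$entry' signs any certname matching the glob" ;;
        esac
    done < "$list"
    return 0
}

# Constructed sample: the settings from the post, written to a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'autosign=true\nautosign = /etc/puppet/autosign.conf\n' > "$dir/puppet.conf"
    printf '*\n*.example.com\n' > "$dir/autosign.conf"
    audit_autosign "$dir/puppet.conf" "$dir/autosign.conf"
    rm -rf "$dir"
}

demo
```

On a real master, pass /etc/puppet/puppet.conf and /etc/puppet/autosign.conf; an allowlist that names exact certnames such as client produces no findings.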