|
|
注意事项:
A:客户端和服务器端版本要一致。如果版本不一致的话,那么高版本的只能是puppet server,另一台只能为puppet客户端,也就是说puppet 服务端的版本可以 大于或者等于客户端版本,不可以小与.
B:由于SSL证书依赖时间同步。请注意服务端与客户端保持一致。推荐使用ntp 同步时间。
C:由于基于主机名,推荐使用FQDN标准格式 如:master.puppet.com。认证过后请不要随便修改主机名。
一准备工作:
环境: 一台master ip地址192.168.1.220 一台slaveip地址192.168.1.223
1.修改两台机器的主机名.
修改master机器
vim /etc/sysconfig/network
HOSTNAME=master.puppet.com
修改slave机器
vim /etc/sysconfig/network
HOSTNAME=slave.puppet.com
以上方法修改重启后生效,如果不想重启两台机器分别在用命令hostname来修改主机名.如 hostname xxx.puppet.com.
2.同步机器的时间(这一点很重要)
两台机器分别执行如下命令
ntpdate asia.pool.ntp.org
3.修改hosts文件,因为puppet靠主机名通信.
修改master的hosts文件
vim /etc/hosts
192.168.1.220 master.puppet.com
192.168.1.223 slave.puppet.com
修改slave的hosts文件
vim /etc/hosts
192.168.1.220 master.puppet.com
192.168.1.223 slave.puppet.com
二 安装puppet
master主机安装puppet
yum -y install ruby ruby-libs ruby-shadow
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
#源如果失效请手动下载puppet2.7.32 puppet-server2.7.32 facter1.6.18 地址http://dl.fedoraproject.org/pub/epel/6/x86_64/
rpm -Uvh epel-release-6-8.noarch.rpm
yum -y install puppet puppet-server facter
slave主机安装puppet
yum install ruby ruby-libs ruby-shadow
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm
yum -y install puppet facter
至此如果安装过程不报错的话,puppet已经安装成功了。如果报错请google.
三 puppet的启动
启动master服务端的进程
启动之前必须先创建site.pp文件,site.pp文件是启动puppet server必须存在的.文件里面不用输入任何字符,只需要这个文件存在就可以!
touch /etc/puppet/manifests/site.pp
然后使用启动命令: puppet master --verbose --no-daemonize
注:这种方式启动有助于测试和调试错误.你可以看到启动的整个过程,启动过程会做一些初始化的工作,为master创建本地证书认证中心,证书和key。并打开socket等待client的连接。你可以在/etc/puppet/ssl目录看到相关的文件和目录。
[root@master puppet]# puppet master --verbose --no-daemonize
info: Creating a new SSL key for ca
info: Creating a new SSL certificate request for ca
info: Certificate Request fingerprint (md5): 6B:A7:DE:0B:C7:BA:29:99:8A:1A:DD:42:50:CC:33:E0
notice: Signed certificate request for ca
notice: Rebuilding inventory file
info: Creating a new certificate revocation list
info: Creating a new SSL key for master.limit.centos
info: Creating a new SSL certificate request for master.limit.centos
info: Certificate Request fingerprint (md5): 10:90:1A:D5:E2:94:47:71:F4:5D:44:6E:CF:DE:F0:EB
notice: master.limit.centos has a waiting certificate request
notice: Signed certificate request for master.limit.centos
notice: Removing file Puppet::SSL::CertificateRequest master.limit.centos at '/etc/puppet/ssl/ca/requests/master.puppet.centos.pem'
notice: Removing file Puppet::SSL::CertificateRequest master.limit.centos at '/etc/puppet/ssl/certificate_requests/master.puppet.centos.pem'
notice: Starting Puppet master version 2.7.23
注: 按ctrl + c 结束上面的进程!(貌似不会自动退出) 以守护进程的方式启动 /etc/rc.d/init.d/puppetmaster restart
如果你的puppet的根目录没有ssl目录可以到/var/lib/puppet/目录查找, ssl目录的位置是在puppet.conf文件中指定的.我的默认是在/var/lib/puppet/目录下,经过修改ssldir = /etc/puppet/ssl 把ssl目录的位置定义到了/etc/puppet/目录下. /etc/puppet/目录是puppet安装的根目录.
slave端的启动与授权.
1,修改slave主机的puppet.conf配置文件.在[main]段添加 server = master.puppet.com
2.slave连接master申请证书
在slave上使用命令: puppet agent --server=master.puppet.com --no-daemonize --verbose
info: Creating a new SSL key for slave.puppet.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for slave.puppet.com
info: Certificate Request fingerprint (md5): 54:11:FB:75:87:94:AF:6B:D1:6B:AD:6B:44:3E:74:A0
ctrl + c 结束进程
3.在master上办法证书
puppet cert --list #查看申请的证书
"slave.puppet.com" (DD:CF:28:EE:98:38:50:D2:6C:19:C6:5E:2D:60:D5:36)
puppet cert --sign slave.puppet.com #给slave签发证书.
notice: Signed certificate request for slave.puppet.com
notice: Removing file Puppet::SSL::CertificateRequest slave.puppet.com at '/etc/puppet/ssl/ca/requests/slave.cacti.linux.pem'
注:puppet cert --sign –all #签发所有证书! puppet cert --clean slave.puppet.com #删除slave的证书!
4.在来到slave上执行命令 puppet agent --server=master.puppet.com --no-daemonize --verbose
info: Caching certificate for slave.puppet.com
notice: Starting Puppet client version 2.7.23
info: Caching certificate_revocation_list for ca
info: Caching catalog for slave.cacti.linux
info: Applying configuration version '1392370988'
notice: Finished catalog run in 0.02 seconds #到此证书申请完成!
ctrl + c 结束进程
注:如果需要重新申请证书,务必把client端ssl目录下的所有文件删除, 并且删除server端对应的已有的证书!!
5.启动slave端, 命令:/etc/rc.d/init.d/puppet start
注:如遇到错误提示http://my.oschina.net/denglz/blog/164700,这上面有一些常见的错误解答.
-------完成上面步骤以后,只能说面master和slave能够连接, 至于你想让他做什么工作就看你自己怎么配置了!
我的需要是让puppet帮我实现文件分发, 要求: slave不自动更新master的目录和文件,需要更新时由master端向下推送!
slave端需要配置的地方!
1; vim auth.conf
path /
auth any
allow * #添加此行
2; vim puppet.conf
[main]
server = master.puppet.com
[agent]
listen = true #添加此行
3; vim /etc/init.d/puppet
找到 [ -n "${PUPPET_SERVER}" ] && PUPPET_OPTS="--server=${PUPPET_SERVER} "这一行,然后在最末尾添加--no-client
添加后的效果:
[ -n "${PUPPET_SERVER}" ] && PUPPET_OPTS="--server=${PUPPET_SERVER} --no-client"
然后重启客户端puppet,/etc/init.d/puppet restart ,这样客户端就不会主动跟服务端同步了(记得把/etc/puppet/puppet.conf里runinterval注释(⊙o⊙)哦)。
然后去服务端执行puppet kick -d --host 客户端主机名 即可实现只想推送功能。
master 端需要修改的文件
1; vim fileserver.conf #文件添加一下内容.
[puppet_ankang]
path /web/root/puppet_ankang
allow 192.168.127.0/24
2;
vim manifests/site.pp
node 'slave.cacti.linux'{ #
file {"/web/root/puppet_ankang": #/web/root/puppet_ankang是slave端被同步的目录
ensure => directory,
source => "puppet://master.puppet.com/puppet_ankang/", #master.puppet.com是server端的主机名; puppet_ankang是fileserver.conf 文件中 [puppet_ankang] 的名字!
#ignore => ".svn"
recurse => true,
purge => true,
force => true,
}
}
master端使用命令: puppet kick -d slave.cacti.linux 向slave端推送如果报错:
Host slave.cacti.linux failed: Error 403 on SERVER: Forbidden request: master.puppet.com(192.168.127.183) access to /run/slave.cacti.linux [save] authenticated at /etc/puppet/auth.conf:99
这是因为slave端的auth.conf文件需要添加一行内容:
修改auth.conf
path /
auth any
allow * #添加allow *
正常的提示应该是这样的
[root@master puppet]# puppet kick -d slave.cacti.linux
Triggering slave.cacti.linux
Getting status
status is success
slave.cacti.linux finished with exit code 0
Finished
到此完成需求!
参考文章
http://sfzhang88.blog.51cto.com/4995876/1160131
http://502245466.blog.51cto.com/7559397/1312837
http://blog.sina.com.cn/s/blog_b07e77fe010174lv.html |
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-8-2 13:18:46
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡