The earlier article "Ops automation: svn + puppet for version control and automatic deployment of the monitoring system" (http://dl528888.blog.51cto.com/2382721/1040552) was already long, so its FAQ is published here as a separate piece. If you run into any problem, leave a comment below and I will help as soon as I can.
FAQ
1. The agent's first run fails with a certificate verification error:
- [root@slave ~]# puppetd --server master --test
- err: Could not retrieve catalog from remote server: certificate verify failed. This is often because the time is out of sync on the server or client
- warning: Not using cache on failed catalog
- err: Could not retrieve catalog; skipping run
- err: Could not send report: certificate verify failed. This is often because the time is out of sync on the server or client
The cause is a clock difference between server and client: the validity period of the certificates is checked against the system clock (in UTC), so if the two clocks disagree by more than the tolerance the handshake fails. The fix is to synchronise the clocks, for example with ntpdate 210.72.145.44 on both machines. Copying /usr/share/zoneinfo/Asia/Shanghai to /etc/localtime only changes the time zone the clock is displayed in; it helps only if the clock was set by hand under the wrong zone, and it does not replace synchronising the clock itself.
If, after fixing the clock and time zone, the certificate request from the client still fails in the same way:
- [root@slave ~]# puppetd --server cobbler --test
- err: Could not retrieve catalog from remote server: certificate verify failed. This is often because the time is out of sync on the server or client
- warning: Not using cache on failed catalog
- err: Could not retrieve catalog; skipping run
- err: Could not send report: certificate verify failed. This is often because the time is out of sync on the server or client
then check whether iptables on the master is blocking the agent. Rather than switching the firewall off altogether, allow inbound TCP port 8140 (the puppetmaster port) from the agents. If the firewall is not the problem, restart puppetmaster on the server and puppet on the client, then request the certificate again:
- [root@slave ~]# /etc/init.d/puppet restart
- Stopping puppet: [ OK ]
- Starting puppet: [ OK ]
- [root@slave ~]# puppetd --server master --test
- warning: peer certificate won't be verified in this SSL session
- warning: peer certificate won't be verified in this SSL session
- info: Creating a new SSL certificate request for slave
- info: Certificate Request fingerprint (md5): 3F:9D:52:1E:B2:11:01:90:5F:0F:19:CB:5F:6F:22:E1
- warning: peer certificate won't be verified in this SSL session
- warning: peer certificate won't be verified in this SSL session
- warning: peer certificate won't be verified in this SSL session
- Exiting; no certificate found and waitforcert is disabled
This is the expected result. The "peer certificate won't be verified" warnings are normal on first contact, because the agent has no CA certificate yet and trusts whichever master it reaches; "no certificate found and waitforcert is disabled" simply means the request has been submitted and the agent exits instead of polling for the signed certificate. Note the request fingerprint it printed; you will compare it on the master before signing.
Then, on the server, list the pending requests:
- [root@master ~]# puppetca --list
- slave (3F:9D:52:1E:B2:11:01:90:5F:0F:19:CB:5F:6F:22:E1)
The client's certificate request has arrived. Its fingerprint (3F:9D:…:E1) is the one the agent printed, so it is safe to sign it:
- [root@master ~]# puppetca -s slave
- notice: Signed certificate request for slave
- notice: Removing file Puppet::SSL::CertificateRequest slave at '/var/lib/puppet/ssl/ca/requests/slave.pem'
The request is now signed and the CSR file is removed from the requests directory. Always compare the fingerprint in puppetca --list with the one printed on the agent before signing; a request that arrives under a known host name but with a different fingerprint did not come from that host.
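Comparing the fingerprint by hand is easy to skip when many requests are pending. The shell functions below are an added example, not code from the original post or from Puppet itself: they parse saved `puppetca --list` output and refuse to sign unless the pending request's fingerprint equals the one the agent printed. The listing and fingerprints are constructed from the output shown above, and the `puppetca -s` command is only echoed, never executed.

```shell
#!/bin/sh
# Added example: check a pending CSR's fingerprint against the value the agent
# printed before signing it. The listing below is constructed sample data in
# the shape of `puppetca --list` output; nothing here runs puppetca for real.

SAMPLE_LISTING='slave (3F:9D:52:1E:B2:11:01:90:5F:0F:19:CB:5F:6F:22:E1)
jiaohuan (46:FD:7D:95:23:E2:9C:32:26:A7:E7:C0:76:E9:58:6A)'

# pending_fingerprint LISTING NAME
# Prints the fingerprint of NAME's pending request, or nothing if there is none.
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }'
}

# sign_if_matches LISTING NAME EXPECTED_FP
# EXPECTED_FP is what the agent printed as "Certificate Request fingerprint (md5): ...".
# Prints the signing command that would be run and returns 0 only when the
# fingerprints agree (compared case-insensitively); otherwise refuses.
sign_if_matches() {
    listing=$1; name=$2; expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    actual=$(pending_fingerprint "$listing" "$name")
    if [ -z "$actual" ]; then
        echo "no pending request for $name" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING to sign $name: listed $actual, agent printed $expected" >&2
        return 1
    fi
    echo "puppetca -s $name"    # replace the echo with the real call once verified
}

# Demo: the request for slave matches what the agent printed, so it would be signed.
sign_if_matches "$SAMPLE_LISTING" slave 3F:9D:52:1E:B2:11:01:90:5F:0F:19:CB:5F:6F:22:E1
# A mismatching fingerprint is refused and nothing is signed.
sign_if_matches "$SAMPLE_LISTING" slave 00:00:52:1E:B2:11:01:90:5F:0F:19:CB:5F:6F:22:E1 || true
```

In practice you would capture `puppetca --list` into a variable on the master and paste the fingerprint read off the agent's console (or sent over a channel you trust) as the third argument.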
2. The client reports that a run is already in progress when it requests a certificate:
- [root@slave ~]# puppetd --server master --test
- notice: Run of Puppet configuration client already in progress; skipping
This message comes from the lock file /var/lib/puppet/state/puppetdlock, which is left behind when an earlier agent run is still running or was killed part-way (for example a run that hung because site.pp was not configured). Make sure no puppet agent process is still running, then delete the puppetdlock file and retry.
3. The host name does not match the server certificate:
- [root@web-server ~]# puppetd --server beiyong --test
- warning: peer certificate won't be verified in this SSL session
- info: Caching certificate for web-server
- err: Could not retrieve catalog from remote server: hostname not match with the server certificate
- warning: Not using cache on failed catalog
- err: Could not retrieve catalog; skipping run
- err: Could not send report: hostname not match with the server certificate
The agent connected to the master as "beiyong", but the master's certificate was issued for a different name, so the TLS host-name check fails. /etc/hosts and /etc/sysconfig/network may both be fine; the thing to check is whether the `search localdomain` line in /etc/resolv.conf is still active. When the certificate is generated, the search domain is used to complete a bare host name, so the certificate ends up carrying hostname.localdomain. When the client then compares the certificate with the name it used to connect, the two no longer match.
Fix, either of:
(1) comment out `search localdomain` in /etc/resolv.conf; or
(2) use the fully qualified host name (with the dots) everywhere, including in --server and in the master's own certname.
4. Requests from the puppet client are very slow, or even fail with:
- err: Could not run Puppet configuration client: execution expired
One cause is a clock difference between the puppet server and the client. The fix is to run
ntpdate 210.72.145.44 (210.72.145.44 is the official server of China's National Time Service Center).
If that fails with
- [root@eng shell]# ntpdate 210.72.145.44
- 13 Oct 17:16:14 ntpdate[18633]: no server suitable for synchronization found
then ntpdate us.pool.ntp.org will usually do. In either case the host needs outbound access to the NTP server and a working DNS setup. A one-off ntpdate fixes the immediate problem; to keep the clocks from drifting apart again, run ntpd (or ntpdate from cron) on both master and agents.
5. Starting puppet on the client prints a dnsdomainname error:
- [root@web-server ~]# /etc/init.d/puppet start
- Starting puppet: dnsdomainname: Unknown host
- [ OK ]
This means the machine cannot resolve its own host name: /etc/hosts has no entry mapping the local IP address to the host name. Add one and restart puppet.
6. When signing client certificates on the server, the pending requests carry an unexpected suffix:
- [root@beiyong ~]# puppetca --list
- cunchu.localdomain (E8:28:0A:83:08:A6:E5:AA:E6:4E:AB:09:72:FA:EA:7D)
- jiaohuan.localdomain (5B:B9:64:8A:76:25:7B:F1:BD:C1:A4:98:96:A7:FB:A6)
- web-server.localdomain (09:EE:28:3C:A4:52:99:E5:05:FF:DC:CC:BF:45:59:21)
The clients show up with a .localdomain suffix because /etc/resolv.conf on them contains `search localdomain`; removing that line fixes the name. The requests already submitted under the wrong name must be removed first, with puppetca -c hostname (-c is short for --clean) for each of them. Note that -c all does not mean "all": it is treated as a host name, which is why the first command below fails; puppetca --clean --all is the form that removes everything at once. The "Could not find a serial number" error on the others is harmless here: the requests had not been signed, so there is no certificate to revoke, and the notice line confirms the request file is removed anyway.
- [root@beiyong ~]# puppetca -c all
- err: Could not call revoke: Could not find a serial number for all
- [root@beiyong ~]# puppetca -c cunchu.localdomain
- err: Could not call revoke: Could not find a serial number for cunchu.localdomain
- notice: Removing file Puppet::SSL::CertificateRequest cunchu.localdomain at '/var/lib/puppet/ssl/ca/requests/cunchu.localdomain.pem'
- [root@beiyong ~]# puppetca -c jiaohuan.localdomain
- err: Could not call revoke: Could not find a serial number for jiaohuan.localdomain
- notice: Removing file Puppet::SSL::CertificateRequest jiaohuan.localdomain at '/var/lib/puppet/ssl/ca/requests/jiaohuan.localdomain.pem'
- [root@beiyong ~]# puppetca -c web-server.localdomain
- err: Could not call revoke: Could not find a serial number for web-server.localdomain
- notice: Removing file Puppet::SSL::CertificateRequest web-server.localdomain at '/var/lib/puppet/ssl/ca/requests/web-server.localdomain.pem'
Then request the certificates again from the clients; the server now shows them under the plain host names:
- [root@beiyong ~]# puppetca --list
- cunchu (37:26:10:E5:5C:C7:2E:45:63:2C:76:1D:93:DF:B3:1F)
- jiaohuan (46:FD:7D:95:23:E2:9C:32:26:A7:E7:C0:76:E9:58:6A)
- web-server (EE:75:B5:9B:5C:4F:51:6F:9B:E4:98:46:C6:C2:D7:5E)
7. /var/log/messages typically shows the following:
- Oct 27 14:41:45 web-server puppet-agent[14722]: Using cached catalog
- Oct 27 14:41:45 web-server puppet-agent[14722]: Could not retrieve catalog; skipping run
- Oct 27 14:41:51 web-server puppet-agent[14722]: Could not send report: getaddrinfo: Name or service not known
- Oct 27 14:42:52 web-server puppet-agent[14722]: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
The "getaddrinfo: Name or service not known" errors mean the agent is still trying to reach a master named with the default, puppet, and that name does not resolve. You need to edit /etc/sysconfig/puppet:
- # The puppetmaster server
- PUPPET_SERVER=puppet
and change the puppet in PUPPET_SERVER=puppet to your master's host name (the same name its certificate was issued for, see item 3).
Then restart the puppet service; the errors stop and /var/log/messages shows the runs completing:
- Oct 27 14:44:30 web-server puppet-agent[22232]: Finished catalog run in 0.21 seconds
- Oct 27 14:45:31 web-server puppet-agent[22232]: Finished catalog run in 0.23 seconds
- Oct 27 14:46:33 web-server puppet-agent[22232]: Finished catalog run in 0.19 seconds
- Oct 27 14:47:34 web-server puppet-agent[22232]: Finished catalog run in 0.19 seconds
- Oct 27 14:48:35 web-server puppet-agent[22232]: Finished catalog run in 0.23 seconds
- Oct 27 14:49:37 web-server puppet-agent[22232]: Finished catalog run in 0.19 seconds
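Most of the items above come down to four preconditions: clocks in sync, a host name that will not be silently completed by a search domain, no stale lock file, and a configured master name. The script below is an added example, not code from the original post or from Puppet: it checks those preconditions offline against sample files built in a temporary directory, so it runs as-is. The lock-file format (a PID), the 300-second skew limit and the file paths are assumptions. On a real agent, point the functions at /etc/resolv.conf, /var/lib/puppet/state/puppetdlock and /etc/sysconfig/puppet, and feed clock_skew_ok the output of `date +%s` from the master and the agent.

```shell
#!/bin/sh
# Added example: pre-flight checks for the failure modes in this FAQ. Not from
# the original post; paths, lock-file format and the 300 s limit are assumptions.

# FAQ 1 and 4: certificate validity is compared on the system clock (UTC), so
# compare epoch seconds from master and agent (`date +%s` on each machine).
# clock_skew_ok MASTER_EPOCH AGENT_EPOCH [MAX_SECONDS] -> 0 if within the limit.
clock_skew_ok() {
    master=$1; agent=$2; max=${3:-300}
    if [ "$master" -ge "$agent" ]; then skew=$((master - agent)); else skew=$((agent - master)); fi
    [ "$skew" -le "$max" ]
}

# FAQ 3 and 6: a bare host name gets the first `search` domain from resolv.conf
# appended, which is how "web-server.localdomain" turns up in puppetca --list.
# predict_certname HOSTNAME RESOLV_CONF -> prints the name the request will carry.
predict_certname() {
    host=$1; resolv=$2
    case $host in
        *.*) printf '%s\n' "$host"; return 0 ;;   # already fully qualified
    esac
    domain=$(awk '$1 == "search" { print $2; exit }' "$resolv")
    if [ -n "$domain" ]; then printf '%s.%s\n' "$host" "$domain"; else printf '%s\n' "$host"; fi
}

# FAQ 2: "Run of Puppet configuration client already in progress" comes from the
# lock file, assumed here to hold the PID of the run that created it. Delete it
# only when that PID is gone. lock_state LOCKFILE -> prints none | running | stale.
lock_state() {
    lock=$1
    [ -e "$lock" ] || { echo none; return 0; }
    pid=$(tr -dc '0-9' < "$lock")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then echo running; else echo stale; fi
}

# FAQ 7: "getaddrinfo: Name or service not known" when PUPPET_SERVER was left at
# the default `puppet`. puppet_server_configured SYSCONFIG -> prints the effective
# value and returns 1 if it is still the default.
puppet_server_configured() {
    server=$(sed -n 's/^PUPPET_SERVER=//p' "$1" | tail -n 1)
    printf '%s\n' "${server:-puppet}"
    [ -n "$server" ] && [ "$server" != puppet ]
}

# --- constructed sample files (not copied from a real host) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'nameserver 127.0.0.1\nsearch localdomain\n' > "$tmp/resolv.conf"
printf '# The puppetmaster server\nPUPPET_SERVER=puppet\n' > "$tmp/puppet.sysconfig"
echo 4194303 > "$tmp/puppetdlock"     # a PID that is not running: stale lock

echo "certname would be: $(predict_certname web-server "$tmp/resolv.conf")"
echo "lock: $(lock_state "$tmp/puppetdlock")"
clock_skew_ok 1350000000 1350003600 || echo "clock skew too large: run ntpdate on the agent first"
puppet_server_configured "$tmp/puppet.sysconfig" >/dev/null || echo "PUPPET_SERVER is still the default; set it to the master's host name"
```

Each function returns a status rather than just printing, so the checks can be chained into a wrapper that refuses to run `puppetd --test` until all four pass.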