Puppet authorization
On the server
Disable SELinux and firewalld

yum install epel-release  (install the repository)

hostnamectl set-hostname master.localdomain  (set the hostname)

yum install puppet-server

[root@localhost signed]# vim /etc/puppet/puppet.conf  (add this section)
[master]
certname=master.localdomain  (specifies the master server)

[root@localhost signed]# vim /etc/hosts  (add local name resolution)
192.168.1.139   master.localdomain  (master server)
192.168.1.4     agent1.localdomain  (client)

systemctl restart puppetmaster  (start the service; be sure to include "master" in the name)

[root@localhost signed]# ls
agent1.pem  master.localdomain.pem
[root@localhost signed]# pwd
/var/lib/puppet/ssl/ca/signed   (every machine in this directory has already been authorized)

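puppet cert --list  (show which clients are currently asking to connect to the server)

puppet cert --sign "agent1"  (allow this machine to connect to the server)
puppet cert --sign --all  (allow all machines to connect to me)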

Client
Disable SELinux and firewalld

yum install epel-release  (install the repository)

hostnamectl set-hostname agent1.localdomain  (set the hostname)

yum install puppet  (install the package)

[agent]
    server = master.localdomain  (master server)
    runinterval=10   (start a sync every 10 seconds; pull mode)

[root@localhost certificate_requests]# systemctl restart puppetagent  (restart; be sure to include "agent" in the name here)

[root@localhost certificate_requests]# ls
agent1.localdomain.pem   (the certificate request file)
[root@localhost certificate_requests]# pwd
/var/lib/puppet/ssl/certificate_requests

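Server side
[root@localhost requests]# ls  (list the unsigned requests in the directory)
agent1.pem
[root@localhost requests]# puppet cert list  (list unsigned requests with the command; no + in front of agent1 means it has not been authorized)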
  "agent1" (SHA256) DB:9B:5B:25:D8:BF:B7:9F:7D:25:8E:89:02:F8:F0:4F:92:DB:17:CE:93:2D:47:84:EA:E6:B3:79:D1:9C:7A:B6
[root@localhost requests]# pwd
/var/lib/puppet/ssl/ca/requests

[root@localhost requests]# puppet cert --sign "agent1"  (authorize)
Notice: Signed certificate request for agent1
Notice: Removing file Puppet::SSL::CertificateRequest agent1 at '/var/lib/puppet/ssl/ca/requests/agent1.pem'
[root@localhost requests]# ls
[root@localhost requests]# cd ..
[root@localhost ca]# ls
ca_crl.pem  ca_crt.pem  ca_key.pem  ca_pub.pem  inventory.txt  private  requests  serial  signed
[root@localhost ca]# cd signed/  (agent1 is now in the signed directory, so the two hosts can communicate)
[root@localhost signed]# ls
agent1.pem  master.localdomain.pem

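A question: what should the server do if dozens of machines request certificate authorization?
Of course, puppet cert --sign --all  (allow all machines to connect to me) solves it.
But what if I want the server to automatically authorize only the nodes that match a format I define?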
[root@localhost signed]# vim /etc/puppet/puppet.conf 
[master]
       certname=master.localdomain
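       autosign=true  (add this parameter to enable autosigning; set to true on its own, it signs every request)
       autosign=/etc/puppet/autosign.conf  (location of the file holding the custom patterns)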

[root@localhost signed]# vim /etc/puppet/autosign.conf           
*.1    (define your own pattern here; *.1 means a certificate name must end in .1 to be signed automatically)

[root@localhost signed]# systemctl restart puppetmaster  (restart)
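
To see how wide an autosign.conf pattern such as *.1 really is before relying on it, the whitelist can be checked against a list of certnames. This is an added example, not Puppet's own code or part of the original notes; the matching rules in the header comment are a simplified, assumed model of autosign.conf, and the function names and sample certnames are constructed.

```shell
#!/bin/sh
# Added example: simplified model of autosign.conf matching, for auditing a whitelist.
# Assumed rules: one pattern per line; blank lines and lines starting with '#' are
# skipped; a bare '*' matches everything; '*.suffix' matches names ending in
# '.suffix'; anything else must equal the certname. Comparison ignores case.

# would_autosign CERTNAME FILE: print the first matching pattern and return 0,
# or return 1 when no pattern matches.
would_autosign() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        pat=$(printf '%s' "$line" | tr -d ' \t\r' | tr 'A-Z' 'a-z')
        case "$pat" in
            '' | '#'*) continue ;;
            '*') printf '%s\n' "$pat"; return 0 ;;
            '*.'*)
                suffix=${pat#?}    # drop the leading '*', keep ".suffix"
                case "$name" in
                    ?*"$suffix") printf '%s\n' "$pat"; return 0 ;;
                esac ;;
            *)
                if [ "$name" = "$pat" ]; then printf '%s\n' "$pat"; return 0; fi ;;
        esac
    done < "$2"
    return 1
}

# audit_names FILE NAME...: report, per certname, whether it would be auto-signed.
audit_names() {
    file=$1; shift
    for n in "$@"; do
        if hit=$(would_autosign "$n" "$file"); then
            echo "AUTOSIGN  $n  (matched: $hit)"
        else
            echo "MANUAL    $n"
        fi
    done
}

# Constructed sample: the '*.1' pattern from these notes against constructed certnames.
conf=$(mktemp)
printf '# constructed whitelist\n*.1\n' > "$conf"
audit_names "$conf" agent1.localdomain agent1 web.1 db.rack2.1
rm -f "$conf"
```

Under this model, agent1.localdomain and agent1 do not match *.1 and would still need puppet cert --sign, while any certname a client chooses that ends in .1 is signed without review.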

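If a node exits abnormally, starting the client again may fail with a process-lock error; delete the file and restart.

Configuration file

/etc/puppet/manifests/site.pp  (the global entry-point file; the first file looked up on every sync.)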

Ansible installation
Server side
yum install -y ansible

[root@localhost ansible]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ba:6c:15:b5:ec:54:11:7e:01:3f:8d:46:5f:9e:b3:6d [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|            ++o .|
|          ...o *o|
|         o o. *o+|
|        . +  o .+|
|        S+     .E|
|       .. .    . |
|      ..         |
|     ...         |
|     .o          |
+-----------------+
[root@localhost ansible]# cd /root/.ssh/
[root@localhost .ssh]# ls
id_rsa  id_rsa.pub   (the public and private keys have been generated)

[root@localhost .ssh]# ssh-copy-id root@192.168.1.4  (writes the public key into /root/.ssh/authorized_keys on 1.4)

[root@localhost ansible]# vim /etc/ansible/ansible.cfg 
private_key_file = /root/.ssh/id_rsa  (path to the private key)

[root@localhost ansible]# vim /etc/ansible/hosts 
[servers]
192.168.1.4  (define the host group)

[root@localhost ansible]# ansible servers -m ping  (basic ping test)
192.168.1.4 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

OK.