Environment: CentOS 5.8 x86_64, with SELinux and iptables disabled (so port 8140 on the master is reachable from the whole network; restrict it with iptables once the setup works).
puppetmaster 192.168.1.90 puppetmaster.info.com
client 192.168.1.223 client.info.com
How it works:
1) The agent gathers facts about the node with facter and sends them to the master
2) The agent connects to the master and requests its catalog
3) The master looks up the node's definition
4) The master receives the node's definition
5) The master compiles the manifests for the node (including syntax checking)
6) The master checks whether the node collects any exported (virtual) resources
7) If it does, those resources are fetched from the storeconfigs database
8) The complete catalog is assembled
9) The catalog is stored in the database
10) The agent receives the complete catalog and applies it
(The steps above are taken from reference material.)
Installing Puppet
Puppet master (server side)
[root@puppetmaster ~]# vim /etc/hosts
192.168.1.90 puppetmaster.info.com
192.168.1.223 client.info.com
[root@puppetmaster ~]# vim /etc/sysconfig/puppet
PUPPET_SERVER=puppetmaster.info.com
[root@puppetmaster ~]# vim /etc/puppet/puppet.conf
server = puppetmaster.info.com
yum -y install ruby ruby-libs ruby-shadow
yum -y install puppet puppet-server facter
[root@puppetmaster ~]# ruby --version
ruby 1.8.7 (2013-06-27 patchlevel 374)[x86_64-linux]
[root@puppetmaster ~]# puppetmasterd --version
2.7.26
[root@puppetmaster ~]# puppet --version
2.7.26
[root@puppetmaster puppet]# puppetmasterd --mkusers    # create the puppet user and group the master runs as
[root@puppetmaster ~]# ll /etc/puppet/
total 20
-rw-r--r-- 1 root root 2569 Jan 19 21:32 auth.conf
-rw-r--r-- 1 root root  381 Jun 11  2014 fileserver.conf
drwxr-xr-x 2 root root 4096 Jan 19 21:32 manifests
drwxr-xr-x 2 root root 4096 Jan 19 21:32 modules
-rw-r--r-- 1 root root  853 Jun 11  2014 puppet.conf
[root@puppetmaster puppet]# id puppet
uid=52(puppet) gid=52(puppet) groups=52(puppet)
[root@puppetmaster puppet]# grep puppet /etc/passwd
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
[root@puppetmaster puppet]# ll /var/lib/puppet/
total 48
drwxr-x--- 2 puppet puppet 4096 Apr 14 11:49 rrd
[root@puppetmaster puppet]# netstat -tanlp | grep 8140    # confirm the master is listening
tcp        0      0 0.0.0.0:8140    0.0.0.0:*    LISTEN    4826/ruby
[root@puppetmaster ~]# service puppet restart
Stopping puppet: [ OK ]
Starting puppet: [ OK ]
[root@puppetmaster ~]# service puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
[root@puppetmaster ~]#
Puppet agent (client side)
[root@client ssl]# vim /etc/hosts
192.168.1.223 client.info.com
192.168.1.90 puppetmaster.info.com
[root@client ~]# vim /etc/sysconfig/puppet
PUPPET_SERVER=puppetmaster.info.com
[root@client ~]# vim /etc/puppet/puppet.conf
server = puppetmaster.info.com
runinterval = 180
listen = true
runinterval = 180 makes the agent poll the master every 180 seconds instead of the default 30 minutes. listen = true additionally makes the agent daemon listen on TCP port 8139 so the master can trigger runs with puppet kick; a one-off puppetd --test ignores it (it prints "Ignoring --listen on onetime run"), and a kick is only accepted if the agent's auth.conf allows the master to reach the run endpoint. Leave it out unless you actually use puppet kick.
yum install ruby ruby-libs ruby-shadow
yum -y install puppet facter
[root@client ~]# puppetd --mkusers    # create the puppet user
Could not prepare for execution: Got 1 failure(s) while initializing: change from absent to present failed: Could not create user puppet: Execution of '/usr/sbin/useradd -g puppet -M puppet' returned 3: useradd: invalid numeric argument 'puppet'
useradd failed because the puppet group did not exist yet (with no such group, -g puppet is rejected as a non-numeric GID), so create the group first and then the user:
[root@client ~]# groupadd puppet; useradd -g puppet -M puppet
[root@client ~]# service puppet start
Starting puppet: [ OK ]
[root@client ~]# ruby --version
ruby 1.8.7 (2013-06-27 patchlevel 374)[x86_64-linux]
[root@client ~]# puppet --version
2.7.26
[root@client ~]# service puppet restart
Stopping puppet: [ OK ]
Starting puppet: [ OK ]
Connectivity test
[root@client ~]# telnet puppetmaster.info.com 8140
Trying 192.168.1.90...
Connected to puppetmaster.info.com.
Escape character is '^]'.
Connection closed by foreign host.
The port is open; the master drops the connection because telnet does not speak TLS, which is all this test is meant to show.
[root@client ~]# puppetd --test --server puppetmaster.info.com
This command makes the agent fetch its configuration from puppetmaster.info.com. On the first connection the two sides verify each other's SSL certificates; because this is a new agent that the master has not yet seen, the agent generates a key pair and submits a certificate signing request, and the run stops until that request has been signed on the master.
Signing the agent's certificate on the master
[root@puppetmaster ~]# puppetca --list    # list pending certificate requests
"client.info.com" (3E:6D:13:F9:29:FB:6F:DB:76:95:80:5C:E2:3D:68:76)
Before signing, compare this fingerprint with the one the agent printed when it created its request; otherwise any host that can reach port 8140 could submit a request in the name client.info.com and you would be signing it blind.
[root@puppetmaster ~]# puppetca --sign client.info.com    # sign this request
notice: Signed certificate request for client.info.com
notice: Removing file Puppet::SSL::CertificateRequest client.info.com at '/var/lib/puppet/ssl/ca/requests/client.info.com.pem'
[root@puppetmaster ~]# puppetca --list --all    # list all certificates; signed ones are marked with +
+ "client.info.com" (37:3A:82:F6:72:9B:1A:4D:01:66:F9:AB:CA:A6:FB:4E)
The fingerprint differs from the one above because it is now the fingerprint of the signed certificate rather than of the request.
[root@puppetmaster ~]# puppetca --sign --all    # sign every pending request at once
Alternatively, add this line to /etc/puppet/puppet.conf on the master and it will sign every request automatically:
autosign = true
Do not do this outside an isolated lab network: with autosign = true every host that can open a connection to port 8140 gets a certificate in whatever name it asks for, and with it the right to fetch that node's catalog and any files the master serves to it. If you need unattended signing, point autosign at a file listing the allowed certnames or domain globs (for example *.info.com) instead of true, and keep in mind that even then the certname is chosen by the requester.
To have an agent's certificate reissued, stop the agent, remove its /var/lib/puppet/ssl/ directory so that a fresh key and request are generated, and revoke the old certificate on the master with puppetca --clean client.info.com; otherwise the master still holds the old certificate and will not issue a new one under that name.
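To make the difference between autosign = true and a restricted autosign list concrete, here is an added example that is not from the original post and not Puppet's own code: it models the decision a Puppet 2.7 master makes for an incoming certificate request. The sample autosign.conf is constructed here, and the matching rules it implements (exact certname, or a *.domain suffix glob; comments and blank lines ignored) are an assumption covering only the hostname entries of autosign.conf.

```shell
#!/bin/sh
# Added example, not from the original post: a model of how a Puppet 2.7
# master decides whether a certificate request is signed without an
# administrator, given the value of "autosign" in puppet.conf. The matching
# rules implemented here (exact certname, or "*.domain" suffix glob; "#"
# comments and blank lines ignored) are an assumption that covers only the
# hostname entries of autosign.conf; this is not Puppet's own code.

WORK=$(mktemp -d)

# Constructed sample autosign.conf: one certname or *.domain glob per line.
cat > "$WORK/autosign.conf" <<'EOF'
# hosts the master may sign without review
client.info.com
*.lab.info.com
EOF

# autosign_allows MODE CERTNAME
#   MODE is "true" (sign every request), "false" (never auto-sign) or the
#   path of an autosign.conf. Returns 0 when the request would be signed
#   automatically, 1 when it would wait in the queue for "puppetca --sign".
autosign_allows() {
    mode=$1
    certname=$2
    case "$mode" in
        true)  return 0 ;;
        false) return 1 ;;
    esac
    [ -r "$mode" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}                                 # drop comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')  # and whitespace
        [ -n "$entry" ] || continue
        case "$entry" in
            \*.*)
                # domain glob: "*.lab.info.com" matches any certname that
                # ends in ".lab.info.com", and nothing else
                case "$certname" in
                    *"${entry#\*}") return 0 ;;
                esac
                ;;
            *)
                [ "$certname" = "$entry" ] && return 0
                ;;
        esac
    done < "$mode"
    return 1
}

# show_decision MODE CERTNAME: print the decision for the reader
show_decision() {
    if autosign_allows "$1" "$2"; then
        printf '%-32s autosign=%-30s -> signed automatically\n' "$2" "$1"
    else
        printf '%-32s autosign=%-30s -> held for puppetca --sign\n' "$2" "$1"
    fi
}

show_decision true                    evil.attacker.net
show_decision "$WORK/autosign.conf"   client.info.com
show_decision "$WORK/autosign.conf"   node1.lab.info.com
show_decision "$WORK/autosign.conf"   evil.attacker.net
show_decision "$WORK/autosign.conf"   fake.lab.info.com.attacker.net
```

Note what the last two lines show: evil.attacker.net is held back, but so is fake.lab.info.com.attacker.net, because a domain glob is a suffix match rather than a substring match. What the model cannot show is that the certname is set by the requesting host, so a machine that simply calls itself node1.lab.info.com is signed as well; a restricted list narrows the namespace, it does not authenticate the requester.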
[root@client ~]# puppetd --test --server puppetmaster.info.com    # fetch the signed certificate from the master
[root@client certs]# pwd
/var/lib/puppet/ssl/certs    # where the agent stores its certificates
[root@client certs]# ls
ca.pem  client.info.com.pem
Verifying that the certificate is the one the master signed
[root@puppetmaster signed]# md5sum client.info.com.pem    # in /var/lib/puppet/ssl/ca/signed/ on the master
eb31668083c03a31d700663e4acf018b  client.info.com.pem
[root@client certs]# md5sum client.info.com.pem
eb31668083c03a31d700663e4acf018b  client.info.com.pem
Identical hashes show that the agent holds exactly the file the CA wrote. The same check of the agent's ca.pem against the master's /var/lib/puppet/ssl/ca/ca_crt.pem confirms that the agent trusts the right CA.
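The md5sum comparison above proves that two files are byte-for-byte identical, which is stricter than needed and, at the same time, says nothing about who issued the certificate. As an added example that is not from the original post, the script below checks the same thing through the certificate fingerprint, which is the value puppetca --list --all prints and can therefore be compared against the master without copying files, and then goes one step further with openssl verify to confirm that the agent's certificate was issued by the CA in its ca.pem. The CA, the agent certificate and a second "rogue" CA are throwaway keys generated in a temporary directory so it runs offline; the file names are assumptions that mirror the page's layout, and the agent's copy is deliberately given an extra trailing newline so that md5sum of the two files disagrees while the certificate is the same.

```shell
#!/bin/sh
# Added example, not from the original post: check an agent certificate by
# fingerprint (the value puppetca --list --all prints) and by chain
# verification against the CA, instead of by md5sum of the PEM file.
# The CA, the agent certificate and a second "rogue" CA are throwaway keys
# generated below with openssl so the script runs offline; the file names
# (ca.pem, client.info.com.pem) mirror the page's layout but are assumptions.

WORK=$(mktemp -d)

# --- constructed test material --------------------------------------------
# The master's CA, kept as ssl/ca/ca_crt.pem on the master and handed to
# agents as ssl/certs/ca.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Puppet CA: puppetmaster.info.com" 2>/dev/null

# The agent's key and certificate request, as puppetd --test creates them
# on first contact.
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=client.info.com" 2>/dev/null

# The CA signs the request (puppetca --sign); the master keeps the result
# under ssl/ca/signed/ and the agent downloads it into ssl/certs/.
openssl x509 -req -in "$WORK/client.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/client.info.com.pem" 2>/dev/null

# The agent's copy: the same certificate with an extra trailing newline, so
# md5sum of the two files no longer agrees although the certificate does.
{ cat "$WORK/client.info.com.pem"; printf '\n'; } > "$WORK/agent_copy.pem"

# An unrelated CA standing in for a spoofed master.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue_ca.pem" \
    -subj "/CN=Puppet CA: rogue" 2>/dev/null

# --- the checks ------------------------------------------------------------

# cert_fingerprint CERT.pem: MD5 fingerprint of the DER encoding as
# AA:BB:..., which is what puppetca prints next to the certificate name.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

# certs_match A.pem B.pem: 0 when both files carry the same certificate,
# regardless of whitespace or line-ending differences in the PEM wrapping.
certs_match() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# cert_signed_by CA.pem CERT.pem: 0 when CERT chains to CA, 1 otherwise.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

printf 'file sizes  : master %s bytes, agent %s bytes\n' \
    "$(wc -c < "$WORK/client.info.com.pem" | tr -d ' ')" \
    "$(wc -c < "$WORK/agent_copy.pem" | tr -d ' ')"
printf 'master copy : %s\n' "$(cert_fingerprint "$WORK/client.info.com.pem")"
printf 'agent copy  : %s\n' "$(cert_fingerprint "$WORK/agent_copy.pem")"
certs_match "$WORK/client.info.com.pem" "$WORK/agent_copy.pem" \
    && echo 'same certificate on master and agent'
cert_signed_by "$WORK/ca.pem" "$WORK/client.info.com.pem" \
    && echo 'agent certificate was issued by the CA in ca.pem'
cert_signed_by "$WORK/rogue_ca.pem" "$WORK/client.info.com.pem" \
    || echo 'agent certificate was NOT issued by the rogue CA'
```

On a real agent, substitute /var/lib/puppet/ssl/certs/client.info.com.pem and /var/lib/puppet/ssl/certs/ca.pem for the generated files; on the master the signed copy is /var/lib/puppet/ssl/ca/signed/client.info.com.pem and the CA certificate is /var/lib/puppet/ssl/ca/ca_crt.pem. The fingerprint printed by cert_fingerprint should equal the one shown with a + in puppetca --list --all.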
Functional test
[root@puppetmaster certs]# vim /etc/puppet/manifests/site.pp
node default {
    file { "/tmp/viong.txt":
        content => "good,test pass!\nHello World!\n",
    }
}
[root@puppetmaster certs]# service puppetmaster restart
Stopping puppetmaster: [FAILED]
Starting puppetmaster: [ OK ]
This manifest applies to every agent that connects without a more specific node definition: it creates /tmp/viong.txt containing "good,test pass!", a newline, "Hello World!" and a final newline (29 bytes in total, which is the size the agent reports below).
Checking on the agent
[root@client ~]# puppetd --test --server puppetmaster.info.com
notice: Ignoring --listen on onetime run
info: Caching certificate_revocation_list for ca
info: Caching catalog for client.info.com
info: Applying configuration version '1429776345'
notice: /Stage[main]//Node[default]/File[/tmp/viong.txt]/ensure: defined content as '{md5}407ecc3e801487fc7b4c4970e352c210'
notice: Finished catalog run in 0.06 seconds
[root@client ~]# ll /tmp/viong.txt
-rw-r--r--. 1 root root 29 Apr 23 16:08 /tmp/viong.txt
[root@client ~]# cat /tmp/viong.txt
good,test pass!
Hello World!