(1) Installing Puppet 6.2

Introduction:
Puppet uses a client/server architecture, and configuration is applied in one of two ways: either the agent polls the Puppet master on a schedule and pulls its configuration, or the master pushes a run out to the agents (historically with puppet kick, or through MCollective). The two models suit different production environments and each has its own strengths; section 8 compares them.

Environment:

OS: CentOS 7
Version: Puppet 6.2
Server (puppetserver): 192.168.255.131
Agents (puppet-agent): 192.168.255.132, 192.168.255.133

1. Make sure the machines can resolve each other by name, either through /etc/hosts or DNS (the hosts below are master1.hanli.com, master2.hanli.com and master3.hanli.com).

2. Install the official Puppet yum repository on every node

rpm -Uvh https://yum.puppet.com/puppet6/puppet6-release-el-7.noarch.rpm

3. Install puppetserver on the master

1. Install (note: this package name has no hyphen)

 yum install puppetserver   # pulls in puppet-agent as a dependency
 
[root@master1] ~$ export PATH=$PATH:/opt/puppetlabs/bin

2. Generate the CA certificate

[root@master1] ~$ puppetserver ca setup
Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca

3. By default Puppet Server is configured for a 2 GB JVM heap. If the VM does not have that much memory, edit /etc/sysconfig/puppetserver (RHEL/CentOS) and change

JAVA_ARGS="-Xms2g -Xmx2g"

to

JAVA_ARGS="-Xms512m -Xmx512m"

4. Start the services. Besides systemctl you can use puppet resource, which also enables them at boot:

puppet resource service puppetserver ensure=running enable=true
puppet resource service puppet ensure=running enable=true

5. The server listens on port 8140. Puppet is written in Ruby, so why is the listening process java? Because puppetserver runs inside a JVM: it uses JRuby, a Ruby implementation that compiles Ruby code to JVM bytecode (XRuby was an earlier project with the same goal). Agents must be able to reach this port. Note that it binds to all interfaces, so restrict it with a host firewall if the master has interfaces the agents do not need.

netstat -atnlp |grep 8140 
tcp        0      0 0.0.0.0:8140            0.0.0.0:*               LISTEN      37268/java

4. Install puppet-agent on the clients

1. Install puppet-agent (note: this package name does have a hyphen)

yum install  puppet-agent  

2. Start the agent

[root@master2] ~$ puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}

3. Point the agent at the master in /etc/puppetlabs/puppet/puppet.conf. Do this on every agent, including the master's own agent: the puppetserver ca subcommands also talk to the CA over HTTPS at the configured server name, which defaults to puppet, so unless that name resolves to the master, puppetserver ca list fails with:
Fatal error when running action 'list' Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_statuses/any_key Root cause: Failed to open TCP connection to puppet:8140 (Connection refused - connect(2) for "puppet" port 8140)

puppet config set server master1.hanli.com

This adds server = master1.hanli.com to the [main] section of /etc/puppetlabs/puppet/puppet.conf (puppet config set writes to [main] unless --section is given).
The agent now knows which host the master is; it connects to port 8140 on it and submits a certificate signing request to establish the connection.

5. Certificate authentication

Puppet transfers data over HTTPS with client certificates, so every agent needs a certificate from the CA; only agents whose certificate was issued by the master's CA can connect to the server.

Certificates can be signed in two ways: manually, or automatically (autosigning).

Before an agent can fetch a catalog from the server, it needs a certificate signed by Puppet Server's certificate authority (CA). With Puppet's built-in CA (rather than an external CA, whose certificates can be brought in with puppetserver ca import), the agent submits a certificate signing request (CSR) to the CA, and by default an administrator has to sign those CSRs by hand.

Manual signing

5a. List certificates on the server. There are no requests yet, but the master's own agent certificate already exists because puppetserver ca setup created it:

[root@master1] ~$ puppetserver ca list
No certificates to list
[root@master1] ~$ puppetserver ca list --all
Signed Certificates:
    master1.hanli.com   (SHA256)  7B:9D:AE:91:5E:A2:16:01:86:BE:E1:90:F9:CD:FE:65:76:1F:FD:B9:2A:9B:53:5A:23:36:37:71:FF:ED:ED:5A	alt names: ["DNS:puppet", "DNS:master1.hanli.com"]

5b. On the agent, request a certificate and watch the exchange:

[root@master2] ~$ puppet agent -t
Info: Downloaded certificate for ca from master1.hanli.com
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for master2.hanli.com
Info: Certificate Request fingerprint (SHA256): 02:B4:FA:63:C1:F1:44:BA:C3:69:91:B5:27:BA:E5:15:1C:87:E1:A5:8A:69:2A:98:CF:90:29:14:EC:23:28:25
Exiting; no certificate found and waitforcert is disabled

5c. Sign the certificate on the server. Before signing, compare the fingerprint the agent printed in 5b with the one puppetserver ca list shows for that request; a request whose fingerprint you cannot match to a host you enrolled should not be signed.

[root@master1] ~$ puppetserver ca sign --certname master2.hanli.com
Successfully signed certificate request for master2.hanli.com
[root@master1] ~$ puppetserver ca list --all
Signed Certificates:
    master1.hanli.com   (SHA256)  7B:9D:AE:91:5E:A2:16:01:86:BE:E1:90:F9:CD:FE:65:76:1F:FD:B9:2A:9B:53:5A:23:36:37:71:FF:ED:ED:5A	alt names: ["DNS:puppet", "DNS:master1.hanli.com"]
    master2.hanli.com   (SHA256)  3D:CB:05:BD:43:8B:3C:E4:2F:C6:05:51:AC:B8:99:14:DE:E1:39:86:2B:D0:F2:6D:BD:D1:84:CC:9E:86:7F:64

5d. Sign every pending request at once (only after reviewing the pending list: this signs any request, including ones from hosts you did not enrol)

[root@master1] ~$  puppetserver ca sign --all

5e. List again

[root@master1] ~$ puppetserver ca list --all
Signed Certificates:
    master1.hanli.com   (SHA256)  7B:9D:AE:91:5E:A2:16:01:86:BE:E1:90:F9:CD:FE:65:76:1F:FD:B9:2A:9B:53:5A:23:36:37:71:FF:ED:ED:5A	alt names: ["DNS:puppet", "DNS:master1.hanli.com"]
    master2.hanli.com   (SHA256)  3D:CB:05:BD:43:8B:3C:E4:2F:C6:05:51:AC:B8:99:14:DE:E1:39:86:2B:D0:F2:6D:BD:D1:84:CC:9E:86:7F:64
    master3.hanli.com   (SHA256)  49:81:5E:C2:A0:32:90:8F:33:F4:A2:B5:34:D4:80:80:79:75:79:95:48:90:A5:F0:A6:93:50:66:DE:43:55:3F

5f. Where the signed certificates are stored

[root@master1] ~$  ll /etc/puppetlabs/puppet/ssl/ca/signed/
total 12
-rw-r----- 1 puppet puppet 2037 Feb 12 21:10 master1.hanli.com.pem
-rw-r----- 1 puppet puppet 1952 Feb 12 21:32 master2.hanli.com.pem
-rw-r----- 1 puppet puppet 1952 Feb 12 21:33 master3.hanli.com.pem
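Before 5c, and especially before the sign --all of 5d, the pending list should be checked against what you actually enrolled. The following Ruby script is an added example (not from the original post or from Puppet): it parses the output of puppetserver ca list --all in the layout shown above and compares each pending request's fingerprint with the CSR fingerprint the agent printed in 5b, which an operator records out of band. The inventory and the listing it runs on are constructed for the demo (master2's entry reuses the fingerprint printed in 5b); only requests that match are turned into sign commands.

```ruby
# Added example, not code from the original post or from Puppet: review the
# output of `puppetserver ca list --all` against an inventory before signing.
#   puppetserver ca list --all | ruby review_csrs.rb -     # real listing on stdin
#   ruby review_csrs.rb                                    # constructed sample below

# CSR fingerprints as printed by `puppet agent -t` on each host
# ("Certificate Request fingerprint (SHA256): ..."), recorded out of band.
# Constructed inventory: master2's value is the one the agent printed in 5b,
# master3's is made up so that the sample listing disagrees with it.
EXPECTED_CSR_FINGERPRINTS = {
  'master2.hanli.com' => '02:B4:FA:63:C1:F1:44:BA:C3:69:91:B5:27:BA:E5:15:1C:87:E1:A5:8A:69:2A:98:CF:90:29:14:EC:23:28:25',
  'master3.hanli.com' => '11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00',
}.freeze

# Constructed listing in the layout `puppetserver ca list --all` prints:
# master2 matches the inventory, master3's fingerprint differs, evil is unknown.
SAMPLE_LISTING = <<~LISTING
  Requested Certificates:
      master2.hanli.com   (SHA256)  02:B4:FA:63:C1:F1:44:BA:C3:69:91:B5:27:BA:E5:15:1C:87:E1:A5:8A:69:2A:98:CF:90:29:14:EC:23:28:25
      master3.hanli.com   (SHA256)  D3:EC:0D:F0:E1:C6:22:C2:FE:08:FB:9B:C1:8D:00:E8:C9:95:59:1C:4D:C0:6D:4A:E3:E0:68:45:08:07:99:02
      evil.hanli.com      (SHA256)  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
  Signed Certificates:
      master1.hanli.com   (SHA256)  7B:9D:AE:91:5E:A2:16:01:86:BE:E1:90:F9:CD:FE:65:76:1F:FD:B9:2A:9B:53:5A:23:36:37:71:FF:ED:ED:5A    alt names: ["DNS:puppet", "DNS:master1.hanli.com"]
LISTING

HEADER = /\A(\w+) Certificates:/                        # "Requested Certificates:", "Signed Certificates:", ...
ENTRY  = /\A\s+(\S+)\s+\((SHA\d+)\)\s+([0-9A-F:]+)/i    # "    certname   (SHA256)  AA:BB:..."

# Parse the listing into {section => {certname => fingerprint}}.
def parse_ca_list(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |line|
    if (m = HEADER.match(line))
      current = m[1].downcase.to_sym
    elsif current && (m = ENTRY.match(line))
      sections[current][m[1]] = m[3].upcase
    end
  end
  sections
end

# Sort pending requests into safe-to-sign, fingerprint mismatch and not-in-inventory,
# and flag signed certificates nobody accounted for (the CA's own cert is expected).
def review(listing, expected, ca_hosts: [])
  parsed = parse_ca_list(listing)
  report = { sign: [], mismatch: [], unknown: [], signed_unexpected: [] }
  parsed[:requested].each do |name, fingerprint|
    if !expected.key?(name)
      report[:unknown] << name
    elsif expected[name].upcase != fingerprint
      report[:mismatch] << name
    else
      report[:sign] << name
    end
  end
  accounted = expected.keys + Array(ca_hosts)
  parsed[:signed].each_key { |name| report[:signed_unexpected] << name unless accounted.include?(name) }
  report
end

# One sign command per verified request; never `sign --all` while the other lists are non-empty.
def sign_commands(report)
  report[:sign].map { |name| "puppetserver ca sign --certname #{name}" }
end

if __FILE__ == $PROGRAM_NAME
  listing = ARGV.first == '-' ? $stdin.read : SAMPLE_LISTING
  report = review(listing, EXPECTED_CSR_FINGERPRINTS, ca_hosts: ['master1.hanli.com'])
  report.each { |kind, names| puts "#{kind}: #{names.empty? ? '-' : names.join(', ')}" }
  puts sign_commands(report)
end
```

On the sample listing the script emits a sign command for master2 only: master3's request carries a different fingerprint than the one its operator reported (someone else submitted a CSR under that name, or the agent's SSL directory was recreated), and evil.hanli.com is not in the inventory at all. Either condition is a reason to investigate before signing anything, and certainly before running sign --all.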

Deployment is complete at this point.

Verification

On an agent, run a test run and watch the process:

[root@master2] ~$ puppet agent -t
Info: Downloaded certificate for master2.hanli.com from master1.hanli.com
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for master2.hanli.com
Info: Applying configuration version '1549978582'
Notice: Applied catalog in 0.01 seconds

On the server itself the certificate download step is absent, because the master's certificate was created locally by puppetserver ca setup:

[root@master1] ~$ puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for master1.hanli.com
Info: Applying configuration version '1549977981'
Notice: Applied catalog in 0.01 seconds

Installation is done, but manual signing is tedious. How can signing be automated instead of running puppetserver ca sign each time? There are two kinds of autosigning: naive autosigning, which signs everything, and basic autosigning, which signs only names on an allowlist.

Naive autosigning

Add autosign = true to the [master] section of /etc/puppetlabs/puppet/puppet.conf on the master.

This signs every request regardless of where it comes from. Use it only in a throwaway lab: any host that can reach port 8140 obtains a signed certificate for whatever certname it puts in its CSR, and with that certificate it can retrieve that node's catalog, including any secrets the manifests contain.

Let's try it:

1. Stop the server on the master and the agent on every node

on master1:
$ puppet resource service puppetserver ensure=stopped

on master1-3:
$ puppet resource service puppet ensure=stopped

2. Delete the ssl directory on every node (this throws away the CA and every issued certificate; on a real deployment you would revoke and re-issue instead of starting over)

on master1-3:
$ rm -rf /etc/puppetlabs/puppet/ssl

3. Add autosign = true to the [master] section of /etc/puppetlabs/puppet/puppet.conf on the master

4. Regenerate the CA on the master

[root@master1] ~$ puppetserver ca setup
Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca

5. Start the server and the agents

on master1
$ puppet resource service puppetserver ensure=running enable=true

on master1-3
$ puppet resource service puppet ensure=running enable=true

6. Check the certificates: every agent was signed without any intervention

[root@master1] ~$ puppetserver ca list --all
Signed Certificates:
    master1.hanli.com   (SHA256)  70:88:C5:CB:58:86:C5:42:47:D9:86:07:0B:5C:29:94:58:74:76:24:CD:EF:80:39:DA:8D:05:CD:E7:EB:CB:C9	alt names: ["DNS:puppet", "DNS:master1.hanli.com"]
    master2.hanli.com   (SHA256)  AB:A2:85:97:EA:6B:CA:B0:A0:A3:5A:DD:50:47:E9:C2:1C:4B:B4:96:47:DB:56:66:0D:1F:87:88:48:E4:A0:D1
    master3.hanli.com   (SHA256)  41:ED:CC:79:FB:5C:D8:8C:54:2B:C7:92:86:8A:9E:8F:B2:52:CA:7D:6D:D4:1D:6F:95:6B:D8:A0:2D:53:6A:C6

Basic autosigning

Basic autosigning signs requests based on an allowlist of certnames.

Puppet enables basic autosigning by default (the autosign setting defaults to $confdir/autosign.conf), but the file /etc/puppetlabs/puppet/autosign.conf has to be created by hand on the server. (Open source Puppet does not ship it; Puppet Enterprise ships it empty.)

Its contents are one certname or domain glob per line, with a leading * as wildcard. A CSR arriving at the server with a certname matching any of these lines is signed automatically by the CA; for example:

rebuilt.example.com
*.scratch.example.com
*.local

Let's try it:

1. Stop the server on the master and the agent on every node

on master1:
$ puppet resource service puppetserver ensure=stopped

on master1-3:
$ puppet resource service puppet ensure=stopped

2. Delete the ssl directory on every node

on master1-3:
$ rm -rf /etc/puppetlabs/puppet/ssl

3. Create /etc/puppetlabs/puppet/autosign.conf on the master (with the autosign = true from the previous experiment removed from puppet.conf again) and add one certname:

master2.hanli.com

4. Regenerate the CA on the master

[root@master1] ~$ puppetserver ca setup
Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca

5. Start the server and the agents

on master1
$ puppet resource service puppetserver ensure=running enable=true

on master1-3
$ puppet resource service puppet ensure=running enable=true

6. Check the certificates: only master1 (whose certificate comes from puppetserver ca setup and never passes through autosigning) and the allowlisted master2 are signed; master3 is still pending, so the allowlist controls what gets signed.

[root@master1] ~$ puppetserver ca list --all
Requested Certificates:
    master3.hanli.com   (SHA256)  D3:EC:0D:F0:E1:C6:22:C2:FE:08:FB:9B:C1:8D:00:E8:C9:95:59:1C:4D:C0:6D:4A:E3:E0:68:45:08:07:99:02
Signed Certificates:
    master1.hanli.com   (SHA256)  10:AF:70:F0:FD:05:9B:F0:3B:CA:53:6A:B0:E8:B2:D6:D0:E3:1B:66:EB:AC:92:C1:D9:FE:35:4B:67:56:08:F1	alt names: ["DNS:puppet", "DNS:master1.hanli.com"]
    master2.hanli.com   (SHA256)  1C:AD:25:EF:79:62:21:34:CC:2B:66:35:38:9A:8D:41:9C:5E:C5:AF:F7:1D:92:34:FE:25:60:02:93:14:EE:D1

To disable basic autosigning explicitly, add autosign = false to the [master] section of /etc/puppetlabs/puppet/puppet.conf. That is not usually necessary: an empty or missing /etc/puppetlabs/puppet/autosign.conf has the same effect. Keep in mind what the allowlist actually checks: only the certname the requesting host put in its own CSR. A host under someone else's control that names itself node7.hanli.com matches *.hanli.com just as well as a real node does, so basic autosigning is only as strong as your control over who can reach port 8140. Puppet also offers policy-based autosigning, where autosign is set to the path of an executable that receives the certname and the CSR and decides per request.
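Policy-based autosigning closes the gap that basic autosigning leaves, because the script can check the request itself rather than trusting the name in it. The following Ruby script is an added example, not code from the original post or from Puppet: it is a policy script in the shape Puppet Server expects (certname as the first argument, the CSR in PEM form on stdin, exit status 0 to sign). It signs a request only if the CSR parses and is self-consistent, its CN equals the certname, the name is in the hanli.com domain, the host is known, and the CSR carries a pp_preshared_key extension request (OID 1.3.6.1.4.1.34380.1.1.4, which the agent sends from csr_attributes.yaml) equal to that host's enrollment key. The domain, the host-to-key table and the sample requests produced by build_csr are constructed for the demo; a real deployment would read the table from a root-owned file and rotate keys after enrollment.

```ruby
#!/opt/puppetlabs/puppet/bin/ruby
# Added example, not code from the original post or from Puppet itself:
# a policy-based autosign script. Puppet Server runs it as
#     <script> <certname>        (CSR PEM on stdin)
# and signs the request only when it exits 0. Enable it with
#     puppet config set --section master autosign /etc/puppetlabs/puppet/autosign.rb
# Agents put their key in /etc/puppetlabs/puppet/csr_attributes.yaml:
#     extension_requests:
#       pp_preshared_key: <secret>
require 'openssl'

PSK_OID = '1.3.6.1.4.1.34380.1.1.4'.freeze   # Puppet's OID for pp_preshared_key

# Constructed policy data for the demo: each enrollable host has its own key.
ALLOWED_DOMAIN = 'hanli.com'.freeze
HOST_KEYS = {
  'master2.hanli.com' => 'constructed-secret-for-master2',
  'master3.hanli.com' => 'constructed-secret-for-master3',
}.freeze

# Return the CSR's extensionRequest attribute as {dotted_oid => utf8_value}.
def extension_requests(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless attr
  # extReq value: SET { SEQUENCE { SEQUENCE { oid, [critical], OCTET STRING } ... } }
  attr.value.value.first.value.each_with_object({}) do |ext, acc|
    oid = ext.value.first.oid
    inner_der = ext.value.last.value           # DER of the extension's inner value
    acc[oid] = OpenSSL::ASN1.decode(inner_der).value
  end
end

# Compare secrets without leaking the position of the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Policy decision for one request; returns [sign?, reason] so it can be tested.
def autosign_decision(certname, csr_pem)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return [false, 'bad CSR signature'] unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }&.fetch(1)
  return [false, 'CN mismatch'] unless cn == certname
  return [false, 'outside allowed domain'] unless certname.end_with?(".#{ALLOWED_DOMAIN}")
  expected = HOST_KEYS[certname]
  return [false, 'unknown host'] unless expected
  presented = extension_requests(csr)[PSK_OID]
  return [false, 'no pp_preshared_key'] unless presented
  return [false, 'wrong pp_preshared_key'] unless constant_time_equal?(presented, expected)
  [true, 'ok']
rescue OpenSSL::X509::RequestError
  [false, 'unparseable CSR']
end

# Build a CSR the way puppet agent does (constructed here for the demo).
def build_csr(certname, psk: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  if psk
    ext = OpenSSL::X509::Extension.new(PSK_OID, OpenSSL::ASN1::UTF8String.new(psk).to_der)
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([ext])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Run the policy against representative requests; returns {label => [sign?, reason]}.
def demo_decisions
  good = build_csr('master2.hanli.com', psk: HOST_KEYS['master2.hanli.com'])
  {
    'master2 with its own key'   => autosign_decision('master2.hanli.com', good),
    'master3 with a guessed key' => autosign_decision('master3.hanli.com', build_csr('master3.hanli.com', psk: 'guess')),
    'master3 without a key'      => autosign_decision('master3.hanli.com', build_csr('master3.hanli.com')),
    'rogue host, stolen key'     => autosign_decision('evil.hanli.com', build_csr('evil.hanli.com', psk: HOST_KEYS['master2.hanli.com'])),
    'certname != CSR CN'         => autosign_decision('master3.hanli.com', good),
    'garbage on stdin'           => autosign_decision('master2.hanli.com', 'not a pem'),
  }
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?   # no certname: show what the policy does with the sample requests
    demo_decisions.each { |label, (ok, why)| puts "#{ok ? 'SIGN' : 'DENY'}  #{label}: #{why}" }
  else             # invoked by puppetserver: certname on argv, CSR PEM on stdin
    ok, why = autosign_decision(ARGV[0], $stdin.read)
    warn "autosign #{ARGV[0]}: #{why}"
    exit(ok ? 0 : 1)
  end
end
```

Install it as /etc/puppetlabs/puppet/autosign.rb, executable by the puppet user, and set autosign to that path in [master]; run with no arguments it prints the verdict for each sample request. Note the policy's limit: a host that presents a valid name together with that host's key is signed, so treat the keys as single-use enrollment tokens and rotate them once a host has its certificate.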

7. Test

The entry point is site.pp; agents apply what it declares. In Puppet 6.2 it lives at /etc/puppetlabs/code/environments/production/manifests/site.pp (older Puppet 3 installs used /etc/puppet/manifests/site.pp).

Simple example 1:

vim /etc/puppetlabs/code/environments/production/manifests/site.pp
file { '/tmp/slave1.txt':
  content => "Hello world",
}

Slightly more complex example 2 (using a module). In Puppet 6.2 your modules go in /etc/puppetlabs/code/environments/production/modules, not in /opt/puppetlabs/puppet/modules, which holds Puppet's own bundled modules and must not be modified or added to.

[root@master1] ~$ cd /etc/puppetlabs/code/environments/production
[root@master1] production$ mkdir -pv modules/test/{manifests,templates,files}

[root@master1] production$ vim modules/test/manifests/init.pp
class test {
  # hostname fact; the braces keep the interpolation from swallowing ".txt"
  file { "/tmp/${facts['networking']['hostname']}.txt":
    content => "Hello world",
  }
}

[root@master1] production$ vim modules/test/templates/test.erb
hostname <%= @facts['networking']['fqdn'] %>

(A manifest uses this template with content => template('test/test.erb').)

[root@master1] production$ vim manifests/nodes/slave1.hanli.com.pp
node 'slave1.hanli.com' {
  include test
}

The import statement Puppet 3 used for this (import "nodes/slave1.hanli.com.pp" in site.pp) was removed in Puppet 4. The environment's manifest setting points at the manifests directory, and Puppet loads every .pp file under it, subdirectories included, so the node file is picked up without any import.


About nodes in site.pp

default (without quotes) is a special node name: a node that matches no other node statement gets the resources declared in node default.

[root@master1] /etc/puppetlabs/code/environments/production/manifests$ tree
.
├── nodes
│   ├── master2.pp
│   └── master3.pp
└── site.pp

1 directory, 3 files
[root@master1] /etc/puppetlabs/code/environments/production/manifests$ vim site.pp
$information = "onlyTest!"

node default {
  notify {$information:}
  include falcon::base
}

8. How configuration gets applied

There are two models: the agent pulls, or the server pushes. Each has pros and cons; pull is the usual choice.

1. By default the agent contacts the server every 30 minutes (there is no runinterval entry in the agent's puppet.conf by default; without one the interval is 30 minutes, and you can set your own value):

# /etc/puppetlabs/puppet/puppet.conf
[agent]
  runinterval = 2h

To trigger a run from the agent by hand: puppet agent -t --server puppet-master (-t is short for --test). If server is already set in the agent's puppet.conf, --server can be omitted.

If you run the agent as a non-root user, use a cron job instead of the daemon; root can also use cron.

To set up the cron job, run this puppet resource command:
sudo puppet resource cron puppet-agent ensure=present user=root minute=30 command='/opt/puppetlabs/bin/puppet agent --onetime --no-daemonize --splay --splaylimit 60'
This runs Puppet once an hour, at minute 30, with a random delay of up to 60 seconds (--splay) so that agents do not all hit the server at the same instant.

Instead of puppet resource, a plain crontab entry also works (puppetagent.sh here is a wrapper script that is not shown in this post):

*/30 * * * * /opt/puppetlabs/bin/puppetagent.sh > /dev/null 2>&1

2. Server-initiated runs: in Puppet 3 this was puppet kick -p 10 (-p pings the agents first and skips those that do not respond), which required the following on each agent:

1. listen=true in the agent's puppet.conf
2. port 8139 open in the agent's firewall
3. a rule in the agent's auth.conf:
            #allow puppet kick access
            path /run
            method save
            auth any
            allow puppetmaster.domain.com

puppet kick and the agent's listen setting were removed in Puppet 4, so none of this works on Puppet 6. To push a run from the server today, use an orchestration tool to run puppet agent -t on the agents (Bolt for open source Puppet, or the orchestrator in Puppet Enterprise).

As of puppet-agent 5.5.4, MCollective is deprecated and will be removed from a future puppet-agent release. Puppet Enterprise users should migrate from MCollective to Puppet Orchestrator; open source users should migrate MCollective agents and filters to tools such as Bolt and PuppetDB's Puppet Query Language.

9. Miscellaneous

  • Logs go to /var/log/messages by default; pass --logdest when starting puppet agent to log to a file instead
  • Show the effective configuration with puppet config print
  • Turn an existing resource into Puppet code: puppet resource user luke

10. Common errors and fixes

https://www.oschina.net/question/54100_31764

References:
https://docs.puppet.com/puppet
