Installing puppet on RHEL 6.5
10.1.1.33 puppet server, hostname puppet.domain.com
10.1.1.34 puppet client, hostname agent.domain.com
/etc/hosts on each machine is configured as:
10.1.1.33 puppet.domain.com
10.1.1.34 agent.domain.com
Hostnames:
[email protected]:nodes# cat /etc/sysconfig/network-scripts/ifcfg-eth0
...
HOSTNAME=puppet.domain.com
[email protected]:puppet# cat /etc/sysconfig/network-scripts/ifcfg-eth0
....
HOSTNAME=agent.domain.com
Make sure the ruby packages are installed:
yum -y install ruby ruby-libs ruby-shadow
Check the ruby version (1.8.5 or later is required):
[email protected]:~# ruby -v
ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]
Pick the puppetlabs-release package that matches the operating system version; this is CentOS 6.5, so use puppetlabs-release-6-5:
rpm -Uvh http://yum.puppetlabs.com/el/6.5/products/x86_64/puppetlabs-release-6-5.noarch.rpm
yum clean all
Install puppet on the server. facter and the other dependencies are pulled in automatically:
[email protected]:~# yum install puppet-server
[email protected]:~# puppet -V
3.7.3
[email protected]:~# facter -v
2.3.0
Install puppet on the client:
[email protected]:~# yum install puppet
Configuring puppet
(1) Start the server and check the listening state. Once the puppetmaster service is started it listens on TCP port 8140 by default.
[email protected]:manifests# /etc/init.d/puppetmaster start
Starting puppetmaster: [ OK ]
[email protected]:puppet# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State    PID/Program name
tcp    0      0      0.0.0.0:8140       0.0.0.0:*          LISTEN   892/ruby
(2) Start the client:
[email protected]:~# /etc/init.d/puppet start
Starting puppet agent: [ OK ]
(3) Configure the node manifest. Edit site.pp and add a file resource that writes out a file:
[email protected]:manifests# cat site.pp
node default {
    file { "/tmp/puppettest1.txt":
        content => "hello,puppet";
    }
}
(4) Run the agent on the client for the first time; it generates a certificate request:
[email protected]:~# puppet agent --server puppet.domain.com --test
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent.domain.com
Info: Certificate Request fingerprint (SHA256): B9:15:4E:8B:5F:D3:63:D2:A9:CC:11:74:ED:32:1C:07:EF:61:C5:BF:37:19:26:3A:7D:05:05:3F:4D:23:83:37
Exiting; no certificate found and waitforcert is disabled
If you do not use the --server parameter to name the puppet master, set this parameter in the [main] section of the client configuration file /etc/puppet/puppet.conf instead.
(5) Complete the verification on the server by signing the certificate request the agent sent to the master. Use the puppet cert command with --list to see the requests waiting to be signed, and the sign subcommand to sign a pending request; --all signs every pending request at once.
[email protected]:puppet# puppet cert --list
"agent.domain.com" (SHA256) B9:15:4E:8B:5F:D3:63:D2:A9:CC:11:74:ED:32:1C:07:EF:61:C5:BF:37:19:26:3A:7D:05:05:3F:4D:23:83:37
[email protected]:puppet# puppet cert sign agent.domain.com
Notice: Signed certificate request for agent.domain.com
Notice: Removing file Puppet::SSL::CertificateRequest agent.domain.com at '/var/lib/puppet/ssl/ca/requests/agent.domain.com.pem'
(6) Run the agent on the client again. The server has already configured a file resource for the host agent.domain.com, so it is applied now:
[email protected]:puppet# puppet agent --server puppet.domain.com --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent.domain.com
Info: Applying configuration version '1418226077'
Notice: /Stage[main]/Main/Node[default]/File[/tmp/puppettest1.txt]/ensure: defined content as '{md5}6f009eb2c075367f81dde6ea8fe77e59'
Notice: Finished catalog run in 0.08 seconds
(7) Verify the result:
[email protected]:puppet# cat /tmp/puppettest1.txt
hello,puppet
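Step (5) prints the same SHA256 fingerprint on both sides: the agent shows it when it creates the request, and puppet cert --list shows it on the master. Comparing the two before signing is what distinguishes a request from the host you expect from one that merely claims its certname, and it is the check that puppet cert sign --all skips. The script below is an added example, not part of the original post: it parses the puppet cert --list output format shown above, compares the pending fingerprint with the one the agent reported, and only then invokes puppet cert sign. The sample list output is constructed (the agent.domain.com line reuses the fingerprint from the walkthrough; the other.domain.com line is made up), and the PUPPET variable is an assumption of this script so the check can be exercised on a machine without a puppet master.

```shell
#!/bin/sh
# Added example (not from the original post): compare the CSR fingerprint the
# agent printed with the pending one on the master before signing.

# Extract the fingerprint for one host from "puppet cert --list" output.
# Each line has the form:  "agent.domain.com" (SHA256) B9:15:4E:...
csr_fingerprint() {
    host=$1
    list_output=$2
    printf '%s\n' "$list_output" \
        | awk -v h="\"$host\"" '$1 == h && $2 == "(SHA256)" { print $3; exit }'
}

# Compare two fingerprints case-insensitively; returns 0 only when both are
# non-empty and equal.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# PUPPET is an assumption of this script: it lets the sign step be redirected
# (for instance to a shell function) when no puppet master is present.
PUPPET=${PUPPET:-puppet}

# Sign the pending request for $host only if its fingerprint matches the one
# the agent reported; otherwise report the mismatch and return non-zero.
sign_if_match() {
    host=$1
    agent_fp=$2
    list_output=$3
    pending_fp=$(csr_fingerprint "$host" "$list_output")
    if fingerprints_match "$agent_fp" "$pending_fp"; then
        "$PUPPET" cert sign "$host"
    else
        echo "refusing to sign $host: agent reported '$agent_fp', pending request has '$pending_fp'" >&2
        return 1
    fi
}

# Constructed sample of what "puppet cert --list" prints on the master.
SAMPLE_LIST='"agent.domain.com" (SHA256) B9:15:4E:8B:5F:D3:63:D2:A9:CC:11:74:ED:32:1C:07:EF:61:C5:BF:37:19:26:3A:7D:05:05:3F:4D:23:83:37
"other.domain.com" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Fingerprint as reported by the agent in step (4) of the walkthrough.
AGENT_FP=B9:15:4E:8B:5F:D3:63:D2:A9:CC:11:74:ED:32:1C:07:EF:61:C5:BF:37:19:26:3A:7D:05:05:3F:4D:23:83:37

# Demonstration on the constructed data: one match, one mismatch.
if fingerprints_match "$AGENT_FP" "$(csr_fingerprint agent.domain.com "$SAMPLE_LIST")"; then
    echo "agent.domain.com: fingerprint matches, safe to run: puppet cert sign agent.domain.com"
fi
if ! fingerprints_match "$AGENT_FP" "$(csr_fingerprint other.domain.com "$SAMPLE_LIST")"; then
    echo "other.domain.com: pending fingerprint differs from what the agent reported"
fi
```

On a real master you would capture the list with list_output=$(puppet cert --list) and call sign_if_match agent.domain.com "$fingerprint_from_the_agent" "$list_output"; a mismatch leaves the request unsigned for a human to look at.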
Removing a client's certificate:
puppet cert --clean {node certname}
[email protected]:certs# puppet cert --clean 10.1.1.35.domain.com
Notice: Revoked certificate with serial 3
Notice: Removing file Puppet::SSL::Certificate 10.1.1.35.domain.com at '/var/lib/puppet/ssl/ca/signed/10.1.1.35.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate 10.1.1.35.domain.com at '/var/lib/puppet/ssl/certs/10.1.1.35.domain.com.pem'
Notice: Removing file Puppet::SSL::Key 10.1.1.35.domain.com at '/var/lib/puppet/ssl/private_keys/10.1.1.35.domain.com.pem'
At the same time, delete the contents of the ssl directory on the client:
rm -rf /var/lib/puppet/ssl/*