Puppet installation and testing
I. Environment
1. IP addresses
server: 192.168.2.129 (CentOS 5.6 i386)
client: 192.168.2.130 (CentOS 5.6 i386)
2. Environment setup
Puppet is written in Ruby, so both the server and the client need a working Ruby environment before Puppet is installed.
Configure the yum repositories. Both repository files below use gpgcheck=0 and a plain-http baseurl, so yum installs whatever those mirrors serve without verifying package signatures; that is tolerable on a throwaway test VM, but on anything else set gpgcheck=1 and import the repository's signing key first.
vim /etc/yum.repos.d/puppet.repo
[puppetlabs]
name=Puppet Labs Packages
baseurl=http://yum.puppetlabs.com/base/
enabled=0
gpgcheck=0
vim /etc/yum.repos.d/ruby.repo
[ruby]
name=ruby
baseurl=http://centos.karan.org/el5/misc/testing/i386/RPMS/
gpgcheck=0
enabled=0
Install the Ruby environment. The ruby repository is defined with enabled=0, so enable it explicitly; otherwise yum takes the older ruby from the CentOS base repository:
yum --enablerepo=ruby install ruby ruby-rdoc
Note: Puppet 2.6 needs Ruby 1.8.6; the ruby installed above is 1.8.6.
II. Installation
1. Server (192.168.2.129)
Install EPEL:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
Install the Puppet server. The Puppet Labs repository configured above has the id puppetlabs and is disabled by default, so enable it by that id together with epel:
yum --enablerepo=epel,puppetlabs install puppet-server
chkconfig --level 2345 puppetmaster on
Edit /etc/hosts and add the following lines:
192.168.2.129 server.puppet.com
192.168.2.130 client.puppet.com
Before the server runs for the first time, edit /etc/puppet/manifests/site.pp; the most basic content will do:
[root@server manifests]# vim site.pp
node "client.puppet.com" {
  file { "/tmp/temp1.txt":
    content => "hello,client.",
  }
}
2. Client (192.168.2.130)
Install EPEL:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
Install the Puppet agent:
yum install puppet
chkconfig --level 2345 puppet on
Edit /etc/hosts and add the following lines:
192.168.2.129 server.puppet.com
192.168.2.130 client.puppet.com
III. Testing
1. Startup
Start Puppet on the server:
[root@server ~]# /etc/init.d/puppetmaster start
Start Puppet on the client:
[root@client ~]# /etc/init.d/puppet once -v
At this point the client tries to connect to the server, but the connection runs over SSL and the server has not yet signed the client's certificate, so the client is disconnected and the client-side service stops.
[root@client ~]# puppetd --server server.puppet.com --test
The client sends its certificate request.
On the server:
[root@server ~]# puppetca --list
client.puppet.com (67:BE:EA:24:79:F2:16:8F:D9:59:F4:C1:3B:8D:DC:19)
If this line appears, the client reached the server and its request is waiting to be signed. Before signing, compare the fingerprint shown here with the "Certificate Request fingerprint (md5)" that puppetd printed on the client (it is the same 67:BE:... value in the client output in the next section); signing is the one point at which the master decides which machine gets the client.puppet.com identity, so sign only when the two match:
[root@server ~]# puppetca --sign client.puppet.com
On the client:
After the server has signed the client's certificate, start puppetd on the client again; the client now connects to the server normally and applies the configuration the server defines for it.
[root@client ~]#/etc/init.d/puppet once -v
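The fingerprint comparison described above, worked through in Ruby (Puppet's own language) as an added example that is not code from this page or from Puppet itself: it builds a certificate request for client.puppet.com, computes the fingerprint in the format puppetd and puppetca print (MD5 over the DER-encoded request, upper-case hex pairs joined by colons), parses the `puppetca --list` output shown above, and refuses to approve a request whose fingerprint differs from the one seen on the client. The `puppetca --list` text is constructed here; the function names and the use of SHA-256 for the request signature are this example's choices.

```ruby
require 'openssl'

# Puppet-style fingerprint of a certificate request: a digest over the DER
# encoding, printed as upper-case hex pairs joined with ":". This is the value
# puppetd prints as "Certificate Request fingerprint (md5)" and the value
# puppetca --list prints beside the pending name, so the two can be compared.
def puppet_fingerprint(csr, digest = 'MD5')
  OpenSSL::Digest.new(digest).hexdigest(csr.to_der).scan(/../).join(':').upcase
end

# Build a CSR for a certname (CN = certname), as the client does on first contact.
# SHA-256 for the request signature is this example's choice.
def make_csr(certname, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# Parse `puppetca --list` output into { certname => fingerprint }. Pending
# requests are printed one per line as
#   client.puppet.com (67:BE:EA:24:79:F2:16:8F:D9:59:F4:C1:3B:8D:DC:19)
# Lines for already-signed certificates (shown with a leading "+" by
# --list --all) do not match the pattern and are ignored.
def parse_puppetca_list(text)
  text.each_line.each_with_object({}) do |line, pending|
    m = line.match(/\A\s*([\w.-]+)\s+\(([0-9A-Fa-f:]+)\)\s*\z/)
    pending[m[1]] = m[2].upcase if m
  end
end

# The check to run on the master before `puppetca --sign <certname>`: the name
# must have a pending request, and its fingerprint must equal the one read off
# the client's own console. Anything else means the request waiting on the
# master is not the one this client generated, and it must not be signed.
def safe_to_sign?(list_text, certname, fingerprint_seen_on_client)
  pending = parse_puppetca_list(list_text)
  pending.key?(certname) && pending[certname] == fingerprint_seen_on_client.upcase
end

if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)
  csr = make_csr('client.puppet.com', key)
  fp  = puppet_fingerprint(csr)
  # Constructed stand-in for what puppetca --list would print on the master.
  listing = "client.puppet.com (#{fp})\n"
  puts "client: Certificate Request fingerprint (md5): #{fp}"
  puts "master: #{listing}"
  puts(safe_to_sign?(listing, 'client.puppet.com', fp) ? 'fingerprints match: sign' : 'MISMATCH: do not sign')
  # every hex digit shifted by one, so this fingerprint always differs
  tampered = fp.tr('0-9A-F', '1-9A-F0')
  puts(safe_to_sign?(listing, 'client.puppet.com', tampered) ? 'sign' : 'altered fingerprint rejected')
end
```

The parser deliberately returns nothing for a line that is not in the pending format, so a name that only appears as already signed is treated as "nothing to sign" rather than silently approved.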
2. Testing the connection
Before testing, first connect from the client to the server.
On the client, run:
[root@client ~]# puppetd --server server.puppet.com --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client.puppet.com
info: Certificate Request fingerprint (md5): 67:BE:EA:24:79:F2:16:8F:D9:59:F4:C1:3B:8D:DC:19
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
If one of the following errors appears:
Error 1:
[root@client ~]# puppetd --server server.puppet.com --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client.puppet.com
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled
Solution:
# puppetca --clean client.puppet.com (server) or # puppetca -c -a
# /etc/init.d/puppetmaster restart (server)
# rm -rf /var/lib/puppet (client)
# /etc/init.d/puppet stop && /etc/init.d/puppet once -v (client)
# puppetd --server server.puppet.com --test (client)
# puppetca --list (server)
client.puppet.com (67:BE:EA:24:79:F2:16:8F:D9:59:F4:C1:3B:8D:DC:19)
If this line appears, the server and the client are connected again and the new request can be signed. Two cautions: puppetca -c -a (--clean --all) revokes and removes every certificate the CA has signed, so every other client would have to re-request; and rm -rf /var/lib/puppet deletes the client's private key along with all its state, which is exactly what is wanted here (the error says the master's copy was issued for a different key) but must not be done casually on a client that is already trusted.
Error 2:
[root@client ~]# puppetd --server server.puppet.com --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client.puppet.com
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
Solution:
This is caused by the clocks on the server and the client being out of sync, which puts the certificate outside its validity window on one side. Sync the time on both (time.nist.gov is the page's choice; an internal NTP server is the usual one):
[root@server ~]# /usr/sbin/ntpdate time.nist.gov
[root@client ~]# /usr/sbin/ntpdate time.nist.gov
Then repeat the steps from the solution to error 1 (if puppetd verifies cleanly once the clocks agree, that cleanup can be skipped).
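Both SSL failures above can be reproduced and told apart offline with Ruby's OpenSSL bindings. The following is an added example, not code from this page or from Puppet: it issues a throwaway self-signed certificate, applies the same certificate/private-key consistency test that produces error 1 when the master's copy was made for a different key, and checks the certificate's validity window against a clock that is deliberately a day slow, which is the situation behind error 2. The function names and the validity period are this example's assumptions.

```ruby
require 'openssl'

# Self-signed certificate for a name, valid over [not_before, not_after]. Only
# used to build test material offline; in the real setup the master's CA issues it.
def self_signed_cert(name, key, not_before, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', name]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Error 1 ("Retrieved certificate does not match private key"): the certificate
# the master returns was issued for a different key than the one the client now
# holds in /var/lib/puppet/ssl/private_keys. This is the consistency test Puppet
# applies before caching a retrieved certificate.
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Error 2 ("certificate verify failed" although the files are right): the clock
# of one side lies outside the certificate's validity window. Returns nil when
# the certificate is valid at `now`, otherwise a message saying which bound is
# violated and by how much, so the operator knows whether to sync NTP or reissue.
def validity_problem(cert, now = Time.now)
  if now < cert.not_before
    "not yet valid: clock is #{(cert.not_before - now).to_i}s behind notBefore (sync the clocks)"
  elsif now > cert.not_after
    "expired #{(now - cert.not_after).to_i}s ago (reissue the certificate)"
  end
end

if __FILE__ == $0
  key   = OpenSSL::PKey::RSA.new(2048)
  other = OpenSSL::PKey::RSA.new(2048)    # a key regenerated after rm -rf /var/lib/puppet
  now   = Time.now
  cert  = self_signed_cert('client.puppet.com', key, now - 60, now + 5 * 365 * 86400)
  puts "matches own key:           #{cert_matches_key?(cert, key)}"
  puts "matches regenerated key:   #{cert_matches_key?(cert, other)}"      # error 1 case
  puts "valid with synced clocks:  #{validity_problem(cert, now).inspect}"
  puts "client clock one day slow: #{validity_problem(cert, now - 86400)}" # error 2 case
end
```

Run against the real files, `cert_matches_key?` takes the PEM from /var/lib/puppet/ssl/certs and the key from /var/lib/puppet/ssl/private_keys on the client; a false result means the cleanup for error 1 is genuinely required, while a non-nil `validity_problem` with a matching key points at the clocks instead.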
Error 3:
[root@client ~]# puppetd --server server.puppet.com --test
notice: Run of Puppet configuration client already in progress; skipping
Solution:
This notice comes from the agent's run lock, not from the manifest: another puppetd process on the client (for example the service started earlier with /etc/init.d/puppet once -v, or a stale lock file left under /var/lib/puppet/state/ by an interrupted run) still holds it. Stop that process, or wait for it to finish, then rerun. While you are at it, confirm that /etc/puppet/manifests/site.pp on the server contains what you expect:
[root@server ~]# cat /etc/puppet/manifests/site.pp
node "client.puppet.com" {
  file { "/tmp/temp1.txt":
    content => "hello,client.",
    # source => "puppet://server.puppet.com/tmp/temp1.txt"
  }
}
Then on the client run again:
[root@client ~]# puppetd --server server.puppet.com --verbose --waitforcert 60
--server names the master (the name its certificate was issued for, which must resolve, here via /etc/hosts), --waitforcert 60 makes the agent poll the master every 60 seconds until its certificate has been signed, and --verbose optionally prints more detail.
or: [root@client ~]# puppetd --server server.puppet.com --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client.puppet.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client.puppet.com
info: Applying configuration version '1322473855'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.03 seconds
Indicator of a successful configuration:
Once the certificate has been issued, compare these two files; their MD5 sums are identical, because the signed copy kept by the CA and the certificate the client cached are the same PEM:
Server: [root@server ~]# md5sum /var/lib/puppet/ssl/ca/signed/client.puppet.com.pem
e3152aea5e755a10a02604d51d7ab56d /var/lib/puppet/ssl/ca/signed/client.puppet.com.pem
Client: [root@client ~]# md5sum /var/lib/puppet/ssl/certs/client.puppet.com.pem
e3152aea5e755a10a02604d51d7ab56d /var/lib/puppet/ssl/certs/client.puppet.com.pem
3. Test run
On the client, check the state of the puppet service (a daemon still running would hold the run lock, see error 3), then execute:
[root@client tmp]# puppetd --server server.puppet.com --test
info: Caching catalog for client.puppet.com
info: Applying configuration version '1322450970'
notice: /Stage[main]//Node[client.puppet.com]/File[/tmp/temp1.txt]/ensure: defined content as '{md5}e105a4b8fc6a6001dc7c28526c20c0d4'
notice: Finished catalog run in 0.04 seconds
Afterwards:
[root@client ~]# cat /tmp/temp1.txt
hello,client.
This shows the configuration is working.
[root@server puppet]# /etc/init.d/puppetmaster restart
Stopping puppetmaster: [FAILED]
Starting puppetmaster: /usr/lib/ruby/site_ruby/1.8/puppet/network/http.rb:8:in `server_class_by_type': Mongrel is not installed on this platform (ArgumentError)
from /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:157:in `http_server_class_by_type'
from /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:137:in `http_server_class'
from /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:58:in `initialize'
from /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:104:in `new'
from /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:104:in `main'
from /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:46:in `run_command'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:420:in `hook'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:411:in `exit_on_fail'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
from /usr/sbin/puppetmasterd:4
[FAILED]
This error appears when puppet.conf on the master sets servertype = mongrel without the mongrel gem being installed; with the default configuration file (servertype left at webrick) the master starts without error.
On setting the hostname:
On the clients it is enough to modify hostname.rb and prefix the hostname with the MAC address; /etc/hosts then needs no per-client entries and each hostname is guaranteed to be unique. Two caveats: this edits a file owned by the facter package, so a facter upgrade overwrites the change; and whatever name the client reports here becomes the certname in its certificate request, so the fingerprint check before puppetca --sign remains the master's only control over which machine gets which identity.
[root@CDN-BJ-186 ~]# vim /usr/lib/ruby/site_ruby/1.8/facter/hostname.rb
Facter.add(:hostname, :ldapname => "cn") do
  setcode do
    hostname = nil
    # Field 5 of the first line of `ifconfig -a` is the MAC address on CentOS 5
    # ("eth0 Link encap:Ethernet HWaddr 00:0C:29:A1:B2:C3"); replace its colons
    # with dashes and append the domain, giving e.g. 00-0C-29-A1-B2-C3.oss.com
    name = Facter::Util::Resolution.exec('/sbin/ifconfig -a |sed -n \'1p\'|awk \'{gsub(/:/,"-",$5);print $5".oss.com"}\'') or nil
    if name
      if name =~ /^([\w-]+)\.(.+)$/
        # hostname becomes <mac-with-dashes>-core, domain becomes oss.com
        hostname = $1+"-core"
        # the Domain class uses this
        $domain = $2
      else
        hostname = name
      end
      hostname
    else
      nil
    end
  end
end
Facter.add(:hostname) do
  confine :kernel => :darwin, :kernelrelease => "R7"
  setcode do
    %x{/usr/sbin/scutil --get LocalHostName}
  end
end
or:
Facter.add(:hostname, :ldapname => "cn") do
  setcode do
    hostname = nil
    #if name = Facter::Util::Resolution.exec('hostname')
    # The last field of the eth0 line of `ifconfig` is the MAC address.
    if name = Facter::Util::Resolution.exec("ifconfig |grep eth0|awk '{print $NF}'|head -n 1")
      if name =~ /(.*?)\./
        hostname = $1
      else
        hostname = name
      end
    end
    # A MAC contains colons, which are not valid in a hostname or certname, so
    # replace them with dashes; return nil instead of raising on nil + String
    # when no eth0 line was found.
    hostname && hostname.tr(':', '-') + ".ku6-puppet.com"
  end
end
Facter.add(:hostname) do
  confine :kernel => :darwin, :kernelrelease => "R7"
  setcode do
    Facter::Util::Resolution.exec('/usr/sbin/scutil --get LocalHostName')
  end
end
On both the client and the server you then only need to add the server's name and its IP:
10.10.10.2 server.puppet.com
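A safer way to get the same MAC-derived name, as an added example rather than the page's patched hostname.rb: the derivation is a pure function over the text of ifconfig -a (so it can be tested with a constructed sample and without root), it also accepts the newer net-tools "ether" line format, and it is registered as a separate fact instead of overriding facter's built-in hostname. The fact name mac_hostname, the function names, the sample interface listing and the domain defaults are this example's assumptions.

```ruby
# Derive a MAC-based host identity from the text of `ifconfig -a`. Both the
# CentOS 5 "HWaddr 00:0C:29:..." form used on the page and the newer net-tools
# "ether 00:0c:29:..." form are accepted (an extension of the page's one-liner,
# which only reads field 5 of the first line).
#   "eth0  Link encap:Ethernet  HWaddr 00:0C:29:A1:B2:C3"
#     -> ["00-0c-29-a1-b2-c3-core", "oss.com"]
def mac_based_identity(ifconfig_text, domain = 'oss.com', suffix = '-core')
  mac = ifconfig_text.each_line
                     .map { |l| l[/(?:HWaddr|ether)\s+([0-9A-Fa-f:]{17})/, 1] }
                     .compact.first
  return nil unless mac
  # colons are not valid in a hostname or certname; lower-case so the value does
  # not depend on how the tool prints the MAC
  ["#{mac.downcase.tr(':', '-')}#{suffix}", domain]
end

# Register the result as its own fact instead of overriding facter's built-in
# hostname fact: editing /usr/lib/ruby/site_ruby/1.8/facter/hostname.rb is undone
# by the next facter upgrade, and replacing `hostname` changes the fqdn that
# puppetd uses as its certname. Put this file in a module's lib/facter/ (pluginsync)
# or on FACTERLIB; if the MAC-based name should be the certificate identity, set
# certname explicitly in puppet.conf on the client. The guard lets the file run as
# a plain script. Facter::Util::Resolution.exec is the facter 1.x call the page
# itself uses.
if defined?(Facter)
  Facter.add(:mac_hostname) do
    setcode do
      out = Facter::Util::Resolution.exec('/sbin/ifconfig -a')
      ident = out && mac_based_identity(out)
      ident && ident.join('.')
    end
  end
end

if __FILE__ == $0
  # Constructed sample: the first lines of `ifconfig -a` on a CentOS 5 client.
  sample = <<~IFCONFIG
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:A1:B2:C3
              inet addr:192.168.2.130  Bcast:192.168.2.255  Mask:255.255.255.0
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
  IFCONFIG
  host, domain = mac_based_identity(sample)
  puts "#{host}.#{domain}"
  puts mac_based_identity(sample, 'ku6-puppet.com', '').join('.')
end
```

With the fact kept separate, node blocks in site.pp can still match on whatever the operator chooses as certname, and the MAC-derived value is available as $mac_hostname in manifests without the client being able to pick its own certificate identity by changing one regex.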
Common puppet commands
Check a manifest for syntax errors:
puppet --parseonly manifests/site.pp
Apply a manifest locally while logging to a file (useful for debugging; -l is --logdest):
puppet -l /tmp/site.log /etc/puppet/manifests/site.pp
Debug a code snippet:
puppet apply -e 'file {"/tmp/temp.txt":content=>"123"}'
Show the module path:
puppet --configprint modulepath
Show all settings:
puppet --configprint all
References: http://www.mysqlops.com/2011/10/18/puppet-zhongwen.html
http://www.slideshare.net/myw58/puppet-7159473