Puppet can be used on a single machine or in a client/server (C/S) structure. When Puppet is deployed at scale, the C/S structure is the usual choice. In this structure a Puppet client is simply a server that runs puppet, and the Puppet server is the server that runs only puppetmaster.
The Puppet client first connects to the Puppet server and sends its basic configuration information to the server through the facter tool. The server analyses the client's hostname, locates that host's configuration code through the node definition, compiles it, and sends the compiled configuration back to the client; the client runs the code to apply the configuration and reports the result of the run back to the Puppet server.
Preparation:
Official site: http://puppetlabs.com
Related packages:
ruby
included on the system installation disc
facter
http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz
puppet
http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz
Test environment, CentOS 5.5:
server:
192.168.209.128
server.example.com
client:
192.168.209.129
client.example.com
Since Puppet is certificate-based and the certificates contain hostnames, you must edit /etc/hosts or set up DNS so that both sides can resolve each other. In my test environment I chose to set up DNS.
Synchronize time:
ntpdate time.nist.gov
Time must be synchronized on both the server and the client.
Server installation
1. Puppet requires Ruby, so the ruby package must be installed first
[root@server ~]# yum -y install ruby ruby-rdoc
2. Install Facter, which is used to collect client system information
[root@server ~]# tar zxvf facter-1.6.5.tar.gz
[root@server ~]# cd facter-1.6.5
[root@server facter-1.6.5]# ruby install.rb
3. Install puppet
[root@server ~]# tar zxf puppet-2.6.13.tar.gz
[root@server ~]# cd puppet-2.6.13
[root@server puppet-2.6.13]# ruby install.rb
[root@server puppet-2.6.13]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@server puppet-2.6.13]# cp conf/redhat/puppet.conf /etc/puppet/
[root@server puppet-2.6.13]# cp conf/redhat/server.init /etc/init.d/puppetmaster
[root@server ~]# chmod +x /etc/init.d/puppetmaster
[root@server ~]# chkconfig puppetmaster on
[root@server ~]# mkdir -p /etc/puppet/manifests
[root@server ~]# puppetmasterd --mkusers
[root@server ~]# /etc/init.d/puppetmaster start
Client installation
1. Install ruby, facter and puppet
[root@client ~]# yum -y install ruby ruby-rdoc
[root@client ~]# tar zxf facter-1.6.5.tar.gz
[root@client ~]# cd facter-1.6.5
[root@client facter-1.6.5]# ruby install.rb
[root@client ~]# tar zxf puppet-2.6.13.tar.gz
[root@client ~]# cd puppet-2.6.13
[root@client puppet-2.6.13]# ruby install.rb
[root@client puppet-2.6.13]# cp conf/namespaceauth.conf /etc/puppet/
[root@client puppet-2.6.13]# cp conf/redhat/puppet.conf /etc/puppet/
[root@client puppet-2.6.13]# cp conf/redhat/client.init /etc/init.d/puppet
[root@client puppet-2.6.13]# chmod +x /etc/init.d/puppet
[root@client puppet-2.6.13]# chkconfig puppet on
2. Configuration
[root@client ~]# vim /etc/puppet/puppet.conf
[agent]
listen = true
server = server
[root@client ~]# vim /etc/puppet/namespaceauth.conf
[fileserver]
allow *
[puppetmaster]
allow *
[puppetrunner]
allow *
[puppetbucket]
allow *
[puppetreports]
allow *
[resource]
allow *
3. Create the user and related directories
[root@client ~]# puppetmasterd --mkusers
[root@client ~]# /etc/init.d/puppet start
4. Establish the trust relationship
On the client, request a certificate:
[root@client ~]# puppetd -t --server server.example.com
On the server, accept the request:
[root@server ~]# puppetca -l
client.example.com (28:93:BB:D5:A5:AE:85:C3:C7:68:B3:F7:4E:E7:13:FF)
[root@server ~]# puppetca -s client.example.com
On the client, retrieve the signed certificate:
[root@client ~]# puppetd -t --server server.example.com
Once the certificate request has been approved, the trust relationship between them is established, and both copies of the certificate have the same MD5 value:
[root@server ~]# md5sum /var/lib/puppet/ssl/ca/signed/client.example.com.pem
9ec019e0de00de7b9daf8f79fa160db5 /var/lib/puppet/ssl/ca/signed/client.example.com.pem
[root@client ~]# md5sum /var/lib/puppet/ssl/certs/client.example.com.pem
9ec019e0de00de7b9daf8f79fa160db5 /var/lib/puppet/ssl/certs/client.example.com.pem
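The signing step above trusts whatever request is pending for a hostname. As an added example (not part of the original post), the POSIX sh helper below checks the fingerprint printed by `puppetca -l` against a value obtained from the client side before `puppetca -s` is run; the function names and the sample listing are constructed for this example.

```sh
#!/bin/sh
# Added example: verify a pending request's fingerprint before signing it.
# SAMPLE_LISTING is a constructed stand-in for "puppetca -l" output, in the
# format shown on this page (the second entry is made up for the example).
SAMPLE_LISTING='client.example.com (28:93:BB:D5:A5:AE:85:C3:C7:68:B3:F7:4E:E7:13:FF)
web01.example.com (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'

# Print the fingerprint listed for <hostname>; prints nothing when no
# request for that host is pending.
# Usage: csr_fingerprint <hostname> <listing-text>
csr_fingerprint() {
    printf '%s\n' "$2" | awk -v h="$1" '
        $1 == h { gsub(/[()]/, "", $2); print $2; exit }'
}

# Exit 0 only when the pending request for <hostname> carries exactly
# <expected-fingerprint>; any mismatch or missing request fails.
# Usage: csr_matches <hostname> <expected-fingerprint> <listing-text>
csr_matches() {
    actual=$(csr_fingerprint "$1" "$3")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Sign only after the fingerprint check passes. The listing defaults to the
# live "puppetca -l" output; a third argument can supply it instead.
# Usage: sign_if_verified <hostname> <expected-fingerprint> [listing-text]
sign_if_verified() {
    listing=${3:-$(puppetca -l)}
    if csr_matches "$1" "$2" "$listing"; then
        puppetca -s "$1"
    else
        echo "no pending request for $1 with fingerprint $2; not signing" >&2
        return 1
    fi
}

# On the server, with the fingerprint read from the client:
#   sign_if_verified client.example.com <fingerprint-read-from-the-client>
```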
Error:
[root@client ~]# puppetd -t --server server.example.com
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
Fix:
[root@client ~]# ntpdate time.nist.gov
[root@client ~]# rm -rf /var/lib/puppet/ssl/*
[root@client ~]# puppetd -t --server server.example.com