Installing and testing Puppet on CentOS 6.5

Pre-installation notes

  1. Use a well-provisioned server for the Puppet master whenever possible.
  2. Systems not officially supported can also run Puppet, provided a suitable version of the Ruby environment is installed.
     See: http://docs.puppetlabs.com/puppet/latest/reference/system_requirements.html#basic-requirements
  3. Open port 8140 on the master's firewall for the agents.
  4. Every node must have a unique hostname, with forward and reverse resolution configured correctly. Without a DNS service, /etc/hosts must be configured on every node.
     By default, the Puppet master's hostname is puppet.
  5. Because the Puppet master also acts as the CA (certificate authority), the clocks must be synchronized: start the ntpd service.
  6. Two modes of operation: Master/Agent and Standalone.

Environment

```text
192.168.10.216   Puppet Agent   c1.geekwolf.github.io
192.168.10.217   Puppet Agent   c2.geekwolf.github.io
192.168.10.218   Puppet Master  m.geekwolf.github.io
```

Installation steps

Install Puppet

```shell
rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
```

Note: to test RC builds and related packages, add the following to /etc/yum.repos.d/puppetlabs.repo:

```ini
[puppetlabs-devel]
name=Puppet Labs Devel El 6 - $basearch
baseurl=http://yum.puppetlabs.com/el/6/devel/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=1
```

```shell
yum -y install ntp
service ntpd start
chkconfig ntpd on
```
Configure Puppet

Set the hostname, write the name resolution into hosts, and sync it to all nodes.
On the master (192.168.10.218), install puppet-server:

```shell
# puppet-server pulls in puppet and facter as dependencies
yum -y install puppet-server
# Generated init script:
#   /etc/init.d/puppetmaster
# Master configuration directory:
#   /etc/puppet
chkconfig puppetmaster on
service puppetmaster start
# Upgrade the Puppet master:
puppet resource package puppet ensure=latest
service puppetmaster restart
```

Install Puppet on c1 and c2

```shell
yum -y install puppet
chkconfig puppet on
service puppet start
# Agent configuration file: /etc/puppet/puppet.conf
# (the init script reads its options from /etc/sysconfig/puppet)
```

Configure the Puppet agents c1 and c2 to point at the Puppet master address

```shell
vim /etc/puppet/puppet.conf
```

```ini
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
server = m.geekwolf.github.io
```
Certificate management

A. Signing certificates manually
c1 and c2 request certificates. Because server=m.geekwolf.github.io is already configured, the server does not need to be specified when requesting:

```console
[root@c1 ~]# puppet agent -t
Info: Creating a new SSL key for c1.geekwolf.github.io
Info: Caching certificate for ca
Info: Caching certificate_request for c1.geekwolf.github.io
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
```

Manage certificates on the master:
Sign certificates:

```shell
# List the certificate requests (+ means signed, - means not signed)
puppet cert list --all
# Sign the certificate for host c1.geekwolf.github.io
puppet cert --sign c1.geekwolf.github.io
# Sign the certificates of all requesting hosts
puppet cert --sign --all
```

Revoke certificates:

```shell
# Revoke the certificate of host c1.geekwolf.github.io
puppet cert revoke c1.geekwolf.github.io
# Revoke the certificates of all hosts (to sign again afterwards, restart
# puppetmaster first, have the nodes request certificates again, then sign)
puppet cert revoke --all
```

Clean certificates:

```shell
# On the master, clean a node's certificate; takes effect after puppetmaster is restarted
puppet cert --clean c1.geekwolf.github.io
# On the agent, delete the related directory, after which a new signing request can be made
rm -rf /var/lib/puppet/ssl
# or only the agent's own certificate (under $ssldir, i.e. /var/lib/puppet/ssl)
rm -rf /var/lib/puppet/ssl/certs/c1.geekwolf.github.io.pem
```

B. Signing certificates automatically

```shell
# On the Puppet master, create the file /etc/puppet/autosign.conf containing:
#   *.geekwolf.github.io
# (requests from the geekwolf.github.io domain are signed automatically, without review)
service puppetmaster restart
# Run on all nodes:
rm -rf /var/lib/puppet/ssl
# Then all nodes request signing:
puppet agent -t --server m.geekwolf.github.io
# Check the signatures on the Puppet master:
puppet cert list --all
```

```console
[root@m puppet]# puppet cert list --all
+ "c1.geekwolf.github.io" (SHA256) 2A:28:96:6C:B0:36:E8:CC:71:80:F4:C6:B5:D8:61:94:A8:59:46:9D:52:A3:58:2A:D9:78:45:A3:57:93:1C:38
+ "c2.geekwolf.github.io" (SHA256) 09:59:71:9A:CA:AE:92:82:1D:D4:0C:A6:D4:5F:51:C3:D6:E4:EE:80:20:19:CB:B1:71:EE:B3:24:F7:E3:80:71
+ "m.geekwolf.github.io" (SHA256) 10:F3:28:EA:36:25:38:C5:1C:8A:38:FD:94:EF:F9:77:6B:97:E9:FA:60:18:D5:53:DD:5D:DA:15:88:4F:96:A1 (alt names: "DNS:m.geekwolf.github.io", "DNS:puppet", "DNS:puppet.geekwolf.github.io")
```
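As an added check that is not part of the original post: before running `puppet cert --sign --all` (or relying on the wildcard in autosign.conf), pipe the `puppet cert list --all` output through this script to see which unsigned requests are not under the expected domain. The sample listing is constructed here with placeholder fingerprints, and `c3.geekwolf.github.io` and `host.example.net` are made-up requesters.

```shell
# Constructed sample of `puppet cert list --all` output. The fingerprints are
# placeholders (not real values); a leading "+" marks a signed certificate and
# any other line is a request that has not been signed yet.
FAKE_FP='00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'
SAMPLE_OUTPUT="+ \"c1.geekwolf.github.io\" (SHA256) $FAKE_FP
  \"c3.geekwolf.github.io\" (SHA256) $FAKE_FP
  \"host.example.net\" (SHA256) $FAKE_FP
+ \"m.geekwolf.github.io\" (SHA256) $FAKE_FP (alt names: \"DNS:m.geekwolf.github.io\", \"DNS:puppet\")"

# Reads listing lines on stdin; prints one certname per unsigned request.
pending_names() {
    awk '
        /^\+/ { next }                              # already signed
        {
            name = $0
            sub(/^[-+]?[[:space:]]*"/, "", name)     # drop marker and opening quote
            sub(/".*$/, "", name)                    # keep only the certname
            if (name != "") print name
        }'
}

# Prints unsigned requests whose certname is NOT under the domain given as $1.
# These are exactly the names `puppet cert --sign --all` would sign without review.
pending_outside_domain() {
    pending_names | awk -v suffix=".$1" '
        substr($0, length($0) - length(suffix) + 1) != suffix'
}

# Stand-alone run against the constructed sample.
echo "unsigned requests:"
printf '%s\n' "$SAMPLE_OUTPUT" | pending_names
echo "unsigned requests outside geekwolf.github.io:"
printf '%s\n' "$SAMPLE_OUTPUT" | pending_outside_domain geekwolf.github.io
```

On a real master, replace the sample with `puppet cert list --all | pending_outside_domain geekwolf.github.io` and sign only the names you recognise.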

Testing

By default the agents (c1, c2) connect to the Puppet master every 30 minutes; to make testing easier, shorten the run interval first:

```shell
echo "runinterval = 10" >>/etc/puppet/puppet.conf
service puppet restart
```

On the Puppet master:

```shell
vim /etc/puppet/manifests/site.pp
```

```puppet
file { "/tmp/test.txt":
  content => "test from geekwolf!~\n";
}
```

Check whether the file /tmp/test.txt exists on c1 and c2.

References

Multiple CA configuration
