CentOS6.5 + Puppet3.7.3 installation, configuration, and testing

Source: Internet
Author: User


OS: CentOS-6.5-x86_64

Puppet 3.7.3

Puppet master: master.fisteam2.com

Puppet clients: node1-5.fisteam2.com

Puppet requires that all machines have a fully qualified domain name (FQDN). If no DNS server provides the names, you can set the host name on the two machines and add the entries to the hosts file. Note that you must set the host name before installing Puppet: the host name is written into the certificate when Puppet is installed, and this certificate is required for communication between the client and the server. Because I have configured DNS, I do not need to change the hosts file here.

1. Disable SELinux and iptables and set NTP
Use a minimal installation from CentOS-6.5-x86_64.iso.

Disable SELinux
[root@master ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@master ~]# sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config
[root@master ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@master ~]# setenforce 0

Stop iptables
[root@node1 ~]# chkconfig --list | grep tables
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@node1 ~]# chkconfig ip6tables off
[root@node1 ~]# chkconfig iptables off
[root@node1 ~]# service ip6tables stop
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]
[root@node1 ~]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@node1 ~]#

Set NTP
[root@master ~]# ntpdate pool.ntp.org
[root@master ~]# chkconfig --list | grep ntp
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpdate         0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@master ~]# chkconfig ntpd on
[root@master ~]# service ntpd start
Starting ntpd:                                             [  OK  ]
[root@master ~]#

2. Install the Puppet service
Puppet is not in the base CentOS repositories. You must add the official repository provided by PuppetLabs:
[root@master ~]# wget http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm
[root@master ~]# rpm -ivh puppetlabs-release-6-7.noarch.rpm
[root@master ~]# yum update

Install and enable the Puppet service on the master:
[root@master ~]# yum install puppet-server
[root@master ~]# chkconfig --list | grep puppet
puppet          0:off   1:off   2:off   3:off   4:off   5:off   6:off
puppetmaster    0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@master ~]# chkconfig puppet on
[root@master ~]# service puppetmaster start
Starting puppetmaster:                                     [  OK  ]
[root@master ~]#

Install the Puppet client on the clients:
[root@node1 ~]# yum install puppet
[root@node1 ~]# chkconfig --list | grep puppet
puppet          0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@node1 ~]# chkconfig puppet on
[root@node1 ~]# chkconfig --list | grep puppet
puppet          0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@node1 ~]# service puppet start
Starting puppet agent:                                     [  OK  ]
[root@node1 ~]#

3. Configure puppet

On the Puppet client, modify /etc/puppet/puppet.conf and specify the master server:
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.
    # An extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    server = master.fisteam2.com

Restart the Puppet service:
[root@node1 ~]# service puppet restart
Stopping puppet agent:                                     [  OK  ]
Starting puppet agent:                                     [  OK  ]
[root@node1 ~]#

4. The client applies for a certificate
Server-side automatic certificate issuance settings
Set the master to automatically issue all certificates. We only need to create the autosign.conf file in the /etc/puppet directory. (You do not need to modify /etc/puppet/puppet.conf, because I have not changed the default location of the autosign.conf file.)
[root@master ~]# ll /etc/puppet/
total 28
-rw-r --. 1 root 4178 Nov 4 06:24 auth.conf
drwxr-xr-x. 3 root 4096 Dec 29 environments
-rw-r --. 1 root 1462 Nov 4 06:23 fileserver.conf
drwxr-xr-x. 2 root 4096 Nov 4 06:24 manifests
drwxr-xr-x. 2 root 4096 Nov 4 modules
-rw-r --. 1 root 853 Nov 4 06:23 puppet.conf
[root@master ~]# cat > /etc/puppet/autosign.conf <<EOF
> *.fisteam2.com
> EOF
[root@master ~]# service puppetmaster restart
Stopping puppetmaster:                                     [  OK  ]
Starting puppetmaster:                                     [  OK  ]
[root@master ~]#

In this way, all certificate requests from hosts under fisteam2.com are automatically signed.
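
A wildcard in autosign.conf is matched against the certname in the request, which the requesting host chooses itself. As an added example (not part of the original article), the script below is a policy-based autosign check that Puppet 3.4 and later can run instead, by setting autosign in the [master] section of puppet.conf to the script's path. It assumes an allow-list of node1-5.fisteam2.com, a hypothetical secret file /etc/puppet/autosign.secret, and agents that place the same value in challengePassword through csr_attributes.yaml.

```shell
#!/bin/sh
# Added example, not from the original article: a policy-based autosign check
# to use instead of the "*.fisteam2.com" wildcard in autosign.conf.
# Puppet 3.4+ runs the executable named by "autosign" in the [master] section
# of puppet.conf with the requested certname as $1 and the PEM CSR on stdin.
# Exit 0 = sign; non-zero = leave the request for manual "puppet cert sign".

# Assumption: only the five clients named in this article may enrol.
ALLOWED_NODES="node1.fisteam2.com node2.fisteam2.com node3.fisteam2.com node4.fisteam2.com node5.fisteam2.com"
# Assumption: hypothetical path of a root-only file holding the shared
# enrolment secret that each agent places in csr_attributes.yaml.
SECRET_FILE="/etc/puppet/autosign.secret"

# Read "openssl req -noout -text" output on stdin, print the challengePassword.
csr_challenge() {
    sed -n 's/^[[:space:]]*challengePassword[[:space:]]*:\(.*\)$/\1/p' | head -n 1
}

# decide CERTNAME CHALLENGE EXPECTED: return 0 to sign, 1 to refuse.
decide() {
    certname=$1 challenge=$2 expected=$3
    # Refuse when the master-side secret is empty or the CSR carries none.
    [ -n "$expected" ] && [ -n "$challenge" ] || return 1
    [ "$challenge" = "$expected" ] || return 1
    # Exact match against the allow-list; no wildcard matching.
    for node in $ALLOWED_NODES; do
        [ "$certname" = "$node" ] && return 0
    done
    return 1
}

# Entry point when Puppet invokes the script (certname given as $1).
if [ "$#" -ge 1 ]; then
    expected=$(cat "$SECRET_FILE" 2>/dev/null)
    challenge=$(openssl req -noout -text 2>/dev/null | csr_challenge)
    decide "$1" "$challenge" "$expected"
    exit $?
fi
```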
The client needs to send a request to the server before the server can manage the client. This is actually a process of issuing certificates: when you run the Puppet client for the first time, an SSL certificate is generated and sent to the Puppet server. If the server agrees to manage the client, the certificate is issued. You can use the following command to issue the certificate; because we have set the server address on the client, we do not need to specify the server address.
[root@master ~]# puppet agent

To learn more about the registration process and daily troubleshooting, you can add parameters because the configuration file contains
--no-daemonize: output logs in the foreground.
--verbose: output more detailed logs.
--debug: even more detailed logs, used in troubleshooting.
--test: indicates a test run. You can use the --test parameter.
[root@node1 ~]# puppet agent --no-daemonize --onetime --verbose --debug

This applies for a certificate. Because I configured automatic certificate issuance, it was issued directly. Execute the following on the server:
[root@master ~]# puppet cert list --all

You can see that all clients have been issued certificates. A "+" sign marks a certificate that was issued successfully. If a request has not been signed, you can use:
[root@master ~]# puppet cert --sign node1.localdomain

The certificate has been issued.
