Deployment Management of Puppet on RHEL 6.1: Installation and Testing

Source: Internet
Author: User
Tags: ssl connection, puppet labs

Puppet is configuration management software designed to automate the management of data centers. It uses a client/server (C/S) architecture: the Puppet server (master) holds all of the configuration code for the managed machines, which Puppet calls manifests. After retrieving its configuration from the master, the client applies it to the machine it runs on: package management, user management, file management, and so on.

The Puppet workflow is as follows:

1. The client (puppetd) calls facter. facter collects host facts such as the host name, memory size, and IP address, and puppetd sends them to the server over an SSL connection;

2. The puppetmaster on the server identifies the client by its host name (its certificate name, which defaults to the FQDN), finds the matching node definition in the manifests, and parses only that part of the code; the facts sent by facter are available as variables. Parsing happens in stages: first a syntax check (a syntax error is returned to the client as an error), then compilation. The result is an intermediate representation, the catalog (the article calls it "pseudo code"), which is sent to the client;

3. The client receives and applies the catalog, then sends the result of the run to the server;

4. The server writes the client's run result to its log.

Two points in this process deserve attention. First, for security, the client and master communicate over SSL with certificates: only a client whose certificate has been signed by the master's CA can talk to the master, and the client in turn verifies the master's certificate against that same CA. Second, Puppet enforces the desired state continuously. For example, you can declare that a file must exist and that the SSH service must be running; if the file is deleted or the SSH service is stopped, Puppet re-creates the file or starts the service again on its next run (every 30 minutes by default).

Puppet is an automated system configuration tool developed by Puppet Labs in Ruby. It can run in client/server or standalone mode and supports configuration management for all UNIX and Unix-like systems; the latest version also offers limited management of Windows. Puppet covers the whole server life cycle: initial installation, configuration, updates, and decommissioning.

The typical Puppet architecture is a star: each client polls the server (every 30 minutes by default) and asks whether there are new changes to apply.

1. Operating environment and software

Running environment: RHEL 6.1 (firewall and SELinux disabled for this lab) + VirtualBox

// Disabling the firewall and SELinux keeps the lab simple. On a real host leave both on and open only what Puppet needs: TCP 8140 on the master, plus TCP 8139 on agents that run with listen = true.

Software: puppet-2.7.12.tar.gz

facter-1.6.6.tar.gz

Two servers are used: server.sxkeji.com, which gets the Puppet master (puppet-server) service, and client.sxkeji.com, which gets the Puppet client.

Puppet requires every machine to have a fully qualified domain name (FQDN). Edit /etc/hosts on both hosts and add each host name with its IP address. In production it is better to run internal DNS, so that the hosts file on every server does not have to be maintained by hand.

# vi /etc/hosts

# add the following lines:

10.1.1.78 server.sxkeji.com server

10.1.1.79 client.sxkeji.com client

 

Keep the clocks of the two hosts synchronized, for example with an NTP server (setting up NTP is outside the scope of this article). Certificate validity checks depend on the clock, so skew between client and master shows up as SSL verification errors (see the common errors at the end).

2. Puppet installation

Puppet is written in Ruby, so the Ruby environment must be installed on both the server and the client.

Ruby installation

# yum install ruby* -y

 

Install facter

# tar xf facter-1.6.6.tar.gz

# cd facter-1.6.6

# ruby install.rb

 

Puppet installation

# tar xf puppet-2.7.12.tar.gz

# cd puppet-2.7.12

# ruby install.rb

3. Puppet configuration

A. Server side

Copy the relevant configuration files from the unpacked tarball:

[root@server puppet-2.7.12]# cp conf/redhat/fileserver.conf /etc/puppet/

[root@server puppet-2.7.12]# cp conf/redhat/puppet.conf /etc/puppet/

[root@server puppet-2.7.12]# cp conf/redhat/server.init /etc/init.d/puppetmaster

[root@server puppet-2.7.12]# chmod 755 /etc/init.d/puppetmaster

[root@server puppet-2.7.12]# chkconfig --add puppetmaster

[root@server puppet-2.7.12]# chkconfig puppetmaster on

[root@server puppet-2.7.12]# mkdir /etc/puppet/manifests

 

# pwd

/etc/puppet

# ls

auth.conf fileserver.conf manifests puppet.conf

// auth.conf --> access control list for the master's REST endpoints: which clients may request what

// fileserver.conf --> access control list for the master's file server mounts; the allow lines here decide which hosts can fetch files from each mount, so do not use allow * on a mount that holds anything sensitive

// manifests --> main directory for Puppet code, which must contain at least site.pp

// puppet.conf --> Puppet server configuration file

#

 

Generate the puppet account:

[root@server puppet-2.7.12]# puppetmasterd --mkusers

 

Start:

# /etc/init.d/puppetmaster start

// The first time the master runs it creates its own CA and server certificate under /var/lib/puppet/ssl. That CA signs every client certificate, so back the directory up and protect its private key (ca_key.pem).

 

B. Client

Copy the relevant configuration files from the unpacked source package:

[root@client puppet-2.7.12]# cp conf/namespaceauth.conf /etc/puppet/

[root@client puppet-2.7.12]# cp conf/redhat/puppet.conf /etc/puppet/

[root@client puppet-2.7.12]# cp conf/redhat/client.init /etc/init.d/puppet

[root@client puppet-2.7.12]# chmod +x /etc/init.d/puppet

 

Modify the configuration file:

[root@client puppet-2.7.12]# vi /etc/puppet/puppet.conf

# change the [agent] section as follows:

[agent]

listen = true

server = server.sxkeji.com // the master's host name; use a name that appears on the master's certificate (its CN or one of its DNS alt names, visible later in the puppet cert list --all output), otherwise the client rejects the master's certificate

// listen = true makes the agent open TCP port 8139 so that the master can trigger runs with puppetrun; leave it out if you only rely on the 30-minute polling.

[root@client puppet-2.7.12]# vi /etc/puppet/namespaceauth.conf

# change the content as follows:

[fileserver]

allow *

[puppetmaster]

allow *

[puppetrunner]

allow *

[puppetbucket]

allow *

[puppetreports]

allow *

[resource]

allow *

[root@client puppet-2.7.12]#

// In Puppet 2.7 the agent refuses to start with listen = true unless this file exists. allow * in every section admits any host whose certificate the master CA signed; on a real network restrict at least puppetrunner to the master's FQDN (allow server.sxkeji.com), and restrict the /run path in the agent's auth.conf the same way.

 

Generate the puppet account:

[root@client puppet-2.7.12]# puppetmasterd --mkusers

[root@client puppet]# rm -rf /var/lib/puppet/ssl/*

// Delete the files under /var/lib/puppet/ssl on the client, otherwise an error may be reported. Do this only before the first request: once the master has signed a certificate for client.sxkeji.com, wiping this directory makes the client generate a new key, and the master will not accept the new request under the same name until the old certificate is removed there with puppetca --clean client.sxkeji.com.

 

Start:

# /etc/init.d/puppet start
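As an added example, not code from the original article or from Puppet itself, the following POSIX shell script writes the agent-side namespaceauth.conf shown above next to a restricted version that only admits the master (server.sxkeji.com, taken from this page) to the puppetrunner namespace, and lints both for sections that grant allow *. It writes to a scratch directory under /tmp rather than /etc/puppet; the section names are the ones from the file above.

```shell
#!/bin/sh
# Added example (not from the original article): the article's agent-side
# namespaceauth.conf opens every namespace with "allow *". This writes that
# version and a restricted one to a scratch directory and lints both.
# Assumptions: the master is server.sxkeji.com (from the page); the scratch
# directory below stands in for /etc/puppet and is never installed.

set -u

WORK="${TMPDIR:-/tmp}/puppet-nsauth.$$"
mkdir -p "$WORK"

# The article's version: any peer that completes the SSL handshake (that is,
# any holder of a certificate signed by the master CA) is allowed everywhere.
write_permissive_conf() {
    cat > "$1" <<'EOF'
[fileserver]
    allow *

[puppetmaster]
    allow *

[puppetrunner]
    allow *

[puppetbucket]
    allow *

[puppetreports]
    allow *

[resource]
    allow *
EOF
}

# Restricted version: only the master ($2) may use puppetrunner, the namespace
# behind puppetrun; an agent has no reason to serve the other namespaces.
write_restricted_conf() {
    cat > "$1" <<EOF
[puppetrunner]
    allow $2

[fileserver]
    deny *

[puppetmaster]
    deny *

[puppetbucket]
    deny *

[puppetreports]
    deny *

[resource]
    deny *
EOF
}

# Print every section that grants "allow *"; return 1 if any, 0 if none.
# Blank lines and comments are skipped; the current [section] is tracked.
lint_namespaceauth() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ { section = $0; gsub(/[^A-Za-z0-9_]/, "", section); next }
        $1 == "allow" && $2 == "*" { print "open namespace: " section; n++ }
        END { if (n) exit 1 }
    ' "$1"
}

write_permissive_conf "$WORK/namespaceauth.conf.page"
write_restricted_conf "$WORK/namespaceauth.conf.hardened" server.sxkeji.com

echo "== article version"
lint_namespaceauth "$WORK/namespaceauth.conf.page" || echo "REJECT: tighten before use"
echo "== restricted version"
lint_namespaceauth "$WORK/namespaceauth.conf.hardened" && echo "OK"
```

Run it with sh. The lint function is usable on its own (lint_namespaceauth /etc/puppet/namespaceauth.conf) and exits non-zero when a wildcard allow is present, which makes it cheap to wire into a pre-deployment check.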

 

 

4. Puppet communication

Client

[root@client puppet-2.7.12]# puppetd --test --server server

// The client sends its request to the server.

// The Puppet client talks to the server (master) over HTTPS. SSL authentication: the first time the client runs it generates a private key and a certificate signing request (CSR) and sends the request to the master; the master must sign it before the client can fetch a catalog.

info: Creating a new SSL key for client.sxkeji.com

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

info: Creating a new SSL certificate request for client.sxkeji.com

info: Certificate Request fingerprint (md5): 62:CD:A6:63:A7:8C:89:54:68:AF:95:12:59:16:D7:08

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

Exiting; no certificate found and waitforcert is disabled

[root@client puppet-2.7.12]#

// The "peer certificate won't be verified" warnings are expected only at this stage, while the client has no CA certificate yet; they must not keep appearing once the certificate has been signed. Note the fingerprint printed here: it is what you compare against the request listed on the master before signing it.

 

Server

[root@server ~]# puppetca --list // list the pending certificate requests on the server

client.sxkeji.com (05:BF:3C:9E:D8:72:13:24:1D:3F:4C:15:00:E7:FC:25)

[root@server ~]# puppetca -s client.sxkeji.com // sign the request

// After the master has received the client's request it must sign it before the client is granted access. Check the fingerprint in the --list output against the one the client printed before you sign; a request you cannot match to a host you set up should not be signed (puppetca --clean <host> removes its files).

// puppetca -s -a // sign every pending request, including any from hosts you did not expect, so prefer signing by name

// puppetca -s client.sxkeji.com // sign only this client

notice: Signed certificate request for client.sxkeji.com

notice: Removing file Puppet::SSL::CertificateRequest client.sxkeji.com at '/var/lib/puppet/ssl/ca/requests/client.sxkeji.com.pem'

[root@server ~]# puppet cert list --all

// Run puppet cert list --all to check that the client has been added. A leading + marks a signed certificate, and the master's own entry shows the DNS alt names a client may use in its server setting.

+ client.sxkeji.com (05:BF:3C:9E:D8:72:13:24:1D:3F:4C:15:00:E7:FC:25)

+ server.sxkeji.com (52:A3:37:85:33:4D:97:7B:1B:78:87:DE:4F:EB:1D:DE) (alt names: DNS:puppet, DNS:puppet.sxkeji.com, DNS:server.sxkeji.com)

[root@server ~]#
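The fingerprint comparison described above, as an added example (not the article's or Puppet's own code): a POSIX shell helper that reads puppetca --list output, looks up the pending request for a host, and prints the puppetca -s command only when the fingerprint matches the one the client printed. SAMPLE_LIST is a constructed stand-in for the command's output (the page's client plus a made-up rogue.sxkeji.com request), so the script runs without a master.

```shell
#!/bin/sh
# Added example, not from the original article. Before signing on the master,
# compare the fingerprint the client printed ("Certificate Request fingerprint
# (md5): ...") with the one "puppetca --list" shows for that host, and sign
# only on a match. SAMPLE_LIST is a constructed stand-in for the output of
# "puppetca --list"; in real use pipe the command's output into the function.
# Assumption: fingerprints are colon-separated hex as Puppet 2.7 prints them.

# Constructed sample: the page's client plus an unexpected pending request.
SAMPLE_LIST='client.sxkeji.com (05:BF:3C:9E:D8:72:13:24:1D:3F:4C:15:00:E7:FC:25)
rogue.sxkeji.com (AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA)'

# Normalise a fingerprint so that "62: cd: a6" and "62:CD:A6" compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Usage: pending_fingerprint HOST < puppetca_list_output
# Prints the fingerprint of HOST's pending request, or nothing if there is
# none. Already-signed entries (as in "--all" output) start with "+" and are
# therefore never matched.
pending_fingerprint() {
    awk -v h="$1" '
        $1 == h && match($0, /\([0-9A-Fa-f:]+\)/) {
            print substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# Usage: sign_if_match HOST EXPECTED_FP < puppetca_list_output
# Prints the puppetca command to run and returns 0 when the pending request
# for HOST carries EXPECTED_FP; returns 1 (with a reason on stderr) otherwise.
# It prints the command instead of running it so the decision can be reviewed.
sign_if_match() {
    host="$1"
    expected="$(norm_fp "$2")"
    actual="$(norm_fp "$(pending_fingerprint "$host")")"
    if [ -z "$actual" ]; then
        echo "no pending request for $host" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $host: client says $expected, master lists $actual" >&2
        return 1
    fi
    echo "puppetca -s $host"
}

# Demo run on the constructed sample. With a real master, replace the printf
# with: puppetca --list | sign_if_match client.sxkeji.com "$FP_FROM_CLIENT"
printf '%s\n' "$SAMPLE_LIST" | sign_if_match client.sxkeji.com \
    '05:bf:3c:9e:d8:72:13:24:1d:3f:4c:15:00:e7:fc:25'
printf '%s\n' "$SAMPLE_LIST" | sign_if_match client.sxkeji.com \
    '62:CD:A6:63:A7:8C:89:54:68:AF:95:12:59:16:D7:08' || echo "refused"
```

The helper deliberately never calls puppetca -s -a: the rogue.sxkeji.com entry in the sample is exactly the kind of request a blanket sign-all would accept without anyone looking at it.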

 

Client: send the request again with puppetd --test --server server.sxkeji.com

[root@client puppet]# puppetd --test --server server.sxkeji.com

notice: Ignoring --listen on onetime run

info: Caching catalog for client.sxkeji.com

info: Applying configuration version '20140901'

info: Creating state file /var/lib/puppet/state/state.yaml

notice: Finished catalog run in 0.25 seconds

[root@client puppet]#

 

After these steps the server and client communicate normally: the client now presents its signed certificate and verifies the master's against the CA, which is why the run above shows no unverified-peer warnings.

 

Common errors and solutions:

1.

notice: Ignoring --listen on onetime run

notice: Run of Puppet configuration client already in progress; skipping

Solution: A. Check with ps -e | grep puppet whether a puppet process is already running; if so, stop it and run again.

B. If no process exists, a stale lock file is left over; delete it with rm -f /var/lib/puppet/state/puppetdlock.

 

2.

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

Exiting; no certificate found and waitforcert is disabled

Solution: this is the normal result of the very first run: the client has submitted its request but the master has not signed it yet. Sign it on the master (puppetca -s client.sxkeji.com) and run the client again, or start the client with --waitforcert 60 so that it keeps polling until the certificate is issued. If the client still holds keys from an earlier attempt, move them aside (mv /var/lib/puppet/ssl /tmp/) and retry.

 

3.

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client

warning: Not using cache on failed catalog

err: Could not retrieve catalog; skipping run

err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client

Solution: keep the clocks of the two hosts synchronized (NTP). The same error appears when the client's copy of the CA certificate no longer matches the master, for example after the master's /var/lib/puppet/ssl was regenerated; in that case clear the client's /var/lib/puppet/ssl, clean the old certificate on the master, and request a new one.
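The three failure signatures above, turned into a small triage helper as an added example (not part of the original article): a POSIX shell function that scans puppet agent output and prints the matching remedy once per problem class. SAMPLE_AGENT_OUTPUT is constructed from the messages quoted on this page; the lock and ssl paths are the Puppet 2.7 defaults under /var/lib/puppet.

```shell
#!/bin/sh
# Added example, not from the original article: sort puppet agent output into
# the three failure modes listed above and print the remedy for each. The
# lines in SAMPLE_AGENT_OUTPUT are constructed from the messages quoted on the
# page; paths are the Puppet 2.7 defaults under /var/lib/puppet.

SAMPLE_AGENT_OUTPUT="notice: Ignoring --listen on onetime run
notice: Run of Puppet configuration client already in progress; skipping
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client"

# Usage: diagnose < agent_output
# Prints one "CODE: remedy" line per problem class, first occurrence only, in
# the order seen; prints "OK" when no known failure signature is present.
# Matching is case-insensitive because the page quotes the messages with
# mixed capitalisation.
diagnose() {
    awk '
        { line = tolower($0) }
        line ~ /already in progress; skipping/ && !seen["LOCK"]++ {
            print "LOCK: a run is already active; check ps -e | grep puppet, else remove the stale lock /var/lib/puppet/state/puppetdlock"; n++
        }
        line ~ /no certificate found and waitforcert is disabled/ && !seen["CSR"]++ {
            print "CSR: the request is unsigned; on the master run puppetca --list, compare the fingerprint, then puppetca -s <host>"; n++
        }
        line ~ /certificate verify failed/ && !seen["VERIFY"]++ {
            print "VERIFY: the master certificate did not verify; sync the clocks (ntpdate) and make sure the client ssl dir was issued by the current master CA"; n++
        }
        END { if (!n) print "OK" }
    '
}

# Demo: classify the constructed sample. On a real host use
#   puppetd --test --server server.sxkeji.com 2>&1 | tee run.log | diagnose
printf '%s\n' "$SAMPLE_AGENT_OUTPUT" | diagnose
```

Each class is reported once even when the signature repeats (the verify failure appears twice in the sample, once for the catalog and once for the report), so the output stays readable on a long agent log.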

 

 
