Puppet is a configuration management tool designed for automated management of data centers. It uses a client/server (C/S) architecture: the Puppet server stores all configuration code for the client servers, and in Puppet this code is called a manifest. After downloading the manifest, the client configures itself according to it, for example package management, user management and file management.
The workflow of Puppet is as follows:
1. The client daemon puppetd calls facter. facter collects host variables such as the host name, memory size and IP address, and puppetd sends this information to the server over an SSL connection;
2. The puppetmaster on the server checks the client host name, finds the corresponding node configuration in the manifest and parses that part. The information sent by facter is available as variables; only the code referenced by that node is parsed, other code is not. Parsing has several stages: first a syntax check (a syntax error is returned as an error; if the syntax is correct, parsing continues), then the parsed result is turned into intermediate "pseudo code", which is sent to the client;
3. The client receives and executes the pseudo code, then sends the execution result to the server;
4. The server writes the client's execution result to its log.
Two points in this process are worth noting. First, for security, the client and master communicate over SSL with certificates: only a client whose certificate has been signed by the master can talk to the master. Second, Puppet keeps the system in the desired state and keeps it there. For example, you can declare that a file must exist and that the SSH service must be running; if the file is deleted or the SSH service is stopped, Puppet re-creates the file or starts the SSH service at the next run (every 30 minutes by default).
Puppet is an automated system configuration tool developed by Puppet Labs and written in Ruby. It can run in C/S or standalone mode and supports configuration management for all Unix and Unix-like systems; the latest version also offers limited management of Windows. Puppet covers the whole server lifecycle: initial installation, configuration, updates and decommissioning.
The typical Puppet architecture is a star topology: by default each client polls the server every 30 minutes and asks whether there are new change instructions to apply.
1. Operating environment and software
Running environment: RHEL 6.1 (firewall and SELinux disabled) + VirtualBox
Software: puppet-2.7.12.tar.gz
          facter-1.6.6.tar.gz
Two servers are used: server.sxkeji.com, where the puppet server (puppetmaster) is installed, and client.sxkeji.com, where the puppet client is installed.
Puppet requires that every machine has a fully qualified domain name (FQDN). Edit /etc/hosts on both machines and add the host name that corresponds to each IP address. In production it is better to run an internal DNS server so that the hosts file does not have to be modified on every server.
# vi /etc/hosts
# add the following content:
10.1.1.78 server.sxkeji.com server
10.1.1.79 client.sxkeji.com client
Keep the clocks of the two hosts synchronized (for example with an NTP server; setting up NTP is not described here).
2. Puppet Installation
Puppet is written in Ruby, so the Ruby environment must be installed on both the server and the client.
Ruby Installation
Install facter
# tar xf facter-1.6.6.tar.gz
# cd facter-1.6.6
# ruby install.rb
Puppet Installation
# tar xf puppet-2.7.12.tar.gz
# cd puppet-2.7.12
# ruby install.rb
3. Puppet configurations
A. Server Side
Copy the corresponding configuration files from the extracted tarball:
[root@server puppet-2.7.12]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@server puppet-2.7.12]# cp conf/redhat/puppet.conf /etc/puppet/
[root@server puppet-2.7.12]# cp conf/redhat/server.init /etc/init.d/puppetmaster
[root@server puppet-2.7.12]# chmod 755 /etc/init.d/puppetmaster
[root@server puppet-2.7.12]# chkconfig --add puppetmaster
[root@server puppet-2.7.12]# chkconfig puppetmaster on
[root@server puppet-2.7.12]# mkdir /etc/puppet/manifests
# pwd
/etc/puppet
# ls
auth.conf  fileserver.conf  manifests  puppet.conf
# auth.conf        --> ACL configuration file controlling client access to the puppet server
# fileserver.conf  --> ACL configuration file for the puppet server acting as a file server
# manifests        --> main directory of puppet scripts; it must contain at least the site.pp file
# puppet.conf      --> puppet server configuration file
Generate a puppet account:
[root@server puppet-2.7.12]# puppetmasterd --mkusers
Start:
# /etc/init.d/puppetmaster start
B. Client
Copy the relevant configuration files from the extracted source package:
[root@client puppet-2.7.12]# cp conf/namespaceauth.conf /etc/puppet/
[root@client puppet-2.7.12]# cp conf/redhat/puppet.conf /etc/puppet/
[root@client puppet-2.7.12]# cp conf/redhat/client.init /etc/init.d/puppet
[root@client puppet-2.7.12]# chmod +x /etc/init.d/puppet
Modify the configuration file:
[root@client puppet-2.7.12]# vi /etc/puppet/puppet.conf
# modify the content as follows:
[agent]
    listen = true
    server = server        # host name of the puppet server
[root@client puppet-2.7.12]# vi /etc/puppet/namespaceauth.conf
# modify the content as follows:
[fileserver]
    allow *
[puppetmaster]
    allow *
[puppetrunner]
    allow *
[puppetbucket]
    allow *
[puppetreports]
    allow *
[resource]
    allow *
[root@client puppet-2.7.12]#
Generate a puppet account:
[root@client puppet-2.7.12]# puppetmasterd --mkusers
[root@client puppet]# rm -rf /var/lib/puppet/ssl/*
# delete the files in the client's /var/lib/puppet/ssl directory; otherwise an error may be reported
Start:
# /etc/init.d/puppet start
4. Puppet Communication
Client
[root@client puppet-2.7.12]# puppetd --test --server server
# the client sends a request to the server
# the puppet client talks to the server (master) over HTTPS. SSL authentication: the first time the
# puppet client runs, it generates an SSL key and a certificate request and sends the request to the puppet server
info: Creating a new SSL key for client.sxkeji.com
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client.sxkeji.com
info: Certificate Request fingerprint (md5): 62:CD:A6:63:A7:8C:89:54:68:AF:95:12:59:16:D7:08
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
[root@client puppet-2.7.12]#
Server
[root@server ~]# puppetca --list
# view the hosts that have sent a certificate request to the server
  client.sxkeji.com (05:BF:3C:9E:D8:72:13:24:1D:3F:4C:15:00:E7:FC:25)
[root@server ~]# puppetca -s -a
# accept the request: after the puppet server accepts the client certificate request it must sign it
# before the client is allowed access
#   puppetca -s -a                  sign all pending clients
#   puppetca -s client.sxkeji.com   sign only one client
notice: Signed certificate request for client.sxkeji.com
notice: Removing file Puppet::SSL::CertificateRequest client.sxkeji.com at '/var/lib/puppet/ssl/ca/requests/client.sxkeji.com.pem'
[root@server ~]# puppet cert list --all
# run puppet cert list --all to check that the client has been added
+ client.sxkeji.com (05:BF:3C:9E:D8:72:13:24:1D:3F:4C:15:00:E7:FC:25)
+ server.sxkeji.com (52:A3:37:85:33:4D:97:7B:1B:78:87:DE:4F:EB:1D:DE) (alt names: DNS:puppet, DNS:puppet.sxkeji.com, DNS:server.sxkeji.com)
[root@server ~]#
Client: resend the request with puppetd --test --server server
[root@client puppet]# puppetd --test --server server.sxkeji.com
notice: Ignoring --listen on onetime run
info: Caching catalog for client.sxkeji.com
info: Applying configuration version '20140901'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.25 seconds
[root@client puppet]#
After completing the preceding steps, the server and client can communicate normally.
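Before signing with puppetca -s, compare the fingerprint of the pending request with the one the agent printed in its "Certificate Request fingerprint" line, so that only the host that actually ran puppetd receives a certificate. The following POSIX shell script is an added example (not from this article or from the Puppet project) that parses a constructed puppet cert list --all listing in the format shown above; the listing, its host names and its fingerprints are sample values.

```shell
#!/bin/sh
# Added example, not part of the original article or of Puppet itself:
# check a pending certificate request's fingerprint against the one the agent
# printed ("Certificate Request fingerprint") before signing it with puppetca.
# Input is the output of "puppetca --list --all" / "puppet cert list --all" in
# the format shown on this page: signed entries start with "+", revoked ones
# with "-", pending requests have no prefix.

# Constructed sample listing modelled on the page's output (not a real capture).
SAMPLE_CERT_LIST='+ server.sxkeji.com (52:A3:37:85:33:4D:97:7B:1B:78:87:DE:4F:EB:1D:DE) (alt names: DNS:puppet, DNS:server.sxkeji.com)
  client.sxkeji.com (05:BF:3C:9E:D8:72:13:24:1D:3F:4C:15:00:E7:FC:25)
  unknown-host.sxkeji.com (AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99)
- old-client.sxkeji.com (11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00)'

# Print "hostname FINGERPRINT" for every request that is still unsigned.
pending_requests() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $1 != "+" && $1 != "-" {
            fp = $2
            gsub(/[()]/, "", fp)      # strip the parentheses around the hash
            print $1, toupper(fp)
        }'
}

# Number of unsigned requests in a listing.
count_pending() {
    pending_requests "$1" | awk 'END { print NR }'
}

# Succeed (exit 0) only if NAME has a pending request whose fingerprint equals
# EXPECTED, the value the operator read off the agent's own output. Case of
# the hex digits is ignored; a signed or revoked entry never matches.
# Usage: verify_pending NAME EXPECTED LISTING
verify_pending() {
    name="$1"
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    actual=$(pending_requests "$3" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Typical use on the master: sign only after the fingerprint matches.
# if verify_pending client.sxkeji.com "$FP_FROM_AGENT" "$(puppet cert list --all)"; then
#     puppetca -s client.sxkeji.com
# fi
```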
Common errors and solutions:
1. Notice: Ignoring --listen on onetime run
   Notice: Run of puppet configuration client already in progress; skipping
   Solution:
   a. Check whether a puppet process is running with ps -e | grep puppet. If one is, stop it and run puppet again.
   b. If no process exists, a stale puppetdlock file may remain. Delete it with rm -rf /var/puppet/state/puppetdlock.
2. Warning: Peer certificate won't be verified in this SSL session
   Warning: Peer certificate won't be verified in this SSL session
   Warning: Peer certificate won't be verified in this SSL session
   Exiting; no certificate found and waitforcert is disabled
   Solution: mv /var/lib/puppet/tmp/
3. err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
   warning: Not using cache on failed catalog
   err: Could not retrieve catalog; skipping run
   err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
   Solution: keep the clocks of the two hosts synchronized.