Installing Puppet on CentOS


Environment:

    OS:           CentOS 5.4 i386
    puppetmaster  192.168.0.12  hostname: puppetmaster.info.com
    client        192.168.0.64  hostname: client1.info.com


How a run works (the article's diagram is not reproduced here; these are the steps it illustrated):

1)  The agent collects facts about itself with facter and sends them to the master.
2)  It connects to the master and requests its catalog.
3)  The master looks up the node's definition.
4)  The master receives the node object (its class and parameter assignments).
5)  The master compiles the manifests (including syntax checking).
6)  The master checks whether any exported virtual resources are involved.
7)  If so, it fetches those virtual resources from the database (storeconfigs).
8)  The complete catalog is assembled.
9)  The catalog is stored in the database.
10) The agent receives the complete catalog and applies it.


1. Synchronize time and put it in crontab

TLS certificate validity is checked against the local clock, so agent and master must agree on the time. A daily ntpdate from cron is enough for this setup:

    15 1 * * * /usr/sbin/ntpdate pool.ntp.org; hwclock -w >/dev/null 2>&1


2. Set the hostname and record it in /etc/hosts

Puppet requires every machine to have a fully-qualified domain name (FQDN). If no DNS server provides one, set the hostname on both machines and add the names to /etc/hosts.
(Set the hostname before running Puppet for the first time: the hostname is embedded in the certificates Puppet generates, and agent and master need those certificates to communicate. Renaming a host afterwards means re-issuing its certificate.)

    192.168.0.12 puppetmaster.info.com
    192.168.0.64 client1.info.com
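The FQDN requirement is the most common source of certificate trouble later, so it is worth checking before Puppet ever runs. The shell script below is an added example and not part of the original article: it checks that a name is fully qualified and that the hosts file maps it to the address the other side will actually connect to. The sample hosts file is constructed here to mirror the environment above; on a real host you would pass /etc/hosts and the output of `hostname -f`. It assumes, as this setup does, that names are resolved from /etc/hosts rather than DNS.

```sh
#!/bin/sh
# Added example (not from the original article): pre-flight checks for the
# FQDN requirement. Puppet bakes the hostname into the node's certificate, so
# a bare or inconsistent hostname turns into a certificate the master rejects.

# is_fqdn NAME -> 0 if NAME is a fully-qualified hostname: at least two labels,
# RFC 1123 characters only, and not the loopback name.
is_fqdn() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # puppet lowercases certnames
    case "$name" in
        localhost|localhost.localdomain) return 1 ;;
    esac
    printf '%s\n' "$name" | grep -Eq \
        '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# hosts_lookup NAME HOSTS_FILE -> prints the address HOSTS_FILE maps NAME to
# (first match; comments stripped). Exits 1 if NAME is not listed.
hosts_lookup() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# check_node NAME HOSTS_FILE EXPECTED_IP -> 0 when NAME is a FQDN and the hosts
# file maps it to EXPECTED_IP, i.e. the address the other side will connect to.
check_node() {
    is_fqdn "$1" || { echo "FAIL: '$1' is not a fully-qualified hostname" >&2; return 1; }
    ip=$(hosts_lookup "$1" "$2") || { echo "FAIL: '$1' is missing from $2" >&2; return 1; }
    [ "$ip" = "$3" ] || { echo "FAIL: '$1' maps to $ip, expected $3" >&2; return 1; }
    echo "OK: $1 -> $ip"
}

# Constructed sample hosts file mirroring the article's environment.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1       localhost.localdomain localhost
192.168.0.12    puppetmaster.info.com puppetmaster   # master
192.168.0.64    client1.info.com client1
EOF

# On a real host, before the first puppet run:
#   check_node "$(hostname -f)" /etc/hosts 192.168.0.64
```

Run the check on both machines; a short name such as `client1` or a mapping to 127.0.0.1 fails it, and either would otherwise surface only later as a certificate or connection error.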



3. Install Ruby

    # yum install ruby ruby-libs ruby-rdoc -y
    # ruby --version
    ruby 1.8.5 (2006-08-25) [i386-linux]

I installed 1.8.5; do not install 1.8.7, Puppet does not support it yet. (I have not tried it myself; if you run into an unsupported-version problem, this is the place to look.)

4. Install facter

facter must be installed before Puppet.
facter is a system inventory tool. It collects data about the host (CPU, IP addresses and so on) and sends those values to the Puppet master, which can then use them as conditions to produce different configurations for different nodes.

Puppet downloads: http://downloads.puppetlabs.com/

    # wget http://downloads.puppetlabs.com/facter/facter-1.6.8.tar.gz
    # tar xzvf facter-1.6.8.tar.gz
    # cd facter-1.6.8
    # ruby install.rb

The download is over plain HTTP and install.rb runs as root, so verify the tarball against the checksum or signature published alongside it before installing.



5. Install Puppet

    # wget http://downloads.puppetlabs.com/puppet/puppet-2.7.14.tar.gz
    # tar xzvf puppet-2.7.14.tar.gz
    # cd puppet-2.7.14
    # ruby install.rb



6. Copy the configuration files

From the unpacked puppet-2.7.14 source directory:

    # cp conf/redhat/fileserver.conf /etc/puppet/
    # cp conf/redhat/puppet.conf /etc/puppet/
    # cp conf/redhat/server.init /etc/init.d/puppetmaster



7. Start puppetmaster at boot

    # ls -l /etc/init.d/puppetmaster
    -rwxr-xr-x 1 root root 3936 Sep 3 12:13 /etc/init.d/puppetmaster
    # chkconfig --add puppetmaster
    # chkconfig --level 35 puppetmaster on


8. Create the puppet account

    # puppetmasterd --mkusers

--mkusers creates the puppet user and group that the master drops privileges to, and the master then starts normally (which is why port 8140 is already listening in check 4 below).



1) Confirm the manifests directory was created

    # ls -l /etc/puppet/
    total 16
    -rw-r--r-- 1 root root 2552 Sep 3 12:11 auth.conf
    -rwxr-xr-x 1 root root  381 Sep 3 12:13 fileserver.conf
    drwxr-xr-x 2 root root 4096 Sep 3 12:17 manifests
    -rwxr-xr-x 1 root root  853 Sep 3 12:13 puppet.conf


2) Confirm the system created the puppet user

    # id puppet
    uid=1002(puppet) gid=1002(puppet) groups=1002(puppet)
    # grep puppet /etc/passwd
    puppet:x:1002:1002::/home/puppet:/bin/bash

The account was created with a login shell. Nothing in the master needs an interactive shell for it, so giving it /sbin/nologin is a reasonable hardening step.



3) Make sure /var/lib/puppet/rrd exists and is owned by puppet

    # ls -l /var/lib/puppet/
    total 36
    drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 bucket
    drwxr-xr-x 2 root   root   4096 Sep 3 12:17 facts
    drwxr-xr-x 2 root   root   4096 Sep 3 12:17 lib
    drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 reports
    drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 rrd
    drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 server_data
    drwxrwx--x 8 puppet root   4096 Sep 3 12:26 ssl
    drwxr-xr-t 2 root   root   4096 Sep 3 12:17 state
    drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 yaml

The ssl directory holds the CA's private key; keep the permissions as created and do not loosen them for convenience.


4) Check the port

    # netstat -tanlp | grep 8140
    tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 4556/ruby

The master listens on all interfaces, so the firewall rule in the next step is what limits who can reach it.

5) Open port 8140 in the firewall

    # vi /etc/sysconfig/iptables

Add:

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT

This rule accepts connections from any source. If agents only live on the local subnet, add a source match (for example -s 192.168.0.0/24) so the CA and file server are not exposed to the rest of the network. Save and restart the firewall:

    # service iptables restart


Client:

Install facter and puppet exactly as on the puppetmaster, but copy these files instead:

    # cp conf/redhat/client.init /etc/init.d/puppet
    # cp conf/redhat/puppet.conf /etc/puppet/
    # chkconfig --level 35 puppet on

Create the puppet user:

    # puppetd --mkusers
    Could not prepare for execution: Got 1 failure(s) while initializing: change from absent to present failed: Could not create user puppet: Execution of '/usr/sbin/useradd -g puppet -M puppet' returned 3: useradd: invalid numeric argument 'puppet'
    # groupadd puppet; useradd -g puppet -M puppet
    # service puppet start
    Starting puppet: [ OK ]

The --mkusers failure is useradd complaining that the group "puppet" does not exist yet (it falls back to reading the name as a numeric gid); creating the group first and then the user works around it.

Edit puppet.conf so the agent syncs every 10 seconds:

    # vi /etc/puppet/puppet.conf
    [agent]
    server = puppetmaster.info.com
    listen = true
    report = true
    runinterval = 10

Two caveats. runinterval = 10 is only sensible for a test setup; the default is 1800 seconds, and a fleet polling every 10 seconds will load the master. listen = true makes the agent open its own port (8139 by default) so the master can trigger runs with puppet kick; it is not needed for the pull model used here, and if you keep it, the agent's auth.conf and the firewall must restrict who may talk to it.

Restart the agent service:

    # service puppet restart


Test name resolution and connectivity to the puppetmaster port

    # telnet puppetmaster.info.com 8140
    Trying 192.168.0.12...
    Connected to puppetmaster.info.com (192.168.0.12).
    Escape character is '^]'.
    # puppetd --test --server puppetmaster.info.com
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for client1.info.com
    info: Certificate Request fingerprint (md5): 07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled

puppetd --test --server puppetmaster.info.com tells puppetd to fetch its configuration from puppetmaster.info.com. On first contact the two sides perform the SSL handshake; this is a new client whose certificate the server has not yet signed, so the request has to be approved on the server. The "peer certificate won't be verified" warnings are expected at this stage, because the agent does not yet hold a signed certificate of its own; they stop once it does. The CA certificate itself is fetched over this unverified connection and trusted from then on, so do the first run on a network you trust. Note the request fingerprint printed here: it is what you compare against on the master before signing.



The following approval step is performed on the server.

List the certificate requests awaiting approval:

    # puppetca -l
      client1.info.com (07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE)

The fingerprint should match the one the agent printed. If it does not, someone else submitted a request in this node's name, and it must not be signed.




Approve the request:

    # puppetca -s client1.info.com
    notice: Signed certificate request for client1.info.com
    notice: Removing file Puppet::SSL::CertificateRequest client1.info.com at '/var/lib/puppet/ssl/ca/requests/client1.info.com.pem'



List the signed certificates; the leading + marks a certificate as signed:

    # puppetca -a --list
    + client1.info.com (03:BE:50:AE:72:1A:39:79:17:F4:E5:74:FD:CC:BC:8C)
    + puppetmaster.info.com (97:34:BF:26:A6:0E:E9:9C:DB:76:D3:53:D0:56:60:83) (alt names: DNS:puppet, DNS:puppet.info.com, DNS:puppetmaster.info.com)

The fingerprint shown for client1.info.com is now that of the signed certificate, so it differs from the request fingerprint listed earlier.



To approve all pending requests at once:

    puppetca -s -a

Alternatively, adding this line to puppet.conf on the puppetmaster makes the server sign every request automatically:

    autosign = true

autosign = true is acceptable only in a throwaway lab. Anyone who can reach port 8140 can then obtain a certificate for any name they choose, including an existing node's, and retrieve that node's catalog along with whatever passwords or keys it carries. For anything else, either sign by hand after comparing fingerprints, or list the acceptable names or domain globs in /etc/puppet/autosign.conf, which narrows which names will be signed but still does not authenticate the requester.
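The manual procedure that autosign = true throws away is the fingerprint comparison: the agent prints "Certificate Request fingerprint (md5): ..." on its console, the operator reads that value back over a channel a network attacker does not control, and signs only if the pending request on the master carries the same fingerprint. The shell below is an added example and not code from the original article or from Puppet: pending_fingerprint parses the `puppetca --list` output in the format shown above, and sign_if_matches refuses to sign when no request is pending or the fingerprints differ. The listing at the end is constructed, not real CA state (the rogue entry and its fingerprint are invented), and `echo` stands in for `puppetca --sign` so the check can be exercised without a CA.

```sh
#!/bin/sh
# Added example (not from the original article or from Puppet): sign a pending
# CSR only after its fingerprint matches the one the agent printed locally,
# read back over an out-of-band channel (console, ticket, phone).

# pending_fingerprint HOST   (reads `puppetca --list [--all]` output on stdin)
#   Prints HOST's pending-request fingerprint, uppercase with colons. Lines
#   that `--all` prefixes with "+" are already signed and are ignored.
#   Exits 1 when HOST has no pending request.
pending_fingerprint() {
    awk -v host="$1" '
        $1 == host && $2 ~ /^[(][0-9A-Fa-f:]+[)]$/ {
            fp = $2; gsub(/[()]/, "", fp); print toupper(fp); found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# normalize_fp FP -> uppercase, colon-separated, so that "07c9d4..." and
# "07:C9:D4:..." compare equal however the operator transcribed it.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# sign_if_matches HOST EXPECTED_FP [SIGN_CMD]   (listing on stdin)
#   Returns 2 if HOST has no pending request, 1 on fingerprint mismatch, and
#   otherwise runs SIGN_CMD HOST (default: puppetca --sign).
sign_if_matches() {
    host=$1
    expected=$(normalize_fp "$2")
    sign_cmd=${3:-"puppetca --sign"}
    actual=$(pending_fingerprint "$host") || {
        echo "REFUSE: no pending request for $host" >&2; return 2; }
    if [ "$actual" != "$expected" ]; then
        echo "REFUSE: fingerprint mismatch for $host: CA sees $actual, agent reported $expected" >&2
        return 1
    fi
    echo "fingerprint verified for $host, signing" >&2
    $sign_cmd "$host"
}

# Constructed `puppetca --list --all` output for the check below (not real CA
# state): the article's client, an invented rogue request claiming another
# name, and the master's own already-signed certificate.
SAMPLE_LIST='  client1.info.com (07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE)
  rogue.info.com (DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF)
+ puppetmaster.info.com (97:34:BF:26:A6:0E:E9:9C:DB:76:D3:53:D0:56:60:83) (alt names: DNS:puppet)'

# Real use on the master, with the fingerprint read off the agent's console:
#   puppetca --list | sign_if_matches client1.info.com 07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE
```

The fingerprint Puppet 2.7 prints is an MD5 of the request, which is weak as a digest but still far better than no check at all: an attacker would have to produce a colliding CSR for the exact name, rather than simply submitting one and waiting for autosign to approve it.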


Back on the client, fetch the approved certificate from the server:

    # puppetd --test --server puppetmaster.info.com
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for client1.info.com
    info: Caching certificate_revocation_list for ca
    info: Caching catalog for client1.info.com
    info: Applying configuration version '1378188531'



Verify that the certificate is the same on both sides

Server:

    # md5sum /var/lib/puppet/ssl/ca/signed/client1.info.com.pem
    27a295f39a6b4a6c7ceb74c9c3a5084c /var/lib/puppet/ssl/ca/signed/client1.info.com.pem

Client:

    # md5sum /etc/puppet/ssl/certs/client1.info.com.pem
    27a295f39a6b4a6c7ceb74c9c3a5084c /etc/puppet/ssl/certs/client1.info.com.pem

If the certificate stops working because the hostname was changed, a new request is needed. Do these two steps:

Server:

    # rm /var/lib/puppet/ssl/ca/signed/client1.info.com.pem -rf

Client:

    # rm /etc/puppet/ssl/certs/ -rf

Two cautions. Deleting the signed .pem on the server only lets a new request for that name be signed; it does not revoke the old certificate, which stays valid until it expires, so prefer puppetca --clean client1.info.com, which revokes it and updates the CRL the agents download. On the client, removing only certs/ leaves the old private key and request behind; removing the whole ssl directory gives a clean re-enrolment with a fresh key.



Functional test

Server:
Create a .pp file to test with.
The first code Puppet executes is /etc/puppet/manifests/site.pp, so this file must exist, and all other code is reached through it.

    # vim /etc/puppet/manifests/site.pp
    node default {
        file { "/tmp/viong.txt":
            content => "good,test pass!\nHello World!\n",
        }
    }


This code makes every client that connects and falls through to the default node create /tmp/viong.txt in /tmp, with the content "good,test pass!", a newline, "Hello World!" and a newline.

After creating the .pp file for the first time, restart puppetmaster. (The master also re-reads changed manifests on its own within filetimeout, 15 seconds by default, but a restart is the unambiguous way to pick up a brand-new file.)

    # service puppetmaster restart
    Stopping puppetmaster: [ OK ]
    Starting puppetmaster: [ OK ]


Client:

    # puppetd --test --server puppetmaster.info.com
    info: Caching catalog for client1.info.com
    info: Applying configuration version '1378190404'
    notice: /Stage[main]//Node[default]/File[/tmp/viong.txt]/ensure: defined content as '{md5}4750aa5be82dae5db286a5859700dd51'
    notice: Finished catalog run in 0.03 seconds

If instead you get an error like this:

    # puppetd --test --server puppetmaster.info.com
    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Syntax error at end of file; expected '}' at /etc/puppet/manifests/site.pp:4 on node client1.info.com
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

the syntax of /etc/puppet/manifests/site.pp is probably wrong (an unbalanced brace, in this case). Running puppet parser validate /etc/puppet/manifests/site.pp on the master catches this before any agent does.



Check on the client:

    # ls -l /tmp/viong.txt
    -rw-r--r-- 1 root root 29 Sep 3 14:50 /tmp/viong.txt
    # cat /tmp/viong.txt
    good,test pass!
    Hello World!
