Puppet is an open-source, Ruby-based system configuration management tool built on a client/server (C/S) deployment architecture. Since version 2.7 it communicates over SSL (HTTPS).
I. Base environment
1. Roles, IPs, versions and kernels
host     IP           kernel         Debian  role                    packages
serverA  10.1.10.117  3.2.0-4-amd64  7.8     server (puppet-master)  facter dnsmasq hiera
clientB  10.1.10.185  3.2.0-4-amd64  7.8     client (puppet-agent)   facter hiera
Package versions used:
facter-2.4.4.tar.gz (20-May-2015 13:10, 245K)
puppet-3.8.2.tar.gz (06-Aug-2015 15:04, 2.5M)
ruby-1.9.3
hiera-1.3.4
2. Install the basic packages (serverA, clientB)
apt-get install wget tree lrzsz -y
3. Install the Ruby packages (serverA, clientB)
apt-get -y install ruby1.9.3 ruby-json
4. Install hiera (needed when installing puppet) (serverA, clientB)
1) Download
wget
2) Install
dpkg -i hiera_1.3.4-1_all.deb
Selecting previously unselected package hiera.
(Reading database ... 42125 files and directories currently installed.)
Unpacking hiera (from hiera_1.3.4-1_all.deb) ...
Setting up hiera (1.3.4-1) ...
Processing triggers for man-db ...
5. Make sure the server and client clocks agree (serverA, clientB)
ntpdate stdtime.gov.hk
13 Sep 14:55:29 ntpdate[2068]: adjust time server 118.143.17.82 offset 0.006169 sec
ntpdate stdtime.gov.hk
13 Sep 14:56:47 ntpdate[2621]: step time server 118.143.17.82 offset 12610.205803 sec
6. Set the hostname (serverA, clientB)
1) serverA
hostname puppetserver117.com
echo "puppetserver117.com" > /etc/hostname
2) clientB
hostname puppetclient185.com
echo "puppetclient185.com" > /etc/hostname
II. Install the DNS server
1. Install the dnsmasq package (serverA)
apt-get install dnsmasq -y
2. Configure (serverA)
1) Back up /etc/dnsmasq.conf
cp /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
2) Edit /etc/dnsmasq.conf
sed -i 's!#listen-address=.*!listen-address=10.1.10.117,127.0.0.1!g' /etc/dnsmasq.conf
echo "address=/puppetserver117.com/10.1.10.117" >> /etc/dnsmasq.conf
echo "address=/puppetclient185.com/10.1.10.185" >> /etc/dnsmasq.conf
3) Back up /etc/resolv.conf
cp /etc/resolv.conf /etc/resolv.conf.bak
4) Edit /etc/resolv.conf
echo "nameserver 10.1.10.117" > /etc/resolv.conf
echo "nameserver 114.114.114.114" >> /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
3. Restart the dnsmasq service (serverA)
/etc/init.d/dnsmasq restart
4. Check the port and process (serverA)
1) Check the process
ps -ef |grep dnsmasq
dnsmasq 11323 1 0 13:21 ? 00:00:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
2) Check the listening ports
netstat -tupnl |grep dnsmasq
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 2699/dnsmasq
tcp6 0 0 :::53 :::* LISTEN 2699/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 2699/dnsmasq
udp6 0 0 :::53 :::* 2699/dnsmasq
5. Enable start on boot (already added by default) (serverA)
ll /etc/rc2.d/ |grep dnsmasq
lrwxrwxrwx 1 root root 17 Sep 9 09:11 S02dnsmasq -> ../init.d/dnsmasq
6. Test (serverA)
ping -c 4 puppetserver117.com
PING puppetserver117.com (10.1.10.117) 56(84) bytes of data.
64 bytes from 10.1.10.117: icmp_req=1 ttl=64 time=0.027 ms
64 bytes from 10.1.10.117: icmp_req=2 ttl=64 time=0.036 ms
64 bytes from 10.1.10.117: icmp_req=3 ttl=64 time=0.037 ms
64 bytes from 10.1.10.117: icmp_req=4 ttl=64 time=0.036 ms
--- puppetserver117.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.027/0.034/0.037/0.004 ms
ping -c 4 puppetclient185.com
PING puppetclient185.com (10.1.10.185) 56(84) bytes of data.
64 bytes from 10.1.10.185: icmp_req=1 ttl=64 time=0.478 ms
64 bytes from 10.1.10.185: icmp_req=2 ttl=64 time=0.354 ms
64 bytes from 10.1.10.185: icmp_req=3 ttl=64 time=0.339 ms
64 bytes from 10.1.10.185: icmp_req=4 ttl=64 time=0.226 ms
--- puppetclient185.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.226/0.349/0.478/0.090 ms
7. Test (clientB)
1) Install host, nslookup and related commands
apt-get install dnsutils -y
2) Back up
cp /etc/resolv.conf /etc/resolv.conf.bak
3) Point the resolver at serverA
echo "nameserver 10.1.10.117" > /etc/resolv.conf
4) Test with nslookup
nslookup puppetserver117.com
Server: 10.1.10.117
Address: 10.1.10.117 #53
Name: puppetserver117.com
Address: 10.1.10.117
nslookup puppetclient185.com
Server: 10.1.10.117
Address: 10.1.10.117 #53
Name: puppetclient185.com
Address: 10.1.10.185
5) Test with host
host puppetserver117.com
puppetserver117.com has address 10.1.10.117
host puppetclient185.com
puppetclient185.com has address 10.1.10.185
6) Test with ping
ping -c 4 puppetserver117.com
PING puppetserver117.com (10.1.10.117) 56(84) bytes of data.
64 bytes from puppetserver117.com (10.1.10.117): icmp_req=1 ttl=64 time=0.686 ms
64 bytes from puppetserver117.com (10.1.10.117): icmp_req=2 ttl=64 time=0.291 ms
64 bytes from puppetserver117.com (10.1.10.117): icmp_req=3 ttl=64 time=0.349 ms
64 bytes from puppetserver117.com (10.1.10.117): icmp_req=4 ttl=64 time=0.351 ms
--- puppetserver117.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.291/0.419/0.686/0.156 ms
ping -c 4 puppetclient185.com
PING puppetclient185.com (10.1.10.185) 56(84) bytes of data.
64 bytes from 10.1.10.185: icmp_req=1 ttl=64 time=0.100 ms
64 bytes from 10.1.10.185: icmp_req=2 ttl=64 time=0.036 ms
64 bytes from 10.1.10.185: icmp_req=3 ttl=64 time=0.036 ms
64 bytes from 10.1.10.185: icmp_req=4 ttl=64 time=0.036 ms
--- puppetclient185.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.036/0.052/0.100/0.027 ms
III. Install the server (puppetmaster) and facter
1. Download the facter and puppet packages (serverA)
wget --no-check-certificate https://downloads.puppetlabs.com/facter/facter-2.4.4.tar.gz
wget --no-check-certificate https://downloads.puppetlabs.com/puppet/puppet-3.8.2.tar.gz
2. Extract and install from source (serverA)
1) tar zxvf facter-2.4.4.tar.gz && cd facter-2.4.4 && ruby install.rb
2) tar zxvf puppet-3.8.2.tar.gz && cd puppet-3.8.2 && ruby install.rb
3. Check that facter was installed correctly (serverA)
facter
architecture => amd64
bios_release_date => 05/20/2014
bios_vendor => Phoenix Technologies LTD
bios_version => 6.00
blockdevice_fd0_size => 0
blockdevice_sda_model => VMware Virtual S
blockdevice_sda_size => 42949672960
blockdevice_sda_vendor => VMware,
blockdevice_sr0_model => VMware IDE CDR10
blockdevice_sr0_size => 1073741312
blockdevice_sr0_vendor => NECVMWar
blockdevices => fd0,sda,sr0
boardmanufacturer => Intel Corporation
boardproductname => 440BX Desktop Reference Platform
boardserialnumber => None
domain => com
facterversion => 2.4.4
filesystems => ext4
fqdn => puppetserver117.com
gid => root
hardwareisa => unknown
hardwaremodel => x86_64
hostname => puppetserver117
id => root
interfaces => eth0,lo
ipaddress => 10.1.10.117
ipaddress_eth0 => 10.1.10.117
ipaddress_lo => 127.0.0.1
is_virtual => true
kernel => Linux
kernelmajversion => 3.2
kernelrelease => 3.2.0-4-amd64
kernelversion => 3.2.0
macaddress => 00:0c:29:c8:87:a1
macaddress_eth0 => 00:0c:29:c8:87:a1
manufacturer => VMware, Inc.
memoryfree => 156.01 MB
memoryfree_mb => 156.01
memorysize => 231.50 MB
memorysize_mb => 231.50
mtu_eth0 => 1500
mtu_lo => 16436
netmask => 255.255.255.0
netmask_eth0 => 255.255.255.0
netmask_lo => 255.0.0.0
network_eth0 => 10.1.10.0
network_lo => 127.0.0.0
operatingsystem => Debian
operatingsystemmajrelease => 7
operatingsystemrelease => 7.8
os => {"name"=>"Debian", "family"=>"Debian", "release"=>{"major"=>"7", "minor"=>"8", "full"=>"7.8"}}
osfamily => Debian
partitions => {"sda1"=>{"uuid"=>"62f9f2a1-249c-41fe-b639-c5137c10bf83", "size"=>"19529728", "filesystem"=>"ext4"}, "sda2"=>{"uuid"=>"61b1523a-55ad-416c-ab91-367d44015060", "size"=>"7813120", "filesystem"=>"swap"}, "sda3"=>{"size"=>"2"}, "sda5"=>{"uuid"=>"317612c3-4d18-4f0c-95e1-88476b99b698", "size"=>"56537088", "mount"=>"/opt", "filesystem"=>"ext4"}}
path => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
physicalprocessorcount => 1
processor0 => Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
processorcount => 1
processors => {"models"=>["Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz"], "count"=>1, "physicalcount"=>1}
productname => VMware Virtual Platform
ps => ps -ef
puppetversion => 3.8.2
rubyplatform => x86_64-linux
rubysitedir => /usr/local/lib/site_ruby/1.9.1
rubyversion => 1.9.3
selinux => false
serialnumber => VMware-56 4d a9 ca b9 e1 09 08-bd 90 b0 13 33 c8 87 a1
swapfree => 3.73 GB
swapfree_mb => 3814.81
swapsize => 3.73 GB
swapsize_mb => 3815.00
system_uptime => {"seconds"=>1403, "hours"=>0, "days"=>0, "uptime"=>"0:23 hours"}
timezone => CST
type => Other
uniqueid => 010a750a
uptime => 0:23 hours
uptime_days => 0
uptime_hours => 0
uptime_seconds => 1403
uuid => 564DA9CA-B9E1-0908-BD90-B01333C887A1
virtual => vmware
PS: seeing the output above means facter was installed successfully.
4. Find where puppet.conf was installed (serverA)
find / -name "*puppet.conf*"
/root/puppet-3.8.2/man/man5/puppet.conf.5
/root/puppet-3.8.2/examples/hiera/etc/puppet.conf
/root/puppet-3.8.2/ext/ips/puppet.conf
/root/puppet-3.8.2/ext/RedHat/puppet.conf
/root/puppet-3.8.2/ext/gentoo/puppet/puppet.conf
/root/puppet-3.8.2/ext/debian/puppet.conf
/usr/share/man/man5/puppet.conf.5.gz
5. Edit the configuration /etc/puppet/puppet.conf (serverA)
1) Copy the sample configuration into place
cp /root/puppet-3.8.2/ext/debian/puppet.conf /etc/puppet/puppet.conf
2) Edit the configuration
diff /root/puppet-3.8.2/ext/debian/puppet.conf /etc/puppet/puppet.conf
7c7
< templatedir=$confdir/templates
---
> pluginsync=false
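Review bot: the diff lists the sample first, so line 7 went from `templatedir=$confdir/templates` to `pluginsync=false`, and the post does not say why. `pluginsync=false` stops agents from fetching plugins (custom facts, types and providers) from the master's modules; that is harmless for the site.pp tests on this page, but it deserves a comment in the file, since the same change is repeated for the agent in section IV.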
6. Create the puppet user and group with the puppet command (useradd and groupadd work just as well) (serverA)
1) Create the puppet group
Notice: /Group[puppet]/ensure: created
group { 'puppet':
ensure => 'present',
}
2) Create the puppet user
puppet resource user puppet ensure=present gid=puppet shell='/bin/false'
Notice: /User[puppet]/ensure: created
user { 'puppet':
ensure => 'present',
gid => '1001',
shell => '/bin/false',
}
7. Copy the init script and adjust it (serverA)
1) Copy the script
cp /root/puppet-3.8.2/ext/debian/puppetmaster.init /etc/init.d/puppetmaster
2) Edit the script
diff /etc/init.d/puppetmaster /root/puppet-3.8.2/ext/debian/puppetmaster.init
15,16d14
< PORT=8140
< IP="10.1.10.117"
55c53
< --startas $DAEMON -- $NAME $DAEMON_OPTS --masterport=$PORT --bindaddress=$IP
---
> --startas $DAEMON -- $NAME $DAEMON_OPTS --masterport=$PORT
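Review bot: the arguments are reversed relative to step 5 (edited file first), so the `<` lines are the additions: `PORT=8140`, `IP="10.1.10.117"` and `--bindaddress=$IP`. Binding the master to 10.1.10.117 instead of every interface is the right choice and matches the netstat output in step 11 (10.1.10.117:8140); a one-line comment next to `IP=` saying the master is deliberately not listening on 0.0.0.0 would keep the next editor from dropping it.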
8. Make the script executable (serverA)
chmod +x /etc/init.d/puppetmaster
9. Create this file with the following content (the puppetmaster init script needs it; without it the script errors out and the service will not start) (serverA)
echo "START=yes" > /etc/default/puppetmaster
10. Start the puppetmaster service (serverA)
/etc/init.d/puppetmaster start
[ ok ] Starting puppet master.
11. Check the port and process (serverA)
1) Check the port
netstat -tupnl |grep 8140
tcp 0 0 10.1.10.117:8140 0.0.0.0:* LISTEN 11029/ruby1.9.1
2) Check the process
ps -ef |grep pupp
puppet 11029 1 0 09:10 ? 00:00:00 /usr/bin/ruby1.9.1 /usr/bin/puppet master --masterport=8140 --bindaddress=10.1.10.117
12. Enable start on boot (serverA)
update-rc.d puppetmaster defaults
update-rc.d: using dependency based boot sequencing
13. Verify the boot link (serverA)
ll /etc/rc2.d/ |grep pupp
lrwxrwxrwx 1 root root 22 Sep 14 10:04 S03puppetmaster -> ../init.d/puppetmaster
14. Look at where the local certificate material is stored (serverA)
tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       └── puppetserver117.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetserver117.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetserver117.com.pem
└── public_keys
    └── puppetserver117.com.pem

9 directories, 13 files
15. List the registered certificates (serverA)
puppet cert list --all
+ "puppetserver117.com" (SHA256) 5E:20:8B:A1:E2:6A:06:E5:13:DE:6F:E0:87:19:1E:F4:9A:AF:24:EF:D4:16:04:13:AB:AE:C7:B2:74:D7:87:4A (alt names: "DNS:puppet", "DNS:puppet.com", "DNS:puppetserver117.com")
PS: this shows that the master itself is already registered.
16. Related logs (serverA)
1) Look at the master's HTTP log
cat /var/log/puppet/masterhttp.log
[2015-09-15 09:10:30] INFO WEBrick 1.3.1
[2015-09-15 09:10:30] INFO ruby 1.9.3 (2012-04-20) [x86_64-linux]
[2015-09-15 09:10:30] INFO
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: puppetserver117.com
        Validity
            Not Before: Sep 14 01:10:30 2015 GMT
            Not After : Sep 13 01:10:30 2020 GMT
        Subject: CN=puppetserver117.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet.com, DNS:puppetserver117.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                24:77:9C:76:4F:4A:03:74:BA:6B:64:FC:F2:5E:B2:89:59:9B:8C:C3
            X509v3 Authority Key Identifier:
                keyid:9B:9D:4F:1D:A1:36:4F:4C:CB:37:A8:B3:9C:65:C7:D8:49:9E:AE:F2
    Signature Algorithm: sha256WithRSAEncryption
[2015-09-15 09:10:30] INFO WEBrick::HTTPServer#start: pid=11029 port=8140
2) Look at syslog (newest entries first)
tac /var/log/syslog |more
Sep 17 10:24:18 debian puppet-master[8123]: Starting Puppet master version 3.8.2
Sep 17 10:24:18 debian puppet-master[8123]: Reopening log files
Sep 17 10:24:17 debian puppet-master[8114]: Removing file Puppet::SSL::CertificateRequest puppetserver117.com at '/var/lib/puppet/ssl/certificate_requests/puppetserver117.com.pem'
Sep 17 10:24:17 debian puppet-master[8114]: Removing file Puppet::SSL::CertificateRequest puppetserver117.com at '/var/lib/puppet/ssl/ca/requests/puppetserver117.com.pem'
Sep 17 10:24:17 debian puppet-master[8114]: Signed certificate request for puppetserver117.com
Sep 17 10:24:17 debian puppet-master[8114]: puppetserver117.com has a waiting certificate request
Sep 17 10:24:16 debian puppet-master[8114]: Signed certificate request for ca
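Every certificate the CA signs shows up in syslog as a "Signed certificate request for" line like the ones above, so the log is the place to check that nobody enrolled a node you did not expect. The script below is an added example, not part of the original post: it extracts the signed certnames and flags any that are missing from an expected list. The sample lines are constructed from the excerpt above plus the later signing of puppetclient185.com and one made-up certname, unknown-host.example, that was never enrolled.

```shell
#!/bin/sh
# Added example (not from the original post). SYSLOG holds constructed sample
# lines modelled on the puppet-master entries shown on this page; the two later
# entries (puppetclient185.com, unknown-host.example) are made up for the demo.
# In practice: SYSLOG=$(grep 'puppet-master\[' /var/log/syslog)
SYSLOG='Sep 17 10:24:16 debian puppet-master[8114]: Signed certificate request for ca
Sep 17 10:24:17 debian puppet-master[8114]: puppetserver117.com has a waiting certificate request
Sep 17 10:24:17 debian puppet-master[8114]: Signed certificate request for puppetserver117.com
Sep 17 10:24:18 debian puppet-master[8123]: Starting Puppet master version 3.8.2
Sep 17 10:48:59 debian puppet-master[8123]: puppetclient185.com has a waiting certificate request
Sep 17 11:02:03 debian puppet-master[8123]: Signed certificate request for puppetclient185.com
Sep 17 11:05:41 debian puppet-master[8123]: Signed certificate request for unknown-host.example'

# signed_certnames
# Prints one certname per line for every "Signed certificate request for" event,
# leaving out "ca" (the CA signing its own certificate on first start).
signed_certnames() {
    printf '%s\n' "$SYSLOG" |
        sed -n 's/.*puppet-master\[[0-9]*\]: Signed certificate request for //p' |
        grep -v -x 'ca'
}

# unexpected_signings "name1 name2 ..."
# Prints every signed certname that is not in the space-separated expected list.
# An empty result means each signing corresponds to an enrolment you intended.
unexpected_signings() {
    for name in $(signed_certnames); do
        case " $1 " in
            *" $name "*) ;;          # expected enrolment, nothing to report
            *) echo "$name" ;;       # signed but never expected: investigate
        esac
    done
}

EXPECTED='puppetserver117.com puppetclient185.com'
if [ -n "$(unexpected_signings "$EXPECTED")" ]; then
    echo "unexpected certificate signings:" >&2
    unexpected_signings "$EXPECTED" >&2
else
    echo "all signed certificates are expected"
fi
```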
17. Finally, check the software versions
1)facter -v
2.4.4
2)ruby -v
ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-linux]
3)puppet -V
3.8.2
4)hiera -v
1.3.4
IV. Install the client (agent) and facter on clientB
1. Download the facter and puppet packages (clientB)
wget --no-check-certificate https://downloads.puppetlabs.com/facter/facter-2.4.4.tar.gz
wget --no-check-certificate https://downloads.puppetlabs.com/puppet/puppet-3.8.2.tar.gz
2. Extract and install from source (clientB)
1) tar zxvf facter-2.4.4.tar.gz && cd facter-2.4.4 && ruby install.rb
2) tar zxvf puppet-3.8.2.tar.gz && cd puppet-3.8.2 && ruby install.rb
3. Edit the configuration /etc/puppet/puppet.conf (clientB)
1) Copy the sample configuration into place
cp /root/puppet-3.8.2/ext/debian/puppet.conf /etc/puppet/puppet.conf
2) Edit the configuration
diff /root/puppet-3.8.2/ext/debian/puppet.conf /etc/puppet/puppet.conf
7c7
< templatedir=$confdir/templates
---
> pluginsync=false
4. The agent requests registration from the master (clientB)
puppet agent --server puppetserver117.com --verbose --test
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetclient185.com
Info: Certificate Request fingerprint (SHA256): 74:C3:18:26:D6:58:6F:B8:A7:AC:D9:FA:34:46:4B:70:3C:46:D5:80:31:A8:96:41:35:24:99:4C:91:23:D0:6A
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
5. The log shows that a certificate was requested from the server (clientB)
tac /var/log/syslog |more
Sep 17 10:48:59 debian puppet-agent[9504]: Caching certificate for ca
Sep 17 10:48:59 debian puppet-agent[9504]: Certificate Request fingerprint (SHA256): 74:C3:18:26:D6:58:6F:B8:A7:AC:D9:FA:34:46:4B:70:3C:46:D5:80:31:A8:96:41:35:24:99:4C:91:23:D0:6A
Sep 17 10:48:59 debian puppet-agent[9504]: Creating a new SSL certificate request for puppetclient185.com
Sep 17 10:48:59 debian puppet-agent[9504]: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Sep 17 10:48:59 debian puppet-agent[9504]: Caching certificate for ca
6. The certificate request is visible on the puppet master (serverA)
puppet cert list --all
"puppetclient185.com" (SHA256) 74:C3:18:26:D6:58:6F:B8:A7:AC:D9:FA:34:46:4B:70:3C:46:D5:80:31:A8:96:41:35:24:99:4C:91:23:D0:6A
+ "puppetserver117.com" (SHA256) B1:07:63:25:81:6E:CB:08:4E:92:34:7B:22:A8:DC:AB:11:56:33:4B:8A:85:14:8D:B4:8F:4A:D4:06:58:CA:CF (alt names: "DNS:puppet", "DNS:puppet.com", "DNS:puppetserver117.com")
7. Sign the certificate on the server (serverA). To sign every pending request at once, use puppet cert sign --all
puppet cert sign puppetclient185.com
Notice: Signed certificate request for puppetclient185.com
Notice: Removing file Puppet::SSL::CertificateRequest puppetclient185.com at '/var/lib/puppet/ssl/ca/requests/puppetclient185.com.pem'
8. List all registered certificates (serverA)
puppet cert list --all
+ "puppetclient185.com" (SHA256) 72:D1:CD:EB:22:DF:BF:DD:CD:01:56:4B:F4:E6:F3:AF:76:6C:63:D0:3F:4E:21:C9:A1:C2:22:C0:55:31:B8:C0
+ "puppetserver117.com" (SHA256) B1:07:63:25:81:6E:CB:08:4E:92:34:7B:22:A8:DC:AB:11:56:33:4B:8A:85:14:8D:B4:8F:4A:D4:06:58:CA:CF (alt names: "DNS:puppet", "DNS:puppet.com", "DNS:puppetserver117.com")
PS: this shows that the certificate for puppetclient185.com was signed successfully.
9. Confirm on the client (the agent pulls) (clientB)
puppet agent --server puppetserver117.com --verbose --test
Info: Caching certificate for puppetclient185.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for puppetclient185.com
Info: Caching catalog for puppetclient185.com
Info: Applying configuration version '1442458402'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.01 seconds
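Steps 4 to 7 above are where a rogue host could get a certificate: the master signs whatever request is pending under that certname. Before running puppet cert sign in step 7, compare the fingerprint the master shows for the pending request (step 6) with the one the agent itself printed in step 4, and sign only when they agree. The script below is an added example, not part of the original post; it embeds the two outputs from this page as constructed sample strings (in practice CERT_LIST would be filled from `puppet cert list --all`).

```shell
#!/bin/sh
# Added example (not from the original post). CERT_LIST is a constructed copy of
# the `puppet cert list --all` output from step 6; pending requests have no
# leading "+", signed certificates do.
# In practice: CERT_LIST=$(puppet cert list --all)
CERT_LIST='  "puppetclient185.com" (SHA256) 74:C3:18:26:D6:58:6F:B8:A7:AC:D9:FA:34:46:4B:70:3C:46:D5:80:31:A8:96:41:35:24:99:4C:91:23:D0:6A
+ "puppetserver117.com" (SHA256) B1:07:63:25:81:6E:CB:08:4E:92:34:7B:22:A8:DC:AB:11:56:33:4B:8A:85:14:8D:B4:8F:4A:D4:06:58:CA:CF (alt names: "DNS:puppet", "DNS:puppet.com", "DNS:puppetserver117.com")'

# Fingerprint the agent printed on its own console in step 4
# ("Certificate Request fingerprint (SHA256): ..."), obtained out of band.
AGENT_FP='74:C3:18:26:D6:58:6F:B8:A7:AC:D9:FA:34:46:4B:70:3C:46:D5:80:31:A8:96:41:35:24:99:4C:91:23:D0:6A'

# pending_fingerprint CERTNAME
# Prints the SHA256 fingerprint of the unsigned request for CERTNAME (lines
# without a leading "+"); prints nothing when no request is pending.
pending_fingerprint() {
    printf '%s\n' "$CERT_LIST" |
        grep -v '^[+]' |
        grep -F "\"$1\"" |
        sed -n 's/.*(SHA256) \([0-9A-F:]*\).*/\1/p'
}

# verify_csr CERTNAME AGENT_FINGERPRINT
# Returns 0 only when a request for CERTNAME is pending and its fingerprint is
# exactly the one the agent reported; returns 1 on mismatch or nothing pending.
verify_csr() {
    fp=$(pending_fingerprint "$1")
    [ -n "$fp" ] && [ "$fp" = "$2" ]
}

if verify_csr puppetclient185.com "$AGENT_FP"; then
    echo "fingerprint matches; safe to run: puppet cert sign puppetclient185.com"
else
    echo "fingerprint mismatch or no pending request for puppetclient185.com; do not sign" >&2
fi
```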
10. Test (file sync): the agent pulls
1) First create the manifests directory (serverA)
mkdir -p /etc/puppet/manifests
2) Create the site manifest (serverA)
cat /etc/puppet/manifests/site.pp
node default {
    file {
        "/tmp/helloworld.txt":
            content => "hello, world\n";
    }
}
3) Force an agent run (clientB)
puppet agent --server puppetserver117.com --verbose --test
Info: Caching catalog for puppetclient185.com
Info: Applying configuration version '1442477637'
Notice: /Stage[main]/Main/Node[default]/File[/tmp/helloworld.txt]/ensure: defined content as '{md5}22c3683b094136c3398391ae71b20f04'
Notice: Finished catalog run in 0.03 seconds
4) The file has arrived on the client, with the content written on the server
ll /tmp/helloworld.txt
-rw-r--r-- 1 root root 13 Sep 17 16:13 /tmp/helloworld.txt
cat /tmp/helloworld.txt
hello, world
11. Test (file sync): push with puppet kick
1) Create the file content to sync (clientB)
cat /etc/puppet/manifests/site.pp
node default {
    file {
        "/tmp/helloworld.txt":
            content => "hello\n";
    }
}
2) Append one line to /etc/puppet/auth.conf (clientB)
echo 'allow *' >> /etc/puppet/auth.conf
3) Create the namespaceauth.conf file with the following content (clientB)
cat /etc/puppet/namespaceauth.conf
[fileserver]
allow *
[puppetmaster]
allow *
[puppetrunner]
allow *
[puppetbucket]
allow *
[puppetreports]
allow *
[resource]
allow *
4) Edit /etc/puppet/puppet.conf (clientB)
Back it up first
cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.bak
diff /etc/puppet/puppet.conf /etc/puppet/puppet.conf.bak
8,9d7
< listen=true
< runinterval=86400
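Review bot: this diff is also reversed (backup second), so `listen=true` and `runinterval=86400` are the lines added. `listen=true` makes the agent open port 8139 (step 7 below), and requests to that port are authorised by the auth.conf that step 2 ended with a bare `allow *`, so any host holding a certificate signed by this CA can trigger runs on this agent. Appending `allow puppetserver117.com` instead keeps kick working from the master while closing that path; worth doing even though puppet kick is deprecated, as the warning in step 8 shows.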
5) Start the puppet agent (clientB)
puppet agent --server puppetserver117.com --bindaddress=10.1.10.185
6) Check the process (clientB)
ps -ef |grep pupp
root 11110 1 0 16:39 ? 00:00:00 /usr/bin/ruby1.9.1 /usr/bin/puppet agent --server puppetserver117.com --bindaddress=10.1.10.185
7) Check the port (clientB)
netstat -tupnl |grep 8139
tcp 0 0 10.1.10.185:8139 0.0.0.0:* LISTEN 11763/ruby1.9.1
8) Push the file with the puppet kick command (serverA)
puppet kick -p 1 --host puppetclient185.com
Warning: Puppet kick is deprecated. See
Warning: Failed to load ruby LDAP library. LDAP functionality will not be available
Triggering puppetclient185.com
Getting status
status is success
puppetclient185.com finished with exit code 0
Finished
9) Check the file and its content (clientB)
cat /tmp/helloworld.txt
hello