Server IP:192.168.72.10/24 hostname:puppet-server
Client IP:192.168.72.111/24 hostname:puppet-client-01
Client IP:192.168.72.168/24 hostname:puppet-client-02
Disable SELinux
1. Configure the IP addresses and hostnames on the server and clients, and make sure they can ping each other by hostname
2. Install the required environment on the server and clients
[root@puppet]# yum install ruby* -y
Note: for a minimal install, only the following 4 packages are needed
[root@puppet]# yum install ruby-libs ruby ruby-irb ruby-rdoc -y
3. Synchronise the time on the server and clients
[root@puppet]# ntpdate time.nist.gov
Note: if ntpdate is not present, it can be installed with yum
[root@puppet]# yum install ntpdate -y
4. Install facter and the main puppet program on the server and clients
5. Download and install facter
[root@puppet]# wget
[root@puppet]# tar -zxvf facter-latest.tgz
[root@puppet]# cd facter-1.6.6
[root@puppet facter-1.6.6]# ruby install.rb
6. Download and install puppet
[root@puppet]# wget
[root@puppet]# tar -zxvf puppet-2.6.14.tar.gz
[root@puppet srv]# cd puppet-2.6.14
[root@puppet puppet-2.6.14]# ruby install.rb
7. Edit the hosts file
Server side
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 puppet-server
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.72.111 puppet-client-01
Client side
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 puppet-client-01
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.72.10 puppet-server
8. Server-side configuration
Copy the source files
[root@puppet-server puppet-2.6.14]# mkdir /etc/puppet
[root@puppet-server puppet-2.6.14]# cp conf/auth.conf /etc/puppet/
[root@puppet-server puppet-2.6.14]# cp conf/RedHat/fileserver.conf /etc/puppet/
[root@puppet-server puppet-2.6.14]# cp conf/redhat/puppet.conf /etc/puppet/
[root@puppet-server puppet-2.6.14]# cp conf/redhat/server.init /etc/init.d/puppetmaster
[root@puppet-server puppet-2.6.14]# chmod +x /etc/init.d/puppetmaster
[root@puppet-server puppet-2.6.14]# chkconfig --add puppetmaster
[root@puppet-server puppet-2.6.14]# chkconfig puppetmaster on
[root@puppet-server puppet-2.6.14]# chkconfig --list puppetmaster
puppetmaster 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@puppet-server puppet-2.6.14]# mkdir -p /etc/puppet/manifests
Create the puppet account
[root@puppet-server puppet-2.6.14]# puppetmasterd --mkusers (this creates the needed directories under /var/lib/puppet)
Start the service
[root@puppet-server puppet-2.6.14]# /etc/init.d/puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
9. Client-side configuration
[root@puppet-client-01 puppet-2.6.14]# mkdir /etc/puppet/
[root@puppet-client-01 puppet-2.6.14]# cp conf/auth.conf /etc/puppet/
[root@puppet-client-01 puppet-2.6.14]# cp conf/namespaceauth.conf /etc/puppet/
[root@puppet-client-01 puppet-2.6.14]# cp conf/redhat/puppet.conf /etc/puppet/
[root@puppet-client-01 puppet-2.6.14]# cp conf/redhat/client.init /etc/init.d/puppet
[root@puppet-client-01 puppet-2.6.14]# chmod +x /etc/init.d/puppet
[root@puppet-client-01 puppet-2.6.14]# chkconfig --add puppet
[root@puppet-client-01 puppet-2.6.14]# chkconfig puppet on
[root@puppet-client-01 puppet-2.6.14]# vim /etc/puppet/namespaceauth.conf
......
[fileserver]
allow *
[puppetmaster]
allow *
[puppetrunner]
allow *
[puppetbucket]
allow *
[puppetreports]
allow *
[resource]
allow *
......
Create the puppet account and the rra directory
[root@puppet-client-01 puppet-2.6.14]# puppetd --mkusers
Note: if this errors out, the user can be created manually.
Restart the service
[root@puppet-client-01 puppet]# /etc/init.d/puppet restart
10. Server-side firewall configuration
[root@puppet-server ~]# iptables -A INPUT -p tcp --dport 8140 -j ACCEPT
[root@puppet-server ~]# /etc/init.d/iptables save
11. Client-side firewall configuration
[root@puppet-client-01 ~]# iptables -A INPUT -p tcp --dport 8139 -j ACCEPT
[root@puppet-client-01 ~]# /etc/init.d/iptables save
12. Edit the server-side configuration file to set the allowed addresses
[root@puppet-server ~]# vim /etc/puppet/fileserver.conf
......
[files]
path /tmp/srv/
allow 192.168.72.0/24
......
Manual certificate signing
1. The client sends a request
[root@puppet-client-01 ~]# puppetd --test --server puppet-server
2. Check on the server
[root@puppet-server ~]# puppetca -l
puppet-client-01 (4B:58:77:C0:52:22:DD:1E:A4:A8:B8:5E:4F:9C:71:25)
3. Sign the certificate request on the server
[root@puppet-server ~]# puppetca -s -a (signs the requests of all clients)
notice: Signed certificate request for puppet-client-01
notice: Removing file Puppet::SSL::CertificateRequest puppet-client-01 at '/var/lib/puppet/ssl/ca/requests/puppet-client-01.pem'
Note: [root@puppet-server ~]# puppetca -s $hostname (signs a single host)
Automatic signing
1. Server side
[root@puppet-server ~]# vim /etc/puppet/puppet.conf
......
[main]
autosign = true
......
2. Client side
[root@puppet-client-01 puppet-2.6.14]# vim /etc/puppet/puppet.conf
[agent]
......
listen = true #enable listening on the client for the server's puppetrun command
server = puppet-server #specify the server
puppetport = 8139 #client listening port; 8139 is the default, so this can be omitted
runinterval = 60 #sync interval, default 1800s
......
3. [root@puppet-client-01 puppet-2.6.14]# puppetd
#Running puppetd on the client puts it in the background; from then on the client syncs the server's site.pp configuration every 60s
Functional test:
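The namespaceauth.conf fragment in step 9 and the autosign/listen settings of the automatic-signing section are the parts of this setup that widen trust the most. The following audit script is an added example (not part of the original post) that reads constructed copies of those fragments and counts the trust-widening lines, so the same check can be run against /etc/puppet on a real host before the service is exposed; file contents and helper names are assumptions.

```shell
# Added audit helper for the config fragments in this walkthrough (not the post's own code).
# Flags trust-widening settings: autosign = true in [main], listen = true in [agent],
# and unrestricted "allow *" lines. Findings go to stderr, the count to stdout.
# Constructed sample files mirroring the fragments above (not taken from a live host).
SAMPLE_PUPPET_CONF=$(mktemp)
cat > "$SAMPLE_PUPPET_CONF" <<'EOF'
[main]
autosign = true
[agent]
listen = true          # accept puppetrun on 8139
server = puppet-server
runinterval = 60
EOF
SAMPLE_NAMESPACEAUTH=$(mktemp)
printf '[fileserver]\nallow *\n[puppetmaster]\nallow *\n[puppetrunner]\nallow *\n' > "$SAMPLE_NAMESPACEAUTH"

# Normalise one INI line: drop comments and surrounding whitespace.
strip_line() { printf '%s' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//'; }

# audit_puppet_conf FILE: section-aware count of risky key/value pairs.
audit_puppet_conf() {
  section="" count=0
  while IFS= read -r raw || [ -n "$raw" ]; do
    line=$(strip_line "$raw")
    case "$line" in
      "") ;;
      \[*\]) section=$(printf '%s' "$line" | tr -d '[]') ;;
      *=*)
        key=$(strip_line "${line%%=*}"); val=$(strip_line "${line#*=}")
        if [ "$section/$key/$val" = "main/autosign/true" ]; then
          echo "WARN: [main] autosign = true signs every CSR without review" >&2
          count=$((count + 1))
        elif [ "$section/$key/$val" = "agent/listen/true" ]; then
          echo "WARN: [agent] listen = true exposes the agent on port 8139" >&2
          count=$((count + 1))
        fi ;;
    esac
  done < "$1"
  echo "$count"
}

# count_wildcard_allows FILE: "allow *" entries in namespaceauth.conf or fileserver.conf.
count_wildcard_allows() {
  count=0
  while IFS= read -r raw || [ -n "$raw" ]; do
    if [ "$(strip_line "$raw")" = "allow *" ]; then count=$((count + 1)); fi
  done < "$1"
  echo "$count"
}
audit_puppet_conf "$SAMPLE_PUPPET_CONF"; count_wildcard_allows "$SAMPLE_NAMESPACEAUTH"
```

Point the two functions at /etc/puppet/puppet.conf and /etc/puppet/namespaceauth.conf on a host to get the same counts for the live configuration.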