Server side: CentOS6, ip: 192.168.1.225
Client side: CentOS5, ip: 192.168.1.193
1. On the server side (running CentOS6)
[root@ethnicity ~]# wget Fedora.RedHat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
[root@ethnicity ~]# rpm -Uvh epel-release-6-5.noarch.rpm
[root@server ~]# echo $HOSTNAME
server.puppet
[root@server ~]# yum install ruby rubygems rubygem-rails rubygem-sqlite3-ruby ruby-devel ruby-mysql
[root@server ~]# yum install mysql-server // install the puppet server-side software
[root@server ~]# yum -y install puppet-server puppet
[root@server ~]# cd /etc/puppet/
[root@server puppet]# vi site.pp // define the resources to control
node default {
  file { "/tmp/puppettest1.txt":
    content => "hello,first puppet manifest";
  }
}
[root@server puppet]# mv site.pp manifests/ // put the managed resource manifest in place
[root@server ~]# vim /etc/hosts // hosts entries
192.168.1.225 server.puppet server # Added by NetworkManager
192.168.1.193 client.puppet client
[root@server puppet]# service puppetmaster start
[root@server ~]# /usr/sbin/ntpdate time.nist.gov // synchronize time with the client
7 Dec 16:51:06 ntpdate[3424]: step time server 192.43.244.18 offset 1775852.670622 sec
[root@server ~]# cd /tmp/
[root@server tmp]# cat puppettest1.txt // check the test file; at this point it exists only on the server side
hello,first puppet manifest
[root@server ~]# /etc/init.d/puppet start
Server-side setup is complete.
2. Client-side setup (running CentOS5)
[root@client ~]# wget
[root@client ~]# rpm -Uvh epel-release-5-4.noarch.rpm
[root@client ~]# echo $HOSTNAME
client.puppet
[root@client ~]# vim /etc/hosts
192.168.1.225 server.puppet server
192.168.1.193 client.puppet client
[root@client ~]# yum -y install puppet
[root@client tmp]# /usr/sbin/ntpdate time.nist.gov
7 Dec 16:51:48 ntpdate[3505]: step time server 192.43.244.18 offset 4569976.891801 sec
[root@client ~]# /etc/init.d/puppet start
3. The procedure (tell client and server apart by the hostname in the prompt)
(1) First, the client's certificate signing request
[root@client ~]# puppetd --test --server server.puppet
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client.puppet
info: Certificate Request fingerprint (md5): 32:E8:31:70:7A:B5:9E:2B:B9:B9:A0:9F:A1:92:E7:7A
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
(2) Server-side inspection and signing
[root@server ~]# puppetca -l
client.puppet (32:E8:31:70:7A:B5:9E:2B:B9:B9:A0:9F:A1:92:E7:7A)
[root@server ~]# puppetca -s client.puppet
notice: Signed certificate request for client.puppet
notice: Removing file Puppet::SSL::CertificateRequest client.puppet at '/var/lib/puppet/ssl/ca/requests/client.puppet.pem'
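Added example (not code from the original post): a small POSIX shell helper for the signing step above. It takes the fingerprint the client printed when it created its request (the md5 value on the client console) and signs with `puppetca -s` only when `puppetca -l` on the server shows the same fingerprint for that node name, so a host that merely claims the name client.puppet does not get a certificate. The function names and the sample listing are constructed for this example; the expected fingerprint must come from the client itself, not from the server.

```shell
#!/bin/sh
# Constructed sample of `puppetca -l` output, using the fingerprint shown on the page
# for client.puppet plus a second pending request.
SAMPLE_LISTING='client.puppet (32:E8:31:70:7A:B5:9E:2B:B9:B9:A0:9F:A1:92:E7:7A)
other.puppet (AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99)'

# Print the fingerprint listed for NODE in `puppetca -l` output read from stdin
# (format: "client.puppet (XX:XX:...)"), upper-cased; prints nothing if absent.
csr_fingerprint() {
    node="$1"
    awk -v n="$node" '$1 == n { gsub(/[()]/, "", $2); print toupper($2); exit }'
}

# Succeed only if the listing on stdin shows NODE with exactly EXPECTED
# (case-insensitive). A missing node or a different fingerprint both fail.
fingerprint_matches() {
    node="$1"
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    found=$(csr_fingerprint "$node")
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Sign NODE's request only after the fingerprint check passes; otherwise leave
# the request pending so an administrator can look at it.
verify_and_sign() {
    node="$1"; expected="$2"
    if puppetca -l | fingerprint_matches "$node" "$expected"; then
        puppetca -s "$node"
    else
        echo "no pending request for $node with fingerprint $expected; not signing" >&2
        return 1
    fi
}

# Offline check against the constructed listing: returns 0 on a match.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | fingerprint_matches "$1" "$2"
}
```

In real use, run `verify_and_sign client.puppet 32:E8:31:70:7A:B5:9E:2B:B9:B9:A0:9F:A1:92:E7:7A` on the server, copying the fingerprint from the client's "Certificate Request fingerprint" line.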
(3) The client's resource request
[root@client ~]# cd /tmp/
[root@client tmp]# puppetd --test --server server.puppet
info: Caching catalog for client.puppet
info: Applying configuration version '1323248041'
notice: /Stage[main]//Node[default]/File[/tmp/puppettest1.txt]/ensure: defined content as '{md5}886609dedc5c8a0c58f3aa8d566175cc'
notice: Finished catalog run in 0.08 seconds
[root@client tmp]# ls // the file has now been generated (created) according to the configuration
gconfd-root mapping-root puppettest1.txt scim-panel-socket:0-root
[root@client ~]# cat /tmp/puppettest1.txt // identical to the one on the server side
hello,first puppet manifest
That completes a successful run.
Problems encountered during the experiment:
Problem 1:
[root@client ~]# puppetd --test --server server.puppet
info: Creating a new SSL key for client.puppet
err: Could not request certificate: No route to host - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
Solution: stop iptables and flush its rules, and also disable SELinux.
Problem 2:
[root@client ~]# puppetd --test --server server.puppet
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client.puppet
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
Cause: the client and server clocks are not synchronized. Solution: run /usr/sbin/ntpdate time.nist.gov on both the client and the server.
Problem 3:
err: Could not request certificate: Connection refused - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
Solution: set up the hosts file as in the example above, and make sure puppetmaster is running (service puppetmaster start).
Problem 4:
err: Could not call puppetca.getcert: #<Errno::ENETENREACH: Network is unreachable --connect(2)>
err: Could not request certificate: Certificate retrieval failed: Network is unreachable --connect(2)
Solution: configure the host information and install puppet in the correct order.
First configure the host entries and make sure both sides can reach each other with ping XXXXXX (hostname).
Then configure puppetmaster on the server side, and finally configure puppet on the client side.