Preparation
HOSTNAME           IP
master.puppet.com  10.200.37.177
agent.puppet.com   10.200.37.178
Hostname setup reference: http://blog.csdn.net/zachaway/article/details/18259495
The hosts file also needs to be changed; note that the hosts entries must match the hostnames.
Add the following two lines on both the master and the agent.
vim /etc/hosts
10.200.37.177 master.puppet.com puppetmaster
10.200.37.178 agent.puppet.com puppetagent
I. Installing Puppet
Puppet can be installed from source, via yum, or via ruby gem. The official site recommends installing with yum, which makes later upgrades, management and maintenance easier. CentOS can use yum, but the default CentOS repositories do not contain the puppet package, so the EPEL repository must be installed first. EPEL (Extra Packages for Enterprise Linux) is a high-quality add-on package project created, maintained and managed by a special interest group for Red Hat Enterprise Linux (RHEL) and its derivatives (such as CentOS and Scientific Linux).
1. Installing the master
yum -y install ruby ruby-libs ruby-shadow
wget ftp://ftp.sunet.se/pub/Linux/distributions/yellowdog/yum/6.2/extras/RPMS/epel-release-5-3.noarch.rpm
rpm -Uvh epel-release-5-3.noarch.rpm
yum -y install puppet puppet-server facter
2. Installing the agent
yum install ruby ruby-libs ruby-shadow
wget ftp://ftp.sunet.se/pub/Linux/distributions/yellowdog/yum/6.2/extras/RPMS/epel-release-5-3.noarch.rpm
rpm -Uvh epel-release-5-3.noarch.rpm
yum -y install puppet facter
PS: If you see "No Package ruby-shadow... Nothing to do", ignore it; it does not affect the following steps. Judging from the later installation, ruby-shadow appears to be installed together with ruby, so subsequent installation is unaffected.
If the installation produces no errors, puppet has now been installed successfully.
II. Configuring Puppet
1. Configuring the master
ls -1 /etc/puppet/
auth.conf #defines the ACL file of the puppet master
fileserver.conf #configuration file of the puppet master file server
manifests #main directory for puppet manifests; site.pp must exist here
modules #puppet module directory
puppet.conf #main puppet configuration file
Nothing needs to be changed here for now.
2. Configuring the agent
Configuring the agent mainly means editing the [agent] section of /etc/puppet/puppet.conf on the agent.
On the agent, run vim /etc/puppet/puppet.conf and add the following configuration:
server = master.puppet.com #address of the master server
runinterval = 3600 #interval between automatic runs, in seconds
listen = true #the agent listens as a service, which allows other machines to trigger a puppet run, i.e. remote triggering of the node's configuration
III. Starting and stopping Puppet
1. Starting and stopping the master
Starting the master
/etc/rc.d/init.d/puppetmaster start
or service puppetmaster start
For the first start it is recommended to use puppet master --verbose --no-daemonize, which helps with testing and debugging: with this option you can watch the whole startup process. Startup does some initialization work, creating the local certificate authority for the master together with its certificate and key, and then opens a socket and waits for client connections. The related files and directories can be seen in the /etc/puppet/ssl directory.
Stopping the master
/etc/rc.d/init.d/puppetmaster stop
or service puppetmaster stop
2. Starting and stopping the agent
Starting the agent
/etc/rc.d/init.d/puppet start
or service puppet start
For debugging you can use
puppet agent --server=master.puppet.com --no-daemonize --verbose
Stopping the agent
/etc/rc.d/init.d/puppet stop
or service puppet stop
IV. Checking the local certificates
When puppetmaster starts for the first time it automatically generates a certificate and registers itself.
[root@master ~]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
|-- ca
|   |-- ca_crl.pem
|   |-- ca_crt.pem
|   |-- ca_key.pem
|   |-- ca_pub.pem
|   |-- inventory.txt
|   |-- private
|   |   `-- ca.pass
|   |-- requests
|   |-- serial
|   `-- signed
|       |-- localhost.localdomain.pem
|       `-- master.puppet.com.pem //registered
|-- certificate_requests
|-- certs
|   |-- ca.pem
|   |-- localhost.localdomain.pem
|   `-- master.puppet.com.pem
|-- crl.pem
|-- private
|-- private_keys
|   |-- localhost.localdomain.pem
|   `-- master.puppet.com.pem
`-- public_keys
    |-- localhost.localdomain.pem
    `-- master.puppet.com.pem

9 directories, 18 files
On the agent, start the node in debug mode so that it sends a certificate request to the puppetmaster.
[root@agent ~]# puppet agent --test
info: Creating a new SSL key for agent.puppet.com
info: Creating a new SSL certificate request for agent.puppet.com
info: Certificate Request fingerprint (md5): 65:1A:E7:EC:81:7C:C8:4A:65:F7:53:B9:6E:72:AB:A3
Exiting; no certificate found and waitforcert is disabled
Check the certificate status on the master
[root@master ~]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
|-- ca
|   |-- ca_crl.pem
|   |-- ca_crt.pem
|   |-- ca_key.pem
|   |-- ca_pub.pem
|   |-- inventory.txt
|   |-- private
|   |   `-- ca.pass
|   |-- requests
|   |   `-- agent.puppet.com.pem //the request has arrived
|   |-- serial
|   `-- signed
|       |-- localhost.localdomain.pem
|       `-- master.puppet.com.pem
|-- certificate_requests
|-- certs
|   |-- ca.pem
|   |-- localhost.localdomain.pem
|   `-- master.puppet.com.pem
|-- crl.pem
|-- private
|-- private_keys
|   |-- localhost.localdomain.pem
|   `-- master.puppet.com.pem
`-- public_keys
    |-- localhost.localdomain.pem
    `-- master.puppet.com.pem

9 directories, 18 files
Or
[root@master ~]# puppet cert --list --all //another way to view the certificate status
"agent.puppet.com" (65:1A:E7:EC:81:7C:C8:4A:65:F7:53:B9:6E:72:AB:A3)
+ "master.puppet.com" (E2:39:E2:8E:48:E2:C4:6F:66:26:E1:9D:4B:A6:EF:CC) (alt names: "DNS:master.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
Sign the agent's request on the master
[root@master ~]# puppet cert --sign agent.puppet.com
notice: Signed certificate request for agent.puppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent.puppet.com at '/var/lib/puppet/ssl/ca/requests/agent.puppet.com.pem'
Check the certificate status again
[root@master ~]# puppet cert --list --all
+ "agent.puppet.com" (39:FA:BE:2D:71:45:20:AB:7C:CD:0A:61:DA:96:60:9B)
+ "master.puppet.com" (E2:39:E2:8E:48:E2:C4:6F:66:26:E1:9D:4B:A6:EF:CC) (alt names: "DNS:master.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
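The agent prints its CSR fingerprint (65:1A:...:A3 above) and the master lists the same fingerprint next to the pending request, so the two can be compared before `puppet cert --sign` is run, which prevents signing a request that did not come from the node you expect. The script below is an added example, not part of the original post: it parses a constructed copy of the `puppet cert --list --all` output shown above (a leading "+" marks a signed certificate, no "+" marks a pending request) and refuses to approve a request whose fingerprint differs from the one the agent reported.

```shell
# Constructed sample of `puppet cert --list --all` output in the format shown above.
CERT_LIST='  "agent.puppet.com" (65:1A:E7:EC:81:7C:C8:4A:65:F7:53:B9:6E:72:AB:A3)
+ "master.puppet.com" (E2:39:E2:8E:48:E2:C4:6F:66:26:E1:9D:4B:A6:EF:CC) (alt names: "DNS:master.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")'

# cert_line NAME: the listing line for NAME, or nothing if NAME is not listed
cert_line() {
    printf '%s\n' "$CERT_LIST" | grep -F "\"$1\"" || true
}

# cert_status NAME: prints "signed", "pending" or "absent"
cert_status() {
    line=$(cert_line "$1")
    if [ -z "$line" ]; then
        echo absent
    else
        case "$line" in
            +*) echo signed ;;
            *)  echo pending ;;
        esac
    fi
}

# cert_fingerprint NAME: the fingerprint in the first parentheses of NAME's line
cert_fingerprint() {
    cert_line "$1" | sed -n 's/^[+ ]*"[^"]*" (\([0-9A-F:]*\)).*/\1/p'
}

# verify_csr NAME EXPECTED_FP: returns 0 only if NAME has a pending request whose
# fingerprint equals the one the agent printed; 2 if nothing is pending, 1 on mismatch
verify_csr() {
    name=$1; expected=$2
    status=$(cert_status "$name")
    if [ "$status" != pending ]; then
        echo "$name: no pending request (status: $status)"
        return 2
    fi
    actual=$(cert_fingerprint "$name")
    if [ "$actual" != "$expected" ]; then
        echo "$name: fingerprint mismatch, do not sign ($actual != $expected)"
        return 1
    fi
    echo "$name: fingerprint matches, safe to run: puppet cert --sign $name"
    return 0
}

# The second argument is the fingerprint copied from the agent's own `puppet agent --test` output.
verify_csr agent.puppet.com 65:1A:E7:EC:81:7C:C8:4A:65:F7:53:B9:6E:72:AB:A3
```

On a real master, replace the constructed CERT_LIST with `CERT_LIST=$(puppet cert --list --all)` and pass the fingerprint read from the agent's console.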
At this point the basic installation and configuration of puppet is complete.
PS: testing the agent node
[root@master motd]# puppet agent --test
err: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: getaddrinfo: Name or service not known
Solution: the clocks of the client and the server are not synchronized, and the SSL connection depends on the hosts' time being correct. Run the command to update the time:
[root@agent ~]# ntpdate master.puppet.com
28 Mar 12:16:58 ntpdate[3348]: step time server 10.200.37.178 offset -29.556532 sec
//At this point the ntpd service on the agent should be stopped, so that it does not synchronize automatically.