參考鏈接:https://www.bbsmax.com/A/RnJW2bMgzq/
環境說明:
192.168.154.137 master.localdomain #Puppet Server
192.168.154.138 agent1.localdomain #Puppet Agent
這裏的機器名稱不要有下劃線等特殊符合,否則後面會報“the scheme puppet does not accept registry part”這樣的錯誤信息。
centos的官方軟件庫裏面不包含puppet包,但是在epel項目裏面有包含puppet包。epel 是一個對rhel軟件倉庫的擴展,把一些有用的,但是rhel庫沒包含的軟件收集在一起做成的一個軟件倉庫。
- $ yum install epel-release
1. 安裝Puppet Server
- $ hostnamectl set-hostname master.localdomain #設置機器名稱
- $ systemctl reboot #重啓
- $ cat /etc/hosts
- 192.168.154.137 master.localdomain
- 192.168.154.138 agent1.localdomain
- $ yum install puppet-server #安裝Puppet Server
- # firewall-cmd --permanent --add-port=/tcp6 #修改防火牆,增加8140端口
2. 安裝Puppet Agent
- $ hostnamectl set-hostname agent1.localdomain #設置機器名稱
- $ systemctl reboot #重啓
- $ cat /etc/hosts
- 192.168.154.137 master.localdomain
- $ yum install puppet #安裝Puppet Agent
3. 測試Puppet
創建測試文件site.pp(Server端):
- $ cat /etc/puppet/manifests/site.pp
- node default {
- file { "/tmp/helloworld.txt" :
- content => "Hello World!",
- }
- }
啓動server,以no-daemonize方式,這樣可以在控制檯看到操作信息(Server端):
- $ puppet master --no-daemonize --debug
- ... ...
- Notice: Starting Puppet master version #啓動成功,會看到這樣的信息
編輯客戶端puppet.conf,增加server配置項(Agent端):
- $ cat /etc/puppet/puppet.conf
- [agent]
- ... ...
- server = master.localdomain
啓動agent(Agent端,以root用戶):
- $ puppet agent --test
- Info: Creating a new SSL key for agent1.localdomain
- Info: Caching certificate for ca
- Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
- Info: Creating a new SSL certificate request for agent1.localdomain
- Info: Certificate Request fingerprint (SHA256): 1D:::3B:1F::8C:B5:::0F:FF:CC:4A:4F:8E:BA:B4:5F:7C:::::A2:0C:C0::D9:1D::9E
- Info: Caching certificate for ca
- Exiting; no certificate found and waitforcert is disabled
啓動後,agent向server申請證書,因爲證書還沒有被server審覈,所以目前通信是不成功的。
回到server,通過puppet cert查詢證書:
- $ puppet cert list --all
- ::3B:1F::8C:B5:::0F:FF:CC:4A:4F:8E:BA:B4
- + :A1::::::A5:E5::2B:F6:::A8:D6:1F:9B
證書列表中有cs_agnet1的申請,目前是未審覈狀態(最前面沒有+)。審覈證書:
- $ puppet cert sign agent1.localdomain
- $ puppet cert list --all
- + :7F::A8:3C:B8:EF:B9:E2:AD:1D:5C:D7::B6::CF:
- + :A1::::::A5:E5::2B:F6:::A8:D6:1F:9B:
再次啓動agent:
- # puppet agent --test
- Info: Retrieving pluginfacts
- Info: Retrieving plugin
- Info: Caching catalog for agent1.localdomain
- Info: Applying configuration version '
- Notice: /Stage[main]/Main/Node[default]/File[/tmp/helloworld.txt]/ensure: defined content as '{md5}ed076287532e86365e841e92bfc50d8c'
- Notice: Finished catalog run in 0.02 seconds
這時候,查看/tmp/helloworld.txt,該文件就自動同步了。
在證書申請過程中,如果有問題,可以刪除證書重新申請,一般都能解決問題。
- Agent:
- $ rm -rf /var/lib/puppet #刪除緩存文件
- Server:
- $ puppet cert clean agent1.localdomain
Q1. 服務端找不到證書?
在測試時,先啓動Server,再通過Agent測試,回到Server通過puppet cert list --all怎麼都找不到證書。
後來發現問題原因是這樣的:在Server端,puppet.conf使用的是默認配置:
- [main]
- # Where SSL certificates are kept.
- ssldir = $vardir/ssl
然後用admin帳號(不是root,另外創建的帳號)啓動Server:
- [admin@master ~]$ sudo puppet master --no-daemonize --debug
這時候,Agent傳過來的證書申請實際上都存放在/home/admin/.puppet/ssl/目錄下。然後,我再開了另外一個SSH Client,用的是不同的root帳號,結果就是怎麼也找不到證書了。所以,在配置Server端時,ssldir最好這樣配置:
- ssldir = /var/lib/puppet/ssl
Q2. 自動審覈證書?
創建autosign.conf文件:
- $ cat /etc/puppet/autosign.conf
- *.localdomain
修改Server配置:
- $ cat /etc/puppet/puppet.conf
- [master]
- autosign = /etc/puppet/autosign.conf
刪除Server和Agent的過期證書:
- Server:
- $ puppet cert clean --all
- Agent:
- $ rm -rf /var/lib/puppet
OK,這樣就可以了。
Q3. 一個簡單的site.pp例子
- $ cat /etc/puppet/manifests/site.pp
- node default {
- file { '/tmp/hello.txt':
- content => 'Hello World!',
- }
- user { 'admin':
- ensure => 'present',
- comment => 'admin',
- gid => ',
- groups => ['wheel', 'admin'],
- home => '/home/admin',
- password => '$6$o.PFkMC14Xd2gOTk$atsNGzVmLFtQlvVr9imERjmw9n8vNr0quliqW6EdcZR6zyXFGfUv3EIbc9UZd3kJDIuxuMfyonVdm0OT5SJHM.',
- password_max_age => ',
- password_min_age => ',
- shell => '/bin/bash',
- uid => ',
- }
- package { 'epel-release':
- ensure => 'installed',
- }
- package { 'tcping':
- ensure => 'installed',
- }
- package { 'tree':
- ensure => 'installed',
- }
- package { 'net-tools':
- ensure => 'installed',
- }
- service { 'firewalld.service':
- ensure => 'stopped',
- enable => 'false',
- }
- exec { "selinux":
- command => "setenforce 0",
- path => "/usr/bin:/usr/sbin:/bin:/sbin",
- unless => "getenforce |grep -i Permissive",
- }
- }