Puppet Automated Operations: Puppet Installation
Note: set the hostname before installing the software, because the hostname is written into the certificate when it is generated. If you change the hostname after the certificate has already been generated, the agent can no longer connect; many beginners run into this. Each client's certificate must be signed by the CA (root) certificate before the client can connect to the server.
This test uses only one puppet master and one puppet agent, but the procedure applies to any architecture.
0. Prerequisites
System: CentOS 6.x x86_64, minimal install + Development Tools
Server IP: 192.168.10.1, hostname: master.perofu.com
Client IP: 192.168.10.3, hostname: client.perofu.com
Note: Ruby must be 1.8.5; newer versions are incompatible, or so everyone says.
The IPs in this article differ from the ones listed above, but that does not affect the result of the experiment.
1. Server-side installation
①. Write the hostnames of the server and of every client into /etc/hosts:
echo "192.168.10.1 master.perofu.com" >>/etc/hosts
echo "192.168.10.3 client.perofu.com" >>/etc/hosts
…
②. Configure the hostname:
hostname master.perofu.com
vi /etc/sysconfig/network
HOSTNAME=master.perofu.com
③. Install Ruby 1.8.5 (1.8.6 is not supported):
yum -y install ruby ruby-libs ruby-rdoc ruby-irb
Note: ruby-rdoc and ruby-irb are only needed if you want to read the help documentation.
④. Install NTP and synchronize time so that master and client agree:
yum install ntp -y
chkconfig --level 35 ntpd on
crontab -e
# root's own crontab has no user column (that column exists only in /etc/crontab); cron runs the line with /bin/sh, so use the portable redirection
10 5 * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1 ; /sbin/hwclock -w
service crond restart
ntpdate pool.ntp.org; hwclock -w
Note: this synchronizes with time.nist.gov every day at 05:10 and writes the Linux system time to the BIOS (hardware) clock.
If the time on master and client differs, the certificate verification step fails.
⑤. Install facter:
tar -axf facter-latest.tgz -C /usr/local/src/
cd /usr/local/src/facter-1.6.8/
ruby install.rb
⑥. Install puppet:
tar -axf puppet-2.6.3.tar.gz -C /usr/local/src/
cd /usr/local/src/puppet-2.6.3/
ruby install.rb
mkdir -p /etc/puppet/manifests
cp conf/auth.conf /etc/puppet/
cp conf/redhat/fileserver.conf /etc/puppet/
cp conf/redhat/puppet.conf /etc/puppet/
cp conf/redhat/server.init /etc/init.d/puppetmaster
chmod +x /etc/init.d/puppetmaster
chkconfig --add puppetmaster
chkconfig puppetmaster on
puppetmasterd --mkusers # create the puppet user; if this errors, run: groupadd puppet; useradd -g puppet puppet
mkdir -p /var/lib/puppet/rrd
chown puppet:puppet /var/lib/puppet/rrd
/etc/init.d/puppetmaster start # start the master
netstat -anplt | grep :8140 # check that it is listening
2. Client installation
①. Write the hostnames of the server and of this client into /etc/hosts:
echo "192.168.10.1 master.perofu.com" >>/etc/hosts
echo "192.168.10.3 client.perofu.com" >>/etc/hosts
②. Configure the hostname:
hostname client.perofu.com
vi /etc/sysconfig/network
HOSTNAME=client.perofu.com
③. Install Ruby 1.8.5 (1.8.6 is not supported):
yum -y install ruby ruby-libs ruby-rdoc ruby-irb
Note: ruby-rdoc and ruby-irb are only needed if you want to read the help documentation.
④. Install NTP and synchronize time so that master and client agree:
yum install ntp -y
chkconfig --level 35 ntpd on
crontab -e
# root's own crontab has no user column (that column exists only in /etc/crontab); cron runs the line with /bin/sh, so use the portable redirection
10 5 * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1 ; /sbin/hwclock -w
service crond restart
ntpdate pool.ntp.org; hwclock -w
Note: this synchronizes with time.nist.gov every day at 05:10 and writes the Linux system time to the BIOS (hardware) clock.
If the time on master and client differs, the certificate verification step fails.
⑤. Install facter:
tar -axf facter-latest.tgz -C /usr/local/src/
cd /usr/local/src/facter-1.6.8/
ruby install.rb
⑥. Install puppet:
tar -axf puppet-2.6.3.tar.gz -C /usr/local/src/
cd /usr/local/src/puppet-2.6.3/
ruby install.rb
mkdir -p /etc/puppet
cp conf/auth.conf /etc/puppet/
cp conf/namespaceauth.conf /etc/puppet/
cp conf/redhat/puppet.conf /etc/puppet/
cp conf/redhat/client.init /etc/init.d/puppet
chmod +x /etc/init.d/puppet
chkconfig --add puppet
chkconfig puppet on
puppetd --mkusers # if this errors, run: groupadd puppet; useradd -g puppet puppet
mkdir -p /var/lib/puppet/rrd
chown puppet:puppet /var/lib/puppet/rrd
/etc/init.d/puppet start
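The server and client installs above share the same fragile prerequisites: a fully qualified hostname that /etc/hosts resolves to the expected address, the Ruby version the article calls for, and, on the master, a listener on port 8140. As an added example (not code from the original article), the script below turns those into pre-flight checks. The function names, the preflight driver and the PREFLIGHT_ROLE variable are my own; each check takes its input as arguments so it can be run against the live host or against constructed data.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for the
# hostname, /etc/hosts, Ruby and listening-port steps of the installs above.

# hosts_entry_ok HOSTS_FILE HOSTNAME IP
# Succeeds if HOSTS_FILE has an uncommented line mapping HOSTNAME to IP.
hosts_entry_ok() {
    sed 's/#.*//' "$1" | awk -v h="$2" -v ip="$3" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit found ? 0 : 1 }'
}

# hostname_is_fqdn NAME
# The agent certificate is issued for this name, so it must be a fully
# qualified name such as client.perofu.com, not a bare "client".
hostname_is_fqdn() {
    case $1 in
        .*|*.|*..*) return 1 ;;   # leading, trailing or doubled dot
        *.*)        return 0 ;;   # has a domain part
        *)          return 1 ;;
    esac
}

# ruby_version_ok "VERSION_STRING"
# VERSION_STRING is the output of `ruby --version`; the article requires 1.8.5.
ruby_version_ok() {
    set -- $1                 # split "ruby 1.8.5 (2006-08-25) [...]" into words
    [ "$2" = "1.8.5" ]
}

# port_listening NETSTAT_OUTPUT PORT
# Same intent as `netstat -anplt | grep :8140`, but anchored: the local address
# must end in ":PORT" and the state must be LISTEN, so :81400 does not match.
port_listening() {
    printf '%s\n' "$1" | awk -v p=":$2" '
        $6 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# preflight ROLE  (ROLE is "master" or "agent"): run the checks on this host.
preflight() {
    name=$(hostname)
    ip=$(getent hosts "$name" 2>/dev/null | awk '{ print $1; exit }')
    hostname_is_fqdn "$name"                || { echo "hostname '$name' is not fully qualified"; return 1; }
    hosts_entry_ok /etc/hosts "$name" "$ip" || { echo "/etc/hosts does not map $name to $ip"; return 1; }
    ruby_version_ok "$(ruby --version 2>/dev/null)" || { echo "ruby is not 1.8.5"; return 1; }
    if [ "$1" = master ]; then
        port_listening "$(netstat -anplt 2>/dev/null)" 8140 \
            || { echo "puppetmaster is not listening on 8140"; return 1; }
    fi
    echo "preflight OK: $name ($1)"
}

# Run only when a role is given, e.g.  PREFLIGHT_ROLE=master sh preflight.sh
if [ -n "${PREFLIGHT_ROLE:-}" ]; then
    preflight "$PREFLIGHT_ROLE"
fi
```

Run it as `PREFLIGHT_ROLE=master sh preflight.sh` on the master after step ⑥ and as `PREFLIGHT_ROLE=agent sh preflight.sh` on the client. The checks are deliberately stricter than the article's `grep :8140`: a bare hostname or a stale /etc/hosts entry is caught here, before a certificate is generated for the wrong name.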
3. Certificate verification
①. Send a certificate request to the server (run on the client):
puppetd --test --server master.perofu.com
[root@client ~]# puppetd --test --server master.perofu.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client.perofu.com
info: Certificate Request fingerprint (md5): 01:D3:C8:57:79:5B:C1:86:55:97:A6:44:4D:48:2E:67
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
②. Sign the client's certificate (only needed the first time for a given client):
puppetca -l # list pending (unsigned) certificate requests
puppetca -s <certname> # sign the specified certificate request
puppetca -s -a # sign all pending certificate requests
[root@master ~]# puppetca -s -a
notice: Signed certificate request for client.perofu.com
notice: Removing file Puppet::SSL::CertificateRequest client.perofu.com at '/var/lib/puppet/ssl/ca/requests/client.perofu.com.pem'
③. Create Puppet's site.pp on the server:
vi /etc/puppet/manifests/site.pp
import "test.pp"
vi /etc/puppet/manifests/test.pp # same directory as site.pp, otherwise the import above cannot find it
file { "/tmp/testfile":
    ensure => present,
    mode   => "644",
    owner  => root,
    group  => root
}
/etc/init.d/puppetmaster restart # the master must be restarted after site.pp is created for the first time
④. After signing, the client sends a request to the server again:
puppetd --test --server master.perofu.com
[root@client ~]# puppetd --test --server master.perofu.com
info: Caching catalog for master.perofu.com
info: Applying configuration version '1386457551'
notice: /Stage[main]//File[/tmp/testfile]/ensure: created
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.02 seconds
# This requests the content under /etc/puppet/manifests/ on the server.
⑤. Check that the certificate on the master and on the client match:
# Server side:
[root@master ~]# md5sum /var/lib/puppet/ssl/ca/signed/client.perofu.com.pem
c979523db046a665468dbd735107e55f  /var/lib/puppet/ssl/ca/signed/client.perofu.com.pem
# Client side:
[root@client ~]# md5sum /var/lib/puppet/ssl/certs/client.perofu.com.pem
c979523db046a665468dbd735107e55f  /var/lib/puppet/ssl/certs/client.perofu.com.pem
⑥. Error: certificate verify failed:
Problem:
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Could not retrieve file metadata for puppet://puppet.example.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Solution:
# 1. The clocks may be out of sync; run on both master and agent:
ntpdate pool.ntp.org; hwclock -w
# 2. Delete the existing certificates on both master and agent, then run the verification again:
find /var/lib/puppet/ssl -type f -print0 | xargs -0r rm
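Steps ⑤ and ⑥ above, together with the hostname warning at the top of the article, are the three things to check when an agent fails with "certificate verify failed": do the two copies of the agent certificate match, are the clocks close enough, and does the certificate in the agent's ssl directory still carry the current hostname. As an added example (not code from the original article), the script below makes each of those a function and adds a guarded version of the article's `find ... | xargs rm` reset. The function names and the diagnose driver are my own; the 60-second skew limit in diagnose is an assumption for illustration, not a Puppet setting, and paths are parameters so the functions can be exercised on test data.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers for the certificate
# checks in steps ⑤ and ⑥.

# cert_files_match FILE_A FILE_B
# Step ⑤ made scriptable: compare the md5 of the CA's signed copy
# (ssl/ca/signed/<name>.pem on the master) with the agent's copy
# (ssl/certs/<name>.pem); copy one side over with scp first.
cert_files_match() {
    a=$(md5sum "$1" 2>/dev/null | awk '{ print $1 }')
    b=$(md5sum "$2" 2>/dev/null | awk '{ print $1 }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# clock_skew_ok MASTER_EPOCH AGENT_EPOCH MAX_SECONDS
# Cause 1 in step ⑥: certificates carry validity times, so a large clock
# offset makes verification fail. Pass the two `date +%s` values.
clock_skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    [ "$d" -le "$3" ]
}

# stale_certs SSL_DIR HOSTNAME
# The warning at the top of the article: the certificate is issued for the
# hostname at generation time. List any certificate in SSL_DIR/certs that is
# neither ca.pem nor HOSTNAME.pem; succeed only if there is none.
stale_certs() {
    stale=0
    for f in "$1"/certs/*.pem; do
        [ -e "$f" ] || continue               # glob matched nothing
        case $(basename "$f") in
            ca.pem|"$2.pem") ;;
            *) echo "stale certificate: $f"; stale=1 ;;
        esac
    done
    [ "$stale" -eq 0 ]
}

# reset_ssl_dir SSL_DIR
# Cause 2 in step ⑥: wipe SSL_DIR (the article uses /var/lib/puppet/ssl) so
# the agent generates a fresh key and request on its next run; the master
# must then sign it again with puppetca. Refuses an empty or root path.
reset_ssl_dir() {
    case $1 in
        ""|/) echo "refusing to wipe '$1'" >&2; return 1 ;;
    esac
    find "$1" -type f -print0 | xargs -0r rm --
}

# diagnose MASTER_EPOCH [SSL_DIR]
# Run on the agent, passing the master's `date +%s`; prints which of the two
# causes in step ⑥ applies. 60 seconds is an illustrative limit (assumption).
diagnose() {
    ssl=${2:-/var/lib/puppet/ssl}
    clock_skew_ok "$1" "$(date +%s)" 60 \
        || echo "clock skew over 60s: run 'ntpdate pool.ntp.org; hwclock -w' on both hosts"
    stale_certs "$ssl" "$(hostname)" \
        || echo "hostname changed after the cert was issued: reset_ssl_dir $ssl, then re-sign on the master"
}
```

Typical use on the client: `diagnose "$(ssh master.perofu.com date +%s)"`. The reset keeps the article's `find -type f -print0 | xargs -0r rm` but refuses an empty argument, which would otherwise make `find` walk the current directory.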
That concludes the Puppet installation article; next up is Puppet resources. Stay tuned!