I. Introduction to Puppet:
Puppet is an open-source, Ruby-based system configuration management tool that relies on a client/server (C/S) deployment architecture. Puppet has two modes of operation. The first is to run puppetd file.manifest directly, which is very direct and convenient for testing; the second is puppetd --server puppetmaster.server.com. The former reads file.manifest and applies the configuration directly; the latter downloads the manifest from the server and applies it, and is the most commonly used mode.
In the C/S architecture, the puppet-server package (known as the Puppet master) is installed on a central server, and the Puppet client software (known as the Puppet client) is installed on each target host to be managed. When a client connects to the Puppet master, the configuration defined on the master is compiled and then run on the client. By default each client contacts the server every half hour to check whether its configuration has been updated; it is nevertheless recommended to drive runs from crontab, which gives more timely updates and also relieves the load on the puppet-server host. If there is new or changed configuration, it is recompiled and distributed to the clients for execution. An update can also be triggered from the server to force all clients to apply their configuration. If a client's configuration has been altered, it can obtain the original configuration from the server and correct itself.
II. Installing Puppet:
1 Both the server and the client need a hostname configured
echo '10.10.0.106 test106.lvs' >> /etc/hosts
echo '10.10.0.50 test50.lvs' >> /etc/hosts
2 Server side:
Configure the hosts file: each time a client is added, a matching host record must be added to the hosts file. Two machines are used for this test: test106.lvs is the server and test50.lvs the client.
1) Set the hostname
hostname test106.lvs
echo '10.10.0.106 test106.lvs' >> /etc/hosts
echo '10.10.0.50 test50.lvs' >> /etc/hosts
2) Puppet is written in Ruby, so a Ruby environment must be installed for it to run
yum install -y ruby ruby-libs ruby-rdoc
3) Install Puppet. The CentOS repositories do not include Puppet, so the Puppet Labs repository must be added. My test machine is CentOS 5 (32-bit); just change the URL below to the repository that matches your own system (pick the appropriate one for your OS under http://yum.puppetlabs.com/el).
rpm -ivh http://yum.puppetlabs.com/el/5/products/i386/puppetlabs-release-5-1.noarch.rpm
yum install -y puppet-server
chkconfig --add puppetmaster
chkconfig puppetmaster on
service puppetmaster start
iptables -I INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
3 Client installation:
echo '10.10.0.106 test106.lvs' >> /etc/hosts
echo '10.10.0.50 test50.lvs' >> /etc/hosts
yum install -y ruby ruby-libs ruby-rdoc
rpm -ivh http://yum.puppetlabs.com/el/5/products/i386/puppetlabs-release-5-1.noarch.rpm
yum install -y puppet
4 Certificate request:
1) The client requests a certificate from the server:
[root@localhost ~]# puppetd --server test106.lvs --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for test50.lvs
info: Certificate Request fingerprint (md5): B2:C1:91:4E:CC:DA:44:74:CE:A9:4E:79:BB:58:2D:5A
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
2) The server accepts the certificate request:
[root@localhost tmp]# puppetca --list
test50.lvs (B2:C1:91:4E:CC:DA:44:74:CE:A9:4E:79:BB:58:2D:5A)
[root@localhost manifests]# puppetca -s test50.lvs
notice: Signed certificate request for test50.lvs
notice: Removing file Puppet::SSL::CertificateRequest test50.lvs at '/var/lib/puppet/ssl/ca/requests/test50.lvs.pem'
3) The client retrieves the signed certificate:
[root@localhost ~]# puppetd --server test106.lvs --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for test50.lvs
info: Caching certificate_revocation_list for ca
info: Caching catalog for test50.lvs
info: Applying configuration version '1337761611'
notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/ensure: defined content as '{md5}3adbbad1791fbae3ec908894c4963870'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.05 seconds
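The fingerprint the client prints in step 1 is what lets the operator of the master confirm, before signing in step 2, that the pending request really came from that host rather than from any machine that happens to reach port 8140. The helper below is an added example, not part of the original post: it signs a request only when the fingerprint relayed by the client's administrator matches the one puppetca --list shows. It assumes the listing format seen above (hostname, then the fingerprint in parentheses) and that puppetca is on the PATH; the sample listing is constructed, reusing the fingerprint from this post.

```shell
#!/bin/sh
# Sign a pending Puppet CSR only after its fingerprint has been verified
# out-of-band. Listing format assumed (as printed by puppetca --list here):
#   hostname (AA:BB:...:ZZ)

# csr_fingerprint LISTING HOSTNAME
#   Prints the fingerprint LISTING reports for HOSTNAME, upper-cased;
#   prints nothing when the host has no pending request.
csr_fingerprint() {
    printf '%s\n' "$1" | awk -v host="$2" '
        $1 == host { gsub(/[()]/, "", $2); print toupper($2); exit }'
}

# csr_matches LISTING HOSTNAME EXPECTED_FP
#   Returns 0 only when HOSTNAME is pending and its fingerprint equals
#   EXPECTED_FP (compared case-insensitively, so a hand-typed value works).
csr_matches() {
    actual=$(csr_fingerprint "$1" "$2")
    expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# sign_if_verified HOSTNAME EXPECTED_FP
#   Reads the live listing from puppetca and signs only on a match;
#   a mismatch or a missing request is refused and reported.
sign_if_verified() {
    listing=$(puppetca --list) || return 2
    if csr_matches "$listing" "$1" "$2"; then
        puppetca -s "$1"
    else
        echo "refusing to sign $1: fingerprint mismatch or no pending request" >&2
        return 1
    fi
}

# Constructed sample listing for offline demonstration; the first fingerprint
# is the one shown for test50.lvs in this post, the second is made up.
SAMPLE_LISTING='test50.lvs (B2:C1:91:4E:CC:DA:44:74:CE:A9:4E:79:BB:58:2D:5A)
test51.lvs (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'
```

On the master you would run sign_if_verified test50.lvs B2:C1:91:4E:CC:DA:44:74:CE:A9:4E:79:BB:58:2D:5A with the fingerprint read to you from the client's step 1 output.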
5 Re-issuing a certificate for an existing server
If a client changes, for example its hostname, a new certificate must be requested for it. On the server, delete that client's existing certificate file /var/lib/puppet/ssl/ca/signed/CLIENT.NAME.pem
On the client, delete the ssl directory /var/lib/puppet/ssl/
Then repeat the operations of step 4.
III. Testing whether the installation succeeded
1 On the server, create the file /etc/puppet/manifests/site.pp
vim /etc/puppet/manifests/site.pp
node default {
    file {
        "/tmp/test.txt": content => "hello, world!";
    }
}
The service must be restarted after the file is created
service puppetmaster restart
2 Run the following command on the client
[root@localhost ~]# puppetd --server test106.lvs --test
info: Caching catalog for test50.lvs
info: Applying configuration version '1337762096'
notice: Finished catalog run in 0.07 seconds
[root@localhost ~]# cat /tmp/test.txt
hello, world!
IV. Running the client as a daemon
puppetd --server test106.lvs --verbose --waitforcert 60
Notes: --server master   specifies the address of the server node
--waitforcert   interval between checks against the server
--verbose   print verbose output (optional)
Puppet Chinese wiki: http://puppet.wikidot.com/puppet-test