Installing Puppet on CentOS 5.8

 

Version history

Date         Version   Description                        Author
2015-01-05   1.0       Installing Puppet on CentOS 5.8    csc

#################################################################

1. Environment configuration:

OS: CentOS 5.6 64-bit

Puppet server: 192.168.1.30  P-master

Puppet client: 192.168.1.31  P-client01

Puppet version: puppet-2.7.14.tar.gz (old release)

Facter version: facter-2.3.0.tar.gz (old release)

 

The /etc/hosts file is the same on the server and the client:

 

[root@P-master manifests]# more /etc/hosts

127.0.0.1        localhost.localdomain localhost

::1             localhost6.localdomain6 localhost6

192.168.1.30    P-master

192.168.1.31    P-client01

 

Install ntpd on the server for time synchronization:

The clients must synchronize their clocks against the server's ntpd.

 

2. Installing with yum

Puppet server installation with yum:

wget http://yum.puppetlabs.com/el/5/products/x86_64/puppetlabs-release-5-7.noarch.rpm

rpm -ivh puppetlabs-release-5-7.noarch.rpm

Puppet needs Ruby; to read the command-line help you also need the ruby-rdoc package:

# yum install ruby ruby-libruby-rdoc

Install and enable the puppet service on P-master:

# yum -y install puppet-server

# chkconfig puppetmaster on

# service puppetmaster start

Starting puppetmaster:

Stop iptables and set SELinux to disabled:

# /etc/init.d/iptables stop

iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

Puppet client installation with yum:

wget http://yum.puppetlabs.com/el/5/products/x86_64/puppetlabs-release-5-7.noarch.rpm

rpm -ivh puppetlabs-release-5-7.noarch.rpm

yum install ruby ruby-libruby-rdoc

yum -y install puppet

 

3. Installing from source (recommended)

All servers need the following:

Install ruby

Puppet is written in Ruby, so install the Ruby runtime, its libraries and the command help files:

[root@puppet soft]# yum install ruby ruby-libs ruby-rdoc

Install facter

Puppet downloads: http://downloads.puppetlabs.com/

Facter is a system inventory tool. It collects host facts such as the CPU and IP address and sends them to the puppet server, which can then generate different Puppet configurations for different nodes based on those values.

Facter must be installed before Puppet.

[root@puppet soft]# wget http://downloads.puppetlabs.com/facter/facter-1.6.8.tar.gz

[root@puppet soft]# tar -zxvf facter-1.6.8.tar.gz

[root@puppet soft]# cd facter-1.6.8

[root@puppet facter-1.6.8]# ruby install.rb

Install puppet

[root@puppet facter-1.6.8]# cd ..

[root@puppet soft]# wget http://downloads.puppetlabs.com/puppet/puppet-2.7.14.tar.gz

[root@puppet soft]# tar -zxvf puppet-2.7.14.tar.gz

[root@puppet soft]# cd puppet-2.7.14

[root@puppet puppet-2.7.14]# ruby install.rb

 

4. Server configuration for the source install:

[root@puppet puppet-2.7.14]# cp conf/redhat/fileserver.conf /etc/puppet/

[root@puppet puppet-2.7.14]# cp conf/redhat/puppet.conf /etc/puppet/

[root@puppet puppet-2.7.14]# cp conf/redhat/server.init /etc/init.d/puppetmaster

Register puppetmaster as a service and enable it at boot.

Confirm that the puppetmaster init script is executable:

[root@puppet puppet-2.7.14]# ll /etc/init.d/puppetmaster

-rwxr-xr-x 1 root root 3936 06-05 18:19 /etc/init.d/puppetmaster

[root@puppet puppet-2.7.14]# chkconfig --add puppetmaster

[root@puppet puppet-2.7.14]# chkconfig --level 35 puppetmaster on

Create the puppet account:

[root@puppet puppet-2.7.14]# puppetmasterd --mkusers

 

1) Confirm that the manifests directory was created:

[root@puppet soft]# ll /etc/puppet/

总计 32
-rw-r--r-- 1 root root 2552 06-05 01:29 auth.conf
-rwxr-xr-x 1 root root  381 2012-06-05 fileserver.conf
drwxr-xr-x 2 root root 4096 2012-06-05 manifests
-rwxr-xr-x 1 root root  853 2012-06-05 puppet.conf

The manifests directory holds the Puppet manifest files and must contain init.pp. All the code can go into that single file, but for manageability it is better to split it by function or project.

2) Confirm that the system created the puppet user:

[root@puppet puppet-2.7.14]# cat /etc/passwd | grep puppet

puppet:x:500:500::/home/puppet:/bin/bash

3) Make sure /var/lib/puppet/rrd exists and is owned by puppet:

[root@puppet puppet-2.7.14]# ll /var/lib/puppet/

总计 72
drwxr-x--- 2 puppet puppet 4096 06-05 18:49 bucket
drwxr-xr-x 2 root   root   4096 06-05 18:49 facts
drwxr-xr-x 2 root   root   4096 06-05 18:49 lib
drwxr-x--- 2 puppet puppet 4096 06-05 18:49 reports
drwxr-x--- 2 puppet puppet 4096 06-05 18:49 rrd
drwxr-x--- 2 puppet puppet 4096 06-05 18:49 server_data
drwxrwx--x 8 puppet root   4096 06-05 18:50 ssl
drwxr-xr-t 2 root   root   4096 06-05 18:49 state
drwxr-x--- 2 puppet puppet 4096 06-05 18:49 yaml

 

Start the server:

/etc/init.d/puppetmaster start

Check that the installation succeeded:

[root@server ~]# netstat -ntpl | grep 8140
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      2993/ruby

[root@server ~]# ps -ef | grep puppet | grep -v grep
puppet   2993     1  0 10:57 ?        00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd

iptables security settings (optional)

The default iptables configuration is:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Change it to the following (the IPsec, mDNS and CUPS rules are dropped, TCP 8140 is opened for the agents, and the final REJECT stays in place):

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

5. Client installation from source

[root@puppet puppet-2.7.14]# echo "10.8.10.30 P-master " >> /etc/hosts

To install ruby, facter and puppet on the client, follow the same steps as for the server.

Note: the client and server versions must match. If they differ, the newer version can only be the puppet server and the other machine can only be a puppet client; that is, the puppet server version may be greater than or equal to the client version, but never lower.

Client configuration:

[root@puppet puppet-2.7.14]# cp conf/redhat/fileserver.conf /etc/puppet/

[root@puppet puppet-2.7.14]# cp conf/redhat/puppet.conf /etc/puppet/

[root@puppet puppet-2.7.14]# cp conf/redhat/client.init /etc/init.d/puppet

[root@puppet puppet-2.7.14]# chkconfig --level 35 puppet on

[root@puppet puppet-2.7.14]# puppetd --mkusers

Could not prepare for execution: Got 1 failure(s) while initializing: change from absent to present failed: Could not create user puppet: Execution of '/usr/sbin/useradd -g puppet -M puppet' returned 6: useradd: unknown group puppet

Add the following to /etc/puppet/puppet.conf:

[main]
 server = P-master   # points to the puppet server

[agent]
 runinterval = 60    # for early testing let the agent update by itself: sync every 60 seconds; 0 means sync immediately and costs much more CPU

# Create the puppet user and group by hand (optional)

[root@puppet puppet-2.7.14]# groupadd puppet; useradd -g puppet -M puppet

Start the client:

[root@puppet puppet-2.7.14]# service puppet start

 

 

6. Establishing authentication

Client-to-puppetmaster authentication -- run on the client

Note:

vim /etc/puppet/puppet.conf

[main]
 server = P-master   # points to the puppet server

With this setting, the client does not need to pass --server puppetmaster when it runs puppetd to sync.

[root@client1 puppet-2.7.14]# puppetd --test --server P-master

info: Creating a new SSL key for client1.viong.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client1.viong.com
info: Certificate Request fingerprint (md5): 6F:6A:45:D9:14:28:D1:5B:05:3B:4F:0B:9A:51:D1:71
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

The command puppetd --test --server P-master makes puppetd read its Puppet configuration from P-master. On the first connection the two sides verify SSL certificates; this is a new client that the server has not yet authenticated, so its certificate request must be signed on the server.

 

Approve the certificate on the server -- run on the server

List the pending certificate requests:

[root@server ~]# puppetca -l
client1.viong.com (B0:85:72:E6:7D:63:EA:CC:BD:0C:E4:F1:70:89:24:70)

Sign the current request:

[root@server ~]# puppetca -s client1.viong.com
notice: Signed certificate request for client1.viong.com
notice: Removing file Puppet::SSL::CertificateRequest client1.viong.com at '/var/lib/puppet/ssl/ca/requests/client1.viong.com.pem'

List the certificates; note the leading + sign, which marks a certificate as signed:

[root@server ~]# puppetca -a --list
+ server.viong.com (43:33:D3:A0:26:C4:E9:89:66:A6:DC:54:20:90:E9:4D) (altnames: DNS:puppet, DNS:puppet.viong.com, DNS:server.viong.com)

--------------------------------------------------------------------------------------------------

Sign all pending requests:

puppetca -s -a

 

Automatic signing on the server

Add this line to puppet.conf on the puppetmaster:

[main]
autosign = true

With autosign = true the master signs every certificate request it receives without review, so it only belongs on an isolated test network.

--------------------------------------------------------------------------------------------------

Back on the client, fetch the approved certificate from the server:

[root@client1 puppet-2.7.14]# puppetd --test --server P-master
...
notice: Finished catalog run in 0.02 seconds

Verify with md5sum that the certificates match:

Server:

[root@server ~]# md5sum /var/lib/puppet/ssl/ca/signed/client1.viong.com.pem
8529a6f2d42c1b492c016fe870b744b6  /var/lib/puppet/ssl/ca/signed/client1.viong.com.pem

Client:

[root@client1 puppet-2.7.14]# md5sum /var/lib/puppet/ssl/certs/client1.viong.com.pem
8529a6f2d42c1b492c016fe870b744b6  /var/lib/puppet/ssl/certs/client1.viong.com.pem

------------------------------------------------------------------------------------------------

Troubleshooting 1

1. Changing the hostname breaks authentication; the certificate must be requested again.

2. If you get the following error:

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

it can also be fixed in the following two steps:

Server:

[root@server ca]# rm -rf /var/lib/puppet/ssl/ca/signed/<client-node>.pem

Client:

[root@client1 puppet-2.7.14]# rm -rf /var/lib/puppet/ssl/

Then re-run the authentication on the client: puppetd --test --server P-master

 

 

Troubleshooting 2

puppet resource package sshd

Could not run: Could not autoload package: Could not autoload /usr/lib/ruby/site_ruby/1.8/puppet/provider/package/windows.rb: no such file to load -- windows/error

If this error appears on Linux, move the Windows provider file out of the way:

cd /usr/lib/ruby/site_ruby/1.8/puppet/provider/package/
mv windows.rb windows.rb.bak

With an rpm install of puppet there is no windows.rb in that directory; the source install has it.

 

Troubleshooting 3

 

 ------------------------------------------------------------------------------------------------

6. Functional test

Server:

Create a test .pp file

The first code Puppet executes is /etc/puppet/manifests/site.pp, so this file must exist, and all other code has to be called from it.

[root@server ~]# vim /etc/puppet/manifests/site.pp

node default {
    file { "/tmp/viong.txt":
        content => "good,test pass!\n";
    }
}

The code above makes every puppet client that connects as the default node create a file /tmp/viong.txt whose content is "good,test pass!" followed by a newline.

After creating a .pp file for the first time, restart puppetmaster:

[root@server ~]# service puppetmaster restart
停止 puppetmaster                                       [确定]
启动 puppetmaster                                       [确定]

Client:

[root@client1 puppet-2.7.14]# puppetd --test --server server.viong.com
info: Caching catalog for client1.viong.com
info: Applying configuration version '1338897814'
notice: /Stage[main]//Node[default]/File[/tmp/viong.txt]/ensure: defined content as '{md5}9a3f5438e1d35a72d853974203de4254'
notice: Finished catalog run in 0.03 seconds

On success Puppet prints the debug information above and creates /tmp/viong.txt on the client:

[root@client1 puppet-2.7.14]# cat /tmp/viong.txt
good,test pass!

==============================================================

Running the client as a daemon

[root@client1 puppet-2.7.14]# puppetd --test --server server.viong.com --verbose --waitforcert 100
info: Caching catalog for client1.viong.com
info: Applying configuration version '1338897814'
notice: Finished catalog run in 0.03 seconds

--server: the server's FQDN; --verbose: print verbose output; --waitforcert: certificate wait timeout, here 100

I find that running puppet from cron or by hand, or from a script that is triggered when the master changes, fits my needs better.

 

 

Personal notes:

Starting and debugging

Start the client:

# service puppet start
Starting puppet agent: [  OK  ]
# chkconfig puppet on

Run on the client

The following output indicates a normal run:

[root@P-client01 tmp]# puppet agent -t --server P-master
Info: Retrieving plugin
Info: Caching catalog for p-client01
Info: Applying configuration version '1368517087'
Notice: Finished catalog run in 0.03 seconds

 

 

Troubleshooting 4

Warning: Find /production/certificate/kvm-vm02? resulted in 404 with the message: Not Found: Could not find certificate kvm-vm02

Delete the /var/lib/puppet/ssl directory on both the server and the client, then restart the client service. (Removing it on the server also discards the CA and every certificate it has signed, so every other agent will need a new certificate as well.)

puppet agent -t --debug --server P-master

Note: --debug enables debug mode.

 

Troubleshooting 5

Exiting; no certificate found and waitforcert is disabled

On the server, run the following to sign the client's request:

 puppet cert --sign p-client01

Then run the listing below. Two + signs mean it succeeded; only one + sign means something is wrong.

[root@P-master yum.repos.d]# puppet cert list -all
+ "p-client01" (SHA256) 23:EA:76:73:BD:0C:F3:83:E0:8D:46:6B:3C:AB:25:34:6F:D2:8D:5B:FB:38:C5:8F:BD:D0:CD:5F:26:AF:C2:C1
+ "p-master"   (SHA256) F5:D6:3B:2E:41:32:97:81:CA:5C:36:07:69:B8:F1:96:74:DE:12:4D:D7:82:DA:31:56:96:21:F7:AD:16:E4:4A
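As an added example (not part of the original notes), a POSIX sh helper that reads the certificate listing in the formats shown above and reports whether a certname is signed, pending, revoked or absent, plus a both_signed check for the "two + signs" rule. The function names and the sample listing are my own; the sample reuses the fingerprints shown above and adds a constructed revoked entry.

```shell
#!/bin/sh
# Added helper for these notes (not part of Puppet): parse the output of
# `puppet cert list --all` (3.x) or `puppetca --list --all` (2.7) and report whether a
# certname is signed (+), revoked (-), pending (no marker) or absent from the listing.

# Usage: cert_state CERTNAME < listing   -> prints one of signed|revoked|pending|absent
cert_state() {
    awk -v want="$1" '
        {
            state = "pending"; line = $0
            if (line ~ /^[+]/)    { state = "signed";  sub(/^[+][ \t]*/, "", line) }
            else if (line ~ /^-/) { state = "revoked"; sub(/^-[ \t]*/,  "", line) }
            sub(/^[ \t]*/, "", line)
            cn = line; sub(/[ \t(].*$/, "", cn); gsub(/"/, "", cn)   # first token, unquoted
            if (tolower(cn) == tolower(want)) { print state; found = 1; exit }  # certnames are lower-case
        }
        END { if (!found) print "absent" }
    '
}

# The "two + signs" check from the notes: succeed only when every name given
# (normally the master and one agent) is signed; print the state of any that is not.
both_signed() {
    listing="$1"; shift; rc=0
    for n in "$@"; do
        s=$(printf '%s\n' "$listing" | cert_state "$n")
        [ "$s" = signed ] || { echo "$n: $s"; rc=1; }
    done
    return $rc
}

# Constructed sample listing: the two signed entries from the notes (3.x format), the 2.7-style
# pending request from the notes, and a made-up revoked entry with a placeholder fingerprint.
SAMPLE_LISTING='+ "p-client01" (SHA256) 23:EA:76:73:BD:0C:F3:83:E0:8D:46:6B:3C:AB:25:34:6F:D2:8D:5B:FB:38:C5:8F:BD:D0:CD:5F:26:AF:C2:C1
+ "p-master"   (SHA256) F5:D6:3B:2E:41:32:97:81:CA:5C:36:07:69:B8:F1:96:74:DE:12:4D:D7:82:DA:31:56:96:21:F7:AD:16:E4:4A
  client1.viong.com (B0:85:72:E6:7D:63:EA:CC:BD:0C:E4:F1:70:89:24:70)
- "retired-node" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Stand-alone use: pipe a live listing in, e.g.
#   puppet cert list --all | cert_state p-client01
# or check the sample: both_signed "$SAMPLE_LISTING" p-master P-client01   (exit 0)
```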

 

 

 

 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

 

Agent certificate management

1. Delete the existing certificate

Clear the files and directories under /var/lib/puppet/ssl (this directory is whatever ssldir is set to in /etc/puppet/puppet.conf).

2. Request a certificate again

puppet agent --server puppet.zhang.com --test

When signing between the client and the server does not work, delete the certificate and sign again.

 

 

7. Programming

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hello, world

Now write a small example on the server to test. It does one simple thing: create a file test.txt under /tmp on the client with the content helo,test!---cscsctest. Write the code on the server:

# vi /etc/puppet/manifests/site.pp

node default {
    file { "/tmp/test.txt":
        content => "helo,test!---cscsctest";
    }
}

On the client run: puppet agent -t --server P-master
or: puppetd --test --server P-master

After a successful run the newly created test.txt appears in /tmp

[root@P-client01 tmp]# puppet agent -t P-master
Notice: Ignoring --listen on onetime run
Info: Retrieving plugin
Info: Caching catalog for p-client01
Info: Applying configuration version '1368587266'
Notice: Finished catalog run in 0.04 seconds

[root@P-client01 tmp]# ls
test.txt
[root@P-client01 tmp]# more test.txt
helo,test!---cscsctest

The client can also be configured to request its data from the master automatically at an interval:

vi /etc/puppet/puppet.conf

Add the following at the bottom of the [agent] section:

    server = P-master
    runinterval = 60
    listen = true

Notes:

server =        # address of the master
runinterval =   # how often to update automatically, in seconds
listen =        # the client listens as a service, so other machines are allowed to trigger a puppet run on this node remotely

 

 

 

File serving error:

My files live in /etc/puppet/files

Add to fileserver.conf:

  [files]
   path /etc/puppet/files
   allow *

# mkdir -p /etc/puppet/files

Grant permissions on the file:

# chmod 755 /etc/puppet/files/sshd_config

# vi modules/file/manifests/init.pp

file { 'sshd_config':
  name   => '/tmp/sshd_config',
  ensure => file,
  source => 'puppet:///files/sshd_config',
  owner  => root,
  group  => root,
  mode   => '600',
}

 

 

Validate the manifest syntax on the master:

puppet parser validate modules/file/manifests/init.pp

No output means no errors.

Dry run on the client without executing any real changes:

puppet agent -t --noop

 

 

Troubleshooting 6

Error: /Stage[main]/File/File[sshd_config]: Could not evaluate: Could not retrieve file metadata for puppet:///files/sshd_config: Error 400 on SERVER: Permission denied - /etc/puppet/files/sshd_config

Wrapped exception:
Error 400 on SERVER: Permission denied - /etc/puppet/files/sshd_config

The files under /etc/puppet/ must have permissions that let the puppet account read them.
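As an added check (not part of the original notes), a POSIX sh script that parses a fileserver.conf like the one above, flags the unrestricted allow * mount, and tests whether each mount directory is traversable by the unprivileged puppet user, which is what produces the permission error; the function names, the [secrets] mount and the sample directories are hypothetical.

```shell
#!/bin/sh
# Added helper for these notes (not Puppet's own tooling): audit a fileserver.conf, listing every
# mount, flagging an unrestricted "allow *", and flagging mount directories the unprivileged
# puppet user cannot traverse, the cause of "Error 400 on SERVER: Permission denied" above.
# Print "mount|path|allow" per [section]; accepts both "path /dir" and "path = /dir".
parse_mounts() {
    awk '
        function emit() { if (name != "") print name "|" path "|" allow }
        /^[ \t]*\[.*\][ \t]*$/ { emit(); name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
                                 path = ""; allow = ""; next }
        /^[ \t]*path[ \t=]/  { sub(/^[ \t]*path[ \t=]*/, "");  sub(/[ \t]*$/, ""); path = $0 }
        /^[ \t]*allow[ \t=]/ { sub(/^[ \t]*allow[ \t=]*/, ""); sub(/[ \t]*$/, "")
                               allow = (allow == "") ? $0 : allow "," $0 }
        END { emit() }
    ' "$1"
}

# 0 when "others" have read+execute on DIR (ls mode ends in r?x), so a daemon running as
# the puppet user can enter it and read the world-readable files inside.
others_can_traverse() {
    case "$(ls -ld "$1" | awk '{print $1}')" in
        ???????r?x*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print one line per finding; return 1 when something needs fixing, 0 when clean.
audit_fileserver() {
    findings=$(parse_mounts "$1" | while IFS='|' read -r name path allow; do
        case ",$(printf '%s' "$allow" | tr -d ' \t')," in
            *,\*,*) echo "[$name] allow '*' admits every node; restrict it (e.g. allow *.viong.com)" ;;
        esac
        if [ ! -d "$path" ]; then echo "[$name] path '$path' does not exist"
        elif ! others_can_traverse "$path"; then
            echo "[$name] path '$path' is not world-traversable; the puppet user gets Permission denied"
        fi
    done)
    [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

# Constructed sample under DIR: the notes' [files] mount (allow *, directory mode 755) beside a
# hypothetical [secrets] mount restricted to *.viong.com whose directory is mode 700.
build_sample() {
    mkdir -p "$1/files" "$1/secrets"; chmod 755 "$1/files"; chmod 700 "$1/secrets"
    printf '[files]\n   path %s/files\n   allow *\n\n[secrets]\n   path = %s/secrets\n   allow *.viong.com\n' \
        "$1" "$1" > "$1/fileserver.conf"
}
# Stand-alone run: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then d=$(mktemp -d); build_sample "$d"; audit_fileserver "$d/fileserver.conf"; fi
```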

Otherwise running puppet agent -t --noop reports the permission error: