We first prepare three CentOS 6.5 x86_64 machines and finish the pre-installation work.
OS: CentOS 6.5 x86_64
Puppet master: master.com (192.168.37.72)
Puppet client: client1.com (192.168.37.83)
Puppet client: client2.com (192.168.37.82)
1. Preparation before installing
Stop iptables and disable SELinux on the master and on every client. (This keeps the lab simple; on a real deployment leave the firewall on and open only TCP 8140 on the master, plus TCP 8139 on agents that use listen = true.)
Stop iptables:
[root@master ~]# service iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[root@master ~]# chkconfig --list | grep iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@master ~]# chkconfig iptables off
Disable SELinux:
[root@master ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled        (changed from SELINUX=enforcing)
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
This file is only read at boot; to drop the running system to permissive right away, run setenforce 0 and confirm with getenforce.
To make sure the clients can obtain valid certificates from the master, set up NTP on the master and on every client. Certificates carry validity dates, so a client whose clock is well ahead of or behind the master's fails certificate verification:
[root@master ~]# yum -y install ntp
[root@master ~]# ntpdate pool.ntp.org
[root@master ~]# chkconfig ntpd on
[root@master ~]# chkconfig --list | grep ntp
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpdate 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@master ~]# service ntpd start
Starting ntpd: [ OK ]
Set up /etc/hosts on the master and on the clients
Puppet requires every machine to have a fully qualified domain name. If no DNS server provides one, set the hostname on each machine. Do this before Puppet's first run: the agent's certificate is issued for the host's name (its certname) at that point, and master and clients use these certificates to authenticate each other, so a name changed afterwards no longer matches the certificate. To keep the install simple I used /etc/hosts.
[root@master ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.37.72 master.com
192.168.37.83 client1.com
192.168.37.82 client2.com
Install the official Puppet Labs yum repository
[root@master ~]# wget http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm
[root@master ~]# rpm -ivh puppetlabs-release-6-7.noarch.rpm
[root@master ~]# yum update
2. Installing and configuring the master
Install puppet-server
[root@master ~]# yum -y install puppet-server
Enable automatic certificate signing
Edit /etc/puppet/puppet.conf and add autosign = true and server = master.com to the [main] section. Be aware that autosign = true signs every certificate request that reaches port 8140, so any host that can reach the master is enrolled under whatever certname it asks for; it is acceptable for this lab only. Elsewhere, either sign requests by hand (puppet cert list, then puppet cert sign <certname>) or set autosign to a whitelist file (autosign = /etc/puppet/autosign.conf) that lists the permitted certnames.
[root@master ~]# vim /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
autosign = true
server = master.com
Start puppetmaster
[root@master ~]# service puppetmaster start
Starting puppetmaster: [ OK ]
[root@master ~]# netstat -tunlp | grep :8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 9148/ruby
Enable at boot
[root@master ~]# chkconfig --list | grep puppet
puppet 0:off 1:off 2:off 3:off 4:off 5:off 6:off
puppetmaster 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@master ~]# chkconfig puppetmaster on
[root@master ~]# chkconfig --list | grep puppet
puppet 0:off 1:off 2:off 3:off 4:off 5:off 6:off
puppetmaster 0:off 1:off 2:on 3:on 4:on 5:on 6:off
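Because autosign = true accepts every certificate request that reaches the master, the setting a practitioner usually wants instead is the whitelist form: autosign = /etc/puppet/autosign.conf in the [main] section, with one permitted certname (or a *.domain glob) per line in that file. The shell script below is an added example, not part of the original post or of Puppet itself; it re-implements that matching so a whitelist can be checked before it is deployed. It assumes Puppet 3.x autosign.conf semantics (an exact certname or a glob per line, lines starting with # ignored); apart from client1.com and client2.com the hostnames are made up.

```sh
# Added example, not from the original post. Master puppet.conf, [main] section:
#   autosign = true                       # lab only: signs every CSR, any host may enrol under any name
#   autosign = /etc/puppet/autosign.conf  # preferred: only certnames matching the whitelist are signed
# The functions below mirror how such a whitelist is matched (assumption: exact
# names and *.domain globs, # comments skipped, as in Puppet 3.x autosign.conf).

# Constructed whitelist for the hosts in this post plus one made-up domain glob.
AUTOSIGN_CONF='# /etc/puppet/autosign.conf: one certname or glob per line
client1.com
client2.com
*.lab.internal'

# autosign_allowed NAME -> exit 0 if NAME matches a whitelist line, else 1.
autosign_allowed() {
    name=$1
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac     # skip blanks and comments
        # an unquoted $pattern makes `case` treat it as a shell glob, so
        # "client1.com" matches only itself and "*.lab.internal" matches subdomains
        case $name in $pattern) return 0 ;; esac
    done <<EOF
$AUTOSIGN_CONF
EOF
    return 1
}

# autosign_decision NAME -> "allow" or "deny", handy for logging the outcome.
autosign_decision() {
    if autosign_allowed "$1"; then echo allow; else echo deny; fi
}

# Stand-alone demonstration: the two real clients, one glob match, two rejects.
for n in client1.com client2.com node7.lab.internal rogue.attacker.net client1.com.attacker.net; do
    echo "$n: $(autosign_decision "$n")"
done
```

With the whitelist in place a request from a host that is not listed stays pending on the master instead of being signed; inspect it with puppet cert list and, once you have confirmed where it came from, sign it with puppet cert sign <certname>.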
3. Installing and configuring the clients
Install puppet
[root@client1 ~]# yum -y install puppet
Point the client at the Puppet server and enable push from the master
Edit /etc/puppet/puppet.conf and add listen = true and server = master.com to the [agent] section. listen = true makes the agent listen on TCP 8139 so the master can trigger a run (puppet kick); if you do not need push, leave it out and the agent opens no listening port at all.
[root@client1 ~]# vim /etc/puppet/puppet.conf
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
listen = true
server = master.com
Edit /etc/puppet/auth.conf and add the entry below. Put it above the final "path /" rule: auth.conf rules are matched in order and the first rule whose path matches the request wins, so an entry placed after the catch-all is never reached. allow master.com restricts the /run endpoint to the host presenting the master's certificate.
[root@client1 ~]# vim /etc/puppet/auth.conf
path /run
method save
allow master.com
Start the client
[root@client1 ~]# service puppet start
Starting puppet agent: [ OK ]
[root@client1 ~]# netstat -tunlp | grep :8139
tcp 0 0 0.0.0.0:8139 0.0.0.0:* LISTEN 15038/ruby
Enable at boot
[root@client1 ~]# chkconfig puppet on
[root@client1 ~]# chkconfig --list | grep puppet
puppet 0:off 1:off 2:on 3:on 4:on 5:on 6:off
4. Certificate request
The client has to ask the master to manage it, and that request is really a certificate-signing exchange. On its first run the agent generates a key pair and sends a certificate signing request to the master; if the master agrees to manage the client, it signs the certificate. The command below triggers that first run; because server is already set in the client's puppet.conf, no server address has to be given on the command line.
[root@client1 ~]# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client1.com
Info: Applying configuration version '1440636623'
Notice: Finished catalog run in 0.20 seconds
View the signed certificates on the master
If the certificate is listed, the client and the master are communicating. Because automatic signing was configured earlier, every client that has connected is already signed.
[root@master ~]# puppet cert list --all
+ "client1.com" (SHA256) 41:9C:4C:10:46:AE:79:40:9B:F8:90:AC:84:F7:A1:AA:F7:5E:2F:2D:4F:DC:96:3C:3B:FF:08:CB:2C:62:33:CA
+ "client2.com" (SHA256) 60:6D:C6:5C:4E:FA:3C:00:E0:E2:35:9A:EB:87:F5:28:B8:F7:62:36:63:16:CA:4E:AE:03:05:26:3F:AE:28:AA
+ "master.com" (SHA256) B7:5C:34:7A:95:85:20:03:32:7F:65:5C:0E:8C:49:4D:30:F4:D6:BA:01:7B:15:13:51:4D:7E:55:25:16:EB:9C (alt names: "DNS:master.com", "DNS:puppet", "DNS:puppet.com")
+ the certificate is signed
- the certificate has been revoked
(no prefix) the request is pending and has not been signed
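A short audit script for the listing above, added here as an example and not taken from the original post: it classifies each entry of puppet cert list --all output as signed, revoked or pending, lists pending requests that someone should look at, and compares a listed fingerprint with the one an agent prints with puppet agent --fingerprint, which is the out-of-band check to do before signing a request by hand. The listing it runs on is a constructed sample made of the three entries above plus a revoked and a pending entry with made-up names and fingerprints.

```sh
# Added example (not from the original post): audit `puppet cert list --all`
# output in the format shown above. Every function reads the listing on stdin,
# so on the master the real command can be piped straight in:
#   puppet cert list --all | pending_certs

# Constructed sample listing: the client and master entries from this post plus
# a revoked ("-") and a pending (no prefix) entry whose fingerprints are made up.
CERT_LISTING='+ "client1.com" (SHA256) 41:9C:4C:10:46:AE:79:40:9B:F8:90:AC:84:F7:A1:AA:F7:5E:2F:2D:4F:DC:96:3C:3B:FF:08:CB:2C:62:33:CA
+ "client2.com" (SHA256) 60:6D:C6:5C:4E:FA:3C:00:E0:E2:35:9A:EB:87:F5:28:B8:F7:62:36:63:16:CA:4E:AE:03:05:26:3F:AE:28:AA
+ "master.com" (SHA256) B7:5C:34:7A:95:85:20:03:32:7F:65:5C:0E:8C:49:4D:30:F4:D6:BA:01:7B:15:13:51:4D:7E:55:25:16:EB:9C (alt names: "DNS:master.com", "DNS:puppet", "DNS:puppet.com")
- "retired.com" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
  "newnode.com" (SHA256) FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# cert_status NAME -> signed | revoked | pending | absent
# "+" and "-" lines carry the quoted name in field 2; a pending line has it in field 1.
cert_status() {
    awk -v want="\"$1\"" '
        $1 == "+" && $2 == want { print "signed";  found = 1; exit }
        $1 == "-" && $2 == want { print "revoked"; found = 1; exit }
        $1 == want              { print "pending"; found = 1; exit }
        END { if (!found) print "absent" }'
}

# cert_fingerprint NAME -> the SHA256 fingerprint shown for NAME (empty if absent)
cert_fingerprint() {
    awk -v want="\"$1\"" '
        $1 == want || $2 == want {
            for (i = 1; i <= NF; i++) if ($i == "(SHA256)") { print $(i + 1); exit }
        }'
}

# pending_certs -> bare certnames of requests that are neither signed nor revoked
pending_certs() {
    awk 'NF > 0 && $1 != "+" && $1 != "-" { gsub(/"/, "", $1); print $1 }'
}

# fingerprint_matches NAME EXPECTED -> exit 0 only if the listing shows EXPECTED for
# NAME. EXPECTED is what `puppet agent --fingerprint` printed on the agent itself.
fingerprint_matches() {
    [ -n "$2" ] && [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Stand-alone demonstration against the constructed listing.
for n in client1.com retired.com newnode.com ghost.com; do
    echo "$n: $(printf '%s\n' "$CERT_LISTING" | cert_status "$n")"
done
echo "pending: $(printf '%s\n' "$CERT_LISTING" | pending_certs)"
```

On a master with autosign disabled, pending_certs is the list to act on: for each name, fetch the fingerprint from the agent over a channel you trust, check it with fingerprint_matches, and only then run puppet cert sign.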
5. A simple test
Create site.pp under /etc/puppet/manifests on the master; this manifest pushes /tmp/andrewy.txt, both its content and its permissions, to the clients.
On the master
Create /tmp/andrewy.txt on the clients with the content "this is a test document!!!"
[root@master]# cd /etc/puppet/manifests
[root@master manifests]# vim site.pp
node default {
  file { "/tmp/andrewy.txt":
    ensure  => present,
    content => "this is a test document!!!\n",
    owner   => 'root',
    group   => 'root',
    mode    => '0644',   # quote the mode as a string; an unquoted 644 loses its leading zero and newer Puppet versions warn on it
  }
}
On the clients
[root@client1 ~]# puppet agent --test --server=master.com
Notice: Ignoring --listen on onetime run
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client1.com
Info: Applying configuration version '1440641613'
Notice: /Stage[main]/Main/Node[default]/File[/tmp/andrewy.txt]/ensure: created
Notice: Finished catalog run in 0.03 seconds
The Notice lines show the run succeeded; it took 0.03 seconds.
Check on the client that the file exists
[root@client1 ~]# cat /tmp/andrewy.txt
this is a test document!!!
6. Clients connecting to the master automatically
How do the clients poll the master on their own, and how do you change the default interval?
The default runinterval is 1800 seconds (30 minutes). Sometimes you need to change it, and to see the effect quickly I set it to 10 seconds: on each client edit /etc/puppet/puppet.conf and add runinterval = 10 under the [agent] section. A 10-second interval is only for this demonstration; with many agents it puts a heavy load on the master, so restore a sensible value afterwards.
[root@client1 ~]# vim /etc/puppet/puppet.conf
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
listen = true
server = master.com
runinterval = 10
listen = true and server = master.com were already added earlier. Restart the agent (service puppet restart) so the new interval is picked up, then watch the log:
[root@client1 ~]# tail -f /var/log/messages
Aug 27 10:56:53 client1 puppet-agent[32370]: Finished catalog run in 0.06 seconds
Aug 27 10:57:03 client1 puppet-agent[32517]: Finished catalog run in 0.05 seconds
Aug 27 10:57:13 client1 puppet-agent[32665]: Finished catalog run in 0.06 seconds
The log shows a catalog run every 10 seconds.
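As an added example that is not part of the original post, the following shell functions read agent lines in the /var/log/messages format shown above and compute the gap between consecutive catalog runs, so you can confirm the agent really runs at the configured runinterval and spot an agent that has stopped checking in (a silent agent is also the first sign that someone has killed or tampered with it). The log lines are constructed from the three above plus a deliberately late fourth run.

```sh
# Added example (not from the original post): check the cadence of agent runs
# from syslog lines of the form
#   Aug 27 10:56:53 client1 puppet-agent[32370]: Finished catalog run in 0.06 seconds
# Only the HH:MM:SS field is used: a gap across midnight is corrected by adding
# 86400 s, and gaps of more than one day are not detected (known limitation).

# Constructed sample log: three 10-second runs, then a run that is 88 s late.
AGENT_LOG='Aug 27 10:56:53 client1 puppet-agent[32370]: Finished catalog run in 0.06 seconds
Aug 27 10:57:03 client1 puppet-agent[32517]: Finished catalog run in 0.05 seconds
Aug 27 10:57:13 client1 puppet-agent[32665]: Finished catalog run in 0.06 seconds
Aug 27 10:58:41 client1 puppet-agent[32900]: Finished catalog run in 0.07 seconds'

# run_gaps (log on stdin) -> seconds between consecutive catalog runs, e.g. "10 10 88"
run_gaps() {
    awk '/puppet-agent\[[0-9]+\]: Finished catalog run/ {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            if (seen) { gap = now - prev; if (gap < 0) gap += 86400; printf "%s%d", sep, gap; sep = " " }
            prev = now; seen = 1
         }
         END { if (sep != "") print "" }'
}

# stalled_runs INTERVAL SLACK (log on stdin) -> one line per run that arrived more
# than INTERVAL+SLACK seconds after the previous one; SLACK absorbs the run time
# itself and small scheduling jitter.
stalled_runs() {
    awk -v limit="$(( $1 + $2 ))" '/puppet-agent\[[0-9]+\]: Finished catalog run/ {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            if (seen) { gap = now - prev; if (gap < 0) gap += 86400
                        if (gap > limit) print $1, $2, $3, "gap", gap "s" }
            prev = now; seen = 1
         }'
}

# Stand-alone demonstration: with runinterval = 10 and 5 s of slack, only the
# fourth run is reported.
printf '%s\n' "$AGENT_LOG" | run_gaps
printf '%s\n' "$AGENT_LOG" | stalled_runs 10 5
```

On a real client run it as tail -n 200 /var/log/messages | stalled_runs 1800 120 (the default interval plus two minutes of slack); any output means a run was missed and is worth a look.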
That completes the installation of Puppet on CentOS 6.5. When I have time I will write about more advanced Puppet usage, such as automatic package installation, running shell commands, and using modules. Since this is my first blog post and my knowledge is limited, please point out any omissions. Thank you!