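Notes on Installing and Configuring Puppet on CentOS 6.3

I recently took some time to look into Puppet, the foreign open-source tool said to be a staple of the ops community. I originally wanted to put together a document built from the latest versions compiled from source, but debugging turned up all sorts of errors. Googling articles by people abroad showed that the latest versions have many incompatibilities with each other, so I gave up on that, found a set of versions that work together, and tested it successfully. It took two days of fiddling, which was quite a slog. Here are my notes, written up as a document to share.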

System environment: CentOS 6.3

puppet:  puppet-2.7.13

facter:  facter-1.6.5

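ruby:    from the yum repository

Note:

facter collects system information from the client (such as hostname, ip, OS-Version, fqdn)

ruby is the development environment Puppet is built on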

 

puppet server: 192.168.7.196

puppet client: 192.168.7.197

 

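(server) marks configuration for the server only

(client) marks configuration for the client only

(server,client) marks configuration for both the server and the client

I. Prepare the environment (server,client):

1. Stop iptables and disable SELinux (server,client)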

# service iptables stop

# setenforce 0

# vi /etc/sysconfig/selinux

—————

SELINUX=disabled

————— 

2. Install the Ruby development environment (CentOS 6.3 default repositories) (server,client)

# yum -y install ruby* 

3. Schedule time synchronization: (server,client)

Synchronize the time every 5 minutes

# crontab -e

————-

*/5 * * * * /usr/sbin/ntpdate -u asia.pool.ntp.org

————-

# service crond restart

# chkconfig crond on 

4. Set the hosts entries and hostname on the server and the client:

(server,client)

# vi /etc/hosts

——————-

192.168.7.196    server.example.com    server

192.168.7.197    client.example.com    client

——————- 

(server)

# vi /etc/sysconfig/network

—————-

HOSTNAME=server.example.com

—————- 

(client)

# vi /etc/sysconfig/network

—————-

HOSTNAME=client.example.com

—————-

II. Install the software (server,client):

(server):

1. Install facter:

# wget http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz

# tar zxvf facter-1.6.5.tar.gz

# cd facter-1.6.5

# ruby install.rb

2. Install puppet:

# wget http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz

# tar zxvf puppet-2.6.13.tar.gz

# cd puppet-2.6.13

# ruby install.rb

# cp conf/auth.conf /etc/puppet/

# cp conf/redhat/fileserver.conf /etc/puppet/

# cp conf/redhat/puppet.conf /etc/puppet/

# mkdir -p /etc/puppet/manifests

 

Set up the boot-time init script:

# cp conf/redhat/server.init /etc/init.d/puppetmaster

# chmod +x /etc/init.d/puppetmaster

# chkconfig --add puppetmaster

# chkconfig puppetmaster on

 

Create the puppet user:

# puppetmasterd --mkusers

Start the puppetmaster service (port: 8140):

# service puppetmaster start

 

(client):

1. Install facter:

# wget http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz

# tar zxvf facter-1.6.5.tar.gz

# cd facter-1.6.5

# ruby install.rb

 

2. Install puppet:

# wget http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz

# tar zxvf puppet-2.6.13.tar.gz

# cd puppet-2.6.13

# ruby install.rb

# cp conf/auth.conf /etc/puppet/

# cp conf/namespaceauth.conf /etc/puppet/

# cp conf/redhat/puppet.conf /etc/puppet/

 

Set up the boot-time init script:

# cp conf/redhat/client.init /etc/init.d/puppet

# chmod +x /etc/init.d/puppet

# chkconfig --add puppet

# chkconfig puppet on

# vi /etc/puppet/puppet.conf

Add the following under the [agent] section:

——-

listen = true

server = server.example.com

——–

 

# vi /etc/puppet/namespaceauth.conf

Change it to the following:

———

[fileserver]

allow *

[puppetmaster]

allow *

[puppetrunner]

allow *

[puppetbucket]

allow *

[puppetreports]

allow *

[resource]

allow *

———
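
Added example, not part of the original notes: the file above gives every host access to every namespace on an agent that has listen = true. The script below lists the sections that contain `allow *` so they can be narrowed; `wildcard_sections`, `audit_file` and the tighter variant that names server.example.com are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed copy of the namespaceauth.conf contents shown on this page.
PAGE_CONF='[fileserver]
allow *
[puppetmaster]
allow *
[puppetrunner]
allow *
[puppetbucket]
allow *
[puppetreports]
allow *
[resource]
allow *'

# Assumed tighter variant for the agent: only the master may reach puppetrunner.
TIGHT_CONF='[puppetrunner]
allow server.example.com'

# wildcard_sections TEXT: print the name of each section that contains "allow *"
wildcard_sections() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*\[/ {                              # section header, e.g. [resource]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        /^[ \t]*allow[ \t]+\*[ \t]*$/ && sec != "" && !(sec in seen) {
            seen[sec] = 1; print sec
        }'
}

# audit_file PATH: return 1 and name the offending sections if any are wide open
audit_file() {
    hits=$(wildcard_sections "$(cat "$1")")
    [ -z "$hits" ] && return 0
    printf 'wildcard allow in [%s]\n' $hits >&2
    return 1
}
```

On the agent this would be run as `audit_file /etc/puppet/namespaceauth.conf`.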

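Create the puppet user:

# puppetmasterd --mkusers

Start the puppet service (port: 8140):

# /etc/init.d/puppet start

Installation is now complete. The next step is to set up certificate authentication between the client and the server, so that configuration defined on the server can be distributed to each client for centralized configuration management.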

III. Authenticate and distribute:

(client):

The client sends a request

# puppetd --test --server server.example.com

Error:

——————–

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

warning: Not using cache on failed catalog

err: Could not retrieve catalog; skipping run

——————–

Fix:

This can happen when two different puppetmaster servers have been used. The fix is to delete the existing SSL certificates.

# find /var/lib/puppet -type f -print0 |xargs -0r rm

Send the request again:

# puppetd --test --server server.example.com

——————-

info: Creating a new SSL key for client.example.com

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for ca

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

info: Creating a new SSL certificate request for client.example.com

info: Certificate Request fingerprint (md5): 32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

Exiting; no certificate found and waitforcert is disabled

——————-

The request was sent successfully.

(server):

On the server, check whether any clients are requesting a certificate

# puppetca --list

——————

client.example.com (32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99)

——————

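The server has received the client's certificate request

On the server, sign the certificate for client.example.com

# puppetca -s client.example.com

Or sign for all clients at once

# puppetca -s -a

Check the signatures; note the leading + sign, which shows the certificate has been signed

# puppetca -a --list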

———————

+ client.example.com (19:6F:4C:84:B1:69:16:3C:A1:38:C2:2E:6F:B6:67:12)

———————

Use md5 to check that the certificate the server holds is correct

(server):

# md5sum /var/lib/puppet/ssl/ca/signed/client.example.com.pem

———————

1ebfd47775ec8f3e2ae112d75ccba132 /var/lib/puppet/ssl/ca/signed/client.example.com.pem

———————

(client):

# md5sum /var/lib/puppet/ssl/certs/client.example.com.pem

———————

1ebfd47775ec8f3e2ae112d75ccba132  /var/lib/puppet/ssl/certs/client.example.com.pem

———————

The MD5 values are identical, which shows that our puppetmaster and the client's puppet have established communication successfully
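
Added example, not part of the original notes: the md5sum comparison above happens after signing, while the CSR fingerprint the agent prints can be compared with the `puppetca --list` entry before signing. The script below signs a single certname only when the two fingerprints match; `listed_fp`, `csr_matches`, `sign_if_verified` and the second sample entry are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample of `puppetca --list` output: the first entry is the one
# shown on this page, the second is made up.
SAMPLE_LIST='client.example.com (32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99)
other.example.com (AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99)'

# normalize_fp FP: uppercase the fingerprint and keep only its hex digits
normalize_fp() {
    printf '%s' "$1" | tr 'a-f' 'A-F' | tr -cd '0-9A-F'
}

# listed_fp LIST CERTNAME: print the fingerprint listed for exactly CERTNAME
listed_fp() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { sub(/^[+-]?[ \t]*/, "") }     # drop a leading "+" (already signed) marker
        $1 == name { gsub(/[()]/, "", $2); print $2; exit }'
}

# csr_matches LIST CERTNAME AGENT_FP: succeed only on an exact md5 fingerprint match
csr_matches() {
    want=$(normalize_fp "$3")
    have=$(normalize_fp "$(listed_fp "$1" "$2")")
    [ "${#want}" -eq 32 ] && [ "$want" = "$have" ]
}

# sign_if_verified CERTNAME AGENT_FP: run on the master in place of `puppetca -s -a`
sign_if_verified() {
    list=$(puppetca --list) || return 2
    if csr_matches "$list" "$1" "$2"; then
        puppetca -s "$1"
    else
        echo "fingerprint mismatch for $1, not signing" >&2
        return 1
    fi
}
```

AGENT_FP is the value from the agent's "Certificate Request fingerprint (md5)" line, carried to the master over a separate channel.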

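Note: if changing a hostname breaks authentication, the certificate has to be requested again. This can be done in the following two steps:

(server):

# rm -rf /var/lib/puppet/ssl/ca/signed/*.pem  # "*.pem" stands for the certificate of the host whose name was changed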

(client):

# rm -rf /var/lib/puppet/ssl/

Configuration is complete; now verify that distribution works:

(server):

Edit the configuration file on the server:

# vi /etc/puppet/manifests/site.pp

—————–

node default{

  file { "/tmp/test":

          content=> "this is a test file";

}

}

—————–

Restart puppetmaster to pick up the updated configuration.

# service puppetmaster restart

(client):

Restart puppet (optional)

# service puppet restart

Sync the file:

# puppetd --server server.example.com --test

——————

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for client.example.com

info: Caching certificate_revocation_list for ca

info: Caching catalog for client.example.com

info: Applying configuration version '1369124449'

notice: /Stage[main]//Node[default]/File[/tmp/test]/ensure: defined content as '{md5}100b144907af2a4786003758a0a6a563'

info: Creating state file /var/lib/puppet/state/state.yaml

notice: Finished catalog run in 0.02 seconds

——————

Check the /tmp/test file and its contents

# cat /tmp/test

———–

this is a test file

———–

———– All done ————-

Puppet's individual functional modules are not covered in detail here

For the related documentation, see: http://www.linuxidc.com/Linux/2013-05/84739.htm
