本文介绍Puppet Master及Agent相关的安装及配置。
一. 官网下载Puppet安装YUM源
[root@puppet-master ~]# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
Retrieving https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
warning: /var/tmp/rpm-tmp.F1Q84J: Header V4 RSA/SHA512 Signature, key ID 4bd6ec30: NOKEY
Preparing... ########################################### [100%]
1:puppetlabs-release ########################################### [100%]
[root@puppet-master ~]# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
warning: /var/tmp/rpm-tmp.7HTwmp: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing... ########################################### [100%]
1:epel-release ########################################### [100%]
[root@puppet-master ~]#
【修改puppetlabs.repo】
[root@puppet-master yum.repos.d]# sed -i s/gpgcheck=1/gpgcheck=0/g puppetlabs.repo ##不修改安装不上
##说明:上面安装release包时出现的"NOKEY"警告表示签名公钥尚未导入,所以yum的签名校验会失败。gpgcheck=0会关闭该仓库所有软件包的签名校验;更稳妥的做法是先导入仓库的GPG公钥(rpm --import <公钥文件或URL>),再保留gpgcheck=1。
##Agent端配置同上!!
二. 安装Puppetmaster
(1)安装相关软件包
[root@puppet-master yum.repos.d]# yum install -y puppet-server facter puppet ###相关依赖系统会自动安装,前提YUM源安装完善
(2)修改puppet.conf主配置文件
[root@puppet-master ~]# vim /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet ###默认存放日志路径
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet ###pid存放路径
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl ###证书存放目录,$vardir为/var/lib/puppet
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuratiion. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
certname = puppet-master.nlf.com
server = puppet-master.nlf.com ###设置agent认证连接master端的服务器名称,此名称必须得能够解析
[master]
certname = puppet-master.nlf.com ###设置puppetmaster认证服务器名称
[root@puppet-master ~]#
(3)启动puppetmaster服务
[root@puppet-master ~]# /etc/init.d/puppetmaster start
Starting puppetmaster: [ OK ]
[root@puppet-master ~]# chkconfig puppetmaster on ###设置开机启动
[root@puppet-master ~]# chkconfig --list|grep puppetmaster
puppetmaster 0:off 1:off 2:on 3:on 4:on 5:on 6:off
(4) 查看puppetmaster是否自动验证自己身份
[root@puppet-master ~]# tree /var/lib/puppet/ssl/ ###tree工具需要安装
/var/lib/puppet/ssl/
├── ca
│ ├── ca_crl.pem
│ ├── ca_crt.pem
│ ├── ca_key.pem
│ ├── ca_pub.pem
│ ├── inventory.txt
│ ├── private
│ │ └── ca.pass
│ ├── requests
│ ├── serial
│ └── signed
│ └── puppet-master.nlf.com.pem
├── certificate_requests
├── certs
│ ├── ca.pem
│ └── puppet-master.nlf.com.pem
├── crl.pem
├── private
├── private_keys
│ └── puppet-master.nlf.com.pem
└── public_keys
└── puppet-master.nlf.com.pem
9 directories, 13 files
[root@puppet-master ~]# puppet cert --list -all ###带“+”表明注册成功
+ "puppet-master.nlf.com" (SHA256) 48:E6:9D:CF:ED:06:D7:45:D2:30:95:B7:33:5F:41:5F:3C:00:B2:A8:94:03:3A:C7:08:1B:0B:7D:F5:7F:3A:D8 (alt names: "DNS:puppet", "DNS:puppet-master.nlf.com", "DNS:puppet.nlf.com")
[root@puppet-master ~]#
(5)查看puppetmaster监听服务
[root@puppet-master ~]# netstat -tulnp |grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 26637/ruby
[root@puppet-master ~]# lsof -i:8140
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
puppet 26637 puppet 5u IPv4 39347 0t0 TCP *:8140 (LISTEN)
[root@puppet-master ~]#
三. 安装Agent客户端
(1)安装相关软件包
[root@puppet-agent1 ~]# yum install -y puppet facter
(2)修改puppet.conf主配置文件
[root@puppet-agent1 ~]# cat /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuratiion. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
certname = puppet-agent1.nlf.com ###设置本机的certname名称
server = puppet-master.nlf.com ###指向puppetmaster进行身份验证
[root@puppet-agent1 ~]#
四. Agent端向Master进行身份验证
Agent端向Master验证
首次验证不会通过:Agent只是生成密钥并向Master提交证书请求,需要Master端签署该请求后才能完成身份验证
[root@puppet-agent1 ~]# puppet agent -t
Info: Creating a new SSL key for puppet-agent1.nlf.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet-agent1.nlf.com
Info: Certificate Request fingerprint (SHA256): 89:C3:7E:20:B4:F2:0E:2D:A3:E7:92:21:9E:11:D2:F9:D1:16:7B:EB:AB:EA:5A:7E:9B:F8:6B:CC:80:5F:E8:08
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
[root@puppet-agent1 ~]#
Master端查看请求验证
在puppet-master通过puppet-agent1的请求验证,查看puppet-master需要验证的客户端
[root@puppet-master ~]# puppet cert --sign --list ##没有带“+”说明没有进行身份验证
"puppet-agent1.nlf.com" (SHA256) 89:C3:7E:20:B4:F2:0E:2D:A3:E7:92:21:9E:11:D2:F9:D1:16:7B:EB:AB:EA:5A:7E:9B:F8:6B:CC:80:5F:E8:08
[root@puppet-master ~]#
Master签署客户端的证书请求(签署前应核对上面列出的指纹与Agent端输出的Certificate Request fingerprint一致)
[root@puppet-master ~]# puppet cert --sign puppet-agent1.nlf.com
Notice: Signed certificate request for puppet-agent1.nlf.com
Notice: Removing file Puppet::SSL::CertificateRequest puppet-agent1.nlf.com at '/var/lib/puppet/ssl/ca/requests/puppet-agent1.nlf.com.pem'
[root@puppet-master ~]#
Agent端再次验证Master验证
[root@puppet-agent1 ~]# puppet agent -t
Info: Caching certificate for puppet-agent1.nlf.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for puppet-agent1.nlf.com
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: undefined method `include?' for nil:NilClass
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppet-agent1.nlf.com
Info: Applying configuration version '1482305454'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.01 seconds
[root@puppet-agent1 ~]#
查看通过身份验证的客户端的证书存放目录
[root@puppet-master ~]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
├── ca
│ ├── ca_crl.pem
│ ├── ca_crt.pem
│ ├── ca_key.pem
│ ├── ca_pub.pem
│ ├── inventory.txt
│ ├── private
│ │ └── ca.pass
│ ├── requests
│ ├── serial
│ └── signed
│ ├── puppet-agent1.nlf.com.pem
│ └── puppet-master.nlf.com.pem
├── certificate_requests
├── certs
│ ├── ca.pem
│ └── puppet-master.nlf.com.pem
├── crl.pem
├── private
├── private_keys
│ └── puppet-master.nlf.com.pem
└── public_keys
└── puppet-master.nlf.com.pem
9 directories, 14 files
[root@puppet-master ~]#
至此,Puppetmaster与Agent完成了C/S架构的部署,接下来就是相关资源的编写!