环境说明:
192.168.154.137 master.localdomain #Puppet Server
192.168.154.138 agent1.localdomain #Puppet Agent
这里的机器名称不要有下划线等特殊符合,否则后面会报“the scheme puppet does not accept registry part”这样的错误信息。
centos的官方软件库里面不包含puppet包,但是在epel项目里面有包含puppet包。epel 是一个对rhel软件仓库的扩展,把一些有用的,但是rhel库没包含的软件收集在一起做成的一个软件仓库。
$ yum install epel-release
1. 安装Puppet Server
$ hostnamectl set-hostname master.localdomain #设置机器名称 $ systemctl reboot #重启 $ cat /etc/hosts 192.168.154.137 master.localdomain 192.168.154.138 agent1.localdomain $ yum install puppet-server #安装Puppet Server # firewall-cmd --permanent --add-port=8140/tcp6 #修改防火墙,增加8140端口
2. 安装Puppet Agent
$ hostnamectl set-hostname agent1.localdomain #设置机器名称 $ systemctl reboot #重启 $ cat /etc/hosts 192.168.154.137 master.localdomain $ yum install puppet #安装Puppet Agent
3. 测试Puppet
创建测试文件site.pp(Server端):
$ cat /etc/puppet/manifests/site.pp node default { file { "/tmp/helloworld.txt" : content => "Hello World!", } }
启动server,以no-daemonize方式,这样可以在控制台看到操作信息(Server端):
$ puppet master --no-daemonize --debug ... ... Notice: Starting Puppet master version 3.6.2 #启动成功,会看到这样的信息
编辑客户端puppet.conf,增加server配置项(Agent端):
$ cat /etc/puppet/puppet.conf [agent] ... ... server = master.localdomain
启动agent(Agent端,以root用户):
$ puppet agent --test Info: Creating a new SSL key for agent1.localdomain Info: Caching certificate for ca Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml Info: Creating a new SSL certificate request for agent1.localdomain Info: Certificate Request fingerprint (SHA256): 1D:08:61:3B:1F:43:8C:B5:81:83:0F:FF:CC:4A:4F:8E:BA:B4:5F:7C:94:77:15:72:A2:0C:C0:44:D9:1D:16:9E Info: Caching certificate for ca Exiting; no certificate found and waitforcert is disabled
启动后,agent向server申请证书,因为证书还没有被server审核,所以目前通信是不成功的。
回到server,通过puppet cert查询证书:
$ puppet cert list --all "agent1.localdomain" (SHA256) 1D:08:61:3B:1F:43:8C:B5:81:83:0F:FF:CC:4A:4F:8E:BA:B4 + "master.localdomain" (SHA256) 47:A1:12:28:22:05:75:A5:E5:92:2B:F6:53:05:A8:D6:1F:9B
证书列表中有cs_agnet1的申请,目前是未审核状态(最前面没有+)。审核证书:
$ puppet cert sign agent1.localdomain $ puppet cert list --all + "agent1.localdomain" (SHA256) 39:7F:59:A8:3C:B8:EF:B9:E2:AD:1D:5C:D7:66:B6:02:CF:70 + "master.localdomain" (SHA256) 47:A1:12:28:22:05:75:A5:E5:92:2B:F6:53:05:A8:D6:1F:9B:
再次启动agent:
# puppet agent --test Info: Retrieving pluginfacts Info: Retrieving plugin Info: Caching catalog for agent1.localdomain Info: Applying configuration version '1479087051' Notice: /Stage[main]/Main/Node[default]/File[/tmp/helloworld.txt]/ensure: defined content as '{md5}ed076287532e86365e841e92bfc50d8c' Notice: Finished catalog run in 0.02 seconds
这时候,查看/tmp/helloworld.txt,该文件就自动同步了。
在证书申请过程中,如果有问题,可以删除证书重新申请,一般都能解决问题。
Agent: $ rm -rf /var/lib/puppet #删除缓存文件 Server: $ puppet cert clean agent1.localdomain
Q1. 服务端找不到证书?
在测试时,先启动Server,再通过Agent测试,回到Server通过puppet cert list --all怎么都找不到证书。
后来发现问题原因是这样的:在Server端,puppet.conf使用的是默认配置:
[main]
# Where SSL certificates are kept.
ssldir = $vardir/ssl
然后用admin帐号(不是root,另外创建的帐号)启动Server:
[admin@master ~]$ sudo puppet master --no-daemonize --debug
这时候,Agent传过来的证书申请实际上都存放在/home/admin/.puppet/ssl/目录下。然后,我再开了另外一个SSH Client,用的是不同的root帐号,结果就是怎么也找不到证书了。所以,在配置Server端时,ssldir最好这样配置:
ssldir = /var/lib/puppet/ssl
Q2. 自动审核证书?
创建autosign.conf文件:
$ cat /etc/puppet/autosign.conf *.localdomain
修改Server配置:
$ cat /etc/puppet/puppet.conf [master] autosign = /etc/puppet/autosign.conf
删除Server和Agent的过期证书:
Server: $ puppet cert clean --all Agent: $ rm -rf /var/lib/puppet
OK,这样就可以了。
Q3. 一个简单的site.pp例子
$ cat /etc/puppet/manifests/site.pp node default { file { '/tmp/hello.txt': content => 'Hello World!', } user { 'admin': ensure => 'present', comment => 'admin', gid => '1000', groups => ['wheel', 'admin'], home => '/home/admin', password => '$6$o.PFkMC14Xd2gOTk$atsNGzVmLFtQlvVr9imERjmw9n8vNr0quliqW6EdcZR6zyXFGfUv3EIbc9UZd3kJDIuxuMfyonVdm0OT5SJHM.', password_max_age => '99999', password_min_age => '0', shell => '/bin/bash', uid => '1000', } package { 'epel-release': ensure => 'installed', } package { 'tcping': ensure => 'installed', } package { 'tree': ensure => 'installed', } package { 'net-tools': ensure => 'installed', } service { 'firewalld.service': ensure => 'stopped', enable => 'false', } exec { "selinux": command => "setenforce 0", path => "/usr/bin:/usr/sbin:/bin:/sbin", unless => "getenforce |grep -i Permissive", } }
网上找到的两个例子: anjuke-puppet.rar vmx_puppet.rar