  • Installing Puppet 3.x on CentOS 6.3

    I. System environment:

    Hostname        IP (static)        OS                           Configuration                       Notes
    puppetserver    192.168.100.241    CentOS-6.3-x86_64-minimal    1 CPU, 1G RAM, 10G disk, 1 NIC      Puppet Server
    client01        192.168.100.242    CentOS-6.3-x86_64-minimal    1 CPU, 1G RAM, 10G disk, 1 NIC      Puppet Client

    ***************************************************************************************************

    II. Puppet Server installation:

    1. Preparation:

    [root@puppetserver ~]# sed -i "7s/enforcing/disabled/" /etc/selinux/config            # disable SELinux

    [root@puppetserver ~]# vi /etc/sysconfig/iptables                  # edit the firewall rules to open ports 8140 and 3000


    -A INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT

    -A INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT

    [root@puppetserver ~]# reboot


    2. Configure the NTP service:

    See: "Installing and Configuring the NTP Service on CentOS 6.3"


    3. Configure the hosts file:

    [root@puppetserver ~]# vi /etc/hosts

    192.168.100.241   puppetserver

    192.168.100.242   client01

    192.168.100.243   client02


    4. Install Puppet Server:

    [root@puppetserver ~]# rpm -Uvh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-6.noarch.rpm

    [root@puppetserver ~]# yum -y install puppet-server

    [root@puppetserver ~]# chkconfig --level 3 puppetmaster on

    [root@puppetserver ~]# service puppetmaster start


    5. Install and configure the MySQL database:

    [root@puppetserver ~]# yum -y install mysql mysql-devel mysql-server

    [root@puppetserver ~]# service mysqld start

    [root@puppetserver ~]# mysqladmin -u root password 'chensh'        # set the MySQL root password to chensh


    6. Install Dashboard:

    [root@puppetserver ~]# yum -y install puppet-dashboard


    7. Configure Dashboard's database.yml file:

    [root@puppetserver ~]# vi /usr/share/puppet-dashboard/config/database.yml

    Change the following part of the file:


    production:
      database: dashboard
      username: root
      password: chensh
      encoding: utf8
      adapter: mysql

    8. Create the Dashboard database, named dashboard:

    [root@puppetserver ~]# mysql -uroot -pchensh -e 'create database dashboard character set utf8'


    9. Configure Dashboard's environment.rb file:

    [root@puppetserver ~]# vi /usr/share/puppet-dashboard/config/environment.rb

    Change config.time_zone = 'UTC' to config.time_zone = 'Beijing'


    10. Edit the /etc/sysconfig/puppet file:

    [root@puppetserver ~]# vi /etc/sysconfig/puppet


    # The puppetmaster server

      PUPPET_SERVER=puppetserver


    # If you wish to specify the port to connect to do so here

      PUPPET_PORT=8140


    # Where to log to. Specify syslog to send log messages to the system log.

      PUPPET_LOG=/var/log/puppet/puppet.log


    # You may specify other parameters to the puppet client here

    # PUPPET_EXTRA_OPTS=--waitforcert=500


    11. Edit the /etc/puppet/puppet.conf file:

    [root@puppetserver ~]# vi /etc/puppet/puppet.conf


    [main]

        # The Puppet log directory.

        # The default value is '$vardir/log'.

        logdir = /var/log/puppet


        # Where Puppet PID files are kept.

        # The default value is '$vardir/run'.

        rundir = /var/run/puppet


        # Where SSL certificates are kept.

        # The default value is '$confdir/ssl'.

        ssldir = $vardir/ssl

        # Set up Dashboard reporting.

        reports = store,http,log

        server = puppetserver 

    [agent]

        # The file in which puppetd stores a list of the classes

        # associated with the retrieved configuration.  Can be loaded in

        # the separate ``puppet`` executable using the ``--loadclasses``

        # option.

        # The default value is '$confdir/classes.txt'.

        classfile = $vardir/classes.txt


        # Where puppetd caches the local configuration.  An

        # extension indicating the cache format is added automatically.

        # The default value is '$confdir/localconfig'.

        localconfig = $vardir/localconfig

        # Set the check interval to 3600 s.

        runinterval = 3600



    12. Initialize the Dashboard database:

    [root@puppetserver ~]# cd /usr/share/puppet-dashboard

    [root@puppetserver puppet-dashboard]# rake RAILS_ENV=production db:migrate


    13. Start the services:

    [root@puppetserver ~]# /etc/init.d/puppetmaster start                          # Puppet master process, listens on port 8140

    [root@puppetserver ~]# /etc/init.d/puppet-dashboard start                   # Puppet web UI, port 3000 by default

    [root@puppetserver ~]# /etc/init.d/puppet-dashboard-workers start      # worker process added in newer versions; if it is not started, no data appears in Dashboard


    14. Open the Dashboard web UI: http://192.168.100.241:3000


    III. Puppet Client installation:

    1. Preparation:

    [root@client01 ~]# sed -i "7s/enforcing/disabled/" /etc/selinux/config            # disable SELinux

    [root@client01 ~]# vi /etc/sysconfig/iptables                  # edit the firewall rules to open port 8140


    -A INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT

    [root@client01 ~]# reboot


    2. Configure the NTP client service:

    See: "Installing and Configuring the NTP Service on CentOS 6.3"


    3. Configure the hosts file:

    [root@client01 ~]# vi /etc/hosts

    192.168.100.241   puppetserver

    192.168.100.242   client01

    192.168.100.243   client02


    4. Install Puppet Client:

    [root@client01 ~]# rpm -Uvh http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-6.noarch.rpm

    [root@client01 ~]# yum -y install puppet


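    5. Specify the Puppet master name:

    [root@client01 ~]# echo 'server = puppetserver'  >> /etc/puppet/puppet.conf

    [root@client01 ~]# echo 'report = true'  >> /etc/puppet/puppet.conf             # send reports to the server (the agent setting is "report"; "reports" is the master's list of report processors)


    6. Start Puppet Client: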

    [root@client01 ~]# chkconfig --level 3 puppet on

    [root@client01 ~]# service puppet start


    IV. Client certificate request and server-side signing:


    1. Request a certificate from the client:

    [root@client01 ~]# puppet agent --test --server puppetserver                            # plain "puppet agent --test" also works

    Info: Creating a new SSL key for client01

    Info: Caching certificate for ca

    Info: Creating a new SSL certificate request for client01

    Info: Certificate Request fingerprint (SHA256): 69:45:4C:45:17:A9:7C:6F:24:04:8F:0B:F7:44:4D:4D:59:BA:4F:9D:71:35:04:3F:8F:29:0E:63:50:55:16:F3

    Exiting; no certificate found and waitforcert is disabled

    [root@client01 ~]# 


    2. View the pending certificate requests on the server:

    [root@puppetserver ~]# puppet cert --list

      "client01"               (SHA256) 69:45:4C:45:17:A9:7C:6F:24:04:8F:0B:F7:44:4D:4D:59:BA:4F:9D:71:35:04:3F:8F:29:0E:63:50:55:16:F3

    [root@puppetserver ~]# 


    3. Sign the certificate on the server:

    [root@puppetserver ~]# puppet cert --sign client01                                                   # with several requests, puppet cert --sign --all signs them in bulk

    Notice: Signed certificate request for client01

    Notice: Removing file Puppet::SSL::CertificateRequest client01 at '/var/lib/puppet/ssl/ca/requests/client01.pem'

    [root@puppetserver ~]# 


    4. List the signed certificates:

    [root@puppetserver~]# puppet cert --list --all

    + "client01"              (SHA256) 37:5D:E3:E4:09:07:BA:41:16:D5:16:0A:B0:1F:67:5A:20:BB:65:CB:21:EE:A6:C3:30:DB:C6:77:01:9F:EF:18

    [root@puppetserver~]# 
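
    An added example (not part of the original post): before running puppet cert --sign, the fingerprint the agent printed for its request can be compared with the one puppet cert --list shows on the server. The function names are hypothetical, and the sample text is built from the sessions shown above.

```bash
#!/usr/bin/env bash
# Added example: confirm a pending CSR is the one the agent generated
# before signing it. Function names are hypothetical.

# Fingerprint the agent printed when it created its request.
agent_fingerprint() {    # $1 = text printed by "puppet agent --test"
  printf '%s\n' "$1" |
    sed -n 's/.*Certificate Request fingerprint (SHA256): \([0-9A-F:]*\).*/\1/p' |
    head -n 1
}

# Fingerprint "puppet cert --list" shows for one pending certname.
# Signed ("+") and revoked ("-") entries are deliberately not matched.
pending_fingerprint() {  # $1 = list output, $2 = certname
  printf '%s\n' "$1" |
    awk -v name="\"$2\"" '$1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# 0 = match, 1 = mismatch, 2 = no valid agent fingerprint, 3 = no pending request
csr_matches() {          # $1 = agent output, $2 = list output, $3 = certname
  fp_agent=$(agent_fingerprint "$1")
  fp_pending=$(pending_fingerprint "$2" "$3")
  printf '%s\n' "$fp_agent" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$' || return 2
  [ -n "$fp_pending" ] || return 3
  [ "$fp_agent" = "$fp_pending" ]
}

# Sample text, constructed from the client and server sessions shown above.
FP='69:45:4C:45:17:A9:7C:6F:24:04:8F:0B:F7:44:4D:4D:59:BA:4F:9D:71:35:04:3F:8F:29:0E:63:50:55:16:F3'
AGENT_OUT="Info: Creating a new SSL certificate request for client01
Info: Certificate Request fingerprint (SHA256): $FP"
LIST_OUT="  \"client01\"               (SHA256) $FP"

if csr_matches "$AGENT_OUT" "$LIST_OUT" client01; then
  echo "fingerprints match: puppet cert --sign client01"
else
  echo "do not sign client01 (status $?)"
fi
```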

    ******************************************************************************

    V. Certificate revocation:

    1. Revoke the certificate:

    [root@puppetserver~]# puppet cert revoke client01

    Notice: Revoked certificate with serial 5

    [root@puppetserver~]# 


    2. Check the certificate's current status:

    [root@puppetserver~]# puppet cert list --all

    - "client01"              (SHA256) 37:5D:E3:E4:09:07:BA:41:16:D5:16:0A:B0:1F:67:5A:20:BB:65:CB:21:EE:A6:C3:30:DB:C6:77:01:9F:EF:18 (certificate revoked)

    [root@puppetserver~]#


    3. Restart puppetmaster:

    [root@puppetserver ~]# /etc/init.d/puppetmaster restart


    VI. Certificate deletion:


    1. Delete the certificate:

    [root@puppetserver~]# puppet cert clean client01

    Notice: Revoked certificate with serial 5

    Notice: Removing file Puppet::SSL::Certificate client01 at '/var/lib/puppet/ssl/ca/signed/client01.pem'

    Notice: Removing file Puppet::SSL::Certificate client01 at '/var/lib/puppet/ssl/certs/client01.pem'

    [root@puppetserver~]# 


    2. Restart puppetmaster:

    [root@puppetserver ~]# /etc/init.d/puppetmaster restart


    3. Delete the client's client01.pem file, or the whole SSL directory:

    [root@client01 ~]# rm -rf /var/lib/puppet/ssl/certs/client01.pem                          # delete the client01.pem file

    [root@client01 ~]# rm -rf /var/lib/puppet/ssl/*                                                    # delete everything under the ssl directory


    VII. Automatic certificate signing:

    [root@puppetserver ~]# echo "*"   >>  /etc/puppet/autosign.conf
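
    An added example (not part of the original post): a "*" entry in autosign.conf makes the master sign a certificate request from any host that can reach port 8140, so the file is worth auditing. The helper names classify_entry and autosign_audit are hypothetical, and the classification assumes autosign.conf holds one certname or leading "*." domain glob per line, with # comment lines.

```bash
#!/usr/bin/env bash
# Added example: audit autosign.conf entries. Helper names are hypothetical.

# Classify one entry: any | glob | exact | invalid
classify_entry() {
  case "$1" in
    '*') echo any ;;                       # every CSR is signed, from any host
    '*.'*)                                 # domain glob such as *.example.com
      rest=${1#\*.}
      case "$rest" in
        ''|*[!A-Za-z0-9.-]*) echo invalid ;;
        *) echo glob ;;
      esac ;;
    ''|*[!A-Za-z0-9._-]*) echo invalid ;;  # stray quotes, inner wildcards, spaces
    *) echo exact ;;
  esac
}

# Print "line:class:entry" for each entry; return 1 if any entry is
# "any" or "invalid", 0 if the file holds only exact names and domain globs.
autosign_audit() {   # $1 = path to autosign.conf
  audit_rc=0; lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    entry=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$entry" in ''|'#'*) continue ;; esac
    class=$(classify_entry "$entry")
    echo "$lineno:$class:$entry"
    case "$class" in any|invalid) audit_rc=1 ;; esac
  done < "$1"
  return "$audit_rc"
}

# Constructed sample file, not taken from a real server.
demo_autosign() {
  sample=$(mktemp)
  printf '%s\n' '# lab hosts' 'client01' '*.lab.example.com' '*' > "$sample"
  autosign_audit "$sample"; demo_rc=$?
  rm -f "$sample"
  return "$demo_rc"
}

demo_autosign || echo "autosign.conf contains entries that should be narrowed"
```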

    ******************************************************************************


    Troubleshooting:

    Problem 1:

    Database initialization fails with the following error:

    [root@puppetmaster puppet-dashboard]#  rake RAILS_ENV=production db:migrate

    rake aborted!

    syntax error on line 49, col 2: `  encoding: utf8'

    (See full trace by running task with --trace)


    Solution:

    [root@puppetmaster puppet-dashboard]# vi /usr/share/puppet-dashboard/config/database.yml


    production:
      database: dashboard
      username: root
      password:chensh
      encoding: utf8
      adapter: mysql

    Change "password:chensh" to "password: chensh" (that is, add a space after the colon), then run "rake RAILS_ENV=production db:migrate" again.


    Problem 2:

    [root@client01 ~]# puppet agent --test

    Error: Could not request certificate: Connection timed out - connect(2)

    Exiting; failed to retrieve certificate and waitforcert is disabled

    [root@client01 ~]#

    Solution:

    Check the network, SELinux, iptables, and whether the IP addresses and hostnames in the hosts file are configured correctly.


    Problem 3:

    [root@puppetserver puppet]# /etc/init.d/puppet-dashboard-workers restart

    Rails Error: Unable to access log file. Please ensure that /usr/share/puppet-dashboard/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.


    Solution:

    [root@puppetserver puppet]#  chmod -R 666 /usr/share/puppet-dashboard/log/production.log




  • Original article: https://www.cnblogs.com/myiaas/p/4161372.html