CentOS5上如何安裝Puppet?
1.puppet介紹
Puppet是Puppet Labs基于ruby語言開發的自動化系統配置工具,可以以C/S模式或獨立模式運行,支持對所有UNIX及類UNIX系統的批量配置和管理,***版本也開始支持對Windows操作系統有限的一些管理。
Puppet適用于服務器管理的整個過程,比如初始安裝、配置、更新以及系統下線。
2.puppet安裝與配置
2.1服務器端安裝
安裝puppet-Server
首先在服務器端和客戶端配置好hostname,因為puppet是基于hostname來檢測的,同時都要修改hosts文件:
Puppet需要Ruby的支持,如果要查看命令行幫助的話需要額外ruby-rdoc這個軟件包:
1.下載puppetlabs-release-5-5.noarch.rpm
參考網址:http://yum.puppetlabs.com/el/5/products/x86_64
安裝
- [root@service~]#rpm-ivhpuppetlabs-release-5-5.noarch.rpm
- [root@service~]#yuminstallpuppet-server-y
- …
- Installed:
- puppet-server.noarch0:2.7.19-1.el5
- DependencyInstalled:
- augeas-libs.x86_640:0.10.0-3facter.x86_641:1.6.11-1.el5puppet.noarch0:2.7.19-1.el5
- ruby.x86_640:1.8.5-24.el5ruby-augeas.x86_640:0.4.1-1ruby-libs.x86_640:1.8.5-24.el5
- ruby-shadow.x86_640:1.4.1-7
#這一步為默認安裝rubyruby-libsruby-rdoc等軟件包
- [root@service~]#/etc/init.d/puppetmasterstart
關閉iptables,關閉selinux
- [root@service~]#/etc/init.d/iptablesstop
- [root@service~]#sed-i'/SELINUX/s/enforcing/disabled/'/etc/selinux/config
2.2客戶端安裝
安裝puppet
在client上安裝puppet客戶端:
Puppet需要Ruby的支持,如果要查看命令行幫助的話需要額外ruby-rdoc這個軟件包:
- [root@service~]#rpm-ivhpuppetlabs-release-5-5.noarch.rpm
- [root@service~]#yuminstallpuppet–y
- …
- Installed:
- puppet.noarch0:2.7.19-1.el5
- DependencyInstalled:
- augeas-libs.x86_640:0.10.0-3facter.x86_641:1.6.11-1.el5
- ruby.x86_640:1.8.5-24.el5ruby-augeas.x86_640:0.4.1-1
- ruby-libs.x86_640:1.8.5-24.el5ruby-shadow.x86_640:1.4.1-7
- Complete!
安裝完畢!
2.3證書申請
Puppet客戶端與服務器端是通過SSL隧道通信的,客戶端安裝完成后,需要向服務器端申請證書:
審批證書
a:client申請證書:
puppetd --test --server server.puppet.com
有出現SSl session字樣
- [root@client~]#puppetd--test--serverserver.puppet.com
- info:CreatinganewSSLkeyforclient.puppet.com
- info:Cachingcertificateforca
- info:CreatinganewSSLcertificaterequestforclient.puppet.com
- info:CertificateRequestfingerprint(md5):74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE
- Exiting;nocertificatefoundandwaitforcertisdisabled
b:server接受申請
- [root@server~]#puppetca--list
- "client.puppet.com"(74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE)
顯示申請的client
批準證書
- [root@server~]#puppetca-sclient.puppet.com
- notice:Signedcertificaterequestforclient.puppet.com
- notice:RemovingfilePuppet::SSL::CertificateRequestclient.puppet.comat'
- /var/lib/puppet/ssl/ca/requests/client.puppet.com.pem'
puppetca –s hostname批準當前證書
puppetca -s -a簽署所有證書請求
c:client取回已經通過的審批證書
- [root@client~]#puppetd--test--serverserver.puppet.com
- info:Cachingcertificateforclient.puppet.com
- info:Cachingcertificate_revocation_listforca
- info:Cachingcatalogforclient.puppet.com
- info:Applyingconfigurationversion'1346237401'
- notice:Finishedcatalogrunin0.02seconds
完成
附:可能存在的錯誤
報錯
- [root@client-109 ~]# puppetd -server server.puppet.com -test
- err: Could not retrieve catalog from remote server: certificate verify failed
- warning: Not using cache on failed catalog
- err: Could not retrieve catalog; skipping run
原因:服務端與客戶端時間不同步!
2.)報錯
- [root@client ~]# puppetd --server server.puppet.com --test
- err: Could not retrieve catalog from remote server: Server hostname 'server.puppet.com'
- did not match server certificate; expected one of service.puppet.com,
- DNS:puppet, DNS:puppet.puppet.com, DNS:service.puppet.com
原因:服務端hostname有誤,檢查server端的hostname!
3).報錯
- [root@client~]#puppetd--test--serverserver.puppet.com
- err:Couldnotretrievecatalogfromremoteserver:certificateverifyfailed:
- [selfsignedcertificateincertificatechainfor/CN=PuppetCA:server.puppet.com]
- warning:Notusingcacheonfailedcatalog
- err:Couldnotretrievecatalog;skippingrun
- err:Couldnotsendreport:certificateverifyfailed:
- [selfsignedcertificateincertificatechainfor/CN=PuppetCA:server.puppet.com]
原因:
如以上出現error字樣則刪除client上的ssl文件夾
- err:Couldnotretrievecatalogfromremoteserver:certificateverifyfailed
- warning:Notusingcacheonfailedcatalog
- err:Couldnotretrievecatalog;skippingrun
- rm-rf/var/lib/puppet/ssl/
- 再次循環申請證書puppetd--test--serverserver.puppet.com
2.4驗證puppet配置
在服務端寫個例子測試一下。這個例子作用很簡單,用來在客戶端的/tmp目錄下新建一個test.txt文件,內容為:hello,test!
在服務端編寫代碼:【服務器端不需要新建這個文件】
- vi/etc/puppet/manifests/site.pp
- nodedefault{
- file{
- "/tmp/test.txt":content=>"helo,test!";
- }
- }
2.5客戶端測試
在客戶端執行puppetd,運行成功后會在/tmp看到新生成的test.txt:
- [root@client~]#puppetd--test--serverserver.puppet.com
- #顯示如下
- info:Cachingcatalogforclient.puppet.com
- info:Applyingconfigurationversion'1346237596'
- notice:/Stage[main]//Node[default]/File[/tmp/test.txt]/ensure:definedcontentas'
- {md5}d7568aced6a958920309da96080e88e0'
- notice:Finishedcatalogrunin0.03seconds
***查看cat/tmp/test.txt
hello,test!
此致puppet服務器端和客戶端安裝完畢,接下來就是深入的配置了。
2.6客戶端設置守護進程
方法一:啟動puppet后臺運行
[root@client tmp]# puppetd --server server.puppet.com--verbose --waitforcert 60
注釋:--server master指明服務器節點地址
--waitforcert連接server檢查的時間間隔,60分鐘
--verbose輸出冗余信息(可選選項)
方法二:得用crontab作定時同步
3.深入了解puppet
3.1環境架構圖
3.2服務端配置目錄樹
- |--fileserver.conf
- |--manifests
- ||--nodes.pp
- |`--site.pp
- |--modules#定義模塊
- |`--users
- ||--file
- ||--manifests
- |||--adduser.pp
- |||--deluser.pp
- |||--init.pp
- |||--na.pp
- ||`--sa.pp
- |`--templates
- ||--caojin_authorized_keys.erb
- |`--jiaxin_authorized_keys.erb
- |--puppet.conf#主配置配置文件
3.3用戶管理模塊
user mofules目錄樹
- users
- |--file
- |--manifests
- ||--adduser.pp#添加用戶類
- ||--deluser.pp#刪除用戶
- ||--init.pp
- ||--na.pp
- |`--sa.pp
- `--templates
- |--caojin_authorized_keys.erb#用戶key
- `--jiaxin_authorized_keys.erb#用戶key
adduser.pp 文件
- classlinux::adduser{
- defineadd_user($username=,$useruid=,$userhome=,$usershell='/bin/bash',$groups)
- {
- user
- {$username:
- uid=>$useruid,
- shell=>$usershell,
- groups=>$groups,
- home=>"/home/$userhome",
- }
- file
- {"/home/$userhome":
- owner=>$useruid,
- group=>$useruid,
- mode=>700,
- ensure=>directory;
- }
- file
- {"/home/$userhome/.ssh":
- owner=>$useruid,
- group=>$useruid,
- mode=>700,
- ensure=>directory,
- require=>File["/home/$userhome"];
- }
- file
- {"/home/$userhome/.ssh/authorized_keys":
- owner=>$useruid,
- group=>$useruid,
- mode=>600,
- ensure=>present,
- content=>template("users/${userhome}_authorized_keys.erb"),
- require=>File["/home/$userhome/.ssh"];
- }
- }
- }
deluser.pp
- deluser.pp
- classlinux::deluser
- {
- user
- {
- "caojin":
- ensure=>absent,
- }
- }
sa.pp
- import"adduser.pp"
- classlinux::adduser::sainheritslinux::adduser
- {
- add_user
- {
- "jiaxin":
- useruid=>2000,
- username=>jiaxin,
- userhome=>"jiaxin",
- groups=>$operatingsystem?{
- Ubuntu=>["admin"],
- CentOS=>["wheel"],
- RedHat=>["wheel"],
- default=>["wheel"],
- },
- }
- }
