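Puppet Automated Deployment: Installation and Configuration (3)

  This article covers installing and configuring the Puppet Master and Agent.

I. Install the Puppet YUM repository from the official site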

 

[root@puppet-master ~]# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
Retrieving https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
warning: /var/tmp/rpm-tmp.F1Q84J: Header V4 RSA/SHA512 Signature, key ID 4bd6ec30: NOKEY
Preparing...                ########################################### [100%]
   1:puppetlabs-release     ########################################### [100%]
[root@puppet-master ~]# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
warning: /var/tmp/rpm-tmp.7HTwmp: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
[root@puppet-master ~]#

[Edit puppetlabs.repo]
[root@puppet-master yum.repos.d]# sed -i  s/gpgcheck=1/gpgcheck=0/g puppetlabs.repo  ## installation fails without this change

## Apply the same configuration on the Agent side!
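
Setting gpgcheck=0 switches off RPM signature verification for every package installed from that repository, on the master and on each agent configured the same way. The audit script below is an added example, not part of the original article; it lists the enabled sections of a .repo file that have signature checking off, and the sample file and its section names are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): list the enabled sections
# of a yum .repo file in which package signature checking is switched off.

# audit_repo FILE -> prints the name of every enabled section with gpgcheck=0
audit_repo() {
    awk '
        function value(line) {                # text after "=", trimmed
            sub(/^[^=]*=[ \t]*/, "", line)
            sub(/[ \t\r]+$/, "", line)
            return line
        }
        function report() {                   # emit the section just finished
            if (sec != "" && enabled != "0" && gpg == "0") print sec
        }
        /^[ \t]*[#;]/ { next }                # comment line
        /^[ \t]*\[[^]]+\]/ {                  # [section] header
            report()
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            gpg = ""; enabled = "1"           # yum enables a repo by default
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ { gpg = value($0) }
        /^[ \t]*enabled[ \t]*=/  { enabled = value($0) }
        END { report() }
    ' "$1"
}

# Constructed sample repo file (not the real puppetlabs.repo).
demo_audit() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
[sample-products]
enabled=1
gpgcheck=0

[sample-deps]
gpgcheck=1

[sample-devel]
enabled=0
gpgcheck=0
EOF
    audit_repo "$sample"
    rm -f "$sample"
}

demo_audit
```

Run `audit_repo` against each file under /etc/yum.repos.d on the master and the agents to see which repositories install unverified packages.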

 

 

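II. Install the Puppet master

  (1) Install the required packages

[root@puppet-master yum.repos.d]# yum install -y puppet-server facter puppet  ### dependencies are installed automatically, provided the YUM repositories are set up correctly

  (2) Edit the main configuration file puppet.conf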

[root@puppet-master ~]# vim /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet        ### default log directory

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet        ### PID file directory

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl           ### certificate directory; $vardir is /var/lib/puppet

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
    certname = puppet-master.nlf.com
    server = puppet-master.nlf.com ### name of the master server the agent authenticates against; this name must be resolvable

[master]
    certname = puppet-master.nlf.com ### certificate name of the puppetmaster
[root@puppet-master ~]#

  

  (3) Start the puppetmaster service

[root@puppet-master ~]# /etc/init.d/puppetmaster start
Starting puppetmaster:                                     [  OK  ]
[root@puppet-master ~]# chkconfig puppetmaster on ### enable at boot
[root@puppet-master ~]# chkconfig --list|grep puppetmaster
puppetmaster   	0:off	1:off	2:on	3:on	4:on	5:on	6:off

  (4) Check whether the puppetmaster has automatically verified its own identity

[root@puppet-master ~]# tree /var/lib/puppet/ssl/     ### the tree utility must be installed
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       └── puppet-master.nlf.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppet-master.nlf.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppet-master.nlf.com.pem
└── public_keys
    └── puppet-master.nlf.com.pem

9 directories, 13 files
[root@puppet-master ~]# puppet cert --list -all    ### a leading "+" means registration succeeded
+ "puppet-master.nlf.com" (SHA256) 48:E6:9D:CF:ED:06:D7:45:D2:30:95:B7:33:5F:41:5F:3C:00:B2:A8:94:03:3A:C7:08:1B:0B:7D:F5:7F:3A:D8 (alt names: "DNS:puppet", "DNS:puppet-master.nlf.com", "DNS:puppet.nlf.com")
[root@puppet-master ~]#

  (5) Check the port the puppetmaster is listening on

[root@puppet-master ~]# netstat -tulnp |grep 8140
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      26637/ruby
[root@puppet-master ~]# lsof -i:8140
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
puppet  26637 puppet    5u  IPv4  39347      0t0  TCP *:8140 (LISTEN)
[root@puppet-master ~]#

  

III. Install the Agent client

   (1) Install the required packages

[root@puppet-agent1 ~]# yum install -y puppet facter

   (2) Edit the main configuration file puppet.conf

[root@puppet-agent1 ~]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
    certname = puppet-agent1.nlf.com ### the certname of this host
    server = puppet-master.nlf.com     ### the puppetmaster to authenticate against
[root@puppet-agent1 ~]#

 

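IV. Authenticate the Agent with the Master

  The Agent requests verification from the Master

  The first attempt does not pass; the Master has to authenticate the Agent.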

[root@puppet-agent1 ~]# puppet agent -t
Info: Creating a new SSL key for puppet-agent1.nlf.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet-agent1.nlf.com
Info: Certificate Request fingerprint (SHA256): 89:C3:7E:20:B4:F2:0E:2D:A3:E7:92:21:9E:11:D2:F9:D1:16:7B:EB:AB:EA:5A:7E:9B:F8:6B:CC:80:5F:E8:08
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
[root@puppet-agent1 ~]#

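  View the pending request on the Master

  To approve puppet-agent1's request on puppet-master, list the clients that puppet-master still needs to verify.

[root@puppet-master ~]# puppet cert --sign --list    ## no "+" means the client has not been authenticated yet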
  "puppet-agent1.nlf.com" (SHA256) 89:C3:7E:20:B4:F2:0E:2D:A3:E7:92:21:9E:11:D2:F9:D1:16:7B:EB:AB:EA:5A:7E:9B:F8:6B:CC:80:5F:E8:08
[root@puppet-master ~]#

  The Master approves the client's request

[root@puppet-master ~]# puppet cert --sign puppet-agent1.nlf.com
Notice: Signed certificate request for puppet-agent1.nlf.com
Notice: Removing file Puppet::SSL::CertificateRequest puppet-agent1.nlf.com at '/var/lib/puppet/ssl/ca/requests/puppet-agent1.nlf.com.pem'
[root@puppet-master ~]#
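
The fingerprint the agent printed on its first run and the one in the master's pending list are the same value in the sessions above; checking that before running puppet cert --sign confirms the request being signed is the one this agent generated. The script below is an added example, not part of the original article; its function names are hypothetical and it parses the two outputs copied from those sessions.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that the CSR waiting
# on the master is the one the agent generated before signing it.

# agent_fp: read `puppet agent -t` output on stdin, print the CSR fingerprint
agent_fp() {
    sed -n 's/^Info: Certificate Request fingerprint (SHA256): \([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# master_fp CERTNAME: read `puppet cert --list` output on stdin, print the
# fingerprint of the pending (unsigned, no "+") request for CERTNAME
master_fp() {
    awk -v name="\"$1\"" '$1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# csr_matches CERTNAME AGENT_OUTPUT MASTER_OUTPUT
# Succeeds only if both fingerprints are present and identical.
csr_matches() {
    a=$(printf '%s\n' "$2" | agent_fp | tr 'a-f' 'A-F')
    m=$(printf '%s\n' "$3" | master_fp "$1" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ -n "$m" ] && [ "$a" = "$m" ]
}

# Outputs copied from the agent and master sessions shown above.
AGENT_OUT='Info: Creating a new SSL certificate request for puppet-agent1.nlf.com
Info: Certificate Request fingerprint (SHA256): 89:C3:7E:20:B4:F2:0E:2D:A3:E7:92:21:9E:11:D2:F9:D1:16:7B:EB:AB:EA:5A:7E:9B:F8:6B:CC:80:5F:E8:08
Exiting; no certificate found and waitforcert is disabled'
MASTER_OUT='  "puppet-agent1.nlf.com" (SHA256) 89:C3:7E:20:B4:F2:0E:2D:A3:E7:92:21:9E:11:D2:F9:D1:16:7B:EB:AB:EA:5A:7E:9B:F8:6B:CC:80:5F:E8:08'

if csr_matches puppet-agent1.nlf.com "$AGENT_OUT" "$MASTER_OUT"; then
    echo "fingerprints match: sign puppet-agent1.nlf.com"
else
    echo "fingerprint mismatch or no pending request: do not sign"
fi
```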

  The Agent verifies against the Master again

[root@puppet-agent1 ~]# puppet agent -t
Info: Caching certificate for puppet-agent1.nlf.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for puppet-agent1.nlf.com
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: undefined method `include?' for nil:NilClass
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppet-agent1.nlf.com
Info: Applying configuration version '1482305454'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.01 seconds
[root@puppet-agent1 ~]#

  

  View the directory where the authenticated client's certificate is stored

[root@puppet-master ~]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── puppet-agent1.nlf.com.pem
│       └── puppet-master.nlf.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppet-master.nlf.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppet-master.nlf.com.pem
└── public_keys
    └── puppet-master.nlf.com.pem

9 directories, 14 files
[root@puppet-master ~]#

  At this point the client/server deployment of the Puppet master and Agent is complete; the next step is writing the resources!
