Puppet automated operations: Puppet installation on CentOS
Note: set the hostname before installing the software, because the hostname is written into the certificate when it is generated; if you change the hostname after the certificate has been generated, the agent can no longer connect, and this is a problem many beginners run into. Each client's certificate must be signed by the root CA before it can connect to the server.
This test uses only one puppet master and one puppet agent, but the procedure applies to any architecture.
Servers
System configuration: CentOS x86_64 6.x minimal install + Development tools
Server IP: 192.168.10.1 hostname: master.perofu.com
Client IP: 192.168.10.3 hostname: client.perofu.com
Note: ruby must be 1.8.5; later versions are incompatible, or so everyone says.
The IPs in this article differ from the ones above, but this does not affect the result of the experiment.
Server side (master):
①. Write the hostnames of the server and of all clients into /etc/hosts:
echo "192.168.10.1 master.perofu.com" >>/etc/hosts
echo "192.168.10.3 client.perofu.com" >>/etc/hosts
…
②. Configure the hostname:
hostname master.perofu.com
vi /etc/sysconfig/network
HOSTNAME=master.perofu.com
③. Install ruby 1.8.5 (1.8.6 is not supported):
yum -y install ruby ruby-libs ruby-rdoc ruby-irb
Note: ruby-rdoc and ruby-irb are only needed if you want to read the help documentation.
④. Install NTP and synchronize the time so that master and client agree:
yum install ntp -y
chkconfig --level 35 ntpd on
crontab -e
# a per-user crontab (crontab -e) has no user column; the user field belongs only in /etc/crontab
10 5 * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1 ; /sbin/hwclock -w
service crond restart
ntpdate pool.ntp.org; hwclock -w
Note: this syncs with time.nist.gov every day at 5:10 and writes the Linux time to the BIOS clock.
If the master and client times differ, certificate verification fails.
⑤. Install facter:
tar -axf facter-latest.tgz -C /usr/local/src/
cd /usr/local/src/facter-1.6.8/
ruby install.rb
⑥. Install puppet:
tar -axf puppet-2.6.3.tar.gz -C /usr/local/src/
cd /usr/local/src/puppet-2.6.3/
ruby install.rb
mkdir -p /etc/puppet/manifests
cp conf/auth.conf /etc/puppet/
cp conf/redhat/fileserver.conf /etc/puppet/
cp conf/redhat/puppet.conf /etc/puppet/
cp conf/redhat/server.init /etc/init.d/puppetmaster
chmod +x /etc/init.d/puppetmaster
chkconfig --add puppetmaster
chkconfig puppetmaster on
puppetmasterd --mkusers # creates the puppet user; if this fails, run: groupadd puppet; useradd -g puppet puppet
mkdir -p /var/lib/puppet/rrd
chown puppet:puppet /var/lib/puppet/rrd
/etc/init.d/puppetmaster start # start the master
netstat -anplt | grep :8140 # check that it is listening
Client side (agent):
①. Write the hostnames of the server and of this client into /etc/hosts:
echo "192.168.10.1 master.perofu.com" >>/etc/hosts
echo "192.168.10.3 client.perofu.com" >>/etc/hosts
②. Configure the hostname:
hostname client.perofu.com
vi /etc/sysconfig/network
HOSTNAME=client.perofu.com
③. Install ruby 1.8.5 (1.8.6 is not supported):
yum -y install ruby ruby-libs ruby-rdoc ruby-irb
Note: ruby-rdoc and ruby-irb are only needed if you want to read the help documentation.
④. Install NTP and synchronize the time so that master and client agree:
yum install ntp -y
chkconfig --level 35 ntpd on
crontab -e
# a per-user crontab (crontab -e) has no user column; the user field belongs only in /etc/crontab
10 5 * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1 ; /sbin/hwclock -w
service crond restart
ntpdate pool.ntp.org; hwclock -w
Note: this syncs with time.nist.gov every day at 5:10 and writes the Linux time to the BIOS clock.
If the master and client times differ, certificate verification fails.
⑤. Install facter:
tar -axf facter-latest.tgz -C /usr/local/src/
cd /usr/local/src/facter-1.6.8/
ruby install.rb
⑥. Install puppet:
tar -axf puppet-2.6.3.tar.gz -C /usr/local/src/
cd /usr/local/src/puppet-2.6.3/
ruby install.rb
mkdir -p /etc/puppet
cp conf/auth.conf /etc/puppet/
cp conf/namespaceauth.conf /etc/puppet/
cp conf/redhat/puppet.conf /etc/puppet/
cp conf/redhat/client.init /etc/init.d/puppet
chmod +x /etc/init.d/puppet
chkconfig --add puppet
chkconfig puppet on
puppetd --mkusers # if this fails, run: groupadd puppet; useradd -g puppet puppet
mkdir -p /var/lib/puppet/rrd
chown puppet:puppet /var/lib/puppet/rrd
/etc/init.d/puppet start
puppetd --test --server master.perofu.com
[root@client ~]# puppetd --test --server master.perofu.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client.perofu.com
info: Certificate Request fingerprint (md5): 01:D3:C8:57:79:5B:C1:86:55:97:A6:44:4D:48:2E:67
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
puppetca -l # list certificate requests that have not been signed yet
puppetca -s <certname> # sign the named certificate request
puppetca -s -a # sign all pending certificate requests
[root@master ~]# puppetca -s -a
notice: Signed certificate request for client.perofu.com
notice: Removing file Puppet::SSL::CertificateRequest client.perofu.com at '/var/lib/puppet/ssl/ca/requests/client.perofu.com.pem'
vi /etc/puppet/manifests/site.pp
import "test.pp"
vi /etc/puppet/manifests/test.pp
file { "/tmp/testfile":
  ensure => present,
  mode   => "644",
  owner  => root,
  group  => root
}
/etc/init.d/puppetmaster restart # the master must be restarted after site.pp is created for the first time
puppetd --test --server master.perofu.com
[root@client ~]# puppetd --test --server master.perofu.com
info: Caching catalog for master.perofu.com
info: Applying configuration version '1386457551'
notice: /Stage[main]//File[/tmp/testfile]/ensure: created
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.02 seconds
# The agent requests the contents of /etc/puppet/manifests/ on the server.
# The certificate signed on the master and the copy cached on the client must be identical:
# Server side:
[root@master ~]# md5sum /var/lib/puppet/ssl/ca/signed/client.perofu.com.pem
c979523db046a665468dbd735107e55f  /var/lib/puppet/ssl/ca/signed/client.perofu.com.pem
# Client side:
[root@client ~]# md5sum /var/lib/puppet/ssl/certs/client.perofu.com.pem
c979523db046a665468dbd735107e55f  /var/lib/puppet/ssl/certs/client.perofu.com.pem
Problem:
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Could not retrieve file metadata for puppet://puppet.example.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Solution:
# 1. The clocks may be out of sync; run this on both master and agent:
ntpdate pool.ntp.org; hwclock -w
# 2. Delete the existing certificates on master and agent, then run the certificate exchange again:
find /var/lib/puppet/ssl -type f -print0 | xargs -0r rm
# Note that on the master this also removes the CA itself, so every other agent's certificate has to be signed again.
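The three causes of the SSL failure above (a hostname that does not match /etc/hosts, clock skew between master and agent, and an agent certificate that differs from the master's signed copy) can be checked before running puppetd. The following pre-flight script is an added example, not code from the original post; the function names are my own, and the /etc/hosts content, epoch values and certificate files used in its self-test are constructed.

```shell
#!/bin/bash
# Pre-flight checks for the failure causes described in this guide (added example).
# Constructed sample /etc/hosts content for the self-test; real use reads /etc/hosts.
SAMPLE_HOSTS='127.0.0.1    localhost
# 10.0.0.1   stale.perofu.com   (commented out, must be ignored)
192.168.10.1 master.perofu.com master
192.168.10.3 client.perofu.com'

# hosts_has_entry HOSTS_TEXT IP FQDN
# Succeeds only if a non-comment line maps FQDN to exactly IP. The certificate
# is issued for the hostname, so the agent must resolve consistently.
hosts_has_entry() {
  printf '%s\n' "$1" | awk -v ip="$2" -v fqdn="$3" '
    /^[[:space:]]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == fqdn) { found = 1; if ($1 == ip) ok = 1 } }
    END { if (found && ok) exit 0; exit 1 }'
}

# clock_skew_ok EPOCH_A EPOCH_B MAX_SECONDS
# Certificate validation fails when master and agent clocks disagree; feed it
# e.g. `date +%s` taken on the agent and on the master.
clock_skew_ok() {
  local diff=$(( $1 - $2 ))
  if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
  [ "$diff" -le "$3" ]
}

# cert_copies_match FILE_A FILE_B
# Same check as the guide's md5sum comparison of the master's
# ssl/ca/signed/<agent>.pem and the agent's ssl/certs/<agent>.pem.
cert_copies_match() {
  [ -f "$1" ] && [ -f "$2" ] || return 1
  local a b
  a=$(md5sum "$1" | awk '{print $1}')
  b=$(md5sum "$2" | awk '{print $1}')
  [ "$a" = "$b" ]
}

# Demo on the constructed data; run the script with --demo to see the checks.
if [ "${1:-}" = "--demo" ]; then
  hosts_has_entry "$SAMPLE_HOSTS" 192.168.10.3 client.perofu.com && echo "hosts: ok"
  clock_skew_ok "$(date +%s)" "$(date +%s)" 5 && echo "clock: ok"
fi
```

On a real agent, pass the output of `cat /etc/hosts` as the first argument and the two cert paths from the guide to the last function.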
This concludes the Puppet installation; next comes learning about Puppet resources, to be continued!!!