System environment:
Server     | OS             | IP address     | Note
master.com | CentOS 5.5 x64 | 192.168.77.128 | Puppet server
client.com | CentOS 5.5 x64 | 192.168.77.136 | Puppet client
Packages
Package | Download URL | Note
facter  | http://downloads.puppetlabs.com/facter/facter-1.6.18.tar.gz |
Puppet  | http://www.puppetlabs.com/downloads/puppet/puppet-2.7.5.tar.gz | latest stable release at the time of writing
Current download page: http://puppetlabs.com/misc/download-options/
References:
http://www.mysqlops.com/category/puppet
http://docs.puppetlabs.com/guides/installation.html#installing-from-a-tarball-not-recommended
Preparation before installing (mistakes here show up later as all sorts of certificate problems)
Synchronise the clocks (run on both machines). Puppet's SSL certificates are only valid inside their validity window, so clock skew between master and agent breaks certificate verification.
[root@master ~]# ntpdate 0.rhel.pool.ntp.org
25 Apr 19:52:58 ntpdate[7209]: adjust time server 202.112.29.82 offset 0.054578 sec
Set the hostname and edit the hosts file. The hostname becomes the certificate name, so it must be the same name on both sides and resolve correctly. On CentOS 5 the hostname command only changes the running name; also set HOSTNAME=master.com (or client.com) in /etc/sysconfig/network so it survives a reboot.
Server
[root@master ~]# hostname master.com
[root@master puppet-2.7.5]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.77.136 client.com
Client
[root@client ~]# hostname client.com
[root@client puppet-2.7.5]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.77.128 master.com
Download and unpack the packages (run on both machines). The tarballs arrive over plain HTTP, so compare them with the checksums or signatures published on the download page before running install.rb as root.
[root@master ~]# wget http://downloads.puppetlabs.com/facter/facter-1.6.18.tar.gz
[root@master ~]# wget http://www.puppetlabs.com/downloads/puppet/puppet-2.7.5.tar.gz
[root@master ~]# tar zxf facter-1.6.18.tar.gz
[root@master ~]# tar zxf puppet-2.7.5.tar.gz
Puppet is written in Ruby, so a Ruby runtime has to be installed first:
[root@master ~]# yum -y install ruby
Running Transaction
  Installing : ruby-libs
  Installing : ruby
Installed:
  ruby.x86_64 0:1.8.5-29.el5_9
Dependency Installed:
  ruby-libs.x86_64 0:1.8.5-29.el5_9
Complete!
Server-side installation:
Install Facter, which gathers the client's system facts (hostname, IP, OS version, fqdn and so on)
[root@master ~]# cd facter-1.6.18
[root@master facter-1.6.18]# ruby install.rb
Install Puppet
[root@master facter-1.6.18]# cd ..
[root@master ~]# cd puppet-2.7.5
[root@master puppet-2.7.5]# ruby install.rb
Configure the server
[root@master puppet-2.7.5]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@master puppet-2.7.5]# cp conf/redhat/puppet.conf /etc/puppet/
[root@master puppet-2.7.5]# cp conf/redhat/server.init /etc/init.d/puppetmaster
[root@master puppet-2.7.5]# chmod +x /etc/init.d/puppetmaster
[root@master puppet-2.7.5]# chkconfig --add puppetmaster
[root@master puppet-2.7.5]# chkconfig puppetmaster on
Create the puppet user (the master drops root privileges to it)
[root@master puppet-2.7.5]# puppetmasterd --mkusers
Start. The first start also creates the CA and the master's own certificate under /var/lib/puppet/ssl; the CA private key there is the trust root for every node, so keep it readable only by the puppet user and back it up separately.
[root@master puppet-2.7.5]# /etc/init.d/puppetmaster start
Client-side installation
Install facter and puppet
[root@client ~]# cd facter-1.6.18
[root@client facter-1.6.18]# ruby install.rb
[root@client facter-1.6.18]# cd ../puppet-2.7.5
[root@client puppet-2.7.5]# ruby install.rb
Copy and edit the configuration files
[root@client puppet-2.7.5]# cp conf/namespaceauth.conf /etc/puppet/   (this step is optional)
[root@client puppet-2.7.5]# cp conf/redhat/puppet.conf /etc/puppet/
[root@client puppet-2.7.5]# cp conf/redhat/client.init /etc/init.d/puppet
[root@client puppet-2.7.5]# chmod +x /etc/init.d/puppet
[root@client puppet-2.7.5]# chkconfig --add puppet
[root@client puppet-2.7.5]# chkconfig puppet on
[root@client ~]# vi /etc/puppet/auth.conf
. // part of the file omitted
.
path /
auth any
allow *   // add this allow line to the final stanza
The last stanza of the stock auth.conf is a catch-all (path / with auth any and no allow line) that denies every request not matched by an earlier rule; adding allow * to it is what lets the master reach the agent's /run endpoint once listen = true is set. Be clear about what it grants: any peer, including one that presents no certificate at all (that is what auth any means), may now call every endpoint the agent exposes. Outside a lab, add a narrower stanza above the catch-all instead (path /run, method save, auth yes, allow master.com) and leave the catch-all without an allow line.
[root@client ~]# vi /etc/puppet/namespaceauth.conf   (skip this if you did not copy the file above)
# This is an example namespaceauth.conf file,
# which you'll need if you want to start a client
# in --listen mode.
[fileserver]
allow *   // every allow line changed to *
[puppetmaster]
allow *
[puppetrunner]
allow *
[puppetbucket]
allow *
[puppetreports]
allow *
[resource]
allow *
[root@client ~]# vi /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
.
.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
listen = true        // added: the agent listens on TCP 8139 so the master can trigger runs with puppetrun; leave it off if you will not use puppetrun
server = master.com  // added: must be the name in the master's certificate
Start the client
[root@client puppet-2.7.5]# /etc/init.d/puppet start
Starting puppet: [ OK ]
Disable the firewall and SELinux on both machines, or (better) open only what is needed: TCP 8140 on the master, and TCP 8139 on the client only when listen = true. Then ping each hostname from the other side, and try telnet master.com 8140 from the client and telnet client.com 8139 from the master, to confirm that the network and the hosts entries are correct.
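The allow * stanza added to the agent's auth.conf above (the same fix reappears as item 1 of the error log at the end of this page) opens the agent to every peer. The following is an added check written for this page, not part of Puppet and not from the original tutorial: it scans an auth.conf for stanzas whose allow list contains a bare *, and shows the page's stanza beside a tightened one. The certname master.com is the page's; both sample configs are constructed inline.

```shell
#!/bin/sh
# Added example for this page (not part of Puppet or the original tutorial).
# audit_authconf reads a Puppet 2.7 auth.conf on stdin and prints one line per
# stanza whose allow list contains "*" ("<path> auth=<mode> allow=<list>").
# Exit status: 1 if any such stanza exists, 0 otherwise.
audit_authconf() {
    awk '
        function flush() {
            # "allow *" matches every requester; combined with "auth any" it also
            # matches peers that presented no certificate at all.
            if (path != "" && index(" " allow " ", " * ") > 0) {
                printf "%s auth=%s allow=%s\n", path, auth, substr(allow, 2)
                bad = 1
            }
        }
        { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }   # drop comments and blank lines
        $1 == "path" {                                        # a new stanza; auth defaults to yes
            flush(); path = ($2 == "~") ? $3 : $2; auth = "yes"; allow = ""
        }
        $1 == "auth"  { auth = $2 }
        $1 == "allow" { for (i = 2; i <= NF; i++) { v = $i; gsub(/,/, "", v); allow = allow " " v } }
        END { flush(); exit (bad ? 1 : 0) }
    '
}

# Constructed sample 1: the stanza this page appends to the agent's auth.conf.
WEAK_AUTHCONF='# catch-all at the end of the stock file, with allow * added
path /
auth any
allow *'

# Constructed sample 2: the tightened equivalent. Only the master (certname
# master.com, as on this page) may trigger runs, and only with a valid
# certificate; the catch-all keeps no allow line, so everything else is denied.
TIGHT_AUTHCONF='path /run
method save
auth yes
allow master.com

path /
auth any'

# Stand-alone demonstration.
printf '%s\n' "$WEAK_AUTHCONF" | audit_authconf || echo "weak: wildcard allow found"
printf '%s\n' "$TIGHT_AUTHCONF" | audit_authconf && echo "tight: no wildcard allow"
```

Run it against the real file with audit_authconf < /etc/puppet/auth.conf on each agent after editing. The parser only looks at path, auth and allow lines, which is enough to catch the blanket rule; it deliberately treats an unset auth as yes because that is Puppet's default for a stanza.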
Authentication:
The client sends a certificate request
[root@client puppet-2.7.5]# puppetd --test --server master.com
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
(This is the expected result of a first run: the agent has no signed certificate yet, so it can only submit a CSR and exit. The warnings go away once a signed certificate is in place.)
Check on the server
[root@master puppet-2.7.5]# puppetca --list
client.com
Sign on the server
puppetca -s -a          // sign every pending request
puppetca -s client.com  // sign one specific client
[root@master puppet-2.7.5]# puppetca -s -a
notice: Signed certificate request for client.com
notice: Removing file Puppet::SSL::CertificateRequest client.com at '/var/lib/puppet/ssl/ca/requests/client.com.pem'
A signed certificate is the node's identity for everything that follows (catalogs, file serving, puppetrun), so -a is only appropriate when you control every host that can reach port 8140. Otherwise sign by name, after comparing the fingerprint in the listing with the one the client shows for itself (puppetd --fingerprint on the client).
Check the result on the server (a leading + marks a signed certificate)
[root@master puppet-2.7.5]# puppetca -a -l
+ client.com (05:59:FB:07:7B:ED:B7:58:4D:5C:09:58:D9:A0:DC:CB)
+ master.com (77:B4:B3:77:3D:68:33:B7:A6:8A:D4:91:84:B5:41:08)
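An added example of signing by name only after the fingerprint checks out, as an alternative to puppetca -s -a. This is example code written for this page, not a Puppet tool and not from the original tutorial. cert_state and cert_fingerprint parse a listing in the format shown above (the sample listing is constructed from the page's entries), and sign_if_verified runs puppetca -s HOST only when the fingerprint the client reported with puppetd --fingerprint equals the CA's copy. PUPPETCA is a variable introduced here so the demonstration can dry-run with echo.

```shell
#!/bin/sh
# Added example for this page (not a Puppet tool and not from the original
# tutorial): sign a pending request only after its fingerprint matches what the
# client itself reported, instead of signing everything with "puppetca -s -a".
# Listings are in the format "puppetca -a -l" prints on this page: a leading
# "+" marks a signed certificate, the fingerprint sits in parentheses.

# cert_state LISTING HOST -> prints signed | pending | absent
cert_state() {
    printf '%s\n' "$1" | awk -v host="$2" '
        {
            name = $0
            signed = (name ~ /^\+/)
            sub(/^\+/, "", name); sub(/\(.*/, "", name)   # drop the marker and the fingerprint
            gsub(/[[:space:]"]/, "", name)                # tolerate quotes and odd spacing
            if (name == host) { print (signed ? "signed" : "pending"); found = 1; exit }
        }
        END { if (!found) print "absent" }'
}

# cert_fingerprint LISTING HOST -> prints the fingerprint recorded for HOST, if any
cert_fingerprint() {
    printf '%s\n' "$1" | awk -v host="$2" '
        {
            name = $0; sub(/^\+/, "", name); fp = name
            sub(/\(.*/, "", name); gsub(/[[:space:]"]/, "", name)
            if (name == host && sub(/.*\(/, "", fp) && sub(/\).*/, "", fp)) { print fp; exit }
        }'
}

# sign_if_verified LISTING HOST EXPECTED_FP
# EXPECTED_FP is the value "puppetd --fingerprint" printed on the client, obtained
# over a channel you trust (console, an existing SSH session). PUPPETCA is a
# variable introduced here so the demonstration below can dry-run with echo.
PUPPETCA=${PUPPETCA:-puppetca}
sign_if_verified() {
    case $(cert_state "$1" "$2") in
        signed) echo "$2: already signed"; return 0 ;;
        absent) echo "$2: no request queued"; return 2 ;;
    esac
    fp=$(cert_fingerprint "$1" "$2")
    if [ -z "$fp" ] || [ "$fp" != "$3" ]; then
        echo "$2: fingerprint mismatch (CA has '${fp:-none}'), NOT signing"
        return 1
    fi
    "$PUPPETCA" -s "$2"
}

# Constructed sample listing in the page's format: master signed, client pending.
SAMPLE_LISTING='+ master.com (77:B4:B3:77:3D:68:33:B7:A6:8A:D4:91:84:B5:41:08)
  client.com (05:59:FB:07:7B:ED:B7:58:4D:5C:09:58:D9:A0:DC:CB)'

# Stand-alone demonstration with a dry run (nothing is really signed).
PUPPETCA=echo
sign_if_verified "$SAMPLE_LISTING" client.com 05:59:FB:07:7B:ED:B7:58:4D:5C:09:58:D9:A0:DC:CB
sign_if_verified "$SAMPLE_LISTING" client.com 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF || echo "refused, as intended"
```

For real use, drop the PUPPETCA=echo line and feed the live listing: sign_if_verified "$(puppetca -a -l)" client.com FP. The comparison is exact, so paste the fingerprint as the client printed it (colon-separated uppercase hex, as in the listing above).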
Worked example
File distribution:
Puppet can push files to the managed nodes through the source attribute of the file type.
Example: copy /opt/abc.txt from the server to /opt on the client, keeping the filename.
Step 1: edit /etc/puppet/fileserver.conf and restart puppetmaster (the [files] section at the end is the addition)
[root@master puppet-2.7.5]# vi /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom
# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
# [files]
# path /var/lib/puppet/files
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24
[files]
path /opt/
allow *
This serves everything under /opt to every node that holds a signed certificate. Outside a lab, keep a dedicated directory (the commented default /var/lib/puppet/files) and restrict allow to your node names or subnet, as the commented example shows.
[root@master puppet-2.7.5]# /etc/init.d/puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
Step 2: edit /etc/puppet/manifests/site.pp and create abc.txt
[root@master puppet-2.7.5]# vi /etc/puppet/manifests/site.pp
file { "/opt/abc.txt":
  source => "puppet:///files/abc.txt",
}
The original manifest wrote the source as "puppet://$puppetserver/files/abc.txt". $puppetserver is not a variable Puppet defines, so it interpolates to an empty string and the URL collapses to the three-slash form above, which means "the master this agent is talking to"; write it that way directly.
[root@master puppet]# cd /opt/
[root@master opt]# touch abc.txt
Step 3: run an update on the client
[root@client ~]# puppetd --test --server master.com
notice: Ignoring --listen on onetime run
info: Caching catalog for client.com
info: Applying configuration version '1366960161'
notice: /Stage[main]//File[/opt/abc.txt]/ensure: defined content as '{md5}d41d8cd98f00b204e9800998ecf8427e'
notice: Finished catalog run in 0.20 seconds
(d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file, which is what touch created on the server.)
/opt on the client now contains abc.txt; delete it and have the server push it instead
[root@client ~]# cd /opt/
[root@client opt]# ll
total 0
-rw-r--r-- 1 root root 0 04-26 15:09 abc.txt
[root@client opt]# rm -f abc.txt
Push from the server (this is what listen = true and the auth.conf change on the client are for)
[root@master ~]# puppetrun client.com
Triggering client.com
Getting status
status is success
client.com finished with exit code 0
Finished
Then check on the client
[root@client opt]# ll
total 0
-rw-r--r-- 1 root root 0 04-26 15:10 abc.txt
Error log
1. If puppetrun from the server fails like this
[root@master ~]# puppetrun client.com
Triggering client.com
Host client.com failed: Error 403 on SERVER: Forbidden request: master.com(192.168.77.128) access to /run/client.com [save] authenticated at line 98
client.com finished with exit code 2
Failed: client.com
the agent's /etc/puppet/auth.conf is denying the master's call to /run ("line 98" is the catch-all stanza at the end of that file). Add allow * to that last stanza
path /
auth any
allow *
(or, more narrowly, a path /run stanza above it that allows only master.com), then restart puppet on the client.
2. If a push from the server fails like this
[root@master ~]# puppetrun client.com
Triggering client.com
Host client.com failed: tlsv1 alert decrypt error
client.com finished with exit code 2
Failed: client.com
the client has not copied namespaceauth.conf, or has not allowed access in it
[root@client puppet-2.7.5]# cp /root/puppet-2.7.5/conf/namespaceauth.conf /etc/puppet/
Change every allow *.com (and similar) entry to allow *, then restart puppet on the client.
3. If the client's run fails like this
[root@client opt]# puppetd --test --server master.com
notice: Ignoring --listen on onetime run
err: Could not retrieve catalog from remote server: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: certificate verify failed. This is often because the time is out of sync on the server or client
the two clocks are out of sync; resynchronise them (ntpdate, as in the preparation step) and retry.
4. If /var/log/messages shows the following, or puppetrun client.com on the server gets no response
[root@client opt]# tail -f /var/log/messages
Apr 26 11:29:07 localhost puppet-agent[5552]: Could not send report: getaddrinfo: Name or service not known
the server setting in the client's puppet.conf is missing or wrong (the name cannot be resolved). Correct it and restart puppet.
5. If the client's run is refused like this
[root@client opt]# puppetd --test --server master.com
notice: Run of Puppet configuration client already in progress; skipping
delete /var/lib/puppet/state/puppetdlock. Check first that no agent run is genuinely in progress: the lock file holds the PID of the agent that took it, and removing it under a live run lets two agents apply catalogs at the same time.
6. If the hostname does not match the certificate
[root@client opt]# puppetd --test --server master.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for web-server
err: Could not retrieve catalog from remote server: hostname not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: hostname not match with the server certificate
the agent checks the name it connected to (the server setting) against the name in the master's certificate, and here they differ (the cached certificate is for web-server). Check the hosts file and the hostnames for typos, or:
(1) comment out the search localdomain line in /etc/resolv.conf, or
(2) use the full hostname (with dots) everywhere.
7. If the client's run fails like this
[root@client puppet-2.7.5]# puppetd --test --server master.com
notice: Ignoring --listen on onetime run
err: Could not retrieve catalog from remote server: Connection refused - connect(2)
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: Connection refused - connect(2)
nothing is listening at the address the agent resolved for the master. Usually /etc/hosts is missing the server's IP and hostname (the same error appears when the server's own hosts file was not edited); otherwise puppetmaster is not running on that host, or a firewall rule is rejecting port 8140.
8. If puppetrun on the server reports success but nothing happens on the client
[root@master puppet-2.7.5]# puppetrun client.com
Triggering client.com
Getting status
status is success
client.com finished with exit code 0
Finished
[root@client puppet-2.7.5]# tail -f /var/log/messages
Apr 26 14:12:08 localhost puppet-agent[4622]: triggered run
the trigger reached the agent (it logged "triggered run") but the run itself produced nothing; the facter version may be incompatible with this puppet, so try an older facter.
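Items 4 to 7 above all come down to three things that can be checked before applying a remedy: which server name the agent is actually configured with, whether the hosts file maps that name to the master, and whether the lock file in item 5 belongs to a live run. The helpers below are example code added for this page (not from Puppet or the original tutorial); the puppet.conf, hosts file and lock contents they run on are constructed inline from the page's values.

```shell
#!/bin/sh
# Added helpers for this page (example code, not from Puppet or the original
# tutorial) for items 4 to 7: read the effective "server" setting, confirm the
# hosts file maps it to the master, and inspect the agent lock before deleting it.

# conf_server < puppet.conf -> prints the effective server setting
# ([agent] overrides [main]); prints an empty line when it is unset (item 4).
conf_server() {
    awk '
        { sub(/#.*/, "") }
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*/, "", sec); next }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/[^=]*=/, "", val); gsub(/[[:space:]]/, "", val)
            if (key == "server") { if (sec == "agent") a = val; else if (sec == "main") m = val }
        }
        END { print (a != "" ? a : m) }'
}

# hosts_check HOST IP < hosts-file -> 0 when HOST maps to IP, 1 otherwise (items 6 and 7).
# The name in "server =" must resolve to the master and equal the master's certname.
hosts_check() {
    awk -v host="$1" -v ip="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == host) { found = 1; if ($1 == ip) ok = 1 } }
        END {
            if (!found) { print host ": not in hosts file"; exit 1 }
            if (!ok)    { print host ": maps to a different address"; exit 1 }
        }'
}

# lock_state LOCKFILE -> prints "none", "stale PID", "running PID" or "disabled".
# Exit 0 only when removing the file is safe (none or stale). A 2.7 agent writes
# its PID into puppetdlock; an empty file is what "puppetd --disable" leaves
# behind, so the fix for that case is "puppetd --enable", not rm (item 5).
lock_state() {
    [ -e "$1" ] || { echo none; return 0; }
    pid=$(tr -dc '0-9' < "$1")
    [ -n "$pid" ] || { echo disabled; return 1; }
    # kill -0 fails with EPERM for another user's live process, hence the /proc fallback
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo "running $pid"; return 1
    fi
    echo "stale $pid"; return 0
}

# Constructed samples mirroring this page's setup.
SAMPLE_CONF='[main]
ssldir = $vardir/ssl
[agent]
localconfig = $vardir/localconfig
listen = true
server = master.com'

SAMPLE_HOSTS='127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.77.128 master.com'

# Stand-alone demonstration.
srv=$(printf '%s\n' "$SAMPLE_CONF" | conf_server)
printf '%s\n' "$SAMPLE_HOSTS" | hosts_check "$srv" 192.168.77.128 && echo "$srv resolves to the master"
lock=$(mktemp); echo $$ > "$lock"
lock_state "$lock" || echo "a live agent holds the lock; do not remove it"
rm -f "$lock"
```

On a real client the calls are conf_server < /etc/puppet/puppet.conf, hosts_check master.com 192.168.77.128 < /etc/hosts and lock_state /var/lib/puppet/state/puppetdlock; only a "stale" or "none" answer from the last one justifies the rm in item 5.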