參考連結:https://www.bbsmax.com/A/RnJW2bMgzq/
環境說明:
192.168.154.137 master.localdomain #Puppet Server
192.168.154.138 agent1.localdomain #Puppet Agent
這裡的機器名稱不要有下劃線等特殊符合,否則後面會報“the scheme puppet does not accept registry part”這樣的錯誤資訊。
centos的官方軟體庫裡面不包含puppet包,但是在epel項目裡面有包含puppet包。epel 是一個對rhel軟體倉庫的擴充,把一些有用的,但是rhel庫沒包含的軟體收集在一起做成的一個軟體倉庫。
- $ yum install epel-release
1. 安裝Puppet Server
- $ hostnamectl set-hostname master.localdomain #設定機器名稱
- $ systemctl reboot #重新開機
- $ cat /etc/hosts
- 192.168.154.137 master.localdomain
- 192.168.154.138 agent1.localdomain
- $ yum install puppet-server #安裝Puppet Server
- # firewall-cmd --permanent --add-port=/tcp6 #修改防火牆,增加8140端口
2. 安裝Puppet Agent
- $ hostnamectl set-hostname agent1.localdomain #設定機器名稱
- $ systemctl reboot #重新開機
- $ cat /etc/hosts
- 192.168.154.137 master.localdomain
- $ yum install puppet #安裝Puppet Agent
3. 測試Puppet
建立測試檔案site.pp(Server端):
- $ cat /etc/puppet/manifests/site.pp
- node default {
- file { "/tmp/helloworld.txt" :
- content => "Hello World!",
- }
- }
啟動server,以no-daemonize方式,這樣可以在控制台看到操作資訊(Server端):
- $ puppet master --no-daemonize --debug
- ... ...
- Notice: Starting Puppet master version #啟動成功,會看到這樣的資訊
編輯用戶端puppet.conf,增加server配置項(Agent端):
- $ cat /etc/puppet/puppet.conf
- [agent]
- ... ...
- server = master.localdomain
啟動agent(Agent端,以root使用者):
- $ puppet agent --test
- Info: Creating a new SSL key for agent1.localdomain
- Info: Caching certificate for ca
- Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
- Info: Creating a new SSL certificate request for agent1.localdomain
- Info: Certificate Request fingerprint (SHA256): 1D:::3B:1F::8C:B5:::0F:FF:CC:4A:4F:8E:BA:B4:5F:7C:::::A2:0C:C0::D9:1D::9E
- Info: Caching certificate for ca
- Exiting; no certificate found and waitforcert is disabled
啟動後,agent向server申請證書,因為證書還沒有被server稽核,是以目前通信是不成功的。
回到server,通過puppet cert查詢證書:
- $ puppet cert list --all
- ::3B:1F::8C:B5:::0F:FF:CC:4A:4F:8E:BA:B4
- + :A1::::::A5:E5::2B:F6:::A8:D6:1F:9B
證書清單中有cs_agnet1的申請,目前是未稽核狀态(最前面沒有+)。稽核證書:
- $ puppet cert sign agent1.localdomain
- $ puppet cert list --all
- + :7F::A8:3C:B8:EF:B9:E2:AD:1D:5C:D7::B6::CF:
- + :A1::::::A5:E5::2B:F6:::A8:D6:1F:9B:
再次啟動agent:
- # puppet agent --test
- Info: Retrieving pluginfacts
- Info: Retrieving plugin
- Info: Caching catalog for agent1.localdomain
- Info: Applying configuration version '
- Notice: /Stage[main]/Main/Node[default]/File[/tmp/helloworld.txt]/ensure: defined content as '{md5}ed076287532e86365e841e92bfc50d8c'
- Notice: Finished catalog run in 0.02 seconds
這時候,檢視/tmp/helloworld.txt,該檔案就自動同步了。
在證書申請過程中,如果有問題,可以删除證書重新申請,一般都能解決問題。
- Agent:
- $ rm -rf /var/lib/puppet #删除緩存檔案
- Server:
- $ puppet cert clean agent1.localdomain
Q1. 服務端找不到證書?
在測試時,先啟動Server,再通過Agent測試,回到Server通過puppet cert list --all怎麼都找不到證書。
後來發現問題原因是這樣的:在Server端,puppet.conf使用的是預設配置:
- [main]
- # Where SSL certificates are kept.
- ssldir = $vardir/ssl
然後用admin帳号(不是root,另外建立的帳号)啟動Server:
- [[email protected] ~]$ sudo puppet master --no-daemonize --debug
這時候,Agent傳過來的證書申請實際上都存放在/home/admin/.puppet/ssl/目錄下。然後,我再開了另外一個SSH Client,用的是不同的root帳号,結果就是怎麼也找不到證書了。是以,在配置Server端時,ssldir最好這樣配置:
- ssldir = /var/lib/puppet/ssl
Q2. 自動稽核證書?
建立autosign.conf檔案:
- $ cat /etc/puppet/autosign.conf
- *.localdomain
修改Server配置:
- $ cat /etc/puppet/puppet.conf
- [master]
- autosign = /etc/puppet/autosign.conf
删除Server和Agent的過期證書:
- Server:
- $ puppet cert clean --all
- Agent:
- $ rm -rf /var/lib/puppet
OK,這樣就可以了。
Q3. 一個簡單的site.pp例子
- $ cat /etc/puppet/manifests/site.pp
- node default {
- file { '/tmp/hello.txt':
- content => 'Hello World!',
- }
- user { 'admin':
- ensure => 'present',
- comment => 'admin',
- gid => ',
- groups => ['wheel', 'admin'],
- home => '/home/admin',
- password => '$6$o.PFkMC14Xd2gOTk$atsNGzVmLFtQlvVr9imERjmw9n8vNr0quliqW6EdcZR6zyXFGfUv3EIbc9UZd3kJDIuxuMfyonVdm0OT5SJHM.',
- password_max_age => ',
- password_min_age => ',
- shell => '/bin/bash',
- uid => ',
- }
- package { 'epel-release':
- ensure => 'installed',
- }
- package { 'tcping':
- ensure => 'installed',
- }
- package { 'tree':
- ensure => 'installed',
- }
- package { 'net-tools':
- ensure => 'installed',
- }
- service { 'firewalld.service':
- ensure => 'stopped',
- enable => 'false',
- }
- exec { "selinux":
- command => "setenforce 0",
- path => "/usr/bin:/usr/sbin:/bin:/sbin",
- unless => "getenforce |grep -i Permissive",
- }
- }