Installing the Puppet configuration management tool on CentOS 6.4

192.168.1.198 master master.ptmind.com

192.168.1.199 slave1 slave1.ptmind.com

[root@master ~]# more /etc/redhat-release

CentOS release 6.4 (Final)

ping -c 3 master.ptmind.com

ping -c 3 slave1.ptmind.com

Puppet requires every machine to have a fully qualified domain name (FQDN). If no DNS server provides the names, set the hostname on both machines, and do so before Puppet runs for the first time: the agent's certificate name (certname) defaults to the hostname at the moment its key and certificate request are generated, and all agent/master communication is tied to that certificate, so renaming the host afterwards means issuing a new certificate. Because I have DNS configured I did not need to edit hosts; without DNS, add the entries above to /etc/hosts on both machines.

1. Disable SELinux and iptables, and set up NTP

The machines were installed from CentOS-6.4-x86_64-minimal.iso, so common tools such as ntp and wget have to be installed first.

Install ntp, wget and other common tools

yum -y install bind-utils gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel zip unzip ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssh openssl-devel nss_ldap openldap openldap-devel openldap-clients openldap-servers libxslt-devel libevent-devel ntp libtool-ltdl bison libtool vim-enhanced python wget lsof iptraf strace lrzsz kernel-devel kernel-headers pam-devel tcl tk cmake setuptool popt-devel rsync system-config-network-tui

Puppet needs Ruby; to view the command-line help the extra ruby-rdoc package is required as well:

yum install ruby ruby-libs ruby-rdoc -y

Disable SELinux. (Permissive mode would also let Puppet run while still logging denials; disabling it outright is the simpler choice taken here.)

sed -i '/SELINUX/ s/enforcing/disabled/g' /etc/selinux/config

setenforce 0

Stop iptables. If you would rather keep the firewall, the master only needs 8140/tcp open inbound; agents poll the master and need no inbound port at all.

chkconfig ip6tables off

chkconfig iptables off

/etc/init.d/ip6tables stop

/etc/init.d/iptables stop

Set up NTP. Agent and master must agree on the time, otherwise the certificate validity checks on the SSL connection fail.

ntpdate pool.ntp.org

chkconfig ntpd on

service ntpd start

2. Install Puppet

Puppet is not in the CentOS base repositories, so add the official repository provided by Puppet Labs:

wget http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm

rpm -ivh puppetlabs-release-6-7.noarch.rpm

yum update -y

Install and enable the puppet master service on master:

yum install puppet-server -y

chkconfig puppetmaster on

service puppetmaster start

Install the Puppet agent on the clients

yum install puppet -y

chkconfig puppet on

service puppet start

3. Configure Puppet

On the Puppet agent, edit /etc/puppet/puppet.conf and point it at the master

vi /etc/puppet/puppet.conf

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    # The puppet master this agent talks to (the line added for this setup).
    server = master.ptmind.com

Then restart the puppet agent

chkconfig puppet on

service puppet restart

4. The client requests a certificate

Configuring automatic certificate signing on the server

To have the master sign certificates automatically, create the file autosign.conf in /etc/puppet. (/etc/puppet/puppet.conf does not need to change, because the default location of autosign.conf has been left as it is.)

echo '*.ptmind.com' >>/etc/puppet/autosign.conf

Alternatively, add this line to the [master] section of puppet.conf on the puppetmaster:

autosign = true

and the server then signs every request, whatever name it asks for. In either case, restart the puppetmaster:

service puppetmaster restart

With the autosign.conf entry above, every request whose certname ends in .ptmind.com is signed automatically. Be aware of the trade-off: both forms are naive autosigning. Anyone who can reach the master on 8140/tcp and submits a request with a matching name is issued a certificate for it, and with that certificate can retrieve the catalog compiled for that node, including whatever data the manifests embed. Use it only on a network where every host that can reach the master is trusted; otherwise sign requests by hand, or use policy-based autosigning (Puppet 3.4 and later), where the master runs a script of your own that approves or rejects each request.

The client must ask the server to manage it, and this is really a certificate signing process: on its first run the Puppet agent generates a key and a certificate signing request and sends the request to the Puppet master; if the server agrees to manage the client, it signs the request. The request is made with the puppet agent command shown in the next section; because the server address is already set in the client's puppet.conf there is no need to pass it on the command line with --server.
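The following policy script is an added example; it is not code from the original article or from Puppet itself. It shows the policy-based alternative to the autosign.conf glob: on a Puppet 3.4 or later master, setting autosign = /etc/puppet/autosign.sh in the [master] section of puppet.conf makes the master run that script for every incoming request, with the certname as its only argument and the PEM-encoded CSR on standard input; exit status 0 means sign, anything else leaves the request pending for puppet cert. The domain ptmind.com and the token directory /etc/puppet/autosign.d are assumptions of the example, and the policy it implements (the name must be a FQDN in the domain, and a single-use enrollment token named after the certname must have been dropped in the token directory beforehand, for instance by the provisioning step that builds the host) is one reasonable choice rather than the only one.

```shell
#!/bin/sh
# Added example policy script for Puppet's policy-based autosigning (not from the article).
# The master (Puppet 3.4+) runs it as:  autosign.sh <certname>   with the CSR (PEM) on stdin.
# Exit 0 -> sign the request; any other status -> leave it pending for manual signing.
# Enable it on the master with  autosign = /etc/puppet/autosign.sh  in the [master]
# section of /etc/puppet/puppet.conf; the file must be executable by the puppet user.
#
# Assumed policy: the certname must be a FQDN under DOMAIN, and a one-time enrollment
# token file named after the certname must exist in TOKEN_DIR. The token is removed
# when the request is approved, so a second request for the same name is not signed.

DOMAIN="${AUTOSIGN_DOMAIN:-ptmind.com}"                     # assumption: the site's domain
TOKEN_DIR="${AUTOSIGN_TOKEN_DIR:-/etc/puppet/autosign.d}"   # assumption: where tokens are dropped

# autosign_decide CERTNAME -> exit status 0 (approve) or 1 (leave pending)
autosign_decide() {
    certname=$1
    case $certname in
        ""|*/*|*..*|.*)
            # empty names, path separators, ".." and leading dots never come from a sane agent
            echo "autosign: refusing malformed certname '$certname'" >&2
            return 1 ;;
    esac
    case $certname in
        *.$DOMAIN) ;;
        *)
            echo "autosign: $certname is not a FQDN in $DOMAIN, leaving pending" >&2
            return 1 ;;
    esac
    token="$TOKEN_DIR/$certname"
    if [ ! -f "$token" ]; then
        echo "autosign: no enrollment token for $certname, leaving pending" >&2
        return 1
    fi
    rm -f "$token"    # single use: consume the token before approving
    echo "autosign: approving $certname" >&2
    return 0
}

# Entry point when the master invokes the script with a certname.
# Stdin (the CSR) is read and discarded so the master never sees a broken pipe;
# a stricter policy could parse it with 'openssl req -noout -text' and compare
# its subject CN with the certname before approving.
if [ $# -ge 1 ]; then
    cat >/dev/null
    autosign_decide "$1"
    exit $?
fi
```

Tokens are plain empty files, so enrolling a new host is `touch /etc/puppet/autosign.d/newhost.ptmind.com` on the master before the agent's first run; a request that arrives without a token, or a second request for a name whose token has already been consumed, stays pending and shows up in `puppet cert list` for a human to inspect.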

5. Puppet certificate management basics

1 puppet agent

To follow the registration process in detail, and for later troubleshooting, a few options can be added on the command line:

--no-daemonize  stay in the foreground and log to the terminal

--verbose  more detailed log output

--debug  even more detail, for troubleshooting

--test  a test run; --test alone is enough, because it implies --onetime, --verbose and --no-daemonize (among other options)

puppet agent --no-daemonize --onetime --verbose --debug

This requests the certificate. Because I had configured automatic signing, it was signed straight away. The output of the run on slave1:

Debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]

Debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]

Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]

Debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]

Debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]

Debug: Finishing transaction 69857366290940

Debug: Using cached certificate for ca

Debug: Using cached certificate_request for slave1

Debug: Using cached certificate for ca

Debug: Using cached certificate for ca

Exiting; no certificate found and waitforcert is disabled

[root@slave1 ~]#

2 After signing, run on master

puppet cert list --all

to see that the certificate has been signed. Every client that has been issued a certificate is listed with a leading "+"; an entry without it is a pending request, which can be signed with

Note that in the agent output above the request is for the certname slave1, not slave1.ptmind.com: the agent's certname defaulted to the short hostname, which the pattern *.ptmind.com in autosign.conf does not match, so such a request stays pending and has to be signed by hand as shown below. To avoid this, make sure hostname -f returns the FQDN before the agent's first run, or set certname = slave1.ptmind.com in the [main] section of the agent's puppet.conf (and remove $vardir/ssl on the agent if a certificate for the short name was already generated).

puppet cert --sign slave1.ptmind.com

[root@master ~]# puppet cert --sign slave1

Notice: Signed certificate request for slave1

Notice: Removing file Puppet::SSL::CertificateRequest slave1 at '/var/lib/puppet/ssl/ca/requests/slave1.pem'
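The following audit helper is an added example, not part of the original article or of Puppet: it reads the output of puppet cert list --all, lists the requests still pending, and flags signed or pending names that are not FQDNs, which the *.ptmind.com autosign pattern would never match. The listing embedded in the script is constructed for the example in the format Puppet 3 prints (a leading + for signed, - for revoked, no marker for pending); the domain and host names are assumptions.

```shell
#!/bin/sh
# Added example: audit the output of `puppet cert list --all` on the master.
# Each line looks like:
#   + "name" (SHA256) AA:BB:...      signed certificate
#   - "name" (SHA256) AA:BB:...      revoked certificate
#     "name" (SHA256) AA:BB:...      pending request (no leading marker)
# Usage: sh audit-certs.sh              runs against the constructed sample below
#        puppet cert list --all | sh audit-certs.sh -

# Constructed sample listing (not real output); fingerprints are shortened.
CERT_LIST_SAMPLE='  "slave2.ptmind.com" (SHA256) 11:22:33:44:55:66:77:88
+ "slave1" (SHA256) 99:AA:BB:CC:DD:EE:FF:00
+ "master.ptmind.com" (SHA256) 01:23:45:67:89:AB:CD:EF (alt names: "DNS:master", "DNS:puppet")
- "retired.ptmind.com" (SHA256) FE:DC:BA:98:76:54:32:10'

# parse_cert_list: stdin = listing, stdout = "<signed|pending|revoked> <certname>" per line
parse_cert_list() {
    awk '
        {
            state = "pending"
            if ($1 == "+") state = "signed"
            else if ($1 == "-") state = "revoked"
            if (match($0, /"[^"]+"/))       # first quoted string is the certname
                print state, substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# pending_requests: certnames that still need `puppet cert sign`
pending_requests() {
    parse_cert_list | awk '$1 == "pending" { print $2 }'
}

# non_fqdn_certnames: live (not revoked) names without a dot; autosign.conf globs
# such as *.ptmind.com never match these, and name-based policy cannot trust them
non_fqdn_certnames() {
    parse_cert_list | awk '$1 != "revoked" && index($2, ".") == 0 { print $2 }'
}

# audit_cert_list: stdin = listing; prints one finding per line, returns 1 if there are any
audit_cert_list() {
    listing=$(cat)
    findings=0
    for name in $(printf '%s\n' "$listing" | pending_requests); do
        echo "PENDING   $name   (verify the host, then: puppet cert sign $name)"
        findings=$((findings + 1))
    done
    for name in $(printf '%s\n' "$listing" | non_fqdn_certnames); do
        echo "NOT-FQDN  $name   (agent ran with a short hostname; fix hostname or certname, then reissue)"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

if [ "$1" = "-" ]; then
    audit_cert_list
else
    printf '%s\n' "$CERT_LIST_SAMPLE" | audit_cert_list
fi
```

Run against the sample it reports slave2.ptmind.com as pending and slave1 as a non-FQDN certname, and exits non-zero, so it can be dropped into a cron job or monitoring check that alerts when certificates pile up unsigned or agents register under short names.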

6. Installing the Puppet agent on 64-bit CentOS 5.x

Agent installation on CentOS 5.9 x86_64

Add the EPEL yum repository

rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

Install the dependency packages

yum install ruby ruby-devel ruby-irb ruby-mysql ruby-rdoc ruby-ri -y

Install the Puppet agent on the clients

yum install puppet -y

chkconfig puppet on

service puppet start