Puppet Installation and Configuration Notes on CentOS 6.3

Posted by luashin on 2016-03-13

I recently spent some spare time looking into puppet, the open-source tool from abroad that is said to be a favourite of the ops crowd. Originally I wanted to put together a consolidated document for building the newest version from source, but I ran into all sorts of errors while debugging. After googling some foreign articles, which said there are many incompatibilities between the newest versions, I gave up on that, found a set of versions that work together, and tested them successfully. It took two days of messing around, a real pain. I have now consolidated my notes into this document to share with everyone.

System environment: CentOS 6.3

puppet:  puppet-2.7.13

facter:  facter-1.6.5

ruby:    from the yum repository

Note:

facter collects client system information (hostname, IP, OS version, FQDN, etc.)

ruby is the runtime puppet is written in and runs on

 
puppet server: 192.168.7.196

puppet client: 192.168.7.197

(server) marks steps for the server only

(client) marks steps for the client only

(server,client) marks steps for both server and client


I. Prepare the environment (server,client):
1. Stop iptables and disable SELinux (server,client)

# service iptables stop

# setenforce 0

# vim /etc/sysconfig/selinux

---------------

SELINUX=disabled

--------------- 


2. Install the ruby development environment (from the default CentOS 6.3 yum repository) (server,client)

# yum -y install ruby* 


3. Schedule time synchronization (server,client)

Synchronize the clock every 5 minutes

# crontab -e

-------------

*/5 * * * * /usr/sbin/ntpdate -u asia.pool.ntp.org

-------------

# service crond restart

# chkconfig crond on 


4. Set the hosts entries and hostnames on the server and client:

(server,client)

# vim /etc/hosts

-------------------

192.168.7.196    server.example.com    server

192.168.7.197    client.example.com    client

------------------- 


(server)

# vim /etc/sysconfig/network

----------------

HOSTNAME=server.example.com

---------------- 


(client)

# vim /etc/sysconfig/network

----------------

HOSTNAME=client.example.com

----------------

II. Install the software (server,client):

(server):
1. Install facter:

# wget

# tar zxvf facter-1.6.5.tar.gz

# cd facter-1.6.5

# ruby install.rb


2. Install puppet:

# wget

# tar zxvf puppet-2.6.13.tar.gz

# cd puppet-2.6.13

# ruby install.rb

# cp conf/auth.conf /etc/puppet/

# cp conf/RedHat/fileserver.conf /etc/puppet/

# cp conf/redhat/puppet.conf /etc/puppet/

# mkdir -p /etc/puppet/manifests

 
Set up the init script to start at boot:

# cp conf/redhat/server.init /etc/init.d/puppetmaster

# chmod +x /etc/init.d/puppetmaster

# chkconfig --add puppetmaster

# chkconfig puppetmaster on

 
Create the puppet user:

# puppetmasterd --mkusers


Start the puppetmaster service (port 8140):

# service puppetmaster start

 

(client):
1. Install facter:

# wget

# tar zxvf facter-1.6.5.tar.gz

# cd facter-1.6.5

# ruby install.rb

 
2. Install puppet:

# wget

# tar zxvf puppet-2.6.13.tar.gz

# cd puppet-2.6.13

# ruby install.rb

# cp conf/auth.conf /etc/puppet/

# cp conf/namespaceauth.conf /etc/puppet/

# cp conf/redhat/puppet.conf /etc/puppet/

 
Set up the init script to start at boot:

# cp conf/redhat/client.init /etc/init.d/puppet

# chmod +x /etc/init.d/puppet

# chkconfig --add puppet

# chkconfig puppet on

# vi /etc/puppet/puppet.conf

Add the following under the [agent] section:

-------

Listen = true

Server = server.example.com

--------

 
# vi /etc/puppet/namespaceauth.conf

Change it to the following:

---------

[fileserver]

allow *

[puppetmaster]

allow *

[puppetrunner]

allow *

[puppetbucket]

allow *

[puppetreports]

allow *

[resource]

allow *

---------


Create the puppet user:

# puppetmasterd --mkusers


Start the puppet service (port 8140):

# /etc/init.d/puppet start

Installation is now complete. Next, the authentication between client and server has to be configured so that the configuration held on the server can be distributed to each client, giving centralized configuration management.

III. Authenticate and distribute:

(client):

The client sends a certificate request

# puppetd --test --server server.example.com


Error:

--------------------

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

warning: Not using cache on failed catalog

err: Could not retrieve catalog; skipping run

--------------------

Solution:

This is probably caused by the client having talked to two different puppetmaster servers. The fix is to delete the existing SSL certificates (note that the command below removes every file under /var/lib/puppet, not only the SSL material).

# find /var/lib/puppet -type f -print0 |xargs -0r rm


Send the request again:

# puppetd --test --server server.example.com

-------------------

info: Creating a new SSL key for client.example.com

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for ca

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

info: Creating a new SSL certificate request for client.example.com

info: Certificate Request fingerprint (md5): 32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

Exiting; no certificate found and waitforcert is disabled

-------------------

The request was sent successfully.

(server):
On the server, check whether any clients have requested a certificate

# puppetca --list

------------------

client.example.com (32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99)

------------------

The client's certificate request has been received


On the server, sign the certificate for client.example.com

# puppetca -s client.example.com


Or sign all pending clients at once

# puppetca -s -a


Check the signatures; the leading + sign shows the certificate has been signed (the fingerprint listed now is that of the signed certificate, which is why it differs from the request fingerprint above)

# puppetca -a --list

---------------------

+ client.example.com (19:6F:4C:84:B1:69:16:3C:A1:38:C2:2E:6F:B6:67:12)

---------------------
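Before signing, the fingerprint the client printed for its request should be compared with the one puppetca lists for that host, instead of signing everything at once with puppetca -s -a. The shell functions below are an added example, not part of the original post: the helper names and the sample listing are constructed, and the listing format is the one puppetca --list shows above.

```shell
# Constructed sample of "puppetca -a --list" output in the format shown on
# this page: pending requests have no prefix, signed certificates are
# prefixed with "+".
SAMPLE_LISTING='client.example.com (32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99)
+ web1.example.com (19:6F:4C:84:B1:69:16:3C:A1:38:C2:2E:6F:B6:67:12)'

# normalize_fp: upper-case a fingerprint and strip colons and spaces so that
# "32:e8:cd..." and "32E8CD..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# pending_fp <host> <listing>: print the fingerprint of <host>'s *pending*
# request from a puppetca listing; return 1 if no pending request is found.
# Lines starting with "+" are already signed and are deliberately skipped.
pending_fp() {
    printf '%s\n' "$2" | awk -v h="$1" '
        $1 == h && $2 ~ /^\(.*\)$/ { gsub(/[()]/, "", $2); print $2; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# csr_matches <host> <expected_fp> <listing>: return 0 only when a pending
# request for <host> exists and carries exactly the expected fingerprint.
csr_matches() {
    actual=$(pending_fp "$1" "$3") || return 1
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# sign_if_matching <host> <expected_fp>: run on the master; signs the request
# with "puppetca -s" only after the fingerprint check passes.
sign_if_matching() {
    listing=$(puppetca -a --list) || return 1
    if csr_matches "$1" "$2" "$listing"; then
        puppetca -s "$1"
    else
        echo "refusing to sign $1: no pending request with fingerprint $2" >&2
        return 1
    fi
}
```

Run sign_if_matching on the master with the hostname and the fingerprint read off the client's puppetd --test output.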


Compare md5 sums to verify that the certificate the server signed and the one the client cached are identical

(server):

# md5sum /var/lib/puppet/ssl/ca/signed/client.example.com.pem

---------------------

1ebfd47775ec8f3e2ae112d75ccba132 /var/lib/puppet/ssl/ca/signed/client.example.com.pem

---------------------

(client):

# md5sum /var/lib/puppet/ssl/certs/client.example.com.pem

---------------------

1ebfd47775ec8f3e2ae112d75ccba132  /var/lib/puppet/ssl/certs/client.example.com.pem

---------------------

The MD5 values match, so our puppetmaster and the client's puppet have successfully established communication.

Note: if authentication fails because the hostname was changed, the certificate has to be requested again; do this in the following two steps:

(server):

# rm -rf /var/lib/puppet/ssl/ca/signed/*.pem  //"*.pem" is the certificate of the host whose hostname was changed

(client):

# rm -rf /var/lib/puppet/ssl/
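The two steps above delete the certificate material outright. As an added example (not from the original post), the shell functions below do the client-side step more conservatively: they move /var/lib/puppet/ssl to a timestamped backup instead of deleting it, refuse to run if the directory is missing, and then issue the same puppetd re-request the page uses. The function names are constructed.

```shell
# reset_agent_ssl <ssl_dir> <backup_root>
# Moves <ssl_dir> to <backup_root>/ssl.<timestamp> and prints the backup path,
# so the old key and certificate can be inspected or restored later.
# Returns 1 if <ssl_dir> does not exist, so a mistyped path cannot "succeed".
reset_agent_ssl() {
    ssl_dir=$1; backup_root=$2
    [ -d "$ssl_dir" ] || { echo "no such directory: $ssl_dir" >&2; return 1; }
    mkdir -p "$backup_root" || return 1
    backup="$backup_root/ssl.$(date +%Y%m%d%H%M%S)"
    mv "$ssl_dir" "$backup" || return 1
    printf '%s\n' "$backup"
}

# rerequest_cert <server>: after the reset, ask the master for a fresh
# certificate with the command this page uses. The new request's fingerprint
# is then confirmed with "puppetca --list" on the master before signing.
rerequest_cert() {
    puppetd --test --server "$1"
}

# Typical client-side use after a hostname change (paths from this page):
#   reset_agent_ssl /var/lib/puppet/ssl /var/lib/puppet/ssl-backups
#   rerequest_cert server.example.com
```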


Configuration is complete; now verify that distribution works:
(server):

Edit the server-side manifest:

# vim /etc/puppet/manifests/site.pp

-----------------

node default {
  file { "/tmp/test":
    content => "this is a test file";
  }
}

-----------------


Restart puppetmaster so it picks up the new manifest.

# service puppetmaster restart


(client):
Restart puppet (optional)

# service puppet restart


Synchronize the file:

# puppetd --server server.example.com  --test

------------------

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for client.example.com

info: Caching certificate_revocation_list for ca

info: Caching catalog for client.example.com

info: Applying configuration version '1369124449'

notice: /Stage[main]//Node[default]/File[/tmp/test]/ensure: defined content as '{md5}100b144907af2a4786003758a0a6a563'

info: Creating state file /var/lib/puppet/state/state.yaml

notice: Finished catalog run in 0.02 seconds

------------------


Check that /tmp/test exists and has the expected content

# cat /tmp/test

-----------

this is a test file

-----------


----------- Done -------------

The individual functional modules of puppet are not covered here.



From "ITPUB Blog", link: http://blog.itpub.net/9034054/viewspace-2056639/. Please credit the source if you repost; otherwise legal action will be pursued.
