puppet
功能和简介:用于多台服务器的批量管理和部署
需要的包: facter-1.6.18.tar.gz puppet-2.7.22.tar.gz (facter包是puppet的依赖包)
步骤:
server-ip:192.168.13.54 域名 www.wyx1.com
client-ip:192.168.13.55 域名 www.wyx2.com
server:
iptables -F
setenforce 0
hostname www.wyx1.com
vim /etc/hosts
192.168.13.54 www.wyx1.com
192.168.13.55 www.wyx2.com
1。时间同步,并写入crontab,服务端和客户端都要做 (有时可以不做)
15 1 ** * /usr/sbin/ntpdate pool.ntp.org; hwclock -w >/dev/null 2>&1
2.安装ruby--puppet是ruby语言编写的
yum install ruby ruby-libs ruby-rdoc -y
3.安装facter
tar xvf facter-1.6.18.tar.gz
cd facter-1.6.18
ruby install.rb
4.安装puppet
tar xvf puppet-2.7.22.tar.gz
cd puppet-2.7.22
ruby install.rb
5.复制配置文件
cp conf/redhat/fileserver.conf /etc/puppet/
cp conf/redhat/puppet.conf /etc/puppet/
cp conf/redhat/server.init /etc/init.d/puppetmaster
6.设置puppetmaster 服务开机启动
chmod 755 /etc/init.d/puppetmaster
chkconfig --add puppetmaster
chkconfig --level 35 puppetmaster on
7.创建puppet帐号
[[email protected] puppet-2.7.14]# puppetmasterd --mkusers
8.确认是否生成清单文件夹
[[email protected] puppet-2.7.14]# ls -l /etc/puppet/
-rw-r--r-- 1 root root 2552 Sep 3 12:11 auth.conf
-rwxr-xr-x 1 root root 381 Sep 3 12:13 fileserver.conf
drwxr-xr-x 2 root root 4096 Sep 3 12:17 manifests
-rwxr-xr-x 1 root root 853 Sep 3 12:13 puppet.conf
9.确认系统生成puppet用户
[[email protected] puppet-2.7.14]# id puppet
uid=1002(puppet) gid=1002(puppet) groups=1002(puppet)
cat /etc/passwd |grep puppet
puppet:x:1002:1002::/home/puppet:/bin/bash
10.保证/var/lib/puppet/rrd目录存在且属主是puppet
ls -l /var/lib/puppet/
total 36
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 bucket
drwxr-xr-x 2 root root 4096 Sep 3 12:17 facts
drwxr-xr-x 2 root root 4096 Sep 3 12:17 lib
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 reports
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 rrd
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 server_data
drwxrwx--x 8 puppet root 4096 Sep 3 12:26 ssl
drwxr-xr-t 2 root root 4096 Sep 3 12:17 state
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 yaml
11.查看端口
netstat -Tanlp | grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 4556/ruby
--------------------------------------------------------------------------------
client
1。时间同步,并写入crontab,服务端和客户端都要做 (有时可以不做)
15 1 ** * /usr/sbin/ntpdate pool.ntp.org; hwclock -w >/dev/null 2>&1
2.安装ruby--puppet是ruby语言编写的
yum install ruby ruby-libs ruby-rdoc -y
3.安装facter
tar xvf facter-1.6.18.tar.gz
cd facter-1.6.18
ruby install.rb
4.安装puppet
tar xvf puppet-2.7.22.tar.gz
cd puppet-2.7.22
ruby install.rb
5.复制配置文件
[[email protected] puppet-2.7.14]# cp conf/redhat/client.init /etc/init.d/puppet
[[email protected] puppet-2.7.14]# chkconfig --level 35 puppet on
[[email protected] puppet-2.7.14]# puppetd --mkusers
Could not prepare for execution: Got 1 failure(s) while initializing: change from absent to present
failed: Could not create user puppet: Execution of ‘/usr/sbin/useradd -g puppet -M puppet‘ returned 3: useradd:
invalid numeric argument ‘puppet‘
[[email protected] puppet-2.7.14]# groupadd puppet;useradd -g puppet -M puppet
[[email protected] puppet-2.7.14]# chmod 777 /etc/init.d/puppet
[[email protected] puppet-2.7.14]# service puppet start
Starting puppet: [ OK ]
6.测试解析与puppetmaster端口是否畅通
telnet www.wyx1.com 8140
Trying 192.168.13.54...
Connected to www.wyx1.com(192.168.13.54).
Escape character is ‘^]‘.
[[email protected] puppet-2.7.14]# puppetd --test --server www.wyx1.com
warning: peer certificate won‘t be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won‘t be verified in this SSL session
warning: peer certificate won‘t be verified in this SSL session
info: Creating a new SSL certificate request for client1.info.com
info: Certificate Request fingerprint (md5): 07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE
warning: peer certificate won‘t be verified in this SSL session
warning: peer certificate won‘t be verified in this SSL session
warning: peer certificate won‘t be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
# puppetd --test --server puppetmaster.info.com命令是指puppetd 从 puppetmaster.info.com去读取
puppet配置文件. 第一次连接,双方会进行ssl证书的验证,这是一个新的客户端,在服务器端那里还没有被认证,
因此需要在服务器端进行证书认证
-------------------------------------------------------------------------------
以下这步批准证书是在服务端操作
查看当前待批准证书列表:
[[email protected] ~]# puppetca -l
www.wyx2.com (07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE)
批准当前证书:
[[email protected] ~]# puppetca -s -a
notice: Signed certificate request for client1.info.com
notice: Removing file Puppet::SSL::CertificateRequest client1.info.com at‘/var/lib/puppet/ssl/ca/requests/client1.info.com.pem‘
查看验证签名,注意前面的+号,说明已经签名:
[[email protected] ~]# puppetca -a --list
+ www.wyx2.com (03:BE:50:AE:72:1A:39:79:17:F4:E5:74:FD:CC:BC:8C)
+ www.wyx1.com(97:34:BF:26:A6:0E:E9:9C:DB:76:D3:53:D0:56:60:83) (alt names: DNS:puppet, DNS:puppet.info.com, DNS:puppetmaster.info.com)
回到客户端操作,从服务端取回已批准的证书
puppetd --test --server www.wyx1.com
warning: peer certificate won‘t be verified in this SSL session
info: Caching certificate for client1.info.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for www.wyx2.com
info: Applying configuration version ‘1378188531
功能测试
服务端:
建立pp文件测试
puppet的第一个执行的代码是在/etc/puppet/manifest/site.pp ,因此这个文件必须存在,而且其他的代码也要通过代码来调用.
[[email protected] ~]# vim /etc/puppet/manifests/site.pp
node default {
file {"/tmp/viong.txt":
content=>"good,test pass!\nHello World!\n";}
}
上面的代码对默认连入的puppet客户端执行一个操作,在/tmp目录生成一个viong.txt文件,内容是good,test pass! 回车换行Hello World!回车换行.
初次创建pp文件,需要重启puppetmaster
[[email protected] ~]# service puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
客户端:
[[email protected] puppet-2.7.14]# puppetd --test --server www.wyx1.com
info: Caching catalog for www.wyx2.com
info: Applying configuration version ‘1378190404‘
notice: /Stage[main]//Node[default]/File[/tmp/viong.txt]/ensure: defined content as ‘{md5}4750aa5be82dae5db286a5859700dd51‘
notice: Finished catalog run in 0.03 seconds
8.如果报错
9.[[email protected] puppet-2.7.14]# puppetd --test --server www.wyx1.com
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Syntax error at end of file; expected ‘}‘ at /etc/puppet/manifests/site.pp:4 on node client1.info.com
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
可能是/etc/puppet/manifests/site.pp 这个文件书写格式有问题。
在客户端查看:
[[email protected] puppet-2.7.14]# ls -l /tmp/viong.txt
cat /tmp/viong.txt
good,test pass!
Hello World!
排错
1. 连接master的时候出现如下报错:
dnsdomainname: Unknown host
解决办法:检查机器主机名的设置,以及是否添加进hosts。
2. 连接master的时候出现如下报错:
err: Could not request certificate: getaddrinfo: Name or service not known
解决办法:服务器端没有配置hosts域名绑定,在hosts中添加。
3. 连接master的时候出现如下报错:
warning: peer certificate won‘t be verified in this SSL session
解决办法:服务端还没有返回签发证书,使用puppet cert --list查看
4. 连接master的时候出现如下报错:
err: Could not retrieve catalog from remote server: certificate verify failed
解决办法:客户端和服务器端时间不同步,SSL连接需要依赖主机上的时间是否正确。执行更新时间的命令:/sbin/ntpdate asia.pool.ntp.org
5.Puppet错误Run of Puppet configuration client already in progress; skipping解决:
rm -rf /var/lib/puppet/state/puppetdlock