I. Overview
1. Architecture
By default the agent contacts the master every 30 minutes to fetch its catalog. The master first authenticates the requester by the certificate the agent presents, and checks that the subject name embedded in that certificate matches the node name the requester reports. If this verification passes, the master looks up the configuration that belongs to the requesting agent according to the node definitions, compiles it locally into a catalog, and sends the compiled result to the agent. The agent then compares the catalog against its local state, enforces it to reach the desired state, and finally sends a report back to the master.
II. Installation and configuration
1. Lab environment
master:master.a.com 192.168.85.129
agent:node1.a.com 192.168.85.130
2. Prerequisites
The master and the agent must be able to resolve each other's hostnames, and their clocks must be synchronised.
2.1 Hostname resolution
[root@master ~]# hostname
master.a.com
[root@master ~]# vim /etc/hosts
192.168.85.129 master.a.com master
192.168.85.130 node1.a.com node1
[root@node1 ~]# hostname
node1.a.com
[root@node1 ~]# cat /etc/hosts
192.168.85.129 master.a.com master
192.168.85.130 node1.a.com node1
2.2 Time synchronisation
[root@master ~]# ntpdate ntp.nyist.net
24 Jun 18:39:29 ntpdate[2462]: step time server 59.69.128.35 offset 521452.389257 sec
[root@node1 ~]# ntpdate ntp.nyist.net
24 Jun 18:39:36 ntpdate[2569]: step time server 59.69.128.35 offset 520029.426923 sec
3. Installation and configuration
3.1 Master side
[root@master ~]# wget
[root@master ~]# rpm -ivh puppetlabs-release-6-12.noarch.rpm
[root@master ~]# yum install facter puppet puppet-server -y
Initialise the master:
[root@master ~]# puppet master --no-daemonize -v -d # if no errors appear, stop it with CTRL+C
Location of the files generated by initialisation:
[root@master ~]# cd /var/lib/puppet/
[root@master puppet]# ls
bucket facts.d lib preview reports rrd server_data ssl state yaml
Provide a master configuration (optional):
The /etc/puppet/puppet.conf file contains only the global [main] section and the agent [agent] section; there is no section for the master itself. You can therefore generate a master section, append it to /etc/puppet/puppet.conf, and edit its contents as needed to configure the master:
[root@master ~]# puppet master --genconfig >> /etc/puppet/puppet.conf
Start the service:
[root@master ~]# service puppetmaster start
启动 puppetmaster:[确定]
[root@master ~]# service puppetmaster status
puppet (pid 2703) 正在运行...
[root@master ~]# netstat -ntlp | grep 2703
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 2703/ruby
3.2 Agent side
[root@node1 ~]# wget
[root@node1 ~]# rpm -ivh puppetlabs-release-6-12.noarch.rpm
[root@node1 ~]# yum install puppet facter -y
Note: puppet.conf already contains a default [agent] section. If you do not want to use those settings, you can generate an agent-specific configuration with puppet agent --genconfig and use its output to replace the [agent] section of the configuration file.
Start the service:
[root@node1 ~]# service puppet start
启动 puppet:[确定]
[root@node1 ~]# service puppet status
puppet (pid 29437) 正在运行...
4. Certificate configuration (the server-side certificate management command is puppet cert)
4.1 The client requests a signature:
The puppet agent subcommand takes several options:
--noop: perform a dry run, reporting what would change without applying it;
--test: run once in test mode;
--server: specify the master;
[root@node1 ~]# puppet agent --server master.a.com -v -d --test
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node1.a.com
Info: Certificate Request fingerprint (SHA256): 23:DB:FE:96:56:79:74:CE:93:D1:29:79:F8:7B:74:B5:FF:90:2B:AF:33:37:E8:B5:94:DA:48:DB:F5:1D:FA:82
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
If you see the output above, everything is working. If instead you get the error
Error: Could not request certificate: No route to host - connect(2), the firewall on one or both hosts is probably still enabled; turn it off.
4.2 List the certificate requests waiting to be signed on the server:
[root@master ~]# puppet cert list
"node1.a.com" (SHA256) 23:DB:FE:96:56:79:74:CE:93:D1:29:79:F8:7B:74:B5:FF:90:2B:AF:33:37:E8:B5:94:DA:48:DB:F5:1D:FA:82
4.3 Sign the certificate on the server side:
[root@master ~]# puppet cert sign node1.a.com
Notice: Signed certificate request for node1.a.com
Notice: Removing file Puppet::SSL::CertificateRequest node1.a.com at '/var/lib/puppet/ssl/ca/requests/node1.a.com.pem'
4.4 After signing (entries marked with + have already been signed)
[root@master manifests]# puppet cert list --all
+ "master.a.com" (SHA256) 63:D4:36:B1:E1:0C:AA:85:7F:4E:A1:90:C3:1E:11:78:74:2B:4C:7B:3A:E3:E9:BB:B6:7B:4F:DF:3A:E5:87:AF (alt names: "DNS:master.a.com", "DNS:puppet", "DNS:puppet.a.com")
+ "node1.a.com" (SHA256) 4C:ED:0D:AB:D7:3B:B4:DB:DE:B6:A7:98:FC:56:B6:36:D2:8A:EE:B7:51:7C:BD:FB:60:97:DF:BE:7C:2B:63:36
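Before running puppet cert sign, the fingerprint printed by the agent (4.1) should be compared with the one the master lists (4.2), so that only the CSR you actually generated gets signed. The following shell helper, added here and not part of the original post, automates that comparison; it assumes the `puppet cert list` output format shown above and that the agent's fingerprint was copied out-of-band (the sample list and the node2.a.com entry are constructed).

```shell
#!/bin/sh
# Added example: gate `puppet cert sign` on an out-of-band fingerprint check.

# Print the SHA256 fingerprint that `puppet cert list` reports for one node.
# $1 = node name; stdin = output of `puppet cert list`
pending_fingerprint() {
  awk -v node="\"$1\"" '$1 == node && $2 == "(SHA256)" { print $3; exit }'
}

# Normalise a fingerprint so "ab:cd", "AB:CD" and "ABCD" compare equal.
norm_fp() {
  printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# Decide whether a pending CSR may be signed. Prints "sign" and returns 0
# only when the listed fingerprint matches the one the agent reported.
# $1 = node name; $2 = fingerprint from the agent; stdin = `puppet cert list`
csr_decision() {
  listed=$(pending_fingerprint "$1")
  if [ -z "$listed" ]; then
    echo "refuse: no pending request for $1"
    return 1
  fi
  if [ "$(norm_fp "$listed")" = "$(norm_fp "$2")" ]; then
    echo "sign"
    return 0
  fi
  echo "refuse: fingerprint mismatch for $1"
  return 1
}

# Constructed sample of `puppet cert list` output with two pending requests
# (node1.a.com is the fingerprint from the page; node2.a.com is made up).
SAMPLE_LIST='"node1.a.com" (SHA256) 23:DB:FE:96:56:79:74:CE:93:D1:29:79:F8:7B:74:B5:FF:90:2B:AF:33:37:E8:B5:94:DA:48:DB:F5:1D:FA:82
"node2.a.com" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Real use on the master (AGENT_FP copied from the agent's 4.1 output):
#   puppet cert list | csr_decision node1.a.com "$AGENT_FP" && puppet cert sign node1.a.com
```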
Supplement:
(1) Once server = master.a.com has been added to puppet.conf on the agent, you can simply run puppet agent -v -d --test
(2) If you run into errors, see:
III. Example
1. Server side
1.1 Create the module directories
[root@bogon modules]# mkdir -pv nginx/{manifests,files,template}
mkdir: 已创建目录 "nginx"
mkdir: 已创建目录 "nginx/manifests"
mkdir: 已创建目录 "nginx/files"
mkdir: 已创建目录 "nginx/template"
1.2 Provide the init.pp file
[root@master manifests]# cat init.pp
class nginx {
  package { 'nginx':
    ensure => installed,
    name   => 'nginx',
  }
}
1.3 Provide the two Nginx configuration files (only the parameters below differ; everything else is identical)
[root@master files]# pwd
/etc/puppet/modules/nginx/files
[root@master files]# cat nginx_web.conf
worker_processes 1;
keepalive_timeout 60;
[root@master files]# cat nginx_proxy.conf
worker_processes 2;
keepalive_timeout 65;
1.4 Provide the subclass .pp files
[root@master manifests]# pwd
/etc/puppet/modules/nginx/manifests
[root@master manifests]# cat web.pp
class nginx::web inherits nginx {
  file { 'nginx_web.conf':
    ensure  => file,
    source  => 'puppet:///modules/nginx/nginx_web.conf',
    path    => '/etc/nginx/nginx.conf',
    require => Package['nginx'],
  }
  service { 'nginx':
    ensure    => true,
    name      => 'nginx',
    subscribe => File['nginx_web.conf'],
  }
}
[root@master manifests]# cat proxy.pp
class nginx::proxy inherits nginx {
  file { 'nginx_proxy.conf':
    ensure  => file,
    source  => 'puppet:///modules/nginx/nginx_proxy.conf',
    path    => '/etc/nginx/nginx.conf',
    require => Package['nginx'],
  }
  service { 'nginx':
    ensure    => true,
    name      => 'nginx',
    subscribe => File['nginx_proxy.conf'],
  }
}
1.5 Provide the site manifest, the entry point for all classes
[root@master manifests]# pwd
/etc/puppet/manifests
[root@master manifests]# vim site.pp
node 'node1.a.com' {
  include nginx::web
}
Or
provide a .pp file dedicated to node1:
[root@master manifests]# pwd
/etc/puppet/manifests
[root@master manifests]# cat node1.a.com.pp
node 'node1.a.com' {
  include nginx::web
}
then change the contents of site.pp to:
import "node1.a.com.pp"
2. Request the catalog from the master on the agent
[root@node1 ~]# rpm -q nginx
package nginx is not installed
[root@node1 ~]# puppet agent --server master.a.com --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node1.a.com
Info: Applying configuration version '1466784257'
Notice: Finished catalog run in 2.00 seconds
3. Verification
[root@node1 ~]# rpm -q nginx
nginx-1.0.15-12.el6.x86_64
[root@node1 ~]# service nginx status
nginx (pid 33426) 正在运行...
[root@node1 nginx]# pwd
/etc/nginx
[root@node1 nginx]# cat /etc/nginx/nginx.conf | grep worker_processes
worker_processes 1;
[root@node1 nginx]# cat /etc/nginx/nginx.conf | grep keepalive_timeout
keepalive_timeout 60;
Reference article: