
Puppet-1: Puppet Installation and Configuration Test

2015-09-22 00:00, 447 views
Abstract: Puppet installation

I. Environment preparation

Two machines:

172.16.114.170,172.16.114.169

1. Change the hostname

[root@master yum.repos.d]# vi /etc/sysconfig/network

[root@master yum.repos.d]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=master.harry.com

[root@master yum.repos.d]# vi /etc/hosts

[root@master yum.repos.d]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.114.170 master.harry.com master
172.16.114.169 agent1.harry.com agent1

[root@master yum.repos.d]# reboot

[root@master yum.repos.d]# hostname

2. Prepare the repo

Create a custom puppet.repo ==> pick the repo that matches your own server's OS release

[root@master yum.repos.d]# ls -l /etc/yum.repos.d/
total 32
-rw-r--r--. 1 root root 1991 Aug  3 09:13 CentOS-Base.repo
-rw-r--r--. 1 root root  647 Aug  3 09:13 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root  630 Aug  3 09:13 CentOS-Media.repo
-rw-r--r--. 1 root root 6259 Aug  3 09:13 CentOS-Vault.repo
-rw-r--r--. 1 root root  289 Aug  3 09:13 CentOS-fasttrack.repo
-rw-r--r--. 1 root root  225 Sep 21 08:44 puppet.repo

[root@master yum.repos.d]# cat puppet.repo
[puppet-repo]
name=puppet-repo
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
gpgcheck=0
enabled=1

[rubygem-repo]
name=rubygem-repo
baseurl=http://yum.puppetlabs.com/el/6.5/dependencies/x86_64/
gpgcheck=0
enabled=1
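Both repos above set gpgcheck=0, so yum installs whatever the mirror (reached over plain http) serves, without checking the vendor's RPM signature; a tampered mirror or an on-path attacker can then hand the future Puppet master arbitrary packages. The following POSIX shell script is an added example, not part of the original post: it audits .repo files for that setting and writes the post's own puppet.repo next to a hardened form for comparison. The gpgkey path in the hardened file is an assumption; the vendor's signing key has to be fetched and its fingerprint checked out-of-band before it is imported there.

```shell
#!/bin/sh
# Added example (not from the original post): audit yum .repo files for
# repository sections that set gpgcheck=0, i.e. install unsigned/unverified RPMs.

# Print "<file>: [<repo-id>] ..." for every section with gpgcheck=0.
# Returns 0 when no such section exists in the file, 1 otherwise.
audit_repo_file() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (id != "" && gpgcheck == "0") {
                printf "%s: [%s] gpgcheck=0, packages install unverified\n", FILENAME, id
                bad = 1
            }
            id = ""; gpgcheck = ""
        }
        /^[ \t]*\[.*\][ \t]*$/ {      # start of a [repo-id] section
            flush()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\][ \t]*$/, "", id)
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {    # gpgcheck=<value>, value trimmed of whitespace
            gpgcheck = $0; sub(/^[^=]*=[ \t]*/, "", gpgcheck); sub(/[ \t]*$/, "", gpgcheck)
            next
        }
        END { flush(); exit bad }
    ' "$1"
}

# Number of repo sections in a file that disable signature checking.
count_unverified_repos() {
    audit_repo_file "$1" | wc -l | tr -d ' '
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed copy of the weak puppet.repo shown in the post.
WEAK_REPO="$SAMPLE_DIR/puppet.repo"
cat > "$WEAK_REPO" <<'EOF'
[puppet-repo]
name=puppet-repo
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
gpgcheck=0
enabled=1

[rubygem-repo]
name=rubygem-repo
baseurl=http://yum.puppetlabs.com/el/6.5/dependencies/x86_64/
gpgcheck=0
enabled=1
EOF

# Hardened form: yum verifies every RPM against a locally imported vendor key.
# The gpgkey path is an assumption; import the vendor key there only after
# checking its fingerprint out-of-band.
HARDENED_REPO="$SAMPLE_DIR/puppet-hardened.repo"
cat > "$HARDENED_REPO" <<'EOF'
[puppet-repo]
name=puppet-repo
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1

[rubygem-repo]
name=rubygem-repo
baseurl=http://yum.puppetlabs.com/el/6.5/dependencies/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
EOF

for f in "$WEAK_REPO" "$HARDENED_REPO"; do
    if audit_repo_file "$f"; then
        echo "$f: all repos verify package signatures"
    else
        echo "$f: fix before running yum install"
    fi
done
```

On a real host, run the same check over `/etc/yum.repos.d/*.repo` before the `yum install puppet puppet-server` step; with gpgcheck=1 and the vendor key imported, a package substituted on the mirror or in transit over http is rejected instead of installed on the master.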

II. Installation

[root@master yum.repos.d]# yum install puppet puppet-server -y

[root@master yum.repos.d]# rpm -qa|grep puppet
puppet-3.8.2-1.el6.noarch
puppet-server-3.8.2-1.el6.noarch

[root@master ~]# tree /etc/puppet/
/etc/puppet/
|-- auth.conf
|-- environments
|   `-- example_env
|       |-- manifests
|       |-- modules
|       `-- README.environment
|-- fileserver.conf
|-- manifests
|-- modules
`-- puppet.conf

6 directories, 4 files


III. Server-side configuration

[root@master ~]# vi /etc/puppet/puppet.conf

In the [master] section add certname, set to the host's fully qualified domain name. Adding certname and pinning it to the host's FQDN serves two purposes:
1: it makes certificate-related problems easier to resolve
2: it avoids Ruby SSL code errors

[master]
certname=master.harry.com

[root@master ~]# touch /etc/puppet/manifests/site.pp

[root@master ~]# service iptables stop

[root@master ~]# puppet master --verbose --no-daemonize

[Viewing signatures on the server]
[root@master ~]# puppet cert --list --all
Several nodes are listed; an entry that begins with "+" has already been signed.

[root@master puppet]# puppet cert --list --all
+ "agent1_cert.harry.com" (SHA256) E2:F3:9E:4A:E9:78:F8:D2:3E:D5:C3:A0:CF:BB:44:EA:F4:CF:F0:9C:13:07:1D:A9:E7:77:CE:37:D4:ED:0C:54
+ "agent2_cert.harry.com" (SHA256) BA:4C:12:85:65:96:B7:9D:52:F9:F1:96:09:7B:40:1E:D4:8C:2C:5A:13:30:95:B2:48:27:8A:78:5C:53:75:16
+ "master.harry.com"      (SHA256) 29:BB:AE:48:AB:DF:B5:AC:87:73:0F:0B:B5:7A:A5:8F:64:0E:1D:E2:89:BF:14:BF:0C:A1:61:FA:10:66:CA:4D (alt names: "DNS:master.harry.com", "DNS:puppet", "DNS:puppet.harry.com")
+ "master_cert.harry.com" (SHA256) 8F:6E:0F:BA:87:30:2B:F8:59:63:D5:B1:CB:7E:E5:55:6A:03:37:4E:B3:19:AD:AA:27:14:8B:7E:76:44:5D:90

Sign the agent's certificate

[root@master puppet]# puppet cert --sign agent1.harry.com

Verify again
[root@master puppet]# puppet cert --list --all

Alternatively, all signed certificates can be seen as follows:
[root@master puppet]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
|-- ca
|   |-- ca_crl.pem
|   |-- ca_crt.pem
|   |-- ca_key.pem
|   |-- ca_pub.pem
|   |-- inventory.txt
|   |-- private
|   |   `-- ca.pass
|   |-- requests
|   |-- serial
|   `-- signed
|       |-- agent1_cert.harry.com.pem
|       |-- agent2_cert.harry.com.pem
|       |-- master_cert.harry.com.pem
|       `-- master.harry.com.pem
|-- certificate_requests
|   `-- master_cert.harry.com.pem
|-- certs
|   |-- ca.pem
|   |-- master_cert.harry.com.pem
|   `-- master.harry.com.pem
|-- crl.pem
|-- private
|-- private_keys
|   |-- master_cert.harry.com.pem
|   `-- master.harry.com.pem
`-- public_keys
    |-- master_cert.harry.com.pem
    `-- master.harry.com.pem

9 directories, 20 files


IV. Agent-side configuration

[root@agent1 ~]# puppet agent --server=master.harry.com --no-daemonize --verbose
info:Creating a ...
info:Create a new ..
warning:peer certificate won't verified in this SSL session

At this point the agent connects to the server and submits its certificate request for signing ==> [view and sign it on the server side]
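The `puppet cert --list --all` listing in section III and the agent's first run above are the two halves of one trust decision: a request shows up as pending on the master, and whoever signs it decides which host may fetch catalogs as that certname. The following POSIX shell script is an added example, not part of the original post: it parses the listing format shown above (a leading "+" means signed, "-" revoked, neither means pending) and refuses to sign unless the request's SHA256 fingerprint equals the one read from the agent itself via `puppet agent --fingerprint`. The listing, the fingerprints and the host oldagent.harry.com are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): only sign a pending Puppet agent
# request whose fingerprint matches what the agent printed locally.

# Print signed|pending|revoked|absent for certname $2 in listing text $1.
cert_state() {
    printf '%s\n' "$1" | awk -v name="\"$2\"" '
        index($0, name) {
            if ($1 == "+") print "signed"
            else if ($1 == "-") print "revoked"
            else print "pending"          # no marker: request awaiting signature
            found = 1
            exit
        }
        END { if (!found) print "absent" }'
}

# Print the SHA256 fingerprint recorded for certname $2 in listing text $1.
cert_fingerprint() {
    printf '%s\n' "$1" | awk -v name="\"$2\"" '
        index($0, name) {
            for (i = 1; i < NF; i++) if ($i == "(SHA256)") { print $(i + 1); exit }
        }'
}

# Refuse unless $2 is pending and its request fingerprint equals $3, the value
# the operator read off the agent with `puppet agent --fingerprint`.
# Returns 0 only when signing is safe; prints the reason either way.
verify_before_sign() {
    _state=$(cert_state "$1" "$2")
    if [ "$_state" != "pending" ]; then
        echo "refuse: $2 is $_state, nothing to sign"
        return 1
    fi
    _req=$(cert_fingerprint "$1" "$2")
    if [ "$_req" != "$3" ]; then
        echo "refuse: fingerprint mismatch for $2 (request $_req, agent reports $3)"
        return 1
    fi
    echo "ok: fingerprints match, run: puppet cert --sign $2"
    return 0
}

# Constructed sample of `puppet cert --list --all` output in the post's format.
SAMPLE_LISTING='  "agent1.harry.com"   (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
+ "master.harry.com"   (SHA256) 29:BB:AE:48:AB:DF:B5:AC:87:73:0F:0B:B5:7A:A5:8F:64:0E:1D:E2:89:BF:14:BF:0C:A1:61:FA:10:66:CA:4D (alt names: "DNS:master.harry.com", "DNS:puppet")
- "oldagent.harry.com" (SHA256) AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA'

# Constructed: what `puppet agent --fingerprint` printed on agent1 itself.
AGENT1_REPORTED_FP='11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# Genuine request: fingerprints agree, signing is allowed.
verify_before_sign "$SAMPLE_LISTING" agent1.harry.com "$AGENT1_REPORTED_FP"
# Request under the same certname but a different key: refused.
verify_before_sign "$SAMPLE_LISTING" agent1.harry.com \
    "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" || true
```

In practice the listing text comes from `puppet cert --list --all` on the master and the expected fingerprint from the agent's own console, so a request that arrives under a real node's certname from some other machine is spotted before `puppet cert --sign` hands it a certificate; the "peer certificate won't be verified" warning on the agent's first run is expected only for that unsigned first contact.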