当前位置: > CentOS > CentOS教程 >

CentOS5上如何安装Puppet?

时间:2014-10-17 12:12来源:linux.it.net.cn 作者:it

1.puppet介绍

Puppet是Puppet Labs基于ruby语言开发的自动化系统配置工具,可以以C/S模式或独立模式运行,支持对所有UNIX及类UNIX系统的批量配置和管理,最新版本也开始支持对Windows操作系统有限的一些管理。

Puppet适用于服务器管理的整个过程,比如初始安装、配置、更新以及系统下线。

2.puppet安装与配置

2.1服务器端安装

安装puppet-Server

首先在服务器端和客户端配置好hostname,因为puppet是基于hostname来检测的,同时都要修改hosts文件:

Puppet需要Ruby的支持,如果要查看命令行帮助的话需要额外ruby-rdoc这个软件包:

1.下载puppetlabs-release-5-5.noarch.rpm

参考网址:http://yum.puppetlabs.com/el/5/products/x86_64

安装


  1. [root@service~]#rpm-ivhpuppetlabs-release-5-5.noarch.rpm
  2. [root@service~]#yuminstallpuppet-server-y
  3. Installed:
  4.  
  5. puppet-server.noarch0:2.7.19-1.el5
  6. DependencyInstalled:
  7.  
  8. augeas-libs.x86_640:0.10.0-3facter.x86_641:1.6.11-1.el5puppet.noarch0:2.7.19-1.el5
  9.  
  10. ruby.x86_640:1.8.5-24.el5ruby-augeas.x86_640:0.4.1-1ruby-libs.x86_640:1.8.5-24.el5
  11.  
  12. ruby-shadow.x86_640:1.4.1-7

#这一步为默认安装rubyruby-libsruby-rdoc等软件包


  1. [root@service~]#/etc/init.d/puppetmasterstart

关闭iptables,关闭selinux


  1. [root@service~]#/etc/init.d/iptablesstop
  2. [root@service~]#sed-i'/SELINUX/s/enforcing/disabled/'/etc/selinux/config

2.2客户端安装

安装puppet

在client上安装puppet客户端:

Puppet需要Ruby的支持,如果要查看命令行帮助的话需要额外ruby-rdoc这个软件包:


  1. [root@service~]#rpm-ivhpuppetlabs-release-5-5.noarch.rpm
  2. [root@service~]#yuminstallpuppet–y
  3. Installed:
  4. puppet.noarch0:2.7.19-1.el5
  5. DependencyInstalled:
  6. augeas-libs.x86_640:0.10.0-3facter.x86_641:1.6.11-1.el5
  7. ruby.x86_640:1.8.5-24.el5ruby-augeas.x86_640:0.4.1-1
  8. ruby-libs.x86_640:1.8.5-24.el5ruby-shadow.x86_640:1.4.1-7
  9. Complete!

安装完毕!

2.3证书申请

Puppet客户端与服务器端是通过SSL隧道通信的,客户端安装完成后,需要向服务器端申请证书:

审批证书

a:client申请证书:

puppetd --test --server server.puppet.com

有出现SSl session字样


  1. [root@client~]#puppetd--test--serverserver.puppet.com
  2.  
  3. info:CreatinganewSSLkeyforclient.puppet.com
  4. info:Cachingcertificateforca
  5. info:CreatinganewSSLcertificaterequestforclient.puppet.com
  6. info:CertificateRequestfingerprint(md5):74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE
  7. Exiting;nocertificatefoundandwaitforcertisdisabled

b:server接受申请


  1. [root@server~]#puppetca--list
  2. "client.puppet.com"(74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE)

显示申请的client

批准证书


  1. [root@server~]#puppetca-sclient.puppet.com
  2. notice:Signedcertificaterequestforclient.puppet.com
  3. notice:RemovingfilePuppet::SSL::CertificateRequestclient.puppet.comat'
  4. /var/lib/puppet/ssl/ca/requests/client.puppet.com.pem'

puppetca –s hostname批准当前证书

puppetca -s -a签署所有证书请求

c:client取回已经通过的审批证书


  1. [root@client~]#puppetd--test--serverserver.puppet.com
  2.  
  3. info:Cachingcertificateforclient.puppet.com
  4. info:Cachingcertificate_revocation_listforca
  5. info:Cachingcatalogforclient.puppet.com
  6. info:Applyingconfigurationversion'1346237401'
  7. notice:Finishedcatalogrunin0.02seconds

完成

附:可能存在的错误

报错


  1. [root@client-109 ~]# puppetd -server server.puppet.com -test  
  2.  
  3. err: Could not retrieve catalog from remote server: certificate verify failed  
  4. warning: Not using cache on failed catalog  
  5. err: Could not retrieve catalog; skipping run 

原因:服务端与客户端时间不同步!

2.)报错


  1. [root@client ~]# puppetd --server server.puppet.com --test  
  2.  
  3. err: Could not retrieve catalog from remote server: Server hostname 'server.puppet.com'  
  4.  did not match server certificate; expected one of service.puppet.com,   
  5.  
  6. DNS:puppet, DNS:puppet.puppet.com, DNS:service.puppet.com 

原因:服务端hostname有误,检查server端的hostname!

3).报错


  1. [root@client~]#puppetd--test--serverserver.puppet.com
  2.  
  3. err:Couldnotretrievecatalogfromremoteserver:certificateverifyfailed:
  4.  
  5. [selfsignedcertificateincertificatechainfor/CN=PuppetCA:server.puppet.com]
  6. warning:Notusingcacheonfailedcatalog
  7. err:Couldnotretrievecatalog;skippingrun
  8. err:Couldnotsendreport:certificateverifyfailed:
  9.  
  10. [selfsignedcertificateincertificatechainfor/CN=PuppetCA:server.puppet.com]

原因:

如以上出现error字样则删除client上的ssl文件夹


  1. err:Couldnotretrievecatalogfromremoteserver:certificateverifyfailed
  2. warning:Notusingcacheonfailedcatalog
  3. err:Couldnotretrievecatalog;skippingrun
  4.  
  5. rm-rf/var/lib/puppet/ssl/
  6. 再次循环申请证书puppetd--test--serverserver.puppet.com

2.4验证puppet配置

在服务端写个例子测试一下。这个例子作用很简单,用来在客户端的/tmp目录下新建一个test.txt文件,内容为:hello,test!

在服务端编写代码:【服务器端不需要新建这个文件】


  1. vi/etc/puppet/manifests/site.pp  
  2.  
  3. nodedefault{  
  4.  
  5. file{  
  6.  
  7. "/tmp/test.txt":content=>"helo,test!";  
  8.  
  9. }  
  10.  

2.5客户端测试

在客户端执行puppetd,运行成功后会在/tmp看到新生成的test.txt:


  1. [root@client~]#puppetd--test--serverserver.puppet.com
  2. #显示如下
  3. info:Cachingcatalogforclient.puppet.com
  4. info:Applyingconfigurationversion'1346237596'
  5. notice:/Stage[main]//Node[default]/File[/tmp/test.txt]/ensure:definedcontentas'
  6. {md5}d7568aced6a958920309da96080e88e0'
  7. notice:Finishedcatalogrunin0.03seconds

最后查看cat/tmp/test.txt

hello,test!

此致puppet服务器端和客户端安装完毕,接下来就是深入的配置了。

2.6客户端设置守护进程

方法一:启动puppet后台运行

[root@client tmp]# puppetd --server server.puppet.com--verbose --waitforcert 60

注释:--server master指明服务器节点地址

--waitforcert连接server检查的时间间隔,60分钟

--verbose输出冗余信息(可选选项)

方法二:得用crontab作定时同步

3.深入了解puppet

3.1环境架构图

3.2服务端配置目录树


  1. |--fileserver.conf
  2. |--manifests
  3. ||--nodes.pp
  4. |`--site.pp
  5. |--modules#定义模块
  6. |`--users
  7. ||--file
  8. ||--manifests
  9. |||--adduser.pp
  10. |||--deluser.pp
  11. |||--init.pp
  12. |||--na.pp
  13. ||`--sa.pp
  14. |`--templates
  15. ||--caojin_authorized_keys.erb
  16. |`--jiaxin_authorized_keys.erb
  17. |--puppet.conf#主配置配置文件

3.3用户管理模块

user mofules目录树


  1. users
  2.  
  3. |--file
  4. |--manifests
  5. ||--adduser.pp#添加用户类
  6. ||--deluser.pp#删除用户
  7. ||--init.pp
  8. ||--na.pp
  9. |`--sa.pp
  10. `--templates
  11. |--caojin_authorized_keys.erb#用户key
  12. `--jiaxin_authorized_keys.erb#用户key

adduser.pp 文件


  1. classlinux::adduser{
  2. defineadd_user($username=,$useruid=,$userhome=,$usershell='/bin/bash',$groups)
  3. {
  4. user
  5. {$username:
  6. uid=>$useruid,
  7. shell=>$usershell,
  8. groups=>$groups,
  9. home=>"/home/$userhome",
  10. }
  11. file
  12. {"/home/$userhome":
  13. owner=>$useruid,
  14. group=>$useruid,
  15. mode=>700,
  16. ensure=>directory;
  17. }
  18. file
  19. {"/home/$userhome/.ssh":
  20. owner=>$useruid,
  21. group=>$useruid,
  22. mode=>700,
  23. ensure=>directory,
  24. require=>File["/home/$userhome"];
  25. }
  26. file
  27. {"/home/$userhome/.ssh/authorized_keys":
  28. owner=>$useruid,
  29. group=>$useruid,
  30. mode=>600,
  31. ensure=>present,
  32. content=>template("users/${userhome}_authorized_keys.erb"),
  33. require=>File["/home/$userhome/.ssh"];
  34. }
  35. }
  36. }

deluser.pp


  1. deluser.pp
  2. classlinux::deluser
  3. {
  4. user
  5. {
  6. "caojin":
  7. ensure=>absent,
  8. }
  9. }

sa.pp


  1. import"adduser.pp"
  2. classlinux::adduser::sainheritslinux::adduser
  3. {
  4. add_user
  5. {
  6. "jiaxin":
  7. useruid=>2000,
  8. username=>jiaxin,
  9. userhome=>"jiaxin",
  10. groups=>$operatingsystem?{
  11. Ubuntu=>["admin"],
  12. CentOS=>["wheel"],
  13. RedHat=>["wheel"],
  14. default=>["wheel"],
  15. },
  16. }
  17. }
(责任编辑:IT)
------分隔线----------------------------
栏目列表
推荐内容