CentOS5上如何安装Puppet？

时间:2014-10-17 12:12 来源:linux.it.net.cn 作者:it

1.puppet介绍

Puppet是Puppet Labs基于ruby语言开发的自动化系统配置工具，可以以C/S模式或独立模式运行，支持对所有UNIX及类UNIX系统的批量配置和管理，最新版本也开始支持对Windows操作系统有限的一些管理。

Puppet适用于服务器管理的整个过程，比如初始安装、配置、更新以及系统下线。

2.puppet安装与配置

2.1服务器端安装

安装puppet-Server

首先在服务器端和客户端配置好hostname，因为puppet是基于hostname来检测的，同时都要修改hosts文件：

Puppet需要Ruby的支持，如果要查看命令行帮助的话需要额外ruby-rdoc这个软件包：

1.下载puppetlabs-release-5-5.noarch.rpm

参考网址：http://yum.puppetlabs.com/el/5/products/x86_64

安装

[root@service~]#rpm-ivhpuppetlabs-release-5-5.noarch.rpm
[root@service~]#yuminstallpuppet-server-y
…
Installed:
puppet-server.noarch0:2.7.19-1.el5
DependencyInstalled:
augeas-libs.x86_640:0.10.0-3facter.x86_641:1.6.11-1.el5puppet.noarch0:2.7.19-1.el5
ruby.x86_640:1.8.5-24.el5ruby-augeas.x86_640:0.4.1-1ruby-libs.x86_640:1.8.5-24.el5
ruby-shadow.x86_640:1.4.1-7

#这一步为默认安装rubyruby-libsruby-rdoc等软件包

[root@service~]#/etc/init.d/puppetmasterstart

关闭iptables,关闭selinux

[root@service~]#/etc/init.d/iptablesstop
[root@service~]#sed-i'/SELINUX/s/enforcing/disabled/'/etc/selinux/config

2.2客户端安装

安装puppet

在client上安装puppet客户端：

Puppet需要Ruby的支持，如果要查看命令行帮助的话需要额外ruby-rdoc这个软件包：

[root@service~]#rpm-ivhpuppetlabs-release-5-5.noarch.rpm
[root@service~]#yuminstallpuppet–y
…
Installed:
puppet.noarch0:2.7.19-1.el5
DependencyInstalled:
augeas-libs.x86_640:0.10.0-3facter.x86_641:1.6.11-1.el5
ruby.x86_640:1.8.5-24.el5ruby-augeas.x86_640:0.4.1-1
ruby-libs.x86_640:1.8.5-24.el5ruby-shadow.x86_640:1.4.1-7
Complete!

安装完毕!

2.3证书申请

Puppet客户端与服务器端是通过SSL隧道通信的，客户端安装完成后，需要向服务器端申请证书：

审批证书

a：client申请证书:

puppetd --test --server server.puppet.com

有出现SSl session字样

[root@client~]#puppetd--test--serverserver.puppet.com
info:CreatinganewSSLkeyforclient.puppet.com
info:Cachingcertificateforca
info:CreatinganewSSLcertificaterequestforclient.puppet.com
info:CertificateRequestfingerprint(md5):74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE
Exiting;nocertificatefoundandwaitforcertisdisabled

b：server接受申请

[root@server~]#puppetca--list
"client.puppet.com"(74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE)

显示申请的client

批准证书

[root@server~]#puppetca-sclient.puppet.com
notice:Signedcertificaterequestforclient.puppet.com
notice:RemovingfilePuppet::SSL::CertificateRequestclient.puppet.comat'
/var/lib/puppet/ssl/ca/requests/client.puppet.com.pem'

puppetca –s　hostname批准当前证书

puppetca -s -a签署所有证书请求

c：client取回已经通过的审批证书

[root@client~]#puppetd--test--serverserver.puppet.com
info:Cachingcertificateforclient.puppet.com
info:Cachingcertificate_revocation_listforca
info:Cachingcatalogforclient.puppet.com
info:Applyingconfigurationversion'1346237401'
notice:Finishedcatalogrunin0.02seconds

完成

附：可能存在的错误

报错

[root@client-109 ~]# puppetd -server server.puppet.com -test
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

原因：服务端与客户端时间不同步！

2.)报错

[root@client ~]# puppetd --server server.puppet.com --test
err: Could not retrieve catalog from remote server: Server hostname 'server.puppet.com'
did not match server certificate; expected one of service.puppet.com,
DNS:puppet, DNS:puppet.puppet.com, DNS:service.puppet.com

原因：服务端hostname有误，检查server端的hostname！

3).报错

[root@client~]#puppetd--test--serverserver.puppet.com
err:Couldnotretrievecatalogfromremoteserver:certificateverifyfailed:
[selfsignedcertificateincertificatechainfor/CN=PuppetCA:server.puppet.com]
warning:Notusingcacheonfailedcatalog
err:Couldnotretrievecatalog;skippingrun
err:Couldnotsendreport:certificateverifyfailed:
[selfsignedcertificateincertificatechainfor/CN=PuppetCA:server.puppet.com]

原因：

如以上出现error字样则删除client上的ssl文件夹

err:Couldnotretrievecatalogfromremoteserver:certificateverifyfailed
warning:Notusingcacheonfailedcatalog
err:Couldnotretrievecatalog;skippingrun
rm-rf/var/lib/puppet/ssl/
再次循环申请证书puppetd--test--serverserver.puppet.com

2.4验证puppet配置

在服务端写个例子测试一下。这个例子作用很简单，用来在客户端的/tmp目录下新建一个test.txt文件，内容为：hello，test！

在服务端编写代码：【服务器端不需要新建这个文件】

vi/etc/puppet/manifests/site.pp
nodedefault{
file{
"/tmp/test.txt":content=>"helo,test!";
}
}

2.5客户端测试

在客户端执行puppetd，运行成功后会在/tmp看到新生成的test.txt：

[root@client~]#puppetd--test--serverserver.puppet.com
#显示如下
info:Cachingcatalogforclient.puppet.com
info:Applyingconfigurationversion'1346237596'
notice:/Stage[main]//Node[default]/File[/tmp/test.txt]/ensure:definedcontentas'
{md5}d7568aced6a958920309da96080e88e0'
notice:Finishedcatalogrunin0.03seconds

最后查看cat/tmp/test.txt

hello，test！

此致puppet服务器端和客户端安装完毕，接下来就是深入的配置了。

2.6客户端设置守护进程

方法一：启动puppet后台运行

[root@client tmp]# puppetd --server server.puppet.com--verbose --waitforcert 60

注释：--server master指明服务器节点地址

--waitforcert连接server检查的时间间隔,60分钟

--verbose输出冗余信息（可选选项）

方法二：得用crontab作定时同步

3.深入了解puppet

3.1环境架构图

3.2服务端配置目录树

|--fileserver.conf
|--manifests
||--nodes.pp
|`--site.pp
|--modules#定义模块
|`--users
||--file
||--manifests
|||--adduser.pp
|||--deluser.pp
|||--init.pp
|||--na.pp
||`--sa.pp
|`--templates
||--caojin_authorized_keys.erb
|`--jiaxin_authorized_keys.erb
|--puppet.conf#主配置配置文件

3.3用户管理模块

user mofules目录树

users
|--file
|--manifests
||--adduser.pp#添加用户类
||--deluser.pp#删除用户
||--init.pp
||--na.pp
|`--sa.pp
`--templates
|--caojin_authorized_keys.erb#用户key
`--jiaxin_authorized_keys.erb#用户key

adduser.pp 文件

classlinux::adduser{
defineadd_user($username=,$useruid=,$userhome=,$usershell='/bin/bash',$groups)
{
user
{$username:
uid=>$useruid,
shell=>$usershell,
groups=>$groups,
home=>"/home/$userhome",
}
file
{"/home/$userhome":
owner=>$useruid,
group=>$useruid,
mode=>700,
ensure=>directory;
}
file
{"/home/$userhome/.ssh":
owner=>$useruid,
group=>$useruid,
mode=>700,
ensure=>directory,
require=>File["/home/$userhome"];
}
file
{"/home/$userhome/.ssh/authorized_keys":
owner=>$useruid,
group=>$useruid,
mode=>600,
ensure=>present,
content=>template("users/${userhome}_authorized_keys.erb"),
require=>File["/home/$userhome/.ssh"];
}
}
}

deluser.pp

deluser.pp
classlinux::deluser
{
user
{
"caojin":
ensure=>absent,
}
}

sa.pp

import"adduser.pp"
classlinux::adduser::sainheritslinux::adduser
{
add_user
{
"jiaxin":
useruid=>2000,
username=>jiaxin,
userhome=>"jiaxin",
groups=>$operatingsystem?{
Ubuntu=>["admin"],
CentOS=>["wheel"],
RedHat=>["wheel"],
default=>["wheel"],
},
}
}

(责任编辑：IT)