Puppet基础篇4-安装、配置并使用Puppet

Puppet前期环境(网络、解析、yum源、NTP)在上一章节已经准备就绪,接下来我们就开始安装Puppet了,安装Puppet其实很简单,官方已经提供了yum源,只需要自己将所需要的安装包下载下来然后做成本地yum源即可使用。
注意:本实验完全采用自定义的certname名,如果不设置默认会使用系统变量hostname的值。

一、安装Puppetmaster

1、安装Puppet-server、puppet和facter

  1. [root@puppetmaster ~]# yum install puppet puppet-server facter -y #系统会自己安装一些ruby依赖包环境

2、配置puppet.conf
注意:这个里面配置了两个certname名称,其中[master]中配置的certname是为所有节点认证用的master名称,[agent]中配置的certname是他本身agent的名称,当然不配置默认是和master的名称是一样的。

  1. [root@puppetmaster ~]# cp /etc/puppet/puppet.conf{,.bak}   #备份
  2. [root@puppetmaster ~]# vim /etc/puppet/puppet.conf  #注释已经删除
  3. [main]
  4.     logdir = /var/log/puppet  #默认日志存放路径
  5.     rundir = /var/run/puppet  #pid存放路径
  6.     ssldir = $vardir/ssl #证书存放目录,默认$vardir为/var/lib/puppet
  7. [agent]
  8.     classfile = $vardir/classes.txt
  9.     localconfig = $vardir/localconfig
  10.     server = puppetmaster.kisspuppet.com #设置agent认证连接master端的服务器名称,注意这个名字必须能够被节点解析
  11.     certname = puppetmaster_cert.kisspuppet.com #设置agent端certname名称
  12. [master]
  13.     certname = puppetmaster.kisspuppet.com  puppetmaster.kisspuppet.com #设置puppetmaster认证服务器名

3、创建site.pp文件
site.pp文件是puppet读取所有模块pp文件的开始,在3.0版本以前必须设置,否则服务无法启动。

  1. [root@puppetmaster ~]# touch /etc/puppet/manifests/site.pp

4、启动puppetmaster服务

  1. [root@puppetmaster ~]# /etc/init.d/puppetmaster start
  2. Starting puppetmaster:       
  3.                           [  OK  ]
  4. [root@puppetmaster ~]# chkconfig puppetmaster on #设置开机启动

5、查看本地证书情况
puppetmaster第一次启动会自动生成证书自动注册自己

  1. [root@puppetmaster ~]# tree /var/lib/puppet/ssl/
  2. /var/lib/puppet/ssl/
  3. ├── ca
  4.    ├── ca_crl.pem
  5.    ├── ca_crt.pem
  6.    ├── ca_key.pem
  7.    ├── ca_pub.pem
  8.    ├── inventory.txt
  9.    ├── private
  10.       └── ca.pass
  11.    ├── requests
  12.    ├── serial
  13.    └── signed
  14.        └── puppetmaster.kisspuppet.com.pem  #已注册
  15. ├── certificate_requests
  16. ├── certs
  17.    ├── ca.pem
  18.    └── puppetmaster.kisspuppet.com.pem
  19. ├── crl.pem
  20. ├── private
  21. ├── private_keys
  22.    └── puppetmaster.kisspuppet.com.pem
  23. └── public_keys
  24.     └── puppetmaster.kisspuppet.com.pem
  26. 9 directories, 13 files
  27. [root@puppetmaster ~]# puppet cert --list --all  #带+标示已经注册成功
  28. + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

6、查看监听状态
puppetmaster服务开启后,默认监听TCP 8140端口

  1. [root@puppetmaster ~]# netstat -nlatp | grep 8140
  2. tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      1976/ruby           
  3. [root@puppetmaster ~]# lsof -i:8140
  4. COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
  5. puppetmas 1976 puppet    5u  IPv4  14331      0t0  TCP *:8140 (LISTEN)

二、安装Agent

以agent1为例

1、安装puppet和facter

  1. [root@agent1 ~]# yum install puppet facter #系统会自己安装一些ruby依赖包环境

2、配置puppet.conf

  1. [root@agent1 ~]# cp /etc/puppet/puppet.conf{,.bak}
  2. [root@agent1 ~]# vim /etc/puppet/puppet.conf
  3. [main]
  4.     logdir = /var/log/puppet
  5.     rundir = /var/run/puppet
  6.     ssldir = $vardir/ssl
  8. [agent]
  9.     classfile = $vardir/classes.txt
  10.     localconfig = $vardir/localconfig
  11.     server = puppetmaster.kisspuppet.com  #指向puppetmaster端
  12.     certname = agent1_cert.kisspuppet.com #设置自己的certname名

3、通过调试模式启动节点向Puppetmaster端发起认证

  1. [root@agent1 ~]# puppet agent --test
  2. info: Creating a new SSL key for agent1_cert.kisspuppet.com
  3. info: Caching certificate for ca
  4. info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
  5. info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
  6. Exiting; no certificate found and waitforcert is disabled

4、服务器端确定认证

  1. [root@puppetmaster ~]# puppet cert --list --all #查看认证情况
  2.   "agent1_cert.kisspuppet.com"  (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9) #未认证
  3. + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
  5. [root@puppetmaster ~]# puppet cert --sign agent1_cert.kisspuppet.com #注册agent1
  6. notice: Signed certificate request for agent1_cert.kisspuppet.com
  7. notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'
  9. [root@puppetmaster ~]# puppet cert --list --all #再次查看认证情况
  10. + "agent1_cert.kisspuppet.com"  (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
  11. + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
  13. [root@puppetmaster ~]# tree /var/lib/puppet/ssl/ #另外一种查看认证的方式
  14. /var/lib/puppet/ssl/
  15. ├── ca
  16.    ├── ca_crl.pem
  17.    ├── ca_crt.pem
  18.    ├── ca_key.pem
  19.    ├── ca_pub.pem
  20.    ├── inventory.txt
  21.    ├── private
  22.       └── ca.pass
  23.    ├── requests
  24.    ├── serial
  25.    └── signed
  26.        ├── agent1_cert.kisspuppet.com.pem  #已经注册成功
  27.        └── puppetmaster.kisspuppet.com.pem
  28. ├── certificate_requests
  29. ├── certs
  30.    ├── ca.pem
  31.    └── puppetmaster.kisspuppet.com.pem
  32. ├── crl.pem
  33. ├── private
  34. ├── private_keys
  35.    └── puppetmaster.kisspuppet.com.pem
  36. └── public_keys
  37.     └── puppetmaster.kisspuppet.com.pem
  39. 9 directories, 14 files

5、其它节点一起认证

  1. [root@puppetmaster ~]# puppet agent --test #puppetmaster自己申请agent认证
  2. info: Creating a new SSL key for puppetmaster_cert.kisspuppet.com
  3. info: Creating a new SSL certificate request for puppetmaster_cert.kisspuppet.com
  4. info: Certificate Request fingerprint (md5): 7D:AC:F7:97:04:2B:E4:C5:74:4A:16:05:DB:F6:6A:98
  5. Exiting; no certificate found and waitforcert is disabled
  7. [root@puppetmaster ~]# puppet cert --sign --all #注册所有请求的节点
  8. notice: Signed certificate request for puppetmaster_cert.kisspuppet.com
  9. notice: Removing file Puppet::SSL::CertificateRequest puppetmaster_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/puppetmaster_cert.kisspuppet.com.pem'
  10. notice: Signed certificate request for agent2_cert.kisspuppet.com
  11. notice: Removing file Puppet::SSL::CertificateRequest agent2_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent2_cert.kisspuppet.com.pem'
  12. notice: Signed certificate request for agent3_cert.kisspuppet.com
  13. notice: Removing file Puppet::SSL::CertificateRequest agent3_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent3_cert.kisspuppet.com.pem'
  15. [root@puppetmaster ~]# puppet cert --list --all #查看所有节点认证
  16. + "agent1_cert.kisspuppet.com"       (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
  17. + "agent2_cert.kisspuppet.com"       (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
  18. + "agent3_cert.kisspuppet.com"       (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
  19. + "puppetmaster.kisspuppet.com"      (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
  20. + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

三、编写简单的motd模块

1、创建模块目录结构
注意:再未指定modulepath搜索路径的情况下,会有默认搜索路径的,可通过以下方式查看到

  1. [root@puppetmaster ~]# puppet master --genconfig >/etc/puppet/puppet.conf.out
  2. [root@puppetmaster ~]# cat /etc/puppet/puppet.conf.out | grep modulepath
  3.     modulepath = /etc/puppet/modules:/usr/share/puppet/modules
  5. [root@puppetmaster modules]# tree /etc/puppet/modules/
  6. /etc/puppet/modules/
  7. └── motd
  8.     ├── files  #存放文件目录
  9.        └── etc
  10.            └── motd
  11.     ├── manifests  #存放模块pp配置文件目录
  12.        └── init.pp
  13.     └── templates #存放模板目录
  15. 5 directories, 2 files

2、编写pp文件

  1. [root@puppetmaster modules]# vim motd/manifests/init.pp 
  2. class motd{                 #定义一个类叫motd
  3.   package{ 'setup':    #定义package资源
  4.     ensure => present,  #要求setup这个包处于被安装状态
  5.   }
  6.   file{ '/etc/motd':  #定义file资源
  7.     ensure  => present,  #要求file文件处于存在状态
  8.     owner   => 'root', #要求file文件属主为root
  9.     group   => 'root', #要求file文件属组为root
  10.     mode    => '0644', #要求file文件权限为644
  11.     source  => "puppet://$puppetserver/modules/motd/etc/motd", #要求file文件从puppetmaster端服务器下载
  12.     require => Package['setup'], #要求文件被配置之前先执行package资源
  13.   }
  14. }
  16. [root@puppetmaster modules]# cat motd/files/etc/motd 
  17. --                       --
  18. --------puppet test---------
  19. --                       --

3、编写site.pp文件

  1. [root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp 
  3. $puppetserver = 'puppetmaster.kisspuppet.com' #设置全局变量
  4. node 'puppetmaster_cert.kisspuppet.com'{
  5.   include  motd
  6. }
  7. node 'agent1_cert.kisspuppet.com'{
  8.   include  motd
  9. }
  11. node 'agent2_cert.kisspuppet.com'{
  12.   include  motd
  13. }
  15. node 'agent3_cert.kisspuppet.com'{
  16.   include  motd
  17. }

四、测试motd模块

  1. [root@agent1 ~]# puppet agent --test  #测试节点agent1
  2. info: Caching catalog for agent1_cert.kisspuppet.com
  3. info: Applying configuration version '1394304542'
  4. notice: /Stage[main]/Motd/File[/etc/motd]/content: 
  5. --- /etc/motd    2000-01-13 07:18:52.000000000 +0800
  6. +++ /tmp/puppet-file20140309-4571-1vqc18j-0    2014-03-09 02:51:47.000000000 +0800
  7. @@ -0,0 +1,3 @@
  8. +--                       --
  9. +--------puppet test---------
  10. +--                       --
  12. info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
  13. info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
  14. notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
  15. notice: Finished catalog run in 0.40 seconds
  17. [root@agent1 ~]# cat /etc/motd 
  18. --                       --
  19. --------puppet test---------
  20. --                       --
  21. [root@agent1 ~]# 
  24. [root@puppetmaster ~]# puppet agent -t  #测试节点puppetmaster
  25. info: Caching catalog for puppetmaster_cert.kisspuppet.com
  26. info: Applying configuration version '1394305371'
  27. notice: /Stage[main]/Motd/File[/etc/motd]/content: 
  28. --- /etc/motd    2010-01-12 21:28:22.000000000 +0800
  29. +++ /tmp/puppet-file20140309-3102-1gadon0-0    2014-03-09 03:02:51.966998294 +0800
  30. @@ -0,0 +1,3 @@
  31. +--                       --
  32. +--------puppet test---------
  33. +--                       --
  35. info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
  36. info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
  37. notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
  38. info: Creating state file /var/lib/puppet/state/state.yaml
  39. notice: Finished catalog run in 0.52 seconds
  40. [root@puppetmaster ~]# cat /etc/motd 
  41. --                       --
  42. --------puppet test---------
  43. --                       --