#### Puppet Basics, Part 4: Installing, Configuring, and Using Puppet

The prerequisites for Puppet (networking, name resolution, yum repository, NTP) were prepared in the previous chapter, so we can now install Puppet. Installation is simple: an official yum repository is provided, so you only need to download the required packages and build a local yum repository from them.

**Note:** This lab uses custom certname values throughout. If certname is not set, it defaults to the value of the system hostname.

### I. Install the Puppetmaster

**1. Install puppet-server, puppet, and facter**

~~~
[root@puppetmaster ~]# yum install puppet puppet-server facter -y #the system installs the required ruby dependency packages itself
~~~

**2. Configure puppet.conf**

**Note:** Two certname values are configured in this file. The certname in [master] is the master name used to authenticate all nodes; the certname in [agent] is the name of the master's own agent. If the agent certname is not configured, it defaults to the same name as the master.

~~~
[root@puppetmaster ~]# cp /etc/puppet/puppet.conf{,.bak} #back up
[root@puppetmaster ~]# vim /etc/puppet/puppet.conf #comments have been removed
[main]
    logdir = /var/log/puppet   #default log directory
    rundir = /var/run/puppet   #pid file directory
    ssldir = $vardir/ssl       #certificate directory; $vardir defaults to /var/lib/puppet
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = puppetmaster.kisspuppet.com          #name of the master the agent authenticates against; nodes must be able to resolve this name
    certname = puppetmaster_cert.kisspuppet.com   #certname of the agent on this host
[master]
    certname = puppetmaster.kisspuppet.com        #name of the puppetmaster authentication server
~~~

**3. Create the site.pp file**

site.pp is the starting point from which Puppet reads all module .pp files. Before version 3.0 it had to exist, otherwise the service would not start.

~~~
[root@puppetmaster ~]# touch /etc/puppet/manifests/site.pp
~~~

**4. Start the puppetmaster service**

~~~
[root@puppetmaster ~]# /etc/init.d/puppetmaster start
Starting puppetmaster:                                     [  OK  ]
[root@puppetmaster ~]# chkconfig puppetmaster on #start at boot
~~~

**5. Check the local certificates**

On first start, the puppetmaster automatically generates a certificate and registers itself.

~~~
[root@puppetmaster ~]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       └── puppetmaster.kisspuppet.com.pem #registered
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.kisspuppet.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.kisspuppet.com.pem
└── public_keys
    └── puppetmaster.kisspuppet.com.pem

9 directories, 13 files
[root@puppetmaster ~]# puppet cert --list --all #a leading + indicates successful registration
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
~~~

**6. Check the listening state**

Once the puppetmaster service is started, it listens on TCP port 8140 by default.

~~~
[root@puppetmaster ~]# netstat -nlatp | grep 8140
tcp        0      0 0.0.0.0:8140        0.0.0.0:*        LISTEN      1976/ruby
[root@puppetmaster ~]# lsof -i:8140
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
puppetmas 1976 puppet    5u  IPv4  14331      0t0  TCP *:8140 (LISTEN)
~~~

### II. Install the Agent

agent1 is used as the example.

**1. Install puppet and facter**

~~~
[root@agent1 ~]# yum install puppet facter #the system installs the required ruby dependency packages itself
~~~

**2. Configure puppet.conf**

~~~
[root@agent1 ~]# cp /etc/puppet/puppet.conf{,.bak}
[root@agent1 ~]# vim /etc/puppet/puppet.conf
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = puppetmaster.kisspuppet.com    #points to the puppetmaster
    certname = agent1_cert.kisspuppet.com   #this node's own certname
~~~

**3. Start the node in debug mode to send a certificate request to the Puppetmaster**

~~~
[root@agent1 ~]# puppet agent --test
info: Creating a new SSL key for agent1_cert.kisspuppet.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
Exiting; no certificate found and waitforcert is disabled
~~~

**4. Approve the request on the server**

~~~
[root@puppetmaster ~]# puppet cert --list --all #check certificate status
  "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9) #not yet signed
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
[root@puppetmaster ~]# puppet cert --sign agent1_cert.kisspuppet.com #register agent1
notice: Signed certificate request for agent1_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'
[root@puppetmaster ~]# puppet cert --list --all #check certificate status again
+ "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
[root@puppetmaster ~]# tree /var/lib/puppet/ssl/ #another way to check certificate status
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent1_cert.kisspuppet.com.pem #registered successfully
│       └── puppetmaster.kisspuppet.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.kisspuppet.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.kisspuppet.com.pem
└── public_keys
    └── puppetmaster.kisspuppet.com.pem

9 directories, 14 files
~~~

**5. Authenticate the other nodes together**

~~~
[root@puppetmaster ~]# puppet agent --test #the puppetmaster requests a certificate for its own agent
info: Creating a new SSL key for puppetmaster_cert.kisspuppet.com
info: Creating a new SSL certificate request for puppetmaster_cert.kisspuppet.com
info: Certificate Request fingerprint (md5): 7D:AC:F7:97:04:2B:E4:C5:74:4A:16:05:DB:F6:6A:98
Exiting; no certificate found and waitforcert is disabled
[root@puppetmaster ~]# puppet cert --sign --all #register all requesting nodes
notice: Signed certificate request for puppetmaster_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest puppetmaster_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/puppetmaster_cert.kisspuppet.com.pem'
notice: Signed certificate request for agent2_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent2_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent2_cert.kisspuppet.com.pem'
notice: Signed certificate request for agent3_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent3_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent3_cert.kisspuppet.com.pem'
[root@puppetmaster ~]# puppet cert --list --all #check certificates for all nodes
+ "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
+ "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
+ "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)
~~~

### III. Write a Simple motd Module

**1. Create the module directory structure**

**Note:** When no modulepath is specified, a default search path is used. You can view it as follows.

~~~
[root@puppetmaster ~]# puppet master --genconfig >/etc/puppet/puppet.conf.out
[root@puppetmaster ~]# cat /etc/puppet/puppet.conf.out | grep modulepath
    modulepath = /etc/puppet/modules:/usr/share/puppet/modules
[root@puppetmaster modules]# tree /etc/puppet/modules/
/etc/puppet/modules/
└── motd
    ├── files #directory for files
    │   └── etc
    │       └── motd
    ├── manifests #directory for the module's .pp files
    │   └── init.pp
    └── templates #directory for templates

5 directories, 2 files
~~~

**2. Write the .pp file**

~~~
[root@puppetmaster modules]# vim motd/manifests/init.pp
class motd{                    #define a class named motd
  package{ 'setup':            #define a package resource
    ensure => present,         #require the setup package to be installed
  }
  file{ '/etc/motd':           #define a file resource
    ensure  => present,        #require the file to exist
    owner   => 'root',         #require the file owner to be root
    group   => 'root',         #require the file group to be root
    mode    => '0644',         #require the file mode to be 644
    source  => "puppet://$puppetserver/modules/motd/etc/motd", #require the file to be downloaded from the puppetmaster
    require => Package['setup'], #apply the package resource before this file is configured
  }
}
[root@puppetmaster modules]# cat motd/files/etc/motd
-- --
--------puppet test---------
-- --
~~~

**3. Write the site.pp file**

~~~
[root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp
$puppetserver = 'puppetmaster.kisspuppet.com' #set a global variable
node 'puppetmaster_cert.kisspuppet.com'{
  include motd
}
node 'agent1_cert.kisspuppet.com'{
  include motd
}
node 'agent2_cert.kisspuppet.com'{
  include motd
}
node 'agent3_cert.kisspuppet.com'{
  include motd
}
~~~

### IV. Test the motd Module

~~~
[root@agent1 ~]# puppet agent --test #test node agent1
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394304542'
notice: /Stage[main]/Motd/File[/etc/motd]/content:
--- /etc/motd 2000-01-13 07:18:52.000000000 +0800
+++ /tmp/puppet-file20140309-4571-1vqc18j-0 2014-03-09 02:51:47.000000000 +0800
@@ -0,0 +1,3 @@
+-- --
+--------puppet test---------
+-- --
info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
notice: Finished catalog run in 0.40 seconds
[root@agent1 ~]# cat /etc/motd
-- --
--------puppet test---------
-- --
[root@agent1 ~]#
[root@puppetmaster ~]# puppet agent -t #test node puppetmaster
info: Caching catalog for puppetmaster_cert.kisspuppet.com
info: Applying configuration version '1394305371'
notice: /Stage[main]/Motd/File[/etc/motd]/content:
--- /etc/motd 2010-01-12 21:28:22.000000000 +0800
+++ /tmp/puppet-file20140309-3102-1gadon0-0 2014-03-09 03:02:51.966998294 +0800
@@ -0,0 +1,3 @@
+-- --
+--------puppet test---------
+-- --
info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.52 seconds
[root@puppetmaster ~]# cat /etc/motd
-- --
--------puppet test---------
-- --
~~~
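
The agent certificate steps in this tutorial (`puppet agent --test` on the node, then `puppet cert --sign` on the master) print the request fingerprint on both sides, while `puppet cert --sign --all` signs every pending request without comparing them. The following added example, which is not part of the original tutorial, parses the `puppet cert --list --all` format shown on this page and marks a request for signing only when its fingerprint matches the one recorded on the agent. The allowlist file format, the function names, and the `agent9` and `unlisted` entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): gate CSR signing on fingerprints.

# Constructed sample in the `puppet cert --list --all` format shown on this page.
# The agent1 and puppetmaster lines are from the page; the other two are made up.
sample_cert_list() {
cat <<'EOF'
  "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)
  "agent9_cert.kisspuppet.com" (AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99)
  "unlisted.kisspuppet.com" (01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet")
EOF
}

# Constructed allowlist, "certname fingerprint" per line, as an operator would
# record it from each agent (the "Certificate Request fingerprint" log line).
sample_expected() {
cat <<'EOF'
agent1_cert.kisspuppet.com 69:d2:86:e4:7f:00:e0:55:61:19:02:34:9e:9b:af:f9
agent9_cert.kisspuppet.com 10:20:30:40:50:60:70:80:90:a0:b0:c0:d0:e0:f0:00
EOF
}

# classify_requests ALLOWLIST_FILE  (cert list on stdin)
# Prints "SIGN name" only when a pending request matches its recorded fingerprint.
classify_requests() {
  awk -v allow="$1" '
    BEGIN { while ((getline line < allow) > 0) { split(line, f, " "); want[f[1]] = toupper(f[2]) } }
    /^[ \t]*\+/ { next }                      # "+" lines are already signed
    match($0, /"[^"]+"/) {
      name = substr($0, RSTART + 1, RLENGTH - 2)
      if (!match($0, /\([0-9A-Fa-f:]+\)/)) next
      fp = toupper(substr($0, RSTART + 1, RLENGTH - 2))
      if (!(name in want))       print "HOLD", name, "unknown-node"
      else if (want[name] == fp) print "SIGN", name
      else                       print "HOLD", name, "fingerprint-mismatch"
    }'
}

# Run the classifier over the constructed samples.
check_sample() {
  tmp=$(mktemp) || return 1
  sample_expected > "$tmp"
  sample_cert_list | classify_requests "$tmp"
  rm -f "$tmp"
}
check_sample
```

On a real master, pipe the output of `puppet cert --list --all` into `classify_requests` and run `puppet cert --sign <certname>` only for the names reported as `SIGN`.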