二、Puppet介绍
Puppet是IT自动化的行业标准。 以一种简单而强大的方式管理和自动化更多的基础架构和复杂的工作流。
三、Puppet安装
安装准备
master 和 node 两端（以下准备步骤在两台机器上都要执行；主机名、/etc/hosts 条目和后面 puppet.conf 里的 certname 要按各自角色一致设置，节点上应为 node 而不是 master）
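#!/usr/bin/env bash
# Host preparation for the Puppet lab (CentOS 7). Run on BOTH machines.
#
# Usage:  prepare.sh <master|node>
# Env:    MASTER_IP, NODE_IP  - override the lab addresses (defaults below)
#
# The original page hard-codes `hostnamectl set-hostname master` in a block
# that is meant for both hosts; executed verbatim on the second machine it
# would call that machine "master" too, and the /etc/hosts entry
# (192.168.200.12 node) and the agent's `certname = node` would no longer
# describe the same host. The role is therefore a parameter here.
set -euo pipefail

role=${1:?usage: $0 <master|node>}
case "$role" in
  master|node) ;;
  *) printf 'role must be "master" or "node", got: %s\n' "$role" >&2; exit 2 ;;
esac
master_ip=${MASTER_IP:-192.168.200.11}
node_ip=${NODE_IP:-192.168.200.12}

# 1. Hostname. The puppet.conf written later sets certname = <role> and the
#    agent reaches the master under the name "master", so hostname,
#    /etc/hosts and certname must all agree.
hostnamectl set-hostname "$role"

# 2. Name resolution. Each entry is appended only when that exact line is
#    missing, so re-running the script does not duplicate it.
grep -qxF "$master_ip master" /etc/hosts || printf '%s master\n' "$master_ip" >> /etc/hosts
grep -qxF "$node_ip node" /etc/hosts   || printf '%s node\n' "$node_ip"   >> /etc/hosts

# 3. Firewall. The page stops and disables firewalld on both hosts. Nothing
#    on the page needs that: the master listens on TCP 8140 only (see the
#    netstat/lsof output in the master section) and the node listens on
#    nothing. Keep firewalld and open 8140 on the master alone.
if [[ "$role" == master ]] && systemctl is-active --quiet firewalld; then
  firewall-cmd --permanent --add-port=8140/tcp
  firewall-cmd --reload
fi

# 4. SELinux. The page switches it off permanently. Kept here so the rest of
#    the page behaves as shown, but treat it as a lab-only shortcut: nothing
#    on the page demonstrates that Puppet needs it, and an enforcing policy
#    is useful confinement for a network-facing ruby process. Prefer leaving
#    it enforcing and reading /var/log/audit/audit.log if a run really fails.
#    Fixes vs. the page: the sed is anchored with ^ (the unanchored
#    `s/SELINUX=.*/.../g` also rewrote the explanatory comment line that
#    starts "# SELINUX= can take ..."), and setenforce is skipped when
#    SELinux is already disabled, where it exits non-zero and would abort
#    the script under set -e.
if [[ "$(getenforce)" != Disabled ]]; then
  setenforce 0
fi
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

# 5. Clock. Certificate validity and the TLS handshake between agent and
#    master depend on both hosts agreeing on the time. A one-shot ntpdate is
#    enough to get the lab going; a long-lived setup should run chronyd/ntpd
#    continuously instead.
yum install -y ntpdate
ntpdate ntp1.aliyun.com

# 6. Package mirror. -f makes curl fail on an HTTP error instead of saving
#    the error page as CentOS-Base.repo (the page's plain `curl -o` did not).
#    The two sed expressions drop the cloud-internal mirror hosts, which are
#    presumably unreachable from outside Alibaba Cloud.
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo

# 7. Refresh metadata and update. -y keeps the update non-interactive, like
#    the other yum calls on the page (the page's bare `yum update` prompts).
yum clean all
yum makecache
yum update -y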
安装master端
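#!/usr/bin/env bash
# Puppet master installation (CentOS 7, puppet-server packages). Run on the
# master after the preparation script.
set -euo pipefail

tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT

# 1. Repository definition. The page runs `rpm -ivh https://...` in one
#    step, which installs whatever the mirror happens to serve. Download
#    first and run `rpm -K` so the package signature is checked against the
#    RPM GPG keys imported on this host: a "NOT OK" / "MISSING KEYS" result
#    means Puppet's signing key is not present yet - obtain it from the
#    vendor, `rpm --import` it and re-run, rather than installing an
#    unverified repo file that every later `yum install puppet*` trusts.
#    Under set -e a failed check aborts here.
release_rpm="$tmpdir/puppetlabs-release-el-7.noarch.rpm"
curl -fsSL -o "$release_rpm" https://mirrors.aliyun.com/puppet/yum/puppetlabs-release-el-7.noarch.rpm
rpm -K "$release_rpm"
rpm -ivh "$release_rpm"

# 2. Packages: puppet (agent + CLI), puppet-server (the master), facter.
yum install -y puppet puppet-server facter

# 3. Configuration. cp -n keeps the first backup if the script is re-run;
#    the heredoc replaces the page's interactive `vim puppet.conf`.
conf=/etc/puppet/puppet.conf
cp -n "$conf" "$conf.bak"
cat > "$conf" <<'EOF'
[main]
    # The Puppet log directory.  Default: $vardir/log
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.  Default: $vardir/run
    rundir = /var/run/puppet

    # Where SSL certificates are kept.  Default: $confdir/ssl
    # $vardir is /var/lib/puppet, so the CA lives in /var/lib/puppet/ssl/ca.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes associated with
    # the retrieved configuration. Can be loaded in the separate ``puppet``
    # executable using the ``--loadclasses`` option.
    # Default: $confdir/classes.txt
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An extension indicating
    # the cache format is added automatically.  Default: $confdir/localconfig
    localconfig = $vardir/localconfig

    server = master
    # The page has `certname = node` here, apparently copied from the node's
    # puppet.conf. The master's own agent must identify as "master": as
    # "node" it would generate a second "node" key pair on this host and
    # request a certificate under the real node's name (the ssl/ tree shown
    # later on the page does contain private_keys/node.pem on the master,
    # which fits that mistake).
    certname = master

[master]
    certname = master
EOF

# 4. Start the master. On its first start it creates the CA under
#    $ssldir/ca and issues its own certificate "master" (listed with a "+"
#    by `puppet cert --list --all`).
systemctl start puppetmaster
systemctl enable puppetmaster
systemctl status puppetmaster

# 5. Inspect the CA. ca/ca_key.pem - together with ca/private/ca.pass,
#    which appears to hold the passphrase for it - is the root of trust for
#    the whole fleet: whoever can read them can mint a certificate for any
#    node name or impersonate the master. Keep /var/lib/puppet/ssl owned by
#    puppet with no group/other access, back the CA key up only encrypted,
#    and never copy this tree onto an agent.
if command -v tree >/dev/null; then
  tree /var/lib/puppet/ssl/
else
  find /var/lib/puppet/ssl | sort
fi
stat -c '%U:%G %a %n' /var/lib/puppet/ssl/ca/ca_key.pem /var/lib/puppet/ssl/ca/private/ca.pass
# Page output after the first start (9 directories, 13 files):
#   ca/{ca_crl.pem,ca_crt.pem,ca_key.pem,ca_pub.pem,inventory.txt,serial}
#   ca/private/ca.pass   ca/requests/ (empty)   ca/signed/master.pem
#   certificate_requests/ (empty)   certs/{ca.pem,master.pem}   crl.pem
#   private/ (empty)   private_keys/master.pem   public_keys/master.pem

# 6. Listener. puppetmaster binds TCP 8140 on every interface (0.0.0.0) as
#    the puppet user. Page output:
#   tcp  0  0 0.0.0.0:8140  0.0.0.0:*  LISTEN  1396/ruby
#   puppet 1396 puppet 8u IPv4 24447 0t0 TCP *:8140 (LISTEN)
#    With firewalld left running this is the only port exposed; restrict it
#    to the agents' network where possible. grep exits non-zero when nothing
#    listens, so under set -e a master that failed to start fails the script
#    instead of being reported as installed. (`ss -ltnp` is the equivalent
#    if net-tools/netstat is not installed.)
netstat -nlatp | grep 8140
lsof -i:8140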
安装node端
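#!/usr/bin/env bash
# Puppet agent installation on the node (CentOS 7). The preparation steps
# are the same as on the master - run the preparation script with role
# "node" first.
set -euo pipefail

tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT

# 1. Repository definition - same signature check as on the master: `rpm -K`
#    aborts the script (set -e) if the package does not verify against the
#    imported Puppet GPG key, instead of installing an unverified repo file.
release_rpm="$tmpdir/puppetlabs-release-el-7.noarch.rpm"
curl -fsSL -o "$release_rpm" https://mirrors.aliyun.com/puppet/yum/puppetlabs-release-el-7.noarch.rpm
rpm -K "$release_rpm"
rpm -ivh "$release_rpm"

# 2. Packages. The page runs `yum install puppet facter` without -y, so it
#    stops at a prompt; made non-interactive like the master install.
yum install -y puppet facter

# 3. Configuration. Same [main]/[agent] settings as on the master, no
#    [master] section. cp -n keeps the first backup on re-runs.
conf=/etc/puppet/puppet.conf
cp -n "$conf" "$conf.bak"
cat > "$conf" <<'EOF'
[main]
    # Log directory.  Default: $vardir/log
    logdir = /var/log/puppet

    # PID file directory.  Default: $vardir/run
    rundir = /var/run/puppet

    # Certificate store.  Default: $confdir/ssl
    # $vardir is /var/lib/puppet, so this is /var/lib/puppet/ssl.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes associated with
    # the retrieved configuration. Can be loaded in the separate ``puppet``
    # executable using the ``--loadclasses`` option.
    # Default: $confdir/classes.txt
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An extension indicating
    # the cache format is added automatically.  Default: $confdir/localconfig
    localconfig = $vardir/localconfig

    # The puppetmaster host; must resolve via the /etc/hosts entry added in
    # the preparation step.
    server = master

    # This agent's identity. It is the name that appears in the master's
    # `puppet cert --list` output and that the master signs; it must match
    # the hostname set in the preparation step.
    certname = node
EOF

# 4. Enable the agent. The service starts contacting the master right away;
#    its first contact submits a certificate request, which the master has
#    to sign (next section) before the node receives any catalog.
systemctl start puppet
systemctl enable puppet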
Node端向Master端发起认证
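#!/usr/bin/env bash
# Enrol the node with the master's CA. The sections below run on different
# hosts, so this is a walkthrough rather than a single script.
#
# Signing a CSR is the trust decision of this whole setup: the issued
# certificate lets its holder fetch every catalog - and any secret in it -
# that the master compiles for "node". Verify the request out of band
# (fingerprint printed on the node == fingerprint listed on the master)
# before signing, and do not enable autosign outside a disposable lab.

##### on the node #####
# One foreground run: generates the node key pair, submits the CSR to the
# master (server = master in puppet.conf) and reports the outcome.
# NOTE(review): the page shows a complete catalog run ("Caching catalog for
# node ... Finished catalog run in 0.01 seconds") for this first invocation,
# yet the very next listing on the master still shows the CSR unsigned; that
# output presumably came from a later run. Expect the first, unsigned run to
# stop after submitting the request.
puppet agent --test
# Print this host's certificate-request fingerprint for the comparison
# below. The master lists SHA256 fingerprints; if the algorithm shown here
# differs, pass --digest SHA256 so the two values are comparable.
puppet agent --fingerprint

##### on the master #####
# Pending requests have no leading "+"; signed certificates do. Page output:
#     "node"   (SHA256) 6F:FC:CF:DB:1F:F1:B4:91:C7:8B:48:DE:64:A1:8D:D9:24:27:4B:B9:A9:72:5C:0E:6D:3F:A3:0B:B7:37:87:AE   <- unsigned request
#   + "master" (SHA256) 87:C4:5B:16:2A:13:E1:D0:B0:58:63:2F:F1:87:98:6D:B6:A4:5D:9B:65:92:D8:72:38:45:FF:2A:18:FD:BA:41   <- signed on first start
puppet cert --list --all

# Sign ONLY if the "node" fingerprint above matches what `puppet agent
# --fingerprint` printed on the node. A mismatch, or a request for a name
# you did not expect, means some other machine is asking to become "node":
# remove it (`puppet cert --clean node`) and investigate. On success the
# request file is deleted from ca/requests/:
#   Notice: Signed certificate request for node
#   Notice: Removing file Puppet::SSL::CertificateRequest node at '/var/lib/puppet/ssl/ca/requests/node.pem'
puppet cert --sign node

# Both entries now carry "+". The node's value changed (35:B1:... instead of
# 6F:FC:... above), presumably because the listing now shows the issued
# certificate rather than the request:
#   + "master" (SHA256) 87:C4:5B:16:2A:13:E1:D0:B0:58:63:2F:F1:87:98:6D:B6:A4:5D:9B:65:92:D8:72:38:45:FF:2A:18:FD:BA:41
#   + "node"   (SHA256) 35:B1:01:AA:28:DF:76:AA:B2:67:BE:D4:5C:C1:90:3C:C2:68:44:9A:BA:F3:DD:96:2B:37:6E:9E:85:11:E3:E1
puppet cert --list --all

# The ssl/ tree is another way to see the state: node.pem now exists under
# ca/signed and certs (page: 9 directories, 18 files).
# NOTE(review): the page's tree also shows private_keys/node.pem and
# public_keys/node.pem on the MASTER. A CA that merely signed a request has
# no reason to hold the node's private key; this fits the master's
# puppet.conf on the page carrying `certname = node` in its [agent] section.
# A private key for "node" present on two hosts means the identity is
# shared - check which machine generated it and correct the master's
# [agent] certname to "master".
tree /var/lib/puppet/ssl/

##### back on the node #####
# The enabled puppet service fetches the signed certificate on its next
# poll; run once more in the foreground to complete enrolment immediately.
puppet agent --test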