Caution: keeping accurate system time on both the master and the agent is very important. SSL connections depend on the hosts having the correct time. If the time is wrong, the connection may fail with an error saying the certificate is not trusted. Use a service such as NTP (Network Time Protocol) to keep the time on your hosts accurate.
1. The certificate service requires consistent time, otherwise errors occur!
Create the file /puppet/shij.sh with the following content:
#!/bin/bash
rdate -s rdate.darkorb.net
Make shij.sh executable, then add a cron job with crontab -e:
* * * * * /root/shij.sh
Note: if you get an error that the rdate command does not exist, run yum install rdate.
2. Change the hostname
vi /etc/sysconfig/network
HOSTNAME=ptmaster.idccenter.net
Edit /etc/sysconfig/network and set the hostname there with HOSTNAME=
Then run
hostname <new-hostname>
At this point you can log out and log back in for the change to take effect.
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm  # EPEL repository; the default repositories do not contain puppetmaster
iptables -I INPUT 1 -p tcp -m state --state NEW --dport 8140 -j ACCEPT  # puppetmaster service port
iptables-save > /etc/sysconfig/iptables
yum install ruby ruby-libs ruby-shadow -y
yum install puppet puppet-server facter -y
Add the certname and the module path to /etc/puppet/puppet.conf
vi /etc/puppet/puppet.conf
[main]
certname = ptmaster.idccenter.net
modulepath = /etc/puppet/modules/
vi /etc/puppet/fileserver.conf
[files]
path /vm/templates  # directory holding the files distributed to clients
allow *  # which clients may access this mount: an IP address, a domain name, or * for every host (any agent holding a signed certificate); narrow it to your agents' domain where possible
Create the puppetmaster resource configuration file (the site manifest)
vi /etc/puppet/manifests/site.pp
node default {
include vps
}
Create the vps module
mkdir -p /etc/puppet/modules/vps/{files,manifests,templates}
vi /etc/puppet/modules/vps/manifests/init.pp
class vps {
  include vps::centos
}
vi /etc/puppet/modules/vps/manifests/centos.pp
class vps::centos {
  # Defaults applied to every file resource in this class
  File {
    owner => "root",
    group => "root",
    mode  => 0644,
  }
  file { "/template/":
    source => "puppet://${fileserver}/files/",
  }
  file { "/template/centos5.5":
    source => "puppet://${fileserver}/files/centos5.5",
  }
  file { "/template/centos5.5/disk.img":
    source => "puppet://${fileserver}/files/centos5.5/disk.img",
  }
  file { "/template/centos5.5/os.img":
    source => "puppet://${fileserver}/files/centos5.5/os.img",
  }
}
Client installation
1. The certificate service requires consistent time, otherwise errors occur!
Create the file /puppet/shij.sh with the following content:
#!/bin/bash
rdate -s rdate.darkorb.net
Make shij.sh executable, then add a cron job with crontab -e:
* * * * * /root/shij.sh
Note: if you get an error that the rdate command does not exist, run yum install rdate.
2. Change the hostname
vi /etc/sysconfig/network
HOSTNAME=node.idccenter.net
3. Add the server's name resolution to /etc/hosts
101.226.179.232 ptmaster.idccenter.net ptmaster
Edit /etc/sysconfig/network and set the hostname there with HOSTNAME=
Then run
hostname <new-hostname>
At this point you can log out and log back in for the change to take effect.
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm  # EPEL repository; the default repositories do not contain puppetmaster
yum install ruby ruby-libs ruby-shadow -y
yum install puppet facter -y
Add the address of the server the client connects to and the interval at which it automatically fetches its resources
vi /etc/puppet/puppet.conf
[main]
server=ptmaster.idccenter.net  # the master's domain name; see the note below
[agent]
runinterval=3600  # in seconds
Note on the server line: by default the agent connects to a server named puppet when it fetches its resource configuration, so for automatic runs the server's domain name has to be specified. If you would rather not add this line, add an alias line in /etc/hosts mapping the server's address to the name puppet; since the client connects to the host named puppet by default, aliasing the server to puppet in hosts works as well.
Request a certificate from the ptmaster.idccenter.net server so that resource configuration can be fetched from now on.
[root@node ~]# puppet agent --server=ptmaster.idccenter.net --no-daemonize --verbose
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for node.idccenter.net
info: Certificate Request fingerprint (md5): DD:1C:AD:56:01:73:77:83:F3:9E:EE:A0:61:C5:4A:37
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for node.idccenter.net
notice: Starting Puppet client version 2.6.17
info: Caching certificate_revocation_list for ca
info: Caching catalog for node.idccenter.net
info: Applying configuration version '1352262069'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.02 seconds
On the server, list the clients that have requested certificates and sign the client's certificate
[root@ptmaster templates]# puppet cert --list
"node.idccenter.net" (DD:1C:AD:56:01:73:77:83:F3:9E:EE:A0:61:C5:4A:37)
[root@ptmaster templates]# puppet cert --sign node.idccenter.net
notice: Signed certificate request for node.idccenter.net
notice: Removing file Puppet::SSL::CertificateRequest node.idccenter.net at '/var/lib/puppet/ssl/ca/requests/node.idccenter.net.pem'
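The fingerprint the agent prints for its CSR and the one the master shows in puppet cert --list should agree before you sign; the script below, an added example that is not part of the original post, compares the two from constructed copies of the log lines shown above (the second entry in the master list is a made-up pending request from another host).

```shell
#!/bin/bash
# Added example (not from the original post): check that the CSR fingerprint
# printed by the agent matches the one the master lists before signing it.
# The two inputs below are constructed from the log lines shown in this post.

# Constructed sample: relevant lines from the agent's bootstrap run.
AGENT_LOG='info: Creating a new SSL certificate request for node.idccenter.net
info: Certificate Request fingerprint (md5): DD:1C:AD:56:01:73:77:83:F3:9E:EE:A0:61:C5:4A:37'

# Constructed sample: output of `puppet cert --list` on the master (second
# entry is a made-up pending request from another host).
MASTER_LIST='"node.idccenter.net" (DD:1C:AD:56:01:73:77:83:F3:9E:EE:A0:61:C5:4A:37)
"other.idccenter.net" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'

# Print the CSR fingerprint found in agent log text ($1), or nothing.
agent_csr_fingerprint() {
  printf '%s\n' "$1" \
    | sed -n 's/.*fingerprint ([a-z0-9]*): *\([0-9A-Fa-f:]*\).*/\1/p' | head -n 1
}

# Print the fingerprint the master lists for certname $1 in list text $2.
master_listed_fingerprint() {
  printf '%s\n' "$2" \
    | sed -n "s/^\"$1\" (\([0-9A-Fa-f:]*\)).*/\1/p" | head -n 1
}

# Succeed only when both sides report the same non-empty fingerprint.
fingerprints_match() {
  local agent_fp master_fp
  agent_fp=$(agent_csr_fingerprint "$2")
  master_fp=$(master_listed_fingerprint "$1" "$3")
  if [ -n "$agent_fp" ] && [ "$agent_fp" = "$master_fp" ]; then
    return 0
  fi
  return 1
}

# Usage: decide whether `puppet cert --sign node.idccenter.net` is safe to run.
if fingerprints_match node.idccenter.net "$AGENT_LOG" "$MASTER_LIST"; then
  echo "fingerprints match: ok to run 'puppet cert --sign node.idccenter.net'"
else
  echo "fingerprint mismatch or no pending request: do not sign" >&2
fi
```

On a real master, feed the output of the agent run and of puppet cert --list into the two functions instead of the embedded samples.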
over
This article was reposted from freeterman's 51CTO blog; original link: http://blog.51cto.com/myunix/1094771. To repost it, please contact the original author.