Puppet Server 7: installation following the official guide (CentOS)
We need Puppet for centralized management and automated deployment, so today I'm walking through the whole Puppet workflow using the steps the official docs give, trying to explain in plain language why each step is done.
First, a summary of the whole procedure, in order:
Concepts:
[We need at least two machines for the deployment and test environment: a server, the master (the management host that defines and distributes the configuration for every managed service), and a client, the agent (which applies what the master defines).]
In other words: the master is the one handing out work; the agent is the one asking "which jobs am I supposed to do, and is there anything new for me?" and then doing them.
Here are the steps, in order:
1. Read the official docs (can be skipped)
2. Download the official release rpm and add it to the package repositories (required: step 3 depends on it)
3. Install puppetserver on the first host and puppet-agent on the second
4. Add hostname entries to /etc/hosts on both hosts (Puppet connects by hostname, and the names have to match the certificates)
5. Configure puppet.conf on the puppetserver host and start the puppetserver service (check that port 8140 is listening)
6. Configure puppet.conf on the agent (pointing it at the puppetserver)
7. Request and sign the agent's certificate (CA enrollment)
1. If this post no longer matches the current installation method, read the official docs!
{
Official site: [https://puppet.com/](https://puppet.com/)
From the site, use the Search button at the top:
[Search button →
type Download →
find the download page →
open the download page (only the page itself matters, ignore the rest) →
find "set up the server", or pick the Linux link under "Installing Puppet Agents"],
if you're lost, go straight to this link:
[https://puppet.com/docs/puppet/7/system_requirements.html](https://puppet.com/docs/puppet/7/system_requirements.html)
}
On that page, in the left-hand table of contents, click Set up Puppet and then Install Puppet.
2. Download the official release rpm (the official repository has to be set up before Puppet can be installed)
This brings you to the Puppet install page:
Scroll down.
Find the heading "Enable the Puppet platform repository".
It gives two ways of getting the packages, yum and apt; pick the one that matches your operating system.
Mine is CentOS 7, so yum: I go to yum.puppet.com and pick the release rpm for el7.
You can download that file locally and install it with rpm,
or run rpm -Uvh directly against the download URL.
puppet-release-el-7.noarch.rpm 2020-11-19 11:17:19 9.7KiB
Here I just follow the official instructions:
sudo rpm -Uvh http://yum.puppet.com/puppet-release-el-7.noarch.rpm
[root@puppet-agents1 ~]# rpm -Uvh http://yum.puppet.com/puppet-release-el-7.noarch.rpm
Retrieving http://yum.puppet.com/puppet-release-el-7.noarch.rpm
warning: /var/tmp/rpm-tmp.IutEzn: Header V4 RSA/SHA256 Signature, key ID ef8d349f: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:puppet-release-1.0.0-14.el7 ################################# [100%]
[root@puppet-agents1 ~]#
OK, the official repository is now registered with yum. Two things are worth checking before going further. The NOKEY warning above means rpm could not verify the signature of the release package, because the Puppet GPG key had not been imported yet: fetch the file over https instead (https://yum.puppet.com serves the same file) and compare the key the package drops into /etc/pki/rpm-gpg/ with the fingerprint Puppet publishes in its docs before trusting the repository. From then on the repo file it installs under /etc/yum.repos.d/ has gpgcheck=1, so every puppetserver and puppet-agent package is signature-checked (grep gpgcheck /etc/yum.repos.d/puppet*.repo to confirm). If you want to pin the major version, puppet7-release-el-7.noarch.rpm does that instead of the generic puppet-release package. Next we add EPEL (the community package repository, for supporting tools; puppetserver itself does not need it):
[root@puppet-agents1 ~]# yum install epel-release -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.sjtu.edu.cn
* extras: ftp.sjtu.edu.cn
* updates: mirrors.bupt.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================================================================================================================================================================================
Package Arch Version Repository Size
==========================================================================================================================================================================================================================================================================================
Installing:
epel-release noarch 7-11 extras 15 k
Transaction Summary
==========================================================================================================================================================================================================================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
[root@puppet-agents1 ~]#
Then refresh: yum update -y
The scroll of update output is omitted here.
…
Note that yum update -y upgrades every package on the box, which is not needed just to add a repository; on a production host, yum makecache alone refreshes the metadata.
Then yum makecache
omitted…
3. Install puppetserver and puppet-agent from the official repository
On the first host (the server) run yum install puppetserver -y
[root@puppet-master ~]# yum install puppetserver -y
---
On the second host (the agent) run yum install puppet-agent -y (this one package is all it needs; the puppetserver package already pulls puppet-agent in on the server)
[root@puppet-agents1 ~]# yum install puppet-agent -y
4. Add hosts entries on both hosts:
On the server (master) host:
[root@puppet-master ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.x.x puppet-master   # this host
192.168.x.x puppet-agents2  # the agent host
[root@puppet-master ~]#
On the agent host:
[root@puppet-agents2 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.x.x puppet-master   # the server host
192.168.x.x puppet-agents2  # this host
[root@puppet-agents2 ~]#
Once both files are in place, ping each host by hostname from the other; replies with a TTL mean name resolution and connectivity are fine.
5. Configure puppet.conf on the puppetserver host:
One pitfall to watch for: in puppet.conf on the puppetserver it is not enough to add a certname pointing at this host's name; a few directory settings are needed too (the values below are the Puppet 7 defaults), otherwise agents can still connect, but the server cannot list the certificates it has signed and complains that $ssldir is not set, or similar. First the layout of the config directory; note that Puppet Server 7 keeps the CA under /etc/puppetlabs/puppetserver/ca and symlinks ssl/ca to it:
[root@puppet-master ~]# tree /etc/puppetlabs/puppet/
/etc/puppetlabs/puppet/
├── devices
├── hiera.yaml
├── puppet.conf
└── ssl
    ├── ca -> /etc/puppetlabs/puppetserver/ca
    ├── certificate_requests
    ├── certs
    │   ├── ca.pem
    │   └── puppet-master.pem
    ├── crl.pem
    ├── private
    ├── private_keys
    │   └── puppet-master.pem
    └── public_keys
        └── puppet-master.pem
8 directories, 7 files
[root@puppet-master ~]# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[master]
# this host's name: the CN of the server certificate and the name agents connect to
certname = puppet-master
# the server name; if unset Puppet defaults to "puppet", so the agent on this box would later look for a host called "puppet" and complain that it cannot find it, instead of using puppet-master
server = puppet-master
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
# default SSL directory, as documented
ssldir = $confdir/ssl
# default certificate directory, as documented
certdir = $ssldir/certs
# default CA directory for Puppet Server 7, as documented
cadir = /etc/puppetlabs/puppetserver/ca
A note on the file above: Puppet 7 deprecates the [master] section name in favour of [server], and certname and server are normally put under [main] so that both the server and the agent running on the same box see them. Now start the puppetserver service (systemctl start puppetserver; run systemctl enable puppetserver as well if it should come back after a reboot, since the status below still says "disabled"), then check it:
[root@puppet-master ~]# systemctl start puppetserver
[root@puppet-master ~]# systemctl status puppetserver
● puppetserver.service - puppetserver Service
Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2022-08-28 12:20:16 CEST; 22h ago
Process: 26826 ExecStop=/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver stop (code=exited, status=0/SUCCESS)
Process: 26972 ExecStart=/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver start (code=exited, status=0/SUCCESS)
Main PID: 27005 (java)
Tasks: 78 (limit: 4915)
CGroup: /system.slice/puppetserver.service
└─27005 /usr/bin/java -Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -XX:OnOutOfMemoryError=kill -9 %p -XX:ErrorFile=/var/log/puppetlabs/puppetserver/puppetserver_err_pid%p.log -cp /opt/puppetlabs/server/apps/puppetserver/puppet-server...
Aug 28 12:20:00 puppet-master systemd[1]: Starting puppetserver Service...
Aug 28 12:20:04 puppet-master puppetserver[26972]: WARNING: abs already refers to: #'clojure.core/abs in namespace: medley.core, being replaced by: #'medley.core/abs
Aug 28 12:20:16 puppet-master systemd[1]: Started puppetserver Service.
[root@puppet-master ~]# netstat -anpt | grep 8140
tcp6 0 0 :::8140 :::* LISTEN 27005/java
Port 8140 is listening. Two more things to check on the server: if firewalld is running (the CentOS 7 default), agents cannot reach the port until you open it with firewall-cmd --permanent --add-port=8140/tcp && firewall-cmd --reload; and the JVM is started with -Xms2g -Xmx2g (see the CGroup line above), which comes from JAVA_ARGS in /etc/sysconfig/puppetserver, so on a small test VM lower it there or the JVM may fail to start.
6. Configure puppet.conf on the agent host:
[root@puppet-agents2 ~]# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
# must match the server's certname (or one of its dns_alt_names): it is the name the agent connects to and verifies in the server certificate
server = puppet-master
# this host's name; it becomes the CN of the certificate request
certname = puppet-agents2
# send a run report to the server after every run (already the default; this is not a port setting)
report = true
[root@puppet-agents2 ~]#
After configuring the agent, the official docs give two alternatives; do one of them. Either source the profile script the package installed:
source /etc/profile.d/puppet-agent.sh
or add the bin directory to PATH yourself:
export PATH=/opt/puppetlabs/bin:$PATH
Both only put the puppet binary on the current shell's PATH; new login shells pick up the profile.d script automatically.
7. The agent requests a certificate from the puppetserver CA:
Following the official steps, first run puppet ssl bootstrap on the agent.
(If it says there is no puppet command even though puppet.conf is already in place, the package is installed but the binary is not on PATH yet: log out and back in, or source /etc/profile.d/puppet-agent.sh as above. A reboot also works, but is not needed.)
[root@puppet-agents1 ~]# puppet ssl bootstrap
Info: Creating a new RSA SSL key for puppet-agents1
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet-agents1
Info: Certificate Request fingerprint (SHA256): A0:2C:41:*:21:89:D3:89:0C:C3:3D:*:22:C5:02:*:00:75:*:40:5C:13:7E:E1:24:*:8B:79:CF
Info: Certificate for puppet-agents1 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (puppet-agents1). -- for this step I built a fresh host, puppet-agents1, because puppet-agents2 had already been signed
Info: Will try again in 120 seconds.
Now go to the puppetserver and look at that agent's pending request. List it first with puppetserver ca list: it prints the request's SHA256 fingerprint, which must equal the one the agent printed above. Only sign once they match; signing on the name alone would let any host that can reach port 8140 enrol under a name of its choosing (for the same reason, leave autosign off in the server's puppet.conf):
[root@puppet-master ~]# puppetserver ca sign --certname puppet-agents1
Successfully signed certificate request for puppet-agents1
The puppetserver has now signed puppet-agents1.
The docs say to go back to the agent and run puppet ssl bootstrap again.
You don't actually have to: the bootstrap run started earlier keeps polling the CA every 120 seconds and downloads the certificate by itself once it has been signed, which is what the "Completed SSL initialization" line below is:
[root@puppet-agents1 ~]# puppet ssl bootstrap
Info: Creating a new RSA SSL key for puppet-agents1
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet-agents1
Info: Certificate Request fingerprint (SHA256): A0:2C:41:*:21:89:D3:89:0C:C3:3D:*:22:C5:02:E5:*:75:*:40:5C:*:7E:E1:24:*:*:79:CF
Info: Certificate for puppet-agents1 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (puppet-agents1).
Info: Will try again in 120 seconds.
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet-agents1
Info: Certificate Request fingerprint (SHA256): A0:2C:*:CE:D1:21:89:*:89:0C:C3:3D:48:22:*:02:E5:00:75:*:40:5C:13:7E:E1:24:*:8B:79:CF
Info: Certificate for puppet-agents1 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (puppet-agents1).
Info: Will try again in 120 seconds.
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet-agents1
Info: Certificate Request fingerprint (SHA256): A0:2C:41:CE:D1:21:*:D3:89:*:3D:48:22:*:02:E5:00:75:*:40:5C:13:*:24:2E:D1:*:79:CF
Info: Downloaded certificate for puppet-agents1 from https://puppet-master:8140/puppet-ca/v1
Notice: Completed SSL initialization
[root@puppet-agents1 ~]# puppet ssl bootstrap
Notice: Completed SSL initialization
That's it: the Puppet service is set up and the agent has its signed certificate. To test the master telling the agent to do something, create a site.pp under manifests in the production environment on the puppetserver and have it create a test file:
[root@puppet-master ~]# tree /etc/puppetlabs/code/
/etc/puppetlabs/code/
├── environments
│ └── production
│ ├── data
│ ├── environment.conf
│ ├── hiera.yaml
│ ├── manifests
│ │ └── site.pp
│ └── modules
└── modules
6 directories, 3 files
[root@puppet-master ~]#
[root@puppet-master ~]# cat /etc/puppetlabs/code/environments/production/manifests/site.pp
# not used by anything below; left in from the original manifest
$puppetmaster = 'puppet-master'

# manages one test file; every node that includes this class gets it
class textfile {
  file { '/media/hello.txt':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "Hello!This echo Hello\n",
  }
}

# applies to every node without a more specific node definition
node default {
  include textfile
}
---
Start the agent service and look at what appears under /media. The unit is "disabled", so it will not start at boot unless you also run systemctl enable puppet; for a one-off test run, puppet agent -t applies the catalog once and prints every change:
[root@puppet-agents1 ~]# systemctl status puppet
● puppet.service - Puppet agent
Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@puppet-agents1 ~]# ll /media/
total 0
[root@puppet-agents1 ~]# systemctl start puppet
[root@puppet-agents1 ~]# systemctl status puppet
● puppet.service - Puppet agent
Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2022-08-29 10:39:05 CEST; 2s ago
Main PID: 17929 (puppet)
CGroup: /system.slice/puppet.service
└─17929 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize
Aug 29 10:39:05 puppet-agents1 systemd[1]: Started Puppet agent.
Aug 29 10:39:07 puppet-agents1 puppet-agent[17929]: Starting Puppet client version 7.18.0
Aug 29 10:39:08 puppet-agents1 puppet-agent[17930]: (/Stage[main]/Textfile/File[/media/hello.txt]/ensure) defined content as '{sha256}cb35f43fbb2f2f71b16fca187eb427388c1498e56d232d58daf7dfd9b51bac8e'
Aug 29 10:39:08 puppet-agents1 puppet-agent[17930]: Applied catalog in 0.07 seconds
[root@puppet-agents1 ~]# ll /media/
total 4
-rw-r--r-- 1 root root 22 Aug 29 10:39 hello.txt
[root@puppet-agents1 ~]# cat /media/hello.txt
Hello!This echo Hello
[root@puppet-agents1 ~]#
The agent has applied the file the master defined.
(You can also list every certificate on the puppetserver. Note that the server's own certificate carries the pp_cli_auth: true extension, which is what lets the puppetserver ca commands authenticate to the CA, and its DNS alt names are the names an agent's server setting is allowed to use.)
[root@puppet-master ~]# puppetserver ca list --all
Signed Certificates:
puppet-master (SHA256) F7:06:*:D8:E8:*:87:EA:01:CD:26:9A:*:85:4B:74:9C:7C:F7:29:*:04:42:CE:0F:*:17:89 alt names: ["DNS:puppet", "DNS:puppet-master"] authorization extensions: [pp_cli_auth: true]
puppet-agents2 (SHA256) F9:5B:01:*:86:4F:3E:FA:49:0D:C2:BD:*:*:42:*:96:5B:28:C6:4F:*:45:49:B5:F9:EB:*:82:BD alt names: ["DNS:puppet-agents2"]
puppet-agents1 (SHA256) 51:3E:E4:1E:*:02:FB:44:81:90:C5:*:26:FA:A6:E0:*:E2:*:6C:07:53:1C:64:36:*:4C:CA:*:C7:19 alt names: ["DNS:puppet-agents1"]