Deploying Puppet on CentOS 7
1. Introduction to Puppet
What is Puppet?
Puppet is a centralized configuration management system for Linux, Unix and Windows. It uses its own declarative language and can manage configuration files, users, cron jobs, packages, system services and more.
Puppet calls the system entities it manages (files, users, packages and so on) resources.
Puppet is open source and free to use; it is written in Ruby.
What does Puppet do, and why?
What it does: automated, batch deployment and configuration management of resources; the most common use is managing cluster services and configuration files.
Why: to make operations staff more productive and their work less demanding.
How does Puppet work?
Puppet uses a client/server (C/S) model.
Server: puppetmaster, which holds the configuration and serves configuration tasks.
Client: puppet, which is both a command and a service; it pulls its configuration from the puppetmaster.
Where is Puppet used?
User management and cluster configuration.
Working mode:
Every Puppet client connects to the server every half hour (configurable), downloads the latest configuration, configures itself strictly according to it, and then reports back to the server; if something goes wrong, the error is reported to the server as well.
The client can also be driven manually from the command line, with Redis used to control which directories are managed and how they are synchronized (this is the setup our company uses).
2. Environment setup
Hostname | IP | Role
---|---|---
puppet-m | 192.168.99.129 | server
puppet01 | 192.168.99.130 | client
Note: Puppet depends heavily on hostnames. Before deploying, set each machine's hostname correctly, then add entries for the local host and for the server to /etc/hosts.
1. Initial configuration (apply on every machine)
1.1 Set the hostname
##hostnamectl set-hostname puppet-m
##su
[root@puppet-m ~]# cat /etc/hostname
puppet-m
[root@puppet01 lib]# cat /etc/hostname
puppet01
1.2 Stop the firewall and disable SELinux
### stop the firewall
[root@puppet-m ~]# systemctl stop firewalld
[root@puppet-m ~]# systemctl disable firewalld ## do not start it at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
### disable SELinux
[root@puppet-m ~]# setenforce 0 ## turns enforcement off until the next reboot
[root@puppet-m ~]# getenforce ## Permissive means it is off
Permissive
[root@puppet-m ~]#sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config ## edit the config file and reboot to disable it permanently
Disabling firewalld and SELinux is a shortcut for a lab. On a production master, keep both enabled and open only TCP port 8140, the port nginx listens on for agents below; in this pull model the agents accept no inbound connections and need no open port at all.
1.3 Add /etc/hosts entries for the server and the local host
[root@puppet-m ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.99.129 puppet-m #server
192.168.99.130 puppet01 #local host
1.4 Synchronize time on all machines (certificate validity checks fail when clocks drift)
#yum -y install ntp ntpdate #install ntp
#ntpdate cn.pool.ntp.org #sync with a network time server
#hwclock --systohc #write the time to the hardware clock
1.5 Configure the Aliyun yum repository (EPEL mirror)
[root@puppet-m ~]#yum install vim wget lrzsz -y
#wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
#yum clean all
#yum makecache
2. Upload the packages and install the services
2.1 Upload the in-house package to the server
Upload puppet_server_el7.tar.gz to the server and extract it
[root@puppet-m ~]# tar zxvf puppet_server_el7.tar.gz
[root@puppet-m ~]# cd puppet
[root@puppet-m puppet]# ll
total 20
drwxrwxr-x. 6 15838 15838 85 Dec 19 2016 gems
-rw-rw-r--. 1 15838 15838 659 Sep 9 11:19 install.sh ### one-click install script
-r--------. 1 root root 13984 Mar 18 18:55 puppetlabs-release-el-7.noarch.rpm
drwxr-xr-x. 15 15838 15838 220 Dec 19 2016 puppet_nginx
[root@puppet-m puppet]# vim install.sh
#!/bin/bash
# install the Puppet Labs repo, then the master package, Ruby and OpenSSL
rpm -ivh puppetlabs-release-el-7.noarch.rpm
yum install ruby puppet-server openssl -y
# gems bundled with the package for the prebuilt nginx/Passenger front end
cp -r ./gems/* /usr/lib64/ruby/gems/1.8/gems/
gem install rack -v 1.6.4
# Rack application directory that Passenger will serve
mkdir -p /etc/puppet/rack/public
cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/
cp -r puppet_nginx /usr/local/
chown -R puppet:puppet /etc/puppet/rack/
#/etc/init.d/puppetmaster start
#/etc/init.d/puppetmaster stop
# start the built-in master once so it creates the CA and the master certificate, then stop it
systemctl start puppetmaster
sleep 5
systemctl stop puppetmaster
[root@puppet-m puppet]# sh ./install.sh ## run it from this directory; output like the following means it has basically completed
Fetching: rack-1.6.4.gem (100%)
Successfully installed rack-1.6.4
Parsing documentation for rack-1.6.4
Installing ri documentation for rack-1.6.4
1 gem installed
2.2 Obtain the certificates and edit the nginx configuration
[root@puppet-m puppet]# ls /var/lib/puppet/ssl/certs/ ## if the certificates are missing, start puppetmaster again, wait until they appear, then stop puppetmaster (nginx takes over port 8140)
ca.pem puppet-m.pem
### edit the nginx configuration
[root@puppet-m puppet]# vim /usr/local/puppet_nginx/conf/nginx.conf
user root; ## worker processes run as root here; Passenger's user switching only needs the nginx master process as root, so a dedicated unprivileged user is safer
worker_processes 4;
worker_rlimit_nofile 65535;
error_log /usr/local/puppet_nginx/logs/error.log;
pid /usr/local/puppet_nginx/puppet_nginx.pid;
events {
worker_connections 65535;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
client_body_buffer_size 1m;
access_log /usr/local/puppet_nginx/logs/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
large_client_header_buffers 16 4k;
keepalive_timeout 65;
client_max_body_size 10m;
# Passenger needed for puppet
passenger_root /usr/lib64/ruby/gems/passenger-5.0.21;
passenger_ruby /usr/bin/ruby;
passenger_max_pool_size 24;
server {
listen 8140;
server_name puppet-m; ### ① server_name is this machine's hostname
root /etc/puppet/rack/public;
passenger_enabled on;
## the master learns the agent's identity from these two headers (the defaults of Puppet's ssl_client_header and ssl_client_verify_header settings); every auth.conf decision depends on them
passenger_set_header HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_set_header HTTP_X_CLIENT_VERIFY $ssl_client_verify;
ssl on;
access_log /usr/local/puppet_nginx/logs/puppet_access.log;
error_log /usr/local/puppet_nginx/logs/puppet_error.log;
ssl_session_timeout 5m;
ssl_certificate /var/lib/puppet/ssl/certs/puppet-m.pem; ## ② path of the master certificate created by puppetmaster
ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet-m.pem;
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; ## revoked agent certificates are rejected at the TLS layer; reload nginx after puppet cert revoke so it rereads the file
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem; ## only certificates issued by this Puppet CA are accepted
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ## TLSv1 and TLSv1.1 are obsolete; keep only TLSv1.2 unless an agent cannot negotiate it
ssl_prefer_server_ciphers on;
ssl_verify_client optional; ## optional rather than on: an agent that has no certificate yet must still reach the CSR endpoint; auth.conf decides what unauthenticated clients may do
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
access_by_lua_file /usr/local/puppet_nginx/conf/access.lua; ### ③ access-control script
}
}
⑦ Be sure to adjust the allow/deny restrictions in that file, and the ones it pulls in with include allow.conf.
⑧ Edit /etc/puppet/auth.conf
[root@puppet-m puppet]# egrep -v "^$|#" auth.conf ## everything allowed; otherwise clients get a 403 when they connect to the server
path /
auth any
allow *
With `auth any` and `allow *` on `path /`, every endpoint is open to every client, authenticated or not: any host that can reach port 8140 can fetch any node's catalog and facts and submit reports in any node's name. This makes the 403 go away, but treat it as a lab shortcut, not a fix.
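The restrictive form of the same file, added here as an example and not taken from the page's package, uses the Puppet 3.x auth.conf stanza syntax: a node may fetch only its own catalog and node object and submit only its own report (`$1` is the certname captured from the path and compared with the name in the client certificate), the certificate endpoints stay reachable with `auth any` so that an unenrolled agent can still submit its CSR, and the final `path /` stanza has no `allow` line, so everything else is denied. It works behind the nginx front end because nginx passes HTTP_X_CLIENT_DN and HTTP_X_CLIENT_VERIFY, which are the defaults for Puppet's `ssl_client_header` and `ssl_client_verify_header` settings. If agents still get a 403 with this file, check those two headers and that the agent's `certname` equals the name in its signed certificate, rather than opening `path /`.

```conf
# /etc/puppet/auth.conf: per-node rules. $1 is the certname captured by the regex
# and must equal the CN of the client certificate nginx verified.
path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/node/([^/]+)$
method find
allow $1

path ~ ^/report/([^/]+)$
method save
allow $1

# Prefix match: also covers /file_metadata and /file_content, which pluginsync
# and file resources use. Requires an authenticated client (auth yes is the default).
path /file
allow *

# Agents download the CA's revocation list.
path /certificate_revocation_list/ca
method find
allow *

# Certificate endpoints are reachable without a client certificate ("auth any"),
# because an agent that has not been enrolled yet has nothing to present.
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

# Catch-all: no "allow" line, so every request not matched above is denied.
path /
auth any
```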
2.3 Install Puppet on the client
1) Copy the puppetlabs-release-el-7.noarch.rpm obtained by extracting puppet_server_el7.tar.gz on the server to the agent machine
2) Install the repo rpm and the agent package
rpm -ivh puppetlabs-release-el-7.noarch.rpm
yum install puppet ## do not start the client service yet
2.4 Edit the master's puppet.conf
[root@puppet-m puppet]# egrep -v "^$|#" /etc/puppet/puppet.conf
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
[master]
certname=puppet-m ## this machine's hostname
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
2.5 Edit the agent's puppet.conf
[root@puppet01 ~]# egrep -v "^$|#" /etc/puppet/puppet.conf
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
[agent]
certname=puppet01 ## this machine's hostname
server=puppet-m ## the server's hostname
# runinterval=180 ## run interval in seconds; not used in our workflow
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
3. Enrolling the agent with the server
Note: do not start the puppet service on the client; once started it sends the certificate request by itself.
3.1 Send a certificate request from the agent
[root@puppet01 ~]# puppet agent --server puppet-m --test ## sends the request; puppet-m is the server's hostname
Info: Creating a new SSL key for puppet01
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet01
Info: Certificate Request fingerprint (SHA256): BF:3A:C1:29:2F:2D:47:EF:CE:95:AA:5F:DB:8C:55:08:8D:EE:4B:D0:82:FA:25:33:67:E2:B4:EC:39:68:96:E4
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
3.2 View the pending request on the master
[root@puppet-m ~]# puppet cert --list ## list pending requests on the server
"puppet01" (SHA256) 9F:0B:99:C4:16:E7:D0:95:D6:8A:0C:CA:62:0C:1E:52:9E:B3:6B:74:DE:8C:A3:48:FA:93:95:0B:9B:6F:89:E8
Before signing, compare this fingerprint with the "Certificate Request fingerprint" the agent printed in step 3.1 and sign only when they match; a request for a known certname with an unexpected fingerprint may come from another host impersonating that agent.
3.3 Sign the request on the master and verify from the agent
[root@puppet-m conf]# puppet cert sign puppet01 ### sign the request
Notice: Signed certificate request for puppet01
Notice: Removing file Puppet::SSL::CertificateRequest puppet01 at '/var/lib/puppet/ssl/ca/requests/puppet01.pem'
[root@puppet01 lib]# puppet agent --server puppet-m --test ## test the connection: OK
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppet01
Info: Applying configuration version '1631252407'
Notice: Finished catalog run in 0.01 seconds
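The fingerprint check from steps 3.2 and 3.3, as an added example rather than a script from the original page: a small bash helper for the master that parses `puppet cert list` output, extracts the fingerprint for one certname and signs only if it equals the fingerprint copied from the agent's console. `SAMPLE_CERT_LIST` and `EXPECTED_PUPPET01` are constructed sample data in the output format shown above; `puppet cert list` and `puppet cert sign` are the real Puppet 3 commands and are only invoked by `sign_if_match`.

```bash
#!/bin/bash
# Added example, not part of the original page: sign an agent's certificate
# request only after confirming that the fingerprint the master lists is the
# one the agent printed in step 3.1 (copied through an out-of-band channel,
# e.g. read off the agent's console).  Any host that can reach port 8140 can
# submit a CSR under any certname, so this comparison is what ties the request
# to the machine you actually provisioned.

# Constructed sample of `puppet cert list` output, in the format shown above.
SAMPLE_CERT_LIST='  "puppet01" (SHA256) 9F:0B:99:C4:16:E7:D0:95:D6:8A:0C:CA:62:0C:1E:52:9E:B3:6B:74:DE:8C:A3:48:FA:93:95:0B:9B:6F:89:E8
  "puppet02" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'
# Fingerprint the operator read from puppet01's console (constructed to match).
EXPECTED_PUPPET01='9F:0B:99:C4:16:E7:D0:95:D6:8A:0C:CA:62:0C:1E:52:9E:B3:6B:74:DE:8C:A3:48:FA:93:95:0B:9B:6F:89:E8'

# Print the SHA256 fingerprint of the pending request for CERTNAME, reading
# `puppet cert list` output on stdin; prints nothing if no such request exists.
csr_fingerprint() {
    local certname="$1"
    awk -v want="\"$certname\"" '$1 == want && $2 == "(SHA256)" { print $3; exit }'
}

# Return 0 only when both fingerprints are non-empty and equal (case-insensitive).
fingerprints_match() {
    local a b
    a=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Read list output on stdin and decide whether CERTNAME may be signed:
# returns 0 (sign) when the listed fingerprint equals EXPECTED, else 1.
check_csr() {
    local certname="$1" expected="$2" listed
    listed=$(csr_fingerprint "$certname")
    if fingerprints_match "$listed" "$expected"; then
        echo "ok: $certname request matches $listed"
    else
        echo "refusing $certname: listed='${listed:-<none>}' expected='$expected'" >&2
        return 1
    fi
}

# On the master: sign only when the live `puppet cert list` output matches.
sign_if_match() {
    local certname="$1" expected="$2"
    puppet cert list | check_csr "$certname" "$expected" && puppet cert sign "$certname"
}

# Offline demonstration against the constructed sample: accepted, then refused
# because puppet02's request does not carry puppet01's fingerprint.
printf '%s\n' "$SAMPLE_CERT_LIST" | check_csr puppet01 "$EXPECTED_PUPPET01"
printf '%s\n' "$SAMPLE_CERT_LIST" | check_csr puppet02 "$EXPECTED_PUPPET01" || echo "(refused as expected)"
```

On the master, run `sign_if_match puppet01 <fingerprint-from-the-agent-console>` instead of a bare `puppet cert sign`. `puppet cert list` itself verifies nothing about the requester beyond the name it claims, so this comparison is the only link between the pending CSR and the machine you provisioned.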