puppet-master-agent notes


master-agent

I. Master node

1. Install the master node

[[email protected] puppet]# yum -y install puppet-server-3.8.4-1.el7.noarch.rpm

1.1 List the files in the puppet-server package

[[email protected] puppet]# rpm -ql puppet-server
/etc/puppet/environments
/etc/puppet/environments/example_env
/etc/puppet/environments/example_env/README.environment
/etc/puppet/environments/example_env/manifests
/etc/puppet/environments/example_env/modules
/etc/puppet/fileserver.conf
/etc/puppet/manifests
/usr/lib/systemd/system/puppetmaster.service
/usr/share/man/man8/puppet-ca.8.gz
/usr/share/man/man8/puppet-master.8.gz

1.1 Display the puppet configuration

[[email protected] ~]# puppet config print

1.2 View the reference documentation

[[email protected] ~]# puppet doc --list
configuration - A reference for all settings
function - All functions available in the parser
indirection - Indirection types and their terminus classes
metaparameter - All Puppet metaparameters and all their details
providers - Which providers are valid for this machine
report - All available transaction reports
type - All Puppet resource types and all their details

[[email protected] ~]# puppet doc -r configuration

[[email protected] ~]# puppet doc -r type

2. master-agent

2.1 Preparation: all hosts must be able to resolve each other's names

[[email protected] ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.201.106.21 node1.com node1
10.201.106.22 node2.com node2
10.201.106.23 node3.com node3
10.201.106.24 node4.com node4
10.201.106.131 master1.com master1
10.201.106.132 master2.com master2
10.201.106.133 master3.com master3
10.201.106.134 master4.com master4

2.2 Test-start the master

[[email protected] ~]# puppet master -v --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 54:35:74:46:41:CD:4F:87:6F:03:79:C7:3A:76:B2:B7:CD:A0:7C:58:0C:66:CA:83:28:77:C9:BA:1E:BA:08:8A
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for master1.master1.com
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for master1.master1.com
Info: Certificate Request fingerprint (SHA256): F5:2A:6A:A1:EF:03:EF:D1:81:EE:1A:8C:B8:25:14:C6:2B:45:30:21:7C:BA:81:9F:24:64:73:53:6A:56:DC:D2
Notice: master1.master1.com has a waiting certificate request
Notice: Signed certificate request for master1.master1.com
Notice: Removing file Puppet::SSL::CertificateRequest master1.master1.com at '/var/lib/puppet/ssl/ca/requests/master1.master1.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest master1.master1.com at '/var/lib/puppet/ssl/certificate_requests/master1.master1.com.pem'
Notice: Starting Puppet master version 3.8.4

[[email protected] ~]# ls /var/lib/puppet/ssl/
ca  certificate_requests  certs  crl.pem  private  private_keys  public_keys

[[email protected] ~]# rm -rf /var/lib/puppet/ssl/*

2.3 Start the master in the background

[[email protected] ~]# ls /usr/lib/systemd/system/puppet*
/usr/lib/systemd/system/puppetagent.service   /usr/lib/systemd/system/puppet.service
/usr/lib/systemd/system/puppetmaster.service

[[email protected] ~]# systemctl start puppetmaster.service
[[email protected] ~]# ss -tnlp 'sport = :8140'
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128          *:8140                     *:*                   users:(("puppet",pid=20006,fd=8))

2.4 Install the agent on the other nodes

[[email protected] puppet]# yum install -y puppet-3.8.4-1.el7.noarch.rpm facter-2.4.1-1.el7.x86_64.rpm

2.5 Manual agent test

[[email protected] puppet]# puppet agent --server=master1.com --no-daemonize --noop --test --verbose
Info: Creating a new SSL key for master2.master2.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for master2.master2.com
Info: Certificate Request fingerprint (SHA256): 10:35:2B:3E:D3:AA:8C:9D:52:A7:34:CF:6B:7F:26:74:80:04:92:E1:FA:86:00:3A:BF:0D:5B:34:F0:AC:D0:F6
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

2.7

[[email protected] puppet]# puppet agent --server=master1.com --no-daemonize --verbose

2.8 Certificate signing

List the pending certificate requests:
[[email protected] ~]# puppet cert list
  "master2.master2.com" (SHA256) 10:35:2B:3E:D3:AA:8C:9D:52:A7:34:CF:6B:7F:26:74:80:04:92:E1:FA:86:00:3A:BF:0D:5B:34:F0:AC:D0:F6
[[email protected] ~]#

Sign the agent node's certificate:
[[email protected] ~]# puppet cert sign master2.master2.com
Notice: Signed certificate request for master2.master2.com
Notice: Removing file Puppet::SSL::CertificateRequest master2.master2.com at '/var/lib/puppet/ssl/ca/requests/master2.master2.com.pem'
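
The fingerprint the agent printed in 2.5 is the same one the master lists in 2.8, and comparing the two before signing is what ties the request to the real node. The script below is an added example, not part of the original notes; `pending_fp`, `has_alt_names`, `check_request` and the `node9.example` entry are hypothetical names introduced for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the fingerprint the
# agent printed with the one the CA lists before running `puppet cert sign`.

# Fingerprint from the agent's "Certificate Request fingerprint" line (2.5).
AGENT_FP='10:35:2B:3E:D3:AA:8C:9D:52:A7:34:CF:6B:7F:26:74:80:04:92:E1:FA:86:00:3A:BF:0D:5B:34:F0:AC:D0:F6'

# `puppet cert list` output. Line 1 is the request shown in 2.8; line 2 is
# constructed for this example (hypothetical node asking for extra DNS names).
SAMPLE_LIST='  "master2.master2.com" (SHA256) 10:35:2B:3E:D3:AA:8C:9D:52:A7:34:CF:6B:7F:26:74:80:04:92:E1:FA:86:00:3A:BF:0D:5B:34:F0:AC:D0:F6
  "node9.example" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF (alt names: "DNS:node9.example", "DNS:puppet")'

# Print the fingerprint of the pending request for certname $1 (list on stdin).
# Signed entries from `--all` start with "+", so they never match field 1.
pending_fp() {
    awk -v n="$1" '$1 == "\"" n "\"" && $2 == "(SHA256)" { print $3; exit }'
}

# Succeed if the pending request for certname $1 asks for alt names.
has_alt_names() {
    awk -v n="$1" '$1 == "\"" n "\"" && /\(alt names:/ { f = 1 } END { exit !f }'
}

# check_request CERTNAME EXPECTED_FP  (list on stdin)
# Prints a verdict and returns 0 only when the request is safe to sign.
check_request() {
    list=$(cat)
    got=$(printf '%s\n' "$list" | pending_fp "$1")
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ -z "$got" ]; then echo "no-pending-request"; return 1; fi
    if [ "$got" != "$want" ]; then echo "fingerprint-mismatch"; return 1; fi
    if printf '%s\n' "$list" | has_alt_names "$1"; then
        echo "has-alt-names"; return 1
    fi
    echo "ok"
}

# Demo on the embedded sample. On the master the real pipeline would be:
#   puppet cert list | check_request master2.master2.com "$AGENT_FP" \
#       && puppet cert sign master2.master2.com
printf '%s\n' "$SAMPLE_LIST" | check_request master2.master2.com "$AGENT_FP"
```

The certname is matched exactly, so a request for `master2.com` is not accepted on the strength of a fingerprint collected for `master2.master2.com`.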

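Connect the agent (make sure the clocks are synchronized; if it fails, re-sign the certificate and check time synchronization and hosts resolution, where the *.com name must come first; see http://www.minunix.com/2014/05/puppet-faq02/):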

[[email protected] ~]# puppet agent --server=master1.com --no-daemonize --verbose

[[email protected] ~]# puppet agent --server=master1.com --no-daemonize --verbose
Info: Caching certificate for master2.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for master2.com
Notice: Starting Puppet client version 3.8.4
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for master2.com
Info: Applying configuration version '1513926001'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.03 seconds

2.9 Start the agent service

[[email protected] ~]# systemctl start puppetagent.service

2.10 List all signed certificates

[[email protected] ~]# puppet cert list --all
+ "master1.com" (SHA256) CA:B2:28:A9:7F:5E:7E:BB:06:68:44:7D:31:0D:31:BD:7B:96:29:67:56:DA:1E:AF:0A:E5:98:B7:45:98:A2:AD (alt names: "DNS:master1.com", "DNS:puppet", "DNS:puppet.com")
+ "master2.com" (SHA256) B7:23:B6:07:81:F8:6D:E9:E6:92:48:4B:F5:68:FA:24:7B:45:E8:1F:31:AC:3F:49:B0:E4:11:6A:B9:CB:03:16

2.11 Revoke and clean a certificate

[[email protected] ~]# puppet cert clean master2.com
Notice: Revoked certificate with serial 16
Notice: Removing file Puppet::SSL::Certificate master2.com at '/var/lib/puppet/ssl/ca/signed/master2.com.pem'
Notice: Removing file Puppet::SSL::Certificate master2.com at '/var/lib/puppet/ssl/certs/master2.com.pem'
[[email protected] ~]# 

2.12 Re-issue the client certificate

Delete the certificates on the client:
[[email protected] ~]# rm -rf /var/lib/puppet/ssl/*

Request a new certificate from the client:
[[email protected] ~]# puppet agent --server=master1.com --no-daemonize --verbose

Sign the certificate on the master:
[[email protected] ~]# puppet cert sign master2.com
Notice: Signed certificate request for master2.com
Notice: Removing file Puppet::SSL::CertificateRequest master2.com at '/var/lib/puppet/ssl/ca/requests/master2.com.pem'

3.

3.1 Define the site manifest

List the installed modules:
[[email protected] ~]# puppet module list

Show the module path:
[[email protected] ~]# puppet config print modulepath
/etc/puppet/modules:/usr/share/puppet/modules

Set the module path:

3.2 Apply a class to the agent node

[[email protected] manifests]# pwd
/etc/puppet/manifests
[[email protected] manifests]# vim site.pp

node "master2.com" {
    include nginx::proxy
}

Restart the master service:
[[email protected] manifests]# systemctl restart puppetmaster.service

Dry run on the agent (nothing is actually applied):
[[email protected] ~]# puppet agent --server=master1.com --no-daemonize --verbose --noop
Notice: Starting Puppet client version 3.8.4
Info: Caching certificate_revocation_list for ca
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for master2.com
Info: Applying configuration version '1513967443'
Notice: /Stage[main]/Nginx::Proxy/File[/etc/nginx/nginx.conf]/ensure: current_value absent, should be file (noop)
Info: /Stage[main]/Nginx::Proxy/File[/etc/nginx/nginx.conf]: Scheduling refresh of Service[nginx]
Notice: Class[Nginx::Proxy]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Nginx/Package[nginx]/ensure: current_value absent, should be latest (noop)
Notice: /Stage[main]/Nginx/Service[nginx]/ensure: current_value stopped, should be running (noop)
Info: /Stage[main]/Nginx/Service[nginx]: Unscheduling refresh on Service[nginx]
Notice: Class[Nginx]: Would have triggered 'refresh' from 2 events
Notice: Stage[main]: Would have triggered 'refresh' from 2 events
Notice: Finished catalog run in 0.92 seconds

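The error occurs because the resources are declared in the wrong order: the package should be installed first, then the configuration file provided, and finally the service started: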

Or fix it with require:
class nginx::webserver inherits nginx {
        # Config file is managed only after the package is installed;
        # a change to it refreshes the nginx service.
        file{'/etc/nginx/nginx.conf':
                source => 'puppet:///modules/nginx/nginx_web.conf',
                ensure => file,
                notify => Service['nginx'],
                require => Package['nginx'],
        }
}

class nginx::proxy inherits nginx {
        # Same ordering, with the config rendered from an ERB template.
        file{'/etc/nginx/nginx.conf':
                content => template('nginx/nginx_proxy.conf.erb'),
                ensure => file,
                notify => Service['nginx'],
                require => Package['nginx'],
        }
}

[[email protected] ~]# puppet agent --server=master1.com --no-daemonize --verbose
Notice: Starting Puppet client version 3.8.4
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for master2.com
Info: Applying configuration version '1513967443'
Info: Computing checksum on file /etc/nginx/nginx.conf
Info: /Stage[main]/Nginx::Proxy/File[/etc/nginx/nginx.conf]: Filebucketed /etc/nginx/nginx.conf to puppet with sum 93bc8e01bfd45e7e18b23acc178ae25b
Notice: /Stage[main]/Nginx::Proxy/File[/etc/nginx/nginx.conf]/content: content changed '{md5}93bc8e01bfd45e7e18b23acc178ae25b' to '{md5}0efa2f8bb50f170b0cf039c626dd25e3'
Info: /Stage[main]/Nginx::Proxy/File[/etc/nginx/nginx.conf]: Scheduling refresh of Service[nginx]
Notice: /Stage[main]/Nginx/Service[nginx]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Nginx/Service[nginx]: Unscheduling refresh on Service[nginx]
Notice: Finished catalog run in 4.18 seconds

Run it for real:
[[email protected] ~]# systemctl start puppetagent.service

3.3
