Puppet User Manual – Installation and Configuration
Source: Internet | Published by: 编程专用笔记本 | Editor: 程序博客网 | Time: 2024/06/07 00:47
Before installing Puppet, make sure the following software is already installed on the server:
1) Ruby: mount the ISO, change to /mnt/Server, and run: yum -y install ruby-*
2) Facter
3) The OpenSSL library that Ruby depends on; run the following command to test whether the dependency is installed:
ruby -ropenssl -e "puts :yep"
If it prints "yep", everything is fine.
Note: before installing Puppet, set the server's hostname correctly if it is not already, otherwise you will run into many problems!
2. Installing the Puppet server
This article is based on installation from source; installation from binary packages is not covered here, so search online if you need it. First, upload facter-2.0.0rc4.tar.gz and puppet-2.7.19.tar.gz to the Puppet server (192.168.56.2). The steps are as follows:
1) Install facter:
# wget http://downloads.puppetlabs.com/facter/facter-2.0.0rc4.tar.gz
# tar zxvf facter-2.0.0rc4.tar.gz
# cd facter-2.0.0rc4
# ruby install.rb
After installation it reports whether there were any problems; as shown in the figure below, there are no errors:
2) Install Puppet:
# wget http://puppetlabs.com/downloads/puppet/puppet-2.7.19.tar.gz
# tar zxvf puppet-2.7.19.tar.gz
# cd puppet-2.7.19
# ruby install.rb
After installation it reports whether there were any problems; as shown in the figure below, there are no errors:
At this point the Puppet server installation is complete.
3. Installing the Puppet client for Linux
The Puppet client is installed the same way as the server, so it is not described again here; see Chapter 2 for details.
4. Installing the Puppet client for Windows
Not planned for now!
5. Configuring the Puppet server and clients
Before configuring, make sure the local time on the Puppet server and on all Puppet clients is consistent. NTP is recommended for time synchronization (see the NTP documentation online or its man page).
5.1 Configure the Puppet server:
Create the puppet group and user:
# groupadd puppet
# useradd -g puppet -s /sbin/nologin puppet
Set up /etc/hosts and copy the configuration files from the Puppet source tree:
# echo "192.168.56.2 puppetmaster.test.com puppetmaster" >> /etc/hosts
# echo "192.168.56.10 client1.test.com client1" >> /etc/hosts
# cp conf/namespaceauth.conf /etc/puppet/
# cp conf/redhat/puppet.conf /etc/puppet/
# cp conf/redhat/server.init /etc/init.d/puppetmaster
# chmod +x /etc/init.d/puppetmaster
Start puppetmaster; if there are no problems, it shows the following:
# /etc/init.d/puppetmaster start
Starting puppetmaster: [ OK ]
# chkconfig puppetmaster on
5.2 Configure the Puppet client:
Apart from the following commands, the configuration is exactly the same as on the server:
# cp conf/redhat/client.init /etc/init.d/puppet
# chmod +x /etc/init.d/puppet
The corresponding command on the server is:
# cp conf/redhat/server.init /etc/init.d/puppetmaster
Start puppet; if there are no problems, it shows the following:
# /etc/init.d/puppet start
Starting puppet: [ OK ]
# chkconfig puppet on
5.3 Testing the Puppet server and client:
The Puppet client and server communicate over an SSL tunnel, so after the client is installed it must request a certificate from the server:
1) The first connection to the server issues a certificate request; run the following command on the client:
# puppetd --server puppetmaster --test
Running this command means the client has generated its key and certificate and sent the certificate signing request to the Puppet server.
2) Log in to the Puppet server and list all client certificate signing requests:
# puppetca --list
The output shows the certificate signing request from client1.test.com. Finally, sign all pending certificate requests:
# puppetca -s -a
5.4 Example: synchronizing the hosts file (implemented with modules)
1) Before syncing, first look at a simple example that does not use a module:
# Default node configuration
node default {
    file { "/tmp/temp1.txt":
        content => "Hello,Puppet!";
    }
}
# Sync the /root/temp01.txt file
node "client1.test.com" {
    host { "host1":
        ip     => "192.168.1.1",
        target => "/root/temp01.txt",
        ensure => present;
    }
}
node "feinno-hgg" {
    host { "host2":
        ip     => "192.168.1.1",
        target => "/root/temp01.txt",
        ensure => present;
    }
}
…
The example above configures two clients, "client1.test.com" and "feinno-hgg", plus a default node; when a new client joins later, simply append a new node at the end of the file. But think a little further: from the perspective of later maintenance and management, two key problems must be considered:
Problem 1: suppose you manage not 10 machines but 100, 1000 or even more; is this configuration approach optimal?
Problem 2: suppose the clients you manage span multiple platforms, for example Debian, CentOS, Solaris, AIX or Windows; how do you handle cross-platform file synchronization?
The configuration style of example 1 clearly cannot solve these two problems, which is why we now introduce the modular implementation.
2) Create the required directories:
# /bin/mkdir -p /etc/puppet/modules/hosts/{files,lib,manifests,templates}
# /bin/mkdir -p /etc/puppet/modules/hosts/files/etc
3) Create the required files:
# ll /etc/puppet/manifests/
total 8
-rw-r--r-- 1 root root 103 Oct 15 17:08 nodes.pp
-rw-r--r-- 1 root root 52 Oct 15 17:04 site.pp
# cat site.pp
# Import nodes.pp
import 'nodes.pp'
$puppetserver="master.test.com"
# cat nodes.pp
# Match every client whose name starts with word characters and ends in .test.com, and include the hosts class
node /^\w+\.test\.com$/ {
    include hosts
}
node 'feinno-hgg' {
    include hosts
}
Note that nodes.pp uses a regular expression, so one very simple node definition can match many clients, while special hosts can still be added as individual nodes at the end of the file. This solves the first problem raised above.
Now look at the two kinds of files under modules:
# ls -l /etc/puppet/modules/hosts/manifests
-rw-r--r-- 1 root root 654 Oct 15 17:16 config.pp
-rw-r--r-- 1 root root 47 Oct 12 11:20 init.pp
# cat init.pp
# Define a hosts class and include its subclass hosts::config
class hosts {
    include hosts::config
}
# cat config.pp
# Define the hosts::config subclass, whose parent class is hosts
class hosts::config inherits hosts {
    if $operatingsystem in [ "RedHat", "CentOS", "Ubuntu", "Fedora" ] {
        file { "/etc/hosts":
            owner  => "root",
            group  => "root",
            mode   => 644,
            source => "puppet://$puppetserver/hosts/etc/hosts",
        }
    } elsif $operatingsystem == "Windows" {
        file { "C:/Windows/System32/drivers/etc/hosts":
            owner  => "xm_Administrator",
            group  => "Administrators",
            source => "puppet://$puppetserver/hosts/etc/win_hosts";
        }
    } else {
        fail("Doesn't support this OS: $operatingsystem")
    }
}
As config.pp shows, an if/elsif decision combined with Puppet's built-in variable $operatingsystem can synchronize the hosts file across any operating system, which solves the second problem raised above.
4) Configure modules
Careful readers may ask: how does Puppet find the module? Good question. By default Puppet cannot find custom modules; the modulepath parameter must be set in the [main] section of puppet.conf, for example:
# cat puppet.conf | grep module
modulepath = /etc/puppet/modules
With this simple addition, Puppet can locate custom modules.
5) Configure the fileserver:
# /etc/puppet/fileserver.conf
[hosts]
path /etc/puppet/modules/hosts/files
allow *
This defines a file service mount named hosts, specifies where its files are stored, and allows every client to fetch from it; opening a mount to all clients like this is not recommended in production. The path format used after source in config.pp earlier is:
puppet://$puppetserver/mount_point/path
For example:
puppet://$puppetserver/hosts/etc/hosts
corresponds to the absolute path:
/etc/puppet/modules/hosts/files/etc/hosts
6) Puppet client for Windows: Windows 8 client test:
D:\Program Files (x86)\Puppet Labs\Puppet\bin>puppet.bat agent --test --server master.test.com
info: Retrieving plugin
info: Caching catalog for feinno-hgg
info: Applying configuration version '1350292129'
notice: /Stage[main]/Hosts::Config/File[C:/Windows/System32/drivers/etc/hosts]/content:
info: FileBucket got a duplicate file {md5}2c0dd3682bc4dbab317365a88af6177a
info: /Stage[main]/Hosts::Config/File[C:/Windows/System32/drivers/etc/hosts]: Filebucketed C:/Windows/System32/drivers/etc/hosts to puppet with sum 2c0dd3682bc4dbab317365a88af6177a
notice: /Stage[main]/Hosts::Config/File[C:/Windows/System32/drivers/etc/hosts]/content: content changed '{md5}2c0dd3682bc4dbab317365a88af6177a' to '{md5}09636a06eea3999e8b02ca831923f3d6'
notice: this OS: windows. Sync complete.
notice: /Stage[main]/Hosts::Config/Notify[this OS: windows. Sync complete.]/message: defined 'message' as 'this OS: windows. Sync complete.'
notice: Finished catalog run in 0.85 seconds
The log shows that win_hosts was successfully synchronized to C:/Windows/System32/drivers/etc/hosts.
Tip: when syncing on Windows Server 2008, Windows 7 or Windows 8 clients, note that the C:/Windows/System32/drivers/etc directory must be writable by the agent.
6. Managing the Puppet service
6.1 Starting, stopping and restarting the Puppet server:
# /etc/init.d/puppetmaster start    # start
# /etc/init.d/puppetmaster stop     # stop
# /etc/init.d/puppetmaster restart  # restart
6.2 Starting, stopping and restarting the Puppet client:
# /etc/init.d/puppet start
# /etc/init.d/puppet stop
# /etc/init.d/puppet restart
6.3 Puppet for Windows client settings:
After the Puppet client is installed on Windows, a Puppet Agent service is automatically added to the system services and set to start at boot; if it is not, change it yourself.
6.4 Set the Puppet server to start at boot:
# chkconfig puppetmaster on
# chkconfig --list puppetmaster
7. Common errors
7.1 Syntax error: puppetd -s puppetmaster.test.com -t
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:54:in `handle_serve': uninitialized constant Puppet::Network::Handler (NameError)
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:363:in `send'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:363:in `parse_options'
from /usr/lib/ruby/1.8/optparse.rb:1247:in `call'
from /usr/lib/ruby/1.8/optparse.rb:1247:in `order!'
from /usr/lib/ruby/1.8/optparse.rb:1205:in `catch'
from /usr/lib/ruby/1.8/optparse.rb:1205:in `order!'
from /usr/lib/ruby/1.8/optparse.rb:1279:in `permute!'
from /usr/lib/ruby/1.8/optparse.rb:1300:in `parse!'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:370:in `parse_options'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:416:in `hook'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:407:in `exit_on_fail'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
from /usr/sbin/puppetd:4
Answer: this is caused by the Puppet version being too old, or by the option form; for example, change -t -s to --test --server.
7.2 Could not load openssl Ruby library; cannot install
# tar xvf openssl-0.9.8p.tar.gz
# cd openssl-0.9.8p
# cp ssl/ssl.h /root/ruby-1.8.7/ext/openssl/
# ./config -fPIC --prefix=/usr/local --openssldir=/usr/local/openssl enable-shared
# make && make install
Change to ext/openssl/ under the Ruby source directory and rebuild the openssl extension:
# cd /root/ruby-1.8.7/ext/openssl/
# ruby extconf.rb --with-openssl-include=/usr/local/openssl/include --with-openssl-lib=/usr/local/openssl/lib
# make && make install
7.3 Error 400 on SERVER: Cannot find file: Invalid mount
# puppetd --test
info: Caching catalog for client1.test.com
info: Applying configuration version '1349933729'
err: /Stage[main]//Node[client1.test.com]/File[/etc/puppet/files/temp01.txt]: Could not evaluate: Error 400 on SERVER: Cannot find file: Invalid mount 'temp01.txt' Could not retrieve file metadata for puppet:///temp01.txt: Error 400 on SERVER: Cannot find file: Invalid mount 'temp01.txt' at /etc/puppet/manifests/site.pp:20
notice: Finished catalog run in 0.45 seconds
The source URL puppet:///temp01.txt names no mount point, so the server treats 'temp01.txt' itself as the mount and cannot find it; use the puppet://$puppetserver/mount_point/path form described in section 5.4, with the mount defined in fileserver.conf.
7.4 err: Could not retrieve catalog from remote server: Connection refused
# puppetd --test --server master.test.com
err: Could not retrieve catalog from remote server: Connection refused - connect(2)
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: Connection refused - connect(2)
This error means the agent cannot connect to the master (the Puppet server), and is caused by one of two things:
1) The Puppet server refuses the connection, usually because of a firewall or SELinux;
2) The local firewall on the Puppet client.
I hit this problem during testing, but after checking the causes above the connection-refused error persisted; after about two hours of careful troubleshooting I finally found the cause, and it nearly made me spit blood! Here is the troubleshooting process:
Step 1: checked the Puppet server's firewall: it was enabled but had no rules; disabled it and retried from the client, no luck! Checked Linux again; the problem remained.
Step 2: checked the Puppet client's firewall: already off; SELinux also off.
Step 3: tried modifying auth.conf on the Puppet server and restarting puppetmaster; the problem remained.
Step 4: checked whether the Puppet client is pointed at the correct server:
# puppet agent --configprint server
The printed domain name matched the hosts file.
Step 5: checked whether the hosts files on the Puppet server and the Puppet client are correct.
The first time I looked at these two files they seemed fine; later, after fiddling elsewhere and coming back to the hosts file, I found an error in the Puppet client's hosts file that I am embarrassed to write down:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 master.test.com master localhost.localdomain localhost
#::1 localhost6.localdomain6 localhost6
192.168.56.2 master.test.com
192.168.56.10 client1.test.com
192.168.10.188 feinno-hgg
There was the problem: the client's hosts file listed master.test.com on the 127.0.0.1 loopback line, so the agent was connecting to itself. It takes some doing to write a hosts file like that; after fixing and saving it, the test showed the problem was solved.
Low-level errors like this come from not being rigorous enough day to day, and they cost a lot of time. So when a problem appears, check every operation and step very carefully; only then can you find the root cause and fix it efficiently.
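As an added example (not from the original article), a small POSIX shell check for the hosts-file mistake described in this section: it flags a master name that sits on a loopback line, is missing, or maps to several addresses. The two sample hosts files are constructed here; the function name check_master_hosts is my own.

```shell
#!/bin/sh
# Added example, not from the original article: lint a client's hosts file for
# the mistake found in section 7.4, where the master's name sat on the
# 127.0.0.1 line, so the agent connected to itself and got "Connection refused".
# check_master_hosts <hosts-file> <master-fqdn>
# exit status: 0 = exactly one non-loopback address, 1 = loopback entry found,
#              2 = name not present, 3 = name maps to several addresses
check_master_hosts() {
    hosts_file=$1
    master=$2
    # Drop comments, then print the address of every line that names the master
    matches=$(sed 's/#.*//' "$hosts_file" | awk -v m="$master" '
        { for (i = 2; i <= NF; i++) if ($i == m) { print $1; break } }')
    if [ -z "$matches" ]; then
        echo "missing: $master is not in $hosts_file" >&2
        return 2
    fi
    count=0
    for addr in $matches; do
        case $addr in
            127.*|::1)
                echo "loopback: $master maps to $addr; the agent would talk to itself" >&2
                return 1 ;;
        esac
        count=$((count + 1))
    done
    if [ "$count" -gt 1 ]; then
        echo "ambiguous: $master maps to $count addresses" >&2
        return 3
    fi
    return 0
}

# Constructed sample 1: the broken client file from section 7.4
BAD_HOSTS=$(mktemp)
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1 master.test.com master localhost.localdomain localhost
#::1 localhost6.localdomain6 localhost6
192.168.56.2 master.test.com
192.168.56.10 client1.test.com
EOF
# Constructed sample 2: the layout from section 5.1, master on its own line
GOOD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1 localhost.localdomain localhost
192.168.56.2 master.test.com master
192.168.56.10 client1.test.com client1
EOF
```

Run it against the name printed by `puppet agent --configprint server` on the client; a non-zero status tells you which of the three conditions was hit.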
7.5 Could not evaluate: Error 400 on SERVER: Not authorized to call find
info: Caching catalog for client1.test.com
info: Applying configuration version '1350282880'
notice: this OS: RedHat. Sync complete.
notice: /Stage[main]/Hosts::Config/Notify[this OS: RedHat. Sync complete.]/message: defined 'message' as 'this OS: RedHat. Sync complete.'
err: /Stage[main]/Hosts::Config/File[/etc/hosts]: Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/hosts/etc/hosts Could not retrieve file metadata for puppet://master.test.com/hosts/etc/hosts: Error 400 on SERVER: Not authorized to call find on /file_metadata/hosts/etc/hosts at /etc/puppet/modules/hosts/manifests/config.pp:10
This problem is caused by the client failing the Puppet server's fileserver authorization. Since file resources must be fetched, the corresponding mount point in the Puppet server's fileserver.conf must explicitly allow the client, for example:
# cat /etc/puppet/fileserver.conf
[hosts]
path /etc/puppet/modules/hosts/files
allow client1.test.com
7.6 Failed to generate additional resources using 'eval_generate: SSL_connect
D:\Program Files (x86)\Puppet Labs\Puppet\bin>puppet.bat agent --test --server master.test.com
info: Retrieving plugin
err: /File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=master.test.com]
err: /File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=master.test.com] Could not retrieve file metadata for puppet://master.test.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=master.test.com]
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=master.test.com]
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=master.test.com]
This problem is caused by the clocks of the Puppet server and the Puppet client being out of sync; the CRL's validity start lies in the client's future. Bring the server and client times into agreement. If the times already match and the problem persists, regenerate the certificate as follows:
1) On the Puppet server, clean the client's certificate:
# puppetca -c feinno-hgg
2) On the Puppet client, delete the certificates. Client certificate paths:
Linux: /var/lib/puppet/ssl
MS2003: %ALLUSERSPROFILE%\Application Data\PuppetLabs\puppet\etc\ssl
MS2008: %PROGRAMDATA%\PuppetLabs\puppet\etc\ssl\
For example, to delete the certificates on a Linux client:
# rm -fr /var/lib/puppet/ssl/*
3) On the Puppet client, run:
# puppetd --test --server master.test.com
4) On the Puppet client, run:
# puppetca -l
If the client's certificate signing request is listed, enter:
# puppetca -s feinno-hgg    # sign the certificate request from client feinno-hgg
or:
# puppetca -s -a    # sign the certificate requests of all clients
7.7 Could not retrieve information from environment production source(s)
D:\Program Files (x86)\Puppet Labs\Puppet\bin>puppet.bat agent --test --server master.test.com
info: Caching certificate for feinno-hgg
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
err: /File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate: Could not retrieve information from environment production source(s) puppet://master.test.com/plugins
info: Caching catalog for feinno-hgg
info: Applying configuration version '1350284808'
info: Creating state file C:/ProgramData/PuppetLabs/puppet/var/state/state.yaml
notice: Finished catalog run in 0.18 seconds
This is caused by a bug in 2.7.x: when a Windows Puppet client syncs files from the Puppet server, it also syncs the server's plugins by default, and fails if no module provides a lib directory. The fix is as follows:
Create an empty lib directory under the module's directory. For example:
# mkdir /etc/puppet/modules/mymodule/lib
See also the official issue: https://projects.puppetlabs.com/issues/2244
7.8 notice: Run of Puppet configuration client already in progress; skipping
Solution: in some cases the puppet service will not start and reports that puppet is already running; the stale puppetdlock file must then be deleted:
Linux client absolute path: /var/lib/puppet/state/puppetdlock
Windows 2003 client absolute path: C:\Documents and Settings\All Users\Application Data\PuppetLabs\puppet\var\state\puppetdlock
Windows 2008 client absolute path: C:\ProgramData\PuppetLabs\puppet\var\state\puppetdlock
7.9 certificate verify failed: [CRL is not yet valid for /CN
err: /File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=pmaster.i.12582.com]
err: /File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=pmaster.i.12582.com] Could not retrieve file metadata for puppet://pmaster.i.12582.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=pmaster.i.12582.com]
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=pmaster.i.12582.com]
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=pmaster.i.12582.com]
Cause:
During certificate configuration the CA certificate may have stopped matching or been deleted.
Solution:
On the master, run:
# puppet cert clean c02.i.12582.com
On the client, run:
# rm -f C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/c02.i.12582.com.pem
# puppetd --test
Note: do not delete the whole SSL directory, only the named pem file; also adjust the hostnames above to match your environment.
8. Troubleshooting approach
1) Confirm that the firewalls between the server and client, and on each host itself, are not the problem;
2) Confirm that SELinux on the server is disabled;
3) Confirm that the certificates are configured correctly; the re-configuration process is as follows:
Puppet server:
# puppetca --clean client01.domain.com
Puppet client (delete the certificates under):
- Windows 2003:
C:\Documents and Settings\All Users\Application Data\PuppetLabs\puppet\etc\ssl
- Windows 2008:
C:\ProgramData\PuppetLabs\puppet\etc\ssl
- Linux client:
/var/lib/puppet/ssl