• Deploying the Puppet master/agent model


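    (Figure: a simple architecture diagram drawn by the author.)

    Every 30 minutes, each agent asks the master for the catalog that applies to it.

    Time must be synchronized across all nodes.
    The setup depends on DNS: every node must be able to resolve the others by hostname.

    1. Synchronize time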

    # yum install -y ntp ntpdate
    # ntpdate pool.ntp.org
    

    2. Edit hosts (for testing only; at scale, use DNS resolution)

    # vim /etc/hosts
    

    3. Install the packages: puppet and puppet-server on the master, only puppet on the agents

    # yum install -y puppet puppet-server
    
    # rpm -ql puppet-server
    /etc/puppet/fileserver.conf
    /etc/puppet/manifests
    /usr/lib/systemd/system/puppetmaster.service
    
    # rpm -ql puppet
    /etc/puppet/modules
    /etc/puppet/puppet.conf
    /usr/bin/puppet
    /usr/lib/systemd/system/puppet.service
    /usr/lib/systemd/system/puppetagent.service
    /var/lib/puppet
    /var/log/puppet
    /var/run/puppet
    

    4. Initialize the master (this is only to watch the startup process while testing; in practice you can start the service directly)

    # puppet help master
    --daemonize: Send the process into the background. This is the default.
    --no-daemonize: Do not send the process into the background.
    
    # puppet master --no-daemonize --verbose
    Info: Creating a new SSL key for ca
    Info: Creating a new SSL certificate request for ca
    Info: Certificate Request fingerprint (SHA256): 9A:66:76:76:2F:B0:86:8E:25:7F:24:B6:A5:09:44:3E:F4:2C:DB:37:24:CC:0C:4E:40:C7:C0:81:64:1B:06:61
    Notice: Signed certificate request for ca
    Info: Creating a new certificate revocation list
    Info: Creating a new SSL key for aliyun
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for aliyun
    Info: Certificate Request fingerprint (SHA256): C2:59:1A:9D:63:1C:6E:6D:93:68:C9:2C:B7:FD:99:8C:95:9D:D9:C5:7F:D7:38:87:3D:86:68:99:A9:D2:EB:EE
    Notice: aliyun has a waiting certificate request
    Notice: Signed certificate request for aliyun
    Notice: Removing file Puppet::SSL::CertificateRequest aliyun at '/var/lib/puppet/ssl/ca/requests/aliyun.pem'
    Notice: Removing file Puppet::SSL::CertificateRequest aliyun at '/var/lib/puppet/ssl/certificate_requests/aliyun.pem'
    Notice: Starting Puppet master version 3.6.2
    
    # netstat -tnlp      (listens on tcp/8140 by default)
    

    5. Start the master service

    # systemctl start puppetmaster
    # systemctl enable puppetmaster
    

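    The certificates can be deleted and regenerated (on the master this also removes the CA, so previously signed agent certificates stop being trusted):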

    # rm -rf /var/lib/puppet/ssl/*
    # puppet master --no-daemonize --verbose  
    

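    6. Edit the master's configuration file. It is an INI-style file: the [main] section holds shared settings, the [master] section the master's settings, and the [agent] section the agent's settings.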

    # puppet help master
    # puppet man master
    See the configuration file documentation at http://docs.puppetlabs.com/references/stable/configuration.html for the full list of acceptable settings. 
    A commented list of all settings can also be generated by running puppet master with '--genconfig'.
    
    # vim /etc/puppet/puppet.conf
    

    Generate the full list of settings

    # puppet help config
    
    puppet config <action> [--section SECTION_NAME]
    
    print    Examine Puppet's current setting.
    set      Set Puppet's settings.
    
    # puppet master --genconfig > /etc/puppet/test.conf 
    # puppet agent --genconfig >> /etc/puppet/test.conf 
    # vim /etc/puppet/test.conf
    

    Replace the existing configuration file

    # cp /etc/puppet/test.conf /etc/puppet/puppet.conf
    # systemctl restart puppetmaster
    

    7. Edit the agent's configuration file

    # vim /etc/puppet/puppet.conf
    server = puppetmaster.oupeng.com
    
    # puppet help agent
    # puppet man agent
    
    --daemonize
    --no-daemonize
    --noop: Use 'noop' mode where the daemon runs in a no-op or dry-run mode.
    -v|--verbose: Turn on verbose reporting.
    -V|--version: Print the puppet version number and exit.
    
    -t|--test: Enable the most common options used for testing. These are 'onetime', 'verbose', 'ignorecache', 'no-daemonize', 'no-usecacheonfailure', 'detailed-exitcodes', 'no-splay', and 'show_diff'.
    --onetime: Run the configuration once. Runs a single (normally daemonized) Puppet run.
    --detailed-exitcodes: Provide transaction information via exit codes. If this is enabled, an exit code of '2' means there were changes, an exit code of '4' means there were failures during the transaction, and an exit code of '6' means there were both changes and failures.
    
    # puppet agent -t
    # systemctl start puppet
    # systemctl enable puppet
    

    Print the current configuration

    # puppet config print
    # puppet config print --section master
    # puppet config print --section agent
    

    Find the module path

    # puppet config print modulepath
    /etc/puppet/environments/production/modules:/etc/puppet/modules:/usr/share/puppet/modules
    

    8. Manage certificate requests and signing on the master

    # puppet help cert 
    Manage certificates and requests.
    
    list: List outstanding certificate requests. If '--all' is specified, signed certificates are also listed, prefixed by '+', and revoked or invalid certificates are prefixed by '-'.
    sign: Sign an outstanding certificate request.
    revoke: Revoke the certificate of a client. (The master must be restarted for the revocation to take effect.)
    clean: Revoke a host's certificate and remove all files related to that host from puppet cert's storage.
    
    --all: Operate on all items. Currently only makes sense with the 'sign', 'clean', 'list', and 'fingerprint' actions.
    
    # puppet cert list
    # puppet cert list --all
    # puppet cert sign --all    
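
    `puppet cert sign --all` approves every pending request, so any host that can reach tcp/8140 and submit a CSR receives a trusted certificate. The added example below (not part of the original article) signs only requests whose SHA256 fingerprint, the value the master logs in step 4, matches one recorded out of band on the agent with `puppet agent --fingerprint`. The hostnames, fingerprints and function names are constructed, and the `puppet cert list` line format is assumed to be that of Puppet 3.x.

```shell
#!/usr/bin/env bash
# Added example: sign only CSRs whose fingerprint matches an allowlist.

# Constructed sample of `puppet cert list` output (Puppet 3.x format assumed).
sample_pending() {
cat <<'EOF'
  "agent1.oupeng.com" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
  "agent2.oupeng.com" (SHA256) DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF
  "unknown.oupeng.com" (SHA256) CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE
EOF
}

# Constructed allowlist, one "<certname> <sha256 fingerprint>" per line.
# agent2's expected value differs from its pending CSR (a substituted request).
sample_expected() {
cat <<'EOF'
agent1.oupeng.com 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
agent2.oupeng.com 0A:0B:0C:0D:0A:0B:0C:0D:0A:0B:0C:0D:0A:0B:0C:0D:0A:0B:0C:0D:0A:0B:0C:0D:0A:0B:0C:0D:0A:0B:0C:0D
EOF
}

# approved_certnames ALLOWLIST_FILE   (pending list on stdin)
# Prints certnames that are allowlisted AND whose pending CSR carries exactly
# the expected SHA256 fingerprint. Everything else is left unsigned.
approved_certnames() {
  awk '
    phase == 1 { want[$1] = toupper($2); next }   # load the allowlist
    $2 == "(SHA256)" {                            # pending request line
      name = $1; gsub(/"/, "", name)
      if ((name in want) && want[name] == toupper($3)) print name
    }
  ' phase=1 "$1" phase=2 -
}

# sign_verified ALLOWLIST_FILE: run on the master; signs matches one by one.
sign_verified() {
  puppet cert list | approved_certnames "$1" | while read -r name; do
    puppet cert sign "$name"
  done
}

# Demo on the constructed data only (does not call puppet).
demo() {
  tmp=$(mktemp)
  sample_expected > "$tmp"
  sample_pending | approved_certnames "$tmp"
  rm -f "$tmp"
}
demo
```

    Requests that do not match stay in the pending list, where `puppet cert list` still shows them for manual review.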
    

    9. Example: define the site manifest

    # cd /etc/puppet/manifests/
    # vim site.pp
      node "agent1.oupeng.com" {
        include mariadb
      }
    # puppet agent --no-daemonize -v --noop      
    # systemctl restart puppet  
    

    At this point the basic environment is deployed.

  • Original article: https://www.cnblogs.com/keithtt/p/7296496.html