Puppet Basics
= why =
Following the official documentation is best, even though it is in English. As of Oct 27 2021, salt keeps having 0-day problems, so for security we switched to puppet. There is really very little documentation now; back when I was at dovo it was very popular. Hence this page.

= install =
https://puppet.com/docs/puppet/7/install_agents.html#configure_server_setting
https://puppet.com/docs/puppetserver/5.3/intermediate_ca_configuration.html
https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html

== aliyun mirrors ==
https://developer.aliyun.com/mirror/puppet
https://mirrors.aliyun.com/puppet/

== Enable the Puppet platform repository ==
=== RH ===
Using the aliyun mirrors is faster.
<pre>
wget -c https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/x86_64/puppet7-release-7.0.0-1.el7.noarch.rpm && rpm -Uvh puppet7-release-7.0.0-1.el7.noarch.rpm
rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
</pre>

=== debian 10 or kali 2021 (note: it can only be buster) ===
<pre>
# remember to switch to google dns 8.8.4.4 or alidns first
#wget -c https://apt.puppetlabs.com/puppet6-release-buster.deb && dpkg -i puppet6-release-buster.deb
# on my kali
wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb
#https://mirrors.aliyun.com/puppet/apt/puppet6-release-buster.deb &&
# debian 11
wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-bullseye.deb && dpkg -i puppet7-release-bullseye.deb
#wget https://apt.puppet.com/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb
apt update
</pre>

== Installing Puppet Server ==
<pre>
# on RHEL
yum install puppetserver

# on debian
apt update
apt-get install puppetserver -y

systemctl enable puppetserver
sudo systemctl start puppetserver
/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver -v
puppetserver version: 6.14.1

cp /etc/profile /etc/profileevanbak
echo 'export PATH=/opt/puppetlabs/server/apps/puppetserver/bin/:$PATH' >> /etc/profile
apt-get install default-jdk
</pre>
[https://zhuanlan.zhihu.com/p/86308378 How to install OpenJDK11/OpenJDK8 on Debian 10]
[https://linuxhint.com/install_jdk_debian_10/ Installing JDK on Debian 10]
https://puppet.com/docs/puppet/6.19/server/install_from_packages.html

== 3. Install Puppet agent ==
=== RHEL ===
<pre>
rpm -Uvh https://yum.puppet.com/puppet7-release-el-7.noarch.rpm
</pre>
Other release packages:
https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
<pre>
cat /etc/yum.repos.d/puppet7.repo
[puppet7]
name=Puppet 7 Repository el 7 - $basearch
#baseurl=https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/$basearch
baseurl=http://yum.puppetlabs.com/puppet7/el/7/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release
enabled=1
gpgcheck=1

yum clean all
yum makecache
yum install puppet-agent
echo 'export PATH=/opt/puppetlabs/bin:$PATH' >> /etc/profile && source /etc/profile

# https://puppet.com/docs/puppet/6.19/install_agents.html
# Start the Puppet service:
sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
</pre>

=== deb ===
<pre>
apt-get install puppet-agent
source /etc/profile.d/puppet-agent.sh
systemctl enable puppet
systemctl start puppet

cat /etc/profile.d/puppet-agent.sh
# Add /opt/puppetlabs/bin to the path for sh compatible users
if [ -z "${PATH-}" ] ; then
  export PATH=/opt/puppetlabs/bin
elif ! echo "${PATH}" | grep -q /opt/puppetlabs/bin ; then
  export PATH="${PATH}:/opt/puppetlabs/bin"
fi
if ! echo "${MANPATH-}" | grep -q /opt/puppetlabs/puppet/share/man ; then
  export MANPATH="${MANPATH-}:/opt/puppetlabs/puppet/share/man"
fi
</pre>
https://puppet.com/docs/puppet/7/install_agents.html

== 4. Install PuppetDB (optional) ==

= configure =
https://puppet.com/docs/puppet/7/install_agents.html#agent_primary_server_connections
<pre>
# configure /etc/hosts first
# On the agent node, run:
puppet config set server puppetserver.example.com --section main

# 3. Connect the agent to the primary server and sign the certificate
# on the agent node
puppet ssl bootstrap
# You will see a message that looks like:
Info: Creating a new RSA SSL key for <agent node>

# On the primary server node, sign the certificate:
sudo puppetserver ca sign --certname <name>
# this is what I used; actually it is better not to use it
puppetserver ca sign --all

# On the agent node, run the agent again:
puppet ssl bootstrap
</pre>

== related config files ==
=== code on server ===
<pre>
# the initial layout
[root@r code]# tree .
.
├── environments
│   └── production
│       ├── data
│       ├── environment.conf
│       ├── hiera.yaml
│       ├── manifests
│       └── modules
└── modules

6 directories, 2 files
[root@code]# pwd
/etc/puppetlabs/code
</pre>

=== puppet server ===
<pre>
# The official docs are great; the only flaw is that configuring hosts and
# certname = puppetserver.example.com does not seem to be mentioned, or maybe I missed it.
# This time I completed the setup with the official docs; today I used them to delete the old key, good.
cat /etc/hosts
127.0.0.1 puppetserver.example.com
192.168.10.32 puppetserver.example.com
192.168.10.39 puppetagent
192.168.10.33 puppetagent2

cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
[master]
certname = puppetserver.example.com
</pre>

=== agent ===
<pre>
cat /etc/hosts
127.0.0.1 localhost
#127.0.1.1 puppetserver.example.com puppetserver
192.168.10.32 puppetserver.example.com puppetserver
127.0.1.1 puppetagent

cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetserver.example.com
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
runinterval=30
</pre>

=== agent2 ===
<pre>
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 puppetagent2 #debian11
192.168.10.32 puppetserver.example.com

root@puppetagent2:~# cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetserver.example.com
[agent]
runinterval=30
</pre>
This part will be filled in tomorrow, Sep 26.

= Fresh master: add an agent node (fresh install) and certificate configuration =
== info ==
Remember to set the hostname on each node.
192.168.10.70 master.pu.com
192.168.10.71 agent1.pu.com

== add hosts ==
=== master hosts ===
<pre>
127.0.1.1 puppet
192.168.10.70 master.pu.com
192.168.10.71 agent1.pu.com
</pre>

=== agent1 hosts ===
<pre>
192.168.10.70 master.pu.com
</pre>

== config ==
=== on agent ===
<pre>
puppet config set server master.pu.com --section main

# the default half hour before changes take effect is too long
cat /etc/puppetlabs/puppet/puppet.conf
[agent]
runinterval=30

# generate the certificate
puppet ssl bootstrap
</pre>

=== on master ===
<pre>
# On the primary server node, sign the certificate:
puppetserver ca sign --certname agent1.pu.com
</pre>

== Try installing a package on all nodes ==
<pre>
root@master:/etc/puppetlabs/code/environments/production/manifests# cat site.pp
node default {
  package { 'tmux':
    ensure => present,
  }
}
</pre>

= Add an agent node (fresh install) and certificate configuration =
== add hosts ==
=== add hosts on server ===
<pre>
#puppet
#home
127.0.0.1 puppetserver.example.com
192.168.10.32 puppetserver.example.com
192.168.10.39 puppetagent
192.168.10.33 puppetagent2
192.168.10.38 puppetagent38
192.168.2.200 proxy-intra
</pre>

=== add config and hosts on agent ===
<pre>
cat /etc/hosts
192.168.10.32 puppetserver.example.com

cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetserver.example.com
[agent]
runinterval=30
</pre>

== Generate the certificate on the agent ==
<pre>
evan]# puppet ssl bootstrap
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for proxy-intra
Info: Certificate Request fingerprint (SHA256): 14:49:D8:04:C7:3B:62:88:0A:20:91:22:15:72:49:37:A8:49:18:84:6A:BD:95:6B:3C:A3:0B:B6:42:8F:FD:9C
Info: Certificate for proxy-intra has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (proxy-intra).
Info: Will try again in 120 second

# note: after the server has accepted the certificate it usually takes a few more minutes to finish; the final message is:
Notice: Completed SSL initialization
</pre>

== Accept the certificate on the server ==
<pre>
# the certname is the one shown when the certificate was generated; usually it is the agent node's hostname
puppetserver ca sign --certname proxy-intra

# when it completes, the message is:
Successfully signed certificate request for proxy-intra
</pre>

= Add an agent node (not a fresh install) and certificate configuration =
The official docs are the best:
https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html
<pre>
puppetserver ca list --all
Signed Certificates:
    idc-test-all-db-192-168-10-120-c7       (SHA256)  AF:EA:3F:3D:97:71:04:76:5D:5B:B2:C2:91:98:2A:1:7A:19:44:F6:BD:B2:EB:B2:F1:2E:95:CA:D3:06	alt names: ["DNS:idc-test-all-db-192-168-10-120-c7"]

# first delete the key that already exists on the server; these steps are also the fix for
# puppet error: The certificate for 'CN=' does not match its private key
puppetserver ca clean --certname idc-test-all-db-192-168-10-120-c7
puppetserver ca clean --certname idc-test-all-php-192-168-10-122-c7

# if there is an old key (not a fresh install)
cd /etc/puppetlabs/puppet/ssl/certs/
rm -f ca.pem idc-test-all-db-192-168-10-120-c7.pem
# if on the node (puppet client)
systemctl restart puppet

# agent node
root@debian11# puppet ssl bootstrap
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for idc-test-all-php-192-168-10-122-c7
Info: Certificate Request fingerprint (SHA256): 7D:9F:B7:68:B3::84:06:6D:90:49:9C:8F:76:D7:3A:25:C9:98:E0:2F:0D:39:E1:95:A6:BB:EE:B1:27
Info: Certificate for idc-test-all-php-192-168-10-122-c7 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (idc-test-all-php-192-168-10-122-c7).
Info: Will try again in 120 seconds.

# this is the success message after acceptance; if only this message appears, without the ones above,
# then the same certificate already existed on the server
Notice: Completed SSL initialization

# accept on the server, success
# a single one
puppetserver ca sign --certname puppet2021
puppetserver ca sign --all
Successfully signed certificate request for idc-test-all-php-192-168-10-122-c7

# this command still does not work
puppetserver ca sign idc-test-all-php-192-168-10-122-c7

# e.g.
# in the end the certificate name accepted on the master is the hostname, so it is best to set the hostname beforehand;
# although my hosts file had it as puppet38 and the configuration tasks still succeeded with that, it is not clean
puppetserver ca sign --all
Successfully signed certificate request for debian11
</pre>

= The default 30 minutes is too long =
<pre>
# on agent: 120 seconds, 2 minutes
vi /etc/puppetlabs/puppet/puppet.conf
[agent]
server = master.test.cn
runinterval=120
</pre>

= Getting started examples =
<pre>
# install on all nodes; by default it takes effect within half an hour, or it can be run manually
cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
  package { 'emacs':
    ensure => present,
  }
}

# the clumsy way: install w3m on two nodes
cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node 'puppetagent' {
  package { 'w3m':
    ensure => present,
  }
}
node 'puppetagent2' {
  package { 'w3m':
    ensure => present,
  }
}
</pre>

== First file example ==
<pre>
# on server
# cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
  file { "/tmp/oct28.txt":
    content => "hey first puppet file";
  }
}

# result: pick any agent node
root@puppetagent:~# cat /tmp/oct28.txt
hey first puppet file
</pre>

== First shell command example ==
<pre>
cat site.pp
node default {
  Exec { path => "/bin:/sbin:/bin/sh:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" }
  exec { "touch files":
    command => "/usr/bin/touch /tmp/mytouch.txt";
  }
}
</pre>

== First module: configure a test node ==
<pre>
cd /etc/puppetlabs/code/environments/production/modules
root@master:/etc/puppetlabs/code/environments/production/modules# mkdir -p test/{manifests,templates,files}

vi templates/test.erb
hostname <%= fqdn %>

vi manifests/init.pp
class test {
  file { "/tmp/$hostname.txt":
    content => "hey world";
  }
}

root@master:/etc/puppetlabs/code/environments/production/manifests# mkdir nodes
vi agent1.pu.com.pp
node 'agent1.pu.com' {
  include test
}

# pull manually
root@agent1:~# puppet agent -t

cat ../site.pp
node default {
  package { 'tree':
    ensure => present,
  }
}
# actually only this line is needed; everything above and below can be dropped
import "nodes/agent1.pu.pp"
# the include form, but it seems to have a problem
# this one, for all nodes, succeeded
import "nodes/*.pp"

# for now only agent1 has it, because at first agent1 was the only node
root@agent1:~# cat /tmp/agent1.txt
hey world

trouble shooting
The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc>
11月 21 22:25:11 myxps puppet-agent[34301]: The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc>
</pre>

= video =
[https://www.bilibili.com/video/BV1H7411u7mu?p=5 Puppet automated operations: enterprise practice]

= advanced =
[https://www.cnblogs.com/along21/p/10369858.html Enterprise automation tool: puppet in detail]
[https://www.cnblogs.com/keerya/p/8040071.html Automation tool puppet in detail (1)]
[https://www.cnblogs.com/keerya/p/8087675.html Automation tool puppet in detail (2)]

= see also =

= trouble shooting =
<pre>
root@master:~# puppetserver ca sign --certname agent1.pu.com
Fatal error when running action 'sign'
  Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_status/
  Root cause: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)
root@master:~# cat /etc/hosts
127.0.1.1 puppet
</pre>

= references =
https://en.wikipedia.org/wiki/Puppet_(software)
[https://www.cnblogs.com/baizhantang/p/3208210.html Managing 500+ servers in bulk with puppet]
[https://www.cnblogs.com/kevingrace/p/5740984.html Puppet basics overview]
[http://www.srcmini.com/41406.html Puppet components explained]
[http://www.srcmini.com/41401.html Puppet class usage examples]
[https://www.cnblogs.com/krainbow/p/4212056.html puppet multi-environment configuration (puppet automation series 2)]
[https://www.cnblogs.com/krainbow/p/4212048.html puppet initial installation and configuration (puppet automation series 1)]
[https://www.meirenji.info/2018/09/03/puppet%E8%87%AA%E5%8A%A8%E5%8C%96%E5%B8%83%E7%BD%B2%E9%85%8D%E7%BD%AE%E5%85%A5%E9%97%A8/ Introduction to puppet automated deployment configuration]
[https://www.cnblogs.com/sddai/p/11031885.html Puppet automated management configuration]
[https://www.jianshu.com/p/63234d526866 Getting started with puppet]
[https://blog.51cto.com/u_433266/2176059?xiangguantuijian&06 Puppet lab 5: software installation test]
Usage
[https://www.zsythink.net/archives/331 Getting started with puppet: basics of using puppet (puppet 5)]
[https://www.linuxidc.com/Linux/2012-12/75979.htm A real-world case of bulk deployment with Puppet]
[https://www.cnblogs.com/Dicky-Zhang/p/6260127.html puppet configuration]

== Application examples ==
[https://blog.51cto.com/forall/1913534 Bulk deploying tomcat with Puppet]
[https://blog.csdn.net/weixin_33964094/article/details/92921026 Bulk deploying tomcat with Puppet]
[[category:devops]]
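The certificate sections above sign agent requests with `puppetserver ca sign --all`, which the page itself says is better avoided: it enrols every pending request, including one from any host that can reach the server and has guessed its name. The agent prints its CSR fingerprint during `puppet ssl bootstrap` (the `Certificate Request fingerprint (SHA256)` lines quoted above); comparing that value, obtained out of band, with what the CA lists before signing is the check that keeps a stray or unexpected request out. The script below is an added example, not code from this wiki page or from Puppet. It assumes that `puppetserver ca list` prints pending requests under a `Requested Certificates:` header in the `<certname>  (SHA256)  <fingerprint>` layout the page shows for `ca list --all`; the sample listing and its fingerprints are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the wiki page or from Puppet): sign an agent's CSR only after the
# fingerprint the CA holds matches the one the agent printed during `puppet ssl bootstrap`.
# Assumed: `puppetserver ca list` prints pending requests under "Requested Certificates:" as
#     <certname>   (SHA256)  <AA:BB:...>
# which is the layout the page shows for `puppetserver ca list --all`.

# normalise_fp FP: upper-case and drop colons/spaces so "ab:cd", "AB:CD" and "ABCD" compare equal
normalise_fp() {
  printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# csr_fingerprint NAME < ca-list-output: fingerprint of the *pending* request for NAME.
# Entries under the Signed/Revoked headers are ignored; prints nothing if none is pending.
csr_fingerprint() {
  awk -v name="$1" '
    /^Requested Certificates:/                 { in_req = 1; next }
    /^(Signed|Revoked) Certificates:/          { in_req = 0; next }
    in_req && $1 == name && $2 == "(SHA256)"   { print $3; exit }
  '
}

# verify_csr NAME EXPECTED_FP < ca-list-output
# returns 0 on match, 1 on mismatch (request from an unexpected key), 2 if nothing is pending
verify_csr() {
  vc_actual=$(csr_fingerprint "$1")
  if [ -z "$vc_actual" ]; then
    echo "no pending CSR for $1" >&2
    return 2
  fi
  if [ "$(normalise_fp "$vc_actual")" != "$(normalise_fp "$2")" ]; then
    echo "REFUSING to sign $1: CA sees $vc_actual, agent reported $2" >&2
    return 1
  fi
  return 0
}

# sign_if_verified NAME EXPECTED_FP: the real thing on the server; never `ca sign --all`
sign_if_verified() {
  puppetserver ca list | verify_csr "$1" "$2" || return $?
  puppetserver ca sign --certname "$1"
}

# Constructed sample of CA output; the fingerprints are made up for the demo.
AGENT1_FP='11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'
PROXY_FP='AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'
sample_ca_list() {
  printf 'Requested Certificates:\n'
  printf '    agent1.pu.com    (SHA256)  %s\n' "$AGENT1_FP"
  printf '    proxy-intra      (SHA256)  %s\n' "$PROXY_FP"
  printf 'Signed Certificates:\n'
  printf '    master.pu.com    (SHA256)  %s\talt names: ["DNS:master.pu.com"]\n' "$PROXY_FP"
}

# demo: the fingerprint copied from agent1's bootstrap output matches -> safe to sign;
# a fingerprint pasted from a different node's output does not match agent1's request -> refused
if sample_ca_list | verify_csr agent1.pu.com "$AGENT1_FP"; then
  echo "agent1.pu.com verified: puppetserver ca sign --certname agent1.pu.com"
fi
sample_ca_list | verify_csr agent1.pu.com "$PROXY_FP" || echo "exit status $?"
```

On a real server the call is `sign_if_verified agent1.pu.com <fingerprint read from the agent's console>`; the function exits before `puppetserver ca sign` runs whenever the fingerprints differ or no request is pending, so a stale or duplicate certname (the `does not match its private key` case above) is surfaced instead of silently signed.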
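Several messages quoted on this page recur every time a node is enrolled or re-enrolled: `has not been signed yet`, `does not match its private key`, `Completed SSL initialization`, and the `getaddrinfo: Name or service not known` failure in the trouble shooting section. The functions below are an added example (not from the page or from Puppet) that classify such lines and map each class to the remedy this page applies for it. The embedded log lines are constructed from the messages shown above; the certnames and host names in them are the page's own, and the journal-style prefix on the first line is assumed.

```shell
#!/bin/sh
# Added example (not from the wiki page or from Puppet): triage puppet agent/server log
# lines into the failure classes this page documents, with the page's remedy for each.

# triage_line LINE -> prints "<CLASS> <name>" ("<CLASS>" alone when no name applies)
triage_line() {
  tl_line="$1"
  case "$tl_line" in
    *"does not match its private key"*)
      # agent still holds an old key/cert for a certname the CA already knows
      tl_name=$(printf '%s' "$tl_line" | sed -n "s/.*'CN=\([^']*\)'.*/\1/p")
      echo "KEY_MISMATCH $tl_name" ;;
    *"has not been signed yet"*)
      tl_name=$(printf '%s' "$tl_line" | sed -n 's/.*Certificate for \([^ ]*\) has not been signed yet.*/\1/p')
      echo "PENDING_CSR $tl_name" ;;
    *"you might still need to sign this agent's certificate ("*)
      tl_name=$(printf '%s' "$tl_line" | sed -n 's/.*certificate (\([^)]*\)).*/\1/p')
      echo "PENDING_CSR $tl_name" ;;
    *"Completed SSL initialization"*)
      echo "SSL_OK" ;;
    *"getaddrinfo: Name or service not known"*)
      # the server (or agent) cannot resolve the name it was told to contact
      tl_name=$(printf '%s' "$tl_line" | sed -n 's/.*TCP connection to \([^ :]*\):[0-9]*.*/\1/p')
      echo "NAME_RESOLUTION $tl_name" ;;
    *)
      echo "OTHER" ;;
  esac
}

# remedy_for CLASS NAME -> the action this page uses for that class
remedy_for() {
  case "$1" in
    KEY_MISMATCH)    echo "server: puppetserver ca clean --certname $2 ; agent: remove ca.pem and $2.pem under /etc/puppetlabs/puppet/ssl/certs, then puppet ssl bootstrap" ;;
    PENDING_CSR)     echo "server: compare the CSR fingerprint with the agent's, then puppetserver ca sign --certname $2" ;;
    NAME_RESOLUTION) echo "server: add $2 to /etc/hosts (or set certname/server to a resolvable name) and retry" ;;
    SSL_OK)          echo "nothing to do" ;;
    *)               echo "no rule" ;;
  esac
}

# triage_log < lines -> one "CLASS name" per finding that needs action, de-duplicated
triage_log() {
  while IFS= read -r tl_l; do
    triage_line "$tl_l"
  done | grep -v '^OTHER' | grep -v '^SSL_OK' | sort -u
}

# Constructed sample, assembled from the messages quoted on this page.
sample_log() {
  cat <<'EOF'
Nov 21 22:25:11 myxps puppet-agent[34301]: The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not match its private key
Info: Certificate for proxy-intra has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (proxy-intra).
Info: Will try again in 120 seconds.
Root cause: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)
Notice: Completed SSL initialization
EOF
}

# demo: triage the sample and print the remedy for each finding
sample_log | triage_log | while read -r cls name; do
  printf '%-16s %-36s %s\n' "$cls" "$name" "$(remedy_for "$cls" "$name")"
done
```

In use, feed `journalctl -u puppet -o cat` (agent) or the puppetserver log into `triage_log`; the de-duplication means a node that retries every 120 seconds, as the page's output shows, still produces a single `PENDING_CSR` finding.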