“Puppet基础”的版本间的差异
(未显示同一用户的93个中间版本) | |||
第1行: | 第1行: | ||
+ | =why= | ||
+ | 一切按官方文档是最好的哦 虽然英文Oct 27 2021 | ||
+ | salt 老是0day问题 ,为了安全 于是上puppet 现在文档真的很少,以前在dovo时,流行得很呢 于是有了本文 | ||
+ | |||
+ | =install= | ||
+ | |||
+ | https://puppet.com/docs/puppet/7/install_agents.html#configure_server_setting | ||
+ | |||
+ | https://puppet.com/docs/puppetserver/5.3/intermediate_ca_configuration.html | ||
+ | |||
+ | https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html | ||
+ | |||
+ | |||
+ | ==aliyun mirrors == | ||
+ | https://developer.aliyun.com/mirror/puppet | ||
+ | https://mirrors.aliyun.com/puppet/ | ||
+ | |||
+ | ==* Enable the Puppet platform repository == | ||
+ | |||
+ | === RH=== | ||
+ | 可以用aliyun mirrors 会更加快 | ||
+ | wget -c https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/x86_64/puppet7-release-7.0.0-1.el7.noarch.rpm && rpm -Uvh puppet7-release-7.0.0-1.el7.noarch.rpm | ||
+ | |||
+ | rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm | ||
+ | |||
+ | === debian 10 or kali 2021 只能是 buster 注意 === | ||
+ | <pre> | ||
+ | 记得要改为google dns 8.8.4.4 or alidns | ||
+ | #wget -c https://apt.puppetlabs.com/puppet6-release-buster.deb && dpkg -i puppet6-release-buster.deb | ||
+ | |||
+ | #on my kali | ||
+ | wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb | ||
+ | #https://mirrors.aliyun.com/puppet/apt/puppet6-release-buster.deb && | ||
+ | |||
+ | wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-bullseye.deb && dpkg -i puppet7-release-bullseye.deb #debian 11 | ||
+ | #wget https://apt.puppet.com/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb | ||
+ | apt update </pre> | ||
+ | |||
+ | == Installing Puppet Server == | ||
+ | <pre> | ||
+ | |||
+ | #问题 昨天在家里的 debian 11 安装不了 puppetserver | ||
+ | |||
+ | 但是在外网的debian10 是可以安装的 | ||
+ | |||
+ | #base on RHEL | ||
+ | yum install puppetserver | ||
+ | |||
+ | #base on debina | ||
+ | apt update | ||
+ | apt-get install puppetserver -y | ||
+ | systemctl enable puppetserver | ||
+ | sudo systemctl start puppetserver | ||
+ | |||
+ | /opt/puppetlabs/server/apps/puppetserver/bin/puppetserver -v | ||
+ | puppetserver version: 6.14.1 | ||
+ | |||
+ | cp /etc/profile /etc/profileevanbak | ||
+ | echo 'export PATH=/opt/puppetlabs/server/apps/puppetserver/bin/:$PATH' >> /etc/profile | ||
+ | |||
+ | apt-get install default-jdk | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | [https://zhuanlan.zhihu.com/p/86308378 如何在 Debian 10 上安装 OpenJDK11/OpenJDK8] | ||
+ | |||
+ | |||
+ | [https://linuxhint.com/install_jdk_debian_10/ Installing JDK on Debian 10] | ||
+ | |||
+ | https://puppet.com/docs/puppet/6.19/server/install_from_packages.html | ||
+ | |||
+ | == * 3. Install Puppet agent == | ||
+ | |||
+ | === ** RHEL === | ||
+ | rpm -Uvh https://yum.puppet.com/puppet7-release-el-7.noarch.rpm | ||
+ | |||
+ | https://yum.puppet.com/puppet7-release-el-8.noarch.rpm | ||
+ | https://yum.puppet.com/puppet6-release-el-7.noarch.rpm | ||
+ | |||
+ | =====** ===== | ||
+ | <pre> cat /etc/yum.repos.d/puppet7.repo | ||
+ | [puppet7] | ||
+ | name=Puppet 7 Repository el 7 - $basearch | ||
+ | #baseurl=https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/$basearch | ||
+ | baseurl=http://yum.puppetlabs.com/puppet7/el/7/$basearch | ||
+ | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release | ||
+ | file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release | ||
+ | enabled=1 | ||
+ | gpgcheck=1 | ||
+ | |||
+ | |||
+ | yum clean all | ||
+ | yum makecache | ||
+ | |||
+ | yum install puppet-agent | ||
+ | |||
+ | |||
+ | echo 'export PATH=/opt/puppetlabs/bin:$PATH' >> /etc/profile && source /etc/profile | ||
+ | https://puppet.com/docs/puppet/6.19/install_agents.html | ||
+ | |||
+ | Start the Puppet service: sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true | ||
+ | </pre> | ||
+ | |||
+ | === ** deb === | ||
+ | <pre> apt-get install puppet-agent | ||
+ | |||
+ | source /etc/profile.d/puppet-agent.sh | ||
+ | |||
+ | systemctl enable puppet | ||
+ | systemctl start puppet | ||
+ | |||
+ | |||
+ | cat /etc/profile.d/puppet-agent.sh | ||
+ | # Add /opt/puppetlabs/bin to the path for sh compatible users | ||
+ | |||
+ | if [ -z "${PATH-}" ] ; then | ||
+ | export PATH=/opt/puppetlabs/bin | ||
+ | elif ! echo "${PATH}" | grep -q /opt/puppetlabs/bin ; then | ||
+ | export PATH="${PATH}:/opt/puppetlabs/bin" | ||
+ | fi | ||
+ | |||
+ | if ! echo "${MANPATH-}" | grep -q /opt/puppetlabs/puppet/share/man ; then | ||
+ | export MANPATH="${MANPATH-}:/opt/puppetlabs/puppet/share/man" | ||
+ | fi | ||
+ | |||
+ | |||
+ | </pre> | ||
+ | https://puppet.com/docs/puppet/7/install_agents.html | ||
+ | |||
+ | ==* 4. Install PuppetDB (optional)== | ||
+ | |||
= = | = = | ||
+ | |||
+ | =configure= | ||
+ | |||
+ | https://puppet.com/docs/puppet/7/install_agents.html#agent_primary_server_connections | ||
+ | |||
+ | <pre> | ||
+ | |||
+ | # 要先配置hosts | ||
+ | |||
+ | #On the agent node, run: | ||
+ | puppet config set server puppetserver.example.com --section main | ||
+ | |||
+ | #3. Connect the agent to the primary server and sign the certificate | ||
+ | |||
+ | # on agent node | ||
+ | puppet ssl bootstrap | ||
+ | |||
+ | You will see a message that looks like: | ||
+ | |||
+ | Info: Creating a new RSA SSL key for <agent node> | ||
+ | |||
+ | #On the primary server node, sign the certificate: | ||
+ | #puppetsrver | ||
+ | sudo puppetserver ca sign --certname <name> | ||
+ | #我是这个 其实最好不要这个 | ||
+ | puppetserver ca sign --all | ||
+ | |||
+ | |||
+ | #On the agent node, run the agent again: | ||
+ | |||
+ | puppet ssl bootstrap | ||
+ | </pre> | ||
+ | == 相关配置文件== | ||
+ | ===code on server=== | ||
+ | <pre> | ||
+ | 最开始的样子 | ||
+ | [root@r code]# tree | ||
+ | . | ||
+ | ├── environments | ||
+ | │ └── production | ||
+ | │ ├── data | ||
+ | │ ├── environment.conf | ||
+ | │ ├── hiera.yaml | ||
+ | │ ├── manifests | ||
+ | │ └── modules | ||
+ | └── modules | ||
+ | |||
+ | 6 directories, 2 files | ||
+ | [root@code]# pwd | ||
+ | /etc/puppetlabs/code | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ===puppet server === | ||
+ | <pre> | ||
+ | |||
+ | #官方文档就是666 唯一瑕疵 就是配置hosts 和 certname = puppetserver.example.com 好像没说到 还是我没看到呢 这次配置完成用官方文档了,今天就用了删除原来的key good | ||
+ | cat /etc/hosts | ||
+ | |||
+ | 127.0.0.1 puppetserver.example.com | ||
+ | 192.168.10.32 puppetserver.example.com | ||
+ | 192.168.10.39 puppetagent | ||
+ | 192.168.10.33 puppetagent2 | ||
+ | |||
+ | cat /etc/puppetlabs/puppet/puppet.conf | ||
+ | |||
+ | # This file can be used to override the default puppet settings. | ||
+ | # See the following links for more details on what settings are available: | ||
+ | # - https://puppet.com/docs/puppet/latest/config_important_settings.html | ||
+ | # - https://puppet.com/docs/puppet/latest/config_about_settings.html | ||
+ | # - https://puppet.com/docs/puppet/latest/config_file_main.html | ||
+ | # - https://puppet.com/docs/puppet/latest/configuration.html | ||
+ | [server] | ||
+ | vardir = /opt/puppetlabs/server/data/puppetserver | ||
+ | logdir = /var/log/puppetlabs/puppetserver | ||
+ | rundir = /var/run/puppetlabs/puppetserver | ||
+ | pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid | ||
+ | codedir = /etc/puppetlabs/code | ||
+ | [master] | ||
+ | certname = puppetserver.example.com | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ===agent === | ||
+ | <pre> | ||
+ | cat /etc/hosts | ||
+ | 127.0.0.1 localhost | ||
+ | #127.0.1.1 puppetserver.example.com puppetserver | ||
+ | 192.168.10.32 puppetserver.example.com puppetserver | ||
+ | 127.0.1.1 puppetagent | ||
+ | |||
+ | cat /etc/puppetlabs/puppet/puppet.conf | ||
+ | [main] | ||
+ | server = puppetserver.example.com | ||
+ | # This file can be used to override the default puppet settings. | ||
+ | # See the following links for more details on what settings are available: | ||
+ | # - https://puppet.com/docs/puppet/latest/config_important_settings.html | ||
+ | # - https://puppet.com/docs/puppet/latest/config_about_settings.html | ||
+ | # - https://puppet.com/docs/puppet/latest/config_file_main.html | ||
+ | # - https://puppet.com/docs/puppet/latest/configuration.html | ||
+ | [agent] | ||
+ | runinterval=30 | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | === agent2=== | ||
+ | <pre> | ||
+ | cat /etc/hosts | ||
+ | 127.0.0.1 localhost | ||
+ | 127.0.1.1 puppetagent2 | ||
+ | #debian11 | ||
+ | |||
+ | |||
+ | 192.168.10.32 puppetserver.example.com | ||
+ | |||
+ | root@puppetagent2:~# cat /etc/puppetlabs/puppet/puppet.conf | ||
+ | [main] | ||
+ | server = puppetserver.example.com | ||
+ | [agent] | ||
+ | runinterval=30 | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | 这里的明天再补上 Sep 26 | ||
+ | |||
+ | = 全新 mastet 添加agent node(全新安装) 和证书配置= | ||
+ | ==info== | ||
+ | 各自记得起hostname | ||
+ | 192.168.10.70 master.pu.com | ||
+ | 192.168.10.71 agent1.pu.com | ||
+ | |||
+ | ==add hosts== | ||
+ | |||
+ | ===master hosts=== | ||
+ | <pre> | ||
+ | 127.0.1.1 puppet | ||
+ | 192.168.10. 70 master.pu.com | ||
+ | 192.168.10. 71 agent1.pu.com | ||
+ | |||
+ | </pre> | ||
+ | ===agent1 hosts=== | ||
+ | <pre> | ||
+ | 192.168.10.70 master.pu.com | ||
+ | |||
+ | </pre> | ||
+ | ==config == | ||
+ | ===on agent=== | ||
+ | <pre> | ||
+ | puppet config set server master.pu.com --section main | ||
+ | |||
+ | #改变半小时生效太长 | ||
+ | cat /etc/puppetlabs/puppet/puppet.conf | ||
+ | [agent] | ||
+ | runinterval=30 | ||
+ | |||
+ | |||
+ | #生成证书 | ||
+ | puppet ssl bootstrap | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ===on master=== | ||
+ | <pre> | ||
+ | |||
+ | #On the primary server node, sign the certificate: | ||
+ | |||
+ | puppetserver ca sign --certname agent1.pu.com | ||
+ | </pre> | ||
+ | |||
+ | == 全部节点安装个软件试试== | ||
+ | <pre> | ||
+ | root@master:/etc/puppetlabs/code/environments/production/manifests# cat site.pp | ||
+ | node default { | ||
+ | package { 'tmux': | ||
+ | ensure => present, | ||
+ | } | ||
+ | } | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | =添加 agent node(全新安装) 和证书配置= | ||
+ | |||
+ | |||
+ | ==add hosts== | ||
+ | === add hosts on server=== | ||
+ | <pre> | ||
+ | |||
+ | #puppet | ||
+ | #home | ||
+ | 127.0.0.1 puppetserver.example.com | ||
+ | 192.168.10.32 puppetserver.example.com | ||
+ | 192.168.10.39 puppetagent | ||
+ | 192.168.10.33 puppetagent2 | ||
+ | 192.168.10.38 puppetagent38 | ||
+ | |||
+ | |||
+ | 192.168.2.200 proxy-intra | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | |||
+ | === add config and hosts on agent === | ||
+ | <pre> | ||
+ | cat /etc/hosts | ||
+ | |||
+ | 192.168.10.32 puppetserver.example.com | ||
+ | |||
+ | cat /etc/puppetlabs/puppet/puppet.conf | ||
+ | [main] | ||
+ | server = puppetserver.example.com | ||
+ | |||
+ | [agent] | ||
+ | runinterval=30 | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | == 生成证书 on agent == | ||
+ | <pre> | ||
+ | evan]# puppet ssl bootstrap | ||
+ | Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml | ||
+ | Info: Creating a new SSL certificate request for proxy-intra | ||
+ | Info: Certificate Request fingerprint (SHA256): 14:49:D8:04:C7:3B:62:88:0A:20:91:22:15:72:49:37:A8:49:18:84:6A:BD:95:6B:3C:A3:0B:B6:42:8F:FD:9C | ||
+ | Info: Certificate for proxy-intra has not been signed yet | ||
+ | Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (proxy-intra). | ||
+ | Info: Will try again in 120 second | ||
+ | |||
+ | #注意 一般server 接受了证书后 还要过几分钟才完成 最终提示如下 | ||
+ | |||
+ | Notice: Completed SSL initialization | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | == 接受证书 on server == | ||
+ | <pre> | ||
+ | #certname 看生成证书时的提醒 一般是你的node agent的hostname | ||
+ | puppetserver ca sign --certname proxy-intra | ||
+ | |||
+ | #执行完成 提示如下 | ||
+ | Successfully signed certificate request for proxy-intra | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | =添加 agent node(非全新安装) 和证书配置= | ||
+ | 官方文档最6 | ||
+ | https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html | ||
+ | <pre> | ||
+ | puppetserver ca list --all | ||
+ | Signed Certificates: | ||
+ | |||
+ | idc-test-all-db-192-168-10-120-c7 (SHA256) AF:EA:3F:3D:97:71:04:76:5D:5B:B2:C2:91:98:2A:1:7A:19:44:F6:BD:B2:EB:B2:F1:2E:95:CA:D3:06 alt names: ["DNS:idc-test-all-db-192-168-10-120-c7"] | ||
+ | |||
+ | |||
+ | #先删除原来存在的了key on server 这几步 也是 puppet rror: The certificate for 'CN=' does not match its private key的解决办法 | ||
+ | puppetserver ca clean --certname idc-test-all-db-192-168-10-120-c7 | ||
+ | puppetserver ca clean --certname idc-test-all-php-192-168-10-122-c7 | ||
+ | |||
+ | |||
+ | #如果有老的key 不是新安装 | ||
+ | cd /etc/puppetlabs/puppet/ssl/certs/ | ||
+ | rm -f ca.pem idc-test-all-db-192-168-10-120-c7.pem | ||
+ | |||
+ | # if on node puppet client | ||
+ | systemctl restart puppet | ||
+ | |||
+ | |||
+ | #agent node | ||
+ | root@debian11# puppet ssl bootstrap | ||
+ | Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml | ||
+ | Info: Creating a new SSL certificate request for idc-test-all-php-192-168-10-122-c7 | ||
+ | Info: Certificate Request fingerprint (SHA256): 7D:9F:B7:68:B3::84:06:6D:90:49:9C:8F:76:D7:3A:25:C9:98:E0:2F:0D:39:E1:95:A6:BB:EE:B1:27 | ||
+ | Info: Certificate for idc-test-all-php-192-168-10-122-c7 has not been signed yet | ||
+ | Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (idc-test-all-php-192-168-10-122-c7). | ||
+ | Info: Will try again in 120 seconds. | ||
+ | |||
+ | #这个是接受后成功的提示 ,如果只有这个提示 没有前面的 那就是在servrer 存在了相同的了 | ||
+ | Notice: Completed SSL initialization | ||
+ | |||
+ | |||
+ | |||
+ | #sever 上接受 成功喽 | ||
+ | #单独一个 | ||
+ | puppetserver ca sign --certname puppet2021 | ||
+ | |||
+ | puppetserver ca sign --all | ||
+ | Successfully signed certificate request for idc-test-all-php-192-168-10-122-c7 | ||
+ | |||
+ | |||
+ | |||
+ | #这个命令还是不成功 | ||
+ | puppetserver ca sign idc-test-all-php-192-168-10-122-c7 | ||
+ | |||
+ | |||
+ | 例如 | ||
+ | #最后在master 接受的证书名是以hostname的哦 最好是事先起好hostname,虽然我hosts文件配置为puppet38 配置任务用这个也是成功的 ,不过还是不够规范 | ||
+ | puppetserver ca sign --all | ||
+ | Successfully signed certificate request for debian11 | ||
+ | |||
+ | |||
+ | </pre> | ||
+ | |||
+ | =默认30分钟太久= | ||
+ | <pre> | ||
+ | #on agent 120 秒 ,2 分钟 | ||
+ | vi /etc/puppetlabs/puppet/puppet.conf | ||
+ | [agent] | ||
+ | server = master.test.cn | ||
+ | runinterval=120 | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | =入门例子= | ||
+ | <pre> | ||
+ | #安装到所有节点 默认是半个小时成效 可以手工执行 | ||
+ | cat /etc/puppetlabs/code/environments/production/manifests/site.pp | ||
+ | node default { | ||
+ | package { 'emacs': | ||
+ | ensure => present, | ||
+ | } | ||
+ | } | ||
+ | |||
+ | |||
+ | |||
+ | # 笨方法 两个节点安装 w3m | ||
+ | cat /etc/puppetlabs/code/environments/production/manifests/site.pp | ||
+ | node 'puppetagent' { | ||
+ | package { 'w3m': | ||
+ | ensure => present, | ||
+ | } | ||
+ | } | ||
+ | node 'puppetagent2' { | ||
+ | package { 'w3m': | ||
+ | ensure => present, | ||
+ | } | ||
+ | } | ||
+ | </pre> | ||
+ | ==第一个file 例子== | ||
+ | <pre> | ||
+ | #on server | ||
+ | #cat /etc/puppetlabs/code/environments/production/manifests/site.pp | ||
+ | node default { | ||
+ | file { "/tmp/oct28.txt": | ||
+ | content => "hey first puppet file"; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | |||
+ | #结果 随便找个 agent node | ||
+ | root@puppetagent:~# cat /tmp/oct28.txt | ||
+ | hey first puppet file | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ==第一个shell 命令例子== | ||
+ | <pre> | ||
+ | cat site.pp | ||
+ | node default { | ||
+ | Exec {path =>"/bin:/sbin:/bin/sh:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"} | ||
+ | exec { "touch files": | ||
+ | command => "/usr/bin/touch /tmp/mytouch.txt"; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | |||
+ | </pre> | ||
+ | |||
+ | |||
+ | ==第一个 配置一个测试节点 modules == | ||
+ | <pre> | ||
+ | |||
+ | cd /etc/puppetlabs/code/environments/production/modules | ||
+ | root@master:/etc/puppetlabs/code/environments/production/modules# | ||
+ | mkdir -p test/{manifests,templates,files} | ||
+ | |||
+ | |||
+ | vi templates/test.erb | ||
+ | hostname <%= fqdn %> | ||
+ | |||
+ | vi manifests/init.pp | ||
+ | class test { | ||
+ | file {"/tmp/$hostname.txt": content => "hey world";} | ||
+ | } | ||
+ | |||
+ | |||
+ | root@master:/etc/puppetlabs/code/environments/production/manifests# mkdir nodes | ||
+ | |||
+ | vi agent1.pu.com.pp | ||
+ | node 'agent1.pu.com' { | ||
+ | include test | ||
+ | } | ||
+ | |||
+ | |||
+ | 主动拉取 | ||
+ | root@agent1:~# puppet agent -t | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | cat ../site.pp | ||
+ | node default { | ||
+ | package { 'tree': | ||
+ | ensure => present, | ||
+ | } | ||
+ | } | ||
+ | |||
+ | #其实只要这行 上面和下面的全可不要 | ||
+ | import "nodes/agent1.pu.pp" | ||
+ | #include的写法 但是好像有问题 这个所有的 | ||
+ | import "nodes/*.pp" | ||
+ | |||
+ | |||
+ | |||
+ | 成功 暂时是只有 agent1 有,因为开始只是node 里只有 agent1 | ||
+ | root@agent1:~# cat /tmp/agent1.txt | ||
+ | hey world | ||
+ | |||
+ | |||
+ | |||
+ | trouble shooting | ||
+ | |||
+ | The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc> | ||
+ | 11月 21 22:25:11 myxps puppet-agent[34301]: The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc> | ||
+ | ~ | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | =video= | ||
+ | [https://www.bilibili.com/video/BV1H7411u7mu?p=5 Puppet自动化运维企业实战] | ||
+ | |||
+ | =进阶= | ||
+ | [https://www.cnblogs.com/along21/p/10369858.html 企业级自动化运维工具---puppet详解 ] | ||
+ | |||
+ | [https://www.cnblogs.com/keerya/p/8040071.html 自动化运维工具——puppet详解(一) ] | ||
+ | |||
+ | [https://www.cnblogs.com/keerya/p/8087675.html 自动化运维工具——puppet详解(二) ] | ||
=see also= | =see also= | ||
+ | |||
+ | =trouble shooting= | ||
+ | <pre> | ||
+ | |||
+ | root@master:~# puppetserver ca sign --certname agent1.pu.com | ||
+ | Fatal error when running action 'sign' | ||
+ | Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_status/ | ||
+ | Root cause: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known) | ||
+ | |||
+ | |||
+ | root@master:~# cat /etc/hosts | ||
+ | |||
+ | 127.0.1.1 puppet | ||
+ | </pre> | ||
+ | |||
+ | =references= | ||
+ | https://en.wikipedia.org/wiki/Puppet_(software) | ||
+ | |||
+ | |||
+ | [https://www.cnblogs.com/baizhantang/p/3208210.html puppet批量管理500多台服务器 ] | ||
+ | |||
+ | [https://www.cnblogs.com/kevingrace/p/5740984.html Puppet常识梳理 ] | ||
[http://www.srcmini.com/41406.html Puppet组件详解] | [http://www.srcmini.com/41406.html Puppet组件详解] | ||
+ | |||
+ | [http://www.srcmini.com/41401.html Puppet类用法示例] | ||
第9行: | 第598行: | ||
[https://www.cnblogs.com/krainbow/p/4212048.html puppet初始化安装和配置(puppet自动化系列1) ] | [https://www.cnblogs.com/krainbow/p/4212048.html puppet初始化安装和配置(puppet自动化系列1) ] | ||
+ | |||
+ | [https://www.meirenji.info/2018/09/03/puppet%E8%87%AA%E5%8A%A8%E5%8C%96%E5%B8%83%E7%BD%B2%E9%85%8D%E7%BD%AE%E5%85%A5%E9%97%A8/ puppet自动化布署配置入门] | ||
+ | |||
+ | |||
+ | [https://www.cnblogs.com/sddai/p/11031885.html Puppet自动化管理配置 ] | ||
+ | |||
+ | [https://www.jianshu.com/p/63234d526866 puppet入门] | ||
+ | |||
+ | [https://blog.51cto.com/u_433266/2176059?xiangguantuijian&06 Puppet 实验五 软件安装测试] | ||
+ | |||
+ | Usage | ||
+ | |||
+ | [https://www.zsythink.net/archives/331 puppet入门:puppet使用基础(puppet 5) ] | ||
+ | |||
+ | |||
+ | [https://www.linuxidc.com/Linux/2012-12/75979.htm Puppet批量部署实际案例] | ||
+ | |||
+ | [https://www.cnblogs.com/Dicky-Zhang/p/6260127.html puppet的配置] | ||
+ | |||
+ | ==应用例子 == | ||
+ | |||
+ | [https://blog.51cto.com/forall/1913534 Puppet批量部署tomcat] | ||
+ | |||
+ | [https://blog.csdn.net/weixin_33964094/article/details/92921026 Puppet批量部署tomcat] | ||
+ | |||
[[category:devops]] | [[category:devops]] |
2021年11月22日 (一) 01:07的最新版本
目录
why
一切按官方文档是最好的哦 虽然英文Oct 27 2021
salt 老是0day问题 ,为了安全 于是上puppet 现在文档真的很少,以前在dovo时,流行得很呢 于是有了本文
install
https://puppet.com/docs/puppet/7/install_agents.html#configure_server_setting
https://puppet.com/docs/puppetserver/5.3/intermediate_ca_configuration.html
https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html
aliyun mirrors
https://developer.aliyun.com/mirror/puppet https://mirrors.aliyun.com/puppet/
* Enable the Puppet platform repository
RH
可以用aliyun mirrors 会更加快 wget -c https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/x86_64/puppet7-release-7.0.0-1.el7.noarch.rpm && rpm -Uvh puppet7-release-7.0.0-1.el7.noarch.rpm
rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
debian 10 or kali 2021 只能是 buster 注意
记得要改为google dns 8.8.4.4 or alidns #wget -c https://apt.puppetlabs.com/puppet6-release-buster.deb && dpkg -i puppet6-release-buster.deb #on my kali wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb #https://mirrors.aliyun.com/puppet/apt/puppet6-release-buster.deb && wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-bullseye.deb && dpkg -i puppet7-release-bullseye.deb #debian 11 #wget https://apt.puppet.com/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb apt update
Installing Puppet Server
#问题 昨天在家里的 debian 11 安装不了 puppetserver 但是在外网的debian10 是可以安装的 #base on RHEL yum install puppetserver #base on debina apt update apt-get install puppetserver -y systemctl enable puppetserver sudo systemctl start puppetserver /opt/puppetlabs/server/apps/puppetserver/bin/puppetserver -v puppetserver version: 6.14.1 cp /etc/profile /etc/profileevanbak echo 'export PATH=/opt/puppetlabs/server/apps/puppetserver/bin/:$PATH' >> /etc/profile apt-get install default-jdk
如何在 Debian 10 上安装 OpenJDK11/OpenJDK8 Installing JDK on Debian 10 https://puppet.com/docs/puppet/6.19/server/install_from_packages.html
* 3. Install Puppet agent
** RHEL
rpm -Uvh https://yum.puppet.com/puppet7-release-el-7.noarch.rpm https://yum.puppet.com/puppet7-release-el-8.noarch.rpm https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
**
cat /etc/yum.repos.d/puppet7.repo [puppet7] name=Puppet 7 Repository el 7 - $basearch #baseurl=https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/$basearch baseurl=http://yum.puppetlabs.com/puppet7/el/7/$basearch gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release enabled=1 gpgcheck=1 yum clean all yum makecache yum install puppet-agent echo 'export PATH=/opt/puppetlabs/bin:$PATH' >> /etc/profile && source /etc/profile https://puppet.com/docs/puppet/6.19/install_agents.html Start the Puppet service: sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
** deb
apt-get install puppet-agent source /etc/profile.d/puppet-agent.sh systemctl enable puppet systemctl start puppet cat /etc/profile.d/puppet-agent.sh # Add /opt/puppetlabs/bin to the path for sh compatible users if [ -z "${PATH-}" ] ; then export PATH=/opt/puppetlabs/bin elif ! echo "${PATH}" | grep -q /opt/puppetlabs/bin ; then export PATH="${PATH}:/opt/puppetlabs/bin" fi if ! echo "${MANPATH-}" | grep -q /opt/puppetlabs/puppet/share/man ; then export MANPATH="${MANPATH-}:/opt/puppetlabs/puppet/share/man" fi
https://puppet.com/docs/puppet/7/install_agents.html
* 4. Install PuppetDB (optional)
configure
https://puppet.com/docs/puppet/7/install_agents.html#agent_primary_server_connections
# 要先配置hosts #On the agent node, run: puppet config set server puppetserver.example.com --section main #3. Connect the agent to the primary server and sign the certificate # on agent node puppet ssl bootstrap You will see a message that looks like: Info: Creating a new RSA SSL key for <agent node> #On the primary server node, sign the certificate: #puppetsrver sudo puppetserver ca sign --certname <name> #我是这个 其实最好不要这个 puppetserver ca sign --all #On the agent node, run the agent again: puppet ssl bootstrap
相关配置文件
code on server
最开始的样子 [root@r code]# tree . ├── environments │ └── production │ ├── data │ ├── environment.conf │ ├── hiera.yaml │ ├── manifests │ └── modules └── modules 6 directories, 2 files [root@code]# pwd /etc/puppetlabs/code
puppet server
#官方文档就是666 唯一瑕疵 就是配置hosts 和 certname = puppetserver.example.com 好像没说到 还是我没看到呢 这次配置完成用官方文档了,今天就用了删除原来的key good cat /etc/hosts 127.0.0.1 puppetserver.example.com 192.168.10.32 puppetserver.example.com 192.168.10.39 puppetagent 192.168.10.33 puppetagent2 cat /etc/puppetlabs/puppet/puppet.conf # This file can be used to override the default puppet settings. # See the following links for more details on what settings are available: # - https://puppet.com/docs/puppet/latest/config_important_settings.html # - https://puppet.com/docs/puppet/latest/config_about_settings.html # - https://puppet.com/docs/puppet/latest/config_file_main.html # - https://puppet.com/docs/puppet/latest/configuration.html [server] vardir = /opt/puppetlabs/server/data/puppetserver logdir = /var/log/puppetlabs/puppetserver rundir = /var/run/puppetlabs/puppetserver pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid codedir = /etc/puppetlabs/code [master] certname = puppetserver.example.com
agent
cat /etc/hosts 127.0.0.1 localhost #127.0.1.1 puppetserver.example.com puppetserver 192.168.10.32 puppetserver.example.com puppetserver 127.0.1.1 puppetagent cat /etc/puppetlabs/puppet/puppet.conf [main] server = puppetserver.example.com # This file can be used to override the default puppet settings. # See the following links for more details on what settings are available: # - https://puppet.com/docs/puppet/latest/config_important_settings.html # - https://puppet.com/docs/puppet/latest/config_about_settings.html # - https://puppet.com/docs/puppet/latest/config_file_main.html # - https://puppet.com/docs/puppet/latest/configuration.html [agent] runinterval=30
agent2
cat /etc/hosts 127.0.0.1 localhost 127.0.1.1 puppetagent2 #debian11 192.168.10.32 puppetserver.example.com root@puppetagent2:~# cat /etc/puppetlabs/puppet/puppet.conf [main] server = puppetserver.example.com [agent] runinterval=30
这里的明天再补上 Sep 26
全新 mastet 添加agent node(全新安装) 和证书配置
info
各自记得起hostname 192.168.10.70 master.pu.com 192.168.10.71 agent1.pu.com
add hosts
master hosts
127.0.1.1 puppet 192.168.10. 70 master.pu.com 192.168.10. 71 agent1.pu.com
agent1 hosts
192.168.10.70 master.pu.com
config
on agent
puppet config set server master.pu.com --section main #改变半小时生效太长 cat /etc/puppetlabs/puppet/puppet.conf [agent] runinterval=30 #生成证书 puppet ssl bootstrap
on master
#On the primary server node, sign the certificate: puppetserver ca sign --certname agent1.pu.com
全部节点安装个软件试试
root@master:/etc/puppetlabs/code/environments/production/manifests# cat site.pp node default { package { 'tmux': ensure => present, } }
添加 agent node(全新安装) 和证书配置
add hosts
add hosts on server
#puppet #home 127.0.0.1 puppetserver.example.com 192.168.10.32 puppetserver.example.com 192.168.10.39 puppetagent 192.168.10.33 puppetagent2 192.168.10.38 puppetagent38 192.168.2.200 proxy-intra
add config and hosts on agent
cat /etc/hosts 192.168.10.32 puppetserver.example.com cat /etc/puppetlabs/puppet/puppet.conf [main] server = puppetserver.example.com [agent] runinterval=30
生成证书 on agent
evan]# puppet ssl bootstrap Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml Info: Creating a new SSL certificate request for proxy-intra Info: Certificate Request fingerprint (SHA256): 14:49:D8:04:C7:3B:62:88:0A:20:91:22:15:72:49:37:A8:49:18:84:6A:BD:95:6B:3C:A3:0B:B6:42:8F:FD:9C Info: Certificate for proxy-intra has not been signed yet Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (proxy-intra). Info: Will try again in 120 second #注意 一般server 接受了证书后 还要过几分钟才完成 最终提示如下 Notice: Completed SSL initialization
接受证书 on server
#certname 看生成证书时的提醒 一般是你的node agent的hostname puppetserver ca sign --certname proxy-intra #执行完成 提示如下 Successfully signed certificate request for proxy-intra
添加 agent node(非全新安装) 和证书配置
官方文档最6 https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html
puppetserver ca list --all Signed Certificates: idc-test-all-db-192-168-10-120-c7 (SHA256) AF:EA:3F:3D:97:71:04:76:5D:5B:B2:C2:91:98:2A:1:7A:19:44:F6:BD:B2:EB:B2:F1:2E:95:CA:D3:06 alt names: ["DNS:idc-test-all-db-192-168-10-120-c7"] #先删除原来存在的了key on server 这几步 也是 puppet rror: The certificate for 'CN=' does not match its private key的解决办法 puppetserver ca clean --certname idc-test-all-db-192-168-10-120-c7 puppetserver ca clean --certname idc-test-all-php-192-168-10-122-c7 #如果有老的key 不是新安装 cd /etc/puppetlabs/puppet/ssl/certs/ rm -f ca.pem idc-test-all-db-192-168-10-120-c7.pem # if on node puppet client systemctl restart puppet #agent node root@debian11# puppet ssl bootstrap Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml Info: Creating a new SSL certificate request for idc-test-all-php-192-168-10-122-c7 Info: Certificate Request fingerprint (SHA256): 7D:9F:B7:68:B3::84:06:6D:90:49:9C:8F:76:D7:3A:25:C9:98:E0:2F:0D:39:E1:95:A6:BB:EE:B1:27 Info: Certificate for idc-test-all-php-192-168-10-122-c7 has not been signed yet Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (idc-test-all-php-192-168-10-122-c7). Info: Will try again in 120 seconds. #这个是接受后成功的提示 ,如果只有这个提示 没有前面的 那就是在servrer 存在了相同的了 Notice: Completed SSL initialization #sever 上接受 成功喽 #单独一个 puppetserver ca sign --certname puppet2021 puppetserver ca sign --all Successfully signed certificate request for idc-test-all-php-192-168-10-122-c7 #这个命令还是不成功 puppetserver ca sign idc-test-all-php-192-168-10-122-c7 例如 #最后在master 接受的证书名是以hostname的哦 最好是事先起好hostname,虽然我hosts文件配置为puppet38 配置任务用这个也是成功的 ,不过还是不够规范 puppetserver ca sign --all Successfully signed certificate request for debian11
默认30分钟太久
#on agent 120 秒 ,2 分钟 vi /etc/puppetlabs/puppet/puppet.conf [agent] server = master.test.cn runinterval=120
入门例子
#安装到所有节点 默认是半个小时成效 可以手工执行 cat /etc/puppetlabs/code/environments/production/manifests/site.pp node default { package { 'emacs': ensure => present, } } # 笨方法 两个节点安装 w3m cat /etc/puppetlabs/code/environments/production/manifests/site.pp node 'puppetagent' { package { 'w3m': ensure => present, } } node 'puppetagent2' { package { 'w3m': ensure => present, } }
第一个file 例子
#on server #cat /etc/puppetlabs/code/environments/production/manifests/site.pp node default { file { "/tmp/oct28.txt": content => "hey first puppet file"; } } #结果 随便找个 agent node root@puppetagent:~# cat /tmp/oct28.txt hey first puppet file
第一个shell 命令例子
cat site.pp node default { Exec {path =>"/bin:/sbin:/bin/sh:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"} exec { "touch files": command => "/usr/bin/touch /tmp/mytouch.txt"; } }
第一个 配置一个测试节点 modules
cd /etc/puppetlabs/code/environments/production/modules root@master:/etc/puppetlabs/code/environments/production/modules# mkdir -p test/{manifests,templates,files} vi templates/test.erb hostname <%= fqdn %> vi manifests/init.pp class test { file {"/tmp/$hostname.txt": content => "hey world";} } root@master:/etc/puppetlabs/code/environments/production/manifests# mkdir nodes vi agent1.pu.com.pp node 'agent1.pu.com' { include test } 主动拉取 root@agent1:~# puppet agent -t cat ../site.pp node default { package { 'tree': ensure => present, } } #其实只要这行 上面和下面的全可不要 import "nodes/agent1.pu.pp" #include的写法 但是好像有问题 这个所有的 import "nodes/*.pp" 成功 暂时是只有 agent1 有,因为开始只是node 里只有 agent1 root@agent1:~# cat /tmp/agent1.txt hey world trouble shooting The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc> 11月 21 22:25:11 myxps puppet-agent[34301]: The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc> ~
video
进阶
see also
trouble shooting
root@master:~# puppetserver ca sign --certname agent1.pu.com Fatal error when running action 'sign' Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_status/ Root cause: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known) root@master:~# cat /etc/hosts 127.0.1.1 puppet
references
https://en.wikipedia.org/wiki/Puppet_(software)
Usage