Puppet基础

来自linux中国网wiki
跳到导航 跳到搜索

why

一切按官方文档是最好的哦 虽然英文Oct 27 2021 

salt 老是0day问题 ,为了安全 于是上puppet 现在文档真的很少,以前在dovo时,流行得很呢 于是有了本文

install

https://puppet.com/docs/puppet/7/install_agents.html#configure_server_setting

https://puppet.com/docs/puppetserver/5.3/intermediate_ca_configuration.html

https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html


aliyun mirrors

https://developer.aliyun.com/mirror/puppet https://mirrors.aliyun.com/puppet/

* Enable the Puppet platform repository

RH

 可以用aliyun mirrors 会更加快 
wget -c  https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/x86_64/puppet7-release-7.0.0-1.el7.noarch.rpm &&  rpm -Uvh puppet7-release-7.0.0-1.el7.noarch.rpm
rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

debian 10 or kali 2021 只能是 buster 注意

                                                                                                                                                                            
 记得要改为google dns 8.8.4.4 or alidns                                                                                                                                      
 #wget -c https://apt.puppetlabs.com/puppet6-release-buster.deb && dpkg  -i  puppet6-release-buster.deb              

#on my kali 
wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-buster.deb &&  dpkg  -i puppet7-release-buster.deb
#https://mirrors.aliyun.com/puppet/apt/puppet6-release-buster.deb &&                                                         
                                                                                                                                                                             
 wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-bullseye.deb        && dpkg -i  puppet7-release-bullseye.deb #debian 11                                                                                                                                                               
 #wget  https://apt.puppet.com/puppet7-release-buster.deb  && dpkg -i   puppet7-release-buster.deb                                                                     
 apt update       

Installing Puppet Server

    
#base on RHEL 
yum install puppetserver

#base on  debina
apt update                                                                                                                                                                          
apt-get install puppetserver -y                                                                                                                                            
systemctl  enable puppetserver                                                                                                                                                                            
sudo systemctl start puppetserver                                                                                                                                          
                                                                                                                                                                             
 /opt/puppetlabs/server/apps/puppetserver/bin/puppetserver  -v                                                                                                               
 puppetserver version: 6.14.1                                                                                                                                                
                                                                                                                                                                             
 cp /etc/profile  /etc/profileevanbak                                                                                                                                        
 echo 'export PATH=/opt/puppetlabs/server/apps/puppetserver/bin/:$PATH' >> /etc/profile                                                                                                                                                                                                                                            
                                                                                                                                                                         
apt-get install default-jdk                                                                                                                                                                                                                                                                                                                              
     


如何在 Debian 10 上安装 OpenJDK11/OpenJDK8                                                                                          
                                                                                                                                                                            
                                                                                                                                                                            
Installing JDK on Debian 10                                                                                                  
                                                                                                                                                                            
https://puppet.com/docs/puppet/6.19/server/install_from_packages.html

* 3. Install Puppet agent

** RHEL

rpm -Uvh  https://yum.puppet.com/puppet7-release-el-7.noarch.rpm                                                                                                         
                                                                                                                                                                            
https://yum.puppet.com/puppet7-release-el-8.noarch.rpm                                                                                                                      
https://yum.puppet.com/puppet6-release-el-7.noarch.rpm      
**
 cat /etc/yum.repos.d/puppet7.repo 
[puppet7]
name=Puppet 7 Repository el 7 - $basearch
#baseurl=https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/$basearch
baseurl=http://yum.puppetlabs.com/puppet7/el/7/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release
enabled=1
gpgcheck=1


yum clean all
yum makecache
                                                                                                                                                                       
yum install puppet-agent  
                                                                                                                                                  
                                                                                                                                                                             
 echo 'export PATH=/opt/puppetlabs/bin:$PATH'  >> /etc/profile  && source /etc/profile                                                                                 
                                                                                                                                                                         https://puppet.com/docs/puppet/6.19/install_agents.html                                                                                                                     
                                                                                                                                                                             
 Start the Puppet service: sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true                                                                
 

** deb

  apt-get install puppet-agent

 source /etc/profile.d/puppet-agent.sh 

systemctl enable puppet 
 systemctl start  puppet 


cat  /etc/profile.d/puppet-agent.sh 
# Add /opt/puppetlabs/bin to the path for sh compatible users

if [ -z "${PATH-}" ] ; then
  export PATH=/opt/puppetlabs/bin
elif ! echo "${PATH}" | grep -q /opt/puppetlabs/bin ; then
  export PATH="${PATH}:/opt/puppetlabs/bin"
fi

if ! echo "${MANPATH-}" | grep -q /opt/puppetlabs/puppet/share/man ; then
  export MANPATH="${MANPATH-}:/opt/puppetlabs/puppet/share/man"
fi
                         

https://puppet.com/docs/puppet/7/install_agents.html

* 4. Install PuppetDB (optional)

configure

https://puppet.com/docs/puppet/7/install_agents.html#agent_primary_server_connections


# 要先配置hosts 

#On the agent node, run:
puppet config set server puppetserver.example.com --section main

#3. Connect the agent to the primary server and sign the certificate

# on agent  node
puppet ssl bootstrap

You will see a message that looks like:

Info: Creating a new RSA SSL key for <agent node>

#On the primary server node, sign the certificate:
#puppetsrver 
sudo puppetserver ca sign --certname <name>
#我是这个 其实最好不要这个 
puppetserver ca sign --all


#On the agent node, run the agent again:

puppet ssl bootstrap

相关配置文件

code on server

最开始的样子
[root@r code]# tree 
.
├── environments
│   └── production
│       ├── data
│       ├── environment.conf
│       ├── hiera.yaml
│       ├── manifests
│       └── modules
└── modules

6 directories, 2 files
[root@code]# pwd
/etc/puppetlabs/code

puppet server


#官方文档就是666 唯一瑕疵 就是配置hosts 和  certname = puppetserver.example.com 好像没说到 还是我没看到呢  这次配置完成用官方文档了,今天就用了删除原来的key good
cat /etc/hosts

127.0.0.1    puppetserver.example.com 
192.168.10.32    puppetserver.example.com 
192.168.10.39 puppetagent
192.168.10.33 puppetagent2

cat /etc/puppetlabs/puppet/puppet.conf

# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
[master]
certname = puppetserver.example.com

agent

cat /etc/hosts
127.0.0.1	localhost
#127.0.1.1	puppetserver.example.com	puppetserver
192.168.10.32 	puppetserver.example.com	puppetserver
127.0.1.1	puppetagent

cat /etc/puppetlabs/puppet/puppet.conf 
[main]
server = puppetserver.example.com
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
runinterval=30

agent2

cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	puppetagent2
#debian11


192.168.10.32    puppetserver.example.com 

root@puppetagent2:~# cat /etc/puppetlabs/puppet/puppet.conf 
[main]
server = puppetserver.example.com
[agent]
runinterval=30

这里的明天再补上 Sep 26

全新 mastet 添加agent node(全新安装) 和证书配置

info

 各自记得起hostname
192.168.10.70 master.pu.com
192.168.10.71 agent1.pu.com

add hosts

master hosts

127.0.1.1	  puppet
192.168.10. 70 master.pu.com
192.168.10. 71 agent1.pu.com

agent1 hosts

192.168.10.70 master.pu.com

config

on agent

puppet config set server master.pu.com --section main

#改变半小时生效太长
cat /etc/puppetlabs/puppet/puppet.conf
[agent]
runinterval=30


#生成证书
 puppet ssl bootstrap

on master


#On the primary server node, sign the certificate:

puppetserver ca sign --certname agent1.pu.com

全部节点安装个软件试试

root@master:/etc/puppetlabs/code/environments/production/manifests# cat  site.pp
node default {
    package { 'tmux':
     ensure => present,
  }
}

添加 agent node(全新安装) 和证书配置

add hosts

add hosts on server


#puppet 
#home
127.0.0.1    puppetserver.example.com 
192.168.10.32    puppetserver.example.com 
192.168.10.39 puppetagent
192.168.10.33 puppetagent2
192.168.10.38 puppetagent38


192.168.2.200 proxy-intra


add config and hosts on agent

cat /etc/hosts

192.168.10.32    puppetserver.example.com 

cat /etc/puppetlabs/puppet/puppet.conf 
[main]
server = puppetserver.example.com

[agent]
runinterval=30

生成证书 on agent

 evan]#  puppet ssl bootstrap
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for proxy-intra
Info: Certificate Request fingerprint (SHA256): 14:49:D8:04:C7:3B:62:88:0A:20:91:22:15:72:49:37:A8:49:18:84:6A:BD:95:6B:3C:A3:0B:B6:42:8F:FD:9C
Info: Certificate for proxy-intra has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (proxy-intra).
Info: Will try again in 120 second

#注意  一般server 接受了证书后 还要过几分钟才完成 最终提示如下 

Notice: Completed SSL initialization

接受证书 on server

#certname 看生成证书时的提醒 一般是你的node agent的hostname 
puppetserver ca sign --certname  proxy-intra

#执行完成 提示如下 
Successfully signed certificate request for proxy-intra

添加 agent node(非全新安装) 和证书配置

官方文档最6 https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html

puppetserver ca   list  --all
Signed Certificates:

    idc-test-all-db-192-168-10-120-c7          (SHA256)  AF:EA:3F:3D:97:71:04:76:5D:5B:B2:C2:91:98:2A:1:7A:19:44:F6:BD:B2:EB:B2:F1:2E:95:CA:D3:06	alt names: ["DNS:idc-test-all-db-192-168-10-120-c7"]


#先删除原来存在的了key  on server   这几步 也是 puppet rror: The certificate for 'CN=' does not match its private key的解决办法 
puppetserver ca clean --certname  idc-test-all-db-192-168-10-120-c7 
puppetserver ca clean --certname idc-test-all-php-192-168-10-122-c7


#如果有老的key 不是新安装 
cd  /etc/puppetlabs/puppet/ssl/certs/
rm  -f ca.pem  idc-test-all-db-192-168-10-120-c7.pem

# if on node  puppet client 
systemctl  restart puppet


#agent node 
root@debian11# puppet ssl bootstrap
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for idc-test-all-php-192-168-10-122-c7
Info: Certificate Request fingerprint (SHA256): 7D:9F:B7:68:B3::84:06:6D:90:49:9C:8F:76:D7:3A:25:C9:98:E0:2F:0D:39:E1:95:A6:BB:EE:B1:27
Info: Certificate for idc-test-all-php-192-168-10-122-c7 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (idc-test-all-php-192-168-10-122-c7).
Info: Will try again in 120 seconds.

#这个是接受后成功的提示 ,如果只有这个提示 没有前面的 那就是在servrer 存在了相同的了 
Notice: Completed SSL initialization



#sever 上接受 成功喽 
#单独一个  
puppetserver ca sign --certname  puppet2021

puppetserver ca sign   --all
Successfully signed certificate request for idc-test-all-php-192-168-10-122-c7



#这个命令还是不成功 
puppetserver ca sign  idc-test-all-php-192-168-10-122-c7


例如
#最后在master 接受的证书名是以hostname的哦  最好是事先起好hostname,虽然我hosts文件配置为puppet38 配置任务用这个也是成功的 ,不过还是不够规范
 puppetserver ca sign   --all
Successfully signed certificate request for debian11


默认30分钟太久

#on agent  120 秒  ,2 分钟 
vi  /etc/puppetlabs/puppet/puppet.conf 
[agent]
server = master.test.cn
runinterval=120

入门例子

#安装到所有节点  默认是半个小时成效 可以手工执行
 cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
    package { 'emacs':
     ensure => present,
  }
}



# 笨方法  两个节点安装 w3m 
 cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node 'puppetagent' {
    package { 'w3m':
     ensure => present,
  }
}
node 'puppetagent2' {
    package { 'w3m':
     ensure => present,
  }
}

第一个file 例子

#on server
#cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
    file { "/tmp/oct28.txt":
     content => "hey  first puppet file";
  }
}


#结果 随便找个 agent node 
root@puppetagent:~# cat /tmp/oct28.txt 
hey  first puppet file

第一个shell 命令例子

 cat site.pp
node default {
    Exec {path =>"/bin:/sbin:/bin/sh:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"}
    exec { "touch files":
     command => "/usr/bin/touch /tmp/mytouch.txt";
  }
}



第一个 配置一个测试节点 modules


cd /etc/puppetlabs/code/environments/production/modules
root@master:/etc/puppetlabs/code/environments/production/modules# 
mkdir -p  test/{manifests,templates,files}


vi templates/test.erb 
hostname <%= fqdn %>

vi  manifests/init.pp
class  test {
    file {"/tmp/$hostname.txt": content => "hey world";}
}


root@master:/etc/puppetlabs/code/environments/production/manifests# mkdir nodes

vi agent1.pu.com.pp
node 'agent1.pu.com' {
   include test
}


主动拉取
root@agent1:~# puppet agent -t 




 cat   ../site.pp
node default {
    package { 'tree':
     ensure => present,
  }
}

#其实只要这行 上面和下面的全可不要 
import "nodes/agent1.pu.pp"
#include的写法  但是好像有问题  这个所有的 
import  "nodes/*.pp"



成功  暂时是只有  agent1 有,因为开始只是node 里只有 agent1  
root@agent1:~# cat /tmp/agent1.txt 
hey world



trouble shooting 

 The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc>
11月 21 22:25:11 myxps puppet-agent[34301]: The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc>
~

video

Puppet自动化运维企业实战

进阶

企业级自动化运维工具---puppet详解

自动化运维工具——puppet详解(一)

自动化运维工具——puppet详解(二)

see also

trouble shooting


root@master:~# puppetserver ca sign --certname agent1.pu.com
Fatal error when running action 'sign'
  Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_status/
  Root cause: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)


root@master:~#  cat /etc/hosts

127.0.1.1	 puppet

references

https://en.wikipedia.org/wiki/Puppet_(software)


puppet批量管理500多台服务器

Puppet常识梳理

Puppet组件详解

Puppet类用法示例


puppet多环境配置(puppet自动化系列2)

puppet初始化安装和配置(puppet自动化系列1)

puppet自动化布署配置入门


Puppet自动化管理配置

puppet入门

Puppet 实验五 软件安装测试

Usage

puppet入门:puppet使用基础(puppet 5)


Puppet批量部署实际案例

puppet的配置

应用例子

Puppet批量部署tomcat

Puppet批量部署tomcat