Puppet Basics

From the linux中国网 wiki

why

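Following the official documentation for everything is best, even though it is in English. Oct 27 2021

Salt keeps having 0day problems, so for security I switched to Puppet. There is really very little documentation now; back when I was at dovo it was very popular. Hence this article.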

install

https://puppet.com/docs/puppet/7/install_agents.html#configure_server_setting

https://puppet.com/docs/puppetserver/5.3/intermediate_ca_configuration.html

https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html


aliyun mirrors

https://developer.aliyun.com/mirror/puppet https://mirrors.aliyun.com/puppet/

* Enable the Puppet platform repository

RH

# The aliyun mirrors can be used and will be faster
wget -c  https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/x86_64/puppet7-release-7.0.0-1.el7.noarch.rpm &&  rpm -Uvh puppet7-release-7.0.0-1.el7.noarch.rpm
rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

Debian 10 or Kali 2021: note that only buster works

# Remember to switch to Google DNS 8.8.4.4 or alidns
#wget -c https://apt.puppetlabs.com/puppet6-release-buster.deb && dpkg -i puppet6-release-buster.deb

#on my kali
wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb
#https://mirrors.aliyun.com/puppet/apt/puppet6-release-buster.deb &&

wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-bullseye.deb && dpkg -i puppet7-release-bullseye.deb #debian 11
#wget https://apt.puppet.com/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb
apt update

Installing Puppet Server

    
# on RHEL-based systems
yum install puppetserver

apt update
apt-get install puppetserver

sudo systemctl start puppetserver

/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver -v
puppetserver version: 6.14.1

cp /etc/profile /etc/profileevanbak

echo 'export PATH=/opt/puppetlabs/server/apps/puppetserver/bin/:$PATH' >> /etc/profile

apt-get install default-jdk
     


How to install OpenJDK11/OpenJDK8 on Debian 10

Installing JDK on Debian 10
                                                                                                                                                                            
https://puppet.com/docs/puppet/6.19/server/install_from_packages.html

* 3. Install Puppet agent

** RHEL

rpm -Uvh https://yum.puppet.com/puppet7-release-el-7.noarch.rpm

https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

 cat /etc/yum.repos.d/puppet7.repo 
[puppet7]
name=Puppet 7 Repository el 7 - $basearch
#baseurl=https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/$basearch
baseurl=http://yum.puppetlabs.com/puppet7/el/7/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release
enabled=1
gpgcheck=1


yum clean all
yum makecache
                                                                                                                                                                       
yum install puppet-agent

echo 'export PATH=/opt/puppetlabs/bin:$PATH' >> /etc/profile && source /etc/profile

https://puppet.com/docs/puppet/6.19/install_agents.html

# Start the Puppet service:
sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
 

** deb

  apt-get install puppet-agent

 source /etc/profile.d/puppet-agent.sh                           

https://puppet.com/docs/puppet/7/install_agents.html

* 4. Install PuppetDB (optional)

configure

https://puppet.com/docs/puppet/7/install_agents.html#agent_primary_server_connections


# Configure hosts first

#On the agent node, run:
puppet config set server puppetserver.example.com --section main

#3. Connect the agent to the primary server and sign the certificate

# on agent  node
puppet ssl bootstrap

You will see a message that looks like:

Info: Creating a new RSA SSL key for <agent node>

#On the primary server node, sign the certificate:
#puppetserver
sudo puppetserver ca sign --certname <name>
# This is the one I used; it is actually best not to use this one
puppetserver ca sign --all


#On the agent node, run the agent again:

puppet ssl bootstrap

相关配置文件

code on server

最开始的样子
[root@r code]# tree 
.
├── environments
│   └── production
│       ├── data
│       ├── environment.conf
│       ├── hiera.yaml
│       ├── manifests
│       └── modules
└── modules

6 directories, 2 files
[root@code]# pwd
/etc/puppetlabs/code

puppet server


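# The official documentation is excellent. Its only flaw is that configuring hosts and certname = puppetserver.example.com does not seem to be mentioned, or maybe I just did not see it. This setup was completed using the official documentation; today I used the step of deleting the original key. Good.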
cat /etc/hosts

127.0.0.1    puppetserver.example.com 
192.168.10.32    puppetserver.example.com 
192.168.10.39 puppetagent
192.168.10.33 puppetagent2

cat /etc/puppetlabs/puppet/puppet.conf

# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
[master]
certname = puppetserver.example.com

agent

cat /etc/hosts
127.0.0.1	localhost
#127.0.1.1	puppetserver.example.com	puppetserver
192.168.10.32 	puppetserver.example.com	puppetserver
127.0.1.1	puppetagent

cat /etc/puppetlabs/puppet/puppet.conf 
[main]
server = puppetserver.example.com
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
runinterval=30

agent2

cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	puppetagent2
#debian11
#127.0.0.1 puppetserver.example.com

192.168.10.32    puppetserver.example.com 

root@puppetagent2:~# cat /etc/puppetlabs/puppet/puppet.conf 
[main]
server = puppetserver.example.com
[agent]
runinterval=30

This part will be filled in tomorrow. Sep 26

Adding an agent node (fresh install) and certificate configuration

add hosts

add hosts on server


#puppet 
#home
127.0.0.1    puppetserver.example.com 
192.168.10.32    puppetserver.example.com 
192.168.10.39 puppetagent
192.168.10.33 puppetagent2
192.168.10.38 puppetagent38


192.168.2.200 proxy-intra


add hosts on agent


192.168.10.32    puppetserver.example.com 

Adding an agent node (not a fresh install) and certificate configuration

The official documentation is the best: https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html

puppetserver ca   list  --all
Signed Certificates:

    idc-test-all-db-192-168-10-120-c7          (SHA256)  AF:EA:3F:3D:97:71:04:76:5D:5B:B2:C2:91:98:2A:1:7A:19:44:F6:BD:B2:EB:B2:F1:2E:95:CA:D3:06	alt names: ["DNS:idc-test-all-db-192-168-10-120-c7"]


# First delete the existing key on the server. These steps are also the fix for the Puppet error: The certificate for 'CN=' does not match its private key
puppetserver ca clean --certname  idc-test-all-db-192-168-10-120-c7 
puppetserver ca clean --certname idc-test-all-php-192-168-10-122-c7


# If there is an old key (not a fresh install)
cd  /etc/puppetlabs/puppet/ssl/certs/
rm  -f ca.pem  idc-test-all-db-192-168-10-120-c7.pem

# if on the node (puppet client)
systemctl  restart puppet


#agent node 
root@debian11# puppet ssl bootstrap
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for idc-test-all-php-192-168-10-122-c7
Info: Certificate Request fingerprint (SHA256): 7D:9F:B7:68:B3::84:06:6D:90:49:9C:8F:76:D7:3A:25:C9:98:E0:2F:0D:39:E1:95:A6:BB:EE:B1:27
Info: Certificate for idc-test-all-php-192-168-10-122-c7 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (idc-test-all-php-192-168-10-122-c7).
Info: Will try again in 120 seconds.

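# This is the success message after the request has been accepted. If you get only this message without the preceding ones, an identical one already exists on the server
Notice: Completed SSL initialization



# Accept on the server; success
# a single one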
puppetserver ca sign --certname  puppet2021

puppetserver ca sign   --all
Successfully signed certificate request for idc-test-all-php-192-168-10-122-c7



# This command still does not succeed
puppetserver ca sign  idc-test-all-php-192-168-10-122-c7


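For example
# In the end, the certificate name accepted on the master is based on the hostname. It is best to set the hostname in advance. Although my hosts file is configured as puppet38 and the configuration task also succeeded using that, it is still not tidy enough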
 puppetserver ca sign   --all
Successfully signed certificate request for debian11
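
The fingerprint comparison that single-certificate signing relies on, as an added example that is not part of the original page: it reads the CSR fingerprint the agent prints during `puppet ssl bootstrap`, looks up the pending request with the same certname in `puppetserver ca list` output, and emits the `--certname` sign command only on an exact match. The fingerprints, the certname puppetagent99 and the helper names agent_fp, ca_fp and sign_command are constructed for illustration; the list layout is assumed to match the listing shown above.

```shell
#!/bin/sh
# Added example, not from the original page. All fingerprints are constructed.
FP_RE='([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}'   # SHA256 = 32 colon-separated bytes

# Constructed agent-side output of `puppet ssl bootstrap`.
AGENT_OUT='Info: Creating a new SSL certificate request for puppetagent38
Info: Certificate Request fingerprint (SHA256): A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90
Info: Certificate for puppetagent38 has not been signed yet'

# Constructed server-side output of `puppetserver ca list` (pending requests).
CA_LIST='Requested Certificates:
    puppetagent38   (SHA256)  A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90
    puppetagent99   (SHA256)  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Fingerprint the agent reported for its own CSR (empty if malformed).
agent_fp() {
  printf '%s\n' "$1" | grep -F 'Certificate Request fingerprint (SHA256)' |
    grep -Eo "$FP_RE" | head -n 1 | tr 'a-f' 'A-F'
}

# Fingerprint the CA holds for the pending request with exactly this certname.
ca_fp() {   # $1 = certname, $2 = `puppetserver ca list` output
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "(SHA256)" {print $3}' |
    grep -Ex "$FP_RE" | head -n 1 | tr 'a-f' 'A-F'
}

# Print the single-certificate sign command only when both fingerprints are
# well-formed and identical; otherwise refuse with a non-zero status.
sign_command() {   # $1 = certname, $2 = agent output, $3 = CA list output
  a=$(agent_fp "$2"); c=$(ca_fp "$1" "$3")
  if [ -n "$a" ] && [ "$a" = "$c" ]; then
    echo "puppetserver ca sign --certname $1"
  else
    echo "REFUSED: no matching fingerprint for $1" >&2
    return 1
  fi
}

sign_command puppetagent38 "$AGENT_OUT" "$CA_LIST"
```

A request whose certname matches but whose fingerprint differs, or a fingerprint that is not 32 well-formed bytes, is refused rather than signed.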


The default of 30 minutes is too long

# on agent: 120 seconds, 2 minutes
vi  /etc/puppetlabs/puppet/puppet.conf 
[agent]
server = master.test.cn
runinterval=120

Getting-started examples

# Install on all nodes. By default it takes effect within half an hour; it can also be run manually
 cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
    package { 'emacs':
     ensure => present,
  }
}



# The clumsy way: install w3m on two nodes
 cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node 'puppetagent' {
    package { 'w3m':
     ensure => present,
  }
}
node 'puppetagent2' {
    package { 'w3m':
     ensure => present,
  }
}

First file example

#on server
#cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
    file { "/tmp/oct28.txt":
     content => "hey  first puppet file";
  }
}


# Result: pick any agent node
root@puppetagent:~# cat /tmp/oct28.txt 
hey  first puppet file

First shell command example

 cat site.pp
node default {
    Exec {path =>"/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"}
    exec { "touch files":
     command => "/usr/bin/touch /tmp/mytouch.txt";
  }
}

