Lab environment:
-----------------------------------------------------------------
Host           OS                 IP address        Main software
-----------------------------------------------------------------
puppetmaster   CentOS 6.5 x86_64  192.168.200.131   ruby-*
                                                    facter-1.7.1.tar.gz
                                                    puppet-2.7.21.tar.gz
----------------------------------------------------------------------------
puppetclient1  CentOS 6.5 x86_64  192.168.200.132   ruby-*
                                                    facter-1.7.1.tar.gz
                                                    puppet-2.7.21.tar.gz
----------------------------------------------------------------------------
puppetclient2  CentOS 6.5 x86_64  192.168.200.133   ruby-*
                                                    facter-1.7.1.tar.gz
                                                    puppet-2.7.21.tar.gz
----------------------------------------------------------------------------
NTP Server     CentOS 6.5 x86_64  192.168.200.134
================================================================================
Procedure:
Step 1: set up the puppetmaster
1.1 Plan the server hostnames
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=master.test.cn
[root@localhost ~]# vi /etc/hosts
192.168.200.131 master.test.cn
192.168.200.132 client.test.cn
192.168.200.133 client133.test.cn
[root@localhost ~]# hostname master.test.cn
[root@localhost ~]# bash
1.2 Configure the NTP time server
1.2.1 Configure the NTP server (192.168.200.134)
[root@localhost ~]# yum -y install ntp
[root@localhost ~]# vi /etc/ntp.conf
Add the following two lines:
server 127.127.1.0
fudge 127.127.1.0 stratum 8
[root@localhost ~]# service ntpd start
正在启动 ntpd: [确定]
[root@localhost ~]# chkconfig ntpd on
1.2.2 Configure the puppetmaster as an NTP client
[root@master ~]# yum -y install ntp
[root@master ~]# ntpdate 192.168.200.134
7 Jan 22:43:18 ntpdate[3058]: adjust time server 192.168.200.134 offset 0.467919 sec
1.3 Install Ruby (note: the CentOS install media comes on two discs; to perform the installation below, both discs must be mounted and their paths specified in the *.repo file)
[root@master ~]# yum -y install compat-readline5 ruby*
After installation, check the Ruby version
[root@master ~]# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
1.4 Install puppet and facter
[root@master ~]# useradd -s /sbin/nologin puppet
The facter tool is used to analyse the information reported by the clients.
Install facter:
[root@master ~]# tar xf facter-1.7.1.tar.gz
[root@master ~]# cd facter-1.7.1
[root@master facter-1.7.1]# ruby install.rb
Install puppet:
[root@master facter-1.7.1]# cd
[root@master ~]# tar xf puppet-2.7.21.tar.gz
[root@master ~]# cd puppet-2.7.21
[root@master puppet-2.7.21]# ruby install.rb
Post-install adjustments:
[root@master puppet-2.7.21]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@master puppet-2.7.21]# cp conf/redhat/puppet.conf /etc/puppet/
[root@master puppet-2.7.21]# cp conf/redhat/server.init /etc/init.d/puppetmaster
[root@master puppet-2.7.21]# chmod +x /etc/init.d/puppetmaster
[root@master puppet-2.7.21]# mkdir /etc/puppet/manifests
[root@master puppet-2.7.21]# mkdir /etc/puppet/modules
Puppet certificate request and signing:
(Note: in the production environment used here, iptables is turned off entirely by default)
Master-side configuration:
[root@master puppet-2.7.21]# service iptables stop
Edit the configuration file
[root@master puppet-2.7.21]# vi /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# Added line: module search path on the server
modulepath = /etc/puppet/modules:/usr/share/puppet/modules
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
-----------------------------------------------------------------
Start the puppet master
[root@master puppet-2.7.21]# /etc/init.d/puppetmaster start
启动 puppetmaster: [确定]
=======================================================================
Step 2: set up puppetclient1 and puppetclient2
Configure puppetclient1 first
2.1 Plan the server hostname
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=client.test.cn
[root@localhost ~]# vi /etc/hosts
192.168.200.131 master.test.cn
192.168.200.132 client.test.cn
192.168.200.133 client133.test.cn
[root@localhost ~]# hostname client.test.cn
[root@localhost ~]# bash
[root@client ~]#
2.2 Synchronise the server's time
[root@client ~]# ntpdate 192.168.200.134
8 Jan 21:52:50 ntpdate[3244]: step time server 192.168.200.134 offset -28.886955 sec
2.3 Install Ruby
[root@client ~]# yum -y install compat-readline5 ruby*
After installation, check the Ruby version
[root@client ~]# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
2.4 Install puppet and facter
[root@client ~]# tar xf facter-1.7.1.tar.gz
[root@client ~]# cd facter-1.7.1
[root@client facter-1.7.1]# ruby install.rb
[root@client facter-1.7.1]# cd
[root@client ~]# tar xf puppet-2.7.21.tar.gz
[root@client ~]# cd puppet-2.7.21
[root@client puppet-2.7.21]# ruby install.rb
Post-install adjustments:
[root@client puppet-2.7.21]# cp conf/redhat/puppet.conf /etc/puppet/
[root@client puppet-2.7.21]# cp conf/redhat/client.init /etc/init.d/puppetclient
[root@client puppet-2.7.21]# chmod +x /etc/init.d/puppetclient
Puppet certificate request and signing:
(Note: in the production environment used here, iptables is turned off entirely by default)
[root@client puppet-2.7.21]# service iptables stop
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则: [确定]
iptables:正在卸载模块: [确定]
[root@client puppet-2.7.21]# chkconfig iptables off
[root@client puppet-2.7.21]# iptables -F
[root@client puppet-2.7.21]# setenforce 0
The steps are the same on 192.168.200.132 and 192.168.200.133, as follows
Edit the client configuration file
[root@client puppet-2.7.21]# vi /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# Added line: hostname of the puppet master
server = master.test.cn
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
----------------------------------------------------------------------------
puppetclient2 is configured the same way as puppetclient1; just change the hostname to client133.test.cn
Request and registration:
Client side:
Register on puppetclient1 and puppetclient2 respectively
[root@client ~]# puppet agent --server=master.test.cn --no-daemonize --verbose
info: Creating a new SSL key for client.test.cn
info: Caching certificate for ca
info: Creating a new SSL certificate request for client.test.cn
info: Certificate Request fingerprint (md5): 91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64
puppet is now waiting (for its certificate to be signed), and the request can already be seen on the server
Master side
List the clients that have requested registration
[root@master ~]# puppet cert --list
"client.test.cn" (91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64)
"client133.test.cn" (CD:EE:80:26:D6:16:C3:D6:9F:7C:DD:14:A0:99:BA:C4)
Sign the pending client requests:
[root@master ~]# puppet cert sign --all
notice: Signed certificate request for client133.test.cn
notice: Removing file Puppet::SSL::CertificateRequest client133.test.cn at '/var/lib/puppet/ssl/ca/requests/client133.test.cn.pem'
notice: Signed certificate request for client.test.cn
notice: Removing file Puppet::SSL::CertificateRequest client.test.cn at '/var/lib/puppet/ssl/ca/requests/client.test.cn.pem'
Check the registered clients via the directory listing:
[root@master ~]# ll /var/lib/puppet/ssl/ca/signed/
总用量 12
-rw-r-----. 1 puppet puppet 1911 1月 8 22:21 client133.test.cn.pem
-rw-r-----. 1 puppet puppet 1907 1月 8 22:21 client.test.cn.pem
-rw-r-----. 1 puppet puppet 1976 1月 8 21:48 master.test.cn.pem
==================================================================
At this point the clients' certificate requests have been signed.
Step 3: configuration example:
3.1 Configure a test node
Node definitions: /etc/puppet/manifests/nodes
Module definitions: /etc/puppet/modules
Task: to protect the Linux SSH port from brute-force attacks, change the SSH port on all clients in bulk, 22 ---> 9922
Operations on the master:
3.1.1 Create the required directories
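`puppet cert sign --all` above signs every pending request, including one from a host that merely knows the master's name. As an added example (not part of the original post), this shell function signs only requests whose fingerprint matches the one recorded from the agent's own console (the `Certificate Request fingerprint` line shown above); the pending list and the approved-fingerprint file are constructed samples.

```shell
# Added example, not from the original post. Sign only CSRs whose fingerprint
# matches a value recorded out of band, instead of "puppet cert sign --all".
# Assumes the Puppet 2.7 "puppet cert --list" output format shown above and an
# approved file of "certname fingerprint" pairs copied from each agent console.

# Constructed sample: output of "puppet cert --list" with three pending CSRs
# (the third is an unknown host that was never approved).
PENDING_LIST='"client.test.cn" (91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64)
"client133.test.cn" (CD:EE:80:26:D6:16:C3:D6:9F:7C:DD:14:A0:99:BA:C4)
"unknown.test.cn" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'

# Constructed sample: fingerprints the admin recorded from the agents' consoles.
APPROVED='client.test.cn 91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64
client133.test.cn CD:EE:80:26:D6:16:C3:D6:9F:7C:DD:14:A0:99:BA:C4'

# approved_to_sign LIST APPROVED
# Prints the certnames whose pending fingerprint equals the recorded one.
# Requests with no record, or with a different fingerprint, are reported on
# stderr and left unsigned for a human to investigate.
approved_to_sign() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed -n 's/^"\([^"]*\)" (\([0-9A-F:]*\)).*/\1/p')
        fp=$(printf '%s' "$line" | sed -n 's/^"\([^"]*\)" (\([0-9A-F:]*\)).*/\2/p')
        [ -n "$name" ] || continue
        want=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$want" ]; then
            echo "no recorded fingerprint for $name, not signing" >&2
        elif [ "$want" != "$fp" ]; then
            echo "fingerprint mismatch for $name: expected $want, got $fp" >&2
        else
            echo "$name"
        fi
    done
}

# sign_approved LIST APPROVED: sign each verified certname individually.
# Run on the master as: sign_approved "$(puppet cert --list)" "$(cat approved.txt)"
sign_approved() {
    for n in $(approved_to_sign "$1" "$2"); do
        puppet cert sign "$n"
    done
}
```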
[root@master ~]# mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}
[root@master ~]# mkdir /etc/puppet/manifests/nodes
[root@master ~]# mkdir /etc/puppet/modules/ssh/files/ssh
[root@master ~]# chown -R puppet /etc/puppet/modules/
[root@master ~]# ll /etc/puppet/modules/ssh/
总用量 12
drwxr-xr-x. 3 puppet root 4096 1月 8 22:46 files
drwxr-xr-x. 2 puppet root 4096 1月 8 22:46 manifests
drwxr-xr-x. 2 puppet root 4096 1月 8 22:46 templates
3.1.2 Create the module manifest install.pp
[root@master ~]# vi /etc/puppet/modules/ssh/manifests/install.pp
First make sure the SSH service is installed on the client
class ssh::install {
  package { "openssh":
    ensure => present,
  }
}
--------------------------------------------------------------------------
3.1.3 Create the module manifest config.pp
[root@master ~]# vi /etc/puppet/modules/ssh/manifests/config.pp
class ssh::config {
  # The file the client must keep in sync with the server
  file { "/etc/ssh/sshd_config":
    ensure  => present,        # the file must exist on the client
    owner   => "root",
    group   => "root",
    mode    => "0600",
    # Pull the file from the master's module file server
    # (/etc/puppet/modules/ssh/files/ssh/sshd_config); "puppet:///" with
    # three slashes refers to the server this agent is configured to use
    source  => "puppet:///modules/ssh/ssh/sshd_config",
    # Apply install.pp first so that ssh is already installed
    require => Class["ssh::install"],
    # Notify service.pp whenever this file changes
    notify  => Class["ssh::service"],
  }
}
-------------------------------------------------------------------------
3.1.4 Create the module manifest service.pp
[root@master ~]# vi /etc/puppet/modules/ssh/manifests/service.pp
class ssh::service {
  # Make sure sshd is running
  service { "sshd":
    ensure     => running,
    hasstatus  => true,    # the init script supports "status", like service sshd status
    hasrestart => true,    # the init script supports "restart", like service sshd restart
    enable     => true,    # start the service at boot
    require    => Class["ssh::config"],  # config.pp must be applied first
  }
}
--------------------------------------------------------------------------
3.1.5 Create the main module manifest init.pp
[root@master ~]# vi /etc/puppet/modules/ssh/manifests/init.pp
class ssh {
  include ssh::install, ssh::config, ssh::service
}
---------------------------------------------------------
/etc/puppet/modules/ssh/manifests now contains four files
[root@master ~]# ll /etc/puppet/modules/ssh/manifests
总用量 16
-rw-r--r--. 1 root root 271 1月 8 22:58 config.pp
-rw-r--r--. 1 root root 60 1月 8 23:05 init.pp
-rw-r--r--. 1 root root 69 1月 8 22:52 install.pp
-rw-r--r--. 1 root root 159 1月 8 23:04 service.pp
-----------------------------------------------------
3.1.6 Create the centrally maintained sshd_config on the server.
[root@master ~]# cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/
[root@master ~]# chown puppet /etc/puppet/modules/ssh/files/ssh/sshd_config
----------------------------------------------------------------
3.1.7 Create the test node manifest and load the ssh module into it.
[root@master ~]# vi /etc/puppet/manifests/nodes/ssh.pp
node 'client.test.cn' {
  include ssh
}
node 'client133.test.cn' {
  include ssh
}
-----------------------------------------------
3.1.8 Load the test nodes into puppet, i.e. edit site.pp
[root@master ~]# vi /etc/puppet/manifests/site.pp
import "nodes/ssh.pp"
----------------------------------
3.1.9 Edit the sshd_config maintained on the server
[root@master ~]# vi /etc/puppet/modules/ssh/files/ssh/sshd_config
Add one line:
Port 9922
-------------------------------------------------------------------
3.1.10 Restart the puppet master
[root@master ~]# /etc/init.d/puppetmaster restart
停止 puppetmaster: [确定]
启动 puppetmaster: [确定]
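Because config.pp notifies ssh::service, every agent restarts sshd as soon as the master's copy of sshd_config changes, so a broken file is pushed to all nodes at once. As an added check (not part of the original post), the shell functions below validate the maintained file before the restart in 3.1.10; the sample file is constructed here, and the /usr/sbin/sshd path is an assumption.

```shell
# Added example, not from the original post. Validate the master's copy of
# sshd_config before restarting puppetmaster, since every agent will apply it.

# Constructed sample standing in for /etc/puppet/modules/ssh/files/ssh/sshd_config
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed excerpt of the maintained sshd_config
#Port 22
Port 9922
#AddressFamily any
PermitRootLogin yes
EOF

# check_sshd_port FILE
# Requires exactly one active Port directive with a value in 1..65535;
# prints the port on success, an explanation on stderr and status 1 otherwise.
check_sshd_port() {
    file=$1
    # sshd keywords are case-insensitive; commented lines start with "#"
    count=$(awk 'tolower($1) == "port" { n++ } END { print n + 0 }' "$file")
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one Port directive, found $count" >&2
        return 1
    fi
    port=$(awk 'tolower($1) == "port" { print $2 }' "$file")
    case $port in
        ''|*[!0-9]*) echo "Port value is not numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "Port out of range: $port" >&2
        return 1
    fi
    echo "$port"
}

# check_sshd_file FILE: the port check plus a full syntax check with
# "sshd -t" when the sshd binary is present on the master (assumed path).
check_sshd_file() {
    port=$(check_sshd_port "$1") || return 1
    if [ -x /usr/sbin/sshd ]; then
        /usr/sbin/sshd -t -f "$1" || return 1
    fi
    echo "sshd_config OK, Port $port"
}
```

Run `check_sshd_file /etc/puppet/modules/ssh/files/ssh/sshd_config` on the master before 3.1.10 and abort the restart if it fails.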
-----------------------------------------------------------------------
Step 4: test:
Client-initiated pull
Run the following command on 192.168.200.132
[root@client ~]# puppet agent -t
info: Caching catalog for client.test.cn
info: Applying configuration version '1420730314'
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content:
--- /etc/ssh/sshd_config 2013-11-23 06:40:03.000000000 +0800
+++ /tmp/puppet-file20150108-4788-pehloa-0 2015-01-08 23:18:36.011709007 +0800
@@ -11,6 +11,7 @@
# default value.
#Port 22
+Port 9922
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
info: FileBucket adding {md5}53ad75eb1f2269d23f6e4228353cbca3
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 53ad75eb1f2269d23f6e4228353cbca3
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: content changed '{md5}53ad75eb1f2269d23f6e4228353cbca3' to '{md5}3a2dee85056976947f1c154af9a0bf35'
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Class[Ssh::Service]
info: Class[Ssh::Service]: Scheduling refresh of Service[sshd]
notice: /Stage[main]/Ssh::Service/Service[sshd]: Triggered 'refresh' from 1 events
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.89 seconds
=======================================================================
At this point the run has succeeded on the client. Verify as follows
[root@client ~]# grep "9922" /etc/ssh/sshd_config
Port 9922
---------------------------------
Check whether the SSH service restarted and the new port is in effect
[root@client ~]# netstat -anpt |grep ssh
tcp 0 0 0.0.0.0:9922 0.0.0.0:* LISTEN 5075/sshd
tcp 0 52 192.168.200.132:22 192.168.200.102:49606 ESTABLISHED 3167/sshd
tcp 0 0 :::9922 :::* LISTEN 5075/sshd
-----------------------------------------------------------------------------------------------
Step 5: server-push synchronisation
Server-push mode is used for large-scale deployments.
Client side:
Changes on 192.168.200.133
5.1 Edit the configuration file:
[root@client ~]# vi /etc/puppet/puppet.conf
Append the following at the end:
# Make the puppet agent listen on port 8139
listen = true
[root@client133 ~]# vi /etc/puppet/auth.conf
The auth.conf file defines authentication settings and access permissions.
Append the following at the end:
# Allow any server to push
allow *
5.2 Start the puppet client
[root@client133 ~]# /etc/init.d/puppetclient start
启动 puppet: [确定]
------------------------------------------------------------------------
At this point the run has succeeded on the client. Verify as follows
#Port 22
Port 9922
-----------------------------------------
[root@client133 ~]# netstat -anpt |grep "sshd"
tcp 0 0 0.0.0.0:9922 0.0.0.0:* LISTEN 3675/sshd
tcp 0 52 192.168.200.133:22 192.168.200.102:49614 ESTABLISHED 2274/sshd
tcp 0 0 192.168.200.133:22 192.168.200.102:61164 ESTABLISHED 2182/sshd
tcp 0 0 :::9922 :::* LISTEN 3675/sshd
===================================================================================================
The master can also force a push
[root@master ~]# puppet kick client133.test.cn
Triggering client133.test.cn
Getting status
status is success
client133.test.cn finished with exit code 0
Finished
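Added example, not part of the original post: `allow *` appended to the final `path /` stanza of auth.conf exposes every REST endpoint of the listening agent on port 8139 to any host, while `puppet kick` only needs the master to reach `/run`. The stanza below grants just that, and the audit function flags wildcard allows in a constructed auth.conf; the Puppet 2.7 auth.conf format and the master certname master.test.cn are taken from this lab.

```shell
# Added example, not from the original post. Restrict the agent's auth.conf
# to what "puppet kick" needs, and audit a file for wildcard allows.

# Restricted rule for the agent's /etc/puppet/auth.conf: only the master may
# POST (method save) to /run. Place it before the final "path /" stanza.
KICK_RULE='path /run
auth any
method save
allow master.test.cn'

# Constructed sample auth.conf holding both the restricted rule and the
# "allow *" line from step 5.1.
SAMPLE_AUTH='# constructed sample auth.conf
path /run
auth any
method save
allow master.test.cn

path /
auth any
allow *'

# audit_auth_conf TEXT
# Prints "path: allow-spec" for every stanza whose allow list contains a
# wildcard; returns 1 if any was found, 0 otherwise.
audit_auth_conf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "path"  { path = $2 }
        $1 == "allow" { for (i = 2; i <= NF; i++) if ($i ~ /\*/) { print path ": " $i; found = 1 } }
        END { exit found ? 1 : 0 }'
}
```

On each listening agent, `audit_auth_conf "$(cat /etc/puppet/auth.conf)"` should print nothing once the wildcard line is replaced by KICK_RULE.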
==========================================================
Source: http://www.benet.wang/%E6%9C%8D%E5%8A%A1%E6%90%AD%E5%BB%BA/4.html