#化鲲为鹏,我有话说# Deploying applications on Kunpeng servers with Puppet

wanghan-devops, posted 2019/11/12 17:47:26

-----PuppetMaster-----PuppetClient1-----PuppetClient2-----
     192.168.1.10      192.168.1.101      192.168.1.102

Build steps:

1. Set up the NTP server

1) NTP server configuration:

[root@localhost ~]# vim /etc/ntp.conf

Add:

server 127.127.1.0
fudge 127.127.1.0 stratum 8

[root@localhost ~]# service ntpd restart
[root@localhost ~]# chkconfig --add ntpd
[root@localhost ~]# chkconfig ntpd on

2) Synchronize time on PuppetMaster and both PuppetClients. Puppet's certificates carry validity dates, so a client whose clock is far from the master's will fail to obtain or use its certificate:

[root@localhost ~]# yum -y install ntp
[root@localhost ~]# ntpdate 192.168.1.1      (the NTP server's address; it is a separate host, not one of the three Puppet machines above)

2. Set up the PuppetMaster server

Requirement: every host must be able to resolve the others' names. This guide uses /etc/hosts; DNS works equally well. Puppet issues certificates for hostnames, so the name each machine sets for itself must match its entry in /etc/hosts.

1) Prepare the environment

[root@localhost ~]# hostname master.benet.com
[root@localhost ~]# bash
[root@master ~]# vim /etc/hosts

Add:

192.168.1.10    master.benet.com
192.168.1.101   client1.benet.com
192.168.1.102   client2.benet.com

[root@master ~]# yum -y install compat* ruby*
[root@master ~]# ruby -v
[root@master ~]# useradd -s /sbin/nologin puppet

2) Install facter

The facter and puppet source tarballs are assumed to have been copied to /root already; check their checksums or GPG signatures against the values published by the vendor before unpacking them, since install.rb runs whatever is inside as root.

[root@master ~]# tar -zxvf facter-1.7.1.tar.gz -C /usr/src/
[root@master ~]# cd /usr/src/facter-1.7.1/
[root@master facter-1.7.1]# ruby install.rb

3) Install puppet

[root@master ~]# tar -zxvf puppet-2.7.21.tar.gz -C /usr/src/
[root@master ~]# cd /usr/src/puppet-2.7.21/
[root@master puppet-2.7.21]# ruby install.rb

4) Configure

[root@master ~]# cp /usr/src/puppet-2.7.21/conf/redhat/fileserver.conf /etc/puppet/
[root@master ~]# cp /usr/src/puppet-2.7.21/conf/redhat/puppet.conf /etc/puppet/
[root@master ~]# cp /usr/src/puppet-2.7.21/conf/redhat/server.init /etc/init.d/puppetmaster
[root@master ~]# chmod +x /etc/init.d/puppetmaster
[root@master ~]# mkdir /etc/puppet/manifests
[root@master ~]# mkdir /etc/puppet/modules
[root@master ~]# vim /etc/puppet/puppet.conf

Add under the [main] section (the copied template already has one):

[main]
modulepath = /etc/puppet/modules:/usr/share/puppet/modules

[root@master ~]# /etc/init.d/puppetmaster start
[root@master ~]# chkconfig --add puppetmaster
[root@master ~]# chkconfig puppetmaster on

3. Set up the PuppetClient servers (repeat on both clients)

[root@localhost ~]# hostname client1.benet.com      (client2.benet.com on the second client)
[root@localhost ~]# bash
[root@client1 ~]# vim /etc/hosts

Add:

192.168.1.10    master.benet.com
192.168.1.101   client1.benet.com
192.168.1.102   client2.benet.com

[root@client1 ~]# useradd -s /sbin/nologin puppet
[root@client1 ~]# yum -y install compat* ruby*
[root@client1 ~]# ruby -v
[root@client1 ~]# tar -zxvf facter-1.7.1.tar.gz -C /usr/src/
[root@client1 ~]# cd /usr/src/facter-1.7.1/
[root@client1 facter-1.7.1]# ruby install.rb
[root@client1 ~]# tar -zxvf puppet-2.7.21.tar.gz -C /usr/src/
[root@client1 ~]# cd /usr/src/puppet-2.7.21/
[root@client1 puppet-2.7.21]# ruby install.rb
[root@client1 ~]# cp /usr/src/puppet-2.7.21/conf/redhat/puppet.conf /etc/puppet/
[root@client1 ~]# cp /usr/src/puppet-2.7.21/conf/redhat/client.init /etc/init.d/puppetclient
[root@client1 ~]# chmod +x /etc/init.d/puppetclient
[root@client1 ~]# vim /etc/puppet/puppet.conf

Add (in the [agent] section, or under [main]):

server = master.benet.com

Request a certificate:

[root@client1 ~]# puppet agent --server=master.benet.com --no-daemonize --verbose

Note: without --test the agent stays in the foreground, waits for its certificate to be signed and then keeps running on its normal interval, so stop it with Ctrl + C once the request has been submitted. `puppet agent --test` submits the request and exits on its own.

On the PuppetMaster, list the clients whose requests are pending:

[root@master ~]# puppet cert --list

Sign the pending requests:

[root@master ~]# puppet cert sign --all

Caveat: `sign --all` signs whatever happens to be pending, and anyone who can reach port 8140 can submit a request under any hostname. Unless the network is fully under your control, compare the fingerprint shown by `puppet cert --list` with the one the client prints with `puppet agent --fingerprint`, and sign by name (`puppet cert sign client1.benet.com`).

View the signed clients:

[root@master ~]# ls /var/lib/puppet/ssl/ca/signed

I ran into many errors while deploying Puppet.

Common problems

The logs below come from a different test setup than the one above (a master simply named `puppet` at 192.168.3.9, clients such as c1.localdomain) and use the pre-2.6 command names: puppetd, puppetca and puppetmasterd are the deprecated wrappers for `puppet agent`, `puppet cert` and `puppet master` that 2.7 still ships.

Problem: [root@puppet ~]# puppetd --test --server puppet

   dnsdomainname: Unknown host
   dnsdomainname: Unknown host
   err: Could not request certificate: Connection refused - connect(2)
   Exiting; failed to retrieve certificate and waitforcert is disabled

Solution: two things are wrong here. "dnsdomainname: Unknown host" means the machine's own hostname does not resolve, and "Connection refused" means nothing is listening on the master's port 8140, i.e. the puppetmasterd service has not been started. Add the hostname mapping and start the service:

   [root@localhost ~]# vi /etc/hosts
    Add on the last line:
    192.168.3.9 puppet
   [root@localhost ~]# service puppetmasterd restart   -- restart the service

Problem: [root@c1 ~]# puppetd --server puppet --test

err: Could not request certificate: No route to host - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled

Solution: the master is not reachable on TCP port 8140. Either puppetmasterd is not listening, or the iptables firewall on the master rejected the connection (the default RHEL ruleset rejects with icmp-host-prohibited, which the client reports as "No route to host"). Add an ACCEPT rule for TCP 8140 ahead of the REJECT rule on the master rather than disabling the firewall.

Problem: [root@c1 puppet-2.7.2rc2]# puppetd --test --server puppet

   info: Creating a new SSL key for c1.localdomain
   err: Could not request certificate: getaddrinfo: Name or service not known
   Exiting; failed to retrieve certificate and waitforcert is disabled

Solution: the client has no mapping for the master's name:

   [root@c1 ~]# vi /etc/hosts
   Add on the last line:
   192.168.3.9 puppet
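The three failures above (own hostname not resolving, master name not resolving, port 8140 unreachable) can be checked before the first agent run. The script below is an added example, not part of the original post: it assumes a Linux client with getent, bash (for the /dev/tcp probe) and coreutils timeout; the master name and port 8140 follow this guide, and the check wording is mine.

```shell
#!/bin/sh
# Pre-flight checks for a Puppet client (added example, not from the guide).
# Run on the client as: puppet_precheck master.benet.com

# check_name_resolves NAME -> 0 if NAME resolves via /etc/hosts or DNS
check_name_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# check_tcp_port HOST PORT -> 0 if a TCP connection can be opened.
# /dev/tcp is a bash feature; timeout keeps a firewall that silently DROPs
# from hanging the check.
check_tcp_port() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
}

# puppet_precheck MASTER [PORT]: prints one line per check and returns the
# number of failed checks, so it can gate a larger bootstrap script.
puppet_precheck() {
    master="$1"; port="${2:-8140}"; failed=0
    me="$(hostname -f 2>/dev/null || hostname)"

    # 1. "dnsdomainname: Unknown host": the client's own name must resolve
    if check_name_resolves "$me"; then
        echo "ok   local hostname $me resolves"
    else
        echo "FAIL local hostname $me does not resolve (add it to /etc/hosts)"
        failed=$((failed + 1))
    fi

    # 2. "getaddrinfo: Name or service not known": the master must resolve
    if check_name_resolves "$master"; then
        echo "ok   $master resolves"
    else
        echo "FAIL $master does not resolve (add it to /etc/hosts)"
        failed=$((failed + 1))
        return $failed            # the port check cannot run without a name
    fi

    # 3. "Connection refused" / "No route to host": master up and port open
    if check_tcp_port "$master" "$port"; then
        echo "ok   $master:$port reachable"
    else
        echo "FAIL $master:$port unreachable (puppetmaster not started, or iptables blocks $port)"
        failed=$((failed + 1))
    fi
    return $failed
}
```

A non-zero return value tells a wrapper script not to bother calling `puppet agent` until the hosts file or firewall has been fixed.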

 

Problem: [root@t-db2 ~]# puppetd --server puppet.com --test

   warning: peer certificate won't be verified in this SSL session
   warning: peer certificate won't be verified in this SSL session
   warning: peer certificate won't be verified in this SSL session
   Exiting; no certificate found and waitforcert is disabled

Solution: the request reached the master but has not been signed yet (the warnings are normal until the client holds a signed certificate). On the puppet server run:

   [root@puppet ~]# puppetca -l          -- list the pending unsigned requests
   c1.localdomain
   [root@puppet ~]# puppetca -s c1.localdomain   -- sign the certificate
   notice: Signed certificate request for c1.localdomain

Fixing certificate problems:

If the client gets the following error when requesting a certificate:

err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled

the master still holds a certificate for that name that was issued for an older key (typically after the client was reinstalled or its /var/lib/puppet/ssl was deleted). First clean the client's certificate on the server side; this revokes it and removes the signed copy and the request:

puppetca -c c1.localdomain

Then revoke it on the server side (redundant after clean, which already revoked it; only needed if the clean was skipped):

puppetca -r c1.localdomain

Then, on the client, move the old state aside (only /var/lib/puppet/ssl actually needs to go; the whole directory is moved here):

mv /var/lib/puppet /tmp

Then request a certificate from the client again:

puppetd --test --server puppet

Then sign the client's certificate on the server (-a signs every pending request; sign by name instead if other requests may be waiting):

puppetca -s -a

Done.
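Both the registration step (`puppet cert sign --all`) and the recovery above (`puppetca -s -a`) sign everything that is pending. The script below is an added example, not from the original post: it signs a client's request only after the fingerprint shown by the CA matches a value obtained out of band (for instance read from the client's console via `puppet agent --fingerprint`). It assumes the Puppet 2.7 CLI (`puppet cert list` / `puppet cert sign`), that `puppet cert list` prints the certname in double quotes followed by a colon-separated hex fingerprint, and uses a PUPPET_CMD variable of my own so the command can be substituted for testing.

```shell
#!/bin/sh
# Fingerprint-verified signing (added example, not from the guide).
# Usage on the master: verify_and_sign client1.benet.com AB:12:CD:...
PUPPET_CMD="${PUPPET_CMD:-puppet}"

# extract_fingerprint NAME LISTING
# Finds the line of LISTING that names NAME (in double quotes, as the CA
# prints it) and prints the colon-separated hex fingerprint on it, upper-cased.
# Prints nothing if NAME is absent. Tolerates both the 2.7 layout
#   "name" (AB:CD:...)
# and the later layout
#   "name" (SHA256) AB:CD:...
extract_fingerprint() {
    name="$1"
    printf '%s\n' "$2" | awk -v want="$name" '
        index($0, "\"" want "\"") {
            for (i = 1; i <= NF; i++) {
                tok = $i
                gsub(/[()]/, "", tok)
                if (tok ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/) {
                    print toupper(tok); exit
                }
            }
        }'
}

# verify_and_sign NAME EXPECTED_FP
# Returns 0 after signing when the pending request for NAME carries
# EXPECTED_FP, 1 when the fingerprint differs (nothing is signed),
# 2 when no request for NAME is pending.
verify_and_sign() {
    name="$1"
    expected="$(printf '%s' "$2" | tr 'a-f' 'A-F')"
    listing="$("$PUPPET_CMD" cert list 2>/dev/null)"
    actual="$(extract_fingerprint "$name" "$listing")"
    if [ -z "$actual" ]; then
        echo "no pending request for $name" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING to sign $name: fingerprint $actual != expected $expected" >&2
        return 1
    fi
    "$PUPPET_CMD" cert sign "$name"
}
```

A mismatch means either a typo in the value you copied from the client or a request submitted by something else that is using the client's name; in both cases the right move is to clean the request on the master and look at the client before trying again.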

=== Example configuration ===

Master side:

1. Create the necessary directories:

[root@master ~]# mkdir /etc/puppet/modules/ssh/{manifests,templates,files} -p
[root@master ~]# mkdir /etc/puppet/manifests/nodes -p
[root@master ~]# mkdir /etc/puppet/modules/ssh/files/ssh -p
[root@master ~]# chown -R puppet /etc/puppet/modules/
[root@master ~]# ll /etc/puppet/modules/ssh/    // three directories: files, manifests, templates

2. Create the module manifests:

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/install.pp

Add:

class ssh::install {
  # on RHEL/CentOS the sshd daemon and /etc/ssh/sshd_config come from
  # openssh-server; the plain "openssh" package only holds the shared files
  package { "openssh-server":
    ensure => present,
  }
}

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/config.pp

Add:

class ssh::config {
  file { "/etc/ssh/sshd_config":
    ensure  => present,
    owner   => "root",
    group   => "root",
    mode    => "0600",
    # puppet:///modules/<module>/<path> is served from the module's files/
    # directory by the master the agent is configured to use; the
    # $puppetserver variable of the original is not defined anywhere
    source  => "puppet:///modules/ssh/ssh/sshd_config",
    require => Class["ssh::install"],
    # every change to this file restarts sshd on the client
    notify  => Class["ssh::service"],
  }
}

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/service.pp

Add:

class ssh::service {
  service { "sshd":
    ensure     => running,
    hasstatus  => true,
    hasrestart => true,
    enable     => true,
    require    => Class["ssh::config"],
  }
}

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/init.pp

Add:

class ssh {
  include ssh::install, ssh::config, ssh::service
}

[root@master ~]# ll /etc/puppet/modules/ssh/manifests/   // four files
[root@master ~]# cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/
[root@master ~]# chown puppet /etc/puppet/modules/ssh/files/ssh/sshd_config

Create the test nodes:

[root@master ~]# vim /etc/puppet/manifests/nodes/ssh.pp

Add:

node 'client1.benet.com' {
  include ssh
}

node 'client2.benet.com' {
  include ssh
}

Load the node definitions into puppet:

[root@master ~]# vim /etc/puppet/manifests/site.pp

Add:

import "nodes/ssh.pp"

Modify the sshd_config maintained on the server:

[root@master ~]# vim /etc/puppet/modules/ssh/files/ssh/sshd_config

Change:

Port 9922

Before the agents apply this, make sure TCP 9922 is allowed through iptables on the clients and, if SELinux is enforcing there, that the port is labelled ssh_port_t (semanage port); otherwise the notify in ssh::config restarts sshd on a port nobody can reach and you are locked out of the client. Keep an existing session open until the new port has been verified. The same caution applies to any other edit of this file: a line that sshd rejects (check with `sshd -t` on a client first) is pushed to, and restarted on, every node that includes the class.

Restart puppet:

[root@master ~]# /etc/init.d/puppetmaster restart

Verify:

1. The client pulls the catalog itself:

[root@client1 ~]# puppet agent -t
[root@client1 ~]# netstat -anpt | grep sshd     // check that the listening port has changed

2. Set up pushes from the server:

client side:

[root@client1 ~]# vim /etc/puppet/puppet.conf

Add (as the last line):

listen = true

This makes the agent listen on TCP 8139 so that the master can trigger a run.

[root@client1 ~]# vim /etc/puppet/auth.conf

Add (as the last line):

allow *        // allow any server to push

Caveat: in the stock auth.conf that ships with 2.7 the last stanza is "path /" with "auth any", so appending "allow *" to it lets any host that can reach port 8139, with or without a certificate, call every endpoint the agent exposes, not just the run trigger. Restrict it to the master's certname on the /run path with "auth yes" instead.

[root@client1 ~]# /etc/init.d/puppetclient restart

master side:

[root@master signed]# puppet kick client1.benet.com     // push
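The stanza the guide produces beside a restricted one, plus a small audit that flags wide-open stanzas in an auth.conf, as an added example that is not part of the original post. It assumes the stanza syntax of Puppet 2.7's auth.conf (a `path` line followed by optional `method`, `auth` and `allow` lines, `auth` defaulting to yes) and the master name used in this guide; the labels RISKY and BROAD are my own.

```shell
#!/bin/sh
# auth.conf hardening and audit (added example, not from the guide).

# What the guide's "allow *" produces: the trailing stanza of the stock
# file is "path /" with "auth any", so every host, authenticated or not,
# may use every HTTP method on every path of the agent's port 8139.
WEAK_STANZA='path /
auth any
allow *
'

# Restricted replacement: only the master's certname, only the run
# endpoint that puppet kick calls, only after a valid client certificate.
SAFE_STANZA='path /run
method save
auth yes
allow master.benet.com
'

# write_sample FILE STANZA: materialise a stanza as a file
write_sample() { printf '%s' "$2" > "$1"; }

# audit_auth_conf FILE
# Prints "RISKY <path>" for every stanza that allows any host ("allow *")
# without requiring a certificate ("auth any" / "auth no"), and
# "BROAD <path>" where "allow *" is combined with "auth yes" (any node
# holding a certificate from the CA). Returns the number of RISKY stanzas.
audit_auth_conf() {
    awk '
        function flush() {
            if (path != "") {
                if (allow_all && (auth == "any" || auth == "no")) { print "RISKY " path; risky++ }
                else if (allow_all)                             { print "BROAD " path }
            }
            path = ""; auth = "yes"; allow_all = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 == "path"  { flush(); path = ($2 == "~") ? $3 : $2 }
        $1 == "auth"  { auth = $2 }
        $1 == "allow" {
            # allow lists are comma and/or whitespace separated
            s = $0; sub(/^[ \t]+/, "", s)
            n = split(s, t, /[ \t,]+/)
            for (i = 2; i <= n; i++) if (t[i] == "*") allow_all = 1
        }
        END { flush(); exit risky }
    ' "$1"
}
```

Run `audit_auth_conf /etc/puppet/auth.conf` on a client after editing; the stock file legitimately contains BROAD stanzas such as /report, but a RISKY line means an unauthenticated host can reach that path.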


[Copyright notice] This article is original content by a Huawei Cloud community user; when reposting, cite the source (Huawei Cloud community), the article link and the author.