
Puppet configuration

1. Time synchronization

The agent and the master must keep their clocks in sync; the best way to do this is with the NTP service.

Check whether NTP is installed:

[root@master-elk ~]# rpm -qa|grep ntp
ntpdate-4.2.6p5-10.el6.centos.1.x86_64
ntp-4.2.6p5-10.el6.centos.1.x86_64

Since I am using an Aliyun server, this is already configured by default, as follows:

cat /etc/ntp.conf

# ntp.conf

driftfile  /var/lib/ntp/drift
pidfile   /var/run/ntpd.pid
logfile /var/log/ntp.log

# Access Control Support
restrict    default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# local clock
server 127.127.1.0
fudge  127.127.1.0 stratum 10

server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp1.aliyun.com nomodify notrap nopeer noquery
server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp2.aliyun.com nomodify notrap nopeer noquery
server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp3.aliyun.com nomodify notrap nopeer noquery
server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp4.aliyun.com nomodify notrap nopeer noquery
server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp5.aliyun.com nomodify notrap nopeer noquery
server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp6.aliyun.com nomodify notrap nopeer noquery
server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp1.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp2.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp3.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp4.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp5.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp6.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp7.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp8.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp9.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp10.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp11.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp12.cloud.aliyuncs.com nomodify notrap nopeer noquery

Start it and enable it at boot:

/etc/init.d/ntpd start
chkconfig ntpd on

It is also a good idea to add a cron job:

20 06 * * * ntpdate cn.pool.ntp.org && hwclock -w

Restart cron:

/etc/init.d/crond restart

2. Configure puppet.conf (master)

The default configuration is as follows:

[main]
    # The Puppet log directory.
    # The default value is $vardir/log.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is $vardir/run.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is $confdir/ssl.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is $confdir/classes.txt.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is $confdir/localconfig.
    localconfig = $vardir/localconfig

The configuration now looks like this, based on the actual production setup:

[master]
#   storeconfigs = true
#   storeconfigs_backend = puppetdb
    autosign       = true
#    ca             = true
#    ssldir         = /var/lib/puppet/ssl
#    certname       = puppetmaster.com
    strict_variables = false
    #environmentpath  = /etc/puppet/modules
    basemodulepath   = /etc/puppet/modules
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    reports = http
    reporturl = http://puppetmaster.com:3000/reports/upload # where reports are sent; can also be set in the dashboard or foreman configuration

[main]
    # The Puppet log directory.
    # The default value is $vardir/log.
    logdir = /var/log/puppet # default log directory

    # Where Puppet PID files are kept.
    # The default value is $vardir/run.
    rundir = /var/run/puppet # pid file directory

    # Where SSL certificates are kept.
    # The default value is $confdir/ssl.
    ssldir = $vardir/ssl # default certificate directory; $vardir defaults to /var/lib/puppet
    autosign = $confdir/autosign.conf # autosign policy file, by default /etc/puppet/autosign.conf

    pluginsync = false # plugin sync, needed for custom facter facts; false here, so not enabled
    masterport = 8140 # port the master listens on
    environment = production
    certname = puppetmaster.com
    server = puppetmaster.com # the master
    listen = false
    splay = false
    splaylimit = 1800
    runinterval = 1800 # default agent check-in interval; adjust as needed
    noop = false
    configtimeout = 120
    usecacheonfailure = true


[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is $confdir/classes.txt.
    classfile = $vardir/classes.txt # classes associated with the retrieved configuration

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is $confdir/localconfig.
    localconfig = $vardir/localconfig # local configuration cache

Create the site.pp file, which tells Puppet where to find and load the configuration for the specified clients. We create it now and leave it empty for the moment:

[root@master-elk manifests]# pwd
/etc/puppet/manifests
[root@master-elk manifests]# ls
[root@master-elk manifests]# touch site.pp
[root@master-elk manifests]# ls
site.pp
[root@master-elk manifests]#

Configure the firewall:

iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT

Start:

puppetmasterd -v -d --no-daemonize   # run in the foreground for testing
service puppetmaster start           # normal start
or
/etc/init.d/puppetmaster restart

Verify the service is listening: ss -antupl | grep 8140

When the master starts it creates a local certificate authority together with the master's own certificate and keys; they can be inspected under /etc/puppet/ssl/:

tree /etc/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       └── puppetmaster.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.com.pem
└── public_keys
    └── puppetmaster.com.pem

Agent configuration (typical)

cat /etc/puppet/puppet.conf

[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

[agent]
    listen = true  # enable the listening process
    classfile = $vardir/classes.txt   # classes associated with the retrieved configuration
    localconfig = $vardir/localconfig  # local configuration cache

    server = puppetmaster.com
    report = true   # send reports
    runinterval = 1800
# if certname is not set, it defaults to the hostname

To connect the client to the master, run on the client:

puppet agent --server=puppetmaster.com --no-daemonize --verbose   # test start
--no-daemonize: keep the agent in the foreground and log to standard output
--verbose: make the agent log detailed output
--debug can be added for even more detail.
Short form:
puppet agent --test
Normal start: service puppet start

What happens above is that the agent issues a certificate signing request and connects using its private key. Puppet uses SSL certificates to authenticate the connection between agent and master: the agent sends its certificate request to the master and waits for the master to sign and return the certificate. The agent keeps running while it waits for the signed certificate; until the certificate arrives or the agent exits, it checks every 2 minutes whether a signed certificate is available.

Confirm on the server side:

On the master, run:

puppet cert --list --all   # show certificate status; a leading + means the certificate has been signed

In a real production environment with many machines, running this command can produce the following error:

[root@puppetmater~]# puppet cert --list all
Error: header too long

It is caused by the machine running out of disk space; check with df -h.

See the original article here, although it is blocked by the firewall (if you cannot reach it, read the copy below).

I have pasted the full text here:

Puppet Error: header too long
If you're working with Puppet and you find that you get this error:
puppet cert --list
Error: header too long
Be mindful of your free space! I've now rolled out 20 servers or so in my puppet setup (soon to be duplicated to over 142 servers once I get these running right. All I'll have to do is spin up a new server, give it an IP and hostname and tell it where the Puppet Master is and Puppet will handle the rest!), and I've found that I'm starting to easily fill up the drive with old reports. Especially when re-running puppet syncs more frequently than the normal 30 min run-interval. I started getting the above error with a lot of various puppet commands, the simplest one, just trying to list certs. Then I checked a "df -h":
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1              16G   15G     0 100% /
Oops! Using the following script I was able to clean up old reports easily. Set the "days" variable to as high as you want for your setup. I'm using Puppet Dashboard to pull in reports to a DB, so I don't need to keep the yamls around too long.
#!/bin/sh
days="+1"       # more than a day old

# one directory per node under the reports dir
for d in `find /var/lib/puppet/reports -mindepth 1 -maxdepth 1 -type d`
do
        # delete all but the newest report older than $days
        find "$d" -type f -name \*.yaml -mtime $days |
        sort -r |
        tail -n +2 |
        xargs /bin/rm -f
done
In my case, since it tried to sync a new server ssl cert while the drive was full, the error came out to be due to not only the free space, but a corrupt cert. To find the offending cert and fix the issue, you'll need to look through the /var/lib/puppet dir for the file. The host I was looking for is betamem.example.com and I found it like this:
# cd /var/lib/puppet
# find ./|grep betamem
./ssl/ca/requests/betamem.example.com
I then removed the cert (held in /var/lib/puppet/ssl/certificate_requests/) from the agent on betamem and told it to try again by cycling its puppet agent.
# rm -f /var/lib/puppet/ssl/certificate_requests/*
# /etc/init.d/puppet restart
Stopping puppet agent:                                     [  OK  ]
Starting puppet agent:                                     [  OK  ]
Tailing /var/log/messages on the master shows it's got a new request, so let's sign it:
# tail /var/log/messages -n1
puppet-master[22486]: betamem.example.com has a waiting certificate request
# puppet cert --sign betamem.example.com
Signed certificate request for betamem.example.com
Removing file Puppet::SSL::CertificateRequest at '/var/lib/puppet/ssl/ca/requests/betamem.example.com.pem'
Go back to the puppet agent and cycle it again, or just wait until the next run-interval and it should be back to normal!

Manual certificate signing

puppet cert --sign agent1.puppetmaster.com   # sign agent1

Another way to check the certificate status

tree /var/lib/puppet/ssl/   # another way to check certificate status

/etc/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── puppetmaster.com.pem
│       ├── agent1.puppetmaster.com.pem   # the newly signed agent
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.com.pem
└── public_keys
    └── puppetmaster.com.pem

Certificate signing can also be done on the server (master) side.

Run on the master:

puppet agent --test       # the puppetmaster requests an agent certificate for itself
puppet cert --sign --all  # sign all pending node requests
puppet cert --list --all  # show the certificate status of all nodes

But when we have hundreds of machines this becomes very tedious, so Puppet provides a better way:

Autosign mode

Master-side configuration

As follows:

[root@master-elk ~]# cd /etc/puppet/
[root@master-elk puppet]# ls
auth.conf  environments  fileserver.conf  manifests  modules  puppet.conf
[root@master-elk puppet]# touch autosign.conf
[root@master-elk puppet]# vim autosign.conf
[root@master-elk puppet]# cat autosign.conf
*.puppetmaster.com
[root@master-elk puppet]#

Create autosign.conf and add the agents that should be signed automatically.

The *.puppetmaster.com I wrote here matches every agent whose hostname ends with that suffix, and all of them are signed automatically.

# Note: after any change on the master, the puppetmaster service must be reloaded with the following command:

service puppetmaster reload
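As an added example (not code from the original post), the following POSIX shell script emulates the autosign.conf matching rules described above, so you can audit which certnames a policy would sign before enabling it on the master; the policy file contents, hostnames and helper names are constructed for this example, and a bare "*" line (which, like autosign = true in the [master] section above, signs every request) is flagged separately.

```shell
#!/bin/sh
# Added example, not from the original post: emulate how a Puppet 3 master
# evaluates autosign.conf so a policy can be audited before it is enabled.
# Assumed rules (mine, not the post's): blank lines and lines starting with
# "#" are ignored; a bare "*" accepts every CSR (the same exposure as
# autosign = true); "*.suffix" accepts any certname ending in ".suffix";
# any other line must equal the certname exactly. Certnames are lower-case.

# autosign_match POLICY_FILE CERTNAME -> status 0 if the CSR would be signed
autosign_match() {
    policy=$1
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')    # trim blanks and CRLF
        if [ -z "$line" ]; then continue; fi
        case "$line" in
            '#'*)  continue ;;                          # full-line comment
            '*')   return 0 ;;                          # signs everyone
            '*.'*) suffix=${line#\*}                    # e.g. ".puppetmaster.com"
                   case "$name" in *"$suffix") return 0 ;; esac ;;
            *)     if [ "$name" = "$line" ]; then return 0; fi ;;
        esac
    done < "$policy"
    return 1
}

# policy_has_wildcard POLICY_FILE -> status 0 if a bare "*" line exists,
# i.e. any host that can reach port 8140 gets a signed certificate
policy_has_wildcard() {
    grep -q '^[[:space:]]*\*[[:space:]]*$' "$1"
}

# Constructed autosign.conf for the demo: the post's single rule plus one
# exact certname (both hostnames are made up for this example).
POLICY_FILE=$(mktemp)
cat > "$POLICY_FILE" <<'EOF'
# agents signed without an operator
*.puppetmaster.com
db01.internal.test
EOF

for n in agent1.puppetmaster.com AGENT2.PUPPETMASTER.COM puppetmaster.com \
         db01.internal.test host.puppetmaster.com.other.test; do
    if autosign_match "$POLICY_FILE" "$n"; then echo "ACCEPT $n"; else echo "REJECT $n"; fi
done
if policy_has_wildcard "$POLICY_FILE"; then echo "WARNING: bare * signs every CSR"; fi
```

Note that puppetmaster.com itself is rejected by *.puppetmaster.com, since the pattern requires the leading dot; run the script against your real autosign.conf to see exactly which names it admits.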

2. Modify fileserver.conf

Create the directory: mkdir /etc/puppet/files

Grant access to the /etc/puppet/files directory in this file:

# vi /etc/puppet/fileserver.conf
[files]
  path /etc/puppet/files
  allow *        # or allow *.puppetmaster.com

[modules]
  allow *

[plugins]
  allow *

3. puppet agent (client) configuration

3.1 Allow the master to issue kick commands. By default the Puppet agent contacts the server every 30 minutes, but sometimes we want the server to push something to the clients urgently; that is what puppet kick is for.

Add the following to /etc/puppet/auth.conf (some versions ship it by default). The path / entry must be present.

path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/node/([^/]+)$
method find
allow $1


path /certificate_revocation_list/ca
method find
allow *

path /report
method save
allow *

path /file
allow *

path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

path /run
method save
allow pup.qeeyou.com

path /
auth any

3.2

On the client, edit or create /etc/puppet/namespaceauth.conf with the following content:

[puppetrunner]
allow puppetmaster.com    # the domain name bound to the master's IP

To push, run on the server (explained later; only a brief mention here):

puppet kick -p 10 agent1.puppetmaster.com

When something goes wrong we need to clear the certificates and re-authenticate, as follows.

II. Clearing existing certificates

If the client has already had a certificate signed, the old certificate must be cleared with the following steps, otherwise authentication will fail.

1. On the server, run the following command, where "puppet2.hnr.com" is the client host:

# puppet cert clean puppet2.hnr.com

2. On the client, run:

# find /var/lib/puppet/ssl -name puppet2.hnr.com.pem -delete

The signing procedure is the same as above, so I will not repeat it here.

 
