1时间问题
agent与master端务必要保持时间的一致性,最好使用ntp服务
检查ntp服务是否安装
[root@master-elk ~]# rpm -qa|grep ntp ntpdate-4.2.6p5-10.el6.centos.1.x86_64 ntp-4.2.6p5-10.el6.centos.1.x86_64
由于我使用的阿里云的服务器,这个已经默认配置好了,如下
1 cat /etc/ntp.conf 2 3 # ntp.conf 4 5 driftfile /var/lib/ntp/drift 6 pidfile /var/run/ntpd.pid 7 logfile /var/log/ntp.log 8 9 # Access Control Support 10 restrict default kod nomodify notrap nopeer noquery 11 restrict -6 default kod nomodify notrap nopeer noquery 12 restrict 127.0.0.1 13 14 # local clock 15 server 127.127.1.0 16 fudge 127.127.1.0 stratum 10 17 18 server ntp1.aliyun.com iburst minpoll 4 maxpoll 10 19 restrict ntp1.aliyun.com nomodify notrap nopeer noquery 20 server ntp2.aliyun.com iburst minpoll 4 maxpoll 10 21 restrict ntp2.aliyun.com nomodify notrap nopeer noquery 22 server ntp3.aliyun.com iburst minpoll 4 maxpoll 10 23 restrict ntp3.aliyun.com nomodify notrap nopeer noquery 24 server ntp4.aliyun.com iburst minpoll 4 maxpoll 10 25 restrict ntp4.aliyun.com nomodify notrap nopeer noquery 26 server ntp5.aliyun.com iburst minpoll 4 maxpoll 10 27 restrict ntp5.aliyun.com nomodify notrap nopeer noquery 28 server ntp6.aliyun.com iburst minpoll 4 maxpoll 10 29 restrict ntp6.aliyun.com nomodify notrap nopeer noquery 30 server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 31 restrict ntp1.cloud.aliyuncs.com nomodify notrap nopeer noquery 32 server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 33 restrict ntp2.cloud.aliyuncs.com nomodify notrap nopeer noquery 34 server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 35 restrict ntp3.cloud.aliyuncs.com nomodify notrap nopeer noquery 36 server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 37 restrict ntp4.cloud.aliyuncs.com nomodify notrap nopeer noquery 38 server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 39 restrict ntp5.cloud.aliyuncs.com nomodify notrap nopeer noquery 40 server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 41 restrict ntp6.cloud.aliyuncs.com nomodify notrap nopeer noquery 42 server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 43 restrict ntp7.cloud.aliyuncs.com nomodify notrap nopeer noquery 44 server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 45 restrict ntp8.cloud.aliyuncs.com nomodify notrap nopeer noquery 46 server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 47 restrict ntp9.cloud.aliyuncs.com nomodify notrap nopeer noquery 48 server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 49 restrict ntp10.cloud.aliyuncs.com nomodify notrap nopeer noquery 50 server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 51 restrict ntp11.cloud.aliyuncs.com nomodify notrap nopeer noquery 52 server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10 53 restrict ntp12.cloud.aliyuncs.com nomodify notrap nopeer noquery
启动并且加入开启启动
1 /etc/init.d/ntpd start 2 chkconfig ntpd on
最好在计划任务里面加上
1 20 06 * * * ntpdate cn.pool.ntp.org && hwclock -w
重启计划任务
1 /etc/init.d/crond restart
补充:
先来了解一下puppet的配置文件
1 # puppet主配置及目录结构 2 3 /etc/puppet 4 auth.conf - Agent访问Master的权限控制文件 5 authsign.conf - Master对Agent证书自动签名的配置文件 6 fileserver.conf - Master向Agent同步静态文件的配置文件(Master挂载目录位置和挂载目录的授权信息) 7 puppet.conf - Master守护进程的主要配置文件,定义了运行环境、启动加载文件、配置管理程序、授权Agent的证书目录等信息 8 tagmail.conf - Puppet邮件发送配置文件 9 namespaceauth.conf - 名称空间配置文件 10 files/ - Master存放的静态文件 11 manifests/ - Agent入口的导航文件和逻辑文件 12 site.pp 13 modules/ - Puppet的基础模块 14 ssl/ - Master在此目录存放CA证书和已签名授权的Agent证书文件列表,Agent在此目录存放被Master授权的证书文件
2配置puppet.conf(master)
默认配置如下:
1 [main] 2 # The Puppet log directory. 3 # The default value is '$vardir/log'. 4 logdir = /var/log/puppet 5 6 # Where Puppet PID files are kept. 7 # The default value is '$vardir/run'. 8 rundir = /var/run/puppet 9 10 # Where SSL certificates are kept. 11 # The default value is '$confdir/ssl'. 12 ssldir = $vardir/ssl 13 14 [agent] 15 # The file in which puppetd stores a list of the classes 16 # associated with the retrieved configuratiion. Can be loaded in 17 # the separate ``puppet`` executable using the ``--loadclasses`` 18 # option. 19 # The default value is '$confdir/classes.txt'. 20 classfile = $vardir/classes.txt 21 22 # Where puppetd caches the local configuration. An 23 # extension indicating the cache format is added automatically. 24 # The default value is '$confdir/localconfig'. 25 localconfig = $vardir/localconfig
现在配置如下,以生产的实际情况来做
1 [master] 2 # storeconfigs = true 3 # storeconfigs_backend = puppetdb 4 autosign = true 5 # ca = true 6 # ssldir = /var/lib/puppet/ssl 7 # certname = puppetmaster.com 8 strict_variables = false 9 #environmentpath = /etc/puppet/modules 10 basemodulepath = /etc/puppet/modules 11 ssl_client_header = SSL_CLIENT_S_DN 12 ssl_client_verify_header = SSL_CLIENT_VERIFY 13 reports = http
reporturl = http://puppetmaster.com:3000/reports/upload #报告发送地址,可配置在dashboard或foreman配置文件中 14 [main] 15 # The Puppet log directory. 16 # The default value is '$vardir/log'. 17 logdir = /var/log/puppet #默认日志存放路径 18 19 # Where Puppet PID files are kept. 20 # The default value is '$vardir/run'. 21 rundir = /var/run/puppet #pid存放路径 22 23 # Where SSL certificates are kept. 24 # The default value is '$confdir/ssl'. 25 ssldir = $vardir/ssl #默认证书存放目录,默认$vardir为/var/lib/puppet 26 autosign = $confdir/autosign.conf #自动证书签名默认在/etc/puppet/autosign.conf 27 28 pluginsync = false #插件同步配置对facter自定义有效这里为false没开启 29 masterport = 8140 #master监听端口 30 environment = production 31 certname = puppetmaster.com 32 server = puppetmaster.com #master端 33 listen = false 34 splay = false 35 splaylimit = 1800 36 runinterval = 1800 ##客户端默认探测时间,可按需求修改 37 noop = false 38 configtimeout = 120 39 usecacheonfailure = true 40 41 42 [agent] 43 # The file in which puppetd stores a list of the classes 44 # associated with the retrieved configuratiion. Can be loaded in 45 # the separate ``puppet`` executable using the ``--loadclasses`` 46 # option. 47 # The default value is '$confdir/classes.txt'. 48 classfile = $vardir/classes.txt #关联与检索配置文件目录 49 50 # Where puppetd caches the local configuration. An 51 # extension indicating the cache format is added automatically. 52 # The default value is '$confdir/localconfig'. 53 localconfig = $vardir/localconfig ##本地缓存配置目录
创建sitt.pp文件,会告诉puppet去哪里寻找并且载入指定的客户端配置,我们来创建它现在先让它为空
1 [root@master-elk manifests]# pwd 2 /etc/puppet/manifests 3 [root@master-elk manifests]# ls 4 [root@master-elk manifests]# touch site.pp 5 [root@master-elk manifests]# ls 6 site.pp 7 [root@master-elk manifests]#
设置防火墙
1 iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT
启动:
puppetmasterd -v -d --no-daemonize # 前台测试启动 这是2.x测试命令
puppet master -v -d --no-daemonize #3.x测试命令
1 service puppetmaster start #正式启动 2 或者 3 /etc/init.d/puppetmaster restart
服务验证:ss -antupl |grep 8140
master启动后会创建一个本地的master认证中心,同时创建master的相关证书和密钥,可以在 /etc/puppet/ssl/目录下查看相关的证书和密钥(看配置文件里面你定义在哪里)
1 tree /etc/puppet/ssl/ 2 ├── ca 3 │ ├── ca_crl.pem 4 │ ├── ca_crt.pem 5 │ ├── ca_key.pem 6 │ ├── inventory.txt 7 │ ├── private 8 │ │ └── ca.pass 9 │ ├── requests 10 │ ├── serial 11 │ └── signed
| ├──puppetmaster.com.pem
12 ├── certificate_requests 13 ├── certs 14 │ ├── ca.pem 15 │ └──puppetmaster.com.pem 16 ├── crl.pem 17 ├── private 18 ├── private_keys 19 │ └──puppetmaster.com.pem 20 └── public_keys 21 └──puppetmaster.com.pem
agent端配置(一般配置)
1 cat /etc/puppet/puppet.conf 2 3 [main] 4 logdir = /var/log/puppet 5 rundir = /var/run/puppet 6 ssldir = $vardir/ssl 7 8 [agent] 9 listen = true #监听进程 10 classfile = $vardir/classes.txt ##关联与检索配置文件目录 11 localconfig = $vardir/localconfig # #本地缓存配置目录 12 13 server = puppetmaster.com 14 report = true #发送报告 15 runinterval = 1800
#certname 不写默认是hostname
客户端连接到master端,在客户端上执行命令
1 puppet agent --server=puppetmaster.com --no-daemonize --verbose #测试启动 2 --no-daemonize: 让puppet客户端工作到前台并输出日志到标准输出 3 --verbose:是客户端输出详细信息日志 4 也可以加上--debug,让日志更加详细。 5 简洁方式: 6 puppet agent --test
正常启动 service puppet start
上面的意思是agent发起了一个证书验证请求,并且使用加密私钥来连接,puppet使用ssl证书来验证agent和master之间的连接,agent想master发出证书验证请求,等待master签名并且返回证书。现在agent依然运行并且等待已被签名的证书,在证书到达或者退出之前,agent会每个2分钟来是否存在被签名的证书。
服务端确认:
master执行:
1 puppet cert --list --all #查看认证情况 前面出现+表示认证过了
在真实很多台的线上环境执行这条命令的时候会出现如下错误
1 [root@puppetmater~]# puppet cert --list all 2 Error: header too long
是由于机器空间不足造成的可以df-h查看机器空间
参见这里但是需要翻墙(不能翻墙的点击下面的)
我贴出来具体过程:
1 Puppet Error: header too long 2 If you're working with Puppet and you find that you get this error: 3 puppet cert --list 4 Error: header too long 5 Be mindful of your free space! I've now rolled out 20 servers or so in my puppet setup (soon to be duplicated to over 142 servers once I get these running right. All I'll have to do is spin up a new server, give it an IP and hostname and tell it where the Puppet Master is and Puppet will handle the rest!), and I've found that I'm starting to easily fill up the drive with old reports. Especially when re-running puppet syncs more frequently than the normal 30 min run-interval. I started getting the above error with a lot of various puppet commands, the simplest one, just trying to list certs. Then I checked a "df -h": 6 # df -h 7 Filesystem Size Used Avail Use% Mounted on 8 /dev/sda1 16G 15G 0 100% / 9 Oops! Using the following script I was able to clean up old reports easily. Set the "days" variable to as high as you want for your setup. I'm using Puppet Dashboard to pull in reports to a DB, so I don't need to keep the yaml's around too long. 10 #!/bin/sh 11 days="+1" # more than a day old 12 13 for d in `find /var/lib/puppet/reports -mindepth 1 -maxdepth 1 -type d` 14 do 15 find $d -type f -name *.yaml -mtime $days | 16 sort -r | 17 tail -n +2 | 18 xargs /bin/rm -f 19 done 20 In my case, since it tried to sync a new server ssl cert while the drive was full, the error came out to be due to not only the free space, but a corrupt cert. To find the offending cert and fix the issue, you'll need to look through the /var/lib/puppet dir for the file. The host I was looking for is 'betamem.example.com' and I found it like this: 21 # cd /var/lib/puppet 22 # find ./|grep betamem 23 ./ssl/ca/requests/betamem.example.com 24 I then removed the cert (held in /var/lib/puppet/ssl/certificate_requests/) from the agent on 'betamem' and told it to try again by cycling it's puppet agent. 25 # rm -f /var/lib/puppet/ssl/certificate_requests/* 26 # /etc/init.d/puppet restart 27 Stopping puppet agent: [ OK ] 28 Starting puppet agent: [ OK ] 29 Tailing /var/log/messages on the master shows it's got a new request, so let's sign it: 30 # tail /var/log/messages -n1 31 puppet-master[22486]: betamem.example.com has a waiting certificate request 32 # puppet cert --sign betamem.example.com 33 Signed certificate request for betamem.example.com 34 Removing file Puppet::SSL::CertificateRequest at '/var/lib/puppet/ssl/ca/requests/betamem.example.com.pem' 35 Go back to the puppet agent and cycle it again, or just wait until the next run-interval and it should be back to normal!
手动注册认证
1 puppet cert --sign agent1.puppetmaster.com #注册agent1
另外一种查看认证的方式
1 tree /var/lib/puppet/ssl/ #另外一种查看认证的方式 2 3 /etc/puppet/ssl/ 4 ├── ca 5 │ ├── ca_crl.pem 6 │ ├── ca_crt.pem 7 │ ├── ca_key.pem 8 │ ├── inventory.txt 9 │ ├── private 10 │ │ └── ca.pass 11 │ ├── requests 12 │ ├── serial 13 │ └── signed 14 │ ├──puppetmaster.com.pem 15 │ ├──agent1.puppetmaster.com.pem #注册认证 16 ├── certificate_requests 17 ├── certs 18 │ ├── ca.pem 19 │ └── puppetmaster.com.pem 20 ├── crl.pem 21 ├── private 22 ├── private_keys 23 │ └── puppetmaster.com.pem 24 └── public_keys 25 └── puppetmaster.com.pem
另外也可以在服务算(master)来做认证
在master服务端执行
1 puppet agent --test #puppetmaster自己申请agent认证 2 puppet cert --sign --all #注册所有请求的节点 3 puppet cert --list --all #查看所有节点认证
但是当我们有上百台机器的时候,这样来做显得十分麻烦,所以puppet提供了一种更好地办法
自动签名认证模式
master端服务端配置
1 如下:
1 [root@master-elk ~]# cd /etc/puppet/ 2 [root@master-elk puppet]# ls 3 auth.conf environments fileserver.conf manifests modules puppet.conf 4 [root@master-elk puppet]# touch autosign.conf 5 [root@master-elk puppet]# vim autosign.conf 6 [root@master-elk puppet]# cat autosign.conf 7 *.puppetmaster.com 8 [root@master-elk puppet]#
创建autosign.conf,然后在里面添加要自动签名的agent
我这里写的*.puppetmaster.com是去匹配agent端hostname以这个结尾的全部自动签名认证
# 注:master端的任何修改,都要重新装载puppetmaster服务,即执行如下命令即可
service puppetmaster reload
2.修改fileserver.conf
创建mkdir /etc/puppet/files
向该文件授予/etc/puppet/files目录的权限
# vi /etc/puppet/fileserver.conf
1 [files] 2 path /etc/puppet/files 3 allow * #或者写成allow *.puppetmaster.com 4 5 [modules] 6 allow * 7 8 [plugins] 9 allow *
该文件就是一个file服务器,我们在里面可以定义需要同步的文件,一般在同步的时候用source来制定路径,如下一个简单的例子
1 此案例为C/S结构,把master上面的hosts文件同步到agent上面,如果发现同步文件不一致,需要对源文件进行备份后再进行覆盖,在master上编 2 3 辑/etc/puppet/manifests/site.pp 4 node default { 5 file {'/etc/hosts' : 6 backup => '.bak', 7 source => "puppet:///files/hosts", 8 } 9 } 10 file {'/etc/hosts' : 11 backup => '.bak', 12 source => "puppet:///bin/python2.7.zip", 13 } 14 } 15 我们可以没有bin模块,只需要在fileserver.conf里面定义好配置文件就行了 16 17 18 其中puppet:///挂载的路径由master上的fileserver.conf文件指定,如下: 19 # cat fileserver.conf 20 [files] 21 path /etc/puppet/files 22 allow * 23 [bin] 24 path /opt/file/ 25 allow * 26 把hosts文件放到/etc/puppet/files路径下,设置好之后我们在agent上面执行查看 27 把python2.7.zip文件放到/opt/file/路径下,设置好之后我们在agent上面执行查看 28
3puppet agent客户端配置
3.1允许master发起kick命令,puppet客户端默认每30分钟很服务器通讯一次,但是有时,我们希望服务器能够给客户端紧急推送一些东西,于是就有了puppet kick
配置文件/etc/puppet/auth.conf加入如下内容(有些版本是默认自带)这个必须有path /这个
/etc/puppet/auth.conf文件配置签名的ACL列表,配置准许哪些ip或者域名来签名通过
1 path ~ ^/catalog/([^/]+)$ 2 method find 3 allow $1 4 5 path ~ ^/node/([^/]+)$ 6 method find 7 allow $1 8 9 10 path /certificate_revocation_list/ca 11 method find 12 allow * 13 14 path /report 15 method save 16 allow * 17 18 path /file 19 allow * 20 21 path /certificate/ca 22 auth any 23 method find 24 allow * 25 26 path /certificate/ 27 auth any 28 method find 29 allow * 30 31 path /certificate_request 32 auth any 33 method find, save 34 allow * 35 36 path /run 37 method save 38 allow pup.qeeyou.com 39 40 path / 41 auth any
3.2
在客户端编辑或创建新文件/etc/puppet/namespaceauth.conf,包含下面内容
[puppetrunner]
allow puppetmaster.com #填写master端ip绑定的那个域名
推送方法,在服务器端运行命令(后边会讲解,这里简单提一下)
1 puppet kick -p 10 agent1.puppetmaster.com
当有问题的时候我们需要清空删除证书,然后重新来认证如下
二、清除原有证书
如果原客户端已经签过证书需要执行以下操作清空旧的证书,否则认证将失败
1.在服务端上执行以下命令其中“puppet2.hnr.com”为相关客户端主机
# puppet cert clean puppet2.hnr.com
2.在客户端上执行以下命令
# find /var/lib/puppet/ssl -name puppet2.hnr.com.pem -delete
认证的方法和上面一样,这里就不多说了