• puppet的配置


    1时间问题

    agent与master端务必要保持时间的一致性,最好使用ntp服务

    检查ntp服务是否安装

    [root@master-elk ~]# rpm -qa|grep ntp
    ntpdate-4.2.6p5-10.el6.centos.1.x86_64
    ntp-4.2.6p5-10.el6.centos.1.x86_64

    由于我使用的阿里云的服务器,这个已经默认配置好了,如下

     1 cat  /etc/ntp.conf
     2 
     3 # ntp.conf
     4 
     5 driftfile  /var/lib/ntp/drift
     6 pidfile   /var/run/ntpd.pid
     7 logfile /var/log/ntp.log
     8 
     9 # Access Control Support
    10 restrict    default kod nomodify notrap nopeer noquery
    11 restrict -6 default kod nomodify notrap nopeer noquery
    12 restrict 127.0.0.1
    13 
    14 # local clock
    15 server 127.127.1.0
    16 fudge  127.127.1.0 stratum 10
    17 
    18 server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
    19 restrict ntp1.aliyun.com nomodify notrap nopeer noquery
    20 server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
    21 restrict ntp2.aliyun.com nomodify notrap nopeer noquery
    22 server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
    23 restrict ntp3.aliyun.com nomodify notrap nopeer noquery
    24 server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
    25 restrict ntp4.aliyun.com nomodify notrap nopeer noquery
    26 server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
    27 restrict ntp5.aliyun.com nomodify notrap nopeer noquery
    28 server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
    29 restrict ntp6.aliyun.com nomodify notrap nopeer noquery
    30 server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    31 restrict ntp1.cloud.aliyuncs.com nomodify notrap nopeer noquery
    32 server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    33 restrict ntp2.cloud.aliyuncs.com nomodify notrap nopeer noquery
    34 server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    35 restrict ntp3.cloud.aliyuncs.com nomodify notrap nopeer noquery
    36 server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    37 restrict ntp4.cloud.aliyuncs.com nomodify notrap nopeer noquery
    38 server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    39 restrict ntp5.cloud.aliyuncs.com nomodify notrap nopeer noquery
    40 server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    41 restrict ntp6.cloud.aliyuncs.com nomodify notrap nopeer noquery
    42 server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    43 restrict ntp7.cloud.aliyuncs.com nomodify notrap nopeer noquery
    44 server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    45 restrict ntp8.cloud.aliyuncs.com nomodify notrap nopeer noquery
    46 server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    47 restrict ntp9.cloud.aliyuncs.com nomodify notrap nopeer noquery
    48 server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    49 restrict ntp10.cloud.aliyuncs.com nomodify notrap nopeer noquery
    50 server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    51 restrict ntp11.cloud.aliyuncs.com nomodify notrap nopeer noquery
    52 server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    53 restrict ntp12.cloud.aliyuncs.com nomodify notrap nopeer noquery
    View Code

    启动并且加入开启启动

    1 /etc/init.d/ntpd  start
    2 chkconfig  ntpd on

    最好在计划任务里面加上

    1 20 06 * * * ntpdate cn.pool.ntp.org && hwclock -w

    重启计划任务

    1  /etc/init.d/crond restart

    补充:

    先来了解一下puppet的配置文件

     1 # puppet主配置及目录结构
     2 
     3 /etc/puppet
     4 auth.conf - Agent访问Master的权限控制文件
     5 authsign.conf - Master对Agent证书自动签名的配置文件
     6 fileserver.conf - Master向Agent同步静态文件的配置文件(Master挂载目录位置和挂载目录的授权信息)
     7 puppet.conf - Master守护进程的主要配置文件,定义了运行环境、启动加载文件、配置管理程序、授权Agent的证书目录等信息
     8 tagmail.conf - Puppet邮件发送配置文件
     9 namespaceauth.conf - 名称空间配置文件
    10 files/ - Master存放的静态文件
    11 manifests/ - Agent入口的导航文件和逻辑文件
    12 site.pp
    13 modules/ - Puppet的基础模块
    14 ssl/ - Master在此目录存放CA证书和已签名授权的Agent证书文件列表,Agent在此目录存放被Master授权的证书文件

    参考:http://www.justontheway.com/blog/archives/%E9%9B%86%E7%BE%A4%E8%87%AA%E5%8A%A8%E5%8C%96%E7%AE%A1%E7%90%86puppet%E4%BB%8B%E7%BB%8D/

     2配置puppet.conf(master)

    默认配置如下:

     1 [main]
     2     # The Puppet log directory.
     3     # The default value is '$vardir/log'.
     4     logdir = /var/log/puppet
     5 
     6     # Where Puppet PID files are kept.
     7     # The default value is '$vardir/run'.
     8     rundir = /var/run/puppet
     9 
    10     # Where SSL certificates are kept.
    11     # The default value is '$confdir/ssl'.
    12     ssldir = $vardir/ssl
    13 
    14 [agent]
    15     # The file in which puppetd stores a list of the classes
    16     # associated with the retrieved configuratiion.  Can be loaded in
    17     # the separate ``puppet`` executable using the ``--loadclasses``
    18     # option.
    19     # The default value is '$confdir/classes.txt'.
    20     classfile = $vardir/classes.txt
    21 
    22     # Where puppetd caches the local configuration.  An
    23     # extension indicating the cache format is added automatically.
    24     # The default value is '$confdir/localconfig'.
    25     localconfig = $vardir/localconfig
    View Code

    现在配置如下,以生产的实际情况来做

     1 [master]
     2 #   storeconfigs = true
     3 #   storeconfigs_backend = puppetdb
     4     autosign       = true
     5 #    ca             = true
     6 #    ssldir         = /var/lib/puppet/ssl
     7  #   certname       = puppetmaster.com
     8     strict_variables = false
     9     #environmentpath  = /etc/puppet/modules
    10     basemodulepath   = /etc/puppet/modules
    11     ssl_client_header = SSL_CLIENT_S_DN
    12     ssl_client_verify_header = SSL_CLIENT_VERIFY
    13     reports = http
    reporturl = http://puppetmaster.com:3000/reports/upload #报告发送地址,可配置在dashboard或foreman配置文件中
    14 [main] 15 # The Puppet log directory. 16 # The default value is '$vardir/log'. 17 logdir = /var/log/puppet #默认日志存放路径 18 19 # Where Puppet PID files are kept. 20 # The default value is '$vardir/run'. 21 rundir = /var/run/puppet #pid存放路径 22 23 # Where SSL certificates are kept. 24 # The default value is '$confdir/ssl'. 25 ssldir = $vardir/ssl #默认证书存放目录,默认$vardir为/var/lib/puppet 26 autosign = $confdir/autosign.conf #自动证书签名默认在/etc/puppet/autosign.conf 27 28 pluginsync = false #插件同步配置对facter自定义有效这里为false没开启 29 masterport = 8140 #master监听端口 30 environment = production 31 certname = puppetmaster.com 32 server = puppetmaster.com #master端 33 listen = false 34 splay = false 35 splaylimit = 1800 36 runinterval = 1800 ##客户端默认探测时间,可按需求修改 37 noop = false 38 configtimeout = 120 39 usecacheonfailure = true 40 41 42 [agent] 43 # The file in which puppetd stores a list of the classes 44 # associated with the retrieved configuratiion. Can be loaded in 45 # the separate ``puppet`` executable using the ``--loadclasses`` 46 # option. 47 # The default value is '$confdir/classes.txt'. 48 classfile = $vardir/classes.txt #关联与检索配置文件目录 49 50 # Where puppetd caches the local configuration. An 51 # extension indicating the cache format is added automatically. 52 # The default value is '$confdir/localconfig'. 53 localconfig = $vardir/localconfig ##本地缓存配置目录

    创建sitt.pp文件,会告诉puppet去哪里寻找并且载入指定的客户端配置,我们来创建它现在先让它为空

    1 [root@master-elk manifests]# pwd
    2 /etc/puppet/manifests
    3 [root@master-elk manifests]# ls
    4 [root@master-elk manifests]# touch site.pp
    5 [root@master-elk manifests]# ls
    6 site.pp
    7 [root@master-elk manifests]# 

    设置防火墙

    1 iptables -I  INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT

    启动:

    
    
    puppetmasterd -v -d --no-daemonize # 前台测试启动 这是2.x测试命令
    puppet master -v -d --no-daemonize #3.x测试命令
    1 service puppetmaster start  #正式启动
    2 或者
    3 /etc/init.d/puppetmaster  restart
    服务验证:ss -antupl |grep 8140

    master启动后会创建一个本地的master认证中心,同时创建master的相关证书和密钥,可以在 /etc/puppet/ssl/目录下查看相关的证书和密钥(看配置文件里面你定义在哪里)

     1 tree  /etc/puppet/ssl/
     2 ├── ca
     3 │   ├── ca_crl.pem
     4 │   ├── ca_crt.pem
     5 │   ├── ca_key.pem
     6 │   ├── inventory.txt
     7 │   ├── private
     8 │   │   └── ca.pass
     9 │   ├── requests
    10 │   ├── serial
    11 │   └── signed
    | ├──puppetmaster.com.pem
    12 ├── certificate_requests 13 ├── certs 14 │   ├── ca.pem 15 │   └──puppetmaster.com.pem 16 ├── crl.pem 17 ├── private 18 ├── private_keys 19 │   └──puppetmaster.com.pem 20 └── public_keys 21 └──puppetmaster.com.pem

     agent端配置(一般配置)

     1 cat   /etc/puppet/puppet.conf
     2 
     3 [main]
     4     logdir = /var/log/puppet
     5     rundir = /var/run/puppet
     6     ssldir = $vardir/ssl
     7 
     8 [agent]
     9     listen = true  #监听进程
    10     classfile = $vardir/classes.txt   ##关联与检索配置文件目录
    11     localconfig = $vardir/localconfig  # #本地缓存配置目录
    12 
    13    server = puppetmaster.com
    14    report = true   #发送报告
    15    runinterval = 1800
    #certname 不写默认是hostname

     客户端连接到master端,在客户端上执行命令

    1  puppet agent --server=puppetmaster.com --no-daemonize --verbose   #测试启动
    2 --no-daemonize: 让puppet客户端工作到前台并输出日志到标准输出
    3  --verbose:是客户端输出详细信息日志
    4 也可以加上--debug,让日志更加详细。
    5 简洁方式:
    6  puppet agent  --test
    正常启动 service puppet start

    上面的意思是agent发起了一个证书验证请求,并且使用加密私钥来连接,puppet使用ssl证书来验证agent和master之间的连接,agent想master发出证书验证请求,等待master签名并且返回证书。现在agent依然运行并且等待已被签名的证书,在证书到达或者退出之前,agent会每个2分钟来是否存在被签名的证书。

    服务端确认:

    master执行:

    1 puppet cert --list --all #查看认证情况      前面出现+表示认证过了

    在真实很多台的线上环境执行这条命令的时候会出现如下错误

    1 [root@puppetmater~]# puppet cert --list all
    2 Error: header too long

    是由于机器空间不足造成的可以df-h查看机器空间

    参见这里但是需要翻墙(不能翻墙的点击下面的)

    我贴出来具体过程:

     1 Puppet Error: header too long
     2 If you're working with Puppet and you find that you get this error:
     3 puppet cert --list
     4 Error: header too long
     5 Be mindful of your free space! I've now rolled out 20 servers or so in my puppet setup (soon to be duplicated to over 142 servers once I get these running right. All I'll have to do is spin up a new server, give it an IP and hostname and tell it where the Puppet Master is and Puppet will handle the rest!), and I've found that I'm starting to easily fill up the drive with old reports. Especially when re-running puppet syncs more frequently than the normal 30 min run-interval. I started getting the above error with a lot of various puppet commands, the simplest one, just trying to list certs. Then I checked a "df -h":
     6 # df -h
     7 Filesystem            Size  Used Avail Use% Mounted on
     8 /dev/sda1              16G   15G     0 100% /
     9 Oops! Using the following script I was able to clean up old reports easily. Set the "days" variable to as high as you want for your setup. I'm using Puppet Dashboard to pull in reports to a DB, so I don't need to keep the yaml's around too long.
    10 #!/bin/sh
    11 days="+1"       # more than a day old
    12 
    13 for d in `find /var/lib/puppet/reports -mindepth 1 -maxdepth 1 -type d`
    14 do
    15         find $d -type f -name *.yaml -mtime $days |
    16         sort -r |
    17         tail -n +2 |
    18         xargs /bin/rm -f
    19 done
    20 In my case, since it tried to sync a new server ssl cert while the drive was full, the error came out to be due to not only the free space, but a corrupt cert. To find the offending cert and fix the issue, you'll need to look through the /var/lib/puppet dir for the file. The host I was looking for is 'betamem.example.com' and I found it like this:
    21 # cd /var/lib/puppet
    22 # find ./|grep betamem
    23 ./ssl/ca/requests/betamem.example.com
    24 I then removed the cert (held in /var/lib/puppet/ssl/certificate_requests/) from the agent on 'betamem' and told it to try again by cycling it's puppet agent.
    25 # rm -f /var/lib/puppet/ssl/certificate_requests/*
    26 # /etc/init.d/puppet restart
    27 Stopping puppet agent:                                     [  OK  ]
    28 Starting puppet agent:                                     [  OK  ]
    29 Tailing /var/log/messages on the master shows it's got a new request, so let's sign it:
    30 # tail /var/log/messages -n1
    31 puppet-master[22486]: betamem.example.com has a waiting certificate request
    32 # puppet cert --sign betamem.example.com
    33 Signed certificate request for betamem.example.com
    34 Removing file Puppet::SSL::CertificateRequest at '/var/lib/puppet/ssl/ca/requests/betamem.example.com.pem'
    35 Go back to the puppet agent and cycle it again, or just wait until the next run-interval and it should be back to normal!
    Puppet Error: header too long

     手动注册认证

    1 puppet cert --sign agent1.puppetmaster.com #注册agent1

    另外一种查看认证的方式

     1 tree /var/lib/puppet/ssl/ #另外一种查看认证的方式
     2 
     3 /etc/puppet/ssl/
     4 ├── ca
     5 │   ├── ca_crl.pem
     6 │   ├── ca_crt.pem
     7 │   ├── ca_key.pem
     8 │   ├── inventory.txt
     9 │   ├── private
    10 │   │   └── ca.pass
    11 │   ├── requests
    12 │   ├── serial
    13 │   └── signed
    14 │       ├──puppetmaster.com.pem
    15 │       ├──agent1.puppetmaster.com.pem  #注册认证
    16 ├── certificate_requests
    17 ├── certs
    18 │   ├── ca.pem
    19 │   └── puppetmaster.com.pem
    20 ├── crl.pem
    21 ├── private
    22 ├── private_keys
    23 │   └── puppetmaster.com.pem
    24 └── public_keys
    25     └── puppetmaster.com.pem
    View Code

    另外也可以在服务算(master)来做认证

    在master服务端执行

    1 puppet agent --test #puppetmaster自己申请agent认证
    2 puppet cert --sign --all #注册所有请求的节点
    3 puppet cert --list --all #查看所有节点认证

    但是当我们有上百台机器的时候,这样来做显得十分麻烦,所以puppet提供了一种更好地办法

    自动签名认证模式

    master端服务端配置

    1 如下:

    1 [root@master-elk ~]# cd /etc/puppet/
    2 [root@master-elk puppet]# ls
    3 auth.conf  environments  fileserver.conf  manifests  modules  puppet.conf
    4 [root@master-elk puppet]# touch autosign.conf
    5 [root@master-elk puppet]# vim autosign.conf 
    6 [root@master-elk puppet]# cat autosign.conf 
    7 *.puppetmaster.com
    8 [root@master-elk puppet]# 
    View Code

    创建autosign.conf,然后在里面添加要自动签名的agent

    我这里写的*.puppetmaster.com是去匹配agent端hostname以这个结尾的全部自动签名认证

    # 注:master端的任何修改,都要重新装载puppetmaster服务,即执行如下命令即可

    service puppetmaster reload

    2.修改fileserver.conf

    创建mkdir /etc/puppet/files

    向该文件授予/etc/puppet/files目录的权限

    # vi /etc/puppet/fileserver.conf
    1
    [files] 2 path /etc/puppet/files 3 allow * #或者写成allow *.puppetmaster.com 4 5 [modules] 6 allow * 7 8 [plugins] 9 allow *

    该文件就是一个file服务器,我们在里面可以定义需要同步的文件,一般在同步的时候用source来制定路径,如下一个简单的例子

     1 此案例为C/S结构,把master上面的hosts文件同步到agent上面,如果发现同步文件不一致,需要对源文件进行备份后再进行覆盖,在master上编
     2 
     3 辑/etc/puppet/manifests/site.pp
     4 node default {
     5 file {'/etc/hosts' :
     6      backup => '.bak',
     7      source => "puppet:///files/hosts",
     8     }
     9 }
    10 file {'/etc/hosts' :
    11      backup => '.bak',
    12      source => "puppet:///bin/python2.7.zip",
    13     }
    14 }
    15 我们可以没有bin模块,只需要在fileserver.conf里面定义好配置文件就行了
    16 
    17 
    18 其中puppet:///挂载的路径由master上的fileserver.conf文件指定,如下:
    19 # cat fileserver.conf 
    20 [files]
    21 path /etc/puppet/files
    22 allow *
    23 [bin]
    24 path  /opt/file/
    25 allow *
    26 把hosts文件放到/etc/puppet/files路径下,设置好之后我们在agent上面执行查看
    27 把python2.7.zip文件放到/opt/file/路径下,设置好之后我们在agent上面执行查看
    28       

    3puppet agent客户端配置

    3.1允许master发起kick命令,puppet客户端默认每30分钟很服务器通讯一次,但是有时,我们希望服务器能够给客户端紧急推送一些东西,于是就有了puppet kick

    配置文件/etc/puppet/auth.conf加入如下内容(有些版本是默认自带)这个必须有path /这个

    /etc/puppet/auth.conf文件配置签名的ACL列表,配置准许哪些ip或者域名来签名通过

     1 path ~ ^/catalog/([^/]+)$
     2 method find
     3 allow $1
     4 
     5 path ~ ^/node/([^/]+)$
     6 method find
     7 allow $1
     8 
     9 
    10 path /certificate_revocation_list/ca
    11 method find
    12 allow *
    13 
    14 path /report
    15 method save
    16 allow *
    17 
    18 path /file
    19 allow *
    20 
    21 path /certificate/ca
    22 auth any
    23 method find
    24 allow *
    25 
    26 path /certificate/
    27 auth any
    28 method find
    29 allow *
    30 
    31 path /certificate_request
    32 auth any
    33 method find, save
    34 allow *
    35 
    36 path /run
    37 method save
    38 allow pup.qeeyou.com
    39 
    40 path /
    41 auth any
    View Code

    3.2

    在客户端编辑或创建新文件/etc/puppet/namespaceauth.conf,包含下面内容

    [puppetrunner]
    allow puppetmaster.com    #填写master端ip绑定的那个域名

    推送方法,在服务器端运行命令(后边会讲解,这里简单提一下)

    1  puppet kick -p 10  agent1.puppetmaster.com

    当有问题的时候我们需要清空删除证书,然后重新来认证如下

    二、清除原有证书

    如果原客户端已经签过证书需要执行以下操作清空旧的证书,否则认证将失败

    1.在服务端上执行以下命令其中“puppet2.hnr.com”为相关客户端主机

    # puppet cert clean puppet2.hnr.com

    2.在客户端上执行以下命令

    # find /var/lib/puppet/ssl -name puppet2.hnr.com.pem -delete

     认证的方法和上面一样,这里就不多说了

  • 相关阅读:
    javascript数组查重方法总结
    html5的web存储
    掌握javascript中的最基础数据结构-----数组
    ES解决geoip的location不为geo_point格式
    elk默认分片只有1000导致索引没有创建
    Polysh批量管理服务器
    Git永久删除文件和历史记录
    windows下设置JupyterNotebook默认目录
    windwos安装RabbitMQ
    win7计划任务报该任务映像己损坏或己篡改
  • 原文地址:https://www.cnblogs.com/Dicky-Zhang/p/6260127.html
Copyright © 2020-2023  润新知