Puppet Server从部署到上线使用
目录
这是一篇todo文章,可以快速将puppetserver部署起来,经常遇到的坑也会写出来,但是自己不踩吭记忆是没有成长的(不仅仅是收获经验,重要的是增加了学习的能力),如果不缺时间的话,强烈建议看官方文档:https://puppet.com/docs/puppet/7/server/install_from_packages.html
安装master
通过源来安装
sudo rpm -Uvh https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
sudo yum install puppetserver
启动master服务
sudo systemctl start puppetserver
如果报错
Found master private key '/etc/puppetlabs/puppet/ssl/private_keys/localhost.localdomain.pem' but master public key '/etc/puppetlabs/puppet/ssl/public...需要把ssl目录删除sudo rm -rf /etc/puppetlabs/puppet/ssl/*(已经上线的master,请自己考虑后果再决定),再尝试启动
修改dns解析
解析puppet到master的ip即可
或者绑定hosts, 如果是hosts,客户端和服务器都需要绑定hosts到master的ip
10.10.0.10 puppet
安装puppet-agent
安装agnet需要先启用仓库
sudo rpm -Uvh https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
sudo yum install puppet-agent
anget连接server
手动签名认证
#] puppet agent --test
Info: Creating a new RSA SSL key for agent
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent
Info: Certificate Request fingerprint (SHA256): A3:CA:C3:B1:69:C9:97:3D:3A:BB:A4:F0:E5:15:34:A5:74:B5:86:08:E1:A9:02:A6:D4:91:12:04:6A:89:76:70
Info: Certificate for agent has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (agent).
Exiting now because the waitforcert setting is set to 0.
这时候需要在master节点上面允许agnet的证书,以下是master节点执行:
# 查看还没签名的证书
puppetserver ca list
# 给所有证书签名
puppetserver ca sign --all
自动签名认证
自动认证需要编写ACL规则,一个简单的规则如下:
#] vim /etc/puppetlabs/puppet/autosign.conf
*.nutscloud.com
然后重新启动master服务即可
部署代码
然后把清单文件(.pp)放到master的/etc/puppetlabs/code/environments/production/manifests
modules放到/etc/puppetlabs/code/modules
其他证书操作
吊销证书
如果不想让某个agent来连接master,可以在master上面把证书撤销
puppetserver ca revoke --certname agent_name
清理证书
比如说重装了系统,需要master重新生成证书
puppetserver ca clean --certname agent_name