这是一篇todo文章,可以快速将puppetserver部署起来,经常遇到的坑也会写出来,但是自己不踩吭记忆是没有成长的(不仅仅是收获经验,重要的是增加了学习的能力),如果不缺时间的话,强烈建议看官方文档:https://puppet.com/docs/puppet/7/server/install_from_packages.html

安装master

通过源来安装

1
2
sudo rpm -Uvh https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
sudo yum install puppetserver

启动master服务

1
sudo systemctl start puppetserver

如果报错Found master private key '/etc/puppetlabs/puppet/ssl/private_keys/localhost.localdomain.pem' but master public key '/etc/puppetlabs/puppet/ssl/public...需要把ssl目录删除sudo rm -rf /etc/puppetlabs/puppet/ssl/*已经上线的master,请自己考虑后果再决定),再尝试启动

修改dns解析

解析puppet到master的ip即可

或者绑定hosts, 如果是hosts,客户端和服务器都需要绑定hosts到master的ip

1
10.10.0.10  puppet

安装puppet-agent

安装agnet需要先启用仓库

1
2
sudo rpm -Uvh https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
sudo yum install puppet-agent

anget连接server

手动签名认证

1
2
3
4
5
6
7
8
9
#] puppet agent --test

Info: Creating a new RSA SSL key for agent
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent
Info: Certificate Request fingerprint (SHA256): A3:CA:C3:B1:69:C9:97:3D:3A:BB:A4:F0:E5:15:34:A5:74:B5:86:08:E1:A9:02:A6:D4:91:12:04:6A:89:76:70
Info: Certificate for agent has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (agent).
Exiting now because the waitforcert setting is set to 0.

这时候需要在master节点上面允许agnet的证书,以下是master节点执行:

1
2
3
4
5
# 查看还没签名的证书
puppetserver ca list

# 给所有证书签名
puppetserver ca sign --all

自动签名认证

自动认证需要编写ACL规则,一个简单的规则如下:

1
2
3
#] vim /etc/puppetlabs/puppet/autosign.conf

*.nutscloud.com

然后重新启动master服务即可

部署代码

然后把清单文件(.pp)放到master的/etc/puppetlabs/code/environments/production/manifests
modules放到/etc/puppetlabs/code/modules

其他证书操作

吊销证书

如果不想让某个agent来连接master,可以在master上面把证书撤销

1
puppetserver ca revoke --certname agent_name

清理证书

比如说重装了系统,需要master重新生成证书

1
puppetserver ca clean --certname agent_name