puppet的配置

1时间问题

agent与master端务必要保持时间的一致性，最好使用ntp服务

检查ntp服务是否安装

[root@master-elk ~]# rpm -qa|grep ntp
ntpdate-4.2.6p5-.el6.centos..x86_64
ntp-4.2.6p5-.el6.centos..x86_64

由于我使用的阿里云的服务器，这个已经默认配置好了，如下

 cat  /etc/ntp.conf

 # ntp.conf

 driftfile  /var/lib/ntp/drift
 pidfile   /var/run/ntpd.pid
 logfile /var/log/ntp.log

 # Access Control Support
 restrict    default kod nomodify notrap nopeer noquery
 restrict - default kod nomodify notrap nopeer noquery
 restrict 127.0.0.1

 # local clock
 server 127.127.1.0
 fudge  127.127.1.0 stratum 

 server ntp1.aliyun.com iburst minpoll  maxpoll
 restrict ntp1.aliyun.com nomodify notrap nopeer noquery
 server ntp2.aliyun.com iburst minpoll  maxpoll
 restrict ntp2.aliyun.com nomodify notrap nopeer noquery
 server ntp3.aliyun.com iburst minpoll  maxpoll
 restrict ntp3.aliyun.com nomodify notrap nopeer noquery
 server ntp4.aliyun.com iburst minpoll  maxpoll
 restrict ntp4.aliyun.com nomodify notrap nopeer noquery
 server ntp5.aliyun.com iburst minpoll  maxpoll
 restrict ntp5.aliyun.com nomodify notrap nopeer noquery
 server ntp6.aliyun.com iburst minpoll  maxpoll
 restrict ntp6.aliyun.com nomodify notrap nopeer noquery
 server ntp1.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp1.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp2.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp2.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp3.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp3.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp4.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp4.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp5.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp5.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp6.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp6.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp7.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp7.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp8.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp8.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp9.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp9.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp10.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp10.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp11.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp11.cloud.aliyuncs.com nomodify notrap nopeer noquery
 server ntp12.cloud.aliyuncs.com iburst minpoll  maxpoll
 restrict ntp12.cloud.aliyuncs.com nomodify notrap nopeer noquery

启动并且加入开启启动

 /etc/init.d/ntpd  start
 chkconfig  ntpd on

最好在计划任务里面加上

   * * * ntpdate cn.pool.ntp.org && hwclock -w

重启计划任务

  /etc/init.d/crond restart

补充：

先来了解一下puppet的配置文件

 # puppet主配置及目录结构

 /etc/puppet
 auth.conf - Agent访问Master的权限控制文件
 authsign.conf - Master对Agent证书自动签名的配置文件
 fileserver.conf - Master向Agent同步静态文件的配置文件(Master挂载目录位置和挂载目录的授权信息)
 puppet.conf - Master守护进程的主要配置文件，定义了运行环境、启动加载文件、配置管理程序、授权Agent的证书目录等信息
 tagmail.conf - Puppet邮件发送配置文件
 namespaceauth.conf - 名称空间配置文件
 files/ - Master存放的静态文件
 manifests/ - Agent入口的导航文件和逻辑文件
 site.pp
 modules/ - Puppet的基础模块
 ssl/ - Master在此目录存放CA证书和已签名授权的Agent证书文件列表，Agent在此目录存放被Master授权的证书文件

参考：http://www.justontheway.com/blog/archives/%E9%9B%86%E7%BE%A4%E8%87%AA%E5%8A%A8%E5%8C%96%E7%AE%A1%E7%90%86puppet%E4%BB%8B%E7%BB%8D/

2配置puppet.conf(master)

默认配置如下:

 [main]
     # The Puppet log directory.
     # The default value is '$vardir/log'.
     logdir = /var/log/puppet

     # Where Puppet PID files are kept.
     # The default value is '$vardir/run'.
     rundir = /var/run/puppet

     # Where SSL certificates are kept.
     # The default value is '$confdir/ssl'.
     ssldir = $vardir/ssl

 [agent]
     # The file in which puppetd stores a list of the classes
     # associated with the retrieved configuratiion.  Can be loaded in
     # the separate ``puppet`` executable using the ``--loadclasses``
     # option.
     # The default value is '$confdir/classes.txt'.
     classfile = $vardir/classes.txt

     # Where puppetd caches the local configuration.  An
     # extension indicating the cache format is added automatically.
     # The default value is '$confdir/localconfig'.
     localconfig = $vardir/localconfig

现在配置如下,以生产的实际情况来做

 [master]
 #   storeconfigs = true
 #   storeconfigs_backend = puppetdb
     autosign       = true
 #    ca             = true
 #    ssldir         = /var/lib/puppet/ssl
  #   certname       = puppetmaster.com
     strict_variables = false
     #environmentpath  = /etc/puppet/modules
     basemodulepath   = /etc/puppet/modules
     ssl_client_header = SSL_CLIENT_S_DN
     ssl_client_verify_header = SSL_CLIENT_VERIFY
     reports = http
       reporturl = http://puppetmaster.com:3000/reports/upload   #报告发送地址，可配置在dashboard或foreman配置文件中
 [main]
     # The Puppet log directory.
     # The default value is '$vardir/log'.
     logdir = /var/log/puppet    #默认日志存放路径

     # Where Puppet PID files are kept.
     # The default value is '$vardir/run'.
     rundir = /var/run/puppet  #pid存放路径

     # Where SSL certificates are kept.
     # The default value is '$confdir/ssl'.
     ssldir = $vardir/ssl     #默认证书存放目录，默认$vardir为/var/lib/puppet
     autosign       = $confdir/autosign.conf  #自动证书签名默认在/etc/puppet/autosign.conf

     pluginsync        = false   #插件同步配置对facter自定义有效这里为false没开启
     masterport        = 8140    #master监听端口
     environment       = production
     certname          = puppetmaster.com
     server = puppetmaster.com    #master端
     listen            = false
     splay             = false
     splaylimit        =
     runinterval       = 1800  ##客户端默认探测时间，可按需求修改
     noop              = false
     configtimeout     =
     usecacheonfailure = true

 [agent]
     # The file in which puppetd stores a list of the classes
     # associated with the retrieved configuratiion.  Can be loaded in
     # the separate ``puppet`` executable using the ``--loadclasses``
     # option.
     # The default value is '$confdir/classes.txt'.
     classfile = $vardir/classes.txt   #关联与检索配置文件目录

     # Where puppetd caches the local configuration.  An
     # extension indicating the cache format is added automatically.
     # The default value is '$confdir/localconfig'.
     localconfig = $vardir/localconfig   ##本地缓存配置目录

创建sitt.pp文件，会告诉puppet去哪里寻找并且载入指定的客户端配置，我们来创建它现在先让它为空

 [root@master-elk manifests]# pwd
 /etc/puppet/manifests
 [root@master-elk manifests]# ls
 [root@master-elk manifests]# touch site.pp
 [root@master-elk manifests]# ls
 site.pp
 [root@master-elk manifests]# 

设置防火墙

 iptables -I  INPUT -p tcp -m state --state NEW -m tcp --dport  -j ACCEPT

启动：

puppetmasterd -v -d --no-daemonize # 前台测试启动 这是2.x测试命令
puppet master  -v -d --no-daemonize  #3.x测试命令

 service puppetmaster start  #正式启动
 或者
 /etc/init.d/puppetmaster  restart

服务验证：ss -antupl |grep 8140

master启动后会创建一个本地的master认证中心,同时创建master的相关证书和密钥，可以在 /etc/puppet/ssl/目录下查看相关的证书和密钥(看配置文件里面你定义在哪里)

 tree  /etc/puppet/ssl/
 ├── ca
 │   ├── ca_crl.pem
 │   ├── ca_crt.pem
 │   ├── ca_key.pem
 │   ├── inventory.txt
 │   ├── private
 │   │   └── ca.pass
 │   ├── requests
 │   ├── serial
 │   └── signed
   |       ├──puppetmaster.com.pem
 ├── certificate_requests
 ├── certs
 │   ├── ca.pem
 │   └──puppetmaster.com.pem
 ├── crl.pem
 ├── private
 ├── private_keys
 │   └──puppetmaster.com.pem
 └── public_keys
     └──puppetmaster.com.pem

agent端配置（一般配置）

 cat   /etc/puppet/puppet.conf

 [main]
     logdir = /var/log/puppet
     rundir = /var/run/puppet
     ssldir = $vardir/ssl

 [agent]
     listen = true  #监听进程
     classfile = $vardir/classes.txt   ##关联与检索配置文件目录
     localconfig = $vardir/localconfig  # #本地缓存配置目录

    server = puppetmaster.com
    report = true   #发送报告
    runinterval = 1800
      #certname 不写默认是hostname

客户端连接到master端，在客户端上执行命令

  puppet agent --server=puppetmaster.com --no-daemonize --verbose   #测试启动
 --no-daemonize: 让puppet客户端工作到前台并输出日志到标准输出
  --verbose:是客户端输出详细信息日志
 也可以加上--debug，让日志更加详细。
 简洁方式：
  puppet agent  --test
正常启动 service puppet  start

上面的意思是agent发起了一个证书验证请求，并且使用加密私钥来连接，puppet使用ssl证书来验证agent和master之间的连接，agent想master发出证书验证请求，等待master签名并且返回证书。现在agent依然运行并且等待已被签名的证书，在证书到达或者退出之前，agent会每个2分钟来是否存在被签名的证书。

服务端确认：

master执行：

 puppet cert --list --all #查看认证情况      前面出现+表示认证过了

在真实很多台的线上环境执行这条命令的时候会出现如下错误

 [root@puppetmater~]# puppet cert --list all
 Error: header too long

是由于机器空间不足造成的可以df-h查看机器空间

参见这里但是需要翻墙（不能翻墙的点击下面的）

我贴出来具体过程：

 Puppet Error: header too long
 If you're working with Puppet and you find that you get this error:
 puppet cert --list
 Error: header too long
 Be mindful of your free space! I've now rolled out 20 servers or so in my puppet setup (soon to be duplicated to over 142 servers once I get these running right. All I'll have to do is spin up a new server, give it an IP and hostname and tell it where the Puppet Master is and Puppet will handle the rest!), and I've found that I'm starting to easily fill up the drive with old reports. Especially when re-running puppet syncs more frequently than the normal  min run-interval. I started getting the above error with a lot of various puppet commands, the simplest one, just trying to list certs. Then I checked a "df -h":
 # df -h
 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda1              16G   15G      % /
 Oops! Using the following script I was able to clean up old reports easily. Set the "days" variable to as high as you want for your setup. I'm using Puppet Dashboard to pull in reports to a DB, so I don't need to keep the yaml's around too long.
 #!/bin/sh
 days="+1"       # more than a day old

 for d in `find /var/lib/puppet/reports -mindepth  -maxdepth  -type d`
 do
         find $d -type f -name \*.yaml -mtime $days |
         sort -r |
         tail -n + |
         xargs /bin/rm -f
 done
 In my case, since it tried to sync a new server ssl cert while the drive was full, the error came out to be due to not only the free space, but a corrupt cert. To find the offending cert and fix the issue, you'll need to look through the /var/lib/puppet dir for the file. The host I was looking for is 'betamem.example.com' and I found it like this:
 # cd /var/lib/puppet
 # find ./|grep betamem
 ./ssl/ca/requests/betamem.example.com
 I then removed the cert (held in /var/lib/puppet/ssl/certificate_requests/) from the agent on 'betamem' and told it to try again by cycling it's puppet agent.
 # rm -f /var/lib/puppet/ssl/certificate_requests/*
 # /etc/init.d/puppet restart
 Stopping puppet agent:                                     [  OK  ]
 Starting puppet agent:                                     [  OK  ]
 Tailing /var/log/messages on the master shows it's got a new request, so let's sign it:
 # tail /var/log/messages -n1
 puppet-master[22486]: betamem.example.com has a waiting certificate request
 # puppet cert --sign betamem.example.com
 Signed certificate request for betamem.example.com
 Removing file Puppet::SSL::CertificateRequest at '/var/lib/puppet/ssl/ca/requests/betamem.example.com.pem'
 Go back to the puppet agent and cycle it again, or just wait until the next run-interval and it should be back to normal!

Puppet Error: header too long

手动注册认证

 puppet cert --sign agent1.puppetmaster.com #注册agent1

另外一种查看认证的方式

 tree /var/lib/puppet/ssl/ #另外一种查看认证的方式

 /etc/puppet/ssl/
 ├── ca
 │   ├── ca_crl.pem
 │   ├── ca_crt.pem
 │   ├── ca_key.pem
 │   ├── inventory.txt
 │   ├── private
 │   │   └── ca.pass
 │   ├── requests
 │   ├── serial
 │   └── signed
 │       ├──puppetmaster.com.pem
 │       ├──agent1.puppetmaster.com.pem  #注册认证
 ├── certificate_requests
 ├── certs
 │   ├── ca.pem
 │   └── puppetmaster.com.pem
 ├── crl.pem
 ├── private
 ├── private_keys
 │   └── puppetmaster.com.pem
 └── public_keys
     └── puppetmaster.com.pem

另外也可以在服务算(master)来做认证

在master服务端执行

 puppet agent --test #puppetmaster自己申请agent认证
 puppet cert --sign --all #注册所有请求的节点
 puppet cert --list --all #查看所有节点认证

但是当我们有上百台机器的时候，这样来做显得十分麻烦，所以puppet提供了一种更好地办法

自动签名认证模式

master端服务端配置

1 如下：

 [root@master-elk ~]# cd /etc/puppet/
 [root@master-elk puppet]# ls
 auth.conf  environments  fileserver.conf  manifests  modules  puppet.conf
 [root@master-elk puppet]# touch autosign.conf
 [root@master-elk puppet]# vim autosign.conf
 [root@master-elk puppet]# cat autosign.conf
 *.puppetmaster.com
 [root@master-elk puppet]# 

创建autosign.conf，然后在里面添加要自动签名的agent

我这里写的*.puppetmaster.com是去匹配agent端hostname以这个结尾的全部自动签名认证

# 注：master端的任何修改，都要重新装载puppetmaster服务，即执行如下命令即可

service puppetmaster reload

2.修改fileserver.conf

创建mkdir /etc/puppet/files

向该文件授予/etc/puppet/files目录的权限

# vi /etc/puppet/fileserver.conf
1 [files]
     path /etc/puppet/files
     allow *    #或者写成allow *.puppetmaster.com

 [modules]
     allow *

 [plugins]
     allow *

该文件就是一个file服务器，我们在里面可以定义需要同步的文件，一般在同步的时候用source来制定路径，如下一个简单的例子

 此案例为C/S结构，把master上面的hosts文件同步到agent上面，如果发现同步文件不一致，需要对源文件进行备份后再进行覆盖，在master上编

 辑/etc/puppet/manifests/site.pp
 node default {
 file {'/etc/hosts' :
      backup => '.bak',
      source => "puppet:///files/hosts",
     }
 }
 file {'/etc/hosts' :
      backup => '.bak',
      source => "puppet:///bin/python2.7.zip",
     }
 }
 我们可以没有bin模块，只需要在fileserver.conf里面定义好配置文件就行了

 其中puppet:///挂载的路径由master上的fileserver.conf文件指定，如下：
 # cat fileserver.conf
 [files]
 path /etc/puppet/files
 allow *
 [bin]
 path  /opt/file/
 allow *
 把hosts文件放到/etc/puppet/files路径下，设置好之后我们在agent上面执行查看
 把python2..zip文件放到/opt/file/路径下，设置好之后我们在agent上面执行查看
       

3puppet agent客户端配置

3.1允许master发起kick命令，puppet客户端默认每30分钟很服务器通讯一次，但是有时，我们希望服务器能够给客户端紧急推送一些东西，于是就有了puppet kick

配置文件/etc/puppet/auth.conf加入如下内容(有些版本是默认自带)这个必须有path /这个

/etc/puppet/auth.conf文件配置签名的ACL列表,配置准许哪些ip或者域名来签名通过

 path ~ ^/catalog/([^/]+)$
 method find
 allow $

 path ~ ^/node/([^/]+)$
 method find
 allow $

 path /certificate_revocation_list/ca
 method find
 allow *

 path /report
 method save
 allow *

 path /file
 allow *

 path /certificate/ca
 auth any
 method find
 allow *

 path /certificate/
 auth any
 method find
 allow *

 path /certificate_request
 auth any
 method find, save
 allow *

 path /run
 method save
 allow pup.qeeyou.com

 path /
 auth any

3.2

在客户端编辑或创建新文件/etc/puppet/namespaceauth.conf，包含下面内容

[puppetrunner]
allow puppetmaster.com    #填写master端ip绑定的那个域名

推送方法，在服务器端运行命令（后边会讲解，这里简单提一下）

  puppet kick -p   agent1.puppetmaster.com

当有问题的时候我们需要清空删除证书，然后重新来认证如下

二、清除原有证书

如果原客户端已经签过证书需要执行以下操作清空旧的证书，否则认证将失败

1.在服务端上执行以下命令其中“puppet2.hnr.com”为相关客户端主机

# puppet cert clean puppet2.hnr.com

2.在客户端上执行以下命令

# find /var/lib/puppet/ssl -name puppet2.hnr.com.pem -delete

认证的方法和上面一样，这里就不多说了