# Which ntp packages are installed on this CentOS 6 host. Both the ntpd daemon
# and the one-shot ntpdate client are present (same 4.2.6p5 build); the cron
# entry further down depends on that distinction.
rpm -qa | grep ntp
# ntpdate-4.2.6p5-10.el6.centos.1.x86_64
# ntp-4.2.6p5-10.el6.centos.1.x86_64
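cat /etc/ntp.conf

# ntp.conf  (ntp-4.2.6p5, CentOS 6)

driftfile /var/lib/ntp/drift
pidfile /var/run/ntpd.pid
logfile /var/log/ntp.log

# Access Control Support
# Default policy for every remote host:
#   kod       - answer abusive clients with a kiss-of-death packet
#   nomodify  - no runtime reconfiguration via ntpq/ntpdc
#   notrap    - no trap (event) registration
#   nopeer    - an unsolicited host cannot become a symmetric peer
#   noquery   - refuse ntpq/ntpdc status queries; on 4.2.6 this is what
#               closes the "monlist" amplification vector
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# NOTE(review): the address argument of this entry was lost when the page was
# extracted, and ntpd rejects a bare "restrict". It is normally the loopback
# exemption ("restrict 127.0.0.1") — restore it from the real file and confirm.
restrict

# local clock
# NOTE(review): the driver addresses of these two lines were lost as well; the
# undisciplined local clock is conventionally "server 127.127.1.0" with
# "fudge 127.127.1.0 stratum 10" — confirm against the original file.
# Stratum 10 keeps it as a last resort only; while no upstream is reachable
# ntpd will still claim to be synchronised, so alert on reachability rather
# than trusting the sync flag alone.
server
fudge stratum 10

# Upstream servers. None of them is authenticated (no "key"/autokey), so an
# on-path attacker can skew time; the per-server restrict lines at least stop
# those hosts from querying or reconfiguring this daemon.
server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp1.aliyun.com nomodify notrap nopeer noquery
server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp2.aliyun.com nomodify notrap nopeer noquery
server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp3.aliyun.com nomodify notrap nopeer noquery
server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp4.aliyun.com nomodify notrap nopeer noquery
server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp5.aliyun.com nomodify notrap nopeer noquery
server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
restrict ntp6.aliyun.com nomodify notrap nopeer noquery
server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp1.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp2.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp3.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp4.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp5.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp6.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp7.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp8.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp9.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp10.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp11.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
restrict ntp12.cloud.aliyuncs.com nomodify notrap nopeer noquery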
# Bring ntpd up now and register it for the default runlevels so it survives
# a reboot (SysV init on CentOS 6).
service ntpd start
chkconfig ntpd on
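# Daily at 06:20: copy the ntpd-disciplined system time into the hardware
# clock so the RTC is sane after a reboot.
#
# NOTE(review): the original entry was
#     20 06 * * * ntpdate cn.pool.ntp.org && hwclock -w
# With ntpd started above and holding UDP/123, ntpdate normally exits with
# "the NTP socket is in use", and because of the "&&" hwclock then never runs —
# the job silently does nothing every day. When it does work it steps the clock
# behind ntpd's back from a pool that is not in ntp.conf and is unauthenticated,
# so a spoofed reply can move the clock and break certificate validity,
# Kerberos tickets and log ordering. Let ntpd own time sync; cron only persists
# it to the RTC. hwclock is given by full path because cron's default PATH
# usually omits /sbin.
20 06 * * * /sbin/hwclock -w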
# Make crond pick up the new entry. (A full restart is the blunt tool; cronie
# also notices spool changes on its own — presumably, confirm on this build.)
/etc/init.d/crond restart
# puppet主配置及目录结构

/etc/puppet
auth.conf - Agent访问Master的权限控制文件（REST 接口的 ACL）
autosign.conf - Master对Agent证书自动签名的白名单文件（原文误写为 authsign.conf。注意白名单只匹配 Agent 自己在 CSR 里填写的 certname，并不能验证请求者身份）
fileserver.conf - Master向Agent同步静态文件的配置文件(Master挂载目录位置和挂载目录的授权信息)
puppet.conf - Master守护进程的主要配置文件,定义了运行环境、启动加载文件、配置管理程序、授权Agent的证书目录等信息
tagmail.conf - Puppet邮件发送配置文件
namespaceauth.conf - 名称空间配置文件（例如允许哪个 certname 通过 puppet kick 触发本机运行）
files/ - Master存放的静态文件
manifests/ - Agent入口的导航文件和逻辑文件
site.pp
modules/ - Puppet的基础模块
ssl/ - Master在此目录存放CA证书和已签名授权的Agent证书文件列表,Agent在此目录存放被Master授权的证书文件（本文配置 ssldir = $vardir/ssl，实际位于 /var/lib/puppet/ssl）
# Stock CentOS 6 /etc/puppet/puppet.conf as shipped. [main] applies to every
# run mode (master and agent); [agent] only to the agent.
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet

# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
# $vardir is /var/lib/puppet here (see the annotated copy of this file below),
# so the CA, private keys and signed certs live under /var/lib/puppet/ssl —
# the tree listings later on this page refer to that directory. Keep it
# readable by root/puppet only; the CA key in it can sign any agent cert.
ssldir = $vardir/ssl

[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
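# Annotated /etc/puppet/puppet.conf for the master. Settings in [master]
# override [main] when the master runs; [agent] applies to the agent run mode.
[master]
# storeconfigs = true
# storeconfigs_backend = puppetdb
# NOTE(review): the original had "autosign = true" here. Because [master]
# overrides [main], that made the master sign EVERY incoming CSR and silently
# bypassed the $confdir/autosign.conf whitelist configured below. Point the
# master at the whitelist (or set "autosign = false" and sign by hand with
# "puppet cert --sign <name>"). The whitelist itself is weak: an agent chooses
# its own certname, so any host that can reach port 8140 can request a name
# matching the glob and receive a trusted certificate.
autosign = $confdir/autosign.conf
# ca = true
# ssldir = /var/lib/puppet/ssl
# certname = puppetmaster.com
strict_variables = false
#environmentpath = /etc/puppet/modules
basemodulepath = /etc/puppet/modules
# These two headers matter only when a TLS-terminating reverse proxy fronts the
# master and forwards the client DN/verify result; with the built-in server
# they are presumably ignored — confirm for this deployment.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
# Run-report destination (dashboard / foreman). Reports carry facts, resource
# changes and log lines, and this URL is plain http, so they cross the network
# unencrypted and unauthenticated — keep it on a trusted segment or use https.
# (The original listing had these two settings fused on one line.)
reports = http
reporturl = http://puppetmaster.com:3000/reports/upload

[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet

# Where SSL certificates are kept.
# The default value is '$confdir/ssl'; $vardir is /var/lib/puppet by default.
ssldir = $vardir/ssl
# Autosign whitelist, /etc/puppet/autosign.conf by default.
autosign = $confdir/autosign.conf

# Plugin sync is off, so custom facts/types in modules are not shipped to agents.
pluginsync = false
# Port the master listens on.
masterport = 8140
environment = production
certname = puppetmaster.com
# Master the agent talks to.
server = puppetmaster.com
listen = false
splay = false
splaylimit = 1800
# Agent check-in interval in seconds; adjust as needed.
runinterval = 1800
noop = false
configtimeout = 120
usecacheonfailure = true


[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig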
# Create the (initially empty) site manifest that the master reads on every
# catalog compile.
cd /etc/puppet/manifests
pwd      # /etc/puppet/manifests
ls       # nothing yet
touch site.pp
ls       # site.pp
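# Let agents reach the master (HTTPS on 8140).
# NOTE(review): this accepts from any source address. Add "-s <agent subnet>"
# if you know it — with autosign enabled, every host that can open 8140 can
# enrol itself as an agent.
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT
# The original stopped here. "-I" only edits the running table; CentOS 6
# restores /etc/sysconfig/iptables at boot, so persist the rule or it is gone
# after the next reboot.
service iptables save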
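# Run the master in the foreground with verbose + debug logging for a first
# smoke test (Ctrl-C to stop). The original listing had the 3.x command
# swallowed into the comment of the 2.x line, so it could never be copied.
puppetmasterd -v -d --no-daemonize      # Puppet 2.x command name
puppet master -v -d --no-daemonize      # Puppet 3.x equivalent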
# Start the master as a service for real use —
service puppetmaster start
# — or, if it is already running, restart it.
/etc/init.d/puppetmaster restart
服务验证：`ss -antupl | grep 8140`（确认 puppetmaster 进程已在 TCP 8140 端口监听）
master启动后会创建一个本地的 CA（认证中心），同时生成 master 自身的证书和密钥。证书目录由 puppet.conf 里的 ssldir 决定：本文配置为 ssldir = $vardir/ssl，即 /var/lib/puppet/ssl/（下面的 tree 输出写的是 /etc/puppet/ssl/，请以实际配置为准）。其中 ca/ca_key.pem 和 ca/private/ca.pass 是 CA 的私钥和口令，一旦泄露任何人都能为 agent 签发被信任的证书，务必保持仅 root/puppet 可读，并做好离线备份。
tree /etc/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       └── puppetmaster.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.com.pem
└── public_keys
    └── puppetmaster.com.pem
cat /etc/puppet/puppet.conf

# Agent-side /etc/puppet/puppet.conf.
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
# $vardir/ssl: the agent's own key, cert and CSR live here.
ssldir = $vardir/ssl

[agent]
# listen = true makes the agent itself accept inbound HTTPS (port 8139 by
# default) so the master can trigger runs with "puppet kick". Who may do that
# is decided by this host's auth.conf (/run) and namespaceauth.conf. It is
# extra attack surface on every node — leave it false unless kick is used.
listen = true
# Classes retrieved in the last run.
classfile = $vardir/classes.txt
# Cached local configuration.
localconfig = $vardir/localconfig

server = puppetmaster.com
# Send a run report to the master after each run.
report = true
# Seconds between runs. certname is not set, so it defaults to the hostname.
runinterval = 1800
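# First run of the agent in the foreground. In the original listing the
# explanations of the flags were bare text inside the command block (they
# would be executed if pasted); they are comments here.
#   --no-daemonize  keep the agent in the foreground and log to stdout
#   --verbose       verbose run output (add --debug for even more detail)
puppet agent --server=puppetmaster.com --no-daemonize --verbose
# Short form: one-shot foreground run.
puppet agent --test
# Normal start, as a service:
service puppet start

# On the master: list CSRs and signed certificates. A leading "+" marks a
# signed cert, a bare name is a pending request, "-" a revoked one.
puppet cert --list --all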
# The listing command as typed on the master, and the error it produced.
# (The flag is "--all"; a bare "all" is presumably taken as a certname. The
# error itself is explained in the next section.)
puppet cert --list all
# Error: header too long
Puppet Error: header too long
If you're working with Puppet and you find that you get this error:
    puppet cert --list
    Error: header too long
Be mindful of your free space! I've now rolled out 20 servers or so in my puppet setup (soon to be duplicated to over 142 servers once I get these running right. All I'll have to do is spin up a new server, give it an IP and hostname and tell it where the Puppet Master is, and Puppet will handle the rest!), and I've found that I'm starting to easily fill up the drive with old reports, especially when re-running puppet syncs more frequently than the normal 30-minute run interval. I started getting the above error with a lot of various puppet commands, the simplest one being just trying to list certs. Then I checked "df -h":
    # df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/sda1 16G 15G 0 100% /
Oops! Using the following script I was able to clean up old reports easily. Set the "days" variable to as high as you want for your setup. I'm using Puppet Dashboard to pull in reports to a DB, so I don't need to keep the yaml's around too long.
    #!/bin/sh
    days="+1" # more than a day old

    for d in `find /var/lib/puppet/reports -mindepth 1 -maxdepth 1 -type d`
    do
    find $d -type f -name \*.yaml -mtime $days |
    sort -r |
    tail -n +2 |
    xargs /bin/rm -f
    done
(Caveat: the script assumes report directory and file names contain no whitespace — `$d` is unquoted and the `find | xargs` pipeline is newline-delimited. Quote `"$d"` and use `find ... -print0 | xargs -0` if that assumption may not hold. `sort -r | tail -n +2` keeps only the newest of the expired reports for each host.)
In my case, since it tried to sync a new server SSL cert while the drive was full, the error turned out to be due not only to the lack of free space, but also to a corrupt cert. To find the offending cert and fix the issue, you'll need to look through the /var/lib/puppet dir for the file.
The host I was looking for is 'betamem.example.com' and I found it like this:
    # cd /var/lib/puppet
    # find ./|grep betamem
    ./ssl/ca/requests/betamem.example.com
I then removed the stale request (held in /var/lib/puppet/ssl/certificate_requests/) from the agent on 'betamem' and told it to try again by cycling its puppet agent:
    # rm -f /var/lib/puppet/ssl/certificate_requests/*
    # /etc/init.d/puppet restart
    Stopping puppet agent: [ OK ]
    Starting puppet agent: [ OK ]
Tailing /var/log/messages on the master shows it's got a new request, so let's sign it. (Before signing, compare the request's fingerprint with what the node itself reports via `puppet agent --fingerprint` — a CSR proves nothing about who sent it.)
    # tail /var/log/messages -n1
    puppet-master[22486]: betamem.example.com has a waiting certificate request
    # puppet cert --sign betamem.example.com
    Signed certificate request for betamem.example.com
    Removing file Puppet::SSL::CertificateRequest at '/var/lib/puppet/ssl/ca/requests/betamem.example.com.pem'
Go back to the puppet agent and cycle it again, or just wait until the next run interval and it should be back to normal!
# Sign agent1's pending request on the master — one host at a time, after
# confirming the request really came from the node you expect.
puppet cert --sign agent1.puppetmaster.com
tree /var/lib/puppet/ssl/    #另外一种查看认证的方式

/etc/puppet/ssl/             #（原文输出的根目录写作 /etc/puppet/ssl/，与命令路径不一致；ssldir = $vardir/ssl 时实际为 /var/lib/puppet/ssl/）
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── puppetmaster.com.pem
│       └── agent1.puppetmaster.com.pem   #注册认证
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.com.pem
└── public_keys
    └── puppetmaster.com.pem
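# Run the agent on the master itself (it presumably reuses the certs already
# under its ssldir rather than requesting new ones — confirm).
puppet agent --test
# Look at what is pending BEFORE signing; the original only listed afterwards,
# so nothing was reviewed.
puppet cert --list --all
# Sign every pending request. This trusts whoever sent a CSR — the certname is
# chosen by the client — so prefer "puppet cert --sign <name>" per host unless
# the pending list above was just checked.
puppet cert --sign --all
# Every node should now show with a leading "+".
puppet cert --list --all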
1 如下:
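# Create the autosign whitelist ($confdir/autosign.conf), one glob per line.
# The original opened the file in vim; the printf writes the same content.
#
# NOTE(review): a glob like this does not authenticate anything. The certname
# is whatever the requesting agent puts in its CSR, so any host that can reach
# port 8140 can ask for "anything.puppetmaster.com" and get a trusted cert.
# Fine for a lab; in production sign by hand ("puppet cert --sign") or, on
# Puppet 3.4+, use a policy script that checks something the host cannot
# forge. Keep the file readable by the puppet user and writable by root only.
cd /etc/puppet
ls
# auth.conf  environments  fileserver.conf  manifests  modules  puppet.conf
printf '%s\n' '*.puppetmaster.com' > autosign.conf
cat autosign.conf
# *.puppetmaster.com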
# NOTE: changes to the master's own configuration (puppet.conf, auth.conf,
# fileserver.conf, autosign.conf) only take effect after the service is
# reloaded. (Manifests and modules are presumably re-read on each compile and
# do not need this — confirm for your version.)
service puppetmaster reload
创建静态文件目录：`mkdir -p /etc/puppet/files`
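# vi /etc/puppet/fileserver.conf
#
# Mount points agents may fetch from as puppet:///<mount>/<path>. "allow"
# matches the certname of the TLS-authenticated agent.
# NOTE(review): the original used "allow *" on every mount, so any signed
# agent — and, with autosign on, any host on the network — could read
# everything under /etc/puppet/files. The agents on this page are all named
# *.puppetmaster.com (the original even suggested this in a comment), so
# restrict to that; widen deliberately if other names are added.
[files]
path /etc/puppet/files
allow *.puppetmaster.com

[modules]
allow *.puppetmaster.com

[plugins]
allow *.puppetmaster.com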
此案例为C/S结构,把master上面的hosts文件同步到agent上面,如果发现同步文件不一致,需要对源文件进行备份后再进行覆盖,在master上编辑/etc/puppet/manifests/site.pp：

node default {
  file { '/etc/hosts' :
    backup => '.bak',
    source => "puppet:///files/hosts",
  }
  file { '/etc/hosts' :
    backup => '.bak',
    source => "puppet:///bin/python2.7.zip",
  }
}

（注意：原文两个 file 资源的花括号层次错乱，这里按“都放在 node default 内”整理；另外两个资源都以 '/etc/hosts' 为标题，Puppet 编译时会报 Duplicate declaration，第二个资源的标题应改为 zip 包在目标机上的落地路径。）
我们可以没有bin模块,只需要在fileserver.conf里面定义好配置文件就行了

其中puppet:///挂载的路径由master上的fileserver.conf文件指定,如下:
# cat fileserver.conf
[files]
path /etc/puppet/files
allow *
[bin]
path /opt/file/
allow *
把hosts文件放到/etc/puppet/files路径下,设置好之后我们在agent上面执行查看
把python2.7.zip文件放到/opt/file/路径下,设置好之后我们在agent上面执行查看
（allow * 表示任何持有已签名证书的节点都可以读取这两个目录，配合自动签名就等于对全网开放，建议改为 allow *.puppetmaster.com。）
3 puppet agent 客户端配置
3.1 允许 master 发起 kick 命令：puppet 客户端默认每 30 分钟和服务器通讯一次，但有时我们希望服务器能向客户端紧急推送变更，于是就有了 puppet kick。（注意：这需要在每个 agent 上开启 listen = true，即每台节点都会额外监听一个 HTTPS 端口，只有确实需要主动推送时才启用。）
在 agent 端的配置文件 /etc/puppet/auth.conf 中加入如下内容（有些版本默认自带）。文件末尾必须保留 `path /` 这条兜底规则，并且它后面没有 allow——也就是默认拒绝其余所有请求；另外 /run 规则里 allow 的必须是 master 的 certname，否则 kick 会被拒绝。
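# /etc/puppet/auth.conf — Puppet 3 REST ACL. Rules are evaluated top-down and
# the first matching path wins; "auth any" lets unauthenticated clients through,
# everything else requires a cert signed by this CA. Add the /run rule to let
# the master "puppet kick" this agent; some versions ship the rest by default.

# A node may only fetch its own catalog and node object ($1 = its certname).
path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/node/([^/]+)$
method find
allow $1


path /certificate_revocation_list/ca
method find
allow *

path /report
method save
allow *

path /file
allow *

# Bootstrapping: a not-yet-signed client must be able to fetch the CA cert and
# its own cert, and to submit / poll a certificate request.
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

# Who may trigger a run on this agent via "puppet kick". This must be the
# master's certname, which is puppetmaster.com everywhere else on this page.
# NOTE(review): the original listing had "allow pup.qeeyou.com" here, a name
# that matches nothing else in the setup and would make every kick get a 403.
path /run
method save
allow puppetmaster.com

# Catch-all. The listing ends here; with no "allow" after it, anything not
# matched above is denied — do not add one.
path /
auth any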
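# /etc/puppet/namespaceauth.conf on the agent: certnames allowed to use the
# "puppetrunner" namespace, i.e. to start a run on this host via "puppet kick".
# Put the master's certname here (the name its certificate carries, which the
# agent's DNS/hosts entry for the master must resolve to). The original
# listing had the section header and the allow line fused on one line.
[puppetrunner]
allow puppetmaster.com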
# From the master: trigger an immediate run on agent1, running at most 10 kicks
# in parallel (-p). Requires listen = true on the agent plus the /run rule in
# its auth.conf and the [puppetrunner] entry in namespaceauth.conf.
puppet kick -p 10 agent1.puppetmaster.com
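# Decommission or re-enrol a node. (The original listing carried a "# " prompt
# in front of both commands, which turns them into comments when pasted.)
#
# On the master: revoke the cert (it goes onto the CRL agents download) and
# remove the signed copy.
puppet cert clean puppet2.hnr.com
# Remove any remaining copies of that cert/key/CSR from the ssl tree. This is
# what the AGENT needs in its own ssldir before it can request a fresh cert;
# on the master, "clean" presumably leaves nothing for it to find — confirm.
# NOTE(review): puppet2.hnr.com does not match the puppetmaster.com domain used
# everywhere else on this page; substitute the node's real certname.
find /var/lib/puppet/ssl -name puppet2.hnr.com.pem -delete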