Puppet

From wiki.habital.lv
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Инсталляция программного обеспечения на сервере и на агенте

rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

На сервере:

# yum install puppet-server
# chkconfig puppetmaster on

Файл /etc/puppet/puppet.conf:

# vi /etc/puppet/puppet.conf
[main]certname = puppet.mybox.lv
   server = puppet.mybox.lv
   environment = production
   runinterval = 1h

[master]
   dns_alt_names = puppet.mybox.lv,puppet

На агенте:

# yum install puppet

Установка сертификатов на сервере и на агенте

На сервере:

# rm -rf /var/lib/puppet/ssl/*
# puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 3F:CD:FD:CF:5B:1A:72:C1:D2:BA:ED:0A:C8:AF:AE:E0:B3:66:AC:78:9B:03:53:01:2E:47:36:6A:21:41:80:76
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for puppet.mybox.lv
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet.mybox.lv
Info: Certificate Request fingerprint (SHA256): 80:D0:E6:43:66:54:85:85:59:2A:3E:40:C1:A4:5F:93:82:89:35:07:84:6C:DF:0F:B8:A0:EC:CB:A1:63:24:D1
Notice: puppet.mybox.lv has a waiting certificate request
Notice: Signed certificate request for puppet.mybox.lv
Notice: Removing file Puppet::SSL::CertificateRequest puppet.mybox.lv at '/var/lib/puppet/ssl/ca/requests/puppet.mybox.lv.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppet.mybox.lv at '/var/lib/puppet/ssl/certificate_requests/puppet.mybox.lv.pem'
Notice: Starting Puppet master version 3.8.7
<Ctrl-C>
# puppet cert list --all
+ "puppet.mybox.lv" (SHA256) 2B:52:7C:52:1E:E9:44:7A:02:BE:1B:8E:9F:84:8D:BF:EC:1E:59:F3:10:18:B9:16:53:C7:22:BB:B6:40:28:00 (alt names:
"DNS:puppet.mybox.lv","DNS:puppet", "DNS:puppet.mybox.lv")
# service puppetmaster start

На агенте:

# vim /etc/puppet/puppet.conf
[main]certname = proxy.mybox.lv
   server = puppet.mybox.lv
   environment = production
   runinterval = 1h
# puppet agent –test

На сервере:

# puppet cert list
 "proxy.mybox.lv" (SHA256) CF:68:EF:63:98:BD:9A:FA:9F:6B:11:F5:BA:36:E1:AE:38:63:B3:82:FF:CB:73:B7:3E:F3:AB:2A:44:9B:5E:08
# puppet cert sign proxy.mybox.lv

Примеры настроек (на puppet-сервере)

NTP-server

# cat /etc/puppet/manifests/site.pp
node 'puppet.mybox.lv' {
  include "ntp_config"
}

node 'proxy.mybox.lv' {
 include "ntp_config"
}

class ntp_config {
 #case $operatingsystem {
 #  centos, redhat: { $service_name = 'ntpd' }
 #  debian, ubuntu: { $service_name = 'ntp' }
 #}

 package { 'ntp':
   ensure => installed,
 }

 service { 'ntp':
   name      => ntpd,
   ensure    => running,
   enable    => true,
   subscribe => File['ntp.conf'],
 }

 file { 'ntp.conf':
   path    => '/etc/ntp.conf',
   ensure  => file,
   owner   => root,
   group   => root,
   mode    => 644,
   require => Package['ntp'],
   source  => "puppet:///modules/ntp/ntp.conf",
   # This source file would be located on the Puppet master at
   # /etc/puppet/modules/ntp/files/ntp.conf
 }
}

NTP-сервер и Squid-сервер

$ cat /etc/puppet/manifests/site.pp
node 'squid-1.mybox.lv', 'squid-2.mybox.lv' {
  include ntp, squid
}
$ cat /etc/puppet/modules/ntp/manifests/init.pp 
class ntp {
 package { ['ntp']:
   ensure => present;
 }
 
 service { 'ntp':
   name    => ntpd,
   ensure  => running,
   enable  => true,
   require => Package['ntp'];
 }
 
 file { 'ntp.conf':
   path    => '/etc/ntp.conf',
   ensure  => file,
   owner   => root,
   group   => root,
   mode    => 644,
   require => Package['ntp'],
   notify  => Service['ntp'],
   source  => "puppet:///modules/ntp/ntp.conf",
   # This source file would be located on the Puppet master at
   # /etc/puppet/modules/ntp/files/ntp.conf
 }
}
$ cat /etc/puppet/modules/ntp/files/ntp.conf 
…
Файл конфикурации ntp.conf
$ cat /etc/puppet/modules/squid/manifests/init.pp 
class squid {
 package { ['squid']:
   ensure => present;
 }

 service { 'squid':
   name      => squid,
   ensure    => running,
   enable    => true,
   require   => Package['squid'];
 }

 file { 'squid.conf':
   path    => '/etc/squid/squid.conf',
   ensure  => file,
   owner   => root,
   group   => squid,
   mode    => 640,
   require => Package['squid'],
   source  => "puppet:///modules/squid/squid.conf",
   # This source file would be located on the Puppet master at
   # /etc/puppet/modules/squid/files/squid.conf
 }

 file { 'squidguard.conf':
   path    => '/etc/squid/squidguard.conf',
   ensure  => file,
   owner   => squid,
   group   => squid,
   mode    => 644,
   require => Package['squid'],
   source  => "puppet:///modules/squid/squidguard.conf",
   # This source file would be located on the Puppet master at
   # /etc/puppet/modules/squid/files/squidguard.conf
 }

 exec { 'squid-reconfigure':
   command => 'squid -k reconfigure',
   path    => ['/bin', '/usr/bin', '/usr/sbin'],
   require => Service['squid'];
 }
}
$ cat /etc/puppet/modules/squid/files/squid.conf
…
Файл конфигурации squid.conf.
$ cat /etc/puppet/modules/squid/files/squidguard.conf
…
Файл конфигурации squidguard.conf.