puppet的授权
服务器这里
selinux和firewalld关闭
yum install epel-release (安装仓库)
hostnamectl set-hostname master.localdomain(修改主机名)
yum install puppet-server
[root@localhost signed]# vim /etc/puppet/puppet.conf (添加字段)
[master]
certname=master.localdomain (指定主服务器)
[root@localhost signed]# vim /etc/hosts(添加本地解析)
192.168.1.139 master.localdomain (主服务器)
192.168.1.4 agent1.localdomain (客户端)
systemctl rstart puppetmaster(启动服务,一定要加master哦)
[root@localhost signed]# ls
agent1.pem master.localdomain.pem
[root@localhost signed]# pwd
/var/lib/puppet/ssl/ca/signed (这个目录下的机器都是授权过的)
puppet cert --list(查看当前有那些客户端想要连接服务器)
puppet cert --sign "agent1"(允许此机器连接服务器)
puppet cert --sign - -all (允许所有机器连接我)
客户端
selinux和firewalld关闭
yum install epel-release (安装仓库)
hostnamectl set-hostname agent1.localdomain(修改主机名)
yum install puppet(装包)
[agent]
server = master.localdomain (主服务器)
runinterval=10 (每10秒发起一次同步,拉取模式)
[root@localhost certificate_requests]# systemctl restart puppetagent(重启,这里一定加上agent)
[root@localhost certificate_requests]# ls
agent1.localdomain.pem (请求授权文件)
[root@localhost certificate_requests]# pwd
/var/lib/puppet/ssl/certificate_requests
服务端
[root@localhost requests]# ls (目录查询未授权文件)
agent1.pem
[root@localhost requests]# puppet cert list(命令查看未授权文件,agent1前面没有+号说明未授权)
"agent1" (SHA256) DB:9B:5B:25:D8:BF:B7:9F:7D:25:8E:89:02:F8:F0:4F:92:DB:17:CE:93:2D:47:84:EA:E6:B3:79:D1:9C:7A:B6
[root@localhost requests]# pwd
/var/lib/puppet/ssl/ca/requests
[root@localhost requests]# puppet cert --sign "agent1"(授权)
Notice: Signed certificate request for agent1
Notice: Removing file Puppet::SSL::CertificateRequest agent1 at '/var/lib/puppet/ssl/ca/requests/agent1.pem'
[root@localhost requests]# ls
[root@localhost requests]# cd ..
[root@localhost ca]# ls
ca_crl.pem ca_crt.pem ca_key.pem ca_pub.pem inventory.txt private requests serial signed
[root@localhost ca]# cd signed/(在已授权目录下找到了agent1,现在可以互相通信了)
[root@localhost signed]# ls
agent1.pem master.localdomain.pem
来个问题:如果有好几十台机器请求认证授权,服务器怎么办?
当然:puppet cert --sign - -all (允许所有机器连接我)可以解决
但是:我想要服务器通过了自定义的格式自动授权通过定义的节点怎么办?
[root@localhost signed]# vim /etc/puppet/puppet.conf
[master]
certname=master.localdomain
autosign=true (添加参数,开启自动授权)
autosign=/etc/puppet/autosign.conf (自定义格式文件存放位置)
[root@localhost signed]# vim /etc/puppet/autosign.conf
*.1 (这里自定义,这个*.1的意思是必须以.1结尾的文件,我自动授权)
[root@localhost signed]# systemctl restart puppetmaster(重启)
如果非正常退出节点,再次启动客户端可能会出现一种进程锁的报错,删掉文件重启即可。
配置文件
/etc/puppet/manifests/site.pp (全局入口文件,每次同步最先查找的文件。)
ansible安装
服务端
yum install -y ansible
[root@localhost ansible]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ba:6c:15:b5:ec:54:11:7e:01:3f:8d:46:5f:9e:b3:6d [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| ++o .|
| ...o *o|
| o o. *o+|
| . + o .+|
| S+ .E|
| .. . . |
| .. |
| ... |
| .o |
+-----------------+
[root@localhost ansible]# cd /root/.ssh/
[root@localhost .ssh]# ls
id_rsa id_rsa.pub (生成公钥私钥)
[root@localhost .ssh]# ssh-copy-id [email protected](将公钥写入到1.4/root/.ssh/authorized_keys)
[root@localhost ansible]# vim /etc/ansible/ansible.cfg
private_key_file = /root/.ssh/id_rsa (指定私钥存放路径)
[root@localhost ansible]# vim /etc/ansible/hosts
[servers]
192.168.1.4 (定义主机组)
[root@localhost ansible]# ansible servers -m ping (基本的ping测试)
192.168.1.4 | SUCCESS => {
"changed": false,
"ping": "pong"
}
ok。。