Puppet: authorizing agents (certificate signing)
Master side
SELinux and firewalld are disabled here (a lab shortcut; on a real master keep both on and open tcp/8140, the port the puppet master listens on, instead)
- yum install epel-release (install the EPEL repository)
- hostnamectl set-hostname master.localdomain (set the hostname)
- yum install puppet-server
- [root@localhost signed]# vim /etc/puppet/puppet.conf (add the following)
- [master]
- certname=master.localdomain (the master's certificate name; agents must reach the master under exactly this name)
- [root@localhost signed]# vim /etc/hosts (add local name resolution)
- 192.168.1.139 master.localdomain (master)
- 192.168.1.4 agent1.localdomain (agent)
- systemctl restart puppetmaster (start the service; the unit is puppetmaster, not puppet)
- [root@localhost signed]# ls
- agent1.pem master.localdomain.pem
- [root@localhost signed]# pwd
- /var/lib/puppet/ssl/ca/signed (every certificate in this directory belongs to a machine that has been authorized)
- puppet cert --list (show the agents whose certificate requests are waiting to be signed)
- puppet cert --sign "agent1" (authorize this one machine)
- puppet cert --sign --all (sign every pending request; only do this after reading the list, since it authorizes whatever happened to ask)
Agent side
SELinux and firewalld disabled (same lab shortcut as on the master)
- yum install epel-release (install the EPEL repository)
- hostnamectl set-hostname agent1.localdomain (set the hostname; by default the lowercased FQDN also becomes the agent's certname)
- yum install puppet (install the agent package)
- vim /etc/puppet/puppet.conf, under [agent]:
- [agent]
- server = master.localdomain (the master to connect to)
- runinterval=10 (run every 10 seconds in pull mode; fine for a test, far too frequent for production, where the default is 30 minutes)
- [root@localhost certificate_requests]# systemctl restart puppetagent (restart; the unit is puppetagent, not puppet)
- [root@localhost certificate_requests]# ls
- agent1.localdomain.pem (the certificate signing request the agent generated and submitted to the master)
- [root@localhost certificate_requests]# pwd
- /var/lib/puppet/ssl/certificate_requests
Master side
- [root@localhost requests]# ls (pending, not yet signed requests live in this directory)
- agent1.pem
- [root@localhost requests]# puppet cert list (list unsigned requests; agent1 has no leading + because it has not been signed yet)
"agent1" (SHA256) DB:9B:5B:25:D8:BF:B7:9F:7D:25:8E:89:02:F8:F0:4F:92:DB:17:CE:93:2D:47:84:EA:E6:B3:79:D1:9C:7A:B6
- [root@localhost requests]# pwd
- /var/lib/puppet/ssl/ca/requests
- Before signing, compare the fingerprint shown above with the one the agent prints for its own request (puppet agent --fingerprint, run on the agent). The certname in a request is chosen by whoever sent it, so the fingerprint is the only thing tying "agent1" to the machine you actually built.
- [root@localhost requests]# puppet cert --sign "agent1" (sign)
- Notice: Signed certificate request for agent1
- Notice: Removing file Puppet::SSL::CertificateRequest agent1 at '/var/lib/puppet/ssl/ca/requests/agent1.pem'
- [root@localhost requests]# ls (the request has been moved out of requests/)
- [root@localhost requests]# cd ..
- [root@localhost ca]# ls
ca_crl.pem ca_crt.pem ca_key.pem ca_pub.pem inventory.txt private requests serial signed
- [root@localhost ca]# cd signed/ (agent1 now appears in the signed directory; master and agent can talk to each other)
- [root@localhost signed]# ls
- agent1.pem master.localdomain.pem
A question: what does the master do when dozens of machines request certificates at once?
The blunt answer: puppet cert --sign --all (sign everything that is pending) handles it, provided someone has looked at the pending list first.
But what if I want the master to automatically sign only the nodes that match a format I define?
- [root@localhost signed]# vim /etc/puppet/puppet.conf
- [master]
- certname=master.localdomain
- autosign=/etc/puppet/autosign.conf (path to the file that defines which certnames are signed automatically)
- Do not also set autosign=true. That value signs every request without looking at it, which Puppet's own documentation calls a very bad idea: anyone who can reach tcp/8140 gets a valid agent certificate and can pull catalogs, including whatever secrets they contain. If both lines are present the last one wins, so be explicit and keep only the file path.
- [root@localhost signed]# vim /etc/puppet/autosign.conf
- *.1 (one pattern per line; the author's *.1 is meant to match any certname ending in .1. The documented form is a full hostname or a domain glob such as *.localdomain)
- Keep in mind that a glob only checks the name the requester chose for itself. Anyone who can reach the master can set certname=anything.localdomain and be signed, so a glob is convenience, not authentication. For unattended enrolment, a policy script that checks a pre-shared secret carried in the CSR is the safer option.
- [root@localhost signed]# systemctl restart puppetmaster (restart)
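As an added example (not part of the original post and not Puppet's own code), here is a policy-based autosign executable that can replace the glob file. Since Puppet 3.4 the autosign setting may point at an executable: the master runs it as `<script> <certname>` with the PEM-encoded CSR on stdin, and signs the request only when the script exits 0. This script signs only when the certname is in the expected domain AND the CSR carries the fleet's enrolment secret as the challengePassword attribute (an agent adds it through /etc/puppet/csr_attributes.yaml, under custom_attributes with the OID 1.2.840.113549.1.9.7). The secret value, the domain and the install path are assumptions made for the example.

```shell
#!/bin/sh
# autosign-policy.sh: policy-based autosign executable for a Puppet 3.4+ master.
# Added example, not the page's or Puppet's own code. Install as root, mode 0700,
# and point the master at it:  [master] autosign = /etc/puppet/autosign-policy.sh
# Puppet invokes it as:  autosign-policy.sh <certname>   with the CSR (PEM) on stdin.
# Exit 0 => sign the request, anything else => leave it pending.

# Assumed pre-shared enrolment secret (constructed for this example). Provision it
# onto agents as the challengePassword custom attribute in csr_attributes.yaml.
EXPECTED_PSK="${AUTOSIGN_PSK:-s3cr3t-provisioning-token}"

# Assumed domain this master is willing to sign for (matches the page's hosts).
ALLOWED_DOMAIN="localdomain"

# certname_in_domain NAME: 0 if NAME ends in .$ALLOWED_DOMAIN.
# This is all an autosign.conf glob like *.localdomain checks, and the requester
# picks its own certname, so on its own it authenticates nothing.
certname_in_domain() {
    case "$1" in
        *."$ALLOWED_DOMAIN") return 0 ;;
        *) return 1 ;;
    esac
}

# extract_challenge_password: read the text dump of a CSR (the output of
# `openssl req -noout -text`) on stdin and print the challengePassword value,
# or nothing if the CSR carries none.
extract_challenge_password() {
    sed -n 's/^[[:space:]]*challengePassword[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# decide CERTNAME PASSWORD: 0 (sign) only if the name is in our domain AND the
# CSR proved knowledge of the enrolment secret. A glob match alone is refused.
decide() {
    certname_in_domain "$1" || return 1
    [ -n "$2" ] || return 1
    [ "$2" = "$EXPECTED_PSK" ] || return 1
    return 0
}

# Entry point used by the master: argument 1 is the certname, CSR PEM on stdin.
if [ "$#" -ge 1 ]; then
    csr_text=$(openssl req -noout -text) || exit 1
    pw=$(printf '%s\n' "$csr_text" | extract_challenge_password)
    if decide "$1" "$pw"; then
        echo "autosign: signing $1" >&2
        exit 0
    fi
    echo "autosign: refusing $1" >&2
    exit 1
fi
```

The master runs the script as the puppet user, so the secret (here an environment variable with a constructed default) must be readable by that user and by nobody else, and it should be rotated once a batch of hosts has enrolled. The challengePassword travels inside the CSR over the agent's TLS connection to tcp/8140, so it is not exposed on the wire; what this buys over the glob file is that a rogue host on the network can no longer enrol just by picking a matching certname.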
If a node is stopped uncleanly, the next agent start may fail with a stale lock-file error; delete the lock file and restart. (On Puppet 3 the catalog-run lock is $statedir/agent_catalog_run.lock, i.e. /var/lib/puppet/state/agent_catalog_run.lock by default.)
Configuration files
/etc/puppet/manifests/site.pp (the global entry manifest; the first file consulted on every run)
Ansible installation
Control node
- yum install -y ansible
- [root@localhost ansible]# ssh-keygen
- Generating public/private rsa key pair.
- Enter file in which to save the key (/root/.ssh/id_rsa):
- Created directory '/root/.ssh'.
- Enter passphrase (empty for no passphrase):
- Enter same passphrase again:
- Your identification has been saved in /root/.ssh/id_rsa.
- Your public key has been saved in /root/.ssh/id_rsa.pub.
- The key fingerprint is:
- ba:6c:15:b5:ec:54:11:7e:01:3f:8d:46:5f:9e:b3:6d root@master.localdomain
- (randomart image omitted)
- The author accepted an empty passphrase (Enter twice). Outside a lab, set one and load the key with ssh-agent, so that a copied id_rsa is not immediately usable against every managed host.
- [root@localhost ansible]# cd /root/.ssh/
- [root@localhost .ssh]# ls
- id_rsa id_rsa.pub (the private and public key)
- [root@localhost .ssh]# ssh-copy-id root@192.168.1.4 (appends the public key to /root/.ssh/authorized_keys on 192.168.1.4; you are asked for root's password once. Logging in as root works, but a dedicated unprivileged user plus become is the usual practice.)
- [root@localhost ansible]# vim /etc/ansible/ansible.cfg
- private_key_file = /root/.ssh/id_rsa (under the [defaults] section; the private key Ansible uses for SSH)
- [root@localhost ansible]# vim /etc/ansible/hosts
- [servers]
- 192.168.1.4 (define a host group named servers)
- [root@localhost ansible]# ansible servers -m ping (basic connectivity test; the ping module logs in over SSH and runs Python on the target, it is not ICMP)
- 192.168.1.4 | SUCCESS => {
- "changed": false,
- "ping": "pong"
- }
Done.
Source: http://www.bubuko.com/infodetail-2632251.html