Evan：/* Installing Puppet Server */

2021-11-22T01:07:09Z

Installing Puppet Server

新页面

=why=
一切按官方文档是最好的哦虽然英文Oct 27 2021
salt 老是0day问题 ,为了安全于是上puppet 现在文档真的很少,以前在dovo时,流行得很呢于是有了本文

=install=

https://puppet.com/docs/puppet/7/install_agents.html#configure_server_setting

https://puppet.com/docs/puppetserver/5.3/intermediate_ca_configuration.html

https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html

==aliyun mirrors ==
https://developer.aliyun.com/mirror/puppet
https://mirrors.aliyun.com/puppet/

==* Enable the Puppet platform repository ==

=== RH===
可以用aliyun mirrors 会更加快
wget -c https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/x86_64/puppet7-release-7.0.0-1.el7.noarch.rpm && rpm -Uvh puppet7-release-7.0.0-1.el7.noarch.rpm

rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

=== debian 10 or kali 2021 只能是 buster 注意 ===
<pre>
记得要改为google dns 8.8.4.4 or alidns
#wget -c https://apt.puppetlabs.com/puppet6-release-buster.deb && dpkg -i puppet6-release-buster.deb

#on my kali
wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb
#https://mirrors.aliyun.com/puppet/apt/puppet6-release-buster.deb &&

wget -c https://mirrors.aliyun.com/puppet/apt/puppet7-release-bullseye.deb && dpkg -i puppet7-release-bullseye.deb #debian 11
#wget https://apt.puppet.com/puppet7-release-buster.deb && dpkg -i puppet7-release-buster.deb
apt update </pre>

== Installing Puppet Server ==
<pre>

#问题昨天在家里的 debian 11 安装不了 puppetserver

但是在外网的debian10 是可以安装的

#base on RHEL
yum install puppetserver

#base on debina
apt update
apt-get install puppetserver -y
systemctl enable puppetserver
sudo systemctl start puppetserver

/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver -v
puppetserver version: 6.14.1

cp /etc/profile /etc/profileevanbak
echo 'export PATH=/opt/puppetlabs/server/apps/puppetserver/bin/:$PATH' >> /etc/profile

apt-get install default-jdk
</pre>

[https://zhuanlan.zhihu.com/p/86308378 如何在 Debian 10 上安装 OpenJDK11/OpenJDK8]

[https://linuxhint.com/install_jdk_debian_10/ Installing JDK on Debian 10]

https://puppet.com/docs/puppet/6.19/server/install_from_packages.html

== * 3. Install Puppet agent ==

=== ** RHEL ===
rpm -Uvh https://yum.puppet.com/puppet7-release-el-7.noarch.rpm

https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

=====** =====
<pre> cat /etc/yum.repos.d/puppet7.repo
[puppet7]
name=Puppet 7 Repository el 7 - $basearch
#baseurl=https://mirrors.aliyun.com/puppet/yum/puppet7/el/7/$basearch
baseurl=http://yum.puppetlabs.com/puppet7/el/7/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet7-release
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-2025-04-06-puppet7-release
enabled=1
gpgcheck=1

yum clean all
yum makecache

yum install puppet-agent

echo 'export PATH=/opt/puppetlabs/bin:$PATH' >> /etc/profile && source /etc/profile
https://puppet.com/docs/puppet/6.19/install_agents.html

Start the Puppet service: sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true
</pre>

=== ** deb ===
<pre> apt-get install puppet-agent

source /etc/profile.d/puppet-agent.sh

systemctl enable puppet
systemctl start puppet

cat /etc/profile.d/puppet-agent.sh
# Add /opt/puppetlabs/bin to the path for sh compatible users

if [ -z "${PATH-}" ] ; then
export PATH=/opt/puppetlabs/bin
elif ! echo "${PATH}" | grep -q /opt/puppetlabs/bin ; then
export PATH="${PATH}:/opt/puppetlabs/bin"
fi

if ! echo "${MANPATH-}" | grep -q /opt/puppetlabs/puppet/share/man ; then
export MANPATH="${MANPATH-}:/opt/puppetlabs/puppet/share/man"
fi

</pre>
https://puppet.com/docs/puppet/7/install_agents.html

==* 4. Install PuppetDB (optional)==

= =

=configure=

https://puppet.com/docs/puppet/7/install_agents.html#agent_primary_server_connections

<pre>

# 要先配置hosts

#On the agent node, run:
puppet config set server puppetserver.example.com --section main

#3. Connect the agent to the primary server and sign the certificate

# on agent node
puppet ssl bootstrap

You will see a message that looks like:

Info: Creating a new RSA SSL key for <agent node>

#On the primary server node, sign the certificate:
#puppetsrver
sudo puppetserver ca sign --certname <name>
#我是这个其实最好不要这个
puppetserver ca sign --all

#On the agent node, run the agent again:

puppet ssl bootstrap
</pre>
== 相关配置文件==
===code on server===
<pre>
最开始的样子
[root@r code]# tree
.
├── environments
│   └── production
│   ├── data
│   ├── environment.conf
│   ├── hiera.yaml
│   ├── manifests
│   └── modules
└── modules

6 directories, 2 files
[root@code]# pwd
/etc/puppetlabs/code

</pre>

===puppet server ===
<pre>

#官方文档就是666 唯一瑕疵就是配置hosts 和 certname = puppetserver.example.com 好像没说到还是我没看到呢这次配置完成用官方文档了,今天就用了删除原来的key good
cat /etc/hosts

127.0.0.1 puppetserver.example.com
192.168.10.32 puppetserver.example.com
192.168.10.39 puppetagent
192.168.10.33 puppetagent2

cat /etc/puppetlabs/puppet/puppet.conf

# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
[master]
certname = puppetserver.example.com

</pre>

===agent ===
<pre>
cat /etc/hosts
127.0.0.1 localhost
#127.0.1.1 puppetserver.example.com puppetserver
192.168.10.32 puppetserver.example.com puppetserver
127.0.1.1 puppetagent

cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetserver.example.com
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
runinterval=30

</pre>

=== agent2===
<pre>
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 puppetagent2
#debian11

192.168.10.32 puppetserver.example.com

root@puppetagent2:~# cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetserver.example.com
[agent]
runinterval=30

</pre>

这里的明天再补上 Sep 26

= 全新 mastet 添加agent node(全新安装) 和证书配置=
==info==
各自记得起hostname
192.168.10.70 master.pu.com
192.168.10.71 agent1.pu.com

==add hosts==

===master hosts===
<pre>
127.0.1.1 puppet
192.168.10. 70 master.pu.com
192.168.10. 71 agent1.pu.com

</pre>
===agent1 hosts===
<pre>
192.168.10.70 master.pu.com

</pre>
==config ==
===on agent===
<pre>
puppet config set server master.pu.com --section main

#改变半小时生效太长
cat /etc/puppetlabs/puppet/puppet.conf
[agent]
runinterval=30

#生成证书
puppet ssl bootstrap

</pre>

===on master===
<pre>

#On the primary server node, sign the certificate:

puppetserver ca sign --certname agent1.pu.com
</pre>

== 全部节点安装个软件试试==
<pre>
root@master:/etc/puppetlabs/code/environments/production/manifests# cat site.pp
node default {
package { 'tmux':
ensure => present,
}
}

</pre>

=添加 agent node(全新安装) 和证书配置=

==add hosts==
=== add hosts on server===
<pre>

#puppet
#home
127.0.0.1 puppetserver.example.com
192.168.10.32 puppetserver.example.com
192.168.10.39 puppetagent
192.168.10.33 puppetagent2
192.168.10.38 puppetagent38

192.168.2.200 proxy-intra

</pre>

=== add config and hosts on agent ===
<pre>
cat /etc/hosts

192.168.10.32 puppetserver.example.com

cat /etc/puppetlabs/puppet/puppet.conf
[main]
server = puppetserver.example.com

[agent]
runinterval=30

</pre>

== 生成证书 on agent ==
<pre>
evan]# puppet ssl bootstrap
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for proxy-intra
Info: Certificate Request fingerprint (SHA256): 14:49:D8:04:C7:3B:62:88:0A:20:91:22:15:72:49:37:A8:49:18:84:6A:BD:95:6B:3C:A3:0B:B6:42:8F:FD:9C
Info: Certificate for proxy-intra has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (proxy-intra).
Info: Will try again in 120 second

#注意一般server 接受了证书后还要过几分钟才完成最终提示如下

Notice: Completed SSL initialization

</pre>

== 接受证书 on server ==
<pre>
#certname 看生成证书时的提醒一般是你的node agent的hostname
puppetserver ca sign --certname proxy-intra

#执行完成提示如下
Successfully signed certificate request for proxy-intra

</pre>

=添加 agent node(非全新安装) 和证书配置=
官方文档最6
https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html
<pre>
puppetserver ca list --all
Signed Certificates:

idc-test-all-db-192-168-10-120-c7 (SHA256) AF:EA:3F:3D:97:71:04:76:5D:5B:B2:C2:91:98:2A:1:7A:19:44:F6:BD:B2:EB:B2:F1:2E:95:CA:D3:06 alt names: ["DNS:idc-test-all-db-192-168-10-120-c7"]

#先删除原来存在的了key on server 这几步也是 puppet rror: The certificate for 'CN=' does not match its private key的解决办法
puppetserver ca clean --certname idc-test-all-db-192-168-10-120-c7
puppetserver ca clean --certname idc-test-all-php-192-168-10-122-c7

#如果有老的key 不是新安装
cd /etc/puppetlabs/puppet/ssl/certs/
rm -f ca.pem idc-test-all-db-192-168-10-120-c7.pem

# if on node puppet client
systemctl restart puppet

#agent node
root@debian11# puppet ssl bootstrap
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for idc-test-all-php-192-168-10-122-c7
Info: Certificate Request fingerprint (SHA256): 7D:9F:B7:68:B3::84:06:6D:90:49:9C:8F:76:D7:3A:25:C9:98:E0:2F:0D:39:E1:95:A6:BB:EE:B1:27
Info: Certificate for idc-test-all-php-192-168-10-122-c7 has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (idc-test-all-php-192-168-10-122-c7).
Info: Will try again in 120 seconds.

#这个是接受后成功的提示 ,如果只有这个提示没有前面的那就是在servrer 存在了相同的了
Notice: Completed SSL initialization

#sever 上接受成功喽
#单独一个
puppetserver ca sign --certname puppet2021

puppetserver ca sign --all
Successfully signed certificate request for idc-test-all-php-192-168-10-122-c7

#这个命令还是不成功
puppetserver ca sign idc-test-all-php-192-168-10-122-c7

例如
#最后在master 接受的证书名是以hostname的哦最好是事先起好hostname,虽然我hosts文件配置为puppet38 配置任务用这个也是成功的 ,不过还是不够规范
puppetserver ca sign --all
Successfully signed certificate request for debian11

</pre>

=默认30分钟太久=
<pre>
#on agent 120 秒 ,2 分钟
vi /etc/puppetlabs/puppet/puppet.conf
[agent]
server = master.test.cn
runinterval=120

</pre>

=入门例子=
<pre>
#安装到所有节点默认是半个小时成效可以手工执行
cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
package { 'emacs':
ensure => present,
}
}

# 笨方法两个节点安装 w3m
cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node 'puppetagent' {
package { 'w3m':
ensure => present,
}
}
node 'puppetagent2' {
package { 'w3m':
ensure => present,
}
}
</pre>
==第一个file 例子==
<pre>
#on server
#cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
file { "/tmp/oct28.txt":
content => "hey first puppet file";
}
}

#结果随便找个 agent node
root@puppetagent:~# cat /tmp/oct28.txt
hey first puppet file

</pre>

==第一个shell 命令例子==
<pre>
cat site.pp
node default {
Exec {path =>"/bin:/sbin:/bin/sh:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"}
exec { "touch files":
command => "/usr/bin/touch /tmp/mytouch.txt";
}
}

</pre>

==第一个配置一个测试节点 modules ==
<pre>

cd /etc/puppetlabs/code/environments/production/modules
root@master:/etc/puppetlabs/code/environments/production/modules#
mkdir -p test/{manifests,templates,files}

vi templates/test.erb
hostname <%= fqdn %>

vi manifests/init.pp
class test {
file {"/tmp/$hostname.txt": content => "hey world";}
}

root@master:/etc/puppetlabs/code/environments/production/manifests# mkdir nodes

vi agent1.pu.com.pp
node 'agent1.pu.com' {
include test
}

主动拉取
root@agent1:~# puppet agent -t

cat ../site.pp
node default {
package { 'tree':
ensure => present,
}
}

#其实只要这行上面和下面的全可不要
import "nodes/agent1.pu.pp"
#include的写法但是好像有问题这个所有的
import "nodes/*.pp"

成功暂时是只有 agent1 有,因为开始只是node 里只有 agent1
root@agent1:~# cat /tmp/agent1.txt
hey world

trouble shooting

The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc>
11月 21 22:25:11 myxps puppet-agent[34301]: The certificate for 'CN=idc-test-all-php-192-168-10-122-c7' does not matc>
~

</pre>

=video=
[https://www.bilibili.com/video/BV1H7411u7mu?p=5 Puppet自动化运维企业实战]

=进阶=
[https://www.cnblogs.com/along21/p/10369858.html 企业级自动化运维工具---puppet详解 ]

[https://www.cnblogs.com/keerya/p/8040071.html 自动化运维工具——puppet详解（一） ]

[https://www.cnblogs.com/keerya/p/8087675.html 自动化运维工具——puppet详解（二） ]

=see also=

=trouble shooting=
<pre>

root@master:~# puppetserver ca sign --certname agent1.pu.com
Fatal error when running action 'sign'
Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_status/
Root cause: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)

root@master:~# cat /etc/hosts

127.0.1.1 puppet
</pre>

=references=
https://en.wikipedia.org/wiki/Puppet_(software)

[https://www.cnblogs.com/baizhantang/p/3208210.html puppet批量管理500多台服务器 ]

[https://www.cnblogs.com/kevingrace/p/5740984.html Puppet常识梳理 ]

[http://www.srcmini.com/41406.html Puppet组件详解]

[http://www.srcmini.com/41401.html Puppet类用法示例]

[https://www.cnblogs.com/krainbow/p/4212056.html puppet多环境配置（puppet自动化系列2） ]

[https://www.cnblogs.com/krainbow/p/4212048.html puppet初始化安装和配置（puppet自动化系列1） ]

[https://www.meirenji.info/2018/09/03/puppet%E8%87%AA%E5%8A%A8%E5%8C%96%E5%B8%83%E7%BD%B2%E9%85%8D%E7%BD%AE%E5%85%A5%E9%97%A8/ puppet自动化布署配置入门]

[https://www.cnblogs.com/sddai/p/11031885.html Puppet自动化管理配置 ]

[https://www.jianshu.com/p/63234d526866 puppet入门]

[https://blog.51cto.com/u_433266/2176059?xiangguantuijian&06 Puppet 实验五软件安装测试]

Usage

[https://www.zsythink.net/archives/331 puppet入门：puppet使用基础（puppet 5） ]

[https://www.linuxidc.com/Linux/2012-12/75979.htm Puppet批量部署实际案例]

[https://www.cnblogs.com/Dicky-Zhang/p/6260127.html puppet的配置]

==应用例子 ==

[https://blog.51cto.com/forall/1913534 Puppet批量部署tomcat]

[https://blog.csdn.net/weixin_33964094/article/details/92921026 Puppet批量部署tomcat]

[[category:devops]]

Puppet基础 - 版本历史

Evan：​/* Installing Puppet Server */

Evan：/* Installing Puppet Server */