
puppet部署與應用

自動化運維工具 puppet

puppet是一種Linux、Unix、windows平臺的集中配置管理系統,使用自有的puppet描述語言,可管理配置文件、用戶、cron任務、軟件包、系統服務等。puppet把這些系統實體稱之為資源,puppet的設計目標是簡化對這些資源的管理以及妥善處理資源間的依賴關系。

puppet為C/S星狀的結構,所有的客戶端和一個或幾個服務器交互。每個客戶端周期的(默認半個小時)向服務器發送請求,獲得其最新的配置信息,保證和該配置信息同步。每個puppet客戶端每半小時(可以設置)連接一次服務器端, 下載最新的配置文件,並且嚴格按照配置文件來配置客戶端. 配置完成以後,puppet客戶端可以反饋給服務器端一個消息. 如果出錯,也會給服務器端反饋一個消息.



實驗部署


環境

192.168.200.202 centos6 master.linuxwang.cn

192.168.200.203 centos6 client1.linuxwang.cn

192.168.200.204 centos6 client2.linuxwang.cn


設置主機名

所有主機配置本地解析

[[email protected] ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.202 master.linuxwang.cn
192.168.200.203 client1.linuxwang.cn
192.168.200.204 client2.linuxwang.cn

[email protected] ~]# for i in 203 204 202;do rsync [email protected]$i:/etc/hosts /


配置時間同步服務器

[root@master ~]# rpm -qa ntp

ntp-4.2.6p5-1.el6.centos.x86_64
[[email protected] ~]# sed -i ‘/^server/s/^/#/g‘ /etc/ntp
ntp/ ntp.conf
[[email protected] ~]# sed -i '/^server/s/^/#/g' /etc/ntp.conf
[[email protected] ~]# sed -i '$aserver 127.127.1.0\nfudge 127.127.1.0 stratum 8' /etc/ntp.conf
[[email protected] ~]# /etc/init.d/ntpd restart
關閉 ntpd: [失敗]
正在啟動 ntpd: [確定]

[[email protected] ~]# chkconfig ntpd on

[root@client1 ~]# /usr/sbin/ntpdate 192.168.200.202
18 Aug 16:49:12 ntpdate[1264]: adjust time server 192.168.200.202 offset 0.090238 sec
[[email protected] ~]# echo "*/5 * * * * /usr/sbin/ntpdate 192.168.200.202" >>/var/spool/cron/root
[[email protected] ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate 192.168.200.202


在master端搭建puppet服務

下載服務包 facter-1.7.1.tar.gz

puppet-2.7.21.tar.gz

安裝依賴包 yum -y install compat-readline5 ruby*

Ruby,一種簡單快捷的面向對象(面向對象程序設計)腳本語言


[[email protected] ~]# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]


為puppet創建獨立的用戶

useradd -s /sbin/nologin puppet


在使用puppet作為配置管理工具的同時,facter是一個非常有用的系統盤點工具,自定義fact可以讓節點增加更多的標簽

這個工具可以通過一些預先設定好的變量定位一臺主機,比如可以通過變量lsbdistrelease便可以知道當前系統的版本號,通過osfamily便可以知道系統是RedHat還是SLES,還是其它等等。但是這些預先設定好的變量畢竟有限,在整個自動化運維過程中,由於系統應用的多樣性,更多需要通過應用的名稱、角色的名稱進行標示,這樣就需要自定義一些fact並賦值到每個節點上去,相當於給節點打上標簽


安裝 facter 與 puppet

[[email protected] ~]# ls
anaconda-ks.cfg facter-1.7.1.tar.gz install.log install.log.syslog puppet-2.7.21.tar.gz
[[email protected] ~]# tar zxf facter-1.7.1.tar.gz
[[email protected] ~]# cd facter-1.7.1
[[email protected] facter-1.7.1]# ruby install.rb #安裝


tar zxf puppet-2.7.21.tar.gz

cd puppet-2.7.21

ruby install.rb


制作安裝腳本

[[email protected] ~]# cat install_facter_puppet.sh
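#!/bin/bash
# install_facter_puppet.sh — unattended source install of facter 1.7.1 and
# puppet 2.7.21 on CentOS 6 (ruby 1.8.7 from the base repositories).
#
# Usage: run as root with bash (the page invokes it as "sh -x", which on
# CentOS 6 is bash); no arguments. Tarballs are downloaded into /root/.
#
# The FTP source provides no authentication or transport integrity, so the
# script accepts optional expected digests via the environment:
#   FACTER_SHA256 / PUPPET_SHA256 = <expected-sha256-placeholder>
# When set, a tarball whose sha256 does not match is never unpacked. When
# unset (the default, matching the original script) no verification is done.
set -euo pipefail

readonly SRC_URL=ftp://ftp.linuxfan.cn/tools
readonly DEST=/root
readonly FACTER_TGZ=facter-1.7.1.tar.gz
readonly FACTER_DIR=facter-1.7.1
readonly PUPPET_TGZ=puppet-2.7.21.tar.gz
readonly PUPPET_DIR=puppet-2.7.21
FACTER_SHA256=${FACTER_SHA256:-}
PUPPET_SHA256=${PUPPET_SHA256:-}

# die MSG... — print MSG to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Download one tarball into $DEST and, when a digest is given, verify it.
# Arguments: $1 - tarball file name; $2 - expected sha256 or empty
# Returns:   0 on success; exits via die on download or checksum failure
#######################################
fetch_tarball() {
  local name=$1 expected=$2
  # Errors stay visible on stderr instead of being discarded with &>/dev/null.
  wget -q -- "${SRC_URL}/${name}" -P "${DEST}/" || die "download failed: ${name}"
  if [[ -n "$expected" ]]; then
    printf '%s  %s\n' "$expected" "${DEST}/${name}" | sha256sum -c - >/dev/null \
      || die "checksum mismatch: ${name}"
  fi
}

#######################################
# Unpack one tarball under $DEST and run its install.rb.
# Arguments: $1 - tarball file name; $2 - directory the tarball creates
# Returns:   0 on success; exits via die on extract or install failure
#######################################
install_from_tarball() {
  local name=$1 dir=$2
  tar zxf "${DEST}/${name}" -C "${DEST}" || die "extract failed: ${name}"
  # Subshell so the caller's working directory is untouched (the original
  # script had to "cd" back by hand after each install).
  ( cd "${DEST}/${dir}" && ruby install.rb >/dev/null ) || die "install failed: ${dir}"
}

main() {
  yum -y install compat-readline5 'ruby*' >/dev/null || die "yum install failed"
  ruby -v
  # useradd fails if the account already exists; make re-runs idempotent.
  id puppet >/dev/null 2>&1 || useradd -s /sbin/nologin puppet

  fetch_tarball "$FACTER_TGZ" "$FACTER_SHA256"
  install_from_tarball "$FACTER_TGZ" "$FACTER_DIR"
  # Print the facts once as a smoke test that facter installed correctly.
  facter

  fetch_tarball "$PUPPET_TGZ" "$PUPPET_SHA256"
  install_from_tarball "$PUPPET_TGZ" "$PUPPET_DIR"
}
main "$@"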


配置puppetmaster啟動文件

[[email protected] ~]# cp puppet-2.7.21/conf/redhat/{fileserver.conf,puppet.conf} /etc/puppet/
[[email protected] ~]# ls /etc/puppet/
auth.conf fileserver.conf puppet.conf
[[email protected] ~]# cp puppet-2.7.21/conf/redhat/server.init /etc/init.d/puppetmaster
[[email protected] ~]# chmod +x /etc/init.d/puppetmaster
[[email protected] ~]# chkconfig --add puppetmaster
[[email protected] ~]# mkdir -p /etc/puppet/{manifests,modules}
[[email protected] ~]# ls /etc/puppet/
auth.conf fileserver.conf manifests modules puppet.conf
[[email protected] ~]# sed -i '/ssldir/a modulepath = /etc/puppet/modules:/usr/share/puppet/modules' /etc/puppet/puppet.conf

[[email protected] ~]# cat /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is ‘$vardir/log‘.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is ‘$vardir/run‘.
rundir = /var/run/puppet

# Where SSL certificates are kept.
# The default value is ‘$confdir/ssl‘.
ssldir = $vardir/ssl
modulepath = /etc/puppet/modules:/usr/share/puppet/modules

[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuratiion. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is ‘$confdir/classes.txt‘.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is ‘$confdir/localconfig‘.
localconfig = $vardir/localconfig
[[email protected] ~]# /etc/init.d/puppetmaster start
啟動 puppetmaster: [確定]
[[email protected] ~]# netstat -uptln |grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 7310/ruby
[[email protected] ~]# ps aux |grep puppet
puppet 7310 0.0 8.5 138476 41772 ? Ssl 17:20 0:00 /usr/bin/ruby /usr/sbin/puppetmasterd
root 7317 0.0 0.1 103256 852 pts/0 S+ 17:20 0:00 grep puppet


配置client1/2

導入安裝腳本快速安裝部署

[[email protected] ~]# scp [email protected]:/root/install_facter_puppet.sh ./
[email protected] password:
install_facter_puppet.sh 100% 469 0.5KB/s 00:00
[[email protected] ~]# ls
anaconda-ks.cfg install_facter_puppet.sh install.log install.log.syslog
[[email protected] ~]# sh -x install_facter_puppet.sh


配置client

[[email protected] ~]# cp puppet-2.7.21/conf/redhat/puppet.conf /etc/puppet/
You have new mail in /var/spool/mail/root
[[email protected] ~]# cp puppet-2.7.21/conf/redhat/client.init /etc/init.d/puppetclient
[[email protected] ~]# chmod +x /etc/init.d/puppetclient
[[email protected] ~]# chkconfig --add puppetclient
[[email protected] ~]# sed -i '/ssldir/a server = master.linuxwang.cn' /etc/puppet/puppet.conf

[[email protected] ~]# puppet agent --server=master.linuxwang.cn --no-daemonize --verbose
info: Caching certificate for ca
info: Creating a new SSL certificate request for client1.linuxwang.cn
info: Certificate Request fingerprint (md5): C3:11:66:D6:E2:B5:B0:84:2F:3C:48:8F:CA:49:E6:FF
^CCancelling startu


[[email protected] ~]# ps aux |grep puppet

puppet 7310 0.0 8.5 138476 41772 ? Ssl 17:20 0:00 /usr/bin/ruby /usr/sbin/puppetmasterd
root 7317 0.0 0.1 103256 852 pts/0 S+ 17:20 0:00 grep puppet

[[email protected] ~]# puppet cert --list ##查看申請證書的客戶端


"client1.linuxwang.cn" (C3:11:66:D6:E2:B5:B0:84:2F:3C:48:8F:CA:49:E6:FF)
"client2.linuxwang.cn" (C5:57:BC:9C:93:C5:03:7F:13:48:16:14:3B:40:8D:09)
[[email protected] ~]# puppet cert sign --all ##將未註冊的客戶端進行註冊;簽發前應先比對上方列出的指紋與客戶端本機輸出的指紋(如 client1 的 C3:11:66:...:E6:FF)是否一致,避免簽發來路不明的請求

notice: Signed certificate request for client2.linuxwang.cn
notice: Removing file Puppet::SSL::CertificateRequest client2.linuxwang.cn at ‘/var/lib/puppet/ssl/ca/requests/client2.linuxwang.cn.pem‘
notice: Signed certificate request for client1.linuxwang.cn
notice: Removing file Puppet::SSL::CertificateRequest client1.linuxwang.cn at ‘/var/lib/puppet/ssl/ca/requests/client1.linuxwang.cn.pem‘
[[email protected] ~]# ls -l /var/lib/puppet/ssl/ca/signed/ #查看已經註冊的客戶端

總用量 12
-rw-r----- 1 puppet puppet 1923 8月 18 17:53 client1.linuxwang.cn.pem
-rw-r----- 1 puppet puppet 1923 8月 18 17:53 client2.linuxwang.cn.pem
-rw-r----- 1 puppet puppet 2004 8月 18 17:20 master.linuxwang.cn.pem



補充內容:

如果客戶端註冊失敗,或者因為重啟等原因失敗可以重新進行註冊:

client端:

rm -rf /var/lib/puppet/ssl/

master端:

rm -rf /var/lib/puppet/ssl/ca/signed/client*.linuxwang.cn

然後進行重新註冊操作:

puppet agent --server=master.linuxwang.cn --no-daemonize --verbose ##客戶端請求註冊

puppet cert sign --all ##將未註冊的客戶端進行註冊



配置puppet實例:(重點,難點)

mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}

mkdir /etc/puppet/manifests/nodes

mkdir /etc/puppet/modules/ssh/files/ssh

chown -R puppet /etc/puppet/modules/

yum -y install tree

[[email protected] ~]# tree /etc/puppet/

/etc/puppet/
├── auth.conf
├── fileserver.conf
├── manifests          (資源: server、install、crond、用戶組、命令)
│   └── nodes
├── modules            (模塊)
│   └── ssh
│       ├── files
│       │   └── ssh
│       ├── manifests
│       └── templates
└── puppet.conf


[[email protected] ~]# cat /etc/puppet/modules/ssh/manifests/config.pp
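# ssh::config — deploy the centrally maintained sshd_config and refresh sshd.
#
# The file is served from this module's files/ssh/ directory (on this page a
# copy of the master's sshd_config with "Port 9922" appended). It is installed
# 0600 root:root so only root can read or alter the listener settings.
# Ordering: after ssh::install (package present), and every content change
# notifies ssh::service, which restarts sshd.
class ssh::config {
  file { '/etc/ssh/sshd_config':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    # puppet:///modules/<module>/<path> is the conventional module-file URI.
    # The original used "puppet://$puppetserver/...", but $puppetserver is not
    # defined anywhere on this page, so it only worked because an unset
    # variable expands to an empty host.
    source  => 'puppet:///modules/ssh/ssh/sshd_config',
    require => Class['ssh::install'],
    notify  => Class['ssh::service'],
  }
}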

[[email protected] ~]# cat /etc/puppet/modules/ssh/manifests/install.pp
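# ssh::install — make sure the OpenSSH packages are present.
#
# The original declared only "openssh". On RHEL-family systems that package
# does not ship the sshd daemon; ssh::service manages Service['sshd'], so the
# class also requires openssh-server to hold on a host where it is missing.
class ssh::install {
  package { ['openssh', 'openssh-server']:
    ensure => present,
  }
}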

[[email protected] ~]# cat /etc/puppet/modules/ssh/manifests/init.pp
# ssh — module entry point: install OpenSSH, push sshd_config, keep sshd up.
# Ordering between the three classes is expressed inside them through
# require/notify, so the include order here does not matter.
class ssh {
  include ssh::install
  include ssh::config
  include ssh::service
}

[[email protected] ~]# cat /etc/puppet/modules/ssh/manifests/service.pp
# ssh::service — keep sshd running and enabled at boot.
#
# hasstatus/hasrestart declare that the init script supports "status" and
# "restart", so Puppet uses them instead of scanning the process table or
# doing a stop/start. Configuration changes reach this class through the
# notify in ssh::config, which triggers a restart of sshd.
class ssh::service {
  service { 'sshd':
    enable     => true,
    ensure     => running,
    hasrestart => true,
    hasstatus  => true,
    require    => Class['ssh::config'],
  }
}

建立統一維護的配置文件:sshd_config

cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/ ##復制配置文件

sed -i '/Port/aPort 9922' /etc/puppet/modules/ssh/files/ssh/sshd_config ##修改要發布的文件的端口(注意 /Port/ 也會匹配 "#GatewayPorts no" 這一行,因此下方客戶端拉取時的 diff 中 "Port 9922" 出現了兩次)


[[email protected] ~]# cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/
[[email protected] ~]# sed -i '/Port/aPort 9922' /etc/puppet/modules/ssh/files/ssh/sshd_config
[[email protected] ~]# vi /etc/puppet/manifests/nodes/ssh.pp ##節點定義文件,內容未在本文列出;需在其中以 node 宣告客戶端主機名並 include ssh

[[email protected] ~]# echo 'import "nodes/ssh.pp"'>>/etc/puppet/manifests/site.pp
[[email protected] ~]# chown puppet:puppet /etc/puppet/modules/ -R
[[email protected] ~]# chown puppet:puppet /etc/puppet/manifests/ -R
[[email protected] ~]# tree /etc/puppet/modules/ssh/
/etc/puppet/modules/ssh/
├── files
│ └── ssh
│ └── sshd_config
├── manifests
│ ├── config.pp
│ ├── init.pp
│ ├── install.pp
│ └── service.pp
└── templates


重啟服務

客戶端拉取測試


You have new mail in /var/spool/mail/root
[[email protected] ~]# puppet agent -t
info: Caching catalog for client1.linuxwang.cn
info: Applying configuration version ‘1503051937‘
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content:
--- /etc/ssh/sshd_config 2017-04-15 17:00:20.199199515 +0800
+++ /tmp/puppet-file20170818-8016-rxh78k-0 2017-08-18 18:25:40.184909549 +0800
@@ -11,6 +11,7 @@
# default value.

#Port 22
+Port 9922
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
@@ -105,6 +106,7 @@
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
+Port 9922
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10

info: FileBucket adding {md5}0ac17033eef95b55d21b69501c362ae9
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 0ac17033eef95b55d21b69501c362ae9
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: content changed ‘{md5}0ac17033eef95b55d21b69501c362ae9‘ to ‘{md5}45aac0e92d859a59ae3cccc654285248‘
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Class[Ssh::Service]
info: Class[Ssh::Service]: Scheduling refresh of Service[sshd]
notice: /Stage[main]/Ssh::Service/Service[sshd]: Triggered ‘refresh‘ from 1 events
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 1.89 seconds


[[email protected] ~]# grep 22 /etc/ssh/sshd_config
#Port 22
Port 9922
Port 9922
[[email protected] ~]# netstat -utpln |grep sshd
tcp 0 0 0.0.0.0:9922 0.0.0.0:* LISTEN 8176/sshd
tcp 0 0 :::9922 :::* LISTEN 8176/sshd


[[email protected] ~]# echo "listen = true" >>/etc/puppet/puppet.conf ##讓 agent 監聽以接受 master 主動推送(puppet kick)
[[email protected] ~]# echo "allow *" >>/etc/puppet/auth.conf ##注意:追加到文件末尾的 allow * 會套用到 auth.conf 最後一個 path 區段,等於對任何來源開放;正式環境應只對 master.linuxwang.cn 放行
[[email protected] ~]# /etc/init.d/puppetclient restart
停止 puppet: [失敗]
啟動 puppet: [確定]
[[email protected] ~]# netstat -utpln |grep ashsd
[[email protected] ~]# netstat -utpln |grep ashd
[[email protected] ~]# netstat -utpln |grep sshd
tcp 0 0 0.0.0.0:9922 0.0.0.0:* LISTEN 7855/sshd
tcp 0 0 :::9922 :::* LISTEN 7855/sshd


設置成功後還有一些其他操作,請繼續關註


