Automated Operations Tools: Common Puppet Resources (Part 1)
In the previous post we covered Puppet's architecture, the workflow of the standalone model and the master/agent model, and basic Puppet usage; for a refresher see https://www.cnblogs.com/qiuhom-1874/p/14052241.html. Today we look at how Puppet's core resources are used.
What is a resource?
In Puppet, a resource is the object on the managed host that we want to operate on. The resource concept in Puppet is somewhat like a module in Ansible: in Ansible, different modules do different jobs, for example the user module for user management, the file module for file management, and the shell and command modules for running commands. Puppet resources serve a similar purpose, with the difference that Puppet resources are highly abstract. "Highly abstract" means the user does not need to care about the underlying operating system interface. For example, to install nginx on a managed host with Puppet we simply use the package resource; the user does not have to consider whether the underlying system is Windows, CentOS or Ubuntu, because Puppet identifies it automatically and chooses the appropriate installation method. In Ansible, by contrast, different operating systems need different modules: the yum module for the Red Hat family and the apt module for the Debian family.
Puppet abstracts similar resources into a single resource type, such as package resources, user resources and service resources, and separates the description of a resource's attributes or state from the way it is implemented. When installing a package, for instance, the user does not need to care how the installation is carried out; it is enough to describe the resource's target state and its related attributes.
Using common Puppet resources
1. group: this resource type manages groups on the managed host.
Main attributes
name: the group name; this is the namevar, and if it is not set explicitly the title string is used instead.
gid: the GID (group ID).
system: whether this is a system group; values yes/no or true/false.
ensure: the target state (the state the user expects this resource to have on the target host); values present/absent.
members: the member users of the group.
Example: create a group named test
[root@node12 ~]# cat group.pp
group{'create_group':
    name => 'test',
    gid => 1212,
    system => false,
    ensure => present,
}
[root@node12 ~]#
Simulate applying the manifest above to check whether it has syntax errors
[root@node12 ~]# puppet apply -v --noop group.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.05 seconds
Info: Applying configuration version '1606827824'
Notice: /Stage[main]/Main/Group[create_group]/ensure: current_value absent, should be present (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.02 seconds
[root@node12 ~]#
Apply it to the local host
[root@node12 ~]# puppet apply -v group.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.05 seconds
Info: Applying configuration version '1606827835'
Notice: /Stage[main]/Main/Group[create_group]/ensure: created
Notice: Finished catalog run in 0.08 seconds
[root@node12 ~]#
Verify: was the test group created on this host, and is its gid the one we specified?
[root@node12 ~]# getent group test
test:x:1212:
[root@node12 ~]#
2. user: this resource type manages users on the managed host, such as creating and deleting users.
Main attributes
name: the user name; namevar.
uid: the UID.
gid: the primary group id.
groups: supplementary groups; must not include the primary group.
comment: a comment.
expiry: the expiry date.
home: the home directory.
shell: the default shell.
system: whether this is a system user; values yes/no or true/false.
ensure: the target state the user expects; values present/absent.
password: the encrypted password string.
Example: create a user
[root@node12 ~]# cat user.pp
user{"create_user":
    name => "jerry",
    uid => 1213,
    groups => ["test","test1","test2","test3"],
    comment => "this is create test user",
    system => no,
    ensure => present,
}
[root@node12 ~]#
Check the syntax and apply it to the local host
[root@node12 ~]# puppet apply -v --noop user.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.06 seconds
Info: Applying configuration version '1606829084'
Notice: /Stage[main]/Main/User[create_user]/ensure: current_value absent, should be present (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.02 seconds
[root@node12 ~]# puppet apply -v user.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.06 seconds
Info: Applying configuration version '1606829091'
Notice: /Stage[main]/Main/User[create_user]/ensure: created
Notice: Finished catalog run in 0.05 seconds
[root@node12 ~]#
Verify: was the jerry user created, and do its attributes match what we specified?
[root@node12 ~]# id jerry
uid=1213(jerry) gid=1213(jerry) groups=1213(jerry),1000(test1),1001(test2),1002(test3),1212(test)
[root@node12 ~]# getent passwd jerry
jerry:x:1213:1213:this is create test user:/home/jerry:/bin/bash
[root@node12 ~]#
In the example above, the supplementary groups we specified already existed on the system. What happens if a specified group does not exist? We know that when Puppet applies a manifest it has an important property, idempotence: no matter how many times the manifest is applied, the target state stays the same. If a resource on the system is not in the user-defined target state, Puppet forces it into that state; if the system resource already satisfies the target state we defined, Puppet does nothing and skips it. Following from this, when the supplementary groups given for a new user do not exist, in theory we should first make sure the groups exist and only then create the user. So a user resource may depend on group resources; simply put, the user resource depends on the group resource, and the supplementary groups should be created before the user is.
In Puppet there are dependency relationships between resources, and a dependency between two resources can be defined in two ways:
A before B: A runs before B; defined in resource A:
{ ... before => Type['B'], ... }
B require A: B depends on A; defined in resource B:
{ ... require => Type['A'], ... }
Example: apply the manifest without defining a dependency and see whether the tom user is created
[root@node12 ~]# cat user.pp
user{"tom":
    groups => ["mygrp","testgrp"],
    comment => "this is create test user",
    system => no,
    ensure => present,
    # require => [Group["mygrp"],Group["testgrp"]]
}
[root@node12 ~]# puppet apply -v --noop user.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.06 seconds
Info: Applying configuration version '1606832440'
Notice: /Stage[main]/Main/User[tom]/ensure: current_value absent, should be present (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.02 seconds
[root@node12 ~]# puppet apply -v user.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.06 seconds
Info: Applying configuration version '1606832447'
Error: Could not create user tom: Execution of '/usr/sbin/useradd -c this is create test user -G mygrp,testgrp -M tom' returned 6: useradd: group 'mygrp' does not exist
useradd: group 'testgrp' does not exist
Error: /Stage[main]/Main/User[tom]/ensure: change from absent to present failed: Could not create user tom: Execution of '/usr/sbin/useradd -c this is create test user -G mygrp,testgrp -M tom' returned 6: useradd: group 'mygrp' does not exist
useradd: group 'testgrp' does not exist
Notice: Finished catalog run in 0.03 seconds
[root@node12 ~]# id tom
id: tom: no such user
[root@node12 ~]#
Note: in a Puppet manifest, "#" marks a comment. As you can see, when a user is created with a nonexistent group as a supplementary group, Puppet reports that the group does not exist, and the tom user is not created.
Example: define the dependency, apply the manifest again, and see whether tom is created
[root@node12 ~]# cat user.pp
user{"tom":
    groups => ["mygrp","testgrp"],
    comment => "this is create test user",
    system => no,
    ensure => present,
    require => [Group["mygrp"],Group["testgrp"]]
}
[root@node12 ~]# puppet apply -v --noop user.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.10 seconds
Error: Could not find dependency Group[mygrp] for User[tom] at /root/user.pp:7
[root@node12 ~]#
Note: although the dependency is defined here, Puppet reports that it cannot find the definition of the depended-on resource in the current manifest. Note that a resource is referenced as Type["resource name"], where Type is the resource type and its first letter must be capitalized.
Define the depended-on resources in the manifest, apply it again, and see whether the tom user is created
[root@node12 ~]# cat user.pp
user{"tom":
    groups => ["mygrp","testgrp"],
    comment => "this is create test user",
    system => no,
    ensure => present,
    require => [Group["mygrp"],Group["testgrp"]]
}
group{"mygrp":
    ensure => present,
}
group{"testgrp":
    ensure => present,
}
[root@node12 ~]# puppet apply -v --noop user.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.10 seconds
Info: Applying configuration version '1606833022'
Notice: /Stage[main]/Main/Group[mygrp]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Main/Group[testgrp]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Main/User[tom]/ensure: current_value absent, should be present (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 3 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.02 seconds
[root@node12 ~]# puppet apply -v user.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.10 seconds
Info: Applying configuration version '1606833042'
Notice: /Stage[main]/Main/Group[mygrp]/ensure: created
Notice: /Stage[main]/Main/Group[testgrp]/ensure: created
Notice: /Stage[main]/Main/User[tom]/ensure: created
Notice: Finished catalog run in 0.08 seconds
[root@node12 ~]# id tom
uid=1214(tom) gid=1216(tom) groups=1216(tom),1214(mygrp),1215(testgrp)
[root@node12 ~]#
Note: once the dependency is defined, the depended-on resources are applied first. Simply put, defining a dependency specifies the order in which resources are applied.
Besides the method above, the order in which resources are applied can also be defined in the following ways.
Use the before attribute in the depended-on resource to specify which resource it must run ahead of
[root@node12 ~]# cat user.pp
user{"tom":
    groups => ["mygrp","testgrp"],
    comment => "this is create test user",
    system => no,
    ensure => present,
    # require => [Group["mygrp"],Group["testgrp"]]
}
group{"mygrp":
    ensure => present,
    before => User["tom"],
}
group{"testgrp":
    ensure => present,
    before => User["tom"],
}
[root@node12 ~]#
Define the resource order on its own
[root@node12 ~]# cat user.pp
user{"tom":
    groups => ["mygrp","testgrp"],
    comment => "this is create test user",
    system => no,
    ensure => present,
}
group{"mygrp":
    ensure => present,
}
group{"testgrp":
    ensure => present,
}
Group["testgrp"] -> Group["mygrp"] -> User["tom"]
[root@node12 ~]#
Note: the manifest above means Group["testgrp"] runs before Group["mygrp"], which in turn runs before User["tom"].
Delete the testgrp and mygrp groups and the tom user
[root@node12 ~]# groupdel mygrp
[root@node12 ~]# groupdel testgrp
[root@node12 ~]# userdel tom
Without defining a resource order, the order in which the manifest applies resources is:
Note: by default, the resources in a manifest resolve their dependencies automatically, and the depended-on resources are normally applied in order from top to bottom.
Define the resource order, apply the manifest, and see whether the resources are applied in the order we defined:
Note: once a resource order is defined, the resources are applied in the order we defined.
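As an added example (not code from the original post), here is one manifest that puts the group and user attributes described above together with the dependency forms shown in this section: the groups are created first, the user requires them, and a departed user is removed on every run. The names (ops, audit, alice, bob), the ids, the expiry date and the password hash are constructed placeholders, not values from the post.

```puppet
# Added example: groups first, a user that depends on them, and an offboarded user.
# All names, ids and the password hash below are constructed placeholders.

group { 'ops':
  ensure => present,
  gid    => 2000,
  system => false,
}

group { 'audit':
  ensure => present,
  gid    => 2001,
}

user { 'alice':
  ensure     => present,
  uid        => 2000,
  gid        => 'ops',              # primary group, referenced by name
  groups     => ['audit'],          # supplementary groups; must not repeat the primary group
  comment    => 'Alice, operations',
  shell      => '/bin/bash',
  home       => '/home/alice',
  managehome => true,               # create the home directory (the post's useradd ran with -M, i.e. no home)
  expiry     => '2025-12-31',       # account expiry date, YYYY-MM-DD
  # Placeholder hash: replace with a real one (e.g. from openssl passwd -6).
  # The useradd provider can only manage this field when the ruby-shadow library is installed.
  password   => '$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH',
  require    => [Group['ops'], Group['audit']],
}

# Offboarding: remove the account and its home directory. Because applying the
# manifest is idempotent, Puppet re-enforces the absence on every run, so a
# manually re-created account is removed again.
user { 'bob':
  ensure     => absent,
  managehome => true,
}

# The same ordering as the require above, written with chaining arrows instead:
# Group['ops'] -> Group['audit'] -> User['alice']
```

Apply it the way the post does (puppet apply -v --noop first, then without --noop). The password hash in a manifest is a secret like any other: keep it out of plaintext in the repository and only reference it from the manifest.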
3. package: this resource type manages packages on the managed host.
Main attributes
name: the package name; namevar.
ensure: the target state; values installed/present/latest, absent/purged.
source: the package source; only useful for providers that do not download packages automatically, such as rpm or dpkg.
provider: the installation method.
Example: install the redis service
[root@node12 ~]# cat package.pp
package{"redis":
    ensure => installed,
}
[root@node12 ~]#
Apply the manifest
[root@node12 ~]# rpm -q redis
package redis is not installed
[root@node12 ~]# puppet apply -v --noop package.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.18 seconds
Warning: The package type's allow_virtual parameter will be changing its default value from false to true in a future release. If you do not want to allow virtual packages, please explicitly set allow_virtual to false. (at /usr/share/ruby/vendor_ruby/puppet/type.rb:816:in `set_default')
Info: Applying configuration version '1606835569'
Notice: /Stage[main]/Main/Package[redis]/ensure: current_value absent, should be present (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.08 seconds
[root@node12 ~]# puppet apply -v package.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.19 seconds
Warning: The package type's allow_virtual parameter will be changing its default value from false to true in a future release. If you do not want to allow virtual packages, please explicitly set allow_virtual to false. (at /usr/share/ruby/vendor_ruby/puppet/type.rb:816:in `set_default')
Info: Applying configuration version '1606835576'
Notice: /Stage[main]/Main/Package[redis]/ensure: created
Notice: Finished catalog run in 2.88 seconds
[root@node12 ~]# rpm -q redis
redis-3.2.12-2.el7.x86_64
[root@node12 ~]#
4. service: this resource type manages services on the managed host.
Main attributes
ensure: the target state; values running/stopped or true/false.
enable: whether the service starts at boot; values true/false.
name: the service name; namevar.
path: the search path for init scripts; defaults to /etc/init.d/.
binary: the path to the binary; mainly used to point at a compiled binary.
hasrestart: whether the service has a restart command.
hasstatus: whether the service has a status command.
start: a manually defined command to start the service.
stop: a manually defined command to stop the service.
status: a manually defined command to check the service status.
restart: a manually defined command to restart the service.
Example: start redis
[root@node12 ~]# cat redis.pp
service{"redis":
    ensure => running,
    enable => true,
}
[root@node12 ~]#
Apply the manifest
[root@node12 ~]# ss -tnl
State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN     0      128    *:22                    *:*
LISTEN     0      100    127.0.0.1:25            *:*
LISTEN     0      128    *:27017                 *:*
LISTEN     0      128    :::22                   :::*
LISTEN     0      100    ::1:25                  :::*
[root@node12 ~]# puppet apply -v --noop redis.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.06 seconds
Info: Applying configuration version '1606835960'
Notice: /Stage[main]/Main/Service[redis]/ensure: current_value stopped, should be running (noop)
Info: /Stage[main]/Main/Service[redis]: Unscheduling refresh on Service[redis]
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.04 seconds
[root@node12 ~]# puppet apply -v redis.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.07 seconds
Info: Applying configuration version '1606835968'
Notice: /Stage[main]/Main/Service[redis]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Main/Service[redis]: Unscheduling refresh on Service[redis]
Notice: Finished catalog run in 0.09 seconds
[root@node12 ~]# ss -tnl
State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN     0      128    127.0.0.1:6379          *:*
LISTEN     0      128    *:22                    *:*
LISTEN     0      100    127.0.0.1:25            *:*
LISTEN     0      128    *:27017                 *:*
LISTEN     0      128    :::22                   :::*
LISTEN     0      100    ::1:25                  :::*
[root@node12 ~]# systemctl is-enabled redis
enabled
[root@node12 ~]#
Note: after applying the manifest, the redis service is running normally and is set to start at boot.
Example: stop the redis service and disable it at boot
[root@node12 ~]# cat redis.pp
service{"redis":
    ensure => stopped,
    enable => false,
}
[root@node12 ~]# puppet apply -v --noop redis.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.07 seconds
Info: Applying configuration version '1606836096'
Notice: /Stage[main]/Main/Service[redis]/ensure: current_value running, should be stopped (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.04 seconds
[root@node12 ~]# puppet apply -v redis.pp
Notice: Compiled catalog for node12.test.org in environment production in 0.07 seconds
Info: Applying configuration version '1606836102'
Notice: /Stage[main]/Main/Service[redis]/ensure: ensure changed 'running' to 'stopped'
Notice: Finished catalog run in 0.11 seconds
[root@node12 ~]# ss -tnl
State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN     0      128    *:22                    *:*
LISTEN     0      100    127.0.0.1:25            *:*
LISTEN     0      128    *:27017                 *:*
LISTEN     0      128    :::22                   :::*
LISTEN     0      100    ::1:25                  :::*
[root@node12 ~]# systemctl is-enabled redis
disabled
[root@node12 ~]#
Note: after applying the manifest, the service has been stopped and its start at boot has been disabled.
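As an added example (not code from the original post), the following manifest ties the package section and the service section together with the dependency forms from section 2: a package is installed and its service started and enabled, with the ordering made explicit, and a second pair shows the reverse operation of stopping and disabling a service before its package is removed. 'redis' is the package and service name used in the post; 'legacy-daemon' is a constructed placeholder and is assumed to be an installed package with a service unit of the same name.

```puppet
# Added example: package -> service on the way up, service -> package on the way down.
# 'legacy-daemon' is a constructed placeholder name.

package { 'redis':
  # 'installed' (same as 'present') only requires that some version is present and
  # leaves upgrades to a deliberate change; 'latest' would upgrade on every run.
  ensure => installed,
}

service { 'redis':
  ensure     => running,
  enable     => true,
  hasstatus  => true,     # the service reports its own status, so Puppet does not have to guess from process lists
  hasrestart => true,     # use the service's own restart rather than stop followed by start
  require    => Package['redis'],
}

# Teardown: stop and disable the service before the package goes away, so that no
# orphaned process is left running and the service resource never runs after its
# unit file has been removed.
service { 'legacy-daemon':
  ensure => stopped,
  enable => false,
}

package { 'legacy-daemon':
  ensure  => purged,      # absent removes the package; purged also removes its configuration files where the provider supports it (dpkg/apt); other providers treat it like absent
  require => Service['legacy-daemon'],
}

# The same two orderings written with chaining arrows instead of require:
# Package['redis'] -> Service['redis']
# Service['legacy-daemon'] -> Package['legacy-daemon']
```

As in the post, run it with --noop first and read the planned changes; only the redis pair will show "should be running" or "should be present" on a host where legacy-daemon is not installed, and the second pair is what keeps a decommissioned service from quietly coming back on later runs.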