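Puppet is a centralized configuration management system for Linux, Unix and Windows. Using its own declarative language, it manages configuration files, users, cron jobs, software packages, system services and more. Puppet calls these system entities resources; its design goal is to simplify managing them and to handle the dependencies between them correctly.
Puppet uses a client/server star topology: every client talks to one or a few servers. Each client periodically (every half hour by default; the interval is configurable) connects to the server, downloads its latest configuration and configures itself strictly according to it. When the run finishes, the client can send a report back to the server; if something fails, it reports that to the server as well.
Environment: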
master:192.168.8.39
agent1:192.168.8.44
agent2:192.168.8.45
Add name resolution for the host names:
# vim /etc/hosts
192.168.8.39 node2.chinasoft.com node2
192.168.8.44 node44.chinasoft.com node44
192.168.8.45 node45.chinasoft.com node45
Copy the hosts file to the two agent nodes:
# scp /etc/hosts 192.168.8.44:/etc/
# scp /etc/hosts 192.168.8.45:/etc/
I. Installing the server software
# yum install -y facter-1.7.3
# yum install -y puppet-2.7.25
# yum install puppet-server-2.7.25
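The default yum repositories do not carry Puppet; define a repository that points at the official Puppet yum server to get it. Note that the definition below uses a plain-HTTP baseurl with gpgcheck=0, so yum does not verify package signatures.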
# cd /etc/yum.repos.d
# vim puppet.repo
[puppet]
name=Puppet Project
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
enabled=1
gpgcheck=0
cost=300
II. Configuring the master
Install nginx on the master (so that its stock configuration files can be used as templates):
# yum install -y nginx
# cd /etc/puppet/modules/
# mkdir -pv nginx/{manifests,files,templates}
Create the main class
# vim /etc/puppet/modules/nginx/manifests/init.pp
class nginx {
  package {'nginx':
    ensure => installed,
  }
  file {'nginx.conf':
    ensure  => file,
    content => template('nginx/nginx.conf.erb'),
    path    => '/etc/nginx/nginx.conf',
    require => Package['nginx'],
    mode    => '0644',
  }
}
Create the inheriting web class
# vim /etc/puppet/modules/nginx/manifests/web.pp
class nginx::web inherits nginx {
  file {'nginx.web.conf':
    ensure  => file,
    source  => "puppet:///modules/nginx/nginx.web.conf",
    path    => '/etc/nginx/conf.d/default.conf',
    require => Package['nginx'],
    mode    => '0644',
  }
  service {'nginx':
    ensure    => true,
    enable    => true,
    restart   => '/etc/init.d/nginx reload',
    subscribe => File['nginx.conf','nginx.web.conf'],
  }
}
Create the reverse proxy class in rproxy.pp
# vim /etc/puppet/modules/nginx/manifests/rproxy.pp
class nginx::rproxy inherits nginx {
  file {'nginx.rproxy.conf':
    ensure  => file,
    source  => "puppet:///modules/nginx/nginx.rproxy.conf",
    path    => '/etc/nginx/conf.d/default.conf',
    require => Package['nginx'],
    mode    => '0644',
  }
  service {'nginx':
    ensure    => true,
    enable    => true,
    restart   => '/etc/init.d/nginx reload',
    subscribe => File['nginx.conf','nginx.rproxy.conf'],
  }
}
nginx can also be installed by applying the class with puppet:
[root@node2 manifests]# puppet apply -d -v -e 'include nginx'
# vim local.pp
node 'node2.chinasoft.com' {
  include nginx
}
# puppet apply local.pp
Create the template configuration file
# cp /etc/nginx/nginx.conf templates/
# vim /etc/puppet/modules/nginx/templates/nginx.conf
worker_processes <%= @processorcount %>;
# mv /etc/puppet/modules/nginx/templates/nginx.conf /etc/puppet/modules/nginx/templates/nginx.conf.erb
Define nginx.web.conf for the web role and nginx.rproxy.conf for the reverse proxy role:
# cp /etc/nginx/conf.d/default.conf /etc/puppet/modules/nginx/files/nginx.rproxy.conf
# cp /etc/nginx/conf.d/default.conf /etc/puppet/modules/nginx/files/nginx.web.conf
# vim /etc/puppet/modules/nginx/files/nginx.rproxy.conf
Run the master in the foreground to watch what it does:
# puppet master --no-daemonize -d -v
Append the default settings to puppet.conf:
# puppet master --genconfig >> /etc/puppet/puppet.conf
Start the master service:
# service puppetmaster start
III. Configuring the agent
Install the software:
# yum install facter-1.7.5-1.el6.x86_64.rpm puppet-2.7.25-1.el6.noarch.rpm -y
Request a certificate:
[root@node44 ~]# puppet agent --server node2.chinasoft.com -d -v --noop --test
On the master:
[root@node2 manifests]# puppet cert list
"localhost.chinasoft.com" (6B:F4:26:12:92:BE:08:F8:90:49:9B:21:D7:25:89:86)
"node44.chinasoft.com" (E5:1D:A1:49:E4:D8:61:90:87:B5:DD:7B:0F:FD:EE:46)
Sign the certificate:
[root@node2 manifests]# puppet cert sign node44.chinasoft.com
Run the request again on the client:
[root@node44 ~]# puppet agent --server node2.chinasoft.com -d -v --noop --test
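An added example (not part of the original article): before running puppet cert sign, the fingerprint that puppet cert list shows on the master can be compared with the one the agent prints locally with puppet agent --fingerprint. The function names are hypothetical helpers; the sample listing is the one shown above.

```sh
#!/bin/sh
# Added example: verify a pending CSR's fingerprint before signing it.
# Function names are hypothetical helpers, not part of Puppet.

# Print the fingerprint that a `puppet cert list` listing (stdin) shows
# for certname $1; print nothing if that name has no pending request.
csr_fingerprint() {
    awk -v host="$1" '{
        name = $1; gsub(/"/, "", name)          # drop the quotes around the name
        if (name == host) {
            fp = $NF; gsub(/[()]/, "", fp)      # drop the parentheses
            print toupper(fp); exit
        }
    }'
}

# Return 0 only if listing $3 holds a request for certname $1 whose
# fingerprint equals $2 (the value read on the agent, any letter case).
csr_matches() {
    seen=$(printf '%s\n' "$3" | csr_fingerprint "$1")
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$seen" ] && [ "$seen" = "$want" ]
}

# Sign certname $1 only when the master sees fingerprint $2 for it.
sign_if_verified() {
    if csr_matches "$1" "$2" "$(puppet cert list)"; then
        puppet cert sign "$1"
    else
        echo "not signing $1: no pending request or fingerprint mismatch" >&2
        return 1
    fi
}

# Constructed sample input: the listing shown earlier on this page.
SAMPLE_LIST='"localhost.chinasoft.com" (6B:F4:26:12:92:BE:08:F8:90:49:9B:21:D7:25:89:86)
"node44.chinasoft.com" (E5:1D:A1:49:E4:D8:61:90:87:B5:DD:7B:0F:FD:EE:46)'
```

On the master, sign_if_verified takes the certname and the fingerprint read on the agent; a name with no pending request, or a fingerprint that differs, is left unsigned.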
On the master, define the node44 node and import it:
[root@node2 manifests]# cd /etc/puppet/manifests/
[root@node2 manifests]# vim node44.chinasoft.com.pp
node 'node44.chinasoft.com' {
  include nginx::web
}
[root@node2 manifests]# vim site.pp
import "*.chinasoft.com.pp"
Run the agent on the client:
[root@node44 ~]# puppet agent --server node2.chinasoft.com -d -v --test
Checking the client shows that nginx was installed successfully.
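IV. Adding a new client node (192.168.8.45)
# yum install -y epel-release
# yum install facter-1.7.5-1.el6.x86_64.rpm puppet-2.7.25-1.el6.noarch.rpm -y
Start the service:
# service puppet start
Add the server setting:
# vim /etc/puppet/puppet.conf
On the master, sign the certificate and define the node information for node45: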
[root@node2 nginx]# puppet cert list
"localhost.chinasoft.com" (6B:F4:26:12:92:BE:08:F8:90:49:9B:21:D7:25:89:86)
"node45.chinasoft.com" (20:4C:8D:C3:66:E2:1A:31:E3:40:25:C6:79:8B:BA:3A)
[root@node2 nginx]# puppet cert sign node45.chinasoft.com
notice: Signed certificate request for node45.chinasoft.com
notice: Removing file Puppet::SSL::CertificateRequest node45.chinasoft.com at '/var/lib/puppet/ssl/ca/requests/node45.chinasoft.com.pem'
[root@node2 ~]# vim /etc/puppet/manifests/node45.chinasoft.com.pp
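node 'node45.chinasoft.com' {
  include nginx::rproxy
}
Trigger a run manually on the client (otherwise it may take up to the default 30 minutes before the agent picks up the new configuration):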
[root@node45 ~]# puppet agent --server node2.chinasoft.com -d -v --test
Examples of commonly used core resource types:
1. Package and service management
# cat nginx.pp
package {'nginx':
  ensure => present,
  name   => 'nginx',
}
service {'nginx':
  ensure => true,
  name   => 'nginx',
  enable => true,
}
# puppet apply nginx.pp
2. File attributes
file {'/tmp/abc.txt':
  ensure  => present,
  content => 'Hello puppet',
}
[root@node5 tmp]# ls
abc.txt nginx.pp test1.pp test2.pp test.pp
[root@node5 tmp]# cat abc.txt
Hello puppet
# vim test3.pp
file {'abc.txt':
  ensure  => present,
  content => 'hello puppet',
  path    => '/tmp/abc2.txt',
}
# ensure => link is the documented way to manage a symlink
file {'fstab.symlink':
  ensure => link,
  target => '/etc/fstab',
  path   => '/tmp/fstab.symlink',
}
3. The exec resource
# vim test5.pp
exec {'echo command':
  command => 'mktemp /tmp/tmp.XXXX',
  path    => '/bin:/sbin:/usr/bin:/usr/sbin',
}
4. Dependencies
# vim test6.pp
package {'nginx':
  ensure => present,
  name   => 'nginx',
}
service {'nginx':
  ensure  => true,
  name    => 'nginx',
  enable  => true,
  require => Package['nginx'],
}
# cat test7.pp
file {'/tmp/test4.txt':
  ensure  => file,
  content => 'hello puppet',
}
exec {'monitor':
  command   => 'echo "/tmp/test4.txt changed" >> /tmp/monitor.txt',
  subscribe => File['/tmp/test4.txt'],
  path      => '/bin:/sbin:/usr/bin:/usr/sbin',
}
Add refreshonly => true so that the command runs only when the file changes:
file {'/tmp/test4.txt':
  ensure  => file,
  content => 'hello puppet',
}
exec {'monitor':
  command     => 'echo "/tmp/test4.txt changed" >> /tmp/monitor.txt',
  refreshonly => true,
  subscribe   => File['/tmp/test4.txt'],
  path        => '/bin:/sbin:/usr/bin:/usr/sbin',
}
5. User and group management
Generate the password hash (-1 selects the MD5-crypt scheme):
# openssl passwd -1 -salt `openssl rand -hex 4`
# cat test8.pp
group {'testgrp':
  ensure => present,
  gid    => 1001,
} ->
user {'testuser':
  ensure     => present,
  gid        => 1001,
  uid        => 1001,
  home       => '/home/test',
  shell      => '/bin/tcsh',
  password   => '$1$7de78495$Of24FLn9EsKbhxxZlZFmF.',
  managehome => true,
}
# vim file.pp
file {'/tmp/file1.txt':
  ensure  => file,
  content => 'hello jack',
  notify  => Notify['notice'],
}
notify {'notice': message => '/tmp/file1.txt has changed',}
Using variables
# vim package1.pp
$pkgname = 'httpd'
package {$pkgname:
  ensure => present,
}
service {$pkgname:
  ensure  => true,
  enable  => true,
  name    => 'httpd',
  require => Package[$pkgname],
}
Referencing system variables (facts):
Running facter prints the system's facts:
# facter
# cat sysinfo.txt
CentOS
RedHat
4
[root@node5 tmp]# cat facter.pp
file {'/tmp/sysinfo.txt':
  ensure  => file,
  content => " $operatingsystem \n $osfamily \n $processorcount \n $kernel"
}
# vim facter2.pp
$webserver = $operatingsystem ? {
  /^(?i-mx:centos|fedora|redhat)/ => 'httpd',
  /^(?i-mx:ubuntu|debian)/        => 'apache2',
}
$webprovider = $operatingsystem ? {
  /^(?i-mx:centos|fedora|redhat)/ => 'yum',
  /^(?i-mx:ubuntu|debian)/        => 'apt',
}
package {"$webserver":
  ensure   => present,
  provider => $webprovider,
}
Using a case statement
# vim facter3.pp
case $operatingsystem {
  /^(?i-mx:centos|redhat|fedora)/: {package {'httpd' : ensure => present, provider => 'yum',}}
  /^(?i-mx:ubuntu|debian)/: {package {'apache2' : ensure => present, provider => 'apt',}}
  default: {notify {'notice': message => 'unknown system',}}
}
Using classes
# cat class1.pp
class nginx {
  package {'nginx':
    ensure => present,
    name   => 'nginx',
  }
  service {'nginx':
    ensure  => true,
    name    => 'nginx',
    require => Package['nginx'],
    enable  => true,
  }
}
include nginx # declare the class so that it is applied
Declaring a class with parameters
# cat class2.pp
$webserver = $operatingsystem ? {
  /^(?i-mx:centos|redhat|fedora)/ => 'httpd',
  /^(?i-mx:ubuntu|debian)/        => 'apache2',
}
class httpd ($pkgname = 'apache2') {
  package {"$pkgname":
    ensure => present,
    name   => $pkgname,
  }
  service {"$pkgname":
    ensure  => true,
    enable  => true,
    require => Package["$pkgname"],
    name    => $pkgname,
  }
}
class {'httpd':
  pkgname => $webserver,
}
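Advanced Puppet: automatic certificate signing
1. Automatic certificate signing
The master can be set to sign all certificate requests automatically; all that is needed is an autosign.conf file in the /etc/puppet directory. (/etc/puppet/puppet.conf does not need to be changed, because I have not changed the default location of autosign.conf.)
Master configuration:
cat > /etc/puppet/autosign.conf <<EOF
*.chinasoft.com
EOF
With this in place, certificate requests from every host matching *.chinasoft.com are signed automatically.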
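An added example (not from the original article): a wildcard entry signs a request for any certname under the domain, and the certname is chosen by the requesting agent. The script below lists the wildcard entries in an autosign.conf and shows which certnames it would sign, comparing the file above with an explicit list of the two known agents; the function names and the sample files in a temporary directory are assumptions.

```sh
#!/bin/sh
# Added example: audit an autosign.conf before deploying it.
# Function names are hypothetical helpers, not part of Puppet.

# Print the entries of file $1 that contain a wildcard. Blank lines and
# lines starting with '#' are skipped (comment syntax is an assumption).
wildcard_entries() {
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
         $0 != "" && $0 !~ /^#/ && index($0, "*") > 0 { print }' "$1"
}

# Return 0 if certname $1 matches an entry of file $2, i.e. its request
# would be signed with no review. Shell globbing approximates Puppet's
# own matching here.
would_autosign() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        case "$entry" in ''|'#'*) continue ;; esac
        case "$1" in $entry) return 0 ;; esac   # unquoted: entry is a glob
    done < "$2"
    return 1
}

# Print one verdict line per certname ($2...) for file $1.
audit_autosign() {
    conf=$1; shift
    for name in "$@"; do
        if would_autosign "$name" "$conf"; then
            echo "$name: signed automatically"
        else
            echo "$name: waits for puppet cert sign"
        fi
    done
}

# Constructed samples: the wildcard file from this page, and an explicit
# list naming only the two agents set up earlier.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '*.chinasoft.com' > "$SAMPLE_DIR/autosign.wildcard"
printf '%s\n' 'node44.chinasoft.com' 'node45.chinasoft.com' > "$SAMPLE_DIR/autosign.explicit"

audit_autosign "$SAMPLE_DIR/autosign.wildcard" node45.chinasoft.com unknown-host.chinasoft.com
audit_autosign "$SAMPLE_DIR/autosign.explicit" node45.chinasoft.com unknown-host.chinasoft.com
```

With the explicit list, a certname nobody registered stays in the pending queue until an administrator runs puppet cert sign for it.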
# cd /etc/puppet/manifests
Add the node definition for host node5:
# vim node5.chinasoft.com.pp
node 'node5.chinasoft.com' {
  include nginx::web
}
Reload so that the configuration takes effect:
# service puppetmaster reload
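On the node5 client:
Add name resolution for the master host:
192.168.8.41 node3.chinasoft.com node3
Install the puppet client:
# yum localinstall -y facter-1.7.5-1.el6.x86_64.rpm puppet-2.7.25-1.el6.noarch.rpm
Run the request:
# puppet agent --server node2.chinasoft.com -v -d --test
nginx has now been installed successfully.
Ready-made modules that other people have already written can be found on the Puppet Forge: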
http://forge.puppetlabs.com