puppet是一個(gè)配置管理工具,典型的,puppet是一個(gè)C/S結(jié)構(gòu),當(dāng)然,這里的C可以有很多,因

此,也可以說是一個(gè)星型結(jié)構(gòu).所有的puppet客戶端同一個(gè)服務(wù)器端的puppet通訊.每個(gè)

puppet客戶端每半小時(shí)(可以設(shè)置)連接一次服務(wù)器端,下載最新的配置文件,并且嚴(yán)格按照配

置文件來配置服務(wù)器.配置完成以后,puppet客戶端可以反饋給服務(wù)器端一個(gè)消息.如果出錯(cuò),

也會給服務(wù)器端反饋一個(gè)消息.下圖展示了一個(gè)典型的puppet配置的數(shù)據(jù)流動情況.

穩(wěn)定性puppet與其他手工操作工具有一個(gè)的區(qū)別就是puppet的配置具有穩(wěn)定性,因此你可以多次執(zhí)行puppet,一旦你更新了你的配置文件,puppet就會根據(jù)配置文件來更改你的機(jī)配置,通常每30分鐘檢查一次.puppet會讓你的系統(tǒng)狀態(tài)同配置文件所要求的狀態(tài)保持一致.比如你配置文件里面要求ssh服務(wù)必須開啟.假如不小心ssh服務(wù)被關(guān)閉了,那么下一次執(zhí)行puppet的

時(shí)候,puppet會發(fā)現(xiàn)這個(gè)異常,然后會開啟ssh服務(wù).以使系統(tǒng)狀態(tài)和配置文件保持一

致.puppet就象一個(gè)魔術(shù)師,會讓你的混亂的系統(tǒng)收斂到puppet配置文件所想要的狀態(tài).

可以使用puppet管理服務(wù)器的整個(gè)生命周期,從初始化到退役.不同于傳統(tǒng)的例如sun的

Jumpstart或者redhat的Kickstart,puppet可以長年讓服務(wù)器保持最新狀態(tài).只要一開始就正

確的配置他們,然后再也不用去管他們.通常puppet用戶只需要給機(jī)器安裝好puppet并讓他們

運(yùn)行,然后剩余的工作都由puppet來完成.

puppet的細(xì)節(jié)和原理

1.客戶端Puppetd向Master發(fā)起認(rèn)證請求,或使用帶簽名的證書。

2.Master告訴Client你是合法的。

3.客戶端Puppetd調(diào)用Facter,Facter探測出主機(jī)的一些變量,例如主機(jī)名、內(nèi)存大小、IP地址

等。Puppetd將這些信息通過SSL連接發(fā)送到服務(wù)器端。

4.服務(wù)器端的PuppetMaster檢測客戶端的主機(jī)名,然后找到manifest對應(yīng)的node配置,并對該部分內(nèi)容進(jìn)行解析。Facter送過來的信息可以作為變量處理,node牽涉到的代碼才解析,其他沒牽涉的代碼不解析。解析分為幾個(gè)階段,首先是語法檢查,如果語法錯(cuò)誤就報(bào)錯(cuò);如果語法沒錯(cuò),就繼續(xù)解析,解析的結(jié)果生成一個(gè)中間的“偽代碼”(catelog),然后把偽代碼發(fā)給客戶端。

5.客戶端接收到“偽代碼”,并且執(zhí)行。

6.服務(wù)器端把客戶端的執(zhí)行結(jié)果寫入日志,并發(fā)送給報(bào)告系統(tǒng)。

詳細(xì)配置過程：

系統(tǒng)環(huán)境:rhel6.5selinuxandiptablesdisabled

sever:172.25.254.1vm1.example.compuppetmaster

client:172.25.254.2vm2.example.compuppetagent

client:172.25.254.3vm3.example.compuppetagent

重要:server與所有client之間需要解析,以及時(shí)間同步,不然會驗(yàn)證失敗。

server端:

puppetmaster的安裝:

a.如果主機(jī)能上網(wǎng)

#yumlocalinstall-yrubygems-1.3.7-1.el6.noarch.rpm

把以下條目加入yum倉庫:

[puppet]

name=puppet

baseurl=http://yum.puppetlabs.com/el/6Server/products/x86_64/

gpgcheck=0

[ruby]

name=ruby

baseurl=http://yum.puppetlabs.com/el/6Server/dependencies/x86_64/

gpgcheck=0

#yuminstallpuppet-server-y

b.如果主機(jī)不能上網(wǎng)

需呀下載以下安裝包：

[root@vm1update]#ls

facter-2.4.4-1.el6.x86_64.rpmruby-augeas-0.4.1-3.el6.x86_64.rpm

hiera-1.3.4-1.el6.noarch.rpmrubygem-json-1.5.5-3.el6.x86_64.rpm

puppet-3.8.1-1.el6.noarch.rpmrubygems-1.3.7-5.el6.noarch.rpm

puppet-dashboard-1.2.23-1.el6.noarch.rpmruby-shadow-2.2.0-2.el6.x86_64.rpm

puppet-server-3.8.1-1.el6.noarch.rpm

[root@vm1update]#yumlocalinstall-ypuppet-server-3.8.1-1.el6.noarch.rpmpuppet-3.8.1-1.el6.noarch.rpmfacter-2.4.4-1.el6.x86_64.rpmhiera-1.3.4-1.el6.noarch.rpmrubygem-json-1.5.5-3.el6.x86_64.rpmruby*

/etc/puppet配置目錄:

組織結(jié)構(gòu)如下:

|--puppet.conf#主配置配置文件,詳細(xì)內(nèi)容可執(zhí)行puppet--genconfig

|--fileserver.conf#文件服務(wù)器配置文件

|--auth.conf#認(rèn)證配置文件

|--autosign.conf#自動驗(yàn)證配置文件

|--tagmail.conf#郵件配置文件(將錯(cuò)誤信息發(fā)送)

|--manifests#文件存儲目錄(puppet會先讀取該目錄的.PP文件)

|--nodes

|puppetclient.pp

|--site.pp#定義puppet相關(guān)的變量和默認(rèn)配置。

|--modules.pp#加載class類模塊文件(includesyslog)

|--modules #定義模塊

|--syslog #以syslog為例

|--file

|--manifests

|--init.pp #class類配置

|--templates #模塊配置目錄

|--syslog.erb#erb模板

puppet的第一個(gè)執(zhí)行的代碼是在/etc/puppet/manifest/site.pp,因此這個(gè)文件必須存在,而

且其他的代碼也要通過該文件來調(diào)用。

[root@vm1puppet]#touch/etc/puppet/manifest/site.pp #沒有此文件puppetmaster無法啟動,配置后面再定義

[root@vm1puppet]#servicepuppetmasterstart #啟動puppetmaster

[root@vm1puppet]#netstat-antlp|grepruby

tcp000.0.0.0:81400.0.0.0:*LISTEN1863/ruby

client端:

只要安裝puppet即可,安裝方法同server端:

a.

#yuminstallpuppet-y

b.

[root@vm2~]#yumlocalinstall-ypuppet-3.8.1-1.el6.noarch.rpmpuppet-3.8.1-1.el6.noarch.rpmfacter-2.4.4-1.el6.x86_64.rpmhiera-1.3.4-1.el6.noarch.rpmrubygem-json-1.5.5-3.el6.x86_64.rpmruby*

puppet客戶端連接到puppetmaster:

[root@vm2~]#puppetagent--servervm1.example.com--no-daemonize--verbose

Info:CreatinganewSSLkeyforvm2.example.com

Info:Cachingcertificateforca

Info:CreatinganewSSLcertificaterequestfor vm2.example.com

Info:CertificateRequestfingerprint(SHA256):

5C:72:77:D8:27:DF:5A:DF:34:EF:25:97:5A:CF:25:29:9F:58:83:A2:61:57:D9:20:7B:1E:C0:36:75:9D:

FB:FC

client向master發(fā)出證書驗(yàn)證請求,然后等待master簽名并返回證書。

參數(shù)--server指定了需要連接的puppetmaster的名字或是地址,默認(rèn)連接名為“puppet”的主機(jī)

如要修改默認(rèn)連接主機(jī)可以修改/etc/sysconfig/puppet文件中的PUPPET_SERVER=puppet選項(xiàng)

參數(shù)--no-daemonize是puppet客戶端運(yùn)行在前臺

參數(shù)--verbose使客戶端輸出詳細(xì)的日志

在master端:

[root@vm1puppet]#puppetcertlist #顯示所有等待簽名的證書

"vm2.example.com"(SHA256)

CD:BD:13:D0:B8:46:07:F2:B7:AE:00:C4:E6:E9:E1:A4:92:F6:A4:F1:AB:F7:FF:8D:BE:B0:B7:90:E1:

7B:A8:C0

[root@vm1puppet]#puppetcertsignvm2.example.com #簽名證書

Signedcertificaterequestforvm2.example.com

RemovingfilePuppet::SSL::CertificateRequestvm2.example.comat

\'/var/lib/puppet/ssl/ca/requests/vm2.example.com.pem\'

如要同時(shí)簽名所有證書,執(zhí)行以下命令:

[root@vm1puppet]#puppetcertsign--all

[root@vm1puppet]#puppetcertclean vm2.example.com #刪除簽名證書

在對證書簽名后的兩分鐘后,在agent端上可以看到如下輸出:

Info:Cachingcertificateforvm2.example.com

StartingPuppetclientversion3.0.0

Info:Cachingcertificate_revocation_listforca

Info:Retrievingplugin

Info:Cachingcatalogforvm2.example.com

Info:Applyingconfigurationversion\'1349536603\'

Finishedcatalogrunin0.13seconds

自動驗(yàn)證:

在server端,編輯puppet.conf文件:

[root@vm1puppet]#vim/etc/puppet/puppet.conf

[main]

autosign=true

#允許所有客戶端的認(rèn)證

/etc/puppet目錄下創(chuàng)建autosign.conf文件,內(nèi)容如下:

#vim/etc/puppet/autosign.conf

*.example.com #表示允許所有example.com域的主機(jī)

[root@vm1puppet]#servicepuppetmasterreload

在client端只需執(zhí)行:

#puppetagent或#serverpuppetstart

在實(shí)際中有時(shí)會修改client端的主機(jī)名,這樣就需要重新生成證書:

1)在server端執(zhí)行:puppetcert--clean vm2.example.com#你要?jiǎng)h除的原client端主機(jī)名

2)在client端執(zhí)行:rm-fr/var/lib/puppet/ssl/*

3)puppetagent--servervm1.example.com--no-daemonize--verbose

puppet資源定義

以下資源均定義在/etc/puppet/manifest/site.pp文件中,在沒有指定節(jié)點(diǎn)的情況下,對所有

已經(jīng)經(jīng)過驗(yàn)證的client都生效。

1.創(chuàng)建文件

[root@vm1puppet]#vim/etc/puppet/fileserver.conf加入以下行：

[files]

path/etc/puppet/files

allow*.example.com

[root@vm1puppet]#servicepuppetmasterreload#重啟服務(wù)

[root@vm1manifests]#vimsite.pp

file{"/mnt/testfile":#在/mnt下創(chuàng)建testfile文件

source=>"puppet:///files/passwd"#來源：server端/etc/puppet/files/passwd

source=>"/etc/passwd"#來源：client端/etc/passwd

}

2.軟件包定義

package{"httpd":ensure=>present;#安裝httpd

"vsftpd":ensure=>absent#卸載vsftpd

}

3.服務(wù)定義

service{"httpd":ensure=>running; #啟動httpd

"vsftpd":ensure=>stopped #關(guān)閉vsftpd

}

4.組定義

group{"wonder":gid=>600}

5.用戶定義

user{"wonder": #創(chuàng)建wonder用戶

uid=>600,

gid=>600,

home=>"/home/wonder",

shell=>"/bin/bash",

password=>westos

}

file{"/home/wonder":

owner=>wonder,

group=>wonder,

mode=>700,

ensure=>directory

}

file{"/home/wonder/.bash_profile":

source=>"/etc/skel/.bash_profile",

owner=>wonder,

group=>wonder

}

file{"/home/wonder/.bashrc":

source=>"/etc/skel/.bashrc",

owner=>wonder,

group=>wonder

}

user{"test":uid=>900, #創(chuàng)建test用戶

home=>"/home/test",

shell=>"/bin/bash",

provider=>useradd,

managehome=>true,

ensure=>present

}

exec{"echowestos|passwd--stdintest":

path=>"/usr/bin:/usr/sbin:/bin",

onlyif=>"idtest"

}

6.文件系統(tǒng)掛載

mount{"/mnt":#172.25.254.252主機(jī)需要開啟nfs服務(wù)

device=>"172.25.254.252:/var/ftp/pub",

fstype=>"nfs",

options=>"defaults",

ensure=>absent

}

自動掛載文件系統(tǒng),并同步fstab文件,如果需要卸載,改為absent

7.crontab任務(wù)

cron{echo:#2點(diǎn)到4點(diǎn)每隔10分鐘，把時(shí)間導(dǎo)入/tmp/echo

command=>"/bin/echo`/bin/date`>>/tmp/echo",

user=>root,

hour=>[\'2-4\'],

minute=>\'*/10\'

}

#任務(wù)會在client上/var/spool/cron目錄中生成

不同節(jié)點(diǎn)的定義:

1.在puppetmaster上編輯site.pp

[root@vm1puppet]#vim/etc/puppet/manifests/site.pp#寫上

import"nodes/*.pp"

2.建立節(jié)點(diǎn)文件

[root@vm1puppet]#vim/etc/puppet/manifests/nodes/vm2.pp

node\'vm2\'{

package{"httpd":ensure=>present}

}

[root@vm1puppet]#vim/etc/puppet/manifests/nodes/vm3.pp

node\'vm3\'{

user{"test":uid=>900,

home=>"/home/test",

shell=>"/bin/bash",

provider=>useradd,

managehome=>true,

ensure=>present

}

exec{"echowestos|passwd--stdintest":

path=>"/usr/bin:/usr/sbin:/bin",

onlyif=>"idtest"

}

}

編寫模塊:

[root@vm1puppet]#mkdir-p/etc/puppet/modules/httpd/{files,manifests,templates}

[root@vm1puppet]#cd/etc/puppet/modules/httpd/manifests

[root@vm1manifests]#viminstall.pp

classhttpd::install{

package{"httpd":

ensure=>present

}

}

[root@vm1manifests]#vimconfig.pp

classhttpd::config{

file{"/etc/httpd/conf/httpd.conf":

ensure=>present,

source=>"puppet:///modules/httpd/httpd.conf",

#實(shí)際路徑在/etc/puppet/modules/httpd/files/httpd.conf

require=>Class["httpd::install"],

notify=>Class["httpd::service"]

}

}

[root@vm1manifests]#vimservice.pp

classhttpd::service{

service{"httpd":

ensure=>running,

require=>Class["httpd::install","httpd::config"]

}

file{"/var/www/html/index.html":#添加web主頁

source=>"puppet:///files/index.html"

}

}

[root@vm1manifests]#viminit.pp

classhttpd{

includehttpd::install,httpd::config,httpd::service

}

[root@vm1manifests]#vim/etc/puppet/manifests/nodes/vm2.pp

node\'vm2\'{

includehttpd

}

[root@vm1manifests]#servicepuppetmasterreload

模板應(yīng)用(添加虛擬主機(jī)配置):

文件存放在templates目錄中,以*.erb結(jié)尾。

[root@vm1manifests]#vim/etc/puppet/modules/httpd/manifests/init.pp#添加以下行

definehttpd::vhost($domainname){

#file{"/etc/httpd/conf/httpd.conf":

#

content=>template("httpd/httpd.conf.erb")

#}

file{"/etc/httpd/conf.d/${domainname}_vhost.conf":

content=>template("httpd/httpd_vhost.conf.erb"),

require=>Class["httpd::install"],

notify=>Class["httpd::service"]

}

file{"/var/www/$domainname":

ensure=>directory

}

file{"/var/www/$domainname/index.html":

content=>$domainname

}

}

[root@vm1manifests]#vim/etc/puppet/modules/httpd/templates/httpd_vhost.conf.erb

ServerName<%=domainname%>

DocumentRoot/var/www/<%=domainname%>

ErrorLoglogs/<%=domainname%>_error.log

CustomLoglogs/<%=domainname%>_access.logcommon

[root@vm1manifests]#vi/etc/puppet/manifests/nodes/vm2.pp

node\'vm2\'{

includehttpd

httpd::vhost{\'server2.example.com\':

domainname=>"server2.example.com",

}

}

Puppetdashboard安裝(用以web方式管理puppet)

依賴性:

*Ruby1.8.7

*RubyGems

*Rake>=0.8.3

*MySQLserver5.x

*Ruby-MySQLbindings2.7.xor2.8.x

所需安裝包puppet-dashboard-1.2.12-1.el6.noarch.rpmrubygem-rake-0.8.7-2.1.el6.noarch.rpmruby-mysql-2.8.2-1.el6.x86_64.rpm

[root@vm1manifests]#yumlocalinstall-ypuppet-dashboard-1.2.12-1.el6.noarch.rpmrubygem-rake-0.8.7-2.1.el6.noarch.rpmruby-mysql-2.8.2-1.el6.x86_64.rpm

[root@vm1manifests]#yuminstall-ymysqlmysql-server

[root@vm1manifests]#/etc/init.d/mysqldstart

配置mysql數(shù)據(jù)庫:

mysql>CREATEDATABASEdashboard_productionCHARACTERSETutf8;

QueryOK,1rowaffected(0.00sec)

mysql>CREATEUSER\'dashboard\'@\'localhost\'IDENTIFIEDBY\'westos\';

QueryOK,0rowsaffected(0.01sec)

mysql>GRANTALLPRIVILEGESONdashboard_production.*TO\'dashboard\'@\'localhost\';

QueryOK,0rowsaffected(0.00sec)

mysql>

#cd/usr/share/puppet-dashboard/

[root@vm1puppet-dashboard]#vimconfig/database.yml#只留下生產(chǎn)環(huán)境配置

production:

database:dashboard_production

username:dashboard

password:westos

encoding:utf8

adapter:mysql

[root@vm1puppet-dashboard]#rakeRAILS_ENV=productiondb:migrate

#建立dashboard所需的數(shù)據(jù)庫和表

puppet-dashboard默認(rèn)時(shí)區(qū)不正確,需要修改:

[root@vm1puppet-dashboard]#vim/usr/share/puppet-dashboard/config/settings.yml

time_zone:\'Beijing\'

啟動服務(wù):

[root@vm1puppet-dashboard]#servicepuppet-dashboardstart

StartingPuppetDashboard:=>BootingWEBrick

=>Rails2.3.14applicationstartingonhttp://0.0.0.0:3000

[OK]

[root@vm1puppet-dashboard]#chmod0666/usr/share/puppet-dashboard/log/production.log

[root@vm1puppet-dashboard]#servicepuppet-dashboard-workersstart

實(shí)時(shí)報(bào)告匯總:

設(shè)置server端:

root@vm1~]#vim/etc/puppet/puppet.conf

[main]

#添加以下兩項(xiàng)

reports=http

reporturl=http://172.25.254.1:3000/reports

root@vm1~]#servicepuppetmasterreload

設(shè)置client端:

[root@vm1puppet-dashboard]#vim/etc/puppet/puppet.conf#添加以下行

[agent]

report=true

[root@vm1puppet-dashboard]#servicepuppetreload

在客戶端安裝完puppet后,并且認(rèn)證完后,我們可以看到效果,那怎樣讓它自動與服務(wù)器同步

呢?默認(rèn)多少分鐘跟服務(wù)器同步呢?怎樣修改同步的時(shí)間呢,這時(shí)候我們需要配置客戶端:

(1)配置puppet相關(guān)參數(shù)和同步時(shí)間:

[root@vm2~]#vim/etc/sysconfig/puppet

PUPPET_SERVER=puppet.example.com#puppetmaster的地址

PUPPET_PORT=8140 #puppet監(jiān)聽端口

PUPPET_LOG=/var/log/puppet/puppet.log#puppet本地日志

#PUPPET_EXTRA_OPTS=--waitforcert=500【默認(rèn)同步的時(shí)間,我這里不修改這行參數(shù)】

(2)默認(rèn)配置完畢后,客戶端會半個(gè)小時(shí)跟服務(wù)器同步一次,我們可以修改這個(gè)時(shí)間。

[root@vm2~]#vim/etc/puppet/puppet.conf

[agent]

runinterval=60#代表60秒跟服務(wù)器同步一次

[root@vm2~]#servicepuppetreload

對puppet的優(yōu)化 通過nginx + passenger替換掉puppet的WEBRickHTTP，來處理HTTPS請求，并實(shí)現(xiàn)對puppet的負(fù)載均衡。

實(shí)驗(yàn)步驟：
master 端需要能夠連上外網(wǎng)
把以下條目加入 yum 倉庫:
[puppet]
name=puppet
baseurl=http://yum.puppetlabs.com/el/6Server/products/x86_64/
gpgcheck=0
[ruby]
name=ruby
baseurl=http://yum.puppetlabs.com/el/6Server/dependencies/x86_64/
gpgcheck=0

# yum install -y gcc gcc-c++ curl-devel zlib-devel openssl-devel ruby-devel

# gem install rack passenger ##次過程需要等待一段時(shí)間

# gem list

*** LOCAL GEMS ***

json (1.5.5)
passenger (5.0.15)
rack (1.6.4)
rake (10.4.2)

# passenger-config --root
/usr/lib/ruby/gems/1.8/gems/passenger-5.0.15

# ls /usr/lib/ruby/gems/1.8/gems/passenger-5.0.15/ext/
apache2 boost common libev libuv nginx oxt ruby #nginx 等許多支持

# passenger-install-nginx-module
腳本會自動安裝 nginx 支持,按提示操作,基本就是一路回車。

nginx 默認(rèn)安裝在/opt/nginx 目錄:

# vim /opt/nginx/conf/nginx.conf
1 #user nobody;
2 worker_processes 4;
3
4 #error_log logs/error.log;
5 #error_log logs/error.log notice;
6 #error_log logs/error.log info;
7
8 #pid logs/nginx.pid;
9
10
11 events {
12 use epoll;
13 worker_connections 1024;
14 }
15
16
17 http {
18 passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-5.0.15;
19 passenger_ruby /usr/bin/ruby;
20
21 include mime.types;
22 default_type application/octet-stream;
23
24 #log_format main \'$remote_addr - $remote_user [$time_local] "$request" \'
25 # \'$status $body_bytes_sent "$http_referer" \'
26 # \'"$http_user_agent" "$http_x_forwarded_for"\';
27
28 #access_log logs/access.log main;
29
30 sendfile on;
31 tcp_nopush on;
32
33 #keepalive_timeout 0;
34 keepalive_timeout 65;
35
36 #gzip on;
37
38 server {
39 listen 8140;
40 server_name benberba.example.com;
41 root /etc/puppet/rack/public;
42 passenger_enabled on;
43 passenger_set_header X_CLIENT_DN $ssl_client_s_dn;
44 passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;
45 ssl on;
46 ssl_session_timeout 5m;
47 ssl_certificate /var/lib/puppet/ssl/certs/vm1.example.com.pem;
48 ssl_certificate_key /var/lib/puppet/ssl/private_keys/vm1.example.co m.pem;
49 ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
50 ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
51 ssl_verify_client optional;
52 ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
53 ssl_prefer_server_ciphers on;
54 ssl_verify_depth 1;
55 ssl_session_cache shared:SSL:128m;
56 }
57 }

# mkdir /etc/puppet/rack/{public,tmp} -p
# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/
# chown puppet.puppet /etc/puppet/rack/config.ru
# chkconfig puppetmaster off
# service puppetmaster stop
# /opt/nginx/sbin/nginx -t #檢測 nginx
# /opt/nginx/sbin/nginx #啟動 nginx
puppetmaster 不需要啟動 , nginx 啟動時(shí)會自動調(diào)用 puppet。

測試
master端
# netstat -antpl |grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 4245/nginx
# /etc/init.d/puppetmaster status
puppet is stopped

client端
# puppet agent --server vm1.example.com --no-daemonize --verbose
Notice: Starting Puppet client version 3.8.1
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for vm2.example.com
Info: Applying configuration version \'1440218993\'
Notice: Finished catalog run in 0.21 seconds