Puppet is a centralized configuration management system for Linux, Unix and Windows. It uses its own Puppet description language and can manage configuration files, users, cron jobs, packages, system services and more. Puppet calls these system entities resources; its design goal is to simplify managing them and to handle the dependencies between them properly.
Puppet uses a client/server star topology: every client talks to one or a few servers. Each client periodically (every half hour by default; the interval is configurable) sends a request to the server, fetches its latest configuration and brings itself in line with it, downloading the latest configuration and configuring the host strictly according to it. When the run is finished, the client can report a message back to the server; if something goes wrong, it reports that as well.
Goals of this lab:
1. Build a LAMP stack with Puppet
2. Build an LNMP stack with Puppet
Nodes:
node1.stu30.com 172.16.30.1 master
node2.stu30.com 172.16.30.2 agent, LAMP
node3.stu30.com 172.16.30.3 agent, LNMP
The master manages the two nodes, installing a LAMP environment on one and an LNMP environment on the other. LAMP uses the Apache php module; LNMP uses php-fpm, with nginx installed from an rpm package. Vim also gets an nginx syntax-highlighting module, and a cron job is added that synchronises the clock every three minutes.
Tree of the modules directory: the files shown in this tree must exist when the module installation below is run, otherwise it will error.
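As an added check (not part of the original post), a POSIX shell function that walks a modules directory, extracts every puppet:///modules/<module>/<file> source referenced in the manifests and reports any source with no matching file under <module>/files/, so the missing-file error above is caught before the agent run; the demo tree it builds is constructed for illustration, and the layout <modules>/<module>/{manifests,files} is assumed:

```shell
#!/bin/sh
# Added example (not part of the original post): check that every
# "puppet:///modules/<module>/<file>" source used in a module manifest
# has a matching file under <modules>/<module>/files/, the condition
# the page says must hold before an agent run or it errors out.
# Assumed layout: <modules>/<module>/manifests/init.pp and files/.

# check_module_sources MODULES_DIR
# One "missing: ..." line per absent file on stderr, the count of
# missing files on stdout, exit status 1 if anything is missing.
check_module_sources() {
    modules="$1"
    missing=0
    for pp in $(find "$modules" -name '*.pp' | sort); do
        for src in $(grep -o "puppet:///modules/[^'\"]*" "$pp" | sort -u); do
            rel=${src#puppet:///modules/}   # nginx/default.conf
            mod=${rel%%/*}                  # nginx
            file=${rel#*/}                  # default.conf
            if [ ! -f "$modules/$mod/files/$file" ]; then
                echo "missing: $modules/$mod/files/$file (from $pp)" >&2
                missing=$((missing + 1))
            fi
        done
    done
    echo "$missing"
    [ "$missing" -eq 0 ]
}

# make_demo_tree: constructed sample tree in a temp dir; prints its path.
# nginx references two files but ships only default.conf, so one is missing.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/nginx/manifests" "$root/nginx/files" \
             "$root/mysql/manifests" "$root/mysql/files"
    printf "class nginx {\n  file { 'default.conf':\n    source => 'puppet:///modules/nginx/default.conf',\n  }\n  file { 'index.php':\n    source => 'puppet:///modules/nginx/index.php',\n  }\n}\n" \
        > "$root/nginx/manifests/init.pp"
    printf "class mysql {\n  file { 'my.cnf':\n    source => 'puppet:///modules/mysql/my.cnf',\n  }\n}\n" \
        > "$root/mysql/manifests/init.pp"
    touch "$root/nginx/files/default.conf" "$root/mysql/files/my.cnf"
    echo "$root"
}

# Usage: check_module_sources /etc/puppet/modules
```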
Installation:
Install puppet-server on node1:
[root@node1 2.7.25]# ls
facter-1.7.5-1.el6.x86_64.rpm  puppet-dashboard-1.2.23-1.el6.noarch.rpm
puppet-2.7.25-1.el6.noarch.rpm  puppet-server-2.7.25-1.el6.noarch.rpm
[root@node1 2.7.25]# yum install -y facter-1.7.5-1.el6.x86_64.rpm puppet-2.7.25-1.el6.noarch.rpm puppet-server-2.7.25-1.el6.noarch.rpm
Test run:
[root@node1 ~]# puppet master -v -d --noop --no-daemonize
Option reference:
-v: show extra information
-d: show debug output
--noop: do not actually apply anything, only test
--no-daemonize: do not run as a daemon, i.e. run in the foreground so that the details of the run are visible
The first run prints the following. It shows that node1 generated its own private key, created a certificate signing request, self-signed it, and automatically set up a CA. The master and agents communicate over SSL, so certificates are mandatory; for any other client, the master signs that client's signing request to issue its certificate.
info: Creating a new SSL key for ca
info: Creating a new SSL certificate request for ca
info: Certificate Request fingerprint (md5): 25:08:0F:4F:4C:08:CB:0C:51:1D:9E:26:6E:E7:FF:85
notice: Signed certificate request for ca
notice: Rebuilding inventory file
debug: Using cached certificate for ca
info: Creating a new certificate revocation list
info: Creating a new SSL key for node1.stu30.com
debug: Using cached certificate for ca
info: Creating a new SSL certificate request for node1.stu30.com
info: Certificate Request fingerprint (md5): 6F:90:90:1B:CC:BC:FD:02:32:69:53:F3:E9:20:84:AC
notice: node1.stu30.com has a waiting certificate request
debug: Using cached certificate for ca
debug: Using cached certificate_request for node1.stu30.com
notice: Signed certificate request for node1.stu30.com
notice: Removing file Puppet::SSL::CertificateRequest node1.stu30.com at '/var/lib/puppet/ssl/ca/requests/node1.stu30.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest node1.stu30.com at '/var/lib/puppet/ssl/certificate_requests/node1.stu30.com.pem'
The master is now fine. Stop it with Ctrl+C and start it as a daemon with service puppetmaster start; it listens on port 8140:
Now configure the agent node node3. Only the agent needs to be installed, not the server side:
[root@node3 2.7.25]# yum install -y puppet-2.7.25-1.el6.noarch.rpm facter-1.7.5-1.el6.x86_64.rpm
As with the master, do a test run first:
[root@node3 2.7.25]# puppet agent --server=node1.stu30.com -v -d --noop --no-daemonize
This time the extra parameter --server is needed to tell the agent who the master is. When running as a daemon, add server = master_hostname to the [agent] section of the configuration file. It must be the master's hostname, because the CA identifies hosts by hostname. This lab used the following configuration:
If the run reports no error, it is ready to go. To see the run's status, drop the --noop parameter and again run in the foreground:
[root@node3 2.7.25]# puppet agent --server=node1.stu30.com -v -d --no-daemonize
debug: Finishing transaction 70043945071220
info: Creating a new SSL key for node3.stu30.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for node3.stu30.com
info: Certificate Request fingerprint (md5): 3A:AE:32:5B:31:FB:CD:09:E3:96:E6:4E:FA:D0:0F:7C
debug: Using cached certificate for ca
debug: Using cached certificate for ca
The output shows that node3 generated a certificate signing request and is now waiting for the master.
Now check on node1:
[root@node1 ~]# puppet cert list
  "node3.stu30.com" (87:DD:C2:66:41:9F:69:34:47:2A:9E:78:30:F6:37:63)
It is there. puppet cert list shows the certificates waiting to be signed; next, sign it:
[root@node1 ~]# puppet cert sign node3.stu30.com
notice: Signed certificate request for node3.stu30.com
notice: Removing file Puppet::SSL::CertificateRequest node3.stu30.com at '/var/lib/puppet/ssl/ca/requests/node3.stu30.com.pem'
The certificate is signed, and the output tells us where it is stored.
Stop the agent with Ctrl+C and run it again; the agent now retrieves its catalog from the master and logs it:
debug: Using cached certificate for node3.stu30.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for node3.stu30.com
debug: Creating default schedules
info: Applying configuration version '1422608294'
The agent on node3 is installed. node2 is set up the same way and is not covered again here.
Now configure the modules. Create the directories required by the tree above.
Each module's init.pp file:
mysql:
class mysql {
  package { 'mysql-server':
    ensure => installed,                  # desired installation state
  }
  file { 'my.cnf':
    ensure  => file,
    source  => 'puppet:///modules/mysql/my.cnf',  # config file taken from the files directory of this module on the master; do not include "files" in the path, just the file name under the module
    path    => '/etc/my.cnf',             # where the config file is placed on the agent
    require => Package['mysql-server'],   # precondition for this resource: mysql must be installed before the config file is copied to the agent
    notify  => Service['mysqld'],         # notification: if the config file changes, the service resource (which restarts mysql) is notified
  }
  service { 'mysqld':
    ensure  => running,                   # make sure mysql is running once installed
    enable  => false,                     # do not start at boot
    # both the package and the config file must be in place first; they are
    # given as one list, since a parameter may only appear once per resource
    require => [Package['mysql-server'], File['my.cnf']],
  }
}
httpd_php: same as above, so not every parameter is explained again
class httpd_php {
  package { ['httpd', 'php']:            # two packages can be installed in one resource
    ensure => installed,
  }
  file { 'httpd.conf':
    source  => 'puppet:///modules/httpd_php/httpd.conf',
    path    => '/etc/httpd/conf/httpd.conf',
    require => Package['httpd', 'php'],
    notify  => Service['httpd'],
  }
  file { 'php.ini':
    ensure  => file,
    source  => 'puppet:///modules/httpd_php/php.ini',
    path    => '/etc/php.ini',
    require => Package['php'],
    notify  => Service['httpd'],
  }
  file { 'index.php':
    ensure  => file,
    source  => 'puppet:///modules/httpd_php/index.php',
    path    => '/var/www/html/index.php',
    require => Package['httpd'],
  }
  service { 'httpd':
    ensure  => running,
    enable  => false,
    require => Package['httpd', 'php'],
  }
}
nginx:
class nginx {
  package { 'nginx':
    ensure   => latest,                                   # installation state
    provider => rpm,                                      # installed from an rpm package, so the rpm provider is used
    source   => '/tmp/nginx-1.6.2-1.el6.ngx.x86_64.rpm',  # path of the rpm; must match the path the rpm is copied to below
  }
  file { 'default.conf':
    ensure  => file,
    source  => 'puppet:///modules/nginx/default.conf',
    path    => '/etc/nginx/conf.d/default.conf',
    require => Package['nginx'],
    notify  => Service['nginx'],
  }
  file { 'index.php':
    ensure  => file,
    source  => 'puppet:///modules/nginx/index.php',
    path    => '/usr/share/nginx/html/index.php',
    require => Package['nginx'],
  }
  file { 'nginxrpm':
    ensure => file,
    source => 'puppet:///modules/nginx/nginx-1.6.2-1.el6.ngx.x86_64.rpm',
    path   => '/tmp/nginx-1.6.2-1.el6.ngx.x86_64.rpm',
    before => Package['nginx'],
  }
  service { 'nginx':
    ensure  => running,
    enable  => false,
    require => Package['nginx'],
  }
}
nginx_syntax: nginx syntax-highlighting module for vim
class nginx_syntax {
  exec { 'mkdir -pv .vim/syntax':        # command that creates the directories
    cwd     => '/root',                  # directory the command runs in, i.e. as if you cd there first and then run mkdir (the current working directory)
    path    => ['/bin'],                 # search path for mkdir; the parent directory is enough
    creates => '/root/.vim/syntax',      # directory the command creates; the exec runs only if it does not exist yet. mkdir -p creates whatever is missing, e.g. if .vim exists but syntax does not, only syntax is created
    before  => File['filetype.vim', 'nginx.vim'],  # must run before the files are copied, because they are copied into this directory
  }
  file { 'filetype.vim':
    ensure => file,
    source => 'puppet:///modules/nginx_syntax/filetype.vim',
    path   => '/root/.vim/filetype.vim',
  }
  file { 'nginx.vim':
    ensure => file,
    source => 'puppet:///modules/nginx_syntax/nginx.vim',
    path   => '/root/.vim/syntax/nginx.vim',
  }
}
ntp: cron job module
class ntp {                               # parent class
}
class ntp::synctime inherits ntp {        # subclass inheriting from ntp; shown only to illustrate inheritance, a single class would do
  cron { 'synctime':
    ensure  => present,                   # like installed for a package: the entry must exist
    minute  => '*/5',                     # cron schedule; omitted fields default to *
    command => '/usr/sbin/ntpdate 172.16.0.1 &> /dev/null',  # the command added to cron
    name    => 'sync time from ntp server',  # name of this cron entry
  }
}
php-fpm: nginx proxies PHP requests to php-fpm
That covers each module's configuration file. Now look at the files in the /etc/puppet/manifests directory:
node2.lamp.pp:
node3.lnmp.pp:
Since the agent only reads site.pp, we have to edit site.pp:
The master is now configured. Restart the master service and confirm that the port is listening:
[root@node1 ~]# service puppetmaster restart
Start the agents on node2 and node3:
node2:
[root@node2 ~]# puppet agent -v --no-daemonize --server=node1.stu30.com
info: Caching certificate for node2.stu30.com
notice: Starting Puppet client version 2.7.25
info: Caching certificate_revocation_list for ca
info: Caching catalog for node2.stu30.com
info: Applying configuration version '1422677379'
notice: /Stage[main]/Httpd_php/Package[php]/ensure: created
notice: /Stage[main]/Mysql/Package[mysql-server]/ensure: created
info: FileBucket adding {md5}8ace886bbe7e274448bc8bea16d3ead6
info: /Stage[main]/Mysql/File[my.cnf]: Filebucketed /etc/my.cnf to puppet with sum 8ace886bbe7e274448bc8bea16d3ead6
notice: /Stage[main]/Mysql/File[my.cnf]/content: content changed '{md5}8ace886bbe7e274448bc8bea16d3ead6' to '{md5}dcb78c908cf0077856ebd212792e9ab2'
info: /Stage[main]/Mysql/File[my.cnf]: Scheduling refresh of Service[mysqld]
notice: /Stage[main]/Mysql/Service[mysqld]/ensure: ensure changed 'stopped' to 'running'
notice: /Stage[main]/Mysql/Service[mysqld]: Triggered 'refresh' from 1 events
notice: /Stage[main]/Ntp::Synctime/Cron[synctime]/ensure: created
notice: /Stage[main]/Httpd_php/File[index.php]/ensure: defined content as '{md5}eb7009d32f9ae4035f2973b7fb8ae29c'
notice: /Stage[main]/Httpd_php/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 42.28 seconds
After installation, check the listening ports and test access:
node3:
[root@node3 ~]# puppet agent -v --no-daemonize --server=node1.stu30.com
info: Caching certificate for node3.stu30.com
notice: Starting Puppet client version 2.7.25
info: Caching certificate_revocation_list for ca
info: Caching catalog for node3.stu30.com
info: Applying configuration version '1422677379'
notice: /Stage[main]/Nginx_syntax/File[nginx.vim]/ensure: defined content as '{md5}10395c7a028cc58030f82ab296f13ff3'
notice: /Stage[main]/Nginx_syntax/File[filetype.vim]/ensure: defined content as '{md5}dee2611ad012952aa899705cb8821b59'
notice: /Stage[main]/Mysql/Package[mysql-server]/ensure: created
info: FileBucket adding {md5}8ace886bbe7e274448bc8bea16d3ead6
info: /Stage[main]/Mysql/File[my.cnf]: Filebucketed /etc/my.cnf to puppet with sum 8ace886bbe7e274448bc8bea16d3ead6
notice: /Stage[main]/Mysql/File[my.cnf]/content: content changed '{md5}8ace886bbe7e274448bc8bea16d3ead6' to '{md5}dcb78c908cf0077856ebd212792e9ab2'
info: /Stage[main]/Mysql/File[my.cnf]: Scheduling refresh of Service[mysqld]
notice: /Stage[main]/Mysql/Service[mysqld]/ensure: ensure changed 'stopped' to 'running'
notice: /Stage[main]/Mysql/Service[mysqld]: Triggered 'refresh' from 1 events
notice: /Stage[main]/Ntp::Synctime/Cron[synctime]/ensure: created
notice: /Stage[main]/Nginx/File[nginxrpm]/ensure: defined content as '{md5}e6f65f654b90f2356a9a3c52f37b53eb'
notice: /Stage[main]/Nginx/Package[nginx]/ensure: created
notice: /Stage[main]/Nginx/File[index.php]/ensure: defined content as '{md5}28433e7b2073e6222f3882e3a9d86c82'
info: FileBucket adding {md5}4dce452bf8dbb01f278ec0ea9ba6cf40
info: /Stage[main]/Nginx/File[default.conf]: Filebucketed /etc/nginx/conf.d/default.conf to puppet with sum 4dce452bf8dbb01f278ec0ea9ba6cf40
notice: /Stage[main]/Nginx/File[default.conf]/content: content changed '{md5}4dce452bf8dbb01f278ec0ea9ba6cf40' to '{md5}3eda5027b81f41800de51afdc0a6b111'
info: /Stage[main]/Nginx/File[default.conf]: Scheduling refresh of Service[nginx]
notice: /Stage[main]/Nginx/Service[nginx]/ensure: ensure changed 'stopped' to 'running'
notice: /Stage[main]/Nginx/Service[nginx]: Triggered 'refresh' from 1 events
notice: /Stage[main]/Php-fpm/Package[php-fpm]/ensure: created
notice: /Stage[main]/Php-fpm/Service[php-fpm]/ensure: ensure changed 'stopped' to 'running'
info: Creating state file /var/lib/puppet/state/state.yaml
After installation, check the listening ports and test access:
That completes deploying LAMP and LNMP with Puppet. The descriptions above may be imprecise or wrong in places; corrections are welcome.
Problems encountered:
1. After a certificate had been signed, the VM was restored to a snapshot for testing; running the agent again then complained that the ssl files could not be found.
Follow the prompt and perform the indicated steps on the master and on the agent side;
2. If it reports that the pid file cannot be created, delete the pid file, find the process with ps aux and kill it;
3. The nginx syntax-highlighting module does not check whether nginx exists, because it is a standalone module; it could be merged into the nginx module with a require constraint added;
4. Analysis of the following problem:
Many per-module pp files had been created under /etc/puppet/manifests/ alongside site.pp, and site.pp contained import "*.pp", meaning import every file ending in .pp in the current directory. That imports site.pp itself and causes an error. Either change *.pp in site.pp to the pp file you actually want, e.g. import "nginx.pp", or create a subdirectory next to site.pp for the non-site.pp files and keep site.pp as import "<that directory>/*.pp"; then the error goes away;
5. Analysis of the following problem:
This error occurred because the modules and manifests directories had earlier been backed up to the VM's shared folder, which made them unreadable: all files had mode 770. Pay attention to permissions; they too can make the pp files unreadable.
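As an added illustration of the layout described in item 4 (not the author's own site.pp or node files, which the post does not reproduce), a site.pp that imports only a subdirectory, with node definitions assumed from the module names used on this page and the class names in the agent logs:

```puppet
# /etc/puppet/manifests/site.pp
# Only files under nodes/ are imported, so site.pp never imports itself.
import "nodes/*.pp"

# /etc/puppet/manifests/nodes/node2.lamp.pp (assumed contents)
node 'node2.stu30.com' {
  include mysql
  include httpd_php
  include ntp::synctime
}

# /etc/puppet/manifests/nodes/node3.lnmp.pp (assumed contents)
node 'node3.stu30.com' {
  include mysql
  include nginx
  include nginx_syntax
  include php-fpm        # class name as it appears in the agent log; hyphens in class names are rejected by later Puppet versions
  include ntp::synctime
}
```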