puppet-1

Puppet infrastructure

Installing Puppet

  • Environment preparation:
    • Operating system: CentOS 6.9 (minimal)
    • Hostname & IP: centos6-node1 192.168.56.21
      [root@centos6-node1 ~]# useradd wanghui
      [root@centos6-node1 ~]# passwd wanghui
      [wanghui@centos6-node1 ~]$ hostname -i
      127.0.0.1 192.168.56.21
      [root@centos6-node1 ~]# echo '192.168.56.21 centos6-node1' >> /etc/hosts
      [root@centos6-node1 ~]# vim /etc/sudoers
      wanghui ALL=NOPASSWD: ALL
      [root@centos6-node1 ~]# su - wanghui
      [wanghui@centos6-node1 ~]$ sudo yum install wget
      [wanghui@centos6-node1 ~]$ sudo wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
  • Install Puppet
    [wanghui@centos6-node1 ~]$ sudo yum -y install http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
    [wanghui@centos6-node1 ~]$ sudo yum -y install puppet-3.2.2
    [wanghui@centos6-node1 ~]$ puppet --version  # check the version
    3.2.2

    Creating a manifest

  • Create a suitable directory structure
    [wanghui@centos6-node1 ~]$ mkdir puppet/manifests -p
  • Create site.pp under manifests with the following content:
    [wanghui@centos6-node1 ~]$ vim puppet/manifests/site.pp
    import 'nodes.pp'
  • Create nodes.pp under manifests with the following content, which uses the hostname:
    [wanghui@centos6-node1 ~]$ hostname
    centos6-node1
    [wanghui@centos6-node1 ~]$ vim puppet/manifests/nodes.pp
    node 'centos6-node1' {
        file { '/tmp/hello':
            content => "Hello World!\n",
        }
    }
  • Test the manifest with puppet apply
    [wanghui@centos6-node1 ~]$ sudo puppet apply -v puppet/manifests/site.pp 
    Info: Applying configuration version '1512403641'
    Notice: /Stage[main]//Node[centos6-node1]/File[/tmp/hello]/ensure: defined content as '{md5}8ddd8be4b179a529afa5f2ffae4b9858'
    Info: Creating state file /var/lib/puppet/state/state.yaml
    Notice: Finished catalog run in 0.02 seconds
    [wanghui@centos6-node1 ~]$ cat /tmp/hello 
    Hello World!

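    The manifests above can be managed with Git

    The benefits of managing the Puppet manifests centrally with Git are:

  • Changes to the manifests can be undone, and you can roll back to any version
  • New features can be tested on a new branch
  • If several people modify the manifests, each can work on their own independent copy and then merge all the changes
  • git log shows who did what and when

    Creating a Git account

    1. Install git on the server
      [wanghui@centos6-node1 ~]$ sudo yum -y install git
    2. Create the Git repository and initialize it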
      [wanghui@centos6-node1 ~]$ cd puppet
      [wanghui@centos6-node1 puppet.com]$ echo "# puppet.com" >> README.md
      [wanghui@centos6-node1 puppet.com]$ git init
      Initialized empty Git repository in /home/wanghui/puppet.com/.git/
      [wanghui@centos6-node1 puppet.com]$ git add README.md 
      [wanghui@centos6-node1 puppet.com]$ git commit -m "first commit"
      [wanghui@centos6-node1 puppet.com]$ git remote add origin git@github.com:wanghui122725501/puppet.com.git
      [wanghui@centos6-node1 puppet.com]$ git push -u origin master
    3. Authorize an SSH key to read and write the repository
      [wanghui@centos6-node1 ~]$ ssh-keygen
      [wanghui@centos6-node1 ~]$ cat .ssh/id_rsa.pub

      Add the generated public key to the SSH keys in GitHub.

  • Commit the Puppet files to GitHub
    [wanghui@centos6-node1 ~]$ mkdir puppet.import
    [wanghui@centos6-node1 ~]$ git clone git@github.com:wanghui122725501/puppet.com.git
    [wanghui@centos6-node1 ~]$ mv puppet.com/* puppet
    [wanghui@centos6-node1 ~]$ cd puppet
    [wanghui@centos6-node1 puppet]$ git status
    nothing added to commit but untracked files present (use "git add" to track)
    [wanghui@centos6-node1 puppet]$ git add manifests/
    [wanghui@centos6-node1 puppet]$ git config --global user.name "wanghui"
    [wanghui@centos6-node1 puppet]$ git config --global user.email "[email protected]"
    [wanghui@centos6-node1 puppet]$ git commit -m "Importing"
    [wanghui@centos6-node1 puppet]$ git push -u origin master

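    Creating a decentralized Puppet architecture

    A client machine is now needed, configured as follows:

  • Environment preparation:
    • Operating system: CentOS 6.9 (minimal)
    • Hostname & IP: centos6-node2 192.168.56.22
    • Git must be installed here as well
      How decentralization works:
      Put simply, the puppet-master is removed, which avoids both the puppet-master single point of failure and the certificate-issuing problem. Changes are committed and pushed to the central repository on GitHub, from where they can be distributed automatically to the clients.
      The steps are as follows:
  • Install Puppet on centos6-node2 as well, and create the puppet directory
  • Clone the code with git, after first adding the SSH key to GitHub so that SSH authentication works
    [wanghui@centos6-node2 ~]$ git clone git@github.com:wanghui122725501/puppet.com.git puppet/
  • Edit the node file
    [wanghui@centos6-node2 ~]$ vim puppet/manifests/nodes.pp
    node 'centos6-node2' {
        file { '/tmp/hello':
            content => "Hello World!\n",
        }
    }
  • Run a test check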
    [wanghui@centos6-node2 ~]$ sudo puppet apply -v puppet/manifests/nodes.pp
    [wanghui@centos6-node2 ~]$ cat /tmp/hello 
    Hello World!

    Writing the papply script

    Requirement: apply the Puppet configuration to a host as simply as possible
    The steps are as follows:

  • On centos6-node1, create the corresponding directories
    [wanghui@centos6-node1 ~]$ mkdir puppet/modules/puppet/{manifests,files} -p
  • Edit the papply file
    [wanghui@centos6-node1 ~]$ vim puppet/modules/puppet/files/papply.sh
    #!/bin/bash
    # "$@" forwards every argument to puppet unchanged
    sudo puppet apply /home/wanghui/puppet/manifests/site.pp --modulepath=/home/wanghui/puppet/modules/ "$@"
  • Create the file puppet/modules/puppet/manifests/init.pp
    [wanghui@centos6-node1 ~]$ vim puppet/modules/puppet/manifests/init.pp
    class puppet {
        file { '/usr/local/bin/papply':
            source => 'puppet:///modules/puppet/papply.sh',
            mode   => '0755',
        }
    }
  • Edit puppet/manifests/nodes.pp
    [wanghui@centos6-node1 ~]$ vim puppet/manifests/nodes.pp
    node 'centos6-node1' {
        include puppet
    }
  • Apply the configuration
    [wanghui@centos6-node1 ~]$ sudo puppet apply puppet/manifests/site.pp --modulepath=/home/wanghui/puppet/modules/
    [wanghui@centos6-node1 ~]$ papply    # test papply

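    How it works:

  • As we can see, to run Puppet and apply the manifests on a machine you only need to run papply, rather than the full puppet apply command.
  • When modules are used, Puppet has to be told where to find them; the modulepath parameter specifies the module search directories.
  • To run the command as root, sudo is put in front of it.
  • Any arguments given to papply are then passed on to puppet by the parameter expansion at the end of the command.
  • Because the full command is long to type, a Puppet file resource deploys the script to /usr/local/bin, from where it can be run.
  • Finally, include puppet is added to the node, so the papply script can be deployed the same way on any node managed by Puppet.

    Running Puppet with cron

    How it works: cron runs the job automatically, and the configuration is applied automatically through papply.

The steps are as follows:

  • Add this machine's SSH public key to GitHub
  • Next, move the SSH public key file into modules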
    [wanghui@centos6-node1 ~]$ cp .ssh/id_rsa.pub puppet/modules/puppet/files/
    [wanghui@centos6-node1 ~]$ ll puppet/modules/puppet/files/
    total 8
    -rw-r--r-- 1 wanghui wanghui 403 Dec  4 18:16 id_rsa.pub
    -rw-rw-r-- 1 wanghui wanghui 115 Dec  4 17:27 papply.sh
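  • Create the pull-updates.sh file
    [wanghui@centos6-node1 ~]$ vim puppet/modules/puppet/files/pull-updates.sh
    #!/bin/bash
    # Update the working copy, then apply it; stop if the directory is missing
    cd /home/wanghui/puppet/ || exit 1
    git pull && /usr/local/bin/papply
  • Edit the init.pp file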
    [wanghui@centos6-node1 ~]$ vim puppet/modules/puppet/manifests/init.pp 
    class puppet {
        file { '/usr/local/bin/papply':
            source => 'puppet:///modules/puppet/papply.sh',
            mode   => '0755',
        }
        file { '/usr/local/bin/pull-updates':
            source => 'puppet:///modules/puppet/pull-updates.sh',
            mode   => '0755',
        }
        # The file copied into the module is the public key, so it is
        # deployed as id_rsa.pub and never overwrites the private key.
        file { '/home/wanghui/.ssh/id_rsa.pub':
            source => 'puppet:///modules/puppet/id_rsa.pub',
            owner  => 'wanghui',
            mode   => '0600',
        }
        # Pull and apply the manifests every 10 minutes as wanghui.
        cron { 'run-puppet':
            ensure  => present,
            user    => 'wanghui',
            command => '/usr/local/bin/pull-updates',
            minute  => '*/10',
            hour    => '*',
        }
    }
  • Run
    [wanghui@centos6-node1 ~]$ papply 
    Notice: /Stage[main]/Puppet/File[/usr/local/bin/pull-updates]/ensure: defined content as '{md5}a09bce602a7726b5b9ccb8e5a1ddf1cd'
    Notice: Finished catalog run in 0.04 seconds
  • Test
    • Check that the SSH key has been correctly authorized by GitHub
      [wanghui@centos6-node1 ~]$ ssh git@github.com
      PTY allocation request failed on channel 0
      Hi wanghui122725501! You've successfully authenticated, but GitHub does not provide shell access.
      Connection to github.com closed.
    • Check that pull-updates runs correctly
      [wanghui@centos6-node1 ~]$ pull-updates
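
A more defensive pull-updates, as an added example that is not part of the original post: because cron runs papply through passwordless sudo, whatever lands on the GitHub branch is applied as root, so this version only fast-forwards to a tip commit whose GPG signature verifies. The function name safe_pull and its exit codes are assumptions, and it assumes Git 2.1 or later (for git verify-commit) and that the signer's public key is already in wanghui's GnuPG keyring.

```shell
#!/bin/sh
# Added example (not from the original post): pull-updates that applies only
# fast-forward, signature-verified commits. safe_pull and its exit codes are
# hypothetical names; the paths are the ones used in the post.

# safe_pull REPO BRANCH APPLY_CMD
# The body is a subshell, so cd and exit do not affect the caller.
# Exit codes: 0 up to date or applied, 2 bad repo, 3 fetch failed,
#             4 not a fast-forward, 5 signature rejected, 6 merge failed.
safe_pull() (
    repo=$1 branch=$2 apply=$3
    cd "$repo" || exit 2
    git fetch --quiet origin || exit 3
    old=$(git rev-parse --verify --quiet HEAD) || exit 2
    new=$(git rev-parse --verify --quiet "origin/$branch") || exit 3
    [ "$old" = "$new" ] && exit 0            # nothing new to apply
    # Refuse rewritten history: the fetched tip must descend from HEAD.
    git merge-base --is-ancestor "$old" "$new" || exit 4
    # Only the tip is checked; its signer vouches for the commits below it.
    # Fails for unsigned commits and for keys missing from the keyring.
    git verify-commit "$new" >/dev/null 2>&1 || exit 5
    git merge --quiet --ff-only "$new" || exit 6
    "$apply"
)

# Entry point for cron, e.g.:
#   pull-updates /home/wanghui/puppet master /usr/local/bin/papply
if [ "$#" -eq 3 ]; then
    safe_pull "$1" "$2" "$3"
fi
```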