puppet-1

Puppet infrastructure

Installing Puppet

  • Environment preparation:
    • Operating system: CentOS 6.9 (minimal)
    • Hostname & IP: centos6-node1 192.168.56.21
      [root@centos6-node1 ~]# useradd wanghui
      [root@centos6-node1 ~]# passwd wanghui
      [wanghui@centos6-node1 ~]$ hostname -i
      127.0.0.1 192.168.56.21
      [root@centos6-node1 ~]# echo '192.168.56.21 centos6-node1' >> /etc/hosts
      [root@centos6-node1 ~]# vim /etc/sudoers
      wanghui ALL=NOPASSWD: ALL
      [root@centos6-node1 ~]# su - wanghui
      [wanghui@centos6-node1 ~]$ sudo yum install wget
      [wanghui@centos6-node1 ~]$ sudo wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
  • Install Puppet
    [wanghui@centos6-node1 ~]$ sudo yum -y install http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
    [wanghui@centos6-node1 ~]$ sudo yum -y install puppet-3.2.2
    [wanghui@centos6-node1 ~]$ puppet --version  # check the version
    3.2.2

    Creating a manifest

  • Create a suitable directory structure
    [wanghui@centos6-node1 ~]$ mkdir puppet/manifests -p
  • Create site.pp under manifests with the following content:
    [wanghui@centos6-node1 ~]$ vim puppet/manifests/site.pp
    import 'nodes.pp'
  • Create nodes.pp under manifests with the following content, which uses the hostname:
    [wanghui@centos6-node1 ~]$ hostname 
    centos6-node1
    [wanghui@centos6-node1 ~]$ vim puppet/manifests/nodes.pp
    node 'centos6-node1' {
    file { '/tmp/hello':
        content => "Hello World!\n",
    }
    }
  • Test the manifest with puppet apply
    [wanghui@centos6-node1 ~]$ sudo puppet apply -v puppet/manifests/site.pp 
    Info: Applying configuration version '1512403641'
    Notice: /Stage[main]//Node[centos6-node1]/File[/tmp/hello]/ensure: defined content as '{md5}8ddd8be4b179a529afa5f2ffae4b9858'
    Info: Creating state file /var/lib/puppet/state/state.yaml
    Notice: Finished catalog run in 0.02 seconds
    [wanghui@centos6-node1 ~]$ cat /tmp/hello 
    Hello World!

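    The manifests above can be managed with git

    Managing Puppet manifests centrally with git has the following benefits:

  • Changes to the manifests can be undone, and you can roll back to any version
  • New branches can be used to test new features
  • If several people modify the manifests, each can work on an independent copy and then merge all the changes
  • git log shows who did what and when

    Creating a git account

    1. Install git on the server
      [wanghui@centos6-node1 ~]$ sudo yum -y install git
    2. Create the git repository and initialize it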
      [wanghui@centos6-node1 ~]$ cd puppet
      [wanghui@centos6-node1 puppet.com]$ echo "# puppet.com" >> README.md
      [wanghui@centos6-node1 puppet.com]$ git init
      Initialized empty Git repository in /home/wanghui/puppet.com/.git/
      [wanghui@centos6-node1 puppet.com]$ git add README.md 
      [wanghui@centos6-node1 puppet.com]$ git commit -m "first commit"
      [wanghui@centos6-node1 puppet.com]$ git remote add origin git@github.com:wanghui122725501/puppet.com.git
      [wanghui@centos6-node1 puppet.com]$ git push -u origin master
    3. Authorize an SSH key to read and write the repository
      [wanghui@centos6-node1 ~]$ ssh-keygen 
      [wanghui@centos6-node1 ~]$ cat .ssh/id_rsa.pub 

      Add the generated public key to the SSH keys in GitHub

  • Commit the Puppet files to GitHub
    [wanghui@centos6-node1 ~]$ mkdir puppet.import
    [wanghui@centos6-node1 ~]$ git clone git@github.com:wanghui122725501/puppet.com.git
    [wanghui@centos6-node1 ~]$ mv puppet.com/* puppet
    [wanghui@centos6-node1 ~]$ cd puppet
    [wanghui@centos6-node1 puppet]$ git status
    nothing added to commit but untracked files present (use "git add" to track)
    [wanghui@centos6-node1 puppet]$ git add manifests/
    [wanghui@centos6-node1 puppet]$ git config --global user.name "wanghui"
    [wanghui@centos6-node1 puppet]$ git config --global user.email "[email protected]"
    [wanghui@centos6-node1 puppet]$ git commit -m "Importing"
    [wanghui@centos6-node1 puppet]$ git push -u origin master

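    Creating a decentralized Puppet architecture

    A client machine is needed at this point, configured as follows:

  • Environment preparation:
    • Operating system: CentOS 6.9 (minimal)
    • Hostname & IP: centos6-node2 192.168.56.22
    • git needs to be installed here as well
      How decentralization works:
      Put simply, it removes the puppet-master, which avoids both the puppet-master single point of failure and the certificate-issuing problem. Changes are committed to GitHub and pushed to the central repository, from where they can be distributed to the clients automatically.
      The steps are as follows:
  • Install Puppet on centos6-node2 as well, and create the puppet directory
  • Clone the code with git; first add the SSH key to GitHub so that SSH authentication works
    [wanghui@centos6-node2 ~]$ git clone git@github.com:wanghui122725501/puppet.com.git puppet/
  • Edit the node file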
    [wanghui@centos6-node2 ~]$ vim puppet/manifests/nodes.pp 
    node 'centos6-node2' {
    file { '/tmp/hello':
        content => "Hello World!\n",
    }
    }
  • Run the test and check the result
    [wanghui@centos6-node2 ~]$ sudo puppet apply -v puppet/manifests/nodes.pp
    [wanghui@centos6-node2 ~]$ cat /tmp/hello 
    Hello World!

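    Writing the papply script

    Requirement: apply the Puppet configuration to a host as simply as possible
    The steps are as follows:

  • On centos6-node1, create the required directories
    [wanghui@centos6-node1 ~]$ mkdir puppet/modules/puppet/{manifests,files} -p
  • Edit the papply file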
    [wanghui@centos6-node1 ~]$ vim puppet/modules/puppet/files/papply.sh
    #!/bin/bash
    sudo puppet apply /home/wanghui/puppet/manifests/site.pp --modulepath=/home/wanghui/puppet/modules/ $*
  • Create the file puppet/modules/puppet/manifests/init.pp
    [wanghui@centos6-node1 ~]$ vim puppet/modules/puppet/manifests/init.pp
    class puppet {
    file {'/usr/local/bin/papply':
        source => 'puppet:///modules/puppet/papply.sh',
        mode => '0755',
    }
    }
  • Edit puppet/manifests/nodes.pp
    [wanghui@centos6-node1 ~]$ vim puppet/manifests/nodes.pp 
    node 'centos6-node1' {
    include puppet
    }
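  • Apply the configuration
    [wanghui@centos6-node1 ~]$ sudo puppet apply puppet/manifests/site.pp --modulepath=/home/wanghui/puppet/modules/
    [wanghui@centos6-node1 ~]$ papply    # test papply

    How it works:

  • As we can see, to run Puppet and apply the manifests on a machine you only need to run papply, rather than the full puppet apply command.
  • When modules are used, Puppet has to be told where to search for them; the modulepath parameter specifies the module search directory.
  • To run the command as root, sudo is put in front of it.
  • Then $* passes any arguments on to puppet.
  • Because that is a lot to type, we use a Puppet file resource to deploy the script to /usr/local/bin and run it from there.
  • Finally, include puppet is added to the node, so the papply script can be deployed in the same way on any node managed by Puppet.

    Running Puppet with cron

    How it works: cron runs the job automatically, and the configuration is applied automatically through papply

The steps are as follows:

  • Add this machine's SSH public key to GitHub
  • Copy the SSH public key file into the module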
    [wanghui@centos6-node1 ~]$ cp .ssh/id_rsa.pub puppet/modules/puppet/files/
    [wanghui@centos6-node1 ~]$ ll puppet/modules/puppet/files/
    total 8
    -rw-r--r-- 1 wanghui wanghui 403 Dec  4 18:16 id_rsa.pub
    -rw-rw-r-- 1 wanghui wanghui 115 Dec  4 17:27 papply.sh
  • Create the pull-updates.sh file
    [wanghui@centos6-node1 ~]$ vim puppet/modules/puppet/files/pull-updates.sh
    #!/bin/bash
    cd /home/wanghui/puppet/
    git pull && /usr/local/bin/papply
  • Edit the init.pp file
    [wanghui@centos6-node1 ~]$ vim puppet/modules/puppet/manifests/init.pp 
    class puppet {
    file {'/usr/local/bin/papply':
        source => 'puppet:///modules/puppet/papply.sh',
        mode   => '0755',
    }   
    file {'/usr/local/bin/pull-updates':
        source => 'puppet:///modules/puppet/pull-updates.sh',
        mode   => '0755',
    }
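    # The module ships the public key (id_rsa.pub), so install it under that name;
    # writing it to ~/.ssh/id_rsa would replace the private key with the public one
    file {'/home/wanghui/.ssh/id_rsa.pub':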
        source => 'puppet:///modules/puppet/id_rsa.pub',
        owner  => 'wanghui',
        mode   => '0600',
    }
    cron {'run-puppet':
        ensure => present,
        user   => 'wanghui',
        command => '/usr/local/bin/pull-updates',
        minute  => '*/10',
        hour    => '*',
    }
    }
  • Run it
    [wanghui@centos6-node1 ~]$ papply 
    Notice: /Stage[main]/Puppet/File[/usr/local/bin/pull-updates]/ensure: defined content as '{md5}a09bce602a7726b5b9ccb8e5a1ddf1cd'
    Notice: Finished catalog run in 0.04 seconds
  • Test
    • Check that the SSH key has been correctly authorized by GitHub
      [wanghui@centos6-node1 ~]$ ssh git@github.com
      PTY allocation request failed on channel 0
      Hi wanghui122725501! You've successfully authenticated, but GitHub does not provide shell access.
      Connection to github.com closed.
    • Check that pull-updates runs correctly
      [wanghui@centos6-node1 ~]$ pull-updates
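
Because cron applies whatever `git pull` brings in as root every 10 minutes, the pull step is the trust boundary of this setup. The following is an added example, not part of the original post: a variant of pull-updates.sh that refuses overlapping runs and only accepts fast-forward updates before calling papply. The lock path and the `pull_and_apply` function name are assumptions; the other paths are the ones used above.

```bash
#!/bin/bash
# Added example: locked, fast-forward-only variant of pull-updates.sh.
# REPO_DIR and PAPPLY are the paths used in this post; LOCK_DIR is an assumption.
REPO_DIR="${REPO_DIR:-/home/wanghui/puppet}"
PAPPLY="${PAPPLY:-/usr/local/bin/papply}"
LOCK_DIR="${LOCK_DIR:-/home/wanghui/.pull-updates.lock}"
GIT="${GIT:-git}"

pull_and_apply() {
    # mkdir is atomic, so the directory works as a lock: a run started by cron
    # while the previous one is still applying exits instead of overlapping.
    # A lock left behind by a killed run has to be removed by hand.
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "pull-updates: previous run still holds $LOCK_DIR" >&2
        return 75
    fi
    _rc=0
    (
        cd "$REPO_DIR" || exit 1
        # --ff-only refuses to merge: local edits on the node or a rewritten
        # upstream history stop the run instead of being merged and applied.
        "$GIT" pull --ff-only --quiet origin master || exit 2
        # papply runs only after a clean pull.
        "$PAPPLY" || exit 3
    ) || _rc=$?
    rmdir "$LOCK_DIR"
    return "$_rc"
}

# Run only when invoked under its own name (pull-updates or pull-updates.sh),
# so the cron command from init.pp stays unchanged.
case "$0" in
    *pull-updates*) pull_and_apply ;;
esac
```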