Puppet: Getting Started
Installation
aptitude install puppet puppetmaster
How it works
Puppet communicates securely over SSL; before normal synchronization can take place, the client must obtain a certificate and have it signed (authenticated). Puppet's run cycle is roughly:
The client sends its facts to the server and requests a catalog; the server compiles the information about that client from class files and other sources into a catalog and returns it; the client then performs a series of check and synchronization operations according to the catalog.
Puppet resource types and attributes
3.1 Resources
Resources are the basic elements into which Puppet decomposes the management of a host; a resource's attributes control the state of the resource.
Example (puppet resource file):
file {'/root/':
  ensure => 'directory',
  group  => '0',
  owner  => '0',
  mode   => '700',
}
The resource type is file, the title is /root/, and the rest is the attribute part. All attributes of a resource type, with help text, can be viewed with puppet describe RESOURCE_TYPE. Common resource types include user, group, file, package, service, cron, exec, notify, and so on.
3.2 Writing resource types in detail
3.2.1 The user resource
User:
user {'liuliancao':
  ensure     => present,
  # whether duplicate uids are allowed
  allowdupe  => true,
  uid        => '503',
  # account expiry date (Puppet requires the YYYY-MM-DD form)
  expiry     => '2016-08-13',
  # create and manage the home directory
  managehome => true,
  home       => '/home/liuliancao',
  shell      => '/bin/bash',
}
User group:
group {'system':
  ensure    => present,
  name      => 'system',
  allowdupe => false,
  gid       => '15',
  members   => ['liuliancao','luqixue'],
}
3.2.3 The package resource
# a selector: choose the package name according to the operating system
$ssl = $operatingsystem ? {
  solaris => 'SMCossl',
  default => 'openssl',
}
package {$ssl:
  ensure   => installed,
  # alias: other resources can then refer to this one as Package['openssl']
  alias    => 'openssl',
  # the Debian package provider is named apt (apt-get is not a provider name)
  provider => apt,
}
3.2.4 The file resource
file {'/tmp/llc_test.txt':
  ensure  => file,
  owner   => liuliancao,
  group   => system,
  # file permissions
  mode    => '644',
  # file content
  content => 'This is a puppet test.',
}
file {'/tmp/llc_test2.txt':
  ensure => file,
  owner  => liuliancao,
  group  => system,
  # where the file is fetched from (double quotes so that $fileserver is interpolated)
  source => "puppet://${fileserver}/modules/test/test.txt",
}
3.2.5 Service management: service
service {'sshd':
  # true also works here
  ensure     => running,
  # whether the service starts at boot
  enable     => true,
  subscribe  => File['/etc/sshd/ssh_config'],
  hasrestart => true,
  # when sshd must be restarted, Puppet uses the restart command if one is given;
  # otherwise, if hasrestart is true it tries the init script's restart, and if not
  # it falls back to a stop followed by a start
  restart    => '/etc/init.d/sshd restart',
}
3.2.6 Scheduled tasks: cron
cron {'ntpdate':
  command => "/usr/sbin/ntpdate ntpserver.domain.com",
  user    => root,
  # every 2 hours from 23:00 to 07:00 the next day, and once more at 08:00
  hour    => '23-7/2,8',
  minute  => 0,
}
3.2.7 Command execution: exec
exec {'tar xf /tmp/nginx-1.3.8.tar.gz':
  # working directory
  cwd     => '/tmp',
  # only run this exec while the named file does not exist yet
  creates => '/tmp/myfile',
  # search path used to find the command (PATH)
  path    => ['/usr/bin', '/usr/sbin', '/bin'],
}
file {'/etc/aliases':
  source => 'puppet://server/module/aliases',
}
exec {'newaliases':
  path        => ['/usr/sbin','/usr/bin','/bin'],
  subscribe   => File['/etc/aliases'],
  # refreshonly: run only when a resource this exec depends on has changed;
  # it is only meaningful together with subscribe or notify (the value is lowercase true)
  refreshonly => true,
}
3.3 Resource dependencies and refresh relationships
Because Puppet does not necessarily apply the contents of a manifest in the order written, ordering and dependency relationships have to be declared.
Dependency relationships: require, before
file {'/etc/sshd/ssh_config':
  ensure  => file,
  require => Package['sshd'],
}
require: the file resource is applied only after the sshd package resource has been satisfied. The type name in the reference must be capitalized.
package {'sshd':
  ensure => installed,
  before => File['/etc/sshd/ssh_config'],
}
before: "package before file". Only one of the two needs to be written to fix the order; use whichever matches your own way of thinking.
Refresh relationships: notify, subscribe
file {'/etc/sshd/ssh_config':
  ensure  => file,
  require => Package['sshd'],
  notify  => Service['sshd'],
}
service {'sshd':
  ensure    => running,
  subscribe => File['/etc/sshd/ssh_config'],
}
notify: active notification. When this resource changes, it notifies the resources that depend on it; here, a change to the ssh_config file is propagated to the service.
subscribe: a subscription. When the resource subscribed to changes, this resource is refreshed as a result.
Chaining arrows:
-> expresses a require dependency; ~> expresses a notify refresh
Package['sshd'] -> File['/etc/sshd/ssh_config'] ~> Service['sshd']
3.4 package, file, service
# the ssh service as an example
package {'openssh-server':
  ensure => present,
  before => File['/etc/ssh/sshd_config'],
}
file {'/etc/ssh/sshd_config':
  ensure => file,
  # files served from a module use the puppet:///modules/<module>/<file> form
  source => 'puppet:///modules/ssh/sshd_config',
}
service {'sshd':
  ensure    => running,
  enable    => true,
  subscribe => File['/etc/ssh/sshd_config'],
}
Puppet syntax
4.1 Conditionals
# notify is a resource type, not a function, so it is declared like any other resource
if $operatingsystem in ['Ubuntu','debian'] {
  notify {'Ubuntu system detected!': }
} elsif $operatingsystem in ['Centos','Redhat','Fedora','SuSE'] {
  notify {'Centos type system detected!': }
} else {
  notify {'Some other system detected!': }
}

# case statement: no commas between the branches
case $operatingsystem {
  'Solaris':           { include role::solaris }
  'RedHat','Centos':   { include role::redhat }
  /^(debian|Ubuntu)$/: { include role::debian }
  default:             { include role::generic }
}

# selector: returns a value
$rootgroup = $osfamily ? {
  'Solaris'          => 'wheel',
  /(Darwin|FreeBSD)/ => 'wheel',
  default            => 'root',
}
4.2 Variables and scope
Puppet, continued
The contents of one class definition file, taken from the Learning Puppet document, p. 41
# Class: ntp
#
# This class installs/configures/manages NTP. It can optionally disable NTP
# on virtual machines. Only supported on Debian-derived and Red Hat-derived OSes.
#
# Parameters:
#  - $servers: An array of NTP servers, with or without +iburst+ and +dynamic+
#    statements appended. Defaults to the OS's defaults.
#  - $enable  Whether to start the NTP service on boot. Defaults to true.
#    Valid values: true and false.
#  - $ensure  Whether to run the NTP service. Defaults to running.
#    Valid values: running and stopped.
#
# Requires:
#  Nothing.
#
# Sample Usage:
#  class {'ntp':
#    servers => ['ntp1.puppetlabs.lan dynamic',
#                'ntp2.puppetlabs.lan dynamic',],
#  }
#  class {'ntp':
#    enable => false,
#    ensure => stopped,
#  }
class ntp ($servers = undef, $enable = true, $ensure = running) {
  case $operatingsystem {
    centos, redhat: {
      $service_name    = 'ntpd'
      $conf_template   = 'ntp.conf.e1.erb'
      $default_servers = [ "0.centos.pool.ntp.org",
                           "1.centos.pool.ntp.org",
                           "2.centos.pool.ntp.org", ]
    }
    debian, ubuntu: {
      $service_name    = 'ntp'
      $conf_template   = 'ntp.conf.debian.erb'
      $default_servers = [ "0.debian.pool.ntp.org",
                           "1.debian.pool.ntp.org",
                           "2.debian.pool.ntp.org", ]
    }
  }

  # fall back to the OS defaults when no servers were passed in
  if $servers == undef {
    $servers_real = $default_servers
  } else {
    $servers_real = $servers
  }

  package { 'ntp':
    ensure => installed,
  }

  service { 'ntp':
    name      => $service_name,
    ensure    => $ensure,
    enable    => $enable,
    subscribe => File['ntp.conf'],
  }

  file { 'ntp.conf':
    path    => '/etc/ntp.conf',
    ensure  => file,
    require => Package['ntp'],
    content => template("ntp/${conf_template}"),
  }
}
Template (ERB) syntax
1 Regular variables
For example, operatingsystem as obtained by Facter:
<%= @operatingsystem %> references its value. The @ can be omitted, but using it avoids variable-name conflicts.
Variables outside the local scope can be looked up through the scope object:
<%= scope.lookupvar('apache::user') %>
2 Conditionals
<% if @myvar %> my var has <%= @myvar %> value<% end %>
3 Array iteration
For example, with $arr = ['1','2','a','b']:
<% arr.each do | val | -%>
array has value <%= val %>
<% end -%>
Here <% -%> means the newline that follows the tag is not emitted; without it there would be two extra newlines.
4 Using templates: in the .pp file, calling template(a, b) is all that is needed.
5 Syntax checking: an erb file's syntax can be checked as follows
root@debian:/etc/puppet/modules# cat test/templates/test.erb
%First hostname <%= fqdn %>
%Second
<% if @operatingsystem %> the system is <%= @operatingsystem %> <% end %>
%Third
$arr = ['1','2','3']
<% arr.each do |val| -%> arr has value <%= val %>! <% end -%>
root@debian:/etc/puppet/modules# erb -P -x -T '-' test/templates/test.erb | ruby -c
Syntax OK
# -P: ignore lines beginning with %   -x: print the generated ruby script   -T: set the trim mode, i.e. whether newlines are output
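An added ERB template, not from this page or from Learning Puppet, showing what the ntp.conf.debian.erb referenced by the ntp class above could look like: it reads the class's $servers_real array with the -%> trim mode explained in this section and adds restrict lines so the daemon only answers time queries. The module path in the first line is an assumption.

```erb
<%# /etc/puppet/modules/ntp/templates/ntp.conf.debian.erb (assumed path; added example) -%>
# /etc/ntp.conf managed by Puppet for <%= @fqdn %> (<%= @operatingsystem %>)
# Local changes will be overwritten on the next agent run.
driftfile /var/lib/ntp/ntp.drift

<%# @servers_real is set by the ntp class; guard against it being unset or empty -%>
<% if @servers_real.nil? || @servers_real.empty? -%>
# WARNING: no NTP servers configured; this node will not synchronize its clock
<% else -%>
<% @servers_real.each do |srv| -%>
server <%= srv %>
<% end -%>
<% end -%>

# Default policy for everyone else: time queries only, no modification,
# no peering and no mode 6/7 control queries
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# The local host may still query and manage the daemon (e.g. with ntpq)
restrict 127.0.0.1
restrict ::1
```

It can be syntax-checked the same way the page does it: erb -P -x -T '-' ntp.conf.debian.erb | ruby -c.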
hiera
When the .pp files in manifests become cluttered with too many conditionals, it is time to customize the configuration by defining data as variables. Puppet's hiera mechanism implements the most commonly needed lookup filters: by domain name, by operating system, by the module being called, and so on. With hiera, a typical catalog query becomes more involved. The process is as follows:
After the connection is established, a Puppet agent requests its own catalog from the server and the master starts the lookup. It first checks the .pp files under the nodes directory of the corresponding manifests and evaluates them in order. When hiera is involved, something like hiera_include('classes') is first added to /etc/puppet/manifests/site.pp to declare the classes to be included at that point. Without hiera, the .pp file for the node under the nodes directory may likewise include the relevant modules and classes; either way this is an additive process.
/etc/puppet/hiera.yaml defines several lookup levels (see the hiera section of the official documentation for details); in essence it maps each level to a data file. The levels are combined as a union: what matches level 1 is applied, and what matches level 2 is applied as well, so the classes lists are added together. Finally the contents of these YAML or JSON files are read; their end effect is the same as that of the .pp files under the nodes directory. Most of it consists of parameter declarations for existing modules.
The above may be a bit abstract; for a concrete case, see the example combining Puppet, nginx and hiera.