Puppet deployment and application

Puppet is a centralized configuration management system for Linux, Unix and Windows. It uses its own Puppet description language to manage configuration files, users, cron jobs, software packages, system services and so on. Puppet calls these system entities resources; its design goal is to simplify the management of those resources and to handle the dependencies between them properly.

Puppet uses a client/server star topology: every client talks to one or a few servers. Each client periodically (every half hour by default; the interval is configurable) sends a request to the server, downloads its latest configuration and brings itself into line with it, applying the configuration strictly as written. When the run finishes, the client can report a message back to the server, and it also reports back if something went wrong.

 


Lab deployment


Environment

192.168.200.202    centos6    master.linuxwang.cn

192.168.200.203    centos6    client1.linuxwang.cn

192.168.200.204    centos6    client2.linuxwang.cn


Set hostnames

Configure local name resolution on all hosts

[root@client1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.202 master.linuxwang.cn
192.168.200.203 client1.linuxwang.cn
192.168.200.204 client2.linuxwang.cn

[root@client1 ~]# for i in 203 204 202; do rsync /etc/hosts root@192.168.200.$i:/etc/hosts; done   ## push the hosts file above to all three nodes (the loop was cut off in the original; the target path and push direction are assumed)


Configure the time synchronization (NTP) server

[root@master ~]# rpm -qa ntp
ntp-4.2.6p5-1.el6.centos.x86_64
[root@master ~]# sed -i '/^server/s/^/#/g' /etc/ntp.conf
[root@master ~]# sed -i '$aserver 127.127.1.0\nfudge 127.127.1.0 stratum 8' /etc/ntp.conf
[root@master ~]# /etc/init.d/ntpd restart
關閉 ntpd:                                                  [失敗]
正在啓動 ntpd:                                            [確定]

[root@master ~]# chkconfig ntpd on

[root@client1 ~]# /usr/sbin/ntpdate 192.168.200.202
18 Aug 16:49:12 ntpdate[1264]: adjust time server 192.168.200.202 offset 0.090238 sec
[root@client1 ~]# echo "*/5 * * * * /usr/sbin/ntpdate 192.168.200.202" >>/var/spool/cron/root
[root@client1 ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate 192.168.200.202


Set up the Puppet service on the master

Download the packages: facter-1.7.1.tar.gz and puppet-2.7.21.tar.gz

Install the dependencies: yum -y install compat-readline5 ruby*

Ruby is a simple, fast object-oriented scripting language.


[root@master ~]# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]


Create a dedicated user for Puppet

useradd -s  /sbin/nologin puppet


Alongside Puppet as the configuration management tool, facter is a very useful system inventory tool, and custom facts let you attach more labels to each node.

Facter identifies a host through a set of predefined variables: for example, lsbdistrelease gives the current OS release, and osfamily tells you whether the system is RedHat, SLES or something else. These predefined variables are limited, though. Across an automated operations workflow, the variety of deployed applications means hosts more often need to be identified by application name or role, so custom facts are defined and assigned to each node, which amounts to tagging the nodes.


Install facter and puppet

[root@master ~]# ls
anaconda-ks.cfg  facter-1.7.1.tar.gz  install.log  install.log.syslog  puppet-2.7.21.tar.gz
[root@master ~]# tar zxf facter-1.7.1.tar.gz
[root@master ~]# cd facter-1.7.1
[root@master facter-1.7.1]# ruby install.rb  # install


tar zxf puppet-2.7.21.tar.gz

cd puppet-2.7.21

ruby install.rb


Create the installation script

[root@master ~]# cat install_facter_puppet.sh
#!/bin/bash
# Install facter and puppet from source on a CentOS 6 node
yum -y install compat-readline5 ruby*  &>/dev/null   # ruby plus the readline compat library
ruby -v
useradd -s /sbin/nologin puppet                       # dedicated service account with no login shell
# the tarballs are fetched over plain FTP; nothing here verifies a checksum
wget ftp://ftp.linuxfan.cn/tools/facter-1.7.1.tar.gz -P /root/ &>/dev/null
wget ftp://ftp.linuxfan.cn/tools/puppet-2.7.21.tar.gz -P /root/ &>/dev/null
tar zxf /root/facter-1.7.1.tar.gz  &>/dev/null
cd /root/facter-1.7.1
ruby install.rb  &>/dev/null
cd
facter                                                # print the facts to confirm facter works
tar zxf /root/puppet-2.7.21.tar.gz  &>/dev/null
cd /root/puppet-2.7.21
ruby install.rb   &>/dev/null
cd


Configure the puppetmaster startup files

[root@master ~]# cp puppet-2.7.21/conf/redhat/{fileserver.conf,puppet.conf} /etc/puppet/
[root@master ~]# ls /etc/puppet/
auth.conf  fileserver.conf  puppet.conf
[root@master ~]# cp puppet-2.7.21/conf/redhat/server.init /etc/init.d/puppetmaster
[root@master ~]# chmod +x /etc/init.d/puppetmaster
[root@master ~]# chkconfig --add puppetmaster
[root@master ~]# mkdir -p /etc/puppet/{manifests,modules}
[root@master ~]# ls /etc/puppet/
auth.conf  fileserver.conf  manifests  modules  puppet.conf
[root@master ~]# sed -i '/ssldir/a      modulepath = /etc/puppet/modules:/usr/share/puppet/modules' /etc/puppet/puppet.conf

[root@master ~]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
modulepath = /etc/puppet/modules:/usr/share/puppet/modules

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
[root@master ~]# /etc/init.d/puppetmaster start
啓動 puppetmaster:                                        [確定]
[root@master ~]# netstat -uptln |grep 8140
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      7310/ruby           
[root@master ~]# ps aux |grep puppet
puppet     7310  0.0  8.5 138476 41772 ?        Ssl  17:20   0:00 /usr/bin/ruby /usr/sbin/puppetmasterd
root       7317  0.0  0.1 103256   852 pts/0    S+   17:20   0:00 grep puppet


Configure client1/2

Copy the installation script over for a quick install

[root@client2 ~]# scp root@192.168.200.202:/root/install_facter_puppet.sh ./
root@192.168.200.202's password:
install_facter_puppet.sh                                             100%  469     0.5KB/s   00:00    
[root@client2 ~]# ls
anaconda-ks.cfg  install_facter_puppet.sh  install.log  install.log.syslog
[root@client2 ~]# sh -x install_facter_puppet.sh


Configure the client

[root@client1 ~]# cp puppet-2.7.21/conf/redhat/puppet.conf /etc/puppet/
[root@client1 ~]# cp puppet-2.7.21/conf/redhat/client.init /etc/init.d/puppetclient
[root@client1 ~]# chmod +x /etc/init.d/puppetclient
[root@client1 ~]# chkconfig --add puppetclient
[root@client1 ~]# sed -i '/ssldir/a    server = master.linuxwang.cn' /etc/puppet/puppet.conf

[root@client1 ~]# puppet agent --server=master.linuxwang.cn --no-daemonize --verbose
info: Caching certificate for ca
info: Creating a new SSL certificate request for client1.linuxwang.cn
info: Certificate Request fingerprint (md5): C3:11:66:D6:E2:B5:B0:84:2F:3C:48:8F:CA:49:E6:FF
^CCancelling startu


[root@master ~]# ps aux |grep puppet

puppet     7310  0.0  8.5 138476 41772 ?        Ssl  17:20   0:00 /usr/bin/ruby /usr/sbin/puppetmasterd
root       7317  0.0  0.1 103256   852 pts/0    S+   17:20   0:00 grep puppet

[root@master ~]# puppet cert --list   ## list the clients whose certificate requests are pending
  "client1.linuxwang.cn" (C3:11:66:D6:E2:B5:B0:84:2F:3C:48:8F:CA:49:E6:FF)
  "client2.linuxwang.cn" (C5:57:BC:9C:93:C5:03:7F:13:48:16:14:3B:40:8D:09)
[root@master ~]# puppet cert sign --all   ## sign every pending request (compare each fingerprint with the one the agent printed before doing this)
notice: Signed certificate request for client2.linuxwang.cn
notice: Removing file Puppet::SSL::CertificateRequest client2.linuxwang.cn at '/var/lib/puppet/ssl/ca/requests/client2.linuxwang.cn.pem'
notice: Signed certificate request for client1.linuxwang.cn
notice: Removing file Puppet::SSL::CertificateRequest client1.linuxwang.cn at '/var/lib/puppet/ssl/ca/requests/client1.linuxwang.cn.pem'
[root@master ~]# ls -l /var/lib/puppet/ssl/ca/signed/   # list the clients that have been signed

總用量 12
-rw-r----- 1 puppet puppet 1923 8月  18 17:53 client1.linuxwang.cn.pem
-rw-r----- 1 puppet puppet 1923 8月  18 17:53 client2.linuxwang.cn.pem
-rw-r----- 1 puppet puppet 2004 8月  18 17:20 master.linuxwang.cn.pem



Additional notes:

If a client fails to register, or registration breaks after a reboot or similar, it can be registered again:

On the client:

rm -rf /var/lib/puppet/ssl/

On the master:

rm -rf /var/lib/puppet/ssl/ca/signed/client*.linuxwang.cn   ## remove the old signed certificate; the client hosts live under linuxwang.cn

Then register again:

puppet agent --server=master.linuxwang.cn --no-daemonize --verbose  ## the client requests a certificate

puppet cert sign --all   ## sign the pending requests on the master
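Both the initial signing step and the re-registration above use `puppet cert sign --all`, which trusts every pending request, including one from a host that merely claims a client's name. The shell helper below is an added example, not code from the original post: it signs one named request only after its fingerprint matches the value that agent printed as "Certificate Request fingerprint (md5)". The pending list embedded in it is a constructed sample modelled on the `puppet cert --list` output above plus a made-up third host, and the parser assumes Puppet 2.7's one-request-per-line format.

```shell
#!/bin/bash
# Constructed sample of `puppet cert --list` output on the master (Puppet 2.7 format:
# one pending request per line, name in quotes, md5 fingerprint in parentheses).
# The first two lines mirror the requests above; the third is a made-up extra host.
SAMPLE_LIST='  "client1.linuxwang.cn" (C3:11:66:D6:E2:B5:B0:84:2F:3C:48:8F:CA:49:E6:FF)
  "client2.linuxwang.cn" (C5:57:BC:9C:93:C5:03:7F:13:48:16:14:3B:40:8D:09)
  "unknown.example.test" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)'

# pending_fingerprint LIST HOST -> prints the fingerprint of HOST's pending request,
# or returns 1 when no request for exactly that name is waiting.
pending_fingerprint() {
    local list=$1 host=$2
    printf '%s\n' "$list" | awk -v h="\"$host\"" '
        $1 == h { gsub(/[()]/, "", $2); print $2; found = 1 }
        END { exit !found }'
}

# csr_matches LIST HOST EXPECTED -> 0 only if HOST's pending request carries EXPECTED,
# the value the agent printed as "Certificate Request fingerprint (md5)".
csr_matches() {
    local actual
    actual=$(pending_fingerprint "$1" "$2") || return 1
    [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" = "$(printf '%s' "$3" | tr 'a-f' 'A-F')" ]
}

# sign_verified HOST EXPECTED -> signs that one request, and only after the check passes.
# Run this on the master in place of `puppet cert sign --all`.
sign_verified() {
    local list
    list=$(puppet cert --list) || return 1
    if csr_matches "$list" "$1" "$2"; then
        puppet cert sign "$1"
    else
        echo "refusing to sign $1: no pending request with fingerprint $2" >&2
        return 1
    fi
}
```

The agent side is unchanged: it still runs `puppet agent --server=master.linuxwang.cn --no-daemonize --verbose`, and the fingerprint it prints is what you pass to `sign_verified`.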



Configure a Puppet example (the key and most difficult part)

mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}

mkdir /etc/puppet/manifests/nodes

mkdir /etc/puppet/modules/ssh/files/ssh

chown -R puppet /etc/puppet/modules/

yum -y install tree

[root@master ~]# tree /etc/puppet/
/etc/puppet/
├── auth.conf
├── fileserver.conf
├── manifests          (resources: server install, crond, user groups, commands)
│   └── nodes
├── modules            (modules)
│   └── ssh
│       ├── files
│       │   └── ssh
│       ├── manifests
│       └── templates
└── puppet.conf


[root@master ~]# cat /etc/puppet/modules/ssh/manifests/config.pp
# Publishes the centrally maintained sshd_config to every node that includes ssh
class ssh::config {
    file { "/etc/ssh/sshd_config":
        ensure  => present,
        owner   => "root",
        group   => "root",
        mode    => "0600",
        # $puppetserver is never defined in this setup, so it expands to an empty
        # host part and the URL resolves to puppet:///modules/ssh/ssh/sshd_config,
        # i.e. the agent's configured server serves the module's files/ssh/sshd_config
        source  => "puppet://$puppetserver/modules/ssh/ssh/sshd_config",
        require => Class["ssh::install"],   # package must be installed first
        notify  => Class["ssh::service"],   # restart sshd whenever the file changes
    }
}

[root@master ~]# cat /etc/puppet/modules/ssh/manifests/install.pp
class ssh::install {
    package { "openssh":
        ensure => present,
    }
}

[root@master ~]# cat /etc/puppet/modules/ssh/manifests/init.pp
# Entry point: including "ssh" pulls in install, config and service
class ssh {
    include ssh::install, ssh::config, ssh::service
}

[root@master ~]# cat /etc/puppet/modules/ssh/manifests/service.pp
class ssh::service {
    service { "sshd":
        ensure     => running,
        hasstatus  => true,     # the init script supports "status"
        hasrestart => true,     # the init script supports "restart"
        enable     => true,     # start at boot
        require    => Class["ssh::config"],
    }
}

Create the centrally maintained configuration file: sshd_config

cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/  ## copy the config file

sed -i '/^#Port 22$/aPort 9922' /etc/puppet/modules/ssh/files/ssh/sshd_config  ## change the port in the file to be published; the pattern is anchored on the commented default, because a bare /Port/ also matches "#GatewayPorts no" and inserts a second Port line


[root@master ~]# cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/
[root@master ~]# sed -i '/^#Port 22$/aPort 9922' /etc/puppet/modules/ssh/files/ssh/sshd_config   ## anchored: only the commented default gets the new directive
[root@master ~]# vi /etc/puppet/manifests/nodes/ssh.pp

[root@master ~]# echo 'import "nodes/ssh.pp"' >>/etc/puppet/manifests/site.pp   ## must match the file name created above, nodes/ssh.pp
[root@master ~]# chown puppet:puppet /etc/puppet/modules/ -R
[root@master ~]# chown puppet:puppet /etc/puppet/manifests/ -R
[root@master ~]# tree /etc/puppet/modules/ssh/
/etc/puppet/modules/ssh/
├── files
│   └── ssh
│       └── sshd_config
├── manifests
│   ├── config.pp
│   ├── init.pp
│   ├── install.pp
│   └── service.pp
└── templates
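Preparing the published sshd_config by hand with an unanchored `sed '/Port/a...'` is what produces a duplicated Port line, so here is an added shell helper (not from the original post) that does the copy-and-edit step above with a check: it inserts the port after the commented default only and refuses to publish unless exactly one active Port directive results. It assumes the `#Port 22` line of the CentOS 6 default config as the anchor, and `syntax_check` assumes it runs on a host with /usr/sbin/sshd installed.

```shell
#!/bin/bash
# publish_sshd_config SRC DEST PORT
# Copies SRC to DEST (the module's files/ssh/sshd_config on the master), inserts
# "Port PORT" after the commented default "#Port 22" only, and refuses to publish
# unless exactly one active Port directive results. An unanchored '/Port/' pattern
# also matches "#GatewayPorts no", which is how a second "Port 9922" line appears.
publish_sshd_config() {
    local src=$1 dest=$2 port=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    cp "$src" "$dest" || return 1
    sed -i '/^#Port 22$/a Port '"$port" "$dest"
    local n
    n=$(grep -c '^Port ' "$dest" || true)
    if [ "$n" -ne 1 ]; then
        echo "refusing to publish $dest: expected 1 Port directive, found $n" >&2
        rm -f "$dest"
        return 1
    fi
}

# active_port FILE -> the port sshd would bind from FILE (first active Port line, else 22)
active_port() {
    local p
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# syntax_check FILE -> runs sshd's own config parser on FILE before it is published.
# Assumed to run on the master, where /usr/sbin/sshd exists (sshd -t also expects
# the host keys to be present).
syntax_check() {
    /usr/sbin/sshd -t -f "$1"
}
```

After `publish_sshd_config /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/sshd_config 9922`, the agent diff should show a single `+Port 9922` line under `#Port 22`.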


Restart the service

Test a pull from the client


[root@client1 ~]# puppet agent -t
info: Caching catalog for client1.linuxwang.cn
info: Applying configuration version '1503051937'
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content:
--- /etc/ssh/sshd_config    2017-04-15 17:00:20.199199515 +0800
+++ /tmp/puppet-file20170818-8016-rxh78k-0    2017-08-18 18:25:40.184909549 +0800
@@ -11,6 +11,7 @@
 # default value.
 
 #Port 22
+Port 9922
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
@@ -105,6 +106,7 @@
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
+Port 9922
 #X11Forwarding no
 X11Forwarding yes
 #X11DisplayOffset 10
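Review bot: the second `+Port 9922` in this hunk, inserted under `#GatewayPorts no`, is a side effect of the unanchored sed pattern `/Port/` used when the file was prepared, which also matched that line; sshd accepts a repeated Port with the same value, so the run still succeeds, but the edit should be anchored (for example `/^#Port 22$/`) so the published file carries one directive and a later port change does not leave two different ports listening.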

info: FileBucket adding {md5}0ac17033eef95b55d21b69501c362ae9
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 0ac17033eef95b55d21b69501c362ae9
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: content changed '{md5}0ac17033eef95b55d21b69501c362ae9' to '{md5}45aac0e92d859a59ae3cccc654285248'
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Class[Ssh::Service]
info: Class[Ssh::Service]: Scheduling refresh of Service[sshd]
notice: /Stage[main]/Ssh::Service/Service[sshd]: Triggered 'refresh' from 1 events
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 1.89 seconds


[root@client1 ~]# grep 22 /etc/ssh/sshd_config
#Port 22
Port 9922
Port 9922
[root@client1 ~]# netstat -utpln |grep sshd
tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      8176/sshd           
tcp        0      0 :::9922                     :::*                        LISTEN      8176/sshd


[root@client2 ~]# echo "listen = true" >>/etc/puppet/puppet.conf   ## lands in the [agent] section: the agent listens on port 8139 for puppet kick
[root@client2 ~]# echo "allow *" >>/etc/puppet/auth.conf           ## auth.conf rules attach to the preceding path stanza, so this opens the file's last stanza to every host rather than the master only
[root@client2 ~]# /etc/init.d/puppetclient restart
停止 puppet:                                              [失敗]
啓動 puppet:                                              [確定]
[root@client2 ~]# netstat -utpln |grep sshd
tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      7855/sshd           
tcp        0      0 :::9922                     :::*                        LISTEN      7855/sshd 


Setup succeeded; a few further operations will be covered later, so stay tuned.


