I. About Puppet
1. What is Puppet?
Puppet is a centralized configuration management system for Linux and Unix platforms. It uses its own Puppet description language and can manage configuration files, users, cron jobs, software packages, system services and so on. Puppet calls these system entities resources; its design goal is to simplify the management of these resources and to handle the dependencies between them properly.
Puppet uses a star-shaped client/server structure in which all clients talk to one or a few servers. Each client periodically (every half hour by default) sends a request to the server, fetches its latest configuration and brings itself in line with it. Every puppet client connects to the server once every half hour (configurable with runinterval=30), downloads the latest configuration and configures the host strictly according to it. When the run finishes, the client can report a message back to the server; if something goes wrong, it reports that as well.
2. Why use Puppet?
Managing 10 servers? You will say that is trivial, no pressure at all. Managing 100 servers? You will probably still call it trivial. But what about 1000+ servers, with different machines, different operating systems, different software versions and different configurations? That is when it starts to hurt, and that is where Puppet earns its keep by raising efficiency.
3. Puppet architecture
4. How it works, briefly:
When Puppet runs as a daemon it executes every half hour by default, and that interval is not very convenient to change. Consider not running it in the background at all and instead invoking it from crontab; that gives precise control over when each client runs, and staggering the run times also reduces the load on the master.
A Puppet run breaks down into the following steps:
1. The client puppetd calls facter, which discovers facts about this host such as the hostname, memory size and IP address; puppetd then sends this information to the server.
2. The server-side puppetmaster identifies the client's hostname, finds the matching node definition in the manifest and parses that content. The facts sent by facter are available as variables during this processing. Only the code that the node involves is parsed; the rest is not. Parsing has several phases: a syntax check, then generation of an intermediate pseudo-code, which is then sent to the client.
3. On receiving the pseudo-code the client executes it and sends the results back to the server.
4. The server writes the client's results to its log.
II. Installing Puppet on master and client (the same steps on the central server and on the clients)
1. Change the hostname
# cat /etc/sysconfig/network
- NETWORKING=yes
- NETWORKING_IPV6=no
- HOSTNAME=puppet.test.com
2. Install gcc and openssl
- yum -y install '*gcc*'
- yum -y install openssl
3. Install Ruby
- mkdir -p /fgn/soft/ && cd /fgn/soft/
- wget http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p334.tar.gz
- tar zxvf ruby-1.8.7-p334.tar.gz
- cd ruby-1.8.7-p334
- ./configure && make && make install
4. Required Ruby libraries
- base64
- cgi
- digest/md5
- etc
- fileutils
- ipaddr
- openssl
- strscan
- syslog
- uri
- webrick
- webrick/https
- xmlrpc/client
- for i in base64 cgi digest/md5 etc fileutils ipaddr openssl strscan syslog uri webrick webrick/https xmlrpc/client
- do
-     /usr/local/bin/ruby -r$i -e "puts :installed"   # prints "installed" once per library; a LoadError names the missing one
- done
5. Install facter
- cd ..
- wget http://downloads.puppetlabs.com/facter/facter-1.5.8.tar.gz
- tar zxvf facter-1.5.8.tar.gz
- cd facter-1.5.8
- ruby install.rb
6. Install Puppet
- cd ..
- wget http://downloads.puppetlabs.com/puppet/puppet-2.6.7.tar.gz
- tar zxvf puppet-2.6.7.tar.gz
- cd puppet-2.6.7
- ruby install.rb --full --bindir=/usr/bin --sbindir=/usr/sbin
Puppet master configuration:
- if [ -e /etc/SuSE-release ]; then
-     cp conf/suse/server.init /etc/init.d/puppetmasterd
- else
-     cp conf/redhat/server.init /etc/init.d/puppetmasterd
- fi
- groupadd puppet
- useradd -g puppet puppet -M
- chmod +x /etc/init.d/puppetmasterd
- mkdir -p /var/lib/puppet/rrd
- chown puppet:puppet /var/lib/puppet/rrd/
- mkdir -p /var/run/puppet/
- chown puppet:puppet /var/run/puppet/
- chkconfig --add puppetmasterd
- chkconfig puppetmasterd on
- /etc/init.d/puppetmasterd start
Client configuration:
- if [ -e /etc/SuSE-release ]; then
-     cp conf/suse/client.init /etc/init.d/puppetd
- else
-     cp conf/redhat/client.init /etc/init.d/puppetd
- fi
- cat <<EOF > /etc/puppet/puppet.conf
- [main]
- ssl_client_header = SSL_CLIENT_S_DN
- ssl_client_verify_header = SSL_CLIENT_VERIFY
- [agent]
- listen = true
- report = true
- show_diff = true
- runinterval = 300
- server = puppet.test.com
- ca_port = 8141
- EOF
- cat <<EOF > /etc/puppet/namespaceauth.conf
- [puppetrunner]
- allow cloudcenter.test.net
- EOF
- chmod +x /etc/init.d/puppetd
- chkconfig --add puppetd
- chkconfig puppetd on
- [ -x /usr/sbin/puppetd ] || ln -sf /usr/local/sbin/puppetd /usr/sbin/puppetd   # only needed if puppet was installed without --sbindir=/usr/sbin
- /etc/init.d/puppetd restart
- echo "192.168.0.1 puppet.test.com puppet" >> /etc/hosts   # 192.168.0.1 is the master's address
III. Configuring the master
1. Puppet directory layout (/etc/puppet)
|-- puppet.conf        # main configuration file
|-- fileserver.conf    # file server configuration
|-- auth.conf          # authentication/authorization configuration
|-- autosign.conf      # automatic certificate signing configuration
|-- tagmail.conf       # mail configuration (sends error messages)
|-- manifests          # manifest directory (puppet reads the .pp files here first, starting with site.pp)
|   |-- nodes
|   |   |-- puppetclient.pp
|   |-- site.pp        # defines puppet-wide variables and default settings
|   |-- modules.pp     # loads class modules (include syslog)
|-- modules            # module definitions
|   |-- syslog         # syslog as an example
|       |-- files
|       |-- manifests
|       |   |-- init.pp
|       |-- templates  # module template directory
|           |-- syslog.erb   # erb template
2. Configuration files
- cat <<EOF > /etc/puppet/auth.conf
- path /
- auth no
- allow *
- EOF
- cat <<EOF > /etc/puppet/autosign.conf
- *.test.net
- EOF
- cat <<EOF > /etc/puppet/fileserver.conf
- [files]
- path /etc/puppet/manifests/files
- allow *
- [modules]
- path /etc/puppet/modules
- allow *.test.net
- EOF
- cat <<EOF > /etc/puppet/puppet.conf
- [main]
- ssl_client_header = SSL_CLIENT_S_DN
- ssl_client_verify_header = SSL_CLIENT_VERIFY
- [master]
- fileserverconfig = /etc/puppet/fileserver.conf
- reports = http
- reporturl = http://192.168.0.1:4000/reports
- masterlog = /var/lib/puppet/log/puppetmaster.log
- logdir = /var/lib/puppet/log
- puppetdlog = /var/lib/puppet/log/puppetd.log
- EOF
- echo "err:[email protected]" > /etc/puppet/tagmail.conf
- mkdir /etc/puppet/modules
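The three access-control files written above open the master completely: auth.conf answers every path with auth no / allow *, autosign.conf signs any certificate request whose name matches *.test.net without review, and the [files] mount in fileserver.conf is readable by every host. The script below is an added example, not part of the original tutorial, that audits a Puppet configuration directory for exactly these patterns. The sample files it writes to a temporary directory are constructed for the demonstration (the "open" set mirrors the settings above, the "hardened" set shows settings that pass); point audit_puppet_acls at /etc/puppet to check a real master.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a Puppet master's
# access-control files for settings that open the master to every host.
# The sample files are constructed here so the script runs offline; point
# audit_puppet_acls at /etc/puppet to check a real master.

# Print one finding per line for the config directory in $1; prints nothing when clean.
audit_puppet_acls() {
    dir="$1"
    # autosign.conf: any entry containing "*" signs every matching CSR without review.
    if [ -f "$dir/autosign.conf" ]; then
        grep -v '^[[:space:]]*#' "$dir/autosign.conf" | grep '\*' | while read -r pat; do
            echo "autosign.conf: wildcard autosign entry '$pat'"
        done
    fi
    # auth.conf: "auth no" plus "allow *" on a path means unauthenticated access from anywhere.
    if [ -f "$dir/auth.conf" ]; then
        awk '
            /^[[:space:]]*path[[:space:]]/  { path = $2; auth = ""; allow = "" }
            /^[[:space:]]*auth[[:space:]]/  { auth = $2 }
            /^[[:space:]]*allow[[:space:]]/ { allow = $2 }
            auth == "no" && allow == "*" && !seen[path]++ {
                print "auth.conf: path " path " allows unauthenticated access from any host"
            }
        ' "$dir/auth.conf"
    fi
    # fileserver.conf: a mount with a bare "allow *" serves its files to any host.
    if [ -f "$dir/fileserver.conf" ]; then
        awk '
            /^[[:space:]]*\[/ { sect = $1; gsub(/\[/, "", sect); gsub(/\]/, "", sect) }
            /^[[:space:]]*allow[[:space:]]/ && $2 == "*" {
                print "fileserver.conf: mount [" sect "] is readable by any host"
            }
        ' "$dir/fileserver.conf"
    fi
}

# Number of findings, for scripting (0 means clean).
count_findings() {
    audit_puppet_acls "$1" | wc -l | tr -d ' '
}

# Write a constructed sample directory: "open" mirrors the tutorial's settings,
# "hardened" requires a client certificate, limits allow to the client domain and
# replaces the wildcard autosign with an explicit hostname.
make_sample_conf() {
    d=$(mktemp -d)
    if [ "$1" = "hardened" ]; then
        auth=yes; hosts='*.test.net'; sign='client1.test.net'
    else
        auth=no; hosts='*'; sign='*.test.net'
    fi
    printf 'path /\nauth %s\nallow %s\n' "$auth" "$hosts" > "$d/auth.conf"
    printf '%s\n' "$sign" > "$d/autosign.conf"
    printf '[files]\npath /etc/puppet/manifests/files\nallow %s\n[modules]\npath /etc/puppet/modules\nallow *.test.net\n' \
        "$hosts" > "$d/fileserver.conf"
    echo "$d"
}

# Demonstration on the two constructed samples.
open_conf=$(make_sample_conf open)
hard_conf=$(make_sample_conf hardened)
echo "tutorial settings: $(count_findings "$open_conf") finding(s)"
audit_puppet_acls "$open_conf"
echo "hardened settings: $(count_findings "$hard_conf") finding(s)"
rm -rf "$open_conf" "$hard_conf"
```

The hardened sample is the minimal change rather than a full policy: auth yes makes the master require a client certificate, allow is limited to the client domain, and the wildcard autosign entry is replaced by an explicit hostname. Stricter still is an empty autosign.conf with each request signed by hand on the master (puppetca --sign hostname), which the tutorial's later section mentions as the signing step.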
IV. Proxying puppetmaster with nginx to support more clients
1. How it works (diagram)
Advantages
* Performance: nginx is lean and runs very fast; many people claim it is more efficient than pound.
* Logging and debugging: in both respects nginx is simpler than pound.
* Flexibility: nginx handles SSL client verification at the application layer rather than by terminating the SSL connection.
* nginx can be used as is, without the patching pound needs, and its configuration syntax is intuitive.
Disadvantages
* Once a certificate has been signed on the server with puppetca, its authorization cannot be revoked proactively from the server side;
* you can, however, delete the ssl directory on the client to drop its authorization, which in normal circumstances causes no trouble.
2. Install rubygems and mongrel
- cd /fgn/soft/
- wget http://production.cf.rubygems.org/rubygems/rubygems-1.6.2.tgz
- tar zxvf rubygems-1.6.2.tgz
- cd rubygems-1.6.2
- ruby setup.rb
- gem install mongrel
3. Install and configure nginx
- cd /fgn/soft/
- wget http://nginx.org/download/nginx-1.0.12.tar.gz
- tar zxvf nginx-1.0.12.tar.gz
- cd nginx-1.0.12
- ./configure --with-http_stub_status_module --with-http_ssl_module
- make && make install
- useradd daemon
Master proxy configuration
cat /usr/local/nginx/conf/nginx.conf
- user daemon daemon;
- worker_processes 4;
- worker_rlimit_nofile 65535;
- error_log /var/log/nginx-puppet.log notice;
- pid /var/run/nginx-puppet.pid;
- events {
- use epoll;
- worker_connections 32768;
- }
- http {
- sendfile on;
- tcp_nopush on;
- keepalive_timeout 300;
- tcp_nodelay on;
- ssl on;
- ssl_session_timeout 5m;
- ssl_certificate /etc/puppet/ssl/certs/puppet.test.com.pem;
- ssl_certificate_key /etc/puppet/ssl/private_keys/puppet.test.com.pem;
- ssl_client_certificate /etc/puppet/ssl/ca/ca_crt.pem;
- ssl_crl /etc/puppet/ssl/ca/ca_crl.pem;
- ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
- ssl_session_cache shared:SSL:8m;
- upstream puppetmaster {
- server 127.0.0.1:18140;
- server 127.0.0.1:18141;
- server 127.0.0.1:18142;
- server 127.0.0.1:18143;
- }
- upstream dashboard {
- server 127.0.0.1:4000;
- }
- log_format download '$remote_addr, $http_x_forwarded_for $remote_user [$time_local] $request_time $host "$request_method $request_uri $server_protocol" $status - $body_bytes_sent $bytes_sent $sent_http_content_length "$sent_http_content_Range" "$http_referer" "$http_user_agent" $sent_http_x_cache $sent_http_content_type' " up_addr:$upstream_addr" " up_resp:$upstream_response_time" "s" " up_status:$upstream_status" ;
- access_log logs/access.log download;
- #+--------------------------------------------------------------------------------------------+
- server {
- listen 8140;
- server_name puppet.test.com;
- ssl_verify_client on;
- root /etc/puppet;
- # Ask the puppetmaster for everything else
- # File sections
- location /production/file_content/files/ {
- types { }
- default_type application/x-raw;
- alias /etc/puppet/manifests/files/;
- }
- # Modules files sections
- location ~ /production/file_content/modules/.+/ {
- root /etc/puppet/modules;
- types { }
- default_type application/x-raw;
- rewrite ^/production/file_content/modules/([^/]+)/(.+)$ /$1/files/$2 break;
- }
- location / {
- proxy_pass http://puppetmaster;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify SUCCESS;
- proxy_set_header X-Client-DN $ssl_client_s_dn;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
- }#server end
- server {
- listen 8141;
- ssl_verify_client off;
- root /etc/puppet;
- access_log /usr/local/nginx/logs/access-8141.log download;
- # File sections
- location /production/file_content/files/ {
- types { }
- default_type application/x-raw;
- alias /etc/puppet/manifests/files/;
- }
- # Modules files sections
- location ~ /production/file_content/modules/.+/ {
- root /etc/puppet/modules;
- types { }
- default_type application/x-raw;
- rewrite ^/production/file_content/modules/([^/]+)/(.+)$ /$1/files/$2 break;
- }
- location / {
- proxy_pass http://puppetmaster;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify FAILURE;
- proxy_set_header X-Client-DN $ssl_client_s_dn;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
- }
- }#http end
* Note: puppet.test.com here is the master's hostname
4. Configure puppetmaster to start on multiple ports
cat /etc/sysconfig/puppetmaster
- # Location of the main manifest
- #PUPPETMASTER_MANIFEST=/etc/puppet/manifests/site.pp
- # Where to log general messages to.
- # Specify syslog to send log messages to the system log.
- PUPPETMASTER_LOG=/var/log/puppet/puppetmaster.log
- PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
- PUPPETMASTER_EXTRA_OPTS="--servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT"
- # You may specify other parameters to the puppetmaster here
- #PUPPETMASTER_EXTRA_OPTS=--noca
Restart puppetmasterd and nginx
- /etc/init.d/puppetmasterd restart
- /usr/local/nginx/sbin/nginx
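The proxy configuration in step 3 and the --ssl_client_header=HTTP_X_SSL_SUBJECT option in step 4 together mean that the puppetmaster instances take the client's identity from headers that nginx sets. That only holds if nothing but nginx can reach ports 18140-18143 (every upstream member on 127.0.0.1), and if only the listener that actually verifies client certificates (8140) forwards X-Client-Verify SUCCESS, while the 8141 listener with ssl_verify_client off forwards FAILURE, as the configuration above does. The ssl_ciphers line in that configuration also still admits SSLv2 and RC4. The script below is an added example, not part of the original tutorial, that checks an nginx.conf for these three conditions; the two sample configurations it writes are constructed and shortened for the demonstration, and the bad one deliberately forwards SUCCESS on port 8141 and adds a non-loopback upstream member.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an nginx front end for
# puppetmaster. Three checks, all derived from how the proxy hands identity to the
# backend: (1) upstream members must be loopback, because the backend trusts the
# X-SSL-Subject / X-Client-Verify headers nginx sets; (2) a server block that does
# not verify client certificates must never forward X-Client-Verify SUCCESS;
# (3) ssl_ciphers must not admit SSLv2 or RC4.

# Print one finding per line for the nginx.conf in $1; prints nothing when clean.
audit_nginx_front() {
    awk '
        /^[[:space:]]*ssl_ciphers/ && ($0 ~ /SSLv2/ || $0 ~ /RC4/) {
            print "ssl_ciphers admits SSLv2 or RC4:" $0
        }
        /^[[:space:]]*upstream[[:space:]]/ { inup = 1; next }
        inup && /^[[:space:]]*server[[:space:]]/ {
            if ($2 !~ /^127\.0\.0\.1:/)
                print "upstream member " $2 " is not loopback; backend would accept spoofed identity headers"
        }
        inup && /\}/ { inup = 0 }
        !inup && /^[[:space:]]*server[[:space:]]*\{/ { insrv = 1; depth = 0; port = ""; verify = ""; claim = "" }
        insrv {
            # track brace depth so nested location blocks stay inside the server block
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if ($1 == "listen")            { port = $2;   sub(/;/, "", port) }
            if ($1 == "ssl_verify_client") { verify = $2; sub(/;/, "", verify) }
            if ($1 == "proxy_set_header" && $2 == "X-Client-Verify") { claim = $3; sub(/;/, "", claim) }
            if (depth == 0) {
                if (verify == "off" && claim == "SUCCESS")
                    print "server on port " port " has ssl_verify_client off but forwards X-Client-Verify SUCCESS"
                insrv = 0
            }
        }
    ' "$1"
}

# Number of findings, for scripting (0 means clean).
count_nginx_findings() {
    audit_nginx_front "$1" | wc -l | tr -d ' '
}

# Write a constructed, shortened nginx.conf. "bad" has the weak cipher string, a
# non-loopback upstream member and a port 8141 listener that claims SUCCESS without
# verifying; "good" has the shape of the tutorial's configuration with a modern cipher list.
make_sample_nginx() {
    f=$(mktemp)
    if [ "$1" = "bad" ]; then
        ciphers="SSLv2:-LOW:-EXPORT:RC4+RSA"; member="10.0.0.5:18140"; claim="SUCCESS"
    else
        ciphers="HIGH:!aNULL:!MD5"; member="127.0.0.1:18141"; claim="FAILURE"
    fi
    cat > "$f" <<EOF
http {
    ssl_ciphers $ciphers;
    upstream puppetmaster {
        server 127.0.0.1:18140;
        server $member;
    }
    server {
        listen 8140;
        ssl_verify_client on;
        location / {
            proxy_pass http://puppetmaster;
            proxy_set_header X-Client-Verify SUCCESS;
            proxy_set_header X-SSL-Subject \$ssl_client_s_dn;
        }
    }
    server {
        listen 8141;
        ssl_verify_client off;
        location / {
            proxy_pass http://puppetmaster;
            proxy_set_header X-Client-Verify $claim;
            proxy_set_header X-SSL-Subject \$ssl_client_s_dn;
        }
    }
}
EOF
    echo "$f"
}

# Demonstration on the two constructed samples.
bad_sample=$(make_sample_nginx bad)
good_sample=$(make_sample_nginx good)
echo "bad sample: $(count_nginx_findings "$bad_sample") finding(s)"
audit_nginx_front "$bad_sample"
echo "good sample: $(count_nginx_findings "$good_sample") finding(s)"
rm -f "$bad_sample" "$good_sample"
```

The script only reads the proxy's view. On the live master also confirm that the mongrel ports 18140-18143 are bound to 127.0.0.1 or firewalled (for example with netstat -tln), since a client that can reach them directly could present its own X-SSL-Subject header, and replace the tutorial's cipher list with a modern one; the HIGH:!aNULL:!MD5 string in the good sample is a reasonable starting point.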
5. Verification
Configure site.pp
- cat <<EOF > /etc/puppet/manifests/site.pp
- node default {
-     file { "/tmp/temp1.txt": content => "hello, first puppet manifest"; }
- }
- EOF
Run on the client:
- puppetd --test --server puppet.test.com