Puppet: an introduction
Puppet is a centralized configuration management system for Linux and Unix platforms, written in Ruby, that can manage configuration files, users, cron jobs, packages, system services and more. Puppet calls these system entities resources; its design goal is to simplify the management of these resources and to handle the dependencies between them properly.
Workflow
1. The client daemon puppetd invokes facter, which discovers facts about the host such as its hostname, memory size and IP address; puppetd sends this information to the server over an SSL connection.
2. On the server, puppetmaster checks the client's hostname, finds the matching node definition in the manifest and parses that part of it, using the facts sent by facter as variables; only the code relevant to that node is parsed, the rest is not. Parsing has several stages: first a syntax check, which reports an error if the syntax is wrong; if the syntax is correct, parsing continues and produces an intermediate "pseudo-code" (the catalog), which is sent to the client.
3. The client receives the "pseudo-code", applies it, and sends the result of the run back to the server.
4. The server writes the client's run results to its log.
Installing Puppet
Environment
Two Red Hat 7.1 virtual machines, system1 and system2: system1 is the master and system2 the agent (in the commands below they appear as server1 and server2, with the hostnames server1.example.com and server2.example.com).
The firewalld firewall is turned off.
SELinux is turned off.
Install the Puppet Labs repository
[root@server1 html]# rpm -ivh https://yum.puppetlabs.com/el/7/products/x86_64/puppetlabs-release-7-10.noarch.rpm --nodeps
[root@server2 conf]# rpm -ivh https://yum.puppetlabs.com/el/7/products/x86_64/puppetlabs-release-7-10.noarch.rpm --nodeps
Install puppet-server on system1
[root@server1 html]# yum install puppet-server -y
Start puppet-server and enable it at boot
[root@server1 html]# systemctl start puppetmaster.service
[root@server1 html]# systemctl enable puppetmaster.service
Add name resolution for system1 and system2 to /etc/hosts so that the two hosts can reach each other
[root@server1 html]# vim /etc/hosts
192.168.56.135 server1.example.com
192.168.56.137 server2.example.com
[root@server2 conf]# vim /etc/hosts
192.168.56.135 server1.example.com
192.168.56.129 server2.example.com
Configure puppet-server
[root@server1 conf]# vim /etc/puppet/puppet.conf
[master]
certname=server1.example.com
Restart puppet-server
[root@server1 html]# systemctl restart puppetmaster.service
Configuring the puppet agent
Install puppet on system2
[root@server2 conf]# yum install puppet -y
Configure puppet
[root@server2 conf]# vim /etc/puppet/puppet.conf
[agent]
certname = server2.example.com
server = server1.example.com
report = true
Start puppet and enable it at boot
[root@server2 conf]# systemctl start puppet.service
[root@server2 conf]# systemctl enable puppet
Created symlink from /etc/systemd/system/multi-user.target.wants/puppet.service to /usr/lib/systemd/system/puppet.service.
Puppet certificate setup
Send a certificate request to the server
[root@server2 conf]# puppet agent --server=server1.example.com --verbose --no-daemonize --debug
On the server, check whether the client's certificate request has arrived
[root@server1 manifests]# puppet cert --list
"server2.example.com" (SHA256) DF:E1:A4:CD:62:0C:32:40:49:51:3E:D3:DD:3D:87:FA:2F:BC:C2:E0:9D:2E:A7:2E:20:1D:75:E4:5D:37:07:17
Sign the certificate for server2
[root@server1 manifests]# puppet cert --sign server2.example.com
This completes the authentication between the server and the agent.
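Signing whatever `puppet cert --list` shows trusts any host that can reach port 8140 and claims the right certname. As an added example that is not part of the original post, the script below signs a request only after its fingerprint matches the value the agent itself prints with `puppet agent --fingerprint` (Puppet 3 CLI assumed; the sample `puppet cert --list` output is constructed, reusing the request line shown above):

```shell
#!/bin/sh
# Added example (not from the original post): compare the pending CSR's
# fingerprint with the one the agent reports before signing it.
# Assumes the Puppet 3 CLI: `puppet agent --fingerprint` on the agent,
# `puppet cert --list` / `puppet cert --sign` on the master.

# Read `puppet cert --list` output on stdin and print the fingerprint of the
# pending request for NODE. Pending requests look like:
#   "server2.example.com" (SHA256) DF:E1:...   (signed certs start with "+")
pending_fingerprint() {
  awk -v n="\"$1\"" '$1 == n && $2 == "(SHA256)" { print $3; exit }'
}

# Case-insensitive comparison of two colon-separated fingerprints;
# an empty value never matches.
fingerprint_matches() {
  a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# On the master: sign NODE only if its pending CSR fingerprint equals
# EXPECTED, the value printed by `puppet agent --fingerprint` on that host
# and carried over out of band (console, ticket, trusted channel).
sign_if_verified() {
  node="$1"; expected="$2"
  actual=$(puppet cert --list | pending_fingerprint "$node")
  if fingerprint_matches "$expected" "$actual"; then
    puppet cert --sign "$node"
  else
    echo "refusing to sign $node: expected $expected, pending ${actual:-none}" >&2
    return 1
  fi
}

# Constructed sample of `puppet cert --list` output for offline testing;
# the first line is the request shown earlier on this page.
SAMPLE_LIST='  "server2.example.com" (SHA256) DF:E1:A4:CD:62:0C:32:40:49:51:3E:D3:DD:3D:87:FA:2F:BC:C2:E0:9D:2E:A7:2E:20:1D:75:E4:5D:37:07:17
  "other.example.com" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
+ "server1.example.com" (SHA256) 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11'

# Usage on the master, pasting the fingerprint printed on the agent:
#   sign_if_verified server2.example.com <output of puppet agent --fingerprint>
```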
Automation examples with Puppet
1. Managing file attributes
[root@server1 manifests]# vim site.pp
node default {
  file { "/root/install.log":
    owner => "puppet",
    group => "puppet",
    mode  => "0777",   # Puppet expects the mode as a quoted octal string
  }
}
Sync server1's configuration on server2
[root@server2 usr]# puppet agent --server=server1.example.com --no-daemonize --verbose --onetime
The owner and group of install.log have changed from root to puppet
[root@server2 ~]# ll install.log
-rwxrwxrwx 1 puppet puppet 0 Oct 24 22:03 install.log
2. Adding a user and a group
node default {
  group { "student":
    ensure => present,
    gid    => 5000,
  }
  user { "student":
    ensure   => present,
    uid      => 5000,
    gid      => 5000,
    home     => "/home/student",
    shell    => "/bin/bash",
    # the password attribute takes the crypt(3) hash as stored in /etc/shadow,
    # not the plaintext; replace the placeholder with a real hash
    password => '$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH',
  }
}
Sync server1's configuration on server2
[root@server2 ~]# puppet agent --server=server1.example.com --no-daemonize --verbose --onetime
The student user and group have been created on server2, with uid and gid 5000
[root@server2 ~]# id student
uid=5000(student) gid=5000(student) groups=5000(student)
3. Installing and removing software
[root@server1 manifests]# vim site.pp
package { "gcc":
  ensure => installed,
}
Sync server1's configuration on server2
[root@server2 ~]# puppet agent --server=server1.example.com --no-daemonize --verbose --onetime
gcc has been installed on server2
[root@server2 ~]# rpm -qa |grep gcc
libgcc-4.8.5-39.el7.x86_64
gcc-4.8.5-39.el7.x86_64
4. Starting and stopping services
[root@server1 manifests]# vim site.pp
service {
  "httpd":
    ensure => running;
  "firewalld":
    ensure => stopped;
}
On server2, stop httpd and start firewalld, then sync server1's configuration
[root@server2 ~]# systemctl stop httpd
[root@server2 ~]# systemctl start firewalld.service
[root@server2 ~]# puppet agent --server=server1.example.com --no-daemonize --verbose --onetime
The state of httpd and firewalld on server2 has changed
Notice: /Stage[main]/Main/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
Notice: /Stage[main]/Main/Service[firewalld]/ensure: ensure changed 'running' to 'stopped'
5. Configuring a scheduled task
[root@server1 manifests]# vim site.pp
cron { "cron":
  command => "sh /root/test.sh",
  user    => "root",
  minute  => "40",
  hour    => "15",
}
Sync server1's configuration on server2
[root@server2 ~]# puppet agent --server=server1.example.com --no-daemonize --verbose --onetime
The cron job has been created on server2
Notice: /Stage[main]/Main/Cron[cron]/ensure: created
[root@server2 ~]# crontab -l
#Puppet Name: cron
40 15 * * * sh /root/test.sh
6. Synchronizing files
[root@server1 manifests]# vim site.pp
file { "/mnt/nginx-1.10.0.tar.gz":
  # puppet:/// (three slashes) fetches from the agent's configured master,
  # so no separate hostname such as puppet-server has to resolve
  source => "puppet:///files/nginx-1.10.0.tar.gz",
  owner  => root,
  group  => root,
  mode   => "0755",   # mode as a quoted octal string
}
[root@server1 manifests]# vim /etc/puppet/fileserver.conf
[files]
path /mnt
allow *
Sync server1's configuration on server2
[root@server2 ~]# puppet agent --server=server1.example.com --no-daemonize --verbose --onetime
server2 has fetched the nginx tarball from server1
Notice: /Stage[main]/Main/File[/mnt/nginx-1.10.0.tar.gz]/ensure: defined content as '{md5}c184c873d2798c5ba92be95ed1209c02'
[root@server2 ~]# ll /mnt
-rwxr-xr-x 1 root root 908954 Oct 27 21:56 nginx-1.10.0.tar.gz
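The examples above get each resource type working; as an added example that is not part of the original post, the manifest below collects the same resources with the settings a reviewer would tighten (no world-writable file, a hashed rather than plaintext password, a service that depends on its package, a source URL that does not rely on an extra hostname). It assumes Puppet 3 on el7 as installed above and the agent certname server2.example.com; the password hash is a placeholder.

```puppet
# Added example (not the post's code); assumes Puppet 3 on el7 as above and
# the agent certname server2.example.com. The password hash is a placeholder.
node 'server2.example.com' {
  # mode 777 left install.log world-writable; keep it root-owned and
  # read-only for everyone else, as a quoted octal string
  file { '/root/install.log':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  group { 'student':
    ensure => present,
    gid    => 5000,
  }
  user { 'student':
    ensure     => present,
    uid        => 5000,
    gid        => 5000,
    home       => '/home/student',
    managehome => true,           # create the home directory as well
    shell      => '/bin/bash',
    # the crypt(3) hash as stored in /etc/shadow, never the plaintext;
    # replace the placeholder with a real SHA-512 ($6$) hash
    password   => '$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH',
    require    => Group['student'],
  }

  # a service should depend on the package that provides it
  package { 'httpd':
    ensure => installed,
  }
  service { 'httpd':
    ensure  => running,
    enable  => true,
    require => Package['httpd'],
  }

  # puppet:///files/... (three slashes) means "the agent's configured
  # master", so no extra hostname such as puppet-server has to resolve
  file { '/mnt/nginx-1.10.0.tar.gz':
    ensure => file,
    source => 'puppet:///files/nginx-1.10.0.tar.gz',
    owner  => 'root',
    group  => 'root',
    mode   => '0644',             # a tarball needs no execute bit
  }
}
```

In /etc/puppet/fileserver.conf, `allow *.example.com` in place of `allow *` limits the [files] mount to hosts in that domain; with `allow *`, every host holding a certificate signed by this master can download everything under /mnt.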