puppet是一种Linux、Unix、windows平台的集中配置管理系统,使用自有的puppet描述语言,可管理配置文件、用户、cron任务、软件包、系统服务等。puppet把这些系统实体称之为资源,puppet的设计目标是简化对这些资源的管理以及妥善处理资源间的依赖关系。

            puppet为C/S星状的结构,所有的客户端和一个或几个服务器交互。每个客户端周期性地(默认半个小时)向服务器发送请求,获得其最新的配置信息,并保证与该配置信息同步。每个puppet客户端每半小时(可以设置)连接一次服务器端,下载最新的配置文件,并且严格按照配置文件来配置客户端。配置完成以后,puppet客户端可以反馈给服务器端一个消息;如果出错,也会给服务器端反馈一个消息。

 


实验部署


环境

 192.168.200.202       centos6         master.linuxwang.cn

 192.168.200.203       centos6         client1.linuxwang.cn

 192.168.200.204       centos6         client2.linuxwang.cn


设置主机名

所有主机配置本地解析

[root@client1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.202 master.linuxwang.cn
192.168.200.203 client1.linuxwang.cn
192.168.200.204 client2.linuxwang.cn

[root@client1 ~]# for i in 203 204 202; do rsync /etc/hosts root@192.168.200.$i:/etc/hosts; done


配置时间同步服务器

[root@master ~]# rpm -qa ntp
ntp-4.2.6p5-1.el6.centos.x86_64
[root@master ~]# sed -i '/^server/s/^/#/g' /etc/ntp
ntp/      ntp.conf  
[root@master ~]# sed -i '/^server/s/^/#/g' /etc/ntp.conf
[root@master ~]# sed -i '$aserver 127.127.1.0\nfudge 127.127.1.0 stratum 8' /etc/ntp.conf
[root@master ~]# /etc/init.d/ntpd restart
关闭 ntpd:                                                  [失败]
正在启动 ntpd:                                            [确定]

[root@master ~]# chkconfig ntpd on

[root@client1 ~]# /usr/sbin/ntpdate 192.168.200.202
18 Aug 16:49:12 ntpdate[1264]: adjust time server 192.168.200.202 offset 0.090238 sec
[root@client1 ~]# echo "*/5 * * * * /usr/sbin/ntpdate 192.168.200.202" >>/var/spool/cron/root
[root@client1 ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate 192.168.200.202


在master端搭建puppet服务

下载服务包 facter-1.7.1.tar.gz  

                 puppet-2.7.21.tar.gz

安装依赖包   yum -y install compat-readline5 ruby*

Ruby,一种简单快捷的面向对象程序设计脚本语言


[root@master ~]# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]


为puppet创建独立的用户

useradd -s  /sbin/nologin puppet


   在使用puppet作为配置管理工具的同时,facter是一个非常有用的系统盘点工具,自定义fact可以让节点增加更多的标签

   这个工具可以通过一些预先设定好的变量定位一台主机,比如可以通过变量lsbdistrelease便可以知道当前系统的版本号,通过osfamily便可以知道系统是RedHat还是SLES,还是其它等等。但是这些预先设定好的变量毕竟有限,在整个自动化运维过程中,由于系统应用的多样性,更多需要通过应用的名称、角色的名称进行标示,这样就需要自定义一些fact并赋值到每个节点上去,相当于给节点打上标签


安装facter和puppet

[root@master ~]# ls
anaconda-ks.cfg  facter-1.7.1.tar.gz  install.log  install.log.syslog  puppet-2.7.21.tar.gz
[root@master ~]# tar zxf facter-1.7.1.tar.gz
[root@master ~]# cd facter-1.7.1
[root@master facter-1.7.1]# ruby install.rb  #安装


tar zxf puppet-2.7.21.tar.gz

cd puppet-2.7.21

ruby install.rb


制作安装脚本

[root@master ~]# cat install_facter_puppet.sh
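#!/bin/bash
# Install facter 1.7.1 and puppet 2.7.21 from source on CentOS 6 (run as root).
#
# Every step is checked: a failed download, a bad tarball or a failed
# install.rb aborts the run instead of leaving a half-installed node behind.
#
# Optional environment variables:
#   FACTER_SHA256 / PUPPET_SHA256 - when set, the downloaded tarball is
#   verified against them before install.rb is executed. The tarballs come
#   over plain FTP, which gives no integrity guarantee, and install.rb runs
#   as root, so supplying a known-good checksum is strongly recommended.
set -euo pipefail

readonly base_url='ftp://ftp.linuxfan.cn/tools'
readonly facter_tgz='facter-1.7.1.tar.gz'
readonly puppet_tgz='puppet-2.7.21.tar.gz'
readonly workdir='/root'

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Download a tarball into workdir and optionally verify it.
# Arguments: $1 - tarball file name under base_url
#            $2 - expected SHA-256 hex digest, or empty to skip verification
# Returns:   0 on success; exits via die on download or checksum failure
#######################################
fetch() {
  local name=$1 expected=$2
  wget -q "${base_url}/${name}" -P "${workdir}/" || die "download of ${name} failed"
  if [[ -n "$expected" ]]; then
    printf '%s  %s\n' "$expected" "${workdir}/${name}" | sha256sum -c --quiet - \
      || die "checksum mismatch for ${name}"
  fi
}

#######################################
# Extract a tarball in workdir and run its install.rb.
# Arguments: $1 - tarball file name in workdir
#            $2 - directory the tarball extracts to (relative to workdir)
# Returns:   0 on success; exits via die on extract or install failure
#######################################
install_from_tarball() {
  local tgz=$1 dir=$2
  tar zxf "${workdir}/${tgz}" -C "$workdir" || die "cannot extract ${tgz}"
  # Subshell so the cd does not leak into the rest of the script.
  ( cd "${workdir}/${dir}" && ruby install.rb ) || die "install.rb failed in ${dir}"
}

# 'ruby*' is quoted so the shell never expands it against files in the cwd;
# yum does its own glob matching. Only stdout is silenced so errors stay visible.
yum -y install compat-readline5 'ruby*' >/dev/null || die "yum install failed"
ruby -v

# useradd exits non-zero when the account already exists; a re-run of this
# script must not abort on that.
if ! id puppet >/dev/null 2>&1; then
  useradd -s /sbin/nologin puppet
fi

fetch "$facter_tgz" "${FACTER_SHA256:-}"
install_from_tarball "$facter_tgz" "facter-1.7.1"
# Smoke test: prints the host's facts if facter installed correctly.
facter

fetch "$puppet_tgz" "${PUPPET_SHA256:-}"
install_from_tarball "$puppet_tgz" "puppet-2.7.21"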


配置puppetmaster启动文件

[root@master ~]# cp puppet-2.7.21/conf/redhat/{fileserver.conf,puppet.conf} /etc/puppet/
[root@master ~]# ls /etc/puppet/
auth.conf  fileserver.conf  puppet.conf
[root@master ~]# cp puppet-2.7.21/conf/redhat/server.init /etc/init.d/puppetmaster
[root@master ~]# chmod +x /etc/init.d/puppetmaster
[root@master ~]# chkconfig --add puppetmaster
[root@master ~]# mkdir -p /etc/puppet/{manifests,modules}
[root@master ~]# ls /etc/puppet/
auth.conf  fileserver.conf  manifests  modules  puppet.conf
[root@master ~]# sed -i '/ssldir/a      modulepath = /etc/puppet/modules:/usr/share/puppet/modules' /etc/puppet/puppet.conf

[root@master ~]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
modulepath = /etc/puppet/modules:/usr/share/puppet/modules

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
[root@master ~]# /etc/init.d/puppetmaster start
启动 puppetmaster:                                        [确定]
[root@master ~]# netstat -uptln |grep 8140
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      7310/ruby           
[root@master ~]# ps aux |grep puppet
puppet     7310  0.0  8.5 138476 41772 ?        Ssl  17:20   0:00 /usr/bin/ruby /usr/sbin/puppetmasterd
root       7317  0.0  0.1 103256   852 pts/0    S+   17:20   0:00 grep puppet


配置client1/2

导入安装脚本快速安装部署

[root@client2 ~]# scp root@192.168.200.202:/root/install_facter_puppet.sh ./
root@192.168.200.202's password:
install_facter_puppet.sh                                             100%  469     0.5KB/s   00:00    
[root@client2 ~]# ls
anaconda-ks.cfg  install_facter_puppet.sh  install.log  install.log.syslog
[root@client2 ~]# sh -x install_facter_puppet.sh


配置client

[root@client1 ~]# cp puppet-2.7.21/conf/redhat/puppet.conf /etc/puppet/
You have new mail in /var/spool/mail/root
[root@client1 ~]# cp puppet-2.7.21/conf/redhat/client.init /etc/init.d/puppetclient
[root@client1 ~]# chmod +x /etc/init.d/puppetclient
[root@client1 ~]# chkconfig --add puppetclient
[root@client1 ~]# sed -i '/ssldir/a    server = master.linuxwang.cn' /etc/puppet/puppet.conf

[root@client1 ~]# puppet agent --server=master.linuxwang.cn --no-daemonize --verbose
info: Caching certificate for ca
info: Creating a new SSL certificate request for client1.linuxwang.cn
info: Certificate Request fingerprint (md5): C3:11:66:D6:E2:B5:B0:84:2F:3C:48:8F:CA:49:E6:FF
^CCancelling startup


[root@master ~]# ps aux |grep puppet

puppet     7310  0.0  8.5 138476 41772 ?        Ssl  17:20   0:00 /usr/bin/ruby /usr/sbin/puppetmasterd
root       7317  0.0  0.1 103256   852 pts/0    S+   17:20   0:00 grep puppet

[root@master ~]# puppet cert --list   ##查看申请证书的客户端


  "client1.linuxwang.cn" (C3:11:66:D6:E2:B5:B0:84:2F:3C:48:8F:CA:49:E6:FF)
  "client2.linuxwang.cn" (C5:57:BC:9C:93:C5:03:7F:13:48:16:14:3B:40:8D:09)
[root@master ~]# puppet cert sign --all ##将未注册的客户端进行注册

notice: Signed certificate request for client2.linuxwang.cn
notice: Removing file Puppet::SSL::CertificateRequest client2.linuxwang.cn at '/var/lib/puppet/ssl/ca/requests/client2.linuxwang.cn.pem'
notice: Signed certificate request for client1.linuxwang.cn
notice: Removing file Puppet::SSL::CertificateRequest client1.linuxwang.cn at '/var/lib/puppet/ssl/ca/requests/client1.linuxwang.cn.pem'
[root@master ~]# ls -l /var/lib/puppet/ssl/ca/signed/  #查看已经注册的客户端

总用量 12
-rw-r----- 1 puppet puppet 1923 8月  18 17:53 client1.linuxwang.cn.pem
-rw-r----- 1 puppet puppet 1923 8月  18 17:53 client2.linuxwang.cn.pem
-rw-r----- 1 puppet puppet 2004 8月  18 17:20 master.linuxwang.cn.pem



补充内容:

如果客户端注册失败,或者因为重启等原因失败可以重新进行注册:

client端:

rm -rf  /var/lib/puppet/ssl/

master端:

rm -rf /var/lib/puppet/ssl/ca/signed/client*.linuxwang.cn.pem

然后进行重新注册操作:

puppet agent --server=master.linuxwang.cn --no-daemonize --verbose  ##客户端请求注册

puppet cert sign --all   ##将未注册的客户端进行注册



配置puppet实例:(重点,难点)

 

mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}

mkdir /etc/puppet/manifests/nodes

mkdir /etc/puppet/modules/ssh/files/ssh

chown -R puppet /etc/puppet/modules/

yum -y install tree

[root@master ~]# tree /etc/puppet/

/etc/puppet/

├── auth.conf

├── fileserver.conf

├── manifests (资源, 例如 server、install、crond、用户组、命令等)

   └── nodes

├── modules (模块)

   └── ssh

       ├── files

          └── ssh

       ├── manifests

       └── templates

└── puppet.conf


[root@master ~]# cat /etc/puppet/modules/ssh/manifests/config.pp
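# ssh::config - distribute the centrally maintained sshd_config.
#
# The file is served from this module's files/ssh/ directory. The original
# used "puppet://$puppetserver/...", but $puppetserver is not defined in any
# of these manifests; it appears to work only because an unset variable
# interpolates to an empty string, which yields the three-slash form used
# below. Writing that form explicitly lets the agent resolve the server from
# its own puppet.conf (server = ...) and removes the reliance on an
# undefined variable.
#
# Ordering: the openssh package must be present before the file is managed,
# and any change to the file triggers ssh::service, which restarts sshd.
class ssh::config {
    file { "/etc/ssh/sshd_config":
        ensure  => present,
        owner   => "root",
        group   => "root",
        # readable and writable by root only
        mode    => "0600",
        source  => "puppet:///modules/ssh/ssh/sshd_config",
        require => Class["ssh::install"],
        notify  => Class["ssh::service"],
    }
}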

[root@master ~]# cat /etc/puppet/modules/ssh/manifests/install.pp
# ssh::install - ensure the openssh package is installed on the node.
class ssh::install {
    package { "openssh":
        ensure => present,
    }
}

[root@master ~]# cat /etc/puppet/modules/ssh/manifests/init.pp
# ssh - module entry point; pulls in the install, config and service classes.
# The ordering between them is expressed by require/notify inside each class.
class ssh {
    include ssh::install
    include ssh::config
    include ssh::service
}

[root@master ~]# cat /etc/puppet/modules/ssh/manifests/service.pp
# ssh::service - keep sshd running now and enabled at boot.
#
# hasstatus/hasrestart tell Puppet that the init script supports the
# `status` and `restart` actions, so it uses those rather than scanning the
# process table or doing stop/start. The class depends on ssh::config so the
# managed sshd_config is in place before the service is (re)started.
class ssh::service {
    service { "sshd":
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        require    => Class["ssh::config"],
    }
}

建立统一维护的配置文件:sshd_config

cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/  ##复制配置文件

sed -i '/Port/aPort 9922' /etc/puppet/modules/ssh/files/ssh/sshd_config  ##修改要发布的文件的端口(注意: /Port/ 也会匹配 #GatewayPorts 行, 因此下文 diff 中出现两条 Port 9922; 用 /^#Port 22/ 可避免)


[root@master ~]# cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/
[root@master ~]# sed -i '/Port/aPort 9922' /etc/puppet/modules/ssh/files/ssh/sshd_config
[root@master ~]# vi /etc/puppet/manifests/nodes/ssh.pp

[root@master ~]# echo 'import "nodes/ssh.pp"'>>/etc/puppet/manifests/site.pp
[root@master ~]# chown puppet:puppet /etc/puppet/modules/ -R
[root@master ~]# chown puppet:puppet /etc/puppet/manifests/ -R
[root@master ~]# tree /etc/puppet/modules/ssh/
/etc/puppet/modules/ssh/
├── files
│   └── ssh
│       └── sshd_config
├── manifests
│   ├── config.pp
│   ├── init.pp
│   ├── install.pp
│   └── service.pp
└── templates


重启服务

客户端拉取测试


You have new mail in /var/spool/mail/root
[root@client1 ~]# puppet agent -t
info: Caching catalog for client1.linuxwang.cn
info: Applying configuration version '1503051937'
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content:
--- /etc/ssh/sshd_config    2017-04-15 17:00:20.199199515 +0800
+++ /tmp/puppet-file20170818-8016-rxh78k-0    2017-08-18 18:25:40.184909549 +0800
@@ -11,6 +11,7 @@
 # default value.
 
 #Port 22
+Port 9922
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
@@ -105,6 +106,7 @@
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
+Port 9922
 #X11Forwarding no
 X11Forwarding yes
 #X11DisplayOffset 10
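Review bot: The second `Port 9922` in this hunk is an artefact of the unanchored sed pattern used to build the module file — `/Port/` also matches the `#GatewayPorts no` line just above it, so the distributed sshd_config now carries a duplicate Port directive that will be pushed to every node. sshd tolerates repeated Port lines, but the duplicate is confusing and hides the fact that only one change was intended. Anchor the pattern when preparing the file, e.g. `sed -i '/^#Port 22/aPort 9922' /etc/puppet/modules/ssh/files/ssh/sshd_config`. This diff is an excerpt from the agent's run log, so the rest of the file is not shown here.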

info: FileBucket adding {md5}0ac17033eef95b55d21b69501c362ae9
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 0ac17033eef95b55d21b69501c362ae9
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: content changed '{md5}0ac17033eef95b55d21b69501c362ae9' to '{md5}45aac0e92d859a59ae3cccc654285248'
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Class[Ssh::Service]
info: Class[Ssh::Service]: Scheduling refresh of Service[sshd]
notice: /Stage[main]/Ssh::Service/Service[sshd]: Triggered 'refresh' from 1 events
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 1.89 seconds


[root@client1 ~]# grep 22 /etc/ssh/sshd_config
#Port 22
Port 9922
Port 9922
[root@client1 ~]# netstat -utpln |grep sshd
tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      8176/sshd           
tcp        0      0 :::9922                     :::*                        LISTEN      8176/sshd


[root@client2 ~]# echo "listen = true" >>/etc/puppet/puppet.conf
[root@client2 ~]# echo "allow *" >>/etc/puppet/auth.conf
[root@client2 ~]# /etc/init.d/puppetclient restart
停止 puppet:                                              [失败]
启动 puppet:                                              [确定]
[root@client2 ~]# netstat -utpln |grep ashsd
[root@client2 ~]# netstat -utpln |grep ashd
[root@client2 ~]# netstat -utpln |grep sshd
tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      7855/sshd           
tcp        0      0 :::9922                     :::*                        LISTEN      7855/sshd 


设置成功。还有一些其他操作,请继续关注。