参考网站:http://blog.chinaunix.net/uid-24250828-id-3882898.html
http://369369.blog.51cto.com/319630/785895
环境说明:
OS:CentOS 5.4 i386
puppetmaster 192.168.0.12 hostname: puppetmaster.info.com
client 192.168.0.64 hostname: client1.info.com
原理图:
1) 客户端通过facter收集客户端信息并发送至服务端
2) 连接服务端并请求catalog日志
3) 请求节点(node)的信息
4) 从服务器端接收节点(node)的实例
5) 编译代码(包括语法检查等工作)
6) 查询是否有exported 虚拟资源
7) 如有,则从数据库接收虚拟资源
8) 接收完整的catalog日志
9) 存储catalog日志到数据库
10) 客户端接收完整的catalog日志
一、 时间同步,并写入crontab
点击(此处)折叠或打开
15 1 * * * /usr/sbin/ntpdate pool.ntp.org; hwclock -w >/dev/null 2>&1
二、 修改主机名,并写入/etc/hosts文件
Puppet 要求所有机器有完整的域名(FQDN),如果没有 DNS 服务器提供域名的话,可以在两台机器上设置主机名
(注意建议先设置主机名再安装 Puppet,因安装 Puppet 时会把主机名写入证书,客户端和服务端通信需要这个证书)
点击(此处)折叠或打开
192.168.0.12 puppetmaster.info.com
192.168.0.64 client1.info.com
三、 安装ruby
点击(此处)折叠或打开
[root@puppetmaster ~]# yum install ruby ruby-libs ruby-rdoc -y
[root@puppetmaster ~]# ruby --version
ruby 1.8.5 (2006-08-25) [i386-linux]
我安装的是1.8.5 ,不要安装1.8.7 puppet 还不支持,( 我没试过,如果出现不支持的情况,注意一下这里。)
四、 安装facter
安装puppet之前必须先安装facter
facter是一个系统盘点工具,收集主的一些资料,比如CPU,主机IP等,它收集到值发送给puppet服务器端,服务器端就可以根据不同的条件来对不同的节点机器生成不同的puppet配置文件
puppet资源下载点 http://downloads.puppetlabs.com/
点击(此处)折叠或打开
[root@puppetmaster src]# wget http://downloads.puppetlabs.com/facter/facter-1.6.8.tar.gz
[root@puppetmaster src]# tar xzvf facter-1.6.8.tar.gz
[root@puppetmaster src]# cd facter-1.6.8
[root@puppetmaster facter-1.6.8]# ruby install.rb
五、 安装puppet
点击(此处)折叠或打开
[root@puppetmaster src]# wget http://downloads.puppetlabs.com/puppet/puppet-2.7.14.tar.gz
[root@puppetmaster src]# tar xzvf puppet-2.7.14.tar.gz
[root@puppetmaster src]# cd puppet-2.7.14
[root@puppetmaster puppet-2.7.14]# ruby install.rb
六、 复制配置文件
点击(此处)折叠或打开
[root@puppetmaster puppet-2.7.14]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@puppetmaster puppet-2.7.14]# cp conf/redhat/puppet.conf /etc/puppet/
[root@puppetmaster puppet-2.7.14]# cp conf/redhat/server.init /etc/init.d/puppetmaster
七、 设置puppetmaster 服务开机启动
点击(此处)折叠或打开
[root@puppetmaster puppet-2.7.14]# ls -l /etc/init.d/puppetmaster
-rwxr-xr-x 1 root root 3936 Sep 3 12:13 /etc/init.d/puppetmaster
[root@puppetmaster puppet-2.7.14]#
[root@puppetmaster puppet-2.7.14]# chkconfig --add puppetmaster
[root@puppetmaster puppet-2.7.14]# chkconfig --level 35 puppetmaster on
八、 创建puppet帐号
点击(此处)折叠或打开
[root@puppetmaster puppet-2.7.14]# puppetmasterd --mkusers
1)确认是否生成清单文件夹
点击(此处)折叠或打开
[root@puppetmaster puppet-2.7.14]# ls -l /etc/puppet/
total 16
-rw-r--r-- 1 root root 2552 Sep 3 12:11 auth.conf
-rwxr-xr-x 1 root root 381 Sep 3 12:13 fileserver.conf
drwxr-xr-x 2 root root 4096 Sep 3 12:17 manifests
-rwxr-xr-x 1 root root 853 Sep 3 12:13 puppet.conf
2)确认系统生成puppet用户
点击(此处)折叠或打开
[root@puppetmaster puppet-2.7.14]# id puppet
uid=1002(puppet) gid=1002(puppet) groups=1002(puppet)
[root@puppetmaster puppet]# cat /etc/passwd |grep puppet
puppet:x:1002:1002::/home/puppet:/bin/bash
3)保证/var/lib/puppet/rrd目录存在且属主是puppet
点击(此处)折叠或打开
[root@puppetmaster puppet]# ls -l /var/lib/puppet/
total 36
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 bucket
drwxr-xr-x 2 root root 4096 Sep 3 12:17 facts
drwxr-xr-x 2 root root 4096 Sep 3 12:17 lib
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 reports
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 rrd
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 server_data
drwxrwx--x 8 puppet root 4096 Sep 3 12:26 ssl
drwxr-xr-t 2 root root 4096 Sep 3 12:17 state
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 yaml
4)查看端口
点击(此处)折叠或打开
[root@puppetmaster puppet]# netstat -Tanlp | grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 4556/ruby
客户端:
安装facter,puppet 同puppetmaster 一样。但复制的文件如下
点击(此处)折叠或打开
[root@client1 puppet-2.7.14]# cp conf/redhat/client.init /etc/init.d/puppet
[root@client1 puppet-2.7.14]# chkconfig --level 35 puppet on
点击(此处)折叠或打开
[root@client1 puppet-2.7.14]# puppetd --mkusers
Could not prepare for execution: Got 1 failure(s) while initializing: change from absent to present failed: Could not create user puppet: Execution of '/usr/sbin/useradd -g puppet -M puppet' returned 3: useradd: invalid numeric argument 'puppet'
[root@client1 puppet-2.7.14]# groupadd puppet;useradd -g puppet -M puppet
[root@client1 puppet-2.7.14]# service puppet start
Starting puppet: [ OK ]
测试解析与puppetmaster端口是否畅通
点击(此处)折叠或打开
[root@client1 puppet-2.7.14]# telnet puppetmaster.info.com 8140
Trying 192.168.0.12...
Connected to puppetmaster.info.com (192.168.0.12).
Escape character is '^]'.
[root@client1 puppet-2.7.14]# puppetd --test --server puppetmaster.info.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client1.info.com
info: Certificate Request fingerprint (md5): 07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
# puppetd --test --server puppetmaster.info.com命令是指puppetd 从 puppetmaster.info.com去读取
puppet配置文件. 第一次连接,双方会进行ssl证书的验证,这是一个新的客户端,在服务器端那里还没有被认证,因此需要在服务器端进行证书认证
以下这步批准证书是在服务端操作
查看当前待批准证书列表
点击(此处)折叠或打开
[root@puppetmaster ~]# puppetca -l
client1.info.com (07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE)
批准当前证书
点击(此处)折叠或打开
[root@puppetmaster ~]# puppetca -s client1.info.com
notice: Signed certificate request for client1.info.com
notice: Removing file Puppet::SSL::CertificateRequest client1.info.com at '/var/lib/puppet/ssl/ca/requests/client1.info.com.pem'
查看验证签名,注意前面的+号,说明已经签名
点击(此处)折叠或打开
[root@puppetmaster ~]# puppetca -a --list
+ client1.info.com (03:BE:50:AE:72:1A:39:79:17:F4:E5:74:FD:CC:BC:8C)
+ puppetmaster.info.com (97:34:BF:26:A6:0E:E9:9C:DB:76:D3:53:D0:56:60:83) (alt names: DNS:puppet, DNS:puppet.info.com, DNS:puppetmaster.info.com)
如果要批准全部证书
点击(此处)折叠或打开
puppetca -s -a
也可以在puppetmaster端的puppet.conf加入这行:
autosign = true
服务端就自动签证书
回到客户端操作,从服务端取回已批准的证书
点击(此处)折叠或打开
[root@client1 puppet-2.7.14]# puppetd --test --server puppetmaster.info.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client1.info.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client1.info.com
info: Applying configuration version '1378188531
验证证书是否正确
点击(此处)折叠或打开
服务端:
[root@puppetmaster ~]# md5sum /var/lib/puppet/ssl/ca/signed/client1.info.com.pem
27a295f39a6b4a6c7ceb74c9c3a5084c /var/lib/puppet/ssl/ca/signed/client1.info.com.pem
客户端:
[root@client1 puppet-2.7.14]# md5sum /etc/puppet/ssl/certs/client1.info.com.pem
27a295f39a6b4a6c7ceb74c9c3a5084c /etc/puppet/ssl/certs/client1.info.com.pem
出现修改主机名问题引起无法认证,需要重新申请证书,操作以下两个步骤:
服务端:
[root@puppetmaster ~]# rm /var/lib/puppet/ssl/ca/signed/client1.info.com.pem -rf
客户端:
[root@client1 puppet-2.7.14]# rm /etc/puppet/ssl/certs/ -rf
功能测试
服务端:
建立pp文件测试
puppet的第一个执行的代码是在/etc/puppet/manifest/site.pp ,因此这个文件必须存在,而且其他的代码也要通过代码来调用.
点击(此处)折叠或打开
[root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp
node default {
file {"/tmp/viong.txt":
content=>"good,test pass!\nHello World!\n";}
}
上面的代码对默认连入的puppet客户端执行一个操作,在/tmp目录生成一个viong.txt文件,内容是good,test pass! 回车换行Hello World!回车换行.
初次创建pp文件,需要重启puppetmaster
点击(此处)折叠或打开
[root@puppetmaster ~]# service puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
客户端:
点击(此处)折叠或打开
[root@client1 puppet-2.7.14]# puppetd --test --server puppetmaster.info.com
info: Caching catalog for client1.info.com
info: Applying configuration version '1378190404'
notice: /Stage[main]//Node[default]/File[/tmp/viong.txt]/ensure: defined content as '{md5}4750aa5be82dae5db286a5859700dd51'
notice: Finished catalog run in 0.03 seconds
如果报错
[root@client1 puppet-2.7.14]# puppetd --test --server puppetmaster.info.com
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Syntax error at end offile; expected '}' at /etc/puppet/manifests/site.pp:4 on node client1.info.com
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
可能是/etc/puppet/manifests/site.pp 这个文件书写格式有问题。
在客户端查看:
点击(此处)折叠或打开
[root@client1 puppet-2.7.14]# ls -l /tmp/viong.txt
-rw-r--r-- 1 root root 29 Sep 3 14:50 /tmp/viong.txt
[root@client1 puppet-2.7.14]# cat /tmp/viong.txt
good,test pass!
Hello World!
功能模块介绍及实例操作
文件分发:
通过puppet可以向被管理机上推送文件,方法是使用file类型的source属性
1:修改/etc/puppet、fileserver.conf
2:修改/etc/puppet/manifests/ site.pp
实例:要把server服务器上/opt目录下的mysql-5.1.49-linux-i686-icc-glibc23.tar.gz传输至client服务器的/opt目录下,文件名不变。
第一步:Vi /etc/puppet/fileserver.conf
[files]
path /opt/
allow 192.168.133.0/24
第二步:vi /etc/puppet/manifests/site.pp
file
{ "/opt/mysql-5.1.49-linux-i686-icc-glibc23.tar.gz":
source => "puppet://$puppetserver/files/mysql-5.1.49-linux-i686-icc-glibc23.tar.gz",
}
第三步:
在client客户端执行更新命令
puppetd --test --server testsns
此处“$puppetserver”是puppet Server端的名称,即hostname,网上教程都是在hosts里指定,生产环境下用内部的DNS上作解析,像我公司一个www平台就有70台linux服务器,一个个添加hosts,不搞死人去。
修改文件属性:
实例:把/tmp/dd142/ puppet-2.6.13.tar.gz文件的权限改为puppet用户,并设置权限为666。
第一步:编辑Server端的site.pp
vi /etc/puppet/manifests/site.pp
---内容如下
file
{ "/tmp/dd142/puppet-2.6.13.tar.gz":
owner => "puppet",
group => "puppet",
mode => 666,
}
----
第二步:在client端执行命令
puppetd --test --server testsns
执行SHELL命令或shell脚本:
实例:通过puppet分发执行shell脚本,在客户端的opt目录下新建一目录shelldir。
第一步:编辑Server端的site.pp
vi /etc/puppet/manifests/site.pp
exec { "exec-mkdir":
cwd => "/opt",
command => "sh /opt/lgh.sh",
user => "root",
path => "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin",
}
第二步:在client端编辑一shell脚本
第三步:在client端执行命令
puppetd --test --server testsns
在/opt目录下查看shelldir有没有建立。
服务检查及修改:
可以通过puppet对一些服务进行检查。puppet是通过service命令操作的。所以,只能针对在/etc/init.d/目录下的服务
实例:把客户端的防火墙起来(原来是关闭的)
vi /etc/puppet/manifests/site.pp //清空site.pp,再新建
service
{ iptables:
ensure => "running",
}
cron计划任务:
接上面的shell程序实例,在17:30执行/opt/lgh.sh。
cron { "cron-shell": #title部分,可用来作为注释。
command => "sh /opt/lgh.sh" #要执行的命令
user => "root", #添加到root用户下的crontab中
minute => "30", #即第一个星号
hour => "17" #即第二个星号
}
登录客户端查看效果
扩展阅读:
在开源世界里,有很多配置工具可供选择,这个领域一些关键的产品有:
Puppet(http://puppet.reductivelabs.com/):
Ruby写成的配置管理工具,使用C/S架构,使用declarative language配置客户端。
Cfengine(http://www.cfengine.org):
最先发布的开源配置工具之一,1993年发布,同样是C/S架构,通常应用于教育机构。
LCFG(http://www.lcfg.org/):
C/S架构的配置管理工具,使用XML定义配置。
Bcfg2
Python编写的C/S架构的配置管理工具,使用规格书和客户机响应配置目标主机。
本文档致力于描述使用Puppet管理你的主机、应用程序、后台程序和各种服务。
在此只讲Puppet,因为它简单,强大,流行。
转载于:https://blog.51cto.com/9411763/1617248
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
