Puppet Installation and Configuration Manual

Contents
I. Preparation
II. Installing, configuring and using Puppet
III. Establishing the master-agent trust relationship
IV. Writing the update module

I. Preparation

1. Network address plan

    HOSTNAME                       IP            certname                       operatingsystem
    monitor-ip-centos.ttwg168.com  192.168.1.10  puppetmaster_cert.ttwg168.com  centos 6.7
    user-ip-centos.ttwg168.com     192.168.1.20  user_cert.ttwg168.com          centos 6.7
    ...                            ...           ...                            ...

Set the hostname

    [root@puppetmaster ~]# vim /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=puppetmaster.kisspuppet.com

    [root@agent1 ~]# vim /etc/sysconfig/network
    NETWORKING=yes
    NETWORKING_IPV6=no
    HOSTNAME=agent1.kisspuppet.com

Set the IP address

The address can be configured with the system-config-network command first and then adjusted in the configuration file:

    [root@puppetmaster ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0
    TYPE=Ethernet
    ONBOOT=yes
    NM_CONTROLLED=yes
    BOOTPROTO=none
    IPADDR=192.168.100.110
    NETMASK=255.255.255.0
    GATEWAY=192.168.100.110
    DNS1=192.168.100.110
    IPV6INIT=no
    USERCTL=no

Note: same on all nodes.

Disable NetworkManager

NetworkManager is the service the RHEL graphical desktop uses to manage network cards. Leaving it running interferes with the network configuration, and RHEL6 enables it by default, so it is recommended to turn it off.

    [root@puppetmaster ~]# /etc/init.d/NetworkManager stop
    Stopping NetworkManager daemon:                            [  OK  ]
    [root@puppetmaster ~]# chkconfig NetworkManager off

Note: same on all nodes.

Disable SELinux

    [root@puppetmaster ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config

Note: same on all nodes.

Set up SSH keys

For convenience, create a key pair so that everything can be pushed out from the puppetmaster:

    [root@puppetmaster ~]# ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    ff:55:8d:31:34:b4:b3:6a:70:3b:aa:09:76:12:5b:8d root@puppetmaster.kisspuppet.com

    [root@puppetmaster ~]# for i in {1..3}; do ssh-copy-id -i 192.168.100.11$i; done
    The authenticity of host '192.168.100.111 (192.168.100.111)' can't be established.
    RSA key fingerprint is ae:db:c5:0c:0e:3f:8c:62:ea:a1:26:e2:09:63:18:32.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.100.111' (RSA) to the list of known hosts.
    root@192.168.100.111's password:
    Now try logging into the machine, with "ssh '192.168.100.111'", and check in:

      .ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.
    ...

Set up the hosts file

Puppet communication requires that agent and master can resolve each other's hostnames. DNS would work as well, and a DNS service is set up in part IV when the kermit architecture is built; for now the hosts file is used for resolution. Configure it on the puppetmaster first and then copy it to every node.

    [root@puppetmaster ~]# vim /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.100.110 puppetmaster.kisspuppet.com puppetmaster
    192.168.100.111 agent1.kisspuppet.com agent1
    192.168.100.112 agent2.kisspuppet.com agent2
    192.168.100.113 agent3.kisspuppet.com agent3

    [root@puppetmaster ~]# for i in {1..3}; do scp /etc/hosts 192.168.100.11$i:/etc/; done
    hosts                                         100%  354     0.4KB/s   00:00
    hosts                                         100%  354     0.4KB/s   00:00
    hosts                                         100%  354     0.4KB/s   00:00

    [root@agent1 ~]# ping puppetmaster.kisspuppet.com   # remember to test once the setup is done
    PING puppetmaster.kisspuppet.com (192.168.100.110) 56(84) bytes of data.
    64 bytes from puppetmaster.kisspuppet.com (192.168.100.110): icmp_seq=1 ttl=64 time=1.00 ms
    64 bytes from puppetmaster.kisspuppet.com (192.168.100.110): icmp_seq=2 ttl=64 time=0.327 ms
    64 bytes from puppetmaster.kisspuppet.com (192.168.100.110): icmp_seq=3 ttl=64 time=0.996 ms

    --- puppetmaster.kisspuppet.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1999ms
    rtt min/avg/max/mdev = 0.327/0.774/1.000/0.317 ms

2. Configure a local YUM repository

    [root@puppetmaster ~]# mkdir /media/cdrom
    [root@puppetmaster ~]# mount /dev/cdrom /media/cdrom/
    mount: block device /dev/sr0 is write-protected, mounting read-only
    [root@puppetmaster ~]# cp /etc/yum.repos.d/rhel-source.repo /etc/yum.repos.d/rhel-base.repo
    [root@puppetmaster ~]# vim /etc/yum.repos.d/rhel-base.repo
    [rhel-base]
    name=Red Hat Enterprise Linux $releasever - $basearch - Source
    baseurl=file:///media/cdrom
    enabled=1
    gpgcheck=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

    [root@puppetmaster ~]# yum clean all
    Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    Cleaning repos: rhel-base
    Cleaning up Everything

    [root@puppetmaster ~]# yum install tree lrzsz   # test the repository
    Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    rhel-base                                                | 3.9 kB     00:00 ...
    rhel-base/primary_db                                     | 3.1 MB     00:01 ...
    Setting up Install Process
    Resolving Dependencies
    ...

3. Set up the NTP server

Configure the NTP server

Configure the NTP server to synchronise with the local clock; if the hosts have Internet access they can synchronise with an external server instead. All that matters here is that every server's time agrees. The reason is that the clock difference between puppetmaster and agent must not exceed 10 minutes (as far as I recall), and the mcollective server and clients configured later must not differ by more than 60 seconds.

    [root@puppetmaster ~]# rpm -qa | grep ntp
    fontpackages-filesystem-1.41-1.1.el6.noarch
    ntpdate-4.2.4p8-3.el6.x86_64   # installed by default
    ntp-4.2.4p8-3.el6.x86_64       # installed by default
    [root@puppetmaster ~]# cp /etc/ntp.conf{,.bak}
    [root@puppetmaster ~]# vim /etc/ntp.conf
    driftfile /var/lib/ntp/drift
    logfile /var/log/ntp.log
    Broadcastdelay 0.008
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict default ignore
    restrict 127.0.0.1
    restrict -6 ::1
    restrict 192.168.100.0 mask 255.255.255.0 notrap nomodify
    server 127.127.1.0 # local clock
    fudge 127.127.1.0 stratum 10 refid NIST
    includefile /etc/ntp/crypto/pw
    keys /etc/ntp/keys

    [root@puppetmaster ~]# /etc/init.d/ntpd start
    Starting ntpd:                                             [  OK  ]
    [root@puppetmaster ~]# chkconfig ntpd on

Test from a node and set up crontab

    [root@agent1 ~]# ntpdate puppetmaster.kisspuppet.com
    7 Mar 06:08:30 ntpdate[16411]: adjust time server 192.168.100.110 offset 0.049448 sec
    [root@agent1 ~]# crontab -l   # can be set with the crontab -e command
    */30 * * * * /usr/sbin/ntpdate puppetmaster.kisspuppet.com >>/root/ntdate.log 2>&1
    [root@agent1 ~]# /etc/init.d/crond reload && /sbin/clock --systohc
    Reloading cron daemon configuration:                       [  OK  ]

4. Build the local yum repository

    [root@puppetmaster RHEL6U4]# yum install createrepo   # install the tool that builds package repositories
    [root@puppetmaster RHEL6U4]# createrepo .   # generate repodata for every rpm in this directory and its subdirectories
    Spawning worker 0 with 105 pkgs
    Workers Finished
    Gathering worker results
    Saving Primary metadata
    Saving file lists metadata
    Saving other metadata
    Generating sqlite DBs
    Sqlite DBs complete

5. Install and configure the FTP server

    [root@puppetmaster ~]# yum install vsftpd
    Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    rhel-base                                                | 3.9 kB     00:00 ...
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package vsftpd.x86_64 0:2.2.2-11.el6 will be installed
    --> Finished Dependency Resolution
    ...

Configure the FTP server

    [root@puppetmaster ~]# cp /etc/vsftpd/vsftpd.conf{,.bak}
    [root@puppetmaster ~]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    anon_upload_enable=YES
    anon_root=/puppet   # directory served to anonymous users
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_file=/var/log/xferlog
    xferlog_std_format=YES
    listen=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES

    [root@puppetmaster ~]# /etc/init.d/vsftpd start
    Starting vsftpd for vsftpd:                                [  OK  ]
    [root@puppetmaster ~]# chkconfig vsftpd on

Build the yum repository inside the FTP share, then copy the generated yum source into the FTP shared directory:

    [root@puppetmaster ~]# ll /puppet/
    total 12
    drwxr-xr-x 4 root root 4096 Mar  7 06:21 RHEL5U7
    drwxr-xr-x 4 root root 4096 Mar  7 06:21 RHEL5U8
    drwxr-xr-x 6 root root 4096 Mar  7 06:21 RHEL6U4
    [root@puppetmaster ~]# ll /puppet/RHEL6U4/
    total 16600
    -rw-r--r-- 1 root root   87643 Mar  7 06:21 facter-1.7.3-1.el5.x86_64.rpm
    -rw-r--r-- 1 root root   87440 Mar  7 06:21 facter-1.7.3-1.el6.x86_64.rpm
    drwxr-xr-x 2 root root    4096 Mar  7 06:21 gem
    -rw-r--r-- 1 root root  634944 Mar  7 06:21 GeoIP-1.4.8-1.el6.x86_64.rpm
    -rw-r--r-- 1 root root  151654 Mar  7 06:21 keepalived-1.2.7-1.1.x86_64.rpm
    -rw-r--r-- 1 root root   10924 Mar  7 06:21 mcollective-2.2.4-1.el6.noarch.rpm
    -rw-r--r-- 1 root root   24596 Mar  7 06:21 mcollective-client-2.2.4-1.el6.noarch.rpm
    -rw-r--r-- 1 root root  759300 Mar  7 06:21 mcollective-common-2.2.4-1.el6.noarch.rpm
    drwxr-xr-x 3 root root    4096 Mar  7 06:21 mcollective-plugins
    drwxr-xr-x 2 root root    4096 Mar  7 06:21 mq
    -rw-r--r-- 1 root root  406588 Mar  7 06:21 nginx-1.0.15-5.el6.x86_64.rpm
    -rw-r--r-- 1 root root 1128352 Mar  7 06:21 puppet-2.7.23-1.el6.noarch.rpm
    -rw-r--r-- 1 root root 4509032 Mar  7 06:21 puppet-dashboard-1.2.23-1.el6.noarch.rpm
    -rw-r--r-- 1 root root   25596 Mar  7 06:21 puppet-server-2.7.23-1.el6.noarch.rpm
    -rw-r--r-- 1 root root 3729988 Mar  7 06:21 rabbitmq-server-3.1.5-1.el6.noarch.rpm
    drwxr-xr-x 2 root root    4096 Mar  7 06:21 repodata

6. Configure the remote YUM repository

    [root@puppetmaster ~]# vim /etc/yum.repos.d/rhel-puppet.repo
    [rhel-puppet]
    name=puppetlabs epel gems for rhel
    baseurl=ftp://puppetmaster.kisspuppet.com/RHEL6U4   # points at the FTP server address
    enabled=1
    gpgcheck=0

    [root@puppetmaster ~]# yum list | grep puppet-server   # test
    puppet-server.noarch    2.7.25-1.el6

7. Software version selection

    Software          Version    Source
    puppet-server     3.8.25-1   puppetlabs
    puppet            3.8.25-1   puppetlabs
    facter            1.7.5      puppetlabs
    puppet-dashboard  1.2.23     puppetlabs
    ruby              1.8.*      bundled with the system
    mcollective       2.2.4      puppetlabs
    activemq          5.5.0      puppetlabs
    rabbitmq-server   3.1.5      rabbitmq website
    kermit-webui      1.2-1      kermit website

This project uses the 3.8 version.

II. Installing, configuring and using Puppet

1. Install the puppetmaster

Install puppet-server, puppet and facter

    [root@puppetmaster ~]# yum install puppet puppet-server facter -y   # the system pulls in the ruby dependency packages itself

Configure puppet.conf

    [root@puppetmaster ~]# cp /etc/puppet/puppet.conf{,.bak}   # back up
    [root@puppetmaster ~]# vim /etc/puppet/puppet.conf   # comments already removed
    [main]
    logdir = /var/log/puppet   # default log directory
    rundir = /var/run/puppet   # pid file directory
    ssldir = $vardir/ssl   # certificate directory; $vardir defaults to /var/lib/puppet
    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = puppetmaster.kisspuppet.com   # the master service name the agent authenticates against and connects to; this name must be resolvable by the nodes
    certname = puppetmaster_cert.kisspuppet.com   # the certname of this host's own agent
    [master]
    certname = puppetmaster.kisspuppet.com   # the puppetmaster's certificate service name

Note: two certnames are configured here. The certname under [master] is the master name every node authenticates against; the certname under [agent] is this host's own agent name. If it is not set, it defaults to the same name as the master.

Create site.pp

site.pp is the entry point from which puppet reads the pp files of every module. Before version 3.0 it had to exist, otherwise the service would not start.

    [root@puppetmaster ~]# touch /etc/puppet/manifests/site.pp

Start the puppetmaster service

    [root@puppetmaster ~]# /etc/init.d/puppetmaster start
    Starting puppetmaster:                                     [  OK  ]
    [root@puppetmaster ~]# chkconfig puppetmaster on   # start at boot

Check the local certificates

On its first start the puppetmaster generates its own certificate and registers itself automatically.

    [root@puppetmaster ~]# tree /var/lib/puppet/ssl/
    /var/lib/puppet/ssl/
    ├── ca
    │   ├── ca_crl.pem
    │   ├── ca_crt.pem
    │   ├── ca_key.pem
    │   ├── ca_pub.pem
    │   ├── inventory.txt
    │   ├── private
    │   │   └── ca.pass
    │   ├── requests
    │   ├── serial
    │   └── signed
    │       └── puppetmaster.kisspuppet.com.pem   # registered
    ├── certificate_requests
    ├── certs
    │   ├── ca.pem
    │   └── puppetmaster.kisspuppet.com.pem
    ├── crl.pem
    ├── private
    ├── private_keys
    │   └── puppetmaster.kisspuppet.com.pem
    └── public_keys
        └── puppetmaster.kisspuppet.com.pem

    9 directories, 13 files

    [root@puppetmaster ~]# puppet cert --list --all   # entries marked with + are registered
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

Check the listening port

Once the puppetmaster service is running it listens on TCP port 8140 by default.

    [root@puppetmaster ~]# netstat -nlatp | grep 8140
    tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      1976/ruby
    [root@puppetmaster ~]# lsof -i:8140
    COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    puppetmas 1976 puppet    5u  IPv4  14331      0t0  TCP *:8140 (LISTEN)

2. Install the agent

Install puppet and facter

    [root@agent1 ~]# yum install puppet facter   # the system pulls in the ruby dependency packages itself

Configure puppet.conf

    [root@agent1 ~]# cp /etc/puppet/puppet.conf{,.bak}
    [root@agent1 ~]# vim /etc/puppet/puppet.conf
    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = puppetmaster.kisspuppet.com   # points at the puppetmaster
    certname = agent1_cert.kisspuppet.com   # this node's own certname

Start the node in debug mode so that it requests a certificate from the puppetmaster

    [root@agent1 ~]# puppet agent --test
    info: Creating a new SSL key for agent1_cert.kisspuppet.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
    info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
    Exiting; no certificate found and waitforcert is disabled

Confirm the request on the server side

    [root@puppetmaster ~]# puppet cert --list --all   # check the certificate status
      "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)   # not yet signed
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    [root@puppetmaster ~]# puppet cert --sign agent1_cert.kisspuppet.com   # register agent1
    notice: Signed certificate request for agent1_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'
    [root@puppetmaster ~]# puppet cert --list --all   # check the certificate status again
    + "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

    [root@puppetmaster ~]# tree /var/lib/puppet/ssl/   # another way to check what has been signed
    /var/lib/puppet/ssl/
    ├── ca
    │   ├── ca_crl.pem
    │   ├── ca_crt.pem
    │   ├── ca_key.pem
    │   ├── ca_pub.pem
    │   ├── inventory.txt
    │   ├── private
    │   │   └── ca.pass
    │   ├── requests
    │   ├── serial
    │   └── signed
    │       ├── agent1_cert.kisspuppet.com.pem   # registered successfully
    │       └── puppetmaster.kisspuppet.com.pem
    ├── certificate_requests
    ├── certs
    │   ├── ca.pem
    │   └── puppetmaster.kisspuppet.com.pem
    ├── crl.pem
    ├── private
    ├── private_keys
    │   └── puppetmaster.kisspuppet.com.pem
    └── public_keys
        └── puppetmaster.kisspuppet.com.pem

    9 directories, 14 files

Register the remaining nodes together

    [root@puppetmaster ~]# puppet agent --test   # the puppetmaster requests a certificate for its own agent
    info: Creating a new SSL key for puppetmaster_cert.kisspuppet.com
    info: Creating a new SSL certificate request for puppetmaster_cert.kisspuppet.com
    info: Certificate Request fingerprint (md5): 7D:AC:F7:97:04:2B:E4:C5:74:4A:16:05:DB:F6:6A:98
    Exiting; no certificate found and waitforcert is disabled
    [root@puppetmaster ~]# puppet cert --sign --all   # sign every pending node request
    notice: Signed certificate request for puppetmaster_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest puppetmaster_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/puppetmaster_cert.kisspuppet.com.pem'
    notice: Signed certificate request for agent2_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent2_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent2_cert.kisspuppet.com.pem'
    notice: Signed certificate request for agent3_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent3_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent3_cert.kisspuppet.com.pem'
    [root@puppetmaster ~]# puppet cert --list --all   # check every node's certificate
    + "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
    + "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
    + "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

3. Write a simple motd module

Create the module directory structure

Note: when no modulepath search path is specified there is a default one, which can be found as follows:

    [root@puppetmaster ~]# puppet master --genconfig >/etc/puppet/puppet.conf.out
    [root@puppetmaster ~]# cat /etc/puppet/puppet.conf.out | grep modulepath
    modulepath = /etc/puppet/modules:/usr/share/puppet/modules

    [root@puppetmaster modules]# tree /etc/puppet/modules/
    /etc/puppet/modules/
    └── motd
        ├── files   # directory for files served to nodes
        │   └── etc
        │       └── motd
        ├── manifests   # directory for the module's pp configuration files
        │   └── init.pp
        └── templates   # directory for templates

    5 directories, 2 files

Write the pp file

    [root@puppetmaster modules]# vim motd/manifests/init.pp
    class motd{   # define a class named motd
      package{ 'setup':   # define a package resource
        ensure => present,   # the setup package must be installed
      }
      file{ '/etc/motd':   # define a file resource
        ensure => present,   # the file must exist
        owner => 'root',   # the file's owner must be root
        group => 'root',   # the file's group must be root
        mode => '0644',   # the file's permissions must be 644
        source => "puppet://$puppetserver/modules/motd/etc/motd",   # the file is fetched from the puppetmaster
        require => Package['setup'],   # the package resource is applied before the file is configured
      }
    }
    [root@puppetmaster modules]# cat motd/files/etc/motd
    -- --
    --------puppet test---------
    -- --

Write the site.pp file

    [root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp
    $puppetserver = 'puppetmaster.kisspuppet.com'   # global variable
    node 'puppetmaster_cert.kisspuppet.com'{
      include motd
    }
    node 'agent1_cert.kisspuppet.com'{
      include motd
    }
    node 'agent2_cert.kisspuppet.com'{
      include motd
    }
    node 'agent3_cert.kisspuppet.com'{
      include motd
    }

4. Test motd

    [root@agent1 ~]# puppet agent --test   # test node agent1
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394304542'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd   2000-01-13 07:18:52.000000000 +0800
    +++ /tmp/puppet-file20140309-4571-1vqc18j-0 2014-03-09 02:51:47.000000000 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    notice: Finished catalog run in 0.40 seconds
    [root@agent1 ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --

    [root@puppetmaster ~]# puppet agent -t   # test node puppetmaster
    info: Caching catalog for puppetmaster_cert.kisspuppet.com
    info: Applying configuration version '1394305371'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd   2010-01-12 21:28:22.000000000 +0800
    +++ /tmp/puppet-file20140309-3102-1gadon0-0 2014-03-09 03:02:51.966998294 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    info: Creating state file /var/lib/puppet/state/state.yaml
    notice: Finished catalog run in 0.52 seconds
    [root@puppetmaster ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --

III. Establishing the master-agent trust relationship

Puppet offers essentially three registration methods: automatic registration, manual registration and pre-signed registration.

1. Manual registration

With manual registration the agent first sends a certificate signing request, and registration only succeeds once the Puppetserver side confirms it. This method has a medium level of safety. Signing nodes one by one (puppet cert --sign certname) is tedious and slow when there are many nodes; batch signing (puppet cert --sign --all) is very efficient and registers every pending agent request at once, but its safety is lower, because wrong requests get registered as well.

The node requests registration

    [root@agent1 ~]# puppet agent --test
    info: Creating a new SSL key for agent1_cert.kisspuppet.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
    info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
    Exiting; no certificate found and waitforcert is disabled

The server confirms the request

    [root@puppetmaster ~]# puppet cert --list --all   # check the certificate status
      "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)   # not yet signed
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    [root@puppetmaster ~]# puppet cert --sign agent1_cert.kisspuppet.com   # formally register the requested certificate
    notice: Signed certificate request for agent1_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'   # the request is removed
    [root@puppetmaster ~]# puppet cert --list --all   # check the certificate status again
    + "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

The tree /var/lib/puppet/ssl/ listing on the puppetmaster (another way to check what has been signed) is the same as in section II: agent1_cert.kisspuppet.com.pem appears under ca/signed, 9 directories, 14 files.

2. Automatic registration

Put simply, this method is controlled by an ACL list on the Puppetmaster side and has a low safety level: every node request that matches the predefined ACL list is registered automatically without confirmation. In other words, anyone who knows what the ACL list requires and can talk to the PuppetMaster can register without difficulty. Its great advantage, of course, is that it is extremely efficient.

Remove agent1's certificate, already registered on the PuppetMaster

    [root@puppetmaster ~]# puppet cert --clean agent1_cert.kisspuppet.com
    notice: Revoked certificate with serial 3
    notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/signed/agent1_cert.kisspuppet.com.pem'
    notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem'
    [root@puppetmaster ~]# puppet cert --list --all   # agent1's certificate is gone
    + "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
    + "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

Remove the registered certificate on agent1

    [root@agent1 ~]# rm -rf /var/lib/puppet/ssl/*

Write the ACL list on the Puppetmaster

    [root@puppetmaster ~]# vim /etc/puppet/autosign.conf
    *.kisspuppet.com
    [root@puppetmaster ~]# /etc/init.d/puppetmaster restart
    Stopping puppetmaster:                                     [  OK  ]
    Starting puppetmaster:                                     [  OK  ]
    [root@puppetmaster ~]# puppet cert --list --all

Automatic registration

    [root@agent1 ~]# puppet agent --test   # request a certificate
    info: Creating a new SSL key for agent1_cert.kisspuppet.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
    info: Certificate Request fingerprint (md5): ED:C9:C7:DF:F1:0E:53:1C:D3:73:5D:B7:D3:94:1F:60
    info: Caching certificate for agent1_cert.kisspuppet.com
    info: Caching certificate_revocation_list for ca
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: Finished catalog run in 1.39 seconds
    [root@agent1 ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --

Check on the server side

    [root@puppetmaster ~]# puppet cert --list --all   # agent1 has been registered automatically
    + "agent1_cert.kisspuppet.com" (9E:1A:2B:48:26:7D:26:8D:1D:F5:5E:34:A1:6B:13:5F)
    + "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
    + "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

Node test (motd module test)

    [root@agent1 ~]# >/etc/motd   # empty the file
    [root@agent1 ~]# puppet agent --test
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd   2014-03-09 17:59:02.000000000 +0800
    +++ /tmp/puppet-file20140309-3678-15tazyj-0 2014-03-09 17:59:06.000000000 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    notice: Finished catalog run in 0.42 seconds
    [root@agent1 ~]# cat /etc/motd   # the file content has been regenerated
    -- --
    --------puppet test---------
    -- --

3. Pre-signed registration

With pre-signed registration the agent's certificate is generated in advance on the puppetmaster, before the agent has made any request, and then copied into the corresponding directory on the node, after which the node is registered. This method has the highest safety level, but it is laborious: the certname of every node must be known beforehand, and the generated certificates then have to be copied to every node one by one. If an automation tool such as kickstart or cobbler is installed on your systems, however, the certificate part can be turned into a script and integrated into the unified automated deployment.

Note: this is the recommended registration method for production, being both safe and reliable!

Remove agent1's certificate, already registered on the PuppetMaster

    [root@puppetmaster ~]# puppet cert --clean agent1_cert.kisspuppet.com
    notice: Revoked certificate with serial 3
    notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/signed/agent1_cert.kisspuppet.com.pem'
    notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem'
    [root@puppetmaster ~]# puppet cert --list --all   # agent1's certificate is gone
    + "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
    + "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

Remove all registration state on agent1, including the certificate

    [root@agent1 ~]# rm -rf /var/lib/puppet/*

Remove the automatic-registration ACL list

    [root@puppetmaster ~]# mv /etc/puppet/autosign.conf{,.bak}

Generate agent1's certificate in advance on the puppetserver

    [root@puppetmaster ~]# puppetca --generate agent1_cert.kisspuppet.com
    notice: agent1_cert.kisspuppet.com has a waiting certificate request
    notice: Signed certificate request for agent1_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'
    notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certificate_requests/agent1_cert.kisspuppet.com.pem'

Create the directory structure on the node

    [root@agent1 ~]# puppet agent --test --server=abc.com   # any server name will do; this only creates the directory structure
    info: Creating a new SSL key for agent1_cert.kisspuppet.com
    err: Could not request certificate: getaddrinfo: Temporary failure in name resolution
    Exiting; failed to retrieve certificate and waitforcert is disabled
    [root@agent1 ~]# tree /var/lib/puppet/ssl/
    /var/lib/puppet/ssl/
    |-- certificate_requests
    |-- certs
    |-- private
    |-- private_keys
    |   `-- agent1_cert.kisspuppet.com.pem
    `-- public_keys
        `-- agent1_cert.kisspuppet.com.pem

    5 directories, 2 files

Copy the certificate from the puppetmaster to agent1

    [root@puppetmaster ~]# scp /var/lib/puppet/ssl/private_keys/agent1_cert.kisspuppet.com.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/private_keys/
    agent1_cert.kisspuppet.com.pem                100% 3243     3.2KB/s   00:00
    [root@puppetmaster ~]# scp /var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/certs/
    agent1_cert.kisspuppet.com.pem                100% 1944     1.9KB/s   00:00
    [root@puppetmaster ~]# scp /var/lib/puppet/ssl/certs/ca.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/certs/
    ca.pem                                        100% 1915     1.9KB/s   00:00
    [root@puppetmaster ~]#

Test agent1

    [root@agent1 ~]# >/etc/motd
    [root@agent1 ~]# puppet agent --test
    info: Caching certificate_revocation_list for ca
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd   2014-03-09 18:18:10.000000000 +0800
    +++ /tmp/puppet-file20140309-4071-1gypudk-0 2014-03-09 18:18:17.000000000 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    info: Creating state file /var/lib/puppet/state/state.yaml
    notice: Finished catalog run in 0.41 seconds
    [root@agent1 ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --

IV. Writing the update module

When Puppet is deployed to production, the first module to write is puppet itself. Puppet can run every other module to carry out its deployment, but as soon as puppet itself breaks, everything stops working. Beyond the puppet module you also have to keep the network reachable and whatever other environment you depend on.

The simple motd module written earlier gave a rough idea of a module's structure and of basic pp syntax; now we go through it in detail.

So what does a complete puppet module have to take into account?

- Are puppet and its dependency packages installed correctly?
- Is the puppet configuration file correct?
- Is the puppet service running normally?
- When the puppet configuration file is updated, can the puppet service be restarted or reloaded automatically?
- Can the puppet package be upgraded automatically to a specified version?

Note: what follows is not done in one go; it is a step-by-step process that leads up to a reasonably complete module.

1. Create the puppet module directory structure

    [root@puppetmaster ~]# cd /etc/puppet/modules/
    [root@puppetmaster modules]# mkdir puppet
    [root@puppetmaster modules]# cd puppet/
    [root@puppetmaster puppet]# mkdir files manifests templates   # create the module directory structure
    [root@puppetmaster puppet]# tree ../puppet
    ../puppet
    ├── files   # files served to nodes
    ├── manifests   # puppet configuration
    └── templates   # configuration templates, for pp files to reference

    3 directories, 0 files
    [root@puppetmaster puppet]#

2. Create the puppet configuration files

    [root@puppetmaster puppet]# cd manifests/
    [root@puppetmaster manifests]# touch init.pp config.pp install.pp service.pp params.pp
    [root@puppetmaster manifests]# tree ../
    ../
    ├── files
    ├── manifests
    │   ├── config.pp   # manages the puppet configuration
    │   ├── init.pp   # ties together every pp file of the module
    │   ├── install.pp   # manages the puppet installation
    │   ├── params.pp   # manages the module's variables and some conditionals
    │   └── service.pp   # manages the puppet service
    └── templates

    3 directories, 5 files

3. Write the puppet module configuration files

The overall flow is: first install puppet (install.pp), then configure puppet (config.pp), and finally start the puppet service (service.pp).

Write the installation file install.pp

Note: the class name must match the module name, here puppet. Since init.pp is the entry file for the whole configuration and should contain only sub-configuration files, the classes are written as "main class name::sub class name", and the sub class name must match the name of the pp file it is created in; for puppet::install, for example, the file must be install.pp.

Write a configuration file without conditionals

Installing puppet on a node also depends mainly on facter:

    [root@puppetmaster manifests]# vim install.pp
    class puppet::install{   # one class containing two sub classes
      include puppet::puppet_install,puppet::facter_install
    }
    class puppet::puppet_install{
      package { 'puppet':
        ensure => installed,   # must be in the installed state
      }
    }
    class puppet::facter_install{
      package { 'facter':
        ensure => installed,
      }
    }

The following two forms work as well:

    [root@puppetmaster manifests]# vim install.pp
    class puppet::install{   # one class containing two resources
      package { 'puppet':
        ensure => installed,
      }
      package { 'facter':
        ensure => installed,
      }
    }

    [root@puppetmaster manifests]# vim install.pp
    class puppet::install{
      package { ['puppet','facter']:   # array form
        ensure => installed,
      }
    }

Add the sub class to init.pp

    [root@puppetmaster manifests]# vim init.pp
    class puppet{
      include puppet::install
    }

Apply it to the nodes in the main configuration file site.pp

    [root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp
    $puppetmaster = 'puppetmaster.kisspuppet.com'
    node 'puppetmaster_cert.kisspuppet.com'{
      include motd,puppet
    }
    node 'agent1_cert.kisspuppet.com'{
      include motd,puppet
    }
    node 'agent2_cert.kisspuppet.com'{
      include motd,puppet
    }
    node 'agent3_cert.kisspuppet.com'{
      include motd,puppet
    }

This can also be written as:

    [root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp
    $puppetmaster = 'puppetmaster.kisspuppet.com'
    class environments{
      include motd,puppet
    }
    node 'puppetmaster_cert.kisspuppet.com'{
      include environments
    }
    node 'agent1_cert.kisspuppet.com'{
      include environments
    }
    node 'agent2_cert.kisspuppet.com'{
      include environments
    }
    node 'agent3_cert.kisspuppet.com'{
      include environments
    }

If every node uses the same modules, this form works too:

    [root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp
    $puppetmaster = 'puppetmaster.kisspuppet.com'
    class environments{
      include motd,puppet
    }
    node default{
      include environments
    }

Write a module that branches on the system version

Consider this situation: my yum source holds many puppet versions, but I want every node to install only the version I specify, say 2.7.25. How is that set? A second case also has to be considered: the nodes may run different system versions, such as RHEL5 and RHEL6, so how can the puppet module decide for itself? The decision can be made with the following fact:

    [root@agent1 ~]# facter | grep operatingsystemmajrelease
    operatingsystemmajrelease => 5
    [root@agent3 ~]# facter | grep operatingsystemmajrelease
    operatingsystemmajrelease => 6

The following form is the more sensible one:

    [root@puppetmaster manifests]# vim install.pp
    class puppet::install{
      include puppet::puppet_install,puppet::facter_install
    }
    class puppet::puppet_install{
      package { 'puppet':
        ensure => $operatingsystemmajrelease ?{   # branch on the system version
          5 => '2.7.25-1.el5',
          6 => '2.7.25-1.el6',
        }
      }
    }
    class puppet::facter_install{
      package { 'facter':
        ensure => $operatingsystemmajrelease ?{
          5 => '1.7.5-1.el5',
          6 => '1.7.5-1.el6',
        }
      }
    }

A simple test

Downgrade facter to 1.7.3:

    [root@agent1 ~]# rpm -e facter --nodeps
    [root@agent1 ~]# rpm -ivh facter-1.7.3-1.el5.x86_64.rpm
    warning: facter-1.7.3-1.el5.x86_64.rpm: Header V3 RSA/SHA1 signature: NOKEY, key ID 4bd6ec30
    Preparing...                ########################################### [100%]
       1:facter                 ########################################### [100%]
    [root@agent1 ~]# facter --version
    1.7.3

...shows how rpm packages are upgraded!

    [root@agent1 ~]# puppet agent -t
    notice: Ignoring --listen on onetime run
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394794815'
    notice: /Stage[main]/Puppet::Facter_install/Package[facter]/ensure: ensure changed '1.7.3-1.el5' to '1.7.5-1.el5'
    notice: Finished catalog run in 6.27 seconds
    [root@agent1 ~]# facter --version
    1.7.5

What happens is this: after synchronising with the puppetmaster the node finds that its facter version is wrong and, according to the system type, immediately calls the underlying installer, yum (other systems such as suse call zypper and so on), to install the right one. The whole process is transparent, and that is the second of puppet's strengths on display here.

Write the configuration file config.pp

For now only puppet.conf is managed:

    [root@puppetmaster manifests]# vim config.pp
    class puppet::config{
      file { '/etc/puppet/puppet.conf':   # path of the file on the node
        ensure => present,   # must exist
        content => template('puppet/puppet.conf.erb'),   # generated from the template; the path is relative, with the templates directory left out
        owner => 'root',   # the file's owner must be root
        group => 'root',   # the file's group must be root
        mode => '0644',   # the file's permissions must be 644
        require => Class['puppet::install'],   # install.pp must have run correctly before this file is configured, i.e. the puppet package must be installed
      }
    }

Write the puppet.conf.erb template

Puppet's erb templates exist to solve the problem of configuring a separate file for every node: an erb template can reference fact variables, whose values change with each node's system.

Below is the current puppet.conf of one node; first we identify the content that varies.

Testing with --noop performs a dry run: it shows what would change on the node without changing anything, which is another of puppet's strengths.
强制执行,可以看到管理端的facter版本变成了puppet模块中指定的版本1.7.5,这其实也说 run ``in` `0.23` `seconds``[root@agent1 ~]# facter --version``1.7``.``3` triggered ``'refresh'` `from ``1` `events``notice: Finished catalog triggered ``'refresh'` `from ``1` `events``notice: Stage[main]: Would have (noop)``notice: Class[Puppet::Facter_install]: Would have current_value ``1.7``.``3``-``1``.el5, should be ``1.7``.``5``-``1``.el5 /Stage[main]/Puppet::Facter_install/Package[facter]/ensure: configuration version ``'1394794815'``notice: run``info: Caching catalog ``for` `agent1_cert.kisspuppet.com``info: Applying root@agent1 ~]# puppet agent -t --noop``notice: Ignoring --listen on onetime]` 现呢,答案是可以的,可写成以下方式 注意:这种创建变量的方法在大量节点的情况下显然不是最好的方法,能否通过fact变量实 } } } fail("certname is not supported on ${::operatingsystem}") ӥಸᲙ٭ default: { #ᦡᗝἕᦊӧਂࣁጱఘ } $certname = 'agent3_cert.kisspuppet.com' agent3: { } $certname = 'agent1_cert.kisspuppet.com' agent1: { certnameݒᰁے case $hostname{ #ी puppetmasterݷᑍ puppetserverݒᰁ೰ݻے $puppetserver = 'puppetmaster.kisspuppet.com' #ी class puppet::params { [root@puppetmaster manifests]# vim params.pp 编写params.pp文件,增加certname变量 hostname => agent3 [root@agent3 ~]# facter |grep hostname hostname => agent1 [root@agent1 ~]# facter |grep hostname 找出fact值具有唯一性的fact,比如hostname 之前我们说过创建params.pp就是为了解决变量问题,我们先用这个解决 接下来解决这两个变量 listen = true runinterval = 10 certname = agent1_cert.kisspuppet.com #ݒᰁ server = puppetmaster.kisspuppet.com #ݒᰁ localconfig = $vardir/localconfig classfile = $vardir/classes.txt [agent] ssldir = $vardir/ssl rundir = /var/run/puppet logdir = /var/log/puppet [main] root@agent1 ~]# vim /etc/puppet/puppet.conf] { { ,[' require => Class['puppet::install mode => '0644', group => 'root', owner => 'root', content => template('puppet/puppet.conf.erb'), ensure => present, file { '/etc/puppet/puppet.conf': ᔮى୚አے include puppet::params #Ⴒ class puppet::config{ [root@puppetmaster manifests]# vim config.pp 确定依赖关系 由于config.pp依赖于params.pp中的变量,所以config.pp中应当应用class puppet::params listen 
= true runinterval = 10 certname certname = <%= scope.lookupvar('puppet::params::certname') %> #୚አݒᰁ puppetserver server = <%= scope.lookupvar('puppet::params::puppetserver') %> #୚አݒᰁ localconfig = $vardir/localconfig classfile = $vardir/classes.txt [agent] ssldir = $vardir/ssl rundir = /var/run/puppet logdir = /var/log/puppet [main] ### config by puppet ### [root@puppetmaster manifests]# vim ../templates/puppet.conf.erb 在模板中引用certname变量注意模板存放的位置要和config.pp中引用模板的位置保持一致 } } } fail("Module puppet is not supported on ${::operatingsystem}") default: { } $facter_release = '1.7.3-1.el6' $puppet_release = '2.7.23-1.el6' 6: { } $facter_release = '1.7.3-1.el5' $puppet_release = '2.7.23-1.el5' 5: { case $operatingsystemmajrelease{ $certname = "${::hostname}_cert.kisspuppet.com" #᭗ᬦfactғhostnameਫሿ $puppetserver = 'puppetmaster.kisspuppet.com' class puppet::params { root@puppetmaster manifests]# vim params.pp] ### ### config by puppet [root@agent1 ~]# cat /etc/puppet/puppet.conf notice: Finished catalog run in 0.34 seconds '{md5}134bae34adddbf30a3fe02ff0eb3c6a6' content changed '{md5}fb17740fd53d8d4dfd6d291788a9bda3' to notice: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content: /etc/puppet/puppet.conf to puppet with sum fb17740fd53d8d4dfd6d291788a9bda3 info: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]: Filebucketed info: FileBucket adding {md5}fb17740fd53d8d4dfd6d291788a9bda3 rundir = /var/run/puppet logdir = /var/log/puppet [main] +### config by puppet ### 
@@ -1,3 +1,4 @@ +0800 +++ /tmp/puppet-file20140314-7475-mlybgg-0 2014-03-14 19:50:16.000000000 --- /etc/puppet/puppet.conf 2014-03-10 08:22:33.000000000 +0800 notice: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content: info: Applying configuration version '1394797763' info: Caching catalog for agent1_cert.kisspuppet.com notice: Ignoring --listen on onetime run [root@agent1 ~]# puppet agent -t 强制执行更新 notice: Finished catalog run in 0.43 seconds notice: Stage[main]: Would have triggered 'refresh' from 1 events notice: Class[Puppet::Config]: Would have triggered 'refresh' from 1 events {md5}134bae34adddbf30a3fe02ff0eb3c6a6 (noop) current_value {md5}fb17740fd53d8d4dfd6d291788a9bda3, should be notice: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content: rundir = /var/run/puppet logdir = /var/log/puppet main]] ړ᮱ے+### config by puppet ### #Ⴒ 
@@ -1,3 +1,4 @@ +0800 +++ /tmp/puppet-file20140314-7231-f50ehp-0 2014-03-14 19:49:24.000000000 --- /etc/puppet/puppet.conf 2014-03-10 08:22:33.000000000 +0800 notice: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content: info: Applying configuration version '1394797763' info: Caching catalog for agent1_cert.kisspuppet.com notice: Ignoring --listen on onetime run [root@agent1 ~]# puppet agent -t --noop 先进行noop测试 更新测试 } include puppet::install,puppet::config class puppet{ [root@puppetmaster manifests]# vim init.pp init.pp中应当包含class puppet::config localconfig = $vardir/localconfig classfile = $vardir/classes.txt [agent] ssldir = $vardir/ssl rundir = /var/run/puppet logdir = /var/log/puppet [main] ### config by puppet ### [root@agent3 ~]# cat /etc/puppet/puppet.conf notice: Finished catalog run in 2.86 seconds info: Creating state file /var/lib/puppet/state/state.yaml '{md5}4f57479998961563e3306b5d0e02a678' content changed '{md5}03cbe6d4def560996eeacedfaef229b4' to notice: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content: /etc/puppet/puppet.conf to puppet with sum 03cbe6d4def560996eeacedfaef229b4 info: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]: Filebucketed info: FileBucket adding {md5}03cbe6d4def560996eeacedfaef229b4 + listen = true + runinterval = 10 certname = agent3_cert.kisspuppet.com server = puppetmaster.kisspuppet.com localconfig = $vardir/localconfig @@ -8,3 +9,5 @@ rundir = /var/run/puppet logdir = /var/log/puppet [main] +### config by puppet ### 
@@ -1,3 +1,4 @@ +0800 +++ /tmp/puppet-file20140314-2786-z4e844-0 2014-03-14 19:51:27.719533700 --- /etc/puppet/puppet.conf 2014-03-09 01:50:46.112175841 +0800 notice: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content: '{md5}87ea3a1af8650395038472457cc7f2b1' '{md5}d41d8cd98f00b204e9800998ecf8427e' to notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed sum d41d8cd98f00b204e9800998ecf8427e info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e +-- -- +--------puppet test--------- +-- -- 
@@ -0,0 +1,3 @@ +0800 +++ /tmp/puppet-file20140314-2786-1wb4mas-0 2014-03-14 19:51:27.589533699 --- /etc/motd 2010-01-12 21:28:22.000000000 +0800 notice: /Stage[main]/Motd/File[/etc/motd]/content: info: Applying configuration version '1394797763' info: Caching catalog for agent3_cert.kisspuppet.com info: Caching certificate_revocation_list for ca info: Caching certificate for agent3_cert.kisspuppet.com [root@agent3 ~]# puppet agent -t runinterval = 10 ਧԎጱcertnameݒᰁኞ౮ض certname = agent1_cert.kisspuppet.com #໑ഝᶼ ਧጱpuppetserverݒᰁኞ౮ض server = puppetmaster.kisspuppet.com #໑ഝᶼ localconfig = $vardir/localconfig classfile = $vardir/classes.txt [agent] ssldir = $vardir/ssl rundir = /var/run/puppet logdir = /var/log/puppet main]] 测试一:查看是否设置了开机启动,查看puppet服务状态 测试 } include puppet::install,puppet::config,puppet::service class puppet{ [root@puppetmaster manifests]# vim init.pp 添加class puppet::service到init.pp中 { { ސ᯿ۓ notify => Class['puppet::service'], #ᯈᗝๅෛݸԆۖ᭗ᬦpuppet๐ require => Class['puppet::install'], mode => '0644', group => 'root', owner => 'root', content => template('puppet/puppet.conf.erb'), ensure => present, file { '/etc/puppet/puppet.conf': include puppet::params class puppet::config{ [root@puppetmaster manifests]# vim config.pp 启,应当做如下设置 这个设置完成后,我们再想想我们预先确定的要求是配置在更新后要求puppet服务自动重 更新config.pp文件,增加通知服务重启功能 } } ਫ᭗ᬦchkconfigᦡᗝpuppetᇫாԅonٌ҅ۖސ enable => true, #ᥝ࿢୏๢ᛔۖ ጱrestart޸եٵຽํٍۓ hasrestart => true, #ᦡᗝpuppet๐ ጱ޸ե“service server_name status"ᬰᤈ༄ັᇫாٵ hasstatus => true, #᭗ᬦຽ Ӟፗ॒ԭᬩᤈᇫாۓ ensure => running, #ᦡᗝpuppet๐ service { 'puppet': class puppet::service{ [root@puppetmaster manifests]# vim service.pp **编写service.pp文件 编写配置文件service.pp runinterval = 10 certname = agent3_cert.kisspuppet.com server = puppetmaster.kisspuppet.com 置呢 在有些场合,我们仅仅需要在修改配置后,让服务重新reload而不是restart,这又当如何设 服务设置reload动作 ۓ๐ސ2.7.25 #᯿ Mar 14 21:20:36 agent1 puppet-agent[13068]: Starting Puppet client version Mar 14 21:20:36 agent1 puppet-agent[13068]: Reopening log files Mar 14 21:20:34 agent1 
puppet-agent[10803]: Caught TERM; calling stop '{md5}8c67cb8c039bb6436556b91f0c6678c4' changed '{md5}898865b650b9af4cae1886a894ce656e' to (/Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content) content Mar 14 21:20:34 agent1 puppet-agent[10803]: seconds Mar 14 21:20:23 agent1 puppet-agent[10803]: Finished catalog run in 0.27 seconds Mar 14 21:20:12 agent1 puppet-agent[10803]: Finished catalog run in 0.36 seconds Mar 14 21:20:01 agent1 puppet-agent[10803]: Finished catalog run in 0.28 seconds Mar 14 21:19:50 agent1 puppet-agent[10803]: Finished catalog run in 0.42 seconds Mar 14 21:19:38 agent1 puppet-agent[10803]: Finished catalog run in 0.37 seconds Mar 14 21:19:27 agent1 puppet-agent[10803]: Finished catalog run in 0.30 seconds Mar 14 21:19:16 agent1 puppet-agent[10803]: Finished catalog run in 0.71 seconds Mar 14 21:19:05 agent1 puppet-agent[10803]: Finished catalog run in 0.35 seconds Mar 14 21:18:53 agent1 puppet-agent[10803]: Finished catalog run in 0.27 2.7.25 Mar 14 21:18:52 agent1 puppet-agent[10803]: Starting Puppet client version Mar 14 21:18:52 agent1 puppet-agent[10803]: Reopening log files [root@agent1 ~]# tailf /var/log/messages [root@agent1 ~]# echo "#add a line" >>/etc/puppet/puppet.conf 测试二、查看配置被更改还原后,服务是否会自动重启 puppetd (pid 8537) is running... [root@agent1 ~]# /etc/init.d/puppet status puppet 0:off 1:off 2:on 3:on 4:on 5:on 6:off [root@agent1 ~]# chkconfig --list | grep puppet notice: Finished catalog run in 1.42 seconds 'stopped' to 'running' notice: /Stage[main]/Puppet::Service/Service[puppet]/ensure: ensure changed info: Applying configuration version '1394798692' info: Caching catalog for agent1_cert.kisspuppet.com notice: Ignoring --listen on onetime run [root@agent1 ~]# puppet agent -t puppetd is stopped [root@agent1 ~]# /etc/init.d/puppet status root@agent1 ~]# chkconfig puppet off] 将install.pp中的判断语句添加到params.pp中 4. 
优化代码 seconds Mar 14 21:32:36 agent1 puppet-agent[13068]: Finished catalog run in 0.25 Mar 14 21:32:35 agent1 puppet-agent[13068]: Reparsing /etc/puppet/puppet.conf seconds Mar 14 21:32:25 agent1 puppet-agent[13068]: Finished catalog run in 0.25 seconds Mar 14 21:32:14 agent1 puppet-agent[13068]: Finished catalog run in 0.32 'refresh' from 1 events Mar 14 21:32:14 agent1 puppet-agent[13068]: (/Service[puppet]) Triggered '{md5}8c67cb8c039bb6436556b91f0c6678c4' changed '{md5}898865b650b9af4cae1886a894ce656e' to (/Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content) content Mar 14 21:32:14 agent1 puppet-agent[13068]: Mar 14 21:32:13 agent1 puppet-agent[13068]: Reparsing /etc/puppet/puppet.conf seconds Mar 14 21:32:03 agent1 puppet-agent[13068]: Finished catalog run in 0.33 [root@agent1 ~]# tailf /var/log/messages [root@agent1 ~]# echo "#add a line" >>/etc/puppet/puppet.conf 测试可以看出服务并没有停止,而是refresh了 } } stop => "/etc/init.d/sshd stop", start => "/etc/init.d/sshd start", restart => "/etc/init.d/sshd reload", #ਖ਼restartද౮reload ᚕ๜ጱ൤ᔱ᪠ஆۖސ path => "/etc/init.d", #ᦡᗝ provider => init, enable => true, hasrestart => true, hasstatus => true, ensure => running, service { 'puppet': class puppet::service{ root@puppetmaster manifests]# vim config.pp] { { , ensure => $puppet::params::facter_release package { 'facter': class puppet::facter_install{ } } class::ݒᰁ” ensure => $puppet::params::puppet_release, #puppet᯾୚አݒᰁጱොဩԅ“$class::ৼ package { 'puppet': class puppet::puppet_install{ } include puppet::puppet_install,puppet::facter_install class puppet::install{ [root@puppetmaster manifests]# vim install.pp #᭗ᬦݒᰁ୚አ } } } fail("Module puppet is not supported on ${::operatingsystem}") default: { } $facter_release = '1.7.3-1.el6' $puppet_release = '2.7.23-1.el6' 6: { } $facter_release = '1.7.3-1.el5' $puppet_release = '2.7.23-1.el5' 5: { ᔮᕹᇇ๜ݒᰁے case $operatingsystemmajrelease{ #Ⴒ } } fail("certname is not supported on ${::operatingsystem}") default: { } $certname = 
'agent3_cert.kisspuppet.com' agent3: { } $certname = 'agent1_cert.kisspuppet.com' agent1: { case $hostname{ $puppetserver = 'puppetmaster.kisspuppet.com' class puppet::params { root@puppetmaster manifests]# vim params.pp]
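The interplay between the fact-based params.pp above and the puppet.conf.erb template can be checked offline with plain Ruby, the language Puppet and ERB are written in. This is an added example, not code from the manual: scope.lookupvar is replaced by a hash lookup, the facts are passed in as a hash, and the version pins, server name and domain are the ones the manual uses.

```ruby
require 'erb'

# Added example, not code from the manual: a plain-Ruby model of what
# class puppet::params and puppet.conf.erb do together for one node.
# Puppet's scope.lookupvar is replaced by a hash lookup; the server
# name, domain and version pins are the ones the manual uses.
PUPPETSERVER = 'puppetmaster.kisspuppet.com'.freeze

# Per-major-release pins, as in params.pp; anything else must fail
# rather than silently install whatever the yum repository offers.
RELEASES = {
  '5' => { puppet: '2.7.23-1.el5', facter: '1.7.3-1.el5' },
  '6' => { puppet: '2.7.23-1.el6', facter: '1.7.3-1.el6' },
}.freeze

class UnsupportedNode < StandardError; end

# Equivalent of class puppet::params: every variable is derived from
# facts, so no per-host case statement is needed.
def params_for(facts)
  rel = RELEASES[facts['operatingsystemmajrelease'].to_s]
  raise UnsupportedNode, "Module puppet is not supported on #{facts['operatingsystem']}" unless rel
  {
    'puppetserver'   => PUPPETSERVER,
    'certname'       => "#{facts['hostname']}_cert.kisspuppet.com",
    'puppet_release' => rel[:puppet],
    'facter_release' => rel[:facter],
  }
end

# The manual's template body; <%= vars[...] %> stands in for
# scope.lookupvar('puppet::params::...'). The quoted heredoc keeps
# $vardir literal, exactly as puppet.conf expects it.
PUPPET_CONF_ERB = <<~'ERB'
  ### config by puppet ###
  [main]
  logdir = /var/log/puppet
  rundir = /var/run/puppet
  ssldir = $vardir/ssl
  [agent]
  classfile = $vardir/classes.txt
  localconfig = $vardir/localconfig
  server = <%= vars['puppetserver'] %>
  certname = <%= vars['certname'] %>
  runinterval = 10
  listen = true
ERB

# Render puppet.conf for one node the way config.pp's template() would.
def render_puppet_conf(facts)
  vars = params_for(facts)
  ERB.new(PUPPET_CONF_ERB).result(binding)
end
```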
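The two service tests above leave distinct traces in /var/log/messages: a "content changed" line for the managed file, then either "Caught TERM" (restart) or "Triggered 'refresh'" (reload). The following added example, not code from the manual, classifies such lines so a log review can tell a repaired managed file (a manifest change or drift on the node) apart from a daemon restart or reload; the sample lines are constructed from the manual's output, and the regular expressions are assumptions about the 2.7 log format, not Puppet's own parser.

```ruby
# Added example, not from the manual. Regexes are assumptions about the
# puppet-agent 2.7 syslog format as shown in the manual's test output.
LINE_RE    = /\A(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) puppet-agent\[(\d+)\]: (.*)\z/
CHANGE_RE  = /\A\(([^)]+)\) content changed '\{md5\}(\h+)' to '\{md5\}(\h+)'\z/
REFRESH_RE = /\A\(([^)]+)\) Triggered 'refresh' from (\d+) events\z/

# Turn one syslog line into an event hash, or nil for non-puppet lines.
def parse_agent_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  ts, host, pid, msg = m.captures
  event = { ts: ts, host: host, pid: pid.to_i }
  if (c = CHANGE_RE.match(msg))
    # A managed file differed from the catalog and was rewritten: either
    # a legitimate manifest change or drift on the node (manual test 2).
    event.merge(kind: :repaired, resource: c[1], from: c[2], to: c[3])
  elsif (r = REFRESH_RE.match(msg))
    event.merge(kind: :reload, resource: r[1], events: r[2].to_i)
  elsif msg.start_with?('Caught TERM')
    event.merge(kind: :restart)
  elsif msg.start_with?('Starting Puppet client version ')
    event.merge(kind: :started, version: msg.split.last)
  else
    event.merge(kind: :other, msg: msg)
  end
end

# Summarise a run of lines: which resources were repaired, and whether
# the daemon restarted (new pid) or merely reloaded its configuration.
def summarise(lines)
  events = lines.map { |l| parse_agent_line(l) }.compact
  {
    repaired:  events.select { |e| e[:kind] == :repaired }.map { |e| e[:resource] },
    restarted: events.any? { |e| e[:kind] == :restart },
    reloaded:  events.any? { |e| e[:kind] == :reload },
    pids:      events.map { |e| e[:pid] }.uniq,
  }
end

# Constructed samples: the restart case (test 2) and the reload case.
RESTART_LOG = [
  "Mar 14 21:20:23 agent1 puppet-agent[10803]: Finished catalog run in 0.27 seconds",
  "Mar 14 21:20:34 agent1 puppet-agent[10803]: (/Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content) content changed '{md5}898865b650b9af4cae1886a894ce656e' to '{md5}8c67cb8c039bb6436556b91f0c6678c4'",
  "Mar 14 21:20:34 agent1 puppet-agent[10803]: Caught TERM; calling stop",
  "Mar 14 21:20:36 agent1 puppet-agent[13068]: Reopening log files",
  "Mar 14 21:20:36 agent1 puppet-agent[13068]: Starting Puppet client version 2.7.25",
].freeze
RELOAD_LOG = [
  "Mar 14 21:32:13 agent1 puppet-agent[13068]: Reparsing /etc/puppet/puppet.conf",
  "Mar 14 21:32:14 agent1 puppet-agent[13068]: (/Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content) content changed '{md5}898865b650b9af4cae1886a894ce656e' to '{md5}8c67cb8c039bb6436556b91f0c6678c4'",
  "Mar 14 21:32:14 agent1 puppet-agent[13068]: (/Service[puppet]) Triggered 'refresh' from 1 events",
  "Mar 14 21:32:14 agent1 puppet-agent[13068]: Finished catalog run in 0.32 seconds",
].freeze
```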

PDF contributor: janinayen, contributed on 2017-05-08
