Puppet basics
puppet
[TOC]
1. What is Puppet
Many companies run into the same problem: a new application is finished, the operations team spends a great deal of time getting it deployed in the test environment, and moving it to production still means changing the configuration line by line. Only after nights of overtime does the new application run properly in production. Meanwhile management is fuming: "I have put a lot of money into this, why does deploying one new application still take this long?"
Puppet's founder, Luke Kanies, suffered through exactly this situation. He started thinking about how system administrators could do their work more efficiently, and the result was the software called Puppet.
Before Puppet, Luke Kanies had written most of his programs in Perl, but when he tried to build the tool he had in mind in Perl he found he could not. He then tried Python and other languages, with the same result. By chance a friend mentioned Ruby and said it was a very capable language; Kanies tried it and developed Puppet in Ruby.
If a company wants to reduce the cost of maintaining many servers, Puppet is one of the better tools available, mainly because it is open source and very complete. Puppet also takes in good suggestions and accepts code contributed by others, which keeps improving its flexibility and usefulness.
2. How Puppet works
In most deployments Puppet uses a client/server (C/S) model, also called the M/A model: M for master (the server side) and A for agent (the client side). The desired configuration is written on the master; each agent then adjusts its own system to match what the master hands it.
Let's walk through how Puppet works in detail.
1) The agent and the master establish a connection. During this step the master must authorize the agent: the master's built-in CA signs the agent's certificate request, and from then on every request runs over SSL/TLS with both sides authenticated by certificate. Until its certificate is signed the agent gets no catalog.
2) The agent runs facter locally to collect facts about the host (hostname, operating system, IP addresses and so on) and sends them to the master together with its catalog request.
3) The master takes the agent's certname and facts and looks up the matching node definition in its manifests.
4) The master compiles the configuration matched for that node into a catalog and sends it to the agent. Some texts call the catalog "pseudocode"; it is really a compiled, serialized list of resources and their desired state.
5) The agent applies the catalog, bringing the local system in line with the master's configuration: installing packages and so on.
6) If file content is needed, the agent requests the files from the master's file server.
7) The agent reports the result of the run back to the master.
8) Done.
3. Installing Puppet
The lab has two machines: servera.example.com is the master and serverb.example.com is the agent. The Puppet version installed is 3.6.2; as a rule master and agent should run the same version. If the versions cannot be kept identical, keep the following in mind:
The master's version must be higher than (or equal to) the agent's for things to work at all.
The wider the gap, the less likely it is to work; a 0.2x agent against a 3.2 master will essentially not run.
Mixed versions usually mean that not all functionality is available.
I have already downloaded the packages needed for master and agent, plus the packages that provide the Ruby environment:
[root@servera puppet]# ls
facter-2.4.1-1.el7.x86_64.rpm
hiera-1.3.4-1.el7.noarch.rpm
puppet-3.6.2-3.el7.noarch.rpm
puppet-firewalld-0.1.3-1.el7.noarch.rpm
puppet-server-3.6.2-3.el7.noarch.rpm
ruby-augeas-0.5.0-1.el7.x86_64.rpm
rubygem-rgen-0.6.6-2.el7.noarch.rpm
ruby-shadow-1.4.1-23.el7.x86_64.rpm
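These packages are local files, and yum does not GPG-check local files by default (localpkg_gpgcheck is 0 on EL7), so a practitioner verifies them before installing. The helper below is an added example written for this page, not code from the original article or from Puppet: it triages the one-line-per-package output of rpm -K and refuses the install if anything is unsigned or fails verification. The sample output it reads is constructed, and the key id in it is made up.

```shell
#!/bin/sh
# Added example, not from the original page: triage `rpm -K` output before
# running `yum localinstall`. yum's localpkg_gpgcheck defaults to 0 on EL7,
# so packages given as local files get no signature check unless you do it.
# Format assumed from rpm 4.11 (EL7), one line per package:
#   name.rpm: rsa sha1 (md5) pgp md5 OK                    -> good signature
#   name.rpm: sha1 md5 OK                                  -> no signature at all
#   name.rpm: RSA sha1 (MD5) PGP MD5 NOT OK (MISSING KEYS...) -> bad sig / unknown key

# Classify one rpm -K line as signed, unsigned or bad.
classify_rpmk_line() {
    case "$1" in
        *"NOT OK"*)  echo bad ;;       # upper-case tokens mark a failure
        *pgp*|*PGP*) echo signed ;;    # a pgp token means a signature was checked
        *)           echo unsigned ;;  # digests only: nobody vouches for this file
    esac
}

# Read rpm -K output on stdin and print every package that is not cleanly
# signed, one per line as "<file> <verdict>". Returns 1 if any were found.
unsafe_packages() {
    rpmk_rc=0
    while IFS= read -r rpmk_line; do
        rpmk_file=${rpmk_line%%:*}
        rpmk_verdict=$(classify_rpmk_line "$rpmk_line")
        if [ "$rpmk_verdict" != signed ]; then
            echo "$rpmk_file $rpmk_verdict"
            rpmk_rc=1
        fi
    done
    return $rpmk_rc
}

# Constructed sample of rpm -K output for three of the page's packages
# (the key id is invented).
SAMPLE_RPMK='facter-2.4.1-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
puppet-3.6.2-3.el7.noarch.rpm: sha1 md5 OK
puppet-server-3.6.2-3.el7.noarch.rpm: RSA sha1 (MD5) PGP MD5 NOT OK (MISSING KEYS: (MD5) PGP#0123abcd)'

# On the real master, after importing the vendor key:
#   rpm --import RPM-GPG-KEY-puppetlabs
#   rpm -K *.rpm | unsafe_packages && yum -y localinstall *.rpm
printf '%s\n' "$SAMPLE_RPMK" | unsafe_packages || echo "refusing to install"
```

The check keys off rpm's convention that lower-case tokens mean "verified" and upper-case ones mean "failed"; a package with a missing key shows up as bad rather than silently passing, which is the case yum's default settings would let through.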
Now install the packages. First the master, which gets all eight RPMs including puppet-server. One caveat before running this: yum's localpkg_gpgcheck defaults to 0, so packages given as local files are installed without a GPG signature check even when gpgcheck=1 is set for the repositories; import the vendor key and verify the files with rpm -K first.
[root@servera puppet]# yum -y localinstall *.rpm
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Examining facter-2.4.1-1.el7.x86_64.rpm: facter-2.4.1-1.el7.x86_64
Marking facter-2.4.1-1.el7.x86_64.rpm to be installed
Examining hiera-1.3.4-1.el7.noarch.rpm: hiera-1.3.4-1.el7.noarch
Marking hiera-1.3.4-1.el7.noarch.rpm to be installed
Examining puppet-3.6.2-3.el7.noarch.rpm: puppet-3.6.2-3.el7.noarch
Marking puppet-3.6.2-3.el7.noarch.rpm to be installed
Examining puppet-firewalld-0.1.3-1.el7.noarch.rpm: puppet-firewalld-0.1.3-1.el7.noarch
Marking puppet-firewalld-0.1.3-1.el7.noarch.rpm to be installed
Examining puppet-server-3.6.2-3.el7.noarch.rpm: puppet-server-3.6.2-3.el7.noarch
Marking puppet-server-3.6.2-3.el7.noarch.rpm to be installed
Examining ruby-augeas-0.5.0-1.el7.x86_64.rpm: ruby-augeas-0.5.0-1.el7.x86_64
Marking ruby-augeas-0.5.0-1.el7.x86_64.rpm to be installed
Examining rubygem-rgen-0.6.6-2.el7.noarch.rpm: rubygem-rgen-0.6.6-2.el7.noarch
Marking rubygem-rgen-0.6.6-2.el7.noarch.rpm to be installed
Examining ruby-shadow-1.4.1-23.el7.x86_64.rpm: ruby-shadow-1.4.1-23.el7.x86_64
Marking ruby-shadow-1.4.1-23.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package facter.x86_64 0:2.4.1-1.el7 will be installed
--> Processing Dependency: /usr/bin/ruby for package: facter-2.4.1-1.el7.x86_64
test | 2.9 kB 00:00
--> Processing Dependency: pciutils for package: facter-2.4.1-1.el7.x86_64
---> Package hiera.noarch 0:1.3.4-1.el7 will be installed
--> Processing Dependency: ruby(release) for package: hiera-1.3.4-1.el7.noarch
---> Package puppet.noarch 0:3.6.2-3.el7 will be installed
--> Processing Dependency: ruby(selinux) for package: puppet-3.6.2-3.el7.noarch
---> Package puppet-firewalld.noarch 0:0.1.3-1.el7 will be installed
---> Package puppet-server.noarch 0:3.6.2-3.el7 will be installed
---> Package ruby-augeas.x86_64 0:0.5.0-1.el7 will be installed
--> Processing Dependency: augeas-libs >= 1.0.0 for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.1.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.10.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.11.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.12.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.14.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.16.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.8.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0()(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
---> Package ruby-shadow.x86_64 0:1.4.1-23.el7 will be installed
---> Package rubygem-rgen.noarch 0:0.6.6-2.el7 will be installed
--> Processing Dependency: ruby(rubygems) for package: rubygem-rgen-0.6.6-2.el7.noarch
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.1.0-17.el7 will be installed
---> Package libselinux-ruby.x86_64 0:2.2.2-6.el7 will be installed
---> Package pciutils.x86_64 0:3.2.1-4.el7 will be installed
---> Package ruby.x86_64 0:2.0.0.598-24.el7 will be installed
--> Processing Dependency: rubygem(bigdecimal) >= 1.2.0 for package: ruby-2.0.0.598-24.el7.x86_64
---> Package ruby-libs.x86_64 0:2.0.0.598-24.el7 will be installed
---> Package rubygems.noarch 0:2.0.14-24.el7 will be installed
--> Processing Dependency: rubygem(rdoc) >= 4.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(psych) >= 2.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(io-console) >= 0.4.2 for package: rubygems-2.0.14-24.el7.noarch
--> Running transaction check
---> Package rubygem-bigdecimal.x86_64 0:1.2.0-24.el7 will be installed
---> Package rubygem-io-console.x86_64 0:0.4.2-24.el7 will be installed
---> Package rubygem-psych.x86_64 0:2.0.0-24.el7 will be installed
--> Processing Dependency: libyaml-0.so.2()(64bit) for package: rubygem-psych-2.0.0-24.el7.x86_64
---> Package rubygem-rdoc.noarch 0:4.0.0-24.el7 will be installed
--> Processing Dependency: ruby(irb) = 2.0.0.598 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Processing Dependency: rubygem(json) >= 1.7.7 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Running transaction check
---> Package libyaml.x86_64 0:0.1.4-11.el7_0 will be installed
---> Package ruby-irb.noarch 0:2.0.0.598-24.el7 will be installed
---> Package rubygem-json.x86_64 0:1.7.7-24.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
============================================================================
Package Arch Version Repository Size
Installing:
facter x86_64 2.4.1-1.el7 /facter-2.4.1-1.el7.x86_64 271 k
hiera noarch 1.3.4-1.el7 /hiera-1.3.4-1.el7.noarch 54 k
puppet noarch 3.6.2-3.el7 /puppet-3.6.2-3.el7.noarch 4.2 M
puppet-firewalld
noarch 0.1.3-1.el7 /puppet-firewalld-0.1.3-1.el7.noarch
46 k
puppet-server noarch 3.6.2-3.el7 /puppet-server-3.6.2-3.el7.noarch 5.6 k
ruby-augeas x86_64 0.5.0-1.el7 /ruby-augeas-0.5.0-1.el7.x86_64 52 k
ruby-shadow x86_64 1.4.1-23.el7 /ruby-shadow-1.4.1-23.el7.x86_64 21 k
rubygem-rgen noarch 0.6.6-2.el7 /rubygem-rgen-0.6.6-2.el7.noarch 307 k
Installing for dependencies:
augeas-libs x86_64 1.1.0-17.el7 test 332 k
libselinux-ruby
x86_64 2.2.2-6.el7 test 127 k
libyaml x86_64 0.1.4-11.el7_0
test 55 k
pciutils x86_64 3.2.1-4.el7 test 90 k
ruby x86_64 2.0.0.598-24.el7
test 67 k
ruby-irb noarch 2.0.0.598-24.el7
test 88 k
ruby-libs x86_64 2.0.0.598-24.el7
test 2.8 M
rubygem-bigdecimal
x86_64 1.2.0-24.el7 test 79 k
rubygem-io-console
x86_64 0.4.2-24.el7 test 50 k
rubygem-json x86_64 1.7.7-24.el7 test 75 k
rubygem-psych x86_64 2.0.0-24.el7 test 77 k
rubygem-rdoc noarch 4.0.0-24.el7 test 318 k
rubygems noarch 2.0.14-24.el7 test 212 k
Transaction Summary
Install 8 Packages (+13 Dependent packages)
Total size: 9.3 M
Total download size: 4.3 M
Installed size: 19 M
Downloading packages:
(1/13): augeas-libs-1.1.0-17.el7.x86_64.rpm | 332 kB 00:00
(2/13): libselinux-ruby-2.2.2-6.el7.x86_64.rpm | 127 kB 00:00
(3/13): libyaml-0.1.4-11.el7_0.x86_64.rpm | 55 kB 00:00
(4/13): pciutils-3.2.1-4.el7.x86_64.rpm | 90 kB 00:00
(5/13): ruby-2.0.0.598-24.el7.x86_64.rpm | 67 kB 00:00
(6/13): ruby-irb-2.0.0.598-24.el7.noarch.rpm | 88 kB 00:00
(7/13): ruby-libs-2.0.0.598-24.el7.x86_64.rpm | 2.8 MB 00:00
(8/13): rubygem-bigdecimal-1.2.0-24.el7.x86_64.rpm | 79 kB 00:00
(9/13): rubygem-io-console-0.4.2-24.el7.x86_64.rpm | 50 kB 00:00
(10/13): rubygem-json-1.7.7-24.el7.x86_64.rpm | 75 kB 00:00
(11/13): rubygem-psych-2.0.0-24.el7.x86_64.rpm | 77 kB 00:00
(12/13): rubygem-rdoc-4.0.0-24.el7.noarch.rpm | 318 kB 00:00
(13/13): rubygems-2.0.14-24.el7.noarch.rpm | 212 kB 00:00
Total 6.6 MB/s | 4.3 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : ruby-libs-2.0.0.598-24.el7.x86_64 1/21
Installing : hiera-1.3.4-1.el7.noarch 2/21
Installing : ruby-shadow-1.4.1-23.el7.x86_64 3/21
Installing : augeas-libs-1.1.0-17.el7.x86_64 4/21
Installing : ruby-augeas-0.5.0-1.el7.x86_64 5/21
Installing : libyaml-0.1.4-11.el7_0.x86_64 6/21
Installing : rubygem-bigdecimal-1.2.0-24.el7.x86_64 7/21
Installing : rubygem-json-1.7.7-24.el7.x86_64 8/21
Installing : rubygem-psych-2.0.0-24.el7.x86_64 9/21
Installing : rubygem-rdoc-4.0.0-24.el7.noarch 10/21
Installing : ruby-irb-2.0.0.598-24.el7.noarch 11/21
Installing : ruby-2.0.0.598-24.el7.x86_64 12/21
Installing : rubygems-2.0.14-24.el7.noarch 13/21
Installing : rubygem-io-console-0.4.2-24.el7.x86_64 14/21
Installing : rubygem-rgen-0.6.6-2.el7.noarch 15/21
Installing : pciutils-3.2.1-4.el7.x86_64 16/21
Installing : facter-2.4.1-1.el7.x86_64 17/21
Installing : libselinux-ruby-2.2.2-6.el7.x86_64 18/21
Installing : puppet-3.6.2-3.el7.noarch 19/21
Installing : puppet-server-3.6.2-3.el7.noarch 20/21
Installing : puppet-firewalld-0.1.3-1.el7.noarch 21/21
Verifying : ruby-augeas-0.5.0-1.el7.x86_64 1/21
Verifying : libselinux-ruby-2.2.2-6.el7.x86_64 2/21
Verifying : puppet-server-3.6.2-3.el7.noarch 3/21
Verifying : rubygem-io-console-0.4.2-24.el7.x86_64 4/21
Verifying : pciutils-3.2.1-4.el7.x86_64 5/21
Verifying : libyaml-0.1.4-11.el7_0.x86_64 6/21
Verifying : rubygem-bigdecimal-1.2.0-24.el7.x86_64 7/21
Verifying : facter-2.4.1-1.el7.x86_64 8/21
Verifying : rubygem-rdoc-4.0.0-24.el7.noarch 9/21
Verifying : hiera-1.3.4-1.el7.noarch 10/21
Verifying : puppet-3.6.2-3.el7.noarch 11/21
Verifying : rubygem-json-1.7.7-24.el7.x86_64 12/21
Verifying : ruby-libs-2.0.0.598-24.el7.x86_64 13/21
Verifying : rubygems-2.0.14-24.el7.noarch 14/21
Verifying : ruby-shadow-1.4.1-23.el7.x86_64 15/21
Verifying : augeas-libs-1.1.0-17.el7.x86_64 16/21
Verifying : ruby-irb-2.0.0.598-24.el7.noarch 17/21
Verifying : puppet-firewalld-0.1.3-1.el7.noarch 18/21
Verifying : rubygem-psych-2.0.0-24.el7.x86_64 19/21
Verifying : ruby-2.0.0.598-24.el7.x86_64 20/21
Verifying : rubygem-rgen-0.6.6-2.el7.noarch 21/21
Installed:
facter.x86_64 0:2.4.1-1.el7 hiera.noarch 0:1.3.4-1.el7
puppet.noarch 0:3.6.2-3.el7 puppet-firewalld.noarch 0:0.1.3-1.el7
puppet-server.noarch 0:3.6.2-3.el7 ruby-augeas.x86_64 0:0.5.0-1.el7
ruby-shadow.x86_64 0:1.4.1-23.el7 rubygem-rgen.noarch 0:0.6.6-2.el7
Dependency Installed:
augeas-libs.x86_64 0:1.1.0-17.el7
libselinux-ruby.x86_64 0:2.2.2-6.el7
libyaml.x86_64 0:0.1.4-11.el7_0
pciutils.x86_64 0:3.2.1-4.el7
ruby.x86_64 0:2.0.0.598-24.el7
ruby-irb.noarch 0:2.0.0.598-24.el7
ruby-libs.x86_64 0:2.0.0.598-24.el7
rubygem-bigdecimal.x86_64 0:1.2.0-24.el7
rubygem-io-console.x86_64 0:0.4.2-24.el7
rubygem-json.x86_64 0:1.7.7-24.el7
rubygem-psych.x86_64 0:2.0.0-24.el7
rubygem-rdoc.noarch 0:4.0.0-24.el7
rubygems.noarch 0:2.0.14-24.el7
Complete!
Then the agent, which gets everything except puppet-server:
[root@serverb puppet]# ls
facter-2.4.1-1.el7.x86_64.rpm
hiera-1.3.4-1.el7.noarch.rpm
puppet-3.6.2-3.el7.noarch.rpm
puppet-firewalld-0.1.3-1.el7.noarch.rpm
puppet-server-3.6.2-3.el7.noarch.rpm
ruby-augeas-0.5.0-1.el7.x86_64.rpm
rubygem-rgen-0.6.6-2.el7.noarch.rpm
ruby-shadow-1.4.1-23.el7.x86_64.rpm
[root@serverb puppet]# yum -y localinstall facter-2.4.1-1.el7.x86_64.rpm hiera-1.3.4-1.el7.noarch.rpm puppet-3.6.2-3.el7.noarch.rpm puppet-firewalld-0.1.3-1.el7.noarch.rpm ruby-augeas-0.5.0-1.el7.x86_64.rpm rubygem-rgen-0.6.6-2.el7.noarch.rpm ruby-shadow-1.4.1-23.el7.x86_64.rpm
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Examining facter-2.4.1-1.el7.x86_64.rpm: facter-2.4.1-1.el7.x86_64
Marking facter-2.4.1-1.el7.x86_64.rpm to be installed
Examining hiera-1.3.4-1.el7.noarch.rpm: hiera-1.3.4-1.el7.noarch
Marking hiera-1.3.4-1.el7.noarch.rpm to be installed
Examining puppet-3.6.2-3.el7.noarch.rpm: puppet-3.6.2-3.el7.noarch
Marking puppet-3.6.2-3.el7.noarch.rpm to be installed
Examining puppet-firewalld-0.1.3-1.el7.noarch.rpm: puppet-firewalld-0.1.3-1.el7.noarch
Marking puppet-firewalld-0.1.3-1.el7.noarch.rpm to be installed
Examining ruby-augeas-0.5.0-1.el7.x86_64.rpm: ruby-augeas-0.5.0-1.el7.x86_64
Marking ruby-augeas-0.5.0-1.el7.x86_64.rpm to be installed
Examining rubygem-rgen-0.6.6-2.el7.noarch.rpm: rubygem-rgen-0.6.6-2.el7.noarch
Marking rubygem-rgen-0.6.6-2.el7.noarch.rpm to be installed
Examining ruby-shadow-1.4.1-23.el7.x86_64.rpm: ruby-shadow-1.4.1-23.el7.x86_64
Marking ruby-shadow-1.4.1-23.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package facter.x86_64 0:2.4.1-1.el7 will be installed
--> Processing Dependency: /usr/bin/ruby for package: facter-2.4.1-1.el7.x86_64
test | 2.9 kB 00:00
--> Processing Dependency: pciutils for package: facter-2.4.1-1.el7.x86_64
---> Package hiera.noarch 0:1.3.4-1.el7 will be installed
--> Processing Dependency: ruby(release) for package: hiera-1.3.4-1.el7.noarch
---> Package puppet.noarch 0:3.6.2-3.el7 will be installed
--> Processing Dependency: ruby(selinux) for package: puppet-3.6.2-3.el7.noarch
---> Package puppet-firewalld.noarch 0:0.1.3-1.el7 will be installed
---> Package ruby-augeas.x86_64 0:0.5.0-1.el7 will be installed
--> Processing Dependency: augeas-libs >= 1.0.0 for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.1.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.10.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.11.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.12.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.14.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.16.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.8.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0()(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
---> Package ruby-shadow.x86_64 0:1.4.1-23.el7 will be installed
---> Package rubygem-rgen.noarch 0:0.6.6-2.el7 will be installed
--> Processing Dependency: ruby(rubygems) for package: rubygem-rgen-0.6.6-2.el7.noarch
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.1.0-17.el7 will be installed
---> Package libselinux-ruby.x86_64 0:2.2.2-6.el7 will be installed
---> Package pciutils.x86_64 0:3.2.1-4.el7 will be installed
---> Package ruby.x86_64 0:2.0.0.598-24.el7 will be installed
--> Processing Dependency: rubygem(bigdecimal) >= 1.2.0 for package: ruby-2.0.0.598-24.el7.x86_64
---> Package ruby-libs.x86_64 0:2.0.0.598-24.el7 will be installed
---> Package rubygems.noarch 0:2.0.14-24.el7 will be installed
--> Processing Dependency: rubygem(rdoc) >= 4.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(psych) >= 2.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(io-console) >= 0.4.2 for package: rubygems-2.0.14-24.el7.noarch
--> Running transaction check
---> Package rubygem-bigdecimal.x86_64 0:1.2.0-24.el7 will be installed
---> Package rubygem-io-console.x86_64 0:0.4.2-24.el7 will be installed
---> Package rubygem-psych.x86_64 0:2.0.0-24.el7 will be installed
--> Processing Dependency: libyaml-0.so.2()(64bit) for package: rubygem-psych-2.0.0-24.el7.x86_64
---> Package rubygem-rdoc.noarch 0:4.0.0-24.el7 will be installed
--> Processing Dependency: ruby(irb) = 2.0.0.598 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Processing Dependency: rubygem(json) >= 1.7.7 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Running transaction check
---> Package libyaml.x86_64 0:0.1.4-11.el7_0 will be installed
---> Package ruby-irb.noarch 0:2.0.0.598-24.el7 will be installed
---> Package rubygem-json.x86_64 0:1.7.7-24.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
============================================================================
Package Arch Version Repository Size
Installing:
facter x86_64 2.4.1-1.el7 /facter-2.4.1-1.el7.x86_64 271 k
hiera noarch 1.3.4-1.el7 /hiera-1.3.4-1.el7.noarch 54 k
puppet noarch 3.6.2-3.el7 /puppet-3.6.2-3.el7.noarch 4.2 M
puppet-firewalld noarch 0.1.3-1.el7 /puppet-firewalld-0.1.3-1.el7.noarch
46 k
ruby-augeas x86_64 0.5.0-1.el7 /ruby-augeas-0.5.0-1.el7.x86_64
52 k
ruby-shadow x86_64 1.4.1-23.el7 /ruby-shadow-1.4.1-23.el7.x86_64
21 k
rubygem-rgen noarch 0.6.6-2.el7 /rubygem-rgen-0.6.6-2.el7.noarch
307 k
Installing for dependencies:
augeas-libs x86_64 1.1.0-17.el7 test 332 k
libselinux-ruby x86_64 2.2.2-6.el7 test 127 k
libyaml x86_64 0.1.4-11.el7_0 test 55 k
pciutils x86_64 3.2.1-4.el7 test 90 k
ruby x86_64 2.0.0.598-24.el7 test 67 k
ruby-irb noarch 2.0.0.598-24.el7 test 88 k
ruby-libs x86_64 2.0.0.598-24.el7 test 2.8 M
rubygem-bigdecimal
x86_64 1.2.0-24.el7 test 79 k
rubygem-io-console
x86_64 0.4.2-24.el7 test 50 k
rubygem-json x86_64 1.7.7-24.el7 test 75 k
rubygem-psych x86_64 2.0.0-24.el7 test 77 k
rubygem-rdoc noarch 4.0.0-24.el7 test 318 k
rubygems noarch 2.0.14-24.el7 test 212 k
Transaction Summary
Install 7 Packages (+13 Dependent packages)
Total size: 9.3 M
Total download size: 4.3 M
Installed size: 19 M
Downloading packages:
(1/13): augeas-libs-1.1.0-17.el7.x86_64.rpm | 332 kB 00:00
(2/13): libselinux-ruby-2.2.2-6.el7.x86_64.rpm | 127 kB 00:00
(3/13): libyaml-0.1.4-11.el7_0.x86_64.rpm | 55 kB 00:00
(4/13): pciutils-3.2.1-4.el7.x86_64.rpm | 90 kB 00:00
(5/13): ruby-2.0.0.598-24.el7.x86_64.rpm | 67 kB 00:00
(6/13): ruby-libs-2.0.0.598-24.el7.x86_64.rpm | 2.8 MB 00:00
(7/13): rubygem-bigdecimal-1.2.0-24.el7.x86_64.rpm | 79 kB 00:00
(8/13): rubygem-io-console-0.4.2-24.el7.x86_64.rpm | 50 kB 00:00
(9/13): rubygem-json-1.7.7-24.el7.x86_64.rpm | 75 kB 00:00
(10/13): rubygem-psych-2.0.0-24.el7.x86_64.rpm | 77 kB 00:00
(11/13): rubygem-rdoc-4.0.0-24.el7.noarch.rpm | 318 kB 00:00
(12/13): rubygems-2.0.14-24.el7.noarch.rpm | 212 kB 00:00
(13/13): ruby-irb-2.0.0.598-24.el7.noarch.rpm | 88 kB 00:00
Total 9.6 MB/s | 4.3 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : ruby-libs-2.0.0.598-24.el7.x86_64 1/20
Installing : hiera-1.3.4-1.el7.noarch 2/20
Installing : ruby-shadow-1.4.1-23.el7.x86_64 3/20
Installing : augeas-libs-1.1.0-17.el7.x86_64 4/20
Installing : ruby-augeas-0.5.0-1.el7.x86_64 5/20
Installing : libyaml-0.1.4-11.el7_0.x86_64 6/20
Installing : rubygem-bigdecimal-1.2.0-24.el7.x86_64 7/20
Installing : rubygem-json-1.7.7-24.el7.x86_64 8/20
Installing : rubygem-psych-2.0.0-24.el7.x86_64 9/20
Installing : rubygem-rdoc-4.0.0-24.el7.noarch 10/20
Installing : ruby-irb-2.0.0.598-24.el7.noarch 11/20
Installing : ruby-2.0.0.598-24.el7.x86_64 12/20
Installing : rubygems-2.0.14-24.el7.noarch 13/20
Installing : rubygem-io-console-0.4.2-24.el7.x86_64 14/20
Installing : rubygem-rgen-0.6.6-2.el7.noarch 15/20
Installing : pciutils-3.2.1-4.el7.x86_64 16/20
Installing : facter-2.4.1-1.el7.x86_64 17/20
Installing : libselinux-ruby-2.2.2-6.el7.x86_64 18/20
Installing : puppet-3.6.2-3.el7.noarch 19/20
Installing : puppet-firewalld-0.1.3-1.el7.noarch 20/20
Verifying : ruby-augeas-0.5.0-1.el7.x86_64 1/20
Verifying : libselinux-ruby-2.2.2-6.el7.x86_64 2/20
Verifying : rubygem-io-console-0.4.2-24.el7.x86_64 3/20
Verifying : pciutils-3.2.1-4.el7.x86_64 4/20
Verifying : libyaml-0.1.4-11.el7_0.x86_64 5/20
Verifying : rubygem-bigdecimal-1.2.0-24.el7.x86_64 6/20
Verifying : facter-2.4.1-1.el7.x86_64 7/20
Verifying : rubygem-rdoc-4.0.0-24.el7.noarch 8/20
Verifying : hiera-1.3.4-1.el7.noarch 9/20
Verifying : puppet-3.6.2-3.el7.noarch 10/20
Verifying : rubygem-json-1.7.7-24.el7.x86_64 11/20
Verifying : ruby-libs-2.0.0.598-24.el7.x86_64 12/20
Verifying : rubygems-2.0.14-24.el7.noarch 13/20
Verifying : ruby-shadow-1.4.1-23.el7.x86_64 14/20
Verifying : augeas-libs-1.1.0-17.el7.x86_64 15/20
Verifying : ruby-irb-2.0.0.598-24.el7.noarch 16/20
Verifying : puppet-firewalld-0.1.3-1.el7.noarch 17/20
Verifying : rubygem-psych-2.0.0-24.el7.x86_64 18/20
Verifying : ruby-2.0.0.598-24.el7.x86_64 19/20
Verifying : rubygem-rgen-0.6.6-2.el7.noarch 20/20
Installed:
facter.x86_64 0:2.4.1-1.el7 hiera.noarch 0:1.3.4-1.el7
puppet.noarch 0:3.6.2-3.el7 puppet-firewalld.noarch 0:0.1.3-1.el7
ruby-augeas.x86_64 0:0.5.0-1.el7 ruby-shadow.x86_64 0:1.4.1-23.el7
rubygem-rgen.noarch 0:0.6.6-2.el7
Dependency Installed:
augeas-libs.x86_64 0:1.1.0-17.el7
libselinux-ruby.x86_64 0:2.2.2-6.el7
libyaml.x86_64 0:0.1.4-11.el7_0
pciutils.x86_64 0:3.2.1-4.el7
ruby.x86_64 0:2.0.0.598-24.el7
ruby-irb.noarch 0:2.0.0.598-24.el7
ruby-libs.x86_64 0:2.0.0.598-24.el7
rubygem-bigdecimal.x86_64 0:1.2.0-24.el7
rubygem-io-console.x86_64 0:0.4.2-24.el7
rubygem-json.x86_64 0:1.7.7-24.el7
rubygem-psych.x86_64 0:2.0.0-24.el7
rubygem-rdoc.noarch 0:4.0.0-24.el7
rubygems.noarch 0:2.0.14-24.el7
Complete!
Installation is now complete on both hosts.
4. Puppet M/A authorization (certificate signing)
From the workflow above, the first step in establishing a connection is authorization. How is master/agent authorization set up? Master and agent share a single configuration file, /etc/puppet/puppet.conf, which defines the runtime settings for both roles. Before the process starts it reads this file and validates the settings; the process only starts if that check passes.
Configuration on the master:
Append to /etc/puppet/puppet.conf:
[master]
certname = <the master's certificate name>
[root@servera puppet]# hostname
servera.example.com
[root@servera puppet]# sed -i '$a[master]\ncertname=servera.pod0.example.com' /etc/puppet/puppet.conf
[root@servera puppet]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
[master]
certname=servera.pod0.example.com
Configuration on the agent:
Add one line to the [main] section of /etc/puppet/puppet.conf:
server = <the master's certname>
[root@serverb puppet]# sed -i '/ssldir/aserver = servera.pod0.example.com' /etc/puppet/puppet.conf
[root@serverb puppet]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
server = servera.pod0.example.com

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
Note: Puppet locates hosts by name throughout, so name resolution must be in place before this. The value of server = must also match the master's certname (or one of its dns_alt_names): the agent verifies the master's certificate against the name it connected to, and a mismatch fails the SSL handshake. Here the master's hostname is servera.example.com but its certname was set to servera.pod0.example.com, so that is the name the agents must use, and it must resolve to the master.
Start the Puppet service on both ends, master first, then agent.
1) Starting the master. On its first start the master creates its own CA under /var/lib/puppet/ssl/ca and signs a certificate for itself; /var/lib/puppet/ssl/ca/signed then contains <master certname>.pem:
[root@servera ~]# systemctl start puppetmaster
[root@servera ~]# cd /var/lib/puppet/ssl/ca/signed/
[root@servera signed]# ls
servera.pod0.example.com.pem
2) Starting the agent. The agent generates a private key and a certificate signing request, keeps the request as /var/lib/puppet/ssl/certificate_requests/<agent certname>.pem, and submits it to the master, which stores it under /var/lib/puppet/ssl/ca/requests:
[root@serverb ~]# systemctl start puppet
[root@serverb ~]# cd /var/lib/puppet/ssl/certificate_requests/
[root@serverb certificate_requests]# ls
serverb.pod0.example.com.pem
[root@servera signed]# cd ../requests/
[root@servera requests]# pwd
/var/lib/puppet/ssl/ca/requests
[root@servera requests]# ls
serverb.pod0.example.com.pem
Note: if SELinux is enforcing, a denial can stop the agent from creating the request file. The quick workaround is setenforce 0, which puts SELinux in permissive mode. Treat that as a diagnostic step rather than the fix: look up the denial with ausearch -m avc -ts recent, correct the file label or policy, and return to enforcing before the host goes into service.
3) Signing on the master
Signing is done with the puppet cert command.
Start with --help to see what it offers:
[root@servera requests]# puppet cert --help

puppet-cert(8) -- Manage certificates and requests

SYNOPSIS
Standalone certificate authority. Capable of generating certificates,
but mostly used for signing certificate requests from puppet clients.

USAGE
puppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
  [--digest <digest>] [<host>]

DESCRIPTION
Because the puppet master service defaults to not signing client
certificate requests, this script is available for signing outstanding
requests. It can be used to list outstanding requests and then either
sign them individually or sign all of them.

ACTIONS
Every action except 'list' and 'generate' requires a hostname to act on,
unless the '--all' option is set.

* clean:
  Revoke a host's certificate (if applicable) and remove all files
  related to that host from puppet cert's storage. This is useful when
  rebuilding hosts, since new certificate signing requests will only be
  honored if puppet cert does not have a copy of a signed certificate
  for that host. If '--all' is specified then all host certificates,
  both signed and unsigned, will be removed.

* fingerprint:
  Print the DIGEST (defaults to the signing algorithm) fingerprint of a
  host's certificate.

* generate:
  Generate a certificate for a named client. A certificate/keypair will
  be generated for each client named on the command line.

* list:
  List outstanding certificate requests. If '--all' is specified, signed
  certificates are also listed, prefixed by '+', and revoked or invalid
  certificates are prefixed by '-' (the verification outcome is printed
  in parenthesis).

* print:
  Print the full-text version of a host's certificate.

* revoke:
  Revoke the certificate of a client. The certificate can be specified either
  by its serial number (given as a hexadecimal number prefixed by '0x') or by its
  hostname. The certificate is revoked by adding it to the Certificate Revocation
  List given by the 'cacrl' configuration option. Note that the puppet master
  needs to be restarted after revoking certificates.

* sign:
  Sign an outstanding certificate request.

* verify:
  Verify the named certificate against the local CA certificate.

* reinventory:
  Build an inventory of the issued certificates. This will destroy the current
  inventory file specified by 'cert_inventory' and recreate it from the
  certificates found in the 'certdir'. Ensure the puppet master is stopped
  before running this action.

OPTIONS
Note that any setting that's valid in the configuration
file is also a valid long argument. For example, 'ssldir' is a valid
setting, so you can specify '--ssldir <directory>' as an
argument.

See the configuration file documentation at
http://docs.puppetlabs.com/references/stable/configuration.html for the
full list of acceptable parameters. A commented list of all
configuration options can also be generated by running puppet cert with
'--genconfig'.

* --all:
  Operate on all items. Currently only makes sense with the 'sign',
  'clean', 'list', and 'fingerprint' actions.

* --digest:
  Set the digest for fingerprinting (defaults to the digest used when
  signing the cert). Valid values depends on your openssl and openssl ruby
  extension version.

* --debug:
  Enable full debugging.

* --help:
  Print this help message

* --verbose:
  Enable verbosity.

* --version:
  Print the puppet version number and exit.

EXAMPLE
  $ puppet cert list culain.madstop.com
  $ puppet cert sign culain.madstop.com

AUTHOR
Luke Kanies

COPYRIGHT
Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
From the help text, the actions used most often are:
clean: revoke a host's certificate and delete every file the CA holds for that host (with --all, for every host). Needed before a rebuilt host can be signed again under the same name.
list: list the pending certificate requests from agents (list --all also shows signed and revoked certificates).
revoke: revoke one agent's certificate; restart the master afterwards so the new CRL is loaded.
sign: sign one agent's pending request.
Now sign the request from the agent (serverb) on the master. Compare the fingerprint shown by list with the one the agent itself prints (puppet agent --fingerprint on serverb) before signing: the certname alone proves nothing, since any host that can reach port 8140 can request a certificate under any name it likes.
[root@servera requests]# puppet cert --list
"serverb.example.com" (SHA256) 3A:04:7B:E5:AB:69:D0:CA:9C:DC:85:CF:66:EC:F8:61:56:6D:53:B2:BB:9F:7E:9A:9C:C6:E9:AC:E0:CE:F3:D8
[root@servera requests]# puppet cert --sign "serverb.pod0.example.com"
Notice: Signed certificate request for serverb.pod0.example.com
Notice: Removing file Puppet::SSL::CertificateRequest serverb.pod0.example.com at '/var/lib/puppet/ssl/ca/requests/serverb.example.com.pem'
[root@servera requests]# cd ../signed/
[root@servera signed]# ls
servera.pod0.example.com.pem serverb.pod0.example.com.pem
[root@servera signed]# pwd
/var/lib/puppet/ssl/ca/signed
After signing, the file that was at /var/lib/puppet/ssl/ca/requests/<agent certname>.pem on the master moves to /var/lib/puppet/ssl/ca/signed/<agent certname>.pem,
and on its next contact with the master the agent downloads the signed certificate to a new file, /var/lib/puppet/ssl/certs/<agent certname>.pem.
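The fingerprint comparison described above is easy to skip under time pressure, so here it is as a small script: an added example written for this page, not code from Puppet or the original article. It parses the text that puppet cert list prints (format assumed from Puppet 3.x, as shown on this page), compares the pending request's fingerprint with one obtained out of band from the agent, and only then approves the sign. The listing it runs against is constructed; the serverb fingerprint in it is the one shown earlier on this page, the second host is invented.

```shell
#!/bin/sh
# Added example, not from the original page: approve a pending request only
# if its fingerprint matches one obtained out of band. Output formats assumed
# from Puppet 3.x:
#   master:  puppet cert list           -> "certname" (SHA256) AA:BB:...:ZZ
#   agent:   puppet agent --fingerprint -> (SHA256) AA:BB:...:ZZ
# The agent's fingerprint must reach you over a channel the requester does
# not control (ssh to the box, the provisioning ticket); otherwise it proves
# nothing.

# Upper-case a fingerprint and drop any leading "(SHA256) " label.
normalize_fp() {
    fp=${1##*) }
    printf '%s' "$fp" | tr 'a-f' 'A-F' | tr -d ' '
}

# Print the fingerprint of the pending request for certname $1 found in the
# `puppet cert list` text $2. Signed (+) and revoked (-) entries do not start
# with a quote, so only pending requests can match.
pending_fingerprint() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            "\"$1\" "*) normalize_fp "$line"; echo ;;
        esac
    done
}

# 0 if $1 has a pending request whose fingerprint equals $2, else 1.
should_sign() {
    expected=$(normalize_fp "$2")
    actual=$(pending_fingerprint "$1" "$3")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed `puppet cert list` output: the page's serverb request plus a
# second, invented host that chose a name inside our domain.
LISTING='"serverb.pod0.example.com" (SHA256) 3A:04:7B:E5:AB:69:D0:CA:9C:DC:85:CF:66:EC:F8:61:56:6D:53:B2:BB:9F:7E:9A:9C:C6:E9:AC:E0:CE:F3:D8
"rogue.pod0.example.com" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# On the master the real flow is:
#   listing=$(puppet cert list)
#   should_sign serverb.pod0.example.com "$fp_from_agent" "$listing" \
#       && puppet cert sign serverb.pod0.example.com
```

A mismatch means either a typo in the copied fingerprint or a second machine requesting a certificate under a name it does not own; in both cases the request stays pending and nothing is signed.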
5. Automatic certificate signing in Puppet
The method above works for signing hosts one at a time. What if many agents are waiting? Do they have to be signed one by one? puppet cert has an --all option that signs every pending request in one go. Run puppet cert list first and read it: --all signs everything that is pending, including requests from hosts you were not expecting.
[root@servera requests]# puppet cert --sign --all
Notice: Signed certificate request for serverb.pod0.example.com
Notice: Removing file Puppet::SSL::CertificateRequest serverb.pod0.example.com at '/var/lib/puppet/ssl/ca/requests/serverb.pod0.example.com.pem
But this still needs someone to type the command, and an agent that is meant to join may not get its certificate in time to establish its SSL connection.
The requirement is therefore: as soon as an agent from a given domain starts and submits a request, the master signs it automatically, with no puppet cert --sign run by hand.
Bring up another server, serverd.example.com, as an additional agent; its signing must happen automatically. The configuration is as follows.
Configuration on the master:
[root@servera requests]# cat >> /etc/puppet/puppet.conf << END
autosign = /etc/puppet/autosign.conf
END
[root@servera requests]# tail -n3 /etc/puppet/puppet.conf
[master]
certname=servera.pod0.example.com
autosign = /etc/puppet/autosign.conf
The setting belongs in the [master] section; since [master] is the last section of this file, appending works. Set it exactly once, and never to autosign = true: that signs every request unconditionally and turns the CA into a rubber stamp.
[root@servera requests]# cat >> /etc/puppet/autosign.conf << END
*.example.com
END
[root@servera requests]# systemctl restart puppetmaster
Configuration on the agent:
[root@serverd puppet]# sed -i '/ssldir/aserver = servera.pod0.example.com' /etc/puppet/puppet.conf
[root@serverd puppet]# systemctl restart puppet
As soon as this is done, the result of the authorization can be seen.
On the master:
[root@servera signed]# pwd
/var/lib/puppet/ssl/ca/signed
[root@servera signed]# ls
servera.pod0.example.com.pem serverd.pod0.example.com.pem
serverb.pod0.example.com.pem
On the agent:
[root@serverd certs]# pwd
/var/lib/puppet/ssl/certs
[root@serverd certs]# ls
ca.pem serverd.pod0.example.com.pem
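Before putting a pattern such as *.example.com into autosign.conf it is worth checking which certnames it will accept, because every request whose certname matches is signed with no human looking at it. The script below is an added example, not code from the original page or from the Puppet project: it re-implements the whitelist matching (assumed rules: a plain entry matches one certname exactly, case-insensitively; an entry starting with "*" matches any certname that ends with the rest of the entry) and audits a list of constructed pending certnames against the wide glob and against an explicit list. Note that the puppet.conf above also contains autosign = true, which signs every request unconditionally; a whitelist file only restricts anything when that line is absent.

```ruby
# Added example; not from the original page or the Puppet project.
# Re-implements the matching an autosign.conf whitelist performs against
# the certname of an incoming certificate request, so that a pattern can
# be audited before it is deployed. Assumed rules: a plain entry matches
# exactly one certname (case-insensitive); an entry starting with "*"
# matches any certname that ends with the rest of the entry
# ("*.example.com" matches "x.example.com" and "x.y.example.com", but not
# "example.com"). All hostnames below are constructed test values.

def parse_autosign(conf_text)
  conf_text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
end

def autosign_matches?(entries, certname)
  name = certname.downcase
  entries.any? do |entry|
    entry = entry.downcase
    if entry.start_with?('*')
      name.end_with?(entry[1..-1])   # "*.example.com" -> suffix ".example.com"
    else
      name == entry
    end
  end
end

# certname => true when the master would sign it without anyone reviewing it.
def audit_autosign(conf_text, pending_certnames)
  entries = parse_autosign(conf_text)
  pending_certnames.each_with_object({}) do |cn, result|
    result[cn] = autosign_matches?(entries, cn)
  end
end

# Constructed inputs: the wide glob used on the page next to an explicit list.
WIDE_CONF   = "# every host under example.com\n*.example.com\n"
STRICT_CONF = "serverb.pod0.example.com\nserverd.pod0.example.com\n"
PENDING     = %w[serverd.pod0.example.com unknown-host.example.com lab.example.net]

if __FILE__ == $PROGRAM_NAME
  { 'wide glob' => WIDE_CONF, 'explicit list' => STRICT_CONF }.each do |label, conf|
    puts "#{label}:"
    audit_autosign(conf, PENDING).each do |cn, auto|
      puts "  #{cn}: #{auto ? 'signed automatically' : 'waits for puppet cert --sign'}"
    end
  end
end
```

With the wide glob, unknown-host.example.com is signed as readily as serverd; with the explicit list only the two named hosts are, and everything else stays in the requests directory until an administrator runs puppet cert --sign.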
6. puppet's synchronization mechanism
In M/A mode puppet has two ways of synchronizing updates:
1. The agent actively fetches its configuration from the puppetmaster.
This is the default. Without changing the interval setting, the agent contacts the master for a sync every 30 minutes. To customize the interval, set the runinterval parameter in /etc/puppet/puppet.conf on the agent.
[root@serverb /]# echo "runinterval = 5" >> /etc/puppet/puppet.conf
[root@serverb /]# cat /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
server = servera.pod0.example.com
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuratiion. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
runinterval = 5
[root@serverb /]# systemctl restart puppet
[root@serverb /]# tail -f /var/log/messages
Aug 13 08:41:05 serverb puppet-agent[4275]: Finished catalog run in 0.01 seconds
Aug 13 08:41:10 serverb puppet-agent[4441]: Finished catalog run in 0.01 seconds
Aug 13 08:41:15 serverb puppet-agent[4607]: Finished catalog run in 0.01 seconds
Aug 13 08:41:20 serverb puppet-agent[4773]: Finished catalog run in 0.01 seconds
...
Advantages of method 1: if an agent's configuration files are damaged for some reason, it gets the correct configuration back within one sync interval without human intervention. The setup is also simple to pick up, and the sync interval can be changed as needed.
Disadvantages of method 1: when many agents send sync requests to the master at the same time, the master can hit a performance bottleneck. That can be mitigated by syncing in batches. Beyond that, operations on the master must be kept sufficiently secure: any change someone makes to the master's configuration is pulled by every agent whose node definition matches, so if someone wrote rm -rf /* into a pushed script, that would equally be synchronized to and executed on many agents, a severe security risk.
2. The puppetmaster pushes configuration to agents with the puppet kick command
This method synchronizes configuration via the puppet kick command on the puppetmaster.
Advantages:
Higher security; there is time to review the code before an update.
The update cycle is easy to control.
Disadvantages:
When data on the agent is tampered with, timely recovery is hard to achieve.
The locking mechanism makes control less flexible.
Method 2 has largely been phased out of enterprise environments, so it is not covered here.
7. puppet's listening port
Almost every network service listens on a port, which distinguishes the requests for different services.
The master listens on port 8140.
[root@servera signed]# netstat -tulnp | grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 4280/ruby
[root@servera signed]# firewall-cmd --permanent --add-port=8140/tcp
success
[root@servera signed]# firewall-cmd --reload
success
If agents connect to the master actively, the firewall must be configured so that port 8140 on the master accepts requests from the agent hosts.
8. Basic puppet configuration
1) Creating the global entry file: site.pp
/etc/puppet/manifests/site.pp is the global entry file. The first thing an agent does when it contacts the master for configuration is read site.pp; all management work starts from site.pp.
site.pp defines which nodes (agents) use which modules (configuration). When configuring the puppetmaster for the first time, create this file yourself. In the definition below, node 'serverb.example.com' declares serverb.example.com as a node managed by puppet, and include 'myfile' names the module: what serverb must synchronize lives in the myfile module.
[root@servera manifests]# cat >> /etc/puppet/manifests/site.pp << END
node 'serverb.example.com' {
include 'myfile'
}
END
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node 'serverb.example.com' {
include 'myfile'
}
With this configuration, the node serverb receives the configuration written in the myfile module, while no other host has anything to synchronize. To have several hosts synchronize the contents of the myfile module, it can be done like this:
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node 'serverb.example.com' {
include 'myfile'
}
node 'serverd.example.com' {
include 'myfile'
}
...
This says that the nodes serverb and serverd both synchronize the module myfile, but it is verbose. A regular expression can be used for the node definition instead (the dots are escaped so that they match a literal dot rather than any character), like this:
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node /^(serverb|serverd)\.example\.com$/ {
include 'myfile'
}
This says that serverb and serverd both use the configuration in the myfile module. Or:
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node /^.*\.example\.com$/ {
include 'myfile'
}
Any host whose name ends in .example.com uses the configuration in the myfile module.
This presupposes that the SSL connection can be established: without a signed certificate, the agent cannot pull its configuration from the master correctly even if site.pp maps the node to a module.
Sometimes, however, keeping all node definitions in a single file makes later maintenance hard. Nodes can be split into separate files with the import keyword; the file names are your choice. For example:
[root@servera ~]# echo "import 'nodes.pp'" > /etc/puppet/manifests/site.pp
[root@servera ~]# cat /etc/puppet/manifests/site.pp
import 'nodes.pp'
[root@servera ~]# cat > /etc/puppet/manifests/nodes.pp << END
node /^.*\.example\.com$/ {
include 'myfile'
}
END
[root@servera ~]# cat /etc/puppet/manifests/nodes.pp
node /^.*\.example\.com$/ {
include 'myfile'
}
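Puppet compares the agent's certname against each regex node definition with Ruby's regex engine, so a pattern can be tested the same way before it goes into site.pp or nodes.pp. The script below is an added example, not code from the page or from Puppet; its patterns and certnames are constructed. It contrasts escaped and unescaped dots (an unescaped dot matches any character, so `serverb-example.com` or `serverbxexample.com` would also be selected) and shows that a pattern which lost its `.*`, such as `/^..example.com$/`, silently matches no host at all.

```ruby
# Added example; not the page's or Puppet's own code. Puppet matches the
# agent's certname against regex node definitions with Ruby's regex engine,
# so the same check can be run here before a pattern is deployed. The
# patterns and certnames are constructed; the last pattern is the typo that
# results when the ".*" is dropped.

NODE_PATTERNS = {
  'unescaped dots'      => /^(serverb|serverd).example.com$/,
  'escaped dots'        => /^(serverb|serverd)\.example\.com$/,
  'any host, unescaped' => /^.*.example.com$/,
  'any host, escaped'   => /^.*\.example\.com$/,
  'missing .*'          => /^..example.com$/
}

CERTNAMES = %w[
  serverb.example.com
  serverd.example.com
  serverb-example.com
  serverbxexample.com
  serverb.example.com.test
]

# Certnames a single node pattern would select.
def matching_nodes(pattern, certnames)
  certnames.select { |cn| pattern.match?(cn) }
end

# Node patterns that claim a given certname. Puppet does not guarantee which
# definition wins when several regex nodes match, so this should return
# exactly one label per host.
def claiming_patterns(patterns, certname)
  patterns.select { |_, re| re.match?(certname) }.keys
end

if __FILE__ == $PROGRAM_NAME
  NODE_PATTERNS.each do |label, re|
    puts "#{label.ljust(22)} #{re.inspect}: #{matching_nodes(re, CERTNAMES).join(', ')}"
  end
end
```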
2) Creating a module and writing common resource configurations
Above we included a module named myfile. Once an agent sees from its node definition that it must synchronize the myfile module, it looks for a file named init.pp under /etc/puppet/modules/myfile/manifests. That file can be thought of as the module's entry file. If the directory does not exist, create it by hand.
[root@servera ~]# mkdir -p /etc/puppet/modules/myfile/manifests
After creating the directory, write the init.pp file, whose format is as follows:
class module_name {
  type1 { "title1":
    attribute1 => value1,
    attribute2 => value2,
    attribute3 => value3
    ...
    attributeN => valueN;
    "title2":
    attribute => value,
    .....
    attribute => value;
  }
  type2 { "title":
    attribute => value,
    ....
  }
}
Here the type is the kind of object being operated on, the title is the actual target, the attribute is what is being controlled, and the value is the desired state.
For example, to install a package named httpd on the agent, we write:
package { "httpd":      # the object is a package; the actual target is httpd
  ensure => present,    # what is controlled is whether httpd exists; the state is present, i.e. the package must be installed
}
Common puppet types and attributes
1. The file type (operations on files)
Common attributes:
ensure => 'absent|present|directory|link'
group => 'name of the owning group'
owner => 'name of the owning user'
mode => 'permission bits of the file'
content => 'content of the file'
force => 'true|false'
source => 'location of the source file (puppet:// URL)'
Example of file attributes:
Pushing the /etc/fstab file
/etc/fstab determines what is mounted at boot; hosts that provide the same function usually have very similar mount tables, so here we push the file to every node that uses this module.
[root@servera etc]# cat /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
file {"/etc/fstab":
ensure => present,
owner => root,
group => root,
source => 'puppet://servera.example.com/modules/myfile/etc/fstab',
}
}
[root@servera etc]# mkdir -p /etc/puppet/modules/myfile/files/etc
[root@servera files]# cp /etc/fstab /etc/puppet/modules/myfile/files/etc/fstab
Note: source above is the location of the source file. The files directory is not written in the URL; puppet looks under the module's files directory by default.
After writing the configuration there is no need to restart the service; the client fetches the configuration within its sync interval, and the result can be seen in the log. The "Could not evaluate" lines appear for as long as the source file cannot be fetched (for example before it has been copied into the module's files directory); once it can be, the content change is applied.
[root@serverb ~]# tailf /var/log/messages
Aug 16 11:24:17 serverb puppet-agent[4734]: Finished catalog run in 0.01 seconds
Aug 16 11:24:22 serverb puppet-agent[4900]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:22 serverb puppet-agent[4900]: Finished catalog run in 0.04 seconds
Aug 16 11:24:27 serverb puppet-agent[5068]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:27 serverb puppet-agent[5068]: Finished catalog run in 0.04 seconds
Aug 16 11:24:32 serverb puppet-agent[5236]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:32 serverb puppet-agent[5236]: Finished catalog run in 0.04 seconds
Aug 16 11:24:37 serverb puppet-agent[5404]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:37 serverb puppet-agent[5404]: Finished catalog run in 0.04 seconds
Aug 16 11:24:42 serverb puppet-agent[5572]: (/Stage[main]/Myfile/File[/etc/fstab]/content) content changed '{md5}71c72e221409b343ed9a69f9a2dfa15c' to '{md5}ff16538739bfe5d524783750dd88ae30'
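Both the runinterval check in section 6 and the file-push run above are verified by reading puppet-agent lines out of /var/log/messages. The script below is an added example, not code from the page or from Puppet: it parses those lines, recovers the real spacing between "Finished catalog run" entries (so a runinterval setting can be confirmed), counts the resources that keep failing with "Could not evaluate", and lists the resources that were actually changed. The log excerpt is constructed in the same format as the excerpts on this page; the year is an assumption because syslog timestamps carry none.

```ruby
require 'time'

# Added example; not the page's or Puppet's code. Parses the puppet-agent
# lines that land in /var/log/messages, recovers the real spacing between
# catalog runs (to confirm that runinterval took effect) and lists the
# resources that kept failing or that were changed. The log excerpt is
# constructed in the same format as the page's excerpts, and the year is
# assumed because syslog timestamps carry none.

LINE_RE     = /\A(?<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?<host>\S+) puppet-agent\[(?<pid>\d+)\]: (?<msg>.*)\z/
FINISHED_RE = /\AFinished catalog run in (?<secs>[\d.]+) seconds\z/
FAIL_RE     = /\A\((?<res>[^)]+)\) Could not evaluate: (?<why>.*)\z/
CHANGE_RE   = %r{\A\((?<res>[^)]+)/(?<prop>\w+)\) (?<what>created|.*changed.*)\z}

# One hash per puppet-agent line; lines from other programs are skipped.
def parse_agent_log(text, year: 2016)
  text.each_line.map do |line|
    m = LINE_RE.match(line.chomp)
    next unless m
    { time: Time.strptime("#{year} #{m[:ts].squeeze(' ')}", '%Y %b %d %H:%M:%S'),
      host: m[:host], pid: m[:pid].to_i, msg: m[:msg] }
  end.compact
end

# Whole seconds between consecutive "Finished catalog run" lines.
def run_intervals(events)
  finished = events.select { |e| FINISHED_RE.match?(e[:msg]) }
  finished.each_cons(2).map { |a, b| (b[:time] - a[:time]).round }
end

# resource => number of runs in which it could not be evaluated.
def failed_resources(events)
  events.each_with_object(Hash.new(0)) do |e, counts|
    m = FAIL_RE.match(e[:msg])
    counts[m[:res]] += 1 if m
  end
end

# Resources the agent actually created or modified.
def changed_resources(events)
  events.map { |e| (m = CHANGE_RE.match(e[:msg])) && m[:res] }.compact.uniq
end

def summarize(text, expected_interval:)
  events = parse_agent_log(text)
  intervals = run_intervals(events)
  { intervals: intervals,
    interval_ok: !intervals.empty? && intervals.all? { |i| (i - expected_interval).abs <= 1 },
    failures: failed_resources(events),
    changes: changed_resources(events) }
end

# Constructed log excerpt (same shape as the page's, with placeholder checksums).
SAMPLE_LOG = <<~LOG
  Aug 16 11:24:17 serverb puppet-agent[4734]: Finished catalog run in 0.01 seconds
  Aug 16 11:24:22 serverb puppet-agent[4900]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
  Aug 16 11:24:22 serverb puppet-agent[4900]: Finished catalog run in 0.04 seconds
  Aug 16 11:24:27 serverb puppet-agent[5068]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
  Aug 16 11:24:27 serverb puppet-agent[5068]: Finished catalog run in 0.04 seconds
  Aug 16 11:24:32 serverb systemd: Reloading.
  Aug 16 11:24:32 serverb puppet-agent[5236]: (/Stage[main]/Myfile/File[/etc/fstab]/content) content changed '{md5}old' to '{md5}new'
  Aug 16 11:24:32 serverb puppet-agent[5236]: Finished catalog run in 0.05 seconds
LOG

if __FILE__ == $PROGRAM_NAME
  p summarize(SAMPLE_LOG, expected_interval: 5)
end
```

A resource that fails in every run, as /etc/fstab does before its source is in place, shows up with a count equal to the number of runs; a resource that shows up under changes on every run is a sign that two definitions fight over the same file.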
2. The user and group types (settings for users and groups)
Common user attributes:
ensure => 'present|absent'
uid => 'uid number'
gid => 'primary group number'
home => 'home directory location'
shell => 'login shell of the user'
Common group attributes:
ensure => 'present|absent'
gid => 'gid number'
Example for users and groups:
Create a tomcat user on several hosts. Deploying JSP pages needs a servlet container, and tomcat is a common one. If tomcat is started via jsvc, a user named tomcat is needed to keep the service running. This case is a typical one for batch-creating the tomcat user on many hosts.
[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
user { 'tomcat':
require => Group['tomcat'],
ensure => present,
uid => '666',
gid => '666',
home => '/home/tomcat',
shell => '/sbin/nologin',
}
group { 'tomcat':
ensure => present,
gid => '666',
}
file { '/home/tomcat':
ensure => directory,
mode => '700',
owner => 'tomcat',
group => 'tomcat',
require => User['tomcat'],
}
}
require is a common attribute (a metaparameter available to every type); it means that the referenced resource is applied first, and the current one afterwards.
For example, the user above has require => Group['tomcat'], which means the group resource titled tomcat is applied first, then the user resource titled tomcat. The log shows exactly that: the group is created first, then the user, and finally the home directory.
[root@serverb ~]# tail /var/log/messages
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/Group[tomcat]/ensure) created
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/User[tomcat]/ensure) created
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/File[/home/tomcat]/ensure) created
[root@serverb ~]# id tomcat
uid=666(tomcat) gid=666(tomcat) groups=666(tomcat)
[root@serverb ~]# ll -d /home/tomcat/
drwx------. 2 tomcat tomcat 6 Aug 16 11:37 /home/tomcat/
3. The package type (operations on software)
Common package attributes:
ensure => present | absent
By default the package resource installs software with yum. To install with rpm instead, add the following two parameters:
source => '/tmp/nginx-1.8.0-1.el7.ngx.x86_64.rpm',   # absolute path to the package
provider => 'rpm',   # install using rpm
Example of package attributes:
Batch-deploying a mysql database environment: install mariadb-server on several servers:
Configuration on the master:
[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
package {'mariadb-server':
ensure => present,
}
}
Result on the agent:
[root@serverb tmp]# tail /var/log/messages -f
Aug 16 18:44:19 serverb yum[109385]: Installed: perl-Data-Dumper-2.145-3.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-Net-Daemon-0.48-5.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-IO-Compress-2.061-2.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-PlRPC-0.2020-14.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-DBI-1.627-4.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-DBD-MySQL-4.023-5.el7.x86_64
Aug 16 18:44:22 serverb yum[109385]: Installed: 1:mariadb-5.5.41-2.el7_0.x86_64
Aug 16 18:44:24 serverb systemd: Reloading.
Aug 16 18:44:25 serverb systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:44:25 serverb systemd: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:44:25 serverb yum[109385]: Installed: 1:mariadb-server-5.5.41-2.el7_0.x86_64
Aug 16 18:44:26 serverb puppet-agent[109199]: (/Stage[main]/Myfile/Package[mariadb-server]/ensure) created
[root@serverb tmp]# rpm -q mariadb-server
mariadb-server-5.5.41-2.el7_0.x86_64
4. The service resource (control of service state)
Common attributes
enable => 'true|false'   # whether the service starts at boot
ensure => 'running|stopped'   # the run state in the current environment
Example of service attributes:
Start the mariadb service and enable it at boot:
Configuration on the master:
[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
package {'mariadb-server':
ensure => present,
}
service {'mariadb':
require => Package['mariadb-server'],
ensure => running,
enable => true,
}
}
Result on the agent:
[root@serverb tmp]# tail -f /var/log/messages
Aug 16 18:55:21 serverb systemd: Started MariaDB database server.
Aug 16 18:55:22 serverb systemd: Reloading.
Aug 16 18:55:22 serverb systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:55:22 serverb systemd: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:55:22 serverb puppet-agent[2453]: (/Stage[main]/Myfile/Service[mariadb]/ensure) ensure changed 'stopped' to 'running'
[root@serverb tmp]# systemctl status mariadb
mariadb.service - MariaDB database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled)
Active: active (running) since Tue 2016-08-16 18:55:21 EDT; 17s ago
Main PID: 2721 (mysqld_safe)
CGroup: /system.slice/mariadb.service
├─2721 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
└─2878 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mys...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: The lates...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: You can f...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: http://de...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Support M...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Corporati...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Alternati...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: http://ma...
Aug 16 18:55:19 serverb.example.com mysqld_safe[2721]: 160816 18:55:19 mysq...
Aug 16 18:55:19 serverb.example.com mysqld_safe[2721]: 160816 18:55:19 mysq...
Aug 16 18:55:21 serverb.example.com systemd[1]: Started MariaDB database se...
Hint: Some lines were ellipsized, use -l to show in full.
These are the commonly used attributes; they are by no means all of them. For more detail, visit https://docs.puppet.com/.
5. Using common attributes (metaparameters)
Usually each resource has a dependency: for example, the httpd configuration file can only be configured once the httpd package is installed, or after a service's configuration file has been changed it must be reloaded. These operations link several resources together through the common attributes.
1) notify
notify is normally used to tell another resource to perform its corresponding action (a refresh).
2) subscribe
The opposite of notify: the passive side of the notification.
3) require
require means that before this resource is applied, the other resource has already been applied successfully.
4) before
before is the opposite of require: the other resource is applied only after this one has been applied successfully.
Example:
[root@servera etc]# cat /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
file {"/etc/dhcpd.conf":
require => Package['dhcp'],
ensure => present,
source => 'puppet://servera.example.com/modules/myfile/etc/dhcpd.conf',
notify => Service['dhcpd'],
}
package{'dhcp':
ensure => present,
}
service {'dhcpd':
ensure => running,
enable => true,
}
}
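To make the four relationship attributes concrete, here is an added example (not code from the page or from Puppet) that models what they do to a catalog: require and before only fix the order in which resources are applied, while notify and subscribe fix the order and additionally send a refresh to the downstream resource when the upstream one changed. The manifest is a hash built from the dhcpd example above; the list of changed resources is constructed to stand for what a hypothetical run modified. It also covers the tomcat case earlier on this page, where the group must exist before the user and the user before the home directory.

```ruby
# Added example; not from the page or from Puppet. A toy model of what the
# four relationship metaparameters do: require/before fix the order in which
# resources are applied, notify/subscribe fix the order and additionally
# refresh the downstream resource (e.g. restart a service) when the upstream
# resource changed. The manifest is a hash built from the page's dhcpd
# example; "changed" marks which resources a hypothetical run modified.

# resource ref => metaparameters (each a ref or a list of refs)
DHCP_MANIFEST = {
  'File[/etc/dhcpd.conf]' => { require: 'Package[dhcp]', notify: 'Service[dhcpd]' },
  'Package[dhcp]'         => {},
  'Service[dhcpd]'        => {}
}

# Normalize the four metaparameters into [upstream, downstream, refresh?] edges.
def relationship_edges(manifest)
  manifest.flat_map do |ref, meta|
    Array(meta[:require]).map     { |up|   [up, ref, false] } +
      Array(meta[:before]).map    { |down| [ref, down, false] } +
      Array(meta[:subscribe]).map { |up|   [up, ref, true] } +
      Array(meta[:notify]).map    { |down| [ref, down, true] }
  end
end

# Depth-first topological order. Raises on a dependency cycle or on a
# reference to a resource that the manifest does not declare, which is
# how Puppet refuses such a catalog.
def evaluation_order(manifest)
  upstream = Hash.new { |h, k| h[k] = [] }
  manifest.each_key { |ref| upstream[ref] }
  relationship_edges(manifest).each { |up, down, _| upstream[down] << up }
  order, in_progress = [], {}
  visit = lambda do |ref|
    next if order.include?(ref)
    raise "reference to undeclared resource #{ref}" unless manifest.key?(ref)
    raise "dependency cycle involving #{ref}" if in_progress[ref]
    in_progress[ref] = true
    upstream[ref].each { |up| visit.call(up) }
    in_progress.delete(ref)
    order << ref
  end
  manifest.each_key { |ref| visit.call(ref) }
  order
end

# Resources that receive a refresh event because something they are
# notified by (or subscribe to) changed in this run.
def refreshed_resources(manifest, changed)
  relationship_edges(manifest)
    .select { |up, _, refresh| refresh && changed.include?(up) }
    .map { |_, down, _| down }
    .uniq
end

if __FILE__ == $PROGRAM_NAME
  puts "apply order: #{evaluation_order(DHCP_MANIFEST).join(' -> ')}"
  puts "refreshed when dhcpd.conf changes: #{refreshed_resources(DHCP_MANIFEST, ['File[/etc/dhcpd.conf]']).inspect}"
  puts "refreshed when only the package changes: #{refreshed_resources(DHCP_MANIFEST, ['Package[dhcp]']).inspect}"
end
```

A changed configuration file restarts the service through notify, whereas a newly installed package does not, because require carries no refresh; writing the same pair of relationships as subscribe on the service side gives the identical result.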
Exercise:
Using what was covered above, complete the following:
1. With servera as the master and server[b-e] as agents, set up the corresponding authorizations.
2. On server[b-e] build an httpd virtual host with site name www.abc.com and document root /var/www/html/abc.com; the service must restart every time the configuration file is modified.
9. puppet variables, templates and functions
1) Defining and using variables
A variable is defined as $variable_name = value.
The example below declares a local variable named content:
[root@servera manifests]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
$content = "some content\n"
file { "/tmp/test":
ensure => present,
content => "$content",
}
}
A variable can also be declared as a global variable in the global entry file (site.pp, or the nodes.pp it imports):
[root@servera manifests]# vim /etc/puppet/manifests/nodes.pp
node /server[b-c].pod0.example.com/ {
$content = "abc\n"
include 'myfile'
}
2) Using facter variables
facter variables hold the information that differs from one node to another.
They are referenced as ${::fact_name}.
class myfile {
file { "/tmp/test":
ensure => present,
content => "${::hostname}",
}
}
3) Setting up and using templates
Templates usually have the .erb extension and live in a directory named templates under the module directory.
1) Create the template file
[root@servera myfile]# pwd
/etc/puppet/modules/myfile
[root@servera myfile]# mkdir templates
[root@servera myfile]# cd templates
[root@servera templates]# vim testfile.erb
my ip address <%= content %>
Inside a template a variable is referenced as <%= variable_name %>.
2) Use the template
[root@servera manifests]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
file { "/tmp/testfile":
ensure => present,
content => template('myfile/testfile.erb'),   # use the template
}
}
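Puppet's template() function is plain Ruby ERB, so the rendering can be reproduced outside Puppet to see what a template will produce. The script below is an added example, not code from the page or from Puppet: it exposes manifest variables and facts to the template as instance variables (@content, @hostname, @ipaddress), which is how Puppet 3 makes them available (the bare form content used in testfile.erb above also works in Puppet 3 but is deprecated), and adds a check that refuses a template which references a variable the scope does not define, since ERB otherwise renders an unset @variable as an empty string and a typo would silently produce a blank configuration value. Template text, variable values and facts are constructed.

```ruby
require 'erb'

# Added example; not the page's or Puppet's code. Renders an ERB template
# the way Puppet 3's template() function does: manifest variables and facts
# are exposed to the template as instance variables (@content, @hostname,
# @ipaddress). Puppet 3 also resolves a bare "content", but that form is
# deprecated, so @content is used here. Template text, variable values and
# fact values are constructed.

class TemplateScope
  def initialize(vars)
    vars.each { |name, value| instance_variable_set("@#{name}", value) }
  end

  # Plain rendering: an unset @variable silently becomes an empty string.
  def render(template)
    ERB.new(template).result(binding)
  end

  # Safer rendering: refuse templates that reference variables this scope
  # does not define, so a typo cannot produce a blank config value. Only
  # @names inside <% ... %> tags count; an e-mail address in literal text
  # is left alone.
  def render_checked(template)
    code = template.scan(/<%(?:=|-)?(.*?)%>/m).flatten
    referenced = code.flat_map { |c| c.scan(/@(\w+)/).flatten }.uniq
    missing = referenced.reject { |n| instance_variable_defined?("@#{n}") }
    raise ArgumentError, "undefined template variables: #{missing.join(', ')}" unless missing.empty?
    render(template)
  end
end

# Constructed counterpart of testfile.erb, with two facts added.
TESTFILE_ERB = "my ip address <%= @ipaddress %>\nmanaged by puppet on <%= @hostname %>\n<%= @content %>"

def render_testfile(vars)
  TemplateScope.new(vars).render_checked(TESTFILE_ERB)
end

if __FILE__ == $PROGRAM_NAME
  puts render_testfile(content: "abc\n", hostname: 'serverb', ipaddress: '192.0.2.10')
end
```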
4) Defining and calling functions (defined resource types)
A function here is a collection of resources.
1) Definition
It is defined as follows:
[root@servera manifests]# pwd
/etc/puppet/modules/myfile/manifests
[root@servera manifests]# vim init.pp
class myfile {
define create_file($myfile,$mycontent) {
file { "$myfile":
ensure => present,
content => "$mycontent",
}
}
}
2) Call
It is called as follows:
[root@servera manifests]# cd /etc/puppet/manifests/
[root@servera manifests]# ls
nodes.pp site.pp
[root@servera manifests]# vim nodes.pp
node /server[b-c].pod0.example.com/ {
$content = "abc\n"
include 'myhttpd','myssh','myfile'
myfile::create_file { "xxxxxx":   # calling the function
myfile => '/tmp/qwer',
mycontent => "qwer\n",
}
}
Exercise:
Reposted from: https://blog.51cto.com/13602747/2107648