

Puppet Basics

Published 2024/9/21 in 编程问答 by 豆豆

puppet

[TOC]

1. What is puppet

Many companies run into the following problem: after a new application is developed, the ops staff spend a great deal of time getting it deployed in the test environment, and migrating it to production still means changing the configuration line by line; only after days and nights of overtime can they barely keep the new application running in production. Meanwhile, management is furious: "I have invested so much money, so why does deploying one new application still take this long?"

puppet's creator, Luke Kanies, once suffered in exactly this kind of environment. So he began to think about how system administrators could get their work done more efficiently. The product that followed was the software called puppet.

In fact, before developing puppet, Luke Kanies had written almost everything in Perl, but when he tried to write the model of this program in Perl he found it could not be done. He then tried Python and other languages, none of which could express the functionality he had in mind. Later, by chance, a friend mentioned Ruby and said the language was very powerful, so Luke Kanies tried Ruby and built puppet on it.

If a company wants to reduce the cost of maintaining many servers, puppet is one of the better tools, mainly because it is open source and its functionality is very complete. puppet also takes up good suggestions and accepts code contributed by others, which continually improves its flexibility and practicality.

2. How puppet works

In most scenarios puppet uses a C/S model, also called the M/A model: M is the master (server side) and A is the agent (client side). Once the relevant parameters are configured on the master, the agent adjusts its own environment according to the configuration it receives from the master.

Let us look in detail at how puppet works:

1) The agent and master establish a connection. During this process the master must authorize the agent; once authorization is complete, subsequent requests are transmitted over SSL encryption.

2) The master calls the agent's facter tool to obtain the agent host's parameters and variables.

3) Having obtained the agent's host information, the master looks up the matching configuration in its local manifests.

4) Based on the configuration the agent's node requires, the master parses and compiles it into a catalog (the catalog can also be called pseudo-code).

5) On receiving the catalog, the agent adjusts its current environment according to the master's configuration, for example by installing packages.

6) If file transfers are involved, the agent sends the master a file transfer request to fetch the required files.

7) The agent reports its current status.

8) Done.

3. Installing puppet

The current lab environment has two machines: servera.example.com is the master and serverb.example.com is the agent. The puppet version installed is 3.6.2; in principle the master and agent should run the same version. If M/A versions cannot be kept identical, note the following:

Only a master whose version is higher than the agent's can be expected to work.

The larger the version gap between master and agent, the less likely things work correctly; a 0.2 agent with a 3.2 master will almost certainly not work.

Mixing versions usually means you cannot get the full capability.

Here I have already downloaded the required packages: the ones the master and agent need, plus those that provide the Ruby environment, as shown below:

[root@servera puppet]# ls
facter-2.4.1-1.el7.x86_64.rpm
hiera-1.3.4-1.el7.noarch.rpm
puppet-3.6.2-3.el7.noarch.rpm
puppet-firewalld-0.1.3-1.el7.noarch.rpm
puppet-server-3.6.2-3.el7.noarch.rpm
ruby-augeas-0.5.0-1.el7.x86_64.rpm
rubygem-rgen-0.6.6-2.el7.noarch.rpm
ruby-shadow-1.4.1-23.el7.x86_64.rpm
Now we can install the software, starting with the master:

[root@servera puppet]# yum -y localinstall *.rpm
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Examining facter-2.4.1-1.el7.x86_64.rpm: facter-2.4.1-1.el7.x86_64
Marking facter-2.4.1-1.el7.x86_64.rpm to be installed
Examining hiera-1.3.4-1.el7.noarch.rpm: hiera-1.3.4-1.el7.noarch
Marking hiera-1.3.4-1.el7.noarch.rpm to be installed
Examining puppet-3.6.2-3.el7.noarch.rpm: puppet-3.6.2-3.el7.noarch
Marking puppet-3.6.2-3.el7.noarch.rpm to be installed
Examining puppet-firewalld-0.1.3-1.el7.noarch.rpm: puppet-firewalld-0.1.3-1.el7.noarch
Marking puppet-firewalld-0.1.3-1.el7.noarch.rpm to be installed
Examining puppet-server-3.6.2-3.el7.noarch.rpm: puppet-server-3.6.2-3.el7.noarch
Marking puppet-server-3.6.2-3.el7.noarch.rpm to be installed
Examining ruby-augeas-0.5.0-1.el7.x86_64.rpm: ruby-augeas-0.5.0-1.el7.x86_64
Marking ruby-augeas-0.5.0-1.el7.x86_64.rpm to be installed
Examining rubygem-rgen-0.6.6-2.el7.noarch.rpm: rubygem-rgen-0.6.6-2.el7.noarch
Marking rubygem-rgen-0.6.6-2.el7.noarch.rpm to be installed
Examining ruby-shadow-1.4.1-23.el7.x86_64.rpm: ruby-shadow-1.4.1-23.el7.x86_64
Marking ruby-shadow-1.4.1-23.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package facter.x86_64 0:2.4.1-1.el7 will be installed
--> Processing Dependency: /usr/bin/ruby for package: facter-2.4.1-1.el7.x86_64
test | 2.9 kB 00:00
--> Processing Dependency: pciutils for package: facter-2.4.1-1.el7.x86_64
---> Package hiera.noarch 0:1.3.4-1.el7 will be installed
--> Processing Dependency: ruby(release) for package: hiera-1.3.4-1.el7.noarch
---> Package puppet.noarch 0:3.6.2-3.el7 will be installed
--> Processing Dependency: ruby(selinux) for package: puppet-3.6.2-3.el7.noarch
---> Package puppet-firewalld.noarch 0:0.1.3-1.el7 will be installed
---> Package puppet-server.noarch 0:3.6.2-3.el7 will be installed
---> Package ruby-augeas.x86_64 0:0.5.0-1.el7 will be installed
--> Processing Dependency: augeas-libs >= 1.0.0 for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.1.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.10.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.11.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.12.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.14.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.16.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.8.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0()(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
---> Package ruby-shadow.x86_64 0:1.4.1-23.el7 will be installed
---> Package rubygem-rgen.noarch 0:0.6.6-2.el7 will be installed
--> Processing Dependency: ruby(rubygems) for package: rubygem-rgen-0.6.6-2.el7.noarch
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.1.0-17.el7 will be installed
---> Package libselinux-ruby.x86_64 0:2.2.2-6.el7 will be installed
---> Package pciutils.x86_64 0:3.2.1-4.el7 will be installed
---> Package ruby.x86_64 0:2.0.0.598-24.el7 will be installed
--> Processing Dependency: rubygem(bigdecimal) >= 1.2.0 for package: ruby-2.0.0.598-24.el7.x86_64
---> Package ruby-libs.x86_64 0:2.0.0.598-24.el7 will be installed
---> Package rubygems.noarch 0:2.0.14-24.el7 will be installed
--> Processing Dependency: rubygem(rdoc) >= 4.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(psych) >= 2.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(io-console) >= 0.4.2 for package: rubygems-2.0.14-24.el7.noarch
--> Running transaction check
---> Package rubygem-bigdecimal.x86_64 0:1.2.0-24.el7 will be installed
---> Package rubygem-io-console.x86_64 0:0.4.2-24.el7 will be installed
---> Package rubygem-psych.x86_64 0:2.0.0-24.el7 will be installed
--> Processing Dependency: libyaml-0.so.2()(64bit) for package: rubygem-psych-2.0.0-24.el7.x86_64
---> Package rubygem-rdoc.noarch 0:4.0.0-24.el7 will be installed
--> Processing Dependency: ruby(irb) = 2.0.0.598 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Processing Dependency: rubygem(json) >= 1.7.7 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Running transaction check
---> Package libyaml.x86_64 0:0.1.4-11.el7_0 will be installed
---> Package ruby-irb.noarch 0:2.0.0.598-24.el7 will be installed
---> Package rubygem-json.x86_64 0:1.7.7-24.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================
Package Arch Version Repository Size

Installing:
facter x86_64 2.4.1-1.el7 /facter-2.4.1-1.el7.x86_64 271 k
hiera noarch 1.3.4-1.el7 /hiera-1.3.4-1.el7.noarch 54 k
puppet noarch 3.6.2-3.el7 /puppet-3.6.2-3.el7.noarch 4.2 M
puppet-firewalld noarch 0.1.3-1.el7 /puppet-firewalld-0.1.3-1.el7.noarch 46 k
puppet-server noarch 3.6.2-3.el7 /puppet-server-3.6.2-3.el7.noarch 5.6 k
ruby-augeas x86_64 0.5.0-1.el7 /ruby-augeas-0.5.0-1.el7.x86_64 52 k
ruby-shadow x86_64 1.4.1-23.el7 /ruby-shadow-1.4.1-23.el7.x86_64 21 k
rubygem-rgen noarch 0.6.6-2.el7 /rubygem-rgen-0.6.6-2.el7.noarch 307 k
Installing for dependencies:
augeas-libs x86_64 1.1.0-17.el7 test 332 k
libselinux-ruby x86_64 2.2.2-6.el7 test 127 k
libyaml x86_64 0.1.4-11.el7_0 test 55 k
pciutils x86_64 3.2.1-4.el7 test 90 k
ruby x86_64 2.0.0.598-24.el7 test 67 k
ruby-irb noarch 2.0.0.598-24.el7 test 88 k
ruby-libs x86_64 2.0.0.598-24.el7 test 2.8 M
rubygem-bigdecimal x86_64 1.2.0-24.el7 test 79 k
rubygem-io-console x86_64 0.4.2-24.el7 test 50 k
rubygem-json x86_64 1.7.7-24.el7 test 75 k
rubygem-psych x86_64 2.0.0-24.el7 test 77 k
rubygem-rdoc noarch 4.0.0-24.el7 test 318 k
rubygems noarch 2.0.14-24.el7 test 212 k

Transaction Summary

Install 8 Packages (+13 Dependent packages)

Total size: 9.3 M
Total download size: 4.3 M
Installed size: 19 M
Downloading packages:
(1/13): augeas-libs-1.1.0-17.el7.x86_64.rpm | 332 kB 00:00
(2/13): libselinux-ruby-2.2.2-6.el7.x86_64.rpm | 127 kB 00:00
(3/13): libyaml-0.1.4-11.el7_0.x86_64.rpm | 55 kB 00:00
(4/13): pciutils-3.2.1-4.el7.x86_64.rpm | 90 kB 00:00
(5/13): ruby-2.0.0.598-24.el7.x86_64.rpm | 67 kB 00:00
(6/13): ruby-irb-2.0.0.598-24.el7.noarch.rpm | 88 kB 00:00
(7/13): ruby-libs-2.0.0.598-24.el7.x86_64.rpm | 2.8 MB 00:00
(8/13): rubygem-bigdecimal-1.2.0-24.el7.x86_64.rpm | 79 kB 00:00
(9/13): rubygem-io-console-0.4.2-24.el7.x86_64.rpm | 50 kB 00:00
(10/13): rubygem-json-1.7.7-24.el7.x86_64.rpm | 75 kB 00:00
(11/13): rubygem-psych-2.0.0-24.el7.x86_64.rpm | 77 kB 00:00
(12/13): rubygem-rdoc-4.0.0-24.el7.noarch.rpm | 318 kB 00:00
(13/13): rubygems-2.0.14-24.el7.noarch.rpm | 212 kB 00:00

Total 6.6 MB/s | 4.3 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : ruby-libs-2.0.0.598-24.el7.x86_64 1/21
Installing : hiera-1.3.4-1.el7.noarch 2/21
Installing : ruby-shadow-1.4.1-23.el7.x86_64 3/21
Installing : augeas-libs-1.1.0-17.el7.x86_64 4/21
Installing : ruby-augeas-0.5.0-1.el7.x86_64 5/21
Installing : libyaml-0.1.4-11.el7_0.x86_64 6/21
Installing : rubygem-bigdecimal-1.2.0-24.el7.x86_64 7/21
Installing : rubygem-json-1.7.7-24.el7.x86_64 8/21
Installing : rubygem-psych-2.0.0-24.el7.x86_64 9/21
Installing : rubygem-rdoc-4.0.0-24.el7.noarch 10/21
Installing : ruby-irb-2.0.0.598-24.el7.noarch 11/21
Installing : ruby-2.0.0.598-24.el7.x86_64 12/21
Installing : rubygems-2.0.14-24.el7.noarch 13/21
Installing : rubygem-io-console-0.4.2-24.el7.x86_64 14/21
Installing : rubygem-rgen-0.6.6-2.el7.noarch 15/21
Installing : pciutils-3.2.1-4.el7.x86_64 16/21
Installing : facter-2.4.1-1.el7.x86_64 17/21
Installing : libselinux-ruby-2.2.2-6.el7.x86_64 18/21
Installing : puppet-3.6.2-3.el7.noarch 19/21
Installing : puppet-server-3.6.2-3.el7.noarch 20/21
Installing : puppet-firewalld-0.1.3-1.el7.noarch 21/21
Verifying : ruby-augeas-0.5.0-1.el7.x86_64 1/21
Verifying : libselinux-ruby-2.2.2-6.el7.x86_64 2/21
Verifying : puppet-server-3.6.2-3.el7.noarch 3/21
Verifying : rubygem-io-console-0.4.2-24.el7.x86_64 4/21
Verifying : pciutils-3.2.1-4.el7.x86_64 5/21
Verifying : libyaml-0.1.4-11.el7_0.x86_64 6/21
Verifying : rubygem-bigdecimal-1.2.0-24.el7.x86_64 7/21
Verifying : facter-2.4.1-1.el7.x86_64 8/21
Verifying : rubygem-rdoc-4.0.0-24.el7.noarch 9/21
Verifying : hiera-1.3.4-1.el7.noarch 10/21
Verifying : puppet-3.6.2-3.el7.noarch 11/21
Verifying : rubygem-json-1.7.7-24.el7.x86_64 12/21
Verifying : ruby-libs-2.0.0.598-24.el7.x86_64 13/21
Verifying : rubygems-2.0.14-24.el7.noarch 14/21
Verifying : ruby-shadow-1.4.1-23.el7.x86_64 15/21
Verifying : augeas-libs-1.1.0-17.el7.x86_64 16/21
Verifying : ruby-irb-2.0.0.598-24.el7.noarch 17/21
Verifying : puppet-firewalld-0.1.3-1.el7.noarch 18/21
Verifying : rubygem-psych-2.0.0-24.el7.x86_64 19/21
Verifying : ruby-2.0.0.598-24.el7.x86_64 20/21
Verifying : rubygem-rgen-0.6.6-2.el7.noarch 21/21

Installed:
facter.x86_64 0:2.4.1-1.el7 hiera.noarch 0:1.3.4-1.el7
puppet.noarch 0:3.6.2-3.el7 puppet-firewalld.noarch 0:0.1.3-1.el7
puppet-server.noarch 0:3.6.2-3.el7 ruby-augeas.x86_64 0:0.5.0-1.el7
ruby-shadow.x86_64 0:1.4.1-23.el7 rubygem-rgen.noarch 0:0.6.6-2.el7

Dependency Installed:
augeas-libs.x86_64 0:1.1.0-17.el7
libselinux-ruby.x86_64 0:2.2.2-6.el7
libyaml.x86_64 0:0.1.4-11.el7_0
pciutils.x86_64 0:3.2.1-4.el7
ruby.x86_64 0:2.0.0.598-24.el7
ruby-irb.noarch 0:2.0.0.598-24.el7
ruby-libs.x86_64 0:2.0.0.598-24.el7
rubygem-bigdecimal.x86_64 0:1.2.0-24.el7
rubygem-io-console.x86_64 0:0.4.2-24.el7
rubygem-json.x86_64 0:1.7.7-24.el7
rubygem-psych.x86_64 0:2.0.0-24.el7
rubygem-rdoc.noarch 0:4.0.0-24.el7
rubygems.noarch 0:2.0.14-24.el7

Complete!
Then the agent:

[root@serverb puppet]# ls
facter-2.4.1-1.el7.x86_64.rpm
hiera-1.3.4-1.el7.noarch.rpm
puppet-3.6.2-3.el7.noarch.rpm
puppet-firewalld-0.1.3-1.el7.noarch.rpm
puppet-server-3.6.2-3.el7.noarch.rpm
ruby-augeas-0.5.0-1.el7.x86_64.rpm
rubygem-rgen-0.6.6-2.el7.noarch.rpm
ruby-shadow-1.4.1-23.el7.x86_64.rpm
[root@serverb puppet]# yum -y localinstall facter-2.4.1-1.el7.x86_64.rpm hiera-1.3.4-1.el7.noarch.rpm puppet-3.6.2-3.el7.noarch.rpm puppet-firewalld-0.1.3-1.el7.noarch.rpm ruby-augeas-0.5.0-1.el7.x86_64.rpm rubygem-rgen-0.6.6-2.el7.noarch.rpm ruby-shadow-1.4.1-23.el7.x86_64.rpm
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Examining facter-2.4.1-1.el7.x86_64.rpm: facter-2.4.1-1.el7.x86_64
Marking facter-2.4.1-1.el7.x86_64.rpm to be installed
Examining hiera-1.3.4-1.el7.noarch.rpm: hiera-1.3.4-1.el7.noarch
Marking hiera-1.3.4-1.el7.noarch.rpm to be installed
Examining puppet-3.6.2-3.el7.noarch.rpm: puppet-3.6.2-3.el7.noarch
Marking puppet-3.6.2-3.el7.noarch.rpm to be installed
Examining puppet-firewalld-0.1.3-1.el7.noarch.rpm: puppet-firewalld-0.1.3-1.el7.noarch
Marking puppet-firewalld-0.1.3-1.el7.noarch.rpm to be installed
Examining ruby-augeas-0.5.0-1.el7.x86_64.rpm: ruby-augeas-0.5.0-1.el7.x86_64
Marking ruby-augeas-0.5.0-1.el7.x86_64.rpm to be installed
Examining rubygem-rgen-0.6.6-2.el7.noarch.rpm: rubygem-rgen-0.6.6-2.el7.noarch
Marking rubygem-rgen-0.6.6-2.el7.noarch.rpm to be installed
Examining ruby-shadow-1.4.1-23.el7.x86_64.rpm: ruby-shadow-1.4.1-23.el7.x86_64
Marking ruby-shadow-1.4.1-23.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package facter.x86_64 0:2.4.1-1.el7 will be installed
--> Processing Dependency: /usr/bin/ruby for package: facter-2.4.1-1.el7.x86_64
test | 2.9 kB 00:00
--> Processing Dependency: pciutils for package: facter-2.4.1-1.el7.x86_64
---> Package hiera.noarch 0:1.3.4-1.el7 will be installed
--> Processing Dependency: ruby(release) for package: hiera-1.3.4-1.el7.noarch
---> Package puppet.noarch 0:3.6.2-3.el7 will be installed
--> Processing Dependency: ruby(selinux) for package: puppet-3.6.2-3.el7.noarch
---> Package puppet-firewalld.noarch 0:0.1.3-1.el7 will be installed
---> Package ruby-augeas.x86_64 0:0.5.0-1.el7 will be installed
--> Processing Dependency: augeas-libs >= 1.0.0 for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.1.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.10.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.11.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.12.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.14.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.16.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.8.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0()(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
---> Package ruby-shadow.x86_64 0:1.4.1-23.el7 will be installed
---> Package rubygem-rgen.noarch 0:0.6.6-2.el7 will be installed
--> Processing Dependency: ruby(rubygems) for package: rubygem-rgen-0.6.6-2.el7.noarch
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.1.0-17.el7 will be installed
---> Package libselinux-ruby.x86_64 0:2.2.2-6.el7 will be installed
---> Package pciutils.x86_64 0:3.2.1-4.el7 will be installed
---> Package ruby.x86_64 0:2.0.0.598-24.el7 will be installed
--> Processing Dependency: rubygem(bigdecimal) >= 1.2.0 for package: ruby-2.0.0.598-24.el7.x86_64
---> Package ruby-libs.x86_64 0:2.0.0.598-24.el7 will be installed
---> Package rubygems.noarch 0:2.0.14-24.el7 will be installed
--> Processing Dependency: rubygem(rdoc) >= 4.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(psych) >= 2.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(io-console) >= 0.4.2 for package: rubygems-2.0.14-24.el7.noarch
--> Running transaction check
---> Package rubygem-bigdecimal.x86_64 0:1.2.0-24.el7 will be installed
---> Package rubygem-io-console.x86_64 0:0.4.2-24.el7 will be installed
---> Package rubygem-psych.x86_64 0:2.0.0-24.el7 will be installed
--> Processing Dependency: libyaml-0.so.2()(64bit) for package: rubygem-psych-2.0.0-24.el7.x86_64
---> Package rubygem-rdoc.noarch 0:4.0.0-24.el7 will be installed
--> Processing Dependency: ruby(irb) = 2.0.0.598 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Processing Dependency: rubygem(json) >= 1.7.7 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Running transaction check
---> Package libyaml.x86_64 0:0.1.4-11.el7_0 will be installed
---> Package ruby-irb.noarch 0:2.0.0.598-24.el7 will be installed
---> Package rubygem-json.x86_64 0:1.7.7-24.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================
Package Arch Version Repository Size

Installing:
facter x86_64 2.4.1-1.el7 /facter-2.4.1-1.el7.x86_64 271 k
hiera noarch 1.3.4-1.el7 /hiera-1.3.4-1.el7.noarch 54 k
puppet noarch 3.6.2-3.el7 /puppet-3.6.2-3.el7.noarch 4.2 M
puppet-firewalld noarch 0.1.3-1.el7 /puppet-firewalld-0.1.3-1.el7.noarch 46 k
ruby-augeas x86_64 0.5.0-1.el7 /ruby-augeas-0.5.0-1.el7.x86_64 52 k
ruby-shadow x86_64 1.4.1-23.el7 /ruby-shadow-1.4.1-23.el7.x86_64 21 k
rubygem-rgen noarch 0.6.6-2.el7 /rubygem-rgen-0.6.6-2.el7.noarch 307 k
Installing for dependencies:
augeas-libs x86_64 1.1.0-17.el7 test 332 k
libselinux-ruby x86_64 2.2.2-6.el7 test 127 k
libyaml x86_64 0.1.4-11.el7_0 test 55 k
pciutils x86_64 3.2.1-4.el7 test 90 k
ruby x86_64 2.0.0.598-24.el7 test 67 k
ruby-irb noarch 2.0.0.598-24.el7 test 88 k
ruby-libs x86_64 2.0.0.598-24.el7 test 2.8 M
rubygem-bigdecimal x86_64 1.2.0-24.el7 test 79 k
rubygem-io-console x86_64 0.4.2-24.el7 test 50 k
rubygem-json x86_64 1.7.7-24.el7 test 75 k
rubygem-psych x86_64 2.0.0-24.el7 test 77 k
rubygem-rdoc noarch 4.0.0-24.el7 test 318 k
rubygems noarch 2.0.14-24.el7 test 212 k

Transaction Summary

Install 7 Packages (+13 Dependent packages)

Total size: 9.3 M
Total download size: 4.3 M
Installed size: 19 M
Downloading packages:
(1/13): augeas-libs-1.1.0-17.el7.x86_64.rpm | 332 kB 00:00
(2/13): libselinux-ruby-2.2.2-6.el7.x86_64.rpm | 127 kB 00:00
(3/13): libyaml-0.1.4-11.el7_0.x86_64.rpm | 55 kB 00:00
(4/13): pciutils-3.2.1-4.el7.x86_64.rpm | 90 kB 00:00
(5/13): ruby-2.0.0.598-24.el7.x86_64.rpm | 67 kB 00:00
(6/13): ruby-libs-2.0.0.598-24.el7.x86_64.rpm | 2.8 MB 00:00
(7/13): rubygem-bigdecimal-1.2.0-24.el7.x86_64.rpm | 79 kB 00:00
(8/13): rubygem-io-console-0.4.2-24.el7.x86_64.rpm | 50 kB 00:00
(9/13): rubygem-json-1.7.7-24.el7.x86_64.rpm | 75 kB 00:00
(10/13): rubygem-psych-2.0.0-24.el7.x86_64.rpm | 77 kB 00:00
(11/13): rubygem-rdoc-4.0.0-24.el7.noarch.rpm | 318 kB 00:00
(12/13): rubygems-2.0.14-24.el7.noarch.rpm | 212 kB 00:00
(13/13): ruby-irb-2.0.0.598-24.el7.noarch.rpm | 88 kB 00:00

Total 9.6 MB/s | 4.3 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : ruby-libs-2.0.0.598-24.el7.x86_64 1/20
Installing : hiera-1.3.4-1.el7.noarch 2/20
Installing : ruby-shadow-1.4.1-23.el7.x86_64 3/20
Installing : augeas-libs-1.1.0-17.el7.x86_64 4/20
Installing : ruby-augeas-0.5.0-1.el7.x86_64 5/20
Installing : libyaml-0.1.4-11.el7_0.x86_64 6/20
Installing : rubygem-bigdecimal-1.2.0-24.el7.x86_64 7/20
Installing : rubygem-json-1.7.7-24.el7.x86_64 8/20
Installing : rubygem-psych-2.0.0-24.el7.x86_64 9/20
Installing : rubygem-rdoc-4.0.0-24.el7.noarch 10/20
Installing : ruby-irb-2.0.0.598-24.el7.noarch 11/20
Installing : ruby-2.0.0.598-24.el7.x86_64 12/20
Installing : rubygems-2.0.14-24.el7.noarch 13/20
Installing : rubygem-io-console-0.4.2-24.el7.x86_64 14/20
Installing : rubygem-rgen-0.6.6-2.el7.noarch 15/20
Installing : pciutils-3.2.1-4.el7.x86_64 16/20
Installing : facter-2.4.1-1.el7.x86_64 17/20
Installing : libselinux-ruby-2.2.2-6.el7.x86_64 18/20
Installing : puppet-3.6.2-3.el7.noarch 19/20
Installing : puppet-firewalld-0.1.3-1.el7.noarch 20/20
Verifying : ruby-augeas-0.5.0-1.el7.x86_64 1/20
Verifying : libselinux-ruby-2.2.2-6.el7.x86_64 2/20
Verifying : rubygem-io-console-0.4.2-24.el7.x86_64 3/20
Verifying : pciutils-3.2.1-4.el7.x86_64 4/20
Verifying : libyaml-0.1.4-11.el7_0.x86_64 5/20
Verifying : rubygem-bigdecimal-1.2.0-24.el7.x86_64 6/20
Verifying : facter-2.4.1-1.el7.x86_64 7/20
Verifying : rubygem-rdoc-4.0.0-24.el7.noarch 8/20
Verifying : hiera-1.3.4-1.el7.noarch 9/20
Verifying : puppet-3.6.2-3.el7.noarch 10/20
Verifying : rubygem-json-1.7.7-24.el7.x86_64 11/20
Verifying : ruby-libs-2.0.0.598-24.el7.x86_64 12/20
Verifying : rubygems-2.0.14-24.el7.noarch 13/20
Verifying : ruby-shadow-1.4.1-23.el7.x86_64 14/20
Verifying : augeas-libs-1.1.0-17.el7.x86_64 15/20
Verifying : ruby-irb-2.0.0.598-24.el7.noarch 16/20
Verifying : puppet-firewalld-0.1.3-1.el7.noarch 17/20
Verifying : rubygem-psych-2.0.0-24.el7.x86_64 18/20
Verifying : ruby-2.0.0.598-24.el7.x86_64 19/20
Verifying : rubygem-rgen-0.6.6-2.el7.noarch 20/20

Installed:
facter.x86_64 0:2.4.1-1.el7 hiera.noarch 0:1.3.4-1.el7
puppet.noarch 0:3.6.2-3.el7 puppet-firewalld.noarch 0:0.1.3-1.el7
ruby-augeas.x86_64 0:0.5.0-1.el7 ruby-shadow.x86_64 0:1.4.1-23.el7
rubygem-rgen.noarch 0:0.6.6-2.el7

Dependency Installed:
augeas-libs.x86_64 0:1.1.0-17.el7
libselinux-ruby.x86_64 0:2.2.2-6.el7
libyaml.x86_64 0:0.1.4-11.el7_0
pciutils.x86_64 0:3.2.1-4.el7
ruby.x86_64 0:2.0.0.598-24.el7
ruby-irb.noarch 0:2.0.0.598-24.el7
ruby-libs.x86_64 0:2.0.0.598-24.el7
rubygem-bigdecimal.x86_64 0:1.2.0-24.el7
rubygem-io-console.x86_64 0:0.4.2-24.el7
rubygem-json.x86_64 0:1.7.7-24.el7
rubygem-psych.x86_64 0:2.0.0-24.el7
rubygem-rdoc.noarch 0:4.0.0-24.el7
rubygems.noarch 0:2.0.14-24.el7

Complete!
The installation is now complete.

4. puppet M/A authorization

From the description of how puppet works above, the first step in establishing the connection is authorization. So how is M/A authorization done? In fact the master and the agent share the same configuration file, /etc/puppet/puppet.conf, which defines the runtime environment and other parameters the master and agent need. Before the process starts, the system environment is checked against this file; the process only starts once that check passes.

Configuration on the master:

Append the following to /etc/puppet/puppet.conf:

[master]

certname=<hostname of the master host>

[root@servera puppet]# hostname
servera.example.com
[root@servera puppet]# sed -i '$a[master]\ncertname=servera.pod0.example.com' /etc/puppet/puppet.conf
[root@servera puppet]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

[master]
certname=servera.pod0.example.com
Configuration on the agent:

Add one line to the [main] section of /etc/puppet/puppet.conf:

server = <hostname of the master host>

[root@serverb puppet]# sed -i '/ssldir/aserver = servera.pod0.example.com' /etc/puppet/puppet.conf
[root@serverb puppet]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
server = servera.pod0.example.com

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

Note: puppet locates hosts by hostname throughout its configuration, so name resolution must be set up before this step.

Start the puppet services on the master and the agent, the master first and then the agent.

1) Starting the master. After startup it first certifies its own host, generating <local hostname>.pem under /var/lib/puppet/ssl/ca/signed. The result:

[root@servera ~]# systemctl start puppetmaster
[root@servera ~]# cd /var/lib/puppet/ssl/ca/signed/
[root@servera signed]# ls
servera.pod0.example.com.pem
2) Starting the agent. After startup it generates <agent hostname>.pem under /var/lib/puppet/ssl/certificate_requests and sends the certificate request straight to the master, where it is placed in /var/lib/puppet/ssl/ca/requests. The result:

[root@serverb ~]# systemctl start puppet
[root@serverb ~]# cd /var/lib/puppet/ssl/certificate_requests/
[root@serverb certificate_requests]# ls
serverb.pod0.example.com.pem

[root@servera signed]# cd ../requests/
[root@servera requests]# pwd
/var/lib/puppet/ssl/ca/requests
[root@servera requests]# ls
serverb.pod0.example.com.pem

Note: during this process, if SELinux is in enforcing mode, permission problems prevent the agent from creating the certificate request file correctly; run setenforce 0 to switch SELinux to permissive mode.

3) Authorizing on the master

Authorization on the master is done with the puppet cert command:

First look at the help output with the --help option:

[root@servera requests]# puppet cert --help

puppet-cert(8) -- Manage certificates and requests

SYNOPSIS

Standalone certificate authority. Capable of generating certificates,
but mostly used for signing certificate requests from puppet clients.

USAGE

puppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
[--digest <digest>] [<host>]

DESCRIPTION

Because the puppet master service defaults to not signing client
certificate requests, this script is available for signing outstanding
requests. It can be used to list outstanding requests and then either
sign them individually or sign all of them.

ACTIONS

Every action except 'list' and 'generate' requires a hostname to act on,
unless the '--all' option is set.

  • clean:
    Revoke a host's certificate (if applicable) and remove all files
    related to that host from puppet cert's storage. This is useful when
    rebuilding hosts, since new certificate signing requests will only be
    honored if puppet cert does not have a copy of a signed certificate
    for that host. If '--all' is specified then all host certificates,
    both signed and unsigned, will be removed.

  • fingerprint:
    Print the DIGEST (defaults to the signing algorithm) fingerprint of a
    host's certificate.

  • generate:
    Generate a certificate for a named client. A certificate/keypair will
    be generated for each client named on the command line.

  • list:
    List outstanding certificate requests. If '--all' is specified, signed
    certificates are also listed, prefixed by '+', and revoked or invalid
    certificates are prefixed by '-' (the verification outcome is printed
    in parenthesis).

  • print:
    Print the full-text version of a host's certificate.

  • revoke:
    Revoke the certificate of a client. The certificate can be specified either
    by its serial number (given as a hexadecimal number prefixed by '0x') or by its
    hostname. The certificate is revoked by adding it to the Certificate Revocation
    List given by the 'cacrl' configuration option. Note that the puppet master
    needs to be restarted after revoking certificates.

  • sign:
    Sign an outstanding certificate request.

  • verify:
    Verify the named certificate against the local CA certificate.

  • reinventory:
    Build an inventory of the issued certificates. This will destroy the current
    inventory file specified by 'cert_inventory' and recreate it from the
    certificates found in the 'certdir'. Ensure the puppet master is stopped
    before running this action.

OPTIONS

Note that any setting that's valid in the configuration
file is also a valid long argument. For example, 'ssldir' is a valid
setting, so you can specify '--ssldir <directory>' as an
argument.

See the configuration file documentation at
http://docs.puppetlabs.com/references/stable/configuration.html for the
full list of acceptable parameters. A commented list of all
configuration options can also be generated by running puppet cert with
'--genconfig'.

  • --all:
    Operate on all items. Currently only makes sense with the 'sign',
    'clean', 'list', and 'fingerprint' actions.

  • --digest:
    Set the digest for fingerprinting (defaults to the digest used when
    signing the cert). Valid values depends on your openssl and openssl ruby
    extension version.

  • --debug:
    Enable full debugging.

  • --help:
    Print this help message

  • --verbose:
    Enable verbosity.

  • --version:
    Print the puppet version number and exit.

EXAMPLE

$ puppet cert list culain.madstop.com
$ puppet cert sign culain.madstop.com

AUTHOR

Luke Kanies

COPYRIGHT

Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
From the help output we can pick out the following commonly used actions:

clean: clears all authorization information.

list: lists the certificate requests from all agents.

revoke: revokes an agent's authorization.

sign: authorizes an agent's certificate request.

Now we can authorize the agent (serverb) on the master:

[root@servera requests]# puppet cert --list
"serverb.example.com" (SHA256) 3A:04:7B:E5:AB:69:D0:CA:9C:DC:85:CF:66:EC:F8:61:56:6D:53:B2:BB:9F:7E:9A:9C:C6:E9:AC:E0:CE:F3:D8
[root@servera requests]# puppet cert --sign "serverb.pod0.example.com"
Notice: Signed certificate request for serverb.pod0.example.com
Notice: Removing file Puppet::SSL::CertificateRequest serverb.pod0.example.com at '/var/lib/puppet/ssl/ca/requests/serverb.example.com.pem'
[root@servera requests]# cd ../signed/
[root@servera signed]# ls
servera.pod0.example.com.pem serverb.pod0.example.com.pem
[root@servera signed]# pwd
/var/lib/puppet/ssl/ca/signed
Once authorization is complete, on the master the file /var/lib/puppet/ssl/ca/requests/<agent hostname>.pem is moved to /var/lib/puppet/ssl/ca/signed/<agent hostname>.pem,

and on the agent a new file appears: /var/lib/puppet/ssl/certs/<agent hostname>.pem.

5. Automatic puppet authorization

The method above does complete one-to-one authorization. But what if there are many agents to sign? Do we sign them one by one? In fact puppet provides the --all option, which authorizes multiple agents in one go.

[root@servera requests]# puppet cert --sign --all
Notice: Signed certificate request for serverb.pod0.example.com
Notice: Removing file Puppet::SSL::CertificateRequest serverb.pod0.example.com at '/var/lib/puppet/ssl/ca/requests/serverb.pod0.example.com.pem
But this still requires typing the command by hand, and the possible consequence is that an agent host meant to be added cannot obtain authorization in time to establish the SSL connection for its transfers.

Our requirement now is: as soon as an agent host from a given domain starts and sends an authorization request, the master signs it automatically, without anyone running puppet cert --sign by hand; that is, authorization completes automatically.

Now bring up another server, hostname serverd.example.com, as a puppet agent; its authorization must complete automatically. The configuration is as follows:

Configuration on the master:

[root@servera requests]# cat >> /etc/puppet/puppet.conf << END

autosign = /etc/puppet/autosign.conf
autosign = true
autosign = /etc/puppet/autosign.conf
END
[root@servera requests]# tail -n5 /etc/puppet/puppet.conf
[master]
certname=servera.pod0.example.com
autosign = /etc/puppet/autosign.conf
autosign = true
autosign = /etc/puppet/autosign.conf
[root@servera requests]# cat >> /etc/puppet/autosign.conf << END
*.example.com
END
[root@servera requests]# systemctl restart puppetmaster
Configuration on the agent:

[root@serverd puppet]# sed -i '/ssldir/aserver = servera.pod0.example.com' /etc/puppet/puppet.conf
[root@serverd puppet]# systemctl restart puppet
以上操作完成之后,立刻就可以看到授權后的結果。

Master side:

[root@servera signed]# pwd
/var/lib/puppet/ssl/ca/signed
[root@servera signed]# ls
servera.pod0.example.com.pem serverd.pod0.example.com.pem
serverb.pod0.example.com.pem
Agent side:

[root@serverd certs]# pwd
/var/lib/puppet/ssl/certs
[root@serverd certs]# ls
ca.pem serverd.pod0.example.com.pem
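A policy-based autosign script is the stronger alternative to the domain glob above. The following is an added example, not code from the original post or from Puppet itself. It accepts a request only if the certname is in the expected domain, the CSR is self-consistent (its signature verifies and its CN equals the certname) and the CSR carries a pre-shared secret as a PKCS#9 challengePassword attribute, which an agent can add through /etc/puppet/csr_attributes.yaml under custom_attributes with the OID 1.2.840.113549.1.9.7. The domain pod0.example.com, the secret and the AUTOSIGN_SECRET environment variable are assumptions for the example. To use it, save it as an executable file and point autosign in the [master] section at that file instead of at autosign.conf.

```ruby
#!/usr/bin/env ruby
# Policy-based autosign script for Puppet 3.4+ (added example, not from the
# original post). The master invokes it as:  script <certname>  with the
# PEM-encoded CSR on stdin, and signs the request only if it exits 0.
# Assumptions for this example: the allowed domain, the shared secret and the
# AUTOSIGN_SECRET environment variable are made up.
require 'openssl'

ALLOWED_CERTNAME = /\A[a-z0-9-]+\.pod0\.example\.com\z/
# Agents put the pre-shared secret into the CSR as a PKCS#9 challengePassword
# attribute (OID 1.2.840.113549.1.9.7) via /etc/puppet/csr_attributes.yaml.
SHARED_SECRET = ENV.fetch('AUTOSIGN_SECRET', 'assumed-shared-secret')

# Returns the challengePassword attribute of a CSR, or nil if it is absent.
def challenge_password(csr)
  attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
  return nil unless attr
  # The attribute value is a SET holding one string-typed ASN.1 element.
  attr.value.value.first.value
end

# Constant-time comparison, so a wrong secret cannot be guessed byte by
# byte from timing differences.
def secure_equal?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def common_name(csr)
  entry = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# Decides whether a CSR should be signed. Returns [true/false, reason].
def autosign_decision(certname, csr_pem)
  return [false, 'certname outside the allowed domain'] unless ALLOWED_CERTNAME.match?(certname)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return [false, 'CSR signature does not verify'] unless csr.verify(csr.public_key)
  return [false, 'CSR subject CN does not match certname'] unless common_name(csr) == certname
  return [false, 'bad or missing challengePassword'] unless secure_equal?(challenge_password(csr), SHARED_SECRET)
  [true, 'ok']
rescue OpenSSL::X509::RequestError
  [false, 'unparseable CSR']
end

# Builds a CSR the way an agent with csr_attributes.yaml would; used here only
# to construct sample input for trying the policy offline.
def build_csr(certname, secret, key = OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword',
    OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(secret)])))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Entry point used by the master: one argument (the certname), CSR on stdin.
if __FILE__ == $PROGRAM_NAME && ARGV.length == 1
  ok, reason = autosign_decision(ARGV[0], $stdin.read)
  warn "autosign #{ARGV[0]}: #{reason}"
  exit(ok ? 0 : 1)
end
```

The master only looks at the exit status, so the reason goes to standard error, where it ends up in the master's log. A secret shared by the whole fleet is still one secret; for anything larger than a lab, hand each provisioning image a per-host secret and revoke it once the certificate is issued.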
6. Puppet synchronisation mechanisms

In M/A mode Puppet can synchronise configuration in two ways.

1. The agent pulls the configuration from the master.

This is the default: with no change to the timing, the agent contacts the master every 30 minutes. To change the interval, set runinterval in /etc/puppet/puppet.conf on the agent (a bare number is seconds; 5 is used below only to watch the log, and is far too aggressive for a real fleet).

[root@serverb /]# echo "runinterval = 5" >> /etc/puppet/puppet.conf
[root@serverb /]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
server = servera.pod0.example.com

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
runinterval = 5
[root@serverb /]# systemctl restart puppet
[root@serverb /]# tail -f /var/log/messages
Aug 13 08:41:05 serverb puppet-agent[4275]: Finished catalog run in 0.01 seconds
Aug 13 08:41:10 serverb puppet-agent[4441]: Finished catalog run in 0.01 seconds
Aug 13 08:41:15 serverb puppet-agent[4607]: Finished catalog run in 0.01 seconds
Aug 13 08:41:20 serverb puppet-agent[4773]: Finished catalog run in 0.01 seconds
...
采用方式1的好處:若agent由于一些原因導致配置文件損壞,可以在同步時間周期內獲取到正確的配置,不需人為進行處理。同樣,配置該方式十分的簡單易上手,能夠根據需求變更同步周期。

采用方式1的劣勢:多臺agent同時像master發起同步請求,master可能會面臨性能瓶頸問題。當然,該劣勢可通過分批同步的方式去解決。除此之外,我們需要保證master端的操作足夠安全,任何人修改master端的配置參數都會被符合節點要求的agent端同步更新,譬如有人在推送的腳本中寫了rm -rf /*,該操作同樣會被同步到多臺agent端執行,安全性會受到很嚴重的威脅。

2.PuppetMaster端使用puppet kick命令推送配置至agent端

該方式是通過puppetmaster端的puppet kick命令來同步配置的。

Advantages:

Higher assurance: there is time to review the code before an update is triggered.

The update cycle is easy to control.

Drawbacks:

If data on the agent is tampered with, it is hard to restore promptly.

The locking mechanism makes control rather inflexible.

Method 2 has largely been abandoned in production environments (puppet kick is deprecated in Puppet 3), so it is not described further here.

7. The Puppet listening port

Nearly every network service listens on a port that distinguishes its requests from those of other services.

The master listens on TCP port 8140.

[root@servera signed]# netstat -tulnp | grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 4280/ruby
[root@servera signed]# firewall-cmd --permanent --add-port=8140/tcp
success
[root@servera signed]# firewall-cmd --reload
success
如果采用agent主動連接master的方式,就需要配置防火墻以保證master端的8140端口能夠接受agent主機的請求。

8.puppet基礎配置

1)全局入口文件:site.pp的創建####

/etc/puppet/manifests/site.pp是全局的入口文件,agent訪問master獲取配置參數的第一步就是讀取site.pp內容,一切的管理工作都由site.pp開始。

site.pp的作用就是用來定義哪些節點(即agent)采用什么樣的模塊(配置字段)。首次配置puppetmaster,應自行創建該文件。

[root@servera manifests]# cat >> /etc/puppet/manifests/site.pp << END
node 'serverb.example.com' {
  include 'myfile'
}
END
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node 'serverb.example.com' {
  include 'myfile'
}
The node line declares serverb.example.com as a node managed by Puppet, and include names the module, myfile, that holds everything serverb must synchronise. With this configuration serverb takes its configuration from the myfile module and no other host has anything to synchronise. To have several hosts synchronise the contents of myfile, one way is:

[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node 'serverb.example.com' {
  include 'myfile'
}
node 'serverd.example.com' {
  include 'myfile'
}
...
This assigns the myfile module to both serverb and serverd, but it is verbose; the node name can instead be a regular expression:

[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node /^(serverb|serverd)\.example\.com$/ {
  include 'myfile'
}
This says that both serverb and serverd take their configuration from the myfile module. Or:

[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node /^.*\.example\.com$/ {
  include 'myfile'
}
Every host whose name ends in .example.com uses the myfile module. The dots must be escaped: an unescaped . matches any character, so /^.*.example.com$/ would also match a host named evilexample.com.

The precondition is still a working SSL connection: a node that has not been signed cannot pull its configuration from the master, whatever site.pp says about it.

Keeping every node in one file becomes hard to maintain. Nodes can instead be grouped into separate files, named as you like, and pulled into site.pp with import (Puppet 3.5 deprecated import in favour of pointing the manifest setting at a directory, but it still works in 3.6). For example:

[root@servera ~]# echo "import 'nodes.pp'" > /etc/puppet/manifests/site.pp
[root@servera ~]# cat /etc/puppet/manifests/site.pp
import 'nodes.pp'
[root@servera ~]# cat > /etc/puppet/manifests/nodes.pp << END
node /^.*\.example\.com$/ {
  include 'myfile'
}
END
[root@servera ~]# cat /etc/puppet/manifests/nodes.pp
node /^.*\.example\.com$/ {
  include 'myfile'
}
2) Creating a module and writing the common resource types

Above we included a module called myfile. Once the agent finds in its node definition that it must synchronise the myfile module, it looks for a file named init.pp under /etc/puppet/modules/myfile/manifests; that file is the module's entry point. If the directory does not exist yet, create it:

[root@servera ~]# mkdir -p /etc/puppet/modules/myfile/manifests
Then write init.pp, which has this shape:

class module_name {
  type1 { 'title1':
    attribute1 => value1,
    attribute2 => value2,
    attribute3 => value3,
    ...
    attributeN => valueN;
  'title2':
    attribute => value,
    ...
    attribute => value;
  }
  type2 { 'title':
    attribute => value,
    ...
  }
}
The type is the kind of object being managed, the title names the concrete thing to manage, the attributes are the properties being controlled, and the values are the states they must have.

For example, to install a package named httpd on the agent:

package { 'httpd':        # the type is package, the managed item is httpd
  ensure => present,      # the property is whether httpd is installed; present means it must be
}
Common Puppet types and their attributes

1. The file type (operations on files)

Common attributes:

ensure => 'absent|present|directory|link'
group => 'owning group'
owner => 'owning user'
mode => 'permission bits, for example 0644'
content => 'literal content of the file'
force => 'true|false'
source => 'puppet URL of the file to copy from the master'

Example use of the file type:

Pushing /etc/fstab

/etc/fstab decides what is mounted at boot; hosts that serve the same role usually have near-identical mount tables, so the file can be pushed to every node that includes the module.

[root@servera etc]# cat /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
  file { '/etc/fstab':
    ensure => present,
    owner  => root,
    group  => root,
    source => 'puppet://servera.example.com/modules/myfile/etc/fstab',
  }
}
[root@servera etc]# mkdir -p /etc/puppet/modules/myfile/files/etc
[root@servera files]# cp /etc/fstab /etc/puppet/modules/myfile/files/etc/fstab

Note: source names the location of the source file; the module's files directory is implied, so it is not written in the URL. The usual form is puppet:///modules/myfile/etc/fstab with no server name, which keeps the manifest independent of the master's hostname.

No service restart is needed after editing a manifest: the agent picks up the new catalog on its next scheduled run, and the log shows the result. The "Could not retrieve information" lines below come from the runs before the file had been copied into the module's files directory; once it was there the content was replaced.
[root@serverb ~]# tailf /var/log/messages
Aug 16 11:24:17 serverb puppet-agent[4734]: Finished catalog run in 0.01 seconds
Aug 16 11:24:22 serverb puppet-agent[4900]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:22 serverb puppet-agent[4900]: Finished catalog run in 0.04 seconds
Aug 16 11:24:27 serverb puppet-agent[5068]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:27 serverb puppet-agent[5068]: Finished catalog run in 0.04 seconds
Aug 16 11:24:32 serverb puppet-agent[5236]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:32 serverb puppet-agent[5236]: Finished catalog run in 0.04 seconds
Aug 16 11:24:37 serverb puppet-agent[5404]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:37 serverb puppet-agent[5404]: Finished catalog run in 0.04 seconds
Aug 16 11:24:42 serverb puppet-agent[5572]: (/Stage[main]/Myfile/File[/etc/fstab]/content) content changed '{md5}71c72e221409b343ed9a69f9a2dfa15c' to '{md5}ff16538739bfe5d524783750dd88ae30'
2. The user and group types (managing users and groups)

Common user attributes:
ensure => 'present|absent'
uid => 'uid number'
gid => 'primary group number'
home => 'home directory'
shell => 'login shell'

Common group attributes:
ensure => 'present|absent'
gid => 'gid number'

Example use of user and group:

Creating a tomcat user on many hosts. Deploying JSP pages needs a servlet container, and tomcat is a common one; when tomcat is started through jsvc it needs a user named tomcat to run the service as. This is a typical case of creating the same user on many hosts at once.

[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
  user { 'tomcat':
    require => Group['tomcat'],
    ensure  => present,
    uid     => '666',
    gid     => '666',
    home    => '/home/tomcat',
    shell   => '/sbin/nologin',
  }
  group { 'tomcat':
    ensure => present,
    gid    => '666',
  }
  file { '/home/tomcat':
    ensure  => directory,
    mode    => '0700',
    owner   => 'tomcat',
    group   => 'tomcat',
    require => User['tomcat'],
  }
}
require is a metaparameter, an attribute every resource type accepts; it means that the named resource is applied first and the current one afterwards. A resource reference is written with the type capitalised (Group['tomcat'], User['tomcat']); the parser does not accept the lowercase form.

So require => Group['tomcat'] in the user resource means: apply the group resource titled tomcat first, then the user resource titled tomcat. The log confirms the order: the group is created first, then the user, then the home directory.

[root@serverb ~]# tail /var/log/messages
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/Group[tomcat]/ensure) created
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/User[tomcat]/ensure) created
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/File[/home/tomcat]/ensure) created
[root@serverb ~]# id tomcat
uid=666(tomcat) gid=666(tomcat) groups=666(tomcat)
[root@serverb ~]# ll -d /home/tomcat/
drwx------. 2 tomcat tomcat 6 Aug 16 11:37 /home/tomcat/
3. The package type (software packages)

Common attributes:

ensure => present | absent

By default the package type installs with yum. To install from a local rpm file instead, add two attributes:

source   => '/tmp/nginx-1.8.0-1.el7.ngx.x86_64.rpm',  # absolute path of the package file
provider => 'rpm',                                    # install with rpm rather than yum
Example use of the package type:

Rolling out a MySQL database environment by installing mariadb-server on several servers:

Master-side configuration:

[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
  package { 'mariadb-server':
    ensure => present,
  }
}
Result on the agent:

[root@serverb tmp]# tail /var/log/messages -f
Aug 16 18:44:19 serverb yum[109385]: Installed: perl-Data-Dumper-2.145-3.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-Net-Daemon-0.48-5.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-IO-Compress-2.061-2.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-PlRPC-0.2020-14.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-DBI-1.627-4.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-DBD-MySQL-4.023-5.el7.x86_64
Aug 16 18:44:22 serverb yum[109385]: Installed: 1:mariadb-5.5.41-2.el7_0.x86_64
Aug 16 18:44:24 serverb systemd: Reloading.
Aug 16 18:44:25 serverb systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:44:25 serverb systemd: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:44:25 serverb yum[109385]: Installed: 1:mariadb-server-5.5.41-2.el7_0.x86_64
Aug 16 18:44:26 serverb puppet-agent[109199]: (/Stage[main]/Myfile/Package[mariadb-server]/ensure) created

[root@serverb tmp]# rpm -q mariadb-server
mariadb-server-5.5.41-2.el7_0.x86_64
4. The service type (controlling service state)

Common attributes:

enable => 'true|false'         # whether the service starts at boot

ensure => 'running|stopped'    # whether it must be running now

Example use of the service type:

Start mariadb and enable it at boot:

Master-side configuration:

[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
  package { 'mariadb-server':
    ensure => present,
  }
  service { 'mariadb':
    require => Package['mariadb-server'],
    ensure  => running,
    enable  => true,
  }
}
Result on the agent:

[root@serverb tmp]# tail -f /var/log/messages
Aug 16 18:55:21 serverb systemd: Started MariaDB database server.
Aug 16 18:55:22 serverb systemd: Reloading.
Aug 16 18:55:22 serverb systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:55:22 serverb systemd: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:55:22 serverb puppet-agent[2453]: (/Stage[main]/Myfile/Service[mariadb]/ensure) ensure changed 'stopped' to 'running'

[root@serverb tmp]# systemctl status mariadb
mariadb.service - MariaDB database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled)
Active: active (running) since Tue 2016-08-16 18:55:21 EDT; 17s ago
Main PID: 2721 (mysqld_safe)
CGroup: /system.slice/mariadb.service
├─2721 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
└─2878 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mys...

Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: The lates...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: You can f...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: http://de...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Support M...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Corporati...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Alternati...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: http://ma...
Aug 16 18:55:19 serverb.example.com mysqld_safe[2721]: 160816 18:55:19 mysq...
Aug 16 18:55:19 serverb.example.com mysqld_safe[2721]: 160816 18:55:19 mysq...
Aug 16 18:55:21 serverb.example.com systemd[1]: Started MariaDB database se...
Hint: Some lines were ellipsized, use -l to show in full.
These are the attributes used most often; the list is not complete, and https://docs.puppet.com/ has the full reference.

5. Metaparameters (relationship attributes)

Resources almost always depend on one another: the configuration file of httpd can only be managed once the httpd package is installed, and a changed configuration file has to be reloaded by the service. These dependencies are expressed with metaparameters, attributes every type accepts, which tie resources together in one of four ways.

1) notify

When the current resource changes it sends a refresh to the named resource (a service is restarted, for example); it is also applied before that resource.

2) subscribe

The reverse of notify: the current resource is refreshed when the named resource changes, and is applied after it.

3) require

The named resource is applied, successfully, before the current one.

4) before

The reverse of require: the current resource is applied before the named one.

Example:

[root@servera etc]# cat /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
  file { '/etc/dhcp/dhcpd.conf':
    require => Package['dhcp'],
    ensure  => present,
    source  => 'puppet://servera.example.com/modules/myfile/etc/dhcpd.conf',
    notify  => Service['dhcpd'],
  }
  package { 'dhcp':
    ensure => present,
  }
  service { 'dhcpd':
    ensure => running,
    enable => true,
  }
}
Here the package is installed first, the configuration file is put in place, and the service is restarted whenever the file changes. On EL7 the dhcp package reads /etc/dhcp/dhcpd.conf, so that is the path to manage.
課后練習實驗要求:

使用以上學習內容完成以下操作:

1.以servera作為master端,server[b-e]作為agent端,配置好相應的授權。

2.在server[b-e]服務器上使用httpd搭建虛擬主機,站點名稱為www.abc.com,網站根目錄為/var/www/html/abc.com,要求每次配置文件修改完之后服務重啟。

9.puppet的變量、模板、函數

1)變量的定義及調用####

變量的定義通過$variable_name = value的方式完成。

下述例子我們申明了一個局部變量叫做content:

[root@servera manifests]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
  $content = "some content\n"
  file { '/tmp/test':
    ensure  => present,
    content => $content,
  }
}
A variable can also be declared in a node definition in the global entry file (site.pp, or the nodes.pp it imports), where the classes that node includes can read it:

[root@servera manifests]# vim /etc/puppet/manifests/nodes.pp
node /server[b-c]\.pod0\.example\.com/ {
  $content = "abc\n"
  include 'myfile'
}
2) Using Facter variables

Facter variables (facts) carry the per-node information that differs from one agent to the next, such as hostname and IP address; the master collects them from the agent at the start of every run. Facts are reported by the agent itself, so a compromised agent can set them to anything: treat them as untrusted input and never base an authorisation decision on the master on them.

A fact is referenced as ${::fact_name}; the leading :: forces the lookup to top scope so that a local variable of the same name cannot shadow it.

class myfile {
  file { '/tmp/test':
    ensure  => present,
    content => "${::hostname}",
  }
}
3) Creating and using templates

Templates are ERB files, usually with an .erb extension, kept in the templates directory of the module.

1) Create the template

[root@servera myfile]# pwd
/etc/puppet/modules/myfile
[root@servera myfile]# mkdir templates
[root@servera myfile]# cd templates
[root@servera templates]# vim testfile.erb
my ip address <%= @content %>
Inside a template a variable is referenced as <%= @variable %>; the bare form <%= content %> still works in Puppet 3 but is deprecated.

2) Use the template

[root@servera manifests]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
  file { '/tmp/testfile':
    ensure  => present,
    content => template('myfile/testfile.erb'),   # render the template
  }
}
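What template() does is evaluate the ERB file with a Ruby binding in which the manifest's variables are instance variables. The following is an added example, not code from the original post or from Puppet, that reproduces the mechanism in plain Ruby so it can be tried outside Puppet. It renders an httpd virtual host of the kind the exercise in section 8 asks for; the template layout, the variable names (@servername, @docroot, @aliases) and the sample values are assumptions. It also adds the check a practitioner wants here: facts and other agent-supplied values are untrusted input, and a value containing a newline would inject an extra directive into a root-owned config file, so the scope refuses such values instead of rendering them.

```ruby
require 'erb'

# Stand-in for the scope Puppet hands to template(): every manifest variable
# becomes an instance variable on the object the template is evaluated
# against, which is why Puppet 3 templates read variables as @name.
# (Added example; the class and template below are not part of Puppet.)
class TemplateScope
  def initialize(vars)
    vars.each do |name, value|
      instance_variable_set("@#{name}", safe_value!(name, value))
    end
  end

  # Facts and node data come from the agent. A value with an embedded newline
  # or other control character could smuggle a directive into the rendered
  # config, so refuse it rather than render it.
  def safe_value!(name, value)
    Array(value).each do |v|
      if v.to_s.match?(/[[:cntrl:]]/)
        raise ArgumentError, "#{name} contains a control character"
      end
    end
    value
  end

  def render(template)
    # trim_mode '-' makes '<%-' drop the indentation before the tag and
    # '-%>' drop the newline after it, so loops leave no blank lines behind.
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

# Assumed vhost template; in Puppet it would live in
# modules/myhttpd/templates/vhost.erb and be used as template('myhttpd/vhost.erb').
VHOST_TEMPLATE = <<~'ERB'
  <VirtualHost *:80>
    ServerName <%= @servername %>
    DocumentRoot <%= @docroot %>
  <%- @aliases.each do |a| -%>
    ServerAlias <%= a %>
  <%- end -%>
  </VirtualHost>
ERB

# Renders the vhost for one node; vars plays the role of the manifest scope.
def render_vhost(vars)
  TemplateScope.new(vars).render(VHOST_TEMPLATE)
end

if __FILE__ == $PROGRAM_NAME
  puts render_vhost(servername: 'www.abc.com',
                    docroot: '/var/www/html/abc.com',
                    aliases: ['abc.com'])
end
```

In a real module the validation would be done in the manifest (for instance with the validate_re function from stdlib) before the value reaches the template, but the point is the same: a template interpolates whatever it is given, so the data must be checked before it is rendered into a file that a privileged daemon reads.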
4) Defining and using defined types

A defined type, often loosely called a function, bundles a group of resources under a name and a parameter list, so the same set of resources can be declared repeatedly with different arguments.

1) Definition

It is defined as follows:

[root@servera manifests]# pwd
/etc/puppet/modules/myfile/manifests
[root@servera manifests]# vim init.pp
class myfile {
  define create_file($myfile, $mycontent) {
    file { $myfile:
      ensure  => present,
      content => $mycontent,
    }
  }
}
The idiomatic place for a defined type is its own file, modules/myfile/manifests/create_file.pp, which Puppet autoloads under the name myfile::create_file; nesting it inside the class as above works but is not the recommended layout.

2) Use

It is declared like a resource, under its module-qualified name:

[root@servera manifests]# cd /etc/puppet/manifests/
[root@servera manifests]# ls
nodes.pp site.pp
[root@servera manifests]# vim nodes.pp
node /server[b-c]\.pod0\.example\.com/ {
  $content = "abc\n"
  include 'myhttpd','myssh','myfile'
  myfile::create_file { 'xxxxxx':      # declaring the defined type
    myfile    => '/tmp/qwer',
    mycontent => "qwer\n",
  }
}
Exercises:

Reprinted from: https://blog.51cto.com/13602747/2107648
