
Automated operations tool: puppet

puppet

  • puppet
      • 1. What is puppet
      • 2. How puppet works
      • 3. Installing puppet
      • 4. Master/agent (M/A) authorization in puppet
      • 5. Automatic certificate signing in puppet
      • 6. puppet's synchronisation mechanism
      • 7. puppet's listening port
      • 8. Basic puppet configuration
        • 1) Creating the global entry file site.pp
        • 2) Creating modules and writing common resource definitions
      • 9. puppet variables, templates and functions
        • 1) Defining and referencing variables
        • 2) Referencing facter variables
        • 3) Defining and using templates
        • 4) Defining and calling functions

1. What is puppet

Many companies run into the same problem: after a new application has been developed, the operations staff spend a great deal of time getting it deployed in the test environment, and moving it to production still means changing the configuration line by line. Only after days and nights of overtime can they just about guarantee that the new application runs correctly in production. Meanwhile, the company's management is furious: "I have poured a large amount of money into this; why does deploying one new application still take this long?"

Luke Kanies, the creator of puppet, suffered through exactly this kind of environment. He began to think about how system administrators could get their work done more efficiently, and the result was the piece of software named puppet.

Before developing puppet, Luke Kanies had written almost all of his programs in Perl, but when he tried to write the program he had in mind in Perl he found it could not be done. He then tried Python and other languages, and none of them let him build the functionality he wanted. Later, by chance, a friend mentioned Ruby and described it as a very powerful language, so Luke Kanies tried Ruby and built puppet on top of it.

If a company wants to reduce the cost of maintaining many servers, puppet is one of the best tools available, chiefly because it is open source and its feature set is very complete. puppet also takes in good suggestions and accepts code contributed by others, so its flexibility and practicality keep improving.

2. How puppet works

In most scenarios puppet uses a client/server (C/S) model, also called the M/A model: M for master (the server side) and A for agent (the client side). Once the relevant parameters are configured on the master, each agent adjusts its own environment according to the configuration the master holds for it.

Let us look in detail at how puppet works:


1) The agent and the master establish a connection. During this step the master must authorize the agent; once authorization is complete, subsequent requests travel over SSL-encrypted transport.

2) The master uses the agent's facter tool to collect parameters and variables describing the agent host.

3) Having obtained the agent's host information, the master passes it to its local manifests and looks up the matching configuration.

4) Based on the configuration that the agent's node definition requires, the master parses and compiles a catalog (the catalog can also be thought of as pseudocode).

5) After receiving the catalog, the agent adjusts its current environment according to the master's configuration, for example by installing packages.

6) If file transfers are involved, the agent sends file transfer requests to the master to fetch the files it needs.

7) The agent reports its current state.

8) Done.

3. Installing puppet

The lab environment used here contains two machines: servera.example.com acts as the master and serverb.example.com acts as the agent. The puppet version installed is 3.6.2; as a rule, the master and the agent should run the same software version. If the M/A versions cannot be kept identical, keep the following in mind:

  • It can only be expected to work if the master version is higher than the agent version.
  • The larger the gap between the master and agent versions, the less likely it is to work correctly; a 0.2 agent paired with a 3.2 master is essentially guaranteed not to work.
  • Mixing versions usually means you cannot get the full functionality.
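Both the version rule above and the signature status of the downloaded RPMs can be checked before the yum localinstall that follows. The script below is an added example, not code from the original post or from the Puppet project. It assumes rpm(8) is available and that the RPM files are the ones listed in the next step; the function names are mine, and the sample `rpm -K` lines are constructed to show the three verdicts rpm returns on el7, not output captured from the lab hosts.

```shell
#!/bin/sh
# Added example (not from the original post): pre-install checks for the
# local-RPM install. (1) the page's rule that the agent version must not be
# newer than the master's, compared field by field on dotted versions;
# (2) every local RPM must carry a PGP signature that verifies, judged from
# the output of `rpm -K`.

# Constructed sample `rpm -K` lines (not captured from servera/serverb).
SAMPLE_SIGNED_OK='puppet-3.6.2-3.el7.noarch.rpm: rsa sha1 (md5) pgp md5 OK'
SAMPLE_UNSIGNED='hiera-1.3.4-1.el7.noarch.rpm: sha1 md5 OK'
SAMPLE_KEY_MISSING='facter-2.4.1-1.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: GPG#<keyid>)'

# Upstream version out of a puppet RPM file name:
# puppet-3.6.2-3.el7.noarch.rpm -> 3.6.2 (puppet-server-* is ignored).
puppet_rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^puppet-\([0-9][0-9.]*\)-[0-9].*/\1/p'
}

# 0 when $2 (agent) is not newer than $1 (master). Fields past the end of
# a version count as 0, so 3.6 equals 3.6.0.
agent_not_newer_than_master() {
    i=1
    while [ "$i" -le 4 ]; do
        m=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        a=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        [ "$a" -gt "$m" ] && return 1
        [ "$a" -lt "$m" ] && return 0
        i=$((i + 1))
    done
    return 0
}

# Classify one line of `rpm -K` output. Accept only a package whose
# signature was actually checked and passed ("pgp" present, verdict "OK").
# A digest-only line (unsigned package) or any "NOT OK" verdict, including
# "NOT OK (MISSING KEYS: ...)" when the signing key is not imported, fails.
rpm_sig_line_ok() {
    case "$1" in
        *"NOT OK"*)          return 1 ;;
        *[pP][gG][pP]*" OK") return 0 ;;
        *)                   return 1 ;;
    esac
}

# Run rpm -K over the given files; succeed only if every line passes.
verify_rpm_signatures() {
    rc=0
    for f in "$@"; do
        line=$(rpm -K "$f" 2>&1)
        if rpm_sig_line_ok "$line"; then
            echo "ok:     $line"
        else
            echo "REJECT: $line" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the master, before "yum -y localinstall *.rpm":
#   verify_rpm_signatures ./*.rpm || exit 1
#   master_ver=$(puppet_rpm_version puppet-3.6.2-3.el7.noarch.rpm)
#   agent_not_newer_than_master "$master_ver" "$(ssh serverb puppet --version)" \
#       || echo "agent would be newer than master; do not mix these versions"
```

The signature check is deliberately strict: a package that only passes its digest checks is not a signed package, and a missing signing key is reported as NOT OK by rpm, so both cases are rejected rather than treated as "probably fine".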

Here I have already downloaded the required software: the packages needed by the master and the agent, plus the packages that provide the Ruby environment, as shown below:

```shell
[root@servera puppet]# ls
facter-2.4.1-1.el7.x86_64.rpm            puppet-server-3.6.2-3.el7.noarch.rpm
hiera-1.3.4-1.el7.noarch.rpm             ruby-augeas-0.5.0-1.el7.x86_64.rpm
puppet-3.6.2-3.el7.noarch.rpm            rubygem-rgen-0.6.6-2.el7.noarch.rpm
puppet-firewalld-0.1.3-1.el7.noarch.rpm  ruby-shadow-1.4.1-23.el7.x86_64.rpm
```

Now we can install the software, starting with the master:

```shell
[root@servera puppet]# ls
facter-2.4.1-1.el7.x86_64.rpm
hiera-1.3.4-1.el7.noarch.rpm
puppet-3.6.2-3.el7.noarch.rpm
puppet-firewalld-0.1.3-1.el7.noarch.rpm
puppet-server-3.6.2-3.el7.noarch.rpm
ruby-augeas-0.5.0-1.el7.x86_64.rpm
rubygem-rgen-0.6.6-2.el7.noarch.rpm
ruby-shadow-1.4.1-23.el7.x86_64.rpm
[root@servera puppet]# yum -y localinstall *.rpm
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Examining facter-2.4.1-1.el7.x86_64.rpm: facter-2.4.1-1.el7.x86_64
Marking facter-2.4.1-1.el7.x86_64.rpm to be installed
Examining hiera-1.3.4-1.el7.noarch.rpm: hiera-1.3.4-1.el7.noarch
Marking hiera-1.3.4-1.el7.noarch.rpm to be installed
Examining puppet-3.6.2-3.el7.noarch.rpm: puppet-3.6.2-3.el7.noarch
Marking puppet-3.6.2-3.el7.noarch.rpm to be installed
Examining puppet-firewalld-0.1.3-1.el7.noarch.rpm: puppet-firewalld-0.1.3-1.el7.noarch
Marking puppet-firewalld-0.1.3-1.el7.noarch.rpm to be installed
Examining puppet-server-3.6.2-3.el7.noarch.rpm: puppet-server-3.6.2-3.el7.noarch
Marking puppet-server-3.6.2-3.el7.noarch.rpm to be installed
Examining ruby-augeas-0.5.0-1.el7.x86_64.rpm: ruby-augeas-0.5.0-1.el7.x86_64
Marking ruby-augeas-0.5.0-1.el7.x86_64.rpm to be installed
Examining rubygem-rgen-0.6.6-2.el7.noarch.rpm: rubygem-rgen-0.6.6-2.el7.noarch
Marking rubygem-rgen-0.6.6-2.el7.noarch.rpm to be installed
Examining ruby-shadow-1.4.1-23.el7.x86_64.rpm: ruby-shadow-1.4.1-23.el7.x86_64
Marking ruby-shadow-1.4.1-23.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package facter.x86_64 0:2.4.1-1.el7 will be installed
--> Processing Dependency: /usr/bin/ruby for package: facter-2.4.1-1.el7.x86_64
test                                                     | 2.9 kB  00:00
--> Processing Dependency: pciutils for package: facter-2.4.1-1.el7.x86_64
---> Package hiera.noarch 0:1.3.4-1.el7 will be installed
--> Processing Dependency: ruby(release) for package: hiera-1.3.4-1.el7.noarch
---> Package puppet.noarch 0:3.6.2-3.el7 will be installed
--> Processing Dependency: ruby(selinux) for package: puppet-3.6.2-3.el7.noarch
---> Package puppet-firewalld.noarch 0:0.1.3-1.el7 will be installed
---> Package puppet-server.noarch 0:3.6.2-3.el7 will be installed
---> Package ruby-augeas.x86_64 0:0.5.0-1.el7 will be installed
--> Processing Dependency: augeas-libs >= 1.0.0 for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.1.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.10.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.11.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.12.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.14.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.16.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.8.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0()(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
---> Package ruby-shadow.x86_64 0:1.4.1-23.el7 will be installed
---> Package rubygem-rgen.noarch 0:0.6.6-2.el7 will be installed
--> Processing Dependency: ruby(rubygems) for package: rubygem-rgen-0.6.6-2.el7.noarch
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.1.0-17.el7 will be installed
---> Package libselinux-ruby.x86_64 0:2.2.2-6.el7 will be installed
---> Package pciutils.x86_64 0:3.2.1-4.el7 will be installed
---> Package ruby.x86_64 0:2.0.0.598-24.el7 will be installed
--> Processing Dependency: rubygem(bigdecimal) >= 1.2.0 for package: ruby-2.0.0.598-24.el7.x86_64
---> Package ruby-libs.x86_64 0:2.0.0.598-24.el7 will be installed
---> Package rubygems.noarch 0:2.0.14-24.el7 will be installed
--> Processing Dependency: rubygem(rdoc) >= 4.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(psych) >= 2.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(io-console) >= 0.4.2 for package: rubygems-2.0.14-24.el7.noarch
--> Running transaction check
---> Package rubygem-bigdecimal.x86_64 0:1.2.0-24.el7 will be installed
---> Package rubygem-io-console.x86_64 0:0.4.2-24.el7 will be installed
---> Package rubygem-psych.x86_64 0:2.0.0-24.el7 will be installed
--> Processing Dependency: libyaml-0.so.2()(64bit) for package: rubygem-psych-2.0.0-24.el7.x86_64
---> Package rubygem-rdoc.noarch 0:4.0.0-24.el7 will be installed
--> Processing Dependency: ruby(irb) = 2.0.0.598 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Processing Dependency: rubygem(json) >= 1.7.7 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Running transaction check
---> Package libyaml.x86_64 0:0.1.4-11.el7_0 will be installed
---> Package ruby-irb.noarch 0:2.0.0.598-24.el7 will be installed
---> Package rubygem-json.x86_64 0:1.7.7-24.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================
 Package             Arch     Version            Repository                            Size
Installing:
 facter              x86_64   2.4.1-1.el7        /facter-2.4.1-1.el7.x86_64           271 k
 hiera               noarch   1.3.4-1.el7        /hiera-1.3.4-1.el7.noarch             54 k
 puppet              noarch   3.6.2-3.el7        /puppet-3.6.2-3.el7.noarch           4.2 M
 puppet-firewalld    noarch   0.1.3-1.el7        /puppet-firewalld-0.1.3-1.el7.noarch  46 k
 puppet-server       noarch   3.6.2-3.el7        /puppet-server-3.6.2-3.el7.noarch    5.6 k
 ruby-augeas         x86_64   0.5.0-1.el7        /ruby-augeas-0.5.0-1.el7.x86_64       52 k
 ruby-shadow         x86_64   1.4.1-23.el7       /ruby-shadow-1.4.1-23.el7.x86_64      21 k
 rubygem-rgen        noarch   0.6.6-2.el7        /rubygem-rgen-0.6.6-2.el7.noarch     307 k
Installing for dependencies:
 augeas-libs         x86_64   1.1.0-17.el7       test                                 332 k
 libselinux-ruby     x86_64   2.2.2-6.el7        test                                 127 k
 libyaml             x86_64   0.1.4-11.el7_0     test                                  55 k
 pciutils            x86_64   3.2.1-4.el7        test                                  90 k
 ruby                x86_64   2.0.0.598-24.el7   test                                  67 k
 ruby-irb            noarch   2.0.0.598-24.el7   test                                  88 k
 ruby-libs           x86_64   2.0.0.598-24.el7   test                                 2.8 M
 rubygem-bigdecimal  x86_64   1.2.0-24.el7       test                                  79 k
 rubygem-io-console  x86_64   0.4.2-24.el7       test                                  50 k
 rubygem-json        x86_64   1.7.7-24.el7       test                                  75 k
 rubygem-psych       x86_64   2.0.0-24.el7       test                                  77 k
 rubygem-rdoc        noarch   4.0.0-24.el7       test                                 318 k
 rubygems            noarch   2.0.14-24.el7      test                                 212 k

Transaction Summary
Install  8 Packages (+13 Dependent packages)

Total size: 9.3 M
Total download size: 4.3 M
Installed size: 19 M
Downloading packages:
(1/13): augeas-libs-1.1.0-17.el7.x86_64.rpm              | 332 kB  00:00
(2/13): libselinux-ruby-2.2.2-6.el7.x86_64.rpm           | 127 kB  00:00
(3/13): libyaml-0.1.4-11.el7_0.x86_64.rpm                |  55 kB  00:00
(4/13): pciutils-3.2.1-4.el7.x86_64.rpm                  |  90 kB  00:00
(5/13): ruby-2.0.0.598-24.el7.x86_64.rpm                 |  67 kB  00:00
(6/13): ruby-irb-2.0.0.598-24.el7.noarch.rpm             |  88 kB  00:00
(7/13): ruby-libs-2.0.0.598-24.el7.x86_64.rpm            | 2.8 MB  00:00
(8/13): rubygem-bigdecimal-1.2.0-24.el7.x86_64.rpm       |  79 kB  00:00
(9/13): rubygem-io-console-0.4.2-24.el7.x86_64.rpm       |  50 kB  00:00
(10/13): rubygem-json-1.7.7-24.el7.x86_64.rpm            |  75 kB  00:00
(11/13): rubygem-psych-2.0.0-24.el7.x86_64.rpm           |  77 kB  00:00
(12/13): rubygem-rdoc-4.0.0-24.el7.noarch.rpm            | 318 kB  00:00
(13/13): rubygems-2.0.14-24.el7.noarch.rpm               | 212 kB  00:00
Total                                           6.6 MB/s | 4.3 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ruby-libs-2.0.0.598-24.el7.x86_64              1/21
  Installing : hiera-1.3.4-1.el7.noarch                       2/21
  Installing : ruby-shadow-1.4.1-23.el7.x86_64                3/21
  Installing : augeas-libs-1.1.0-17.el7.x86_64                4/21
  Installing : ruby-augeas-0.5.0-1.el7.x86_64                 5/21
  Installing : libyaml-0.1.4-11.el7_0.x86_64                  6/21
  Installing : rubygem-bigdecimal-1.2.0-24.el7.x86_64         7/21
  Installing : rubygem-json-1.7.7-24.el7.x86_64               8/21
  Installing : rubygem-psych-2.0.0-24.el7.x86_64              9/21
  Installing : rubygem-rdoc-4.0.0-24.el7.noarch              10/21
  Installing : ruby-irb-2.0.0.598-24.el7.noarch              11/21
  Installing : ruby-2.0.0.598-24.el7.x86_64                  12/21
  Installing : rubygems-2.0.14-24.el7.noarch                 13/21
  Installing : rubygem-io-console-0.4.2-24.el7.x86_64        14/21
  Installing : rubygem-rgen-0.6.6-2.el7.noarch               15/21
  Installing : pciutils-3.2.1-4.el7.x86_64                   16/21
  Installing : facter-2.4.1-1.el7.x86_64                     17/21
  Installing : libselinux-ruby-2.2.2-6.el7.x86_64            18/21
  Installing : puppet-3.6.2-3.el7.noarch                     19/21
  Installing : puppet-server-3.6.2-3.el7.noarch              20/21
  Installing : puppet-firewalld-0.1.3-1.el7.noarch           21/21
  Verifying  : ruby-augeas-0.5.0-1.el7.x86_64                 1/21
  Verifying  : libselinux-ruby-2.2.2-6.el7.x86_64             2/21
  Verifying  : puppet-server-3.6.2-3.el7.noarch               3/21
  Verifying  : rubygem-io-console-0.4.2-24.el7.x86_64         4/21
  Verifying  : pciutils-3.2.1-4.el7.x86_64                    5/21
  Verifying  : libyaml-0.1.4-11.el7_0.x86_64                  6/21
  Verifying  : rubygem-bigdecimal-1.2.0-24.el7.x86_64         7/21
  Verifying  : facter-2.4.1-1.el7.x86_64                      8/21
  Verifying  : rubygem-rdoc-4.0.0-24.el7.noarch               9/21
  Verifying  : hiera-1.3.4-1.el7.noarch                      10/21
  Verifying  : puppet-3.6.2-3.el7.noarch                     11/21
  Verifying  : rubygem-json-1.7.7-24.el7.x86_64              12/21
  Verifying  : ruby-libs-2.0.0.598-24.el7.x86_64             13/21
  Verifying  : rubygems-2.0.14-24.el7.noarch                 14/21
  Verifying  : ruby-shadow-1.4.1-23.el7.x86_64               15/21
  Verifying  : augeas-libs-1.1.0-17.el7.x86_64               16/21
  Verifying  : ruby-irb-2.0.0.598-24.el7.noarch              17/21
  Verifying  : puppet-firewalld-0.1.3-1.el7.noarch           18/21
  Verifying  : rubygem-psych-2.0.0-24.el7.x86_64             19/21
  Verifying  : ruby-2.0.0.598-24.el7.x86_64                  20/21
  Verifying  : rubygem-rgen-0.6.6-2.el7.noarch               21/21

Installed:
  facter.x86_64 0:2.4.1-1.el7              hiera.noarch 0:1.3.4-1.el7
  puppet.noarch 0:3.6.2-3.el7              puppet-firewalld.noarch 0:0.1.3-1.el7
  puppet-server.noarch 0:3.6.2-3.el7       ruby-augeas.x86_64 0:0.5.0-1.el7
  ruby-shadow.x86_64 0:1.4.1-23.el7        rubygem-rgen.noarch 0:0.6.6-2.el7

Dependency Installed:
  augeas-libs.x86_64 0:1.1.0-17.el7
  libselinux-ruby.x86_64 0:2.2.2-6.el7
  libyaml.x86_64 0:0.1.4-11.el7_0
  pciutils.x86_64 0:3.2.1-4.el7
  ruby.x86_64 0:2.0.0.598-24.el7
  ruby-irb.noarch 0:2.0.0.598-24.el7
  ruby-libs.x86_64 0:2.0.0.598-24.el7
  rubygem-bigdecimal.x86_64 0:1.2.0-24.el7
  rubygem-io-console.x86_64 0:0.4.2-24.el7
  rubygem-json.x86_64 0:1.7.7-24.el7
  rubygem-psych.x86_64 0:2.0.0-24.el7
  rubygem-rdoc.noarch 0:4.0.0-24.el7
  rubygems.noarch 0:2.0.14-24.el7

Complete!
```

Then the agent (puppet-server is not needed there):

```shell
[root@serverb puppet]# ls
facter-2.4.1-1.el7.x86_64.rpm
hiera-1.3.4-1.el7.noarch.rpm
puppet-3.6.2-3.el7.noarch.rpm
puppet-firewalld-0.1.3-1.el7.noarch.rpm
puppet-server-3.6.2-3.el7.noarch.rpm
ruby-augeas-0.5.0-1.el7.x86_64.rpm
rubygem-rgen-0.6.6-2.el7.noarch.rpm
ruby-shadow-1.4.1-23.el7.x86_64.rpm
[root@serverb puppet]# yum -y localinstall facter-2.4.1-1.el7.x86_64.rpm hiera-1.3.4-1.el7.noarch.rpm puppet-3.6.2-3.el7.noarch.rpm puppet-firewalld-0.1.3-1.el7.noarch.rpm ruby-augeas-0.5.0-1.el7.x86_64.rpm rubygem-rgen-0.6.6-2.el7.noarch.rpm ruby-shadow-1.4.1-23.el7.x86_64.rpm
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Examining facter-2.4.1-1.el7.x86_64.rpm: facter-2.4.1-1.el7.x86_64
Marking facter-2.4.1-1.el7.x86_64.rpm to be installed
Examining hiera-1.3.4-1.el7.noarch.rpm: hiera-1.3.4-1.el7.noarch
Marking hiera-1.3.4-1.el7.noarch.rpm to be installed
Examining puppet-3.6.2-3.el7.noarch.rpm: puppet-3.6.2-3.el7.noarch
Marking puppet-3.6.2-3.el7.noarch.rpm to be installed
Examining puppet-firewalld-0.1.3-1.el7.noarch.rpm: puppet-firewalld-0.1.3-1.el7.noarch
Marking puppet-firewalld-0.1.3-1.el7.noarch.rpm to be installed
Examining ruby-augeas-0.5.0-1.el7.x86_64.rpm: ruby-augeas-0.5.0-1.el7.x86_64
Marking ruby-augeas-0.5.0-1.el7.x86_64.rpm to be installed
Examining rubygem-rgen-0.6.6-2.el7.noarch.rpm: rubygem-rgen-0.6.6-2.el7.noarch
Marking rubygem-rgen-0.6.6-2.el7.noarch.rpm to be installed
Examining ruby-shadow-1.4.1-23.el7.x86_64.rpm: ruby-shadow-1.4.1-23.el7.x86_64
Marking ruby-shadow-1.4.1-23.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package facter.x86_64 0:2.4.1-1.el7 will be installed
--> Processing Dependency: /usr/bin/ruby for package: facter-2.4.1-1.el7.x86_64
test                                                     | 2.9 kB  00:00
--> Processing Dependency: pciutils for package: facter-2.4.1-1.el7.x86_64
---> Package hiera.noarch 0:1.3.4-1.el7 will be installed
--> Processing Dependency: ruby(release) for package: hiera-1.3.4-1.el7.noarch
---> Package puppet.noarch 0:3.6.2-3.el7 will be installed
--> Processing Dependency: ruby(selinux) for package: puppet-3.6.2-3.el7.noarch
---> Package puppet-firewalld.noarch 0:0.1.3-1.el7 will be installed
---> Package ruby-augeas.x86_64 0:0.5.0-1.el7 will be installed
--> Processing Dependency: augeas-libs >= 1.0.0 for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.1.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.10.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.11.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.12.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.14.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.16.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0(AUGEAS_0.8.0)(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
--> Processing Dependency: libaugeas.so.0()(64bit) for package: ruby-augeas-0.5.0-1.el7.x86_64
---> Package ruby-shadow.x86_64 0:1.4.1-23.el7 will be installed
---> Package rubygem-rgen.noarch 0:0.6.6-2.el7 will be installed
--> Processing Dependency: ruby(rubygems) for package: rubygem-rgen-0.6.6-2.el7.noarch
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.1.0-17.el7 will be installed
---> Package libselinux-ruby.x86_64 0:2.2.2-6.el7 will be installed
---> Package pciutils.x86_64 0:3.2.1-4.el7 will be installed
---> Package ruby.x86_64 0:2.0.0.598-24.el7 will be installed
--> Processing Dependency: rubygem(bigdecimal) >= 1.2.0 for package: ruby-2.0.0.598-24.el7.x86_64
---> Package ruby-libs.x86_64 0:2.0.0.598-24.el7 will be installed
---> Package rubygems.noarch 0:2.0.14-24.el7 will be installed
--> Processing Dependency: rubygem(rdoc) >= 4.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(psych) >= 2.0.0 for package: rubygems-2.0.14-24.el7.noarch
--> Processing Dependency: rubygem(io-console) >= 0.4.2 for package: rubygems-2.0.14-24.el7.noarch
--> Running transaction check
---> Package rubygem-bigdecimal.x86_64 0:1.2.0-24.el7 will be installed
---> Package rubygem-io-console.x86_64 0:0.4.2-24.el7 will be installed
---> Package rubygem-psych.x86_64 0:2.0.0-24.el7 will be installed
--> Processing Dependency: libyaml-0.so.2()(64bit) for package: rubygem-psych-2.0.0-24.el7.x86_64
---> Package rubygem-rdoc.noarch 0:4.0.0-24.el7 will be installed
--> Processing Dependency: ruby(irb) = 2.0.0.598 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Processing Dependency: rubygem(json) >= 1.7.7 for package: rubygem-rdoc-4.0.0-24.el7.noarch
--> Running transaction check
---> Package libyaml.x86_64 0:0.1.4-11.el7_0 will be installed
---> Package ruby-irb.noarch 0:2.0.0.598-24.el7 will be installed
---> Package rubygem-json.x86_64 0:1.7.7-24.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================
 Package             Arch     Version            Repository                            Size
Installing:
 facter              x86_64   2.4.1-1.el7        /facter-2.4.1-1.el7.x86_64           271 k
 hiera               noarch   1.3.4-1.el7        /hiera-1.3.4-1.el7.noarch             54 k
 puppet              noarch   3.6.2-3.el7        /puppet-3.6.2-3.el7.noarch           4.2 M
 puppet-firewalld    noarch   0.1.3-1.el7        /puppet-firewalld-0.1.3-1.el7.noarch  46 k
 ruby-augeas         x86_64   0.5.0-1.el7        /ruby-augeas-0.5.0-1.el7.x86_64       52 k
 ruby-shadow         x86_64   1.4.1-23.el7       /ruby-shadow-1.4.1-23.el7.x86_64      21 k
 rubygem-rgen        noarch   0.6.6-2.el7        /rubygem-rgen-0.6.6-2.el7.noarch     307 k
Installing for dependencies:
 augeas-libs         x86_64   1.1.0-17.el7       test                                 332 k
 libselinux-ruby     x86_64   2.2.2-6.el7        test                                 127 k
 libyaml             x86_64   0.1.4-11.el7_0     test                                  55 k
 pciutils            x86_64   3.2.1-4.el7        test                                  90 k
 ruby                x86_64   2.0.0.598-24.el7   test                                  67 k
 ruby-irb            noarch   2.0.0.598-24.el7   test                                  88 k
 ruby-libs           x86_64   2.0.0.598-24.el7   test                                 2.8 M
 rubygem-bigdecimal  x86_64   1.2.0-24.el7       test                                  79 k
 rubygem-io-console  x86_64   0.4.2-24.el7       test                                  50 k
 rubygem-json        x86_64   1.7.7-24.el7       test                                  75 k
 rubygem-psych       x86_64   2.0.0-24.el7       test                                  77 k
 rubygem-rdoc        noarch   4.0.0-24.el7       test                                 318 k
 rubygems            noarch   2.0.14-24.el7      test                                 212 k

Transaction Summary
Install  7 Packages (+13 Dependent packages)

Total size: 9.3 M
Total download size: 4.3 M
Installed size: 19 M
Downloading packages:
(1/13): augeas-libs-1.1.0-17.el7.x86_64.rpm              | 332 kB  00:00
(2/13): libselinux-ruby-2.2.2-6.el7.x86_64.rpm           | 127 kB  00:00
(3/13): libyaml-0.1.4-11.el7_0.x86_64.rpm                |  55 kB  00:00
(4/13): pciutils-3.2.1-4.el7.x86_64.rpm                  |  90 kB  00:00
(5/13): ruby-2.0.0.598-24.el7.x86_64.rpm                 |  67 kB  00:00
(6/13): ruby-libs-2.0.0.598-24.el7.x86_64.rpm            | 2.8 MB  00:00
(7/13): rubygem-bigdecimal-1.2.0-24.el7.x86_64.rpm       |  79 kB  00:00
(8/13): rubygem-io-console-0.4.2-24.el7.x86_64.rpm       |  50 kB  00:00
(9/13): rubygem-json-1.7.7-24.el7.x86_64.rpm             |  75 kB  00:00
(10/13): rubygem-psych-2.0.0-24.el7.x86_64.rpm           |  77 kB  00:00
(11/13): rubygem-rdoc-4.0.0-24.el7.noarch.rpm            | 318 kB  00:00
(12/13): rubygems-2.0.14-24.el7.noarch.rpm               | 212 kB  00:00
(13/13): ruby-irb-2.0.0.598-24.el7.noarch.rpm            |  88 kB  00:00
Total                                           9.6 MB/s | 4.3 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ruby-libs-2.0.0.598-24.el7.x86_64              1/20
  Installing : hiera-1.3.4-1.el7.noarch                       2/20
  Installing : ruby-shadow-1.4.1-23.el7.x86_64                3/20
  Installing : augeas-libs-1.1.0-17.el7.x86_64                4/20
  Installing : ruby-augeas-0.5.0-1.el7.x86_64                 5/20
  Installing : libyaml-0.1.4-11.el7_0.x86_64                  6/20
  Installing : rubygem-bigdecimal-1.2.0-24.el7.x86_64         7/20
  Installing : rubygem-json-1.7.7-24.el7.x86_64               8/20
  Installing : rubygem-psych-2.0.0-24.el7.x86_64              9/20
  Installing : rubygem-rdoc-4.0.0-24.el7.noarch              10/20
  Installing : ruby-irb-2.0.0.598-24.el7.noarch              11/20
  Installing : ruby-2.0.0.598-24.el7.x86_64                  12/20
  Installing : rubygems-2.0.14-24.el7.noarch                 13/20
  Installing : rubygem-io-console-0.4.2-24.el7.x86_64        14/20
  Installing : rubygem-rgen-0.6.6-2.el7.noarch               15/20
  Installing : pciutils-3.2.1-4.el7.x86_64                   16/20
  Installing : facter-2.4.1-1.el7.x86_64                     17/20
  Installing : libselinux-ruby-2.2.2-6.el7.x86_64            18/20
  Installing : puppet-3.6.2-3.el7.noarch                     19/20
  Installing : puppet-firewalld-0.1.3-1.el7.noarch           20/20
  Verifying  : ruby-augeas-0.5.0-1.el7.x86_64                 1/20
  Verifying  : libselinux-ruby-2.2.2-6.el7.x86_64             2/20
  Verifying  : rubygem-io-console-0.4.2-24.el7.x86_64         3/20
  Verifying  : pciutils-3.2.1-4.el7.x86_64                    4/20
  Verifying  : libyaml-0.1.4-11.el7_0.x86_64                  5/20
  Verifying  : rubygem-bigdecimal-1.2.0-24.el7.x86_64         6/20
  Verifying  : facter-2.4.1-1.el7.x86_64                      7/20
  Verifying  : rubygem-rdoc-4.0.0-24.el7.noarch               8/20
  Verifying  : hiera-1.3.4-1.el7.noarch                       9/20
  Verifying  : puppet-3.6.2-3.el7.noarch                     10/20
  Verifying  : rubygem-json-1.7.7-24.el7.x86_64              11/20
  Verifying  : ruby-libs-2.0.0.598-24.el7.x86_64             12/20
  Verifying  : rubygems-2.0.14-24.el7.noarch                 13/20
  Verifying  : ruby-shadow-1.4.1-23.el7.x86_64               14/20
  Verifying  : augeas-libs-1.1.0-17.el7.x86_64               15/20
  Verifying  : ruby-irb-2.0.0.598-24.el7.noarch              16/20
  Verifying  : puppet-firewalld-0.1.3-1.el7.noarch           17/20
  Verifying  : rubygem-psych-2.0.0-24.el7.x86_64             18/20
  Verifying  : ruby-2.0.0.598-24.el7.x86_64                  19/20
  Verifying  : rubygem-rgen-0.6.6-2.el7.noarch               20/20

Installed:
  facter.x86_64 0:2.4.1-1.el7              hiera.noarch 0:1.3.4-1.el7
  puppet.noarch 0:3.6.2-3.el7              puppet-firewalld.noarch 0:0.1.3-1.el7
  ruby-augeas.x86_64 0:0.5.0-1.el7         ruby-shadow.x86_64 0:1.4.1-23.el7
  rubygem-rgen.noarch 0:0.6.6-2.el7

Dependency Installed:
  augeas-libs.x86_64 0:1.1.0-17.el7
  libselinux-ruby.x86_64 0:2.2.2-6.el7
  libyaml.x86_64 0:0.1.4-11.el7_0
  pciutils.x86_64 0:3.2.1-4.el7
  ruby.x86_64 0:2.0.0.598-24.el7
  ruby-irb.noarch 0:2.0.0.598-24.el7
  ruby-libs.x86_64 0:2.0.0.598-24.el7
  rubygem-bigdecimal.x86_64 0:1.2.0-24.el7
  rubygem-io-console.x86_64 0:0.4.2-24.el7
  rubygem-json.x86_64 0:1.7.7-24.el7
  rubygem-psych.x86_64 0:2.0.0-24.el7
  rubygem-rdoc.noarch 0:4.0.0-24.el7
  rubygems.noarch 0:2.0.14-24.el7

Complete!
```

With that, the installation is complete.

4. Master/agent (M/A) authorization in puppet

From the description of how puppet works, the first step in establishing a connection is authorization. So how is M/A authorization done? Master and agent share the same configuration file, /etc/puppet/puppet.conf, which defines the runtime environment and other parameters the master and the agent need. Before the process starts it audits the system environment against this file, and only starts once the audit passes.

  • Configuration on the master:

    Append to /etc/puppet/puppet.conf:

    [master]
    certname=<hostname of the master host>

```shell
[root@servera puppet]# hostname
servera.example.com
[root@servera puppet]# sed -i '$a[master]\ncertname=servera.pod0.example.com' /etc/puppet/puppet.conf
[root@servera puppet]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
[master]
certname=servera.pod0.example.com
```

  • Configuration on the agent:

    Add one line to the [main] section of /etc/puppet/puppet.conf:

    server = <hostname of the master>

```shell
[root@serverb puppet]# sed -i '/ssldir/aserver = servera.pod0.example.com' /etc/puppet/puppet.conf
[root@serverb puppet]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
server = servera.pod0.example.com

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
```

Note: throughout the puppet configuration hosts are located by hostname, so name resolution must be set up beforehand.
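The two puppet.conf edits above are made with sed, which places the new line wherever the match happens to be, so it is worth confirming that `server` really landed in [main] and `certname` in [master], and that both names resolve, before starting the services. The script below is an added example, not code from the original post or from the Puppet project: the section-aware awk reader and the check functions are mine, the resolution check uses getent(1), and the sample configuration written by `write_sample_conf` is constructed to mirror the agent file shown above rather than copied from serverb. One detail worth knowing when choosing the `server` value: the agent verifies the master's TLS certificate against that name, so it must be the master's certname (or one of its dns_alt_names), otherwise the connection is refused.

```shell
#!/bin/sh
# Added example (not from the original post): section-aware lookup of
# puppet.conf settings plus a name-resolution check, run before starting
# puppetmaster / puppet.

# Print the value of KEY inside [SECTION] of FILE (empty if absent).
# Settings are scoped to their section: a "server =" under [agent]
# must not be reported as the [main] value.
puppet_conf_get() {
    file=$1; section=$2; key=$3
    awk -v want="[$section]" -v key="$key" '
        /^[ \t]*#/ { next }                                   # comment line
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == want); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$file"
}

# True when NAME resolves through the system resolver (hosts file or DNS).
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Master side: [master] certname must be set and must resolve.
check_master_conf() {
    cn=$(puppet_conf_get "$1" master certname)
    [ -n "$cn" ] || { echo "no certname in [master]" >&2; return 1; }
    resolves "$cn" || { echo "certname $cn does not resolve" >&2; return 1; }
    echo "master certname: $cn"
}

# Agent side: [main] server must be set and must resolve (and, see above,
# must match a name in the master's certificate).
check_agent_conf() {
    srv=$(puppet_conf_get "$1" main server)
    [ -n "$srv" ] || { echo "no server in [main]" >&2; return 1; }
    resolves "$srv" || { echo "server $srv does not resolve" >&2; return 1; }
    echo "agent will contact master: $srv"
}

# Constructed sample (not the real file from serverb) for a dry run that
# does not touch /etc/puppet; note the decoy "server" under [agent].
write_sample_conf() {
    cat > "$1" <<'EOF'
[main]
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet
    ssldir = $vardir/ssl
server = servera.pod0.example.com

[agent]
    classfile = $vardir/classes.txt
    server = wrong.example.com

[master]
certname=servera.pod0.example.com
EOF
}

# Usage: check_master_conf /etc/puppet/puppet.conf   (on servera)
#        check_agent_conf  /etc/puppet/puppet.conf   (on serverb)
```

The parser ignores comment lines, so the commented defaults in the stock file (such as `# The default value is '$vardir/log'.`) are never mistaken for settings.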

Start the puppet service on the master and on the agent, master first, then agent.

1) Starting the master. Once it is up, it first performs certificate authorization for its own host, generating a file named <own hostname>.pem under /var/lib/puppet/ssl/ca/signed. The result:

```shell
[root@servera ~]# systemctl start puppetmaster
[root@servera ~]# cd /var/lib/puppet/ssl/ca/signed/
[root@servera signed]# ls
servera.pod0.example.com.pem
```

2) Starting the agent. Once it is up, it generates <agent hostname>.pem under /var/lib/puppet/ssl/certificate_requests and sends the certificate request straight to the master, which stores it under /var/lib/puppet/ssl/ca/requests. The result:

```shell
[root@serverb ~]# systemctl start puppet
[root@serverb ~]# cd /var/lib/puppet/ssl/certificate_requests/
[root@serverb certificate_requests]# ls
serverb.pod0.example.com.pem
[root@servera signed]# cd ../requests/
[root@servera requests]# pwd
/var/lib/puppet/ssl/ca/requests
[root@servera requests]# ls
serverb.pod0.example.com.pem
```

Note: during this step, if SELinux is in enforcing mode, permission problems will prevent the agent from creating the certificate request file correctly; you can run setenforce 0 to switch SELinux to permissive mode. Permissive mode still records the denials in the audit log, which is the input needed for a proper policy fix once the lab is working.

3) Authorization on the master

Authorization on the master is done with the puppet cert command.

First, look at the help output with the --help option:

```shell
[root@servera requests]# puppet cert --help

puppet-cert(8) -- Manage certificates and requests

SYNOPSIS
Standalone certificate authority. Capable of generating certificates,
but mostly used for signing certificate requests from puppet clients.

USAGE
puppet cert [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
  [--digest ] []

DESCRIPTION
Because the puppet master service defaults to not signing client
certificate requests, this script is available for signing outstanding
requests. It can be used to list outstanding requests and then either
sign them individually or sign all of them.

ACTIONS
Every action except 'list' and 'generate' requires a hostname to act on,
unless the '--all' option is set.

* clean:
  Revoke a host's certificate (if applicable) and remove all files
  related to that host from puppet cert's storage. This is useful when
  rebuilding hosts, since new certificate signing requests will only be
  honored if puppet cert does not have a copy of a signed certificate
  for that host. If '--all' is specified then all host certificates,
  both signed and unsigned, will be removed.

* fingerprint:
  Print the DIGEST (defaults to the signing algorithm) fingerprint of a
  host's certificate.

* generate:
  Generate a certificate for a named client. A certificate/keypair will
  be generated for each client named on the command line.

* list:
  List outstanding certificate requests. If '--all' is specified, signed
  certificates are also listed, prefixed by '+', and revoked or invalid
  certificates are prefixed by '-' (the verification outcome is printed
  in parenthesis).

* print:
  Print the full-text version of a host's certificate.

* revoke:
  Revoke the certificate of a client. The certificate can be specified either
  by its serial number (given as a hexadecimal number prefixed by '0x') or by its
  hostname. The certificate is revoked by adding it to the Certificate Revocation
  List given by the 'cacrl' configuration option. Note that the puppet master
  needs to be restarted after revoking certificates.

* sign:
  Sign an outstanding certificate request.

* verify:
  Verify the named certificate against the local CA certificate.

* reinventory:
  Build an inventory of the issued certificates. This will destroy the current
  inventory file specified by 'cert_inventory' and recreate it from the
  certificates found in the 'certdir'. Ensure the puppet master is stopped
  before running this action.

OPTIONS
Note that any setting that's valid in the configuration
file is also a valid long argument. For example, 'ssldir' is a valid
setting, so you can specify '--ssldir ' as an
argument.

See the configuration file documentation at
http://docs.puppetlabs.com/references/stable/configuration.html for the
full list of acceptable parameters. A commented list of all
configuration options can also be generated by running puppet cert with
'--genconfig'.

* --all:
  Operate on all items. Currently only makes sense with the 'sign',
  'clean', 'list', and 'fingerprint' actions.

* --digest:
  Set the digest for fingerprinting (defaults to the digest used when
  signing the cert). Valid values depends on your openssl and openssl ruby
  extension version.

* --debug:
  Enable full debugging.

* --help:
  Print this help message

* --verbose:
  Enable verbosity.

* --version:
  Print the puppet version number and exit.

EXAMPLE
$ puppet cert list
culain.madstop.com
$ puppet cert sign culain.madstop.com

AUTHOR
Luke Kanies

COPYRIGHT
Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
```

From the help output we can pick out the following commonly used actions:

  • clean: clears all authorization information for a host.
  • list: lists the pending certificate requests from all agents.
  • revoke: revokes an agent's authorization.
  • sign: signs (authorizes) an agent's certificate request.

Now we can sign (authorize) the agent (serverb) from the master:

```shell
[root@servera requests]# puppet cert --list
"serverb.example.com" (SHA256) 3A:04:7B:E5:AB:69:D0:CA:9C:DC:85:CF:66:EC:F8:61:56:6D:53:B2:BB:9F:7E:9A:9C:C6:E9:AC:E0:CE:F3:D8
[root@servera requests]# puppet cert --sign "serverb.pod0.example.com"
Notice: Signed certificate request for serverb.pod0.example.com
Notice: Removing file Puppet::SSL::CertificateRequest serverb.pod0.example.com at '/var/lib/puppet/ssl/ca/requests/serverb.example.com.pem'
[root@servera requests]# cd ../signed/
[root@servera signed]# ls
servera.pod0.example.com.pem  serverb.pod0.example.com.pem
[root@servera signed]# pwd
/var/lib/puppet/ssl/ca/signed
```

Once signing is complete, the request that was stored on the master as /var/lib/puppet/ssl/ca/requests/<agent hostname>.pem is moved to /var/lib/puppet/ssl/ca/signed/<agent hostname>.pem,

and a new file appears on the agent: /var/lib/puppet/ssl/certs/<agent hostname>.pem.

5. Automatic certificate authorization in puppet

The method above does complete one-to-one authorization. But what if there are many agents to sign? Do we sign them one by one? puppet provides an --all option that signs every pending agent request in one go.

```shell
[root@servera requests]# puppet cert --sign --all
Notice: Signed certificate request for serverb.pod0.example.com
Notice: Removing file Puppet::SSL::CertificateRequest serverb.pod0.example.com at '/var/lib/puppet/ssl/ca/requests/serverb.pod0.example.com.pem
```

That still requires someone to type the command by hand, so an agent that is supposed to join may not obtain its authorization in time to establish the SSL connection and start transferring data.

What we want now is this: as soon as an agent host from a given domain starts up and sends its signing request, the master signs it automatically, without anyone running puppet cert --sign by hand; in other words, fully automatic authorization.

Bring up another server, hostname serverd.example.com, as a puppet agent; its authorization must complete automatically. The configuration is as follows:

Configuration on the master:

```shell
[root@servera requests]# cat >> /etc/puppet/puppet.conf << END
autosign = /etc/puppet/autosign.conf
autosign = true
autosign = /etc/puppet/autosign.conf
END
[root@servera requests]# tail -n5 /etc/puppet/puppet.conf
[master]
certname=servera.pod0.example.com
autosign = /etc/puppet/autosign.conf
autosign = true
autosign = /etc/puppet/autosign.conf
[root@servera requests]# cat >> /etc/puppet/autosign.conf << END
*.example.com
END
[root@servera requests]# systemctl restart puppetmaster
```

Configuration on the agent:

```shell
[root@serverd puppet]# sed -i '/ssldir/aserver = servera.pod0.example.com' /etc/puppet/puppet.conf
[root@serverd puppet]# systemctl restart puppet
```

Once this is done, the result of the automatic signing is visible right away.

On the master:

```shell
[root@servera signed]# pwd
/var/lib/puppet/ssl/ca/signed
[root@servera signed]# ls
servera.pod0.example.com.pem  serverd.pod0.example.com.pem  serverb.pod0.example.com.pem
```

On the agent:

```shell
[root@serverd certs]# pwd
/var/lib/puppet/ssl/certs
[root@serverd certs]# ls
ca.pem  serverd.pod0.example.com.pem
```
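The wildcard entry *.example.com in autosign.conf signs any request whose certname ends in example.com, so any host that can reach port 8140 and choose a matching certname receives a valid agent certificate. A tighter alternative, added here as an example (not code from the original page), is policy-based autosigning, which Puppet 3.4 and later support when the autosign setting names an executable instead of a conf file: the master runs it with the certname as the first argument and the CSR on stdin, and signs only on exit status 0. The script below accepts only exact names from an allowlist file (the path is an assumption) and leaves everything else pending for the manual puppet cert --sign step shown in section 4.

```shell
#!/bin/sh
# Policy-based autosign script: an added example, not code from the original
# page. Puppet 3.4+ runs the executable named by the 'autosign' setting with the
# agent's certname as $1 and the PEM CSR on stdin; exit 0 signs the request,
# any other status leaves it pending. The allowlist path is an assumption.
ALLOWLIST="${AUTOSIGN_ALLOWLIST:-/etc/puppet/autosign-allowlist}"

# 0 when certname ($1) is an exact, case-insensitive line of allowlist file ($2).
# Exact names replace the '*.example.com' wildcard of autosign.conf, which any
# host that can reach port 8140 satisfies just by choosing its own certname.
allowed_certname() {
    [ -r "$2" ] || return 1
    grep -qixF -- "$1" "$2"
}

# 0 when file $1 contains a PEM certificate request (header and footer present).
valid_csr() {
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1" &&
    grep -q -- '-----END CERTIFICATE REQUEST-----' "$1"
}

# Decision: 0 = sign, 1 = refuse. Arguments: certname, CSR file, allowlist file.
autosign_decision() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;    # empty, wildcard or other junk name
    esac
    allowed_certname "$1" "$3" || return 1
    valid_csr "$2" || return 1
}

# Self-check on constructed data: prints one word per request, in order.
demo_decisions() {
    d="$(mktemp -d)"
    printf '%s\n' serverb.pod0.example.com serverd.pod0.example.com > "$d/allow"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' \
        'MIIB...constructed.placeholder...' '-----END CERTIFICATE REQUEST-----' > "$d/csr"
    : > "$d/empty"
    out=""
    for name in serverb.pod0.example.com rogue.pod0.example.com '*.example.com'; do
        if autosign_decision "$name" "$d/csr" "$d/allow"; then out="$out sign"
        else out="$out refuse"; fi
    done
    # a listed name whose request body is not a CSR is refused as well
    if autosign_decision serverd.pod0.example.com "$d/empty" "$d/allow"; then
        out="$out sign"; else out="$out refuse"; fi
    rm -rf "$d"
    echo "${out# }"
}

# Entry point used by the puppet master (certname in $1, CSR on stdin).
if [ "$#" -gt 0 ]; then
    tmp="$(mktemp)"; trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"
    if autosign_decision "$1" "$tmp" "$ALLOWLIST"; then
        logger -t autosign "signed $1"; exit 0
    fi
    logger -t autosign "refused $1, request left pending for manual review"; exit 1
fi
```

Install it executable by the puppet user and point autosign = in the [master] section at the script path instead of autosign.conf; a refused request shows up in puppet cert --list exactly as in section 4.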

6. puppet's synchronization mechanism

In M/A mode puppet can synchronize updates in two ways.

1. The agent actively fetches its configuration from the puppet master.

This is the default. Unless the sync interval is changed, the agent contacts the master for a synchronization run every 30 minutes. To customize the interval, set the runinterval parameter in /etc/puppet/puppet.conf on the agent.

```shell
[root@serverb /]# echo "runinterval = 5" >> /etc/puppet/puppet.conf
[root@serverb /]# cat /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet

# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
server = servera.pod0.example.com

[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuratiion.  Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration.  An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
runinterval = 5
[root@serverb /]# systemctl restart puppet
[root@serverb /]# tail -f /var/log/messages
Aug 13 08:41:05 serverb puppet-agent[4275]: Finished catalog run in 0.01 seconds
Aug 13 08:41:10 serverb puppet-agent[4441]: Finished catalog run in 0.01 seconds
Aug 13 08:41:15 serverb puppet-agent[4607]: Finished catalog run in 0.01 seconds
Aug 13 08:41:20 serverb puppet-agent[4773]: Finished catalog run in 0.01 seconds
```

Advantages of method 1: if an agent's configuration is damaged for some reason, the correct configuration is fetched again within one sync period with no manual intervention. The method is also very simple to set up, and the sync period can be changed to suit requirements.

Disadvantages of method 1: when many agents send sync requests to the master at the same time, the master can hit a performance bottleneck (this can be worked around by synchronizing in batches). Beyond that, operations on the master must be kept secure: any change anyone makes to the master's configuration is synchronized to every agent that matches the node definition. If someone writes rm -rf /* into a pushed script, that too is synchronized to and executed on every agent, a serious security threat.

2. The puppet master pushes configuration to the agents with the puppet kick command.

In this method the puppetmaster's puppet kick command drives the synchronization.

Advantages:

Higher security: there is time to review the code before an update.

The update cycle is easy to control.

Disadvantages:

Tampered data on an agent is hard to restore promptly.

The lock mechanism makes control rather inflexible.

Method 2 has largely been abandoned in enterprise environments, so it is not described here.

7. puppet's listening port

Almost every network service listens on a port number so that requests for different services can be told apart.

The master listens on port 8140.

```shell
[root@servera signed]# netstat -tulnp | grep 8140
tcp        0      0 0.0.0.0:8140            0.0.0.0:*               LISTEN      4280/ruby
[root@servera signed]# firewall-cmd --permanent --add-port=8140/tcp
success
[root@servera signed]# firewall-cmd --reload
success
```

If the agents actively connect to the master, the firewall must be configured so that port 8140 on the master accepts the agents' requests.

8. Basic puppet configuration

1) Creating the global entry file: site.pp

/etc/puppet/manifests/site.pp is the global entry file. The first thing that happens when an agent contacts the master for its configuration is that site.pp is read; all management work starts from site.pp.

site.pp defines which nodes (agents) use which modules (configuration blocks). When configuring a puppetmaster for the first time, create this file yourself.

```shell
[root@servera manifests]# cat >> /etc/puppet/manifests/site.pp << END
node 'serverb.example.com' {
include 'myfile'
}
END
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node 'serverb.example.com' {
include 'myfile'
}
```

Here node 'serverb.example.com' declares that serverb.example.com is a node managed by puppet, and include 'myfile' names the module: the content serverb must synchronize lives in the myfile module.

With this configuration, the serverb node receives the configuration written in the myfile module, while other hosts have nothing to synchronize. To have several hosts synchronize the content of the myfile module, it can be done like this:

```shell
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node 'serverb.example.com' {
include 'myfile'
}
node 'serverd.example.com' {
include 'myfile'
}
...
```

This says that the serverb and serverd nodes both synchronize the myfile module, but it is verbose. Often a regular expression can be used for the node definition instead:

```shell
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node /^(serverb|serverd)\.example\.com$/ {
include 'myfile'
}
```

This means serverb and serverd both use the configuration in the myfile module. Or:

```shell
[root@servera manifests]# cat /etc/puppet/manifests/site.pp
node /^.*\.example\.com$/ {
        include 'myfile'
}
```

Every host whose name ends in example.com uses the configuration in the myfile module.

The precondition, of course, is that the SSL connection can be established: without authorization, even if site.pp maps the node to a module, the agent cannot correctly pull its configuration from the master.

Sometimes, however, keeping every node in the same file makes later maintenance hard. Nodes can be grouped into separate files with the import statement; the file names are up to you. For example:

```shell
[root@servera ~]# echo "import 'nodes.pp'" > /etc/puppet/manifests/site.pp
[root@servera ~]# cat /etc/puppet/manifests/site.pp
import 'nodes.pp'
[root@servera ~]# cat > /etc/puppet/manifests/nodes.pp << END
node /^.*\.example\.com$/ {
        include 'myfile'
}
END
[root@servera ~]# cat /etc/puppet/manifests/nodes.pp
node /^.*\.example\.com$/ {
        include 'myfile'
}
```

2) Creating a module and writing common resource configurations

In the previous step we included a module named myfile. When an agent learns from its node definition that it must synchronize the myfile module, it looks for a file named init.pp in /etc/puppet/modules/myfile/manifests. This file can be thought of as the module's entry file. If the directory does not exist, create it by hand.

```shell
[root@servera ~]# mkdir -p /etc/puppet/modules/myfile/manifests
```

Once the directory exists, write init.pp. Its layout is as follows:

```puppet
class <module name> {
    <type 1> {
        "<title 1>":
            <attribute 1> => <value 1>,
            <attribute 2> => <value 2>,
            <attribute 3> => <value 3>,
            ...
            <attribute N> => <value N>;
        "<title 2>":
            <attribute> => <value>,
            .....
            <attribute> => <value>;
    }
    <type 2> {
        "<title>":
            <attribute> => <value>,
            ....
    }
}
```

The type is the kind of object being operated on, the title is the actual target of the operation, the attributes are what is being controlled, and the values are the desired states.

An example: to install a package named httpd on the agent, we can write

```puppet
package { "httpd":          # the type is package (software); the actual target is httpd
    ensure => present,      # the attribute controls whether httpd exists; present means it must be installed
}
```

Common puppet types and attributes

1. The file type (operations on files)

Common attributes:

    ensure => 'absent|present|directory|link'
    group => '<owning group>'
    owner => '<owning user>'
    mode => '<permission bits>'
    content => '<file content>'
    force => 'true|false'
    source =>

Example of file attributes:

Pushing out /etc/fstab

/etc/fstab determines what is mounted at boot. Hosts that provide the same function usually have nearly identical mount information, so here we push the file to every node that uses this module.

```shell
[root@servera etc]# cat /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
file {"/etc/fstab":
ensure => present,
owner => root,
group => root,
source => 'puppet://servera.example.com/modules/myfile/etc/fstab',
}
}
[root@servera etc]# mkdir -p /etc/puppet/modules/myfile/files/etc
[root@servera files]# cp /etc/fstab /etc/puppet/modules/myfile/files/etc/fstab
```

Note: source above is the location of the source file; the files directory is not written in the URL, because puppet looks under the module's files directory by default.

After writing the configuration there is no need to restart the service; the client fetches the corresponding file on its regular sync cycle, and the result can be seen in the log. The "Could not evaluate" lines below were logged while the source file had not yet been copied into the module's files directory; once it was in place, the content change went through.

```shell
[root@serverb ~]# tailf /var/log/messages
Aug 16 11:24:17 serverb puppet-agent[4734]: Finished catalog run in 0.01 seconds
Aug 16 11:24:22 serverb puppet-agent[4900]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:22 serverb puppet-agent[4900]: Finished catalog run in 0.04 seconds
Aug 16 11:24:27 serverb puppet-agent[5068]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:27 serverb puppet-agent[5068]: Finished catalog run in 0.04 seconds
Aug 16 11:24:32 serverb puppet-agent[5236]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:32 serverb puppet-agent[5236]: Finished catalog run in 0.04 seconds
Aug 16 11:24:37 serverb puppet-agent[5404]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:37 serverb puppet-agent[5404]: Finished catalog run in 0.04 seconds
Aug 16 11:24:42 serverb puppet-agent[5572]: (/Stage[main]/Myfile/File[/etc/fstab]/content) content changed '{md5}71c72e221409b343ed9a69f9a2dfa15c' to '{md5}ff16538739bfe5d524783750dd88ae30'
```
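A small syslog check for the agent side, added here as an example (not code from the original page): it picks out the two patterns visible in the log above, a resource the agent could not evaluate and a content change to a file on a watch list together with the old and new md5 the agent logged, so that an unreviewed change pushed to every agent (the risk noted under section 6) is at least visible. The sample log lines and their md5 values are constructed from the excerpts on this page.

```shell
#!/bin/sh
# Added example, not from the original page: scan puppet-agent syslog lines on
# an agent for two events worth alerting on, modelled on the log excerpts above:
#   1. a resource the agent could not evaluate ("Could not evaluate"), and
#   2. a content change to a file on a watch list, with old/new md5 from the log.
# Assumed log format: the /var/log/messages lines as shown on this page.

# Constructed sample log (shaped like the excerpts above; md5 values made up).
sample_log() {
cat <<'EOF'
Aug 16 11:24:17 serverb puppet-agent[4734]: Finished catalog run in 0.01 seconds
Aug 16 11:24:22 serverb puppet-agent[4900]: (/Stage[main]/Myfile/File[/etc/fstab]) Could not evaluate: Could not retrieve information from environment production source(s) puppet://servera.example.com/modules/myfile/etc/fstab
Aug 16 11:24:42 serverb puppet-agent[5572]: (/Stage[main]/Myfile/File[/etc/fstab]/content) content changed '{md5}71c72e221409b343ed9a69f9a2dfa15c' to '{md5}ff16538739bfe5d524783750dd88ae30'
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/User[tomcat]/ensure) created
Aug 16 11:50:03 serverb puppet-agent[6001]: (/Stage[main]/Myfile/File[/tmp/test]/content) content changed '{md5}0cc175b9c0f1b6a831c399e269772661' to '{md5}92eb5ffee6ae2fec3ad71c777531578f'
EOF
}

# Read log lines on stdin; print the resource path of every failed evaluation.
failed_resources() {
    sed -n 's/^.*puppet-agent\[[0-9]*\]: (\([^)]*\)) Could not evaluate:.*$/\1/p'
}

# Read log lines on stdin; for every File resource whose content changed and
# whose path matches the extended regex in $1, print "path old_md5 new_md5".
watched_content_changes() {
    awk -v watch="$1" '
        /puppet-agent\[[0-9]+\]: .*\/File\[[^]]*\]\/content\) content changed / {
            path = $0
            sub(/^.*\/File\[/, "", path)        # drop everything up to File[
            sub(/\]\/content\).*$/, "", path)   # drop from ]/content) onwards
            if (path !~ watch) next
            split($0, q, "[{]md5[}]")           # q[2], q[3] start with old/new md5
            print path, substr(q[2], 1, 32), substr(q[3], 1, 32)
        }'
}

# Run over the constructed sample. On a real agent feed the two functions with
# /var/log/messages (or journalctl output) and forward the lines to your SIEM.
sample_log | failed_resources | sed 's/^/FAILED  /'
sample_log | watched_content_changes '^/etc/' | sed 's/^/CHANGED /'
```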

2. The user and group types (settings for users and groups)

Common user attributes:

    ensure => 'present|absent'
    uid => '<uid number>'
    gid => '<primary group number>'
    home => '<home directory location>'
    shell => '<login shell>'

Common group attributes:

    ensure => 'present|absent'
    gid => '<gid number>'

Example of users and groups:

Creating a tomcat user on many hosts. To deploy JSP pages you need a servlet container, and tomcat is a common one. If tomcat is started via jsvc, a user named tomcat is needed to keep the service running. This case is a typical example of creating the tomcat user on many hosts in one batch.

```shell
[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
    user { 'tomcat':
        require => Group['tomcat'],
        ensure => present,
        uid => '666',
        gid => '666',
        home => '/home/tomcat',
        shell => '/sbin/nologin',
    }
    group { 'tomcat':
        ensure => present,
        gid => '666',
    }
    file { '/home/tomcat':
        ensure => directory,
        mode => '700',
        owner => 'tomcat',
        group => 'tomcat',
        require => User['tomcat'],
    }
}
```

require is a shared attribute (available on every resource type): the referenced resource is applied first, and only then the current one.

For instance, require => Group['tomcat'] in the user resource above means: first apply the group resource titled tomcat, then the user resource titled tomcat. The log confirms the order: the group is created first, then the user, and finally the home directory.

```shell
[root@serverb ~]# tail /var/log/messages
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/Group[tomcat]/ensure) created
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/User[tomcat]/ensure) created
Aug 16 11:37:37 serverb puppet-agent[31620]: (/Stage[main]/Myfile/File[/home/tomcat]/ensure) created
[root@serverb ~]# id tomcat
uid=666(tomcat) gid=666(tomcat) groups=666(tomcat)
[root@serverb ~]# ll -d /home/tomcat/
drwx------. 2 tomcat tomcat 6 Aug 16 11:37 /home/tomcat/
```

3. The package type (operations on software packages)

Common package attributes:

ensure => present | absent

By default the package resource installs software with yum. To install with rpm instead, add the following two parameters:

```puppet
source => '/tmp/nginx-1.8.0-1.el7.ngx.x86_64.rpm',    # absolute path of the package
provider => 'rpm',                                    # install via rpm
```

Example of package attributes:

Deploying a MySQL database environment in bulk by installing mariadb-server on several servers:

Configuration on the master:

```shell
[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
    package {'mariadb-server':
        ensure => present,
    }
}
```

Result on the agent:

```shell
[root@serverb tmp]# tail /var/log/messages -f
Aug 16 18:44:19 serverb yum[109385]: Installed: perl-Data-Dumper-2.145-3.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-Net-Daemon-0.48-5.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-IO-Compress-2.061-2.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-PlRPC-0.2020-14.el7.noarch
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-DBI-1.627-4.el7.x86_64
Aug 16 18:44:20 serverb yum[109385]: Installed: perl-DBD-MySQL-4.023-5.el7.x86_64
Aug 16 18:44:22 serverb yum[109385]: Installed: 1:mariadb-5.5.41-2.el7_0.x86_64
Aug 16 18:44:24 serverb systemd: Reloading.
Aug 16 18:44:25 serverb systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:44:25 serverb systemd: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:44:25 serverb yum[109385]: Installed: 1:mariadb-server-5.5.41-2.el7_0.x86_64
Aug 16 18:44:26 serverb puppet-agent[109199]: (/Stage[main]/Myfile/Package[mariadb-server]/ensure) created
[root@serverb tmp]# rpm -q mariadb-server
mariadb-server-5.5.41-2.el7_0.x86_64
```

4. The service resource (controlling service state)

Common attributes:

enable => 'true|false'        # whether the service starts at boot

ensure => 'running|stopped'   # the current running state

Example of service attributes:

Start the mariadb service and enable it at boot:

Configuration on the master:

```shell
[root@servera etc]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
    package {'mariadb-server':
        ensure => present,
    }
    service {'mariadb':
        require => Package['mariadb-server'],
        ensure => running,
        enable => true,
    }
}
```

Result on the agent:

```shell
[root@serverb tmp]# tail -f /var/log/messages
Aug 16 18:55:21 serverb systemd: Started MariaDB database server.
Aug 16 18:55:22 serverb systemd: Reloading.
Aug 16 18:55:22 serverb systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:55:22 serverb systemd: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 16 18:55:22 serverb puppet-agent[2453]: (/Stage[main]/Myfile/Service[mariadb]/ensure) ensure changed 'stopped' to 'running'
[root@serverb tmp]# systemctl status mariadb
mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled)
   Active: active (running) since Tue 2016-08-16 18:55:21 EDT; 17s ago
 Main PID: 2721 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─2721 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
           └─2878 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mys...

Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: The lates...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: You can f...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: http://de...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Support M...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Corporati...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: Alternati...
Aug 16 18:55:19 serverb.example.com mariadb-prepare-db-dir[2642]: http://ma...
Aug 16 18:55:19 serverb.example.com mysqld_safe[2721]: 160816 18:55:19 mysq...
Aug 16 18:55:19 serverb.example.com mysqld_safe[2721]: 160816 18:55:19 mysq...
Aug 16 18:55:21 serverb.example.com systemd[1]: Started MariaDB database se...
Hint: Some lines were ellipsized, use -l to show in full.
```

These are the commonly used attributes. They are by no means all of them; if you need more, https://docs.puppet.com/ has the full details.

5. Shared (meta) attributes

Usually there are dependencies between resources: for example, a prerequisite for configuring httpd's configuration file is that the httpd package is already installed; or, after changing a service's configuration file, the configuration has to be reloaded. Shared attributes relate multiple resources to one another in such ways.

1) notify

notify is normally used to notify another resource to perform its corresponding action.

2) subscribe

The opposite of notify: passive notification.

3) require

require means that, before this resource is applied, the other resource must already have been applied successfully.

4) before

The opposite of require: after this resource is applied successfully, the other resource is applied.

Example:

```shell
[root@servera etc]# cat /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
    file {"/etc/dhcpd.conf":
        require => Package['dhcp'],
        ensure => present,
        source => 'puppet://servera.example.com/modules/myfile/etc/dhcpd.conf',
        notify => Service['dhcpd'],
    }
    package{'dhcp':
        ensure => present,
    }
    service {'dhcpd':
        ensure => running,
        enable => true,
    }
}
```

Exercises:

Complete the following using the material above:

1. With servera as the master and server[b-e] as agents, set up the corresponding authorization.

2. On server[b-e], build a virtual host with httpd: site name www.abc.com, document root /var/www/html/abc.com; the service must restart each time the configuration file is modified.

9. Variables, templates and functions in puppet

1) Defining and using variables

A variable is defined as $variable_name = value.

In the example below we declare a local variable named content:

```shell
[root@servera manifests]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
        $content = "some content\n"
        file { "/tmp/test":
        ensure => present,
        content => "$content",
        }
}
```

A variable can also be declared in the global entry file site.pp as a global variable:

```shell
[root@servera manifests]# vim /etc/puppet/manifests/nodes.pp
node /server[b-c]\.pod\.example\.com/ {
        $content = "abc\n"
        include 'myfile'
}
```

2) Using facter variables

facter variables hold the information that differs from one node server to another.

They are referenced as ${::<facter variable name>}.

```puppet
class myfile {
    file { "/tmp/test":
        ensure => present,
        content => "${::hostname}",
    }
}
```

3) Creating and using templates

Templates normally have the extension .erb and are stored in a directory named templates under the module directory.

1) Create the template file

```shell
[root@servera myfile]# pwd
/etc/puppet/modules/myfile
[root@servera myfile]# mkdir templates
[root@servera myfile]# cd templates
[root@servera templates]# vim testfile.erb
my ip address <%= content %>
```

Inside a template a variable is referenced as <%= variable name %>.

2) Use the template

```shell
[root@servera manifests]# vim /etc/puppet/modules/myfile/manifests/init.pp
class myfile {
 file { "/tmp/testfile":
        ensure => present,
        content => template('myfile/testfile.erb'), # call the template
        }
}
```

4) Defining and calling functions

A function (defined type) is a collection of resources.

1) Definition

Defined as follows:

```shell
[root@servera manifests]# pwd
/etc/puppet/modules/myfile/manifests
[root@servera manifests]# vim init.pp
class myfile {
        define create_file($myfile,$mycontent) {
                file { "$myfile":
                ensure => present,
                content => "$mycontent",
                }
        }
}
```

2) Call

Called as follows:

```shell
[root@servera manifests]# cd /etc/puppet/manifests/
[root@servera manifests]# ls
nodes.pp  site.pp
[root@servera manifests]# vim nodes.pp
node /server[b-c]\.pod\.example\.com/ {
    $content = "abc\n"
    include 'myhttpd','myssh','myfile'
          myfile::create_file { "xxxxxx":  # calling the function
                myfile => '/tmp/qwer',
                mycontent => "qwer\n",
        }
}
```

Exercises: