Puppet is a centralized configuration management system for Linux and Unix platforms, written in Ruby. It can manage configuration files, users, cron jobs, software packages, system services and more. Puppet calls these system entities resources; its design goal is to simplify managing these resources and to handle the dependencies between them properly.
Puppet can be used on a single machine or in a client/server (c/s) structure; at scale the c/s structure is the norm. In this structure a Puppet client is simply a server running puppet (puppetd), and the Puppet server is the server running puppetmaster.
The client first connects to the server and, using facter, sends its basic configuration information (facts). The server takes the client's hostname (more precisely, the name in its certificate), finds that host's configuration code through the node definition, compiles it into a catalog, and sends the compiled catalog back. The client applies the catalog to complete the configuration and reports the outcome of the run back to the server.
Puppet working mode and flow
1. The client (puppetd) sends an authentication request to the master, or presents its already signed certificate.
2. The master verifies the client: a certificate signed by the master's CA is accepted; a new client's certificate signing request is held until an administrator signs it (see puppetca below).
3. puppetd calls facter, which discovers host variables such as hostname, memory size and IP addresses; puppetd sends these facts to the server over the SSL connection.
4. The puppet master matches the client's hostname to a node definition in the manifest and parses only the code that node involves; the facts sent by facter are available as variables. Parsing happens in stages: first a syntax check, which reports an error on failure; if the syntax is fine, the code is compiled into an intermediate form, the catalog, which is sent to the client.
5. The client receives the catalog and applies it.
6. While applying it, if there are file resources whose contents must be fetched, the client requests them from the file server.
7. If reporting is configured, the client sends the run result to the server.
8. The server writes the result to its log and passes it to the reporting system.
Two points about this process deserve attention. First, for security, client and master communicate over SSL with certificates; only a client whose certificate has been signed by the master's CA can talk to the master. Second, Puppet keeps the system in the state you declare and maintains it: if you declare that a file must exist or that the ssh service must be running, and the file is deleted or the service stopped, the next run (every 30 minutes by default) recreates the file or starts the service again.
I. Resource types:
1, file: manages files; with the right attributes it can also manage directories
2, package: manages software packages and installs them automatically
3, service: manages services, setting whether a service runs or is stopped
4, cron: sets scheduled tasks
5, user: adds users
6, group: adds groups
7, exec: when no resource type fits the task, runs a shell command
8, notify: writes a message to the agent's log and report (it does not make resources communicate; relationships between resources use the metaparameters described below)
The full list of types can be shown with: # puppet describe --list
II. Resource syntax:
Type { 'title':
  attribute => a,
  attribute => b,
}
Type is one of the resource types above (file, ...); 'title' identifies the resource and must be unique for that type; attributes are the properties of the resource, such as permissions or owner.
III. Using resources
1, inside a class, to implement one specific piece of configuration
2, in site.pp, as global configuration
IV. Dependencies and ordering
Dependencies between resources are declared with metaparameters. Four metaparameters reference other resources: before, require, notify and subscribe. All four order the resources; notify and subscribe additionally refresh the dependent resource (for example, restart a service) when the referenced resource changes.
Ordering between resources:
"->" defines an ordering chain, and "~>" defines a notification chain (ordering plus refresh).
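The following site.pp is an added example, not code from the original page: it puts the resource types, the resource syntax, classes, the node definition from the workflow above, and the metaparameters and chaining arrows together in one manifest written for the Puppet 2.6 syntax used on this page. The node name client2.info.com comes from this page's setup; the package and service names, the puppet:/// source paths (which must be served by the master's file server or modules) and the backup script path are assumptions.

```puppet
# site.pp: added example, not from the original page.
# Assumed: RHEL-style package/service names, puppet:/// source paths that
# exist on the master's file server, and /usr/local/bin/backup.sh.

class ssh {
  # Facts collected by facter arrive as top-scope variables.
  $sshd_service = $::operatingsystem ? {
    /^(RedHat|CentOS)$/ => 'sshd',
    /^(Debian|Ubuntu)$/ => 'ssh',
    default             => 'sshd',
  }

  package { 'openssh-server':
    ensure => present,
  }

  # Ownership and mode are enforced on every run; 'source' is fetched from
  # the master's file server (step 6 of the flow above).
  file { '/etc/ssh/sshd_config':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    source  => 'puppet:///modules/ssh/sshd_config',   # assumed path
    require => Package['openssh-server'],             # install before the file
  }

  # 'subscribe' orders the service after the file and restarts it when the
  # file changes; 'enable' makes it start at boot.
  service { 'sshd':
    name      => $sshd_service,
    ensure    => running,
    enable    => true,
    subscribe => File['/etc/ssh/sshd_config'],
  }
}

class sysctl {
  file { '/etc/sysctl.conf':
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/sysctl/sysctl.conf',  # assumed path
  }

  # 'refreshonly' means the exec runs only when it is notified.
  exec { 'reload-sysctl':
    command     => '/sbin/sysctl -p',
    refreshonly => true,
  }

  # Notification chain: same effect as 'subscribe', written left to right.
  File['/etc/sysctl.conf'] ~> Exec['reload-sysctl']
}

class backup_user {
  group { 'backupjob': ensure => present }

  user { 'backupjob':
    ensure => present,
    gid    => 'backupjob',
    shell  => '/sbin/nologin',
    home   => '/var/lib/backupjob',
  }

  cron { 'nightly-backup':
    command => '/usr/local/bin/backup.sh',   # assumed script
    user    => 'backupjob',
    hour    => 2,
    minute  => 30,
  }

  # Ordering chain: group before user before cron entry.
  Group['backupjob'] -> User['backupjob'] -> Cron['nightly-backup']
}

node 'client2.info.com' {
  include ssh
  include sysctl
  include backup_user

  # 'notify' only writes a message to the agent log and the report.
  notify { "catalog applied on ${::fqdn}": }
}

node default {
  notify { 'no node definition for this host': }
}
```

Only the code inside the matching node block is compiled into the catalog for client2.info.com; the default node catches any other signed client so that an unknown host gets a log message instead of a compile error.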
Installing the puppet server
Installing the Ruby environment
1. Puppet is written in Ruby, so the Ruby runtime must be installed.
Find the ruby rpm packages matching your distribution version (ruby-libs ruby-1.8.7.352)
2. Installing Rdoc
This package is only needed if you want to read the help documentation.
Installing facter
facter must be installed before puppet. facter is a system inventory tool that collects host data such as CPU and IP addresses; the collected values are sent to the puppet server, which can use them as conditions to generate different configurations for different nodes.
[root@localhost opt]# tar xvzf facter-1.6.5.tar.gz
[root@localhost opt]# cd facter-1.6.5
[root@localhost facter-1.6.5]# ruby install.rb
[root@localhost facter-1.6.5]# cd ..
Installing puppet
[root@localhost opt]# tar xvzf puppet-2.6.13.tar.gz
[root@localhost opt]# cd puppet-2.6.13
[root@localhost puppet-2.6.13]# ruby install.rb
Copy the configuration files
[root@localhost puppet-2.6.13]# cp conf/auth.conf /etc/puppet/
[root@localhost puppet-2.6.13]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@localhost puppet-2.6.13]# cp conf/redhat/puppet.conf /etc/puppet/
Create the manifests directory
[root@localhost puppet-2.6.13]# mkdir -p /etc/puppet/manifests
Manifests are the resource declaration files ending in .pp.
Set the service to start at boot
[root@localhost puppet-2.6.13]# chmod +x /etc/init.d/puppetmaster
[root@localhost puppet-2.6.13]# chkconfig --add puppetmaster
[root@localhost puppet-2.6.13]# chkconfig puppetmaster on
Create the puppet user (puppetmaster drops to this user after start-up, so create it before the first start)
[root@localhost puppet-2.6.13]# puppetmasterd --mkusers
Installing the puppet client
[root@client2 opt]# tar xvzf facter-1.6.5.tar.gz
[root@client2 opt]# cd facter-1.6.5
[root@client2 facter-1.6.5]# ruby install.rb
[root@client2 facter-1.6.5]# cd ..
Installing puppet
[root@client2 opt]# tar xvzf puppet-2.6.13.tar.gz
[root@client2 opt]# cd puppet-2.6.13
[root@client2 puppet-2.6.13]# ruby install.rb
Copy the files
[root@client2 puppet-2.6.13]# cp conf/auth.conf /etc/puppet/
cp: overwrite "/etc/puppet/auth.conf"? y
[root@client2 puppet-2.6.13]# cp conf/namespaceauth.conf /etc/puppet/
[root@client2 puppet-2.6.13]# cp conf/redhat/puppet.conf /etc/puppet/
[root@client2 puppet-2.6.13]# cp conf/redhat/client.init /etc/init.d/puppet
Set the service to start at boot
[root@client2 puppet-2.6.13]# chmod +x /etc/init.d/puppet
[root@client2 puppet-2.6.13]# chkconfig -add puppet
-add: unknown option
[root@client2 puppet-2.6.13]# chkconfig --add puppet
[root@client2 puppet-2.6.13]# chkconfig puppet on
[root@client2 puppet-2.6.13]# service puppet start
Starting puppet: [ OK ]
[root@client2 puppet-2.6.13]# service puppet status
puppetd (pid 1985) is running...
Create the puppet user. This belongs before the service is started; here it was done afterwards, and --mkusers failed because the puppet group did not exist yet, so the group and user were created by hand:
[root@client2 puppet-2.6.13]# puppetd --mkusers
Could not prepare for execution: Got 1 failure(s) while initializing: change from absent to present failed: Could not create user puppet: Execution of '/usr/sbin/useradd -g puppet -M puppet' returned 6: useradd: group 'puppet' does not exist
[root@client2 puppet-2.6.13]# groupadd puppet;useradd -g puppet -M puppet
Edit the hosts file on server and client. The client must reach the master under a name that appears in the master's certificate (puppetmaster.info.com and the alt names listed by puppetca below); a static hosts entry pins that name to the master's address.
Server hosts file
[root@puppetmaster ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.179.128 puppetmaster.info.com
192.168.179.129 client.info.com
192.168.179.130 client2.info.com
Client hosts file
[root@client2 puppet-2.6.13]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.179.128 puppetmaster.info.com
192.168.179.130 client2.info.com
Check the master/client versions
# puppet --version
# puppetmasterd --version
Test name resolution and that port 8140 on the master is reachable
[root@client2 puppet-2.6.13]# ping puppetmaster.info.com
PING puppetmaster.info.com (192.168.179.128) 56(84) bytes of data.
64 bytes from puppetmaster.info.com (192.168.179.128): icmp_seq=1 ttl=64 time=0.601 ms
64 bytes from puppetmaster.info.com (192.168.179.128): icmp_seq=2 ttl=64 time=1.66 ms
64 bytes from puppetmaster.info.com (192.168.179.128): icmp_seq=3 ttl=64 time=0.818 ms
64 bytes from puppetmaster.info.com (192.168.179.128): icmp_seq=4 ttl=64 time=0.509 ms
^C
--- puppetmaster.info.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3856ms
rtt min/avg/max/mdev = 0.509/0.898/1.665/0.457 ms
[root@puppetmaster ~]# ping client2.info.com
PING client2.info.com (192.168.179.130) 56(84) bytes of data.
64 bytes from client2.info.com (192.168.179.130): icmp_seq=1 ttl=64 time=1.11 ms
64 bytes from client2.info.com (192.168.179.130): icmp_seq=2 ttl=64 time=0.719 ms
64 bytes from client2.info.com (192.168.179.130): icmp_seq=3 ttl=64 time=0.561 ms
64 bytes from client2.info.com (192.168.179.130): icmp_seq=4 ttl=64 time=0.751 ms
^C
--- client2.info.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3710ms
rtt min/avg/max/mdev = 0.561/0.786/1.115/0.204 ms
[root@client2 puppet-2.6.13]# telnet puppetmaster.info.com 8140
Trying 192.168.179.128...
Connected to puppetmaster.info.com.
Escape character is '^]'.
Connection closed by foreign host.
[root@client2 puppet-2.6.13]# puppetd --test --server puppetmaster.info.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client2.info.com
info: Certificate Request fingerprint (md5): C6:50:A8:07:F6:58:52:85:D9:A3:48:C9:55:11:88:7E
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
The command puppetd --test --server puppetmaster.info.com makes puppetd fetch its configuration from puppetmaster.info.com. On the first connection the two sides perform the SSL certificate exchange: the client generates its key pair and a certificate signing request (the CSR fingerprint is printed above) and submits it to the master. Because this client is new, the master has not signed it yet, so the run exits and the certificate must be signed on the server. Note the "peer certificate won't be verified" warnings: the client has no CA certificate yet, so this first contact is trust on first use. Before signing, confirm that the CSR fingerprint printed here matches the one shown by puppetca -l on the master.
Sign the certificate on the server
List the pending certificate requests
[root@puppetmaster ~]# puppetca -l
client2.info.com (C6:50:A8:07:F6:58:52:85:D9:A3:48:C9:55:11:88:7E)
Sign the pending request
[root@puppetmaster ~]# puppetca -s client2.info.com
notice: Signed certificate request for client2.info.com
notice: Removing file Puppet::SSL::CertificateRequest client2.info.com at '/var/lib/puppet/ssl/ca/requests/client2.info.com.pem'
List the signed certificates; the leading + sign marks a certificate as signed. The fingerprint shown for client2.info.com here is that of the signed certificate, so it differs from the CSR fingerprint listed before signing.
[root@puppetmaster ~]# puppetca -a --list
+ client2.info.com (AC:6A:6D:BC:92:5E:FD:1E:A1:20:AA:8B:C3:57:08:00)
+ localhost.localdomain (BA:0A:4B:92:31:2D:66:E0:46:2C:5B:BD:F8:ED:7D:6C) (alt names: DNS:localhost.localdomain, DNS:puppet, DNS:puppet.localdomain)
+ puppetmaster.info.com (1B:0A:AB:EC:BD:CD:20:89:F9:6D:E0:E8:40:4B:E0:FD) (alt names: DNS:puppet, DNS:puppet.info.com, DNS:puppetmaster.info.com)
The client fetches its signed certificate and applies its first catalog
[root@client2 puppet-2.6.13]# puppetd --test --server puppetmaster.info.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client2.info.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client2.info.com
info: Applying configuration version '1414098889'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.01 seconds
Verify that the certificate the client received is the one the master signed: the checksums of the two files must match
Server side
[root@puppetmaster ~]# md5sum /var/lib/puppet/ssl/ca/signed/client2.info.com.pem
3839180b3c6323597100c975510d93aa /var/lib/puppet/ssl/ca/signed/client2.info.com.pem
Client side
[root@client2 state]# md5sum /var/lib/puppet/ssl/certs/client2.info.com.pem
3839180b3c6323597100c975510d93aa /var/lib/puppet/ssl/certs/client2.info.com.pem