Puppet is currently the mainstream automation tool in operations; most operations administrators have heard of it, are already using it, or are considering it. Puppet can be combined with Cobbler, and also with Func, to automate day-to-day operations, simplify them, and turn a complex job into a simple one.
1. What is Puppet
Puppet is a centralized configuration management system for Linux and Unix platforms, written in Ruby, which can manage configuration files, users, cron jobs, software packages, system services and so on. Puppet calls these system entities resources; its design goal is to simplify the management of these resources and to handle the dependencies between them properly.
2. Puppet's syntax
Because Puppet is written in Ruby, its syntax is very similar to Ruby's. For an introduction to Ruby see http://ruby-lang.org
3. Which resources Puppet can manage:
As the Puppet introduction states, it can manage common resources such as file (files), user (users), group (groups), package (software packages), mount (mount points), schedule and cron (scheduled tasks), service (services), tidy (cleanup), yumrepo (yum repositories), sshkey (ssh host keys) and others.
4. How Puppet works
Puppet is a client/server configuration management tool. The puppet-server package is installed on a central server (called the Puppetmaster), and the Puppet client software is installed on the target hosts to be managed (called Puppet clients). When a client connects to the Puppetmaster, the configuration defined on the Puppetmaster is compiled and then applied on the client. By default every client contacts the server once every half hour to check whether its configuration has been updated; if there is new configuration, or the configuration has changed, it is recompiled and distributed to the clients to apply. A configuration update can also be triggered from the server to force the clients to reconfigure. If a client's configuration has been altered locally, it can fetch the original configuration from the server and correct itself.
Installation procedure:
1. Configure the /etc/hosts file
server:
# cat /etc/hosts
192.168.1.102 puppet.server
192.168.1.103 www.client
# iptables -F
# date
client:
# cat /etc/hosts
192.168.1.102 puppet.server
192.168.1.103 www.client
# iptables -F
# date
2. Configure the yum repository (CentOS has no Puppet repository by default; if the links below stop working, see https://fedoraproject.org/wiki/EPEL/zh-cn)
CentOS6.x:
rpm -Uvh http://epel.mirrors.arminco.com/6/i386/epel-release-6-8.noarch.rpm
CentOS5.x:
rpm -Uvh http://epel.mirrors.arminco.com/5/i386/epel-release-5-4.noarch.rpm
3. Install Puppet:
Server side:
# yum install puppet -y //install the client package
# yum install puppet-server -y //install the server package
# vi /etc/puppet/puppet.conf //edit the main configuration file and add the following
[master]
certname=puppet.server
Client side:
# yum install puppet -y //install the client package
4. Connect the Puppet server and client
server:
# puppet master //start the Puppet server
# lsof -i:8140 //the default port is 8140; check that it is listening
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
puppet 15667 puppet 5u IPv4 66457 0t0 TCP *:8140 (LISTEN)
# cd /var/lib/puppet/ssl/ca/ //this directory is created once the service has started
# ls |grep -E 'requests|signed'
requests //certificate requests received from clients are placed here
signed //certificates are placed here after their requests have been signed
# puppet cert --list //show which clients have sent certificate requests
client:
# puppet agent --server=puppet.server --no-daemonize --verbose //send a certificate request to the server
Info: Creating a new SSL key for www.client
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for www.client
Info: Certificate Request fingerprint (SHA256): 81:FF:8F:63:1A:3B:02:5D:A5:5E:16:E9:E2:4B:23:5B:8E:07:2D:BE:DF:13:F8:1F:3C:EF:70:BA:C7:6D:88:4A
Notice: Did not receive certificate
server:
# puppet cert --list //check whether the client has sent a certificate request; it has been received
??? I don't understand this part: my client's hostname is clearly defined as puppet.client, yet it shows up here as www.client
"www.client" (SHA256) CC:FB:3F:CC:B2:B8:9E:55:07:72:03:E1:96:D1:CD:F6:DC:9C:7C:C1:5E:25:D0:E8:FB:7D:62:C2:02:89:BC:32
# puppet cert --sign www.client //sign the certificate
Notice: Signed certificate request for www.client
Notice: Removing file Puppet::SSL::CertificateRequest www.client at '/var/lib/puppet/ssl/ca/requests/www.client.pem'
# ls /var/lib/puppet/ssl/ca/signed //confirm from the files that the certificate has been signed
puppet.server.pem www.client.pem
# puppet cert --list --all //confirm again on the command line that the certificate has been signed
+ "puppet.server" (SHA256)
+ "www.client" (SHA256)
client: //the signed certificate is received, and the output looks like this
Info: Caching certificate for www.client
Notice: Starting Puppet client version 3.2.2
Info: Caching certificate_revocation_list for ca
Info: Retrieving plugin
Info: Caching catalog for www.client
Info: Applying configuration version '1372765477'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.03 seconds
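A check worth doing in step 4 before running puppet cert --sign: confirm that the fingerprint puppet cert --list shows on the server is the same one the agent printed on the client, so that the master only ever signs a request that really came from the host you just set up. This is an added example, not code from the original post; the two log lines it parses are constructed sample input copied from the post above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify the CSR fingerprint
# out-of-band before `puppet cert --sign`. Signing an unverified request
# would give a certificate to whichever host submitted it under that name.

# Constructed sample input: the two lines as they appear in the post.
AGENT_OUT='Info: Certificate Request fingerprint (SHA256): 81:FF:8F:63:1A:3B:02:5D:A5:5E:16:E9:E2:4B:23:5B:8E:07:2D:BE:DF:13:F8:1F:3C:EF:70:BA:C7:6D:88:4A'
MASTER_LIST='"www.client" (SHA256) CC:FB:3F:CC:B2:B8:9E:55:07:72:03:E1:96:D1:CD:F6:DC:9C:7C:C1:5E:25:D0:E8:FB:7D:62:C2:02:89:BC:32'

# agent_fp OUTPUT: print the SHA256 fingerprint from the agent's log line.
agent_fp() {
  printf '%s\n' "$1" | sed -n 's/.*fingerprint (SHA256): \([0-9A-Fa-f:]*\).*/\1/p'
}

# master_fp CERTNAME LIST: print the fingerprint of the pending request for
# CERTNAME from `puppet cert --list` output (unsigned entries have no leading '+').
master_fp() {
  printf '%s\n' "$2" | sed -n "s/^\"$1\" (SHA256) \([0-9A-Fa-f:]*\).*/\1/p"
}

# fingerprints_match CERTNAME AGENT_OUTPUT LIST: succeed only when both
# fingerprints were found and are identical (compared case-insensitively).
fingerprints_match() {
  a=$(agent_fp "$2" | tr 'a-f' 'A-F')
  m=$(master_fp "$1" "$3" | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ -n "$m" ] && [ "$a" = "$m" ]
}

# Usage: sign only when the check passes. The two lines quoted from the
# post do not agree, so this prints the refusal.
if fingerprints_match www.client "$AGENT_OUT" "$MASTER_LIST"; then
  echo "fingerprint verified; safe to run: puppet cert --sign www.client"
else
  echo "fingerprint mismatch or not found; do not sign www.client" >&2
fi
```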
5. Configure package management, i.e. install software packages on the client
server:
# pwd //all configuration that clients need to synchronize lives here
/etc/puppet/manifests
# cat site.pp //this file specifies the server
import 'node.pp'
$puppetserver='puppet.server'
# cat node.pp //specifies the client and what should be done on it
node 'www.client' {
  package { 'system-config-lvm': ensure => present }
}
# puppet master --no-daemonize --verbose //start it right away
package is a resource-type keyword; the four basic ones are:
package (manages software packages)
service (manages services)
file (manages files)
exec (manages commands)
client:
# puppet agent --server=puppet.server --no-daemonize --verbose --onetime
Info: Retrieving plugin
Info: Caching catalog for www.client
Info: Applying configuration version '1372764532'
Notice: /Stage[main]//Node[www.client]/Package[system-config-lvm]/ensure: created
Notice: Finished catalog run in 6.93 seconds ---> the package was installed normally, taking 6.93 seconds
//--onetime synchronizes only once; by default the agent synchronizes its configuration from the server every 30 minutes
6. Configure service/module management, i.e. install a service on the client
server:
# pwd
/etc/puppet/modules
# vi /etc/puppet/manifests/node.pp
node 'www.client' {
  package { 'system-config-lvm': ensure => present }
  include ftp //add this line
}
# mkdir -p ./ftp/{files,templates,manifests}
# vi ftp/manifests/init.pp
class ftp {
  package { 'vsftpd': ensure => present }
  file { "/etc/vsftpd/vsftpd.conf":
    owner  => "root",
    group  => "root",
    mode   => "0644",
    source => "puppet://$puppetserver/modules/ftp/vsftpd.conf",
  }
  service { "vsftpd": ensure => running, enable => true }
}
running ---> start the service; enable ---> start it at boot, i.e. chkconfig vsftpd on
# cp /etc/vsftpd/vsftpd.conf ./ftp/files
# chmod 644 ./ftp/files/vsftpd.conf
# vi ./ftp/files/vsftpd.conf //change the first three lines to the following
anonymous_enable=YES
local_enable=YES
write_enable=YES
client:
# puppet agent --server=puppet.server --no-daemonize --verbose --onetime
Info: Retrieving plugin
Info: Caching catalog for www.client
Info: Applying configuration version '1372769145'
Notice: /Stage[main]/Ftp/Package[vsftpd]/ensure: created
Notice: /Stage[main]/Ftp/Service[vsftpd]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Ftp/Service[vsftpd]: Unscheduling refresh on Service[vsftpd]
Info: FileBucket adding {md5}0a5b80d33d6b0f90c357f250f202749a
Info: /File[/etc/vsftpd/vsftpd.conf]: Filebucketed /etc/vsftpd/vsftpd.conf to puppet with sum 0a5b80d33d6b0f90c357f250f202749a
Notice: /File[/etc/vsftpd/vsftpd.conf]/content: content changed '{md5}0a5b80d33d6b0f90c357f250f202749a' to '{md5}ba656bae1283560af992873eb92c848b'
Notice: /File[/etc/vsftpd/vsftpd.conf]/mode: mode changed '0600' to '0644'
Notice: Finished catalog run in 5.44 seconds //success, taking 5.44 seconds
# service vsftpd status
vsftpd (pid 6374) 正在运行...
# chkconfig --list|grep vsftp
vsftpd 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
# head -n3 /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
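The agent logs in steps 5 and 6 record exactly what changed on the client: a package created, a service started, a file's content replaced (with the old copy saved to the filebucket) and its mode changed from 0600 to 0644. The following added example, which is not code from the original post, turns such a log into a short change report and flags files whose permissions became more permissive; the log is constructed from the lines in step 6, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarize an agent run log.
# Constructed sample input, assembled from the step 6 output above.
AGENT_LOG=$(cat <<'EOF'
Info: Applying configuration version '1372769145'
Notice: /Stage[main]/Ftp/Package[vsftpd]/ensure: created
Notice: /Stage[main]/Ftp/Service[vsftpd]/ensure: ensure changed 'stopped' to 'running'
Info: FileBucket adding {md5}0a5b80d33d6b0f90c357f250f202749a
Info: /File[/etc/vsftpd/vsftpd.conf]: Filebucketed /etc/vsftpd/vsftpd.conf to puppet with sum 0a5b80d33d6b0f90c357f250f202749a
Notice: /File[/etc/vsftpd/vsftpd.conf]/content: content changed '{md5}0a5b80d33d6b0f90c357f250f202749a' to '{md5}ba656bae1283560af992873eb92c848b'
Notice: /File[/etc/vsftpd/vsftpd.conf]/mode: mode changed '0600' to '0644'
Notice: Finished catalog run in 5.44 seconds
EOF
)

# changed_resources LOG: one line per changed resource, "RESOURCE PROPERTY OLD NEW";
# a resource that was created gets "- -". Only Notice lines carry changes.
changed_resources() {
  printf '%s\n' "$1" | sed -n \
    -e "s#^Notice: \(/[^ ]*\)/\([a-z]*\): created\$#\1 \2 - -#p" \
    -e "s#^Notice: \(/[^ ]*\)/\([a-z]*\): [a-z]* changed '\([^']*\)' to '\([^']*\)'\$#\1 \2 \3 \4#p"
}

# mode_loosened OLD NEW: succeed when the new octal mode grants a bit the old one did not.
mode_loosened() {
  [ $(( $2 & ~$1 )) -ne 0 ]
}

# loosened_files LOG: files whose mode gained permissions during the run.
loosened_files() {
  changed_resources "$1" | while read -r res prop old new; do
    if [ "$prop" = mode ] && mode_loosened "$old" "$new"; then
      printf '%s %s->%s\n' "$res" "$old" "$new"
    fi
  done
}

# bucket_sums LOG: md5 sums the agent saved to the filebucket before overwriting
# a file; the previous content can be recovered from the bucket by that sum.
bucket_sums() {
  printf '%s\n' "$1" | sed -n 's/^Info: FileBucket adding {md5}\([0-9a-f]*\)$/\1/p'
}

# Usage: print the change report, then any files that became more permissive.
changed_resources "$AGENT_LOG"
loosened_files "$AGENT_LOG"
```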
Puppet operations automation, module example: http://os.51cto.com/art/201205/334240.htm
Puppet installation and configuration basics: http://blog.chinaunix.net/uid-20104120-id-3790845.html
Puppet operations automation, Exec resource management: http://os.51cto.com/art/201205/334242.htm //all of it implemented