DevOps技术分享 » Puppet http://www.showerlee.com 与你共同学习运维开发 Mon, 19 Oct 2020 05:51:41 +0000 zh-CN hourly 1 http://wordpress.org/?v=3.6 Centos6.3下Puppet功能模块实例笔记 http://www.showerlee.com/archives/345 http://www.showerlee.com/archives/345#comments Sat, 24 Aug 2013 12:14:39 +0000 showerlee http://www.showerlee.com/?p=345 之前的博文介绍了Puppet的初始安装配置:

传送门:http://www.showerlee.com/archives/343

今天来介绍Puppet的具体实用功能,其实我的理解就是怎么偷懒,呵呵。

1.填充文件内容:

(server):

修改server端配置文件:

# vi /etc/puppet/manifests/site.pp

-----------------

node default{

 file { "/tmp/test":

         content=> "this is a test file";

}

}

-----------------

重启puppetmaster,更新配置文件信息。

# service puppetmaster restart

(client):

重启puppet(可不用重启)

# service puppet restart

同步文件:

# puppetd --server server.example.com  --test

------------------

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for client.example.com

info: Caching certificate_revocation_list for ca

info: Caching catalog for client.example.com

info: Applying configuration version '1369124449'

notice: /Stage[main]//Node[default]/File[/tmp/test]/ensure: defined content as '{md5}100b144907af2a4786003758a0a6a563'

info: Creating state file /var/lib/puppet/state/state.yaml

notice: Finished catalog run in 0.02 seconds

------------------

查看/tmp/test文件及文件内容

# cat /tmp/test

-----------

this is a test file

-----------

2.文件分发:

通过puppet可以向被管理机上推送文件,方法是使用file类型的source属性

1:修改/etc/puppet/fileserver.conf

2:修改/etc/puppet/manifests/site.pp

实例:要把server服务器上/root目录下的puppet-2.6.13.tar.gz传输至client服务器的/tmp目录下,文件名不变。

# vi /etc/puppet/fileserver.conf

----------------

[files]

path /root

allow 192.168.7.0/24

----------------

# vi /etc/puppet/manifests/site.pp

添加到node default{}内:

---------------

  file { "/tmp/puppet-2.6.13.tar.gz":

          source => "puppet://$puppetserver/files/puppet-2.6.13.tar.gz",

}

---------------

重启poppetmaster服务

# service poppetmaster restart

(client):

执行更新命令

# puppetd --test --server server.example.com

此处“$puppetserver”是puppet Server端的名称,即本机hostname,网上教程都是在hosts里

指定,生产环境下建议用内部的DNS上作解析

3.修改文件属性:

实例:把/tmp/puppet-2.6.13.tar.gz文件的权限改为puppet用户,并设置权限为777。

(server):

# vi /etc/puppet/manifests/site.pp

在source后添加:

---------------

file { "/tmp/puppet-2.6.13.tar.gz":

          source => "puppet://$puppetserver/files/puppet-2.6.13.tar.gz",

          owner => "puppet",

          group => "puppet",

          mode => 777,

  }

--------------

重启poppetmaster服务

# service poppetmaster restart

(client):

执行更新命令

# puppetd --test --server server.example.com

4.执行SHELL命令或shell脚本:

实例:通过puppet分发执行shell脚本,在客户端的/tmp目录下执行test.sh脚本,该脚本实现在本目录创建一个testfile文件。

(server):

首先创建一个shell脚本test.sh,并保存在/etc/puppet/fileserver.conf配置文件中设置

的/root目录下

# cd /root

# vi test.sh

---------------

#!/bin/bash

/bin/touch /tmp/testfile

---------------

重启poppetmaster服务

# service poppetmaster restart

(client):

执行更新命令

# puppetd --test --server server.example.com

设置文件分发和权限分配:

# vi /etc/puppet/manifests/site.pp

添加到node default{}内:

----------------

file { "/tmp/test.sh":

          source => "puppet://$puppetserver/files/test.sh",

          owner => "puppet",

          group => "puppet",

          mode => 755,

  }

exec { "exec-mkdir":

          cwd => "/tmp",

          command => "sh /tmp/test.sh",

          user => "puppet",

          path => "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin",

  }

----------------

重启poppetmaster服务

# service poppetmaster restart

(client):

执行更新命令

# puppetd --test --server server.example.com

# ll /tmp

----------------------

.....

-rw-r--r--  1 puppet root         0 5月  22 09:28 testfile

-rwxr-xr-x  1 puppet puppet      37 5月  22 09:28 test.sh

----------------------

5.服务启动及关闭:


可以通过puppet对一些服务进行重启,状态等操作。puppet是通过service命令操作的。所以,只能针对在/etc/init.d/目录下的服务

实例:把客户端的iptables服务关闭,并把nfs服务启动

# vi /etc/puppet/manifests/site.pp

添加到node default{}内:

---------------------

service {

           "postfix":

            ensure => stopped;

           "nfs":

            ensure => running;

          }

--------------------

重启poppetmaster服务

# service poppetmaster restart

(client):

执行更新命令

# puppetd --test --server server.example.com

6.cron计划任务:

接上面的shell程序实例,在10:27执行test.sh

# vi /etc/puppet/manifests/site.pp

添加到node default{}内:

-----------------

cron { "cron-shell":

           command => "sh /tmp/test.sh",

           user => "puppet",

           minute => "27",

           hour => "10"

  }

-----------------

(client):

执行更新命令

# puppetd --test --server server.example.com

声明: 本文采用 CC BY-NC-SA 3.0 协议进行授权
转载请注明来源:DevOps技术分享
]]> http://www.showerlee.com/archives/345/feed 0 Centos6.3下Puppet安装配置笔记 http://www.showerlee.com/archives/343 http://www.showerlee.com/archives/343#comments Sat, 24 Aug 2013 12:12:46 +0000 showerlee http://www.showerlee.com/?p=343 ----------闲扯---------------  

最近抽空研究了下据说是圈里运维利器的国外开源软件puppet,原本是想搞一个最新版本编译的整合文档,最后在调试过程中各种报错,google下老外的文章,说是最新版本间存在很多不兼容的情况,后来果断放弃,找到了一个能兼容的版本,并测试成功,前后折腾了2天,真够坑的,现在把自己的心得整合成文档,供大家分享。

---------惯例,开搞----------

系统环境:centos6.3

puppet:   puppet-2.7.13

facter:   facter-1.6.5

ruby:     yum源

注:

facter用来获取客户端系统信息(如hostname,ip,OS-Version,fqdn等)

ruby是puppet的开发环境

puppet server: 192.168.7.196

puppet client: 192.168.7.197

(server)为仅服务器端配置

(client)为仅客户器端配置

(server,client)为服务器端与客户端配置

一.配置环境(server,client):

1.关闭iptables和selinux(server,client)

# service iptables stop

# setenforce 0

# vi /etc/sysconfig/selinux

---------------

SELINUX=disabled

---------------

2.安装ruby开发环境(centos6.3默认更新源)(server,client)

# yum -y install ruby*

3.计划同步时间:(server,client)

每5分钟同步一次时间

# crontab -e

-------------

*/5 * * * * /usr/sbin/ntpdate -u asia.pool.ntp.org

-------------

# service crond restart

# chkconfig crond on

4.修改服务器及客户端HOST及主机名:

(server,client)

# vi /etc/hosts

-------------------

192.168.7.196    server.example.com    server

192.168.7.197    client.example.com    client

-------------------

(server)

# vi /etc/sysconfig/network

----------------

HOSTNAME=server.example.com

----------------

(client)

# vi /etc/sysconfig/network

----------------

HOSTNAME=client.example.com

----------------

二.安装应用软件(server,client)

(server):

1.安装facter:

# wget http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz

# tar zxvf facter-1.6.5.tar.gz

# cd facter-1.6.5

# ruby install.rb

2.安装puppet:

# wget http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz

# tar zxvf puppet-2.6.13.tar.gz

# cd puppet-2.6.13

# ruby install.rb

# cp conf/auth.conf /etc/puppet/

# cp conf/redhat/fileserver.conf /etc/puppet/

# cp conf/redhat/puppet.conf /etc/puppet/

# mkdir -p /etc/puppet/manifests

设置开机启动脚本:

# cp conf/redhat/server.init /etc/init.d/puppetmaster

# chmod +x /etc/init.d/puppetmaster

# chkconfig --add puppetmaster

# chkconfig puppetmaster on

生成pupput用户:

# puppetmasterd --mkusers

启动puppetmaster服务(端口:8140):

# service puppetmaster start

(client):

1.安装facter:

# wget http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz

# tar zxvf facter-1.6.5.tar.gz

# cd facter-1.6.5

# ruby install.rb

2.安装puppet:

# wget http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz

# tar zxvf puppet-2.6.13.tar.gz

# cd puppet-2.6.13

# ruby install.rb

# cp conf/auth.conf /etc/puppet/

# cp conf/namespaceauth.conf /etc/puppet/

# cp conf/redhat/puppet.conf /etc/puppet/

设置开机启动脚本:

# cp conf/redhat/client.init /etc/init.d/puppet

# chmod +x /etc/init.d/puppet

# chkconfig --add puppet

# chkconfig puppet on

# vi /etc/puppet/puppet.conf

在[agent]条目下添加以下内容:

-------

Listen = true

Server = server.example.com

--------

# vi /etc/puppet/namespaceauth.conf

修改成以下内容:

---------

[fileserver]

allow *

[puppetmaster]

allow *

[puppetrunner]

allow *

[puppetbucket]

allow *

[puppetreports]

allow *

[resource]

allow *

---------

生成pupput用户:

# puppetmasterd --mkusers

启动puppet服务(端口:8140):

# /etc/init.d/puppet start

至此安装完毕,现在需要配置客户端与服务器端的认证连接,从而将服务器端的配置的内容分发到各个客户端,实现集中配置管理。

三.认证并分发:


(client):

客户端发送请求

# puppetd --test --server server.example.com

报错:

--------------------

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0

state=SSLv3 read server certificate B: certificate verify failed

warning: Not using cache on failed catalog

err: Could not retrieve catalog; skipping run

--------------------

解决方法:

这可能是换了不同的两台puppetmaster服务器引起的。解决方法,删除现有ssl证书。

# find /var/lib/puppet -type f -print0 |xargs -0r rm

重新发送请求:

# puppetd --test --server server.example.com

-------------------

info: Creating a new SSL key for client.example.com

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for ca

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

info: Creating a new SSL certificate request for client.example.com

info: Certificate Request fingerprint (md5):

32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

Exiting; no certificate found and waitforcert is disabled

-------------------

发送成功。

(server):

服务器端查看是否有请求证书的客户端服务器

# puppetca --list

------------------

client.example.com (32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99)

------------------

收到客户端认证信息

服务器端对client.example.com签名

# puppetca -s client.example.com

或对所有客户端全部签名

# puppetca -s -a

查看验证签名,注意前面的+号,说明已经签名

# puppetca -a --list

---------------------

+ client.example.com (19:6F:4C:84:B1:69:16:3C:A1:38:C2:2E:6F:B6:67:12)

---------------------

md5验证服务器端收到的证书是否正确

(server):

# md5sum /var/lib/puppet/ssl/ca/signed/client.example.com.pem

---------------------

1ebfd47775ec8f3e2ae112d75ccba132 /var/lib/puppet/ssl/ca/signed/client.example.com.pem

---------------------

(client):

# md5sum /var/lib/puppet/ssl/certs/client.example.com.pem

---------------------

1ebfd47775ec8f3e2ae112d75ccba132  /var/lib/puppet/ssl/certs/client.example.com.pem

---------------------

MD5值相同,说明我们的puppetmaster和客户端的puppet已经成功建立通信

注:出现修改主机名问题引起无法认证,需要重新申请证书,操作可以按照如下两个步骤:

(server):

# rm -rf /var/lib/puppet/ssl/ca/signed/*.pem  // "*.pem"为修改过主机名的证书

(client):

# rm -rf /var/lib/puppet/ssl/

配置完毕,开始验证分发效果:

(server):

修改server端配置文件:

# vi /etc/puppet/manifests/site.pp

-----------------

node default{

  file { "/tmp/test":

          content=> "this is a test file";

}

}

-----------------

重启puppetmaster,更新配置文件信息。

# service puppetmaster restart

(client):

重启puppet(可不用重启)

# service puppet restart

同步文件:

# puppetd --server server.example.com  --test

------------------

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for client.example.com

info: Caching certificate_revocation_list for ca

info: Caching catalog for client.example.com

info: Applying configuration version '1369124449'

notice: /Stage[main]//Node[default]/File[/tmp/test]/ensure: defined content as '{md5}100b144907af2a4786003758a0a6a563'

info: Creating state file /var/lib/puppet/state/state.yaml

notice: Finished catalog run in 0.02 seconds

------------------

查看/tmp/test文件及文件内容

# cat /tmp/test

-----------

this is a test file

-----------

-----------大功告成-------------

puppet的具体功能模块这里就不做过多阐述

相应文档详见传送门:http://www.showerlee.com/archives/345

声明: 本文采用 CC BY-NC-SA 3.0 协议进行授权
转载请注明来源:DevOps技术分享
]]> http://www.showerlee.com/archives/343/feed 0