CentOS 7 64-bit, Puppet 5 installation notes


Installation environment: CentOS 7 64-bit, Puppet 5.

 

1. Install the master
Find the yum repository to install on Puppet's website: https://puppet.com/docs/puppet/5.5/puppet_platform.html#yum-based-systems

sudo rpm -Uvh https://yum.puppet.com/puppet5/puppet5-release-el-7.noarch.rpm
 
yum install puppetserver
 
systemctl start puppetserver

systemctl enable puppetserver

  

Confirm that port 8140 is listening. This is the HTTPS port the agents connect to, so if firewalld is active on the master it has to be opened there as well.

2. The agent also needs the yum repository, from the same address as above. The packages install under /opt/puppetlabs/bin, which is why some commands below are written with that full path.

sudo yum install puppet-agent

  

3. Get the agent and the master to authenticate each other

a. Make sure both master and agent have a proper FQDN: set it in /etc/hostname and /etc/hosts (e.g. server1.example.com), check it again with hostname -f, and make sure each host can ping the other by name. The agent's certificate is issued for that name, so settle on it before the first agent run.

b. Keep the clocks of master and agent in sync with NTP; certificate validity checks fail on a skewed clock.

 

4. puppet agent configuration

[root@server2 ~]# vi /etc/puppetlabs/puppet/puppet.conf 

[main]
certname = server2.example.com
server = server1.example.com
runinterval = 60

certname is the agent's host name and server is the master's host name. A runinterval without a unit is in seconds, so 60 here means a run every minute, which is only sensible while testing. Below is the configuration from another site; the main difference is the added environment option:

[main]
certname = client.itzgeek.local
server = server.itzgeek.local
environment = production
runinterval = 1h

Run puppet agent -t on the agent to test whether it can reach the master; the agent creates its key and submits a certificate signing request to the master:

[root@server2 ~]# puppet agent -t
Info: Creating a new SSL key for server2.example.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for server2.example.com
Info: Certificate Request fingerprint (SHA256): 51:2D:9E:00:47:4C:AA:23:5B:36:25:8B:ED:F0:71:96:FC:1B:18:05:CD:6D:36:52:C9:56:E1:0D:7D:A4:38:EA
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

On the master, list the pending certificate requests; the entry shown is the request that came in from the agent:

[root@server1 ~]# puppet cert list
  "server2.example.com" (SHA256) 51:2D:9E:00:47:4C:AA:23:5B:36:25:8B:ED:F0:71:96:FC:1B:18:05:CD:6D:36:52:C9:56:E1:0D:7D:A4:38:EA

Sign the request with the command below. Compare the fingerprint shown here with the one the agent printed in its own puppet agent -t output first: the master is about to hand this host a certificate that lets it fetch catalogs, so a request whose fingerprint you cannot match should be cleaned, not signed.

[root@server1 ~]# puppet cert sign server2.example.com
Signing Certificate Request for:
  "server2.example.com" (SHA256) 51:2D:9E:00:47:4C:AA:23:5B:36:25:8B:ED:F0:71:96:FC:1B:18:05:CD:6D:36:52:C9:56:E1:0D:7D:A4:38:EA
Notice: Signed certificate request for server2.example.com
Notice: Removing file Puppet::SSL::CertificateRequest server2.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/server2.example.com.pem'  

If there are several agent nodes, all pending requests can be signed at once:

/opt/puppetlabs/bin/puppet cert sign --all

This signs every request in the queue, including any from hosts you did not expect, so check the output of puppet cert list before using it.

On the master, the following command revokes and removes an agent's certificate (the certname argument is required):

/opt/puppetlabs/bin/puppet cert clean server2.example.com

After cleaning, the agent must also delete its own copy under /etc/puppetlabs/puppet/ssl before it can request a new certificate; otherwise it keeps presenting the old one.

Run the test command on the agent again:

[root@server2 ~]# puppet agent -t
Info: Caching certificate for server2.example.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for server2.example.com
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for server2.example.com
Info: Applying configuration version '1522307153'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.01 seconds

 
Starting the agent as a service:

root@server3:~# puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}

The puppet agent now runs as a daemon and checks in with the master every runinterval.


5. Test

manifests/site.pp defines what is pushed to the agents.

[root@server1 ~]# vi /etc/puppetlabs/code/environments/production/manifests/site.pp

node 'server2.example.com' {     # applies only to the named node; without a node block, to all nodes
  file { '/tmp/puppetesttdir':   # resource type: file
    ensure => 'directory',       # create as a directory
    owner  => 'root',            # ownership
    group  => 'root',            # group name
    mode   => '0755',            # directory permissions
  }
}

node names the agent the block applies to, i.e. it states what that agent should do; file declares a file resource to create, and the lines beneath it are the file's attributes.

Test on the agent:

[root@server2 ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for server2.example.com
Info: Applying configuration version '1522364471'
Notice: /Stage[main]/Main/Node[server2.example.com]/File[/tmp/puppetesttdir]/ensure: created
Notice: Applied catalog in 0.02 seconds

If all went well there is a new directory under /tmp with exactly the attributes set above.

 


  

6. Manifests live in /etc/puppetlabs/code/environments/production/manifests. This is the first directory Puppet looks at, and the *.pp files in it are the first code Puppet evaluates.

node 'server2.example.com' {   # target: the server2 node
  package { 'httpd':           # install the httpd package
    ensure => installed,       # check whether it is installed; install it if not
  }
  service { 'httpd':           # manage the httpd service (keyword: service)
    ensure => running,         # start httpd
    enable => true,            # start httpd automatically at boot
  }
}

The block above is a simple operation on the server2 node; anything more complex is done with modules and classes.

manifests/ holds the module's Puppet code: what the module does and how it is pushed to agents is defined here.
files/ is the static file directory.
Any file { } resource in manifests/ that needs to ship a file (for example an ssh public key) takes it from this files/ directory, referenced as puppet:///modules/<module name>/<file>.
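As an added example that is not part of the original post: a complete module class that combines package, file and service with explicit ordering, so the config file is shipped from the module's files/ directory and the service restarts when that file changes. The module name webserver, the file httpd.conf in its files/ directory and the node name are assumptions for illustration.

```puppet
# Added example, not from the original post. Assumed names: module 'webserver',
# file modules/webserver/files/httpd.conf, node server2.example.com.
class webserver {
  package { 'httpd':
    ensure => installed,
  }

  # Config file shipped from the module's files/ directory.
  # require: the package must be installed first so /etc/httpd/conf exists.
  # notify:  whenever this file changes, the service is restarted.
  # 0644 root:root means only root can change what httpd loads at start.
  file { '/etc/httpd/conf/httpd.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => 'puppet:///modules/webserver/httpd.conf',
    require => Package['httpd'],
    notify  => Service['httpd'],
  }

  service { 'httpd':
    ensure  => running,
    enable  => true,
    require => Package['httpd'],
  }
}

# site.pp: include is the usual way to declare a class that takes no parameters
node 'server2.example.com' {
  include webserver
}
```

Put the class in modules/webserver/manifests/init.pp and the config in modules/webserver/files/httpd.conf, then run puppet agent -t on server2 twice: the second run should change nothing, which is the check that the manifest is idempotent.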

 

node default {
 
}

default applies to every node, but a node that matches its own node block does not also get the contents of default (tested).

 

7. Puppet resources:

puppet resource -e package openssl    # shows the installed package as Puppet code, including its version; -e (--edit) opens that output in an editor and applies whatever you save, without -e it is only printed

# centos
package { 'openssl':
  ensure => '1:1.0.2k-8.el7',
}

#ubuntu
package { 'openssl':
  ensure => '1.0.2g-1ubuntu4.10',
}
 
      
# on CentOS
[root@server2 ~]# puppet resource service

service { 'httpd.service':
  ensure => 'running',
  enable => 'true',

.....

# on Ubuntu
root@server3:~# puppet resource service

service { 'apache2':
  ensure => 'running',
  enable => 'true',

.....
 
      
puppet resource user root          # current state of one user as Puppet code
puppet describe service            # shows the parameters the service type accepts
puppet describe --list             # lists all resource types Puppet knows

 

[root@server1 ~]# puppet describe --list
These are the types known to puppet:
anchor          - A simple resource type intended to be used as ...
augeas          - Apply a change or an array of changes to the  ...
computer        - Computer object management using DirectorySer ...
cron            - Installs and manages cron jobs
exec            - Executes external commands
file            - Manages files, including their content, owner ...
file_line       - Ensures that a given line is contained within ...
filebucket      - A repository for storing and retrieving file  ...
group           - Manage groups
host            - Installs and manages host entries
interface       - This represents a router or switch interface
k5login         - Manage the `.k5login` file for a user
macauthorization - Manage the Mac OS X authorization database
mailalias       - .. no documentation ..
maillist        - Manage email lists
.......

 

puppet describe user (shows the attributes of the user type); puppet describe -s user (short form: attributes only, one line each)

 

 

File:
content =>          file contents written verbatim, like echo 'xxx' > yyy
target =>           with ensure => link, the path the symlink points to
source =>           where the content comes from: a puppet:/// URL into a module's files/ directory, a local path, or an http(s) URL (plain http gives no integrity, so prefer the module path or https)
notify => Service['mysql']   triggers a refresh of the named resource; here the service restarts whenever the file changes
owner =>            owner
group =>            group
mode => '0644'      permissions (always quoted as a string)
ensure =>           directory, link, file (or absent)
recurse => true     manage the whole directory tree, e.g. copy everything below the source directory

class motd {
  file { '/etc/motd':
    owner => 'root',
    group => 'root',
    mode => '0644',
    source => "puppet:///modules/motd/motd.txt"
  }
}


# /etc/puppetlabs/code/environments/production/modules/motd/files/motd.txt

 

[root@server1 mystuff]# ls
manifests  templates


class mystuff::html {
  file { '/var/www/html/index.html':
    content => template('mystuff/index.html.erb')
  }
}
# html.pp under manifests/: template() renders modules/mystuff/templates/index.html.erb

 

Package:
ensure => installed        install the package
ensure => absent           remove the package
ensure => '1.0.2g-ubuntu'  install a specific version (the string must match the package manager's version format exactly)
ensure => latest           install the newest version the repository offers (every run may upgrade it)
provider => gem            choose a package provider other than the OS default (yum, apt), here Ruby gems

puppet resource package openssl    # prints the installed package, including its version, as Puppet code

package { 'openssl':
  ensure => '1:1.0.2k-8.el7',
}
 

Services:
puppet describe service    lists every attribute the service type accepts
puppet describe --list

ensure => running          the service must be running
enable => true             start the service at boot
hasstatus => true,false    true (the default): ask the init system (systemctl status) whether the service runs; false: Puppet searches the process table (ps) for the process instead
pattern => 'ntpd'          when hasstatus is false and the process name differs from the service name, pattern gives the name to look for in the process table

restart => '/bin/echo restarting >> /tmp/debug.log && systemctl restart ntp'   custom restart command; here it writes a log line and then restarts the service

User
ensure => present      the user must exist; absent removes the user
gid => 3000            primary group id
uid => 3001            user id
home => '/home/user'   home directory
shell => '/bin/bash'   login shell; /usr/sbin/nologin for accounts that must not log in
groups => ['devs']     supplementary groups (the original note left open whether other memberships survive: with the default membership => minimum they do, membership => inclusive removes every group not listed)

SSH keys
purge_ssh_keys => true   on a user resource: remove every entry in that user's authorized_keys that is not managed by an ssh_authorized_key resource

Cron
ensure => absent       absent removes the cron job
command => '/usr/local/bin/run-puppet'   command to run
hour => '*'            * means every hour
hour => fqdn_rand(24, 'run daily backup sync')   a per-host number from 0 to 23 that is stable across runs, so hosts spread their jobs instead of all starting at once
minute => '*/15'       together with hour => '*', run the run-puppet script every 15 minutes
user => 'ubuntu'       user to run as
environment => ['[email protected]', 'PATH=/bin']   environment variables for the job
weekday => ['Saturday', 'Sunday']   run on Saturday and Sunday

Exec
cwd => '/tmp'          working directory, like cd first (current working directory)
command => '/tmp/generator/configure && /usr/bin/make install'   the command to run (absolute paths are required unless path is set)
creates => '/usr/local/bin/cat-picture-generator'   run the command only if this path does not exist yet; this is what makes the exec idempotent
user => 'ubuntu'       run as the ubuntu user
onlyif => '/bin/ls /tmp/incoming/*'   run the command only if this check exits 0 (echo $?)
unless => '/bin/ls /tmp/incoming/*'   the opposite: run the command only if this check exits non-zero
refreshonly => true    never run on an ordinary catalog run; run only when another resource notifies it or it subscribes to one (the original note marks this as not fully understood)
timeout =>             seconds after which the command is killed and the exec fails
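The user, SSH key, cron and exec attributes listed above, combined into one class as an added example (not code from the original post). The account name deploy, the placeholder public key, the tarball /opt/src/backup-tool.tgz and the script /usr/local/bin/run-backup are assumptions; replace them with your own.

```puppet
# Added example, not from the original post. 'deploy', the key data, the
# tarball and the run-backup script are assumed placeholders.
class hardened_account {
  group { 'deploy':
    ensure => present,
    gid    => 3000,
  }

  user { 'deploy':
    ensure         => present,
    uid            => 3001,
    gid            => 'deploy',
    home           => '/home/deploy',
    managehome     => true,
    shell          => '/bin/bash',
    groups         => ['devs'],
    membership     => inclusive,   # remove the user from any group not listed here
    purge_ssh_keys => true,        # drop authorized_keys entries Puppet does not manage
    require        => Group['deploy'],
  }

  # The only key that survives purge_ssh_keys. The options restrict what the
  # key holder can do over SSH. Key data is a constructed placeholder.
  ssh_authorized_key { 'deploy@laptop':
    ensure  => present,
    user    => 'deploy',
    type    => 'ssh-ed25519',
    key     => 'AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataReplaceMe00000000000000',
    options => ['no-port-forwarding', 'no-agent-forwarding', 'no-X11-forwarding'],
    require => User['deploy'],
  }

  # creates: run only while the result is missing, so the exec is idempotent.
  exec { 'install-backup-tool':
    command => '/bin/tar -xzf /opt/src/backup-tool.tgz -C /usr/local',
    cwd     => '/opt/src',
    creates => '/usr/local/bin/run-backup',
    path    => ['/bin', '/usr/bin'],
    user    => 'root',
    timeout => 300,
  }

  # onlyif: run only when the check exits 0. The glob needs a shell, hence
  # provider => shell; the default provider does not expand wildcards.
  exec { 'archive-incoming':
    command  => '/bin/tar -czf /home/deploy/incoming.tgz /tmp/incoming',
    onlyif   => '/bin/ls /tmp/incoming/*',
    provider => shell,
    user     => 'deploy',
  }

  # refreshonly: never runs on its own, only when the key resource changes.
  exec { 'log-key-change':
    command     => '/bin/logger -t puppet "authorized_keys for deploy changed"',
    refreshonly => true,
    subscribe   => Ssh_authorized_key['deploy@laptop'],
  }

  # fqdn_rand spreads the job over the day with a per-host, stable time.
  cron { 'run-backup':
    ensure  => present,
    command => '/usr/local/bin/run-backup',
    user    => 'deploy',
    hour    => fqdn_rand(24, 'run daily backup'),
    minute  => fqdn_rand(60, 'run daily backup'),
    weekday => ['Saturday', 'Sunday'],
    require => Exec['install-backup-tool'],
  }
}
```

Declare the class from a node block in site.pp. On the first run Puppet creates the group, user and key, unpacks the tool and installs the cron entry; on later runs only a changed key line triggers anything, and that change is logged by the refreshonly exec.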

 

8. Puppet variables

The facter command shows the current system's facts; they can be used in if statements and the like (if osfamily == 'RedHat' ...).

[root@server1 ~]# facter osfamily
RedHat
[root@server1 ~]# facter ipaddress
192.168.2.181
[root@server1 ~]# facter hostname
server1

  

Variables:              a variable can hold a string, number or boolean
$php_package = 'php7.0-cli'
$answer = 42
$scheduled = true
$my_name = 'John'
notice("Hello, ${my_name}! It's great to meet you!")


Booleans:
enable => true

 

Arrays:
$heights = [192, 120, 181, 164, 172]
$first_height = $heights[0]

$dependencies = ['php7.0-cgi', 'php7.0-cli', 'php7.0-common', 'php7.0-gd', 'php7.0-json',]
package { $dependencies :
  ensure => installed,
}


$admintools = ['git', 'nano', 'screen']
package { $admintools:
  ensure => 'installed',
}

  




Hashes:    key => value pairs, like a dict
$heights = {
  'john'    => 192,
  'rabiah'  => 120,
  'abigail' => 181,
  'melina'  => 164,
  'sumiko'  => 172,
}
notice("John's height is ${heights['john']}cm.")

$attributes = {
  'owner' => 'ubuntu',
  'group' => 'ubuntu',
  'mode'  => '0644',
}

file { '/tmp/test':
  ensure => present,
  *      => $attributes,   # the splat operator sets every key of the hash as an attribute
}
is equivalent to
file { '/tmp/test':
  ensure => present,
  owner  => 'ubuntu',
  group  => 'ubuntu',
  mode   => '0644',
}

 

$ntpservice = $osfamily ? {
  'redhat' => 'ntpd',
  'debian' => 'ntp',
  default  => 'ntp',
}

service { $ntpservice:
  ensure => 'running',
  enable => true,
}

# example: choose the service name by operating system with a selector (string matching is case-insensitive, so 'redhat' matches the fact value 'RedHat'; the fallback must be the bare word default, a quoted 'default' is just a string)

  


Regular expressions:
$candidate = 'foo'
notice($candidate =~ /foo/)    =~ is the regex match operator

if statements:

case statements:

facts built-in mechanism:     the built-in facts hash
notice($facts['kernel'])      the kernel of the system
notice($::kernel)             the old-style top-scope variable for the same fact
$facts['os']                  a hash with architecture, distro, family, hardware, name, release, selinux
notice($facts['os']['architecture'])
notice($facts['os']['distro']['codename'])
$facts['os']['release']['major']     used very often

if $facts['os']['selinux']['enabled'] {
  notice('SELinux is enabled')
} else {
  notice('SELinux is disabled')
}

checks whether SELinux is enabled

$buffer_pool = $facts['memory']['system']['total_bytes'] * 3/4
notice("innodb_buffer_pool_size=${buffer_pool}")

derives a MySQL innodb buffer pool size from system memory

$facts['memory']['system']['total_bytes']

total system memory in bytes

notice("My hostname is ${facts['hostname']}")
notice("My FQDN is ${facts['fqdn']}")
notice("My IP is ${facts['networking']['ip']}")

$facts['hostname']

network-related facts
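As an added example that is not part of the original post, and to fill in the if and case statement headings left empty above: a class that drives package and service names from facts with a case statement, fails early on an OS family it does not know, checks SELinux with an if, and derives a buffer size from system memory. The class name and the config path /etc/my.cnf.d/buffer.cnf (the directory exists once MariaDB is installed on CentOS 7) are assumptions.

```puppet
# Added example, not from the original post. Class name and the
# /etc/my.cnf.d/buffer.cnf path are assumptions.
class ntp_by_family {
  # case on a fact: conditionals do not open a new scope, so the variables
  # set in a branch are visible below.
  case $facts['os']['family'] {
    'RedHat': {
      $ntp_package = 'ntp'
      $ntp_service = 'ntpd'
      # CentOS 7 ships chrony by default; ntp is still in the base repo.
      if $facts['os']['release']['major'] != '7' {
        warning("untested on ${facts['os']['name']} ${facts['os']['release']['major']}")
      }
    }
    'Debian': {
      $ntp_package = 'ntp'
      $ntp_service = 'ntp'
    }
    default: {
      # Refuse to guess on an unknown platform rather than manage the wrong service.
      fail("unsupported OS family ${facts['os']['family']}")
    }
  }

  package { $ntp_package:
    ensure => installed,
  }

  service { $ntp_service:
    ensure  => running,
    enable  => true,
    require => Package[$ntp_package],
  }

  # Nested facts are read with nested hash lookups.
  if $facts['os']['selinux']['enabled'] {
    notice('SELinux is enabled, leaving it on')
  } else {
    warning('SELinux is disabled on this node')
  }

  # 3/4 of system memory, written into a config fragment.
  $buffer_pool = $facts['memory']['system']['total_bytes'] * 3 / 4
  file { '/etc/my.cnf.d/buffer.cnf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "[mysqld]\ninnodb_buffer_pool_size=${buffer_pool}\n",
  }

  # Regex match on a fact value.
  if $facts['networking']['ip'] =~ /^192\.168\./ {
    notice("private address ${facts['networking']['ip']}")
  }
}
```

Declare the class from a node block and run puppet agent -t: on the CentOS 7 agent from these notes the RedHat branch is taken and the ntpd service is managed; on a Debian agent the ntp service is, and on anything else the run aborts with the fail() message before any resource is touched.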


9. Classes & modules (directory layout)

data  environment.conf  hiera.yaml  manifests  modules

./data:

./manifests:
site.pp

./modules:
motd

./modules/motd:
manifests

./modules/motd/manifests:
init.pp

init.pp is the module's default file; the class in it carries the module's name.

class linux {
  package { 'ntp':
    ensure => 'installed',
  }
}

node 'wiki' {
  class { 'linux': }
}

 


Example 1:

# modules/motd/manifests/init.pp
class motd {
  file { '/etc/motd':
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => inline_template("The current $osfamily time is <%= Time.now %>\n")
  }
}

# modules/motd/manifests/crabby.pp, a second class in the motd module
class motd::crabby {
  notify { "Knife Crab is the best": }
}

# the main manifests/site.pp
node default {
  class { 'motd': }
  class { 'motd::crabby': }
}

motd::crabby: crabby is a class inside the motd module; the name motd::crabby maps to the file manifests/crabby.pp of that module.

Example 2:

[root@server1 modules]# ls -R
.:
motd  mystuff

./motd:
manifests

./motd/manifests:
crabby.pp  init.pp

./mystuff:
manifests

./mystuff/manifests:
init.pp  vim.pp

# mystuff/manifests/init.pp
class mystuff {

  notify { "I'm installing stuff like you wanted me to sir": }

  include mystuff::vim

}

# mystuff/manifests/vim.pp
class mystuff::vim {

  package { 'vim':
    ensure => 'latest'
  }

}

# site.pp
node default {
  class { 'motd': }
  class { 'mystuff': }
}

 

例子3:

class mystuff::apache {
  if $osfamily == 'redhat' {
     package { 'httpd':
       ensure => latest
     }
     service { 'httpd':
       ensure => running,
       enable => true,
     }
  }
  elsif $osfamily == 'debian' {
     package { 'apache2':
       ensure => latest
     }
     service { 'apache2':
       ensure => running,
       enable => true,
     }
  }
}

# add a file apache.pp under mystuff/manifests with this class
class mystuff {

notify { "I'm installing stuff like you wanted me to sir": }

include mystuff::vim
include mystuff::apache

}

# add include mystuff::apache to init.pp; everything else stays the same

  

10. Puppet Forge
https://forge.puppetlabs.com   download Puppet modules here

[root@server1 manifests]# ls
apache.pp  html.pp  init.pp  vim.pp
[root@server1 manifests]# vi html.pp 
[root@server1 manifests]# puppet module list
/etc/puppetlabs/code/environments/production/modules
├── motd (???)
└── mystuff (???)
/etc/puppetlabs/code/modules (no modules installed)
/opt/puppetlabs/puppet/modules (no modules installed)

Checking which modules are installed on the master ((???) means the module has no metadata.json with a version).

[root@server1 manifests]# puppet module search ntp
Notice: Searching https://forgeapi.puppet.com ...

[root@server1 manifests]# puppet module install puppetlabs-ntp 
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ puppetlabs-ntp (v7.1.1)
  └── puppetlabs-stdlib (v4.25.1)

Searching for and installing a Puppet module. A Forge module runs as root on every node that includes it, so prefer modules from the puppetlabs namespace or authors you trust, and pin the version (puppet module install puppetlabs-ntp --version 7.1.1) so a later install cannot silently pull in a different release.

node default {
  class { 'motd': }
  class { 'mystuff': }
  class { '::ntp': }
}

Finally, just load ntp in site.pp.

 

Notes:

While configuring the server I accidentally deleted the agent's authentication key, and after that could not add the agent no matter what. After reinstalling the system and regenerating the key I found that deleting the file at the path below on the server should allow the key to be generated again:

Notice: Removing file Puppet::SSL::CertificateRequest server3.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/server3.example.com.pem'

Posted on 2018-03-27 06:44 by ecwork

Reposted from: https://www.cnblogs.com/ecwork/p/8655284.html