Puppet安装部署入门版
puppet
简介
puppet官方网站: http://www.puppetlabs.com/
puppet中文wiki: http://puppet.chinaec2.com/
puppet中文论坛: http://www.puppetfans.com/
puppet是一种Linux、Unix平台的集中配置管理系统,所谓配置管理系统,就是管理机器里面诸如文件,用户,进程,软件包这些资源,其设计目标是简化对这些资源的管理以及妥善处理资源间的依赖关系
puppet使用一种描述性语言来定义配置项,配置项中被称为”资源”,描述性语言可以声明你的配置的状态---比如声明一个软件包应该被安装或者一个服务应该被启动
用puppet,可以运行一个服务器端,然后每个客户端通过ssl证书连接服务器,得到本机器的配置列表,然后更加列表的来完成配置工作,所以如果硬件配置好,在一天之内配置好上千上万台机器是很容易实现的事情,前提得大部分机器配置类似
在大规模的生成环境中,如果只有一台puppetmaster会忙不过来的,因为puppet是用ruby写的,ruby是解析型语言,每个客户端来访 问,都要解析一次,当客户端多了就忙不过来,所以需要扩展成一个服务器组。puppetmaster可以看作一个web服务器,实际上也是由ruby提供 的web服务器模块来做的。因此可以利用web代理软件来配合puppetmaster做集群设置
puppe项目主要开发者是Luke Kanies,目前是puppet labs CEO,puppet遵循GPLv2版权协议。从1997年开始Kanies参与UNIX的系统管理工作,Puppet的开发源于这些经验。因为对已有的配置工具不甚满意,从2001年到2005年间,Kanies开始在Reductive实验室从事工具的开发。很快,Reductive实验室发布了他们的旗舰产品――
与Luke Kanies谈Puppet工具:http://article.yeeyan.org/view/neilalaer/4629
puppet
系统架构
Puppet是开源的基于Ruby的系统配置管理工具,puppet是一个C/S结构, 当然,这里的C可以有很多,因此,也可以说是一个星型结构. 所有的puppet客户端同一个服务器端的puppet通讯.
每个puppet
客户端每半小时(
可以设置)
连接一次服务器端, 下载最新的配置文件,并且严格按照配置文件来配置服务器. 配置完成以后,puppet客户端可以反馈给服务器端一个消息. 如果出错,也会给服务器端反馈一个消息. 下图展示了一个典型的puppet配置的数据流动情况
puppet
工作流程
实验环境:
puppetmaster 10.13.89.165 lianglab.com
puppet 10.13.89.185 lianglab4.com
安装步骤:
由于centos最小化安装,需要yum一些常用工具
[root@lianglab ~]# yum install ntp vixie-cron wget vim-enhanced telnet
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.163.com
* extras: mirrors.163.com
* rpmforge: ftp.riken.jp
* updates: mirrors.163.com
Setting up Install Process
安装NTP同步时间,统一master和client上的时间
crontables(用来安装、卸装、或列举用来驱动 cron 守护进程的表格的程序)默认是安装的,可vixie-cron软件包是cron的主程序
wget下载安装文件
VI只默认安装了vim-minimal-7.x,所以无论是输入vi或者 vim查看文件,syntax功能都无法正常启用。因此需要用yum安装另外两个组件:vim-common-7.x和vim-enhanced- 7.x ,yum vim-enhanced-会自动下载关联vim-common
telnet只安装client,便于测试网络连通性
[root@lianglab soft]# chkconfig --level 35 ntpd on
[root@lianglab soft]# crontab -e
no crontab for root - using an empty one
10 5 * * * root /usr/sbin/ntpdate time.nist.gov ; /sbin/hwclock �Cw
#每天凌晨5点10分同步time.nist.gov,并将 Linux 时间写入 BIOS时
[root@lianglab soft]# service crond restart
[root@lianglab soft]# ntpdate pool.ntp.org;hwclock -w
15 Jun 11:27:31 ntpdate[4925]: adjust time server 180.153.100.115 offset 0.031925 sec
[root@lianglab soft]#
Puppet 要求所有机器有完整的域名(FQDN),如果没有 DNS 服务器提供域名的话,可以在两台机器上设置主机名(注意要先设置主机名再安装 Puppet,因安装 Puppet 时会把主机名写入证书,客户端和服务端通信需要这个证书):
[root@lianglab soft]# echo "10.13.89.185 lianglab4.com" >>/etc/hosts
[root@lianglab soft]# hostname
lianglab.com
[root@lianglab soft]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=lianglab.com
[root@lianglab soft]#
[root@lianglab soft]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search taobao.ali.com
nameserver 10.13.2.6
nameserver 10.1.23.6
[root@lianglab soft]#
--------------------------------------------------------------------------------------------------
安装ruby
由于puppet是由ruby语言编写,所以要安装ruby环境及库文件,命令帮助文件
[root@lianglab soft]# yum install ruby ruby-libs ruby-rdoc
安装facter
puppet资源下载点 http://downloads.puppetlabs.com/
facter是一个系统盘点工具,收集主机的一些资料,比如CPU,主机IP等,它收集到值发送给puppet服务器端,服务器端就可以根据不同的条件来对不同的节点机器生成不同的puppet配置文件
安装puppet之前必须先安装facter
[root@lianglab soft]# wget http://downloads.puppetlabs.com/facter/facter-1.6.8.tar.gz
--2013-06-15 12:15:55-- http://downloads.puppetlabs.com/facter/facter-1.6.8.tar.gz
正在解析主机 downloads.puppetlabs.com... 96.126.116.126, 2600:3c00::f03c:91ff:fe93:711a
Connecting to downloads.puppetlabs.com|96.126.116.126|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:119323 (117K) [application/x-gzip]
Saving to: `facter-1.6.8.tar.gz'
100%[===================================================>] 119,323 152K/s in 0.8s
2013-06-15 12:15:57 (152 KB/s) - `facter-1.6.8.tar.gz' saved [119323/119323]
[root@lianglab soft]#
[root@lianglab soft]#
[root@lianglab soft]# tar -zxvf facter-1.6.8.tar.gz
------省略--------
facter-1.6.8/conf/osx/PackageInfo.plist
facter-1.6.8/conf/osx/preflight
facter-1.6.8/bin/facter
[root@lianglab soft]# cd facter-1.6.8
[root@lianglab facter-1.6.8]# ruby install.rb
facter-1.6.8/conf/osx/PackageInfo.plist
facter-1.6.8/conf/osx/preflight
facter-1.6.8/bin/facter
[root@lianglab soft]# cd facter-1.6.8
[root@lianglab facter-1.6.8]# ruby install.rb
which: no rst2man.py in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
install -c -p -m 0755 /tmp/facter-binfile.27543.0 /usr/bin/facter
mkdir -p -m 755 /usr/lib/ruby/site_ruby/1.8
-------------省略-------------------
install -c -p -m 0644 lib/facter/util/plist/generator.rb /usr/lib/ruby/site_ruby/1.8/facter/util/plist/generator.rb
Loaded suite install
Started
Finished in 0.000588 seconds.
0 tests, 0 assertions, 0 failures, 0 errors
[root@lianglab facter-1.6.8]#
安装puppet
[root@lianglab facter-1.6.8]# cd ..
[root@lianglab soft]# wget
http://downloads.puppetlabs.com/puppet/puppet-2.7.14.tar.gz
--2013-06-15 12:21:13-- http://downloads.puppetlabs.com/puppet/puppet-2.7.14.tar.gz
正在解析主机 downloads.puppetlabs.com... 96.126.116.126, 2600:3c00::f03c:91ff:fe93:711a
Connecting to downloads.puppetlabs.com|96.126.116.126|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1898410 (1.8M) [application/x-gzip]
Saving to: `puppet-2.7.14.tar.gz'
100%[===================================================>] 1,898,410 474K/s in 4.4s
2013-06-15 12:21:18 (422 KB/s) - `puppet-2.7.14.tar.gz' saved [1898410/1898410]
[root@lianglab soft]#
[root@lianglab soft]# tar -zxvf puppet-2.7.14.tar.gz
[root@lianglab soft]# cd puppet-2.7.14
[root@lianglab puppet-2.7.14]# ruby install.rb
--------------省略-------------------
man/man8/puppet-doc.8 -> /usr/share/man/man8/puppet-doc.8
chmod 0644 /usr/share/man/man8/puppet-doc.8
man/man8/pi.8 -> /usr/share/man/man8/pi.8
chmod 0644 /usr/share/man/man8/pi.8
man/man8/puppet-describe.8 -> /usr/share/man/man8/puppet-describe.8
chmod 0644 /usr/share/man/man8/puppet-describe.8
man/man8/puppet-device.8 -> /usr/share/man/man8/puppet-device.8
chmod 0644 /usr/share/man/man8/puppet-device.8
man/man8/puppet-man.8 -> /usr/share/man/man8/puppet-man.8
chmod 0644 /usr/share/man/man8/puppet-man.8
man/man8/puppetca.8 -> /usr/share/man/man8/puppetca.8
chmod 0644 /usr/share/man/man8/puppetca.8
man/man5/puppet.conf.5 -> /usr/share/man/man5/puppet.conf.5
chmod 0644 /usr/share/man/man5/puppet.conf.5
[root@lianglab puppet-2.7.14]#
复制配置文件
[root@lianglab puppet-2.7.14]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@lianglab puppet-2.7.14]# cp conf/redhat/puppet.conf /etc/puppet/
[root@lianglab puppet-2.7.14]# cp conf/redhat/server.init /etc/init.d/puppetmaster
[root@lianglab puppet-2.7.14]#
添加puppet用户
[root@lianglab puppet-2.7.14]# groupadd puppet
[root@lianglab puppet-2.7.14]# useradd -g puppet -s /bin/false -M puppet
[root@lianglab puppet-2.7.14]#
验证一下安装是否成功
[root@lianglab puppet-2.7.14]# puppet master
[root@lianglab puppet-2.7.14]# ps -ef | grep puppet | grep -v grep
puppet 27781 1 0 12:30 ? 00:00:00 /usr/bin/ruby /usr/bin/puppet master
[root@lianglab puppet-2.7.14]#
[root@lianglab puppet-2.7.14]# kill 27781
[root@lianglab puppet-2.7.14]# ps -ef | grep puppet | grep -v grep
[root@lianglab puppet-2.7.14]#
设置puppetmaster为服务,并自动启动,确认puppetmaster是否有执行权限
将puppetmaster服务脚本添加为服务,并在3、5级别启动。
[root@lianglab puppet-2.7.14]# chmod 755 /etc/init.d/puppetmaster
[root@lianglab puppet-2.7.14]# chkconfig --add puppetmaster
[root@lianglab puppet-2.7.14]# chkconfig --level 35 puppetmaster on
[root@lianglab puppet-2.7.14]#
[root@lianglab puppet-2.7.14]# /etc/init.d/puppetmaster restart
停止 puppetmaster:[失败]
启动 puppetmaster:[确定]
[root@lianglab puppet-2.7.14]#
[root@lianglab puppet-2.7.14]# ps -ef | grep puppet | grep -v grep
puppet 27883 1 0 12:48 ? 00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd
[root@lianglab puppet-2.7.14]#
1)确认是否生成清单文件夹
[root@lianglab puppet-2.7.14]# ll /etc/puppet/
总计 16
-rw-r--r-- 1 root root 2552 06-15 12:22 auth.conf
-rwxr-xr-x 1 root root 381 06-15 12:23 fileserver.conf
drwxr-xr-x 2 root root 4096 06-15 12:30 manifests
-rwxr-xr-x 1 root root 853 06-15 12:23 puppet.conf
[root@lianglab puppet-2.7.14]#
2)确认系统生成puppet用户
[root@lianglab puppet-2.7.14]# cat /etc/passwd | grep puppet
puppet:x:503:504::/home/puppet:/bin/false
[root@lianglab puppet-2.7.14]#
3)保证/var/lib/puppet/rrd目录存在且属主是puppet
[root@lianglab puppet-2.7.14]# ll /var/lib/puppet/
总计 36
drwxr-x--- 2 puppet puppet 4096 06-15 12:30 bucket
drwxr-xr-x 2 root root 4096 06-15 12:30 facts
drwxr-xr-x 2 root root 4096 06-15 12:30 lib
drwxr-x--- 2 puppet puppet 4096 06-15 12:30 reports
drwxr-x--- 2 puppet puppet 4096 06-15 12:30 rrd
drwxr-x--- 2 puppet puppet 4096 06-15 12:30 server_data
drwxrwx--x 8 puppet root 4096 06-15 12:30 ssl
drwxr-xr-t 2 root root 4096 06-15 12:30 state
drwxr-x--- 2 puppet puppet 4096 06-15 12:30 yaml
====================================客户端配置=========================================
[root@lianglab4 ~]# echo "10.13.89.165 lianglab.com" >> /etc/hosts
[root@lianglab4 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 lianglab4.com lianglab4 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.13.89.165 lianglab.com
[root@lianglab4 ~]#
[root@lianglab4 ~]# hostname
lianglab4.com
[root@lianglab4 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=lianglab4.com
[root@lianglab4 ~]#
在客户端安装ruby facter puppet的步骤与服务端安装一样
yum install ruby ruby-libs ruby-rdoc
wget http://downloads.puppetlabs.com/facter/facter-1.6.8.tar.gz
tar -zxvf facter-1.6.8.tar.gz
cd facter-1.6.8
ruby install.rb
wget http://downloads.puppetlabs.com/puppet/puppet-2.7.14.tar.gz
tar -zxvf puppet-2.7.14.tar.gz
cd puppet-2.7.14
ruby install.rb
特别说明:请注意客户端和服务器端版本要一致。如果版本不一致的话,那么高版本的只能是puppet server,另一台只能作为puppet客户端,也就是说puppet 服务端的版本可以大于或者等于客户端版本,不可以小于
其中区别一些如下:
[root@lianglab4 puppet-2.7.14]# cp conf/redhat/client.init /etc/init.d/puppet
[root@lianglab4 puppet-2.7.14]# chkconfig --add puppet
[root@lianglab4 puppet-2.7.14]# chkconfig --level 35 puppet on
[root@lianglab4 puppet-2.7.14]# groupadd puppet
[root@lianglab4 puppet-2.7.14]# useradd -g puppet -s /bin/false -M puppet
[root@lianglab4 puppet-2.7.14]#
测试解析与puppetmaster端口是否畅通
[root@lianglab4 puppet-2.7.14]# telnet lianglab.com 8140
Trying 10.13.89.165...
Connected to lianglab.com (10.13.89.165).
Escape character is '^]'.
Connection closed by foreign host.
[root@lianglab4 puppet-2.7.14]#
[root@lianglab4 puppet-2.7.14]# /etc/init.d/puppet start
启动 puppet:Could not prepare for execution: Could not create PID file: /var/lib/puppet/run/agent.pid
[确定]
[root@lianglab4 puppet-2.7.14]#
puppetd --test --server lianglab.com命令是指puppetd 从 lianglab.com去读取
puppet配置文件. 第一次连接,双方会进行ssl证书的验证,这是一个新的客户端,在服务器端那里还没有被认证,因此需要在服务器端进行证书认证
以下这步批准证书是在服务端操作
A。我们要向服务器申请证书
[root@lianglab4 puppet-2.7.14]# puppetd --test --server lianglab.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for lianglab4.com
info: Certificate Request fingerprint (md5): 50:2D:89:E5:B8:6A:11:4A:6E:5D:AB:3F:47:21:A1:12
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
[root@lianglab4 puppet-2.7.14]#
B:服务端接受申请
[root@lianglab puppet-2.7.14]# puppetca --list #查看当前待批准证书列表
lianglab4.com (50:2D:89:E5:B8:6A:11:4A:6E:5D:AB:3F:47:21:A1:12)
[root@lianglab puppet-2.7.14]#
[root@lianglab puppet-2.7.14]# puppetca -s lianglab4.com #批准当前证书
notice: Signed certificate request for lianglab4.com
notice: Removing file Puppet::SSL::CertificateRequest lianglab4.com at '/var/lib/puppet/ssl/ca/requests/lianglab4.com.pem'
[root@lianglab puppet-2.7.14]#
查看验证签名,注意前面的+号,说明已经签名
[root@lianglab puppet-2.7.14]# puppetca -a --list
+ lianglab.com (71:46:13:EC:A1:FB:E2:43:57:6B:AA:14:CC:4B:0E:5E) (alt names: DNS:lianglab.com, DNS:puppet, DNS:puppet.com)
+ lianglab4.com (14:C3:F9:3C:7D:73:0B:08:CF:C4:1E:B6:71:7B:9C:A7)
[root@lianglab puppet-2.7.14]#
--------------------------------------------------------------------------------------------------
如果要批准全部证书
puppetca -s -a
也可以在puppetmaster端的puppet.conf加入这行:
autosign = true
服务端就自动签证书
--------------------------------------------------------------------------------------------------
C:回到客户端操作,从服务端取回已批准的证书
[root@lianglab4 puppet-2.7.14]# puppetd --test --server lianglab.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for
lianglab4.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for
lianglab4.com
info: Applying configuration version '1371275671'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.15 seconds
[root@lianglab4 puppet-2.7.14]#
注意:上文中的红色部分,生成证书时主界面会写入证书,如果生成证书后再更改主机名证书就失效了。
而且请不要用cliens类似简称名字,而应该用lianglab4.com这样全名申请证书,重新审批旧机器的新证书,
当申请到证书以后我们对比下这两个文件,他们的MD5值是一样的。
验证证书是否正确
服务端:
[root@lianglab puppet-2.7.14]# md5sum /var/lib/puppet/ssl/ca/signed/lianglab4.com.pem
4b059e3937cfee49ff98d5bd5557b2db /var/lib/puppet/ssl/ca/signed/lianglab4.com.pem
[root@lianglab puppet-2.7.14]#
客户端:
[root@lianglab4 puppet]# md5sum /md5sum /var/lib/puppet/ssl/certs/lianglab4.com.pem
4b059e3937cfee49ff98d5bd5557b2db /var/lib/puppet/ssl/certs/lianglab4.com.pem
------------------------------------------------------------------------------------------------
其实申请证书的过程就是服务器端生成证书,并发送到客户端的过程。
如果因为意外要重新给旧机器审批证书,我们需要做以下两点才可以重新注册。
出现修改主机名问题引起无法认证,需要重新申请证书,操作以下两个步骤:
puppetca --clean lianglab4.com #清除服务端的证书。
或者rm -rf /var/lib/puppet/ssl/ca/signed/lianglab4.com.pem删除已经注册给客户机“client.gongchang.com”的证书;
rm -rf /var/lib/puppet/ssl/ #客户端要删掉ssl目录。然后执行a、b、c三步。
服务端:
[root@server ca]# rm -rf /var/lib/puppet/ssl/ca/signed/client1.viong.com.pem
客户端:
[root@client1 puppet-2.7.14]# rm -rf /var/lib/puppet/ssl/
------------------------------------------------------------------------------------------------
功能测试-------------------------------------------------------
在服务器端新建一个/etc/puppet/manifests/site.pp文件,新建pp文件测试,puppet的第一个执行的代码是在/etc/puppet/manifest/site.pp因此这个文件必须存在,而且其他的代码也要通过代码来调用.
[root@lianglab puppet-2.7.14]# vi /etc/puppet/manifests/site.pp
node default {
file {"/tmp/Puppet_test.txt": #这是文件路径名;
content=>"This is test of PUPPET"; } #这是文件的内容;
}
上面的代码对默认连入的puppet客户端执行一个操作,在/tmp目录生成一个Puppet_test.txt文件,内容是goThis is test of PUPPET! 并自动回车换行
初次创建pp文件,需要重启puppetmaster
[root@lianglab puppet-2.7.14]# /etc/init.d/puppetmaster restart
停止 puppetmaster:[确定]
启动 puppetmaster:[确定]
[root@lianglab puppet-2.7.14]#
[root@lianglab puppet-2.7.14]# puppet /etc/puppet/manifests/site.pp #执行此命令使site.pp配置生效;
warning: Implicit invocation of 'puppet apply' by passing files (or flags) directly
to 'puppet' is deprecated, and will be removed in the 2.8 series. Please
invoke 'puppet apply' directly in the future.
notice: /Stage[main]//Node[default]/File[/tmp/Puppet_test.txt]/ensure: defined content as '{md5}d395f8aa0b8a631c726a9a3f411093c6'
notice: Finished catalog run in 0.04 seconds
[root@lianglab puppet-2.7.14]#
我们在回到客户端执行命令会得到如下提示信息:
[root@lianglab4 puppet]# puppetd --test --server lianglab.com
info: Caching catalog for lianglab4.com
info: Applying configuration version '1371277359'
notice: /Stage[main]//Node[default]/File[
/tmp/Puppet_test.txt]/ensure: defined content as '{md5}d395f8aa0b8a631c726a9a3f411093c6'
notice: Finished catalog run in 0.05 seconds
[root@lianglab4 puppet]#
[root@lianglab4 puppet]# cat /tmp/Puppet_test.txt
This is test of PUPPET
[root@lianglab4 puppet]#
设置客户端的守护进程
[root@lianglab4 puppet]# service puppet stop
[root@lianglab4 puppet]# puppetd --test --server lianglab.com --verbose --waitforcert 100
info: Caching catalog for lianglab4.com
info: Applying configuration version '1371277359'
notice: Finished catalog run in 0.03 seconds
[root@lianglab4 puppet]#
--server 服务端FQDN �C-verbose 输出冗余信息 �C-waitforcert 超时100
部分情况下puppet服务会无法启动,且提示puppet已经启动,这个时候需要删除一个文件:
[root@client ~]#/usr/sbin/puppetd --test --server master.gongchang.com
notice: Run of Puppet configuration client already in progress; skipping
[root@client ~]#rm /var/lib/puppet/state/puppetdlock
Puppet C/S环境搭建完毕。
文档先整理到这来,资源管理这块涉及到很多内容需要花时间慢慢研究的,
文章整理共计花费4个小时多,但是还是挺顺利的。
感谢这个博主: http://viong.blog.51cto.com