-----本文大纲
简介
工作原理
puppet安装及命令解析
puppet资源类型
---------------------
一、简介
二、工作原理
在使用任何软件前我们都需要了解其工作原理,否则会给后续使用带来诸多不便。Puppet采用了非常简单的C/S架构,所有数据的交互都通过SSL进行,以保证安全
客户端Puppetd向Master发起认证请求,或使用带签名的证书。
Master告诉Client你是合法的。
客户端Puppetd调用Facter,Facter探测出主机的一些变量,例如主机名、内存大小、IP地址等。Puppetd将这些信息通过SSL连接发送到服务器端。
服务器端的Puppet Master检测客户端的主机名,然后找到manifest对应的node配置,并对该部分内容进行解析。Facter送过来的信息可以作为变量处 理,node牵涉到的代码才解析,其他没牵涉的代码不解析。解析分为几个阶段,首先是语法检查,如果语法错误就报错;如果语法没错,就继续解析,解析的结 果生成一个中间的“伪代码”(catelog),然后把伪代码发给客户端。
客户端接收到“伪代码”,并且执行。
客户端在执行时判断有没有File文件,如果有,则向fileserver发起请求。
客户端判断有没有配置Report,如果已配置,则把执行结果发送给服务器。
服务器端把客户端的执行结果写入日志,并发送给报告系统。
三、puppet安装
1、安装puppet
安装ruby
#yum install ruby ruby-libs ruby-rdoc
安装epel源
#rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
安装puppet
[root@dynamic bin]# yum --enablerepo="epel,epel-puppet" install puppet
2、puppet命令注解
[root@dynamic bin]# puppet help Usage: puppet <subcommand> [options] <action> [options] Available subcommands, from Puppet Faces: ca Local Puppet Certificate Authority management. #管理本地证书 catalog Compile, save, view, and convert catalogs. #编译、保存、查看 puppet、代码,或转换成 Catalogs certificate Provide access to the CA for certificate management. #提供访问 CA证书的管理 certificate_request Manage certificate requests. #管理证书的请求 certificate_revocation_list Manage the list of revoked certificates. #管理撤销证书的列表 config Interact with Puppet's configuration options. facts Retrieve and store facts. #系统信息检查 file Retrieve and store files in a filebucket #在 filebucket 中检索和存 储文件 help Display Puppet help. instrumentation_data Manage instrumentation listener accumulated data. #管理监听的数据 instrumentation_listener Manage instrumentation listeners. #管理监听的状态 instrumentation_probe Manage instrumentation probes. #管理监听探测 key Create, save, and remove certificate keys. ##创建、保存、删除证书密 钥 man Display Puppet manual pages. module Creates, installs and searches for modules on the Puppet Forge. # 从 Puppet Forge 创建、安装、查询模块 node View and manage node definitions. #管理节点 parser Interact directly with the parser. #解析器管理,检查 pp 文件语法 plugin Interact with the Puppet plugin system. #管理插件 report Create, display, and submit reports. #创建、查看报告 resource API only: interact directly with resources via the RAL. #查看资源帮助 resource_type View classes, defined resource types, and nodes from all manifests #查看类、默认资源类型与节点信息 secret_agent Mimics puppet agent. #模拟 Agent status View puppet server status. #查看 puppet 状态 Available applications, soon to be ported to Faces: agent The puppet agent daemon #客户端进程,负责从 Master 端获取信息 apply Apply Puppet manifests locally #运行本地 manifests cert Manage certificates and requests #证书颁发,用于签署证书 describe Display help about resource types #资源帮助 device Manage remote network devices #管理远程网络设备 doc Generate Puppet documentation and references #生成 puppet 文档 filebucket Store and retrieve files in a filebucket #在 filebucket 中检索和存储文件 inspect Send an inspection report #发送 report 报告 kick Remotely control puppet agent #远程控制 agent,远程触发 puppet agent命令 master The puppet master daemon #编译配置文件、模板、节点的自定义插件 queue Queuing daemon for asynchronous storeconfigs #队列进程 See 'puppet help <subcommand> <action>' for help on a specific subcommand action. See 'puppet help <subcommand>' for help on a specific subcommand. Puppet v2.7.25
puppet master :编译配置文件、模板、节点的自定义插件
[root@dynamic bin]# puppet help master puppet-master(8) -- The puppet master daemon ======== SYNOPSIS -------- The central puppet server. Functions as a certificate authority by default. USAGE ----- puppet master [-D|--daemonize|--no-daemonize] [-d|--debug] [-h|--help] [-l|--logdest <file>|console|syslog] [-v|--verbose] [-V|--version] [--compile <node-name>] DESCRIPTION ----------- This command starts an instance of puppet master, running as a daemon and using Ruby's built-in Webrick webserver. Puppet master can also be managed by other application servers; when this is the case, this executable is not used. -D|--daemonize #发送到后台守护进程,默认选项 --no-daemonize #不发送到后台守护进程 -d|--debug #启用完整的调试模式 -h|--help #查看帮助 -l|--logdest <file>|console|syslog #日志发送方式,默认采用 syslog 配置 -v|--verbose #显示详细信息 -V|--version #打印 puppet 版本 --compile <node-name> #以 JSON 的方式输出编译的 catalog --genconfig #输入默认配置文件
puppet agent :客户端进程,负责从 Master 获取数据
[root@dynamic bin]# puppet help agent puppet-agent(8) -- The puppet agent daemon ======== SYNOPSIS -------- Retrieves the client configuration from the puppet master and applies it to the local host. This service may be run as a daemon, run periodically using cron (or something similar), or run interactively for testing purposes. USAGE ----- puppet agent [--certname <name>] [-D|--daemonize|--no-daemonize] [-d|--debug] [--detailed-exitcodes] [--digest <digest>] [--disable] [--enable] [--fingerprint] [-h|--help] [-l|--logdest syslog|<file>|console] [--no-client] [--noop] [-o|--onetime] [--serve <handler>] [-t|--test] [-v|--verbose] [-V|--version] [-w|--waitforcert <seconds>] DESCRIPTION ----------- This is the main puppet client. Its job is to retrieve the local machine's configuration from a remote server and apply it. In order to successfully communicate with the remote server, the client must have a certificate signed by a certificate authority that the server trusts; the recommended method for this, at the moment, is to run a certificate authority as part of the puppet server (which is the default). The client will connect and request a signed certificate, and will continue connecting until it receives one. Once the client has a signed certificate, it will retrieve its configuration and apply it. --certname <name> #指定客户端 certname(唯一 ID),通常以 FQDN 命名 --daemonize #发送到后台守护进程,默认选项 --no-daemonize #不发送到后台守护进程 -d|--debug #启用完整的调试模式 --detailed-exitcodes #提供详细的退出代码 --digest <digest> #指定证书指纹算法,默认为 MD5 算法 --disable #禁用,禁止 puppet agent 在此节点运行 --enable #启用,重新运行执行 puppet agent --fingerprint #显示当前证书的指纹 -h|--help #查看帮助 -l|--logdest syslog|<file>|console #日志发送方式,默认采用 syslog 配置 --no-client #不创建客户端配置文件,当 listen=true 时才有意义 --noop #puppet 运行 Catalog,但不执行配置 -o|--onetime #运行一次,配合--no-daemonize 使用 --serve <handler> #启动另一类的服务 -t|--test #测试用,包含了('onetime','verbose', 'ignorecache', 'no-daemonize', 'no-usecacheonfailure','detailed-exit-codes', 'no-splay', and 'show_diff') -v|--verbose #显示详细信息 -V|--version #打印 puppet 版本 -w|--waitforcert <seconds> #当 Master 未签署此节点证书时,puppet agent 将等待签署,并默认 #每 2 分钟重新连接 Master 以确定是否完成签署
puppet cert :证书颁发,用于签署证书
[root@dynamic bin]# puppet help cert puppet-cert(8) -- Manage certificates and requests ======== SYNOPSIS -------- Standalone certificate authority. Capable of generating certificates, but mostly used for signing certificate requests from puppet clients. USAGE ----- puppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] [--digest <digest>] [<host>] DESCRIPTION ----------- Because the puppet master service defaults to not signing client certificate requests, this script is available for signing outstanding requests. It can be used to list outstanding requests and then either sign them individually or sign all of them. ACTIONS ------- Every action except 'list' and 'generate' requires a hostname to act on, unless the '--all' option is set. * clean: #清除,用于清除证书 Revoke a host's certificate (if applicable) and remove all files related to that host from puppet cert's storage. This is useful when rebuilding hosts, since new certificate signing requests will only be honored if puppet cert does not have a copy of a signed certificate for that host. If '--all' is specified then all host certificates, both signed and unsigned, will be removed. * fingerprint: #打印证书指纹 Print the DIGEST (defaults to md5) fingerprint of a host's certificate. * generate: #生成客户端证书 Generate a certificate for a named client. A certificate/keypair will be generated for each client named on the command line. * list: #查看认证客户端列表 List outstanding certificate requests. If '--all' is specified, signed certificates are also listed, prefixed by '+', and revoked or invalid certificates are prefixed by '-' (the verification outcome is printed in parenthesis). * print: #打印主机证书的全文信息 Print the full-text version of a host's certificate. * revoke: #废除已认证的主机 Revoke the certificate of a client. The certificate can be specified either by its serial number (given as a hexadecimal number prefixed by '0x') or by its hostname. The certificate is revoked by adding it to the Certificate Revocation List given by the 'cacrl' configuration option. Note that the puppet master needs to be restarted after revoking certificates. * sign: #签署认证 Sign an outstanding certificate request. * verify: #验证本地指定的认证 Verify the named certificate against the local CA certificate. OPTIONS ------- Note that any configuration parameter that's valid in the configuration file is also a valid long argument. For example, 'ssldir' is a valid configuration parameter, so you can specify '--ssldir <directory>' as an argument. See the configuration file documentation at http://docs.puppetlabs.com/references/stable/configuration.html for the full list of acceptable parameters. A commented list of all configuration options can also be generated by running puppet cert with '--genconfig'. * --all: #执行所有操作,包括'sign','clean','list','fingerprint', Operate on all items. Currently only makes sense with the 'sign', 'clean', 'list', and 'fingerprint' actions. * --digest: #设置证书指纹加密的方式,取决于 openssl 版本 Set the digest for fingerprinting (defaults to md5). Valid values depends on your openssl and openssl ruby extension version, but should contain at least md5, sha1, md2, sha256. * --debug: #启用完整的调试模式 Enable full debugging. * --help: #查看帮助 Print this help message * --verbose: #显示详细信息 Enable verbosity. * --version: #显示版本 Print the puppet version number and exit.
puppet apply :运行本地 manifests
[root@dynamic bin]# puppet help apply puppet-apply(8) -- Apply Puppet manifests locally ======== SYNOPSIS -------- Applies a standalone Puppet manifest to the local system. USAGE ----- puppet apply [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] [-e|--execute] [--detailed-exitcodes] [-l|--logdest <file>] [--apply <catalog>] [--catalog <catalog>] <file> -h|--help #查看帮助 -V|--version #显示版本信息 -d|--debug #启用完整的调试模式 -v|--verbose #显示详细信息 -e|--execute #执行命令中指定的 puppet 代码 --detailed-exitcodes #提供详细的退出代码 -l|--logdest <file> #日志发送方式,默认采用 syslog 配置 --catalog <catalog> #运行 puppet master 采用--compile 输出 JSON 代码
puppet kick #远程控制 agent,远程触发 puppet agent 命令
3、帮助
puppet doc #生成 puppet 文档 puppet help #显示 puppet 帮助信息 puppet resource #查看资源帮助 puppet describe #资源帮助 puppet status #查看 puppet 状态
四、常用的核心资源( puppet describe -l)
puppet resouce 命令可用于交互式查找及修改puppet资源
资源定义格式:
key =>values,
........
}
1、package
puppet支持使用的软件包管理器:
yum,rpm,apt,ports,gem,msi,dpkg,pkg等
package 常用参数
ensure:程序包目标状态
ensure => {present|installed|absent|latest|purged|"version"}
name:资源的名称,即软件包的名字(默认与 title 相同可不写)
source :指定程序包文件路径
install_options :安装选项,最常的用是通过INSTALLDIR指定安装目录
例:安装haproxy
[root@essun tmp]# rpm -q haproxy package haproxy is not installed [root@essun tmp]# cat haproxy_setup.pp package {'haproxy': ensure => installed, name => haproxy } [root@essun tmp]# puppet apply haproxy_setup.pp notice: /Stage[main]//Package[haproxy]/ensure: created notice: Finished catalog run in 16.53 seconds [root@essun tmp]# rpm -q haproxy haproxy-1.4.24-2.el6.x86_64
2、service :管理服务
enable :是否开机自动启动
enable => true|false 指定服务是否开机自启动(修改 chkconfig 部分),并非对所有均有效
name: 服务名称
name => "service name",该资源的 namevar, 服务的名字,通常就是在/etc/init.d/目录下的名字,默认与 title 相同
path:脚本路径
path => "/etc/rc.d/init.d", 启动脚本的搜索路径,可以用冒号分割多个路径,或者用数组指定
start :是否启动服务
stop:是否停止服务
restart:是否重启服务
restart => true |false, 指出管理脚本是否支持 restart 参数,如果不支持,就用 stop 和 start实现 restart 效果.
status => true|false, 指出管理脚本是否支持 status 参数,puppet 用 status 参数来判断服务是否已经在运行了,如果不支持 status 参数,puppet 利用查找运行进程列表里面是否有服务名来判断服务是否在运行
例:启动haproxy
[root@essun tmp]# cat haproxy_setup.pp package {'haproxy': ensure => installed, name => haproxy } service {'haproxy': ensure => true, name => haproxy, enable => true } [root@essun tmp]# puppet apply haproxy_setup.pp -v info: Applying configuration version '1400171155' notice: /Stage[main]//Package[haproxy]/ensure: created notice: /Stage[main]//Service[haproxy]/ensure: ensure changed 'stopped' to 'running' notice: Finished catalog run in 9.21 seconds [root@essun tmp]# chkconfig --list haproxy haproxy 0:off 1:off 2:on 3:on 4:on 5:on 6:off
常用属性
ensure => {present|absent|directory|file|link}, 指定文件的目标状态
content:文件内容:生成方式有三种(content,source,target),彼此互斥
content => "hello",|content => template("postfix/main.cf.erb"), 文件的具体内容,亦可由 erb 模板生成,选择这个可不写资源 source
path:文件路径,必须使用双引号;
path => "/etc/postfix/main.cf", 文件完整路径。默认与 title 相同可不写
mode:定义权限
mode => 0644, 权限属性,四位八进制数
owner:属主
owner|user => root, 所属用户,也可以用 UID
group:属组
group => puppet, 所属用户组,也可以用 GID
recurse:目录递归
recurse => '{true|false|inf|remote}', 对目录是(true)否(false)递归(ensure =>directory 时有效)
replace:替换,本地存在的文件与资源中指定的文件内容不同时,是否执行替换,默认为否
例:
[root@dynamic tmp]# mkdir -pv /tmp/dir1/{dir2,dir3,dir4} mkdir: created directory `/tmp/dir1' mkdir: created directory `/tmp/dir1/dir2' mkdir: created directory `/tmp/dir1/dir3' mkdir: created directory `/tmp/dir1/dir4' [root@dynamic tmp]# cat mkdir.pp file{ "/tmp/dir1": owner => "puppet", group => "puppet", mode => 0700, ensure => directory, recurse => true, purge => true, force => true, ignore => "dir2", } [root@dynamic tmp]# puppet apply mkdir.pp notice: /Stage[main]//File[/tmp/dir1]/owner: owner changed 'root' to 'puppet' notice: /Stage[main]//File[/tmp/dir1]/group: group changed 'root' to 'puppet' notice: /Stage[main]//File[/tmp/dir1]/mode: mode changed '0755' to '0700' notice: /File[/tmp/dir1/dir4]/ensure: removed notice: /File[/tmp/dir1/dir3]/ensure: removed notice: Finished catalog run in 0.06 seconds [root@dynamic tmp]# ll -d dir1/ drwx------ 3 puppet puppet 4096 May 18 14:29 dir1/ [root@dynamic dir1]# ll total 4 drwxr-xr-x 2 root root 4096 May 18 14:28 dir2
4、exec :执行外部命令,通常用于完成puppet自身无法完成的功能
try_sleep:多次尝试之间的时间间隔
例
[root@dynamic tmp]# cat temp.pp exec {'echo temp': command => 'mktemp /tmp/tmp.XXX', path => [ "/bin","/sbin","/usr/bin","/usr/sbin" ], } [root@dynamic tmp]# puppet apply temp.pp notice: /Stage[main]//Exec[echo temp]/returns: executed successfully notice: Finished catalog run in 0.10 seconds [root@dynamic tmp]# ll total 12 drwx------ 3 puppet puppet 4096 May 18 14:29 dir1 srwxrwxrwx 1 mysql mysql 0 May 4 14:19 maria.sock -rw-r--r-- 1 root root 166 May 18 14:24 mkdir.pp -rw-r--r-- 1 root root 111 May 18 15:09 temp.pp -rw------- 1 root root 0 May 18 15:09 tmp.ZeW
元参数:用于定义资源间依赖关系及应用次序。
通知机制:应用产生的消息
特殊属性
例:
[root@dynamic tmp]# cat messages.pp file {'/tmp/messages.txt': ensure => file, content =>"hello puppet!", notify => Exec['messages'] } exec {'messages': command => 'echo "/tmp/message.txt" >> /tmp/message.txt', refreshonly =>true, path => "/bin/:/sbin/:/usr/bin:/usr/sbin" } [root@dynamic tmp]# puppet apply messages.pp notice: /Stage[main]//File[/tmp/messages.txt]/content: content changed '{md5}e147509e8f852facd239743193e249c2' to '{md5}d007288adc523f44584e631abde90137' notice: /Stage[main]//Exec[messages]: Triggered 'refresh' from 1 events notice: Finished catalog run in 0.21 seconds [root@dynamic tmp]# cat message.txt /tmp/message.txt [root@dynamic tmp]# cat messages.txt hello puppet! [root@dynamic tmp]#
subscribe:主动关注所关联的资源的变化
例:
[root@dynamic tmp]# cat messages.pp file {'/tmp/messages.txt': ensure => file, content =>"how are you", } exec {'messages': command => 'echo "/tmp/messages.txt changed" >> /tmp/message.txt', subscribe => File['/tmp/messages.txt'], path => "/bin/:/sbin/:/usr/bin:/usr/sbin" } [root@dynamic tmp]# puppet apply messages.pp notice: /Stage[main]//Exec[messages]/returns: executed successfully notice: Finished catalog run in 0.10 seconds [root@dynamic tmp]# cat messages.txt how are you [root@dynamic tmp]# cat message.txt /tmp/messages.txt changed
require:必须依赖于那一个资源
[root@dynamic tmp]# cat ha_setup.pp package{'haproxy': ensure => installed, before => Service['haproxy'], } file{'/etc/haproxy/haproxy.cfg': source=>'/tmp/haproxy.cfg', owner=>'root', group=>'root', mode=>'640', require=>Package['haproxy'], before => Service['haproxy'], } service{'haproxy': ensure=>running, enable=>true, } [root@dynamic tmp]# puppet apply ha_setup.pp notice: /Stage[main]//Package[haproxy]/ensure: created notice: /Stage[main]//File[/etc/haproxy/haproxy.cfg]/mode: mode changed '0644' to '0640' notice: /Stage[main]//Service[haproxy]/ensure: ensure changed 'stopped' to 'running' notice: Finished catalog run in 24.91 seconds [root@dynamic tmp]# ll /etc/haproxy/ total 4 -rw-r----- 1 root root 3142 Jul 10 2013 haproxy.cfg [root@dynamic tmp]# service haproxy status haproxy (pid 6266) is running...
说明,package 资源属性一定要在service 之前应用,如果package没有应用成功,那么service 资源将不会被应用。
before:file资源一定要在service 资源之前执行
应用链次序链与通知链
->用于定义次序链
~>用于定义通知链
[root@dynamic tmp]# cat ha_setup.pp package{'haproxy': ensure => installed, } file{'/etc/haproxy/haproxy.cfg': source=>'/tmp/haproxy.cfg', owner=>'root', group=>'root', mode=>'640', notify=>Exec['monitor'] } service{'haproxy': ensure=>running, enable=>true, restart =>'/etc/rc.d/init.d/haproxy reload' } exec{'monitor': command => 'echo "/tmp/haproxy.cfg己经重载" >> /tmp/hainfo.txt', path => "/bin:/sbin:/usr/sbin:/usr/bin" } Package['haproxy']->File['/etc/haproxy/haproxy.cfg']->Exec['monitor']~>Service['haproxy'] [root@dynamic tmp]# puppet apply ha_setup.pp notice: /Stage[main]//File[/etc/haproxy/haproxy.cfg]/content: content changed '{md5}c6e95eb3da150a74e6c8c2e70488083e' to '{md5}1f337186b0e1ba5ee82760cb437fb810' notice: /Stage[main]//Exec[monitor]/returns: executed successfully notice: /Stage[main]//Exec[monitor]: Triggered 'refresh' from 1 events notice: /Stage[main]//Service[haproxy]/ensure: ensure changed 'stopped' to 'running' notice: Finished catalog run in 0.90 seconds [root@dynamic tmp]# cat hainfo.txt /tmp/haproxy.cfg己经重载
5、group: 系统上用户组
常用参数
home:用户的家目录。必须是己创建的目录,如果没有创建,则不检查
shell:指定其shell
password:指定用户密码
mangehome: 是否建立家目录。true or false
例
[root@dynamic tmp]# cat useradd.pp group {'groupadd': ensure =>present, gid =>1010, name =>essun, }-> user {'useradd': ensure =>present, uid =>1010, gid =>1010, name =>essun, shell =>"/bin/bash", home =>"/home/essun", managehome =>true, password =>'$1$wvZ8j1$mPa3IT.9vTdCb6sOuvdeu/' } [root@dynamic tmp]# puppet apply useradd.pp notice: /Stage[main]//Group[groupadd]/ensure: created notice: /Stage[main]//User[useradd]/ensure: created notice: Finished catalog run in 0.50 seconds [root@dynamic tmp]# su essun [essun@dynamic tmp]$ whoami essun [essun@dynamic tmp]$ cd [essun@dynamic ~]$ pwd /home/essun [essun@dynamic ~]$ id essun uid=1010(essun) gid=1010(essun) groups=1010(essun)
weekday 周
name:名字
user: 运行此周期性任务计划的用户,如果没有指出,默认为root
例
[root@dynamic tmp]# cat cron.pp cron {'ntpdate': ensure => present, command => '/usr/sbin/ntpdate cn.poolntp.org &> /dev/null', minute => '*/5', } [root@dynamic tmp]# puppet apply cron.pp notice: /Stage[main]//Cron[ntpdate]/ensure: created notice: Finished catalog run in 0.10 seconds [root@dynamic tmp]# date Sun May 18 17:42:21 CST 2014