Recommended references:
Puppet ops automation: an introduction to Puppet basics: http://os.51cto.com/art/201205/334201.htm (recommended, very basic)
Puppet installation and configuration: http://blog.chinaunix.net/uid-24250828-id-3882898.html
Puppet downloads: http://downloads.puppetlabs.com/
Official Puppet documentation: https://docs.puppetlabs.com/guides/install_puppet/install_el.html
Learning Puppet: installing and configuring Puppet: http://blog.chinaunix.net/uid-23500957-id-3808027.html
Installation reference used in this post: how to install Puppet on CentOS 5: http://os.51cto.com/art/201209/357189.htm. This method is recommended for CentOS; the general idea is to configure the Puppet package repository and then install with yum.
1. After the packages are installed, edit the configuration file on the client (puppet.conf only accepts comments on their own lines, so the annotations are placed above each setting):
[root@agent1 ~]# vim /etc/puppet/puppet.conf
[agent]
# hostname or IP address of the puppet master
server = puppetmaster
# this host's name
certname = agent1
# automatic sync interval (seconds)
runinterval = 60
listen = true
report = true
# set to true if you have plugins of your own; if not, false is fine too
pluginsync = false
2. Certificate authentication
2.1 Start the node in test mode so that it sends a certificate request to the puppet master
[root@agent1 ~]# puppet agent --test
info: Creating a new SSL key for agent1
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent1
info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
Exiting; no certificate found and waitforcert is disabled
2.2 Confirm the request on the master
[root@puppetmaster ~]# puppet cert --list --all    # check certificate status
  "agent1" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)    # not yet signed
+ "puppetmaster" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
[root@puppetmaster ~]# puppet cert --sign agent1    # sign agent1
notice: Signed certificate request for agent1
notice: Removing file Puppet::SSL::CertificateRequest agent1 at '/var/lib/puppet/ssl/ca/requests/agent1'
[root@puppetmaster ~]# puppet cert --list --all    # check certificate status again
+ "agent1" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)    # a leading "+" means signed
+ "puppetmaster" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8)
[root@puppetmaster ~]# tree /var/lib/puppet/ssl/    # another way to check the certificate state
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent1.pem    # signed successfully
│       └── puppetmaster.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.pem
└── public_keys
    └── puppetmaster.pem

9 directories, 14 files
3. Create the module directory structure
Note: when modulepath is not set explicitly, a default search path is used; it can be seen as follows:
[root@puppetmaster ~]# puppet master --genconfig >/etc/puppet/puppet.conf.out
[root@puppetmaster ~]# cat /etc/puppet/puppet.conf.out | grep modulepath
modulepath = /etc/puppet/modules:/usr/share/puppet/modules
[root@puppetmaster modules]# tree /etc/puppet/modules/test/
/etc/puppet/modules/test/
├── files
├── manifests
│   └── init.pp
└── templates
4. Test the test module
[root@agent1 ~]# puppet agent --test    # run a test on node agent1
or: # puppet agent --server puppetserverhost --test
5. Generate the main configuration file (already present by default, can be skipped)
[root@puppetmaster puppet]# puppetmasterd --genconfig > puppet.conf
6. View the run results on the agent side.
[root@agent1 ~]# puppetd --test --trace --debug
You can also run a command on the master to push the configuration to the agent:
[root@puppetmaster puppet]# puppet kick -d --host agent1
For details see:
http://blog.sina.com.cn/s/blog_4e424e210100plcw.html
7. To write your own manifests you need to learn the Puppet language.
PS: Puppet can use the server's IP address as the certname, which helps on an internal network without a DNS server. That is what my company does, as shown below.
I wrote a Puppet auto-install script for the agent side for my company and record it here (some parts are redundant; I only adapted it to our servers' environment, for reference only):
#!/bin/bash
# time: 2014/12/10  by: Lance
# this host's own address on the 172.16.8.0 network, used as the certname
SERVER_IP=`ifconfig | grep 172.16.8. | sed -n '1p' | awk '{print $2}' | awk -F':' '{print $2}'`

check_file(){
    # check whether puppet is already installed
    if [ `rpm -qa | grep puppet- | wc -l` -ge 1 ]; then
        echo "puppet is already installed on this server!!"
        exit 0
    fi
    # check whether the puppet directory exists
    if [ -d /etc/puppet ]; then
        echo "/etc/puppet already exists, backing up..."
        mv /etc/puppet/puppet.conf /etc/puppet/puppet.conf.bak
        mv /etc/puppet/auth.conf /etc/puppet/auth.conf.bak
    fi
}

check_system_clock(){
    # sync time
    /usr/sbin/ntpdate 202.120.2.101 && /sbin/hwclock -w
    if [ -f /var/spool/cron/root ]; then
        if [ `grep ntpdate /var/spool/cron/root | wc -l` -eq 0 ]; then
            echo "ntpdate cron job missing, adding..."
            echo "01 1 * * * /usr/sbin/ntpdate 202.120.2.101 && /sbin/hwclock -w >/dev/null 2>&1" >>/var/spool/cron/root
        fi
    fi
    # system time zone
    if ! grep -qi Shanghai /etc/sysconfig/clock; then
        echo "Time zone wrong... fixing..."
        sleep 3
        cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    fi
}

check_repo(){
    TEST=0
    # switch the CentOS yum repos
    if [ ! -f /etc/yum.repos.d/epel.repo ] && ! ls /etc/yum.repos.d/CentOS* >/dev/null 2>&1 && ( [ -f /etc/yum.repos.d/local.repo ] || [ -f /etc/yum.repos.d/2.repo ] ); then
        cp /etc/yum.repos.d/bak/epel.repo /etc/yum.repos.d/epel.repo
        cp /etc/yum.repos.d/bak/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo
        mv /etc/yum.repos.d/local.repo /etc/yum.repos.d/local.repo.bak &>/dev/null
        mv /etc/yum.repos.d/2.repo /etc/yum.repos.d/2.repo.bak &>/dev/null
        TEST=2
        #yum clean all
        yum makecache
    fi
}

check_recovery(){
    # restore the original repo files if check_repo swapped them out
    if [ "$TEST" -eq 2 ]; then
        mv /etc/yum.repos.d/local.repo.bak /etc/yum.repos.d/local.repo &>/dev/null
        mv /etc/yum.repos.d/2.repo.bak /etc/yum.repos.d/2.repo &>/dev/null
    fi
}

epel_yum(){
    # check the OS release and install the puppet yum repo
    if [ `uname -r | grep el6 | wc -l` -eq 1 ] && [ `rpm -qa | grep epel | wc -l` -eq 0 ]; then
        # rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
        wget https://yum.puppetlabs.com/el/6.5/products/x86_64/puppetlabs-release-6-5.noarch.rpm
        rpm -ivh puppetlabs-release-6-5.noarch.rpm
        rm -rf puppetlabs-release-6-5.noarch.rpm
    elif [ `uname -r | grep el5 | wc -l` -eq 1 ] && [ `rpm -qa | grep epel | wc -l` -eq 0 ]; then
        rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
    fi
}

check_install(){
    # puppet client install
    yum install puppet -y
    if [ $? -eq 0 ]; then
        echo "install finished, updating the puppet configuration file..."
        cat >> /etc/puppet/puppet.conf <<EOF
# puppet master IP address
server = 172.16.8.129
certname = $SERVER_IP
# interval at which the puppet client polls the master
runinterval = 60
listen = true
report = true
EOF
        echo "configuration done, starting puppet..."
        chkconfig puppet on
        /etc/init.d/puppet start
    fi
}

# check the network
check_network(){
    ping -c 1 www.baidu.com &>/dev/null
    if [ $? -ne 0 ]; then
        echo "no external connectivity, adding the default route..."
        route add -net 0.0.0.0/0 gw 172.16.8.2
    fi
}

check_network
check_file
check_system_clock
check_repo
epel_yum
check_install
check_recovery