puppet是一个为实现数据中心自动化管理而设计的配置管理软件。基于c/s架构。puppet的服务器端保存着所有的对客户端服务器的配置代码,在puppet里面叫做manifest. 客户端下载manifest之后,可以根据manifest对服务器进行配置,例如软件包管理,用户管理和文件管理等等。
puppet的工作流程如下:
1. 客户端puppetd调用facter,facter探测出主机的一些变量,例如主机名,内存大小,ip地址等。pupppetd 把这些信息通过ssl连接发送到服务器端;
2. 服务器端的puppetmaster 检测客户端的主机名,然后找到manifest里面对应的node配置,并对该部分内容进行解析,facter送过来的信息可以作为变量处理,node牵涉到的代码才解析,其他没牵涉的代码不解析。解析分为几个阶段,语法检查,如果语法错误就报错。如果语法没错,就继续解析,解析的结果生成一个中间的“伪代码”,然后把伪代码发给客户端;
3. 客户端接收到“伪代码”,并且执行,客户端把执行结果发送给服务器;
4. 服务器端把客户端的执行结果写入日志。
puppet工作过程中有两点值得注意,第一,为了保证安全,client和master之间是基于ssl和证书的,只有经master证书认证的 client可以与master通信;第二,puppet会让系统保持在你所期望的某种状态并一直维持下去,如检测某个文件并保证其一直存在,保证ssh 服务始终开启,如果文件被删除了或者ssh服务被关闭了,puppet下次执行时(默认30分钟),会重新创建该文件或者启动ssh服务。
Puppet是Puppet Labs 基于ruby语言开发的自动化系统配置工具,可以以C/S 模式或独立模式运行,支持对所有 UNIX 及类 UNIX 系统的配置管理,最新版本也开始支持对 Windows 操作系统有限的一些管理。Puppet 适用于服务器管理的整个过程,比如初始安装、配置、更新以及系统下线。
典型的 Puppet 架构为星型结构,Clients默认每30分钟请求一次Server 端,确认是否有新的变更操作指令
运行环境:RHEL6.1 (防火墙和SELINUX关闭) + VitualBox
软件:puppet-2.7.12.tar.gz
facter-1.6.6.tar.gz
以下安装采用两台服务器,一台是 server.sxkeji.com用来安装 puppet-server 服务;一台是 client.sxkeji.com 用来安装 puppet 客户端。
Puppet 要求所有机器有完整的域名(FQDN),修改双方的/etc/hosts文件,添加各自的IP地址对应的主机名,生产环境做内部DNS比较好,不用修改每台服务器的hosts文件。
# vi /etc/hosts # 添加内容如下 10.1.1.78 server.sxkeji.com server 10.1.1.79 client.sxkeji.com client |
保持两台主机时间同步(可通过搭建ntp服务器,这里不作具体搭建ntp服务说明)
puppet 是用ruby语言写的,所以要安装ruby环境,服务器端与客户端都要安装
ruby语言安装
# yum install ruby* -y |
facter安装
# tar xf facter-1.6.6.tar.gz # cd facter-1.6.6 # ruby install.rb |
Puppet安装
# tar xf puppet-2.7.12.tar.gz # cd puppet-2.7.12 # ruby install.rb |
a、Server端
从解开的tar包中拷取相应的配置文件:
[root@server puppet-2.7.12]# cp conf/redhat/fileserver.conf /etc/puppet/ [root@server puppet-2.7.12]# cp conf/redhat/puppet.conf /etc/puppet/ [root@server puppet-2.7.12]# cp conf/redhat/server.init /etc/init.d/puppetmaster [root@server puppet-2.7.12]# chmod 755 /etc/init.d/puppetmaster [root@server puppet-2.7.12]# chkconfig --add puppetmaster [root@server puppet-2.7.12]# chkconfig puppetmaster on [root@server puppet-2.7.12]# mkdir /etc/puppet/manifests |
# pwd /etc/puppet # ls auth.conf fileserver.conf manifests puppet.conf // auth.conf --> client访问puppet server的ACL配置文件 // fileserver.conf --> puppet server 作为文件服务器的ACL配置文件 // manifests --> Puppet脚本主文件目录,至少需要包含site.pp文件 // puppet.conf --> Puppet服务器配置文件 # |
生成puppet账户:
[root@server puppet-2.7.12]# puppetmasterd --mkusers |
启动:
# /etc/init.d/puppetmaster start |
b、Client端
从解开的源码包拷取相关配置文件:
[root@client puppet-2.7.12]# cp conf/namespaceauth.conf /etc/puppet/ [root@client puppet-2.7.12]# cp conf/redhat/puppet.conf /etc/puppet/ [root@client puppet-2.7.12]# cp conf/redhat/client.init /etc/init.d/puppet [root@client puppet-2.7.12]# chmod +x /etc/init.d/puppet |
修改相关配置文件:
[root@client puppet-2.7.12]# vi /etc/puppet/puppet.conf #修改内容如下 [agent] listen = true server = server //服务器端主机名 [root@client puppet-2.7.12]# vi /etc/puppet/namespaceauth.conf #修改内容如下 [fileserver] allow * [puppetmaster] allow * [puppetrunner] allow * [puppetbucket] allow * [puppetreports] allow * [resource] allow * [root@client puppet-2.7.12]# |
生成puppet账户:
[root@client puppet-2.7.12]# puppetmasterd --mkusers [root@client puppet]# rm -rf /var/lib/puppet/ssl/* //删除客户端/var/lib/puppet/ssl目录下的文件,否则可能会报错 |
启动:
# /etc/init.d/puppet start |
Client
[root@client puppet-2.7.12]# puppetd --test --server server //客户端向server端发送请求 //Puppet 客户端使用 HTTPS和服务端(master)通信,为了和服务器端通信必须有合法的 SSL认证,第一次运行puppet客户端的时候会生成一个SSL证书并指定发给 Puppet服务端。 info: Creating a new SSL key for client.sxkeji.com warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session info: Creating a new SSL certificate request for client.sxkeji.com info: Certificate Request fingerprint (md5): 62:CD:A6:63:A7:8C:89:54:68:AF:95:12:59:16:D7:08 warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session Exiting; no certificate found and waitforcert is disabled [root@client puppet-2.7.12]# |
Server
[root@server ~]# puppetca –list //Server端查看请求的主机 client.sxkeji.com (05:BF:3C:9E:D8:72:13:24:1D:3F:4C:15:00:E7:FC:25) [root@server ~]# puppetca -s –a //发送接受请求 // puppet 服务端接受到客户端的证书后必须签字(sign)才能允许客户端接入 //puppetca –s –a //对所有客户端全部签名 //puppetca –s client.sxkeji.com //只签名某个客户端 notice: Signed certificate request for client.sxkeji.com notice: Removing file Puppet::SSL::CertificateRequest client.sxkeji.com at '/var/lib/puppet/ssl/ca/requests/client.sxkeji.com.pem' [root@server ~]# puppet cert list --all //使用puppet cert list --all 命令可以查看客户端已经加入 + client.sxkeji.com (05:BF:3C:9E:D8:72:13:24:1D:3F:4C:15:00:E7:FC:25) + server.sxkeji.com (52:A3:37:85:33:4D:97:7B:1B:78:87:DE:4F:EB:1D:DE) (alt names: DNS:puppet, DNS:puppet.sxkeji.com, DNS:server.sxkeji.com) [root@server ~]# |
client再次发送请求puppetd--test --server server
[root@client puppet]# puppetd --test --server server.sxkeji.com notice: Ignoring --listen on onetime run info: Caching catalog for client.sxkeji.com info: Applying configuration version '1332988321' info: Creating state file /var/lib/puppet/state/state.yaml notice: Finished catalog run in 0.25 seconds [root@client puppet]# |
完成以上之后server和client就可以正常通信了
常见错误和解决方法:
1、 notice: Ignoring --listen on onetime run notice: Run of Puppet configuration client already in progress; skipping 解决方法:a.可以通过ps –e|grep puppet是否有puppet进程在运行。如果有,则停掉puppet,再运行,即可。 b、没有进程,那有可能puppetdlock存在,则删除之,使用rm -rf /var/puppet/state/puppetdlock
2、 warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session Exiting; no certificate found and waitforcert is disabled 解决方法:mv /var/lib/puppet/ /tmp/
3、 err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client warning: Not using cache on failed catalog err: Could not retrieve catalog; skipping run err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client 解决方法: 务必保持两台主机时间同步 |