Puppet Hands-on Notes
What is Puppet? Puppet is a batch configuration management tool; at the time of writing both 乐视 (Letv) and 安居 (Anju) use it. It is a centralized configuration management system for Linux and Unix built on a client/server (C/S) architecture. Puppet has its own declarative language and can manage files, users, cron jobs, software packages, system services and more.
How Puppet works:
It uses HTTPS and an XML-based protocol. The master manages the clients: a client sends a request to the server over HTTPS using XML-RPC, the server determines the requesting hostname and locates the configuration code for that host, and when the client has finished applying it, it reports back to the server whether the run succeeded.
Puppet
Puppet is used by companies that have to manage large fleets of hundreds of servers.
Installing Puppet
Note: the clocks must be synchronized
ntpdate time.nist.gov
Environment:
System: Red Hat 6.5
master  192.168.2.1
client1 192.168.2.3
client2 192.168.2.4
First synchronize the time and turn off the firewall
/etc/init.d/iptables stop
A Ruby environment is required, so install Ruby
# yum -y install ruby
Create the puppet user
# groupadd puppet
# useradd -g puppet -s /bin/false -M puppet
Set up hosts: Puppet synchronizes by hostname, so every host must resolve by name
echo "192.168.1.102 master.test.com" >> /etc/hosts
echo "192.168.1.60 agent.test.com" >> /etc/hosts
echo "192.168.1.106 client02" >> /etc/hosts
Change the machine names to fully qualified domain-name form
vim /etc/sysconfig/network
The master must have its hostname changed; the clients do not need to
Add all hostnames to the hosts file so the machines can communicate
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.1 master.test.com
192.168.2.3 agent1.test.com
192.168.2.4 client02
Confirm the hosts can reach each other by name
Install the Puppet packages
# tar zxf facter-1.6.4.tar.gz
# cd facter-1.6.4
# ruby install.rb
# tar zxf puppet-2.7.14.tar.gz
# cd puppet-2.7.14
# ruby install.rb
# mkdir -p /etc/puppet
# cp conf/redhat/* /etc/puppet/
# cp conf/auth.conf /etc/puppet/
MASTER
Create the configuration file directory
# mkdir /etc/puppet/manifests -p
# pwd
/etc/puppet
# cp server.init /etc/init.d/puppetmaster    # copy the init script
# chmod 755 /etc/init.d/puppetmaster         # set permissions
Start Puppet
# /etc/init.d/puppetmaster start
启动 puppetmaster: [确定]
# ps -ef |grep puppet
puppet 48544 10 00:33 ? 00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd
root 48558472220 00:33 pts/2 00:00:00 grep puppet
Agent steps:
# puppetd --test --server master.test.com    # request a certificate
info: Creating a new SSL key for agent.test.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for agent.test.com
info: Certificate Request fingerprint (md5): 2B:25:B8:D5:53:7D:0C:35:6C:F0:C2:01:3F:56:E9:CB
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
Check on the master
# puppetca -l    # one pending certificate request is listed
agent.test.com (2B:25:B8:D5:53:7D:0C:35:6C:F0:C2:01:3F:56:E9:CB)
Sign the certificate on the master (compare the fingerprint with the one printed on the agent first)
# puppetca -s agent.test.com
notice: Signed certificate request for agent.test.com
notice: Removing file Puppet::SSL::CertificateRequest agent.test.com at '/var/lib/puppet/ssl/ca/requests/agent.test.com.pem'
# ll /var/lib/puppet/ssl/ca/signed/    # signed certificate directory on the server
总用量 8
-rw-r-----. 1 puppet puppet 1387 3月 27 11:46 agent.test.com.pem
-rw-r-----. 1 puppet puppet  936 3月 27 11:28 master.test.com.pem
Check the certificate on the agent
# puppetd --test --server master.test.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for agent.test.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for agent.test.com
info: Applying configuration version '1459050414'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.02 seconds
OK, the certificate request is complete
Puppet configuration management
Master configuration
Create and edit the configuration file
# cd /etc/puppet/manifests/
# vim site.pp
# cat site.pp
node default {                          # applied on every client
  file { "/tmp/test.txt":               # create test.txt
    content => "I'm test puppet\n",     # file content
  }
}
Restart Puppet: the first time the manifest is created, puppetmaster must be restarted
# /etc/init.d/puppetmaster restart
停止 puppetmaster: [确定]
启动 puppetmaster: [确定]
Run on the agent and check
# puppetd --test --server master.test.com
info: Caching catalog for agent.test.com
info: Applying configuration version '1459051322'
notice: /Stage//Node/File/ensure: defined content as '{md5}126809c793cb00f34616532d90ab1e85'
notice: Finished catalog run in 0.03 seconds
It reports that the file was created.
Let's check
# ls
orbit-gdm  pulse-yllwWiOizWaB  test.txt  yum.log
# cat test.txt
I'm test puppet
OK, the sync succeeded
Suppose you want to create a file and then change its owner and permissions. How is that done?
# cat site.pp    # this script deletes log files under /log/ larger than 100 KB
node default {
  file { "/tmp/test.sh":
    # GNU find takes the size suffix "k", not "KB"
    content => "find /log/ -type f -size +100k | xargs rm -rf\n",
    mode    => "0777",
  }
}
# ll test.sh    # on the agent the file is owned by root
-rwxrwxrwx. 1 root root 46 3月 27 12:17 test.sh
# cat site.pp    # set the owner and group
node default{
file {"/tmp/test.sh":
content=>"find /log/ -type f -size +100KB |xargs rm -rf\n",
mode=>"0777",
group=>"puppet",
owner=>"puppet",
}
}
Run on the agent
# ll test.sh    # now owned by puppet
-rwxrwxrwx. 1 puppet puppet 46 3月 27 12:17 test.sh
Setting up a scheduled task
node default {
  cron { "ntp time":    # the resource title becomes the "Puppet Name" comment in the agent's crontab
    command     => "/usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1",
    minute      => '*/10',
    hour        => ['2-4'],
    monthday    => ['2', '4'],    # days 2 and 4, matching the crontab generated below
    ensure      => present,
    environment => "PATH=/bin:/usr/bin:/usr/sbin",
  }
}
Check the scheduled task on the agent
# puppetd --test --server master.test.com
info: Caching catalog for agent.test.com
info: Applying configuration version '1459053791'
notice: /Stage//Node/Cron/ensure: created
notice: Finished catalog run in 0.11 seconds
# crontab -l
# HEADER: This file was autogenerated at Sun Mar 27 12:43:12 +0800 2016 by puppet.
# HEADER: While it can still be managed manually, it is definitely not recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
# Puppet Name: ntp time
PATH=/bin:/usr/bin:/usr/sbin
*/10 2-4 2,4 * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1
If the job should run as the puppet user instead,
just add user => "puppet" to the cron resource.
Suppose I want to sync a file from the master to the agent. How is that written?
Create the file to sync
# mkdir /etc/puppet/system_conf
# cd /etc/puppet/system_conf/
# vim a.log
# cat a.log
test
# ll a.log
-rw-r--r--. 1 root root 5 3月 27 12:55 a.log
Modify the master-side configuration, in four steps:
Step 1: configure the shared directory
# cat fileserver.conf    # add this to the file; it shares the directory as the mount point "system_conf"
[system_conf]
  path /etc/puppet/system_conf/
  # "allow *" serves this mount to every host that can reach the master; narrow it to your agents' names or domain in production
  allow *
Step 2: restart Puppet
# /etc/init.d/puppetmaster restart
停止 puppetmaster: [确定]
启动 puppetmaster: [确定]
Step 3: place the file to be synced in the system_conf directory; this was already done above
Step 4: modify site.pp on the master
node default {
  file { "/tmp/a.log":    # file titles must be absolute paths; /tmp follows the earlier examples
    mode   => "0644",
    source => "puppet://master.test.com/system_conf/a.log",    # specify the source on the master's fileserver
  }
}
Check on the agent
# cat a.log
test
Configuring different servers for different roles:
Configuring nodes
node 'client02' {    # client02 is the hostname; this block is applied only on client02
  file { "/var/log/snmp.log":
    content => "test\n",
  }
}
Add the parameters as shown above.
Puppet's main configuration files: puppet.conf and server.sysconfig
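Pulling the pieces above together, here is an added example site.pp (not from the original notes) that assigns the resources built up so far to specific nodes and tightens the permissions the notes left at 0777. It assumes the hostnames from the /etc/hosts above and the system_conf fileserver mount configured earlier; the class names, the script path /usr/local/sbin/clean_logs.sh and the file clean_logs.sh on the mount are my own assumptions.

```puppet
# Added example: one site.pp combining the notes' resources per node.
# Assumes the hosts defined earlier and the "system_conf" fileserver mount.

# The cleanup script is delivered from the master's fileserver instead of
# inline content, owned by root and not world-writable (0750, not 0777).
class log_cleanup {
  file { '/usr/local/sbin/clean_logs.sh':   # path is an assumption
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
    source => 'puppet://master.test.com/system_conf/clean_logs.sh',
  }

  # Run the script nightly; the resource title becomes the
  # "# Puppet Name:" comment in the agent's crontab, as seen above.
  cron { 'clean logs':
    ensure  => present,
    command => '/usr/local/sbin/clean_logs.sh',
    minute  => '30',
    hour    => '3',
    user    => 'root',
    require => File['/usr/local/sbin/clean_logs.sh'],
  }
}

# Marker file that only client02 receives, as in the node example above.
class snmp_marker {
  file { '/var/log/snmp.log':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => "test\n",
  }
}

node 'agent.test.com' {
  include log_cleanup
}

node 'client02' {
  include log_cleanup
  include snmp_marker
}

# Any host not matched above gets nothing managed.
node default { }
```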
So far we have synchronized manually. How do we make it automatic?
Agent
# cd /etc/puppet/
# cp client.init /etc/init.d/puppetagent
# chmod 777 /etc/init.d/puppetagent
# cp client.sysconfig /etc/sysconfig/puppet
# vim /etc/sysconfig/puppet    # edit the file
# cat /etc/sysconfig/puppet
# The puppetmaster server
PUPPET_SERVER=master.test.com
# If you wish to specify the port to connect to do so here
#PUPPET_PORT=8140
# Where to log to. Specify syslog to send log messages to the system log.
PUPPET_LOG=/var/log/puppet/puppet.log
# You may specify other parameters to the puppet client here
PUPPET_EXTRA_OPTS=--waitforcert=500
# /etc/init.d/puppetagent start    # start the service; the agent now pulls from the puppetmaster on its own
启动 puppet: [确定]
That completes our Puppet setup!