安装环境centos 7 64bit,puppet 5版本
1. 安装master端
在puppet的网站查找需要安装的yum repository,https://puppet.com/docs/puppet/5.5/puppet_platform.html#yum-based-systems
sudo rpm -Uvh https://yum.puppet.com/puppet5/puppet5-release-el-7.noarch.rpm yum install puppetserver systemctl start puppetserver systemctl enable puppetserver
确认8140端口已经启动
2. puppet的客户端同样是需要安装yum repository, 与上面的的地址同样
sudo yum install puppet-agent
3. 使客户端与服务器端认证同步
a. 保证服务器和客户端的FQDN,/etc/hostname和/etc/hosts 下设置好FQDN (server1.example.com),再使用hostanme -f检查一次主机名,保证可以ping通主机名
b. 服务器和客户端需要同步好ntp时间
4. puppet agent 设置
[root@server2 ~]# vi /etc/puppetlabs/puppet/puppet.conf [main] certname = server2.example.com server = server1.example.com runinterval = 60
certname是客户端(agent)的主机名,server是服务端(master)的主机名。另外下面是另外一个网站的设置,主要多了environment的选项
[main] certname = client.itzgeek.local server = server.itzgeek.local environment = production runinterval = 1h
通过在客户端puppet agent -t 命令测试服务器与客户端直接是否能够联通,客户端把申请提到服务器上
[root@server2 ~]# puppet agent -t Info: Creating a new SSL key for server2.example.com Info: Caching certificate for ca Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml Info: Creating a new SSL certificate request for server2.example.com Info: Certificate Request fingerprint (SHA256): 51:2D:9E:00:47:4C:AA:23:5B:36:25:8B:ED:F0:71:96:FC:1B:18:05:CD:6D:36:52:C9:56:E1:0D:7D:A4:38:EA Info: Caching certificate for ca Exiting; no certificate found and waitforcert is disabled
在服务器上查询证书,下面提示的是从客户端链接过来提出的证书
[root@server1 ~]# puppet cert list "server2.example.com" (SHA256) 51:2D:9E:00:47:4C:AA:23:5B:36:25:8B:ED:F0:71:96:FC:1B:18:05:CD:6D:36:52:C9:56:E1:0D:7D:A4:38:EA
使用下面的命令对证书进行签发
[root@server1 ~]# puppet cert sign server2.example.com Signing Certificate Request for: "server2.example.com" (SHA256) 51:2D:9E:00:47:4C:AA:23:5B:36:25:8B:ED:F0:71:96:FC:1B:18:05:CD:6D:36:52:C9:56:E1:0D:7D:A4:38:EA Notice: Signed certificate request for server2.example.com Notice: Removing file Puppet::SSL::CertificateRequest server2.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/server2.example.com.pem'
如果有多个客户端的节点,你需要一次全部签发可以使用以下命令
/opt/puppetlabs/bin/puppet cert sign --all
s再服务器端可以使用以下命令清除相关的签证
/opt/puppetlabs/bin/puppet cert clean <hostname>
在客户端上再次使用测试命令
[root@server2 ~]# puppet agent -t Info: Caching certificate for server2.example.com Info: Caching certificate_revocation_list for ca Info: Caching certificate for server2.example.com Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Info: Retrieving locales Info: Caching catalog for server2.example.com Info: Applying configuration version '1522307153' Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml Notice: Applied catalog in 0.01 seconds
设置代理启动部分:
root@server3:~# puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
ensure => 'running',
enable => 'true',
}
agent将puppet-agent服务加载
5. 测试部分
manifests/site.pp是设置对agent的推送
[root@server1 ~]# vi /etc/puppetlabs/code/environments/production/manifests/site.pp
node 'server2.example.com' { # Applies only to mentioned node; if nothing mentioned, applies to all.
file { '/tmp/puppetesttdir': # Resource type file
ensure => 'directory', # Create as a diectory
owner => 'root', # Ownership
group => 'root', # Group Name
mode => '0755', # Directory permissions
}
}
node 为需要定义的客户端的hostname,应该就是指定客户端需要做什么内容
file 定义创建一个文件,下面那些就是文件的具体属性
在client上进行测试
[root@server2 ~]# puppet agent -t Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Info: Retrieving locales Info: Caching catalog for server2.example.com Info: Applying configuration version '1522364471' Notice: /Stage[main]/Main/Node[server2.example.com]/File[/tmp/puppetesttdir]/ensure: created Notice: Applied catalog in 0.02 seconds
如果正常的话你会发现在/tmp下面会有一个新的目录,就是刚才设置的内容,属性都一样
6. manifests 存放在/etc/puppetlabs/code/environments/production/manifests 这个puppet第一检查的目录,里面定义的*.pp文件是puppet第一执行的文件
node 'server2.example.com' { # 对对象为server2这个node
package { 'httpd' : # 安装httpd服务
ensure => installed, # 确认是否安装,如果有没安装就将文件进行安装
}
service { 'httpd' : # 对httpd服务进行操作,关键字service
ensure => running, # 对httpd服务进行启动的操作
enable => true, # 定义服务器启动后自动启动httpd服务
}
}
上面的语句为对server2这个节点的简单操作,如果再复杂的就会使用module class这类进行操作
manifests/ 是这个模块puppet_code(功能代码),也就是这个模块都有什么内容,以什么方式推送给客户端,都在这里定义
files/ 是资源目录
任何在manifests/ 中定义的puppet代码,其中如果需要发生一些文件file{} (比如发送一个ssh-key.pub文件) 那么这个文件就需要放入这个file/目录下
node default {
}
default为所有的节点都运行的,但如果在下面有特别指定的节点,测试过特别指定的节点不会执行default的内容
7. puppet resources 资源部分:
puppet resource -e package openssl # 这个命令可以查询puppet package 安装的版本
# centos
package { 'openssl':
ensure => '1:1.0.2k-8.el7',
}
#ubuntu
package { 'openssl':
ensure => '1.0.2g-1ubuntu4.10',
}
# 在centos 下运行
[root@server2 ~]# puppet resource service
service { 'httpd.service':
ensure => 'running',
enable => 'true',
.....
# 在 ubuntu下运行
root@server3:~# puppet resource service
service { 'apache2':
ensure => 'running',
enable => 'true',
.....
puppet resource user (puppet resource root)
puppet describe service # 这个命令可以现实service所需要的参数
puppet describe --list (显示puppet所有资源)
[root@server1 ~]# puppet describe --list These are the types known to puppet: anchor - A simple resource type intended to be used as ... augeas - Apply a change or an array of changes to the ... computer - Computer object management using DirectorySer ... cron - Installs and manages cron jobs exec - Executes external commands file - Manages files, including their content, owner ... file_line - Ensures that a given line is contained within ... filebucket - A repository for storing and retrieving file ... group - Manage groups host - Installs and manages host entries interface - This represents a router or switch interface k5login - Manage the `.k5login` file for a user macauthorization - Manage the Mac OS X authorization database mailalias - .. no documentation .. maillist - Manage email lists .......
puppet describe user (显示user里面的属性) puppet describe -s user (只显示属性, short line)
File:
content => 编写的内容等于echo 'xxx' > yyy同理
target => 目标路径,相当是agent的路径
source => 引用的资源可以选择文件路径或http资源
notify => Service['mysql'] notify相当于触发的意思,例子为当某个文件修改后需要重启服务器
owner => 所有权
group => 组
mode => '0644' 权限
ensure => 可以选择directory, link, file
recurse => true 可以将目录下的所有内容全部复制(目录递归)
class motd {
file { '/etc/motd':
owner => 'root',
group => 'root',
mode => '0644',
source => "puppet:///modules/motd/motd.txt"
}
}
# /etc/puppetlabs/code/environments/production/modules/motd/files/motd.txt
[root@server1 mystuff]# ls
manifests templates
class mystuff::html {
file { '/var/www/html/index.html':
content => template('mystuff/index.html.erb')
}
}
# html.pp in manifests 使用template方法存放erb文件
Package:
ensure => installed 安装软件
ensure => absent 卸载文件
ensure => '1.0.2g-ubuntu' 指定安装某版本的软件
ensure => latest 安装最后一个版本
provider => gem 类似通过yum这样的方式安装软件
puppet resource -e package openssl #这个命令可以查询puppet package 安装的版本 package { 'openssl': ensure => '1:1.0.2k-8.el7',
Services:
puppet describe service 列出所有service 属性的设置项
puppet describe --list
ensure => running, 服务要求启动
enable => true 启动的时候启用服务
hasstatus => true,false 当使用false的时候,puppet不会使用systemctl service status方式监控,使用ps ax的方式检查进程表; 当设置为true的时候puppet就执行restart命令
pattern => 'ntpd' 当hasstatus使用false时,进程名称与service 标称的名称不一致,这时候就要使用pattern标识正确的名称
restart => '/bin/echo restarting >> /tmp/debug.log && systemctl resrart ntp' 重启服务器并且写入记录
User
ensure => present 检查系统用户是否存在, absent删除用户
gid => 3000 设置用户组id
uid => 3001 设置用户id
home => '/home/user' 设置用户的主目录
shell => '/bin/bash' 设置用是否能够使用shell /user/sbin/nologin
groups => ['devs'] 设置组设置,(未清除是否是其他组成员,需要设置后再看)
SSHkeys
purge_ssh_keys 当删除用户之后, 可以通过这个属性删除ssh_authorized_key的用户信息
Cron
ensure => absent 同样absent为删除这个cron job
command => '/usr/local/bin/run-puppet' 执行的命令
hour => '*' 这里*代表每小时都运行
hour => fqdn_rand(24, 'run daily backup sync') 产生随机数0 - 23数
minute => '*/15' 这里两行代表每15分钟执行run-puppet脚本一次
user => 'ubuntu' 指定用户执行
environment => ['MAILTO=admin@example.com', 'PATH=/bin'] 指定环境设置
weekday => ['Saturaday', 'Sunday'] 星期六和星期日执行
EXEC
cwd => '/tmp' 类似cd (current working directory)
command = '/tmp/generator/configure && /usr/bin/make install' 执行的命令(这里一定要使用绝对路径)
creates => '/usr/local/bin/cat-picture-generator' creates是检查路径是否有创建,通常是放在command后面使用,如果发现没有创建就会重新执行command的内容
user => 'ubuntu' 使用ubuntu用户执行
onlyif => '/bin/ls /tmp/incoming/*' 如果执行ls /tmp/incoming/* 返回0(echo $?)的时候就会执行command的内容
unless => '/bin/ls /tmp/incoming/*' 与上面相反,当得到的结果为非0的时候才会执行command的内容
refreshonly => true 期望的状态返回值,返回非此值时表示命令执行(未是好明白)
timeout => 超时设置
8.puppet 变量
facter命令, 显示当前系统变量,可以使用到if等语句,if Redhat ....
[root@server1 ~]# facter osfamily RedHat [root@server1 ~]# facter ipaddress 192.168.2.181 [root@server1 ~]# facter hostname server1
Variables: 变量可以包括string, number, boolean
$php_package = 'php7.0-cli'
$answer = 42
$scheduled = true
$my_name = 'John'
notice("Hello, ${my_name}! It's a great to meet you!")
Booleans:
enable => true
Arrays:
$heights = [192, 120, 181, 164, 172]
$first_height = $heights[0]
$dependencies = ['php7.0-cgi', 'php7.0-cli', 'php7.0-common', 'php7.0-gd', 'php7.0-json',]
package { $dependencies :
ensure => installed,
}
$admintools = ['git', 'nano', 'screen']
package { $admintools:
ensure => 'installed',
}
Hashes: 等于key = value关系 类似dic
$heights = {
'john' => 192,
'rabiah' => 120,
'abigail' => 181,
'melina' => 164,
'sumiko' => 172,
}
notice(:John's height is ${heights['john']}cm.")
$attributes = {
'owner' => 'ubuntu',
'group' => 'ubuntu',
'mode' => '0644',
}
file { '/tmp/test':
ensure => present,
* => $attributes,
}
等于
file { '/tmp/test':
ensure => present,
owner => 'ubuntu',
group => 'vagrant',
mode => '0644',
}
$ntpservice = $osfamily ? {
'redhat' => 'ntpd',
'debain' => 'ntp',
'default' => 'ntp',
}
service { $ntpservice:
ensure => 'running'
enable => true,
}
#例子根据操作系统的service进行判断
Regular expressions:
$candidate = 'foo'
notice($candidate =~ /foo/) 使用=~作为regex的符号
if statements:
case statements:
facts built-in mechanism: 检查系统的内置函数
notice($facts['kernel']) 检查linux系统的内核
notice($::kernel) 旧版本检查方法
$facts['os'] hash with architecture, distro, family, hardware, name, release, selinux
notice($facts['os']['architecture'])
notice($facts['os']['distro']['codename'])
$facts['os']['release']['major'] 这个参数会经常使用
if $facts['os']['selinux']['enabled'] {
notice('SELinux is enabled')
} else {
notice(''SELinux is disable')
}
检查SELinux是否打开
$buffer_pool = $facts['memory']['system']['total_bytes'] * 3/4
notice("innodb_buffer_pool_size=${buffer_pool}")
检查MySQL的innodb缓存大小
$facts['memory']['system']['total_bytes']
检查系统内存大小
notice("My hostname is ${facts['hostname']}")
notice("My FQDN is ${facts['fqdn']}")
notice("My IP is ${facts['networking']['ip']}")
$facts['hostname']
检查网络部分
9. class & modules (摆放的目录)
data environment.conf hiera.yaml manifests modules ./data: ./manifests: site.pp ./modules: motd ./modules/motd: manifests ./modules/motd/manifests: init.pp
init.pp是modules的默认文件
class linux {
package { 'ntp':
ensure => 'installed',
}
}
node 'wiki' {
{ class 'linux': }
}
例子1:
class motd {
file { '/etc/motd':
owner => 'root',
group => 'root',
mode => '0644',
content => inline_template("The current $osfamily time is <%= Time.now %>
")
}
}
#这个是init.pp的设置
class motd::crabby {
notify { "Knife Crab is the best": }
}
# 这个是manifests/motd的另外一个模块
node default {
class { 'motd': }
class { 'motd::crabby': }
}
# 这个是主manifests下site.pp配置文件
motd::crabby,crabby为motd的子类
例子2:
[root@server1 modules]# ls -R .: motd mystuff ./motd: manifests ./motd/manifests: crabby.pp init.pp ./mystuff: manifests ./mystuff/manifests: init.pp vim.pp
class mystuff {
notify { "I'm installing stuff like you wanted me to sir": }
include mystuff::vim
}
# init.pp文件
class mystuff::vim {
package { 'vim':
ensure => 'latest'
}
} # mystuff.pp
node default {
class { 'motd': }
class { 'mystuff': }
} #site.pp
例子3:
class mystuff::apache {
if $osfamily == 'redhat' {
package { 'httpd':
ensure => latest
}
service { 'httpd':
ensure => running,
enable => true,
}
}
elsif $osfamily == 'debian' {
package { 'apache2':
ensure => latest
}
service { 'apache2':
ensure => running,
enable => true,
}
}
}
# 增加一个apache.pp的文件在mystuff下面
class mystuff {
notify { "I'm installing stuff like you wanted me to sir": }
include mystuff::vim
include mystuff::apache
}
# 增加mystuff::apache 在init.pp文件下,其他内容均不变
10. puppet forge
https://forge.puppetlabs.com puppet modules下载
[root@server1 manifests]# ls apache.pp html.pp init.pp vim.pp [root@server1 manifests]# vi html.pp [root@server1 manifests]# puppet module list /etc/puppetlabs/code/environments/production/modules ├── motd (???) └── mystuff (???) /etc/puppetlabs/code/modules (no modules installed) /opt/puppetlabs/puppet/modules (no modules installed)
在master中检查已经按照的modules
[root@server1 manifests]# puppet module search ntp Notice: Searching https://forgeapi.puppet.com ... [root@server1 manifests]# puppet module install puppetlabs-ntp Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ... Notice: Downloading from https://forgeapi.puppet.com ... Notice: Installing -- do not interrupt ... /etc/puppetlabs/code/environments/production/modules └─┬ puppetlabs-ntp (v7.1.1) └── puppetlabs-stdlib (v4.25.1)
查询及安装puppet module
node default {
class { 'motd': }
class { 'mystuff': }
class { '::ntp': }
}
最后只要在site.pp文件中加载ntp就可以了
notes:
在配置server的时候,误删除了agent的认证key,导致怎么都加不了agent,后来重新安装系统和gen key发现,应该在服务器上把下面路径的文件删除后就可以重新gen key
Notice: Removing file Puppet::SSL::CertificateRequest server3.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/server3.example.com.pem'