Learning Puppet (Part 2)

    Puppet's workflow

    1. Introduction

    Puppet is a centralized configuration management system for Linux and Unix platforms built on a client/server star topology. Puppet has its own language and can manage configuration files, users, cron jobs, software packages, system services and more. Puppet calls these system entities resources; its design goal is to simplify the management of these resources and to handle the dependencies between them properly.

    2. How it works

    A Puppet deployment consists of one or more masters and many clients. Every client periodically (every 30 minutes by default) uses the facter tool to collect its basic configuration information and sends it to the server over XML-RPC on HTTPS. The server looks up the configuration code for that host by its hostname, compiles it, and sends the compiled configuration back to the client; the client applies it to complete the configuration and reports the result of the run back to the Puppet server.

    Note: XML-RPC is an RPC mechanism that uses HTTP as its transport and carries commands and data as XML text.

    [Figure: Puppet workflow]

    As shown in the figure above, the Puppet workflow is as follows:

    1) The client's puppetd calls facter, which discovers variables about the host such as the hostname, memory size and IP address. puppetd sends this information to the server over an SSL connection;

    2) The puppetmaster on the server checks the client's hostname, finds the matching node definition in the manifest, and parses only that part: the facts sent by facter are available as variables, and only the code the node references is parsed; code it does not reference is ignored. Parsing happens in stages: first a syntax check, which reports an error if the syntax is wrong; if the syntax is fine, parsing continues and produces an intermediate "pseudo-code", which is sent to the client;

    3) The client receives the "pseudo-code", applies it, and sends the result of the run to the server;

    4) The server writes the client's results to its log.

    Two points about the Puppet workflow deserve attention:

    First, for security, communication between client and master is based on SSL and certificates; only clients whose certificates have been signed by the master can talk to the master;

    Second, Puppet keeps the system in the state you declare and maintains it: for example it can check that a file exists and keep it there, or ensure the ssh service is always running. If the file is deleted or the ssh service is stopped, Puppet will recreate the file or start the ssh service again on its next run (every 30 minutes by default).

    3. Advantages and disadvantages

    1) Simple syntax

    2) Flexibility

    3) Easy to extend

    4. Installation and deployment

    4.1 Preparing the environment

    [root@linux-node1 ~]# cat /etc/redhat-release               # system environment
    CentOS release 6.6 (Final)
    [root@linux-node1 ~]# uname -r
    2.6.32-504.el6.x86_64
    [root@linux-node1 ~]# uanme -m
    -bash: uanme: command not found
    [root@linux-node1 ~]# uname -m
    x86_64
    [root@linux-node1 ~]# /etc/init.d/iptables stop             # stop iptables
    [root@linux-node1 ~]# /usr/sbin/ntpdate pool.ntp.org          # time synchronization; this step is important
    [root@linux-node1 ~]# yum install ruby -y             # install the ruby environment
    [root@linux-node1 ~]# groupadd puppet       # create the puppet group and user
    [root@linux-node1 ~]# useradd -g puppet -s /bin/false -M puppet

    4.2 Set the hostname and hosts resolution

    [root@master ~]# hostname     # master side
    master.test.com
    [root@agent ~]# hostname     # client side
    agent.test.com

    echo "10.0.0.60 master.test.com">>/etc/hosts
    echo "10.0.0.61 agent.test.com">>/etc/hosts

    4.3 Install facter and puppet

    [root@master ~]# mkdir -p /usr/local/src/
    [root@master ~]# cd /usr/local/src/
    [root@master src]# wget http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz
    [root@master src]# wget http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz
    [root@master src]# tar xf facter-1.6.5.tar.gz          # install facter
    [root@master src]# cd facter-1.6.5
    [root@master facter-1.6.5]# ruby install.rb
    [root@master facter-1.6.5]# facter            # check: facter normally prints the host's information
    [root@master facter-1.6.5]# cd /usr/local/src/     # install puppet
    [root@master src]# tar xf puppet-2.6.13.tar.gz
    [root@master src]# cd puppet-2.6.13
    [root@master puppet-2.6.13]# ruby install.rb

    Run the same steps on the agent.

    4.4 Create the configuration directory and start the service

    On the master:

    [root@master ~]# mkdir /etc/puppet/manifests      # create the manifests directory
    [root@master puppet-2.6.13]# cd /usr/local/src/puppet-2.6.13
    [root@master puppet-2.6.13]# cp conf/redhat/* /etc/puppet/
    [root@master puppet-2.6.13]# cp conf/auth.conf /etc/puppet/
    [root@master puppet-2.6.13]# cp /etc/puppet/server.init /etc/init.d/puppetmaster     # copy the init script into /etc/init.d
    [root@master puppet-2.6.13]# chmod 755 /etc/init.d/puppetmaster   # make it executable
    [root@master puppet-2.6.13]# /etc/init.d/puppetmaster start      # start the service
    [root@master puppet-2.6.13]# lsof -i:8140                    # check that the port is listening
    COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    puppetmas 5677 puppet    7u  IPv4  90241      0t0  TCP *:8140 (LISTEN)

    On the agent, request a certificate from the master:

    [root@agent ~]# puppetd --test --server master.test.com             # request a certificate from the master
    info: Creating a new SSL key for agent.test.com
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for agent.test.com
    info: Certificate Request fingerprint (md5): F2:06:96:19:97:76:2B:B1:1E:56:47:B1:3C:70:17:CE
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled

    On the master:

    [root@master puppet-2.6.13]# puppetca -l        # list pending certificate requests
      agent.test.com (F2:06:96:19:97:76:2B:B1:1E:56:47:B1:3C:70:17:CE)
    [root@master puppet-2.6.13]# puppetca -s -a       # sign all pending requests; to sign a single host, put its hostname after -s instead of -a
    notice: Signed certificate request for agent.test.com
    notice: Removing file Puppet::SSL::CertificateRequest agent.test.com at '/var/lib/puppet/ssl/ca/requests/agent.test.com.pem'
    [root@master puppet-2.6.13]# ll /var/lib/puppet/ssl/ca/signed/agent.test.com.pem
    -rw-r----- 1 puppet puppet 863 Dec  4 16:11 /var/lib/puppet/ssl/ca/signed/agent.test.com.pem     # this file is created once the request is signed

    On the agent:

    [root@agent ~]# puppetd --test --server master.test.com      # the output below means the configuration is complete and the master can manage the agent
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for agent.test.com
    info: Caching certificate_revocation_list for ca
    info: Caching catalog for agent.test.com
    info: Applying configuration version '1449216956'
    info: Creating state file /var/lib/puppet/state/state.yaml
    notice: Finished catalog run in 0.01 seconds

    At this point certificate authorization is complete.

    If the certificates fail to match during authorization, do the following:

    1. Delete the ssl directory on the agent

    [root@agent puppet]# cd /var/lib/puppet/
    [root@agent puppet]# ls
    classes.txt   client_data  facts  ssl
    clientbucket  client_yaml  lib    state
    [root@agent puppet]# rm -rf ssl

    2. Delete the agent's signed certificate on the master

    cd /var/lib/puppet/ssl/ca/signed
    rm -f agent.test.com.pem

    3. Repeat the authorization steps above

    This completes the installation and configuration of Puppet and the certificate exchange between master and agent.
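    The signing step above uses puppetca -s -a, which signs every pending request at once. As an added example (not part of the original post), the POSIX shell helper below signs a single agent only after the fingerprint that puppetca -l lists on the master matches the one the agent printed in its "Certificate Request fingerprint" line; it assumes the puppetca -l output format shown on this page, and the function names are my own.

```shell
#!/bin/sh
# Added example: sign one agent's certificate request only after its fingerprint checks out.
# Assumes the `puppetca -l` listing format shown on this page: "  agent.test.com (F2:06:...)".
# The function names are assumptions of this example, not Puppet commands.

# csr_fingerprint LISTING HOST
# Prints the fingerprint the listing reports for HOST (empty if HOST has no pending request).
csr_fingerprint() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 == h { gsub(/[()]/, "", $2); print $2; exit }'
}

# fingerprints_match HOST EXPECTED LISTING
# Returns 0 only when HOST has a pending request whose fingerprint equals EXPECTED
# (EXPECTED is the value the agent printed after "Certificate Request fingerprint (md5):").
fingerprints_match() {
    found=$(csr_fingerprint "$3" "$1")
    [ -n "$found" ] && [ "$found" = "$2" ]
}

# sign_verified_agent HOST EXPECTED
# Reads the live listing from the master's CA and signs that single host, never with -a
# (which would also sign any other request that happens to be pending at the same time).
sign_verified_agent() {
    listing=$(puppetca -l) || return 2
    if fingerprints_match "$1" "$2" "$listing"; then
        puppetca -s "$1"
    else
        echo "refusing to sign $1: no pending request with fingerprint $2" >&2
        return 1
    fi
}
```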

    5. Writing configuration scripts

    5.1 Resources

    The most commonly used resource types are:

    file: file management
    package: package management
    service: system service management
    cron: scheduled tasks
    exec: run shell commands

    6. Practical examples

    6.1 Example 1: managing a file

    Master side: the server keeps all of the configuration code for the client servers; in Puppet this is called the manifests. After a client downloads its manifest it configures the server according to it, for example package management, user management and file management.

    [root@master manifests]# cd /etc/puppet/manifests/
    [root@master manifests]# cat site.pp
    node default{
            file {"/tmp/test.txt":
                    content=>"hello world ";
             }
    }

    The code above means:

    there is a default node (each agent is called a node); in that node's /tmp, create a file called test.txt whose content is hello world.

    Verify on the agent

    [root@agent ~]# puppetd --test --server master.test.com      # after configuring on the master, the run is triggered on the agent
    info: Caching catalog for agent.test.com
    info: Applying configuration version '1449217516'
    notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/ensure: defined content as '{md5}6f5902ac237024bdd0c176cb93063dc4'
    notice: Finished catalog run in 0.01 seconds
    [root@agent ~]# ll /tmp/
    total 4
    -rw-r--r-- 1 root root 12 Dec  4 16:25 test.txt
    [root@agent ~]# cat /tmp/test.txt            # the file was created with the given content
    hello world

    Another one: push a script to /tmp

    [root@master manifests]# pwd
    /etc/puppet/manifests
    [root@master manifests]# cat site.pp
    node default{
            file { "/tmp/clearlog.sh":
                    content=>"find /log/ -type f -size +10KB |xargs rm -f ";
            }
    }

    Verify on the agent

    [root@agent ~]# puppetd --test --server master.test.com
    info: Caching catalog for agent.test.com
    info: Applying configuration version '1449232240'
    notice: /Stage[main]//Node[default]/File[/tmp/clearlog.sh]/ensure: defined content as '{md5}8fc5e0257f6ef3f8c31be04e99f6cb1a'
    notice: Finished catalog run in 0.02 seconds
    [root@agent ~]# cat /tmp/clearlog.sh         # the script file was created
    find /log/ -type f -size +10KB |xargs rm -f

    Now modify the script and verify again after the change

    [root@master manifests]# cat site.pp
    node default{
            file { "/tmp/clearlog.sh":
                    content=>"find /log/ -type f -size +1000KB |xargs rm -f ";
            }
    }

    Verify

    [root@agent ~]# puppetd --test --server master.test.com
    info: Caching catalog for agent.test.com
    info: Applying configuration version '1449232404'

    --- /tmp/clearlog.sh    2015-12-04 20:30:41.552856112 +0800

    +++ /tmp/puppet-file20151204-3603-1d4sxkq-0     2015-12-04 20:33:24.893856051 +0800

    @@ -1 +1 @@

    -find /log/ -type f -size +10KB |xargs rm -f

    +find /log/ -type f -size +1000KB |xargs rm -f
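    Review bot: the replacement line still pipes find into xargs rm -f without -print0/-0, so any path under /log/ containing whitespace or a quote would be split and the wrong files removed; GNU find's -size also takes single-letter units (k, M, G), so +1000KB is not a valid size argument. Suggest content => "find /log/ -type f -size +1000k -print0 | xargs -0 rm -f\n".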

    info: FileBucket adding {md5}8fc5e0257f6ef3f8c31be04e99f6cb1a
    info: /Stage[main]//Node[default]/File[/tmp/clearlog.sh]: Filebucketed /tmp/clearlog.sh to puppet with sum 8fc5e0257f6ef3f8c31be04e99f6cb1a
    notice: /Stage[main]//Node[default]/File[/tmp/clearlog.sh]/content: content changed '{md5}8fc5e0257f6ef3f8c31be04e99f6cb1a' to '{md5}eda7c1034d59fa4af3eef1c127a5f18d'
    notice: Finished catalog run in 0.04 seconds
    [root@agent ~]# cat /tmp/clearlog.sh
    find /log/ -type f -size +1000KB |xargs rm -f

    6.2 Example 2: create a file and change its owner and permissions

    Modify the configuration file on the master:

    [root@master manifests]# pwd
    /etc/puppet/manifests
    [root@master manifests]# cat site.pp
    node default{
    file {"/tmp/test.txt":
            owner => "root",
            group => "puppet",
            mode => "0777",
            content => "test"
    }
    }

    Verify on the agent

    [root@agent ~]# ll /tmp/test.txt
    -rw-r--r-- 1 root root 12 Dec  4 16:25 /tmp/test.txt
    [root@agent ~]# puppetd --test --server master.test.com
    info: Caching catalog for agent.test.com
    info: Applying configuration version '1449232846'

    --- /tmp/test.txt       2015-12-04 16:25:17.093861548 +0800

    +++ /tmp/puppet-file20151204-4096-157x3zh-0     2015-12-04 20:40:46.540855888 +0800

    @@ -1 +1 @@

    -hello world

    +test

    No newline at end of file
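    Review bot: the "No newline at end of file" marker shows that the content string "test" is written without a trailing newline, so line-oriented tools reading /tmp/test.txt and later diffs will keep tripping over the last line; end the string with a newline, content => "test\n".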

    info: FileBucket adding {md5}6f5902ac237024bdd0c176cb93063dc4
    info: /Stage[main]//Node[default]/File[/tmp/test.txt]: Filebucketed /tmp/test.txt to puppet with sum 6f5902ac237024bdd0c176cb93063dc4
    notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/content: content changed '{md5}6f5902ac237024bdd0c176cb93063dc4' to '{md5}098f6bcd4621d373cade4e832627b4f6'
    notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/group: group changed 'root' to 'puppet'
    notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/mode: mode changed '644' to '777'
    notice: Finished catalog run in 0.04 seconds
    [root@agent ~]# ll /tmp/test.txt          # the permissions and group have changed
    -rwxrwxrwx 1 root puppet 4 Dec  4 20:40 /tmp/test.txt
    [root@agent ~]# cat /tmp/test.txt        # the content has changed
    test

    This means:

    when the agent runs, it downloads the file to the agent's /tmp, creates test.txt, sets its owner to root and its group to puppet, and sets the permissions to -rwxrwxrwx (777).

    6.4 Example 4: managing crontab entries

    site.pp on the master

    [root@master manifests]# pwd
    /etc/puppet/manifests
    [root@master manifests]# cat site.pp
    cron { “ntp time” :
                    command => “/usr/sbin/ntpdate  pool.ntp.org >/dev/null  2>&1”,
                    minute => ‘*/10’,
                    hour => [‘2-4’],
                    monthday => [2,4],
                    ensure => present,
                    environment => “PATH=/bin:/usr/bin:/usr/sbin”
    }

    Running the agent against the manifest above produces the following error (the curly quotes are not valid string delimiters in Puppet):

    [root@agent ~]# puppetd --test --server master.test.com
    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Could not match “ntp at /etc/puppet/manifests/site.pp:1 on node agent.test.com
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

    Rewrite it, this time with straight quotes:

    [root@master manifests]# cat site.pp
    cron { "ntp time":
                    command => "/usr/sbin/ntpdate  pool.ntp.org >/dev/null 2>&1",
                    minute => '*/10',
                    hour => ['2-4'],
                    monthday => [2,4],
                    ensure => present,
                    environment => "PATH=/bin:/usr/bin:/usr/sbin"
    }

    Verify on the agent

    [root@agent ~]# puppetd --test --server master.test.com
    info: Caching catalog for agent.test.com
    info: Applying configuration version '1449249708'
    notice: /Stage[main]//Cron[ntp time]/ensure: created
    notice: Finished catalog run in 0.07 seconds
    [root@agent ~]# crontab -l
    # HEADER: This file was autogenerated at Sat Dec 05 01:21:53 +0800 2015 by puppet.
    # HEADER: While it can still be managed manually, it is definitely not recommended.
    # HEADER: Note particularly that the comments starting with 'Puppet Name' should
    # HEADER: not be deleted, as doing so could cause duplicate cron jobs.
    #####ntpdate time##########
    */5 * * * * /usr/sbin/ntpdate time.nist.nov >/dev/null 2>&1
    # Puppet Name: ntp time
    PATH=/bin:/usr/bin:/usr/sbin
    */10 2-4 2,4 * * /usr/sbin/ntpdate  pool.ntp.org >/dev/null 2>&1

    6.5 Example 5: sync files under /etc/puppet/system_conf/script on the master to the agent

    a) Modify the master's configuration file (fileserver.conf)

    [system_conf]
        path /etc/puppet/system_conf/
        allow *

    b) Restart the master

    /etc/init.d/puppetmaster restart

    c) Put the files to be synced under /etc/puppet/system_conf/script on the master

    d) Modify site.pp on the master

    file { "/etc/resolv.conf":
             mode=>644,
             source => "puppet://master.test.com/system_conf/resolv.conf"
    }

    Files that can be managed this way:

        system files: hosts, resolv.conf, i18n, yum configuration files
        script files: /script/service_all_clear.sh

    Analysis:

    I want to push files to the agent

    1. Modify fileserver.conf on the master

    2. The directory has to be shared out, otherwise the files inside it cannot be read

    [root@master puppet]# pwd
    /etc/puppet
    [root@master puppet]# mkdir -p /etc/puppet/system_conf
    [root@master puppet]# cd /etc/puppet/system_conf/
    [root@master system_conf]# vim a.log
    [root@master system_conf]# ll a.log
    -rw-r--r-- 1 root root 7 Dec  5 01:34 a.log

    Modify the configuration file

    [root@master puppet]# pwd
    /etc/puppet
    [root@master puppet]# tail -4 fileserver.conf
    # add by xiedi
     [system_conf]
            path /etc/puppet/system_conf/
            allow *

    Restart so the change takes effect

    [root@master puppet]# /etc/init.d/puppetmaster restart
    Stopping puppetmaster:                                     [  OK  ]
    Starting puppetmaster:                                     [  OK  ]

    Modify site.pp on the master

    [root@master manifests]# vim site.pp
    file {"/etc/resolv.conf":
            mode => 777,
            source => "puppet://master.test.com/system_conf/resolv.conf";
    }

    Create the file to be synced by copying it straight into the target directory. Note that the sync directory is the one set in the configuration file, /etc/puppet/system_conf, as written in fileserver.conf

    [root@master manifests]# cp /etc/resolv.conf /etc/puppet/system_conf/
    [root@master manifests]# ll /etc/puppet/system_conf/
    a.log        resolv.conf
    [root@master manifests]# ll /etc/puppet/system_conf/resolv.conf
    -rw-r--r-- 1 root root 21 Dec  5 01:43 /etc/puppet/system_conf/resolv.conf

    Test on the agent

    [root@agent ~]# puppetd --test --server master.test.com
    info: Caching catalog for agent.test.com
    info: Applying configuration version '1449251085'
    notice: /Stage[main]//File[/etc/resolv.conf]/mode: mode changed '644' to '777'
    notice: Finished catalog run in 0.08 seconds
    [root@agent ~]# ll /etc/resolv.conf
    -rwxrwxrwx. 1 root root 21 Nov 17 08:39 /etc/resolv.conf

    Done! Pay attention to the permissions of system files that you sync this way.
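    The site.pp in examples 2 and 5 sets mode 777 on the managed file, and the fileserver.conf mount uses allow *, which lets every signed agent read the mount. As an added example (not part of the original post), this POSIX shell check runs on the master before puppetmaster is restarted and flags both settings; the manifest and fileserver.conf paths are passed in as arguments, and the function names are my own.

```shell
#!/bin/sh
# Added example: pre-restart check of a Puppet master's manifest and fileserver.conf.
# Flags (1) file resources whose mode grants write to "other" and (2) mounts with "allow *".
# The function names are assumptions of this example; the checks only read the files given.

# world_writable_modes MANIFEST
# Prints "file:line: mode NNN" for every "mode =>" value whose last digit is 2, 3, 6 or 7
# (the write bit for "other"); returns 1 if any were found, 0 otherwise.
world_writable_modes() {
    tr -d "\"'" < "$1" | awk -v f="$1" '
        BEGIN { bad = 0 }
        /mode[ \t]*=>/ {
            m = $0
            sub(/.*mode[ \t]*=>[ \t]*/, "", m)   # keep what follows "mode =>"
            sub(/[^0-9].*$/, "", m)              # drop the trailing comma or semicolon
            if (m != "" && substr(m, length(m), 1) ~ /[2367]/) {
                print f ":" NR ": mode " m
                bad = 1
            }
        }
        END { exit bad }'
}

# open_mounts FILESERVER_CONF
# Prints "file:line: [mount] allow *" for each mount open to every client; returns 1 if any.
open_mounts() {
    awk -v f="$1" '
        BEGIN { bad = 0; mount = "" }
        /^[ \t]*\[/ { mount = $0; gsub(/[^A-Za-z0-9_]/, "", mount) }   # remember current mount
        /^[ \t]*allow[ \t]+\*[ \t]*$/ {
            print f ":" NR ": [" mount "] allow *"
            bad = 1
        }
        END { exit bad }' "$1"
}

# check_puppet_config MANIFEST FILESERVER_CONF -> 0 only when both checks are clean
check_puppet_config() {
    rc=0
    world_writable_modes "$1" || rc=1
    open_mounts "$2" || rc=1
    return $rc
}
```

    A clean run returns 0 and prints nothing, so the check can gate the puppetmaster restart from a deploy script.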


    Original source: https://www.cnblogs.com/wuhg/p/10002234.html