学习Puppet（二）

puppet的工作流程

1.简介

puppet是一种采用C/S星状结构的linux、Unix平台的集中配置管理系统。puppet拥有自己的语言，可管理配置文件、用户、cron任务、软件包、系统服务等。puppet把这些系统实体称之为资源，puppet的设计目标是简化对这些资源的管理以及妥善处理资源的依赖关系。

2.工作原理

puppet是一个或者多个maste，众多client，所有的客户端都定期（默认为30分钟）使用facter工具把客户端的基本配置信息，通过https的xmlrpc协议发送给服务器端，服务器端通过分析客户端主机名，找到该主机的配置代码，然后编译配置代码，把编译好的配置代码发回客户端，客户端执行代码完成配置。并且把代码执行情况反馈给puppet服务器端。

注释：xmlrpc是使用http协议作为传输协议的rpc机制，使用xml文本的方式传输命令和数据。

puppet的工作流程

 

如上图所示，puppet的工作流程如下：

1）  客户端puppetd调用facter,facter探测出主机的一些变量，例如主机名、内存大小、IP地址等。puppetd把这些信息通过ssl连接发送到服务器端；

2）  服务器端的puppetmaster检测客户端的主机名，然后找到manifest里面对应的node配置，并对该部分内容进行解析，facter送来的信息可以作为变量处理，node牵涉到的代码才能解析，其他没有涉及的代码不解析。解析分为几个阶段，语法检查，如果语法错误就报错。如果语法没错，就继续解析，解析的结果生成一个中间的“伪代码”，然后把伪代码发给客户端；

3）  客户端接收到“伪代码”，并且执行，客户端把执行结果发送给服务器；

4）  服务器把客户端的执行结果写入日志。

puppet工作过程中有两点值得注意：

第一，   为了保证安全，client和master之间是基于ssl和证书的，只有经过master证书认证的client可以与master通信；

第二，   puppet会让系统保持在你所期望的某种状态并一直维持下去，如检测某个文件并保证其一直存在，保证ssh服务始终开启，如果文件被删除了或者ssh服务被关闭了，puppet下次执行时（默认30分钟），会重新创建该文件或者启动ssl服务。

3.优点与缺点

1）语法结构简单

2）灵活性

2）易于扩展

4.安装部署

4.1环境准备

[root@linux-node1 ~]# cat /etc/redhat-release               �0�8系统环境

CentOS release 6.6 (Final)

[root@linux-node1 ~]# uname -r

2.6.32-504.el6.x86_64

[root@linux-node1 ~]# uanme -m

-bash: uanme: command not found

[root@linux-node1 ~]# uname -m

x86_64

[root@linux-node1 ~]# /etc/init.d/iptables stop             �0�8关闭iptables

[root@linux-node1 ~]# /usr/sbin/ntpdate pool.ntp.org          �0�8时间同步，这块很重要

[root@linux-node1 ~]# yum install ruby –y             �0�8安装ruby环境

[root@linux-node1 ~]# groupadd puppet       �0�8建立所属组及用户

[root@linux-node1 ~]# useradd -g puppet -s /bin/false -M puppet

4.2修改主机名和host解析

[root@master ~]# hostname     �0�8master端

master.test.com

[root@agent ~]# hostname     �0�8client端

agent.test.com

echo "10.0.0.60 master.test.com">>/etc/hosts

echo "10.0.0.61 agent.test.com">>/etc/hosts

4.3安装facter和puppet

[root@master ~]# mkdir -p /usr/local/src/

[root@master ~]# cd /usr/local/src/

[root@master src]# wget http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz

[root@master src]# wget http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz

[root@master src]# tar xf facter-1.6.5.tar.gz          �0�8安装facter

[root@master src]# cd facter-1.6.5

[root@master facter-1.6.5]# ruby  install.rb

[root@master facter-1.6.5]# facter            �0�8检查，通常会收集主机的信息参数

[root@master facter-1.6.5]# cd /usr/local/src/     �0�8安装puppet

[root@master src]# tar xf puppet-2.6.13.tar.gz

[root@master src]# cd puppet-2.6.13

[root@master puppet-2.6.13]# ruby install.rb

agent端执行同样操作即可。

4.4创建配置文件目录并启动服务

master端执行：

[root@master ~]# mkdir /etc/puppet/manifests      �0�8创建配置文件目录

[root@master puppet-2.6.13]# cd /usr/local/src/puppet-2.6.13

[root@master puppet-2.6.13]# cp conf/redhat/* /etc/puppet/

[root@master puppet-2.6.13]# cp conf/auth.conf /etc/puppet/

[root@master puppet-2.6.13]# cp /etc/puppet/server.init  /etc/init.d/puppetmaster     �0�8拷贝启动文件到/etc/init.d下面

[root@master puppet-2.6.13]# chmod 755 /etc/init.d/puppetmaster   �0�8给权限

[root@master puppet-2.6.13]# /etc/init.d/puppetmaster start      �0�8启动服务

[root@master puppet-2.6.13]# lsof -i:8140                    �0�8查看端口是否起来

COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

puppetmas 5677 puppet    7u  IPv4  90241      0t0  TCP *:8140 (LISTEN)

agent端执行：目的向master请求证书

[root@agent ~]# puppetd --test --server master.test.com             �0�8 向master请求证书

info: Creating a new SSL key for agent.test.com

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for ca

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

info: Creating a new SSL certificate request for agent.test.com

info: Certificate Request fingerprint (md5): F2:06:96:19:97:76:2B:B1:1E:56:47:B1:3C:70:17:CE

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

warning: peer certificate won't be verified in this SSL session

Exiting; no certificate found and waitforcert is disabled

master端执行

[root@master puppet-2.6.13]# puppetca –l        �0�8查看谁在请求证书

agent.test.com (F2:06:96:19:97:76:2B:B1:1E:56:47:B1:3C:70:17:CE)

[root@master puppet-2.6.13]# puppetca -s –a       �0�8给所有的请求都授权，如果想单独授权，直接在-s后面添加用户hosts名即可

notice: Signed certificate request for agent.test.com

notice: Removing file Puppet::SSL::CertificateRequest agent.test.com at '/var/lib/puppet/ssl/ca/requests/agent.test.com.pem'

[root@master puppet-2.6.13]# ll /var/lib/puppet/ssl/ca/signed/agent.test.com.pem

-rw-r----- 1 puppet puppet 863 Dec  4 16:11 /var/lib/puppet/ssl/ca/signed/agent.test.com.pem     �0�8授权后会生成这个文件

agent端执行

[root@agent ~]# puppetd --test --server master.test.com      �0�8出现下面提示则表示配置完成，master可以管理agent端

warning: peer certificate won't be verified in this SSL session

info: Caching certificate for agent.test.com

info: Caching certificate_revocation_list for ca

info: Caching catalog for agent.test.com

info: Applying configuration version '1449216956'

info: Creating state file /var/lib/puppet/state/state.yaml

notice: Finished catalog run in 0.01 seconds

至此，授权匹配完成。

如果授权中出现匹配出错，执行下面操作即可：

1.删除agent端的ssl

[root@agent puppet]# cd /var/lib/puppet/

[root@agent puppet]# ls

classes.txt   client_data  facts  ssl

clientbucket  client_yaml  lib    state

[root@agent puppet]# rm -rf ssl

2.删除master端的

cd /var/lib/puppet/ssl/ca/signed

rm -f agent.test.com.pem

3.再操作刚才授权步骤即可

以上完成了puppet的安装配置授权交互。

5.配置脚本编写

5.1 资源

常用的资源主要有以下几个：

file：文件管理

package：软件包管理

service：系统服务管理

cron：配置定期任务

exec：运行shell命令

6.举例说明其实际应用

6.1 例子一：文件配置

master端:服务器端保存着所有对客户端服务器的配置代码，在puppet里面叫做manifests,客户端下载manifest之后，可以根据manifest对服务器进行配置，例如软件包管理，用户管理和文件管理等等。

[root@master manifests]# cd /etc/puppet/manifests/

[root@master manifests]# cat site.pp

node default{

file {"/tmp/test.txt":

content=>"hello world\n";

}

}

以上代码的意思是：

有一个默认节点（每一个agent叫做一个节点，在这个节点的/tmp下创建一个文件叫test.txt，里面的内容为hello world）.

agent端去验证

[root@agent ~]# puppetd --test --server master.test.com      �0�8所有在master端配置以后，是在agent端来执行

info: Caching catalog for agent.test.com

info: Applying configuration version '1449217516'

notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/ensure: defined content as '{md5}6f5902ac237024bdd0c176cb93063dc4'

notice: Finished catalog run in 0.01 seconds

[root@agent ~]# ll /tmp/

total 4

-rw-r--r-- 1 root root 12 Dec  4 16:25 test.txt

[root@agent ~]# cat /tmp/test.txt            �0�8生成了文件并且追加了内容

hello world

再写一个：往/tmp 目录发送一个脚本

[root@master manifests]# pwd

/etc/puppet/manifests

[root@master manifests]# cat site.pp

node default{

file { "/tmp/clearlog.sh":

content=>"find /log/ -type f -size +10KB |xargs rm -f\n";

}

}

agent端去验证

[root@agent ~]# puppetd --test --server master.test.com

info: Caching catalog for agent.test.com

info: Applying configuration version '1449232240'

notice: /Stage[main]//Node[default]/File[/tmp/clearlog.sh]/ensure: defined content as '{md5}8fc5e0257f6ef3f8c31be04e99f6cb1a'

notice: Finished catalog run in 0.02 seconds

[root@agent ~]# cat /tmp/clearlog.sh         �0�8查看，生成了脚本文件

find /log/ -type f -size +10KB |xargs rm -f

这个时候我想修改这个脚本，修改后再看验证

[root@master manifests]# cat site.pp

node default{

file { "/tmp/clearlog.sh":

content=>"find /log/ -type f -size +1000KB |xargs rm -f\n";

}

}

验证

[root@agent ~]# puppetd --test --server master.test.com

info: Caching catalog for agent.test.com

info: Applying configuration version '1449232404'

--- /tmp/clearlog.sh    2015-12-04 20:30:41.552856112 +0800

+++ /tmp/puppet-file20151204-3603-1d4sxkq-0     2015-12-04 20:33:24.893856051 +0800

@@ -1 +1 @@

-find /log/ -type f -size +10KB |xargs rm -f

+find /log/ -type f -size +1000KB |xargs rm -f

info: FileBucket adding {md5}8fc5e0257f6ef3f8c31be04e99f6cb1a

info: /Stage[main]//Node[default]/File[/tmp/clearlog.sh]: Filebucketed /tmp/clearlog.sh to puppet with sum 8fc5e0257f6ef3f8c31be04e99f6cb1a

notice: /Stage[main]//Node[default]/File[/tmp/clearlog.sh]/content: content changed '{md5}8fc5e0257f6ef3f8c31be04e99f6cb1a' to '{md5}eda7c1034d59fa4af3eef1c127a5f18d'

notice: Finished catalog run in 0.04 seconds

[root@agent ~]# cat /tmp/clearlog.sh

find /log/ -type f -size +1000KB |xargs rm -f

6.2 例子二：创建文件并改变用户和授权

master端修改配置文件：

[root@master manifests]# pwd

/etc/puppet/manifests

[root@master manifests]# cat site.pp

node default{

file {"/tmp/test.txt":

owner => "root",

group => "puppet",

mode => "0777",

content => "test"

}

}

agent端验证

[root@agent ~]# ll /tmp/test.txt

-rw-r--r-- 1 root root 12 Dec  4 16:25 /tmp/test.txt

[root@agent ~]# puppetd --test --server master.test.com

info: Caching catalog for agent.test.com

info: Applying configuration version '1449232846'

--- /tmp/test.txt       2015-12-04 16:25:17.093861548 +0800

+++ /tmp/puppet-file20151204-4096-157x3zh-0     2015-12-04 20:40:46.540855888 +0800

@@ -1 +1 @@

-hello world

+test

\ No newline at end of file

info: FileBucket adding {md5}6f5902ac237024bdd0c176cb93063dc4

info: /Stage[main]//Node[default]/File[/tmp/test.txt]: Filebucketed /tmp/test.txt to puppet with sum 6f5902ac237024bdd0c176cb93063dc4

notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/content: content changed '{md5}6f5902ac237024bdd0c176cb93063dc4' to '{md5}098f6bcd4621d373cade4e832627b4f6'

notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/group: group changed 'root' to 'puppet'

notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/mode: mode changed '644' to '777'

notice: Finished catalog run in 0.04 seconds

[root@agent ~]# ll /tmp/test.txt          �0�8权限和属组已改变

-rwxrwxrwx 1 root puppet 4 Dec  4 20:40 /tmp/test.txt

[root@agent ~]# cat /tmp/test.txt        �0�8文本内容已改变

test

以上的意思是：

当agent端执行的时候会下载该文件到agent的/tmp下，创建文件test.txt并设置改文件所属用户为root，所属组为puppet，然后权限设置为-rwxrwxrwx 777

6.4例子四：管理crontab任务

master端  site.pp

[root@master manifests]# pwd

/etc/puppet/manifests

[root@master manifests]# cat site.pp

cron { “ntp time” :

command => “/usr/sbin/ntpdate  pool.ntp.org >/dev/null  2>&1”,

minute => ‘*/10’,

hour => [‘2-4’],

monthday => [2,4],

ensure => present,

environment => “PATH=/bin:/usr/bin:/usr/sbin”

}

按照上面在agent端执行会出现下面错误

[root@agent ~]# puppetd --test --server master.test.com

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Could not match “ntp at /etc/puppet/manifests/site.pp:1 on node agent.test.com

warning: Not using cache on failed catalog

err: Could not retrieve catalog; skipping run

重新再写一份：

[root@master manifests]# cat site.pp

cron { "ntp time":

command => "/usr/sbin/ntpdate  pool.ntp.org >/dev/null 2>&1",

minute => '*/10',

hour => ['2-4'],

monthday => [2,4],

ensure => present,

environment => "PATH=/bin:/usr/bin:/usr/sbin"

}

agent端来验证

[root@agent ~]# puppetd --test --server master.test.com

info: Caching catalog for agent.test.com

info: Applying configuration version '1449249708'

notice: /Stage[main]//Cron[ntp time]/ensure: created

notice: Finished catalog run in 0.07 seconds

[root@agent ~]# crontab -l

# HEADER: This file was autogenerated at Sat Dec 05 01:21:53 +0800 2015 by puppet.

# HEADER: While it can still be managed manually, it is definitely not recommended.

# HEADER: Note particularly that the comments starting with 'Puppet Name' should

# HEADER: not be deleted, as doing so could cause duplicate cron jobs.

#####ntpdate time##########

*/5 * * * * /usr/sbin/ntpdate time.nist.nov >/dev/null 2>&1

# Puppet Name: ntp time

PATH=/bin:/usr/bin:/usr/sbin

*/10 2-4 2,4 * * /usr/sbin/ntpdate  pool.ntp.org >/dev/null 2>&1

6.5例子五：同步master端/etc/puppet/system_conf/script下的文件到agent

a)修改master配置文件

[ system_conf ]

path /etc/puppet/system_conf/

alow *

b)重启master

/etc/init.d/puppetmaster restart

c)把需要同步的文件放到master 的/etc/puppet/system_conf/script下

d)修改master端 site.pp

file { “/etc/resolv.conf”:

mode=>644,

source => “puppet://master.test.com/system_conf/resolv.conf”

}

可以配置：

系统文件 hosts ,resolv.conf ,i18n ,yum配置文件

脚本文件 /script/service_all_clear.sh

分析：

我希望把文件推送到agent端

1.       修改master端配置文件fileserver.conf

2.       我需要把目录共享出去，这样才能读到共享里面的文件

[root@master puppet]# pwd

/etc/puppet

[root@master puppet]# mkdir -p /etc/puppet/system_conf

[root@master puppet]# cd /etc/puppet/system_conf/

[root@master system_conf]# vim a.log

[root@master system_conf]# ll a.log

-rw-r--r-- 1 root root 7 Dec  5 01:34 a.log

修改配置文件

[root@master puppet]# pwd

/etc/puppet

[root@master puppet]# tail -4 fileserver.conf

# add by xiedi

 [system_conf]

        path /etc/puppet/system_conf/

        allow *

重启生效

[root@master puppet]# /etc/init.d/puppetmaster restart

Stopping puppetmaster:                                     [  OK  ]

Starting puppetmaster:                                     [  OK  ]

修改master端的配置文件site.pp

[root@master manifests]# vim site.pp

file {"/etc/resolv.conf":

mode => 777,

source => "puppet://master.test.com/system_conf/resolv.conf";

}

创建需要同步的文件，直接拷贝到目标目录，注意同步目录为配置文件指定目录/etc/puppet/system_conf这个是写到配置文件fileserver.conf

[root@master manifests]# cp /etc/resolv.conf /etc/puppet/system_conf/

[root@master manifests]# ll /etc/puppet/system_conf/

a.log        resolv.conf

[root@master manifests]# ll /etc/puppet/system_conf/resolv.conf

-rw-r--r-- 1 root root 21 Dec  5 01:43 /etc/puppet/system_conf/resolv.conf

agent端测试

[root@agent ~]# puppetd --test --server master.test.com

info: Caching catalog for agent.test.com

info: Applying configuration version '1449251085'

notice: /Stage[main]//File[/etc/resolv.conf]/mode: mode changed '644' to '777'

notice: Finished catalog run in 0.08 seconds

[root@agent ~]# ll /etc/resolv.conf

-rwxrwxrwx. 1 root root 21 Nov 17 08:39 /etc/resolv.conf

已修改完成！需要注意的是同步系统文件的权限问题。

可以配置：

系统文件  hosts , resolv.conf ，i18n ,yum配置文件

脚本文件  /script/service_all_clear.sh