puppet是一種Linux、Unix、windows平臺的集中配置管理系統(tǒng),使用自有的puppet描述語言,可管理配置文件、用戶、cron任務(wù)、軟件包、系統(tǒng)服務(wù)等。puppet把這些系統(tǒng)實體稱之為資源,puppet的設(shè)計目標(biāo)是簡化對這些資源的管理以及妥善處理資源間的依賴關(guān)系。
puppet采用C/S星狀的結(jié)構(gòu),所有的客戶端和一個或幾個服務(wù)器交互。每個客戶端周期的(默認(rèn)半個小時)向服務(wù)器發(fā)送請求,獲得其最新的配置信息,保證和該配置信息同步。每個puppet客戶端每半小時(可以設(shè)置)連接一次服務(wù)器端, 下載最新的配置文件,并且嚴(yán)格按照配置文件來配置客戶端. 配置完成以后,puppet客戶端可以反饋給服務(wù)器端一個消息. 如果出錯,也會給服務(wù)器端反饋一個消息.
環(huán)境說明:
OS:CentOS 5.4 i386
puppetmaster 192.168.0.12 hostname: puppetmaster.info.com
client 192.168.0.64 hostname: client1.info.com
原理圖:
1) 客戶端通過facter收集客戶端信息并發(fā)送至服務(wù)端
2) 連接服務(wù)端并請求catalog日志
3) 請求節(jié)點(node)的信息
4) 從服務(wù)器端接收節(jié)點(node)的實例
5) 編譯代碼(包括語法檢查等工作)
6) 查詢是否有exported 虛擬資源
7) 如有,則從數(shù)據(jù)庫接收虛擬資源
8) 接收完整的catalog日志
9) 存儲catalog日志到數(shù)據(jù)庫
10) 客戶端接收完整的catalog日志
一、 時間同步,并寫入crontab
15 1 * * * /usr/sbin/ntpdate pool.ntp.org; hwclock -w >/dev/null 2>1
二、 修改主機(jī)名,并寫入/etc/hosts文件
Puppet 要求所有機(jī)器有完整的域名(FQDN),如果沒有 DNS 服務(wù)器提供域名的話,可以在兩臺機(jī)器上設(shè)置主機(jī)名
(注意建議先設(shè)置主機(jī)名再安裝 Puppet,因安裝 Puppet 時會把主機(jī)名寫入證書,客戶端和服務(wù)端通信需要這個證書)
192.168.0.12 puppetmaster.info.com
192.168.0.64 client1.info.com
三、 安裝ruby
[root@puppetmaster ~]# yum install ruby ruby-libs ruby-rdoc -y
[root@puppetmaster ~]# ruby --version
ruby 1.8.5 (2006-08-25) [i386-linux]
我安裝的是1.8.5 ,不要安裝1.8.7 puppet 還不支持,( 我沒試過,如果出現(xiàn)不支持的情況,注意一下這里。)
四、 安裝facter
安裝puppet之前必須先安裝facter
facter是一個系統(tǒng)盤點工具,收集主的一些資料,比如CPU,主機(jī)IP等,它收集到值發(fā)送給puppet服務(wù)器端,服務(wù)器端就可以根據(jù)不同的條件來對不同的節(jié)點機(jī)器生成不同的puppet配置文件
puppet資源下載點 http://downloads.puppetlabs.com/
[root@puppetmaster src]# wget http://downloads.puppetlabs.com/facter/facter-1.6.8.tar.gz
[root@puppetmaster src]# tar xzvf facter-1.6.8.tar.gz
[root@puppetmaster src]# cd facter-1.6.8
[root@puppetmaster facter-1.6.8]# ruby install.rb
[root@puppetmaster puppet-2.7.14]# ruby install.rb
五、 安裝puppet
[root@puppetmaster src]# wget http://downloads.puppetlabs.com/puppet/puppet-2.7.14.tar.gz
[root@puppetmaster src]# tar xzvf puppet-2.7.14.tar.gz
[root@puppetmaster src]# cd puppet-2.7.14
六、 復(fù)制配置文件
[root@puppetmaster puppet-2.7.14]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@puppetmaster puppet-2.7.14]# cp conf/redhat/puppet.conf /etc/puppet/
[root@puppetmaster puppet-2.7.14]# cp conf/redhat/server.init /etc/init.d/puppetmaster
七、 設(shè)置puppetmaster 服務(wù)開機(jī)啟動
[root@puppetmaster puppet-2.7.14]# ls -l /etc/init.d/puppetmaster
-rwxr-xr-x 1 root root 3936 Sep 3 12:13 /etc/init.d/puppetmaster
[root@puppetmaster puppet-2.7.14]#
[root@puppetmaster puppet-2.7.14]# chkconfig --add puppetmaster
[root@puppetmaster puppet-2.7.14]# chkconfig --level 35 puppetmaster on
八、 創(chuàng)建puppet帳號
[root@puppetmaster puppet-2.7.14]# puppetmasterd --mkusers
1)確認(rèn)是否生成清單文件夾
[root@puppetmaster puppet-2.7.14]# ls -l /etc/puppet/
total 16
-rw-r--r-- 1 root root 2552 Sep 3 12:11 auth.conf
-rwxr-xr-x 1 root root 381 Sep 3 12:13 fileserver.conf
drwxr-xr-x 2 root root 4096 Sep 3 12:17 manifests
-rwxr-xr-x 1 root root 853 Sep 3 12:13 puppet.conf
2)確認(rèn)系統(tǒng)生成puppet用戶
[root@puppetmaster puppet-2.7.14]# id puppet
uid=1002(puppet) gid=1002(puppet) groups=1002(puppet)/p>
p>[root@puppetmaster puppet]# cat /etc/passwd |grep puppet
puppet:x:1002:1002::/home/puppet:/bin/bash
3)保證/var/lib/puppet/rrd目錄存在且屬主是puppet
[root@puppetmaster puppet]# ls -l /var/lib/puppet/
total 36
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 bucket
drwxr-xr-x 2 root root 4096 Sep 3 12:17 facts
drwxr-xr-x 2 root root 4096 Sep 3 12:17 lib
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 reports
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 rrd
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 server_data
drwxrwx--x 8 puppet root 4096 Sep 3 12:26 ssl
drwxr-xr-t 2 root root 4096 Sep 3 12:17 state
drwxr-x--- 2 puppet puppet 4096 Sep 3 12:17 yaml
4)查看端口
[root@puppetmaster puppet]# netstat -Tanlp | grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 4556/ruby
客戶端:
安裝facter,puppet 同puppetmaster 一樣。但復(fù)制的文件如下
[root@client1 puppet-2.7.14]# cp conf/redhat/client.init /etc/init.d/puppet
[root@client1 puppet-2.7.14]# chkconfig --level 35 puppet on
[root@client1 puppet-2.7.14]# puppetd --mkusers
Could not prepare for execution: Got 1 failure(s) while initializing: change from absent to present failed: Could not create user puppet: Execution of '/usr/sbin/useradd -g puppet -M puppet' returned 3: useradd: invalid numeric argument 'puppet'/p>
p>[root@client1 puppet-2.7.14]# groupadd puppet;useradd -g puppet -M puppet
[root@client1 puppet-2.7.14]# service puppet start
Starting puppet: [ OK ]
測試解析與puppetmaster端口是否暢通
[root@client1 puppet-2.7.14]# telnet puppetmaster.info.com 8140
Trying 192.168.0.12...
Connected to puppetmaster.info.com (192.168.0.12).
Escape character is '^]'./p>
p>[root@client1 puppet-2.7.14]# puppetd --test --server puppetmaster.info.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client1.info.com
info: Certificate Request fingerprint (md5): 07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
# puppetd --test --server puppetmaster.info.com命令是指puppetd 從 puppetmaster.info.com去讀取
puppet配置文件. 第一次連接,雙方會進(jìn)行ssl證書的驗證,這是一個新的客戶端,在服務(wù)器端那里還沒有被認(rèn)證,因此需要在服務(wù)器端進(jìn)行證書認(rèn)證
以下這步批準(zhǔn)證書是在服務(wù)端操作
查看當(dāng)前待批準(zhǔn)證書列表
[root@puppetmaster ~]# puppetca -l
client1.info.com (07:C9:D4:43:3C:3E:D6:D1:0A:B1:8B:71:DB:6B:9D:FE)
批準(zhǔn)當(dāng)前證書
[root@puppetmaster ~]# puppetca -s client1.info.com
notice: Signed certificate request for client1.info.com
notice: Removing file Puppet::SSL::CertificateRequest client1.info.com at '/var/lib/puppet/ssl/ca/requests/client1.info.com.pem'
查看驗證簽名,注意前面的+號,說明已經(jīng)簽名
[root@puppetmaster ~]# puppetca -a --list
+ client1.info.com (03:BE:50:AE:72:1A:39:79:17:F4:E5:74:FD:CC:BC:8C)
+ puppetmaster.info.com (97:34:BF:26:A6:0E:E9:9C:DB:76:D3:53:D0:56:60:83) (alt names: DNS:puppet, DNS:puppet.info.com, DNS:puppetmaster.info.com)
如果要批準(zhǔn)全部證書
puppetca -s -a
也可以在puppetmaster端的puppet.conf加入這行:
autosign = true
服務(wù)端就自動簽證書
回到客戶端操作,從服務(wù)端取回已批準(zhǔn)的證書
[root@client1 puppet-2.7.14]# puppetd --test --server puppetmaster.info.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client1.info.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client1.info.com
info: Applying configuration version '1378188531
驗證證書是否正確
服務(wù)端:
[root@puppetmaster ~]# md5sum /var/lib/puppet/ssl/ca/signed/client1.info.com.pem
27a295f39a6b4a6c7ceb74c9c3a5084c /var/lib/puppet/ssl/ca/signed/client1.info.com.pem/p>
p>客戶端:
[root@client1 puppet-2.7.14]# md5sum /etc/puppet/ssl/certs/client1.info.com.pem
27a295f39a6b4a6c7ceb74c9c3a5084c /etc/puppet/ssl/certs/client1.info.com.pem/p>
p>
出現(xiàn)修改主機(jī)名問題引起無法認(rèn)證,需要重新申請證書,操作以下兩個步驟:
服務(wù)端:
[root@puppetmaster ~]# rm /var/lib/puppet/ssl/ca/signed/client1.info.com.pem -rf/p>
p>客戶端:
[root@client1 puppet-2.7.14]# rm /etc/puppet/ssl/certs/ -rf
功能測試
服務(wù)端:
建立pp文件測試
puppet的第一個執(zhí)行的代碼是在/etc/puppet/manifest/site.pp ,因此這個文件必須存在,而且其他的代碼也要通過代碼來調(diào)用.
[root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp
node default {
file {"/tmp/viong.txt":
content=>"good,test pass!\nHello World!\n";}
}
上面的代碼對默認(rèn)連入的puppet客戶端執(zhí)行一個操作,在/tmp目錄生成一個viong.txt文件,內(nèi)容是good,test pass! 回車換行Hello World!回車換行.
初次創(chuàng)建pp文件,需要重啟puppetmaster
[root@puppetmaster ~]# service puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
客戶端:
[root@client1 puppet-2.7.14]# puppetd --test --server puppetmaster.info.com
info: Caching catalog for client1.info.com
info: Applying configuration version '1378190404'
notice: /Stage[main]//Node[default]/File[/tmp/viong.txt]/ensure: defined content as '{md5}4750aa5be82dae5db286a5859700dd51'
notice: Finished catalog run in 0.03 seconds
如果報錯
[root@client1 puppet-2.7.14]# puppetd --test --server puppetmaster.info.com
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Syntax error at end of file; expected '}' at /etc/puppet/manifests/site.pp:4 on node client1.info.com
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
可能是/etc/puppet/manifests/site.pp 這個文件書寫格式有問題。
在客戶端查看:
[root@client1 puppet-2.7.14]# ls -l /tmp/viong.txt
-rw-r--r-- 1 root root 29 Sep 3 14:50 /tmp/viong.txt
[root@client1 puppet-2.7.14]# cat /tmp/viong.txt
good,test pass!
Hello World!
