
Puppet automated management

Posted: 2015-04-23 00:10:05

Tags: puppet
I. Preliminaries
1. References
Alibaba, Apsara (飞天) 5K
http://puppet.wikidoc.com
front-end management system
keepcache=1 keeps the downloaded packages
2. Environment
Red Hat 6.4
Host: 192.168.2.100 server100.example.com    server
Host: 192.168.2.103 server103.example.com    client
Host: 192.168.2.113 server113.example.com    client
All hosts resolve each other's names.
* iptables -F (the lab flushes the firewall rules)
* getenforce is Disabled (SELinux is off in the lab)
* date (make sure the clocks agree)
* yum repository configuration (network install; make sure the hosts can reach the repositories). The yum configuration on hosts 100, 103 and 113 is as follows:
* vim /etc/yum.repos.d/rhel-source.repo
[rhel-source]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=ftp://192.168.2.251/pub/rhel6.5
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[puppet]
name=puppet
baseurl=http://yum.puppetlabs.com/el/6Server/products/x86_64/
gpgcheck=0
[ruby]
name=ruby
baseurl=http://yum.puppetlabs.com/el/6Server/dependencies/x86_64/
gpgcheck=0
3. Installation
On host 100 (server):
* yum install -y puppet-server
Error: Package: rubygem-json-1.5.5-1.el6.x86_64 (ruby)
Requires: rubygems
To resolve the error and the dependency:
download rubygems-1.8.16-1.el6.noarch.rpm
* yum localinstall -y rubygems-1.8.16-1.el6.noarch.rpm
On hosts 103 and 113 (clients):
* yum install -y puppet
To resolve the same error and dependency, download rubygems-1.8.16-1.el6.noarch.rpm
* yum localinstall -y rubygems-1.8.16-1.el6.noarch.rpm
4. Start the puppet service on host 100
* touch /etc/puppet/manifests/site.pp
Note: site.pp must exist before the puppetmaster service can be started.
* /etc/init.d/puppetmaster start
Check that port 8140 is listening: netstat -antlpe

II. Manual and automatic signing
1. Manual signing (the client sends a request; the server signs it by hand)
* On the 103 client, send the request: puppet agent --server server100.example.com --no-daemonize --verbose
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for server103.example.com
Info: Certificate Request fingerprint (SHA256):
54:D4:A2:AD:44:95:57:B0:F7:5E:74:8B:5B:9E:5B:E2:91:95:75:A7:B8:78:0E:C8:63:87:AC:D0:CF:98:71:2C
Only after these messages appear can the request be signed on host 100.
* On host 100, list the pending requests: puppet cert list
"server103.example.com" (SHA256) 54:D4:A2:AD:44:95:57:B0:F7:5E:74:8B:5B:9E:5B:E2:91:95:75:A7:B8:78:0E:C8:63:87:AC:D0:CF:98:71:2C
Compare this fingerprint with the one the client printed before signing.
* On host 100, sign it: puppet cert sign server103.example.com
* Wait a moment on host 103; the run finishes with: Notice: Finished catalog run in 0.10 seconds
then press ctrl+c
2. Automatic signing (the client sends a request; the server signs it automatically)
* On host 100: vim /etc/puppet/puppet.conf
Note: put this under [main]
[main]
autosign = true
* On host 100: vim /etc/puppet/autosign.conf
*.example.com
* On host 100: /etc/init.d/puppetmaster reload
* On host 113, verify auto-signing (nothing needs to be done on the server side): puppet agent --server server100.example.com --no-daemonize --verbose
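The autosign.conf entry above is a domain glob: any agent whose certname ends in .example.com gets its certificate signed without anyone comparing fingerprints as in step 1. The Ruby script below is an added example, not code from the original post or from Puppet; it approximates how the server matches a requested certname against autosign.conf, so that you can check which pending requests a given file would sign before enabling autosign. The sample AUTOSIGN_CONF text and the helper names autosign_patterns, autosign_allowed? and needs_manual_signing are this example's own.

```ruby
# Added example (not from the original post or from Puppet): a matcher that
# approximates how puppetmaster reads /etc/puppet/autosign.conf. Each line is
# either an exact certname or a domain glob whose only wildcard is a leading
# "*." (as in the post's "*.example.com"); lines starting with "#" are comments.
# The certname is chosen by the agent that sends the request, so a wildcard
# entry trusts the name presented, not the machine presenting it. Keep the list
# to the narrowest names you can; anything unmatched still needs "puppet cert sign".

# Constructed sample file, modelled on the post's one-line autosign.conf.
AUTOSIGN_CONF = <<~CONF
  # hosts whose CSR is signed without an operator looking at the fingerprint
  *.example.com
  build01.internal
CONF

# Parse autosign.conf text into patterns, ignoring comments and blank lines.
def autosign_patterns(text)
  text.lines.map(&:strip).reject { |line| line.empty? || line.start_with?('#') }
end

# True if a CSR for `certname` would be signed automatically under `patterns`.
# "*.example.com" matches any name ending in ".example.com" (the dot is kept,
# so "host.notexample.com" does not match); entries without a wildcard must
# match exactly. DNS names are case-insensitive, so compare lower-cased.
def autosign_allowed?(certname, patterns)
  name = certname.downcase
  patterns.any? do |pat|
    pat = pat.downcase
    if pat.start_with?('*.')
      name.end_with?(pat[1..-1]) # "*.example.com" -> ".example.com"
    else
      name == pat
    end
  end
end

# Pending CSR names an operator would still have to sign by hand.
def needs_manual_signing(csr_names, conf_text)
  patterns = autosign_patterns(conf_text)
  csr_names.reject { |n| autosign_allowed?(n, patterns) }
end

if __FILE__ == $PROGRAM_NAME
  pending = %w[server113.example.com build01.internal host.notexample.com build02.internal]
  patterns = autosign_patterns(AUTOSIGN_CONF)
  puts "auto-signed: #{pending.select { |n| autosign_allowed?(n, patterns) }.inspect}"
  puts "manual sign: #{needs_manual_signing(pending, AUTOSIGN_CONF).inspect}"
end
```

Run it against the real /etc/puppet/autosign.conf (File.read) and the output of puppet cert list to see which waiting requests the file would have signed without review.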
III. Defining resources
Note: all resources are defined in /etc/puppet/manifests/site.pp
1. Defining a file
* On host 100: vim /etc/puppet/manifests/site.pp
file { "/tmp/test.file":
  content => "www.westos.org",
  mode => 600
}
Note: when a resource has several attributes, separate them with ",".
Test on host 103
* On host 103: puppet agent --server server100.example.com --no-daemonize --verbose
Notice: /Stage[main]/Main/File[/tmp/test.file]/ensure: defined content as '{md5}d93485f9ba96d89495f1c3f6583ad624'
Notice: Finished catalog run in 0.16 seconds
* Check the result on host 103: cat /tmp/test.file
www.westos.org
Note 1:
On host 103, change the content of /tmp/test.file to server103.example.com, then run again:
puppet agent --server server100.example.com --no-daemonize --verbose
Result: /tmp/test.file contains www.westos.org again.
Conclusion: the content of /tmp/test.file is whatever the server side defines.
Note 2:
Whether the file has been modified is decided by its md5 digest: d93485f9ba96d89495f1c3f6583ad624
Different file contents give different md5 digests.
md5sum /tmp/test.file //md5sum prints the digest of the file
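Note 2 is the mechanism behind Note 1: the agent compares the MD5 of the content the server defines with the MD5 of the file on disk and rewrites the file whenever they differ, so a local edit on the client is undone on the next run. The Ruby script below is an added example, not from the original post and not Puppet's own code; it re-implements that decision for a file with fixed content and a mode. The helper names desired_checksum, file_in_sync? and sync_file_content are this example's own, and it works on a file under a temporary directory instead of /tmp/test.file.

```ruby
require 'digest'
require 'tmpdir'

# Added example (not from the original post or from Puppet): the decision a
# puppet agent makes for a file resource with fixed content, reduced to its
# core. The server's content is authoritative: any local edit changes the MD5
# and is overwritten on the next run. Helper names are this example's own.

# Puppet reports checksums as "{md5}<hex>"; build that string for a content value.
def desired_checksum(content)
  "{md5}#{Digest::MD5.hexdigest(content)}"
end

# True when the file exists and its MD5 equals the MD5 of the desired content.
def file_in_sync?(path, content)
  File.file?(path) && Digest::MD5.file(path).hexdigest == Digest::MD5.hexdigest(content)
end

# Enforce content and mode. Returns notices in the spirit of the agent's
# "Notice:" lines; an empty array means the file was already in sync.
def sync_file_content(path, content, mode)
  notices = []
  unless file_in_sync?(path, content)
    previous = File.file?(path) ? "{md5}#{Digest::MD5.file(path).hexdigest}" : nil
    File.write(path, content)
    notices << if previous
                 "File[#{path}]/content: content changed '#{previous}' to '#{desired_checksum(content)}'"
               else
                 "File[#{path}]/ensure: defined content as '#{desired_checksum(content)}'"
               end
  end
  if (File.stat(path).mode & 0o777) != mode
    File.chmod(mode, path)
    notices << format("File[%s]/mode: mode changed to '%04o'", path, mode)
  end
  notices
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'test.file')                  # stand-in for /tmp/test.file
    p sync_file_content(path, 'www.westos.org', 0o600)  # first run: file created
    File.write(path, 'server103.example.com')           # local edit on the client
    p sync_file_content(path, 'www.westos.org', 0o600)  # next run: server content restored
    p sync_file_content(path, 'www.westos.org', 0o600)  # nothing left to do: []
  end
end
```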
2. Defining a package, a service and its config file, and starting the service (on host 100)
Notes: 1) make sure the client's yum works.
2) What is added to fileserver.conf must match what site.pp refers to. The name in brackets is a file-server mount point (written here as <mount-point>; choose any name):
* cat fileserver.conf
[<mount-point>]
path /etc/puppet/files
allow *.example.com
* cat site.pp
file { "/temp/vsftpd.conf":
  source => "puppet:///<mount-point>/files"
}
3) In site.pp on the server the order is: install the package, the config file, start the service.
When the client runs it, the order of execution is: install the package, start the service, the config file.
This is a problem, because the config file does not take effect.
* Copy from 192.168.2.2 to host 100: scp httpd.conf root@192.168.2.100:/etc/puppet/files/
* vim /etc/puppet/files/httpd.conf
//edit the file so that on the client we can check whether the change arrived
Order allow,deny
Allow from 192.168.2.2
* mkdir /etc/puppet/files
* vim /etc/puppet/fileserver.conf
[httpdconf]
path /etc/puppet/files
allow *.example.com
* vim /etc/puppet/manifests/site.pp
package { "httpd":
  ensure => installed,
  allow_virtual => false
}
file { "/etc/httpd/conf/httpd.conf":
  source => "puppet:///httpdconf/httpd.conf"
}
service { "httpd":
  ensure => running
}
Explanation: "puppet://" refers to the puppet file server, much like "http://" refers to a web server.
* /etc/init.d/puppetmaster reload
Test on host 103
* puppet agent --server server100.example.com --no-daemonize --verbose //run it twice; the first run reports an error, but httpd is installed successfully
* Check whether the file matches what the server set: cat /etc/httpd/conf/httpd.conf
Order allow,deny
Allow from 192.168.1.2
3. Defining a user (on host 100)
* vim /etc/puppet/manifests/site.pp
user { "user1":
  uid => 800,
  provider => useradd,
  managehome => true,
  ensure => present,
  password => westos
}
Test on host 103
* puppet agent --server server100.example.com --no-daemonize --verbose
* id user1
* ll /home/user1
* vim /etc/shadow
user1:westos:16291:0:99999:7:::
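The /etc/shadow line above shows the consequence of password => westos: Puppet writes the value of the password attribute straight into the second field of the shadow entry, so it has to be a crypt(3) hash, not the plaintext. The Ruby helper below is an added example, not from the original post or from Puppet; it produces a SHA-512 crypt hash with a random salt and checks a password against it, using Ruby's String#crypt on the system crypt(3). shadow_hash, shadow_hash_valid? and password_attribute are this example's own names.

```ruby
require 'securerandom'

# Added example (not from the original post or from Puppet). The "password"
# attribute of a user resource goes verbatim into field 2 of /etc/shadow, so it
# must already be a crypt(3) hash. This helper builds a SHA-512 crypt hash with
# a random salt via String#crypt (system crypt(3); glibc and musl accept "$6$").
# shadow_hash, shadow_hash_valid? and password_attribute are this example's names.

SALT_CHARS = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']).freeze

# Produce a "$6$<salt>$<hash>" string; pass a salt only to make output reproducible.
def shadow_hash(plaintext, salt = nil)
  salt ||= Array.new(16) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  plaintext.crypt("$6$#{salt}$")
end

# Verify a candidate against a stored hash: crypt() with the stored hash as the
# setting reuses its embedded salt, so equal output means the password matches.
def shadow_hash_valid?(plaintext, stored)
  plaintext.crypt(stored) == stored
end

# The attribute line to put in the manifest instead of the bareword "westos".
# Single quotes matter: in a Puppet double-quoted string "$6$" would be read as
# a variable reference.
def password_attribute(plaintext)
  "password => '#{shadow_hash(plaintext)}'"
end

if __FILE__ == $PROGRAM_NAME
  hashed = shadow_hash('westos')
  puts password_attribute('westos')
  puts shadow_hash_valid?('westos', hashed) # true
  puts shadow_hash_valid?('wrong', hashed)  # false
end
```

Paste the printed password => '...' line into the user resource in place of password => westos. On Linux the useradd provider needs the ruby-shadow library on the agent to manage this attribute.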
4. Defining a filesystem mount (on host 100)
* vim /etc/puppet/manifests/site.pp
file { "/public":
  ensure => directory
}
mount { "/public":
  device => "192.168.2.251:/var/ftp/pub",
  fstype => "nfs",
  options => "defaults",
  ensure => mounted
}
Test on host 103
* Before testing, make sure of the following:
On host 103, install mount.nfs (yum install -y mount.nfs, or install nfs-utils)
On host 192.168.2.251: showmount -e shows: /var/ftp/pub/ *(ro)
On host 192.168.2.251: /etc/init.d/nfs start
* puppet agent --server server100.example.com --no-daemonize --verbose
5. Defining a crontab job (on host 100)
* vim /etc/puppet/manifests/site.pp
cron { "echo":
  command => "/bin/echo `/bin/date` >> /tmp/echo",
  user => root,
  hour => ['2-4'],
  minute => '*/10'
}
Test on host 103
* Before testing, make sure that on host 103: /etc/init.d/crond start
* puppet agent --server server100.example.com --no-daemonize --verbose
* crontab -l shows the following: //you can also look at the file directly: cat /var/spool/cron/root
# HEADER: This file was autogenerated at Sat Aug 09 14:47:13 +0800 2014 by puppet.
# HEADER: While it can still be managed manually, it is definitely not recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
# Puppet Name: echo
*/10 2-4 * * * /bin/echo `/bin/date` >> /tmp/echo
IV. Definitions for different nodes
1. On host 100
* mkdir /etc/puppet/manifests/nodes
* cp /etc/puppet/manifests/site.pp /etc/puppet/manifests/nodes/server103.pp
* cp /etc/puppet/manifests/site.pp /etc/puppet/manifests/nodes/server113.pp
* vim /etc/puppet/manifests/nodes/server103.pp
node 'server103.example.com' {
  package { "httpd":
    ensure => installed,
    allow_virtual => false
  }
  file { "/etc/httpd/conf/httpd.conf":
    source => "puppet:///httpdconf/httpd.conf"
  }
  service { "httpd":
    ensure => running
  }
  user { "user1":
    uid => 800,
    provider => useradd,
    managehome => true,
    ensure => present,
    password => westos
  }
}
* vim /etc/puppet/manifests/nodes/server113.pp
node 'server113.example.com' {
  package { "httpd":
    ensure => installed,
    allow_virtual => false
  }
  file { "/etc/httpd/conf/httpd.conf":
    source => "puppet:///httpdconf/httpd.conf"
  }
  service { "httpd":
    ensure => running
  }
  user { "user1":
    uid => 800,
    provider => useradd,
    managehome => true,
    ensure => present,
    password => westos
  }
}
* vim /etc/puppet/manifests/site.pp
import "nodes/server103.pp"
import "nodes/server113.pp"
or:
import "*.pp"
Test on hosts 103 and 113
* On host 103: puppet agent --server server100.example.com --no-daemonize --verbose
* On host 113: puppet agent --server server100.example.com --no-daemonize --verbose
V. Modules
On host 100
* mkdir -p /etc/puppet/modules/vsftpd/{files,manifests,templates}
* vim /etc/puppet/modules/vsftpd/manifests/install.pp
class vsftpd::install {
  package { "vsftpd":
    ensure => present,
    allow_virtual => false
  }
}
* vim /etc/puppet/modules/vsftpd/manifests/config.pp
class vsftpd::config {
  file { "/etc/vsftpd/vsftpd.conf":
    ensure => present,
    source => "puppet:///modules/vsftpd/vsftpd.conf",
    mode => 0600,
    require => Class["vsftpd::install"],
    notify => Class["vsftpd::service"]
  }
}
Note: the actual path of the source file is /etc/puppet/modules/vsftpd/files/vsftpd.conf; the built-in "modules" mount point maps puppet:///modules/vsftpd/... to the module's files directory.
Note: alternatively the file can be served through a mount point of your own in /etc/puppet/fileserver.conf, in which case the mount point and the source URL in the manifest must agree:
#vim /etc/puppet/fileserver.conf
[<mount-point>]
path /etc/puppet/
with source => "puppet:///<mount-point>/modules/vsftpd/files/vsftpd.conf" in config.pp.
* vim /etc/puppet/modules/vsftpd/manifests/service.pp
class vsftpd::service {
  service { "vsftpd":
    ensure => running,
    require => Class["vsftpd::install","vsftpd::config"]
  }
}
* vim /etc/puppet/modules/vsftpd/manifests/init.pp
class vsftpd {
  include vsftpd::install,vsftpd::config,vsftpd::service
}
* Copy from host 192.168.2.2 to 100: scp /etc/vsftpd/vsftpd.conf 192.168.2.100:/etc/puppet/modules/vsftpd/files/
* chmod 644 /etc/puppet/modules/vsftpd/files/vsftpd.conf //so that the puppet user can read it (others get read permission)
* vim /etc/puppet/modules/vsftpd/files/vsftpd.conf
anonymous_enable=NO
* vim /etc/puppet/manifests/nodes/server113.pp
node 'server113.example.com' {
  include vsftpd   # add the vsftpd module by name
}
Test
* On host 113: puppet agent --server server100.example.com --no-daemonize --verbose
* On host 113: lftp localhost //login fails
lftp localhost:~> ls
Interrupt
lftp localhost:~> quit
* On host 100: vim /etc/puppet/modules/vsftpd/files/vsftpd.conf
anonymous_enable=YES
* On host 113: puppet agent --server server100.example.com --no-daemonize --verbose
* On host 113: lftp localhost //login succeeds
lftp localhost:~> ls
drwxr-xr-x    2 0        0            4096 Feb 12  2013 pub
lftp localhost:/> quit
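Section III.2 note 3 saw the agent apply package, service, config file although site.pp listed package, file, service; the vsftpd module above avoids that with require and notify. The Ruby model below is an added example, not from the original post or from Puppet, of how such relationships fix the apply order: it builds the three classes of the module with the same require/notify edges, sorts them with the standard library's TSort, and reports which resources are refreshed when one changes. Resource, Catalog, apply_order and refresh_targets are this example's own names, not Puppet's API; unrelated resources simply keep insertion order here, which stands in for the order the post ran into.

```ruby
require 'tsort'

# Added example (not from the original post or from Puppet): a small model of
# how require/notify relationships turn into an apply order. Names here are
# this example's own, not Puppet's API.

class Resource
  attr_reader :name, :requires, :notifies

  # requires: resources that must be applied before this one
  # notifies: resources applied after this one and refreshed when it changes
  def initialize(name, requires: [], notifies: [])
    @name = name
    @requires = requires
    @notifies = notifies
  end
end

class Catalog
  include TSort

  def initialize(resources)
    @res = {}
    resources.each { |r| @res[r.name] = r }
  end

  # Everything that must be applied before `name`: its explicit requires plus
  # any resource that notifies it (notify implies a "before" edge as well).
  def predecessors(name)
    explicit = @res.fetch(name).requires
    implied  = @res.values.select { |r| r.notifies.include?(name) }.map(&:name)
    (explicit + implied).uniq
  end

  def tsort_each_node(&block)
    @res.each_key(&block)
  end

  def tsort_each_child(name, &block)
    predecessors(name).each(&block)
  end

  # Apply order that honours every relationship; unrelated resources keep the
  # order they were added in. Raises TSort::Cyclic on a dependency loop.
  def apply_order
    tsort
  end

  # Resources that receive a refresh event when `changed` actually changed.
  def refresh_targets(changed)
    @res.fetch(changed).notifies
  end
end

# The three classes of the post's vsftpd module with their require/notify
# edges, deliberately listed service-first to show the order is not positional.
def vsftpd_catalog
  Catalog.new([
    Resource.new('Class[vsftpd::service]',
                 requires: ['Class[vsftpd::install]', 'Class[vsftpd::config]']),
    Resource.new('Class[vsftpd::config]',
                 requires: ['Class[vsftpd::install]'],
                 notifies: ['Class[vsftpd::service]']),
    Resource.new('Class[vsftpd::install]')
  ])
end

# The three resources of section III.2 as first written: no relationships, so
# nothing forces the config file to be applied before the service starts.
def unrelated_httpd_catalog
  Catalog.new([
    Resource.new('Package[httpd]'),
    Resource.new('Service[httpd]'),
    Resource.new('File[/etc/httpd/conf/httpd.conf]')
  ])
end

if __FILE__ == $PROGRAM_NAME
  p vsftpd_catalog.apply_order
  p vsftpd_catalog.refresh_targets('Class[vsftpd::config]')
  p unrelated_httpd_catalog.apply_order
end
```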
Addendum: using a template to configure virtual hosts
Do the following on the puppet server
[root@server1 manifests]# vim /etc/puppet/manifests/nodes.pp
node 'server2.example.com' {
  include httpd
  # create the virtual host server2.example.com
  httpd::vhost { 'server2.example.com':
    domainname => "server2.example.com"
  }
  # create the virtual host virtual.example.com; to create more virtual hosts, keep adding entries
  httpd::vhost { 'virtual.example.com':
    domainname => "virtual.example.com"
  }
}
[root@server1 manifests]# vim /etc/puppet/modules/httpd/manifests/init.pp
class httpd {
  include httpd::install,httpd::config,httpd::service
}
define httpd::vhost($domainname) {
  #file { "/etc/httpd/conf/httpd.conf":
  #  content => template("httpd/httpd.conf.erb")
  #}
  file { "/etc/httpd/conf.d/${domainname}_vhost.conf":
    #path => '/etc/httpd/conf/httpd_vhost.conf',
    content => template("httpd/httpd_vhost.conf.erb"),
    require => Class["httpd::install"],
    notify => Class["httpd::service"]
  }
  file { "/var/www/$domainname":
    ensure => directory
  }
  file { "/var/www/$domainname/index.html":
    content => $domainname
  }
}
[root@server1 manifests]# vim /etc/puppet/modules/httpd/manifests/config.pp
class httpd::config {
  file { "/etc/httpd/conf/httpd.conf":
    ensure => present,
    #source => "puppet:///modules/httpd/httpd.conf",
    content => template("httpd/httpd.conf.erb"),
    require => Class["httpd::install"],
    notify => Class["httpd::service"]
  }
}
[root@server1 templates]# ls /etc/puppet/modules/httpd/templates
httpd.conf.erb httpd_vhost.conf.erb
In the templates directory:
httpd.conf.erb is the httpd configuration file with the suffix .erb added, because template files must end in .erb.
httpd_vhost.conf.erb is the virtual host configuration file; its content is:
[root@server1 templates]# vim httpd_vhost.conf.erb
<virtualhost *:80>
servername <%= domainname %>
documentroot /var/www/<%= domainname %>
errorlog logs/<%= domainname %>_error.log
customlog logs/<%= domainname %>_access.log common
</virtualhost>
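The template above is plain Ruby ERB: Puppet's template() function evaluates it with the define's parameters available as variables. The Ruby script below is an added example, not from the original post or from Puppet; it renders this exact template for one virtual host and adds a check the define itself does not make: because $domainname is interpolated into file paths under /etc/httpd/conf.d and /var/www, it rejects values that are not plain host names. VHOST_TEMPLATE is the post's template verbatim; render_vhost, safe_domainname? and vhost_conf_for are this example's own names.

```ruby
require 'erb'

# Added example (not from the original post or from Puppet): rendering the
# post's httpd_vhost.conf.erb with the ERB engine that Puppet's template()
# function uses. The template text is the post's; the helpers are this
# example's own.
VHOST_TEMPLATE = <<~ERB
  <virtualhost *:80>
  servername <%= domainname %>
  documentroot /var/www/<%= domainname %>
  errorlog logs/<%= domainname %>_error.log
  customlog logs/<%= domainname %>_access.log common
  </virtualhost>
ERB

# Render the template for one virtual host. Puppet exposes the define's
# parameter as a variable called domainname; here a local of that name is
# bound and handed to ERB.
def render_vhost(domainname)
  ERB.new(VHOST_TEMPLATE).result(binding)
end

# The define interpolates $domainname into "/etc/httpd/conf.d/${domainname}_vhost.conf"
# and "/var/www/$domainname", so only plain DNS host names are accepted here:
# labels of letters, digits and inner hyphens, joined by dots, nothing else.
def safe_domainname?(domainname)
  domainname.match?(/\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*\z/i)
end

# Path and content of the vhost file the define would manage for this name;
# refuses names that would escape the intended directory or break the config.
def vhost_conf_for(domainname)
  unless safe_domainname?(domainname)
    raise ArgumentError, "refusing to template unsafe domainname: #{domainname.inspect}"
  end
  ["/etc/httpd/conf.d/#{domainname}_vhost.conf", render_vhost(domainname)]
end

if __FILE__ == $PROGRAM_NAME
  %w[server2.example.com virtual.example.com].each do |name|
    path, conf = vhost_conf_for(name)
    puts "# #{path}"
    puts conf
  end
end
```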
VI. Managing puppet through the web
Explanation: a web interface shows the clients' information in the browser.
1. Installing Puppet Dashboard (on host 100)
* yum install puppet-dashboard -y
Resolving the dependency:
Error: Package: puppet-dashboard-1.2.23-1.el6.noarch (puppet)
Requires: rubygem(rake)
Download rubygem-rake-0.9.2.2-40.el6sat.noarch.rpm
rpm -ivh rubygem-rake-0.9.2.2-40.el6sat.noarch.rpm
* yum install -y mysql-server mysql puppet-dashboard
* /etc/init.d/mysqld start
* mysql_secure_installation
2. Dashboard database configuration
* vim /usr/share/puppet-dashboard/config/database.yml
production:
  database: dashboard_production
  username: dashboard
  password: westos
  encoding: utf8
  adapter: mysql
Delete the other sections below it.
3. The database and user the dashboard needs
* vim /usr/share/puppet-dashboard/config/add.sql
CREATE DATABASE dashboard_production CHARACTER SET utf8;
CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'westos';
GRANT ALL PRIVILEGES ON dashboard_production.* TO 'dashboard'@'localhost';
* mysql -pwestos < /usr/share/puppet-dashboard/config/add.sql
* mysql -udashboard -pwestos //check that the database dashboard_production exists
mysql> show databases;
+----------------------+
| Database             |
+----------------------+
| information_schema   |
| dashboard_production |
+----------------------+
4. Time zone
* vim /usr/share/puppet-dashboard/config/settings.yml
time_zone: 'Beijing'
The command rake time:zones:local lists the local time zones:
* UTC +08:00 *
Beijing
Chongqing
Hong Kong
5. Creating the tables the dashboard needs
* rake RAILS_ENV=production db:migrate (database migration; output like the following appears)
== CreateNodeClassMemberships: migrating =====================================
-- create_table(:node_class_memberships)
-> 0.0765s
== CreateNodeClassMemberships: migrated (0.0769s) ============================
== CreateNodeGroups: migrating ===============================================
-- create_table(:node_groups)
-> 0.0759s
== CreateNodeGroups: migrated (0.0769s) ======================================
6. Starting the services
* /etc/init.d/puppet-dashboard start
* /etc/init.d/puppet-dashboard-workers start
Note:
* chmod 666 /usr/share/puppet-dashboard/log/production.log
When the log file in that directory is needed, change its permissions so that puppet can write to it; /var/log/messages can be used as a log file as well.
7. Test by browsing to: 192.168.2.100:3000
8. Reporting client sync results to the web page (the client syncs manually)
On host 100
* vim /etc/puppet/puppet.conf
[main]
autosign = true
reports = http
reporturl = http://192.168.2.100:3000/reports
* /etc/init.d/puppetmaster reload
On hosts 103 and 113
* vim /etc/puppet/puppet.conf
[agent]
report = true
* puppet agent --server server100.example.com --no-daemonize --verbose
Test: browse to 192.168.2.100:3000 and refresh
9. Reporting client sync results to the web page (automatic)
Note: the client does not need to sync manually; it syncs automatically every 5 minutes
On hosts 103 and 113
* vim /etc/sysconfig/puppet
# The puppetmaster server
PUPPET_SERVER=server100.example.com
/etc/init.d/puppet start
* vim /etc/puppet/puppet.conf
[agent]
report = true
runinterval = 300
//sync with the server every 5 minutes; the default is once every half hour
* /etc/init.d/puppet reload
Test: browse to 192.168.2.100:3000
Click: Enable autorefresh
Click a hostname to see its number of syncs
Troubleshooting
1. In practice the client's hostname is sometimes changed, and the certificate then has to be regenerated:
* On host 100: puppet cert --clean server103.example.com
* On host 103: rm -rf /var/lib/puppet/ssl/*
* On host 103: puppet agent --server server100.example.com --no-daemonize --verbose
2. On host 103: puppet agent --server server100.example.com --no-daemonize --verbose
Error: Could not set 'file' on ensure: cannot generate tempfile `/etc/httpd/conf/httpd.conf20140809-3221-1c8df00-9' at 10:/etc/puppet/manifests/site.pp
Error: Could not set 'file' on ensure: cannot generate tempfile `/etc/httpd/conf/httpd.conf20140809-3221-1c8df00-9' at 10:/etc/puppet/manifests/site.pp
Wrapped exception:
cannot generate tempfile `/etc/httpd/conf/httpd.conf20140809-3221-1c8df00-9'
Error: /Stage[main]/Main/File[/etc/httpd/conf/httpd.conf]/ensure: change from absent to file failed: Could not set 'file' on ensure: cannot generate tempfile `/etc/httpd/conf/httpd.conf20140809-3221-1c8df00-9' at 10:/etc/puppet/manifests/site.pp
Error: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: httpd: unrecognized service
Wrapped exception:
Execution of '/sbin/service httpd start' returned 1: httpd: unrecognized service
Error: /Stage[main]/Main/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: httpd: unrecognized service
Cause: the first run fails because the file does not exist yet, but httpd is installed successfully. On the second run, with httpd already installed, the files are all

Fix: run it once more: puppet agent --server server100.example.com --no-daemonize --verbose
Explanations
1. To keep the downloaded packages (for example the puppet-server and puppet packages), what do you do?
* vim /etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=1
* Path of the puppet packages: /var/cache/yum/x86_64/6Server/
Note:
# MySQL 5.1 "packet too large" problem: when importing data with the client you may hit error code 1153 - Got a packet bigger than 'max_allowed_packet' bytes, which aborts the import. Fix it with the following parameter (not encountered on rhel6.3):
# vi /etc/my.cnf
[mysqld]
max_allowed_packet = 32M
#add this line

This article comes from the "lyh1999" blog; please contact the author before reposting.


Original URL: http://lyh1999.blog.51cto.com/8692612/1637380
