Puppet
二、安装部署
1、环境描述
master:172.16.0.167
node1:172.16.0.168
hosts文件如下:
[root@master ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.167 master.yes.com
172.16.0.168 node1.yes.com
master端:
[root@master ~]# hostname
master.yes.com
[root@master ~]# cat /etc/hostname
master.yes.com
node1端:
[root@node1 ~]# hostname
node1.yes.com
[root@node1 ~]# cat /etc/hostname
node1.yes.com
2、安装配置
1)安装软件
master:
[root@master ~]# cd /etc/yum.repos.d/
[root@master yum.repos.d]# ls
bak CentOS-Debuginfo.repo CentOS-Sources.repo
CentOS-Base.repo CentOS-fasttrack.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-Media.repo mnt_cdrom.repo.gz
[root@master yum.repos.d]# rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
[root@master yum.repos.d]# yum install ruby ruby-libs puppet puppet-server facter -y
facter:系统盘点工具,负责采集系统信息的
agent: yum配置同master
[root@node1 yum.repos.d]# rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
[root@node1 yum.repos.d]# yum install ruby ruby-libs puppet facter -y
2)master操作
[root@master yum.repos.d]# puppet -V
3.6.2
a、准备site.pp
[root@master ~]# touch /etc/puppet/manifests/site.pp
b、启动服务
[root@master ~]# systemctl start puppetmaster.service
[root@master ~]# systemctl enable puppetmaster.service
[root@master ~]# ls /var/lib/puppet/ssl/ca/signed/ —— 已签名的证书再次
master.yes.com.pem
3)agent操作
a、修改配置文件
[root@node1 ~]# vim /etc/puppet/puppet.conf
server = master.yes.com //在[main]段添加,指定谁是我的master
b、启动服务
[root@node1 ~]# systemctl start puppet
[root@node1 ~]# systemctl enable puppet
4)master操作
查看签名请求列表
[root@master ~]# puppet cert -l
"node1.yes.com" (SHA256) 92:0B:27:72:08:92:BE:CA:14:31:43:6B:B8:90:20:86:3D:64:E0:E1:B4:79:46:D5:29:E0:8E:6E:96:35:14:7D
签发所有的证书请求
[root@master ~]# puppet cert -sa
------
-l:查看列表
-a:查看所有的
-s:签发证书请求
-----
-----------------------------------------
证书存放路径:
/var/lib/puppet/ssl
[root@master puppet]# cd /var/lib/puppet/ssl
[root@master ssl]# ls
ca certs private public_keys
certificate_requests crl.pem private_keys
证书请求在哪?
[root@master requests]# pwd
/var/lib/puppet/ssl/ca/requests
-----------------------------------------
-------------------------------------------------------
插曲:
[root@master ~]# rpm -ql puppet-server
/etc/puppet/fileserver.conf 文件服务器相关的配置文件
/etc/puppet/manifests 清单目录,存放配置文件的,配置文件以.pp结尾
/usr/lib/systemd/system/puppetmaster.service
/usr/share/man/man8/puppet-kick.8.gz
/usr/share/man/man8/puppet-master.8.gz
/usr/share/man/man8/puppet-queue.8.gz
[root@master ~]# rpm -ql puppet | head -20
/etc/NetworkManager
/etc/NetworkManager/dispatcher.d
/etc/NetworkManager/dispatcher.d/98-puppet
/etc/logrotate.d/puppet
/etc/puppet
/etc/puppet/auth.conf 认证相关的配置文件
/etc/puppet/modules 模块目录
/etc/puppet/puppet.conf 主配置文件
/usr/bin/extlookup2hiera
/usr/bin/puppet
[root@master ~]# yum install tree -y
[root@master ~]# tree /etc/puppet/
/etc/puppet/
├── auth.conf
├── fileserver.conf
├── manifests
│ └── site.pp //puppetmaster第一个加载的配置文件
├── modules
└── puppet.conf
2 directories, 4 files
[root@master ~]# ls -d /var/lib/puppet/ssl —— 存放与ssl加密连接相关的 文件,比如证书文件等
/var/lib/puppet/ssl
-------------------------------------------------------
Anisble
1、安装ansible ------ 167
[root@master ~]# cat /etc/resolv.conf
nameserver 8.8.8.8
[root@master ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.0.244 0.0.0.0 UG 100 0 0 ens33
172.16.0.0 0.0.0.0 255.255.0.0 U 100 0 0 ens33
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
[root@master ~]# ls /etc/yum.repos.d/
bak CentOS-Debuginfo.repo CentOS-Sources.repo epel-testing.repo
CentOS-Base.repo CentOS-fasttrack.repo CentOS-Vault.repo mnt_cdrom.repo.gz
CentOS-CR.repo CentOS-Media.repo epel.repo
[root@master ~]# rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
[root@master ~]# yum install ansible -y
[root@master ~]# rpm -ql ansible | head -20
/etc/ansible 配置目录
/etc/ansible/ansible.cfg 配置文件
/etc/ansible/hosts 定义被管主机列表的文件 host inventory
/etc/ansible/roles 定义角色的
/usr/bin/ansible 命令
/usr/bin/ansible-doc
[root@master ~]# ansible-doc -l 查看ansible支持的模块列表
[root@master ~]# ansible-doc ping //查看ping模块的帮助
/usr/bin/ansible-playbook 运行ansible的剧本的
2、ansible的简单配置
[root@master ~]# vim /etc/ansible/hosts
# Ex 1: Ungrouped hosts, specify before any group headers.
## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10
# Ex 2: A collection of hosts belonging to the 'webservers' group
## [webservers]
## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110
# If you have multiple hosts following a pattern(模式) you can specify
# them like this:
## www[001:006].example.com 六台机器
简单演示
[root@master ~]# vim /etc/ansible/hosts
172.16.0.168
[root@master ~]# ansible 172.16.0.168 -m ping -k
-k:提示输入密码
SSH password:
172.16.0.168 | FAILED! => {
"msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host's fingerprint to your known_hosts file to manage this host."
}
[root@master ~]# ssh 172.16.0.168
The authenticity of host '172.16.0.168 (172.16.0.168)' can't be established.
ECDSA key fingerprint is SHA256:UxvDcaHHOg3F4Zwte3QiR1KN35pFyGYBSWnVhqMoSeQ.
ECDSA key fingerprint is MD5:3f:9f:aa:08:70:c6:0c:00:39:5a:f0:c6:5b:04:4e:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.168' (ECDSA) to the list of known hosts.
root@172.16.0.168's password:
[root@master ~]# ansible 172.16.0.168 -m ping -k
SSH password:
172.16.0.168 | SUCCESS => {
"changed": false,
"ping": "pong"
}
------
报错:原因:是该主机不在ansible的管理列表中
[root@master ~]# ansible 172.16.0.169 -m ping -k
SSH password:
[WARNING]: Could not match supplied host pattern, ignoring: 172.16.0.169
[WARNING]: No hosts matched, nothing to do
----------------------------
案例一:定义一个主机组
[root@master ~]# vim /etc/ansible/hosts
[test]
172.16.0.168
172.16.0.169
[root@master ~]# ansible test -m ping -k
SSH password:
172.16.0.169 | SUCCESS => {
"changed": false,
"ping": "pong"
}
172.16.0.168 | SUCCESS => {
"changed": false,
"ping": "pong"
}
--------------------------------
方式二:如果不使用-k,想要不交互
[root@master ~]# vim /etc/ansible/hosts
172.16.0.168 ansible_ssh_user=root ansible_ssh_pass=redhat
[root@master ~]# ansible 172.16.0.168 -m ping
172.16.0.168 | SUCCESS => {
"changed": false,
"ping": "pong"
}
方式三:走ssh免密码登录 ******* 常用的方式
批量传输公钥
服务器端生成密钥对
[root@master ~]# ssh-keygen
[root@master ~]# yum install expect -y
[root@master ~]# cat /root/ip_list.txt
172.16.0.168
172.16.0.169
[root@master ~]# cat scp_ssh_key.sh
#!/bin/bash
for ipaddr in `cat /root/ip_list.txt`
do
cmd="ssh-copy-id $ipaddr"
expect -c "
set timeout 60
spawn $cmd
expect {
"(yes/no)?" {send "yes
";exp_continue}
"$ipaddr's password:" {send "redhat
";exp_continue}
}
"
done
[root@master ~]# chmod +x scp_ssh_key.sh
[root@master ~]# ./scp_ssh_key.sh