  Ops automation tool: Puppet

    Case environment:
    ----------------------------------------------------------------------------
    Host           OS                  IP address       Main software
    ----------------------------------------------------------------------------
    puppetmaster   CentOS 6.5 x86_64   192.168.200.131  ruby-*
                                                        facter-1.7.1.tar.gz
                                                        puppet-2.7.21.tar.gz
    ----------------------------------------------------------------------------
    puppetclient1  CentOS 6.5 x86_64   192.168.200.132  ruby-*
                                                        facter-1.7.1.tar.gz
                                                        puppet-2.7.21.tar.gz
    ----------------------------------------------------------------------------
    puppetclient2  CentOS 6.5 x86_64   192.168.200.133  ruby-*
                                                        facter-1.7.1.tar.gz
                                                        puppet-2.7.21.tar.gz
    ----------------------------------------------------------------------------
    NTP Server     CentOS 6.5 x86_64   192.168.200.134
    ================================================================================
    Case implementation:
    Step 1: build the puppetmaster
    1.1 Plan the server hostnames
    [root@localhost ~]# vi /etc/sysconfig/network
    HOSTNAME=master.test.cn
    [root@localhost ~]# vi /etc/hosts
    192.168.200.131 master.test.cn
    192.168.200.132 client.test.cn
    192.168.200.133 client133.test.cn
    [root@localhost ~]# hostname master.test.cn
    [root@localhost ~]# bash
    1.2 Configure the NTP time server
    1.2.1 Configuration on the NTP server (192.168.200.134)
    [root@localhost ~]# yum -y install ntp
    [root@localhost ~]# vi /etc/ntp.conf 
    Add the following two lines:
    server 127.127.1.0
    fudge 127.127.1.0 stratum 8
    [root@localhost ~]# service ntpd start
    正在启动 ntpd:                                            [确定]
    [root@localhost ~]# chkconfig ntpd on
    1.2.2 Configure the puppetmaster as an NTP client
    [root@master ~]# yum -y install ntp
    [root@master ~]# ntpdate 192.168.200.134
     7 Jan 22:43:18 ntpdate[3058]: adjust time server 192.168.200.134 offset 0.467919 sec
    1.3 Install ruby (note: the CentOS installation image comes on two discs; for the installation below both discs must be mounted and their paths specified in the *.repo file)
    [root@master ~]# yum -y install compat-readline5 ruby*
    After the installation completes, check the ruby version
    [root@master ~]# ruby -v
    ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
    1.4 Install puppet and facter
    [root@master ~]# useradd -s /sbin/nologin puppet
    The facter tool is used to analyse the information transmitted from the clients.
    Install facter:
    [root@master ~]# tar xf facter-1.7.1.tar.gz 
    [root@master ~]# cd facter-1.7.1
    [root@master facter-1.7.1]# ruby install.rb 
    Install puppet:
    [root@master facter-1.7.1]# cd
    [root@master ~]# tar xf puppet-2.7.21.tar.gz 
    [root@master ~]# cd puppet-2.7.21
    [root@master puppet-2.7.21]# ruby install.rb 
    Post-install adjustments:
    [root@master puppet-2.7.21]# cp conf/redhat/fileserver.conf /etc/puppet/
    [root@master puppet-2.7.21]# cp conf/redhat/puppet.conf /etc/puppet/
    [root@master puppet-2.7.21]# cp conf/redhat/server.init /etc/init.d/puppetmaster
    [root@master puppet-2.7.21]# chmod +x /etc/init.d/puppetmaster 
    [root@master puppet-2.7.21]# mkdir /etc/puppet/manifests
    [root@master puppet-2.7.21]# mkdir /etc/puppet/modules
    Puppet service certificate request and signing:
    (Note: in a production environment iptables is fully disabled by default)
    Configuration on the master:
    [root@master puppet-2.7.21]# service iptables stop
    Edit the configuration file
    [root@master puppet-2.7.21]# vi /etc/puppet/puppet.conf 
    [main]
        # The Puppet log directory.
        # The default value is '$vardir/log'.
        logdir = /var/log/puppet
        # Where Puppet PID files are kept.
        # The default value is '$vardir/run'.
        rundir = /var/run/puppet
        # Where SSL certificates are kept.
        # The default value is '$confdir/ssl'.
        ssldir = $vardir/ssl
        # added line: the server's module search path
        modulepath = /etc/puppet/modules:/usr/share/puppet/modules
    [agent]
        # The file in which puppetd stores a list of the classes
        # associated with the retrieved configuratiion.  Can be loaded in
        # the separate ``puppet`` executable using the ``--loadclasses``
        # option.
        # The default value is '$confdir/classes.txt'.
        classfile = $vardir/classes.txt
        # Where puppetd caches the local configuration.  An
        # extension indicating the cache format is added automatically.
        # The default value is '$confdir/localconfig'.
        localconfig = $vardir/localconfig
    -----------------------------------------------------------------
    Start the puppet master process
    [root@master puppet-2.7.21]# /etc/init.d/puppetmaster start
    启动 puppetmaster:                                        [确定]
    =======================================================================
    Step 2: build puppetclient1 and puppetclient2
    Configure puppetclient1 first
    2.1 Plan the server hostname
    [root@localhost ~]# vi /etc/sysconfig/network
    HOSTNAME=client.test.cn
    [root@localhost ~]# vi /etc/hosts
    192.168.200.131 master.test.cn
    192.168.200.132 client.test.cn
    192.168.200.133 client133.test.cn
    [root@localhost ~]# hostname client.test.cn
    [root@localhost ~]# bash
    [root@client ~]# 
    2.2 Synchronise the server's time
    [root@client ~]# ntpdate 192.168.200.134
     8 Jan 21:52:50 ntpdate[3244]: step time server 192.168.200.134 offset -28.886955 sec
    2.3 Install ruby
    [root@client ~]# yum -y install compat-readline5 ruby*
    After the installation completes, check the ruby version
    [root@client ~]# ruby -v
    ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
    2.4 Install puppet and facter
    [root@client ~]# tar xf facter-1.7.1.tar.gz 
    [root@client ~]# cd facter-1.7.1
    [root@client facter-1.7.1]# ruby install.rb
    [root@client facter-1.7.1]# cd
    [root@client ~]# tar xf puppet-2.7.21.tar.gz 
    [root@client ~]# cd puppet-2.7.21
    [root@client puppet-2.7.21]# ruby install.rb
    Post-install adjustments:
    [root@client puppet-2.7.21]# cp conf/redhat/puppet.conf /etc/puppet/
    [root@client puppet-2.7.21]# cp conf/redhat/client.init /etc/init.d/puppetclient
    [root@client puppet-2.7.21]# chmod  +x /etc/init.d/puppetclient
    Puppet service certificate request and signing:
    (Note: in a production environment iptables is fully disabled by default)
    [root@client puppet-2.7.21]# service iptables stop
    iptables:将链设置为政策 ACCEPT:filter                    [确定]
    iptables:清除防火墙规则:                                 [确定]
    iptables:正在卸载模块:                                   [确定]
    [root@client puppet-2.7.21]# chkconfig iptables off
    [root@client puppet-2.7.21]# iptables -F
    [root@client puppet-2.7.21]# setenforce 0
    192.168.200.133 is configured the same way as 192.168.200.132; proceed as follows
    Edit the client configuration file
    [root@client puppet-2.7.21]# vi /etc/puppet/puppet.conf 
    [main]
        # The Puppet log directory.
        # The default value is '$vardir/log'.
        logdir = /var/log/puppet
        # Where Puppet PID files are kept.
        # The default value is '$vardir/run'.
        rundir = /var/run/puppet
        # Where SSL certificates are kept.
        # The default value is '$confdir/ssl'.
        ssldir = $vardir/ssl
        # added line: the master's domain name
        server = master.test.cn
    [agent]
        # The file in which puppetd stores a list of the classes
        # associated with the retrieved configuratiion.  Can be loaded in
        # the separate ``puppet`` executable using the ``--loadclasses``
        # option.
        # The default value is '$confdir/classes.txt'.
        classfile = $vardir/classes.txt
        # Where puppetd caches the local configuration.  An
        # extension indicating the cache format is added automatically.
        # The default value is '$confdir/localconfig'.
        localconfig = $vardir/localconfig
    ----------------------------------------------------------------------------
    puppetclient2 is configured like puppetclient1; make sure to set its hostname to client133.test.cn
    Request and registration:
    Client side:
    Register on puppetclient1 and puppetclient2 respectively
    [root@client ~]# puppet agent --server=master.test.cn --no-daemonize --verbose
    info: Creating a new SSL key for client.test.cn
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for client.test.cn
    info: Certificate Request fingerprint (md5): 91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64
    puppet is now waiting for work; meanwhile the request can already be seen on the server
    Master side
    List the clients that have requested registration
    [root@master ~]# puppet cert --list
      "client.test.cn"    (91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64)
      "client133.test.cn" (CD:EE:80:26:D6:16:C3:D6:9F:7C:DD:14:A0:99:BA:C4)
    Register (sign) the clients that are not yet registered:
    [root@master ~]# puppet cert sign --all
    notice: Signed certificate request for client133.test.cn
    notice: Removing file Puppet::SSL::CertificateRequest client133.test.cn at '/var/lib/puppet/ssl/ca/requests/client133.test.cn.pem'
    notice: Signed certificate request for client.test.cn
    notice: Removing file Puppet::SSL::CertificateRequest client.test.cn at '/var/lib/puppet/ssl/ca/requests/client.test.cn.pem'
    Check the registered clients via the directory:
    [root@master ~]# ll /var/lib/puppet/ssl/ca/signed/
    总用量 12
    -rw-r-----. 1 puppet puppet 1911 1月   8 22:21 client133.test.cn.pem
    -rw-r-----. 1 puppet puppet 1907 1月   8 22:21 client.test.cn.pem
    -rw-r-----. 1 puppet puppet 1976 1月   8 21:48 master.test.cn.pem
    ==================================================================
    At this point the clients have completed the certificate request and signing.
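The article signs every pending request with `puppet cert sign --all`. The script below is a worked check for that step, added here and not part of the original article: it matches the fingerprint the client printed during `puppet agent ... --verbose` against the `puppet cert --list` output on the master, and only emits a `puppet cert sign` command for the certname whose pending request carries that fingerprint. The two list lines are the article's own output; the function names and the fact that the sign command is printed rather than executed are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the article): verify a CSR fingerprint before signing it.

# `puppet cert --list` output as shown in the article on the master.
CERT_LIST='  "client.test.cn"    (91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64)
  "client133.test.cn" (CD:EE:80:26:D6:16:C3:D6:9F:7C:DD:14:A0:99:BA:C4)'

# find_csr_by_fingerprint FINGERPRINT [LIST_TEXT]
# Prints the certname whose pending request has FINGERPRINT (case-insensitive)
# and returns 0; prints nothing and returns 1 when no request matches.
# LIST_TEXT defaults to the sample above; on a real master pass "$(puppet cert --list)".
find_csr_by_fingerprint() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    printf '%s\n' "${2:-$CERT_LIST}" | awk -v want="$want" '
        NF >= 2 {
            name = $(NF - 1); gsub(/"/, "", name)      # strip the quotes around the certname
            fpr  = $NF;       gsub(/[()]/, "", fpr)    # strip the parentheses around the fingerprint
            if (fpr == want) { print name; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# sign_if_matching CERTNAME FINGERPRINT [LIST_TEXT]
# Emits the `puppet cert sign` command for CERTNAME only when the pending
# request for that exact name carries FINGERPRINT; otherwise explains the
# refusal and returns 1. The command is printed rather than run so the
# operator can review it (or pipe it to sh).
sign_if_matching() {
    owner=$(find_csr_by_fingerprint "$2" "${3:-$CERT_LIST}") || {
        echo "REFUSE: no pending request has fingerprint $2"
        return 1
    }
    if [ "$owner" != "$1" ]; then
        echo "REFUSE: fingerprint $2 belongs to $owner, not $1"
        return 1
    fi
    echo "puppet cert sign $1"
}

# Usage on the master, with the fingerprint read off the client's console:
#   sign_if_matching client.test.cn 91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64
```

The point of the check is that `--all` trusts whoever happened to submit a request; comparing the fingerprint the operator saw on the client console with the one the master lists ties the signed certificate to the machine it was generated on.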
    Step 3: configuration example:
    3.1 Configure a test node
    Node information: /etc/puppet/manifests/nodes
    Module information: /etc/puppet/modules
    Example requirement: to protect the Linux ssh port from brute-force attempts, change the ssh port on all clients in bulk, 22 ---> 9922
    Operations on the master:
    3.1.1 Create the required directories
    [root@master ~]# mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}
    [root@master ~]# mkdir /etc/puppet/manifests/nodes
    [root@master ~]# mkdir /etc/puppet/modules/ssh/files/ssh
    [root@master ~]# chown -R puppet /etc/puppet/modules/
    [root@master ~]# ll /etc/puppet/modules/ssh/
    总用量 12
    drwxr-xr-x. 3 puppet root 4096 1月   8 22:46 files
    drwxr-xr-x. 2 puppet root 4096 1月   8 22:46 manifests
    drwxr-xr-x. 2 puppet root 4096 1月   8 22:46 templates
    3.1.2 Create the module manifest install.pp
    [root@master ~]# vi /etc/puppet/modules/ssh/manifests/install.pp
    First make sure the ssh service is installed on the client
    class ssh::install {
            package { "openssh":
                    ensure => present,
            }
    }
    --------------------------------------------------------------------------
    3.1.3 Create the module manifest config.pp
    [root@master ~]# vi /etc/puppet/modules/ssh/manifests/config.pp
    class ssh::config {
            # the file the client must keep in sync with the master
            file { "/etc/ssh/sshd_config":
                    ensure  => present,                # the file must exist on the client
                    owner   => "root",
                    group   => "root",
                    mode    => "0600",
                    # pulled from the master's module: modules/ssh/files/ssh/sshd_config
                    source  => "puppet:///modules/ssh/ssh/sshd_config",
                    # install.pp must have been applied first, so ssh is installed
                    require => Class["ssh::install"],
                    # when this file changes, notify service.pp so sshd is restarted
                    notify  => Class["ssh::service"],
            }
    }
    -------------------------------------------------------------------------
    3.1.4 Create the module manifest service.pp
    [root@master ~]# vi /etc/puppet/modules/ssh/manifests/service.pp
    class ssh::service {
            service { "sshd":                           # make sure sshd is running
                    ensure     => running,
                    # the init script supports "status", like service sshd status
                    hasstatus  => true,
                    # the init script supports "restart", like service sshd restart
                    hasrestart => true,
                    enable     => true,                 # start the service at boot
                    require    => Class["ssh::config"], # config.pp must be applied first
            }
    }
    --------------------------------------------------------------------------
    3.1.5 Create the module's main manifest init.pp
    [root@master ~]# vi /etc/puppet/modules/ssh/manifests/init.pp
    class ssh {
            include ssh::install,ssh::config,ssh::service
    }
    ---------------------------------------------------------
    At this point /etc/puppet/modules/ssh/manifests holds four files
    [root@master ~]# ll /etc/puppet/modules/ssh/manifests
    总用量 16
    -rw-r--r--. 1 root root 271 1月   8 22:58 config.pp
    -rw-r--r--. 1 root root  60 1月   8 23:05 init.pp
    -rw-r--r--. 1 root root  69 1月   8 22:52 install.pp
    -rw-r--r--. 1 root root 159 1月   8 23:04 service.pp
    -----------------------------------------------------
    3.1.6 Set up the centrally maintained ssh configuration file on the server.
    [root@master ~]# cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/
    [root@master ~]# chown puppet /etc/puppet/modules/ssh/files/ssh/sshd_config
    ----------------------------------------------------------------
    3.1.7 Create the test node manifest and load the ssh module into it.
    [root@master ~]# vi /etc/puppet/manifests/nodes/ssh.pp
    node 'client.test.cn' {
            include ssh
    }
    node 'client133.test.cn' {
            include ssh
    }
    -----------------------------------------------
    3.1.8 Load the test nodes into puppet, i.e. edit site.pp
    [root@master ~]# vi /etc/puppet/manifests/site.pp
    import "nodes/ssh.pp"
    ----------------------------------
    3.1.9 Edit the sshd_config file maintained on the server
    [root@master ~]# vi /etc/puppet/modules/ssh/files/ssh/sshd_config
    Add one line:
    Port 9922
    -------------------------------------------------------------------
    3.1.10 Restart puppet
    [root@master ~]# /etc/init.d/puppetmaster restart
    停止 puppetmaster:                                        [确定]
    启动 puppetmaster:                                        [确定]
    -----------------------------------------------------------------------
    Step 4: test:
    The client pulls actively
    Run the following command on 192.168.200.132
    [root@client ~]# puppet agent -t
    info: Caching catalog for client.test.cn
    info: Applying configuration version '1420730314'
    notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: 
    --- /etc/ssh/sshd_config 2013-11-23 06:40:03.000000000 +0800
    +++ /tmp/puppet-file20150108-4788-pehloa-0 2015-01-08 23:18:36.011709007 +0800
    @@ -11,6 +11,7 @@
     # default value.
     
     #Port 22
    +Port 9922
     #AddressFamily any
     #ListenAddress 0.0.0.0
     #ListenAddress ::
    info: FileBucket adding {md5}53ad75eb1f2269d23f6e4228353cbca3
    info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 53ad75eb1f2269d23f6e4228353cbca3
    notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: content changed '{md5}53ad75eb1f2269d23f6e4228353cbca3' to '{md5}3a2dee85056976947f1c154af9a0bf35'
    info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Class[Ssh::Service]
    info: Class[Ssh::Service]: Scheduling refresh of Service[sshd]
    notice: /Stage[main]/Ssh::Service/Service[sshd]: Triggered 'refresh' from 1 events
    info: Creating state file /var/lib/puppet/state/state.yaml
    notice: Finished catalog run in 0.89 seconds
    =======================================================================
    At this point the run has completed successfully on the client. Verify as follows
    [root@client ~]# grep "9922" /etc/ssh/sshd_config 
    Port 9922
    ---------------------------------
    Check whether the ssh service has been restarted and the new port is in effect
    [root@client ~]# netstat -anpt |grep ssh
    tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      5075/sshd           
    tcp        0     52 192.168.200.132:22          192.168.200.102:49606       ESTABLISHED 3167/sshd           
    tcp        0      0 :::9922                     :::*                        LISTEN      5075/sshd  
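An added verification script for the test above (not from the article): it reads the active `Port` directives out of an sshd_config excerpt and checks a `netstat -anpt` listing for an sshd socket in LISTEN state on each of them, reporting any port that is configured but not actually bound. The sshd_config excerpt is constructed; the netstat lines are the article's own output from 192.168.200.132. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): confirm sshd really listens on the port Puppet configured.

# Constructed excerpt of /etc/ssh/sshd_config as it looks after the Puppet run.
SSHD_CONFIG='#Port 22
Port 9922
#AddressFamily any
#ListenAddress 0.0.0.0'

# `netstat -anpt` lines as shown in the article on 192.168.200.132.
NETSTAT_OUT='tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      5075/sshd
tcp        0     52 192.168.200.132:22          192.168.200.102:49606       ESTABLISHED 3167/sshd
tcp        0      0 :::9922                     :::*                        LISTEN      5075/sshd'

# sshd_config_ports CONFIG_TEXT
# Prints every active (uncommented) Port value, one per line. sshd binds all
# of them, so a stray second "Port 22" line would silently keep the old port open.
sshd_config_ports() {
    printf '%s\n' "$1" | awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }'
}

# sshd_listening PORT NETSTAT_TEXT
# Returns 0 when an sshd socket is in LISTEN state on PORT (IPv4 or IPv6).
# In netstat -anpt output column 4 is the local address, 6 the state, 7 PID/program.
sshd_listening() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $4 ~ (":" port "$") && $6 == "LISTEN" && $7 ~ /sshd$/ { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# verify_sshd_ports CONFIG_TEXT NETSTAT_TEXT
# Prints "ok PORT" or "missing PORT" per configured port and returns 1 if any
# configured port is not bound. With no Port directive sshd defaults to 22.
# ESTABLISHED rows are ignored on purpose: sessions opened on the old port
# survive the restart and say nothing about what sshd now accepts.
verify_sshd_ports() {
    ports=$(sshd_config_ports "$1")
    [ -n "$ports" ] || ports=22
    rc=0
    for p in $ports; do
        if sshd_listening "$p" "$2"; then
            echo "ok $p"
        else
            echo "missing $p"
            rc=1
        fi
    done
    return $rc
}

# Usage on a client after the run (the article's step 4):
#   verify_sshd_ports "$(cat /etc/ssh/sshd_config)" "$(netstat -anpt)"
```

The ESTABLISHED `:22` row in the article's own netstat output is the existing admin session, not a listener; the check above only trusts LISTEN rows, which is what tells you a new login on 22 would now be refused.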
    -----------------------------------------------------------------------------------------------
    Step 5: server push synchronisation
    Use the server-push mode for large-scale deployments.
    Client side:
    Edits on 192.168.200.133
    5.1 Edit the configuration files:
    [root@client ~]# vi /etc/puppet/puppet.conf 
    Append the following at the end:
    # make puppet listen on port 8139
    listen = true
    [root@client133 ~]# vi /etc/puppet/auth.conf
    auth.conf holds authentication details and access rights; append the following at the end:
    # allow any server to push
    allow *
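`listen = true` together with `allow *` lets any host that can reach port 8139 trigger a run on this agent. The audit script below is an added example, not from the article: it checks a puppet.conf excerpt for the listen setting and an auth.conf excerpt for a stanza whose allow list contains `*`, and prints a one-line finding. It also carries a narrower auth.conf tail that grants the `/run` endpoint to the master's certname only. The config excerpts are constructed; the `/run` stanza is an assumption in the stanza form auth.conf uses for puppet kick; `master.test.cn` is the master's name from this article; function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): audit the push settings (listen / auth.conf) of a puppet agent.

# Constructed puppet.conf excerpt with the line the article appends.
PUPPET_CONF_ARTICLE='[main]
    logdir = /var/log/puppet
    server = master.test.cn
listen = true'

# Constructed tail of /etc/puppet/auth.conf with "allow *" appended as in the
# article; the appended line lands in the catch-all "path /" stanza.
AUTH_CONF_ARTICLE='path /
auth any
allow *'

# Narrower alternative (assumption, in the stanza form auth.conf uses for
# puppet kick): only the master certname may call the agent's /run endpoint.
# auth.conf uses the first matching path, so the /run stanza precedes "path /".
AUTH_CONF_SCOPED='path /run
method save
auth any
allow master.test.cn

path /
auth any'

# puppet_listen_enabled CONF_TEXT: returns 0 when "listen = true" is set.
puppet_listen_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*listen[[:space:]]*=[[:space:]]*true[[:space:]]*$'
}

# auth_conf_open_allow AUTH_TEXT
# Prints the path of every stanza whose allow list contains "*"; prints
# nothing when every allow entry names a specific host or host pattern.
auth_conf_open_allow() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "path"  { path = $2; next }             # a new stanza starts here
        $1 == "allow" { for (i = 2; i <= NF; i++)
                            if ($i == "*") print (path == "" ? "(no path)" : path) }'
}

# audit_push_config CONF_TEXT AUTH_TEXT
# One-line finding; returns 1 when any host that can reach the agent could trigger a run.
audit_push_config() {
    if ! puppet_listen_enabled "$1"; then
        echo "OK: listen is not enabled, the agent accepts no pushes"
        return 0
    fi
    open=$(auth_conf_open_allow "$2")
    if [ -n "$open" ]; then
        echo "WIDE-OPEN: listen = true and 'allow *' under path $open"
        return 1
    fi
    echo "OK: listen = true and auth.conf names the allowed hosts"
    return 0
}

# Usage on a client: audit_push_config "$(cat /etc/puppet/puppet.conf)" "$(cat /etc/puppet/auth.conf)"
```

Run against the article's edit the audit reports WIDE-OPEN; with the scoped tail in place of `allow *` it reports OK while `puppet kick` from master.test.cn keeps working.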
    5.2 Start the puppet client
    [root@client133 ~]# /etc/init.d/puppetclient start
    启动 puppet:                                              [确定]
    ------------------------------------------------------------------------
    At this point the run has completed successfully on the client. Verify as follows
    #Port 22
    Port 9922
    -----------------------------------------
    [root@client133 ~]# netstat -anpt |grep "sshd"
    tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      3675/sshd           
    tcp        0     52 192.168.200.133:22          192.168.200.102:49614       ESTABLISHED 2274/sshd           
    tcp        0      0 192.168.200.133:22          192.168.200.102:61164       ESTABLISHED 2182/sshd           
    tcp        0      0 :::9922                     :::*                        LISTEN      3675/sshd 
    ===================================================================================================
    The master can also force a push
    [root@master ~]# puppet kick client133.test.cn
    Triggering client133.test.cn
    Getting status
    status is success
    client133.test.cn finished with exit code 0
    Finished
    ==========================================================
    Source of this article: http://www.benet.wang/%E6%9C%8D%E5%8A%A1%E6%90%AD%E5%BB%BA/4.html

    Original URL: https://www.cnblogs.com/lidong94/p/6073068.html