Puppet安装配置

Puppet安装配置

官方网站：

https://puppet.com

环境：

CentOS7.2

puppet-3.8.7

yum安装

rpm -ihv http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

服务端node5.example.com

yum -y install puppet-server

systemctl start puppetmaster

systemctl enable puppetmaster

客户端node6.example.com

yum -y install puppet

systemctl start puppet

systemctl enable puppet

一.客户端注册

1./etc/puppet/puppet.conf中指定puppet server

在[agent]段添加

server = node5.example.com

2.重启puppet agent

systemctl restart puppet

3.生成证书请求文件csr,并发送给puppet server

[root@node6 ~]# puppet agent -t

Exiting; no certificate found and waitforcert is disabled

4.puppet server签发(sign)

[root@node5 ~]# puppet cert list --all

  "node6.example.com" (SHA256) DD:C7:16:3A:BE:C9:F1:44:C1:76:21:60:57:15:EF:ED:1E:97:BC:FE:43:A3:45:4D:32:D9:9A:E6:E0:CE:3E:A7

+ "node5.example.com" (SHA256) 4D:C2:73:E8:97:3D:11:1F:D5:43:D6:DA:91:DE:9D:2C:87:0B:39:E9:46:1F:23:B2:4E:0A:01:E7:44:DE:1A:8E (alt names: "DNS:node5.example.com", "DNS:puppet", "DNS:puppet.example.com")

[root@node5 ~]# puppet cert sign node6.example.com

Notice: Signed certificate request for node6.example.com

Notice: Removing file Puppet::SSL::CertificateRequest node6.example.com at '/var/lib/puppet/ssl/ca/requests/node6.example.com.pem'

5.从puppet server下载签发好的证书，注册完成

[root@node6 ~]# puppet agent -t

Exiting; no certificate found and waitforcert is disabled

[root@node6 ~]# puppet agent -t

Info: Caching certificate for node6.example.com

Info: Caching certificate_revocation_list for ca

Info: Caching certificate for node6.example.com

Warning: Unable to fetch my node definition, but the agent run will continue:

Warning: undefined method `include?' for nil:NilClass

Info: Retrieving pluginfacts

Info: Retrieving plugin

Info: Caching catalog for node6.example.com

Info: Applying configuration version '1477232225'

Info: Creating state file /var/lib/puppet/state/state.yaml

Notice: Finished catalog run in 0.01 seconds

第一次run会出现Warning

删除客户端证书

puppet cert clean node6.example.com

puppet cert clean --all #删除所有证书，包括puppet server本身

二.配置管理

http://puppet.wikidot.com

说明:puppet默认会从site.pp开始执行，.pp配置定义完成后，客户端即时生效需要在客户端执行puppet agent -t

1.创建根pp文件---site.pp

touch /etc/puppet/manifests/site.pp

2.用户组

cat >>/etc/puppet/manifests/group.pp <<'EOF'

group{'test':

        gid => 2000,

        ensure => present,

}

group{'testgroup1':

        gid => 2001,

        ensure => present,

}

group{'testgroup2':

        gid => 2002,

        ensure => present,

}

EOF

cat >>/etc/puppet/manifests/site.pp <<'EOF'

import 'group.pp'

EOF

3.用户

cat >>/etc/puppet/manifests/user.pp <<'EOF'

$testgroup=['testgroup1','testgroup2']

user{'test':

        ensure => present,

        #ensure => absent,

        uid => 2000,

        gid => 2000,

        groups => $testgroup,

        comment => 'test user',             password => '$6$zY6UhOtQ$IcTmGUMZ/4okmiYjnYe0WmjZe74tlbR0a5uJhP5wI8JdE6Zh6busaePmRLKjC1ikS.oCOIQ2EEfg57uRuwttP.',

        shell => '/bin/bash',

        home => '/home/test',

        managehome => true,

}

EOF

cat >>/etc/puppet/manifests/site.pp <<'EOF'

import 'user.pp'

EOF

提示:password的值必需是hash过的，如/etc/shadow中的password段

4.计划任务

cat >>/etc/puppet/manifests/cron.pp <<'EOF'

cron { 'ntpdate':

        command=>'/usr/sbin/ntpdate pool.ntp.org',

        user => 'root',

        minute => '*/5',

}

EOF

cat >>/etc/puppet/manifests/site.pp <<'EOF'

import 'cron.pp'

EOF

5.exec & file(dir)

http://puppet.wikidot.com/file

cat >>/etc/puppet/manifests/exec.pp <<'EOF'

$PATH=['/bin','/sbin','/usr/bin','/usr/sbin','/usr/local/bin','usr/local/sbin']

file {'/root/test.sh':

        content => 'echo "hello word">/tmp/test_puppet.txt',

        mode => 0755,

}

file {'/var/www/html/dedemcs':

        source => 'puppet:///modules/lamp/dedecms',

        recurse => true,

        owner => 'apache',

        group => 'apache',

}

exec { '/root/test.sh':

        cwd => '/root',        

        user => 'root',

        path => $PATH,

}

EOF

cat >>/etc/puppet/manifests/site.pp <<'EOF'

import 'exec.pp'

EOF

感觉puppet同步目录的效率不尽人意，可以考虑rsync

[root@node6 ~]# ls -ld /var/www/html/dedemcs/

drwxr-xr-x. 14 apache apache 4096 10月 23 20:46 /var/www/html/dedemcs/

6.类和子类

i.定义类

mkdir -p /etc/puppet/modules/lamp/{manifests,files}

cat >>/etc/puppet/modules/lamp/manifests/init.pp <<'EOF'

class lamp::mariadb {

        $mariadb_packages = ['mariadb-server','mariadb']

        package {$mariadb_packages:ensure => installed}

        service {'mariadb': ensure => 'running',enable => true}

}

class lamp::php {

        $php_packages = ['php','php-mysql','php-gd','php-mbstring']

        package {$php_packages:ensure => installed}

}

class lamp::httpd {

        package {'httpd': ensure => installed}

        file {'/etc/httpd/conf/httpd.conf': source => 'puppet:///modules/lamp/httpd.conf',notify => Service[httpd]}

        file {'/var/www/html/index.html': source => 'puppet:///modules/lamp/index.html'}

        service {'httpd': ensure=>'running',enable => true}

        Package['httpd']->File['/etc/httpd/conf/httpd.conf']~>Service['httpd']

        Package['httpd']~>Service['httpd']

}

class lamp::mariadb-sub inherits lamp::mariadb {

        $PATH=['/bin','/sbin','/usr/bin','/usr/sbin','/usr/local/bin','usr/local/sbin']

        exec {'mariadb-test':

                command => 'mysql -uroot -e "DROP DATABASE IF EXISTS test;"',

                user => 'root',

                path => $PATH,

        }

}

EOF

ii.引用类

cat >>/etc/puppet/manifests/node6.pp <<'EOF'

node 'node6.example.com' {

        include lamp::mariadb-sub

        include lamp::php

        include lamp::httpd

}

EOF

cat >>/etc/puppet/manifests/site.pp <<'EOF'

import 'node6.pp'

EOF

说明:class名默认为/etc/puppet/modules下面的目录名，如上，我定义了一个叫lamp的class

首先需要在/etc/puppet/modules下创建lamp/{maniffests,files}目录

再定义class内容/etc/puppet/modules/lamp/manifests/init.pp, init.pp名字也是默认的，引用类时只需要include对应类的名字即可。这里定义了3个父类一个子类，是否有意义暂且不谈，这里只描述下子类继承的概念。

notify => Service[httpd] 参数可以通知puppet agent，当服务配置发生变更时自动重载对应服务，非常实用。

[root@node6 ~]# puppet agent -t

Info: Retrieving pluginfacts

Info: Retrieving plugin

Info: Loading facts

Info: Caching catalog for node6.example.com

Info: Applying configuration version '1477223265'

Notice: /Stage[main]/Main/Exec[/root/test.sh]/returns: executed successfully

Notice: /Stage[main]/Lamp::Mariadb-sub/Exec[mariadb-test]/returns: executed successfully

Notice: Finished catalog run in 0.37 seconds

7.定义

http://puppet.wikidot.com/intro

补充

安装模块

puppet module install puppetlabs-apache

[root@node5 manifests]# puppet module install puppetlabs-apache

Notice: Preparing to install into /etc/puppet/modules ...

Notice: Downloading from https://forgeapi.puppetlabs.com ...

Notice: Installing -- do not interrupt ...

/etc/puppet/modules

└─┬ puppetlabs-apache (v1.10.0)

  ├── puppetlabs-concat (v2.2.0)

  └── puppetlabs-stdlib (v4.13.1)

三.WebUI

以foreman为例:

请参看Foreman安装配置

另puppetdashboard，见

http://puppet.wikidot.com/puppetdashboard