Puppet
Learning Puppet's configuration syntax is fastest on a single machine, but in the end we need to work with Puppet's master-agent model, so let's try running in master-agent mode.
agent: by default, every 30 minutes it sends its node name and facts to the master and requests a catalog.
master: authenticates the client, looks up the site manifest relevant to the requesting node, compiles it into a catalog and sends the catalog to the client.
Puppet's master-agent mode works over HTTPS-based SSL XML-RPC; the master listens on port tcp/8140.
Puppet configuration
Main configuration file: /etc/puppet/puppet.conf
Oddly, this file contains very little. We can print Puppet's current effective configuration with `puppet config print`, and change a setting with `puppet config set NAME VALUE`. All of these settings can also be written into the configuration file, so let's look at the configuration file first. It is INI-style and is divided into three main sections:
- [main]: global settings shared by all modes
- [master]: settings used only in puppet master mode
- [agent]: settings used only in puppet agent mode
We can generate the full list of options for each mode with:
```
puppet master --genconfig    # generates the master's configuration options
puppet agent --genconfig     # generates the agent's configuration options
```
These options serve as a reference when configuring /etc/puppet/puppet.conf.
We can also get the configuration documentation from puppet itself:
```
~]# puppet doc --list
configuration - A reference for all settings
function - All functions available in the parser
indirection - Indirection types and their terminus classes
metaparameter - All Puppet metaparameters and all their details
providers - Which providers are valid for this machine
report - All available transaction reports
type - All Puppet resource types and all their details
~]# puppet doc -r configuration    # this document describes every option of the configuration file in detail
```
That said, Puppet's default configuration is already enough for master-agent mode to work.
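As an added example (not from the original post), the following shell function resolves a setting the way Puppet's run modes read puppet.conf: the value in the mode's own section ([agent] or [master]) wins over the same key in [main], and the other mode's section is ignored. The puppet.conf text is constructed for this demo; the setting names are real Puppet settings and the hostnames are the ones used in this post.

```shell
#!/bin/sh
# Added example, not code from the original post: resolve the effective value
# of a puppet.conf setting for a given run mode. Section-specific value wins,
# otherwise fall back to [main]; a key found in neither prints nothing
# (Puppet would then use its compiled-in default, which this demo does not know).

# Constructed puppet.conf for the demo (hostnames taken from this post).
SAMPLE_CONF='
[main]
    server = init.localdomain
    logdir = /var/log/puppet
    runinterval = 30m
[master]
    certname = init.localdomain
    dns_alt_names = init.localdomain,puppet,puppet.localdomain
[agent]
    runinterval = 10m
    report = true
'

# puppet_setting SECTION KEY : print KEY as seen by the run mode using SECTION
puppet_setting() {
    section="$1"; key="$2"
    printf '%s\n' "$SAMPLE_CONF" | awk -v want="$section" -v key="$key" '
        /^[ \t]*\[.*\][ \t]*$/ {                 # [section] header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        index($0, "=") == 0 { next }             # not a key = value line
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sec == want) specific = v        # the mode'"'"'s own section
            else if (sec == "main") fallback = v # shared [main] value
        }
        END {
            if (specific != "") print specific
            else if (fallback != "") print fallback
        }'
}

# Demo: the agent sees its own override, the master falls back to [main].
printf 'agent  runinterval = %s\n'  "$(puppet_setting agent runinterval)"
printf 'master runinterval = %s\n'  "$(puppet_setting master runinterval)"
printf 'agent  server      = %s\n'  "$(puppet_setting agent server)"
```

`puppet config print` on the page remains the authoritative check, because it also knows the compiled-in defaults for keys that appear in no section; the function above only models the precedence between the sections.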
Configuring puppet master/agent
master: 10.211.55.6
agent: 10.211.55.43
Because master-agent runs over HTTPS, it depends heavily on FQDNs, so write the name-to-address mappings into /etc/hosts first.
Generate the CA and a self-signed certificate: master
```
~]# puppet master --no-daemonize -v
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 3C:3E:F1:19:C7:D1:7A:9A:69:CB:47:FD:82:34:F7:2C:1B:2B:CB:AC:4B:71:12:C1:EF:53:DB:2D:9F:78:86:98
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for init.localdomain
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for init.localdomain
Info: Certificate Request fingerprint (SHA256): 95:D9:11:CF:A5:5A:26:AA:E8:28:CF:5B:26:13:69:F3:15:DA:A7:DC:45:B0:9B:67:E0:3E:BF:38:84:C2:39:2C
Notice: init.localdomain has a waiting certificate request
Notice: Signed certificate request for init.localdomain
Notice: Removing file Puppet::SSL::CertificateRequest init.localdomain at '/var/lib/puppet/ssl/ca/requests/init.localdomain.pem'
Notice: Removing file Puppet::SSL::CertificateRequest init.localdomain at '/var/lib/puppet/ssl/certificate_requests/init.localdomain.pem'
Notice: Starting Puppet master version 3.8.7

~]# systemctl start puppetmaster
~]# systemctl status puppetmaster
● puppetmaster.service - Puppet master
   Loaded: loaded (/usr/lib/systemd/system/puppetmaster.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-09-11 10:25:44 EDT; 6s ago
 Main PID: 11846 (puppet)
   CGroup: /system.slice/puppetmaster.service
           └─11846 /usr/bin/ruby /usr/bin/puppet master --no-daemonize

Sep 11 10:25:44 INIT systemd[1]: Started Puppet master.
Sep 11 10:25:44 INIT systemd[1]: Starting Puppet master...
Sep 11 10:25:45 INIT puppet[11846]: Notice: Starting Puppet master version 3.8.7
```
Generate a certificate signing request: agent
```
~]# puppet agent --server=init.localdomain --no-daemonize -v
Info: Creating a new SSL key for node2.localdomain
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node2.localdomain
Info: Certificate Request fingerprint (SHA256): F0:4C:4F:A5:E4:38:89:88:A1:CF:96:C1:D0:F8:94:2A:35:7F:2C:B8:93:2F:E0:FF:A9:10:30:65:90:55:DF:31
Info: Caching certificate for ca
```
Sign the certificate: master
```
~]# puppet cert list
  "node2.localdomain" (SHA256) F0:4C:4F:A5:E4:38:89:88:A1:CF:96:C1:D0:F8:94:2A:35:7F:2C:B8:93:2F:E0:FF:A9:10:30:65:90:55:DF:31
~]# puppet cert sign node2.localdomain
Notice: Signed certificate request for node2.localdomain
Notice: Removing file Puppet::SSL::CertificateRequest node2.localdomain at '/var/lib/puppet/ssl/ca/requests/node2.localdomain.pem'
~]# puppet cert list --all
+ "init.localdomain" (SHA256) 0F:F0:7D:D4:6C:0E:5A:F8:89:87:11:75:2F:F5:76:EB:69:6C:A9:CA:45:9E:CF:E3:E9:42:9F:18:83:4F:16:70 (alt names: "DNS:INIT.localdomain", "DNS:init.localdomain", "DNS:puppet", "DNS:puppet.localdomain")
+ "node2.localdomain" (SHA256) F6:A3:95:01:B4:95:96:C9:36:B3:80:ED:A1:CF:3A:D5:5F:74:96:3B:5E:46:5F:5F:16:D0:F2:39:4F:F8:21:E6
```
Connect to the master again: agent
```
~]# puppet agent --server=init.localdomain --no-daemonize -v
Info: Caching certificate for node2.localdomain
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for node2.localdomain
Notice: Starting Puppet client version 3.8.7
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: undefined method `include?' for nil:NilClass
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node2.localdomain
Info: Applying configuration version '1505141658'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.01 seconds
~]# systemctl start puppetagent
```
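The signing step above is where the master decides which hosts it will trust: whatever `puppet cert sign` approves becomes a valid agent identity. The fingerprint the agent printed when it created its CSR (F0:4C:...:31) is the same value `puppet cert list` shows on the master, so the two can be compared before signing. As an added example (not from the original post), the shell functions below do that comparison on constructed copies of the two outputs; a second pending request, "node3.localdomain" with a made-up fingerprint, is added to show the mismatch case.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the CSR fingerprint
# the agent reported with the pending request the master lists, and only treat
# the request as safe to sign when they are identical.

# Constructed from the agent's first-run output shown in this post.
AGENT_OUTPUT='Info: Creating a new SSL certificate request for node2.localdomain
Info: Certificate Request fingerprint (SHA256): F0:4C:4F:A5:E4:38:89:88:A1:CF:96:C1:D0:F8:94:2A:35:7F:2C:B8:93:2F:E0:FF:A9:10:30:65:90:55:DF:31
Info: Caching certificate for ca'

# Constructed `puppet cert list` output on the master; node3 and its
# fingerprint are invented for the demo.
MASTER_LIST='  "node2.localdomain" (SHA256) F0:4C:4F:A5:E4:38:89:88:A1:CF:96:C1:D0:F8:94:2A:35:7F:2C:B8:93:2F:E0:FF:A9:10:30:65:90:55:DF:31
  "node3.localdomain" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# agent_csr_fingerprint AGENT_LOG : the fingerprint the agent printed for its CSR
agent_csr_fingerprint() {
    printf '%s\n' "$1" \
        | sed -n 's/^Info: Certificate Request fingerprint (SHA256): //p' \
        | head -n 1
}

# pending_fingerprint LIST NAME : fingerprint of NAME's pending request.
# Pending entries carry no prefix; signed (+) or revoked (-) ones are skipped.
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v name="\"$2\"" '$1 == name { print $3 }'
}

# check_csr LIST NAME EXPECTED : succeed only if NAME has a pending request
# whose fingerprint equals EXPECTED
check_csr() {
    actual="$(pending_fingerprint "$1" "$2")"
    [ -n "$actual" ] && [ "$actual" = "$3" ]
}

# Demo: decide for node2.localdomain.
fp="$(agent_csr_fingerprint "$AGENT_OUTPUT")"
if check_csr "$MASTER_LIST" node2.localdomain "$fp"; then
    printf '%s: fingerprint matches, safe to run: puppet cert sign %s\n' node2.localdomain node2.localdomain
else
    printf '%s: fingerprint mismatch or no pending request, do not sign\n' node2.localdomain
fi
```

In practice the agent-side fingerprint is read from the agent's console or log (out of band, not over the same channel the request arrived on); the functions only need the two strings, so they can be fed real output with the constructed variables replaced.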
Configuring the site manifest
Configure the manifest on the master so the agent can fetch its configuration.
```
# list the installed modules
~]# puppet module list
/etc/puppet/modules (no modules installed)
/usr/share/puppet/modules (no modules installed)
```
There are two ways to get modules:
- puppet module install: downloads modules that others have uploaded to Puppet Forge, but this is rarely how it is done
- write your own: write the modules your own business needs
Here we write our own:
```
# check the module path
~]# puppet config print | grep modulepath
basemodulepath = /etc/puppet/modules:/usr/share/puppet/modules
modulepath = /etc/puppet/modules:/usr/share/puppet/modules
```
```
~]# mkdir -pv /etc/puppet/modules/webserver/{manifests,files,templates,tests,lib,spec}
~]# cd /etc/puppet/modules/webserver/manifests
~]# touch init.pp
~]# cat init.pp
class webserver {
    package {'nginx-server':
        name   => 'nginx',
        ensure => latest
    } ->
    file {'nginx.conf':
        content => template("webserver/nginx.conf.erb"),
        path    => "/etc/nginx/nginx.conf",
        ensure  => file,
        backup  => '.puppet.bak'
    }
    service {'nginx':
        ensure     => running,
        enable     => true,
        subscribe  => File['nginx.conf'],
        hasstatus  => true,
        hasrestart => true,
        restart    => "systemctl reload nginx",
        path       => ['/usr/bin','/usr/sbin'],
        require    => [Package['nginx-server'],File['nginx.conf']]
    }

}
~]# cat /etc/puppet/modules/webserver/templates/nginx.conf.erb
user nginx;
worker_processes <%= @processorcount %>;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;


    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /usr/share/nginx/html;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
~]# mkdir -pv /etc/puppet/manifests/WEB-server
~]# cat /etc/puppet/manifests/WEB-server/nginx.pp
node "node2.localdomain" {
    include webserver
}
~]# cat /etc/puppet/manifests/site.pp
import "WEB-server/*.pp"
```
Test on the agent:
```
~]# puppet agent --server=init.localdomain --no-daemonize -v
Notice: Starting Puppet client version 3.8.7
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node2.localdomain
Info: Applying configuration version '1505146109'
Notice: /Stage[main]/Webserver/Package[nginx-server]/ensure: created
Notice: /Stage[main]/Webserver/File[nginx.conf]/content: content changed '{md5}93bc8e01bfd45e7e18b23acc178ae25b' to '{md5}d59259148b6776a7c7b6e54106672722'
Info: /Stage[main]/Webserver/File[nginx.conf]: Scheduling refresh of Service[nginx]
Notice: /Stage[main]/Webserver/Service[nginx]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Webserver/Service[nginx]: Unscheduling refresh on Service[nginx]
Notice: Finished catalog run in 0.74
~]# systemctl start puppetagent
```
With this, the master-agent based service works as intended.
Node management:
Ways to define nodes in site.pp
(1) Give the definition directly by hostname:
```
node 'NODE_NAME' {
    ... puppet code ...
}
```
(2) Name hosts with similar roles in a uniform format beforehand, then match them with a regular expression:
```
node /^web\d+\.jusene\.com/ {
    ... puppet code ...
}
```
Node inheritance (a node definition inherits everything the base node includes):
```
node basenode {
    include ntp
}

node 'node2.localdomain' inherits basenode {
    include webserver
}
```
Splitting node definitions across files:
```
/etc/puppet/manifests/
├── site.pp
│       import "web/*.pp"
│       import "db/*.pp"
├── web
│   ├── proxy.pp
│   └── web.pp
└── db
    ├── mysql.pp
    └── sqlite.pp
```
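As an added example (not part of the original post), the shell function below shows which node definition a given certname would select, in the precedence Puppet 3 documents: an exact name match first, then the first matching regex, then `default`. The node list is constructed for the demo and is written in manifest order; Ruby's `\d` is rewritten to the ERE class `[0-9]` so that grep can evaluate the pattern. Puppet's additional lookup of shortened names (when `strict_hostname_checking` is off) is not modelled. The name being matched is the certname the CA signed, so the set of hosts that can claim a node block is bounded by which requests the master signs; within that set, an unanchored pattern such as the post's `/^web\d+\.jusene\.com/` also matches longer names, which is why the web pattern below carries a closing `$` while the db pattern is left unanchored for contrast.

```shell
#!/bin/sh
# Added example, not code from the original post: emulate Puppet 3's node
# selection order (exact name, first matching regex, then `default`) over a
# constructed list of node definitions.

# Constructed node definitions in manifest order: a plain name, two regexes
# (one anchored at both ends, one only at the start) and the default node.
NODE_DEFS='node2.localdomain
/^web\d+\.jusene\.com$/
/^db\d+\.jusene\.com/
default'

# match_node CERTNAME : print the node definition Puppet would select, or
# fail with a message when none applies.
match_node() {
    name="$1"

    # 1. exact name match
    printf '%s\n' "$NODE_DEFS" | grep -qxF -- "$name" \
        && { printf '%s\n' "$name"; return 0; }

    # 2. first regex (lines of the form /.../) that matches the certname
    hit=$(printf '%s\n' "$NODE_DEFS" | grep '^/.*/$' | while IFS= read -r def; do
        re=$(printf '%s' "$def" | sed -e 's|^/||' -e 's|/$||' -e 's/\\d/[0-9]/g')
        if printf '%s\n' "$name" | grep -Eq -- "$re"; then
            printf '%s\n' "$def"
            break
        fi
    done)
    [ -n "$hit" ] && { printf '%s\n' "$hit"; return 0; }

    # 3. the default node, if one is defined
    printf '%s\n' "$NODE_DEFS" | grep -qxF -- default \
        && { printf 'default\n'; return 0; }

    printf 'no node definition matches %s\n' "$name" >&2
    return 1
}

# Demo: the anchored web pattern rejects a longer name, the unanchored db
# pattern does not.
for n in node2.localdomain web1.jusene.com web1.jusene.com.example db1.jusene.com.example; do
    printf '%-28s -> %s\n' "$n" "$(match_node "$n")"
done
```

Feeding the function a name that the CA would never have signed (for example a hostname outside your domain) is a quick way to see which definitions a loose pattern would hand out if the signing step were ever done carelessly.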