Jusene's Blog

Puppet configuration language, part 3

Word count: 1.8k  Reading time: 9 min
2017/09/11

Puppet

The fastest way to learn Puppet's configuration syntax is to test on a single machine, but in the end we need Puppet to work in its master-agent setup, so below we try master-agent mode.

agent: by default, every 30 minutes it sends its node name and facts to the master and requests a catalog.
master: verifies the client's identity, finds the site manifest that applies to the requesting node, compiles a catalog from it, and sends the catalog to the client.

Master and agent communicate over HTTPS with mutual certificate authentication (Puppet 3 uses an HTTPS REST API; the XML-RPC interface of older releases is gone), and the master listens on tcp/8140.

Puppet configuration

Main configuration file: /etc/puppet/puppet.conf

Oddly, this file contains very little. The effective settings, defaults included, can be printed with `puppet config print`, and a setting can be changed with `puppet config set NAME VALUE` (`--section SECTION` chooses the section; without it the setting lands in [main]). All of these settings can of course be written into the configuration file, so let's look at that first. The file is INI style and has three main sections:

  • [main]: settings that apply globally
  • [master]: settings used only in puppet master mode
  • [agent]: settings used only in puppet agent mode

We can generate the full list of options with:

  • `puppet master --genconfig` to print the master's configuration options
  • `puppet agent --genconfig` to print the agent's configuration options

These listings serve as a reference when editing /etc/puppet/puppet.conf.

We can also get the configuration documentation through `puppet doc`:

```
~]# puppet doc --list
configuration - A reference for all settings
function - All functions available in the parser
indirection - Indirection types and their terminus classes
metaparameter - All Puppet metaparameters and all their details
providers - Which providers are valid for this machine
report - All available transaction reports
type - All Puppet resource types and all their details
~]# puppet doc -r configuration    # describes every option of the configuration file in detail
```

That said, Puppet's default configuration is already enough for master-agent mode to work.
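For reference, this is where the settings used in the rest of this post would live if they were written down instead of passed on the command line. It is an added example, not the puppet.conf from the original post; the host names follow the transcripts below (init.localdomain is the master, node2.localdomain the agent), the log/run/ssl paths match the ones the transcripts show, and the other values are the Puppet 3 defaults spelled out explicitly.

```ini
# /etc/puppet/puppet.conf (Puppet 3.x layout); added example, not the file
# from the original post. One file per host: certname is the host's own FQDN.
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    # keys and certificates go under /var/lib/puppet/ssl, the paths seen in the
    # transcripts below
    ssldir = $vardir/ssl
    # this host's identity; its certificate is issued to this name
    # (init.localdomain on the master, node2.localdomain on the agent)
    certname = init.localdomain

[master]
    # additional names the master's certificate carries; must be set before the
    # first `puppet master` run, which is when the certificate is generated
    dns_alt_names = init.localdomain,puppet,puppet.localdomain
    # keep signing manual: every request goes through `puppet cert list` and
    # `puppet cert sign`, as done below
    autosign = false

[agent]
    # replaces the --server=init.localdomain flag typed on every agent run below
    server = init.localdomain
    # how often the agent checks in; 30m is the default mentioned above
    runinterval = 30m
```

With `server` set under [agent], the `puppet agent --server=init.localdomain` invocations below shrink to `puppet agent --no-daemonize -v`, and the service started at the end of the walkthrough picks up the same value.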

Configuring puppet master/agent

master: 10.211.55.6
agent: 10.211.55.43

Because master and agent talk over HTTPS and the certificates are issued to host names, the setup depends heavily on FQDNs: both hosts must resolve each other's names (here init.localdomain for the master and node2.localdomain for the agent), so write the mappings into /etc/hosts if DNS does not provide them.

Create the CA and the master's own certificate: master

The first foreground run of `puppet master` creates the CA (key, self-signed certificate and CRL under /var/lib/puppet/ssl/ca) and then issues the master's own certificate from it. That CA key is the root of trust for every agent, so keep the directory readable by the puppet user only. Stop the foreground process (Ctrl-C) before starting the service, otherwise port 8140 is already taken; the service is still `disabled` in the status output, so `systemctl enable puppetmaster` is needed for it to survive a reboot.

```
~]# puppet master --no-daemonize -v
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 3C:3E:F1:19:C7:D1:7A:9A:69:CB:47:FD:82:34:F7:2C:1B:2B:CB:AC:4B:71:12:C1:EF:53:DB:2D:9F:78:86:98
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for init.localdomain
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for init.localdomain
Info: Certificate Request fingerprint (SHA256): 95:D9:11:CF:A5:5A:26:AA:E8:28:CF:5B:26:13:69:F3:15:DA:A7:DC:45:B0:9B:67:E0:3E:BF:38:84:C2:39:2C
Notice: init.localdomain has a waiting certificate request
Notice: Signed certificate request for init.localdomain
Notice: Removing file Puppet::SSL::CertificateRequest init.localdomain at '/var/lib/puppet/ssl/ca/requests/init.localdomain.pem'
Notice: Removing file Puppet::SSL::CertificateRequest init.localdomain at '/var/lib/puppet/ssl/certificate_requests/init.localdomain.pem'
Notice: Starting Puppet master version 3.8.7

~]# systemctl start puppetmaster
~]# systemctl status puppetmaster
● puppetmaster.service - Puppet master
   Loaded: loaded (/usr/lib/systemd/system/puppetmaster.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-09-11 10:25:44 EDT; 6s ago
 Main PID: 11846 (puppet)
   CGroup: /system.slice/puppetmaster.service
           └─11846 /usr/bin/ruby /usr/bin/puppet master --no-daemonize

Sep 11 10:25:44 INIT systemd[1]: Started Puppet master.
Sep 11 10:25:44 INIT systemd[1]: Starting Puppet master...
Sep 11 10:25:45 INIT puppet[11846]: Notice: Starting Puppet master version 3.8.7
```

Generate a certificate signing request: agent

On its first run the agent generates a key, fetches and caches the master's CA certificate, and submits a CSR. Note the CSR fingerprint it prints (F0:4C:…): that is the value to compare against on the master before signing.

```
~]# puppet agent --server=init.localdomain --no-daemonize -v
Info: Creating a new SSL key for node2.localdomain
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node2.localdomain
Info: Certificate Request fingerprint (SHA256): F0:4C:4F:A5:E4:38:89:88:A1:CF:96:C1:D0:F8:94:2A:35:7F:2C:B8:93:2F:E0:FF:A9:10:30:65:90:55:DF:31
Info: Caching certificate for ca
```

Sign the certificate: master

`puppet cert list` shows the pending requests with the fingerprint of each CSR. The only evidence the CA has of who submitted a request is that fingerprint, so compare it with the one the agent printed before signing; here both read F0:4C:…. After signing, `puppet cert list --all` shows the fingerprint of the issued certificate (F6:A3:… for node2), which is naturally different from the CSR fingerprint because it hashes a different object.

```
~]# puppet cert list
  "node2.localdomain" (SHA256) F0:4C:4F:A5:E4:38:89:88:A1:CF:96:C1:D0:F8:94:2A:35:7F:2C:B8:93:2F:E0:FF:A9:10:30:65:90:55:DF:31
~]# puppet cert sign node2.localdomain
Notice: Signed certificate request for node2.localdomain
Notice: Removing file Puppet::SSL::CertificateRequest node2.localdomain at '/var/lib/puppet/ssl/ca/requests/node2.localdomain.pem'
~]# puppet cert list --all
+ "init.localdomain"  (SHA256) 0F:F0:7D:D4:6C:0E:5A:F8:89:87:11:75:2F:F5:76:EB:69:6C:A9:CA:45:9E:CF:E3:E9:42:9F:18:83:4F:16:70 (alt names: "DNS:INIT.localdomain", "DNS:init.localdomain", "DNS:puppet", "DNS:puppet.localdomain")
+ "node2.localdomain" (SHA256) F6:A3:95:01:B4:95:96:C9:36:B3:80:ED:A1:CF:3A:D5:5F:74:96:3B:5E:46:5F:5F:16:D0:F2:39:4F:F8:21:E6
```
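The fingerprint comparison above is easy to skip when done by eye. The script below, an added example and not part of the original post, automates it for the master side: it takes the fingerprint the agent printed (carried over by hand or another out-of-band channel), looks up the node's pending request in the text `puppet cert list` prints, and only signs when the two agree. The `puppet cert list` sample embedded in the script is constructed from the listing above plus a made-up second request; `SIGN_CMD` defaults to a dry run so the script can be exercised away from a master.

```sh
#!/bin/sh
# Added example, not from the original post: refuse to sign a CSR whose
# fingerprint differs from the one the agent printed on its first run.

# Constructed sample of `puppet cert list` output: node2 is the real request
# from the post, rogue.localdomain is a made-up second pending request.
SAMPLE_CERT_LIST='  "node2.localdomain" (SHA256) F0:4C:4F:A5:E4:38:89:88:A1:CF:96:C1:D0:F8:94:2A:35:7F:2C:B8:93:2F:E0:FF:A9:10:30:65:90:55:DF:31
  "rogue.localdomain" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# csr_fingerprint LISTING NODE
# Prints the SHA256 fingerprint of NODE's *pending* request and fails when
# there is none. Signed ("+") and revoked ("-") entries from
# `puppet cert list --all` carry a marker in the first field, so they never match.
csr_fingerprint() {
    printf '%s\n' "$1" | awk -v node="\"$2\"" '
        $1 == node && $2 == "(SHA256)" { print $3; found = 1 }
        END { exit !found }'
}

# fingerprint_matches A B
# Succeeds when A and B denote the same digest, ignoring case and colons, so a
# fingerprint copied without separators still compares correctly.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# sign_if_verified LISTING NODE EXPECTED_FP
# Runs "$SIGN_CMD NODE" and returns 0 only when the pending CSR matches
# EXPECTED_FP; returns 1 on mismatch and 2 when no request is pending.
SIGN_CMD="${SIGN_CMD:-echo would run: puppet cert sign}"
sign_if_verified() {
    actual=$(csr_fingerprint "$1" "$2") || {
        echo "no pending certificate request for $2" >&2
        return 2
    }
    if fingerprint_matches "$actual" "$3"; then
        $SIGN_CMD "$2"
        return 0
    fi
    echo "REFUSING to sign $2: CSR fingerprint $actual, agent reported $3" >&2
    return 1
}

# On a real master: SIGN_CMD="puppet cert sign" and the listing comes from
# `puppet cert list`; here the constructed sample stands in for it.
sign_if_verified "$SAMPLE_CERT_LIST" node2.localdomain \
    "F0:4C:4F:A5:E4:38:89:88:A1:CF:96:C1:D0:F8:94:2A:35:7F:2C:B8:93:2F:E0:FF:A9:10:30:65:90:55:DF:31"
```

The same idea applies in reverse on the agent: the `Caching certificate for ca` line in the agent output means the agent accepted the master's CA certificate on first contact with no prior trust, so on a network you do not fully control, compare the fingerprint of the cached /var/lib/puppet/ssl/certs/ca.pem with the master's copy before relying on it.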

Connect to the master again: agent

With the certificate signed, the agent caches its own certificate and the CA's revocation list and completes a catalog run. The `Unable to fetch my node definition` warning appears because the master has no site manifest yet; it is gone in the run after site.pp is written below, so it can be ignored at this point.

```
~]# puppet agent --server=init.localdomain --no-daemonize -v
Info: Caching certificate for node2.localdomain
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for node2.localdomain
Notice: Starting Puppet client version 3.8.7
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: undefined method `include?' for nil:NilClass
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node2.localdomain
Info: Applying configuration version '1505141658'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.01 seconds
~]# systemctl start puppetagent
```

Configuring the site manifest

Write the manifest on the master so the agent can fetch its configuration.

Check the installed modules first:

```
~]# puppet module list
/etc/puppet/modules (no modules installed)
/usr/share/puppet/modules (no modules installed)
```

There are two ways to get modules:

  • `puppet module install`: download modules others have published to the Puppet Forge (not used in this post)
  • write your own: build a module around your own requirements

Here we write our own:

Check the module path:

```
~]# puppet config print | grep modulepath
basemodulepath = /etc/puppet/modules:/usr/share/puppet/modules
modulepath = /etc/puppet/modules:/usr/share/puppet/modules
```

Create the module skeleton and its main class:

```
~]# mkdir -pv /etc/puppet/modules/webserver/{manifests,files,templates,tests,lib,spec}
~]# cd /etc/puppet/modules/webserver/manifests
~]# touch init.pp
~]# cat init.pp
class webserver {
  # 'latest' re-installs whenever the repository publishes a newer nginx;
  # pin a version or use 'installed' if unreviewed upgrades are not wanted
  package { 'nginx-server':
    name   => 'nginx',
    ensure => latest,
  } ->
  # the template is rendered on the master with the agent's facts
  file { 'nginx.conf':
    content => template('webserver/nginx.conf.erb'),
    path    => '/etc/nginx/nginx.conf',
    ensure  => file,
    backup  => '.puppet.bak',
  }
  service { 'nginx':
    ensure     => running,
    enable     => true,
    # a changed config file triggers the restart command below
    subscribe  => File['nginx.conf'],
    hasstatus  => true,
    hasrestart => true,
    restart    => 'systemctl reload nginx',
    path       => ['/usr/bin', '/usr/sbin'],
    require    => [Package['nginx-server'], File['nginx.conf']],
  }
}
```

The template is the stock nginx.conf with `worker_processes` taken from the `processorcount` fact (the original file pointed the 404 handler at `/40x.html`, which is corrected to `/404.html` here):

```
~]# cat /etc/puppet/modules/webserver/templates/nginx.conf.erb
user nginx;
worker_processes <%= @processorcount %>;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include             /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}
```

Finally the node definition and the site manifest that pulls it in. `import` still works in Puppet 3.8 but is deprecated there and removed in Puppet 4, where the `manifest` setting points at a directory whose .pp files are all loaded:

```
~]# mkdir -pv /etc/puppet/manifests/WEB-server
~]# cat /etc/puppet/manifests/WEB-server/nginx.pp
node "node2.localdomain" {
  include webserver
}
~]# cat /etc/puppet/manifests/site.pp
import "WEB-server/*.pp"
```

Agent test:

```
~]# puppet agent --server=init.localdomain --no-daemonize -v
Notice: Starting Puppet client version 3.8.7
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node2.localdomain
Info: Applying configuration version '1505146109'
Notice: /Stage[main]/Webserver/Package[nginx-server]/ensure: created
Notice: /Stage[main]/Webserver/File[nginx.conf]/content: content changed '{md5}93bc8e01bfd45e7e18b23acc178ae25b' to '{md5}d59259148b6776a7c7b6e54106672722'
Info: /Stage[main]/Webserver/File[nginx.conf]: Scheduling refresh of Service[nginx]
Notice: /Stage[main]/Webserver/Service[nginx]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Webserver/Service[nginx]: Unscheduling refresh on Service[nginx]
Notice: Finished catalog run in 0.74
~]# systemctl start puppetagent
```

With that, the master-agent based service is working.

Node management:
Ways to define nodes in site.pp

  • (1) Give the definition directly under the host name:

    ```
    node 'NODE_NAME' {
    ... puppet code ...
    }
    ```
  • (2) Name hosts with similar roles in a uniform pattern up front and match them with a regular expression. The match is against the certname the agent presents and is a substring match, so anchor the pattern at both ends; without the trailing `$`, a certname such as `web1.jusene.com.example` would also match:

    ```
    node /^web\d+\.jusene\.com$/ {
    ... puppet code ...
    }
    ```

Node inheritance (deprecated late in the Puppet 3.x series and removed in Puppet 4; shared classes are the replacement):

```
node basenode {
  include ntp
}

node 'NODE_NAME' inherits basenode {
  include CLASS_NAME
}
```

Splitting node definitions across files:

```
/etc/puppet/manifests/
    site.pp
        import "web/*.pp"
        import "db/*.pp"
    web/
        proxy.pp
        web.pp
    db/
        mysql.pp
        sqlite.pp
```