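Puppet can manage configuration files, manage users, distribute files (small files recommended), manage cron jobs, manage clients by category, install software, manage services, schedule scripts, execute commands, and run scripts on target clients (provided the script already exists on the client).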
Operating system: debian wheezy 7.2_64bit, Linux localhost 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
Online-install versions: ruby 1.9.3 \ facter 1.6.10 \ puppet 2.7.23
Source-install versions: ruby-1.8.7-p374.tar.gz \ facter-1.7.4.tar.gz \
# apt-get install build-essential vim unzip ntpdate
(1) Server
# vim /etc/hostname // text highlighted in gray is file content
puppet.master.com
# vim /etc/hosts // when there is no DNS
192.168.24.8 puppet.master.com
192.168.24.14 web.agent1.com
192.168.24.15 dydg100.agent2.com
# apt-get install puppetmaster
(2) Client
# vim /etc/hostname
web.agent1.com
# vim /etc/hosts // when there is no DNS
192.168.24.8 puppet.master.com
192.168.24.14 web.agent1.com
# apt-get install puppet
# vim /etc/default/puppet
START=yes
(3) Version information
# ruby -v
ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-linux]
# whereis ruby
ruby: /usr/bin/ruby1.8 /usr/bin/ruby /usr/lib/ruby /usr/share/man/man1/ruby.1.gz
# facter -v
1.6.10
# whereis facter
facter: /usr/bin/facter /usr/share/man/man8/facter.8.gz
# puppet -V
2.7.23
# whereis puppet
puppet: /usr/bin/puppet /etc/puppet /usr/share/man/man8/puppet.8.gz
(1) Install openssl
# tar zxvf openssl-1.0.1.tar.gz
# cd openssl-1.0.1
# ./config -fPIC --prefix=/usr/local/openssl enable-shared
# make && make install
(2) Install Ruby
### Download page: http://cache.ruby-lang.org/pub/ruby/
# wget http://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p374.tar.gz
# tar zxvf ruby-1.8.7-p374.tar.gz
# cd ruby-1.8.7-p374
# ./configure
# make && make install
# cd ruby-1.8.7-p374/ext/openssl
# ruby extconf.rb --with-openssl-dir=/usr/local/openssl \
--with-openssl-include=/usr/local/openssl/include \
--with-openssl-lib=/usr/local/openssl/lib
# make && make install // otherwise installing puppet fails with: Could not load openssl; cannot install
# whereis ruby // ruby: /usr/local/bin/ruby /usr/local/lib/ruby
# ruby -v // ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]
# ruby -ropenssl -e "puts :yep" // printing yep means the OpenSSL library that Ruby depends on is working
### Note: Ruby Chinese-language site: https://www.ruby-lang.org/zh_cn/downloads/
(3) Install Facter
### Download page: http://puppetlabs.com/misc/download-options
# wget http://downloads.puppetlabs.com/facter/facter-1.7.4.tar.gz
# tar zxvf facter-1.7.4.tar.gz
# cd facter-1.7.4
# ruby install.rb
# whereis facter // facter: /usr/local/bin/facter
# facter -v // 1.7.4
(4) Install Puppet
### Download page: http://puppetlabs.com/misc/download-options
# wget http://downloads.puppetlabs.com/puppet/puppet-3.4.2.tar.gz
# tar zxvf puppet-3.4.2.tar.gz
# cd puppet-3.4.2
# ruby install.rb
1. puppet.conf
# vim /etc/puppet/puppet.conf
# The default configuration has not been modified for now
2. Start
# /etc/init.d/puppetmaster start
1. puppet.conf
# vim /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
server = puppet.master.com // set the server's hostname
2. puppet
// The following fixes the startup error: puppet not configured to start, please edit /etc/default/puppet to enable
# vim /etc/default/puppet
START=yes
3. Start the client
# /etc/init.d/puppet start
(1) The client sends a registration request
# puppet agent --test
(2) The server views the registration requests
# puppet cert list --all
(3) The server accepts the registration request
# puppet cert sign web.agent1.com
(4) The client confirms that registration succeeded
# puppet agent --test
info: Caching catalog for web.agent1.com
info: Applying configuration version '1392266761'
notice: Finished catalog run in 0.03 seconds
(5) Start the server and the client
### Client
# /etc/init.d/puppet stop
# rm -rf /var/lib/puppet
### Server
# puppet cert clean web.agent1.com // delete the client's certificate
# puppet cert list --all // the server views the registration requests
### Client
# puppetd --server puppet.master.com --test // regenerate the certificate
info: Caching catalog for web.agent1.com
info: Applying configuration version '1392265820'
notice: Finished catalog run in 0.03 seconds
### Server
# puppet cert list --all // list the requests of all clients (a + sign means the certificate has been signed and the client can communicate; no + sign means the certificate has not been signed yet)
"web.agent1.com" // no + sign: the certificate is not signed and must be certified again
# puppet cert sign web.agent1.com // accept the registration request and complete the certification
### Client
// Test whether everything works
# puppet agent --test --noop --server puppet.master.com
info: Caching catalog for web.agent1.com
info: Applying configuration version '1392266401'
notice: Finished catalog run in 0.03 seconds
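Added example, not part of the original post: before running puppet cert sign, list the requests that are still unsigned (no + sign) and flag any hostname that is not in a known inventory. The line layout assumed for puppet cert list --all, the sample lines, the shortened fingerprints and the inventory file are all constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `puppet cert list --all` output. Assumed layout:
# optional "+" flag, quoted hostname, fingerprint in parentheses.
sample_cert_list() {
cat <<'EOF'
+ "puppet.master.com" (AA:AA:AA:AA)
  "web.agent1.com" (BB:BB:BB:BB)
  "db.unknown.example" (CC:CC:CC:CC)
EOF
}

# pending_requests: read cert-list output on stdin and print
# "host fingerprint" for every entry that has no leading "+".
pending_requests() {
    awk '$1 != "+" && $1 ~ /^".*"$/ {
        host = $1; gsub(/"/, "", host)
        fp = $2;   gsub(/[()]/, "", fp)
        if (fp == "") fp = "-"
        print host, fp
    }'
}

# unexpected_requests INVENTORY: like pending_requests, but keep only the
# hosts that are NOT listed (one hostname per line) in the INVENTORY file.
unexpected_requests() {
    pending_requests | while read -r host fp; do
        grep -Fxq -- "$host" "$1" || printf '%s %s\n' "$host" "$fp"
    done
}

# On the master (inventory path is hypothetical):
#   puppet cert list --all | unexpected_requests /root/expected-agents.txt
```

The fingerprint printed for each pending host can be compared with the one the client itself reports before the request is signed.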
(1) On the server
# vim /etc/puppet/puppet.conf
[master]
autosign = /etc/puppet/autosign.conf
# vim /etc/puppet/autosign.conf
web.agent1.com
game.agent2.com
# puppet agent --test --noop --server puppet.master.com
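Added example, not part of the original post: a check that the autosign value in puppet.conf names a file that actually exists, that the file is not writable by group or others, and that it contains no wildcard entries. The function names and finding labels are made up for this example.

```shell
#!/bin/sh
# autosign_value PUPPET_CONF: print the value of the "autosign" setting
# (the last one wins if the key appears more than once).
autosign_value() {
    sed -n 's/^[[:space:]]*autosign[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# audit_autosign PUPPET_CONF: print one finding per line, nothing if clean.
audit_autosign() {
    value=$(autosign_value "$1")
    case $value in
        ""|false) return 0 ;;   # not set here, or autosigning disabled
        true) echo "SIGN-ALL autosign = true signs every request"; return 0 ;;
    esac
    if [ ! -f "$value" ]; then
        echo "MISSING $value named in $1 does not exist"
        return 0
    fi
    # Characters 6 and 9 of the ls mode string are group and other write.
    w=$(ls -ld "$value" | cut -c6,9)
    [ "$w" = "--" ] || echo "WRITABLE $value is writable by group or others"
    # Skip blank and comment lines; report entries that contain a glob,
    # since a glob gets every matching hostname signed unattended.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$value" |
    while IFS= read -r entry; do
        case $entry in
            *\**) echo "WILDCARD $entry" ;;
        esac
    done
}

# On the master:
#   audit_autosign /etc/puppet/puppet.conf
```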
# puppet -V 2.7.23
# tree puppet
puppet
├── auth.conf
├── etckeeper-commit-post
├── etckeeper-commit-pre
├── fileserver.conf
├── manifests
│   ├── modules.pp
│   ├── nodes
│   │   ├── gameapp
│   │   │   └── agent2.pp
│   │   ├── gamedb
│   │   │   └── agent1.pp
│   │   └── site.pp
│   └── site.pp
├── modules
│   └── users
│       ├── file
│       ├── manifests
│       │   ├── addgroup.pp
│       │   ├── adduser.pp
│       │   └── init.pp
│       └── templates
│           ├── laowafang_authorized_keys.erb
│           ├── dada_authorized_keys.erb
│           ├── zhiban1_authorized_keys.erb
│           └── zw_authorized_keys.erb
├── puppet.conf
└── templates
# cd /etc/puppet/modules
# mkdir -p users/{manifests,templates,files}
# touch users/manifests/init.pp
# touch users/manifests/addgroup.pp
# touch users/manifests/adduser.pp
(1) init.pp contents: the entry point, which must be created
# cat /etc/puppet/modules/users/manifests/init.pp
class users {
  include users
}
(2) addgroup.pp creates user groups, using a "define" as the resource container
# cat /etc/puppet/modules/users/manifests/addgroup.pp
define users::addgroup ($groupname='')
{
  include users
  group { $groupname:
    ensure => present,
  }
}
(3) adduser.pp creates users
# cat /etc/puppet/modules/users/manifests/adduser.pp
define users::adduser ($username='', $useruid='', $userhome='', $usershell='/bin/bash', $groupid)
{
  include users
  user { $username:
    ensure => present,
    uid    => $useruid,
    shell  => $usershell,
    gid    => $groupid,
    home   => "/home/$userhome",
  }
  file { "/home/$userhome":
    owner  => $useruid,
    group  => $useruid,
    mode   => 700,
    ensure => directory;
  }
  file { "/home/$userhome/.ssh":
    owner   => $useruid,
    group   => $useruid,
    mode    => 700,
    ensure  => directory,
    require => File["/home/$userhome"];
  }
  file { "/home/$userhome/.ssh/authorized_keys":
    owner   => $useruid,
    group   => $useruid,
    mode    => 600,
    ensure  => present,
    content => template("users/${userhome}_authorized_keys.erb"),
    require => File["/home/$userhome/.ssh"];
  }
}
(4) The *.erb files under templates are the SSH key files
1. Create the files needed for each node
# mkdir -p /etc/puppet/manifests/nodes/gamedb
# mkdir -p /etc/puppet/manifests/nodes/gameapp
# touch /etc/puppet/manifests/modules.pp
# touch /etc/puppet/manifests/site.pp
# touch /etc/puppet/manifests/nodes/site.pp
# touch /etc/puppet/manifests/nodes/gamedb/agent1.pp
# touch /etc/puppet/manifests/nodes/gameapp/agent2.pp
2. File contents
(1) modules.pp
# cat /etc/puppet/manifests/modules.pp
import "users"
(2) site.pp
# cat /etc/puppet/manifests/site.pp
import "nodes/site.pp"
import "modules.pp"
#user { 'zw': // the commented-out blocks were used to test deleting the users on all nodes
#  ensure => absent,
#}
#user { 'laowafang':
#  ensure => absent,
#}
(3) site.pp
# cat /etc/puppet/manifests/nodes/site.pp
import "gamedb/agent1.pp"
import "gameapp/agent2.pp"
(4) agent1.pp
# cat /etc/puppet/manifests/nodes/gamedb/agent1.pp
node "web.agent1.com" {
  include users
  users::addgroup { 'allgroup':
    groupname => [ 'yanfa', 'ywsa', 'ywdba', 'zhiban' ]
  }
  users::adduser { 'zw':
    username => 'zw',
    useruid  => 1000,
    userhome => 'zw',
    groupid  => 'ywsa',
  }
  users::adduser { 'laowafang':
    username => 'laowafang',
    useruid  => 1001,
    userhome => 'laowafang',
    groupid  => 'ywdba',
  }
}
(5) agent2.pp
# cat /etc/puppet/manifests/nodes/gameapp/agent2.pp
node "dydg100.agent2.com" {
  include users
  users::addgroup { 'allgroup':
    groupname => [ 'ywsa', 'ywdba', 'yanfa', 'zhiban' ]
  }
  users::adduser { 'zw':
    username => 'zw',
    useruid  => 1000,
    userhome => 'zw',
    groupid  => 'ywsa',
  }
  users::adduser { 'dada':
    username => 'dada',
    useruid  => 1001,
    userhome => 'dada',
    groupid  => 'yanfa',
  }
  users::adduser { 'zhiban1':
    username => 'zhiban1',
    useruid  => 1002,
    userhome => 'zhiban1',
    groupid  => 'zhiban',
  }
}
### Test on each of the two clients
# puppet agent --test --noop --server puppet.master.com // dry-run check
info: Caching catalog for web.agent1.com
info: Applying configuration version '1393300345'
…… (omitted)
notice: Finished catalog run in 0.10 seconds
# puppet agent --test --server puppet.master.com // actually create the users
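5. Common operations
# puppet parser validate adduser.pp // check the syntax
# puppet master --genconfig | grep modulepath // check the corresponding configuration path
# puppet module list // list the installed modules
### This is as far as I have learned so far. I have mainly worked out the software's directory structure and how a run flows; there are no detailed explanations here, it is basically all hands-on operations. You can look up other documentation separately. Recommended books: 劉宇's 《puppet實戰》 and 《精通puppet配置管理工具》, translated by 高永超. I will add the rest when I have time……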