Puppet is a configuration management tool. It is normally deployed in a client/server (C/S) layout with one server and many clients, so the topology is a star: every puppet client talks to one puppet server. Each client connects to the server at a fixed interval (every half hour by default, configurable), downloads the latest configuration, and applies it exactly as the configuration file specifies. After applying it, the client can report a message back to the server; if an error occurs, that is reported to the server as well. The following figure shows the data flow of a typical puppet configuration.
Stability: the biggest difference between puppet and other tools is that its configuration is stable, so puppet can be run repeatedly. Once you update the configuration file, puppet changes the state of your machine to match it, and keeps doing so every 30 minutes thereafter; puppet keeps the system state consistent with what the configuration requires. For instance, if your configuration file requires the ssh service to be running and someone accidentally stops it, the next puppet run detects the discrepancy and starts ssh again so that the system state matches the configuration file. Puppet is like a magician: it converges a chaotic system onto the state the configuration describes.
You can use puppet to manage the entire server lifecycle, from provisioning to retirement. Unlike traditional tools such as Sun's Jumpstart or RedHat Kickstart, puppet can keep servers up to date for years, rather than configuring them correctly once at install time and never managing them again. Users only need to install puppet on their machines and let it run; puppet does the rest of the work.
How puppet works
1. The client (puppetd) sends an authentication request, or a signed certificate, to the puppet master.
2. The master tells the client whether it is legitimate.
3. The client (puppetd) calls Facter, which gathers facts about the host such as the hostname, memory size and IP address. Puppetd sends this information to the server over an SSL connection.
4. The puppet master identifies the client by hostname, finds the corresponding node definition in the manifests, and parses that part. The Facter information is available as variables. Only the code that the node involves is parsed; code that does not concern the node is not. Parsing proceeds in stages: first a syntax check, which reports an error if the syntax is wrong; if the syntax is correct, parsing continues and the result is an intermediate "pseudo-code" form, the catalog, which is sent to the client.
5. The client receives the catalog and applies it.
6. While applying it, the client decides whether any File resources need content; if so, it requests the files from the fileserver.
7. The client checks whether reporting is configured; if so, it sends the results of the run to the server.
8. The server writes the client's results to its log and sends them to the reporting system.
Configuration procedure:
System environment: rhel6.5, selinux and iptables disabled
server: 172.25.254.1 vm1.example.com puppet master
client: 172.25.254.2 vm2.example.com puppet agent
client: 172.25.254.3 vm3.example.com puppet agent
Important: the server and all clients must be able to resolve each other's hostnames and must have synchronized clocks; otherwise certificate validation fails.
Server side:
puppetmaster installation:
a. If the host has network access:
# yum localinstall -y rubygems-1.3.7-1.el6.noarch.rpm
Add the following entries to the yum repository configuration:
[puppet]
name=puppet
baseurl=http://yum.puppetlabs.com/el/6Server/products/x86_64/
gpgcheck=0
[ruby]
name=ruby
baseurl=http://yum.puppetlabs.com/el/6Server/dependencies/x86_64/
gpgcheck=0
Note that gpgcheck=0 turns off package signature verification for these two repositories.
# yum install puppet-server -y
b. If the host has no network access:
You need to download the following packages:
[root@vm1 update]# ls
facter-2.4.4-1.el6.x86_64.rpm            ruby-augeas-0.4.1-3.el6.x86_64.rpm
hiera-1.3.4-1.el6.noarch.rpm             rubygem-json-1.5.5-3.el6.x86_64.rpm
puppet-3.8.1-1.el6.noarch.rpm            rubygems-1.3.7-5.el6.noarch.rpm
puppet-dashboard-1.2.23-1.el6.noarch.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm
puppet-server-3.8.1-1.el6.noarch.rpm
[root@vm1 update]# yum localinstall -y puppet-server-3.8.1-1.el6.noarch.rpm puppet-3.8.1-1.el6.noarch.rpm facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm rubygem-json-1.5.5-3.el6.x86_64.rpm ruby*
The /etc/puppet configuration directory is organized as follows:
|-- puppet.conf       # master configuration file; run puppet --genconfig for details
|-- fileserver.conf   # file server configuration
|-- auth.conf         # authentication configuration
|-- autosign.conf     # automatic certificate signing configuration
|-- tagmail.conf      # mail configuration (sends error messages)
|-- manifests         # manifest directory (puppet reads site.pp in this directory first)
|   |-- nodes
|   |   `-- puppetclient.pp
|   |-- site.pp       # defines puppet-related variables and the default configuration
|   `-- modules.pp    # loads the module classes (include syslog)
`-- modules           # custom modules
    `-- syslog        # example syslog module
        |-- files
        |-- manifests
        |   `-- init.pp       # class configuration
        `-- templates         # module template directory
            `-- syslog.erb    # erb template
The first code puppet executes is /etc/puppet/manifests/site.pp, so this file must exist; all other code is invoked from it.
[root@vm1 puppet]# touch /etc/puppet/manifests/site.pp    # the puppet master cannot start without this file; its contents are defined later
[root@vm1 puppet]# service puppetmaster start               # start the puppet master
[root@vm1 puppet]# netstat -antlp | grep ruby
tcp        0      0 0.0.0.0:8140    0.0.0.0:*    LISTEN    1863/ruby
Client side:
Only the puppet package needs to be installed, using the same methods as on the server:
a.
# yum install puppet -y
b.
[root@vm2 ~]# yum localinstall -y puppet-3.8.1-1.el6.noarch.rpm facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm rubygem-json-1.5.5-3.el6.x86_64.rpm ruby*
Connect the puppet client to the puppet master:
[root@vm2 ~]# puppet agent --server vm1.example.com --no-daemonize --verbose
Info: Creating a new SSL key for vm2.example.com
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for desktop2.example.com
Info: Certificate Request fingerprint (SHA256):
5C:72:77:D8:27:DF:5A:DF:34:EF:25:97:5A:CF:25:29:9F:58:83:A2:61:57:D9:20:7B:1E:C0:36:75:9D:FB:FC
The client issues a certificate request to the master, then waits for the master to sign it and return the certificate.
--server specifies the name or address of the puppet master to connect to; by default the agent connects to the host named "puppet".
To change that default, edit the PUPPET_SERVER=puppet option in /etc/sysconfig/puppet.
--no-daemonize runs the puppet client in the foreground.
--verbose makes the client print detailed logs.
On the master side:
[root@vm1 puppet]# puppet cert list    # show all certificate requests waiting to be signed
  "vm2.example.com" (SHA256) CD:BD:13:D0:B8:46:07:F2:B7:AE:00:C4:E6:E9:E1:A4:92:F6:A4:F1:AB:F7:FF:8D:BE:B0:B7:90:E1:7B:A8:C0
[root@vm1 puppet]# puppet cert sign vm2.example.com    # sign the certificate
Signed certificate request for vm2.example.com
Removing file Puppet::SSL::CertificateRequest vm2.example.com at '/var/lib/puppet/ssl/ca/requests/vm2.example.com.pem'
To sign all pending certificates at once, run:
[root@vm1 puppet]# puppet cert sign --all
[root@vm1 puppet]# puppet cert clean desktop2.example.com    # delete a signed certificate
Within two minutes of the certificate being signed, the agent side shows the following output:
Info: Caching certificate for vm2.example.com
Starting Puppet client version 3.0.0
Info: Caching certificate_revocation_list for ca
Info: Retrieving plugin
Info: Caching catalog for vm2.example.com
Info: Applying configuration version '1349536603'
Finished catalog run in 0.13 seconds
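The agent prints the SHA256 fingerprint of its request and puppet cert list prints the fingerprint of the request the master received; comparing the two before signing confirms the master is signing the request the intended host generated. The following Ruby script is an added example (Ruby because puppet itself is written in Ruby); it is not code from the page or from the puppet project. It builds a request locally so that it runs offline, and it assumes that puppet's fingerprint is the SHA256 digest of the DER-encoded request; the helper names are the example's own.

```ruby
require 'openssl'

# Build a CSR locally so the example runs offline; a real agent generates
# its own key and request (the "Creating a new SSL certificate request"
# step in the agent output above). The common name is a constructed value.
def build_csr(common_name, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# SHA256 over the DER-encoded request, written as colon-separated uppercase
# byte pairs, the layout puppet prints. Assumption: puppet fingerprints the
# DER form of the request.
def csr_fingerprint(csr)
  OpenSSL::Digest.new('SHA256').hexdigest(csr.to_der).upcase.scan(/../).join(':')
end

# Fingerprint of a pending request file on the master, such as
# /var/lib/puppet/ssl/ca/requests/vm2.example.com.pem (path from the page).
def fingerprint_from_pem(pem_text)
  csr_fingerprint(OpenSSL::X509::Request.new(pem_text))
end

# 32 hex byte pairs, separated by any mix of colons, spaces and line breaks,
# so a fingerprint copied from a wrapped terminal line is recognised.
FP_RE = /[0-9A-Fa-f]{2}(?:[\s:]*[0-9A-Fa-f]{2}){31}/

# Pull the fingerprint out of an output line and reduce it to bare hex
# digits; returns nil when the text carries no complete SHA256 fingerprint.
def extract_fingerprint(text)
  m = FP_RE.match(text)
  m && m[0].gsub(/[^0-9A-Fa-f]/, '').upcase
end

# True only when both outputs carry a full fingerprint and they agree.
def fingerprints_match?(agent_output, master_output)
  a = extract_fingerprint(agent_output)
  b = extract_fingerprint(master_output)
  !a.nil? && a == b
end

if __FILE__ == $PROGRAM_NAME
  fp = csr_fingerprint(build_csr('vm2.example.com'))
  agent_line  = "Info: Certificate Request fingerprint (SHA256): #{fp}"
  master_line = "\"vm2.example.com\" (SHA256) #{fp}"
  puts agent_line
  puts master_line
  puts "fingerprints match: #{fingerprints_match?(agent_line, master_line)}"
end
```

On the master, fingerprint_from_pem(File.read('/var/lib/puppet/ssl/ca/requests/vm2.example.com.pem')) gives the value to compare against what the agent printed; if they differ, do not sign the request.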
Automatic signing:
On the server side, edit puppet.conf:
[root@vm1 puppet]# vim /etc/puppet/puppet.conf
[main]
autosign = true
# accept certificate requests from all clients
Create the file autosign.conf in /etc/puppet with the following content:
# vim /etc/puppet/autosign.conf
*.example.com    # allow all hosts in the example.com domain
Note that autosign = true signs every request regardless of autosign.conf; to restrict signing to the hosts listed in autosign.conf, set autosign to the path of that file instead of true.
[root@vm1 puppet]# service puppetmaster reload
On the client side, only this is needed:
# puppet agent        or        # service puppet start
In practice the client's hostname is sometimes changed, so a new certificate must be generated:
1) On the server, run: puppet cert --clean desktop2.example.com    # the original client hostname to delete
2) On the client, run: rm -fr /var/lib/puppet/ssl/*
3) puppet agent --server vm1.example.com --no-daemonize --verbose
Puppet resource definitions
The following resources are defined in /etc/puppet/manifests/site.pp. When no node is specified, they apply to every client that has been authenticated.
1. Create a file
[root@vm1 puppet]# vim /etc/puppet/fileserver.conf    # add the following lines:
[files]
  path /etc/puppet/files
  allow *.example.com
[root@vm1 puppet]# service puppetmaster reload    # restart the service
[root@vm1 manifests]# vim site.pp
file { "/mnt/testfile":                 # create testfile in /mnt
  source => "puppet:///files/passwd",   # source: /etc/puppet/files/passwd on the server
  # source => "/etc/passwd",            # alternative source: /etc/passwd on the client (a resource may have only one source attribute)
}
2. Package definition
package { "httpd":  ensure => present;   # install httpd
         "vsftpd": ensure => absent      # uninstall vsftpd
}
3. Service definition
service { "httpd":  ensure => running;   # start httpd
         "vsftpd": ensure => stopped     # stop vsftpd
}
4. Group definition
group { "wonder": gid => 600 }
5. User definition
user { "wonder":             # create the wonder user
  uid      => 600,
  gid      => 600,
  home     => "/home/wonder",
  shell    => "/bin/bash",
  password => "westos",      # note: the password attribute expects an already hashed value, as stored in /etc/shadow, not plaintext
}
file { "/home/wonder":
  owner  => wonder,
  group  => wonder,
  mode   => "0700",
  ensure => directory
}
file { "/home/wonder/.bash_profile":
  source => "/etc/skel/.bash_profile",
  owner  => wonder,
  group  => wonder
}
file { "/home/wonder/.bashrc":
  source => "/etc/skel/.bashrc",
  owner  => wonder,
  group  => wonder
}
user { "test":               # create the test user
  uid        => 900,
  home       => "/home/test",
  shell      => "/bin/bash",
  provider   => useradd,
  managehome => true,
  ensure     => present
}
exec { "echo westos | passwd --stdin test":    # set the test user's password, only if the user exists
  path   => "/usr/bin:/usr/sbin:/bin",
  onlyif => "id test"
}
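The user resource's password attribute takes the hashed form that /etc/shadow stores, so the value to put in the manifest is a crypt(3) hash rather than the plaintext "westos"; that also avoids placing the plaintext on a command line as the exec resource above does. The following Ruby script is an added example, not code from the page or from puppet: it produces a SHA-512 crypt hash with a random salt, verifies a password against it, and renders the user resource from the page with the hash in place of the plaintext. It assumes the platform crypt(3) supports the $6$ scheme (glibc does); the helper names are the example's own.

```ruby
require 'securerandom'

# SHA-512 crypt(3) hash ("$6$<salt>$<hash>"): the format /etc/shadow stores
# and the format puppet's user password attribute expects. The salt must be
# 1-16 characters from [a-zA-Z0-9./]; a fresh random one is used by default.
def crypt_sha512(plaintext, salt = SecureRandom.alphanumeric(16))
  unless salt =~ %r{\A[a-zA-Z0-9./]{1,16}\z}
    raise ArgumentError, 'salt must be 1-16 chars of [a-zA-Z0-9./]'
  end
  plaintext.crypt("$6$#{salt}$")
end

# Verify a candidate password: the stored hash doubles as the salt spec, so
# re-hashing with it must reproduce the hash exactly.
def password_matches?(plaintext, hash)
  plaintext.crypt(hash) == hash
end

# Render the wonder user resource from the page with the hash instead of the
# plaintext. Single quotes matter here: puppet does not interpolate the $ signs
# of the hash inside single-quoted strings.
def user_manifest(name, uid, gid, hash)
  <<~PP
    user { "#{name}":
      uid      => #{uid},
      gid      => #{gid},
      home     => "/home/#{name}",
      shell    => "/bin/bash",
      password => '#{hash}',
    }
  PP
end

if __FILE__ == $PROGRAM_NAME
  hash = crypt_sha512('westos')   # "westos" is the sample password the page uses
  puts user_manifest('wonder', 600, 600, hash)
end
```

Run it once on the master and paste the printed resource into site.pp; because the salt is random, each run yields a different hash for the same password, and all of them verify.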
6. File system mount
mount { "/mnt":    # host 172.25.254.252 must be running the nfs service
  device  => "172.25.254.252:/var/ftp/pub",
  fstype  => "nfs",
  options => "defaults",
  ensure  => absent
}
With ensure => mounted this resource mounts the file system automatically and keeps /etc/fstab in sync; to unmount it instead, use ensure => absent as written above.
7. crontab task
cron { "echo":    # every 10 minutes between 2 and 4 o'clock, append the current time to /tmp/echo
  command => "/bin/echo `/bin/date` >> /tmp/echo",
  user    => root,
  hour    => ['2-4'],
  minute  => '*/10'
}
# the job is written to the /var/spool/cron directory on the client
Per-node definitions:
1. Edit site.pp on the puppetmaster
[root@vm1 puppet]# vim /etc/puppet/manifests/site.pp    # add:
import "nodes/*.pp"
2. Create the node files
[root@vm1 puppet]# vim /etc/puppet/manifests/nodes/vm2.pp
node 'vm2' {
  package { "httpd": ensure => present }
}
[root@vm1 puppet]# vim /etc/puppet/manifests/nodes/vm3.pp
node 'vm3' {
  user { "test":
    uid        => 900,
    home       => "/home/test",
    shell      => "/bin/bash",
    provider   => useradd,
    managehome => true,
    ensure     => present
  }
  exec { "echo westos | passwd --stdin test":
    path   => "/usr/bin:/usr/sbin:/bin",
    onlyif => "id test"
  }
}
Writing modules:
[root@vm1 puppet]# mkdir -p /etc/puppet/modules/httpd/{files,manifests,templates}
[root@vm1 puppet]# cd /etc/puppet/modules/httpd/manifests
[root@vm1 manifests]# vim install.pp
class httpd::install {
  package { "httpd":
    ensure => present
  }
}
[root@vm1 manifests]# vim config.pp
class httpd::config {
  file { "/etc/httpd/conf/httpd.conf":
    ensure  => present,
    source  => "puppet:///modules/httpd/httpd.conf",
    # actual path: /etc/puppet/modules/httpd/files/httpd.conf
    require => Class["httpd::install"],
    notify  => Class["httpd::service"]
  }
}
[root@vm1 manifests]# vim service.pp
class httpd::service {
  service { "httpd":
    ensure  => running,
    require => Class["httpd::install", "httpd::config"]
  }
  file { "/var/www/html/index.html":    # add a web page
    source => "puppet:///files/index.html"
  }
}
[root@vm1 manifests]# vim init.pp
class httpd {
  include httpd::install, httpd::config, httpd::service
}
[root@vm1 manifests]# vim /etc/puppet/manifests/nodes/vm2.pp
node 'vm2' {
  include httpd
}
[root@vm1 manifests]# service puppetmaster reload
Templates (adding a virtual host configuration):
Template files are stored in the module's templates directory and end in .erb.
[root@vm1 manifests]# vim /etc/puppet/modules/httpd/manifests/init.pp    # add the following
define httpd::vhost($domainname) {
  #file { "/etc/httpd/conf/httpd.conf":
  #  content => template("httpd/httpd.conf.erb")
  #}
  file { "/etc/httpd/conf.d/${domainname}_vhost.conf":
    content => template("httpd/httpd_vhost.conf.erb"),
    require => Class["httpd::install"],
    notify  => Class["httpd::service"]
  }
  file { "/var/www/$domainname":
    ensure => directory
  }
  file { "/var/www/$domainname/index.html":
    content => $domainname
  }
}
[root@vm1 manifests]# vim /etc/puppet/modules/httpd/templates/httpd_vhost.conf.erb
<VirtualHost *:80>
    ServerName <%= domainname %>
    DocumentRoot /var/www/<%= domainname %>
    ErrorLog logs/<%= domainname %>_error.log
    CustomLog logs/<%= domainname %>_access.log common
</VirtualHost>
[root@vm1 manifests]# vi /etc/puppet/manifests/nodes/vm2.pp
node 'vm2' {
  include httpd
  httpd::vhost { 'server2.example.com':
    domainname => "server2.example.com",
  }
}
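The $domainname parameter is substituted verbatim into four Apache directives, a file name under /etc/httpd/conf.d and a path under /var/www, so the define should only accept values that are actually hostnames. The following Ruby script is an added example (ERB templates are Ruby), not code from the page or from puppet: it embeds a copy of the page's httpd_vhost.conf.erb, checks the parameter against the RFC 1123 hostname grammar, and renders the template only when the check passes. The regular expression and helper names are the example's own; the same check can be applied in the manifest before template() is called.

```ruby
require 'erb'

# Copy of the page's httpd_vhost.conf.erb, embedded so the example runs offline.
VHOST_TEMPLATE = <<~'ERB'
  <VirtualHost *:80>
      ServerName <%= domainname %>
      DocumentRoot /var/www/<%= domainname %>
      ErrorLog logs/<%= domainname %>_error.log
      CustomLog logs/<%= domainname %>_access.log common
  </VirtualHost>
ERB

# RFC 1123 hostname: up to 253 characters of dot-separated labels, each
# 1-63 characters of letters, digits and hyphens, not starting or ending
# with a hyphen. Spaces, slashes, quotes and line breaks all fail this check,
# so they never reach the rendered directives or the /var/www path.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def valid_domainname?(name)
  name.is_a?(String) && HOSTNAME_RE.match?(name)
end

# Render the vhost for one domain, refusing any value that fails the check.
def render_vhost(domainname)
  unless valid_domainname?(domainname)
    raise ArgumentError, "refusing to render vhost for #{domainname.inspect}"
  end
  # Binds the template's bare `domainname` the way the page's template uses it.
  ERB.new(VHOST_TEMPLATE).result_with_hash(domainname: domainname)
end

if __FILE__ == $PROGRAM_NAME
  puts render_vhost('server2.example.com')   # the vhost the page defines for vm2
end
```

The check is deliberately stricter than "does Apache accept it": a value that contains whitespace or a newline would be rejected even if Apache tolerated the resulting file, because the same value also names files and directories.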
Puppet dashboard installation (web-based puppet management)
Dependencies:
* Ruby 1.8.7
* RubyGems
* Rake >= 0.8.3
* MySQL server 5.x
* Ruby-MySQL bindings 2.7.x or 2.8.x
Required packages: puppet-dashboard-1.2.12-1.el6.noarch.rpm rubygem-rake-0.8.7-2.1.el6.noarch.rpm ruby-mysql-2.8.2-1.el6.x86_64.rpm
[root@vm1 manifests]# yum localinstall -y puppet-dashboard-1.2.12-1.el6.noarch.rpm rubygem-rake-0.8.7-2.1.el6.noarch.rpm ruby-mysql-2.8.2-1.el6.x86_64.rpm
[root@vm1 manifests]# yum install -y mysql mysql-server
[root@vm1 manifests]# /etc/init.d/mysqld start
Configure the mysql database:
mysql> CREATE DATABASE dashboard_production CHARACTER SET utf8;
Query OK, 1 row affected (0.00 sec)
mysql> CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'westos';
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON dashboard_production.* TO 'dashboard'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql>
# cd /usr/share/puppet-dashboard/
[root@vm1 puppet-dashboard]# vim config/database.yml    # keep only the production environment section
production:
  database: dashboard_production
  username: dashboard
  password: westos
  encoding: utf8
  adapter: mysql
[root@vm1 puppet-dashboard]# rake RAILS_ENV=production db:migrate
# creates the database tables the dashboard needs
The default puppet-dashboard time zone is wrong and needs to be changed:
[root@vm1 puppet-dashboard]# vim /usr/share/puppet-dashboard/config/settings.yml
time_zone: 'Beijing'
Start the service:
[root@vm1 puppet-dashboard]# service puppet-dashboard start
Starting Puppet Dashboard: => Booting WEBrick
=> Rails 2.3.14 application starting on http://0.0.0.0:3000
[OK]
[root@vm1 puppet-dashboard]# chmod 0666 /usr/share/puppet-dashboard/log/production.log
[root@vm1 puppet-dashboard]# service puppet-dashboard-workers start
Real-time report summary:
Server side:
[root@vm1 ~]# vim /etc/puppet/puppet.conf
[main]
# add the following two lines
reports = http
reporturl = http://172.25.254.1:3000/reports
[root@vm1 ~]# service puppetmaster reload
Client side:
[root@vm1 puppet-dashboard]# vim /etc/puppet/puppet.conf    # add the following line
[agent]
report = true
[root@vm1 puppet-dashboard]# service puppet reload
Once the client's puppet is installed and authentication is complete, we can see the effect and how the client automatically synchronizes with the server. By default, how many minutes pass between synchronizations, and how is that interval changed? This is configured on the client:
(1) Puppet parameters and synchronization settings:
[root@vm2 ~]# vim /etc/sysconfig/puppet
PUPPET_SERVER=puppet.example.com         # puppet master address
PUPPET_PORT=8140                         # puppet listening port
PUPPET_LOG=/var/log/puppet/puppet.log    # puppet local log
#PUPPET_EXTRA_OPTS=--waitforcert=500     # default wait parameter; I did not change this line
(2) With the default configuration the client synchronizes with the server every half hour; this interval can be changed:
[root@vm2 ~]# vim /etc/puppet/puppet.conf
[agent]
runinterval = 60    # synchronize with the server every 60 seconds
[root@vm2 ~]# service puppet reload
Optimization: replace puppet's built-in WEBrick HTTP server with nginx + passenger to handle HTTPS requests and provide load balancing for puppet.