I. Introduction to Puppet
System administrators routinely get bogged down in a series of repetitive tasks: upgrading packages, managing configuration files, system services and cron jobs, adding new configuration, fixing mistakes, and so on. These tasks are repetitive and inefficient, and the first reaction is to automate them, which leads to custom scripts. Because environments are complex, custom scripts and applications are reinvented again and again, are hard to port across platforms, and rarely deliver flexibility or a full feature set. This is the gap that automated configuration management tools such as Puppet were created to fill.
In the open-source world there are many configuration tools to choose from; the key products in this area include:
Puppet (http://puppet.reductivelabs.com/): a configuration management tool written in Ruby, using a client/server architecture and a declarative language to configure clients.
Cfengine (http://www.cfengine.org): one of the first open-source configuration tools, released in 1993; also client/server, and commonly used in educational institutions.
LCFG (http://www.lcfg.org/): a client/server configuration management tool that defines configuration in XML.
Bcfg2: a client/server configuration management tool written in Python that configures target hosts using specifications and client responses.
This document describes how to use Puppet to manage your hosts, applications, daemons and services.
Puppet overview:
1. What Puppet is for
Puppet is an open-source, Ruby-based system configuration management tool built on a client/server deployment architecture. Its main developer is Luke Kanies and it is licensed under the GPLv2. Kanies had been doing UNIX system administration since 1997, and Puppet grew out of that experience. Dissatisfied with the existing configuration tools, he worked on a tool of his own at Reductive Labs from 2001 to 2005, and Reductive Labs soon released its flagship product, Puppet.
2. Puppet features
Many system configuration management tools, cfengine for instance, work in a very similar way. What sets Puppet apart?
Puppet's syntax lets you write a single script that creates a user on all of your target hosts. Each target host then interprets and executes that module using the mechanism appropriate for the local system. For example, if the configuration runs on a Red Hat server the user is created with useradd; if it runs on a FreeBSD host, adduser is used instead.
Another outstanding quality of Puppet is its flexibility. Being open source, Puppet's source code is freely available, and if you run into a problem and have the skills, you can modify or extend the code to fit your environment. In addition, community developers and contributors keep adding to Puppet's functionality, and a large community of developers and users provides documentation and support.
Puppet is also easy to extend. Support for custom packages and site-specific system configuration can be added to a Puppet installation quickly and simply.
3. How Puppet works
Puppet is a client/server configuration management tool. The central server runs the puppet-server package (the Puppet master); each host to be managed runs the Puppet client software (the Puppet client). When a client connects to the master, the configuration defined on the master is compiled and then applied on the client. By default every client contacts the server once every half hour to check whether its configuration has been updated; if there is new configuration or the configuration has changed, it is recompiled and distributed to the clients for execution. A configuration update can also be triggered from the server, forcing the clients to apply it. If a client's configuration has drifted, it can fetch the original configuration from the server and correct itself.
4. The future of Puppet
Finally, Puppet is a young tool that is still under active development. Its community is growing quickly and new ideas keep flowing in, so new development, updates and modules appear every day.
II. Configuration and installation (Puppet 2.6.4 on CentOS 5.4):
Configure the package repositories on both the Puppet server and the client:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
[root@puppetmaster ~]# vi /etc/yum.repos.d/epel.repo
Add:
[epel-puppet]
name=epel puppet
baseurl=http://tmz.fedorapeople.org/repo/puppet/epel/5/$basearch/
enabled=0
gpgcheck=0
Add the puppet.repo repository:
[root@puppetmaster ~]# vi /etc/yum.repos.d/puppet.repo
[puppetlabs]
name=Puppet Labs Packages
baseurl=http://yum.puppetlabs.com/base/
enabled=0
gpgcheck=0
Puppet master installation:
[root@puppetmaster ~]# yum --enablerepo=epel,epel-puppet install puppet-server
Edit hosts and add the following two records:
[root@puppetmaster ~]# vi /etc/hosts
192.168.0.10 puppetmaster.leju.com puppet
192.168.0.100 puppetclient.leju.com
Configure Puppet:
[root@puppetmaster ~]# cd /etc/puppet/
[root@puppetmaster puppet]# vi puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
server = puppetmaster.leju.com
report = true
listen = true
[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
autosign = true
reports = store
[root@puppetmaster puppet]# vi fileserver.conf
[files]
path /etc/puppet/files
allow *
[modules]
allow *
[plugins]
allow *
[root@puppetmaster puppet]# mkdir /etc/puppet/files
[root@puppetmaster puppet]# cd manifests/
Create site.pp, the Puppet entry-point manifest:
[root@puppetmaster manifests]# vi site.pp
import "modules.pp"
import "roles.pp"
import "nodes.pp"
# General settings for standard types
Exec { path => "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" }
filebucket { main: server => "puppetmaster.leju.com" }
File { backup => main }
Create modules.pp, which imports the modules:
[root@puppetmaster manifests]# vi modules.pp
import "test"
Create roles.pp, which defines the server roles:
[root@puppetmaster manifests]# vi roles.pp
class baseclass {
    include test
}
Create nodes.pp, which configures the server nodes:
[root@puppetmaster manifests]# vi nodes.pp
node 'basenode' {
    include baseclass
}
node 'puppetclient.leju.com' inherits basenode {
    tag("test")
}
node 'puppetmaster.leju.com' inherits basenode {
    tag("test")
}
[root@puppetmaster manifests]# cd ..
[root@puppetmaster puppet]# mkdir modules
Create a test module:
[root@puppetmaster puppet]# cd modules
[root@puppetmaster modules]# mkdir -p test/manifests/
[root@puppetmaster modules]# mkdir test/files/
[root@puppetmaster modules]# cd test/files/
[root@puppetmaster files]# vi test.txt
test line!
[root@puppetmaster files]# cd ../manifests/
Create the test class, which pushes a file out to the client:
[root@puppetmaster manifests]# vi init.pp
class test {
    file { "/tmp/test.txt":
        ensure => present,
        group  => "root",
        owner  => "root",
        mode   => "0644",
        source => "puppet:///test/test.txt"
    }
}
Start the Puppet master:
[root@puppetmaster manifests]# /etc/init.d/puppetmaster start
Make sure port 8140 is listening.
Puppet client installation:
[root@puppetclient ~]# yum --enablerepo="epel,epel-puppet" install puppet
Edit hosts and add the following two records:
[root@puppetclient ~]# vi /etc/hosts
192.168.0.10 puppetmaster.leju.com puppet
192.168.0.100 puppetclient.leju.com
Configure puppet:
[root@puppetclient ~]# cd /etc/puppet/
[root@puppetclient puppet]# vi puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
server = puppetmaster.leju.com
report = true
listen = true
[root@puppetclient puppet]# vi namespaceauth.conf
[puppetrunner]
allow puppetmaster.leju.com
allow *.leju.com
[root@puppetclient puppet]# vi auth.conf
Add allow * as the last line:
......
path /
auth any
allow *
[root@puppetclient puppet]# cd
Run puppetd:
[root@puppetclient ~]# puppetd --noop --test --trace --debug
If autosign = true is not set on the Puppet master, run the following on the master:
[root@puppetmaster ~]# puppet cert -l
puppetclient.leju.com
[root@puppetmaster ~]# puppet cert -s puppetclient.leju.com
This signs the certificate for puppetclient.leju.com. Then go back to the client and run it again:
[root@puppetclient ~]# puppetd --noop --test --trace --debug
With --noop the configuration is not actually applied on the client; the run is mainly a test, to check the output for errors. If there are none, run:
[root@puppetclient ~]# puppetd --test --trace --debug
Check the file:
[root@puppetclient ~]# ll /tmp/
total 8
-rw-r--r-- 1 root root 11 Feb 25 22:35 test.txt
The file has been delivered.
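The master configuration above uses autosign = true, which signs every certificate request that reaches port 8140, and the manual alternative shown (puppet cert -l, then puppet cert -s) signs whatever name is listed. The script below is an added example, not part of the original notes or of Puppet itself: it reads the pending request names, keeps only those matching a glob allowlist such as *.leju.com (the same one-pattern-per-line shape Puppet's own autosign.conf uses), and signs just those, reporting the rest so they can be looked at. It assumes puppet cert -l prints one bare hostname per line, as shown above for Puppet 2.6; the allowlist file path, the function names and the DRY_RUN variable are the example's own.

```shell
#!/bin/sh
# Added example: sign pending agent certificate requests only when the
# requesting hostname matches an allowlist, instead of "autosign = true".
# Assumes `puppet cert -l` prints one bare hostname per line (Puppet 2.6).

# host_allowed HOST ALLOWLIST
# Exit 0 if HOST matches a glob pattern in ALLOWLIST (one pattern per line,
# e.g. "*.leju.com"; blank lines and lines starting with '#' are ignored).
host_allowed() {
    host=$1
    allowlist=$2
    while IFS= read -r pat || [ -n "$pat" ]; do
        case $pat in
            ''|'#'*) continue ;;
        esac
        # Unquoted $pat is matched as a shell pattern, so "*.leju.com"
        # matches puppetclient.leju.com but not leju.com.example.net.
        case $host in
            $pat) return 0 ;;
        esac
    done < "$allowlist"
    return 1
}

# filter_pending ALLOWLIST < hostnames : print the hostnames that may be signed
filter_pending() {
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        if host_allowed "$host" "$1"; then
            printf '%s\n' "$host"
        fi
    done
}

# rejected_pending ALLOWLIST < hostnames : print the hostnames to leave unsigned,
# so they can be logged and investigated rather than silently ignored
rejected_pending() {
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        if ! host_allowed "$host" "$1"; then
            printf '%s\n' "$host"
        fi
    done
}

# sign_approved ALLOWLIST : list pending requests on the master and sign only
# the approved ones. Set DRY_RUN=1 to print the commands instead of running them.
sign_approved() {
    puppet cert -l | filter_pending "$1" | while IFS= read -r host; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: puppet cert -s $host"
        else
            puppet cert -s "$host"
        fi
    done
}

# Demo on a constructed allowlist and constructed pending requests; on a real
# master you would run: sign_approved /etc/puppet/cert-allowlist (path is ours)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '# hosts allowed to join this master\n*.leju.com\n' > "$tmp"
    printf 'puppetclient.leju.com\nrogue.example.net\n' | filter_pending "$tmp"
    rm -f "$tmp"
fi
```

Run with --demo to see only puppetclient.leju.com pass the filter. The allowlist check happens on the master before any signing, so a host that merely knows the master's address cannot obtain a certificate by submitting a request under an unexpected name.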
You can also push from the Puppet master:
[root@puppetmaster ~]# puppet kick -d --host puppetclient.leju.com
Triggering puppetclient.leju.com
Getting status
status is success
puppetclient.leju.com finished with exit code 0
Finished
A return code of 0 means puppetd on the client was triggered successfully.
Set puppet to start at boot:
chkconfig --level 2345 puppet on
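The configuration written in this section opens several things wide: fileserver.conf and the client's auth.conf end in allow *, puppet.conf has autosign = true, and every repository is added with gpgcheck=0. The script below is an added example (not from the original notes or from Puppet) that scans a configuration directory for exactly these settings and prints one finding per line with file, line number and the enclosing mount or path, so each can be reviewed. For the demonstration it builds a constructed copy of the tutorial's files in a temporary directory; the directory layout, function names and wording of the findings are the example's own.

```shell
#!/bin/sh
# Added example: audit the Puppet 2.6 configuration files from this tutorial
# for the wide-open settings it uses (allow *, autosign = true, gpgcheck=0).
# Each finding is printed as FILE:LINE: context (why it matters).

# audit_allow_all FILE
# Prints every catch-all "allow *" in FILE together with its context: the
# enclosing [mount] stanza in fileserver.conf, or the preceding "path ..." rule
# in auth.conf (which has no stanzas), so the exposed mount or URL is visible.
audit_allow_all() {
    awk -v f="$1" '
        /^[ \t]*\[.*\]/                 { ctx = $0; instanza = 1 }
        /^[ \t]*path[ \t]/ && !instanza { ctx = $0 }
        /^[ \t]*allow[ \t]+\*[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", ctx)
            printf "%s:%d: %s allow * (matches every host; restrict to a host glob or address)\n", f, NR, ctx
        }' "$1"
}

# audit_kv FILE KEY VALUE MESSAGE
# Prints KEY = VALUE if FILE sets it (ini style, spaces around "=" optional,
# trailing "#" comments ignored).
audit_kv() {
    awk -v f="$1" -v k="$2" -v v="$3" -v m="$4" '
        {
            line = $0
            sub(/#.*/, "", line)
            if (match(line, "^[ \t]*" k "[ \t]*=[ \t]*" v "[ \t]*$"))
                printf "%s:%d: %s = %s (%s)\n", f, NR, k, v, m
        }' "$1"
}

# audit_puppet_dir CONFDIR REPODIR : run every check, one finding per line
audit_puppet_dir() {
    for f in "$1/fileserver.conf" "$1/auth.conf"; do
        if [ -f "$f" ]; then audit_allow_all "$f"; fi
    done
    if [ -f "$1/puppet.conf" ]; then
        audit_kv "$1/puppet.conf" autosign true \
            "every CSR reaching port 8140 is signed; list allowed hosts in autosign.conf or sign manually"
    fi
    for r in "$2"/*.repo; do
        if [ -f "$r" ]; then
            audit_kv "$r" gpgcheck 0 "package signatures are not checked; import the repo key and set gpgcheck=1"
        fi
    done
}

# count_findings CONFDIR REPODIR : number of findings (0 means clean)
count_findings() {
    audit_puppet_dir "$1" "$2" | wc -l | tr -d ' '
}

# make_sample DIR : constructed copy of the tutorial's files for the demo.
# The /run rule in auth.conf shows a host-restricted allow, which is not flagged.
make_sample() {
    mkdir -p "$1/puppet" "$1/yum.repos.d"
    printf '[files]\n  path /etc/puppet/files\n  allow *\n[modules]\n  allow *\n[plugins]\n  allow *\n' \
        > "$1/puppet/fileserver.conf"
    printf 'path /run\nmethod save\nauth any\nallow puppetmaster.leju.com\n\npath /\nauth any\nallow *\n' \
        > "$1/puppet/auth.conf"
    printf '[master]\nautosign = true\nreports = store\n' > "$1/puppet/puppet.conf"
    printf '[epel-puppet]\nenabled=0\ngpgcheck=0\n' > "$1/yum.repos.d/epel.repo"
    printf '[puppetlabs]\nenabled=0\ngpgcheck=0 # TODO\n' > "$1/yum.repos.d/puppet.repo"
}

# Stand-alone demo: build the sample and print the findings (7 on this sample).
demo=$(mktemp -d)
make_sample "$demo"
audit_puppet_dir "$demo/puppet" "$demo/yum.repos.d"
rm -rf "$demo"
```

To audit a real host run audit_puppet_dir /etc/puppet /etc/yum.repos.d. Not every allow * is wrong: the stock auth.conf keeps allow * on the certificate request paths so that new agents can submit their requests, and findings there are expected. The ones to act on are catch-all mounts in fileserver.conf (restrict them to a host glob such as *.leju.com or to the master's address) and a trailing path / ... allow * on an agent that runs with listen = true, where the narrow rule the kick needs is the /run path allowed only from the master, as in the sample.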
Switching puppetmaster to Passenger
Passenger is an extension for Apache 2.x that runs Rails or Rack applications inside Apache. By default puppetmaster serves files through WEBrick; with many Puppet clients its file-serving performance becomes very poor, so to make puppetmaster more robust we serve it through Apache.
Install:
[root@puppetmaster ~]# yum install httpd httpd-devel ruby-devel rubygems
Passenger 2.2.2 runs well on RHEL5.
Add the foreman.repo repository:
[root@puppetmaster ~]# vi /etc/yum.repos.d/foreman.repo
[foreman]
name=Foreman stable repository
baseurl=http://yum.theforeman.org/stable
gpgcheck=0
enabled=1
[root@puppetmaster ~]# yum install rubygem-passenger-2.2.2-1
[root@puppetmaster ~]# yum install rubygem-rack-1.0.1-1
[root@puppetmaster ~]# passenger-install-apache2-module
Install the Apache SSL module:
[root@puppetmaster ~]# yum install mod_ssl
Configure the Puppet Rack application:
mkdir -p /etc/puppet/rack/puppetmasterd/
mkdir /etc/puppet/rack/puppetmasterd/public /etc/puppet/rack/puppetmasterd/tmp
cp /usr/share/puppet/ext/rack/files/apache2.conf /etc/httpd/conf.d/puppetmasterd.conf
cp /usr/share/puppet/ext/rack/files/config.ru /etc/puppet/rack/puppetmasterd/
chown puppet /etc/puppet/rack/puppetmasterd/config.ru
[root@puppetmaster ~]# vi /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-2.2.2/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.2
PassengerRuby /usr/bin/ruby
PassengerMaxPoolSize 30
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
[root@puppetmaster ~]# vi /etc/httpd/conf.d/puppetmasterd.conf
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster.leju.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster.leju.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# The following client headers allow the same configuration to work with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /etc/puppet/rack/puppetmasterd/public/
RackBaseURI /
<Directory /etc/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
Edit the puppetmaster configuration file and add the following two lines:
[root@puppetmaster ~]# vi /etc/puppet/puppet.conf
[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
Edit /etc/sysconfig/puppetmaster:
[root@puppetmaster ~]# vi /etc/sysconfig/puppetmaster
# append the following line at the end:
PUPPETMASTER_EXTRA_OPTS="--reports store"
If reports should also go to Foreman and puppet-dashboard, use this line instead (no spaces after the commas, otherwise the shell splits the value into separate arguments):
PUPPETMASTER_EXTRA_OPTS="--reports store,foreman,puppet_dashboard"
Stop the puppetmaster service and start Apache:
[root@puppetmaster ~]# /etc/init.d/puppetmaster stop
[root@puppetmaster ~]# /etc/init.d/httpd start
Disable puppetmaster at boot and enable httpd at boot:
[root@puppetmaster ~]# chkconfig --level 2345 puppetmaster off
[root@puppetmaster ~]# chkconfig --level 2345 httpd on
Make sure port 8140 is listening:
[root@puppetmaster ~]# netstat -tunlp |grep 8140
tcp 0 0 :::8140 :::* LISTEN 9834/httpd
Test from the client and check whether any errors are logged:
[root@puppetclient ~]# puppetd --test --trace --debug
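After the switch to Passenger the check above only confirms that 8140 is listening; what also matters is which program holds it, since a WEBrick puppetmaster that was not actually stopped would keep the port and Apache would fail to bind it. The following is an added example, not part of the original notes: it parses netstat -tunlp output and reports the program owning a given port, using a constructed sample of that output modelled on the line shown above; the function names are the example's own.

```shell
#!/bin/sh
# Added example: confirm which program owns the Puppet master port after the
# Passenger switch. Expected: 8140 held by httpd, not by the old WEBrick
# puppetmasterd (ruby). Parses `netstat -tunlp` output; constructed sample below.

# listener_owner PORT < netstat-output
# Prints the program name (from the PID/Program column) of the TCP socket
# listening on PORT, whether bound as 0.0.0.0:PORT or :::PORT; prints nothing
# if no such listener exists.
listener_owner() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") {
            split($7, pp, "/")   # "9834/httpd" -> pp[1]=pid, pp[2]=program
            print pp[2]
        }'
}

# expect_owner PORT PROGRAM < netstat-output : exit 0 only if PORT is owned by PROGRAM
expect_owner() {
    [ "$(listener_owner "$1")" = "$2" ]
}

# Constructed netstat -tunlp output modelled on the line shown in the tutorial.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2104/sshd
tcp        0      0 :::8140                     :::*                        LISTEN      9834/httpd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1873/dhclient'

# Live use on the master (root is needed for the PID/Program column):
#   netstat -tunlp | expect_owner 8140 httpd && echo "8140 is served by Apache/Passenger"
printf '%s\n' "$SAMPLE_NETSTAT" | listener_owner 8140
```

The port match is anchored on ":PORT" at the end of the local-address field, so 8140 does not match 81400 and both the IPv4 and the IPv6 wildcard bindings are handled; a missing or unexpected owner is the signal to check that the puppetmaster init script really stopped the WEBrick process before httpd was started.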