Puppet Manager

    In master mode more than one manifest may apply to a given agent, so on the master a site manifest (or several) is kept, keyed by the agent's node name; every manifest that agent should receive is pulled into the site manifest for that node, and the master then applies that site manifest as a whole.

 

    agent: by default contacts the master every 30 minutes (the runinterval setting), sends its node name (certname) and facts, and requests a catalog;

    master: authenticates the agent by its client certificate, looks up the node definition that applies to it in the site manifest, compiles a catalog and sends it back;

    Installing the software: install with yum.

        The master needs puppet and puppet-server; facter can be installed too so the master can manage itself;

            puppetmaster listens on TCP port 8140;

        The agent needs puppet and facter;

            puppetagent listens on TCP port 8139, but only when listen = true is set in puppet.conf (required for puppet kick, below); by default the agent opens no listening port and only makes outbound connections to the master's port 8140;

    Configuration file:

        /etc/puppet/puppet.conf

            an ini-style file with these sections:

                [main]: applies to both master and agent, global settings;

                [agent]: takes effect only on the agent;

                [master]: takes effect only on the master;

            Settings behave like variables: "puppet config print" lists every supported setting with its current (default) value, and "puppet config set SETTING VALUE" writes a setting into puppet.conf (add --section agent or --section master to target a section other than main);

        "puppet master --genconfig" / "puppet agent --genconfig" prints a full configuration for this environment to stdout (it is derived from the existing default configuration, so do not move the original puppet.conf before generating it); redirect the output into a file to use it, but review it first: some of the settings it emits are deprecated and may not be accepted by the installed Puppet version;

        More detail on the settings is available through puppet doc:

            puppet doc --list : lists the references the documentation contains;

            puppet doc -r REFERENCE : shows one of the references listed above in full;

                example: puppet doc -r type   (puppet doc -r configuration covers the settings themselves)

        Note: master/agent communication is tied to host names (the certname defaults to the FQDN), so set a proper host name before the first run. Use an FQDN on the master (e.g. hello.guowei.com); with a bare short name the certificate is issued for NAME.localdomain, which does not match the name agents connect to and breaks certificate signing.

    Starting the services:

        master: the first time, run the master in the foreground with "puppet master -v --no-daemonize" to check that it starts cleanly (the output shows the start-up sequence: creating the CA, self-signing the CA certificate, issuing the master's own certificate, and where the certificates are stored); after that start it through the init script or systemctl;

        agent: the first time, run "puppet agent --server=SERVER_NAME --test" to check that the agent can reach the master (--test runs once in the foreground with verbose output and no daemonizing); this first run generates the agent's key and sends a certificate signing request to the master (the same request is sent by a plain "puppet agent --server=SERVER_NAME"). Once the certificate has been signed (next section) and a test run succeeds, set server in [agent] or [main] of /etc/puppet/puppet.conf and start the service (systemctl start puppetagent.service); from then on the agent fetches its configuration on its own;

            example:

                ~]# cat /etc/puppet/puppet.conf
                [agent]
                listen = true
                server = node1.guowei.com

            listen = true is only needed for puppet kick (below) and makes the agent listen on TCP 8139; leave it out unless kick is used.

    Signing certificates:

        1. puppet master -v --no-daemonize                 ---> on the master

        2. stop the foreground master with Ctrl+C

        3. systemctl start puppetmaster.service            ---> on the master

            starts the puppetmaster service, listening on port 8140

        4. puppet agent --server=SERVER_NAME --test        ---> on the agent

            the agent generates its key and sends a certificate signing request to the master

        5. puppet cert list                                ---> on the master

            lists the pending signing requests (puppet cert list --all also shows already signed certificates, prefixed with +); each entry carries the request's fingerprint, which should be compared with the output of "puppet agent --fingerprint" on the agent before signing, since the name in a request is chosen by whoever sent it

        6. puppet cert sign AGENT_HOSTNAME                 ---> on the master

            signs the agent's certificate

        7. agent and master are now connected: the agent's next run (puppet agent --server=SERVER_NAME --test) picks up the signed certificate and applies its first catalog;

        Revoking a certificate and signing again (e.g. after an agent was reinstalled under the same name):

            1. puppet cert clean AGENT_HOSTNAME            ---> on the master

                revokes the certificate (it is added to the CRL) and removes the master's copy of it

            2. rm -rf /var/lib/puppet/ssl/*                ---> on the agent

                removes the agent's old key and certificate; they are regenerated on the next run

                If signing keeps failing, the stale state under /var/lib/puppet can be removed (rm -rf /var/lib/puppet/*), in the worst case on both agent and master, followed by a master restart and a fresh signing round. Be aware that on the master this also destroys the CA under /var/lib/puppet/ssl/ca: a new CA is created at the next start, every existing agent certificate becomes invalid, and all agents then have to clear their ssl directory and be signed again.

            3. puppet agent --server=SERVER_NAME --no-daemonize -v     ---> on the agent

                generates a new key and submits a new signing request

            4. puppet cert sign AGENT_HOSTNAME             ---> on the master
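The fingerprint comparison in step 5 above, as an added example that is not part of the original notes: it parses the master's `puppet cert list` output, looks up the pending request for one certname, and only issues `puppet cert sign` when the fingerprint matches the one the agent printed with `puppet agent --fingerprint`. It assumes Puppet 3.x output format; the listing, host names and fingerprints are constructed for the example, and PUPPET can be overridden to dry-run the flow.

```sh
#!/bin/sh
# Added example, not from the original notes: check the fingerprint of a
# pending request on the master before `puppet cert sign`, so a request that
# merely uses a trusted host's name is not signed by mistake.
#
# Assumptions (not stated in the notes): Puppet 3.x, where `puppet cert list`
# prints a pending request as
#     "NAME" (SHA256) AA:BB:...
# and an already signed certificate with a leading "+"; `puppet agent
# --fingerprint` on the agent prints the same fingerprint, which the operator
# obtains out of band (console, ticket, provisioning log).

# Constructed sample of `puppet cert list --all` output (fingerprints
# shortened); a real master produces this with:  puppet cert list --all
SAMPLE_CERT_LIST='  "node2.guowei.com" (SHA256) 7A:1F:09:C3:88:2E:5D:40:B1:0C:6F:E2:91:3A:D7:55
  "web1.guowei.com" (SHA256) 0B:4C:77:A9:13:E0:FE:62:8D:21:C5:9B:34:F6:08:1D
+ "node1.guowei.com" (SHA256) 12:34:56:78:9A:BC:DE:F0:11:22:33:44:55:66:77:88 (alt names: "DNS:puppet", "DNS:node1.guowei.com")'

# pending_fingerprint CERTNAME LISTING: print the fingerprint of CERTNAME's
# *pending* request; returns 1 if there is none (unknown name, or already
# signed/revoked, whose lines start with "+" or "-").
pending_fingerprint() {
    printf '%s\n' "$2" | awk -v name="\"$1\"" '
        $1 == name && $2 == "(SHA256)" { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_csr CERTNAME EXPECTED_FINGERPRINT LISTING
#   0: pending request present and fingerprint matches
#   1: fingerprint mismatch (do NOT sign; find out who sent the request)
#   2: no pending request for that name
verify_csr() {
    actual=$(pending_fingerprint "$1" "$3") || {
        echo "no pending request for $1" >&2
        return 2
    }
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "FINGERPRINT MISMATCH for $1: master sees $actual, agent reported $2" >&2
    return 1
}

# sign_verified CERTNAME EXPECTED_FINGERPRINT [LISTING]: sign only after the
# fingerprint check passes. LISTING defaults to the live master output;
# PUPPET can be overridden (e.g. PUPPET=echo) to dry-run the flow.
sign_verified() {
    listing=${3:-$("${PUPPET:-puppet}" cert list)}
    verify_csr "$1" "$2" "$listing" || return $?
    "${PUPPET:-puppet}" cert sign "$1"
}
```

On a real master the call is `sign_verified node2.guowei.com FINGERPRINT_FROM_AGENT` with no third argument; a non-zero exit means nothing was signed and the reason is on stderr.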

    Installing the modules that will be used:

        puppet module install AUTHOR-MODULE   (fetches from the Puppet Forge; pin a release with --version and review the module before putting it on the master, since its manifests run as root on every agent that includes it)

        or write them yourself

    Defining the site manifest:

        the site manifest lives in /etc/puppet/manifests/ and must be named site.pp (the manifest setting);

            ways of defining nodes in site.pp:

                1. by exact node name (the agent's certname):

                    node 'NODE_NAME' {
                        ... puppet code ...
                    }

                2. name hosts of the same role according to a fixed pattern in advance and match them with one regular expression:

                    node /^web[0-9]+\.guowei\.com$/ {
                        ... puppet code ...
                    }

                    escape the dots and anchor both ends: the pattern /^web[0-9]+.guowei.com/ also matches names such as web1Xguowei.com or web1.guowei.com.other.guowei.com, so a host that merely obtained such a certname would be put into the web role;

            if no node definition matches the certname and there is no "node default { ... }" block, the agent's run fails with an error rather than applying an empty catalog;

            example, continuing the last example of the previous article:

                ~]# cat /etc/puppet/manifests/site.pp
                node 'node2.guowei.com' {
                    include nginx::proxy
                }

                ~]# puppet agent --server=node1.guowei.com --no-daemonize -v
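How the master chooses between the two kinds of node definition above, as an added shell model that is not part of the original notes: exact names win over regex nodes, and the script shows why the notes' pattern needs escaped dots and a closing anchor. It assumes single-line FQDN certnames and that grep -E approximates Ruby's regex engine for these patterns; the role and host names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original notes: a small shell model of how the
# master picks a node block in site.pp for a given certname, for testing node
# patterns before they are put on the master. In Puppet an exactly named node
# takes precedence over any regex node; which regex wins when several match
# is not guaranteed, so the patterns below are kept non-overlapping.
#
# Assumptions: certnames are single-line FQDNs and grep -E (POSIX ERE) is
# close enough to Ruby's regex engine for these patterns; the role names and
# host names are illustrative.

# Exact names, as in  node 'NAME' { ... }
EXACT_NODES='node2.guowei.com
db1.guowei.com'

# Regex nodes, "ROLE PATTERN" per line, as in  node /PATTERN/ { include ROLE }
# Dots are escaped and both ends anchored so a pattern matches whole names.
REGEX_NODES='nginx::proxy ^web[0-9]+\.guowei\.com$
tomcat ^app[0-9]+\.guowei\.com$'

# The pattern as written in the notes: the unescaped "." matches any
# character and the missing "$" lets arbitrary suffixes through.
LOOSE_PATTERN='^web[0-9]+.guowei.com'

# node_matches PATTERN CERTNAME: 0 if the regex node would match CERTNAME.
node_matches() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# classify_node CERTNAME: prints "exact:NAME", "regex:ROLE" or "default",
# mirroring which node block the master would compile for the agent.
classify_node() {
    certname=$1
    if printf '%s\n' "$EXACT_NODES" | grep -Fqx -e "$certname"; then
        printf 'exact:%s\n' "$certname"
        return 0
    fi
    match=$(printf '%s\n' "$REGEX_NODES" | while read -r role pattern; do
        if node_matches "$pattern" "$certname"; then
            printf 'regex:%s\n' "$role"
            break
        fi
    done)
    if [ -n "$match" ]; then
        printf '%s\n' "$match"
    else
        # without a  node default { ... }  block the agent's run would fail
        printf 'default\n'
    fi
}
```

`classify_node web1.guowei.com.evil.guowei.com` lands in default with the anchored patterns, while `node_matches "$LOOSE_PATTERN" web1.guowei.com.evil.guowei.com` succeeds: combined with a wildcard autosign entry for *.guowei.com, a host that picks such a name would receive the web role's catalog.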

        Node inheritance:

            node 'basenode' {
                include ntp
            }

            node 'web.guowei.com' inherits basenode {
                include nginx::proxy
            }

            node inheritance is deprecated in Puppet 3.7 and removed in Puppet 4; put the shared classes into a class or module (e.g. a base class that every node includes) instead;

        Managing nodes in separate files:

            create subdirectories under /etc/puppet/manifests/ as the situation requires, put the matching .pp files in them, and pull those files into site.pp with import;

            example:

                ~]# tree /etc/puppet/manifests/
                /etc/puppet/manifests/
                ├── appservers
                │   └── tomcat.pp
                ├── cacheservers
                │   └── varnish.pp
                ├── site.pp
                └── webservers
                    └── nginx.pp

                ~]# cat /etc/puppet/manifests/site.pp
                import "webservers/*.pp"

            import is deprecated in Puppet 3.5 and removed in Puppet 4; the replacement is to point the manifest setting at a directory (every .pp file in it is read) or to use directory environments;

        Suggested host naming scheme:

            role-carrier-datacenter-IP.DOMAIN.TLD

    The environment sections of puppet.conf:

        Environment sections let hosts in different contexts (production, testing, development) be treated separately by giving each environment its own manifest and module paths, so the master sends each host configuration suited to the environment it belongs to;

        example:

            environment sections on the master:

                vim /etc/puppet/puppet.conf
                ........
                [master]
                environment = production,testing
                    declares the environments this master supports (in Puppet 3 this line is not required: a section named after the environment, as below, is what defines it);

                [production]
                manifest = /etc/puppet/environments/production/manifests/site.pp
                modulepath = /etc/puppet/environments/production/modules/
                fileserverconfig = /etc/puppet/fileserver.conf
                    location of the configuration of the file server the master provides;

                [testing]
                manifest = /etc/puppet/environments/testing/manifests/site.pp
                modulepath = /etc/puppet/environments/testing/modules/
                fileserverconfig = /etc/puppet/fileserver.conf
                .......

                these per-environment config-file sections are deprecated from Puppet 3.5 and removed in Puppet 4; the current mechanism is directory environments (environmentpath = $confdir/environments), where each subdirectory named after an environment holds its own manifests/ and modules/;

            corresponding agent configuration:

                [agent]
                environment = production
                    set according to the environment the host belongs to; the agent sends it with every request so the master compiles the catalog from that environment's manifests and modules. The agent picks its own environment here, so nothing that must not reach a non-production host should be gated on this value alone; an external node classifier on the master can override the environment an agent asks for;

    Puppet's built-in file server:

        the file server is defined in fileserver.conf, used together with puppet.conf (the fileserverconfig setting) and auth.conf; auth.conf controls which agents may access which paths on the master (Puppet's ACL), while fileserver.conf maps mount points to directories and restricts who may read each mount;

        fileserver.conf format:

            [mount_point]
            path /PATH/TO/SOMEWHERE
            allow HOSTNAME
            allow_ip IP_ADDR
            deny all

            files are then referenced from manifests as puppet:///mount_point/FILE; allow entries are matched against the agent's certname (with * wildcards), allow_ip against its source address, and "deny all" is the catch-all;

        auth.conf format (one stanza per path; the first stanza whose path matches the request is used):

            path /path_to_somewhere
            auth yes
            method find,save
            allow HOSTNAME
            allow_ip IP_ADDR

            "path" may also be a regular expression (path ~ ^/catalog/([^/]+)$ with allow $1, as in the default auth.conf, restricts each node to its own catalog); "auth yes" requires a signed client certificate; "method" lists the permitted REST verbs (find, search, save, destroy); "allow *" admits any authenticated node;

    Automatic signing: autosign.conf:

        makes the master sign an agent's certificate request as soon as it arrives, without a manual puppet cert sign;

        format:

            one host name per line, * wildcards allowed;

                *.guowei.com

        Security note: the certname in a request is chosen by the requester, so with this entry any host that can reach the master's port 8140 and asks for a name ending in .guowei.com receives a signed certificate, and with it the catalog for that name (including any credentials it carries) and access to the file server. Restrict who can reach 8140, never use a bare "*", and prefer either manual signing with fingerprint verification or a policy-based autosign executable (autosign = /path/to/script, Puppet 3.4 and later);
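A policy-based autosign script of the kind recommended above, as an added example that is not part of the original notes. Puppet 3.4 and later run the executable named by the autosign setting with the requested certname as its only argument and the PEM CSR on stdin, and sign only if it exits 0; this script refuses any name outside a strict pattern and any host that provisioning has not registered beforehand. The inventory file, its path and the permitted name pattern are assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the original notes: a policy-based autosign script
# in place of the wildcard autosign.conf above. The certname in a signing
# request is chosen by whoever sends it, so "*.guowei.com" signs any host that
# can reach port 8140 and asks for a name under that domain. Puppet 3.4 and
# later accept an executable instead of a file:
#     autosign = /etc/puppet/autosign.sh      (in [master], file executable)
# The master runs it with the requested certname as the only argument and the
# PEM-encoded CSR on stdin, and signs only when it exits 0.
#
# Assumptions (not stated in the notes): an inventory file listing the
# certnames that provisioning (e.g. the kickstart step mentioned at the end of
# the notes) has registered in advance, one per line; its path and the
# permitted name pattern are illustrative.

INVENTORY=${AUTOSIGN_INVENTORY:-/etc/puppet/autosign-inventory.txt}
ALLOWED_PATTERN='^(web|app|db)[0-9]+\.guowei\.com$'

# decide CERTNAME CSR_TEXT INVENTORY_TEXT: 0 = sign, 1 = refuse.
# Takes text rather than files so the policy can be exercised without a master.
decide() {
    certname=$1 csr=$2 inventory=$3

    # 1. The name must have exactly the shape this site issues; an unanchored
    #    or unescaped pattern would admit web1.guowei.com.evil.guowei.com.
    if ! printf '%s\n' "$certname" | grep -Eq -e "$ALLOWED_PATTERN"; then
        echo "autosign: refuse $certname: name outside policy" >&2
        return 1
    fi

    # 2. The host must have been registered before it asks for a certificate.
    if ! printf '%s\n' "$inventory" | grep -Fqx -e "$certname"; then
        echo "autosign: refuse $certname: not in inventory" >&2
        return 1
    fi

    # 3. What arrived on stdin must at least look like a PEM CSR. The master
    #    verifies the CSR signature itself; this only keeps junk out of the log.
    if ! printf '%s\n' "$csr" | grep -q -e '-----BEGIN CERTIFICATE REQUEST-----'; then
        echo "autosign: refuse $certname: input is not a CSR" >&2
        return 1
    fi

    echo "autosign: sign $certname" >&2
    return 0
}

# Entry point when the master runs the script: one argument (the certname),
# CSR on stdin. With no argument the file only defines the function above.
if [ $# -eq 1 ]; then
    decide "$1" "$(cat)" "$(cat "$INVENTORY" 2>/dev/null)"
fi
```

In production the provisioning step appends the new host's certname to the inventory and a signed host should be removed from it again, so each registration is good for one request only; the stderr lines end up in the master's log, which is where refused names should be watched for.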

Puppet push: kick

    puppet kick makes a newly added configuration take effect on an agent right away; the master (or another allowed host) tells the agent to come and fetch its new configuration now, so the agent still pulls as usual, only out of schedule;

    on the agent, listen = true in puppet.conf is required (the agent then listens on TCP 8139), and namespaceauth.conf specifies which hosts may trigger a kick;

        format:

            [puppetrunner]
                allow HOSTNAME

    the agent's auth.conf must also allow the "/run" path (method save) for the kicking host, otherwise the request is rejected; puppet kick is deprecated in the Puppet 3 series and removed in Puppet 4, where runs are triggered with an orchestration tool (e.g. MCollective) instead;

Problems to solve when using Puppet:

    1. Host names: name hosts sensibly, and with many hosts provide name resolution through DNS rather than /etc/hosts;

        DDNS: once a host has obtained its address it submits the IP-to-name mapping to the DNS server itself, completing the record;

    2. Getting puppet agent onto new systems:

        bake puppet into the installation image, then have the kickstart file install and enable the agent (its %post section can also write the server setting into puppet.conf), so the host requests its certificate on first boot;

Note: study notes taken from 马哥's video course; corrections are welcome; will be taken down on request.

Original: https://www.cnblogs.com/guowei-Linux/p/11378798.html