1. Introduction to Puppet

Puppet is an automated system configuration tool developed by Puppet Labs in Ruby. It runs in client/server mode or in standalone mode and supports batch configuration and management of all UNIX and UNIX-like systems. The *** version has also begun to offer limited management of some Windows operating systems. Puppet covers the whole server management lifecycle: initial installation, configuration, updates, decommissioning and so on.

2. Installing and configuring Puppet

2.1 Server-side installation

Installing puppet-server

First configure the hostname on both the server and the client, because Puppet identifies nodes by hostname; the hosts file must be updated at the same time. Puppet needs Ruby; if you want command-line help you also need the extra ruby-rdoc package.

1. Download puppetlabs-release-5-5.noarch.rpm (reference: http://yum.puppetlabs.com/el/5/products/x86_64)

2. Install:

```
[root@service ~]# rpm -ivh puppetlabs-release-5-5.noarch.rpm
[root@service ~]# yum install puppet-server -y
...
Installed:
  puppet-server.noarch 0:2.7.19-1.el5
Dependency Installed:
  augeas-libs.x86_64 0:0.10.0-3
  facter.x86_64 1:1.6.11-1.el5
  puppet.noarch 0:2.7.19-1.el5
  ruby.x86_64 0:1.8.5-24.el5
  ruby-augeas.x86_64 0:0.4.1-1
  ruby-libs.x86_64 0:1.8.5-24.el5
  ruby-shadow.x86_64 0:1.4.1-7
# this step installs ruby, ruby-libs, ruby-rdoc and related packages by default
[root@service ~]# /etc/init.d/puppetmaster start
```

Stop iptables and disable SELinux (on a production master, opening TCP port 8140, which puppetmaster listens on, is preferable to stopping the firewall altogether):

```
[root@service ~]# /etc/init.d/iptables stop
[root@service ~]# sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
```

2.2 Client installation

Installing puppet

Install the Puppet client on the client machine. Puppet needs Ruby; if you want command-line help you also need the extra ruby-rdoc package:

```
[root@service ~]# rpm -ivh puppetlabs-release-5-5.noarch.rpm
[root@service ~]# yum install puppet -y
...
Installed:
  puppet.noarch 0:2.7.19-1.el5
Dependency Installed:
  augeas-libs.x86_64 0:0.10.0-3
  facter.x86_64 1:1.6.11-1.el5
  ruby.x86_64 0:1.8.5-24.el5
  ruby-augeas.x86_64 0:0.4.1-1
  ruby-libs.x86_64 0:1.8.5-24.el5
  ruby-shadow.x86_64 0:1.4.1-7
Complete!
```

2.3 Requesting a certificate

The Puppet client and server communicate over an SSL tunnel. Once the client is installed it must request a certificate from the server.

a. The client requests a certificate:

```
puppetd --test --server server.puppet.com
```

The output shows the SSL session being set up:

```
[root@client ~]# puppetd --test --server server.puppet.com
info: Creating a new SSL key for client.puppet.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for client.puppet.com
info: Certificate Request fingerprint (md5): 74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE
Exiting; no certificate found and waitforcert is disabled
```

b. The server accepts the request. Listing the pending client requests waiting for approval:

```
[root@server ~]# puppetca --list
"client.puppet.com" (74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE)
```

Signing the client's request:

```
[root@server ~]# puppetca -s client.puppet.com
notice: Signed certificate request for client.puppet.com
notice: Removing file Puppet::SSL::CertificateRequest client.puppet.com at '/var/lib/puppet/ssl/ca/requests/client.puppet.com.pem'
```

puppetca -s <hostname> signs the named pending request; puppetca -s -a signs all pending certificate requests.
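puppetca -s -a approves every pending request, including ones nobody expected. A small check before signing, added here as an example (it is not part of the original post or of Puppet itself): compare the fingerprint the client printed in step a with the fingerprint the CA shows in puppetca --list for that hostname, and sign only when they agree. The sample listing is constructed from the output shown above; verify_csr_fingerprint, sign_if_verified and SAMPLE_CA_LISTING are names chosen for this example.

```shell
#!/bin/bash
# Added example: check a pending CSR's fingerprint before signing it.
# Not part of the original post or of Puppet; names are chosen here.

# Constructed sample of `puppetca --list` output, copied from the listing
# shown above (one pending request).
SAMPLE_CA_LISTING='"client.puppet.com" (74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE)'

# verify_csr_fingerprint HOST EXPECTED LISTING
#   HOST     - the client's certname as shown by puppetca --list
#   EXPECTED - the "Certificate Request fingerprint (md5)" the client printed
#   LISTING  - the text of `puppetca --list`
# Returns 0 when the CA's pending request for HOST carries EXPECTED,
# 1 on a mismatch, 2 when HOST has no pending request at all.
verify_csr_fingerprint() {
  local host="$1" expected="$2" listing="$3" host_re actual a e
  # escape the dots in the hostname so sed matches them literally
  host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
  actual=$(printf '%s\n' "$listing" \
    | sed -n "s/^\"$host_re\" (\([0-9A-Fa-f:]*\)).*/\1/p" | head -n 1)
  if [ -z "$actual" ]; then
    echo "no pending request for $host" >&2
    return 2
  fi
  # compare case-insensitively: puppet prints upper case, people type either
  a=$(printf '%s' "$actual" | tr 'a-f' 'A-F')
  e=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
  if [ "$a" = "$e" ]; then
    return 0
  fi
  echo "fingerprint mismatch for $host: CA sees $actual, client reported $expected" >&2
  return 1
}

# sign_if_verified HOST EXPECTED
# Runs the check against the live CA listing and signs only when it passes.
sign_if_verified() {
  local listing
  listing=$(puppetca --list) || return 2
  verify_csr_fingerprint "$1" "$2" "$listing" && puppetca -s "$1"
}
```

Usage on the master: sign_if_verified client.puppet.com 74:34:A9:DC:F6:52:B4:96:D1:FF:D3:68:F6:E5:7B:DE, with the fingerprint read from the client's own output rather than from the CA listing, so that a request submitted under a hostname you expected but from a machine you did not is refused instead of signed.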
c. The client retrieves the approved certificate:

```
[root@client ~]# puppetd --test --server server.puppet.com
info: Caching certificate for client.puppet.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client.puppet.com
info: Applying configuration version '1346237401'
notice: Finished catalog run in 0.02 seconds
```

Done.

Appendix: errors that may be reported

1) Certificate verification fails with no further detail:

```
[root@client-109 ~]# puppetd --server server.puppet.com --test
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
```

Cause: the server and client clocks are not synchronized.

2) The server name does not match its certificate:

```
[root@client ~]# puppetd --server server.puppet.com --test
err: Could not retrieve catalog from remote server: Server hostname 'server.puppet.com' did not match server certificate; expected one of service.puppet.com, DNS:puppet, DNS:puppet.puppet.com, DNS:service.puppet.com
```

Cause: the hostname on the server side is wrong; check the server's hostname.

3) A self-signed certificate is reported in the chain:

```
[root@client ~]# puppetd --test --server server.puppet.com
err: Could not retrieve catalog from remote server: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: server.puppet.com]
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: server.puppet.com]
```

Cause and fix: when this error appears, delete the client's SSL directory /var/lib/puppet/ssl/ and go through the certificate request again:

```
puppetd --test --server server.puppet.com
```
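The three failures above produce distinguishable error text, so a small client-side helper can classify a failed run and point at the cause given for it, including the names the master's certificate is actually valid for in case 2. This is an added example, not code from the original post; diagnose_puppetd_error and the SAMPLE_* variables are names chosen here, and the sample strings are copied from the error output shown above.

```shell
#!/bin/bash
# Added example: classify the output of a failed `puppetd --test` run into the
# three causes listed above. Not from the original post; names chosen here.

# Constructed samples, copied from the error output shown above.
SAMPLE_CLOCK_SKEW="err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run"
SAMPLE_HOSTNAME_MISMATCH="err: Could not retrieve catalog from remote server: Server hostname 'server.puppet.com' did not match server certificate; expected one of service.puppet.com, DNS:puppet, DNS:puppet.puppet.com, DNS:service.puppet.com"
SAMPLE_STALE_SSL="err: Could not retrieve catalog from remote server: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: server.puppet.com]
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run"

# diagnose_puppetd_error OUTPUT
# Prints the likely cause and the fix; the exit status encodes the class:
#   0 no known certificate error, 1 clock skew, 2 hostname mismatch,
#   3 stale client SSL directory.
# Pattern order matters: the stale-SSL message also contains the generic
# "certificate verify failed" text, so the more specific patterns come first.
diagnose_puppetd_error() {
  local out="$1" expected
  case "$out" in
    *"did not match server certificate"*)
      # the names the master's certificate is actually valid for
      expected=$(printf '%s\n' "$out" | sed -n 's/.*expected one of \(.*\)$/\1/p' | head -n 1)
      echo "hostname mismatch: the master's certificate is valid for: $expected"
      echo "fix: use --server with one of those names, or correct the master's hostname"
      return 2 ;;
    *"self signed certificate in certificate chain"*)
      echo "stale client SSL state: the CA cached on the client is not the master's CA"
      echo "fix: remove /var/lib/puppet/ssl/ on the client and run puppetd --test --server <master> again"
      return 3 ;;
    *"certificate verify failed"*)
      echo "certificate verify failed without detail: compare 'date' on client and master and synchronize the clocks"
      return 1 ;;
  esac
  echo "no known certificate error in this output"
  return 0
}
```

Usage: diagnose_puppetd_error "$(puppetd --test --server server.puppet.com 2>&1)"; the exit status can drive a monitoring check, and the printed line tells the operator which of the three causes to look at first.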
2.4 Verifying the Puppet configuration

Write a small example on the server to test the setup. Its job is very simple: create a file test.txt in the client's /tmp directory with the content "hello,test!". Write the following on the server (the server itself does not need to create the file):

```
vi /etc/puppet/manifests/site.pp
```

```puppet
node default {
  file { "/tmp/test.txt":
    content => "hello,test!";
  }
}
```

2.5 Client test

Run puppetd on the client. After a successful run the newly created test.txt appears in /tmp:

```
[root@client ~]# puppetd --test --server server.puppet.com
info: Caching catalog for client.puppet.com
info: Applying configuration version '1346237596'
notice: /Stage[main]//Node[default]/File[/tmp/test.txt]/ensure: defined content as '{md5}d7568aced6a958920309da96080e88e0'
notice: Finished catalog run in 0.** seconds
[root@client ~]# cat /tmp/test.txt
hello,test!
```

With the Puppet server and client both installed, the next step is the more detailed configuration.

2.6 Running the client as a daemon

Method one: start puppet in the background:

```
[root@client tmp]# puppetd --server server.puppet.com --verbose --waitforcert 60
```

Notes:

--server: the address of the master node.
--waitforcert: the interval at which the client re-checks the server for its certificate, 60 minutes.
--verbose: print verbose output (optional).

Method two: use crontab to run the sync on a schedule.

The Puppet configuration directory is laid out as follows:

```
conf
|-- manifests
|   |-- nodes.pp
|   `-- site.pp
|-- modules                 # module definitions
|   `-- users
|       |-- files
|       |-- manifests
|       |   |-- adduser.pp
|       |   |-- deluser.pp
|       |   |-- init.pp
|       |   |-- na.pp
|       |   `-- sa.pp
|       `-- templates
|           |-- caojin_authorized_keys.erb
|           `-- jiaxin_authorized_keys.erb
|-- puppet.conf             # main configuration file
```

3.3 User management module

Directory tree of the users module:

```
users
|-- files
|-- manifests
|   |-- adduser.pp          # class that adds users
|   |-- deluser.pp          # class that deletes users
|   |-- init.pp
|   |-- na.pp
|   `-- sa.pp
`-- templates
    |-- caojin_authorized_keys.erb   # user key
    `-- jiaxin_authorized_keys.erb   # user key
```

adduser.pp:

```puppet
class linux::adduser {
  # add_user creates the account, its home directory and its authorized_keys
  # file; the key material comes from templates/<userhome>_authorized_keys.erb.
  # username, useruid and userhome are required; usershell defaults to bash.
  define add_user($username, $useruid, $userhome, $usershell = '/bin/bash', $groups) {
    user { $username:
      uid    => $useruid,
      shell  => $usershell,
      groups => $groups,
      home   => "/home/$userhome",
    }
    # owner and group are the numeric uid; this assumes a group with the same
    # gid exists on the node
    file { "/home/$userhome":
      owner   => $useruid,
      group   => $useruid,
      mode    => '0700',
      ensure  => directory,
      require => User[$username];
    }
    file { "/home/$userhome/.ssh":
      owner   => $useruid,
      group   => $useruid,
      mode    => '0700',
      ensure  => directory,
      require => File["/home/$userhome"];
    }
    file { "/home/$userhome/.ssh/authorized_keys":
      owner   => $useruid,
      group   => $useruid,
      mode    => '0600',
      ensure  => present,
      content => template("users/${userhome}_authorized_keys.erb"),
      require => File["/home/$userhome/.ssh"];
    }
  }
}
```

deluser.pp:

```puppet
class linux::deluser {
  user { "caojin":
    ensure => absent,
  }
}
```

sa.pp:

```puppet
import "adduser.pp"

class linux::adduser::sa inherits linux::adduser {
  add_user { "jiaxin":
    useruid  => 2000,
    username => "jiaxin",
    userhome => "jiaxin",
    # the admin group differs between distributions
    groups   => $operatingsystem ? {
      'Ubuntu' => ["admin"],
      'CentOS' => ["wheel"],
      'RedHat' => ["wheel"],
      default  => ["wheel"],
    },
  }
}
```
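Because every add_user pulls the user's authorized_keys from templates/<userhome>_authorized_keys.erb, a missing template fails the catalog and a malformed or stray line in one ends up in a login key file on every host the class is applied to. The check below is an added example and not part of the post's module: it walks a users module laid out like the tree above, and for each userhome referenced in manifests/*.pp it requires the template to exist and every non-blank, non-comment line in it to look like an OpenSSH public key (key type, base64 blob, optional comment). check_users_module is a name chosen here, and it assumes the templates are plain key files without ERB tags, as in the post.

```shell
#!/bin/bash
# Added example: pre-push sanity check for a "users" module laid out like the
# tree above. Not part of the post's module; check_users_module is a name
# chosen here. Assumes the templates are plain authorized_keys files without
# ERB tags, as in the post.

# check_users_module MODULE_DIR
# For every userhome referenced by an add_user declaration in manifests/*.pp:
#   - templates/<userhome>_authorized_keys.erb must exist, and
#   - every non-blank, non-comment line in it must be an OpenSSH public key
#     (key type, base64 blob, optional comment).
# Returns 0 when everything passes, 1 otherwise (problems go to stderr).
check_users_module() {
  local moddir="$1" status=0 homes home tpl line
  # userhome values, one per line, as written in sa.pp: userhome => "jiaxin"
  homes=$(sed -n 's/.*userhome[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p' "$moddir"/manifests/*.pp) || return 1
  for home in $homes; do
    tpl="$moddir/templates/${home}_authorized_keys.erb"
    if [ ! -f "$tpl" ]; then
      echo "$home: missing template $tpl" >&2
      status=1
      continue
    fi
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        ''|'#'*) continue ;;
      esac
      if ! printf '%s\n' "$line" \
           | grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ].*)?$'; then
        echo "$tpl: line is not a public key: $(printf '%.40s' "$line")" >&2
        status=1
      fi
    done < "$tpl"
  done
  return "$status"
}
```

Usage: check_users_module /etc/puppet/modules/users before committing; a non-zero exit lists the template or line at fault. The regular expression deliberately rejects lines that carry a leading options field (for example a command= prefix), so a template that relies on such options needs the pattern extended rather than silently accepted.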
