Puppet的工作原理让管理员只关注要管理的目标,而忽略实现细节。Puppet既可以在单机上使用,也可以在C/S结构中使用。在大规模使用puppet的情况下,通常采用C/S结构。在这个结构中,puppetclient只运行puppetclient,Puppetserver只运行puppetmaster。具体工作流程如图:环境使用四台服务器模拟搭建puppet环境,拓扑图如下:环境表实验步骤1.搭建PuppetMaster(1)规划三台服务器hostname[root@localhost~]#vim/etc/hostnamemaster.test.cn[root@localhost~]#vim/etc/hosts192.168.126.138master.test.cn192.168.126.148client01.test.cn192.168.126.158client02.test.cn(2)服务器时间同步因为puppet需要用到SSL证书,依赖时间同步,所以需要搭建NTP服务器1)搭建NTPServer[root@localhost~]#yuminstallntp-y[root@localhost~]#vim/etc/ntp.conf添加如下两行:server127.127.1.0#指定本地为时间源服务器fudge127.127.1.0stratum8其作用是使用本地时间作为NTP服务,提供NTP客户端时/etc/ntp.conf中定义的服务器不可用。2)启动ntp服务,设置开机自启动[root@localhost~]#systemctlstopfirewalld.service[root@localhost~]#systemctldisablefirewalld.service[root@localhost~]#setenforce0[root@localhost~]#systemctlstartntpd.service[root@localhost~]#systemctlenablentpd.service[root@localhost~]#ntpstat#synchronizedtoNTPserver(193.228.143.13)atstratum3timecorrecttowithin517mspollingserverevery64s3)puppetmaster作为NTP客户端配置[root@master~]#yuminstallntpdate-y[root@master~]#ntpdate192.168.126.1596Aug09:45:03ntpdate[3488]:adjusttimeserver192.168.126.159offset-0.072288sec#调整时间服务器192.168.126.159offset-0.072288sec4)配置YUM源[root@master~]#yuminstallel-release-y[root@master~]#yuminstallpuppet-server-y#安装puppetserver5)启动puppet主程序[root@master~]#systemctlstopfirewalld.service[root@master~]#systemctldisablefirewalld.service[root@master~]#setenforce0[root@master~]#systemctlstartpuppetmaster.service[root@master~]#systemctlenablepuppetmaster.service2。搭建puppetclient(两个客户端配置相同)1)通过域名puppetmaster[root@client01~]#pping通ingmaster.test.cnPINGmaster.test.cn(192.168.126.138)56(84)bytesofdata.64bytesfrommaster.test.cn(192.168.126.138):icmp_seq=1ttl=64time=1.06ms64bytesfrommaster.test.cn(192.168.126.138:icmp_seq)=2ttl=64time=3.27ms64bytesfrommaster.test.cn(192.168.126.138):icmp_seq=3ttl=64time=0.382ms64bytesfrommaster.test.cn(192.168.126.138):icmp_seq=4ttl=64time=0.660ms2)服务器时间同步[rootclient01~]#yuminstallntpdate-y[root@client01~]#vim/etc/ntp.confserver127.127.1.0#指定本地为时间源服务器fudge127.127.1.0stratum8[root@client01~]#ntpdate192.168.126.1596Aug10:01:12ntpdate[3303]:adjusttimeserver192.168.126.159offset-0.012348sec3)配置YUM源[root@client01~]#yuminstallel-release-y[root@client01~]#yuminstallpuppet-y#安装puppet客户端4)修改puppet配置文件/etc/puppet/puppet.conf[root@client01~]#vim/etc/puppet/puppet.conf[main]#ThePuppetlog目录.#默认值为'$vardir/log'.logdir=/var/log/puppet#保存PuppetPID文件的位置。#默认值为'$vardir/run'.rundir=/var/run/puppet#WhereSSLcertificatesarekept.#默认值是'$confdir/ssl'.ssldir=$vardir/sslserver=master.test.cn#添加puppetmaster的地址5)分别在puppetclient01和puppetclient01上注册[root@client01~]#puppeagent--server=master.test.cn--no-daemonize--verboseInfo:CreatinganewSSLkeyforclient01.test.cnInfo:CachingcertificateforcaInfo:csr_attributesfileloadingfrom/etc/puppet/csr_attributes.yamlInfo:CreatinganewSSLcertificaterequestforclient01.test.cnInfo:CertificateRequest1finger:3CertificateCRequestert6:5CertificateCRequestert6:5证书请求:16:9F:CE:F2:AD:D2:3F:56:C7:9B:D9:87:5C:F8:2D:30:7D:FE:49:66:46:2A:D9:FCInfo:Cachingcertificateforca6)查看申请注册的客户端[root@master~]#puppetcert--list"client01.test.cn"(SHA256)C1:1F:11:32:53:96:AA:91:16:9F:CE:F2:AD:D2:3F:56:C7:9B:D9:87:5C:F8:2D:30:7D:FE:49:66:46:2A:D9:FC"client02.test.cn"(SHA256)7C:C9:22:59:B2:1E:2B:F5:12:30:4D:88:D9:B1:AF:60:FE:02:65:77)是未注册的客户端注册[root@master~]#puppetcertsign--allNotice:Signedcertificaterequestforclient01.test.cn注意:移除filePuppet::SSL::CertificateRequestclient01.test.cnat'/var/lib/puppet/ssl/ca/requests/client01.test.cn.pem'Notice:Signedcertificaterequestforclient02.test.cnNotice:RemovingfilePuppet::SSL::CertificateRequestclient02.test.cnat'/var/lib/puppet/ssl/ca/requests/client02.test.cn.pem'8)查看注册客户端[root@master~]#ll/var/lib/puppet/ssl/ca/signed/总使用量12-rw-r--r--.1puppetpuppet1952August621:22client01.test.cn.pem-rw-r--r--.1puppetpuppet1952August621:22client02.test.cn.pem-rw-r--r--.1puppetpuppet2021August621:06master.test.cn.pem此时客户端已经完成证书申请和签名配置示例这里为了保护linuxssh端口,修改客户端client1的sshd端口,设置修改22端口为9922,实现重启工作。首先创建ssh模块。ssh模块下有三个文件:manifests、templates和files。manifests中包含一个init.pp文件,是模块的初始入口文件。当导入模块时,它将从init.pp开始执行。所有的代码都可以写在init.pp中,也可以分成多个pp文件,init会包含其他文件。定义类名时,必须是ssh,这样才能实现调用。文件目录是模块的文件分布目录。Puppet提供了一种文件分发机制,类似于rsync模块。templates目录包含erb模型文件,这些文件与文件资源的模板属性有关,但很少使用。具体配置如下:1)创建必要的目录:[root@master~]#cd/etc/puppet/[root@masterpuppet]#mkdir-pmodules/ssh/{manifests,templates,files}[root@masterpuppet]#mkdirmanifests/nodes[root@masterpuppet]#mkdirmodules/ssh/files/ssh[root@masterpuppet]#chown-Rpuppetmodules/#修改权限2)查看/etc/puppet/modules/ssh目录下的结构[root@masterpuppet]#llmodules/ssh/Totalusage0drwxr-xr-x.3puppetroot17August621:32filesdrwxr-xr-x.2puppetroot6August621:31manifestsdrwxr-xr-x.2puppetroot6August621:31templates3)创建模块配置文件install.pp[root@masterpuppet]#vim/etc/puppet/modules/ssh/manifests/install.pp输入以下信息(首先确保客户端已经安装了ssh服务):classssh::install{package{"openssh":ensure=>present,}}4)创建模块配置文件config.pp[root@masterpuppet]#vim/etc/puppet/modules/ssh/manifests/config.ppclassssh::config{file{"/etc/ssh/sshd_config":#配置客户端需要同步的文件ensure=>present,#确认客户端中有这个文件owner=>"root",#fileownergroup=>"root",#filegroupmode=>"0600",#文件权限属性source=>"puppet://$puppetserver/modules/ssh/ssh/sshd_config",#从服务器同步文件require=>Class["ssh::install"],#调用install.pp确认ssh已经安装notify=>Class["ssh::service"],#ifconfig.pp发生变化,通知service.pp}}5)创建模块配置文件service.pp[root@masterpuppet]#vim/etc/puppet/modules/ssh/manifests/service.ppclassssh::service{service{"sshd":ensure=>running,#确认ssh正在运行hasstatus=>true,#puppet这个服务支持status命令,类似servicesshdstatushasrestart=>true,#puppet这个服务支持重启,类似servicesshdrestartenable=>true,#是否是服务器启动require=>Class["ssh::config"]#Confirmconfig.ppcall}}6)创建模块主配置文件init.pp[root@masterpuppet]#vim/etc/puppet/modules/ssh/manifests/init.ppclassssh{includessh::install,ssh::config,ssh::service#加载配置文件到ssh类中}7)此时/etc/puppet/models/ssh/mainfests中有四个文件目录[root@masterpuppet]#ll/etc/puppet/modules/ssh/manifests/totalusage16-rw-r--r--.1rootroot2488-621:40config.pp-rw-r--r--.1rootroot608-621:46init.pp-rw-r--r--.1rootroot648month621:38install.pp-rw-r--r--.1rootroot1658month621:42service.pp8)由于server和clientsshs建立server端ssh统一维护文件_config文件默认相同。此时将服务器的/etc/ssh/sshd_config复制到模块默认路径下[root@masterpuppet]#cp/etc/ssh/sshd_config/etc/puppet/modules/ssh/files/ssh/[root@masterpuppet]#chown-Rpuppet/etc/puppet/modules/ssh/files/ssh/#修改权限9)创建测试节点配置文件,加载ssh进去。[root@masterpuppet]#vim/etc/puppet/manifests/nodes/ssh.ppnode'client01.test.cn'{includessh}node'client02.test.cn'{includessh}10)将测试节点加载到puppet中,即修改site.pp。[root@masterpuppet]#vim/etc/puppet/manifests/site.ppimport"nodes/ssh.pp"11)修改服务器维护的sshd_config配置文件[root@masterpuppet]#vim/etc/puppet/modules/ssh/files/ssh/sshd_configPort22#Changeto992212)重启puppet服务[root@masterpuppet]#systemctlrestartpuppetmaster.service2.客户端主动拉取一般在小规模的自动化集群中。如果服务上线时需要重启代码,为了防止网站暂时无法访问的问题,每个客户端运行一次puppetagent-t命令,选择方式根据客户端集群大小.根据经验,一般puppetserver会和每个client建立ssh信任,然后自定义shell脚本,ssh允许client批量执行puppet同步命令。1)Client01:[root@client01~]#puppetagent-t....//省略Notice:/Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content:---/etc/ssh/sshd_config2017-08-0710:28:25.000000000+0800+++/tmp/puppet-file20180806-5162-jc80yr2018-08-0622:25:58.726506429+0800@@-14,7+14,7@@#SELinuxaboutthischange.#semanageport-a-tssh_port_t-ptcp#PORTNUMBER#-#Port22+Port9922#AddressFamilyany#ListenAddress0.0.0.0#ListenAddress::.....//省略Client02:...//省略注意事项:/Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content:---/etc/ssh/sshd_config2017-08-0710:28:25.000000000+0800+++/tmp/puppet-file20180806-4667-149tj112018-08-0622:27:39.362282788+0800@@-14,7+14,7@@#SELinuxaboutthischange.#semanageport-a-tssh_port_t-ptcp#PORTNUMBER#-#Port22+Port9922#AddressFamilyany#ListenAddress0.0.0.0#ListenAddress::...//省略2)此时在client端成功执行命令,验证如下:[root@client01~]#cat/etc/ssh/sshd_config|grepPortPort9922#GatewayPortsno3)检查是否er服务端ssh服务重启,端口是否有效。[root@client01~]#netstat-tunlp|grepsshtcp000.0.0.0:99220.0.0.0:*LISTEN5428/sshdtcp600:::9922:::*LISTEN5428/sshd3。服务器推送同步1)大规模部署时,使用服务器推送方式。client:[root@client02~]#vim/etc/puppet/puppet.conf最后一行添加listen=true#让puppet监听8139端口2)验证配置文件auth.conf定义了一些验证信息和访问权限[root@client02~]#vim/etc/puppet/auth.conf最后一行加入allow*#Allowanyserverpush3)启动puppetclient[root@client02~]#systemctlstartpuppetagent.service[root@client02~]#cat/etc/ssh/sshd_config#View……//省略Port9922#AddressFamilyany#ListenAddress0.0.0.0#ListenAddress::……//省略4)开始向客户端推送Master:[root@masterpuppet]#puppetkickclient02.test.cnTriggeringclient02.test.cnGettingstatusstatusissuccessclient02.test.cnfinishedwithxitcode0Finished5)验证结果如下[root@masterpuppet]#cat/etc/ssh/sshd_config|grepPort#Port22#GatewayPortsno6)检查服务器是否有ssh服务是否重启以及端口是否有效。[root@client02~]#netstat-tunlp|grepsshtcp000.0.0.0:99220.0.0.0:*LISTEN4908/sshdtcp600:::9922:::*LISTEN4908/sshd实验成功,仅供参考。
