puppet
I. Prerequisites

1. References: Alibaba "Feitian" 5K (阿里 飞天 5k); http://puppet.wikidoc.com; a web front-end management system (section VI); keepcache=1 to keep downloaded packages (see "Explanations" at the end).

2. Environment: Red Hat Enterprise Linux 6.4
       192.168.2.100   server100.example.com   server
       192.168.2.103   server103.example.com   client
       192.168.2.113   server113.example.com   client
   All hosts must be able to resolve each other's names.
   * iptables -F
   * getenforce shows Disabled
   * date (the clocks of all hosts must agree)
   * yum repository configuration (network installation; make sure the hosts can reach the network). The yum configuration on hosts 100, 103 and 113 is as follows:
   * vim /etc/yum.repos.d/rhel-source.repo
       [rhel-source]
       name=Red Hat Enterprise Linux $releasever - $basearch - Source
       baseurl=ftp://192.168.2.251/pub/rhel6.5
       enabled=1
       gpgcheck=1
       gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

       [puppet]
       name=puppet
       baseurl=http://yum.puppetlabs.com/el/6Server/products/x86_64/
       gpgcheck=0

       [ruby]
       name=ruby
       baseurl=http://yum.puppetlabs.com/el/6Server/dependencies/x86_64/
       gpgcheck=0
     Note: gpgcheck=0 means packages from the puppet and ruby repositories are installed without signature verification.

3. Installation
   On host 100 (server):
   * yum install -y puppet-server
       Error: Package: rubygem-json-1.5.5-1.el6.x86_64 (ruby)
              Requires: rubygems
     To resolve the error and the dependency, download rubygems-1.8.16-1.el6.noarch.rpm and install it:
   * yum localinstall -y rubygems-1.8.16-1.el6.noarch.rpm
   On hosts 103 and 113 (clients):
   * yum install -y puppet
     The same error and dependency appear; download rubygems-1.8.16-1.el6.noarch.rpm and install it:
   * yum localinstall -y rubygems-1.8.16-1.el6.noarch.rpm

4. Start the puppet service on host 100
   * touch /etc/puppet/manifests/site.pp
     Note: site.pp must exist before the puppetmaster service will start.
   * /etc/init.d/puppetmaster start
   Check that port 8140 is listening: netstat -antlpe

II. Manual and automatic certificate signing

1. Manual signing (the client sends a request; the server signs it manually)
   * On client 103, send the request:
       puppet agent --server server100.example.com --no-daemonize --verbose
       Info: Caching certificate for ca
       Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
       Info: Creating a new SSL certificate request for server103.example.com
       Info: Certificate Request fingerprint (SHA256): 54:D4:A2:AD:44:95:57:B0:F7:5E:74:8B:5B:9E:5B:E2:91:95:75:A7:B8:78:0E:C8:63:87:AC:D0:CF:98:71:2C
     Only after these messages appear can the request be signed on host 100.
   * On host 100, list the pending requests: puppet cert list
       "server103.example.com" (SHA256) 54:D4:A2:AD:44:95:57:B0:F7:5E:74:8B:5B:9E:5B:E2:91:95:75:A7:B8:78:0E:C8:63:87:AC:D0:CF:98:71:2C
     The fingerprint listed here must be the one the agent printed.
   * On host 100, sign the request: puppet cert sign server103.example.com
   * On host 103, wait a moment; the result appears:
       Notice: Finished catalog run in 0.10 seconds
     Then press Ctrl+C.

2. Automatic signing (the client sends a request; the server signs it automatically)
   * On host 100: vim /etc/puppet/puppet.conf (note: the setting goes under [main])
       [main]
       autosign = true
   * On host 100: vim /etc/puppet/autosign.conf
       *.example.com
   * On host 100: /etc/init.d/puppetmaster reload
   * On host 113, verify automatic signing (no action is needed on the server):
       puppet agent --server server100.example.com --no-daemonize --verbose
     Note: with this configuration every request whose certname matches *.example.com is signed without anyone checking its fingerprint.

III. Resource definitions
Note: all resources are defined in /etc/puppet/manifests/site.pp.

1. Defining a file
   * On host 100: vim /etc/puppet/manifests/site.pp
       file { "/tmp/test.file":
         content => "www.westos.org",
         mode    => "0600"
       }
     Note: separate multiple attributes with ",".
   Test on host 103
   * On host 103: puppet agent --server server100.example.com --no-daemonize --verbose
       Notice: /Stage[main]/Main/File[/tmp/test.file]/ensure: defined content as '{md5}d93485f9ba96d89495f1c3f6583ad624'
       Notice: Finished catalog run in 0.16 seconds
   * On host 103, check the result: cat /tmp/test.file
       www.westos.org
   Note 1: on host 103, change the content of /tmp/test.file to server103.example.com and run the agent again:
       puppet agent --server server100.example.com --no-daemonize --verbose
     Result: /tmp/test.file again contains www.westos.org. Conclusion: the content of /tmp/test.file is dictated by the server.
   Note 2: whether the file has been modified is decided by its md5 checksum (d93485f9ba96d89495f1c3f6583ad624 above); different content gives a different checksum. md5sum /tmp/test.file shows the checksum of the local file.

2. Defining a package, its configuration file and its service (on host 100)
   Notes:
   1) Make sure yum works on the client.
   2) The section added to fileserver.conf and the source in site.pp must agree (文件配置域 stands for the mount-point name you choose):
       * cat fileserver.conf
           [文件配置域]
           path /etc/puppet/files
           allow *.example.com
       * cat site.pp
           file { "/temp/vsftpd.conf":
             source => "puppet:///文件配置域/files"
           }
   3) In site.pp on the server the order is: install the package, deploy the configuration file, start the service. On the client the resources were applied in the order: install the package, start the service, deploy the configuration file. That is a problem, because the configuration file does not take effect.
   * Copy the file from 192.168.2.2 to host 100: scp httpd.conf root@192.168.2.100:/etc/puppet/files/
   * vim /etc/puppet/files/httpd.conf (edit the file for the test, so you can check on the client that the modified version arrived)
       Order allow,deny
       Allow from 192.168.2.2
   * mkdir /etc/puppet/files
   * vim /etc/puppet/fileserver.conf
       [httpdconf]
       path /etc/puppet/files
       allow *.example.com
   * vim /etc/puppet/manifests/site.pp
       package { "httpd":
         ensure        => installed,
         allow_virtual => false
       }
       file { "/etc/httpd/conf/httpd.conf":
         source => "puppet:///httpdconf/httpd.conf"
       }
       service { "httpd":
         ensure => running
       }
     Explanation: "puppet://" denotes the puppet server, just as "http://" denotes a web server.
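Before `puppet cert sign` in II.1 the operator compares the fingerprint the agent printed with the one `puppet cert list` shows. The following Python script, added here and not part of the original notes, automates that comparison from the two outputs (constructed below in the shapes quoted above) and models how an autosign.conf entry such as the `*.example.com` of II.2 matches certnames; the `*.domain` rule is an approximation assumed here, not Puppet's own matching code.

```python
"""Checks around Puppet certificate signing (sections II.1 and II.2).
Added example, not from the original notes.  Parses what `puppet agent
--verbose` prints on the client and what `puppet cert list` prints on the
master, so both fingerprints can be compared before `puppet cert sign`,
and models how an autosign.conf entry matches a requesting certname."""
import re

# Constructed sample output, shaped like the lines shown in section II.1.
AGENT_OUTPUT = """\
Info: Creating a new SSL certificate request for server103.example.com
Info: Certificate Request fingerprint (SHA256): 54:D4:A2:AD:44:95:57:B0:F7:5E:74:8B:5B:9E:5B:E2:91:95:75:A7:B8:78:0E:C8:63:87:AC:D0:CF:98:71:2C
"""
# Two pending requests on the master; the second one nobody asked for.
CERT_LIST_OUTPUT = """\
  "server103.example.com" (SHA256) 54:D4:A2:AD:44:95:57:B0:F7:5E:74:8B:5B:9E:5B:E2:91:95:75:A7:B8:78:0E:C8:63:87:AC:D0:CF:98:71:2C
  "unexpected.example.com" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

_AGENT_RE = re.compile(r"Certificate Request fingerprint \((\w+)\):\s*([0-9A-F:]+)")
_LIST_RE = re.compile(r'"([^"]+)"\s+\((\w+)\)\s*([0-9A-F:]+)')


def agent_fingerprint(agent_output):
    """(algorithm, fingerprint) the agent printed for its own CSR."""
    m = _AGENT_RE.search(agent_output)
    if m is None:
        raise ValueError("agent output contains no CSR fingerprint")
    return m.group(1), m.group(2)


def pending_requests(cert_list_output):
    """certname -> (algorithm, fingerprint), one entry per listed CSR."""
    return {name: (alg, fp) for name, alg, fp in _LIST_RE.findall(cert_list_output)}


def safe_to_sign(certname, agent_output, cert_list_output):
    """True only when the master's pending CSR for certname carries exactly the
    algorithm and digest the client reported; no such request, or a different
    fingerprint, means: do not sign."""
    return pending_requests(cert_list_output).get(certname) == agent_fingerprint(agent_output)


def autosign_matches(entry, certname):
    """Model of one autosign.conf line (assumed here, not Puppet's own code):
    an exact certname, or `*.domain`, which accepts any name under domain
    with nobody looking at the fingerprint."""
    entry, certname = entry.strip().lower(), certname.strip().lower()
    if entry.startswith("*."):
        return certname.endswith(entry[1:])
    return entry == certname
```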
   * /etc/init.d/puppetmaster reload
   Test on host 103
   * puppet agent --server server100.example.com --no-daemonize --verbose (run it twice: the first run reports errors but installs httpd successfully; see Troubleshooting, item 2)
   * Check that the file is the one configured on the server: cat /etc/httpd/conf/httpd.conf
       Order allow,deny
       Allow from 192.168.1.2

3. Defining a user (on host 100)
   * vim /etc/puppet/manifests/site.pp
       user { "user1":
         uid        => 800,
         provider   => useradd,
         managehome => true,
         ensure     => present,
         password   => "westos"
       }
   Test on host 103
   * puppet agent --server server100.example.com --no-daemonize --verbose
   * id user1
   * ll /home/user1
   * vim /etc/shadow
       user1:westos:16291:0:99999:7:::
     Note: as the shadow line shows, the password attribute is written into /etc/shadow verbatim; for an account that can actually log in, give the attribute an already hashed value rather than the clear text.

4. Defining a file system mount (on host 100)
   * vim /etc/puppet/manifests/site.pp
       file { "/public":
         ensure => directory
       }
       mount { "/public":
         device  => "192.168.2.251:/var/ftp/pub",
         fstype  => "nfs",
         options => "defaults",
         ensure  => mounted
       }
   Test on host 103
   * Before testing, make sure that:
     - mount.nfs is installed on host 103 (yum install -y mount.nfs, or install nfs-utils)
     - on 192.168.2.251, showmount -e shows: /var/ftp/pub/ *(ro)
     - on 192.168.2.251, the NFS service is running: /etc/init.d/nfs start
   * puppet agent --server server100.example.com --no-daemonize --verbose

5. Defining a crontab job (on host 100)
   * vim /etc/puppet/manifests/site.pp
       cron { "echo":
         command => "/bin/echo `/bin/date` >> /tmp/echo",
         user    => root,
         hour    => ['2-4'],
         minute  => '*/10'
       }
   Test on host 103
   * Before testing, make sure crond is running on host 103: /etc/init.d/crond start
   * puppet agent --server server100.example.com --no-daemonize --verbose
   * crontab -l shows the following (cat /var/spool/cron/root shows the same file):
       # HEADER: This file was autogenerated at Sat Aug 09 14:47:13 +0800 2014 by puppet.
       # HEADER: While it can still be managed manually, it is definitely not recommended.
       # HEADER: Note particularly that the comments starting with 'Puppet Name' should
       # HEADER: not be deleted, as doing so could cause duplicate cron jobs.
       # Puppet Name: echo
       */10 2-4 * * * /bin/echo `/bin/date` >> /tmp/echo

IV. Definitions for different nodes

1. On host 100
   * mkdir /etc/puppet/manifests/nodes
   * cp /etc/puppet/manifests/site.pp /etc/puppet/manifests/nodes/server103.pp
   * cp /etc/puppet/manifests/site.pp /etc/puppet/manifests/nodes/server113.pp
   * vim /etc/puppet/manifests/nodes/server103.pp
       node 'server103.example.com' {
         package { "httpd":
           ensure        => installed,
           allow_virtual => false
         }
         file { "/etc/httpd/conf/httpd.conf":
           source => "puppet:///httpdconf/httpd.conf"
         }
         service { "httpd":
           ensure => running
         }
         user { "user1":
           uid        => 800,
           provider   => useradd,
           managehome => true,
           ensure     => present,
           password   => "westos"
         }
       }
   * vim /etc/puppet/manifests/nodes/server113.pp
       node 'server113.example.com' {
         package { "httpd":
           ensure        => installed,
           allow_virtual => false
         }
         file { "/etc/httpd/conf/httpd.conf":
           source => "puppet:///httpdconf/httpd.conf"
         }
         service { "httpd":
           ensure => running
         }
         user { "user1":
           uid        => 800,
           provider   => useradd,
           managehome => true,
           ensure     => present,
           password   => "westos"
         }
       }
   * vim /etc/puppet/manifests/site.pp
       import "nodes/server103.pp"
       import "nodes/server113.pp"
     or, equivalently:
       import "nodes/*.pp"
   Test on hosts 103 and 113
   * On host 103: puppet agent --server server100.example.com --no-daemonize --verbose
   * On host 113: puppet agent --server server100.example.com --no-daemonize --verbose

V. Modules (on host 100)
   * mkdir -p /etc/puppet/modules/vsftpd/{files,manifests,templates}
   * vim /etc/puppet/modules/vsftpd/manifests/install.pp
       class vsftpd::install {
         package { "vsftpd":
           ensure        => present,
           allow_virtual => false
         }
       }
   * vim /etc/puppet/modules/vsftpd/manifests/config.pp
       class vsftpd::config {
         file { "/etc/vsftpd/vsftpd.conf":
           ensure  => present,
           source  => "puppet:///modules/vsftpd/vsftpd.conf",
           # alternative with a custom mount point:
           # source => "puppet:///文件配置域/modules/vsftpd/files/vsftpd.conf",
           mode    => "0600",
           require => Class["vsftpd::install"],
           notify  => Class["vsftpd::service"]
         }
       }
     Note: the actual path of the file is /etc/puppet/modules/vsftpd/files/vsftpd.conf.
     Note: if the commented-out source with a custom mount point is used, the configuration in /etc/puppet/fileserver.conf must match it:
       [文件配置域]
       path /etc/puppet/
   * vim /etc/puppet/modules/vsftpd/manifests/service.pp
       class vsftpd::service {
         service { "vsftpd":
           ensure  => running,
           require => Class["vsftpd::install", "vsftpd::config"]
         }
       }
   * vim /etc/puppet/modules/vsftpd/manifests/init.pp
       class vsftpd {
         include vsftpd::install, vsftpd::config, vsftpd::service
       }
   * Copy the file from host 192.168.2.2 to host 100:
       scp /etc/vsftpd/vsftpd.conf 192.168.2.100:/etc/puppet/modules/vsftpd/files/
   * chmod 644 /etc/puppet/modules/vsftpd/files/vsftpd.conf (so that the puppet user can read it: "other" gets read permission)
   * vim /etc/puppet/modules/vsftpd/files/vsftpd.conf
       anonymous_enable=NO
   * vim /etc/puppet/manifests/nodes/server113.pp
       node 'server113.example.com' {
         include vsftpd    # add the vsftpd module name to the existing node block
         ...
       }
   Test
   * On host 113: puppet agent --server server100.example.com --no-daemonize --verbose
   * On host 113: lftp localhost (login fails)
       lftp localhost:~> ls
       Interrupt
       lftp localhost:~> quit
   * On host 100: vim /etc/puppet/modules/vsftpd/files/vsftpd.conf
       anonymous_enable=YES
   * On host 113: puppet agent --server server100.example.com --no-daemonize --verbose
   * On host 113: lftp localhost (login succeeds)
       lftp localhost:~> ls
       drwxr-xr-x    2 0        0            4096 Feb 12  2013 pub
       lftp localhost:/> quit

Addendum: configuring virtual hosts with a template
   Do the following on the puppet server (this part was recorded on a different pair of hosts, server1 and server2):
   [root@server1 manifests]# vim /etc/puppet/manifests/nodes.pp
       node 'server2.example.com' {
         include httpd
         httpd::vhost { 'server2.example.com':      # creates virtual host server2.example.com
           domainname => "server2.example.com"
         }
         httpd::vhost { 'virtual.example.com':      # creates virtual host virtual.example.com; add more blocks for more virtual hosts
           domainname => "virtual.example.com"
         }
       }
   [root@server1 manifests]# vim /etc/puppet/modules/httpd/manifests/init.pp
       class httpd {
         include httpd::install, httpd::config, httpd::service
       }
       define httpd::vhost($domainname) {
         #file { "/etc/httpd/conf/httpd.conf":
         #  content => template("httpd/httpd.conf.erb")
         #}
         file { "/etc/httpd/conf.d/${domainname}_vhost.conf":
           #path    => '/etc/httpd/conf/httpd_vhost.conf',
           content => template("httpd/httpd_vhost.conf.erb"),
           require => Class["httpd::install"],
           notify  => Class["httpd::service"]
         }
         file { "/var/www/$domainname":
           ensure => directory
         }
         file { "/var/www/$domainname/index.html":
           content => $domainname
         }
       }
   [root@server1 manifests]# vim /etc/puppet/modules/httpd/manifests/config.pp
       class httpd::config {
         file { "/etc/httpd/conf/httpd.conf":
           ensure  => present,
           #source => "puppet:///modules/httpd/httpd.conf",
           content => template("httpd/httpd.conf.erb"),
           require => Class["httpd::install"],
           notify  => Class["httpd::service"]
         }
       }
   [root@server1 templates]# ls /etc/puppet/modules/httpd/templates
       httpd.conf.erb  httpd_vhost.conf.erb
   In the templates directory, httpd.conf.erb is the httpd configuration file with the .erb suffix added (template files must end in .erb); httpd_vhost.conf.erb is the virtual-host configuration file, with the following content:
   [root@server1 templates]# vim httpd_vhost.conf.erb
       <virtualhost *:80>
         servername <%= domainname %>
         documentroot /var/www/<%= domainname %>
         errorlog logs/<%= domainname %>_error.log
         customlog logs/<%= domainname %>_access.log common
       </virtualhost>

VI. Managing puppet through the web
   Explanation: a web interface shows the clients' information in a browser.

1. Installing Puppet Dashboard (on host 100)
   * yum install puppet-dashboard -y
     Resolving the dependency:
       Error: Package: puppet-dashboard-1.2.23-1.el6.noarch (puppet)
              Requires: rubygem(rake)
     Download rubygem-rake-0.9.2.2-40.el6sat.noarch.rpm and install it:
       rpm -ivh rubygem-rake-0.9.2.2-40.el6sat.noarch.rpm
   * yum install -y mysql-server mysql puppet-dashboard
   * /etc/init.d/mysqld start
   * mysql_secure_installation

2. Dashboard database configuration
   * vim /usr/share/puppet-dashboard/config/database.yml
       production:
         database: dashboard_production
         username: dashboard
         password: westos
         encoding: utf8
         adapter: mysql
     Delete the other sections that follow.

3. Database and tables needed by the dashboard
   * vim /usr/share/puppet-dashboard/config/add.sql
       CREATE DATABASE dashboard_production CHARACTER SET utf8;
       CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'westos';
       GRANT ALL PRIVILEGES ON dashboard_production.* TO 'dashboard'@'localhost';
   * mysql -pwestos < /usr/share/puppet-dashboard/config/add.sql
   * mysql -udashboard -pwestos (check that the database dashboard_production exists)
       mysql> show databases;
       +----------------------+
       | Database             |
       +----------------------+
       | information_schema   |
       | dashboard_production |
       +----------------------+

4. Time zone
   * vim /usr/share/puppet-dashboard/config/settings.yml
       time_zone: 'Beijing'
     The command rake time:zones:local lists the available zones:
       * UTC +08:00 *
       Beijing
       Chongqing
       Hong Kong

5. Creating the tables needed by the dashboard
   * rake RAILS_ENV=production db:migrate (database migration; it prints output like the following)
       == CreateNodeClassMemberships: migrating ======================================
       -- create_table(:node_class_memberships)
          -> 0.0765s
       == CreateNodeClassMemberships: migrated (0.0769s) =============================
       == CreateNodeGroups: migrating ================================================
       -- create_table(:node_groups)
          -> 0.0759s
       == CreateNodeGroups: migrated (0.0769s) =======================================

6. Starting the services
   * /etc/init.d/puppet-dashboard start
   * /etc/init.d/puppet-dashboard-workers start
   Note: chmod 666 /usr/share/puppet-dashboard/log/production.log: if the log file in that directory is needed, change its permissions so that puppet can write to it; the log /var/log/messages can be used instead.

7. Test: browse to 192.168.2.100:3000

8. Reporting the clients' run results to the web page (the client must sync manually)
   On host 100
   * vim /etc/puppet/puppet.conf
       [main]
       autosign = true
       reports = http
       reporturl = http://192.168.2.100:3000/reports
   * /etc/init.d/puppetmaster reload
   On hosts 103 and 113
   * vim /etc/puppet/puppet.conf
       [agent]
       report = true
   * puppet agent --server server100.example.com --no-daemonize --verbose
   Test: browse to 192.168.2.100:3000 and refresh.

9. Reporting the clients' run results to the web page (no manual sync: the client syncs automatically every 5 minutes)
   On hosts 103 and 113
   * vim /etc/sysconfig/puppet
       # The puppetmaster server
       PUPPET_SERVER=server100.example.com
   * /etc/init.d/puppet start
   * vim /etc/puppet/puppet.conf
       [agent]
       report = true
       runinterval = 300    # sync with the server every 5 minutes; the default is every half hour
   * /etc/init.d/puppet reload
   Test: browse to 192.168.2.100:3000, click "Enable autorefresh", then click a host name to see its run count.

Troubleshooting

1.
   In practice the hostname of a client is sometimes changed, in which case its certificate must be regenerated:
   * On host 100: puppet cert --clean server103.example.com
   * On host 103: rm -rf /var/lib/puppet/ssl/*
   * On host 103: puppet agent --server server100.example.com --no-daemonize --verbose

2. On host 103: puppet agent --server server100.example.com --no-daemonize --verbose
       Error: Could not set 'file' on ensure: cannot generate tempfile `/etc/httpd/conf/httpd.conf20140809-3221-1c8df00-9' at 10:/etc/puppet/manifests/site.pp
       Error: Could not set 'file' on ensure: cannot generate tempfile `/etc/httpd/conf/httpd.conf20140809-3221-1c8df00-9' at 10:/etc/puppet/manifests/site.pp
       Wrapped exception:
       cannot generate tempfile `/etc/httpd/conf/httpd.conf20140809-3221-1c8df00-9'
       Error: /Stage[main]/Main/File[/etc/httpd/conf/httpd.conf]/ensure: change from absent to file failed: Could not set 'file' on ensure: cannot generate tempfile `/etc/httpd/conf/httpd.conf20140809-3221-1c8df00-9' at 10:/etc/puppet/manifests/site.pp
       Error: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: httpd: unrecognized service
       Wrapped exception:
       Execution of '/sbin/service httpd start' returned 1: httpd: unrecognized service
       Error: /Stage[main]/Main/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: httpd: unrecognized service
   Cause: the first run reports errors because the files are not there yet, but httpd is installed successfully; on the second run httpd is already installed, so the files are all present. (The site.pp of III.2 declares no relationship between the three resources, so the file and the service were applied before the package; see note 3 in III.2.)
   Fix: run the agent once more:
       puppet agent --server server100.example.com --no-daemonize --verbose

Explanations

1. How to keep downloaded packages (for example the puppet-server and puppet packages)?
   * vim /etc/yum.conf
       [main]
       cachedir=/var/cache/yum/$basearch/$releasever
       keepcache=1
   * The puppet packages are then found under /var/cache/yum/x86_64/6Server/

Note: MySQL 5.1 packet-size problem. When importing data with a client, the import may abort with error code 1153 - Got a packet bigger than 'max_allowed_packet' bytes. It can be fixed with the following parameter (not encountered on rhel6.3):
   # vi /etc/my.cnf
       [mysqld]
       max_allowed_packet = 32M    # add this line
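Note 3 of III.2 and Troubleshooting item 2 describe what happens when site.pp declares no relationship between package, file and service, and the vsftpd module in V fixes this with require and notify. The following Python script, added here and not part of the original notes, pulls those metaparameters out of manifest text (the module's three classes embedded as a constructed string, and a variant of them with no relationships) and reports whether the declared graph forces the configuration file to be applied before the service; it is a model of the relationship graph, not Puppet's own dependency engine.

```python
"""Does the manifest force the config file before the service?  (III.2 note 3,
V, Troubleshooting 2.)  Added example, not from the notes; it reads only
`require`/`notify => Class[...]` metaparameters and models the graph."""
import re

# The vsftpd module of section V, condensed into one constructed string.
VSFTPD_MODULE = '''
class vsftpd::install { package { "vsftpd": ensure => present } }
class vsftpd::config { file { "/etc/vsftpd/vsftpd.conf":
    source  => "puppet:///modules/vsftpd/vsftpd.conf",
    require => Class["vsftpd::install"],
    notify  => Class["vsftpd::service"] } }
class vsftpd::service { service { "vsftpd": ensure => running,
    require => Class["vsftpd::install", "vsftpd::config"] } }
'''
# The same three resources with no relationships, like the site.pp of III.2.
UNRELATED = '''
class httpd::install { package { "httpd": ensure => installed } }
class httpd::config { file { "/etc/httpd/conf/httpd.conf": source => "puppet:///httpdconf/httpd.conf" } }
class httpd::service { service { "httpd": ensure => running } }
'''

_CLASS_RE = re.compile(r"class\s+([\w:]+)\s*\{(.*?)(?=\bclass\s+[\w:]+\s*\{|\Z)", re.S)
_REL_RE = re.compile(r"\b(require|notify)\s*=>\s*Class\[([^\]]*)\]")


def predecessors(manifest):
    """class -> set of classes that must be applied before it
    (`require => X`: X before me; `notify => Y`: me before Y)."""
    before = {}
    for name, body in _CLASS_RE.findall(manifest):
        before.setdefault(name, set())
        for kind, targets in _REL_RE.findall(body):
            for target in (t.strip().strip('"\'') for t in targets.split(",")):
                before.setdefault(target, set())
                if kind == "require":
                    before[name].add(target)
                else:
                    before[target].add(name)
    return before


def enforced_before(before, first, second):
    """True if the declared relationships force `first` before `second`
    (transitively); False means Puppet is free to pick either order."""
    seen, stack = set(), [second]
    while stack:
        for pred in before.get(stack.pop(), ()):
            if pred == first:
                return True
            if pred not in seen:
                seen.add(pred)
                stack.append(pred)
    return False
```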
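Note 2 in III.1 uses the md5 checksum the agent prints to tell whether a managed file was changed locally, and Troubleshooting item 2 shows what a failed run looks like. The following Python script, added here and not part of the original notes, turns the text of one `puppet agent --verbose` run (a constructed sample in the shapes quoted in those two places) into a summary of changed files with their checksums, failed resources and run time, and checks a file's current bytes against the logged checksum to spot drift.

```python
"""Summarise one `puppet agent --no-daemonize --verbose` run and check managed
files for drift (III.1 note 2, Troubleshooting 2).  Added example, not from
the original notes."""
import hashlib
import re

# Constructed sample run, shaped like the lines quoted in the notes.
RUN_LOG = """\
Notice: /Stage[main]/Main/File[/tmp/test.file]/ensure: defined content as '{md5}d93485f9ba96d89495f1c3f6583ad624'
Error: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: httpd: unrecognized service
Error: /Stage[main]/Main/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: httpd: unrecognized service
Error: /Stage[main]/Main/File[/etc/httpd/conf/httpd.conf]/ensure: change from absent to file failed: Could not set 'file' on ensure: cannot generate tempfile
Notice: Finished catalog run in 0.16 seconds
"""

_FILE_RE = re.compile(r"^Notice: /Stage\[[^\]]*\]/[^\[]*?File\[([^\]]+)\]/\w+: (.*)$")
_FAIL_RE = re.compile(r"^Error: /Stage\[[^\]]*\]/[^\[]*?(\w+\[[^\]]+\])/\w+: (.*)$")
_DONE_RE = re.compile(r"^Notice: Finished catalog run in ([\d.]+) seconds$")
_SUM_RE = re.compile(r"\{md5\}[0-9a-f]{32}")


def parse_run(text):
    """{'changed': {path: last checksum logged}, 'failed': {'Type[title]': msg},
    'other_errors': [msg], 'run_seconds': float or None}."""
    res = {"changed": {}, "failed": {}, "other_errors": [], "run_seconds": None}
    for line in text.splitlines():
        m = _FILE_RE.match(line)
        if m and _SUM_RE.search(m.group(2)):
            res["changed"][m.group(1)] = _SUM_RE.findall(m.group(2))[-1]  # 'A to B': keep B
            continue
        m = _FAIL_RE.match(line)
        if m:
            res["failed"][m.group(1)] = m.group(2)
        elif line.startswith("Error: "):
            res["other_errors"].append(line[len("Error: "):])
        else:
            m = _DONE_RE.match(line)
            if m:
                res["run_seconds"] = float(m.group(1))
    return res


def expected_checksum(content):
    """Checksum in the form the agent logs for a file's content."""
    return "{md5}" + hashlib.md5(content).hexdigest()


def drifted(content, logged_checksum):
    """True if the bytes now on disk no longer match what the agent wrote;
    the next run puts the server's version back (III.1 note 1)."""
    return expected_checksum(content) != logged_checksum
```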