Ops automation tool: Puppet

Case environment:
-----------------------------------------------------------------
Host            OS                  IP address        Main software
-----------------------------------------------------------------
puppetmaster    CentOS 6.5 x86_64   192.168.200.131   ruby-*, facter-1.7.1.tar.gz, puppet-2.7.21.tar.gz
puppetclient1   CentOS 6.5 x86_64   192.168.200.132   ruby-*, facter-1.7.1.tar.gz, puppet-2.7.21.tar.gz
puppetclient2   CentOS 6.5 x86_64   192.168.200.133   ruby-*, facter-1.7.1.tar.gz, puppet-2.7.21.tar.gz
NTP Server      CentOS 6.5 x86_64   192.168.200.134
================================================================================
Case implementation:
Step 1: Set up puppetmaster
1.1 Plan the server hostnames
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=master.test.cn
[root@localhost ~]# vi /etc/hosts
192.168.200.131 master.test.cn
192.168.200.132 client.test.cn
192.168.200.133 client133.test.cn
[root@localhost ~]# hostname master.test.cn
[root@localhost ~]# bash
1.2 Configure the NTP time server
1.2.1 NTP server configuration
[root@localhost ~]# yum -y install ntp
[root@localhost ~]# vi /etc/ntp.conf 
Add two lines:
server 127.127.1.0
fudge 127.127.1.0 stratum 8
[root@localhost ~]# service ntpd start
正在啓動 ntpd:                                            [肯定]
[root@localhost ~]# chkconfig ntpd on
1.2.2 Configure puppetmaster as an NTP client
[root@master ~]# yum -y install ntp
[root@master ~]# ntpdate 192.168.200.134
 7 Jan 22:43:18 ntpdate[3058]: adjust time server 192.168.200.134 offset 0.467919 sec
1.3 Install Ruby (note: the CentOS install media spans two discs; to run the installation below, mount both discs and point to their paths in the *.repo file)
[root@master ~]# yum -y install compat-readline5 ruby*
After installation, check the Ruby version
[root@master ~]# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
1.4 Install puppet and facter
[root@master ~]# useradd -s /sbin/nologin puppet
The facter tool is used to analyse the information sent over by the clients.
Install facter:
[root@master ~]# tar xf facter-1.7.1.tar.gz 
[root@master ~]# cd facter-1.7.1
[root@master facter-1.7.1]# ruby install.rb 
Install puppet:
[root@master facter-1.7.1]# cd
[root@master ~]# tar xf puppet-2.7.21.tar.gz 
[root@master ~]# cd puppet-2.7.21
[root@master puppet-2.7.21]# ruby install.rb 
Post-install adjustments:
[root@master puppet-2.7.21]# cp conf/redhat/fileserver.conf /etc/puppet/
[root@master puppet-2.7.21]# cp conf/redhat/puppet.conf /etc/puppet/
[root@master puppet-2.7.21]# cp conf/redhat/server.init /etc/init.d/puppetmaster
[root@master puppet-2.7.21]# chmod +x /etc/init.d/puppetmaster 
[root@master puppet-2.7.21]# mkdir /etc/puppet/manifests
[root@master puppet-2.7.21]# mkdir /etc/puppet/modules
Puppet service certificate request and signing:
(Note: in the production environment iptables is turned off on all hosts by default)
Master-side configuration:
[root@master puppet-2.7.21]# service iptables stop
Edit the configuration file
[root@master puppet-2.7.21]# vi /etc/puppet/puppet.conf 
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet
    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet
    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
    # Added line: module search path for the server
    # (puppet.conf comments start with '#'; the annotation is kept on its own line)
    modulepath = /etc/puppet/modules:/usr/share/puppet/modules
[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt
    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
-----------------------------------------------------------------
Start the puppet master daemon
[root@master puppet-2.7.21]# /etc/init.d/puppetmaster start
啓動 puppetmaster:                                        [肯定]
=======================================================================
Step 2: Set up puppetclient1 and puppetclient2
Configure puppetclient1 first
2.1 Plan the server hostname
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=client.test.cn
[root@localhost ~]# vi /etc/hosts
192.168.200.131 master.test.cn
192.168.200.132 client.test.cn
192.168.200.133 client133.test.cn
[root@localhost ~]# hostname client.test.cn
[root@localhost ~]# bash
[root@client ~]# 
2.2 Synchronise the server's time
[root@client ~]# ntpdate 192.168.200.134
 8 Jan 21:52:50 ntpdate[3244]: step time server 192.168.200.134 offset -28.886955 sec
2.3 Install Ruby
[root@client ~]# yum -y install compat-readline5 ruby*
After installation, check the Ruby version
[root@client ~]# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
2.4 Install puppet and facter
[root@client ~]# tar xf facter-1.7.1.tar.gz 
[root@client ~]# cd facter-1.7.1
[root@client facter-1.7.1]# ruby install.rb
[root@client facter-1.7.1]# cd
[root@client ~]# tar xf puppet-2.7.21.tar.gz 
[root@client ~]# cd puppet-2.7.21
[root@client puppet-2.7.21]# ruby install.rb
Post-install adjustments:
[root@client puppet-2.7.21]# cp conf/redhat/puppet.conf /etc/puppet/
[root@client puppet-2.7.21]# cp conf/redhat/client.init /etc/init.d/puppetclient
[root@client puppet-2.7.21]# chmod  +x /etc/init.d/puppetclient
Puppet service certificate request and signing:
(Note: in the production environment iptables is turned off on all hosts by default)
[root@client puppet-2.7.21]# service iptables stop
iptables:將鏈設置爲政策 ACCEPT:filter                    [肯定]
iptables:清除防火牆規則:                                 [肯定]
iptables:正在卸載模塊:                                   [肯定]
[root@client puppet-2.7.21]# chkconfig iptables off
[root@client puppet-2.7.21]# iptables -F
[root@client puppet-2.7.21]# setenforce 0
The operations are the same on 192.168.200.132 and 192.168.200.133, as follows
Edit the client configuration file
[root@client puppet-2.7.21]# vi /etc/puppet/puppet.conf 
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet
    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet
    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
    # Added line: the puppet master's domain name
    # (puppet.conf comments start with '#'; the annotation is kept on its own line)
    server = master.test.cn
[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt
    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
----------------------------------------------------------------------------
The puppetclient2 configuration is similar to puppetclient1; note that its hostname is changed to client133.test.cn
Request and registration:
Client side:
Register on puppetclient1 and puppetclient2 respectively
[root@client ~]# puppet agent --server=master.test.cn --no-daemonize --verbose
info: Creating a new SSL key for client.test.cn
info: Caching certificate for ca
info: Creating a new SSL certificate request for client.test.cn
info: Certificate Request fingerprint (md5): 91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64
puppet is now waiting for a job, but the request can already be seen on the server
Master side
List the clients that have requested registration
[root@master ~]# puppet cert --list
  "client.test.cn"    (91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64)
  "client133.test.cn" (CD:EE:80:26:D6:16:C3:D6:9F:7C:DD:14:A0:99:BA:C4)
Register the unregistered clients:
[root@master ~]# puppet cert sign --all
notice: Signed certificate request for client133.test.cn
notice: Removing file Puppet::SSL::CertificateRequest client133.test.cn at '/var/lib/puppet/ssl/ca/requests/client133.test.cn.pem'
notice: Signed certificate request for client.test.cn
notice: Removing file Puppet::SSL::CertificateRequest client.test.cn at '/var/lib/puppet/ssl/ca/requests/client.test.cn.pem'
Check the registered clients via the directory:
[root@master ~]# ll /var/lib/puppet/ssl/ca/signed/
總用量 12
-rw-r-----. 1 puppet puppet 1911 1月   8 22:21 client133.test.cn.pem
-rw-r-----. 1 puppet puppet 1907 1月   8 22:21 client.test.cn.pem
-rw-r-----. 1 puppet puppet 1976 1月   8 21:48 master.test.cn.pem
==================================================================
At this point the clients have completed certificate request and signing.
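The article signs every pending request with `puppet cert sign --all`. A request's certname is chosen by whoever submits it, so the fingerprint is the only thing tying a pending request to the machine an operator actually installed; a safer routine is to compare the fingerprint each agent printed on its own console (the `Certificate Request fingerprint` line above) with what `puppet cert --list` shows on the master and sign only the names that match. The script below is an added example, not part of the original article: its two input strings are constructed from the listing above, with client133's recorded fingerprint deliberately altered so that a mismatch is shown being refused, and `sign_verified` assumes it runs on the master where `puppet cert` is available.

```shell
#!/bin/sh
# Added example (not from the original article): sign only the pending Puppet
# CSRs whose fingerprint matches one recorded out-of-band from the agent's console.

# What `puppet cert --list` printed on the master (constructed sample, copied
# from the article's listing).
PENDING_LIST='  "client.test.cn"    (91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64)
  "client133.test.cn" (CD:EE:80:26:D6:16:C3:D6:9F:7C:DD:14:A0:99:BA:C4)'

# Fingerprints the operator copied from each agent's console, one
# "<certname> <fingerprint>" per line (constructed sample; client133's value is
# deliberately wrong here to demonstrate a refused mismatch).
EXPECTED='client.test.cn 91:DB:05:67:4E:E7:62:2B:2F:4C:8C:C6:03:48:7B:64
client133.test.cn 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# names_to_sign PENDING_TEXT EXPECTED_TEXT
# Prints one certname per line whose listed fingerprint equals the recorded one.
# Names with no record are skipped, mismatches are refused; both go to stderr.
names_to_sign() {
    printf '%s\n' "$1" |
    sed -n 's/^ *"\([^"]*\)" *(\([0-9A-Fa-f:]*\)).*$/\1 \2/p' |
    while read -r name fp; do
        want=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print toupper($2) }')
        if [ -z "$want" ]; then
            echo "SKIP $name: no recorded fingerprint" >&2
        elif [ "$(echo "$fp" | tr 'a-f' 'A-F')" = "$want" ]; then
            echo "$name"
        else
            echo "REFUSE $name: listed $fp does not match recorded $want" >&2
        fi
    done
}

# sign_verified RECORDED_FILE
# On the master: read the live pending list and sign only verified names,
# instead of `puppet cert sign --all`.
sign_verified() {
    names_to_sign "$(puppet cert --list)" "$(cat "$1")" | while read -r name; do
        puppet cert sign "$name"
    done
}
```

Run `names_to_sign "$PENDING_LIST" "$EXPECTED"` to see the sample decision (client.test.cn is printed, client133.test.cn is refused on stderr); on the master, `sign_verified /root/recorded-fingerprints.txt` does the same against the real pending list, with the file path being an assumed location.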
Step 3: Configuration example:
3.1 Configure a test node
Node information: /etc/puppet/manifests/nodes
Module information: /etc/puppet/modules
Example requirement: to protect the Linux SSH port against brute-force attacks, change the SSH port on all clients in bulk, 22 ---> 9922
Operations on the master side:
3.1.1 Create the required directories
[root@master ~]# mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}
[root@master ~]# mkdir /etc/puppet/manifests/nodes
[root@master ~]# mkdir /etc/puppet/modules/ssh/files/ssh
[root@master ~]# chown -R puppet /etc/puppet/modules/
[root@master ~]# ll /etc/puppet/modules/ssh/
總用量 12
drwxr-xr-x. 3 puppet root 4096 1月   8 22:46 files
drwxr-xr-x. 2 puppet root 4096 1月   8 22:46 manifests
drwxr-xr-x. 2 puppet root 4096 1月   8 22:46 templates
3.1.2 Create the module manifest install.pp
[root@master ~]# vi /etc/puppet/modules/ssh/manifests/install.pp
First make sure the SSH service is installed on the client
class ssh::install {
        package { "openssh":
                ensure => present,
        }
}
--------------------------------------------------------------------------
3.1.3 Create the module manifest config.pp
[root@master ~]# vi /etc/puppet/modules/ssh/manifests/config.pp
class ssh::config {
        # The file to be synchronised to the client
        file { "/etc/ssh/sshd_config":
                ensure => present,                  # make sure this file exists on the client
                owner => "root",
                group => "root",
                mode => "0600",
                # Sync the file from the server. This article never sets
                # $puppetserver, so the URL resolves to the agent's configured
                # master (puppet:///modules/ssh/ssh/sshd_config), as the
                # successful run in Step 4 shows.
                source => "puppet://$puppetserver/modules/ssh/ssh/sshd_config",
                # Call install.pp to make sure ssh is already installed
                require => Class["ssh::install"],
                # If config.pp changes, notify service.pp
                notify => Class["ssh::service"],
        }
}
-------------------------------------------------------------------------
3.1.4 Create the module manifest service.pp
[root@master ~]# vi /etc/puppet/modules/ssh/manifests/service.pp
class ssh::service {
        # Make sure ssh is running
        service { "sshd":
                ensure => running,
                # The service supports a status command, similar to service sshd status
                hasstatus => true,
                # The service supports a restart command, similar to service sshd restart
                hasrestart => true,
                enable => true,                     # start the service at boot
                require => Class["ssh::config"]     # make sure config.pp has been applied
        }
}
--------------------------------------------------------------------------
3.1.5 Create the module's main manifest init.pp
[root@master ~]# vi /etc/puppet/modules/ssh/manifests/init.pp
class ssh {
        include ssh::install,ssh::config,ssh::service
}
---------------------------------------------------------
Now /etc/puppet/modules/ssh/manifests contains four files
[root@master ~]# ll /etc/puppet/modules/ssh/manifests
總用量 16
-rw-r--r--. 1 root root 271 1月   8 22:58 config.pp
-rw-r--r--. 1 root root  60 1月   8 23:05 init.pp
-rw-r--r--. 1 root root  69 1月   8 22:52 install.pp
-rw-r--r--. 1 root root 159 1月   8 23:04 service.pp
-----------------------------------------------------
3.1.6 Create the centrally maintained sshd config file on the server
[root@master ~]# cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/
[root@master ~]# chown puppet /etc/puppet/modules/ssh/files/ssh/sshd_config
----------------------------------------------------------------
3.1.7 Create the test node manifest and include ssh in it
[root@master ~]# vi /etc/puppet/manifests/nodes/ssh.pp
node 'client.test.cn' {
        include ssh
}
node 'client133.test.cn' {
        include ssh
}
-----------------------------------------------
3.1.8 Load the test node into puppet, i.e. edit site.pp
[root@master ~]# vi /etc/puppet/manifests/site.pp
import "nodes/ssh.pp"
----------------------------------
3.1.9 Edit the sshd_config file maintained on the server
[root@master ~]# vi /etc/puppet/modules/ssh/files/ssh/sshd_config
Add one line:
Port 9922
-------------------------------------------------------------------
3.1.10 Restart puppet
[root@master ~]# /etc/init.d/puppetmaster restart
中止 puppetmaster:                                        [肯定]
啓動 puppetmaster:                                        [肯定]
-----------------------------------------------------------------------
Step 4: Test:
Client-initiated pull
Run the following command on 192.168.200.132
[root@client ~]# puppet agent -t
info: Caching catalog for client.test.cn
info: Applying configuration version '1420730314'
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: 
--- /etc/ssh/sshd_config 2013-11-23 06:40:03.000000000 +0800
+++ /tmp/puppet-file20150108-4788-pehloa-0 2015-01-08 23:18:36.011709007 +0800
@@ -11,6 +11,7 @@
 # default value.
 
 #Port 22
+Port 9922
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
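Review bot: after this hunk the only active Port directive is `Port 9922`, with `#Port 22` left commented out, so the sshd refresh scheduled right after it stops listening on 22 immediately. The article only gets away with that because iptables was stopped and `setenforce 0` was run on the clients in Step 2; on a client where either is still active, the new port would be unreachable and the only way back in would be the session already established on 22. Safer is to keep `Port 22` active beside `Port 9922` (sshd listens on every Port line), confirm 9922 is reachable, then drop 22 in a second run.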
info: FileBucket adding {md5}53ad75eb1f2269d23f6e4228353cbca3
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 53ad75eb1f2269d23f6e4228353cbca3
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: content changed '{md5}53ad75eb1f2269d23f6e4228353cbca3' to '{md5}3a2dee85056976947f1c154af9a0bf35'
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Class[Ssh::Service]
info: Class[Ssh::Service]: Scheduling refresh of Service[sshd]
notice: /Stage[main]/Ssh::Service/Service[sshd]: Triggered 'refresh' from 1 events
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.89 seconds
=======================================================================
At this point the run has completed successfully on the client. Verify as follows
[root@client ~]# grep "9922" /etc/ssh/sshd_config 
Port 9922
---------------------------------
Check whether the ssh service restarted and the port took effect
[root@client ~]# netstat -anpt |grep ssh
tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      5075/sshd           
tcp        0     52 192.168.200.132:22          192.168.200.102:49606       ESTABLISHED 3167/sshd           
tcp        0      0 :::9922                     :::*                        LISTEN      5075/sshd  
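The two manual checks above (grep for the Port line, netstat for the listener) are what an operator repeats on every client after a batch port change. The script below is an added example, not part of the original article, that automates them: it reads every active Port directive from an sshd_config (sshd listens on all of them and falls back to 22 when none is active) and compares that set with the ports sshd actually holds in LISTEN state in netstat output, failing if a configured port is not bound. Both inputs are constructed samples taken from the article's own output; on a real client feed it `/etc/ssh/sshd_config` and `netstat -anpt` instead.

```shell
#!/bin/sh
# Added example (not from the original article): verify that every port
# configured in sshd_config is actually bound by sshd after a Puppet run.

# Constructed sshd_config excerpt: the commented default plus the line Puppet added.
SAMPLE_CONFIG='# default value.

#Port 22
Port 9922
#AddressFamily any
#ListenAddress 0.0.0.0'

# Constructed `netstat -anpt` excerpt copied from the article's verification step.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      5075/sshd
tcp        0     52 192.168.200.132:22          192.168.200.102:49606       ESTABLISHED 3167/sshd
tcp        0      0 :::9922                     :::*                        LISTEN      5075/sshd'

# config_ports: read an sshd_config on stdin and print every active Port
# directive, one per line. Commented lines ("#Port 22") are ignored; if no Port
# line is active, sshd's compiled-in default 22 is printed instead.
config_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }')
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# listen_ports: read `netstat -anpt` output on stdin and print the distinct
# ports on which a sshd process is in LISTEN state (IPv4 and IPv6 sockets).
listen_ports() {
    awk '$6 == "LISTEN" && $7 ~ /\/sshd$/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# verify_sshd_ports CONFIG_TEXT NETSTAT_TEXT
# Succeeds only if every configured port is bound; reports each port on stdout
# and each failure on stderr.
verify_sshd_ports() {
    status=0
    for p in $(printf '%s\n' "$1" | config_ports); do
        if printf '%s\n' "$2" | listen_ports | grep -qx "$p"; then
            echo "OK   port $p configured and listening"
        else
            echo "FAIL port $p configured but sshd is not listening on it" >&2
            status=1
        fi
    done
    return $status
}
```

On a client, `verify_sshd_ports "$(cat /etc/ssh/sshd_config)" "$(netstat -anpt)"` returns non-zero when a port that sshd_config asks for is not bound, which is the case worth catching before the old port is removed from the config.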
-----------------------------------------------------------------------------------------------
Step 5: Server-push synchronisation
Use server-push mode for large-scale deployments.
Client side:
Changes on 192.168.200.133
5.1 Edit the configuration files:
[root@client ~]# vi /etc/puppet/puppet.conf 
Append the following line at the end (it makes the puppet agent listen on port 8139):
listen = true
auth.conf is the authentication configuration file; it defines authentication information and access permissions.
[root@client133 ~]# vi /etc/puppet/auth.conf
Add the following as the last line (it allows any server to push):
allow *
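Appending `allow *` as the last line of the stock auth.conf attaches it to the file's final catch-all stanza (`path /` with `auth any`), so every host holding a certificate signed by this CA, not only the master, may call any endpoint the agent exposes on port 8139, including the run trigger. The fragment below is an added example, not from the article: it grants the `/run` endpoint to the master's certname only and has to be inserted before that final `path /` stanza, because auth.conf applies the first matching rule. `master.test.cn` is the certname used in this article.

```text
# Added example (not from the article): restrict push triggers to the master.
# Place this stanza in the agent's /etc/puppet/auth.conf ahead of the final
# "path /" stanza, and leave that stanza without an "allow" line so that
# everything else stays denied.
path /run
method save
auth any
allow master.test.cn
```

With this in place `puppet kick client133.test.cn` from the master still works, while a run request from any other certificate holder is refused by the agent.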
5.2 Start the puppet client
[root@client133 ~]# /etc/init.d/puppetclient start
啓動 puppet:                                              [肯定]
------------------------------------------------------------------------
At this point the run has completed successfully on the client. Verify as follows
#Port 22
Port 9922
-----------------------------------------
[root@client133 ~]# netstat -anpt |grep "sshd"
tcp        0      0 0.0.0.0:9922                0.0.0.0:*                   LISTEN      3675/sshd           
tcp        0     52 192.168.200.133:22          192.168.200.102:49614       ESTABLISHED 2274/sshd           
tcp        0      0 192.168.200.133:22          192.168.200.102:61164       ESTABLISHED 2182/sshd           
tcp        0      0 :::9922                     :::*                        LISTEN      3675/sshd 
===================================================================================================
The master can also force a push
[root@master ~]# puppet kick client133.test.cn
Triggering client133.test.cn
Getting status
status is success
client133.test.cn finished with exit code 0
Finished
==========================================================
Source: http://www.benet.wang/%E6%9C%8D%E5%8A%A1%E6%90%AD%E5%BB%BA/4.html
