(?) Enterprise section: Puppet


Prerequisites: every host must be able to resolve the others' names (the agent connects to server1.example.com by name, and the certificate it requests is issued for its own fully qualified hostname), and the clocks must be synchronized (certificate validity is checked against the local clock, so a skewed clock makes a freshly issued certificate look not yet valid or already expired).

 

Three virtual machines are needed: server1 (the puppet master), server2 and server3 (agents).

server1: 1024 MB of RAM

server2/server3: 512 MB of RAM each

 

Required packages (in the update directory):

 

1. Environment setup

server1

cd update/

yum install -y puppet-server-3.8.1-1.el6.noarch.rpm puppet-3.8.1-1.el6.noarch.rpm facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm ruby-augeas-0.4.1-3.el6.x86_64.rpm rubygems-1.3.7-5.el6.noarch.rpm

 

/etc/init.d/puppetmaster start

 

ls /etc/puppet/    ## the master's configuration directory: puppet.conf, auth.conf, fileserver.conf, manifests/, modules/

 

 

server2/server3

cd update/

yum install -y puppet-3.8.1-1.el6.noarch.rpm facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm ruby-augeas-0.4.1-3.el6.x86_64.rpm rubygems-1.3.7-5.el6.noarch.rpm

 

ls /etc/puppet/    ## the agent side holds only puppet.conf and auth.conf; compare with the master's directory

 

2. Certificates

server1

puppet cert list    ## lists the certificate requests waiting to be signed; none yet

puppet cert list --all    ## lists every certificate the master's CA knows about; signed ones are marked with +

On server2: puppet agent --server server1.example.com --no-daemonize -vt    ## --no-daemonize keeps the agent in the foreground, -v is verbose, -t is a single test run. On this first run the agent generates its private key, submits a certificate request to the master and stops, because the request has not been signed yet.

puppet cert list    ## server2.example.com now shows up as pending, together with the fingerprint of its request

puppet cert sign server2.example.com    ## sign the request. Check first that this fingerprint matches the one the agent printed on server2: this manual signing step is the only point at which a host's identity is actually verified.

puppet cert list --all    ## server2.example.com is now signed (+)

On server2: puppet agent --server server1.example.com --no-daemonize -vt    ## this run fetches the signed certificate and applies the (still empty) catalog

 

3. Automatic certificate signing

vim /etc/puppet/puppet.conf

Add autosign = true under [main].

Caveat: autosign = true makes the master sign every request it receives, whatever name the requester claims, and the autosign.conf whitelist below is then ignored. The autosign setting accepts true, false or the path of a whitelist file; to actually enforce the whitelist, set autosign = /etc/puppet/autosign.conf (this is the default location, so simply creating the file without touching puppet.conf also works).

Create /etc/puppet/autosign.conf with the following content:

*.example.com

The agent chooses its own certname, so this whitelist only restricts the name a requester may claim, not who the requester is: any host that can reach the master and presents a *.example.com name gets signed.

/etc/init.d/puppetmaster reload

On server3: puppet agent --server server1.example.com --no-daemonize -vt    ## the request is signed during this run and the catalog is applied immediately

puppet cert list --all    ## server3.example.com is already signed (+) without a manual step

 

3. Deleting a certificate (re-issuing it)

server1

puppet cert clean server2.example.com    ## revokes server2's certificate (it is added to the master's CRL) and removes its files from the master

server2

cd /var/lib/puppet/ssl/

rm -rf *    ## removes the agent's private key and old certificate, but also its copy of the CA certificate and CRL; on the next run the agent downloads a CA certificate from whatever answers as server1.example.com and trusts it unconditionally

puppet agent --server server1.example.com --no-daemonize -vt    ## a new key and a new request are generated; because of the autosign configuration the request is signed automatically

 

4. Puppet resource definitions

server1

vim /etc/puppet/manifests/site.pp    ## resources declared here outside any node block apply to every agent that has a signed certificate

file {
        '/tmp/testfile':
        content => 'www.westos.org',
        mode    => '0600',    ## quote the mode: Puppet 3.8 still accepts a bare 600, later versions reject it
        owner   => puppet,
        group   => puppet
}

 

 

server2

puppet agent --server server1.example.com --no-daemonize -vt

ll /tmp/testfile    ## -rw------- puppet puppet, containing www.westos.org

 

server1

cd /etc/puppet/

mkdir files

cp /etc/passwd files/

vim fileserver.conf

Append the following at the end:

[files]
path /etc/puppet/files
allow *.example.com

## [files] is the mount point name used in puppet:///files/... URLs. allow *.example.com lets every agent with a signed certificate in that domain read anything under /etc/puppet/files, so do not place secrets there.

/etc/init.d/puppetmaster reload

vim /etc/puppet/manifests/site.pp

Append the following after the existing content:

file {
        '/tmp/passed':
        source => 'puppet:///files/passwd'    ## fetched from the [files] mount point defined in fileserver.conf
}

 

server2

puppet agent --server server1.example.com --no-daemonize -vt

ll /tmp/passed    ## a copy of the master's /etc/passwd

 

server1

vim /etc/puppet/manifests/site.pp

Append the following after the existing content:

package {
        'httpd':
        ensure => present
}

service {
        'httpd':
        ensure  => running,
        require => Package['httpd']    ## the package must be installed before the service is started
}

server2

rpm -q httpd    ## not installed yet

puppet agent --server server1.example.com --no-daemonize -vt

rpm -q httpd    ## now installed

/etc/init.d/httpd status    ## running

 

5. Creating a user

server1

vim /etc/puppet/manifests/site.pp

Append the following after the existing content:

user { "test":
        uid        => 900,
        home       => "/home/test",
        shell      => "/bin/bash",
        provider   => useradd,
        managehome => true,
        ensure     => present,
        password   => westos    ## written verbatim into the hash field of /etc/shadow; see the result below
}

server2

puppet agent --server server1.example.com --no-daemonize -vt

tail -n 3 /etc/passwd    ## the test user exists with uid 900

tail -n 3 /etc/shadow    ## the password field contains the literal string westos. Puppet's password attribute expects an already-hashed value (ruby-shadow, installed in step 1, is what lets the provider write /etc/shadow); an unhashed value is not a valid hash, so nobody can log in with it.

## Storing the password hashed ##

server1

vim /etc/puppet/manifests/site.pp

Comment out the line password => westos.

Append the following after the existing content:

exec {
      'echo westos | passwd --stdin test':
      path   => "/usr/bin:/bin",
      onlyif => 'id test'    ## only checks that the user exists, so the command runs on every agent run
}

## Caveat: the plaintext password is now in the manifest, in every catalog compiled from it and on the agent's command line. Giving the user resource a crypt hash in its password attribute avoids all of that.

server2

puppet agent --server server1.example.com --no-daemonize -vt

tail -n 3 /etc/shadow    ## the password field now holds the hash produced by passwd
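
Instead of the exec above, the user resource's password attribute can carry a proper crypt hash, which keeps the plaintext out of the manifest and the catalog and makes the resource idempotent. The Ruby below is an added example for this page (not from the original post or from Puppet): it produces a SHA-512 crypt ($6$) hash through the system crypt(3), which glibc on RHEL/CentOS 6 supports, checks a password against such a hash the way login does, and prints the matching user resource. The function names and the 16-character salt are the example's own choices.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original page: generate the hashed value that the
# user resource's password attribute expects, and emit the resource.
require 'securerandom'

SALT_RE = %r{\A[./0-9A-Za-z]{1,16}\z}

# SHA-512 crypt ("$6$") via the system crypt(3). glibc (RHEL/CentOS 6 included)
# supports it; rounds: raises the work factor above the default of 5000.
def sha512_crypt(password, salt = SecureRandom.alphanumeric(16), rounds: nil)
  raise ArgumentError, 'salt must be 1-16 chars of [./0-9A-Za-z]' unless salt.match?(SALT_RE)
  setting = rounds ? "$6$rounds=#{rounds}$#{salt}$" : "$6$#{salt}$"
  hash = password.crypt(setting)
  # A platform whose crypt(3) lacks $6$ silently returns a DES hash instead; refuse it.
  raise 'crypt(3) on this platform does not support SHA-512' unless hash.start_with?(setting)
  hash
end

# What login/PAM does: crypt the candidate with the stored hash as the setting
# (that reuses its id, rounds and salt) and compare the full result.
def password_matches?(password, stored_hash)
  password.crypt(stored_hash) == stored_hash
end

# The resource from the page with the hash in place of the plaintext. Single
# quotes matter: in a double-quoted Puppet string "$6" would be interpolated.
def user_resource(name, uid, stored_hash)
  <<~PP
    user { '#{name}':
      ensure     => present,
      uid        => #{uid},
      home       => '/home/#{name}',
      shell      => '/bin/bash',
      provider   => useradd,
      managehome => true,
      password   => '#{stored_hash}',
    }
  PP
end

if $PROGRAM_NAME == __FILE__
  hash = sha512_crypt(ARGV.fetch(0, 'westos'))
  puts user_resource('test', 900, hash)
end
```

Run it on the master with the password as its argument and paste the output into site.pp; the plaintext never leaves the master's shell, and the agent applies the hash only when /etc/shadow differs from it. ruby-shadow, installed in step 1, is what allows the useradd provider to write the hash.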

 

6. Mounting an NFS export

server1

vim /etc/puppet/manifests/site.pp

Comment out the whole exec block.

Change the package block to:

package {
        ['httpd','nfs-utils']:    ## nfs-utils provides the NFS client that the mount resource needs
        ensure => present
}

And append the following after the existing content:

file { "/public":
        ensure => directory    ## the mount point has to exist before it can be mounted
}

mount { "/public":
        device  => "172.25.45.250:/mnt",
        fstype  => "nfs",
        options => "defaults",
        ensure  => mounted    ## mounted: the entry is written to /etc/fstab and the filesystem is mounted now
}

 

[physical host, 172.25.45.250, acting as the NFS server]

systemctl status nfs

systemctl start nfs

server2

puppet agent --server server1.example.com --no-daemonize -vt

The mount fails. It is not a permissions problem (it still fails after the permissions are fixed); some forum threads point to the source port instead:

I googled and found that since the port is over 1024 I needed to add the "insecure" option to the relevant line in /etc/exports on the server. Once I did that (and ran exportfs -r), the mount -a on the client worked.

// That is: when the client's source port is above 1024, the insecure option has to be added to the relevant line in /etc/exports before the client's mount succeeds.

Look up the secure option in the exports manual page:

man exports

// secure requires that requests originate from a source port below 1024 (behind NAT the port is generally above 1024); it is on by default and is turned off with the insecure flag. Note that a privileged source port is not authentication: all it proves is that a root process on the client sent the request, and it says nothing about which client that is.

So the fix is to add the insecure option to /etc/exports.

[physical host]

vim /etc/exports

Add the following:

/mnt  *(insecure,rw,async,no_root_squash)

## This export is reachable read-write by every host on the network, from any source port, and remote root keeps root privileges on it (no_root_squash). For the lab it does the job; anywhere else restrict the client list to the agents' addresses and keep the default root_squash.

systemctl restart nfs    // restart the service (exportfs -r would re-export without a restart)

server2

puppet agent --server server1.example.com --no-daemonize -vt

df    ## 172.25.45.250:/mnt is mounted on /public

vim /etc/fstab    ## the mount resource also added the persistent entry
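
The export line above is the weakest one possible: everything that can reach the server gets read-write access from any source port, with remote root mapped to root. The Ruby below is an added example for this page (not from the original post or from nfs-utils): it parses /etc/exports lines and flags exactly those options. It is exercised on a constructed copy of the page's line and on a hardened alternative that assumes the agents live in 172.25.45.0/24 (an assumption; substitute the real client addresses). The function and struct names are the example's own.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original page: audit /etc/exports for the
# options that make an export world-reachable and root-writable.
Export = Struct.new(:path, :host, :options)

# /etc/exports syntax: <path> <client>(<opt>,<opt>) [<client>(...)] ; '#' starts a comment.
# A missing client spec, or a bare "*", means every host.
def parse_exports(text)
  text.each_line.flat_map do |raw|
    line = raw.sub(/#.*/, '').strip
    next [] if line.empty?
    path, *clients = line.split(/\s+/)
    clients = ['*'] if clients.empty?
    clients.map do |spec|
      m = spec.match(/\A([^(]*)(?:\((.*)\))?\z/) or raise ArgumentError, "bad client spec #{spec}"
      host = m[1].empty? ? '*' : m[1]
      Export.new(path, host, (m[2] || '').split(',').map(&:strip))
    end
  end
end

# Problems with one export; empty when nothing stands out.
def export_findings(e)
  opts = e.options
  findings = []
  if e.host == '*'
    findings << "#{e.path}: exported to every host that can reach the server"
  elsif e.host.include?('*')
    findings << "#{e.path}: hostname wildcard #{e.host} is matched via reverse DNS, which is not authentication"
  end
  if opts.include?('insecure')
    findings << "#{e.path}: insecure accepts requests from unprivileged source ports, so a non-root process speaking NFS directly can mount it"
  end
  if opts.include?('no_root_squash')
    findings << "#{e.path}: no_root_squash lets remote root read and write as root on the export"
  end
  if e.host.include?('*') && opts.include?('rw')
    findings << "#{e.path}: writable (rw) by a wildcard host"
  end
  findings
end

def audit_exports(text)
  parse_exports(text).flat_map { |e| export_findings(e) }
end

if $PROGRAM_NAME == __FILE__
  problems = audit_exports($stdin.read)   # e.g.  ruby exports_audit.rb < /etc/exports
  puts problems
  exit(problems.empty? ? 0 : 1)
end
```

The page's line yields four findings; a line such as /mnt 172.25.45.0/24(rw,sync,root_squash) yields none, because the default secure and root_squash are kept and only the agents' subnet is listed. Even then the NFSv3 model trusts the client's claimed uid, so the export is only as safe as the hosts allowed to mount it.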

 

7. Cron jobs

server1

vim /etc/puppet/manifests/site.pp

Append the following after the existing content:

cron { echo:
        command => "/bin/echo `/bin/date` >> /tmp/echo",    ## the backticks reach the crontab literally and are expanded by cron's shell at run time
        user    => root,
        hour    => ['2-4'],
        minute  => '*/10'    ## every 10 minutes from 02:00 to 04:59
}

server2

puppet agent --server server1.example.com --no-daemonize -vt

/etc/init.d/crond status    ## crond must be running for the job to fire

cd /var/spool/cron/

cat root    ## same as crontab -l; the entry is preceded by a "# Puppet Name: echo" marker line that Puppet uses to find and manage it

 

7. Node definitions

server1 (in /etc/puppet/manifests)

mkdir nodes

cp site.pp nodes/server2.pp

cp site.pp nodes/server3.pp

vim site.pp

Comment out the existing content and add at the very top: import 'nodes/*.pp'    ## import still works in 3.8 but is deprecated; with node blocks in place, each block applies only to the agent whose certname it names

cd nodes/

vim server2.pp

Change the content to:

node 'server2.example.com' {

package {
        'httpd':
        ensure => present
}

service {
        'httpd':
        ensure  => running,
        require => Package['httpd']
}

}

vim server3.pp

Change the content to:

node 'server3.example.com' {

package {
        'httpd':
        ensure => present
}

service {
        'httpd':
        ensure  => stopped,
        require => Package['httpd']
}

}

server2/server3

puppet agent --server server1.example.com --no-daemonize -vt

/etc/init.d/httpd status    ## running on server2, stopped on server3

 

 

8. Writing a vsftpd module

server1

cd /etc/puppet/modules/

mkdir vsftpd

cd vsftpd

mkdir files

cd files/

yum install -y vsftpd    ## installed on the master only to obtain a stock vsftpd.conf

cp /etc/vsftpd/vsftpd.conf .

rpm -e vsftpd

ll vsftpd.conf    ## mode is 600, owned by root

chmod 644 vsftpd.conf    ## the master serves files as the puppet user, which cannot read a root-owned 600 file

vim vsftpd.conf

Change the value of anonymous_enable (line 12) to NO.

md5sum vsftpd.conf    ## differs from the stock file's checksum (anonymous_enable=YES); the agent compares checksums to decide whether to replace its copy

 

cd ..

touch install.pp config.pp service.pp init.pp

 

vim install.pp

Content:

class vsftpd::install {
        package {
        'vsftpd':
        ensure => present
}
}

vim config.pp

Content:

class vsftpd::config {
        file {
        '/etc/vsftpd/vsftpd.conf':
        source  => 'puppet:///modules/vsftpd/vsftpd.conf',    ## served from the module's files/ directory
        mode    => '0600',
        require => Class['vsftpd::install'],    ## the package creates /etc/vsftpd first
        notify  => Class['vsftpd::service']    ## a changed config file restarts the service
}
}

vim service.pp

Content:

class vsftpd::service {
        service {
        'vsftpd':
        ensure  => running,
        require => Class['vsftpd::install','vsftpd::config']
}
}

vim init.pp

Content:

class vsftpd {
        include vsftpd::install,vsftpd::config,vsftpd::service
}

 

 

cd /etc/puppet/manifests/nodes

vim server2.pp

Add the line include vsftpd just below node 'server2.example.com' {

server2

puppet agent --server server1.example.com --no-daemonize -vt

Error: the master cannot find class vsftpd.

Cause and fix: the autoloader only looks for a module's classes under <module>/manifests/ (class vsftpd in init.pp, vsftpd::install in install.pp, and so on), so create a manifests directory under /etc/puppet/modules/vsftpd on server1 and move the *.pp files into it.

server1

cd /etc/puppet/modules/vsftpd

mkdir manifests

mv *.pp manifests/

The module now has this layout:

/etc/puppet/modules/vsftpd/
    files/vsftpd.conf
    manifests/init.pp
    manifests/install.pp
    manifests/config.pp
    manifests/service.pp

server2

puppet agent --server server1.example.com --no-daemonize -vt    ## vsftpd is installed, the config file is deployed with mode 0600 and the service is started

server3

time puppet agent --server server1.example.com --no-daemonize -vt    ## server3's node block does not include vsftpd, so this run only confirms the httpd state

 

