- Puppet modules
- Deploying Puppet in master/agent mode
- Puppet multi-environment configuration
- The Puppet kick mechanism
I. Puppet modules
A module is a directory that stores a number of files and subdirectories in an agreed, predefined hierarchy; the files and subdirectories inside it must follow a fixed naming convention.
Puppet looks for the modules it needs under the configured module path; the defaults are /etc/puppet/modules and /usr/share/puppet/modules.
(1) Module directory structure
MODULE_NAME/:
A module name must start with a lowercase letter and may contain only lowercase letters, digits and underscores; the names "main" and "settings" are reserved and cannot be used.
Subdirectories under the module directory:
- manifests/: class definition files
  init.pp: must exist and contain a class definition whose name is the same as the module name
- files/: static files
  referenced from a class definition with a puppet URL: puppet:///modules/MODULE_NAME/FILE_NAME
- templates/: ERB templates
  referenced from a class definition with: template('MODULE_NAME/TEMPLATE_FILE_NAME')
- lib/: plugin directory, usually used for custom facts and custom types
- spec/: similar to tests/; holds usage help and examples for the plugins under lib/
- tests/: usage help or example manifests for this module
Notes:
1. In Puppet 3.8 and later, the file name of a manifest must match the name of the subclass it defines: a subclass named "base_class::child_class" goes in the file "child_class.pp".
2. No import statements are needed in manifest files.
3. manifests/ may contain several manifest files; each contains one class, and the file name is the same as the class name.
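The naming rules above are easy to get wrong by hand. The following shell script is an added example, not part of the original page: it checks a module directory for a valid module name, the presence of manifests/init.pp, and that every manifest declares the class its file name implies; the two fixture modules it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): check a module directory against
# the naming rules above before it is copied into /etc/puppet/modules/.
LC_ALL=C; export LC_ALL   # keep [a-z] ranges case-sensitive regardless of locale

# check_module MODULE_DIR -> returns 0 if the layout and class names are valid
check_module() {
    dir=$1
    name=$(basename "$dir")
    rc=0
    # module name: lowercase first letter, then [a-z0-9_]; main/settings are reserved
    case $name in
        main|settings) echo "bad: '$name' is a reserved module name"; rc=1 ;;
        [!a-z]*|*[!a-z0-9_]*) echo "bad: '$name' is not a valid module name"; rc=1 ;;
    esac
    [ -f "$dir/manifests/init.pp" ] || { echo "bad: manifests/init.pp is missing"; rc=1; }
    for pp in "$dir"/manifests/*.pp; do
        [ -e "$pp" ] || continue
        base=$(basename "$pp" .pp)
        # init.pp must declare "class NAME"; any other file "class NAME::FILE"
        if [ "$base" = init ]; then want="class $name"; else want="class $name::$base"; fi
        grep -Eq "^[[:space:]]*${want}[[:space:](]" "$pp" \
            || { echo "bad: $pp does not declare '$want'"; rc=1; }
    done
    return $rc
}

# Constructed fixtures (not real modules): one valid layout, one with two mistakes.
make_fixtures() {
    root=$(mktemp -d)
    mkdir -p "$root/redis/manifests" "$root/Redis_bad/manifests"
    printf 'class redis {\n}\n' > "$root/redis/manifests/init.pp"
    printf 'class redis::slave($masterip) inherits redis {\n}\n' > "$root/redis/manifests/slave.pp"
    # wrong: uppercase module name, and slave.pp declares redis::master
    printf 'class redis {\n}\n' > "$root/Redis_bad/manifests/init.pp"
    printf 'class redis::master {\n}\n' > "$root/Redis_bad/manifests/slave.pp"
    echo "$root"
}

root=$(make_fixtures)
check_module "$root/redis" && echo "redis: ok"
check_module "$root/Redis_bad" || echo "Redis_bad: rejected"
rm -rf "$root"
```

Point check_module at a real module directory (for example /etc/puppet/modules/redis) to validate it before running puppet module list.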
(2) Puppet configuration
The puppet config command gets or sets Puppet configuration parameters:
puppet config print [argument]
puppet config print modulepath: the path(s) where Puppet looks for module files
Puppet configuration file: /etc/puppet/puppet.conf
Settings made with puppet config set are written straight into the configuration file.
Experiment 1: build a module that implements a Redis master/slave configuration
# create the module directory structure
mkdir modules/redis/{manifests,files,templates,lib,spec,tests} -pv
cd modules/redis
vim manifests/init.pp
class redis {
  package{'redis':
    ensure => latest,
  } ->
  service{'redis':
    ensure     => running,
    enable     => true,
    hasrestart => true,
    restart    => 'service redis restart',
  }
}
vim manifests/master.pp
class redis::master inherits redis {
  file{'/etc/redis.conf':
    ensure  => file,
    source  => 'puppet:///modules/redis/redis-master.conf',
    owner   => redis,
    group   => root,
    require => Package['redis'],
  }
  # override the inherited service: restart through systemctl whenever the config file changes
  Service['redis'] {
    restart   => 'systemctl restart redis.service',
    subscribe => File['/etc/redis.conf'],
  }
}
vim manifests/slave.pp
class redis::slave($masterip, $masterport='6379', $masterpass='') inherits redis {
  file{'/etc/redis.conf':
    ensure  => file,
    # template paths are MODULE_NAME/FILE with no leading slash and resolve under templates/
    content => template('redis/redis-slave.conf.erb'),
    owner   => redis,
    group   => root,
    require => Package['redis'],
  }
  Service['redis'] {
    restart   => 'systemctl restart redis.service',
    subscribe => File['/etc/redis.conf'],
  }
}
cp /etc/redis.conf files/redis-master.conf
cp /etc/redis.conf templates/redis-slave.conf.erb
vim files/redis-master.conf
bind 0.0.0.0
vim templates/redis-slave.conf.erb
bind 0.0.0.0
# the master address comes from the class parameters instead of being hard-coded
slaveof <%= @masterip %> <%= @masterport %>
cp -r /root/modules/redis/ /etc/puppet/modules/
puppet module list
puppet apply -v --noop -e "include redis"
puppet apply -v --noop -e "include redis::master"
# redis::slave has a mandatory parameter, so it must be declared with a value for masterip
puppet apply -v --noop -e "class {'redis::slave': masterip => '192.168.136.230'}"
II. Deploying Puppet in master/agent mode
(1) How the master/agent mode works
Steps:
- Step 1: every 30 minutes the agent sends its host name and system information to the master
- Step 2: the master verifies the agent's identity, compiles the relevant classes from the site manifest into a catalog, and sends the catalog to the agent
- Step 3: the agent receives the catalog, first queries the current state, then enforces the target state described in the catalog
Reaching each other: master and agent address each other by host name, so a DNS server (or equivalent name resolution) is needed on the Puppet internal network.
Secure communication between master and agent:
- The traffic carries sensitive configuration data and must be encrypted.
- Master and agent hosts sit on an internal network that is not reachable from outside, so certificates from a public CA are not needed; the master acts as its own CA and signs the certificates.
- Before its first real exchange, the agent sends a certificate request to the master, which has to be signed manually on the master side.
How the master decides which classes from which modules each agent gets: from the definitions in the site manifest.
(2) Commands for configuring master/agent mode
Install the packages: facter (collects system information), puppet (agent side), puppet-server (master side)
Initialise the master:
puppet master --no-daemonize --verbose
Generate a complete list of configuration parameters:
puppet master --genconfig
puppet agent --genconfig
Print the effective value of every parameter based on the default configuration:
puppet config <action> [--section SECTION_NAME]
puppet config print
Set a parameter from the command line:
puppet config set
Manage certificate signing on the master:
puppet cert <action> [--all|-a] [<host>]
action:
list
sign
revoke
clean: revoke the given client's certificate and delete all files related to it
(3) Defining the site manifest
Host naming: names should be self-describing
hostname(role)#-rack-datacentre-ISP-region.domain
www1-rack1-yz-unicom-bj.magedu.com
Site manifest path: /etc/puppet/manifests/site.pp
# definitions common to every node
node 'base' {
  include ntp
}
node 'HOSTNAME' {
  ...puppet code...
}
# node definitions support patterns
node /node[0-9]+\.magedu\.com/ {
  ...puppet code...
}
# node definitions can inherit
node NODE inherits PAR_NODE_DEF {
  ...puppet code...
}
The manifest can be organised in a modular way:
nodes.d/:
the node definitions for each kind of site can be split across several .pp files, which site.pp then imports in one go.
In site.pp, use:
import 'nodes.d/*.pp'
Experiment 2: deploy Puppet in master/agent mode and use it to configure a Redis master/slave pair
Lab environment:
master host name: node0.hellopeiyang.com
agent (redis master) host name: node1.hellopeiyang.com
agent (redis slave) host name: node2.hellopeiyang.com
- Step 1: common settings on the master and agent hosts
# synchronise time
ntpdate 172.18.0.1
# set the host name; replace HOST_NAME with the name required for each host in the lab
hostnamectl set-hostname HOST_NAME
# no DNS server is set up in this example; /etc/hosts is used instead
vim /etc/hosts
192.168.136.230 node0.hellopeiyang.com
192.168.136.130 node1.hellopeiyang.com
192.168.136.131 node2.hellopeiyang.com
- Step 2: configure the module on the master
mkdir /etc/puppet/modules/redis/{manifests,files,templates,tests,lib,spec} -pv
cd /etc/puppet/modules/
vim redis/manifests/init.pp
class redis {
  package{'redis':
    ensure => latest,
  } ->
  service{'redis':
    ensure     => running,
    enable     => true,
    hasrestart => true,
    restart    => 'service redis restart',
  }
}
vim redis/manifests/master.pp
class redis::master inherits redis {
  file{'/etc/redis.conf':
    ensure  => file,
    source  => 'puppet:///modules/redis/redis-master.conf',
    owner   => redis,
    group   => root,
    require => Package['redis'],
  }
  Service['redis'] {
    restart   => 'systemctl restart redis.service',
    subscribe => File['/etc/redis.conf'],
  }
}
vim redis/manifests/slave.pp
class redis::slave($masterip, $masterport='6379') inherits redis {
  file{'/etc/redis.conf':
    ensure  => file,
    content => template('redis/redis-slave.conf.erb'),
    owner   => redis,
    group   => root,
    require => Package['redis'],
  }
  Service['redis'] {
    restart   => 'systemctl restart redis.service',
    subscribe => File['/etc/redis.conf'],
  }
}
cp /etc/redis.conf redis/files/redis-master.conf
vim redis/files/redis-master.conf
bind 0.0.0.0
cp /etc/redis.conf redis/templates/redis-slave.conf.erb
vim redis/templates/redis-slave.conf.erb
bind 0.0.0.0
slaveof <%= @masterip %> <%= @masterport %>
tree .
- Step 3: configure the node manifest on the master
yum install puppet-server
vim /etc/puppet/manifests/site.pp
node 'node1.hellopeiyang.com' {
  include redis::master
}
node 'node2.hellopeiyang.com' {
  class {'redis::slave':
    masterip   => '192.168.136.130',
    masterport => '6379',
  }
}
- Step 4: configure Puppet on the agents
/etc/puppet/puppet.conf
server = node0.hellopeiyang.com   # under either [main] or [agent]
- Step 5: start the Puppet services
systemctl start puppetmaster.service   # on the master
systemctl start puppetagent.service    # on the agents
- Step 6: sign the certificates on the master
puppet cert list
puppet cert sign node1.hellopeiyang.com
puppet cert sign node2.hellopeiyang.com
puppet cert list --all
puppet cert sign signs the certificate request sent by node1.hellopeiyang.com (and likewise node2.hellopeiyang.com).
puppet cert list --all shows every certificate signed by the puppet master, including the one it issued to itself.
- Step 7: test
On the redis master node (node1.hellopeiyang.com) the redis service is running; create the key mykey with the value "hello today".
On the redis slave node (node2.hellopeiyang.com) the redis service is running; querying mykey returns "hello today".
III. Puppet multi-environment configuration
Puppet lets the master apply different modules and different classes depending on the environment the agent sends, and the agent can switch between environments.
The default environment is production.
(1) Configuration on the master side:
a) Configuring multiple environments in Puppet versions before 3.4:
Per-environment configuration directories:
/etc/puppet/environments/{production,development,testing}
Edit the configuration file /etc/puppet/puppet.conf:
[master]
# modulepath=
# manifest=
environments = production, development, testing
[production]
modulepath=/etc/puppet/environments/production/modules/
manifest=/etc/puppet/environments/production/manifests/site.pp
[development]
modulepath=/etc/puppet/environments/development/modules/
manifest=/etc/puppet/environments/development/manifests/site.pp
[testing]
modulepath=/etc/puppet/environments/testing/modules/
manifest=/etc/puppet/environments/testing/manifests/site.pp
b) Configuring multiple environments in Puppet 3.6 and later:
Edit the configuration file /etc/puppet/puppet.conf and add:
[master]
environmentpath = $confdir/environments
Under the environments directory, prepare one subdirectory per environment:
ENVIRONMENT_NAME/
|-- manifests/
|   `-- site.pp
`-- modules/
(2) Configuration on the agent side:
Edit the configuration file /etc/puppet/puppet.conf and add:
environment = ENVIRONMENT_NAME   # add under [agent]; selects the environment this agent requests
Experiment 3: a Puppet multi-environment example
Lab environment: the master/agent setup from Experiment 2 is reused, keeping only the following hosts:
node0.hellopeiyang.com: puppet master
node1.hellopeiyang.com: puppet agent
Goal: plan the memcached settings of node1.hellopeiyang.com for three environments (development, testing, production)
- Step 1: point the configuration file at the environments directory
vim /etc/puppet/puppet.conf
# add the following
[master]
environmentpath = $confdir/environments
- Step 2: configure the modules and node manifests for each environment
# build the environment directory structure
mkdir -pv /etc/puppet/environments/{testing,development,production}/{manifests,modules}
# build the module directory structure
mkdir /root/memcached/{manifests,files,templates} -pv
vim /root/memcached/manifests/init.pp
class memcached ($maxmemory="64") {
  package{'memcached':
    ensure => 'latest',
  }
  file{'/etc/sysconfig/memcached':
    ensure  => file,
    content => template('memcached/memcached.erb'),
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
  }
  service{'memcached':
    ensure => running,
    enable => true,
  }
  Package['memcached'] -> File['/etc/sysconfig/memcached'] ~> Service['memcached']
}
# memcached is installed here only to obtain a configuration file to use as the template; not needed in real work
yum install memcached
cp /etc/sysconfig/memcached /root/memcached/templates/memcached.erb
vim /root/memcached/templates/memcached.erb
CACHESIZE="<%= @maxmemory %>"   # change this line
# the module is complete; copy it into each environment
cp -r /root/memcached/ /etc/puppet/environments/testing/modules/
cp -r /root/memcached/ /etc/puppet/environments/development/modules/
cp -r /root/memcached/ /etc/puppet/environments/production/modules/
# configure the node manifest of each environment
cd /etc/puppet/
vim environments/development/manifests/site.pp
node 'node1.hellopeiyang.com' {
  include memcached
}
vim environments/testing/manifests/site.pp
node 'node1.hellopeiyang.com' {
  class {'memcached':
    maxmemory => '128',
  }
}
vim environments/production/manifests/site.pp
node 'node1.hellopeiyang.com' {
  class {'memcached':
    maxmemory => '256',
  }
}
systemctl start puppetmaster.service
tree environments/
Directory structure on the master once the configuration is complete:
- Step 3: test
# apply the development environment
puppet agent --no-daemonize -v --environment=development
grep -i 'cachesize' /etc/sysconfig/memcached
# apply the testing environment
puppet agent --no-daemonize -v --environment=testing
grep -i 'cachesize' /etc/sysconfig/memcached
# apply the production environment
puppet agent --no-daemonize -v --environment=production
grep -i 'cachesize' /etc/sysconfig/memcached
Puppet applied the development environment successfully
Puppet applied the testing environment successfully
Puppet applied the production environment successfully
- Step 4: use the agent's default environment
In practice a node's environment rarely changes; once the default environment is set in the configuration file, the service can simply be started.
vim /etc/puppet/puppet.conf
environment = testing   # add under [agent]
grep -i 'cachesize' /etc/sysconfig/memcached
systemctl start puppetagent.service
grep -i 'cachesize' /etc/sysconfig/memcached
(3) Additional configuration files:
- fileserver.conf: file serving
- auth.conf: authorisation (by URL path)
IV. The Puppet kick mechanism
puppet kick: the master actively pushes a message to an agent, telling it to pull the latest configuration from the master immediately.
When to use it: when an agent's configuration has to be changed right away.
Requirements:
the agent opens a listening port
the agent authenticates the master (its auth.conf allow entry should name only the master host)
Puppet configuration
- agent side:
/etc/puppet/puppet.conf
[agent]
listen = true
vim /etc/puppet/auth.conf
path /run
method save
auth any
allow master.magedu.com
systemctl restart puppetagent.service
- master side:
puppet kick
puppet kick [--host <HOST>] [--all]
Experiment 4: building on Experiment 3, use the puppet kick mechanism to make an agent update its configuration immediately
- Step 1: agent-side settings
vim /etc/puppet/puppet.conf
[agent]
# add the following under [agent]
listen = true
vim /etc/puppet/auth.conf
# add the following; it must be placed above the "path /" stanza below
path /run
method save
auth any
allow node0.hellopeiyang.com
path /
auth any
systemctl restart puppetagent.service
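Because auth.conf is evaluated first-match, a "path /run" rule appended after the catch-all "path /" stanza is silently ignored, and an allow of "*" would let any host trigger runs. The following shell script is an added example, not part of the original page: it checks an agent's auth.conf for both conditions; the three sample files it writes are constructed for the demonstration and use the lab host name node0.hellopeiyang.com.

```shell
#!/bin/sh
# Added example (not from the original page): verify that an agent's auth.conf
# contains the "path /run" rule puppet kick needs, placed before the catch-all
# "path /" stanza (auth.conf is first-match) and allowing only the master host.

# kick_rule_ok AUTH_CONF MASTER_HOST -> returns 0 when the rule is usable and restricted
kick_rule_ok() {
    conf=$1; master=$2
    # line numbers of the first "path /run" and the first "path /" stanza
    run_line=$(grep -nE '^[[:space:]]*path[[:space:]]+/run([[:space:]]|$)' "$conf" | head -n1 | cut -d: -f1)
    root_line=$(grep -nE '^[[:space:]]*path[[:space:]]+/([[:space:]]|$)' "$conf" | head -n1 | cut -d: -f1)
    [ -n "$run_line" ] || { echo "bad: no 'path /run' stanza"; return 1; }
    if [ -n "$root_line" ] && [ "$root_line" -lt "$run_line" ]; then
        echo "bad: 'path /' at line $root_line shadows 'path /run' at line $run_line"; return 1
    fi
    # the first "allow" after the /run line, stopping at the next "path" line
    allow=$(awk -v s="$run_line" '
        NR > s && /^[[:space:]]*path[[:space:]]/ { exit }
        NR > s && /^[[:space:]]*allow[[:space:]]/ { print $2; exit }' "$conf")
    if [ "$allow" = "*" ]; then
        echo "bad: 'path /run' allows any host; restrict it to $master"; return 1
    fi
    [ "$allow" = "$master" ] || { echo "bad: 'path /run' allows '$allow', not $master"; return 1; }
    return 0
}

# Constructed auth.conf samples, written to a temporary directory
make_auth_fixtures() {
    d=$(mktemp -d)
    # good: kick rule first, restricted to the master
    printf 'path /run\nmethod save\nauth any\nallow node0.hellopeiyang.com\n\npath /\nauth any\n' > "$d/good.conf"
    # shadowed: the rule was appended after "path /", so it is never reached
    printf 'path /\nauth any\n\npath /run\nmethod save\nauth any\nallow node0.hellopeiyang.com\n' > "$d/shadowed.conf"
    # open: any host may trigger a run
    printf 'path /run\nmethod save\nauth any\nallow *\n\npath /\nauth any\n' > "$d/open.conf"
    echo "$d"
}

d=$(make_auth_fixtures)
for f in good shadowed open; do
    kick_rule_ok "$d/$f.conf" node0.hellopeiyang.com && echo "$f.conf: ok"
done
rm -rf "$d"
```

Run kick_rule_ok /etc/puppet/auth.conf MASTER_HOST on each agent after editing auth.conf and before restarting the agent service.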
- Step 2: change the configuration on the master and notify the agent via puppet kick
cd /etc/puppet/environments/testing/
# create a module named nginx
mkdir modules/nginx/{manifests,files,templates} -pv
vim modules/nginx/manifests/init.pp
class nginx {
  package{'nginx':
    ensure => latest,
  }
}
# add the nginx class to the node manifest
vim manifests/site.pp
node 'node1.hellopeiyang.com' {
  class {'memcached':
    maxmemory => '128',
  }
  include nginx   # newly added
}
systemctl restart puppetmaster.service
puppet kick node1.hellopeiyang.com