puppet 安装
puppet 的核心组件: 资源
资源清单: manifests
资源清单及清单中的资源定义的所依赖的文件,模版等数据按照特定结构组织成为 模块
安装: https://yum.puppetlabs.com/
ruby环境: ruby ruby-libs ruby-shadow
master: puttet-server
slave: puppet, facter
[root@k8s1 ~]# puppet help Usage: puppet <subcommand> [options] <action> [options] Available subcommands: agent The puppet agent daemon apply Apply Puppet manifests locally ca Local Puppet Certificate Authority management. catalog Compile, save, view, and convert catalogs. cert Manage certificates and requests certificate Provide access to the CA for certificate management. certificate_request Manage certificate requests. certificate_revocation_list Manage the list of revoked certificates. config Interact with Puppet's settings. describe Display help about resource types device Manage remote network devices doc Generate Puppet documentation and references facts Retrieve and store facts. file Retrieve and store files in a filebucket filebucket Store and retrieve files in a filebucket help Display Puppet help. inspect Send an inspection report instrumentation_data Manage instrumentation listener accumulated data. DEPRECATED. instrumentation_listener Manage instrumentation listeners. DEPRECATED. instrumentation_probe Manage instrumentation probes. Deprecated key Create, save, and remove certificate keys. kick Remotely control puppet agent man Display Puppet manual pages. master The puppet master daemon module Creates, installs and searches for modules on the Puppet Forge. node View and manage node definitions. parser Interact directly with the parser. plugin Interact with the Puppet plugin system. queue Deprecated queuing daemon for asynchronous storeconfigs report Create, display, and submit reports. resource The resource abstraction layer shell resource_type View classes, defined resource types, and nodes from all manifests. secret_agent Mimics puppet agent. status View puppet server status. See 'puppet help <subcommand> <action>' for help on a specific subcommand action. See 'puppet help <subcommand>' for help on a specific subcommand. Puppet v3.8.7
获取所有的资源类型:
[root@k8s1 ~]# puppet describe --list
[root@k8s1 ~]# puppet describe package
puppet 从3个维度来对资源完成抽象
1.相似的资源被抽象成同一种资源“类型”,如程序包资源,用户资源及服务资源等;
2.将资源属性或状态的描述与其实现方式剥离开来,如仅说明安装一个程序包而不用关心具体是通过yum、pakadd、ports或其他方式实现
3.仅描述资源的目标状态,期望其实现的结果,而不是其具体过程,如“确定nginx运行起来”而不是具体描述为“运行nginx” 命令将其启动起来
这三个 也被成为puppet 的资源抽象层(RAL)
RAL 由type(类型)和 provider(提供者,即不同os上的特定实现)组成
资源的特殊属性
1. Name/Namevar 名称变量
大多数类型都有一个属性,该属性标识目标系统上的资源
被称为namevar,通常简称的名字
namevar值必须唯一每个资源类型
2. Ensure (保证,确保)
用于大多数资源中,用于控制资源的存在性。
ensure => file 存在且为一个普通文件
ensure =>directory 存在且为一个目录
ensure =>present 存在
ensure =>absent 不存在,删除
3. Metaparmeters(参数)
定义资源:
type {'title':
attribute1 => value1,
attribute2 => value2,
}
type 必须小写: title在同一个资源下必须唯一:
常用的资源类型:
user,group,file,package,service,exec,cron, notify
[root@k8s1 manifest]# cat test.pp group {'distro': gid => 2000, ensure => present, } user {'centos': uid => 2000, gid => 2000, shell => '/bin/bash', home => '/home/centos', ensure => present, }
agent上执行
[root@k8s1 manifest]# puppet apply -v test.pp
group: 管理组资源:
name: 组名 ,namevar 组名 gid: GID 组id system: true,false 系统组 ensure: present, absent 建立或者删除 members:组成员, 可以在这个组中加用户
user:用户资源
commet: 注释信息 ensure: present,absent expiry: 过期时间 groups: 附加组 home: 家目录 shell: 默认shell name: namevar system: 是否是系统用户, true,false uid: UID password: 密码 gid 基本组id
file: 管理文件及其内容、从属关系以及权限:
内容可通过content属性直接给出,也可以通过source属性根据远程服务器路径下载生成:
指明文件内容来源:
content: 直接给出文件内容,支持\n \t source: 从指定位置下载文件: ensure: file,directory,links,present,absent 常用属性: force:强制运行,可用值 yes,no,true,false group: 属组 owner:属主 mode: 指明权限, '0755' 还支持u g o方式 path: 目标路径,放置的路径 source: 源文件路径,可以是本地文件路径,也可以使用puppet:///modules/modules_name/file_name
file { "/etc/nfs.conf":
source => [
"puppet:///modules/nfs/conf.$host",
"puppet:///modules/nfs/conf.$operatingsystem",
"puppet:///modules/nfs/conf"
]
}
target: 当ensure为“link”时,target表示path指向的文件是一个符号链接文件,其目标为此target属性所指向的路径,此时content source属性失败
[root@k8s1 manifest]# cat file.pp #建立一个目录 file {'/tmp/mytest': ensure => directory } #新建一个文件,并且内容是content中指定的内容,以及相关属主属组权限 file {'/tmp/puppet-test': content => "puppet-test file \n2 line\n3 line", ensure => 'file', group => 'puppet', owner => 'ftp', mode => '0777', } #copy一份文件 file {'/tmp/fatab-bak': source => '/etc/fstab', ensure => "file", } #做一个连接 file {'/tmp/puppet.target.link': ensure => 'link', target => '/etc/fstab', }
执行
# puppet apply -v file.pp
exec:
运行一外部命令,命令应该具有幂等性
1.命令本身具有幂等性,多此运行命名,不会对系统有损害, yum update
2.资源有onlyif, unless, creates 等属性以实现命令的条件式运行。
3.资源有refreshonly属性,以实现只有订阅的资源发生变化时才执行:依赖的资源改变了,才运行,如:配置文件更新
command: 运行的命令: NameVar
creates: 此属性指定的文件不存在时才执行此命令。
#creates属性 如果/var/tmp/myfile 这个文件不存在,才会执行tar 命令,cwd 先cd到/var/tmp路径下,在 解压缩。
exec { "tar -xf /Volumes/nfs02/important.tar":
cwd => "/var/tmp",
creates => "/var/tmp/myfile",
path => ["/usr/bin", "/usr/sbin"]
}
属性
cwd: 此属性指定的路径下运行命令,就是 cd 到路径下 user: 以指定的用户身份运行命令。 group: 指定组 onlyif: 给定一个测试命令:仅在此命令执行成功(返回状态码为0)时 才运行command指定的命令: unless: 给定一个测试命令:仅在此命令执行失败(返回状态码为1)时 才运行command指定的命令: refresh: 接受到其他资源发来的refresh通知时,默认是重新执行exec定义的command,refresh属性可改变这种行为,即可指定仅在refresh时运行的命令 refreshonly: 仅在收到refresh通知,才运行此资源。 refreshonly: 期望的状态返回值,返回非此值时表示命令执行失败。 tries: 尝试执行的次数, timeout: 超时时长。 path: 指明命令搜索路径,其功能类型PATH环境变量:path => ['/usr/bin','/usr/sbin'],
exec { "logrotate":
path => "[/usr/bin:/usr/sbin:/bin]",
onlyif => "test `du /var/log/messages | cut -f1` -gt 100000"
}
# unless属性,假如grep 不成功的时候,不包含root的时候,才执行命令。 exec { "/bin/echo root >> /usr/lib/cron/cron.allow": path => "[/usr/bin:/usr/sbin:/bin"], unless => "grep root /usr/lib/cron/cron.allow 2>/dev/null" }
exec { newaliases: path => ["/usr/bin", "/usr/sbin"], subscribe => File["/etc/aliases"], refreshonly => true }
[root@k8s1 manifest]# cat exec.pp exec{'modprobe ip_vs': user => root, group => root, refresh => 'modprobe -r ip_vs', timeout => 5, tries => 2, path => ['/usr/bin','/usr/sbin'], } #假如/tmp/hello.txt不存在,运行echo hello exec{'echo hello >> /tmp/hello.txt': user => root, group => root, creates => '/tmp/hello.txt', path => ['/usr/bin','/usr/sbin'], } exec{'echo hello >> /tmp/hello1.txt': user => root, group => root, unless => 'test -e /tmp/hello1.txt', path => ['/usr/bin','/usr/sbin'], }
notify: 通知信息
Sends an arbitrary message to the agent run-time log.
message: 要发送的消息的内容: NameVar
[root@k8s1 manifest]# cat notify.pp notify{'this is run-time agent log':}
cron: 计划任务:
常用属性:
ensure: present absent
command: 运行的jobs
hour: 小时
minute: 分钟
month: 月
monthday: 日
weekday: 周
name: 名称
user: 运行的用户
environment: 运行时的环境变量
cron{'sync time':
command => '/usr/sbin/ntpdate 192.168.20.220 & >/dev/null',
minute => '*/10',
user => root,
ensure => present,
}
package 管理程序包
常用属性:
configfile: 更新程序包后,老的配置文件处理方式, keep或replace
ensure: installed, latest(最新版本), version(2.3.1-2.el7), present,absent
name: 程序报名称
source: 需要指定软件包的路径或URL,如果使用rpm,需要指明包的路径。
provider 使用 包的来源(yum, rpm)
package{'zsh':
ensure => latest,
}
package{'zabbix':
ensure => installed,
source => '/tmp/rpm/zabbix22-2.2.16-1.el7.x86_64.rpm',
provider => rpm,
}
service: 管理服务
常用属性
enable: 是否开机启动,true、false。 ensure: 启动(running),停止(stopped) hasrestart: 是否支持restart参数,用来说明当前的程序自带restart功能 hasstatus: 是否支持status参数 name: 服务名称,namevar path: 脚本查找路径 pattern: 用户搜索此服务相关的进程的模式: 当脚本不支持restart/status时,用于确定服务是否处于运行状态 restart: 用于执行 重启 命令,如果不支持hasrestart,那么使用restart定义,先kill,然后在启动 start: 用于执行启动命令 stop: 用于执行停止命令 status: 用于执行状态检查命令
package{'nginx':
ensure => latest,
allow_virtual => false,
}
service{'nginx':
ensure => running,
enable => true,
hasrestart => true,
hasstatus => true,
restart => 'systemctl reload nginx.service'
}
#############################################################
package{'zabbix22-agent':
ensure => latest,
allow_virtual => false,
}
service{'zabbix-agent':
ensure => running,
enable => true,
hasrestart => true,
hasstatus => true,
restart => 'systemctl restart zabbix-agent.service'
}
特殊属性: metaparameters
1.定义依赖关系,有次序的关系,
puppet提供了before(之前)、 require(要求)、notify(通知)、subscribe(订阅) 四个参数来定义资源间的相关性。
被依赖的资源中使用:before
依赖其它资源的资源: require
这四个元参数都以另外的其他资源或者资源数组作为其值,这称为资源引用
资源引用要通过"Type['title']"的方式进行,如User['magedu'] , 注意:资源引用时,其类型名的首字母要大写。
before 定义
group {'linux': gid => 3000, ensure => present, before => User['suse'], #在创建user suse账户前,先创建linux 组, } user {'suse': uid => 3000, gid => 3000, shell => '/bin/bash', home => '/home/suse', ensure => present, }
###################################################
require 定义, 在user中定义 linux组必须存在,才能创建suse用户。
group {'linux':
gid => 3000,
ensure => present,
}
user {'suse':
uid => 3000,
gid => 3000,
shell => '/bin/bash',
home => '/home/suse',
ensure => present,
require => Group['linux']
}
#########################################################
使用 -> 符号,表示先group,后user
group{'tomcat':
gid => 5001,
ensure => present,
} ->
user{'tomcat':
uid => 5001,
gid => 5001,
ensure => present,
home => '/home/tomcat',
shell => '/bin/bash',
}
2.定义通知关系
subscribe 当 file 文件变化时,重启nginx服务。
subscribe 订阅, notify 通知
###############################
定义不了重启
package{'nginx': ensure => latest, } file{'nginx.conf': source => '/tmp/nginx.conf',
path => '/etc/nginx/nginx.conf' ensure => file, require => Package['nginx'],
# notify => Service['nginx'] } service{'nginx': ensure => running, enable => true, hasrestart => true, hasstatus => true, #subscribe => File['/etc/nginx/nginx.conf'],
require => [Package['nginx'],File['nginx.conf']] }
当文件/tmp/nginx.conf 内容变更了,要让servie 重启, 所以require定义不了重启。需要使用notify和subscribe。
notify 定义在前资源,自己发生改变要通知 后面的资源。
subscribe 定义在后资源, 自己监控着 前资源,如果前资源发生改变,自己做什么操作
package{'nginx': ensure => latest, allow_virtual => false, } file{'nginx.conf': path => '/etc/nginx/nginx.conf', source => '/tmp/nginx.conf', ensure => file, require => Package['nginx'], } service{'nginx': ensure => running, enable => true, hasrestart => true, hasstatus => true, restart => 'systemctl reload nginx.service', require => [Package['nginx'],File['nginx.conf']], subscribe => File['nginx.conf'], }
puppet 变量
puttet 的变量名称必须以$开头,复制操作符为 =
任何正常数据类型(非正则)的值都可以赋予puppet中的变量,如字符串、数值、布尔型、数组、hash以及特殊的undef值。
puppet的每个变量都有2个名字,简短名称和长格式完全限定名称,完全限定名称的格式为“$scope::variable”
scope是一个特定的代码区域,用于同程序中的其他代码隔离开来
在puppet中,scope可以用于限定变量及资源默认属性的作用范围,但不能用于限定资源名称及资源引用的生效范围。
每个变量有两种引用路径:
相对路径:
绝对路径: $::scope::scope::variable
正则表达式
属于puppet的非标准数据类型,不能赋值给变量,仅能用于有限的几个接受正则表达式的地方,即接受使用“=~”及“!~” 匹配操作符的位置,通常包括case 语句中的
selector,以及节点名称匹配的位置
正则表达式不能传递给函数或者用户资源属性的定义
puppet中额正则表达式支持使用(?<ENABLED OPTION启用的选项>:<SUBPATTERN>) 和 (?-<DISABLED OPTION>:<SUBPATTERN>禁用使用-号)两个特殊的符号
OPTION 正则表达式匹配选项 i (忽略字符大小写),m(把 . 当作换行符) ,x (忽略模式中的空白字符和注释)
- 减号取反义
$packages = $operatingsystem ? { /(?i-mx:(ubuntu|debian))/ => 'apache2', /(?i-mx:(redhat|centos))/ => 'httpd', }
operatingsystem的值 匹配 ubuntu 和 redhat,如果匹配了,那么 packages 的值为apache2 或者 httpd。
puppet中变量的种类
1.自定义变量
2.facter变量: 可直接引用, 使用命令 facter -p
3.内置变量:
客户端内置: $clientcert, $clientversion
服务器断内置: $servername $serverversion $serverip $module_name
puppet 条件语句
if case unless selector
单分支 if CONITION { statement } if conition { statement } else { statement }
多分支 if conition { statemnet } elsif { statemnet } else { statemnet}
if $processorcount>1 { notice("process count 4") } else { notice("process not 4") }
notice是内置变量,输出结果。
conition的用法:
1. 比较表达式
2. 变量引用
3. 有返回值函数调用
判断文件系统是什么
if $filesystems =~ /^(?i-mx:(xfs|ext4|ext3))/ { notice("linux filesystem is $1") }
case contorl_express {
case1: {statemnet.....}
case2: { statemnet....}
default: { statement... }
}
case $filesystems { 'xfs': {notice(" this's linux filesystem is xfs")} 'ext3': {notice(" this's linux filesystem is ext3")} 'ext4': {notice(" this's linux filesystem is ext4")} 'zfs': {notice(" this's linux filesystem is zfs")}
default: {notice("nothing")} }
contorl_express 表达式、变量、函数(有返回值)
select 是返回一个值,不是执行代码块 ,不能用于一个已经嵌套于selector的case中,
CONTROL_VARIABLE ? {
case1 => value1
case2 => value2
default => valueN
}
$packages = $operatingsystem ? { /(?i-mx:(ubuntu|debian))/ => 'apache2', /(?i-mx:(redhat|centos))/ => 'httpd',
dafult => 'httpd' } operatingsystem的值 匹配 ubuntu 和 redhat,如果匹配了,那么 packages 的值为apache2 或者 httpd。
select 使用要点:
1.这个selector 语句会被当作一个单独的值,puppet会将控制变量按列出的次序与每个case进行比较,并在遇到一个匹配的case后,将其值作为整个语句的值进行返回,
2.控制变量与个case比较的方式与case相同,但如果没有任何一个case与控制变量匹配是,puppet在编译时会返回一个错误,因此,实践中,其必须提供default case。
类: class
创建后可在puppet全局进行调用,类可以被继承。类的名字只能小写
class nginx { $package = $operatingsystem ? { /^(?i-mx:(centos|redhat))/ => nginx, /^(?i-mx:(debian|ubuntu))/ => httpd, } package{$package: ensure => latest,
allow_virtual => false, } file{'nginx.conf': ensure => file, source => '/tmp/nginx.conf', path => '/etc/nginx/nginx.conf', require => Package['$package'], } service{'nginx': ensure => running, enable => true, hasrestart => true, hasstatus => true, restart => 'systemctl reload nginx.service', subscribe => File['nginx.conf'], } } include nginx
在manifest文件中定义的类不会直接被执行,他们需要事先声明后才能被执行。
声明类(调用类)的方式:
1. 用 include 声明一个类 2. 用 require 声明一个类 3. 像声明一个 resource(资源) 声明一个类 4. 用ENC的方式声明一个类
1.include 声明
使用方法 include base::linux
include base::linux,nginx 声明2个类
class nginx { package{'nginx': ensure => latest, } file{'nginx.conf': path => '/etc/nginx/nginx.conf', ensure => file, source => '/tmp/nginx.conf', require => Package['nginx'], } service{'nginx': ensure => running, enable => true, hasrestart => true, hasstatus => true, restart => 'systemctl reload nginx.service', require => Package['nginx'], subscribe => File['nginx.conf'], } } include nginx
类的声明方式一:
include class_name , class_name,........
定义能接受参数的类:
class class_name($arg1='value1',$arg2='value2'){
.....code
}
类声明方式二:
class{'class_name':
arg1 => value,
arg2 => value,
}
2.resource(像声明一个资源一样,声明一个类),带参数的
class {'apache'
version => '2.2.6',
}
class{'base::linux':}
class nginx($webserver='nginx') { package{$webserver: ensure => latest, } file{'nginx.conf': path => '/etc/nginx/nginx.conf', ensure => file, source => '/tmp/nginx.conf', require => Package['nginx'], } service{'nginx': ensure => running, enable => true, hasrestart => true, hasstatus => true, restart => 'systemctl reload nginx.service', require => Package['nginx'], subscribe => File['nginx.conf'], } } ###########resource 调用类################### #nginx 是 上面定义的 class_name class{'nginx': webserver => 'nginx', }
3.require
4.ENC
类的继承:
定义方式:
基类/父类 子类 继承 基类/父类
class base_class::class_name inherits base_class {
...... puppet code........
}
作用:继承一个已有的类,并实现覆盖资源属性,或向资源属性追加额外值:
=>,+>
类继承时:
1.声明子类时,其基类会被自动首先声明。
2.基类成为了子类的父作用域,基类中的变量和属性默认值会被子类复制一份:
3.子类可以覆盖父类中同一资源的相同属性的值。
# 安装应用程序和启动服务都是相同的,
class nginx { package{'nginx': ensure => latest, } service{'nginx': ensure => running, enable => true, hasrestart => true, hasstatus => true, restart => 'systemctl reload nginx.service', } } class nginx::webserver inherits nginx { file{'nginx.conf': ensure => file, path => '/etc/nginx/nginx.conf', source => '/tmp/nginx_web.conf', notify => Service['nginx'], } } class nginx::proxy inherits nginx { file{'nginx.conf': ensure => file, path => '/etc/nginx/nginx.conf', source => '/tmp/nginx_proxy.conf', notify => Service['nginx'], } } include nginx::proxy #调用子类
在子类中覆盖父类中已经定义的资源属性值:
[root@k8s1 manifest]# cat class5.pp class nginx { package{'nginx': ensure => latest, name => nginx, } service{'nginx': ensure => running, enable => true, hasrestart => true, hasstatus => true, restart => 'systemctl reload nginx.service', } } class nginx::webserver inherits nginx { Package['nginx'] { #子类可以覆盖父类中同一资源的相同属性的值。 name => tengine,
#name +> varnish, ####表示追加安装varnish,
}
file{'nginx.conf':
ensure => file,
path => '/etc/nginx/nginx.conf',
source => '/tmp/nginx_web.conf',
notify => Service['nginx'],
}
}
class nginx::proxy inherits nginx {
file{'nginx.conf':
ensure => file,
path => '/etc/nginx/nginx.conf',
source => '/tmp/nginx_proxy.conf',
notify => Service['nginx'],
}
}
include nginx::webserver
模版:
基于ERB模版语言,在静态文件中使用变量等变成元素生成适用于多种不同的环境的文本文件,用于实现在文本文件中嵌入ruby代码,原来的文本信息不会被改变
但ruby代码会被执行,执行结果将直接替换原来代码:
<%= Ruby Expression %>: 替换为表达式的值:
<% Ruby Expression %>: 仅执行代码,不替换
<%# comment %>: 文本注释:
<%%: 输出为<%
%%>: 输出为%>
<%- Ruby code %>: 忽略空白字符:
<% Ruby code -%>: 忽略空白行:
在模版中可是使用变量,包括puppet的任意可用变量,但变量名以@字符开头。
条件判断:
<% if condition -%>
some text
<% end %>
<% if condition -%>
some text
<% else %>
some text
<% end %>
迭代:
<% @ArrayName.echo do | Variable_name | -%>
some text with <%= Variable_name %>
<% end %>
使用模版实例:
1. 修改nginx配置文件
2. 修改puppet配置文件
class nginx::webserver inherits nginx {
Package['nginx'] {
name => nginx,
}
file{'nginx.conf':
ensure => file,
path => '/etc/nginx/nginx.conf',
#source => '/tmp/nginx_web.conf',
# template函数对/tmp/nginx_web.conf进行计算,生成数据流,把数据流当成内容
content => template('/tmp/nginx_web.conf'),
notify => Service['nginx'],
}
}
3. 验证结果 vi /etc/nginx/nginx.conf
模块:
路径 /etc/puppet/modules
/etc/puppet/modules/manifests/
init.pp: 至少应该包含一个与当前模块名称同名类:
/etc/puppet/modules/files: 静态文件 puppet:///module/module_name/file_name
/etc/puppet/modules/template: 模版文件目录: template('module_name/template_name')
/etc/puppet/modules/lib: 插件目录
/etc/puppet/modules/tests: 当前模块的使用帮助及实例文件
/etc/puppet/modules/spec: 类似与tests目录,存储lib目录下定义的常见的使用帮助及示例文件
模块管理命令
[root@k8s1 modules]# puppet help module
USAGE: puppet module <action> [--environment production ] [--modulepath $basemodulepath ] This subcommand can find, install, and manage modules from the Puppet Forge, a repository of user-contributed Puppet code. It can also generate empty modules, and prepare locally developed modules for release on the Forge. OPTIONS: --render-as FORMAT - The rendering format to use. --verbose - Whether to log verbosely. --debug - Whether to log debug information. --environment production - The environment Puppet is running in. For clients (e.g., `puppet agent`) this determines the environment itself, which is used to find modules and much more. For servers (i.e., `puppet master`) this provides the default environment for nodes we know nothing about. --modulepath $basemodulepath - The search path for modules, as a list of directories separated by the system path separator character. (The POSIX path separator is ':', and the Windows path separator is ';'.) Setting a global value for `modulepath` in puppet.conf is deprecated. Please use directory environments instead. If you need to use something other than the default modulepath of `<ACTIVE ENVIRONMENT'S MODULES DIR>:$basemodulepath`, you can set `modulepath` in environment.conf. For more info, see http://docs.puppetlabs.com/puppet/latest/reference/environments.html ACTIONS: build Build a module release package. changes Show modified files of an installed module. generate Generate boilerplate for a new module. install Install a module from the Puppet Forge or a release archive. list List installed modules search Search the Puppet Forge for a module. uninstall Uninstall a puppet module. upgrade Upgrade a puppet module.
#找到本地安装的puppet 模块。
[root@k8s2 puppet]# puppet module list
/etc/puppet/modules (no modules installed)
/usr/share/puppet/modules (no modules installed)
#从forgeapi.puppetlabs.com 中查找nginx模块.
#从forgeapi.puppetlabs.com 中安装nginx模块
puppet module install nginx
模块的具体应用
[root@k8s1 template]# mkdir -pv /etc/puppet/modules/nginx/{manifests,files,templates,tests,lib,spec} /etc/puppet/modules/nginx/mainfests/init.pp 中必须有一个类,类的名称必须与 /etc/puppet/modules/nginx目录的nginx相同 [root@k8s1 template]# cp /root/manifest/test2.pp /etc/puppet/modules/nginx/manifests/init.pp 静态文件放置在 /etc/puppet/modules/nginx/files/目录下 [root@k8s1 template]# cp /tmp/nginx_proxy.conf /etc/puppet/modules/nginx/files/ nginx_web.conf 是模版文件(<%= @processcount -%>),放置在/etc/puppet/modules/nginx/templates/目录下,并且改名成nginx_web.conf.erb [root@k8s1 template]# cp /tmp/nginx_web.conf /etc/puppet/modules/nginx/templates/nginx_web.conf.erb
修改/etc/puppet/modules/manifests/init.pp文件,修改file 中的source属性:
执行命令,--noop表示不进行应用,执行是否正确:
[root@k8s1 manifests]# puppet apply -v --noop -e "include nginx::proxy"
Notice: Compiled catalog for k8s1 in environment production in 1.32 seconds
Info: Applying configuration version '1494307794'
Notice: /Stage[main]/Nginx::Webserver/File[nginx.conf]/ensure: current_value absent, should be file (noop)
Info: /Stage[main]/Nginx::Webserver/File[nginx.conf]: Scheduling refresh of Service[nginx]
Notice: Class[Nginx::Webserver]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Nginx/Package[nginx]/ensure: current_value absent, should be latest (noop)
Notice: /Stage[main]/Nginx/Service[nginx]/ensure: current_value stopped, should be running (noop)
Info: /Stage[main]/Nginx/Service[nginx]: Unscheduling refresh on Service[nginx]
Notice: Class[Nginx]: Would have triggered 'refresh' from 2 events
Notice: Stage[main]: Would have triggered 'refresh' from 2 events
Notice: Finished catalog run in 0.34 seconds
执行并应用:
[root@k8s2 manifests]# puppet apply -v -e "include nginx::proxy"
puppet master/agent:
agent: 默认30分钟向master 发送node name 和facts,并请求catalog
master: 验证客户端身份, 查找与其相关的site manifest, 编译生成catalog,并发送给客户端。
ssl xmlrpc , https 8140/tcp 端口
master 安装软件: puppet, puppet-server, facter
agent 安装软件: puppet facter
#安装puppet server端
[root@k8s3 ~]# yum -y install puppet-server
puppet server配置文件 vim /etc/puppet/puppet.conf
puppet server默认的系统配置信息
[root@k8s2 puppet]# puppet help config USAGE: puppet config <action> [--section SECTION_NAME] This subcommand can inspect and modify settings from Puppet's 'puppet.conf' configuration file. For documentation about individual settings, see http://docs.puppetlabs.com/references/latest/configuration.html. OPTIONS: --render-as FORMAT - The rendering format to use. --verbose - Whether to log verbosely. --debug - Whether to log debug information. --section SECTION_NAME - The section of the configuration file to interact with. ACTIONS: print Examine Puppet's current settings. set Set Puppet's settings. See 'puppet man config' or 'man puppet-config' for full help.
#查看默认配置信息
[root@k8s2 puppet]# puppet config print
#启动master服务 守护进程,-D 放置到后台
[root@k8s2 puppet]# puppet master -D
#启动agent服务 守护进程,-D 放置到后台
[root@k8s2 puppet]# puppet agent --server=puppet.domain.cn -D
手动生成完整配置文件:
master:
[root@k8s2 puppet]# puppet master --genconfig > /etc/puppet/puppet_default.conf
agent:
[root@k8s2 puppet]# puppet agent --genconfig > /etc/puppet/puppet_default.conf
说明:
(1) 生成新的配置文件之前,不能删除或移除原有的puppet.conf:
(2) 生成的配置中,有的参数已经被废弃,与现有puppet版本可能兼容,
(3) 有的参数的默认值与现有版本所支持值可能不相兼容:
获取puppet 文档:
puppet doc
分段, 称为reference
列出所有的reference:
puppet doc --list
查看某一 reference:
puppet doc -r REFERENCE_NAME
配置文件的组成部分:
[main]
[master]
[agent]
签署证书:
puppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] [--digest <digest>] [<host>]
EXAMPLE
-------
$ puppet cert list 显示请求的证书
$ puppet cert sign culain.madstop.com 签署证书
配置agent/master
1. 配置master;
# puppet master --no-daemonize -v #启动测试模式,如果无问题,kill掉
# systemctl start puppetmaster.service
# systemctl enable puppetmaster.service
2. 配置agent端
# puppet agent --server=master_host_name --no-daemonize --noop --test -v
# puppet agent --server=master_host_name --no-daemonize -v -d #发送证书签署请求给master:
3. 在master端为客户签署证书
# puppet cert list #待签署的请求
# puppet cert sign node_name
# puppet cert sign --all #签署全部
# puppet cert clean node_name #清除指定节点
4. 在master端:
(1) 安装所有用到的module,或者自己写
(2) 定义site manifest;
/etc/puppet/manifests/site.pp
node 'NODE_NAME' {
....puppet code......
}
例如:
node "k8s3" {
include nginx::proxy
}
5. agent端
(1)修改vim /etc/puppet/puppet.conf ,添加server 的地址
server = k8s2
(2) 启动客户端agent 进程
[root@k8s1 nginx]# systemctl start puppetagent.service
6. 节点管理:
site.pp 定义节点的方式:
(1) 以主机名直接给出其相关定义
node 'node_name' {
..... puppet code ......
}
(2) 把功能相近的主机按照统一的命名,按照统一格式调用:
node /^web\d+\.abcg\.com/ {
... puppet code .......
}
7. master 检查manifests中 init.pp 语法是否正确
master: puppet parser validate /etc/puppet/modules/copyfiletest/manifests/init.pp
agent: puppet agent --server=k8s2 --no-daemonize --noop --test -v
主机命名方式:
角色名-运营商-机房名-机器ip.域名
web1-cnc-wx-172.16.230.3.abc.com
对节点配置分段管理
/etc/puppet/mainfests/
site.pp
import "webserver/*.pp"
webserver/
tomcat.pp
nginx.pp
cache/
varnish.pp
squid.pp
api
kong.pp
面临的问题:
1. 主机名解析:(ddns)
2. 如何为系统准备好puppet agent;
puppet的配置文件:
master环境配置:开发环境、测试环境、生产环境
# vim /etc/puppet/puppet/conf
[master]
environment = production,testing,development
[production] manifest=/etc/puppet/environments/production/manifests/site.pp modulepath=/etc/puppet/environments/production/modules/ fileserverconfig=/etc/puppet/fileserver.conf
[testing]
manifest=/etc/puppet/environments/testing/manifests/site.pp
modulepath=/etc/puppet/environments/testing/modules/
fileserverconfig=/etc/puppet/fileserver.conf
[development]
manifest=/etc/puppet/environments/development/manifests/site.pp
modulepath=/etc/puppet/environments/development/modules/
fileserverconfig=/etc/puppet/fileserver.conf
# 修改puppet.conf 配置文件,重启服务
# systemctl restart puppetmaster.service
agent 配置有两种方法:
第一种 [agent] environment = testing 或者 enviroment=development 或者 enviroment=production
第二种 puppet agent --test --noop --environment [testing, development, production]
puppet 默认是production环境
[root@k8s1 example_env]# puppet config print | grep env
environment = production
puppet的文件服务器
fileserver.conf 生效的结果是结合puppet.conf 与auth.conf: 用于实现安全配置,例如agent能够或不能访问master端的那些文件。
[mount_point]
path /etc/puppet/file
allow hostname
allow_ip ip
deny all
auth.conf 配置文件:
认证配置文件,为puppet提供acl功能, 主要应用于puppet的Restful。
namespace.conf 用于控制名称空间的访问法则。
[puppetrun]
all node_hostname
名称空间:
fileserver, puppetmaster, puppetruners,puppetreports, resource
autosign.conf:
让master 在接受到agent 的证书签署后直接自动为其签署:
puppet kick 触发每个agent,agent从master直接请求。
puppet dashboard
安装puppet-dashboard:
# yum install rubygem-rake ruby-mysql
yum localinstall puppet-dashboard
gem install rake
实例:
所有服务器 ntpdate 放置在/etc/crontab 文件中,需要判断文件中是否有ntp时间,如果没有,添加ntpdate,并且重启crond服务
master 端: 1.新建ntptime 类,用于同步时间
mkdir -pv /etc/puppet/modules/ntptime/{files,manifests,spec,lib,templates,tests} 2. 编辑 /etc/puppet/modules/ntptime/manifests/init.pp 文件,写ntptime类
3. 修改总的资源清单 /etc/puppet/manifests/site.pp
4. master 测试语法是否错误
puppet parser validate /etc/puppet/modules/ntptime/manifests/init.pp
5. agent 测试是否能够执行
puppet agent --server=k8s2 --no-daemonize --noop --test -v
6. 重启agent
systemctl enable puppetagent.service
