centos6.5环境自动化运维之puppet实现nginx反向代理功能及puppet安装配置详解

  puppet是一种Linux、Unix、windows平台的集中配置管理系统，使用自有的puppet描述语言，可管理配置文件、用户、cron任务、软件包、系统服务等。puppet把这些系统实体称之为资源，puppet的设计目标是简化对这些资源的管理以及妥善处理资源间的依赖关系。
  puppet采用C/S星状的结构，所有的客户端和一个或几个服务器交互。每个客户端周期的（默认半个小时）向服务器发送请求，获得其最新的配置信息，保证和该配置信息同步。每个puppet客户端每半小时(可以设置)连接一次服务器端, 下载最新的配置文件,并且严格按照配置文件来配置客户端. 配置完成以后,puppet客户端可以反馈给服务器端一个消息. 如果出错,也会给服务器端反馈一个消息.

环境准备：

master:192.168.8.39
agent1:192.168.8.44
agent2:192.168.8.45


需要添加对主机名的解析
# vim /etc/hosts


192.168.8.39 node2.chinasoft.com node2
192.168.8.44 node44.chinasoft.com node44
192.168.8.45 node45.chinasoft.com node45
将解析传送到两个节点中
# scp /etc/hosts 192.168.8.44:/etc/
# scp /etc/hosts 192.168.8.45:/etc/

一、服务端软件的安装

# yum install -y facter-1.7.3
# yum install -y puppet-2.7.25
# yum install puppet-server-2.7.25


默认的yum源中没有puppet软件，可以自定义puppet官方的yum源获取
# cd /etc/yum.repos.d
# vim puppet.repo


[puppet]
name=Puppet Project
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
enabled=1
gpgcheck=0
cost=300

二、服务端master配置：

在主机上安装nginx(方便获取模板文件)
# yum install -y nginx
# cd /etc/puppet/modules/
# mkdir -pv nginx/{manifests,files,templates}


创建主类
# vim /etc/puppet/modules/nginx/manifests/init.pp
class nginx {
        package {'nginx':
                ensure => installed,
        }


        file {'nginx.conf':
                ensure => file,
                content => template('nginx/nginx.conf.erb'),
                path   => '/etc/nginx/nginx.conf',
                require => Package['nginx'],
                mode    => '0644',
        }
}


创建web继承类
# vim /etc/puppet/modules/nginx/manifests/web.pp
class nginx::web inherits nginx{
        file {'nginx.web.conf':
                ensure => file,
                source => "puppet:///modules/nginx/nginx.web.conf",
                path => '/etc/nginx/conf.d/default.conf',
                require => Package['nginx'],
                mode => '0644',
        }


        service {'nginx':
                ensure => true,
                enable => true,
                restart => '/etc/init.d/nginx reload',
                subscribe => File['nginx.conf','nginx.web.conf'],
        }


}


创建反向代理rproxy.pp类
# vim /etc/puppet/modules/nginx/manifests/rproxy.pp
class nginx::rproxy inherits nginx{


        file {'nginx.rproxy.conf':
                ensure => file,
                source => "puppet:///modules/nginx/nginx.rproxy.conf",
                path => '/etc/nginx/conf.d/default.conf',
                require => Package['nginx'],
                mode => '0644',
        }


        service{'nginx':
                ensure => true,
                enable => true,
                restart => '/etc/init.d/nginx reload',
                subscribe => File['nginx.conf','nginx.rproxy.conf'],
        }
}


也可以通过puppet调用的方式安装nginx
[root@node2 manifests]# puppet apply -d -v -e 'include nginx'
# vim local.pp
node 'node2.chinasoft.com'{
        include nginx
}
# puppet apply local.pp


创建模板配置文件
# cp /etc/nginx/nginx.conf templates/
# vim /etc/puppet/modules/nginx/templates/nginx.conf 

worker_processes  <%= @processorcount %>;

# mv /etc/puppet/modules/nginx/templates/nginx.conf /etc/puppet/modules/nginx/templates/nginx.conf.erb


分别定义web定义nginx.web.conf和反向代理nginx.rproxy.conf 
# cp /etc/nginx/conf.d/default.conf  /etc/puppet/modules/nginx/files/nginx.rproxy.conf 

# cp /etc/nginx/conf.d/default.conf  /etc/puppet/modules/nginx/files/nginx.web.conf 

# vim /etc/puppet/modules/nginx/files/nginx.rproxy.conf

显示master的过程
# puppet master --no-daemonize -d -v 
将默认的配置导入
# puppet master --genconfig >> /etc/puppet/puppet.conf
启动主服务
# service puppetmaster start

三、客户端agent配置：

软件安装
# yum install facter-1.7.5-1.el6.x86_64.rpm puppet-2.7.25-1.el6.noarch.rpm -y
请求证书
[root@node44 ~]# puppet agent --server node2.chinasoft.com -d -v --noop --test


服务端：
[root@node2 manifests]# puppet cert list
  "localhost.chinasoft.com" (6B:F4:26:12:92:BE:08:F8:90:49:9B:21:D7:25:89:86)
  "node44.chinasoft.com"    (E5:1D:A1:49:E4:D8:61:90:87:B5:DD:7B:0F:FD:EE:46)


颁发证书
[root@node2 manifests]# puppet cert sign node44.chinasoft.com


客户端再次执行请求
[root@node44 ~]# puppet agent --server node2.chinasoft.com -d -v --noop --test

在服务端定义node44节点，并导入

[root@node2 manifests]# cd /etc/puppet/manifests/
[root@node2 manifests]#vim  node44.chinasoft.com.pp
node 'node44.chinasoft.com' {
        include nginx::web
}
[root@node2 manifests]# vim site.pp
import "*.chinasoft.com.pp"


客户端请求
[root@node44 ~]# puppet agent --server node2.chinasoft.com -d -v --test


通过查看可以看到nginx已经顺利安装

四、添加新的客户端节点8.45

# yum install -y epel-release
# yum install facter-1.7.5-1.el6.x86_64.rpm puppet-2.7.25-1.el6.noarch.rpm -y
启动服务

# service puppet start

添加server

# vim /etc/puppet/puppet.conf 

在master上颁发证书并定义node45的节点信息
[root@node2 nginx]# puppet cert list
  "localhost.chinasoft.com" (6B:F4:26:12:92:BE:08:F8:90:49:9B:21:D7:25:89:86)
  "node45.chinasoft.com"    (20:4C:8D:C3:66:E2:1A:31:E3:40:25:C6:79:8B:BA:3A)
[root@node2 nginx]# puppet cert sign node45.chinasoft.com
notice: Signed certificate request for node45.chinasoft.com
notice: Removing file Puppet::SSL::CertificateRequest node45.chinasoft.com at '/var/lib/puppet/ssl/ca/requests/node45.chinasoft.com.pem'
[root@node2 ~]# vim /etc/puppet/manifests/node45.chinasoft.com.pp
node 'node45.chinasoft.com'{
include nginx::rproxy
}


客户端手动请求(默认可能需要30分钟master向agent推送)
# 
[root@node45 ~]# puppet agent --server node2.chinasoft.com -d -v --test

常用核心组件使用定义举例：

1、软件包及服务管理


# cat nginx.pp 
package {'nginx':
ensure => present,
name => nginx,
}


service {'nginx':
ensure => true,
name   => nginx,
enable => true,
}


# puppet apply nginx.pp 


2、文件属性
file {'/tmp/abc.txt':
        ensure => present,
        content => 'Hello puppet',
}


[root@node5 tmp]# ls
abc.txt  nginx.pp  test1.pp  test2.pp  test.pp
[root@node5 tmp]# cat abc.txt
Hello puppet


# vim test3.pp


file {'abc.txt':
ensure => present,
content => 'hello puppet',
path    => '/tmp/abc2.txt',
}


file {'fstab.symlink':
ensure => present,
target => '/etc/fstab',
path   => '/tmp/fstab.symlink',
}


3、exec命令
# vim test5.pp 
exec {'echo command':
command => 'mktemp /tmp/tmp.XXXX',
path => '/bin:/sbin:/usr/bin:/usr/sbin',
}


4、依赖关系


# vim test6.pp 
package {'nginx':
ensure => present,
name => nginx,
}


service {'nginx':
ensure => true,
name => nginx,
enable => true,
require => Package['nginx'],
}


# cat test7.pp 
file {'/tmp/test4.txt':
ensure => file,
content => 'hello puppet',
}


exec {'monitor':
command => 'echo "/tmp/text4.txt changed" >> /tmp/monitor.txt',
subscribe => File['/tmp/test4.txt'],
path => '/bin:/sbin:/usr/bin:/usr/sbin',
}


添加refreshonly => true 仅当改变时：
file {'/tmp/test4.txt':
ensure => file,
content => 'hello puppet',
}


exec {'monitor':
command => 'echo "/tmp/text4.txt changed" >> /tmp/monitor.txt',
refreshonly => true,
subscribe => File['/tmp/test4.txt'],
path => '/bin:/sbin:/usr/bin:/usr/sbin',
}


5、对用户及组管理
生成密码：
# openssl passwd -1 -salt `openssl rand -hex 4`


# cat test8.pp 
group {'testgrp':
ensure => present,
gid    => 1001,
} ->


user {'testuser':
ensure => present,
gid    => 1001,
uid    => 1001,
home   => '/home/test',
shell  => '/bin/tcsh',
password => '$1$7de78495$Of24FLn9EsKbhxxZlZFmF.',
managehome => true,
}


# vim file.pp
file {'/tmp/file1.txt':
ensure => file,
content => 'hello jack',
notify => Notify['notice'],
}


notify {'notice': message => '/tmp/file1.txt has changed',}


变量名的使用


# vim package1.pp 
$pkgname='httpd'


package{$pkgname:
        ensure => present,
}


service {$pkgname:
        ensure => true,
        enable => true,
        name => httpd,
        require => Package[$pkgname],
}

系统变量的引用：

执行facter可以打印出系统的变量
# facter
# cat sysinfo.txt 
 CentOS 
 RedHat 
 4 
 [root@node5 tmp]# cat facter.pp 
file {'/tmp/sysinfo.txt':
ensure => file,
content => " $operatingsystem \n $osfamily \n $processorcount \n $kernal"
}


# vim facter2.pp


$webserver = $operatingsystem ? {
/^(?i-mx:centos|fedora|redhat)/ => 'httpd',
/^(?i-mx:ubuntu|debian)/ => 'apache2',
}


$webprovider = $operatingsystem ? {
/^(?i-mx:centos|fedora|redhat)/ => 'yum',
/^(?i-mx:ubuntu|debian)/ => 'apt',
}


package {"$webserver":
ensure => present,
provider => $webprovider,
}


case语句方式
# vim facter3.pp
case $operatingsystem {
        /^(?i-mx:centos|redhat|fedora)/: {package {'httpd' : ensure => present, provider => 'yum',}}
        /^(?i-mx:ubuntu|debian)/: {package {'apache2' : ensure => present, provider => 'apt',}}
        default: {notify {'notice': message => 'unknown system',}}
}


class类的使用


# cat class1.pp 
class nginx {
package {'nginx':
ensure => present,
name => 'nginx',
}

service {'nginx':
ensure => true,
name => 'nginx',
require => Package['nginx'],
enable => true,
}
}


include nginx # 调用实例


定义类调用
# cat class2.pp 
$webserver = $operatingsystem ? {
/^(?i-mx:centos|redhat|fedora)/ => 'httpd',
/^(?i-mx:ubuntu|debian)/ => 'apache2',
}


class httpd ($pkgname = 'apache2') {
package {"$pkgname":
ensure => present,
name   => $pkgname,
}

service {"$pkgname" :
ensure => true,
enable => true,
require => Package["$pkgname"],
name => $pkgname,
}
}


class {'httpd':
pkgname => $webserver,
}

puppet高级功能之自动签发证书

1、自动签发证书
可以设置master自动签发所有的证书，我们只需要在/etc/puppet 目录下创建 autosign.conf 文件。（不需要修改 /etc/puppet/puppet.conf文件，因为我默认的autosign.conf 文件的位置没有修改）


服务端配置：
cat > /etc/puppet/autosign.conf <<EOF
*.chinasoft.com
EOF
这样就会对所有来自 magedu.com 的机器的请求，都自动签名


# cd /etc/puppet/manifests


添加node5主机的模板
# vim node5.chinasoft.com.pp 
node 'node5.chinasoft.com' {
        include nginx::web
}
重新加载让配置生效
# service puppetmaster reload


node5客户端：
添加对master主机的解析
192.168.8.41 node3.chinasoft.com node3
安装puppet客户端
# yum localinstall -y facter-1.7.5-1.el6.x86_64.rpm puppet-2.7.25-1.el6.noarch.rpm 
执行请求
# puppet agent --server node2.chinasoft.com -v -d --test


可以看到nginx已经成功安装


可以通过在网站搜索别人已经配置好的软件安装模板
http://forge.puppetlabs.com