As the various lines of business come to depend more and more on IT, the scale of enterprise IT infrastructure keeps growing. How should we, as system engineers, cope with this ever-growing IT architecture? In the past a system engineer was like a worker on an assembly line, repeating the same tasks over and over; that is about to change, because we are going to introduce the operations automation tool Puppet.
To achieve this we introduce a set of "programmable" tools: the system administrator only has to write a few lines of "code" for them and they carry out all the work automatically. This set of tools is the operations automation tool Puppet. In some large Internet companies, operations automation manages hundreds or even thousands of servers; it can perform the same operation on many servers at once, such as deploying the same software or carrying out a unified rollout and maintenance, and it completes rollouts quickly, reducing manpower and the risk of human error.
How Puppet works:
Puppet's aim is to let the administrator concentrate only on the targets to be managed and ignore the details of how that is achieved. Puppet can be used on a single machine or in a client/server (C/S) structure. When Puppet is used at scale the C/S structure is the norm: in it the Puppet client runs only puppetclient and the Puppet server runs only puppetmaster.
Puppet workflow
1. The puppet on the client calls facter (facter is a tool that collects, probes and analyses the client's configuration information, with SSL encryption); facter discovers a number of host variables such as the hostname, memory size and IP address. Puppet sends this information to the server over the SSL connection.
2. puppetmaster on the server uses the facter data to identify the client's hostname, then finds the matching node configuration in the project's main manifest and parses that part. The information sent by facter can be used as variables; only the code the node involves is parsed, the rest is left alone. Parsing happens in stages: first a syntax check, and if the syntax is correct parsing continues and produces an intermediate "pseudo-code", which is then sent to the client.
3. The client receives the "pseudo-code" and executes it, then sends the execution result to the server.
4. The server writes the client's execution result to its log.
Two points about how Puppet works deserve attention:
1. For security, communication between Client and Master is based on SSL and certificates; only a Client whose certificate has been signed by the Master can talk to the Master.
2. Puppet keeps the system in the state people expect and maintains it there, for example checking that a file exists and keeping it that way, or keeping the ssh service running; if the file is deleted or the ssh service is stopped, Puppet recreates the file or starts the ssh service on its next run (every 30 minutes by default).
Case environment:
Building the puppetmaster
In a small Puppet environment one usually edits /etc/hosts; with thousands of servers you need to set up your own DNS server so that services can reach each other by hostname. In this experiment we edit /etc/hosts.
192.168.10.10 masterpuppet
vim /etc/sysconfig/network
Change to HOSTNAME=master.test.cn
vim /etc/hosts
Add the following lines
192.168.10.10 master.test.cn
192.168.10.11 client.test.cn
192.168.10.12 client12.test.cn
[aaa@qq.com /]# hostname
master.test.cn
[aaa@qq.com /]# bash
[aaa@qq.com /]# yum -y install ntp --install the NTP server on 192.168.10.100
vim /etc/ntp.conf
Add two lines
server 127.127.1.0
fudge 127.127.1.0 stratum 8
These make ntpd fall back to the local clock (the 127.127.1.0 driver, which the fudge line marks as stratum 8) and serve it to NTP clients when none of the servers defined in /etc/ntp.conf is reachable.
[aaa@qq.com /]# service ntpd start
正在启动 ntpd: [确定]
[aaa@qq.com /]# chkconfig ntpd on
Install ntp on masterpuppet
[aaa@qq.com /]# yum -y install ntp
[aaa@qq.com /]# ntpdate 192.168.10.100 --point at the NTP server
15 Jun 20:57:47 ntpdate[3698]: step time server 192.168.10.100 offset 274.790513 sec
Install ruby
compat-readline5 must be installed first
[aaa@qq.com /]# rpm -ivh /media/CentOS_6.5_Final/Packages/compat-readline5-5.2-17.1.el6.x86_64.rpm
Preparing... ########################################### [100%]
package compat-readline5-5.2-17.1.el6.x86_64 is already installed
[aaa@qq.com /]#
[aaa@qq.com Packages]# yum -y install ruby
[aaa@qq.com Packages]# ruby -v --check the version
ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]
Install puppet and facter
[aaa@qq.com /]# useradd -s /sbin/nologin puppet
[aaa@qq.com /]# tar -zxf facter-1.7.1.tar.gz
[aaa@qq.com /]# cd facter-1.7.1
[aaa@qq.com facter-1.7.1]# ls
acceptance bin CONTRIBUTING.md documentation etc ext Gemfile install.rb lib libexec LICENSE man Rakefile README.md spec
[aaa@qq.com facter-1.7.1]# ruby install.rb
[aaa@qq.com /]#
[aaa@qq.com /]# tar zxf puppet-2.7.21.tar.gz
[aaa@qq.com /]# cd puppet-2.7.21
[aaa@qq.com puppet-2.7.21]# ruby install.rb
[aaa@qq.com puppet-2.7.21]# cp conf/redhat/fileserver.conf /etc/puppet/
[aaa@qq.com puppet-2.7.21]# cp conf/redhat/puppet.conf /etc/puppet/
[aaa@qq.com puppet-2.7.21]# cp conf/redhat/server.init /etc/init.d/puppetmaster
[aaa@qq.com puppet-2.7.21]#
[aaa@qq.com puppet-2.7.21]# chmod +x /etc/init.d/puppetmaster
[aaa@qq.com puppet-2.7.21]# mkdir /etc/puppet/manifests --create the main puppet directory
[aaa@qq.com puppet-2.7.21]# mkdir /etc/puppet/modules
[aaa@qq.com puppet-2.7.21]#
[aaa@qq.com puppet-2.7.21]# vim /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# Added line: path to the service modules
modulepath = /etc/puppet/modules:/usr/share/puppet/modules
Start the puppet master
[aaa@qq.com puppet-2.7.21]# /etc/init.d/puppetmaster start
启动 puppetmaster: [确定]
[aaa@qq.com puppet-2.7.21]#
Building the puppetclient
Plan the server hostname
[aaa@qq.com /]# hostname client.test.cn
[aaa@qq.com /]#
[aaa@qq.com /]# bash
[aaa@qq.com /]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.10.10 master.test.cn
192.168.10.11 client.test.cn
192.168.10.12 client12.test.cn
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[aaa@qq.com /]# yum -y install ntp --install the NTP service
[aaa@qq.com /]# ntpdate 192.168.10.100
15 Jun 22:42:13 ntpdate[61915]: step time server 192.168.10.100 offset -274.510582 sec
Install compat-readline5
Install ruby
[aaa@qq.com /]# rpm -ivh /media/CentOS_6.5_Final/Packages/compat-readline5-5.2-17.1.el6.x86_64.rpm
warning: /media/CentOS_6.5_Final/Packages/compat-readline5-5.2-17.1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID c105b9de: NOKEY
Preparing... ########################################### [100%]
package compat-readline5-5.2-17.1.el6.x86_64 is already installed
[aaa@qq.com /]# yum -y install ruby
[aaa@qq.com /]# useradd -s /sbin/nologin puppet
[aaa@qq.com /]# tar -zxf facter-1.7.1.tar.gz
[aaa@qq.com /]# cd facter-1.7.1
[aaa@qq.com facter-1.7.1]# ls
acceptance CONTRIBUTING.md etc Gemfile lib LICENSE Rakefile spec
bin documentation ext install.rb libexec man README.md
[aaa@qq.com facter-1.7.1]# ruby install.rb
[aaa@qq.com /]# tar zxf puppet-2.7.21.tar.gz
[aaa@qq.com /]# cd puppet-2.7.21
[aaa@qq.com puppet-2.7.21]# ls
bin examples install.rb Rakefile spec
CHANGELOG ext lib README_DEVELOPER.md tasks
conf Gemfile LICENSE README.md test
CONTRIBUTING.md Gemfile.lock man sbin
[aaa@qq.com puppet-2.7.21]# ruby install.rb
[aaa@qq.com puppet-2.7.21]# cp conf/redhat/puppet.conf /etc/puppet
[aaa@qq.com puppet-2.7.21]# cp conf/redhat/client.init /etc/init.d/puppetclient
[aaa@qq.com puppet-2.7.21]# chmod +x /etc/init.d/puppetclient
[aaa@qq.com puppet-2.7.21]#
[aaa@qq.com /]# vim /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# Added line: the master's hostname
server = master.test.cn
Register on puppetclient1 and puppetclient2 respectively
[aaa@qq.com /]# puppet agent --server=master.test.cn --no-daemonize --verbose
info: Creating a new SSL key for client.test.cn
info: Caching certificate for ca
info: Creating a new SSL certificate request forclient.test.cn
info: Certificate Request fingerprint (md5):64:7B:EF:54:72:45:2A:F1:95:A5:BE:0E:68:BD:39:09
^CCancelling startup --stop with Ctrl+C: Puppet keeps waiting for work, but the request can already be seen from the server
[aaa@qq.com /]# puppet cert --list --list the clients that have requested registration
"client.test.cn" (64:7B:EF:54:72:45:2A:F1:95:A5:BE:0E:68:BD:39:09)
"client12.test.cn" (B5:0C:8C:5E:5B:D9:61:09:76:13:F1:E2:62:4D:AB:0C)
[aaa@qq.com /]#
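Before any listed request is signed, the fingerprint the agent printed on the client console should be compared with the one the master shows for that hostname, and `puppet cert --sign <name>` run on the master only on a match (that signing step has to happen before the first `puppet agent -t` below). The shell check below is an added example, not part of the original tutorial; the fingerprint and the `puppet cert --list` output are constructed copies of the values shown above.

```shell
#!/bin/sh
# Added example: confirm the fingerprint shown on the client matches the master's
# pending request for that hostname before signing it. Inputs are constructed samples.

# Fingerprint printed by `puppet agent --no-daemonize --verbose` on client.test.cn
AGENT_FP_CLIENT="64:7B:EF:54:72:45:2A:F1:95:A5:BE:0E:68:BD:39:09"

# Constructed copy of `puppet cert --list` output on the master
CERT_LIST='"client.test.cn" (64:7B:EF:54:72:45:2A:F1:95:A5:BE:0E:68:BD:39:09)
"client12.test.cn" (B5:0C:8C:5E:5B:D9:61:09:76:13:F1:E2:62:4D:AB:0C)'

# master_fingerprint NAME LIST: print the fingerprint pending for NAME (nothing if absent)
master_fingerprint() {
    printf '%s\n' "$2" | awk -v want="\"$1\"" \
        '$1 == want { gsub(/[()]/, "", $2); print $2; exit }'
}

# should_sign NAME AGENT_FP LIST: succeed only when a request for NAME is pending
# and its fingerprint equals the one read off the client's console
should_sign() {
    mfp=$(master_fingerprint "$1" "$3")
    [ -n "$mfp" ] && [ "$mfp" = "$2" ]
}

# sign_if_verified NAME AGENT_FP LIST: print the sign command on a match; on the
# master, replace the printf with a real `puppet cert --sign "$1"`
sign_if_verified() {
    if should_sign "$1" "$2" "$3"; then
        printf 'puppet cert --sign %s\n' "$1"
    else
        printf 'REFUSED: no pending request for %s with that fingerprint\n' "$1" >&2
        return 1
    fi
}

sign_if_verified client.test.cn "$AGENT_FP_CLIENT" "$CERT_LIST"
```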
Configure a test node
Node information: /etc/puppet/manifests/nodes
Module information: /etc/puppet/modules
To protect the Linux ssh port, change the sshd port on the clients in bulk from 22 to 9922 and restart the service.
Create the ssh module. The module directory is ssh and contains three subdirectories: manifests, templates and files.
manifests must contain a file named init.pp, the module's initial (entry) file; when a module is imported, execution starts from init.pp. You can put all the code in init.pp, or split it into several .pp files that init.pp then includes; the class must be named ssh so that it can be invoked.
The files directory is the module's file distribution directory; Puppet provides a file distribution mechanism similar to rsync modules.
The templates directory holds erb template files, which relate to the template attribute of the file resource (rarely used).
Master side:
Create the required directories
[aaa@qq.com /]# mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}
[aaa@qq.com /]# mkdir /etc/puppet/manifests/nodes
[aaa@qq.com /]# mkdir /etc/puppet/modules/ssh/files/ssh
[aaa@qq.com /]# chown -R puppet /etc/puppet/modules/
[aaa@qq.com /]#
[aaa@qq.com /]# ll /etc/puppet/modules/ssh/
总用量 12
drwxr-xr-x. 3 puppet root 4096 6月 15 23:01 files
drwxr-xr-x. 2 puppet root 4096 6月 15 23:00 manifests
drwxr-xr-x. 2 puppet root 4096 6月 15 23:00 templates
[aaa@qq.com /]#
Create the module configuration file install.pp
[aaa@qq.com /]# vim /etc/puppet/modules/ssh/manifests/install.pp
class ssh::install {            # first make sure the ssh service is installed on the client
  package { "openssh":
    ensure => present,
  }
}
Create the module configuration file config.pp
[aaa@qq.com /]# vim /etc/puppet/modules/ssh/manifests/config.pp
class ssh::config {                           # the file that needs to be synchronised
  file { "/etc/ssh/sshd_config":              # file the client must keep in sync
    ensure  => present,                       # the file must exist on the client
    owner   => "root",                        # owning user
    group   => "root",                        # owning group
    mode    => "0600",                        # permissions
    source  => "puppet://$puppetserver/modules/ssh/ssh/sshd_config",  # fetched from the server
    require => Class["ssh::install"],         # install.pp must have run: ssh is installed
    notify  => Class["ssh::service"],         # tell service.pp when this file changes
  }
}
Create the module configuration file service.pp
[aaa@qq.com /]# vim /etc/puppet/modules/ssh/manifests/service.pp
class ssh::service {
  service { "sshd":
    ensure     => running,                    # ssh must be running
    hasstatus  => true,                       # the service supports a status command, like "service sshd status"
    hasrestart => true,                       # like "service sshd restart"
    enable     => true,                       # start at boot
    require    => Class["ssh::config"],       # config.pp must have been applied
  }
}
Create the module's main configuration file init.pp
[aaa@qq.com /]# vim /etc/puppet/modules/ssh/manifests/init.pp
class ssh {                                   # load the configuration files above
  include ssh::install, ssh::config, ssh::service
}
Create the unified ssh maintenance file on the server
Since the server's and the clients' sshd_config files are identical by default, copy the server's /etc/ssh/sshd_config to the module's default path
[aaa@qq.com /]# cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/ssh/
[aaa@qq.com /]# chown puppet /etc/puppet/modules/ssh/files/ssh/sshd_config
Create the test node configuration file and load ssh into it
[aaa@qq.com /]# vim /etc/puppet/manifests/nodes/ssh.pp
node 'client.test.cn' {
  include ssh
}
node 'client12.test.cn' {
  include ssh
}
Load the test node into Puppet, i.e. edit site.pp
[aaa@qq.com /]# vim /etc/puppet/manifests/site.pp
import "nodes/ssh.pp"
Edit the sshd_config maintained on the server
[aaa@qq.com /]# vim /etc/puppet/modules/ssh/files/ssh/sshd_config
GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
Port 9922
ListenAddress 0.0.0.0
ListenAddress ::
# Protocol 2,1
Restart puppet
[aaa@qq.com /]# /etc/init.d/puppetmaster restart
停止 puppetmaster: [确定]
启动 puppetmaster: [确定]
[aaa@qq.com /]#
Client side:
[aaa@qq.com ssh]# puppet agent -t
info: Caching catalog for client.test.cn
info: Applying configuration version '1497543609'
notice:/Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content:
--- /etc/ssh/sshd_config 2013-11-2306:40:03.000000000 +0800
+++ /tmp/puppet-file20170616-65106-1jwf8a9-0 2017-06-16 00:15:36.186586315 +0800
@@ -1,138 +1,61 @@
-# $OpenBSD:sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+# $OpenBSD:ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
-# This is the sshd server system-wide configurationfile. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled withPATH=/usr/local/bin:/bin:/usr/bin
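Review bot: the `+` header line shows that the file being pushed from modules/ssh/files/ssh/ is the client ssh_config (`$OpenBSD: ssh_config,v 1.25`), not the sshd_config it replaces (`sshd_config,v 1.80` on the `-` side), and the keywords in the edited file above (BatchMode, CheckHostIP, StrictHostKeyChecking, IdentityFile) are ssh client options, not daemon options. It works here only because the lines left uncommented (GSSAPIKeyExchange, AddressFamily, Port, ListenAddress) are also valid sshd keywords; the served file should be re-copied from a real /etc/ssh/sshd_config and validated with `sshd -t -f <file>` before it is pushed to every client.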
Verification:
vim /etc/ssh/sshd_config
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
Port 9922
# ListenAddress 0.0.0.0
# ListenAddress ::
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
Server push synchronisation
For large-scale deployments, use the server push mode
Client side:
vim /etc/puppet/puppet.conf
Append at the end
listen = true --make puppet listen on port 8139
vim /etc/puppet/auth.conf --the authentication file auth.conf defines authentication information and access permissions
Append at the end
allow * --allow any server to push
Start the puppet client
/etc/init.d/puppetclient start
The content of /etc/ssh/sshd_config is as follows
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Confirm that the ssh service is running
netstat -tunlp | grep ssh
Master side:
Start pushing to the client
puppet kick client12.test.cn
Check the result
vim /etc/ssh/sshd_config
Port 9922
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
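As an added example that is not part of the original tutorial, the post-push check on each client can be scripted instead of read off vim: parse the effective Port directives of sshd_config and the `netstat -tunlp` listeners. The config excerpts and netstat lines are constructed samples based on the output shown above; the extra CFG_BOTH case shows that adding `Port 9922` without removing `Port 22` leaves sshd on both ports, because sshd honours every uncommented Port directive.

```shell
#!/bin/sh
# Added example: verify on a client that sshd really moved from 22 to 9922 after the
# push. All inputs below are constructed samples, not captured from the tutorial hosts.

# Constructed sshd_config excerpts: before the push and after it
CFG_BEFORE='#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::'
CFG_AFTER='Port 9922
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::'
# Constructed: a half-done edit that adds 9922 but leaves 22 active as well
CFG_BOTH='Port 22
Port 9922'
# Constructed `netstat -tunlp` lines on a client after the sshd restart
NETSTAT_AFTER='tcp  0  0 0.0.0.0:9922  0.0.0.0:*  LISTEN  1203/sshd
tcp  0  0 :::9922  :::*  LISTEN  1203/sshd
udp  0  0 0.0.0.0:123  0.0.0.0:*  988/ntpd'

# sshd_ports CONFIG: print every port sshd would bind, one per line (22 when none is
# set). Keywords are case-insensitive, so "port 9922" counts but "#Port 22" does not.
sshd_ports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "port"    { print $2; n++ }
        END { if (!n) print 22 }'
}

# port_moved CONFIG WANT OLD: succeed only when WANT is configured and OLD is not
port_moved() {
    ports=$(sshd_ports "$1")
    printf '%s\n' "$ports" | grep -qx "$2" && ! printf '%s\n' "$ports" | grep -qx "$3"
}

# sshd_listening NETSTAT PORT: succeed when an sshd LISTEN socket on PORT is present
sshd_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF ~ /\/sshd$/ && $(NF-1) == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# verify_client CONFIG NETSTAT: the whole check for one client; exit 0 means OK
verify_client() {
    port_moved "$1" 9922 22 && sshd_listening "$2" 9922
}

verify_client "$CFG_AFTER" "$NETSTAT_AFTER" && echo "client OK: sshd moved to 9922"
```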