Configuration Management: Puppet Installation and Use (1)

Posted on 10/20/2014 9:47:45 AM
1. Introduction to Puppet

System administrators are often stuck in a series of repetitive tasks: upgrading packages, managing configuration files and system services, maintaining cron jobs, adding new configuration, fixing bugs, and so on. These tasks are repetitive and inefficient, and the first response is to automate them, so custom scripts appear. Because environments are complex, such scripts and applications are written again and again, are hard to port across platforms, and offer no guarantee of flexibility or functionality. This is the gap that automated configuration management tools like Puppet fill.

In the open source world there are many configuration tools to choose from; some of the key products in this space are:

    Puppet (http://puppet.reductivelabs.com/): a configuration management tool written in Ruby with a client/server (C/S) architecture; clients are configured using a declarative language.
    Cfengine (http://www.cfengine.org): one of the first open source configuration tools, released in 1993; also a C/S architecture, commonly used in educational institutions.
    LCFG (http://www.lcfg.org/): a C/S configuration management tool that uses XML to define configurations.
    Bcfg2: a C/S configuration management tool written in Python that uses specifications and client responses to configure the target host.

This document describes how to use Puppet to manage your hosts, applications, daemons, and services.

About Puppet:

1. What is Puppet used for?

Puppet is an open-source, Ruby-based system configuration management tool with a C/S deployment architecture. Its main developer is Luke Kanies, and it is released under the GPLv2 license. Kanies has worked in UNIX system administration since 1997, and Puppet grew out of that experience. Dissatisfied with the available configuration tools, he began developing his own at Reductive Labs between 2001 and 2005. Soon afterwards Reductive Labs released its flagship product, Puppet.

2. Features of Puppet

Many system configuration management tools, such as cfengine, work very similarly. What makes Puppet unique?

Puppet's syntax lets you write a single script that creates a user on all of your target hosts. Each target host interprets the module and carries it out using the mechanism appropriate to the local system: if the configuration is applied on a Red Hat server, the user is created with the useradd command; if it is applied on a FreeBSD host, the adduser command is used.

Another remarkable aspect of Puppet is its flexibility. Because it is open source, you can freely obtain Puppet's source code, and if you run into problems and have the skills, you can modify or extend the code to suit your environment. Community developers and contributors also continue to enhance Puppet's capabilities, and a large community of developers and users provides documentation and technical support.

Puppet is also easy to extend: support for custom packages and special system environments can be added to Puppet quickly and easily.

3. Puppet's working mode

Puppet is a C/S configuration management tool. The puppet-server package (the Puppet master) is installed on a central server, and the Puppet client software (the Puppet client) is installed on each host to be managed. When a client connects to the master, the configuration defined on the master is compiled and then applied on the client. By default each client contacts the server every half hour to check for configuration updates; if there is new or changed configuration, it is recompiled and pushed to each client for execution. You can also trigger an update from the server to force each client to apply its configuration. If a client's configuration has been changed locally, it retrieves the original configuration from the server and corrects it.

4. The future of Puppet

Finally, Puppet is a young tool that is still under active development. The Puppet community is growing rapidly, and new ideas are constantly being incorporated, so development, updates, and new modules appear every day.

2. Configuration and installation (Puppet 2.6.4 on CentOS 5.4):

Configure the repository on both the Puppet server and the client:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
[root@puppetmaster ~]# vi /etc/yum.repos.d/epel.repo
Add the following:
[epel-puppet]
name=epel puppet
baseurl=http://tmz.fedorapeople.org/repo/puppet/epel/5/$basearch/
enabled=0
gpgcheck=0

Add the repository puppet.repo:
[root@puppetmaster ~]# vi /etc/yum.repos.d/puppet.repo
[puppetlabs]
name=Puppet Labs Packages
baseurl=http://yum.puppetlabs.com/base/
enabled=0
gpgcheck=0

Puppet Master Installation:
[root@puppetmaster ~]# yum --enablerepo=epel,epel-puppet install puppet-server

Edit /etc/hosts and add the following two records:
[root@puppetmaster ~]# vi /etc/hosts
192.168.0.10    puppetmaster.leju.com   puppet
192.168.0.100   puppetclient.leju.com

Configuring Puppet:
[root@puppetmaster ~]# cd /etc/puppet/
[root@puppetmaster puppet]# vi puppet.conf

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
    server = puppetmaster.leju.com
    report = true
    listen = true

[master]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    autosign = true
    reports = store
   
[root@puppetmaster puppet]# vi fileserver.conf
[files]
    path /etc/puppet/files
    allow *

[modules]
    allow *

[plugins]
    allow *

[root@puppetmaster puppet]# mkdir /etc/puppet/files
   
[root@puppetmaster puppet]# cd manifests/
Create site.pp, which is the puppet entry configuration file:
[root@puppetmaster manifests]# vi site.pp
import "modules.pp"
import "roles.pp"
import "nodes.pp"

# General settings for standard types
Exec { path => "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" }

filebucket { main: server => "puppetmaster.leju.com" }
File { backup => main }

Create modules.pp to import modules:
[root@puppetmaster manifests]# vi modules.pp
import "test"

Create roles.pp to define server roles:
[root@puppetmaster manifests]# vi roles.pp
class baseclass {
        include test
}

Create nodes.pp to configure the server nodes:
[root@puppetmaster manifests]# vi nodes.pp
node 'basenode' {
        include baseclass
}

node 'puppetclient.leju.com' inherits basenode {
        tag("test")
}

node 'puppetmaster.leju.com' inherits basenode {
        tag("test")
}

[root@puppetmaster manifests]# cd ..
[root@puppetmaster puppet]# mkdir modules
[root@puppetmaster puppet]# cd modules
Create a test module:
[root@puppetmaster modules]# mkdir -p test/manifests/
[root@puppetmaster modules]# mkdir test/files/
[root@puppetmaster modules]# cd test/files/
[root@puppetmaster files]# vi test.txt
test line!
[root@puppetmaster files]# cd ../manifests/
Create a test class to deliver a file to the client:
[root@puppetmaster manifests]# vi init.pp
class test {
        file { "/tmp/test.txt":
                ensure  => present,
                group   => "root",
                owner   => "root",
                mode    => "0644",
                source  => "puppet:///test/test.txt"
        }
}

Launching Puppet Master:
[root@puppetmaster manifests]# /etc/init.d/puppetmaster start
Make sure port 8140 is listening.

Puppet client installation:
[root@puppetclient ~]# yum --enablerepo="epel,epel-puppet" install puppet

Edit /etc/hosts and add the following two records:
[root@puppetclient ~]# vi /etc/hosts
192.168.0.10    puppetmaster.leju.com   puppet
192.168.0.100   puppetclient.leju.com

Configuring the Puppet client:
[root@puppetclient ~]# cd /etc/puppet/
[root@puppetclient puppet]# vi puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    server = puppetmaster.leju.com
    report = true
    listen = true
   
[root@puppetclient puppet]# vi namespaceauth.conf
[puppetrunner]
    allow puppetmaster.leju.com
    allow *.leju.com
   
[root@puppetclient puppet]# vi auth.conf
Add allow * under the final stanza:
......
path /
auth any
allow *
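Several of the settings shown so far trade safety for convenience: autosign = true on the master, listen = true on the agent, allow * in every fileserver.conf mount, and allow * in the client's auth.conf. The following is an added example, not code from the original post or from Puppet itself: a small Python auditor that parses the INI-style puppet.conf and fileserver.conf and the path-stanza auth.conf and reports those settings so they can be reviewed deliberately. The sample file contents are constructed here to mirror the values used in this tutorial.

```python
"""Audit Puppet 2.6-style configuration text for permissive settings.

Added example (not from the post or from Puppet). Parses puppet.conf and
fileserver.conf ([section] blocks) and auth.conf (path stanzas) and returns
the settings a reviewer would want justified before going to production.
"""
import re

# Constructed samples mirroring the tutorial's values.
PUPPET_CONF = """\
[main]
    logdir = /var/log/puppet
[agent]
    server = puppetmaster.leju.com
    report = true
    listen = true
[master]
    autosign = true
    reports = store
"""

FILESERVER_CONF = """\
[files]
    path /etc/puppet/files
    allow *

[modules]
    allow *
"""

# Client-side auth.conf with 'allow *' added to the final stanza.
AUTH_CONF = """\
path /
auth any
allow *
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def _strip(raw):
    """Drop comments and surrounding whitespace; returns '' for blank lines."""
    return raw.split("#", 1)[0].strip()


def parse_ini(text):
    """Parse [section] blocks into {section: [(key, value), ...]}.

    Accepts both 'key = value' (puppet.conf) and 'key value' (fileserver.conf)
    and keeps repeated keys such as multiple 'allow' lines.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # settings before any section header are ignored
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        sections[current].append((key, value))
    return sections


def parse_auth(text):
    """Parse auth.conf into a list of {'path', 'auth', 'allow'} stanzas."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "path":
            current = {"path": value, "auth": None, "allow": []}
            stanzas.append(current)
        elif current is not None and key == "allow":
            current["allow"].append(value)
        elif current is not None and key == "auth":
            current["auth"] = value
    return stanzas


def audit(puppet_conf, fileserver_conf, auth_conf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    conf = parse_ini(puppet_conf)
    master = dict(conf.get("master", []))
    agent = dict(conf.get("agent", []))
    if master.get("autosign", "").lower() == "true":
        findings.append("puppet.conf [master]: autosign = true signs every "
                        "certificate request the master receives")
    if agent.get("listen", "").lower() == "true":
        findings.append("puppet.conf [agent]: listen = true opens the puppetrun "
                        "port; namespaceauth.conf/auth.conf decide who may trigger runs")
    for section, items in parse_ini(fileserver_conf).items():
        if any(k == "allow" and v == "*" for k, v in items):
            findings.append("fileserver.conf [%s]: allow * serves the mount to "
                            "every client" % section)
    for stanza in parse_auth(auth_conf):
        if "*" in stanza["allow"] and stanza["auth"] in ("any", "no"):
            findings.append("auth.conf path %s: allow * with auth %s means requests "
                            "need no client certificate" % (stanza["path"], stanza["auth"]))
    return findings


if __name__ == "__main__":
    for finding in audit(PUPPET_CONF, FILESERVER_CONF, AUTH_CONF):
        print(finding)
```

Run against the tutorial's values it reports five findings; replacing autosign = true with signing via puppet cert -s, and the wildcards with the *.leju.com pattern namespaceauth.conf already uses, brings that to zero.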

[root@puppetclient puppet]# cd
Execute puppetd:
[root@puppetclient ~]# puppetd --noop --test --trace --debug
If autosign=true is not set on the Puppet master, the certificate request must be listed and signed on the master:
[root@puppetmaster ~]# puppet cert -l
puppetclient.leju.com
[root@puppetmaster ~]# puppet cert -s puppetclient.leju.com
This signs puppetclient.leju.com. Then go back to the client and run:
[root@puppetclient ~]# puppetd --noop --test --trace --debug
With --noop the configuration is not actually applied on the client; it is mainly used for testing, to check the output for errors. Once it runs without errors, apply it for real:
[root@puppetclient ~]# puppetd --test --trace --debug

Check the file:
[root@puppetclient ~]# ll /tmp/
total 8
-rw-r--r-- 1 root root 11 Feb 25 22:35 test.txt
The file has been delivered.

It is also possible to push from the Puppet master:
[root@puppetmaster ~]# puppet kick -d --host puppetclient.leju.com
Triggering puppetclient.leju.com
Getting status
status is success
puppetclient.leju.com finished with exit code 0
Finished
A return code of 0 indicates that puppetd on the client was triggered successfully.

Set the puppet agent to start at boot:
chkconfig --level 2345 puppet on

Modify puppetmaster to use Passenger
Passenger is an Apache 2.x module for running Rails or Rack applications inside Apache. By default puppetmaster serves files with WEBrick; with many Puppet clients its file-serving performance will be poor, so to make puppetmaster more robust we let Apache serve them instead.

Installation:
[root@puppetmaster ~]# yum install httpd httpd-devel ruby-devel rubygems
Passenger 2.2.2 works fine on RHEL5.
Add the foreman.repo repository:
[root@puppetmaster ~]# vi /etc/yum.repos.d/foreman.repo
[foreman]
name=Foreman stable repository
baseurl=http://yum.theforeman.org/stable
gpgcheck=0
enabled=1
[root@puppetmaster ~]# yum install rubygem-passenger-2.2.2-1
[root@puppetmaster ~]# yum install rubygem-rack-1.0.1-1
[root@puppetmaster ~]# passenger-install-apache2-module

Installing the Apache SSL module:
[root@puppetmaster ~]# yum install mod_ssl

Configure the Puppet Rack application:
mkdir -p /etc/puppet/rack/puppetmasterd/
mkdir /etc/puppet/rack/puppetmasterd/public /etc/puppet/rack/puppetmasterd/tmp
cp /usr/share/puppet/ext/rack/files/apache2.conf /etc/httpd/conf.d/puppetmasterd.conf
cp /usr/share/puppet/ext/rack/files/config.ru /etc/puppet/rack/puppetmasterd/
chown puppet /etc/puppet/rack/puppetmasterd/config.ru

[root@puppetmaster ~]# vi /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-2.2.2/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.2
PassengerRuby /usr/bin/ruby
PassengerMaxPoolSize 30
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

[root@puppetmaster ~]# vi /etc/httpd/conf.d/puppetmasterd.conf
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.leju.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.leju.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions +StdEnvVars

        # The following client headers allow the same configuration to work with Pound.
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /etc/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /etc/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Modify the puppetmaster configuration file and add the following two lines:
[root@puppetmaster ~]# vi /etc/puppet/puppet.conf
[master]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
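Once Apache terminates TLS, the master never sees the client certificate itself; it trusts two values from the request environment, and the two settings above name which ones. With Passenger, SSLOptions +StdEnvVars in the vhost exports mod_ssl's SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY straight into that environment, which is why they are named here (the X-Client-* headers the vhost also sets are for a proxy such as Pound, where they arrive as HTTP_X_CLIENT_*). The following is an added example, not code from the post or from Puppet's own handler, that models this identity derivation; the CN regex and the simplified Apache environment are this example's own assumptions.

```python
"""Model how a master behind Apache + Passenger identifies a node.

Added example (not from the post or from Puppet). Shows why the DN header is
only trusted when mod_ssl reports SUCCESS, and why 'RequestHeader set' keeps
client-supplied identity headers from ever reaching the application.
"""
import re

# Keys named by the tutorial's ssl_client_header / ssl_client_verify_header.
SSL_CLIENT_HEADER = "SSL_CLIENT_S_DN"
SSL_CLIENT_VERIFY_HEADER = "SSL_CLIENT_VERIFY"

# Accepts OpenSSL's slash form (/C=XX/CN=host) and the comma form (CN=host,O=x).
# This regex is the example's own, not Puppet's.
CN_RE = re.compile(r"CN\s*=\s*([^,/]+)")


def apache_request_env(client_headers, mod_ssl_vars):
    """Simplified model of what the Rack app receives from the vhost above.

    client_headers: HTTP headers as sent by the connecting client.
    mod_ssl_vars:   what mod_ssl determined (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN).
    """
    env = {}
    for name, value in client_headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value  # CGI naming
    env.update(mod_ssl_vars)  # SSLOptions +StdEnvVars
    # 'RequestHeader set X-Client-DN ...' overwrites any same-named header the
    # client supplied, so these always reflect mod_ssl's result (empty if no cert).
    env["HTTP_X_CLIENT_DN"] = mod_ssl_vars.get("SSL_CLIENT_S_DN", "")
    env["HTTP_X_CLIENT_VERIFY"] = mod_ssl_vars.get("SSL_CLIENT_VERIFY", "")
    return env


def node_identity(env, dn_header=SSL_CLIENT_HEADER,
                  verify_header=SSL_CLIENT_VERIFY_HEADER):
    """Return (certname, authenticated).

    The DN is believed only when the verify result is SUCCESS, i.e. mod_ssl
    checked the certificate against the Puppet CA (SSLCACertificateFile) and
    its CRL (SSLCARevocationFile). With SSLVerifyClient optional, a client
    presenting no certificate yields NONE here and stays unauthenticated.
    """
    if env.get(verify_header) != "SUCCESS":
        return (None, False)
    match = CN_RE.search(env.get(dn_header, ""))
    if not match:
        return (None, False)
    return (match.group(1).strip(), True)


if __name__ == "__main__":
    # Constructed request: a client holding a certificate signed by the Puppet CA.
    good = apache_request_env({}, {"SSL_CLIENT_VERIFY": "SUCCESS",
                                   "SSL_CLIENT_S_DN": "/CN=puppetclient.leju.com"})
    print(node_identity(good))  # ('puppetclient.leju.com', True)
    # Constructed request: no certificate, but identity headers supplied by the client.
    forged = apache_request_env({"X-Client-Verify": "SUCCESS",
                                 "X-Client-DN": "/CN=puppetmaster.leju.com"},
                                {"SSL_CLIENT_VERIFY": "NONE"})
    print(node_identity(forged))  # (None, False)
    print(node_identity(forged, "HTTP_X_CLIENT_DN", "HTTP_X_CLIENT_VERIFY"))  # (None, False)
```

The practical consequence for the vhost above: keep SSLVerifyClient, the CA and CRL files, and the RequestHeader set lines together, because the master's only evidence of who is asking is what Apache writes into that environment. The vhost as shown also still offers SSLv3 (SSLProtocol -ALL +SSLv3 +TLSv1), which matched the stock Puppet 2.6 template of its time but should be dropped on any current deployment.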
   
Modify /etc/sysconfig/puppetmaster:
[root@puppetmaster ~]# vi /etc/sysconfig/puppetmaster
# Add the following line at the end:
PUPPETMASTER_EXTRA_OPTS="--reports store"
If you also need to report to foreman and puppet-dashboard, use this line instead:
PUPPETMASTER_EXTRA_OPTS="--reports store, foreman, puppet_dashboard"

Stop the puppetmaster service and start Apache:
[root@puppetmaster ~]# /etc/init.d/puppetmaster stop
[root@puppetmaster ~]# /etc/init.d/httpd start

Disable the puppetmaster service at boot and enable httpd instead:
[root@puppetmaster ~]# chkconfig --level 2345 puppetmaster off
[root@puppetmaster ~]# chkconfig --level 2345 httpd on

Make sure port 8140 is listening:
[root@puppetmaster ~]# netstat -tunlp |grep 8140
tcp        0      0 :::8140                     :::*                        LISTEN      9834/httpd

Test on the client to check whether any errors are logged:
[root@puppetclient ~]# puppetd --test --trace --debug
