Introduction
Puppet is an open source configuration management utility that lets the user automatically, and if needed remotely, manage multiple systems and their configuration. Puppet is declarative, meaning the user only has to request the state of a service or resource and does not need to think about how that state is reached.
In other words, imagine you are a system administrator managing hundreds of systems and you need to make sure that a particular resource, the hello package, is installed. To achieve this in the traditional way, the administrator would have to perform several checks before the actual installation: the current state of the package, the type of operating system platform, the install command to use on that platform. Because puppet is declarative, the user only defines the desired state of the package and puppet takes care of the rest. If our "hello" package is already installed, puppet does nothing; if it is not installed, puppet installs it.
Scenario
In our scenario we are not going to run hundreds of operating systems and try to manage them. Our goal is much simpler than that. In fact we will run only two separate systems, one running the puppet master and one running the puppet agent. Through the puppet master server we will then configure a remote node and install the "hello" package using the puppet agent. This will be done with the bare minimum configuration.
Terminology
- puppet master - the central server which hosts and compiles all agent configuration manifests
- puppet agent - a service which runs on a node and periodically checks the configuration state with the puppet master server, fetching the current configuration manifest
- manifest - the configuration file exchanged between the puppet master and the puppet agent
- node - an operating system running the puppet service
Scenario setup
In this tutorial I will simply refer to the two hosts as master and node1. The operating system used on both the master and node1 instances is Debian 8 Jessie. Ubuntu Linux can also be used as an alternative for this tutorial. The underlying network configuration does not matter. However, it is expected that node1 can resolve the master hostname, that both hosts are connected, and that the firewall has been configured to allow the puppet master and the node1 agent to communicate:
root@node1:/# ping -c 1 master
PING master (172.17.0.1): 56 data bytes
64 bytes from 172.17.0.1: icmp_seq=0 ttl=64 time=0.083 ms
--- master ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.083/0.083/0.083/0.000 ms
NOTE: Read the Appendix to see how to set up the above scenario quickly with Docker.
Puppet Master installation and configuration
Let's start with the puppet master installation:
root@master:~# apt-get install puppetmaster-passenger
The above command installs Puppet together with Apache and Passenger. Thus, instead of the typical WEBrick server, we will run the puppet master under Apache Passenger on port 8140. The default, automatically generated Apache Passenger configuration file can be found at /etc/apache2/sites-available/puppetmaster.conf:
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.

# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        SSLHonorCipherOrder on

        SSLCertificateFile /var/lib/puppet/ssl/certs/master.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
        # SSLCARevocationCheck chain
        SSLVerifyClient optional
        SSLVerifyDepth 1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
Looking at the configuration file above, we can see a number of SSL certificate paths that were generated automatically from the system hostname. Confirm that all listed certificate paths point to the correct puppet SSL certificates (the master's own certificate must carry the hostname the agents will use in their server setting). If they do not, new SSL certificates need to be generated. Note also that the SSLCARevocationCheck chain line is commented out: Debian 8 ships Apache 2.4, on which the CRL named by SSLCARevocationFile is ignored unless that directive is set, so an agent certificate revoked with puppet cert revoke would still be accepted. Uncomment it, and reload apache2 after any revocation so the updated CRL is read. If new certificates need to be generated, first remove the current ones:
root@master:~# rm -rf /var/lib/puppet/ssl
Next, run the puppet master in the foreground to watch the new certificates being generated. Once it is done, stop the process with the CTRL+C key combination:
root@master:~# puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): FA:D8:2A:0F:B4:0B:91:8C:01:AD:71:B4:49:66:1F:B1:38:BE:A4:4E:AF:76:16:D2:97:50:C8:A3:8F:35:CC:F2
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for master
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for master
Info: Certificate Request fingerprint (SHA256): 43:67:42:68:64:73:83:F7:36:2B:2E:6F:06:20:65:87:AB:61:96:2A:EB:B2:91:A9:58:8E:3F:F0:26:63:C3:00
Notice: master has a waiting certificate request
Notice: Signed certificate request for master
Notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/ca/requests/master.pem'
Notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/certificate_requests/master.pem'
Notice: Starting Puppet master version 3.7.2
^CNotice: Caught INT; calling stop
Before starting our puppet master we first need to create a default, blank configuration manifest:
root@master:~# > /etc/puppet/manifests/site.pp
Everything is now ready to make the puppet master (that is, apache2) start after reboot:
root@master:~# systemctl enable apache2
Synchronizing state for apache2.service with sysvinit using update-rc.d...
Executing /usr/sbin/update-rc.d apache2 defaults
Executing /usr/sbin/update-rc.d apache2 enable
and to start the puppet master by starting the apache web server:
root@master:~# service apache2 start
[ ok ] Starting web server: apache2.
root@master:~#
Confirm that the puppet master is running:
# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 20228 2016 ? Ss 11:53 0:00 /bin/bash
root 1455 0.0 0.0 98272 4600 ? Ss 12:40 0:00 /usr/sbin/apache2 -k start
root 1458 0.0 0.0 223228 1920 ? Ssl 12:40 0:00 PassengerWatchdog
root 1461 0.0 0.0 506784 4156 ? Sl 12:40 0:00 PassengerHelperAgent
nobody 1466 0.0 0.0 226648 4892 ? Sl 12:40 0:00 PassengerLoggingAgent
www-data 1476 0.0 0.0 385300 5116 ? Sl 12:40 0:00 /usr/sbin/apache2 -k start
www-data 1477 0.0 0.0 450880 5608 ? Sl 12:40 0:00 /usr/sbin/apache2 -k start
root 1601 0.0 0.0 17484 1140 ? R+ 12:44 0:00 ps aux
and listening on port 8140:
# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 0 :::8140 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
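Before pointing agents at the master it is worth checking the vhost for the settings that decide whether agents are really authenticated. The script below is an added example (not part of the original tutorial or the Debian package): a read-only audit of the Passenger vhost that flags the commented-out SSLCARevocationCheck line discussed above, a permissive SSLProtocol, a missing SSLHonorCipherOrder, and an SSLVerifyClient value other than optional. The two sample configurations it builds in a temporary file are constructed for the demo and contain only the relevant lines of the shipped default; run it against the real file by passing its path as the first argument.

```shell
#!/bin/sh
# Added example: audit /etc/apache2/sites-available/puppetmaster.conf for the
# TLS settings that matter to agent authentication. Nothing on the host is
# changed; the file is only read.
#
# Usage: sh audit_vhost.sh /etc/apache2/sites-available/puppetmaster.conf

# Print the argument of the last active (uncommented) occurrence of a directive.
active_directive() {
    grep -E "^[[:space:]]*$1[[:space:]]" "$2" | tail -n 1 | awk '{print $2}'
}

# Returns 0 when nothing is wrong, otherwise the number of problems found.
audit_puppetmaster_vhost() {
    conf="$1"
    problems=0

    # 1. Revocation. On Apache 2.4 the CRL in SSLCARevocationFile is only
    #    consulted when SSLCARevocationCheck is 'chain' or 'leaf'. The shipped
    #    file leaves that line commented out, so a certificate revoked with
    #    'puppet cert revoke' is still accepted.
    crl=$(active_directive SSLCARevocationCheck "$conf")
    case "$crl" in
        chain|leaf) echo "ok:   CRL checking active (SSLCARevocationCheck $crl)" ;;
        *) echo "FAIL: SSLCARevocationCheck not active; revoked agent certificates are still accepted"
           problems=$((problems + 1)) ;;
    esac

    # 2. Protocol versions: SSLv2/SSLv3 must be excluded, either explicitly
    #    ("ALL -SSLv2 -SSLv3") or by listing TLS versions only.
    proto=$(grep -E "^[[:space:]]*SSLProtocol[[:space:]]" "$conf" | tail -n 1)
    case "$proto" in
        *-SSLv2*-SSLv3*|*-SSLv3*-SSLv2*) echo "ok:   SSLv2/SSLv3 disabled" ;;
        ""|*ALL*|*SSLv*) echo "FAIL: SSLProtocol allows SSLv2 or SSLv3"
                         problems=$((problems + 1)) ;;
        *) echo "ok:   SSLProtocol lists TLS versions only" ;;
    esac

    # 3. The server's cipher preference must win over the client's.
    if [ "$(active_directive SSLHonorCipherOrder "$conf")" = "on" ]; then
        echo "ok:   SSLHonorCipherOrder on"
    else
        echo "FAIL: SSLHonorCipherOrder is not 'on'"
        problems=$((problems + 1))
    fi

    # 4. Client certificates. Puppet authenticates agents through the
    #    X-Client-Verify header Apache derives from SSL_CLIENT_VERIFY.
    #    'optional' is the right value: 'require' would lock out agents that
    #    still have to submit their CSR, 'none' would leave every agent
    #    unauthenticated.
    if [ "$(active_directive SSLVerifyClient "$conf")" = "optional" ]; then
        echo "ok:   SSLVerifyClient optional"
    else
        echo "FAIL: SSLVerifyClient must be 'optional' for a puppet master"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Constructed demo input: the relevant lines of the shipped default ...
write_default_sample() {
    cat > "$1" <<'EOF'
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# SSLCARevocationCheck chain
SSLVerifyClient optional
EOF
}

# ... and the same lines with CRL checking switched on.
write_hardened_sample() {
    cat > "$1" <<'EOF'
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
EOF
}

if [ -n "${1:-}" ]; then
    audit_puppetmaster_vhost "$1"
else
    tmp=$(mktemp)
    echo "== shipped default (SSLCARevocationCheck commented out) =="
    write_default_sample "$tmp"
    audit_puppetmaster_vhost "$tmp" || echo "problems: $?"
    echo "== with SSLCARevocationCheck chain =="
    write_hardened_sample "$tmp"
    audit_puppetmaster_vhost "$tmp" || echo "problems: $?"
    rm -f "$tmp"
fi
```

Run without arguments it audits the two constructed samples, reporting one problem for the shipped default and none once SSLCARevocationCheck chain is active; with the path of the real vhost file it audits that instead, and its exit status can gate a deployment step.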
Puppet node configuration
At this point our master server is running and expecting requests from puppet agents, so it is time to install the puppet agent on node1:
# apt-get install puppet
Next, we need to configure puppet as an agent by removing all master server directives from its default configuration file /etc/puppet/puppet.conf and adding an [agent] section. From:
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
To:
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
[agent]
server = master
The directive server = master above defines the master server the puppet agent connects to, where master is, in our case, the hostname resolving to the master's IP address. Note that on its first contact the agent downloads the CA certificate from this server and trusts it from then on, so the first run should happen on a network you trust:
# ping -c 1 master
PING master (172.17.0.43): 56 data bytes
64 bytes from 172.17.0.43: icmp_seq=0 ttl=64 time=0.226 ms
--- master ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.226/0.226/0.226/0.000 ms
With the installation part done, what remains is to make puppet start after reboot, and to start it now:
# systemctl enable puppet
Synchronizing state for puppet.service with sysvinit using update-rc.d...
Executing /usr/sbin/update-rc.d puppet defaults
Executing /usr/sbin/update-rc.d puppet enable
root@node1:/# service puppet start
[ ok ] Starting puppet agent.
Furthermore, after the agent has been installed on a new, unconfigured host it is disabled by default. To enable the puppet agent we need to run:
root@node1:/# puppet agent --enable
Signing Agent Certificate
Both hosts, master and node1, are up and running. The last piece of configuration needed to make the master and the agent talk to each other is signing node1's certificate request. After we started the agent on node1, it submitted a certificate signing request to the master server:
root@master:/# puppet cert list
"node1" (SHA256) 2C:62:B3:A4:1A:66:0A:14:17:93:86:E4:F8:1C:E3:4E:25:F8:7A:7C:FB:FC:6B:83:97:F1:C8:21:DD:52:E4:91
By default every certificate signing request must be signed manually, and it should stay that way: a signed certificate is what entitles a host to fetch catalogs, so before signing compare the fingerprint listed above with the one the agent itself reports (puppet agent --fingerprint on node1), and do not enable autosign on a master that untrusted hosts can reach on port 8140:
root@master:/# puppet cert sign node1
Notice: Signed certificate request for node1
Notice: Removing file Puppet::SSL::CertificateRequest node1 at '/var/lib/puppet/ssl/ca/requests/node1.pem'
At this stage our master should be hosting two signed certificates:
root@master:/# puppet cert list --all
+ "master" (SHA256) EE:E0:0A:5C:05:17:FA:11:05:E8:D0:8C:29:FC:D2:1F:E0:2F:27:A8:66:70:D7:4B:A1:62:7E:BA:F4:7C:3D:E8
+ "node1" (SHA256) 99:DC:41:BA:26:FE:89:98:DC:D6:F0:34:64:7A:DF:E2:2F:0E:84:48:76:6D:75:81:BD:EF:01:44:CB:08:D9:2A
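The manual comparison of fingerprints can be scripted so that a request is never signed by accident. The script below is an added example, not part of the original tutorial: it parses the output of puppet cert list (in the Puppet 3 format shown above), looks up the pending request for a node, normalises both fingerprints (with or without colons, the "(SHA256)" label, upper or lower case) and runs puppet cert sign only when the value the operator copied from node1 matches what the master sees. The sample listing embedded for the demo is constructed from this article's own puppet cert list output; SIGN_CMD is an assumption introduced here so the signing step can be replaced by a dry run.

```shell
#!/bin/sh
# Added example: sign an agent CSR only when the fingerprint the master sees
# matches the one read off the node out-of-band (puppet agent --fingerprint).
# Assumes Puppet 3 'puppet cert list' output; SIGN_CMD can be overridden
# (e.g. SIGN_CMD=echo) for a dry run.
#
# Usage: sh sign_if_match.sh node1 <fingerprint-reported-by-node1>

SIGN_CMD="${SIGN_CMD:-puppet cert sign}"

# Canonical fingerprint form: no "(SHA256)" label, no colons, upper case.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^(SHA[0-9]*)[[:space:]]*//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Read 'puppet cert list' text on stdin and print the fingerprint of the
# pending request for NODE. Pending requests look like
#   "node1" (SHA256) 2C:62:...
# while already signed ('+') or revoked ('-') entries carry a prefix and are
# deliberately ignored: only a pending request may be signed.
fingerprint_for() {
    awk -v want="\"$1\"" '$1 == want && $2 ~ /^\(SHA/ { print $3; exit }'
}

# sign_if_match NODE EXPECTED_FINGERPRINT LISTING
# Exit 0 after signing, 1 on fingerprint mismatch, 2 when no request is pending.
sign_if_match() {
    node="$1"; expected="$2"; listing="$3"
    seen=$(printf '%s\n' "$listing" | fingerprint_for "$node")
    if [ -z "$seen" ]; then
        echo "no pending certificate request for $node" >&2
        return 2
    fi
    if [ "$(normalize_fp "$seen")" != "$(normalize_fp "$expected")" ]; then
        echo "REFUSING to sign $node: master sees $seen, operator expected $expected" >&2
        return 1
    fi
    echo "fingerprint for $node verified, signing"
    $SIGN_CMD "$node"
}

if [ "$#" -ge 2 ]; then
    sign_if_match "$1" "$2" "$(puppet cert list)"
else
    # Demo on a constructed listing copied from the tutorial's output.
    SAMPLE_LISTING='"node1" (SHA256) 2C:62:B3:A4:1A:66:0A:14:17:93:86:E4:F8:1C:E3:4E:25:F8:7A:7C:FB:FC:6B:83:97:F1:C8:21:DD:52:E4:91'
    GOOD_FP='2c62b3a41a660a14179386e4f81ce34e25f87a7cfbfc6b8397f1c821dd52e491'
    BAD_FP='0000000000000000000000000000000000000000000000000000000000000000'
    SIGN_CMD="echo would run: puppet cert sign"
    sign_if_match node1 "$GOOD_FP" "$SAMPLE_LISTING" || echo "status $?"
    sign_if_match node1 "$BAD_FP" "$SAMPLE_LISTING" || echo "status $?"
    sign_if_match node2 "$GOOD_FP" "$SAMPLE_LISTING" || echo "status $?"
fi
```

In the demo the first call signs (here only echoed), the second is refused because the fingerprint differs, and the third reports that node2 has no pending request. On the master, pass the node name and the fingerprint read from node1 as arguments and the live puppet cert list output is used.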
Triggering puppet configuration request
Now it is time to create the first configuration manifest. As mentioned above, we want to make sure the hello package is available on node1. Open the default manifest /etc/puppet/manifests/site.pp on the master host and add the following simple resource declaration. Note that, placed at the top level of site.pp outside any node block, it applies to every agent whose certificate the master has signed; to limit a resource to node1 alone, wrap it in a node 'node1' { ... } block:
package { "hello":
ensure => "installed"
}
Our agent on node1 retrieves the configuration from the master every 30 minutes by default. If we do not want to wait, we can trigger the configuration request manually. First, confirm that the package is not present yet:
root@node1:/# hello
bash: hello: command not found
The hello package is currently not available on node1. Trigger a new configuration request manually:
root@node1:/# puppet agent --test
Info: Caching certificate_revocation_list for ca
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node1
Info: Applying configuration version '1434159185'
Notice: /Stage[main]/Main/Package[hello]/ensure: ensure changed 'purged' to 'present'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 4.00 seconds
From the output above we can see that the new configuration was applied and the "hello" package is now available:
root@node1:/# hello
Hello, world!
Conclusion
The text above shows a simple puppet configuration process. However, it should serve as a starting point for a multi-node deployment. To add more nodes, simply revisit the Puppet node configuration and Signing Agent Certificate sections of this article.
Troubleshooting
apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.43. Set the 'ServerName' directive globally to suppress this message
# echo "ServerName `hostname`" >> /etc/apache2/apache2.conf
Notice: Skipping run of Puppet configuration client; administratively disabled (Reason: 'Disabled by default on new or unconfigured old installations'); Use 'puppet agent --enable' to re-enable.
root@node1:/# puppet agent --enable
Appendix
Quick scenario setup using Docker
linuxconfig/sandbox is a Docker image containing basic text editing and networking tools to help you configure and troubleshoot your puppet master and agent. First start the puppet master:
# docker run -it -h master --name=master linuxconfig/sandbox /bin/bash
Once the puppet master is up and running, start node1:
# docker run -it -h node1 --name=node1 --link master:master linuxconfig/sandbox /bin/bash