Study notes: Puppet centralized configuration management
Lab environment: server6 is the server (puppet master), server7 is the client (puppet agent).
The server and client must be able to resolve each other's hostnames, their clocks must agree, and the firewall and SELinux must be off.
1. Installation
Server side:
yum install -y puppet-server-3.8.1-1.el6.noarch.rpm puppet-3.8.1-1.el6.noarch.rpm \
  facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm \
  rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm \
  ruby-augeas-0.4.1-3.el6.x86_64.rpm rubygems-1.3.7-5.el6.noarch.rpm
/etc/init.d/puppetmaster start
Client side:
yum install -y puppet-3.8.1-1.el6.noarch.rpm facter-2.4.4-1.el6.x86_64.rpm \
  rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm \
  ruby-augeas-0.4.1-3.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm \
  rubygems-1.3.7-5.el6.noarch.rpm
2. Connecting and certificate signing
Manual signing:
Client: puppet agent --server=server6.example.com --no-daemonize -vt
Server: puppet cert list   (lists the clients waiting to be signed)
puppet cert sign server7.example.com   (signs server7's request)
Run puppet agent --server=server6.example.com --no-daemonize -vt on server7 again; it now reports that its certificate has been signed.
puppet cert list --all   (lists every signed client)
Automatic signing:
Server: vim /etc/puppet/puppet.conf
Add autosign = true under [main] to sign every client's request.
vim /etc/puppet/autosign.conf
*.example.com   (signs every host in the example.com domain)
Client: puppet agent --server=server6.example.com --no-daemonize -vt is now signed without any operator action.
Both settings sign whatever certname the requester presents, and the certname is chosen by the requesting host itself, so any machine that can reach port 8140 and claim a matching name receives a catalog; treat them as lab-only.
Removing a certificate:
Server: puppet cert --clean server7.example.com
Client: rm -rf /var/lib/puppet/ssl/*
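Puppet 3.4 and later also accept a policy script in place of true or autosign.conf (autosign = /path/to/script; the master runs it with the certname as its first argument and the PEM CSR on stdin, and signs only when it exits 0). The script below is an added example, not part of these notes: the script path, the domain check and the shared-secret value are assumptions, and the agent is assumed to put the secret into its CSR as the PKCS#9 challengePassword attribute via custom_attributes in /etc/puppet/csr_attributes.yaml.

```ruby
#!/usr/bin/env ruby
# Policy-based autosign hook (added example; not from the original notes).
# Assumed wiring in puppet.conf, [master] section:  autosign = /etc/puppet/autosign.rb
# Puppet 3.4+ runs it with the certname as ARGV[0] and the PEM CSR on STDIN and
# signs the request only when the script exits 0. Agents supply the secret via
# custom_attributes / 1.2.840.113549.1.9.7 in csr_attributes.yaml.
require 'openssl'

ALLOWED_DOMAIN = 'example.com'            # same scope the notes opened with *.example.com
SHARED_SECRET  = 'PLACEHOLDER-rotate-me'  # placeholder value; provision per environment
CHALLENGE_OIDS = %w[challengePassword 1.2.840.113549.1.9.7]

# Return the PKCS#9 challengePassword carried in the CSR, or nil when absent.
def challenge_password(csr)
  attr = csr.attributes.find { |a| CHALLENGE_OIDS.include?(a.oid) }
  return nil if attr.nil?
  attr.value.value.first.value   # the attribute value is a SET holding one string
end

# Constant-time comparison so a wrong secret is not distinguishable by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a CSR may be signed unattended. Returns [bool, reason].
def autosign_decision(certname, pem, secret = SHARED_SECRET)
  return [false, 'certname outside allowed domain'] unless certname.end_with?(".#{ALLOWED_DOMAIN}")
  csr = OpenSSL::X509::Request.new(pem)
  cn_entry = csr.subject.to_a.find { |entry| entry[0] == 'CN' }
  cn = cn_entry && cn_entry[1]
  return [false, 'CSR CN does not match certname'] unless cn == certname
  return [false, 'CSR self-signature invalid'] unless csr.verify(csr.public_key)
  pw = challenge_password(csr)
  return [false, 'challenge password missing'] if pw.nil?
  return [false, 'challenge password wrong'] unless secure_compare(pw, secret)
  [true, 'ok']
rescue OpenSSL::X509::RequestError => e
  [false, "unparseable CSR: #{e.message}"]
end

# Entry point used by the puppet master; skipped when no certname is given.
if __FILE__ == $PROGRAM_NAME && ARGV.length == 1
  ok, reason = autosign_decision(ARGV[0], STDIN.read)
  warn "autosign #{ARGV[0]}: #{reason}"
  exit(ok ? 0 : 1)
end
```

Every refusal reason is written to the master's log, so an unexpected stream of "certname outside allowed domain" or "challenge password wrong" entries is itself a signal worth alerting on.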
The /etc/puppet configuration directory is organized as follows:
|-- puppet.conf        # main configuration file; puppet --genconfig prints every option
|-- fileserver.conf    # file server configuration
|-- auth.conf          # authentication/authorization configuration
|-- autosign.conf      # automatic signing configuration
|-- tagmail.conf       # mail configuration (sends error reports)
|-- manifests          # manifest directory (puppet reads the .pp files here first, starting with site.pp)
|   |-- nodes
|   |   `-- puppetclient.pp
|   |-- site.pp        # defines puppet variables and default configuration
|   `-- modules.pp     # loads class modules (include syslog)
`-- modules            # module definitions
    `-- syslog         # syslog as an example
        |-- files
        |-- manifests
        |   `-- init.pp     # class definition
        `-- templates       # module template directory
            `-- syslog.erb  # erb template
Puppet resource definitions
All resources below are defined in /etc/puppet/manifests/site.pp; when no node is specified they apply to every client that has already been authenticated.
1. Creating files
####### After a run, a file named testfile with the content "test" exists in the target directory
file { "/opt/testfile":
content => "test"
}
####### Syncing files from the files directory
Where the files are stored:
mkdir /etc/puppet/files
cp /etc/passwd /etc/puppet/files/
####### Configuration file
vim /etc/puppet/fileserver.conf
[files]
path /etc/puppet/files
allow *.example.com
/etc/init.d/puppetmaster reload
###### Sync the passwd file
file { "/mnt/passwd":
source => "puppet:///files/passwd"   # the real directory behind this mount point is /etc/puppet/files
}
2. Package definitions
package {
"httpd":
ensure => present;   ### mind the syntax: resources are separated by ; and multiple attributes of one resource by ,
"vsftpd":
ensure => absent     ### present: install, absent: remove
}
3. Service definitions
service {
"httpd":
ensure => running;
"vsftpd":
ensure => stopped
}
4. Group definition
group { "test":
gid => 1000
}
5. User definition
user { "test":
uid => 1000,
gid => 1000,
home => "/home/test",
shell => "/bin/bash",
password => "westos"   # this attribute expects the hashed form stored in /etc/shadow, so the exec below is what actually sets the password
}
file { "/home/test":
owner => test,
group => test,
mode => "0700",
ensure => directory
}
file { "/home/test/.bash_logout":
source => "/etc/skel/.bash_logout",
owner => test,
group => test
}
file { "/home/test/.bash_profile":
source => "/etc/skel/.bash_profile",
owner => test,
group => test
}
file { "/home/test/.bashrc":
source => "/etc/skel/.bashrc",
owner => test,
group => test
}
exec { "echo westos | passwd --stdin test":   # the cleartext password travels in every catalog and shows up in logs and process listings; a hash in the user resource avoids that
path => "/usr/bin:/usr/sbin:/bin",   ### search path for the commands
onlyif => "id test"   ### run only if user test already exists
}
6. Filesystem mounts
file { "/public":
ensure => directory
}
mount { "/public":
device => "172.25.60.5:/var/ftp/pub",
fstype => "nfs",
options => "defaults",
ensure => mounted,   ### change to absent to unmount
require => File["/public"]   # Puppet 3 does not order resources by manifest position, so make the mount point exist first
}
This mounts the filesystem automatically and keeps the fstab file in sync.
7. Cron jobs
cron { "echo":
command => "/bin/echo `/bin/date` >> /tmp/echo",
user => root,
hour => ['2-4'],
minute => '*/10'
}
The job is written into /var/spool/cron on the client.
Defining different nodes
1. vim /etc/puppet/manifests/site.pp
import "nodes/*.pp"   ### load the node files; the earlier definitions become the default node
node default {
}
2. mkdir /etc/puppet/manifests/nodes
vim /etc/puppet/manifests/nodes/server7.pp   ### node files must end in .pp
node 'server7.example.com' {   ### must be the client's hostname (its certname)
include httpd   # load the httpd module
}
Defining the httpd module:
mkdir -p /etc/puppet/modules/httpd/{files,manifests,templates}
cd /etc/puppet/modules/httpd/manifests
vim install.pp   ### installation
class httpd::install {
package { "httpd":
ensure => present
}
}
vim config.pp   ###### configuration file
class httpd::config {
file { "/etc/httpd/conf/httpd.conf":
ensure => present,
source => "puppet:///modules/httpd/httpd.conf",
##### the real path is /etc/puppet/modules/httpd/files/httpd.conf
require => Class["httpd::install"],
notify => Class["httpd::service"]   #### once the config file is delivered, notify the service class to reload the service
}
}
vim service.pp   ##### service
class httpd::service {
service { "httpd":
ensure => running,
require => Class["httpd::install","httpd::config"]
}
}
vim init.pp   #### class definition
class httpd {
include httpd::install,httpd::config,httpd::service
}
/etc/init.d/puppetmaster reload
On server7: puppet agent --server=server6.example.com --no-daemonize -vt
Creating virtual hosts with a template
Edit the httpd.conf placed in files earlier and enable name-based virtual hosting with NameVirtualHost *:80.
Templates live in the templates directory and end in .erb.
vim /etc/puppet/modules/httpd/manifests/init.pp
define httpd::vhost($domainname) {
file { "/etc/httpd/conf.d/${domainname}_vhost.conf":
content => template("httpd/httpd_vhost.conf.erb"),
require => Class["httpd::install","httpd::config"],
notify => Class["httpd::service"]
}
file { "/var/www/$domainname":
ensure => directory
}
file { "/var/www/$domainname/index.html":
content => $domainname
}
}
vim /etc/puppet/modules/httpd/templates/httpd_vhost.conf.erb
<VirtualHost *:80>
ServerName <%= domainname %>
DocumentRoot /var/www/<%= domainname %>
ErrorLog logs/<%= domainname %>_error.log
CustomLog logs/<%= domainname %>_access.log common
</VirtualHost>
vim /etc/puppet/manifests/nodes/server7.pp
node 'server7.example.com' {
include httpd
httpd::vhost { 'server7.example.com':
domainname => "server7.example.com",
}
httpd::vhost { 'www7.example.com':
domainname => "www7.example.com",
}
}
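As an added example that is not part of these notes, the same template rendered outside Puppet with Ruby's ERB (the engine behind template()), together with the parameter check the define above lacks: $domainname is interpolated verbatim into file paths and into the vhost file, so a value containing whitespace, slashes or a newline would rewrite the Apache configuration. The hostname rule and the helper names are assumptions.

```ruby
# Added example: render httpd_vhost.conf.erb the way Puppet's template() does
# and refuse a domainname that is not a plain hostname. Not from the notes.
require 'erb'

# Same content as /etc/puppet/modules/httpd/templates/httpd_vhost.conf.erb
VHOST_TEMPLATE = <<~'ERB'
  <VirtualHost *:80>
  ServerName <%= domainname %>
  DocumentRoot /var/www/<%= domainname %>
  ErrorLog logs/<%= domainname %>_error.log
  CustomLog logs/<%= domainname %>_access.log common
  </VirtualHost>
ERB

# RFC 1123 style hostname with at least two labels: letters, digits and
# hyphens only, no label starting or ending with a hyphen, 253 chars max.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+\z/i

def valid_hostname?(name)
  !!(name =~ HOSTNAME_RE)
end

# Mirror of the httpd::vhost define's content => template(...) call.
# Raises instead of writing a vhost file for an unsafe name.
def render_vhost(domainname)
  unless valid_hostname?(domainname)
    raise ArgumentError, "refusing unsafe domainname #{domainname.inspect}"
  end
  ERB.new(VHOST_TEMPLATE).result_with_hash(domainname: domainname)
end
```

In the manifest itself the equivalent guard is a regex check on $domainname at the top of the define (validate_re from puppetlabs-stdlib, or a plain if/fail), so a bad node file fails the catalog compile rather than producing a broken vhost.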
Installing Puppet Dashboard (web-based management of puppet)
Packages and dependencies:
yum install puppet-dashboard-1.2.23-1.el6.noarch.rpm MySQL-server \
  rubygem-rake-0.8.7-2.1.el6.noarch.rpm ruby-mysql-2.8.2-1.el6.x86_64.rpm
Packet-size problem with MySQL 5.1: when importing data with the client you may hit error 1153 - Got a packet bigger than 'max_allowed_packet' bytes, which aborts the import. The following setting fixes it:
vim /etc/my.cnf
[mysqld]
max_allowed_packet = 32M   #### add this line
Configuring the database:
/etc/init.d/mysqld start
mysql> CREATE DATABASE dashboard_production CHARACTER SET utf8;
mysql> CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'westos';
mysql> GRANT ALL PRIVILEGES ON dashboard_production.* TO 'dashboard'@'localhost';
cd /usr/share/puppet-dashboard/
vim config/database.yml   #### keep only the production section
production:
  database: dashboard_production
  username: dashboard
  password: westos
  encoding: utf8
  adapter: mysql
Changing the default time zone:
vim /usr/share/puppet-dashboard/config/settings.yml
time_zone: 'Beijing'
rake RAILS_ENV=production db:migrate
# creates the database tables dashboard needs; if it fails, run the statement the error message asks for
Start the service: /etc/init.d/puppet-dashboard start
cd /usr/share/puppet-dashboard/log
chmod 666 production.log   (the dashboard processes need write access; chowning the file to the puppet-dashboard user is the tighter alternative to world-writable)
/etc/init.d/puppet-dashboard-workers start
vim /etc/puppet/puppet.conf and add under [main]:
reports = http
reporturl = http://172.25.60.6:3000/reports
/etc/init.d/puppetmaster restart
On server7, add under [agent] in /etc/puppet/puppet.conf:
report = true
/etc/init.d/puppet start
Browse to http://172.25.60.6:3000
Once puppet is installed on the client and its certificate is signed, we can see the results. How do we make the client sync with the server automatically, how often does it sync by default, and how do we change that interval? This is where the client needs configuring:
(1) Configure the puppet parameters and the sync interval:
# vi /etc/sysconfig/puppet
PUPPET_SERVER=puppet.example.com   # address of the puppet master
PUPPET_PORT=8140   # port puppet listens on
PUPPET_LOG=/var/log/puppet/puppet.log   # local puppet log
#PUPPET_EXTRA_OPTS=--waitforcert=500   [default sync interval; I leave this line unchanged]
(2) With the default configuration the client syncs with the server every half hour; we can change this interval.
(3) # vi /etc/puppet/puppet.conf
[agent]
runinterval = 60
# sync with the server every 60 seconds
Restart the puppet service.
Nginx + Passenger:
By default puppet handles HTTPS requests with the Ruby-based WEBrick HTTP server. On a single server, Apache or Nginx with Passenger replaces WEBrick; Passenger is an Apache/Nginx module that embeds and runs Ruby applications, providing load balancing for puppet.
yum install -y gcc gcc-c++ curl-devel zlib-devel openssl-devel ruby-devel
gem install passenger-5.0.15.gem rack-1.6.4.gem
gem list   (shows the local gems: json, passenger, rack, rake)
tar zxf nginx-1.8.0.tar.gz -C /mnt
Run passenger-install-nginx-module
Keep the defaults for the remaining options, or adjust them to your needs.
Stop the puppetmaster service.
Nginx installs under /opt/nginx by default; edit nginx.conf:
#user nobody;
worker_processes 4;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    use epoll;
    worker_connections 4096;
}
http {
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.58;
    passenger_ruby /usr/bin/ruby;
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 8140;
        server_name server6.example.com;
        root /etc/puppet/rack/public;
        passenger_enabled on;
        passenger_set_header X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;
        ssl on;
        ssl_session_timeout 5m;
        ssl_certificate /var/lib/puppet/ssl/certs/server6.example.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/server6.example.com.pem;
        ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        ssl_verify_client optional;
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        ssl_prefer_server_ciphers on;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;
    }
}
Two things to check in this file: passenger_root must be the root of the gem that was actually installed (the gem install step above used passenger-5.0.15, while this path names passenger-4.0.58; passenger-config --root prints the correct path), and the ssl_ciphers string is the one from the old Puppet 3 documentation, which still admits RC4 and other weak suites; on a current nginx/OpenSSL restrict ssl_protocols to TLSv1.2 or later and use a modern cipher list. Puppet trusts the X_CLIENT_DN and X_CLIENT_VERIFY headers that nginx sets from the verified client certificate, so nothing other than this nginx must be able to reach the rack application.
Comment out the following lines:
cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/
chown puppet.puppet /etc/puppet/rack/config.ru
(the /etc/puppet/rack/public directory named by root in nginx.conf must exist as well)
/opt/nginx/sbin/nginx -t
/opt/nginx/sbin/nginx
puppetmaster does not need to be started; nginx loads puppet through Passenger and config.ru when it starts.