
Puppet centralized Configuration Management System
Puppet is a configuration management tool. A typical Puppet deployment uses a client/server (C/S) structure; since there can be many clients, it can also be described as a star topology in which all Puppet clients communicate with the same Puppet server. Each Puppet client connects to the server every 30 minutes, downloads the latest configuration, and applies it strictly. After the configuration has been applied, the Puppet client can send a message back to the server; if an error occurs, a message is also sent to the server. This is the data flow of a typical Puppet configuration.
Stability
The biggest difference between Puppet and manual administration is that Puppet configuration is stable, so you can keep Puppet running. Once you update your configuration file, Puppet changes the machine's configuration according to that file, checking once every 30 minutes. Puppet makes the system state consistent with the state the configuration file requires. For example, if the configuration file requires the ssh service to be enabled and the ssh service is accidentally disabled, Puppet detects the deviation and re-enables the ssh service so that the system state and the configuration file agree. As a result, Puppet is like a magician that converges your chaotic system to the desired state described in the Puppet configuration file.
You can use Puppet to manage the entire lifecycle of a server, from initialization to retirement. Once a server has been installed with Jumpstart or Red Hat Kickstart, Puppet can keep it up to date for years, and you no longer need to worry about it. Usually Puppet users only need to install Puppet on the machine and run it; the rest of the work is done by Puppet.
Details and principles of Puppet
Puppet lets you focus on the targets you want to manage while ignoring implementation details such as command names, parameters, or file formats. Puppet treats users, software packages, and services in the system as "resources", and it manages these resources and the relationships between them.
Puppet adopts a very simple C/S architecture. All data exchange takes place over SSL to ensure security. Its workflow is as follows:
1. The client (puppetd) sends an authentication request to the master, or uses an already signed certificate.
2. The master tells the client that it is legitimate.
3. The client (puppetd) calls Facter. Facter detects host variables such as the host name, memory size, and IP address, and puppetd sends this information to the server over the SSL connection.
4. The puppet master on the server checks the client's host name, finds the corresponding node configuration in the manifest, and parses that content. The information sent by Facter can be used for variable processing; only the code involved by the node is parsed, and code not involved by the node is not. Parsing has several phases: the first step is a syntax check, and if a syntax error occurs an error is returned. If the syntax is correct, parsing continues and produces an intermediate "pseudo code" (the catalog), which is then sent to the client.
5. The client receives and runs the pseudo code.
6. During execution the client determines whether a file resource is involved; if so, it sends a request to the file server.
7. The client determines whether reporting is configured; if so, the execution result is sent to the server.
8. The server writes the client's execution result to the log and sends it to the reporting system.
Chinese wiki: http://puppet.wikidot.com
System environment: rhel6.3, selinux and iptables disabled
Server: 192.168.0.201 top1.example.com (puppet master)
Client: 192.168.0.202 top2.example.com (puppet agent)
Client: 192.168.0.203 top3.example.com (puppet agent)
Important: name resolution and time synchronization are required between the server and all clients; otherwise certificate verification fails.
Server:
# yum localinstall -y rubygems-1.3.7-1.el6.noarch.rpm
Add the following entries to the yum repository configuration (gpgcheck=0 disables GPG signature verification of the downloaded packages):
[puppet]
name=puppet
baseurl=http://yum.puppetlabs.com/el/6Server/products/x86_64/
gpgcheck=0
[ruby]
name=ruby
baseurl=http://yum.puppetlabs.com/el/6Server/dependencies/x86_64/
gpgcheck=0
# yum install puppet-server -y
/etc/puppet configuration directory, organized as follows:
/etc/puppet
|-- puppet.conf        # master configuration file; for details run puppet --genconfig
|-- fileserver.conf    # file server configuration
|-- auth.conf          # authentication configuration
|-- autosign.conf      # automatic certificate signing configuration
|-- tagmail.conf       # mail configuration (sends error messages)
|-- manifests          # manifest directory (puppet first reads site.pp in this directory)
|   |-- nodes
|   |   `-- puppetclient.pp
|   |-- site.pp        # defines puppet-related variables and default configuration
|   `-- modules.pp     # loads the class modules (include syslog)
`-- modules            # module definitions
    `-- syslog         # syslog as an example
        |-- files
        |-- manifests
        |   `-- init.pp    # class configuration
        `-- templates      # module template directory
            `-- syslog.erb # erb template
The first code Puppet executes is /etc/puppet/manifests/site.pp, so this file must exist, and other code should be called through it.
# touch /etc/puppet/manifests/site.pp  # the puppet master cannot start without this file; its contents are defined later
# service puppetmaster start  # start the puppet master
# netstat -antlp | grep ruby
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 1596/ruby
Client:
Only the puppet package needs to be installed; the installation method (yum repository) is the same as on the server side:
# yum install puppet -y
Connect the puppet client to the puppet master:
# puppet agent --server=puppet.example.com --no-daemonize --verbose
Info: Creating a new SSL key for top2.example.com
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for top2.example.com
Info: Certificate Request fingerprint (SHA256): 5C:72:77:D8:27:DF:5A:DF:34:EF:25:97:5A:CF:25:29:9F:58:83:A2:61:57:D9:20:7B:1E:C0:36:75:9D:FB:FC
The client sends a certificate signing request to the master and waits for the master to sign and return the certificate.
The --server parameter specifies the name or address of the puppet master to connect to; the default name is "puppet". To change the default, modify the PUPPET_SERVER=puppet option in /etc/sysconfig/puppet.
The --no-daemonize parameter keeps the puppet client running in the foreground.
The --verbose parameter makes the client output detailed logs.
On the master side:
# puppet cert list  # display all certificates waiting to be signed
  "top2.example.com" (SHA256) CD:BD:13:D0:B8:46:07:F2:B7:AE:00:C4:E6:E9:E1:A4:92:F6:A4:F1:AB:F7:FF:8D:BE:B0:B7:90:E1:7B:A8:C0
Before signing, confirm that this fingerprint matches the one the agent printed when it generated the request.
# puppet cert sign top2.example.com  # sign the certificate
Signed certificate request for top2.example.com
Removing file Puppet::SSL::CertificateRequest top2.example.com at '/var/lib/puppet/ssl/ca/requests/top2.example.com.pem'
To sign all pending certificates at once, run:
# puppet cert sign --all
# puppet cert clean top2.example.com  # delete a signed certificate
Two minutes after the certificate is signed, the following output appears on the agent:
Info: Caching certificate for top2.example.com
Starting Puppet client version 3.0.0
Info: Caching certificate_revocation_list for ca
Info: Retrieving plugin
Info: Caching catalog for top2.example.com
Info: Applying configuration version '20140901'
Finished catalog run in 0.13 seconds
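Before running puppet cert sign, a practitioner compares the CSR fingerprint the agent printed with the one puppet cert list shows on the master. The following Python helper, added here and not part of the original article, parses both outputs (tolerating the line wrapping seen above) and reports whether the pending request for a host matches; the fingerprints in the sample output are constructed.

```python
import re

# Colon-separated SHA256 fingerprint as printed by "puppet agent" (when it
# submits its CSR) and by "puppet cert list": 32 hex pairs.
_FP = r"((?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})"


def _compact(text):
    # Terminal wrapping splits long fingerprints across lines; remove all
    # whitespace so a fingerprint is contiguous again.
    return re.sub(r"\s+", "", text)


def extract_fingerprint(agent_output):
    """First SHA256 fingerprint in the agent's output, upper-cased, or None."""
    m = re.search(_FP, _compact(agent_output))
    return m.group(1).upper() if m else None


def pending_requests(cert_list_output):
    """Map hostname -> fingerprint parsed from 'puppet cert list' output."""
    pattern = r'"([^"]+)"\(SHA256\)' + _FP
    return {host: fp.upper()
            for host, fp in re.findall(pattern, _compact(cert_list_output))}


def safe_to_sign(hostname, agent_output, cert_list_output):
    """True only if the CSR waiting on the master under `hostname` carries the
    same fingerprint the agent printed on that host."""
    agent_fp = extract_fingerprint(agent_output)
    master_fp = pending_requests(cert_list_output).get(hostname)
    return agent_fp is not None and agent_fp == master_fp


# Constructed sample output (not the article's real fingerprints).
AGENT_OUTPUT = """Info: Creating a new SSL certificate request for top2.example.com
Info: Certificate Request fingerprint (SHA256):
AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
"""
MASTER_OUTPUT = """  "top2.example.com" (SHA256) aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
  "top3.example.com" (SHA256) 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20
"""

if __name__ == "__main__":
    for host in ("top2.example.com", "top3.example.com"):
        print(host, "matches agent output:", safe_to_sign(host, AGENT_OUTPUT, MASTER_OUTPUT))
```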
Automatic signing:
On the server side, edit puppet.conf:
[main]
autosign = true  # allow all clients to be signed automatically
Create the autosign.conf file in the /etc/puppet directory with the following content:
*.example.com  # allow all hosts in the example.com domain
# service puppetmaster reload
Note that with autosign = true the master signs every certificate request it receives without consulting autosign.conf; the allow list in autosign.conf is only used when autosign points to that file (which is Puppet's default).
On the client side, you only need to run:
# puppet agent
or
# service puppet start
In practice the client's host name is sometimes changed, so the certificate must be regenerated:
1) On the server, run: puppet cert clean top2.example.com  # the original client host name to be deleted
2) On the client, run: rm -fr /var/lib/puppet/ssl/*
puppet agent --server=puppet.example.com
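To see what autosign = true actually permits, the following Python audit (added here, not from the article or from Puppet) evaluates whether a given host name would be auto-signed under a puppet.conf and autosign.conf; the same glob style is used by the allow lines in fileserver.conf later in the article. The sample configuration texts are constructed from the settings above; /etc/puppet/autosign.conf is Puppet's documented default for the autosign setting.

```python
import configparser
import fnmatch

DEFAULT_AUTOSIGN_FILE = "/etc/puppet/autosign.conf"   # Puppet's default when unset


def autosign_setting(puppet_conf_text):
    """Effective 'autosign' value: [master] overrides [main]; absent means the
    default allow-list file path."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cp.read_string(puppet_conf_text)
    for section in ("master", "main"):
        if cp.has_option(section, "autosign"):
            return cp.get(section, "autosign").strip()
    return DEFAULT_AUTOSIGN_FILE


def host_allowed(pattern_lines, hostname):
    """Match a host against allow-list lines such as '*.example.com'
    (comments after '#' and blank lines are ignored)."""
    host = hostname.lower()
    for line in pattern_lines:
        pattern = line.split("#", 1)[0].strip().lower()
        if pattern and fnmatch.fnmatchcase(host, pattern):
            return True
    return False


def would_autosign(puppet_conf_text, autosign_conf_text, hostname):
    """Would the master sign a CSR for `hostname` without an administrator?
    autosign_conf_text stands in for the contents of the allow-list file."""
    setting = autosign_setting(puppet_conf_text).lower()
    if setting == "true":      # every CSR is signed; the allow list is never read
        return True
    if setting == "false":     # manual 'puppet cert sign' only
        return False
    return host_allowed(autosign_conf_text.splitlines(), hostname)


# Constructed inputs mirroring the article's settings.
ARTICLE_CONF = "[main]\nautosign = true  # allow all clients\n"
ALLOWLIST_CONF = "[main]\nautosign = /etc/puppet/autosign.conf\n"
AUTOSIGN_CONF = "*.example.com  # all hosts in the example.com domain\n"

if __name__ == "__main__":
    for host in ("top2.example.com", "unknown.example.org"):
        print(host, "autosign=true:", would_autosign(ARTICLE_CONF, AUTOSIGN_CONF, host),
              "allow-list:", would_autosign(ALLOWLIST_CONF, AUTOSIGN_CONF, host))
```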
Puppet resource definitions
The following resources are defined in /etc/puppet/manifests/site.pp. If no node is specified, they take effect on all verified clients.
1. Create a file
file { "/var/www/html/index.html": content => "www.example.com" }
To serve the file from the puppet file server instead:
mkdir /etc/puppet/files
echo www.redhat.org > /etc/puppet/files/index.html
vi /etc/puppet/fileserver.conf
[files]
path /etc/puppet/files
allow *.example.com
service puppetmaster reload
file { "/var/www/html/index.html":
  source => "puppet:///files/index.html",
}
2. Software package definition
package { "httpd": ensure => present;
  "vsftpd": ensure => absent
}
3. Service definition
service { "httpd": ensure => running;
  "vsftpd": ensure => stopped
}
4. Group definition
group { "wxh": gid => 600 }
5. User definition
user { "wxh":
  uid => 600,
  gid => 600,
  home => "/home/wxh",
  shell => "/bin/bash",
  password => westos  # on Linux this attribute expects the hashed string as stored in /etc/shadow; a plain-text value is written literally
}
file { "/home/wxh":
  owner => wxh,
  group => wxh,
  mode => 700,
  ensure => directory
}
file { "/home/wxh/.bash_logout":
  source => "/etc/skel/.bash_logout",
  owner => wxh,
  group => wxh
}
file { "/home/wxh/.bash_profile":
  source => "/etc/skel/.bash_profile",
  owner => wxh,
  group => wxh
}
file { "/home/wxh/.bashrc":
  source => "/etc/skel/.bashrc",
  owner => wxh,
  group => wxh
}
user { "test": uid => 900,
  home => "/home/test",
  shell => "/bin/bash",
  provider => useradd,
  managehome => true,
  ensure => present
}
exec { "echo westos | passwd --stdin test":
  path => "/usr/bin:/usr/sbin:/bin",
  onlyif => "id test"  # true on every run once the user exists, so the password is reset on each agent run
}
6. Mount a file system
file { "/public":
  ensure => directory
}
mount { "/public":
  device => "192.168.0.254:/var/ftp/pub",
  fstype => "nfs",
  options => "defaults",
  ensure => mounted
}
This mounts the file system automatically and synchronizes /etc/fstab. To unmount the file system, change ensure to absent.
7. crontab task
cron { echo:
  command => "/bin/echo '/bin/date' > /tmp/echo",
  user => root,
  hour => ['2-4'],
  minute => '*/10'
}
# The task is generated in the /var/spool/cron directory on the client.
Definition of different nodes:
1. Edit site.pp on the puppet master
# vi /etc/puppet/manifests/site.pp
import "nodes.pp"
2. Create the node file
# vi /etc/puppet/manifests/nodes.pp
node 'top2.example.com' {
  file { "/var/www/html/index.html":
    content => "top2.example.com"
  }
}
node 'top3.example.com' {
  file { "/var/www/html/index.html":
    content => "top3.example.com"
  }
}
Writing a module:
mkdir -p /etc/puppet/modules/httpd/{files,manifests,templates}
cd /etc/puppet/modules/httpd/manifests
vi install.pp
class httpd::install {
  package { "httpd":
    ensure => present
  }
}
vi config.pp
class httpd::config {
  file { "/etc/httpd/conf/httpd.conf":
    ensure => present,
    source => "puppet:///modules/httpd/httpd.conf",
    # the actual path on the master is /etc/puppet/modules/httpd/files/httpd.conf
    require => Class["httpd::install"],
    notify => Class["httpd::service"]
  }
}
vi service.pp
class httpd::service {
  service { "httpd":
    ensure => running,
    require => Class["httpd::install", "httpd::config"]
  }
}
vi init.pp
class httpd {
  include httpd::install, httpd::config, httpd::service
}
vi nodes.pp
node 'server90.example.com' {
  include httpd
}
service puppetmaster reload
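To make the require/notify relationships in the httpd module concrete, the following Python model (added here; not part of the article or of Puppet itself) computes the order in which the three classes are applied and which class is refreshed, i.e. restarted, when another one changes. The class graph is a constructed transcription of the manifests above.

```python
from collections import deque

# Constructed model of the httpd module above. Each class lists the classes it
# requires and the classes it notifies (in Puppet, notify also implies ordering).
HTTPD_MODULE = {
    "httpd::install": {"require": [], "notify": []},
    "httpd::config":  {"require": ["httpd::install"], "notify": ["httpd::service"]},
    "httpd::service": {"require": ["httpd::install", "httpd::config"], "notify": []},
}


def apply_order(graph):
    """Order in which Puppet would apply the classes (Kahn's topological sort).
    Raises ValueError on a dependency cycle, which Puppet also reports as an error."""
    deps = {name: set(attrs["require"]) for name, attrs in graph.items()}
    for name, attrs in graph.items():          # notify edge: name runs before target
        for target in attrs["notify"]:
            deps[target].add(name)
    ready = deque(sorted(n for n in deps if not deps[n]))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for other in sorted(deps):             # release anything that waited on current
            if current in deps[other]:
                deps[other].discard(current)
                if not deps[other]:
                    ready.append(other)
    if len(order) != len(graph):
        stuck = sorted(set(graph) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def refreshed_by(graph, changed):
    """Classes that receive a refresh event (e.g. a service restart) when the
    given classes change, following notify edges transitively."""
    seen, todo = set(), list(changed)
    while todo:
        name = todo.pop()
        for target in graph[name]["notify"]:
            if target not in seen:
                seen.add(target)
                todo.append(target)
    return seen


def has_cycle(graph):
    try:
        apply_order(graph)
        return False
    except ValueError:
        return True
```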
Puppet Dashboard installation (for managing Puppet through a web interface)
Dependencies:
* Ruby 1.8.7
* RubyGems
* Rake >= 0.8.3
* MySQL server 5.x
* Ruby-MySQL bindings 2.7.x or 2.8.x
# rpm -ivh rubygem-rake-0.8.7-2.1.el6.noarch.rpm
# yum install puppet-dashboard ruby-mysql mysql-server -y
# Note: with MySQL 5.1, importing data with the client may fail with error 1153 "Got a packet bigger than 'max_allowed_packet' bytes" because the packet is too large, which terminates the import. The following parameter solves it (not encountered on rhel6.3):
# vi /etc/my.cnf
[mysqld]
max_allowed_packet = 32M  # add this line
# service mysqld start
Configure the mysql database:
mysql> create database dashboard_production character set utf8;
Query OK, 1 row affected (0.00 sec)
mysql> create user 'dashboard'@'localhost' identified by 'westos';
Query OK, 0 rows affected (0.01 sec)
mysql> grant all privileges on dashboard_production.* to 'dashboard'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql>
# cd /usr/share/puppet-dashboard/
# vi config/database.yml  # keep only the production environment configuration
production:
  database: dashboard_production
  username: dashboard
  password: westos
  encoding: utf8
  adapter: mysql
# rake RAILS_ENV=production db:migrate  # create the database tables the dashboard needs
The default time zone of puppet-dashboard is incorrect and needs to be changed:
# vi /usr/share/puppet-dashboard/config/settings.yml
time_zone: 'Beijing'
Start the service:
# service puppet-dashboard start
Starting Puppet Dashboard: => Booting WEBrick
=> Rails 2.3.14 application starting on http://0.0.0.0:3000 [OK]
# chmod 0666 /usr/share/puppet-dashboard/log/production.log
# service puppet-dashboard-workers start
Real-time report summary:
Set up the server:
# vi /etc/puppet/puppet.conf
[main]  # add the following two items
reports = http
reporturl = http://192.168.0.201:3000/reports
# service puppetmaster reload
Note that reporturl here uses plain http, so the report contents travel to the dashboard unencrypted.
Set up the client:
# vi /etc/puppet/puppet.conf
[agent]  # add the following line
report = true
# service puppet reload
After the client has Puppet installed and certificate authentication is complete, we can see the effect. How do we make it synchronize with the server automatically? How many minutes is the default synchronization interval, and how can it be changed? For this we configure the client:
(1) Configure the Puppet parameters and synchronization interval:
# vi /etc/sysconfig/puppet
PUPPET_SERVER=puppet.example.com  # address of the puppet master
PUPPET_PORT=8140  # port the puppet master listens on
PUPPET_LOG=/var/log/puppet.log  # local puppet log
#PUPPET_EXTRA_OPTS=--waitforcert=500  # default synchronization time; this line is left unchanged here
(2) With the default configuration, the client synchronizes with the server every half hour. This interval can be changed:
# vi /etc/puppet/puppet.conf
[agent]
runinterval = 60  # synchronize with the server every 60 seconds
# service puppet reload
