This article was written with friendly sponsorship from Lin Feng and was first published on Slime Walks the World.
I have had no previous exposure to automated server management, and I intend to fill that gap over this period.
Today the most widely used and most popular server automation management software is puppet, so puppet is our protagonist. The explanation is divided into the following steps:
1. What is puppet?
2. Puppet advantages
3. Installation preparation
4. Environment preparation
5. Source installation of puppet
6. RPM installation of puppet
7. Puppet certificate authorization
8. Puppet resources
1. What is puppet?
Puppet is a centralized configuration management system for Linux, Unix and Windows platforms, developed in Ruby. It uses its own puppet description language to manage system entities such as configuration files, users, cron tasks, software packages, system services and so on.
Puppet treats these system entities as resources; its design goal is to simplify the management of these resources and to correctly handle the dependencies between them.
Puppet uses a C/S (client/server) deployment architecture. The puppet-server package (the "master") is installed on the puppet server, and the puppet client software (hereinafter the "agent") is installed on each target host that needs to be managed.
When the agent connects to the master, the configuration defined on the master side is compiled and then applied on the agent. By default each agent connects to the master every 30 minutes to check for configuration updates. In many scenarios this does not meet the system administrator's requirements, so many administrators instead drive the agent from crontab (the task scheduler), which is more flexible.
2. Puppet advantages
Puppet's syntax lets you write a single script that creates a user on all of your target hosts. Every target host interprets and executes this module in turn, using whatever is appropriate for the local system: if the configuration runs on a Red Hat server the user is created with the useradd command, and if it runs on a FreeBSD server the adduser command is used.
Another remarkable feature of puppet is its flexibility. Because it is open source software, you can freely obtain the puppet source code. If you run into a problem and have the ability to deal with it, you can modify or extend the puppet code to suit your environment and solve the problem.
Puppet is also easy to extend. Support for custom software packages and special system environment configuration can be added to the puppet installation quickly and easily.
3. Installation preparation
The experiment OS is CentOS 6.5 64bit; the server is 192.168.199.247 and the client is 192.168.199.248.
Before the formal experiment, a few things need to be dealt with first.
3.1 Host time synchronization
To reduce unnecessary trouble during the experiment, the time on all hosts (server and clients) must be synchronized: the time difference between server and client must not exceed a second.
Use the following command to synchronize the time:
ntpdate timekeeper.isi.edu
If the following error occurs while synchronizing:
Jan 17:20:45 ntpdate[2720]: The NTP socket is on use, exiting
stop the host's ntpd service first and then synchronize the time again:
/etc/init.d/ntpd stop
3.2 Modify the host name
Because the host name is written into the certificate when puppet is installed, and that certificate is required for communication between client and server, the host names of the server and client need to be set.
Modify the host name as follows:
hostname s.ilanni.com
This command takes effect immediately, but the change is lost after the server restarts.
To make the host name permanent, the /etc/sysconfig/network file must be modified, as follows:
cat /etc/sysconfig/network
In this experiment no DNS server is set up; instead the hosts files on the server and the client are modified to resolve the domain names, as follows:
cat /etc/hosts
192.168.199.247 s.ilanni.com
192.168.199.248 c.ilanni.com
3.3 Disable iptables and SELinux
All of the experiments below are carried out with iptables and SELinux disabled.
/etc/init.d/iptables status
cat /etc/selinux/config
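As an added example (not code from the original article), the following POSIX shell script checks the section 3 prerequisites in one pass: clock skew within a second, and each lab host name mapping to the expected address in the hosts file. The host names and addresses are the article's; the function names and the sample hosts file are constructed for this example.

```shell
#!/bin/sh
# Preflight checks for the puppet lab in section 3 (added example, not part of the article).
# Hostnames and IPs are the article's; function names are assumptions of this example.

# Return 0 when two epoch timestamps ($1, $2) differ by at most $3 seconds (default 1).
# The article requires master and agent clocks to agree to the second.
time_skew_ok() {
    a=$1; b=$2; max=${3:-1}
    if [ "$a" -ge "$b" ]; then d=$((a - b)); else d=$((b - a)); fi
    [ "$d" -le "$max" ]
}

# Print the address that hostname $2 maps to in the hosts-format file $1.
# Comments and blank lines are skipped; the first match wins, as the resolver does.
hosts_lookup() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# Return 0 when hostname $2 maps to address $3 in hosts file $1.
hosts_consistent() {
    [ "$(hosts_lookup "$1" "$2")" = "$3" ]
}

# Write a constructed hosts file mirroring the article's entries and print its path.
make_sample_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
127.0.0.1   localhost localhost.localdomain
# puppet lab (constructed sample, same entries as the article)
192.168.199.247 s.ilanni.com
192.168.199.248 c.ilanni.com
EOF
    echo "$f"
}

# Live checks against this machine; only meaningful on the two lab hosts.
preflight() {
    me=$(hostname)
    case "$me" in
        s.ilanni.com) want=192.168.199.247 ;;
        c.ilanni.com) want=192.168.199.248 ;;
        *) echo "hostname '$me' is not one of the lab hosts"; return 1 ;;
    esac
    hosts_consistent /etc/hosts "$me" "$want" || { echo "/etc/hosts does not map $me to $want"; return 1; }
    # ntpdate must be run after ntpd is stopped (section 3.1)
    if pgrep -x ntpd >/dev/null 2>&1; then echo "ntpd is running; stop it before ntpdate"; return 1; fi
    # SELinux is disabled in the lab (section 3.3)
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        echo "SELinux is $(getenforce)"; return 1
    fi
    echo "preflight ok for $me"
}

# Self-check of the helpers on the constructed sample file.
f=$(make_sample_hosts)
hosts_consistent "$f" s.ilanni.com 192.168.199.247 && echo "sample hosts file: ok"
rm -f "$f"
```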
4. Environment preparation
Puppet can be installed either from source or via RPM, but regardless of the method a few things need explaining before the installation.
4.1 Puppet installation notes
1. Because puppet is developed in Ruby, the Ruby language environment must be installed first, whether puppet is installed from source or via RPM.
2. From version 2.7 onward, puppet requires Hiera, so Hiera must also be installed.
3. In the previous chapters we explained that puppet is a configuration management system and that the resources it manages are entities of the system. But where do these entities come from? For this we need to install another piece of software that collects them: facter.
Facter is mainly used to collect information about the host, such as CPU and host IP. Facter sends the collected information to the puppet server, and the server can then generate different puppet configurations for different node machines based on different conditions.
Facter is also developed in Ruby, as we can see in its installation documentation:
cat README.md
4.2 Install Ruby
Ruby is easy to install; here we use yum:
yum -y install ruby
After Ruby is installed, look at the files it generated:
rpm -ql ruby
We can view Ruby's help information as follows:
ruby -h
In addition, we need to install the ruby-rdoc package, which is mainly used to view Ruby's help documentation:
yum -y install ruby-rdoc
These are the Ruby-related packages; after installing them we begin installing facter.
4.3 Installing facter
Facter can be downloaded from the puppet website:
http://downloads.puppetlabs.com/facter/
Note: facter can also be installed via yum; here we use the source installation.
Download the latest version of facter:
wget http://downloads.puppetlabs.com/facter/facter-2.3.0.tar.gz
Unpack the facter package:
tar -xf facter-2.3.0.tar.gz
Start installing facter:
ruby install.rb (or ./install.rb)
Once facter is installed, look at its usage help:
facter -h
For facter's detailed help information, we can also use man:
man facter
If the installation went fine, running the facter command displays the information facter has collected:
facter
4.4 Installing Hiera
Hiera is mainly used to control values that change frequently between agents, and it must be installed from puppet 2.7 onward. If it is not installed, the following error is reported when installing puppet:
Could not load Hiera; Cannot install
Before installing Hiera, however, an additional yum repository must be installed, or the package will not be found.
The yum repository can be found on the puppet official website:
https://docs.puppetlabs.com/guides/puppetlabs_package_repositories.html#for-red-hat-enterprise-linux-and-derivatives
Install it following the method on the puppet website:
rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
After the yum repository is configured, install Hiera:
yum -y install hiera
When the above installation is complete, we can formally install puppet.
5. Source installation of puppet
The puppet server and client are installed from the same source package with the same installation steps; only the configuration files differ slightly.
Before downloading the puppet source, we also create the puppet user, which the puppet runtime uses, on both the master and the agent side. If the user is not created on the master side, the master reports the following error when it starts:
Create the puppet user as follows:
useradd -m -s /sbin/nologin puppet
cat /etc/passwd | grep puppet
Note: the puppet server runs as the puppet user, while the puppet client runs as root.
The reason is that running the master as an ordinary user on the server is relatively more secure, while the agent on the client runs as root because, when the master has it create users, modify system files and other resources, it needs the highest privileges.
5.1 Puppet source installation
The puppet source package can be downloaded from the puppet official website. At present the latest version of puppet is 3.7.3.
http://downloads.puppetlabs.com/puppet/
Download the puppet package:
wget http://downloads.puppetlabs.com/puppet/puppet-3.7.3.tar.gz
Unpack the puppet package:
tar -xf puppet-3.7.3.tar.gz
Puppet is installed in the same way as facter:
ruby install.rb (or ./install.rb)
Once puppet is installed, look at its help information:
puppet help
Check the puppet installation location:
ll /etc/puppet/
That completes the installation of puppet; we will now configure it.
5.2 Master-side configuration
Once puppet is installed, we configure the master side. Copy the puppet.conf file from the ext/redhat/ directory of the puppet source package to the puppet installation directory /etc/puppet/:
cp ext/redhat/puppet.conf /etc/puppet/
vi /etc/puppet/puppet.conf
server = s.ilanni.com
certname = s.ilanni.com
pluginsync = false
Here s.ilanni.com is the host name of the puppet server.
pluginsync = false turns off the plugin synchronization feature for modules.
Once the configuration file has been modified, we configure the startup script on the master side.
Copy the server.init file from the ext/redhat/ directory of the puppet source package to /etc/init.d/, rename it to puppetmaster, and make it executable:
cp ext/redhat/server.init /etc/init.d/puppetmaster
chmod u+x /etc/init.d/puppetmaster
Note: the master side can also be started directly with the puppet master command:
puppet master
netstat -tunlp | grep "8140"
ps aux | grep puppet
In fact, the puppetmaster startup script itself starts the service with the puppet master command:
cat /etc/init.d/puppetmaster
Add puppetmaster to the boot entries:
chkconfig --add puppetmaster
chkconfig puppetmaster on
chkconfig | grep puppetmaster
After the above configuration is complete, start the puppet service:
/etc/init.d/puppetmaster start
ps aux | grep puppet
netstat -tunlp
From the output we can see that the puppet service listens on TCP port 8140 and runs as the puppet user.
After the puppet server configuration is complete, we configure the puppet client.
5.3 Agent-side configuration
For the agent side, only the puppet.conf file needs to be copied to the puppet installation directory /etc/puppet/:
cp ext/redhat/puppet.conf /etc/puppet/
cat /etc/puppet/puppet.conf
server = s.ilanni.com
pluginsync = false
Here s.ilanni.com is the host name of the puppet server.
pluginsync = false turns off the plugin synchronization feature for modules.
The agent side is started with the puppet agent command:
puppet agent
ps aux | grep puppet
From this we can also see that the agent side runs as the root user, not the puppet user.
Note: on the agent side we use the puppet agent command for all management tasks, including requesting the certificate and synchronizing resources.
The agent can be run in two ways: the first is connecting to the master by running the command, the second is running as a daemon in the background, which connects to the master every 30 minutes by default but is not flexible. We generally use the first method in combination with crontab.
6. RPM installation of puppet
Installing puppet via RPM is relatively simple; it only needs yum.
6.1 Puppet installation preparation
Before installing via RPM, an additional yum repository must be configured, otherwise the system reports that the puppet package cannot be found, as happens with:
yum -y install puppet-server
The additional yum repository can be found on puppet's official website:
https://docs.puppetlabs.com/guides/puppetlabs_package_repositories.html#for-red-hat-enterprise-linux-and-derivatives
Install it following the method on the puppet website:
rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
Note: the yum repository needs to be configured on both the master side and the agent side.
6.2 Master-side installation and configuration
Now install the master side with yum:
yum -y install puppet-server
From the output we can see that puppet-server depends on three packages: facter, hiera and puppet.
Now look at the new user created by the puppet-server installation and the user the puppet service runs as:
cat /etc/passwd
ps aux | grep puppet
From this we can see that puppet-server did create a new puppet user during installation, and that the puppet user is indeed the one used at run time.
View the ports used by the puppet service:
/etc/init.d/puppetmaster start
netstat -tunlp
After the master side is installed, configure the puppet service configuration file in the same way as for the source installation:
vi /etc/puppet/puppet.conf
server = s.ilanni.com
certname = s.ilanni.com
pluginsync = false
6.3 Agent-side installation and configuration
After the master side is installed, install the agent side:
yum -y install puppet
The RPM-installed puppet client is started in the same way as the source-installed one (puppet agent, then ps aux | grep puppet):
From this we can see that the puppet user was also created when the agent was installed, but the puppet runtime does not use it and runs as root instead. This matches the source installation.
After the agent is installed, configure the agent-side configuration file in the same way as for the source installation:
vi /etc/puppet/puppet.conf
server = s.ilanni.com
pluginsync = false
7. Puppet certificate authorization
Puppet uses SSL tunnels for security, so certificates are required for authentication.
7.1 Master-side certificate initialization
When the master side starts for the first time, the /var/log/messages log file shows information similar to the following:
tail -f /var/log/messages
Jan 06:39:03 localhost puppet-master[1622]: Signed certificate request for CA
Jan 06:39:04 localhost puppet-master[1622]: s.ilanni.com has a waiting certificate request
Jan 06:39:04 localhost puppet-master[1622]: Signed certificate request for s.ilanni.com
Jan 06:39:04 localhost puppet-master[1622]: Removing file Puppet::SSL::CertificateRequest s.ilanni.com at '/var/lib/puppet/ssl/ca/requests/s.ilanni.com.pem'
Jan 06:39:04 localhost puppet-master[1622]: Removing file Puppet::SSL::CertificateRequest s.ilanni.com at '/var/lib/puppet/ssl/certificate_requests/s.ilanni.com.pem'
Jan 06:39:04 localhost puppet-master[1634]: reopening log files
Jan 06:39:04 localhost puppet-master[1634]: starting puppet master version 3.7.3
From the log we can see that on first start the master side creates the certificate authority locally and issues itself a certificate and key, which can be seen in /var/lib/puppet/ssl:
ll /var/lib/puppet/ssl
This directory is determined by the ssldir path configured in /etc/puppet/puppet.conf.
We can also view the certificate files the master side has signed:
ll /var/lib/puppet/ssl/ca/signed
7.2 Agent-side certificate request
When the agent connects to the master for the first time, it requests a certificate from the master side. If the master side does not sign the agent's certificate, the connection between agent and master will not succeed.
The agent then keeps waiting for the master side to sign the certificate, checking the master every 2 minutes to see whether it has been issued.
Now connect to the master side with puppet agent --server s.ilanni.com:
puppet agent --server s.ilanni.com
7.3 Master-side certificate authorization
After the agent has requested a certificate, switch to the master side and use the puppet cert command to sign the agent's certificate.
For the usage of puppet cert, view its help information:
puppet cert
In the help output, puppet cert gives an example of how to sign a certificate for an agent.
Now see which hosts are requesting certificates from the master:
puppet cert list
From this we can clearly see that the c.ilanni.com client is requesting a certificate.
Now sign the agent's certificate with the following command:
puppet cert sign c.ilanni.com
Note: if there are many clients in a production environment, all certificates can be signed at once:
puppet cert sign --all
View all signed agents on the master side:
puppet cert list --all
Now look at the certificate file that the master has signed for the agent:
ll /var/lib/puppet/ssl/ca/signed
From this we can see that the certificate file the master signed for client c.ilanni.com is c.ilanni.com.pem.
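As an added example (not the article's code), the following shell functions implement the check a practitioner wants alongside puppet cert sign, and especially before resorting to sign --all: compare the request fingerprint the agent printed on its first run with the fingerprint the master shows in puppet cert list, and sign only on a match. The output formats assumed are those of puppet 3.x; the function names and the sample fingerprints are constructed for this example.

```shell
#!/bin/sh
# Verify a pending CSR fingerprint before signing it on the master (added example, not the
# article's code). Output formats assumed from puppet 3.x:
#   agent first run prints:   Info: Certificate Request fingerprint (SHA256): AA:BB:...
#   `puppet cert list` prints:  "c.ilanni.com" (SHA256) AA:BB:...   (signed entries start with "+")
# Function names and the sample values below are constructed for this example.

# Read `puppet cert list` output on stdin and print the SHA256 fingerprint of the
# pending (unsigned) request for hostname $1, or nothing if there is none.
pending_fingerprint() {
    awk -v name="\"$1\"" '$1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# Compare two fingerprints ignoring case and colon separators.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Sign the request for $1 only when the fingerprint the agent reported ($2) matches the
# pending request in the master's list ($3, the text of `puppet cert list`).
# Returns 2 when no request is pending, 1 on mismatch, otherwise the sign command's status.
# PUPPET_CERT defaults to the real command; override it (e.g. "echo") for a dry run.
sign_verified() {
    name=$1; agent_fp=$2; list_output=$3
    master_fp=$(printf '%s\n' "$list_output" | pending_fingerprint "$name")
    if [ -z "$master_fp" ]; then
        echo "no pending request for $name" >&2
        return 2
    fi
    if ! fingerprints_match "$agent_fp" "$master_fp"; then
        echo "fingerprint mismatch for $name: agent=$agent_fp master=$master_fp" >&2
        return 1
    fi
    ${PUPPET_CERT:-puppet cert} sign "$name"
}

# Constructed sample: the fingerprint c.ilanni.com printed at its first run, and the
# master's list showing that pending request next to the already signed master cert.
SAMPLE_FP='1F:2A:3B:4C:5D:6E:7F:80:91:A2:B3:C4:D5:E6:F7:08:19:2A:3B:4C:5D:6E:7F:80:91:A2:B3:C4:D5:E6:F7:08'
SAMPLE_LIST='  "c.ilanni.com" (SHA256) '"$SAMPLE_FP"'
+ "s.ilanni.com" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Typical use on the master, where the list comes from the live command:
#   sign_verified c.ilanni.com "$fp_from_agent_output" "$(puppet cert list)"
```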
7.4 View the agent-side certificate
After the master-side authorization is complete, switch to the agent side to view the signed certificate file:
ll /var/lib/puppet/ssl/certs
From this we can see that the agent-side certificate file c.ilanni.com.pem is identical to the one on the master side.
7.5 Puppet certificate issues
In a production environment, the host name of an agent that has already been authenticated by the master may be modified, or some other misoperation may occur, which prevents the agent from communicating properly with the master.
When this happens, the usual approach is to remove the related authentication files on the master and agent sides, and then request the certificate again from the agent side.
Here is how:
On the agent side, delete the /var/lib/puppet/ssl directory:
rm -fr /var/lib/puppet/ssl
On the master side, delete the certificate file under the /var/lib/puppet/ssl/ca/signed directory:
rm -fr /var/lib/puppet/ssl/ca/signed/c.ilanni.com.pem
After the above operations, the agent will request a certificate again.
8. Puppet resources
After the puppet environment has been set up, we now introduce puppet resources.
8.1 Puppet resource types and help
The resource types supported by puppet can be viewed with the relevant commands.
From the previous chapters we know that puppet help lists the subcommands that can be used for querying, for example:
puppet help ca
View the resource types supported by puppet:
puppet describe --list
They can also be queried with the puppet resource --types command:
puppet resource --types
From this we can see that puppet supports most resources, such as user, file, crontab and so on.
To see the user resource, use the puppet describe user command:
puppet describe user
To see how the user resource is written concretely in site.pp syntax, use the following command:
puppet resource user
We can see that puppet gives examples of user usage, and we just need to follow them.
Note: if puppet describe does not give the details of how a resource is used in site.pp, we can look at puppet resource instead.
This is just the user resource as an example; to see help for the host resource, use a similar command:
puppet resource host
If you do not want to look it up on this machine, you can also check the puppet website:
https://docs.puppetlabs.com/references/latest/type.html
8.2 Puppet resource configuration file
The puppet resource configuration file lives in the server's /etc/puppet/manifests directory; we need to create the site file site.pp in this directory.
In this file we create a resource that needs to be synchronized to the agent side:
cat /etc/puppet/manifests/site.pp
node default {
  file { "/tmp/test.txt":
    content => "Hello,ilanni,this is puppet test!\n",
  }
}
The above manifest creates a default node that uses the file resource to create test.txt in the agent's /tmp/ directory with the content: Hello,ilanni,this is puppet test!\n
Note: \n is a line break. If \n is omitted, the file contents are displayed as follows:
After site.pp is created, the master side must be restarted:
/etc/init.d/puppetmaster restart
Now switch to the agent side to synchronize the resource:
puppet agent --test --server s.ilanni.com
We can see that the agent side has synchronized the resources from the master side locally.
Now check whether the test.txt file exists in /tmp on the agent side:
cat /tmp/test.txt
From this we can see that the agent side has indeed synchronized the resource from the master side: the /tmp directory does contain test.txt, and its content is exactly the same as on the master side.
This concludes the introduction to puppet 3.7 installation and configuration; in the next article we will introduce synchronizing resources with puppet in a production environment.
Slime: puppet 3.7 installation and configuration