Slime: puppet3.7 Installation and configuration

This article by show according to Lin Feng to provide friendship sponsorship, starting in the mud row world.

I had no previous exposure to automated server management, so I intend to fill in this gap in my knowledge over the coming period.

Among server automation management tools today, the most widely used and most popular is Puppet.

So Puppet is our protagonist today. It is explained in the following steps:

1. What is Puppet?

2. Puppet advantages

3. Installation preparation work

4. Environment preparation

5. Source installation of Puppet

6. RPM installation of Puppet

7. Puppet certificate authorization

8. Puppet resources

1. What is Puppet?

Puppet is a centralized configuration management system for Linux, Unix, and Windows platforms, developed in the Ruby language. It uses its own Puppet description language to manage system entities such as configuration files, users, cron jobs, software packages, and system services.

Puppet calls these system entities resources. Its design goal is to simplify the management of these resources and to properly handle the dependencies between them.

Puppet uses a C/S (client/server) deployment architecture. It requires the puppet-server software package (hereinafter referred to as the master) to be installed on the Puppet server, and the Puppet client software (hereinafter referred to as the agent) to be installed on each target host that needs to be managed.

When the agent connects to the master, the configuration defined on the master side is compiled and then run on the agent. By default, each agent connects to the master once every 30 minutes to check for updated configuration information. However, this approach does not meet system administrators' requirements in many scenarios, so many administrators instead run the agent through crontab (scheduled tasks), which is more flexible.

2. Puppet advantages

The Puppet syntax allows you to write a single script that creates a user on all of your target hosts. Each target host in turn interprets and executes this module using the syntax appropriate for its local system. If the configuration is applied on a Red Hat server, the user is created with the useradd command; if it is applied on a FreeBSD server, the adduser command is used.

Another remarkable aspect of Puppet is its flexibility. Because it is open source software, you are free to obtain the Puppet source code. If you run into a problem and are able to deal with it, you can modify or extend the Puppet code to suit your environment and solve the problem.

Puppet is also easy to extend. Support for custom software packages and for special system environment configurations can be added to a Puppet installation quickly and easily.

3. Installation preparation work

The test OS is CentOS 6.5 64-bit; the server is 192.168.199.247 and the client is 192.168.199.248.

Before the formal experiment, we have a few things to deal with first.

3.1 Host time synchronization

To avoid unnecessary trouble during the experiment, we need to synchronize the time on all hosts (both servers and clients). That is, the time difference between the server and the client must not exceed the order of seconds.

Synchronize the time with the following command:

ntpdate timekeeper.isi.edu

If the following error occurs during time synchronization:

Jan 17:20:45 ntpdate[2720]: the NTP socket is in use, exiting

turn off the ntpd service on the host and then synchronize the time again.

/etc/init.d/ntpd stop

3.2 Modify the host name

Because the host name is written into the certificate when Puppet is installed, and this certificate is required for communication between the client and the server, you need to set the host names of the server and the client.

Set the host name as follows:

hostname s.ilanni.com

This command makes the host name take effect immediately. However, the change is lost after the server restarts.

To make the host name permanent, the /etc/sysconfig/network file needs to be modified. As follows:

cat /etc/sysconfig/network

In this experiment we do not set up a DNS server; instead we resolve the domain names by modifying the hosts file on both the server and the client. As follows:

cat /etc/hosts

192.168.199.247 s.ilanni.com

192.168.199.248 c.ilanni.com

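3.3 Disable iptables and SELinux

All of our experiments are carried out with iptables and SELinux turned off. This is a shortcut for the test environment; on a production master, the port that agents need to reach is TCP 8140 (see the netstat check in section 5.2).

/etc/init.d/iptables status

cat /etc/selinux/config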

4. Environment preparation

Puppet can be installed either from source or from RPM packages, but whichever method is used, a few points need to be explained before installation.

4.1 Puppet installation notes

1. Because Puppet is developed in the Ruby language, the Ruby environment must be installed first, whether Puppet is installed from source or from RPM.

2. Starting with version 2.7, Puppet needs Hiera support, so Hiera must also be installed.

3. In the previous chapter we explained that Puppet is a configuration management system and that the resources it manages are entities of the system. But where does the information about these entities come from? For this we need to install another piece of software that collects it: Facter.

Facter is mainly used to collect information about the host, such as CPU, host IP, and so on. Facter passes the collected information to the Puppet server, which can then generate different Puppet configurations for different node machines according to different conditions.

Facter is also developed in the Ruby language, as we can see in the Facter installation documentation:

cat README.md

4.2 Install Ruby

Ruby is easy to install; we use yum here. As follows:

yum -y install ruby

After the Ruby installation is complete, let's look at the files it installed. As follows:

rpm -ql ruby

We can look at the help information for Ruby as follows:

ruby -h

In addition, we have to install the ruby-rdoc package, which is primarily used to view the help documentation for Ruby. As follows:

yum -y install ruby-rdoc

These are the Ruby-related packages; once they are installed we begin to install Facter.

4.3 Installing Facter

Facter can be downloaded from the Puppet website:

http://downloads.puppetlabs.com/facter/

Note: Facter can also be installed via yum; here we install from source.

Download the latest version of Facter, as follows:

wget http://downloads.puppetlabs.com/facter/facter-2.3.0.tar.gz

Unpack the Facter package as follows:

tar -xf facter-2.3.0.tar.gz

Start installing Facter from inside the unpacked facter-2.3.0 directory, as follows:

ruby install.rb or ./install.rb

Once Facter is installed, let's review its usage help. As follows:

facter -h

For detailed help on Facter, we can also read its man page. As follows:

man facter

If the installation succeeded, running the facter command displays the information Facter collects. As follows:

facter

4.4 Installing Hiera

Hiera is mainly used to control values on the agents that change frequently; from Puppet 2.7 onwards it must be installed. If it is not installed, the system reports the following error when we install Puppet:

Could not load hiera; cannot install

However, before installing Hiera we must add an additional yum repository, or the package will not be found.

The yum repository can be found on the official Puppet website:

https://docs.puppetlabs.com/guides/puppetlabs_package_repositories.html#for-red-hat-enterprise-linux-and-derivatives

Install it following the method given on the official Puppet website:

rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

After the yum repository is configured, we install Hiera. As follows:

yum -y install hiera

When the above installation is complete, we can formally install Puppet.

5. Source installation of Puppet

The Puppet server and client are installed from the same source package with the same installation steps; only the configuration files differ slightly.

Before downloading the Puppet source code, we also create the puppet user that Puppet runs as, on both the master side and the agent side. If it is not created on the master side, the master reports the following error when it starts up:

Create the puppet user as follows:

useradd -m -s /sbin/nologin puppet

cat /etc/passwd | grep puppet

Note: The Puppet server runs as the puppet user, while the Puppet client runs as the root user.

The reason is that running the master as an ordinary user is relatively more secure on the server, while the agent runs as root on the client because creating users, modifying system files and managing other resources as instructed by the master requires the highest privileges.

5.1 Puppet source installation

The Puppet source package can be downloaded from the official Puppet website. At present, the latest version of Puppet is 3.7.3.

http://downloads.puppetlabs.com/puppet/

Download the Puppet package as follows:

wget http://downloads.puppetlabs.com/puppet/puppet-3.7.3.tar.gz

Unpack the Puppet package as follows:

tar -xf puppet-3.7.3.tar.gz

Puppet is installed the same way as Facter, as follows:

ruby install.rb or ./install.rb

Once Puppet is installed, let's look at its help information as follows:

puppet help

Check the installation location of Puppet as follows:

ll /etc/puppet/

That completes the installation of Puppet. We will now configure it.

5.2 Master-side configuration

Once Puppet is installed, we configure the master side. Copy the puppet.conf file from the ext/redhat/ directory of the Puppet source package to the Puppet configuration directory /etc/puppet/, as follows:

cp ext/redhat/puppet.conf /etc/puppet/

vi /etc/puppet/puppet.conf

server = s.ilanni.com

certname = s.ilanni.com

pluginsync = false

Here s.ilanni.com is the host name of the Puppet server.

pluginsync = false indicates that the plug-in feature in modules is turned off.

Once the configuration file has been modified, we configure the startup script on the master side.

Copy the server.init file from the ext/redhat/ directory of the Puppet source package to /etc/init.d/ and rename it to puppetmaster. Then give puppetmaster executable permission. As follows:

cp ext/redhat/server.init /etc/init.d/puppetmaster

chmod u+x /etc/init.d/puppetmaster

Note: The master can also be started with the puppet master command. As follows:

puppet master

netstat -tunlp | grep "8140"

ps aux | grep puppet

In fact, the puppetmaster startup script itself starts the master with the puppet master command, as follows:

cat /etc/init.d/puppetmaster

Add puppetmaster to the boot-time services. As follows:

chkconfig --add puppetmaster

chkconfig puppetmaster on

chkconfig | grep puppetmaster

After the above configuration is complete, we start the puppet service as follows:

/etc/init.d/puppetmaster start

ps aux | grep puppet

netstat -tunlp

From the output, we can see that the puppet service uses TCP port 8140 and runs as the puppet user.

With the Puppet server configured, we now configure the Puppet client.

5.3 Agent-side configuration

On the agent side, we only need to copy the puppet.conf file to the Puppet configuration directory /etc/puppet/, as follows:

cp ext/redhat/puppet.conf /etc/puppet/

cat /etc/puppet/puppet.conf

server = s.ilanni.com

pluginsync = false

Here s.ilanni.com is the host name of the Puppet server.

pluginsync = false indicates that the plug-in feature in modules is turned off.

The agent can be started with the puppet agent command. As follows:

puppet agent

ps aux | grep puppet

From this, we can also see that the agent runs as the root user, not the puppet user.

Note: On the agent side we use the puppet agent command for all management tasks, including requesting the certificate and synchronizing resources.

The agent can be run in two ways: the first is to run a command that connects to the master; the second is to run as a daemon in the background, connecting to the master every 30 minutes by default, but this is not flexible. We generally use the first method, in conjunction with crontab.

6. RPM installation of Puppet

Installing Puppet from RPM is relatively simple; we only need yum. As follows:

6.1 Puppet installation preparation

Before installing from RPM, we need to configure an additional yum repository; otherwise the system reports that the puppet package cannot be found. As follows:

yum -y install puppet-server

To install the additional yum repository, we can find it on Puppet's official website. As follows:

https://docs.puppetlabs.com/guides/puppetlabs_package_repositories.html#for-red-hat-enterprise-linux-and-derivatives

Install it following the method given on the official Puppet website. As follows:

rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

Note: The yum repository needs to be configured on both the master side and the agent side.

6.2 Master-side installation and configuration

Now install the master side with yum as follows:

yum -y install puppet-server

From the output, we can see that installing puppet-server depends on three packages: facter, hiera and puppet.

Now let's look at the new user created by the puppet-server installation and the user that the puppet service runs as, as follows:

cat /etc/passwd

ps aux | grep puppet

From this, we can see that puppet-server does create a new puppet user at installation time, and that the puppet user is the one actually used at run time.

View the ports used by the puppet service, as follows:

/etc/init.d/puppetmaster start

netstat -tunlp

After the master is installed, we configure the puppet service configuration file in the same way as for the source installation. As follows:

vi /etc/puppet/puppet.conf

server = s.ilanni.com

certname = s.ilanni.com

pluginsync = false

6.3 Agent-side installation and configuration

After the master is installed, we install the agent as follows:

yum -y install puppet

The RPM-installed Puppet client is the same as with the source installation; we now start the Puppet client. As follows:

From this, we can see that the puppet user was also created when the agent was installed, but at run time Puppet uses the root user rather than that user. This matches the source installation.

After the agent has been installed, we configure the agent-side configuration file in the same way as for the source installation. As follows:

vi /etc/puppet/puppet.conf

server = s.ilanni.com

pluginsync = false

7. Puppet certificate authorization

We know that Puppet uses SSL tunnels for communication for security purposes, and therefore requires certificates for authentication.

7.1 Master-side certificate initialization

When the master starts for the first time, the /var/log/messages log file shows information similar to the following:

tail -f /var/log/messages

Jan 06:39:03 localhost puppet-master[1622]: Signed certificate request for CA

Jan 06:39:04 localhost puppet-master[1622]: s.ilanni.com has a waiting certificate request

Jan 06:39:04 localhost puppet-master[1622]: Signed certificate request for s.ilanni.com

Jan 06:39:04 localhost puppet-master[1622]: Removing file Puppet::SSL::CertificateRequest s.ilanni.com at '/var/lib/puppet/ssl/ca/requests/s.ilanni.com.pem'

Jan 06:39:04 localhost puppet-master[1622]: Removing file Puppet::SSL::CertificateRequest s.ilanni.com at '/var/lib/puppet/ssl/certificate_requests/s.ilanni.com.pem'

Jan 06:39:04 localhost puppet-master[1634]: Reopening log files

Jan 06:39:04 localhost puppet-master[1634]: Starting Puppet master version 3.7.3

We can see from the log that the first time the master starts, the puppet service creates a certificate authority locally and issues itself a certificate and key, which we can see in /var/lib/puppet/ssl. As follows:

ll /var/lib/puppet/ssl

This directory corresponds to the ssldir path configured in the /etc/puppet/puppet.conf file.

We can also view the certificate file that the master issued to itself, as follows:

ll /var/lib/puppet/ssl/ca/signed

7.2 Agent-side certificate request

When the agent first connects to the master, it requests a certificate from the master. If the master does not sign the agent's certificate, the connection between the agent and the master will not succeed.

At this point the agent keeps waiting for the master to sign the certificate, and checks every 2 minutes whether the master has issued it.

We now use puppet agent --server s.ilanni.com to connect to the master, as follows:

puppet agent --server s.ilanni.com

7.3 Master-side certificate authorization

After the agent has requested a certificate, we switch to the master side and use the puppet cert command to sign the agent's certificate.

For the usage of puppet cert, we can view its help information. As follows:

puppet cert

In its output, puppet cert gives an example of how to sign a certificate for an agent.

Now let's see which hosts are requesting certificates from the master, as follows:

puppet cert list

From the output, we can clearly see that the c.ilanni.com client is requesting a certificate.

Now let's sign the agent's certificate, using the following command:

puppet cert sign c.ilanni.com

Note: If there are many clients in a real production environment, we can sign all pending certificates at once. Note that this signs every request currently waiting, whoever submitted it. As follows:

puppet cert sign --all

View all signed agents on the master side as follows:

puppet cert list --all

Now let's look at the certificate file the master issued to the agent, as follows:

ll /var/lib/puppet/ssl/ca/signed

From the output, we can see that the certificate file the master issued to the client c.ilanni.com is c.ilanni.com.pem.
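
As an added example (not part of the original article), the script below is a more careful alternative to puppet cert sign --all: it signs only those pending requests whose fingerprint in the puppet cert list output matches the fingerprint read on the agent itself with puppet agent --fingerprint. The allowlist file, its format and the function names are assumptions made for this example, and the sample fingerprints are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. The allowlist file and its
# "<certname> <fingerprint>" format are assumptions; fill it with the values
# each agent prints for `puppet agent --fingerprint`.

# approved_requests PENDING ALLOWLIST
#   PENDING   - saved output of `puppet cert list` on the master
#   ALLOWLIST - expected "<certname> <fingerprint>" pairs, one per line
# Prints the certnames whose pending fingerprint matches the allowlist.
approved_requests() {
    awk -v allow="$2" '
        BEGIN {
            # Load expected fingerprints; skip blank lines and # comments.
            while ((getline line < allow) > 0) {
                n = split(line, f, " ")
                if (n >= 2 && f[1] !~ /^#/) want[f[1]] = toupper(f[2])
            }
        }
        # A request carrying DNS alt names could stand in for another host,
        # so it is always left for manual review.
        /alt names/ { next }
        {
            name = $1
            gsub(/"/, "", name)
            fp = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/) {
                    fp = toupper($i)
                    break
                }
            if (fp != "" && (name in want) && want[name] == fp) print name
        }
    ' "$1"
}

# sign_approved ALLOWLIST - run on the master; signs only verified requests.
sign_approved() {
    pending=$(mktemp) || return 1
    puppet cert list > "$pending"
    for host in $(approved_requests "$pending" "$1"); do
        puppet cert sign "$host"
    done
    rm -f "$pending"
}

# sample_run - constructed data; fingerprints are made up and shortened
# (a real SHA256 fingerprint has 32 byte pairs).
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pending" <<'EOF'
  "c.ilanni.com" (SHA256) 3F:9A:10:C4:77:0B:E2:51
  "c2.ilanni.com" (SHA256) 8D:22:F0:6A:19:B3:4C:7E
  "s2.ilanni.com" (SHA256) 5B:E1:93:0D:AA:46:2F:C8 (alt names: "DNS:s.ilanni.com")
EOF
    cat > "$dir/allow" <<'EOF'
# certname fingerprint
c.ilanni.com 3f:9a:10:c4:77:0b:e2:51
c2.ilanni.com 00:11:22:33:44:55:66:77
s2.ilanni.com 5B:E1:93:0D:AA:46:2F:C8
EOF
    approved_requests "$dir/pending" "$dir/allow"
    rm -rf "$dir"
}

sample_run
```

In the sample run only c.ilanni.com is approved: c2.ilanni.com has a fingerprint that does not match, and s2.ilanni.com is held back because its request asks for an alternative DNS name.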

7.4 View agent-side certificates

After the master-side authorization is complete, we switch to the agent side to view the issued certificate file, as follows:

ll /var/lib/puppet/ssl/certs

From the output, we can see that the agent-side certificate file c.ilanni.com.pem is the same as the certificate file on the master side.

7.5 Puppet certificate issues

In a real production environment, the host name of an agent that has already been authenticated by the master may be changed, or some other mistake may be made, so that the agent can no longer communicate with the master properly.

When this happens, our general approach is to remove the related certificate files on both the master and the agent, and then request the certificate again from the agent.

Here's how:

On the agent side, delete the /var/lib/puppet/ssl directory, as follows:

rm -fr /var/lib/puppet/ssl

On the master side, delete the certificate file under the /var/lib/puppet/ssl/ca/signed directory, as follows:

rm -fr /var/lib/puppet/ssl/ca/signed/c.ilanni.com.pem

After the above is done, the agent requests the certificate again.

8. Puppet resources

With the Puppet environment set up, we now begin to introduce Puppet resources.

8.1 Puppet resource types and help

We can view the resource types supported by Puppet through the relevant commands.

From the previous chapters, we know that Puppet supports querying help for its subcommands. As follows:

puppet help ca

View the resource types supported by Puppet. As follows:

puppet describe --list

You can also query with the puppet resource --types command, as follows:

puppet resource --types

From this, we can see that Puppet supports resources such as user, file, crontab and so on.

To see the details of the user resource, we use the puppet describe user command. As follows:

puppet describe user

If we want to see how user is actually written in the Puppet site file site.pp, we can view it with the following command:

puppet resource user

We can see that Puppet gives an example of user usage; we just need to follow this example.

Note: If puppet describe does not give the details of how a resource is used in site.pp, we can use puppet resource to view it.

The user resource is just one example; to see the help for the host resource, we can use a similar command, as follows:

puppet resource host

If you do not want to look this up on the local machine, you can also consult the Puppet website, as follows:

https://docs.puppetlabs.com/references/latest/type.html

8.2 Puppet resource configuration file

Puppet's resource configuration files live in the /etc/puppet/manifests directory on the server; we need to create a site file, site.pp, in this directory.

In this file we create a resource that needs to be synchronized to the agent side, as follows:

cat /etc/puppet/manifests/site.pp

node default {
  file { "/tmp/test.txt":
    content => "Hello,ilanni,this is puppet test!\n",
  }
}

The manifest above creates a default node in the Puppet resource configuration file and uses the file resource to create test.txt in the /tmp/ directory on the agent side, with the contents: Hello,ilanni,this is puppet test!\n

Note: \n indicates a line break. If you do not add \n, the contents of the file are displayed as follows:

After the site.pp file is created, we also need to restart the master, as follows:

/etc/init.d/puppetmaster restart

Now switch to the agent side to synchronize the resource, as follows:

puppet agent --test --server s.ilanni.com

We can see that the agent has synchronized the resources from the master to the local machine.

Now let's see whether there is a test.txt file in the /tmp directory on the agent side. As follows:

cat /tmp/test.txt

From this, we can see that the agent really has synchronized the resource from the master. The /tmp directory does contain the test.txt file, and its content is exactly the same as defined on the master side.

That concludes the introduction to setting up and configuring Puppet 3.7; in the next article we will introduce synchronizing resources with Puppet in a production environment.
