
Puppet study notes

2014-11-04 10:18
Recommended references:
Puppet operations automation, Puppet basics: http://os.51cto.com/art/201205/334201.htm (recommended, very basic)
Puppet installation and configuration: http://blog.chinaunix.net/uid-24250828-id-3882898.html
Puppet downloads: http://downloads.puppetlabs.com/
Official Puppet documentation: https://docs.puppetlabs.com/guides/install_puppet/install_el.html
Learning Puppet: installing and configuring Puppet: http://blog.chinaunix.net/uid-23500957-id-3808027.html

Installation reference for this article: How to install Puppet on CentOS 5: http://os.51cto.com/art/201209/357189.htm. This is the recommended approach on CentOS: configure the Puppet package repository, then install with yum.

[b]1. After the software is installed, the client side needs its configuration file edited:[/b]
[root@agent1 ~]# vim /etc/puppet/puppet.conf
[agent]
# hostname or IP address of the puppet master
server = puppetmaster
# this host's name
certname = agent1
# interval between automatic runs
runinterval = 60
listen = true
report = true
# set to true if you have plugins of your own; false works just as well if you have none
pluginsync = false


2. Certificate signing
2.1 Start the node in test mode so that it sends a certificate request to the puppetmaster
[root@agent1 ~]# puppet agent --test
info: Creating a new SSL key for agent1
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent1
info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
Exiting; no certificate found and waitforcert is disabled
2.2 Confirm and sign on the server side
[root@puppetmaster ~]# puppet cert --list --all     # view certificate status
"agent1"  (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)     # not yet signed
+ "puppetmaster" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

[root@puppetmaster ~]# puppet cert --sign agent1     # sign agent1
notice: Signed certificate request for agent1
notice: Removing file Puppet::SSL::CertificateRequest agent1 at '/var/lib/puppet/ssl/ca/requests/agent1'

[root@puppetmaster ~]# puppet cert --list --all      # check the status again
+ "agent1"  (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)      # a leading "+" means signed
+ "puppetmaster" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8)

[root@puppetmaster ~]# tree /var/lib/puppet/ssl/     # another way to check the certificates
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent1.pem      # signed successfully
│       └── puppetmaster.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.pem
└── public_keys
    └── puppetmaster.pem

9 directories, 14 files
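Before signing, it is worth confirming that the fingerprint `puppet cert --list` shows on the master is the one the agent printed (`Certificate Request fingerprint (md5): ...`), so the certificate goes to the host you just set up and not to anything else that submitted a request under the same certname. The script below is an added example and not part of the original notes. It assumes the `puppet cert --list` output format shown above (one request per line, signed entries prefixed with "+"); the fingerprint is taken as the colon-separated run of hex byte pairs on the line, so it also works where a label such as (SHA256) precedes it. The sample listing it runs on is constructed from the output above.

```shell
#!/bin/sh
# Added example, not from the original notes: confirm that the pending request
# the master sees for CERTNAME carries the fingerprint the agent printed, and
# only then sign it.  Input format assumed: one request per line as printed by
# `puppet cert --list` (signed entries start with "+", revoked with "-").

# verify_csr CERTNAME EXPECTED_FINGERPRINT  < output of `puppet cert --list`
# exit 0 when a pending request for CERTNAME matches, 1 otherwise
verify_csr() {
    certname=$1
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    while IFS= read -r line; do
        case $line in
            +*|-*) continue ;;          # already signed or revoked: not pending
        esac
        name=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*"\([^"]*\)".*/\1/p')
        [ "$name" = "$certname" ] || continue
        # the fingerprint is the colon-separated run of at least 16 hex byte pairs
        fp=$(printf '%s\n' "$line" \
             | sed -n 's/.*[( ]\([0-9A-Fa-f][0-9A-Fa-f]\(:[0-9A-Fa-f][0-9A-Fa-f]\)\{15,\}\).*/\1/p' \
             | tr 'a-f' 'A-F')
        if [ "$fp" = "$expected" ]; then
            return 0
        fi
        echo "fingerprint mismatch for $certname: agent printed $expected, master sees $fp" >&2
        return 1
    done
    echo "no pending request for $certname" >&2
    return 1
}

# sign_if_verified CERTNAME EXPECTED_FINGERPRINT  (run on the master)
sign_if_verified() {
    puppet cert --list | verify_csr "$1" "$2" && puppet cert --sign "$1"
}

# Constructed sample in the format shown above, used for the demonstration.
SAMPLE_LIST='  "agent1"  (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)
+ "puppetmaster" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet")'

if printf '%s\n' "$SAMPLE_LIST" | verify_csr agent1 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9; then
    echo "agent1: fingerprint verified, safe to run: puppet cert --sign agent1"
fi
```

On the master, `sign_if_verified agent1 <fingerprint-from-the-agent>` replaces the bare `puppet cert --sign agent1`; a certname with no pending request or a different fingerprint is reported on stderr and nothing is signed.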

3. Create the module directory structure
Note: when no modulepath is specified, a default search path is used; it can be viewed as follows:
[root@puppetmaster ~]# puppet master --genconfig >/etc/puppet/puppet.conf.out
[root@puppetmaster ~]# cat /etc/puppet/puppet.conf.out | grep modulepath
modulepath = /etc/puppet/modules:/usr/share/puppet/modules
[root@puppetmaster modules]# tree /etc/puppet/modules/test/
/etc/puppet/modules/test/
├── files
├── manifests
│   └── init.pp
└── templates
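The notes show the layout of the test module but not what goes in it. The script below is an added example, not from the original notes: it creates the three directories shown above, writes a minimal `init.pp` whose class ships a file with fixed owner and mode (so a node whose copy drifts is corrected on the next run), and appends a node block assigning the class to agent1. Assumptions: on the master the module root is `/etc/puppet/modules` (the first entry of the default modulepath printed above) and nodes are mapped to classes in `/etc/puppet/manifests/site.pp`; the managed file `/etc/motd` and its content are illustrative choices. The demonstration uses a temporary directory unless `MODULE_ROOT` is set.

```shell
#!/bin/sh
# Added example, not from the original notes: build the module layout shown
# above and give the test module a minimal class.  Assumptions: module root
# /etc/puppet/modules on the master; node-to-class mapping in
# /etc/puppet/manifests/site.pp; /etc/motd and its text are illustrative.

# create_module ROOT NAME: creates ROOT/NAME/{files,manifests,templates},
# writes manifests/init.pp and files/motd, prints the init.pp path
create_module() {
    root=$1
    name=$2
    for d in files manifests templates; do
        mkdir -p "$root/$name/$d" || return 1
    done
    # The main class carries the module's name.  It ships a file from the
    # module's files/ directory and pins owner, group and mode, so a node
    # whose copy drifts (edited content, loosened permissions) is put back
    # on the next run (every runinterval seconds on the agent).
    cat > "$root/$name/manifests/init.pp" <<EOF
class $name {
  file { '/etc/motd':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/$name/motd',
  }
}
EOF
    printf 'Managed by puppet (module %s)\n' "$name" > "$root/$name/files/motd"
    echo "$root/$name/manifests/init.pp"
}

# module_is_complete ROOT NAME: 0 when all three directories and init.pp exist
module_is_complete() {
    root=$1
    name=$2
    [ -d "$root/$name/files" ] && [ -d "$root/$name/manifests" ] &&
        [ -d "$root/$name/templates" ] && [ -f "$root/$name/manifests/init.pp" ]
}

# assign_node SITE_PP NODE MODULE: appends a node block that includes the class
assign_node() {
    printf "node '%s' {\n  include %s\n}\n" "$2" "$3" >> "$1"
}

# Demonstration: MODULE_ROOT (or a temporary directory) stands in for /etc/puppet/modules
ROOT=${MODULE_ROOT:-$(mktemp -d)}
create_module "$ROOT" test >/dev/null
assign_node "$ROOT/site.pp" agent1 test
module_is_complete "$ROOT" test && echo "module test created under $ROOT; run 'puppet agent --test' on agent1"
```

With `MODULE_ROOT=/etc/puppet/modules` on the master and the node block moved into `/etc/puppet/manifests/site.pp`, the `puppet agent --test` run in the next step applies the class to agent1.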


4. Test the test module
[root@agent1 ~]# puppet agent --test  # test on node agent1
or: # puppet agent --server puppetserverhost --test


5. Generate the main configuration file (one exists by default; this can be skipped)
[root@puppetmaster puppet]# puppetmasterd --genconfig > puppet.conf


6. View the run result on the agent side.

[root@agent1 ~]# puppetd --test --trace --debug
Alternatively, a command run on the master can push the configuration to the agent (this is what listen = true in the agent configuration above is for):

[root@puppetmaster puppet]# puppet kick -d --host agent1


For details see: http://blog.sina.com.cn/s/blog_4e424e210100plcw.html
7. [b]To write your own manifests you must learn the Puppet language.[/b]

Supplement: detailed introduction to the Puppet package resource (with examples): http://kisspuppet.com/2013/11/11/package/

PS: Puppet can use the server's IP address as the certname, which helps on a company intranet without a DNS server. That is how it is done at my company, as shown below.

I wrote an automatic Puppet installation script (agent side) for my company and record it here (some parts are redundant; they just suit our servers' environment, for reference only):
#!/bin/bash
# date: 2014/12/10     by: Lance

# first address on the company's 172.16.8.0/24 network, used as the certname;
# the dots are escaped so that e.g. 172.16.81.x cannot match by accident
SERVER_IP=$(ifconfig | grep 'inet addr:172\.16\.8\.' | sed -n '1p' | awk '{print $2}' | awk -F':' '{print $2}')
if [ -z "$SERVER_IP" ]; then
    echo "no address on 172.16.8.0/24 found, certname would be empty" >&2
    exit 1
fi

check_file(){
    # check whether puppet is already installed
    if [ "$(rpm -qa | grep -c 'puppet-')" -ge 1 ]; then
        echo "此服务器已经安装puppet!!"
        exit 0
    fi

    # if /etc/puppet already exists, back up its config files
    if [ -d /etc/puppet ]; then
        echo "/etc/puppet已经存在,正在备份。。。"
        mv /etc/puppet/puppet.conf /etc/puppet/puppet.conf.bak
        mv /etc/puppet/auth.conf /etc/puppet/auth.conf.bak
    fi
}

check_system_clock(){
    # sync the clock (certificate validity checks depend on it) and save it to the hardware clock
    /usr/sbin/ntpdate 202.120.2.101 && /sbin/hwclock -w
    if [ -f /var/spool/cron/root ]; then
        if ! grep -q ntpdate /var/spool/cron/root; then
            echo "ntpdate计划任务不存在,正在添加。。。"
            echo "01 1 * * * /usr/sbin/ntpdate 202.120.2.101 && /sbin/hwclock -w >/dev/null 2>&1" >>/var/spool/cron/root
        fi
    fi

    # time zone
    if ! grep -qi Shanghai /etc/sysconfig/clock; then
        echo "Time zone false ...正在修改。。。"
        sleep 3
        cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    fi
}

check_repo(){
    TEST=0
    # restore the CentOS/EPEL yum repos from backup when only the local repos are present
    if [ ! -f /etc/yum.repos.d/epel.repo ] && ! ls /etc/yum.repos.d/CentOS* >/dev/null 2>&1 \
       && { [ -f /etc/yum.repos.d/local.repo ] || [ -f /etc/yum.repos.d/2.repo ]; }; then
        cp /etc/yum.repos.d/bak/epel.repo /etc/yum.repos.d/epel.repo
        cp /etc/yum.repos.d/bak/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo
        mv /etc/yum.repos.d/local.repo /etc/yum.repos.d/local.repo.bak &>/dev/null
        mv /etc/yum.repos.d/2.repo /etc/yum.repos.d/2.repo.bak &>/dev/null
        TEST=2
        #yum clean all
        yum makecache
    fi
}

check_recovery(){
    # put the local repos back if check_repo swapped them out
    if [ "$TEST" -eq 2 ]; then
        mv /etc/yum.repos.d/local.repo.bak /etc/yum.repos.d/local.repo &>/dev/null
        mv /etc/yum.repos.d/2.repo.bak /etc/yum.repos.d/2.repo &>/dev/null
    fi
}

epel_yum(){
    # detect the OS release and install the puppet yum repository
    if [ "$(uname -r | grep -c el6)" -eq 1 ] && [ "$(rpm -qa | grep -c epel)" -eq 0 ]; then
        #rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
        wget https://yum.puppetlabs.com/el/6.5/products/x86_64/puppetlabs-release-6-5.noarch.rpm
        rpm -ivh puppetlabs-release-6-5.noarch.rpm
        rm -rf puppetlabs-release-6-5.noarch.rpm
    elif [ "$(uname -r | grep -c el5)" -eq 1 ] && [ "$(rpm -qa | grep -c epel)" -eq 0 ]; then
        rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
    fi
}

check_install(){
    # install the puppet client
    yum install puppet -y

    if [ $? -eq 0 ]; then
        echo "安装完成,即将修改puppet配置文件。。。"

        # comments go on their own lines so they cannot be read as part of a value
        cat >> /etc/puppet/puppet.conf <<EOF

[agent]
# IP address of the puppet master
server = 172.16.8.129
certname = $SERVER_IP
# interval at which the client automatically contacts the master
runinterval = 60
listen = true
report = true
EOF

        echo "修改完成,即将启动puppet。。。"

        chkconfig puppet on
        /etc/init.d/puppet start
    fi
}

# network check
check_network(){
    if ! ping -c 1 www.baidu.com >/dev/null 2>&1; then
        echo "外网故障,即将修改。。。"
        route add -net 0.0.0.0/0 gw 172.16.8.2
    fi
}

check_network
check_file
check_system_clock
check_repo
epel_yum
check_install
check_recovery
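The `SERVER_IP` line is what the certname depends on: if the pattern matches the wrong line or nothing at all, the agent ends up registered under a wrong or empty name. The functions below are an added example, not part of the script above. They pick the first address on a given prefix with the dots treated literally, accept both `ip -o -4 addr show` and classic `ifconfig` output, fail instead of returning an empty value, and render the `[agent]` section with comments on their own lines. The master address 172.16.8.129 is taken from the script; the interface listings are constructed samples. `listen = true` is left out because it is only needed for `puppet kick` and opens a listening service on every agent.

```shell
#!/bin/sh
# Added example, not part of the script above: pick the agent's address on a
# given prefix robustly and render the [agent] section from it.  The master
# address 172.16.8.129 comes from the script; the listings below are constructed.

# agent_addr PREFIX  < `ip -o -4 addr show` or `ifconfig` output
# prints the first IPv4 address whose dotted prefix is exactly PREFIX, exit 1 if none
agent_addr() {
    pfx_re=$(printf '%s' "$1" | sed 's/\./\\./g')    # 172.16.8 -> 172\.16\.8
    addr=$(sed -n "s/.*inet \(addr:\)\{0,1\}\($pfx_re\.[0-9]\{1,3\}\)[ /].*/\2/p" | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# agent_conf SERVER CERTNAME: prints the [agent] section, comments on their own lines
agent_conf() {
    printf '[agent]\n# puppet master\nserver = %s\n# this host, identified by its address\ncertname = %s\nruninterval = 60\nreport = true\n' "$1" "$2"
}

# Constructed `ip -o -4 addr show` output: a decoy on 172.16.81.0/24 comes first,
# which the unescaped pattern 172.16.8. in the script would have matched
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 172.16.81.5/24 brd 172.16.81.255 scope global eth0
3: eth1    inet 172.16.8.33/24 brd 172.16.8.255 scope global eth1'

# Constructed classic ifconfig output for the same kind of host
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:172.16.8.40  Bcast:172.16.8.255  Mask:255.255.255.0
          inet6 addr: fe80::1/64 Scope:Link'

if my_ip=$(printf '%s\n' "$SAMPLE_IP" | agent_addr 172.16.8); then
    agent_conf 172.16.8.129 "$my_ip"
else
    echo "no address on 172.16.8.0/24; refusing to write an empty certname" >&2
fi
```

In the script, `SERVER_IP=$(ifconfig | agent_addr 172.16.8) || exit 1` and `agent_conf 172.16.8.129 "$SERVER_IP" >> /etc/puppet/puppet.conf` would replace the grep pipeline and the heredoc.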