Puppet Implementation

Compiled, organized and written by snow chuai, 2020/07/21


1. Installing and Configuring the Puppet Server
1.1) Prerequisites
1. Make sure the FQDN resolves successfully
2. Make sure NTP synchronization succeeds
1.2) Install the Puppet Server
[root@srv1 ~]# yum install https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm -y
[root@srv1 ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/puppetlabs.repo
[root@srv1 ~]# yum --enablerepo=puppetlabs-products,puppetlabs-deps install puppet-server -y
1.3) Configure the Puppet Server
[root@srv1 ~]# vim /etc/puppet/puppet.conf
# Add the Puppet Server's FQDN and alias at the end of the [main] section
[main]
......
dns_alt_names = srv1.1000y.cloud,srv1
1.4) Start the Puppet Server
# Option notes:
#   --verbose:       print detailed information
#   --no-daemonize:  stay in the foreground instead of detaching as a background daemon
# For the first start, puppet master --verbose --no-daemonize is recommended: it helps with testing and debugging because the whole startup sequence is visible. During startup the master does its initialization work, creating the local certificate authority for the master together with its certificate and key, then opens a socket and waits for client connections. The resulting files and directories can be seen under /etc/puppet/ssl.

[root@srv1 ~]# puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
......
Notice: Starting Puppet master version 3.8.7
Press Ctrl+C to exit
[root@srv1 ~]# systemctl enable --now puppetmaster
2. Installing and Configuring the Puppet Client
2.1) Prerequisites
1. Make sure the FQDN resolves successfully
2. Make sure NTP synchronization succeeds
2.2) Install the Puppet agent
[root@srv2 ~]# yum install https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm -y
[root@srv2 ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/puppetlabs.repo
[root@srv2 ~]# yum --enablerepo=puppetlabs-products,puppetlabs-deps install puppet -y
2.3) Configure the Puppet agent
[root@srv2 ~]# vim /etc/puppet/puppet.conf
# Add the Puppet Server's FQDN or IP at the end of the [agent] section
......
[agent]
......
server = srv1.1000y.cloud
2.4) Test the connection to the Puppet Server
[root@srv2 ~]# puppet agent --test --ca_server=srv1.1000y.cloud
Info: Creating a new SSL key for srv2.1000y.cloud
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for srv2.1000y.cloud
Info: Certificate Request fingerprint (SHA256):
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
[root@srv2 ~]# systemctl enable --now puppet
3. Signing the Client Certificate
3.1) List pending certificate requests
[root@srv1 ~]# puppet cert list
  "srv2.1000y.cloud" (SHA256) xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
3.2) Sign the request
# Before signing, compare the fingerprint listed above with the one the agent printed in step 2.4
[root@srv1 ~]# puppet cert --allow-dns-alt-names sign srv2.1000y.cloud
Notice: Signed certificate request for srv2.1000y.cloud
Notice: Removing file Puppet::SSL::CertificateRequest srv2.1000y.cloud at '/var/lib/puppet/ssl/ca/requests/srv2.1000y.cloud.pem'
3.3) Test Puppet
# Create a test manifest
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
# Create a group named 1000ygroup with GID 2222
group { '1000ygroup':
    ensure => present,
    gid    => 2222,
}
# Note
# 1. By default, the Puppet client pulls the manifest from the Puppet Server every 30 minutes
# 2. To apply it immediately, restart the Puppet service on the client
[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# grep 1000ygroup /etc/group
1000ygroup:x:2222:
# To apply the manifest on the local host instead
[root@srv1 ~]# puppet apply /etc/puppet/manifests/site.pp
Notice: Compiled catalog for srv1.1000y.cloud in environment production in 0.21 seconds
Notice: /Stage[main]/Main/Group[1000ygroup]/ensure: created
Notice: Finished catalog run in 0.29 seconds
[root@srv1 ~]# grep 1000ygroup /etc/group 1000ygroup:x:2222:
4. Using Puppet: Managing File Resources
4.1) Create a file (if the file already exists, keep it and skip creation)
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
file { '/home/testfile.txt':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',   # keep the mode quoted: Puppet 4 and later reject a bare number
    content => 'This is the puppet test file.',
}
[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# ll /home
total 8
drwx------. 2 snow snow 4096 Jul 15 21:33 snow
-rw-r--r-- 1 root root 29 Jul 21 17:24 testfile.txt
4.2) Use variables
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
$contents = 'This is the test Puppet manifest.
Sample contents
Test contents
'
file { '/home/1000y.txt':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $contents,
}

[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# ll /home
total 12
-rw-r--r-- 1 root root 64 Jul 21 17:27 1000y.txt
drwx------. 2 snow snow 4096 Jul 15 21:33 snow
-rw-r--r-- 1 root root 29 Jul 21 17:24 testfile.txt
4.3) Use a file on the Puppet Server as a template and apply it to the Puppet client
[root@srv1 ~]# vim /etc/puppet/fileserver.conf
......
# Append the following at the end of the file
[extra_files]
# Directory that holds the source files (templates)
path /etc/puppet/files
# allow * lets any node fetch these files; restrict it (for example allow *.1000y.cloud)
# when the mount holds sensitive files
allow *
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
file { '/home/testfile.txt':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet://srv1.1000y.cloud/extra_files/test.txt',
}

[root@srv1 ~]# mkdir /etc/puppet/files
[root@srv1 ~]# echo "1000y.cloud" > /etc/puppet/files/test.txt
[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# cat /home/testfile.txt
1000y.cloud
4.4) Create a symbolic link
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
file { '/root/testfile.link':
    ensure => link,
    target => '/home/testfile.txt',
}
[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# ls
anaconda-ks.cfg  testfile.link
4.5) Look up a given file and delete it if it exists
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
file { '/root/testfile.link': ensure => absent }
[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# ls
anaconda-ks.cfg
4.6) Replicate a directory specified on the Puppet Server to the remote client
[root@srv1 ~]# vim /etc/puppet/fileserver.conf
......
# Append the following at the end of the file
[extra_dir]
path /etc/puppet/dirs
allow *
[root@srv1 ~]# mkdir -p /etc/puppet/dirs/testdir
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
# purge and force: remove files or directories on the client that do not exist in the source directory
file { '/home/testdir':
    ensure  => directory,
    recurse => true,
    purge   => true,
    force   => true,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => 'puppet://srv1.1000y.cloud/extra_dir/testdir',
}
[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# ls -l /home
total 16
-rw-r--r-- 1 root root 64 Jul 21 17:27 1000y.txt
drwx------. 2 snow snow 4096 Jul 15 21:33 snow
drwxr-xr-x 2 root root 4096 Jul 21 17:49 testdir
-rw-r--r-- 1 root root 12 Jul 21 17:35 testfile.txt
5. Package Management
5.1) Install a package
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
package { 'httpd':
    provider => yum,
    ensure   => installed,
}
5.2) Install the latest version of a package
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
package { 'httpd':
    provider => yum,
    ensure   => latest,
}
5.3) Install a package with rpm
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
package { 'epel-release':
    provider => rpm,
    ensure   => installed,
    source   => 'https://mirrors.tuna.tsinghua.edu.cn/epel/epel-release-latest-7.noarch.rpm',
}
5.4) Remove a package
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
package { 'httpd':
    provider => yum,
    ensure   => purged,
}
6. Service Management
6.1) Run a service
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
service { 'httpd':
    name   => 'httpd',
    ensure => running,
    enable => true,
}
6.2) Install a package and run its service
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
package { 'httpd':
    provider => yum,
    ensure   => installed,
}
service { 'httpd':
    name    => 'httpd',
    ensure  => running,
    require => Package['httpd'],
    enable  => true,
}
6.3) Stop a service
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
service { 'httpd':
    name   => 'httpd',
    ensure => stopped,
    enable => false,
}
6.4) Restart a service
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
service { 'httpd':
    name    => 'httpd',
    ensure  => running,
    restart => 'systemctl restart httpd.service',
}
6.5) Update a service's configuration file
[root@srv1 ~]# vim /etc/puppet/fileserver.conf
......
# Append the following at the end of the file
[extra_files]
path /etc/puppet/files
allow *
[root@srv1 ~]# cp /etc/httpd/conf/httpd.conf /etc/puppet/files
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
file { '/etc/httpd/conf/httpd.conf':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet://srv1.1000y.cloud/extra_files/httpd.conf',
    notify => Service['httpd'],   # refresh (restart) httpd whenever this file changes
}
service { 'httpd':
    name    => 'httpd',
    ensure  => running,
    restart => 'systemctl restart httpd.service',
}
7. Group Management
7.1) Create a group (no action if the group already exists)
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
group { '1000y': ensure => present }
7.2) Create a group with a specified GID (no action if the group already exists)
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
group { '1000y':
    ensure => present,
    gid    => 2222,
}
7.3) Delete a group
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
group { '1000y': ensure => absent }
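The group resources in sections 3.3 and 7 declare a desired state that the agent reconciles on its next run. As an added example that is not part of the original tutorial, the following Python script performs the same comparison against a constructed /etc/group excerpt and reports what the agent would have to change; the desired-state list, the sample file contents and the group name "oldgroup" are assumptions built from the manifests above.

```python
# Constructed /etc/group excerpt (not captured from a real host).
SAMPLE_ETC_GROUP = """\
root:x:0:
wheel:x:10:snow
1000ygroup:x:2222:
snow:x:1000:
"""

# Desired state as declared by the manifests in sections 3.3, 7.2 and 7.3.
DESIRED = [
    {"name": "1000ygroup", "ensure": "present", "gid": 2222},
    {"name": "1000y", "ensure": "present", "gid": 2222},
    {"name": "oldgroup", "ensure": "absent"},  # hypothetical group name
]


def parse_group_file(text: str) -> dict:
    """Map group name -> GID from /etc/group lines (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] and not line.startswith("#"):
            groups[fields[0]] = int(fields[2])
    return groups


def check_drift(desired: list, group_text: str) -> list:
    """Return one finding per resource whose actual state differs from the manifest."""
    actual = parse_group_file(group_text)
    gid_owner = {gid: name for name, gid in actual.items()}
    findings = []
    for res in desired:
        name, gid = res["name"], res.get("gid")
        if res["ensure"] == "absent":
            if name in actual:
                findings.append(f"{name}: present but should be absent")
        elif name not in actual:
            # A GID already held by another group makes groupadd fail on the agent.
            if gid in gid_owner:
                findings.append(f"{name}: missing, and gid {gid} already belongs to {gid_owner[gid]}")
            else:
                findings.append(f"{name}: missing")
        elif gid is not None and actual[name] != gid:
            findings.append(f"{name}: gid is {actual[name]}, manifest wants {gid}")
    return findings


if __name__ == "__main__":
    for finding in check_drift(DESIRED, SAMPLE_ETC_GROUP):
        print(finding)
```

With the sample data the only finding is that 1000y is missing and its GID 2222 is already taken by 1000ygroup, which is exactly the conflict the agent would hit when both groups from the tutorial are managed on the same node.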
8. User Management
8.1) Create a user (no action if the account already exists)
# Generate the account's password hash
[root@srv1 ~]# python -c 'import crypt,getpass; \
 print(crypt.crypt(getpass.getpass(), \
 crypt.mksalt(crypt.METHOD_SHA512)))'
Password:     # enter the password
$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
user { 'snowchuai':
    ensure     => present,
    home       => '/home/snowchuai',
    managehome => true,
    password   => '$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0',
}
8.2) Create an account with a specified UID and GID (no action if it already exists)
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
group { 'snowchuai':
    ensure => present,
    gid    => 2222,
}
user { 'snowchuai':
    ensure     => present,
    home       => '/home/snowchuai',
    managehome => true,
    uid        => 2222,
    gid        => 2222,
    groups     => ['1000y', 'wheel'],
    password   => '$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0',
}
8.3) Set the maximum and minimum password age when creating the user, and add a comment
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
group { 'snowchuai':
    ensure => present,
    gid    => 2222,
}
user { 'snowchuai':
    ensure           => present,
    home             => '/home/snowchuai',
    managehome       => true,
    uid              => 2222,
    gid              => 2222,
    groups           => ['1000y', 'wheel'],
    password_max_age => 30,
    password_min_age => 1,
    password         => '$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0',
    comment          => 'Snow Chuai',
}
8.4) Delete a user together with the home directory
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
user { 'snowchuai':
    ensure     => absent,
    home       => '/home/snowchuai',
    managehome => true,
}
[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# su - snow
su: user snow does not exist
9. Executing Commands
9.1) Create a file and run newaliases
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
file { '/etc/aliases':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => 644,
    source => 'puppet://srv1.1000y.cloud/extra_files/aliases'
}
exec { 'newaliases':
    path        => ['/usr/bin', '/usr/sbin'],
    subscribe   => File['/etc/aliases'],
    refreshonly => true,   # run only when /etc/aliases changes
}

9.2) Run a remote command
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
# Without creates, unless or onlyif, this exec runs on every agent run (every 30 minutes by default)
exec { 'hostname':
    path    => ['/usr/bin', '/usr/sbin'],
    command => "hostname > ~/hostname.txt",
}
[root@srv2 ~]# systemctl restart puppet
[root@srv2 ~]# cat hostname.txt
srv2.1000y.cloud
10. Assigning Tasks to Different Hosts
10.1) Use the node keyword to assign tasks to different hosts
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
node 'srv2.1000y.cloud' {
    file { '/home/testfile.txt':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => 'This is the puppet test file.',
    }
}
node default {
    user { 'snowchuai':
        ensure     => present,
        home       => '/home/snowchuai',
        managehome => true,
        password   => '$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0',
    }
}
10.2) Assign different resources to different hosts
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
node 'srv2.1000y.cloud' {
    file { '/home/testfile.txt':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => 'This is the puppet test file.',
    }
}
# inherits: node inheritance (supported by Puppet 3; removed in Puppet 4)
node 'srv3.1000y.cloud' inherits 'srv2.1000y.cloud' {
    file { '/home/testfile2.txt':
        ensure  => file,
        content => 'inherits test file.',
    }
}
node default {
    user { 'snowchuai':
        ensure     => present,
        home       => '/home/snowchuai',
        managehome => true,
        password   => '$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0',
    }
}
11. Managing Resources with Classes
11.1) Using classes, part 1
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
class sample1 {
    file { '/home/testfile.txt':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => 'This is the puppet test file.',
    }
    user { 'snowchuai':
        ensure     => present,
        home       => '/home/snowchuai',
        managehome => true,
        password   => '$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0',
    }
}
node 'srv2.1000y.cloud' { include 'sample1' }
11.2) Using classes, part 2 (inheritance)
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
class sample1 {
    file { '/home/testfile.txt':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => 'This is the puppet test file.',
    }
    user { 'snowchuai':
        ensure     => present,
        home       => '/home/snowchuai',
        managehome => true,
        password   => '$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0',
    }
}
class sample2 inherits sample1 {
    file { '/home/testfile2.txt':
        ensure  => file,
        owner   => 'root',
        group   => 'wheel',
        content => 'test file2',
    }
}
node 'srv3.1000y.cloud' { include 'sample2' }
12. Using Facter Variables
12.1) Show the host's current Facter variables
[root@srv1 ~]# facter
architecture => x86_64
augeasversion => 1.4.0
bios_release_date => 01/01/2011
bios_vendor => Seabios
bios_version => 0.5.1
blockdevice_sda_model => QEMU HARDDISK
blockdevice_sda_size => 42949672960
blockdevice_sda_vendor => QEMU
blockdevices => sda
domain => 1000y.cloud
facterversion => 2.4.6
......
12.2) Use Facter variables
[root@srv1 ~]# vim /etc/puppet/manifests/site.pp
# What this manifest does:
# 1. Check whether the OS is RedHat or CentOS and whether its release is 7.8.2003
# 2. If the release is 7.8.2003, apply sample1
# 3. If the release is not 7.8.2003, apply sample2
# 4. If the OS is neither RedHat nor CentOS, apply sample3
class sample1 {
    file { '/home/testfile.txt':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => 'This is the puppet test file.',
    }
}
class sample2 {
    user { 'snowchuai':
        ensure     => present,
        home       => '/home/snowchuai',
        managehome => true,
        password   => '$6$aFLi6D2OKzkxZchn$x5TFRkYUvkw9/4GN/K4EGfnvQ0C0OAsJ4L4sS85cXB/oiEIscxdVJs8HDwEQc4NLZOZgxXtAP5LNZ0AO7AQTC0',
    }
}
class sample3 {
    file { '/home/testfile2.txt':
        ensure  => file,
        owner   => 'root',
        group   => 'wheel',
        content => 'test file2',
    }
}
case $operatingsystem {
    'RedHat', 'CentOS': {
        if $operatingsystemrelease == '7.8.2003' {
            include 'sample1'
        } else {
            include 'sample2'
        }
    }
    default: {
        include 'sample3'
    }
}
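The case/if decision above can be checked outside Puppet before the agent's next run. As an added example that is not part of the original tutorial, this Python script parses the `name => value` lines that `facter` prints (the sample output below is constructed) and applies the same decision; since facts are reported by the node itself, anything a manifest hands out based on them relies on the node reporting honestly.

```python
from typing import Dict

# Constructed sample of `facter` output (not captured from a real host).
SAMPLE_FACTER_OUTPUT = """\
architecture => x86_64
domain => 1000y.cloud
operatingsystem => CentOS
operatingsystemrelease => 7.8.2003
......
"""


def parse_facter(text: str) -> Dict[str, str]:
    """Turn facter's `name => value` lines into a dict.

    Lines without ' => ' (such as the '......' elision in the tutorial's
    listing) are skipped instead of being treated as facts.
    """
    facts = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" => ")
        if sep:
            facts[name.strip()] = value.strip()
    return facts


def select_class(facts: Dict[str, str]) -> str:
    """Same decision as the case/if block in the manifest above.

    A missing or unexpected value falls through to sample3 instead of
    raising an error, exactly as Puppet's `default:` branch does.
    """
    if facts.get("operatingsystem") in ("RedHat", "CentOS"):
        if facts.get("operatingsystemrelease") == "7.8.2003":
            return "sample1"
        return "sample2"
    return "sample3"


def classify(facter_output: str) -> str:
    """Parse raw facter output and return the class the manifest would include."""
    return select_class(parse_facter(facter_output))


if __name__ == "__main__":
    print(classify(SAMPLE_FACTER_OUTPUT))  # sample1
```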

 
