
Installation and Setup, Installation and Configuration

Date: 2019-11-22 07:16  Source: Server Operations

An introduction to the configuration management tool Puppet, part 1: Installation and Setup (configuration management with Puppet)

Puppet is one of the configuration management tools; this article mainly covers installing and setting up Puppet.

Learning Puppet: installing and configuring Puppet

1. Puppet concepts

What is Puppet

Puppet is a configuration management tool produced by puppetlabs; the yearly DORA DevOps report is led by puppetlabs, and Puppet itself is a very capable management tool. Through highly readable configuration descriptions it can accomplish many complex tasks. For example, the snippet below ensures that the wget package is installed and that the user admin is created, without having to care about the concrete details; everything else is left to Puppet's Agent/Master setup.

package { 'wget':
  ensure => installed,
}

user { 'admin':
  ensure => present,
}

1. Introduction to Puppet

Introduction

Agent/Master vs Stand-alone

Puppet can be used in Agent/Master mode or in Stand-alone mode; the latter simply uses it as a single-machine tool, and you can choose whichever fits the situation.

Puppet is an automated system configuration tool developed in Ruby. It can run in C/S mode or standalone, supports configuration management of all UNIX and UNIX-like systems, and the latest versions have also begun to support limited management of Windows. Puppet is suitable for the entire server management lifecycle, such as initial installation, configuration updates and system decommissioning.

When the number of servers reaches a certain scale, relying only on people to configure server resources in bulk makes operations work cumbersome and error-prone. What should we do to solve this? We can introduce a set of tools for which we write the corresponding manifests code; running it then completes all the work automatically. The currently popular operations tools are mainly puppet, ansible and saltstack; here we focus on puppet. In some large internet companies, operations automation manages hundreds or even thousands of servers; it can perform unified operations across many servers, such as deploying the same software and performing unified release maintenance, and it can complete release deployments quickly, reducing manual effort and the risk of human error.

Installation preparation

The installation and setup information used in this article is as follows

IP              Hostname   OS          Puppet software
192.169.31.131  host131    CentOS7.4   Puppet-server 5.4
192.169.31.133  host133    CentOS7.4   Puppet-agent 5.4

2. Installing Puppet

Installing the Master

Installing the Puppet Master requires the following steps:

  • Step 1: rpm -Uvh
  • Step 2: yum install puppetserver

Version check

[root@host131 ~]# puppet --version
5.4.0
[root@host131 ~]#

Puppet can be installed from source, with yum, or as a Ruby gem. The official site recommends installing puppet with yum, which makes later upgrades, management and maintenance easier. CentOS can use yum for the installation, but CentOS's default repositories do not contain the puppet package, so the epel package must be installed first. EPEL stands for Extra Packages for Enterprise Linux; it is a high-quality add-on package project created, maintained and managed by a special interest group for Red Hat Enterprise Linux (RHEL) and its derivative distributions (such as CentOS and Scientific Linux).

How it works

Installing the Agent

Installing the Puppet Agent requires the following steps:

  • Step 1:rpm -Uvh
  • Step 2:yum install puppet-agent

Version check

[root@host133 ~]# puppet --version
5.4.0
[root@host133 ~]#
  1. Installing the Master

The goal of puppet is to let the system administrator focus only on the target servers to be managed, ignoring the details of how it is done. puppet can be used on a single machine or in a C/S structure; when deploying puppet at scale we normally use the C/S structure, in which the server side runs the puppet-master program and the client side runs the puppet-client service program.

Initial setup

yum -y install ruby ruby-libs ruby-shadow

The concrete workflow diagram is shown below:

Starting the Puppet master

On the master node host131, start the master with the following command; --debug makes it print debugging information

[root@host131 ~]# puppet master --no-daemonize --debug
Debug: Applying settings catalog for sections main, master, ssl, metrics
Debug: Evicting cache entry for environment 'production'
Debug: Caching environment 'production' (ttl = 0 sec)
...

wget ftp://ftp.sunet.se/pub/Linux/distributions/yellowdog/yum/6.2/extras/RPMS/epel-release-5-3.noarch.rpm

To get a grip on puppet, understanding how it works is an essential stage; only once you understand the working principle can you use puppet well. Let's go through puppet's working principle together:

Starting the Agent

On the agent node host133, try connecting to host131; since that is not the default setting, pass it with server=host131

[root@host133 ~]# puppet agent --server=host131 --test --debug
Debug: Applying settings catalog for sections main, agent, ssl
Debug: Caching environment 'production' (ttl = 0 sec)
Debug: Evicting cache entry for environment 'production'
Debug: Caching environment 'production' (ttl = 0 sec)
...
Debug: Dynamically-bound port lookup failed; falling back to ca_port setting
Debug: Creating new connection for https://host131:8140
Exiting; no certificate found and waitforcert is disabled
[root@host133 ~]#

The message shows that the certificate setup is not correct, so next we need to set up the certificate information on the server side

rpm -Uvh epel-release-5-3.noarch.rpm

When it comes to puppet's working principle, we have to start from the following aspects, as shown below:

Default certificate information

List the current certificate information: there are two certificates, for the current machine host131 and for host133. host133 has no + in front of it, which indicates that this certificate has not been signed yet.

[root@host131 ~]# puppet cert list -all
  "host133" (SHA256) 52:2A:AE:C0:58:47:B1:C3:8E:BC:80:F5:51:71:6C:46:77:58:00:4C:96:61:6D:FA:4E:AD:59:4B:F6:71:78:4E
  "host131" (SHA256) 0E:2E:2B:22:61:E8:F1:59:3A:E4:92:F9:99:2E:3F:D4:7F:D6:E6:83:21:E0:96:4B:1F:4E:7A:A3:D4:EE:FA:78
[root@host131 ~]#

Because the certificate for host133 has not been signed, the test run from the client host133 cannot get through; use the following command to review and sign this certificate

[root@host131 ~]# puppet cert sign host133
Signing Certificate Request for:
  "host133" (SHA256) 52:2A:AE:C0:58:47:B1:C3:8E:BC:80:F5:51:71:6C:46:77:58:00:4C:96:61:6D:FA:4E:AD:59:4B:F6:71:78:4E
Notice: Signed certificate request for host133
Notice: Removing file Puppet::SSL::CertificateRequest host133 at '/etc/puppetlabs/puppet/ssl/ca/requests/host133.pem'
[root@host131 ~]# 
[root@host131 ~]# puppet cert list -all
  "host131" (SHA256) 0E:2E:2B:22:61:E8:F1:59:3A:E4:92:F9:99:2E:3F:D4:7F:D6:E6:83:21:E0:96:4B:1F:4E:7A:A3:D4:EE:FA:78
  "host133" (SHA256) 68:4B:45:DD:99:C7:F7:ED:25:BB:DC:BD:18:3A:81:8C:EF:9F:1D:3E:FB:1E:2D:73:B3:77:31:DE:46:E4:E1:E5
[root@host131 ~]# 
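To make the signed/pending distinction in the `puppet cert list` output above checkable from a script, here is an added Ruby example (not code from the original article) that parses that output format. In it a signed certificate is prefixed with "+", a revoked one with "-", and a pending request has no marker; the sample text and its fingerprints are constructed for the example.

```ruby
# Constructed sample, modelled on the `puppet cert list --all` session above;
# the fingerprints are shortened and invented for this example.
SAMPLE_OUTPUT = <<~OUT
  + "host131" (SHA256) 0E:2E:2B:22:61:E8:F1:59:3A:E4:92:F9:99:2E:3F:D4
    "host133" (SHA256) 52:2A:AE:C0:58:47:B1:C3:8E:BC:80:F5:51:71:6C:46
  - "oldnode" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
OUT

# One line of `puppet cert list` output: optional state marker, quoted
# certname, digest algorithm in parentheses, colon-separated fingerprint.
CERT_LINE = /\A\s*(?<mark>[+-])?\s*"(?<name>[^"]+)"\s+\((?<alg>\w+)\)\s+(?<fp>[0-9A-Fa-f:]+)\s*\z/

STATES = { '+' => :signed, '-' => :revoked, nil => :pending }.freeze

# Returns [{ name:, state:, alg:, fingerprint: }, ...]; lines that do not
# look like a certificate entry are skipped.
def parse_cert_list(text)
  text.each_line.map do |line|
    m = CERT_LINE.match(line)
    next unless m
    { name: m[:name], state: STATES[m[:mark]], alg: m[:alg], fingerprint: m[:fp] }
  end.compact
end

# Certnames still waiting for `puppet cert sign`. An operator should confirm
# each request's fingerprint with the node's owner before signing it, because
# a signed certificate lets that node fetch catalogs from this master.
def pending_requests(text)
  parse_cert_list(text).select { |e| e[:state] == :pending }.map { |e| e[:name] }
end

# True only when the node holds a signed certificate (neither pending nor revoked).
def signed?(text, certname)
  parse_cert_list(text).any? { |e| e[:name] == certname && e[:state] == :signed }
end

if __FILE__ == $0
  puts "pending requests: #{pending_requests(SAMPLE_OUTPUT).inspect}"
end
```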

yum -y install puppet puppet-server facter

(1) Definition: use Puppet's own language to define the basic configuration information. We normally write this information in Modules.

Retrying the Agent connection

Run the Agent connection again and you find that the Agent can now communicate normally with the Master.

[root@host133 ~]# puppet agent --server=host131 --test
Info: Caching certificate for host133
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for host133
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for host133
Info: Applying configuration version '1519038659'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.01 seconds
[root@host133 ~]# 
  1. Installing the Agent

(2) Simulation: check the code before the configuration is enforced, without actually executing it.

yum install ruby ruby-libs ruby-shadow

(3) Enforcement: automatically deploy the defined configuration, detecting and recording the parts that changed.

wget ftp://ftp.sunet.se/pub/Linux/distributions/yellowdog/yum/6.2/extras/RPMS/epel-release-5-3.noarch.rpm

(4) Reporting: send the desired changes, the changes actually made and any other changes to the reporting system.

rpm -Uvh epel-release-5-3.noarch.rpm

The following is a schematic of puppet's working data flow

yum -y install puppet facter

[Image 1]

Data flow explanation:

At this point, if the installation process reported no errors, puppet has been installed successfully.

1. First, every node (Node) sends its Facts and local information to the Master

3. Simple Puppet configuration

2. The Master tells the Node how it should be configured, writes this information into a Catalog and sends it to the Node.

  1. Configuring the Master

3. The Node parses, validates and executes the code locally and reports the result to the Master.

First let's look at which files are under the puppet home directory and what each of them is for:

4. The Master sends the data to analysis tools through the API. Reports can be fully integrated with other systems through the open API.

ls -1 /etc/puppet/

The whole data flow runs over the SSL security protocol, as shown in the figure below:

auth.conf       # defines the puppet master's ACL file

[Image 2]

fileserver.conf   # configuration file for the puppet master's file server

The template (manifest) handling process is explained as follows:

manifests        # main directory for puppet scripts; the site.pp file must exist

Puppet compiles the contents of the Manifest (that is, the template contents) and stores the compiled code in the Catalog. Before execution the code is validated first, then executed, bringing the system to the state defined at the very beginning. The code compilation process is shown in the figure:

modules            # puppet module directory

[Image 3]

puppet.conf     # puppet main configuration file

The following shows the detailed interaction between the agent and the master during the whole automatic puppet configuration process:

ssl                     # directory holding the SSL certificates

[Image 4]

To begin with, puppet.conf needs no configuration at all.

Process explanation:

The hosts file needs to be modified; note that the hosts entries must correspond to the hostnames.

1. The Puppet client (Agent) sends its node name and facts information to the Master.

Run vim /etc/hosts and add the following content:

2. The Puppet server (Master) determines by classification which client is making the request and what it has to do. This decision is defined by the Node.pp configuration files included from site.pp.

10.1.4.218 puppet.zhang.com puppet

3. The Puppet server (Master) compiles the required Class information, stores it in the Catalog and sends it to the Puppet client (Agent); this completes the first interaction.

10.1.4.213 node1.zhang.com node1

4. The Puppet client (Agent) validates the code in the Catalog (syntax and error checking) and executes it. The main part is code validation; the information and results of the execution process are written to the log.

10.1.4.214 node2.zhang.com node2

5. The Puppet client (Agent) finally reaches the state defined at the beginning and sends the results and other execution data to the Puppet server (Master) through the open API.

Add entries according to your actual situation; here I have one master and two agents.

The above is the working principle of puppet. What needs attention is this: because the whole process runs on top of SSL, the key point is to make sure the agent and master can communicate over SSL!

  1. Configuring the Agent

Configuring the Agent mainly means modifying the [agent] section of the /etc/puppet/puppet.conf file on the agent.

Hardware

On the agent, run vim /etc/puppet/puppet.conf and add the following configuration

The Puppet agent service has no particular hardware requirements and can run on nearly anything.

server = puppet.zhang.com        # address of the master server

However, the Puppet master service is fairly resource intensive, and should be installed on a robust dedicated server.

runinterval = 3600                       # how often to update automatically, in seconds

  • At a minimum, your Puppet master server should have two processor cores and at least 1 GB of RAM.
  • To comfortably serve at least 1,000 nodes, it should have 2-4 processor cores and at least 4 GB of RAM.

listen = true                         # the client listens as a service, allowing other machines to trigger a puppet run, i.e. the node's puppet configuration can be triggered remotely

The demands on the Puppet master vary widely between deployments. The total needs are affected by the number of agents being served, how frequently those agents check in, how many resources are being managed on each agent, and the complexity of the manifests and modules in use.


4. Starting and stopping puppet

  1. Starting and stopping the Master

Puppet consists of:

Starting the Master

  • A puppet-agent "All-in-One" package that installs Puppet, Ruby, Facter, Hiera, and supporting code.
  • A puppetserver package that installs Puppet Server.
  • A puppetdb package that installs PuppetDB.

/etc/rc.d/init.d/puppetmaster start

To install these, read the pre-install instructions, then see the Puppet installation guides for Linux, Windows, and macOS.

You can also start it with service puppetmaster start

For the first start it is recommended to run puppet master --verbose --no-daemonize, which helps with testing and debugging. With this method you can watch the whole startup process: startup does some initialization work, creating the local certificate authority, the certificate and the key for the master, and then opens a socket to wait for client connections. You can see the related files and directories under /etc/puppet/ssl.

Puppet 5 Platform contents

Stopping the Master

Puppet 5 Platform contains the following components:

/etc/rc.d/init.d/puppetmaster stop

Package           Contents
puppet-agent      Puppet, Facter, Hiera, MCollective, pxp-agent, root certificates, and prerequisites like Ruby and Augeas
puppetserver      Puppet Server; depends on puppet-agent 5 or greater
puppetdb          PuppetDB
puppetdb-termini  Plugins to let Puppet Server talk to PuppetDB

You can also stop it with service puppetmaster stop

For more options run /etc/rc.d/init.d/puppetmaster -h

What puppet-agent and Puppet Server are

  1. Starting and stopping the Agent

We distribute Puppet as two core packages.

Starting the Agent

  • puppet-agent — This package contains Puppet's main code and all of the dependencies needed to run it, including Facter, Hiera, and bundled versions of Ruby and OpenSSL. It also includes MCollective. Once it's installed, you have everything you need to run the Puppet agent service and the puppet apply command.

  • puppetserver — This package depends on puppet-agent, and adds the JVM-based Puppet Server application. Once it's installed, Puppet Server can serve catalogs to nodes running the Puppet agent service.

/etc/rc.d/init.d/puppet start

You can also start it with service puppet start

When debugging you can use

Settings for agents (all nodes)

puppet agent --server=puppet.zhang.com --no-daemonize --verbose

Roughly in order of importance. Most of these can go in either [main] or [agent], or be specified on the command line.

to start it; started this way, we can see how the agent establishes its connection to the master.

Basics

Stopping the Agent

  • server — The Puppet master server to request configurations from. Defaults to puppet; change it if that's not your server's name.

    • ca_server and report_server — If you're using multiple masters, you'll need to centralize the CA; one of the ways to do this is by configuring ca_server on all agents. See the multiple masters guide for more details. The report_server setting works about the same way, although whether you need to use it depends on how you're processing reports.
  • certname — The node's certificate name, and the unique identifier it uses when requesting catalogs; defaults to the fully qualified domain name.

    • For best compatibility, you should limit the value of certname to only use letters, numbers, periods, underscores, and dashes. (That is, it should match /\A[a-z0-9._-]+\Z/.)
    • The special value ca is reserved, and can't be used as the certname for a normal node.
  • environment — The environment to request when contacting the Puppet master. It's only a request, though; the master's ENC can override this if it chooses. Defaults to production.

    Note on Non-Certname Node Names

    Although it's possible to set something other than the certname as the node name (using either the node_name_fact or node_name_value setting), we don't generally recommend it. It allows you to re-use one node certificate for many nodes, but it reduces security, makes it harder to reliably identify nodes, and can interfere with other features.

    Setting a non-certname node name is not officially supported in Puppet Enterprise.

/etc/rc.d/init.d/puppet stop

You can also stop it with service puppet stop.

2. Environment preparation

5. FAQ

CentOS7.3.1611

1. When connecting to the master, the following error appears:

NTP/chronyd

dnsdomainname: Unknown host

DNS

Solution: check the machine's hostname setting and whether it has been added to hosts.

Sudo users

2. When connecting to the master, the following error appears:

SELinux/Firewalld

err: Could not request certificate: getaddrinfo: Name or service not known

Solution: the server side has no hosts domain binding configured; add it to hosts.

/etc/hosts

3. When connecting to the master, the following error appears:

puppet master: puppet-master.gw.local

warning: peer certificate won't be verified in this SSL session

puppet client: lux-vm32.gw.local

Solution: the server side has not yet signed and returned the certificate; check with puppet cert --list

4. When connecting to the master, the following error appears:

3. Software installation

err: Could not retrieve catalog from remote server: certificate verify failed

  1. Software download

Solution: the clocks on the client and server are not synchronized; the SSL connection depends on the time on the host being correct. Run the command to update the time: /sbin/ntpdate asia.pool.ntp.org

rpm repo

rpm -Uvh

rpm package

puppetserver

wget

puppet-agent

wget

2. Installation

puppet master

yum -y install puppetserver (this also installs puppet-agent)

puppet agent

yum -y install puppet-agent

3. Configuration

Config files

  • puppet.conf — Puppet's main config file. (Any node.)
  • auth.conf — access control rules for the Puppet master's network services. (Master only.)
  • autosign.conf — a list of pre-approved certificate requests. (CA master only.)
  • csr_attributes.yaml — optional data to be inserted into new certificate requests. (Any node.)
  • device.conf — configuration for network devices managed by the puppet device command. (Any node acting as an intermediary to configure network devices.)
  • fileserver.conf — configuration for additional fileserver mount points. (Master only.)
  • hiera.yaml — global configuration for the Hiera data lookup system. Note that environments and modules can have their own hiera.yaml files. (Master, or standalone nodes running Puppet apply.)
  • routes.yaml — advanced configuration of indirector behavior. (Master only.)

Location

The puppet.conf file is always located at $confdir/puppet.conf.

Although its location is configurable with the config setting, it can only be set on the command line (e.g. puppet agent -t --config ./temporary_config.conf).

The location of the confdir depends on your OS. See the confdir documentation for details.

Examples

Example agent config

[main]
certname = agent01.example.com
server = puppet
environment = production
runinterval = 1h

splay = true

Example master config

[main]
certname = puppetmaster01.example.com
server = puppet
environment = production
runinterval = 1h

strict_variables = true

[master]
dns_alt_names = puppetmaster01,puppetmaster01.example.com,puppet,puppet.example.com
reports = puppetdb
storeconfigs_backend = puppetdb
storeconfigs = true
environment_timeout = unlimited

Puppet uses four config sections:

  • main is the global section used by all commands and services. It can be overridden by the other sections.
  • master is used by the Puppet master service and the Puppet cert command.
  • agent is used by the Puppet agent service.
  • user is used by the Puppet apply command, as well as many of the less common Puppet subcommands.

Puppet prefers to use settings from one of the three application-specific sections (master, agent, or user). If it doesn't find a setting in the application section, it will use the value from main. (If main doesn't set one, it will fall back to the default value.)
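The section precedence just described (application section, then main, then the built-in default) is easy to get wrong when reading a real puppet.conf by eye. The following Ruby example is added here and is not part of the original page or of Puppet itself: it parses the example master config above and resolves a setting the way the text describes. The DEFAULTS table is a small assumed subset of Puppet's built-in defaults, included only so the fallback step can be shown.

```ruby
# Constructed input: the example master config from the text above.
MASTER_CONF = <<~CONF
  [main]
  certname = puppetmaster01.example.com
  server = puppet
  environment = production
  runinterval = 1h

  strict_variables = true

  [master]
  dns_alt_names = puppetmaster01,puppetmaster01.example.com,puppet,puppet.example.com
  reports = puppetdb
  storeconfigs_backend = puppetdb
  storeconfigs = true
  environment_timeout = unlimited
CONF

# Assumed subset of Puppet's built-in defaults, used as the last fallback.
DEFAULTS = { 'server' => 'puppet', 'environment' => 'production',
             'runinterval' => '30m', 'reports' => 'store' }.freeze

# Parse the INI-style file into { section => { key => value } }.
# Blank lines and "#" comments are ignored; keys before any [section] are dropped.
def parse_puppet_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
    elsif current && (m = line.match(/\A([\w.]+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2].strip
    end
  end
  sections
end

# Resolve a setting for one application (master, agent or user):
# the application's own section wins, then [main], then the built-in default.
def resolve_setting(sections, app, key)
  return sections[app][key] if sections.key?(app) && sections[app].key?(key)
  return sections['main'][key] if sections.key?('main') && sections['main'].key?(key)
  DEFAULTS[key]
end

if __FILE__ == $0
  conf = parse_puppet_conf(MASTER_CONF)
  %w[master agent].each { |app| puts "#{app}: reports = #{resolve_setting(conf, app, 'reports')}" }
end
```

Running it shows that the master sends reports to puppetdb while an agent reading the same file would fall back to the store default, because [master] does not apply to it.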

puppet master

[Image 5]

puppet client

[Image 6]

/etc/puppetlabs/puppet/puppet.conf

[Image 7]

Q: Problem encountered

Reason: the puppet master does not have enough memory; by default the JVM requires 2G

A: Change the Java VM memory setting

/etc/sysconfig/puppetserver

  1. Update the line:
    # Modify this if you'd like to change the memory allocation, enable JMX, etc
    JAVA_ARGS="-Xms2g -Xmx2g"
    Replace 2g with the amount of memory you want to allocate to Puppet Server. For example, to allocate 1GB of memory, use JAVA_ARGS="-Xms1g -Xmx1g"; for 512MB, use JAVA_ARGS="-Xms512m -Xmx512m".
    For more information about the recommended settings for the JVM, see Oracle's docs on JVM tuning.

  2. Restart the puppetserver service after making any changes to this file.

[Image 8]

# List certificates

puppet cert list --all

The certificate list contains a request from cs_agnet1 which is currently unsigned (no + at the front). Sign the certificate

# Generate a certificate

puppet cert generate <client DNS name>

# Sign a certificate

puppet cert sign lux-vm32.gw.local

[Image 9]

# Start the puppet agent

puppet agent --test

[Image 10]

puppet agent --test --debug

[Image 11]

puppet master

puppet module search <search_string>

puppet module search apaches

puppet module install <module name>


# puppet master --genconfig  # lists every configuration option of the master; we can redirect it with > into a file to look at the other parameters and their descriptions. In practice we do not need such an exhaustive configuration file: only a small part is used, and most options keep their defaults.
