Puppet Basics
===============================================================================
Overview:
===============================================================================
1. Introduction to operations tools
★OS provisioning:
bare metal: pxe, cobbler
virtual machine: image file template
★Configuration:
ansible (agentless)
puppet (master/agent) (ruby)
saltstack (python)
★Command and control:
ansible (playbook)
fabric (fab)
func
...
Figure:
diagram of the layers of operations tooling
1. What puppet is
Puppet is an IT infrastructure automation tool. It helps system administrators manage the whole lifecycle of their infrastructure: provisioning, configuration, orchestration and reporting.
With puppet you can automate repetitive tasks, deploy critical applications quickly, actively manage change and scale out the architecture rapidly, on premises or in the cloud.
Licensed under the GPL before 2.7.0 and developed in Ruby; from 2.7.0 onward it uses the Apache 2.0 license.
It is abstract from the system administrator's point of view and depends only on ruby and facter.
It can manage more than 40 kinds of resources, e.g. file, user, group, host, package, service, cron, exec, yum repo and so on, which makes it suitable for managing the whole software lifecycle.
1. Puppet's working model and how it works
★Puppet performs IT automation using a declarative, model-based approach:
Define: describe the base configuration in Puppet's own language. These definitions are normally kept in modules.
Simulate: check the code before the configuration is applied, without actually applying it.
Enforce: the defined configuration is deployed automatically; whatever changes is detected and recorded.
Report: the expected changes, the changes actually made, and any modifications are sent to the reporting system.
Figure:
diagram of puppet's working data flow:
★Data flow:
First, every node sends its facts and local host information to the master.
The master decides how the node should be configured, writes that into a catalog and sends it to the node.
The node parses and validates the catalog locally, applies it, and sends the result back to the master.
The master passes the data to analysis tools through its API; reporting can go entirely through the open API or be integrated with other systems.
The whole data flow runs over SSL, as shown in the figure below:
★How manifests are processed:
Puppet compiles the content of the manifest (i.e. the template content) and stores the compiled code in a catalog. Before applying it, the code is validated; it is then applied to reach the state defined at the start. The compilation process is shown in the figure:
★Detailed agent/master interaction during an automated puppet deployment:
★Steps:
1. The puppet client (agent) sends its node name and facts to the master.
2. The puppet server (master) classifies the request to decide which client it is and what it should do. That decision is defined by the node.pp configuration included from site.pp.
3. The master compiles the required class information into a catalog and sends it to the agent; this completes the first exchange.
4. The agent validates the catalog (syntax and error checking) and applies it. The main work is validation; information about the run and its results is written to the log.
5. The agent finally reaches the state defined at the start and sends the result and any run data back to the master through the open API.
That is how puppet works. Note: because the whole process is built on SSL, the first prerequisite is that the agent and master can communicate over SSL.
★Puppet's working models:
Standalone: manifests are applied by hand;
master/agent: the agent periodically requests its catalog from the master and applies it locally automatically;
That covers puppet's working model and how it works; most of the learning effort goes into writing the site's manifests. I will therefore start with the standalone model and then extend it to the master/agent model.
1. Installing puppet
★Official puppet download location:
https://yum.puppetlabs.com/el/7/products/x86_64/
2. The puppet program environment in standalone mode
★Configuration files: /etc/puppet/
puppet.conf
★Main program: /usr/bin/puppet
★The puppet program:
Demo:
1. These are the puppet rpm packages downloaded from the official location above. Installing them directly with yum resolves the ruby dependencies automatically:
[root@centos7 puppet]# ls
facter-2.4.6-1.el7.x86_64.rpm  puppet-3.8.7-1.el7.noarch.rpm  puppet-server-3.8.7-1.el7.noarch.rpm
[root@centos7 puppet]# yum install ./puppet-3.8.7-1.el7.noarch.rpm ./facter-2.4.6-1.el7.x86_64.rpm
Dependencies Resolved
# the dependent packages are:
=======================================================================================
 Package            Arch     Version          Repository                         Size
=======================================================================================
Installing:
 facter             x86_64   1:2.4.6-1.el7    /facter-2.4.6-1.el7.x86_64        273 k
 puppet             noarch   3.8.7-1.el7      /puppet-3.8.7-1.el7.noarch        6.3 M
Installing for dependencies:
 hiera              noarch   1:1.3.4-5.el7    epel                               25 k
 libselinux-ruby    x86_64   2.2.2-6.el7      CDROM                             127 k
 ruby-augeas        x86_64   0.5.0-1.el7      epel                               23 k
 ruby-shadow        x86_64   1.4.1-23.el7     epel                               14 k

Transaction Summary
=======================================================================================
Install  2 Packages (+4 Dependent packages)
2. puppet subcommands
[root@centos7 ~]# puppet help
Usage: puppet <subcommand> [options] <action> [options]
Available subcommands:
  agent                        The puppet agent daemon
  apply                        Apply Puppet manifests locally   # apply a resource manifest on the local host
  ca                           Local Puppet Certificate Authority management.
  catalog                      Compile, save, view, and convert catalogs.
  cert                         Manage certificates and requests
  certificate                  Provide access to the CA for certificate management.
  certificate_request          Manage certificate requests.
  certificate_revocation_list  Manage the list of revoked certificates.
  config                       Interact with Puppet's settings.
  describe                     Display help about resource types
  device                       Manage remote network devices
  doc                          Generate Puppet documentation and references
  facts                        Retrieve and store facts.
  file                         Retrieve and store files in a filebucket
  filebucket                   Store and retrieve files in a filebucket
  help                         Display Puppet help.
  inspect                      Send an inspection report
  instrumentation_data         Manage instrumentation listener accumulated data. DEPRECATED.
  instrumentation_listener     Manage instrumentation listeners. DEPRECATED.
  instrumentation_probe        Manage instrumentation probes. Deprecated
  key                          Create, save, and remove certificate keys.
  kick                         Remotely control puppet agent
  man                          Display Puppet manual pages.
  master                       The puppet master daemon
  module                       Creates, installs and searches for modules on the Puppet Forge.
  node                         View and manage node definitions.
  parser                       Interact directly with the parser.
  plugin                       Interact with the Puppet plugin system.
  queue                        Deprecated queuing daemon for asynchronous storeconfigs
  report                       Create, display, and submit reports.
  resource                     The resource abstraction layer shell
  resource_type                View classes, defined resource types, and nodes from all manifests.
  secret_agent                 Mimics puppet agent.
  status                       View puppet server status.
See 'puppet help <subcommand> <action>' for help on a specific subcommand action.
See 'puppet help <subcommand>' for help on a specific subcommand.
Puppet v3.8.7
3. puppet apply:
★Purpose:
Applies a standalone Puppet manifest to the local system. (apply the configuration in a resource manifest to the local host by hand)
★Syntax:
puppet apply [-d|--debug] [-v|--verbose] [-e|--execute] [--noop] <file>
If you regard all of an OS's configuration, such as user accounts, particular files, the directories those files belong to, running services, packages and cron jobs, as a collection of many independent atomic units, then those "units" are "resources". These resources may differ widely in size, complexity, lifecycle span and other dimensions.
Generally, resources of the same kind have similar attributes: every file has an owner and a group, while a user account consists of a user name, UID, GID and so on. But even the same kind of resource may be implemented quite differently on different OSes; for example, starting and stopping a service on Windows differs greatly from doing so on Linux.
★Puppet therefore abstracts resources along three dimensions (how does the RAL abstract resources?):
Similar resources are abstracted into a single resource "type", such as package, user and service resources;
The description of a resource's attributes or state is separated from how it is implemented: you only state that a package is to be installed, without caring whether that happens through yum, pkgadd, ports or some other means;
Only the target state of the resource is described, i.e. the desired result, not the concrete procedure: "make sure nginx is running" rather than "run the nginx command to start it";
※These three together are called puppet's Resource Abstraction Layer (RAL). The RAL consists of types and providers (the OS-specific implementations).
1. Puppet resource structure
When defining a resource for puppet, you specify the type it belongs to and its title, and configure a set of attributes with their corresponding values. Puppet describes and manages resources in its own language, as in the resource definition shown below.
This syntax is called a "resource declaration" and is the core component of the puppet language. The definition above only describes the target state of the resource; it says nothing about the steps needed to reach that state. The core of a resource definition can be abstracted into four parts: type, title, attribute and value.
Puppet has many built-in resource types, and plugins can add more. Details are on the official type reference page (http://docs.puppetlabs.com/references/latest/type.html). You can also use the "puppet describe" command to list the types puppet currently supports and the details of each; a brief usage guide follows.
★puppet describe:
☉Purpose:
Prints help about Puppet resource types, providers, and metaparameters.
☉Syntax:
puppet describe [-h|--help] [-s|--short] [-p|--providers] [-l|--list] [-m|--meta] [type]
☉Common options:
puppet describe -l: list all resource types, i.e. every type puppet supports with its description;
puppet describe -s <TYPE>: show brief help for the given type;
puppet describe <TYPE>: show the full description of the given type;
puppet describe -m: show the metaparameters of the given type, usually used together with -s;
2. Puppet resource definitions:
As stated above, resources are the basic units puppet uses to model system configuration; each resource describes the system from some angle, such as that a package must be installed or a user must be removed. In puppet, the code that does this is the "resource declaration".
★Defining a resource:
Done by assigning values to the attributes of a resource type, which can be called instantiating the resource type;
The file that defines resource instances is a manifest;
★Resource definition syntax:
The resource type must be written in lowercase; the resource title is just a string, but it must be unique within a type. That means there can be both a "service" resource and a "package" resource named nginx, but only one resource named "nginx" within the "package" type.
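The following manifest is an added example, not from the original post, putting the RAL description and the syntax rules above into one declaration: lowercase type, a title that is unique per type but reusable across types, and attributes that state only the target state. The names webapp, 3001 and /sbin/nologin are made-up sample values.

```puppet
# Added example (not from the original post). Anatomy of a resource declaration:
#
#   type { 'title':          # type in lowercase; title unique within the type
#     attribute => value,    # target state only, no steps
#   }
#
# Two resources may share a title as long as their types differ:
group { 'webapp':                 # type = group, title = 'webapp' (sample name)
  ensure => present,
  gid    => 3001,                 # sample GID
  system => true,
}

user { 'webapp':                  # type = user, same title, different type
  ensure     => present,
  uid        => 3001,             # sample UID
  gid        => 'webapp',         # primary group, referenced by name
  shell      => '/sbin/nologin',  # service account: no interactive login
  managehome => false,
  system     => true,
  require    => Group['webapp'],  # reference to another resource: Type['title']
}

# A second group { 'webapp': } in the same catalog would fail compilation as a
# duplicate declaration. To remove the account later, the same titles are
# declared with ensure => absent: the opposite target state, not a delete step.
```

Run it with puppet apply --noop first to see which resources would change, exactly as in the demos below.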
1. group:
Purpose:
Manage groups.
Attributes:
name: group name;
gid: GID;
system: whether it is a system group;
ensure: target state, present/absent;
members: member users;
Demo:
[root@centos7 ~]# mkdir mainfests
[root@centos7 ~]# cd mainfests/
[root@centos7 mainfests]# ls
# define a group resource
[root@centos7 mainfests]# vim group.pp
group {'mygrp':
  name   => 'mygrp',
  ensure => present,
  gid    => 3000,
  system => false,
}
# dry run
[root@centos7 mainfests]# puppet apply --verbose --noop group.pp
Notice: Compiled catalog for centos7 in environment production in 0.32 seconds
Info: Applying configuration version '1484056729'
Notice: /Stage[main]/Main/Group[mygrp]/ensure: current_value absent, should be present (noop)   # reports: currently absent, should be present (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.06 seconds
[root@centos7 mainfests]# puppet apply --verbose group.pp   # apply for real
Notice: Compiled catalog for centos7 in environment production in 0.28 seconds
Info: Applying configuration version '1484057172'
Notice: /Stage[main]/Main/Group[mygrp]/ensure: created   # created
Notice: Finished catalog run in 0.13 seconds
[root@centos7 mainfests]# tail /etc/group
tcpdump:x:72:
memcached:x:985:
dhcpd:x:177:
zabbix:x:984:
varnish:x:983:
haproxy:x:188:
haclient:x:189:
tomcat:x:982:
puppet:x:52:
mygrp:x:3000:   # the group that was created
2. user:
Purpose:
Manage users.
Attributes:
name: user name;
uid: UID;
gid: primary group ID;
groups: supplementary groups, must not include the primary group;
comment: comment;
expiry: expiry date;
home: home directory;
shell: default shell;
system: whether it is a system user;
ensure: present/absent;
password: the encrypted password hash;
Demo:
[root@centos7 mainfests]# vim user.pp
group {'mygrp':
  name   => 'mygrp',
  ensure => present,
  gid    => 3000,
  system => false,
}
user {'centos':
  name   => 'centos',
  ensure => present,
  uid    => 4000,
  groups => 'mygrp',
}
[root@centos7 mainfests]# puppet apply --verbose --noop user.pp
Notice: Compiled catalog for centos7 in environment production in 0.51 seconds
Info: Applying configuration version '1484059044'
Notice: /Stage[main]/Main/Group[mygrp]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Main/User[centos]/ensure: current_value absent, should be present (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 2 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.08 seconds
[root@centos7 mainfests]# puppet apply --verbose user.pp
Notice: Compiled catalog for centos7 in environment production in 0.51 seconds
Info: Applying configuration version '1484059058'
Notice: /Stage[main]/Main/Group[mygrp]/ensure: created
Notice: /Stage[main]/Main/User[centos]/ensure: created
Notice: Finished catalog run in 0.32 seconds
3. package:
Purpose:
Manage packages.
Attributes:
ensure: installed, present, latest, absent
name: package name;
source: where the package comes from; only useful for providers that do not download packages themselves, such as rpm or dpkg;
Demo:
[root@centos7 mainfests]# vim package.pp
package {'nginx':
  ensure => installed,
  name   => 'nginx',
}
# no provider specified, so puppet searches for a usable provider automatically; on this host only yum is available
[root@centos7 mainfests]# puppet apply --verbose --noop package.pp
Notice: Compiled catalog for centos7 in environment production in 0.71 seconds
Info: Applying configuration version '1484060692'
Notice: /Stage[main]/Main/Package[nginx]/ensure: current_value absent, should be present (noop)
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.40 seconds
# source can also be used to specify where the package comes from
[root@centos7 mainfests]# cat package.pp
package {'nginx':
  ensure   => installed,
  name     => 'nginx',
  provider => 'rpm',
  source   => '/root/nginx/nginx-1.10.0-1.el7.ngx.x86_64.rpm',
}
4. service:
Purpose:
Manage running services.
Attributes:
ensure: Whether a service should be running. Valid values are `stopped` (also called `false`), `running` (also called `true`).
enable: Whether a service should be enabled to start at boot. Valid values are `true`, `false`, `manual`.
name: service name;
path: The search path for finding init scripts. Multiple values should be separated by colons or provided as an array. Search path for the init scripts, default /etc/init.d/;
hasrestart: true, false
hasstatus: true, false
restart: Specify a *restart* command manually. If left unspecified, the service will be stopped and then started. Usually used to define a reload operation;
Demo:
[root@centos7 mainfests]# vim service.pp
package {'nginx':
  ensure   => installed,
  name     => 'nginx',
  provider => 'rpm',
  source   => '/root/nginx/nginx-1.10.0-1.el7.ngx.x86_64.rpm',
}
service {'nginx':
  ensure => running,
  enable => true,
}
# no start command specified; by default systemd or the service init script is used
[root@centos7 mainfests]# puppet apply --verbose --noop service.pp
Notice: Compiled catalog for centos7 in environment production in 1.01 seconds
Info: Applying configuration version '1484062595'
Notice: /Stage[main]/Main/Service[nginx]/ensure: current_value stopped, should be running (noop)
Info: /Stage[main]/Main/Service[nginx]: Unscheduling refresh on Service[nginx]
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Finished catalog run in 0.48 seconds
# the start command can also be specified by hand
[root@centos7 mainfests]# cat service.pp
package {'nginx':
  ensure   => installed,
  name     => 'nginx',
  provider => 'rpm',
  source   => '/root/nginx/nginx-1.10.0-1.el7.ngx.x86_64.rpm',
}
service {'nginx':
  ensure  => running,
  enable  => true,
  start   => '/usr/sbin/nginx',
  restart => '/usr/sbin/nginx -t && /usr/sbin/nginx -s reload',
}
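The manifest below is an added example, not from the original post. It extends the package and service demos with the nginx config file and ties the three resources together so that a changed file triggers the validated reload command rather than a stop/start. The rpm path is the one from the demo above; /root/nginx/nginx.conf is an assumed local copy of the desired configuration.

```puppet
# Added example (not from the original post): package -> config file -> service,
# with explicit relationships so the refresh semantics seen in the --noop output
# ("Unscheduling refresh on Service[nginx]") actually come into play.
package { 'nginx':
  ensure   => installed,
  provider => 'rpm',
  source   => '/root/nginx/nginx-1.10.0-1.el7.ngx.x86_64.rpm',  # path from the demo
}

file { '/etc/nginx/nginx.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',                   # world-readable, writable by root only
  source  => '/root/nginx/nginx.conf', # assumed local copy of the desired config
  require => Package['nginx'],         # install first, or /etc/nginx does not exist yet
}

service { 'nginx':
  ensure     => running,
  enable     => true,
  hasstatus  => true,                  # the init script's status command is usable
  hasrestart => true,                  # use the restart command below, not stop+start
  # '-t' validates the new file first; if it is broken the refresh fails and the
  # previously loaded configuration keeps serving instead of nginx going down.
  restart    => '/usr/sbin/nginx -t && /usr/sbin/nginx -s reload',
  subscribe  => File['/etc/nginx/nginx.conf'],  # refresh whenever the file changes
}
```

Applying this twice shows the point: the first run installs, writes the file and starts nginx; the second run changes nothing, and only an edit to nginx.conf produces a refresh event on Service[nginx].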
This article is from the "逐梦小涛" blog; please keep this attribution: http://1992tao.blog.51cto.com/11606804/1890925
Original: http://1992tao.blog.51cto.com/11606804/1890925