puppet自动化部署

主机环境：
server(master)端：172.25.7.1（server1.example.com）
client(agent)端：172.25.7.2 172.25.7.3
实验前提：server端和client端互相有主机名解析（当主机数很多时可以在dns服务器上完成主机名解析），时间一致
注意在做实验时不要打开client端的puppet服务！
（一）装包
server端：puppet-server-3.8.1-1.el6.noarch.rpm
依赖性：puppet-3.8.1-1.el6.noarch.rpm facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm ruby-augeas-0.4.1-3.el6.x86_64.rpm rubygems-1.3.7-5.el6.noarch.rpm
客户端：puppet-3.8.1-1.el6.noarch.rpm
依赖性：facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm ruby-augeas-0.4.1-3.el6.x86_64.rpm rubygems-1.3.7-5.el6.noarch.rpm
联网时，把以下条目加入yum仓库：

[puppet]
name=puppet
baseurl=http://yum.puppetlabs.com/el/6Server/products/x86_64/
gpgcheck=0
[ruby]
name=ruby
baseurl=http://yum.puppetlabs.com/el/6Server/dependencies/x86_64/
gpgcheck=0

（二）启动服务
server端：
/etc/init.d/puppetmaster start
侦听TCP/8140端口
lient端：
不能启动puppet服务，否则会将进程打到后台，看不到报错，所以在实验时不要打开puppet服务，用以下两条任一条命令测试：
puppet agent --server server1.example.com --test
测试，让客户端连接到puppet master，client向master发出证书验证请求，然后等待master签名并返回证书。参数--server 指定了需要连接的 puppet master 的名字或是地址,默认连接名为“puppet”的主机如要修改默认连接主机可以修改/etc/sysconfig/puppet 文件中的PUPPET_SERVER=puppet 选项参数--no-daemonize 是 puppet 客户端运行在前台参数--verbose 使客户端输出详细的日志
puppet agent --server server1.example.com --no-deamonize --verbose
手工签名

 puppet cert list  ##显示所有等待签名的证书
# puppet cert list --all
# puppet cert sign server2.example.com  ##给server2签名证书
如要同时签名所有证书,执行以下命令:
# puppet cert sign --all

自动签名

vim /etc/puppet/puppet.conf
  1 [main]
  2         autosign = true  ##打开自动签名功能
 vim /etc/puppet/autosign.conf  ##此文件自行创建
  1 *.example.com
/etc/init.d/puppetmaster reload

（三）puppet资源定义

/etc/pupppet配置目录结构：
├── auth.conf
├── autosign.conf
├── environments
│   └── example_env
│       ├── manifests
│       ├── modules
│       └── README.environment
├── files
│   └── vsftpd.conf
├── fileserver.conf
├── manifests   #节点的存储目录（puppet会首先加载site.pp）文件
│   ├── nodes
│   │   ├── server4.pp
│   │   └── server5.pp
│   └── site.pp
├── modules #模块的配置目录
│   
│   └── nginx
│       ├── files
│       │   ├── nginx-1.6.2.tar.gz
│       │   ├── nginx.conf
│       │   └── nginx-install.sh
│       └── manifests #模块的主配置文件，定义类的相关信息
│           ├── config.pp
│           ├── init.pp  
│           ├── install.pp
│           ├── nginx.install
│           └── service.pp
└── puppet.conf puppet的主配置文件

puppet的第一个执行的代码是在/etc/pupppet/manifest/site.pp，因策这个文件必须存在，且其他的代码也要通过该文件来调用
以下资源均定义在/etc/puppet/manifests/site.pp文件中，在没有指定节点的情况下，对所有已经验证的client都生效

创建目录/文件

在client端创建文件且输入内容

server端：

vim /etc/puppet/manifests/site.pp 
  1 file {
  2         "/tmp/testfile":
  3         cOntent=> "hahahaha"  ##默认就是创建文件
  4 }

向client端创建目录

server端：

vim /etc/puppet/manifests/site.pp 
  1 file {
  2         "/mnt/haha":
  3         ensure => "directory"  ##创建目录
  4 }

不同节点布置资源

vim /etc/puppet/manifests/site.pp
  1 import "nodes/*.pp"

mkdir /etc/puppet/manifests/nodes
vim /etc/puppet/manifests/nodes/server3.pp
  1 node 'server3.example.com' {
  2         file {
  3                 "/tmp/lala":
  4                 cOntent=> "lalala~~~~\n"
  5         }
  6 }

client端：

编写模块（以httpd服务为例）

mkdir -p /etc/puppet/modules/httpd/{files,manifests,templates}
httpd的部署包括下载软件包，配置，开启服务

vim /etc/puppet/modules/httpd/manifests/init.pp  ##加载httpd模块读取的文件
  1 class httpd {
  2         include httpd::install,httpd::config,httpd::service
  3 }

vim /etc/puppet/modules/httpd/manifests/install.pp
  1 class httpd::install {
  2         package {
  3                 "httpd":
  4                 ensure => present
  5         }
  6 {

 vim /etc/puppet/modules/httpd/manifests/config.pp 
  1 class httpd::config {
  2         file {
  3                 "/etc/httpd/conf/httpd.conf":
  4                 source => "puppet:///modules/httpd/httpd.conf", 
                    require => Class["httpd::install"],
  6                 notify => Class["httpd::service"]
  7         }
  8 }

etc/puppet/modules/httpd/files/httpd.conf文件要在本机存在

vim /etc/puppet/modules/httpd/manifests/service.pp
  1 class httpd::service {
  2         service {
  3                 "httpd":
  4                 ensure => running
  5         }
  6 }

让server3执行此模块：

vim /etc/puppet/manifests/nodes/server3.pp 
  1 node 'server3.example.com' {
  2         include httpd
  3 }

client端：

模版应用

添加虚拟主机配置：文件存放在templates目录中，以*.erb结尾

vim /etc/puppet/modules/httpd/templates/vhost.erb
  1 
  2 ServerName <%= domainname %>
  3 DocumentRoot /var/www/<%= domainname %>
  4 ErrorLog logs/<%= domainname %>_error.log
  5 CustomLog logs/<%= domainname %>_access.log common
  6 

注意上传的配置文件：

vim /etc/puppet/modules/httpd/files/httpd.conf
  Listen 80
 NameVirtualHost *:80  ##使用虚拟主机所要打开的参数

vim /etc/puppet/modules/httpd/manifests/init.pp
  1 class httpd {
  2         include httpd::install,httpd::config,httpd::service
  3 }
  4 define httpd::vhost($domainname) {
  5         file {
  6                 "/etc/httpd/conf.d/${domainname}_vhost.conf":
  7                 cOntent=> template("httpd/vhost.erb"),
  8                 require => Class["httpd::install"],
  9                 notify => Class["httpd::service"]
 10         }
 11         file {
 12                 "/var/www/$domainname":
 13                 ensure => directory
 14         }
 15         file {
 16                 "/var/www/$domainname/index.html":
 17                 cOntent=> $domainname
 18         }
 19 }

将模块添加到server3节点上：

vim /etc/puppet/manifests/nodes/server3.pp 
  1 node 'server3.example.com' {
  2         include httpd
  3         httpd::vhost {
  4                 'server3.example.com':
  5                 domainname => "server3.example.com"
  6         }
  7         httpd::vhost {
  8                 'www.example.com':
  9                 domainname => "www.example.com"
 10         }
 11 }

client端（server3上）：
puppet agent --server server1.example.com --test
验证一下

puppet dashboard安装（以web方式管理puppet）

在server端：
安装包：puppet-dashboard-1.2.23-1.el6.noarch.rpm
依赖性：ruby-mysql-2.8.2-1.el6.x86_64.rpm rubygem-rake-0.8.7-2.1.el6.noarch.rpm

json (1.5.5)
rake (0.8.7)
gem install passenger-5.0.15.gem rack-1.6.4.gem
 vim /usr/share/puppet-dashboard/config/add.sql
  1 CREATE DATABASE dashboard_production CHARACTER SET utf8;
  2 CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'dashboard';
  3 GRANT ALL PRIVILEGES ON dashboard_production.* TO 'dashboard'@'localhost';
 yum install -y mysql-server
/etc/init.d/mysqld start
mysql_secure_installation
mysql -predhat 

 vim /usr/share/puppet-dashboard/config/settings.yml
 65 time_zone: 'Beijing'
rake RAILS_ENV=production db:migrate  ##建立dashboard所需的数据库和表
chmod 666 /usr/share/puppet-dashboard/log/production.log
 /etc/init.d/puppet-dashboard start
 /etc/init.d/puppet-dashboard-workers start
vim /etc/puppet/puppet.conf 
  1 [main]
  2         autosign = true
  3         reports = http
  4         reporturl = http://172.25.7.1:3000/reports
 /etc/init.d/puppetmaster reload

vi /etc/sysconfig/puppet
PUPPET_SERVER=puppet.example.com puppet master 的地址
PUPPET_PORT=8140
puppet 监听端口
PUPPET_LOG=/var/log/puppet/puppet.log puppet 本地日志
PUPPET_EXTRA_OPTS=--waitforcert=500 【默认同步的时间,我这里不修改这行参数】

/etc/puppet/puppet.conf
[agent]
runinterval = 60
代表 60 秒跟服务器同步一次

 vim /etc/sysconfig/puppet
  2 PUPPET_SERVER=server1.example.com
  5 PUPPET_PORT=8140
  8 PUPPET_LOG=/var/log/puppet/puppet.log
vim /etc/puppet/puppet.conf
 14 [agent]
 15         report = true
 16         runinterval = 300  ##设置更新时间为300s；server3上可以将更新时间与server2叉开如 runinterval = 600，降低master的访问压力
/etc/init.d/puppet start  ##做好一切配置后启动puppet服务

> get nginx-1.8.0.tar.gz
 tar zxf nginx-1.8.0.tar.gz
 passenger-config --root
/usr/lib/ruby/gems/1.8/gems/passenger-5.0.15
解决依赖性：
 yum install -y gcc gcc-c++ curl-devel openssl-devel zlib-devel ruby-devel pcre-devel
 passenger-install-nginx-module

vim /opt/nginx/conf/nginx.conf
  1 #user  nobody;
  2 worker_processes  1;
  3 
  4 #error_log  logs/error.log;
  5 #error_log  logs/error.log  notice;
  6 #error_log  logs/error.log  info;
  7 
  8 #pid        logs/nginx.pid;
  9 
 10 
 11 events {
 12         use epoll;
 13     worker_connections  1024;
 14 }   
 15 
 16 
 17 http {
 18     passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-5.0.15;
 19     passenger_ruby /usr/bin/ruby;
 20     
 21     include       mime.types;
 22     default_type  application/octet-stream;
 23     
 24     #log_format  main  '$remote_addr - $remote_user [$time_local] "$request"     '
 25     #                  '$status $body_bytes_sent "$http_referer" '
 26     #                  '"$http_user_agent" "$http_x_forwarded_for"';
 27 
 28     #access_log  logs/access.log  main;
 29 
 30     sendfile        on;
 31     #tcp_nopush     on;
 32 
 33     #keepalive_timeout  0;
 34     keepalive_timeout  65;
 35 
 36     #gzip  on;
 37 server {
 38         listen 8140;
 39         server_name server1.example.com;
 40 
 41         root    /etc/puppet/rack/public;
 42 
 43         passenger_enabled on;
 44         passenger_set_header X_CLIENT_DN $ssl_client_s_dn;
 45         passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;
 46         ssl on;
 47         ssl_session_timeout 5m;
 48         ssl_certificate /var/lib/puppet/ssl/certs/server1.example.com.pem;
 49         ssl_certificate_key /var/lib/puppet/ssl/private_keys/server1.example    .com.pem;
 50         ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
 51         ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
 52         ssl_verify_client optional;
 53         ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
 54         ssl_prefer_server_ciphers on;
 55         ssl_verify_depth 1;
 56         ssl_session_cache shared:SSL:128m;
 57 }
 58 }

# /opt/nginx/sbin/nginx -t
# /opt/nginx/sbin/nginx 
# mkdir /etc/puppet/rack/{public,tmp} -p
# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/# chown puppet.puppet /etc/puppet/rack/config.ru
# chkconfig puppetmaster off
# service puppetmaster stop
# /opt/nginx/sbin/nginx -t
# /opt/nginx/sbin/nginx
#检测 nginx
puppetmaster 不需要启动 , nginx 启动时会自动调用 puppet。