前文我们了解了puppe中模块的使用,回顾请参考https://www.cnblogs.com/qiuhom-1874/p/14086315.html;今天我来了解下puppet的master/agent模型以及站点清单的相关话题;
在说puppet的master/agent模型前,我们要先来回顾下master/agent的工作过程
如上图所示,puppet的master/agent模型的工作过程;首先agent向master发送自己的主机名和facts信息,然后对应的master收到信息后,会根据对应的主机名来查找和agent相关的配置,然后把对应的配置(主要是类和模块中的资源清单内容)编译好,master把编译好的catalog发送给agent;agent收到master发送到catalog后,首先要在本机查找相关资源的状态,如果对应资源的状态和编译好的catalog中的状态一样,则不改变其状态或者跳过;如果对应的资源状态和catalog中的状态不一样,此时agent就会应用catalog,把对应资源强制更改为和catalog中的状态一样;最后agent把应用报告发送给master;此时agent就变成了我们在资源清单中定义的系统状态;这里需要注意一点catalog是一个二进制文件,不能直接查看,这个二进制文件是通过master上定义的模块,或类等资源清单中的内容编译而成;
master和agent的通信
在puppet的master/agent模型中,master和agent通信是以https协议通信;使用https通信就意味着要有证书验证,有证书就会有ca;在puppet的master/agent模型中,它内置了ca,意思就是我们不需要再手动搭建ca;对应master的证书,私钥文件以及ca的证书私钥文件,puppet master都会自动生成;对于agent的私钥和证书签署文件也会由puppet agent自动生成;并且在第一次启动agent时,它默认会把生成的证书签发文件发送给master,等待master签发证书;在master上签发证书,这一步需要人工手动干预;证书签发好以后,master和agent才可以正常通信;默认情况下agent是每30分钟到master上拉取一次相关配置,这也就意味着我们在master端上的资源清单内容最多不超过30分钟就能在对应的agent上得到应用;
站点清单
在上述master/agent模型的工作过程中,agent向master发送主机名和facts,然后对应master把对应主机名的配置进行编译然后发送给对应agent;这里master根据什么来查找对应主机名的对应配置呢?通常情况下如果我们在master端上不定义站点清单,对应的agent就无法获取到对应的配置;也就说站点清单是用来定义哪些agent上,应该跑哪些资源或模块;这个逻辑和我们在使用ansible一样,定义好角色以后,还需要额外的playbook来定义那些主机上应该应用那些角色;对于puppet也是一样,我们定义好模块以后,至于哪些主机应用哪些模块这个是需要我们定义站点清单;
puppet的master/agent模型的搭建
部署master端
配置主机名解析
[root@master ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.16.151 master.test.org master 192.168.16.152 node01.test.org node01 192.168.16.153 node02.test.org node02 [root@master ~]#
提示:除了各服务器之间的主机名解析,我们还需要注意确保各服务器时间同步,关闭selinux,确保iptables是关闭状态;
安装puppet-server包
[root@master ~]# yum install -y puppet-server
提示:在master端安装puppet-server这个包默认会把puppet当作依赖包一并安装;
启动服务
[root@master ~]# systemctl start puppetmaster.service [root@master ~]# ss -tnl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:22 *:* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 *:8140 *:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 100 [::1]:25 [::]:* [root@master ~]#
提示:puppet master默认会监听在tcp的8140端口,用于接收agent来master获取配置;所以请确保master端的8140端口能够正常处于监听状态;
部署agent端
安装puppet
[root@node01 ~]# yum install -y puppet
编辑配置文件,配置puppet server的地址
提示:编辑/etc/puppet/puppet.conf文件,将server=puppetmaster主机的主机名配置上,如上;如果使用主机名的形式,请确保对应agent能够正常解析;
启动服务
[root@node01 ~]# systemctl start puppet [root@node01 ~]# ss -tnl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:22 *:* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 100 [::1]:25 [::]:* [root@node01 ~]# ps aux |grep puppet root 1653 0.0 0.0 115404 1436 ? Ss 15:27 0:00 /bin/sh /usr/bin/start-puppet-agent agent --no-daemonize root 1654 26.7 2.2 317640 41888 ? Sl 15:27 0:02 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize root 1680 0.0 0.0 112808 968 pts/0 S+ 15:28 0:00 grep --color=auto puppet [root@node01 ~]#
提示:puppet agent虽然也是一个守护进程工作,但它主要不是对外提供服务,它之所以要工作为守护进程,是因为它要周期性的到master端拉取和自己相关的配置;所以它不会监听任何端口;
在master端查看未签发证书列表
[root@master ~]# puppet cert list "node01.test.org" (SHA256) AD:01:59:E7:6C:97:E7:5E:67:09:B9:52:94:0D:37:89:82:8B:EE:49:BB:4D:FC:E1:51:64:BE:EF:71:47:15:11 "node02.test.org" (SHA256) E1:EC:5B:0C:BF:B7:4C:B9:4F:10:A9:12:34:8B:7A:36:E3:A1:D4:EC:DD:DD:DC:F4:05:48:0B:85:B5:70:AC:28 [root@master ~]#
提示:puppet默认会自己维护一个ca,我们只需要用对应的子命令进行管理即可;以上命令表示列出未签发的证书列表(即收到的agent证书签发文件列表);从上面的信息可以看到现在node01和node02都没有签发证书;
在master端签发证书
[root@master ~]# puppet cert list "node01.test.org" (SHA256) AD:01:59:E7:6C:97:E7:5E:67:09:B9:52:94:0D:37:89:82:8B:EE:49:BB:4D:FC:E1:51:64:BE:EF:71:47:15:11 "node02.test.org" (SHA256) E1:EC:5B:0C:BF:B7:4C:B9:4F:10:A9:12:34:8B:7A:36:E3:A1:D4:EC:DD:DD:DC:F4:05:48:0B:85:B5:70:AC:28 [root@master ~]# puppet cert sign node01.test.org Notice: Signed certificate request for node01.test.org Notice: Removing file Puppet::SSL::CertificateRequest node01.test.org at '/var/lib/puppet/ssl/ca/requests/node01.test.org.pem' [root@master ~]# puppet cert list "node02.test.org" (SHA256) E1:EC:5B:0C:BF:B7:4C:B9:4F:10:A9:12:34:8B:7A:36:E3:A1:D4:EC:DD:DD:DC:F4:05:48:0B:85:B5:70:AC:28 [root@master ~]# puppet cert sign --all Notice: Signed certificate request for node02.test.org Notice: Removing file Puppet::SSL::CertificateRequest node02.test.org at '/var/lib/puppet/ssl/ca/requests/node02.test.org.pem' [root@master ~]# puppet cert list [root@master ~]# puppet cert list --all + "master.test.org" (SHA256) 0C:CC:20:EE:F5:FC:73:21:0B:15:73:EF:A5:0B:3A:F8:01:DB:F7:07:7C:DB:78:87:80:87:FC:F2:BF:E7:2F:30 (alt names: "DNS:master.test.org", "DNS:puppet", "DNS:puppet.test.org") + "node01.test.org" (SHA256) 34:BE:E1:1E:26:15:56:56:C3:A0:0D:FB:7F:01:B1:80:35:EC:1D:07:26:C7:05:CA:6E:19:8C:75:9A:A4:67:4E + "node02.test.org" (SHA256) E7:B6:B0:FD:04:61:A8:87:D9:E5:DA:51:8B:1D:E0:AD:11:F0:A2:65:43:6D:C4:8D:54:C8:75:8B:DF:CC:51:93 [root@master ~]#
提示:签发证书需要用cert sign+对应要签发的证书的主机名;如果不想一个一个指定来签发,也可以使用--all选项来签发所有未签发的证书;到此puppet的master/agent模型就搭建好了;后续我们只需要在master端上定义模块和站点清单即可;
示例:在master上创建redis模块,主要功能是安装启动redis,并让其配置为主从复制模式;
在master端上创建模块目录结构
[root@master ~]# mkdir -pv /etc/puppet/modules/redis/{manifests,files,templates,lib,spec,tests}
mkdir: created directory ‘/etc/puppet/modules/redis’
mkdir: created directory ‘/etc/puppet/modules/redis/manifests’
mkdir: created directory ‘/etc/puppet/modules/redis/files’
mkdir: created directory ‘/etc/puppet/modules/redis/templates’
mkdir: created directory ‘/etc/puppet/modules/redis/lib’
mkdir: created directory ‘/etc/puppet/modules/redis/spec’
mkdir: created directory ‘/etc/puppet/modules/redis/tests’
[root@master ~]# tree /etc/puppet/modules/redis/
/etc/puppet/modules/redis/
├── files
├── lib
├── manifests
├── spec
├── templates
└── tests
6 directories, 0 files
[root@master ~]#
在/etc/puppet/modules/redis/manifests/目录下创建资源清单
[root@master ~]# cat /etc/puppet/modules/redis/manifests/init.pp
class redis{
package{"redis":
ensure => installed,
}
service{"redis":
ensure => running,
enable => true,
hasrestart => true,
restart => 'service redis restart',
}
}
[root@master ~]# cat /etc/puppet/modules/redis/manifests/master.pp
class redis::master($masterport='6379',$masterpass='admin') inherits redis {
file{"/etc/redis.conf":
ensure => file,
content => template('redis/redis-master.conf.erb'),
owner => 'redis',
group => 'root',
mode => '0644',
}
Service["redis"]{
subscribe => File["/etc/redis.conf"],
restart => 'systemctl restart redis'
}
}
[root@master ~]# cat /etc/puppet/modules/redis/manifests/slave.pp
class redis::slave($masterip,$masterport='6379',$masterpass='admin') inherits redis {
file{"/etc/redis.conf":
ensure => file,
content => template('redis/redis-slave.conf.erb'),
owner => 'redis',
group => 'root',
mode => '0644',
}
Service["redis"]{
subscribe => File["/etc/redis.conf"],
restart => 'systemctl restart redis'
}
}
[root@master ~]#
在templates目录创建对应的模版文件
redis-master.conf.erb文件内容
[root@master ~]# cat /etc/puppet/modules/redis/templates/redis-master.conf.erb bind 0.0.0.0 protected-mode yes port <%= @masterport %> tcp-backlog 511 timeout 0 tcp-keepalive 300 daemonize no supervised no pidfile /var/run/redis_6379.pid loglevel notice logfile /var/log/redis/redis.log databases 16 requirepass <%= @masterpass %> save 900 1 save 300 10 save 60 10000 stop-writes-on-bgsave-error yes rdbcompression yes rdbchecksum yes dbfilename dump.rdb dir /var/lib/redis slave-serve-stale-data yes slave-read-only yes repl-diskless-sync no repl-diskless-sync-delay 5 repl-disable-tcp-nodelay no slave-priority 100 appendonly no appendfilename "appendonly.aof" appendfsync everysec no-appendfsync-on-rewrite no auto-aof-rewrite-percentage 100 auto-aof-rewrite-min-size 64mb aof-load-truncated yes lua-time-limit 5000 slowlog-log-slower-than 10000 slowlog-max-len 128 latency-monitor-threshold 0 notify-keyspace-events "" hash-max-ziplist-entries 512 hash-max-ziplist-value 64 list-max-ziplist-size -2 list-compress-depth 0 set-max-intset-entries 512 zset-max-ziplist-entries 128 zset-max-ziplist-value 64 hll-sparse-max-bytes 3000 activerehashing yes client-output-buffer-limit normal 0 0 0 client-output-buffer-limit slave 256mb 64mb 60 client-output-buffer-limit pubsub 32mb 8mb 60 hz 10 aof-rewrite-incremental-fsync yes [root@master ~]#