Previously, when I wanted consistent settings and less manual work while managing servers, it was enough to configure one copy and sync it to the servers that needed it, but as the company's security rules get more and more
The fancier approach these days seems to be managing everything with Puppet, so let's install a simple version to play with.
Server configuration
OS : CentOS 6.4 x86_64
puppet_master (server) IP : 10.0.0.1
puppet_agent (client) IP : 10.0.0.2
Prerequisites :
Puppet checks the clock when hosts sync with each other, so all hosts should have synced against the same NTP server beforehand.
Installation :
I'm getting old and lazy, so let's rely on yum for everything. Puppet isn't in the default repositories, though, so the repo has to be added by hand:
shell> rpm -ivh https://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm
Next install Puppet. On the master, run:
shell> yum install puppet-server
On the agent, run:
shell> yum install puppet
And ... that's it, installed XD
Next comes configuration. First, Puppet doesn't recognize IP addresses; the hosts contact each other by FQDN, so at minimum add these two lines to /etc/hosts:
10.0.0.1 puppet_master
10.0.0.2 puppet_agent
Edit the Puppet configuration file on both the server and the client; for a simple setup it's fine to configure both identically:
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
server = puppet_master
report = true
# If there is nothing under the plugin directory, the client reports a minor error during sync, but it's harmless
pluginsync = true
Now Puppet can be started.
Master
shell> /etc/init.d/puppetmaster start
The master listens on port 8140 by default; if the firewall is enabled, remember to add a rule for it.
Agent
shell> /etc/init.d/puppet start
As for starting the agent, other documents say you should first request a certificate with shell> puppet agent --no-daemonize --server=puppet_server, but in my current testing it seems that even when the agent is started directly in daemon mode, the master still receives the request.
On the master, run the following command to check whether a request from the agent has been received:
shell> puppet cert list
"puppet_agent" (SHA256) 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
(The 11:11... fingerprint is a placeholder; every host's fingerprint is different.)
Approve the agent's request:
shell> puppet cert sign puppet_agent
Notice: Signed certificate request for puppet_agent
Notice: Removing file Puppet::SSL::CertificateRequest km at '/var/lib/puppet/ssl/ca/requests/puppet_agent.pem'
View the list of agents currently approved:
shell> puppet cert list --all
+ "puppet_agent" (SHA256) 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
+ "puppet_master" (SHA256) 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
A + before the name means the request has been approved, - means it has not.
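Because every signed name in that list can fetch the catalogs the master serves (including the password hashes in site.pp below), it is worth checking the list against the agents you actually expect. The following shell script is an added example, not code from the original post: it parses the output of puppet cert list --all against an allowlist of expected agent names; the sample output, fingerprints and host names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit `puppet cert list --all`.
# A line starting with "+" is a signed certificate; a line without that marker
# is a request the master has not signed, so no agent can use it yet.

# Constructed sample output; fingerprints are placeholders like the post's.
SAMPLE_CERT_LIST='+ "puppet_agent" (SHA256) 11:11:11:11:11:11:11:11
+ "puppet_master" (SHA256) 22:22:22:22:22:22:22:22
+ "unknown_box" (SHA256) 33:33:33:33:33:33:33:33
  "new_agent" (SHA256) 44:44:44:44:44:44:44:44'

# unexpected_signed CERT_LIST "name1 name2 ..." -> prints signed names that are
# not in the space-separated allowlist, one per line.
unexpected_signed() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        /^\+ / {
            name = $2; gsub(/"/, "", name)
            if (index(allow, " " name " ") == 0) print name
        }'
}

# pending_requests CERT_LIST -> prints names of requests still waiting to be
# signed (lines carrying neither a "+" nor a "-" marker).
pending_requests() {
    printf '%s\n' "$1" | awk '
        NF && !/^[+-]/ { name = $1; gsub(/"/, "", name); print name }'
}

# audit CERT_LIST ALLOWLIST -> returns 0 when every signed name is expected,
# 1 otherwise (the offending names go to stderr).
audit() {
    bad=$(unexpected_signed "$1" "$2")
    if [ -n "$bad" ]; then
        echo "signed certificates not in allowlist: $bad" >&2
        return 1
    fi
    return 0
}

# On the real master this would be:
#   audit "$(puppet cert list --all)" "puppet_agent puppet_master"
audit "$SAMPLE_CERT_LIST" "puppet_agent puppet_master" || echo "review needed"
echo "still pending: $(pending_requests "$SAMPLE_CERT_LIST")"
```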
Now we can do some simple configuration deployment. Suppose I want the agents I manage configured as follows :
1. /etc/hosts is kept identical
2. Every user's default login environment is identical => /etc/profile is kept identical
3. The root password is identical
4. The /home/staff directory exists on all of them
5. The ywhuang user account exists on all of them, with home directory /home/staff and bash as its shell
6. The firewall is running on all of them
7. Automatic updates
Then I can put the following in /etc/puppet/manifests/site.pp on the master:
node default {
  # Run yum update on every agent run. exec needs a search path (or a fully
  # qualified command), otherwise Puppet refuses to run the command.
  exec { "yum -y update":
    path => ["/usr/bin", "/bin"],
  }
  file { "/home/staff":
    ensure => directory,
  }
  file { "/etc/profile":
    ensure => file,
    source => "puppet:///modules/centos/etc.profile",
  }
  file { "/etc/hosts":
    ensure => file,
    source => "puppet:///modules/centos/etc.hosts",
  }
  user { "root":
    ensure   => present,
    password => 'PWD_GEN_IN_FOLLOWING_CMD',
  }
  user { "ywhuang":
    ensure   => present,
    password => 'PWD_GEN_IN_FOLLOWING_CMD',
    home     => "/home/staff",
    comment  => "Y.W Huang",
    shell    => "/bin/bash",
  }
  service { 'iptables':
    ensure => running,
    path   => "/etc/init.d",
  }
}
The etc.profile and etc.hosts files to be synced go under /etc/puppet/modules/centos/files on the master.
The password can be generated as a hashed string as follows (python must be installed first; the command uses Python 2 syntax) :
shell> python -c 'import crypt; print crypt.crypt("password", "$6$salt")'
Another slightly odd thing is that the password string has to be wrapped in single quotes; with double quotes, authentication fails @@? (Puppet interpolates $variables inside double-quoted strings, so the $6$salt$... parts of the hash get mangled; single quotes keep it literal.) Next, for testing, force the firewall off on the agent first:
shell> /etc/init.d/iptables stop
Then test a configuration sync:
shell> puppet agent --no-daemonize --onetime --verbose --server=puppet_master
You should see messages like the following:
Notice: /Stage[main]/Main/Node[default]/File[/etc/profile]/content: content changed '{md5}1153c583b1bf1dc7779c66af2e509a2b' to '{md5}b4f64bc64f24e90eb2da4f2e4def6153'
Notice: /Stage[main]/Main/Node[default]/File[/etc/hosts]/content: content changed '{md5}77f5bd65441738400ddcaa3d417ec958' to '{md5}8582d7ddbad4a317d9483f0afc8f0461'
Notice: /Stage[main]/Main/Node[default]/File[/home/staff]/ensure: created
Notice: /Stage[main]/Main/Node[default]/User[ywhuang]/ensure: created
Notice: /Stage[main]/Main/Node[default]/User[root]/password: changed password
Notice: /Stage[main]/Main/Node[default]/Service[iptables]/ensure: ensure changed 'stopped' to 'running'
Now check each file, user and password: they should all have become identical, and the firewall that was turned off should be back on.
If everything is fine, make them persistent services.
Master
shell> chkconfig puppetmaster on
shell> chkconfig puppet on
Agent
shell> chkconfig puppet on
Onward to managing a thousand VMs orz