Puppet Automated Deployment – Install and Initialize

2016-12-16 Puppet

In DevOps, Puppet fills the configuration-management (automated deployment) role. DevOps is popular in today's market for a simple reason: when an environment routinely has hundreds, thousands or even tens of thousands of servers, there is no way to manage them with a proportional number of administrators. Technology moves fast, skilled staff are increasingly scarce, and the headcount to maintain those servers by hand does not exist.

 

I see DevOps as a shift in the technical era: keep up or be left behind. The bar to call yourself an "engineer" is very low today, and in such a competitive industry automation is one of the clearest ways a system administrator can add value. It makes the work faster and frees up time, so let's all get off work early.

 

The mainstream configuration-management options today are Puppet, Chef, Ansible, Salt, etc. Each has its strengths; the point is to pick the tool that fits your environment. I chose Puppet because my environment is extremely heterogeneous, and Puppet's advantage is that it handles almost every OS, with very good compatibility and a simple install. That shifts more of the value onto your deployment plan, the manifests.

 

This article focuses on Puppet 4. Puppet 3 and 4 differ a great deal: Puppet Server runs on the JVM (it is written in Clojure and embeds JRuby to run Puppet's Ruby code) while the agent is plain Ruby, module syntax differs, and the directory layout changed substantially. Confirm which version you are using before starting, and check that any module you pull in is compatible with your Puppet version.

Note: Puppet 4 changed the locations for many of the most important files and directories. If you’re familiar with Puppet 3 and earlier, read a summary of the changes and refer to the full specification of Puppet directories.

 

This article uses Ubuntu 16.04 for both the Puppet master and the Puppet agent (client), but Ubuntu is not a requirement.

 

First, define the environment:

Puppet Master:

Operating system : Ubuntu 16.04

IP Address : 192.168.10.10

HostName/Domain : master.puppet.com

 

Puppet Agent:

Operating system : Ubuntu 16.04

IP Address : 192.168.10.11

HostName/Domain : agent.puppet.com

 

Puppet Master install

Step.1 Required environment settings for Puppet

Puppet's official documentation says:

Name resolution: Every node must have a unique hostname. Forward and reverse DNS must both be configured correctly. (Instructions for configuring DNS are beyond the scope of this guide. If your site lacks DNS, you must write an /etc/hosts file on each node.)

Note: The default Puppet master hostname is puppet. Your agent nodes can be ready sooner if this hostname resolves to your Puppet master.

Puppet expects every host to be reachable by a unique, fully qualified name that resolves both forward and reverse. The certname defaults to the node's FQDN, so the names below are the ones that will end up on the certificates. In a lab without DNS, define them in the hosts file on every node:

$ sudo vim /etc/hosts

192.168.10.10 master.puppet.com
192.168.10.11 agent.puppet.com
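A quick sanity check for a lab hosts file, added here as an example (it is not from the original post). For each name you intend to use as a certname it confirms that exactly one address maps to it (forward) and that the canonical, first name on that address's line is the same name, because that is what a reverse lookup through /etc/hosts returns. The sample hosts content is constructed for the demonstration and includes two deliberate mistakes.

```shell
#!/bin/sh
# Added example: check that names in an /etc/hosts-style file satisfy Puppet's
# "forward and reverse must both resolve" rule. Not part of the original post.

# check_hosts HOSTS_FILE NAME...
#   forward: exactly one address maps to NAME
#   reverse: the canonical (first) name on that address's line is NAME,
#            since that is what gethostbyaddr() returns from /etc/hosts
# Returns 0 when every NAME passes, 1 otherwise.
check_hosts() {
    file="$1"; shift
    status=0
    for name in "$@"; do
        # all addresses whose line lists NAME (comment lines skipped), deduplicated
        ips=$(awk -v n="$name" '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == n) print $1 }' "$file" | sort -u)
        count=0
        [ -n "$ips" ] && count=$(printf '%s\n' "$ips" | wc -l | tr -d ' ')
        if [ "$count" -ne 1 ]; then
            echo "FAIL $name: expected exactly one address, found $count" >&2
            status=1
            continue
        fi
        # reverse: first name on the first line for that address
        canon=$(awk -v ip="$ips" '!/^[[:space:]]*#/ && $1 == ip { print $2; exit }' "$file")
        if [ "$canon" != "$name" ]; then
            echo "FAIL $name: $ips reverse-resolves to '$canon', not '$name'" >&2
            status=1
            continue
        fi
        echo "OK   $name -> $ips"
    done
    return $status
}

# Constructed sample: the two lab hosts from this post plus two deliberate mistakes.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1     localhost
192.168.10.10 master.puppet.com
192.168.10.11 agent.puppet.com
# duplicate name on two addresses: forward lookup is ambiguous
192.168.10.12 dup.puppet.com
192.168.10.13 dup.puppet.com
# short name listed first: reverse lookup returns "node3", not the FQDN
192.168.10.14 node3 node3.puppet.com
EOF

check_hosts "$SAMPLE_HOSTS" master.puppet.com agent.puppet.com
check_hosts "$SAMPLE_HOSTS" dup.puppet.com node3.puppet.com || echo "(the two failures above are the deliberate mistakes)"
```

Run it against the real /etc/hosts on each node with the certnames you plan to use; the node3 case is the common gotcha, since a short alias listed before the FQDN silently breaks reverse resolution even though forward resolution works.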

 

Puppet depends on the master and the agents agreeing on the time. The master acts as the certificate authority, and a certificate issued while clocks are skewed will be rejected by the other side as not yet valid (or already expired), so synchronize the clocks before any certificates are generated:

#sync the clock (Ubuntu 16.04 runs systemd, so manage chrony with systemctl)
$ sudo apt-get install chrony
$ sudo systemctl start chrony
$ sudo systemctl enable chrony
$ chronyc tracking

#set the time zone
$ sudo timedatectl set-timezone Asia/Taipei

 

Step.2 安裝 Puppet master

$ wget https://apt.puppetlabs.com/puppetlabs-release-pc1-xenial.deb
$ sudo dpkg -i puppetlabs-release-pc1-xenial.deb
$ sudo apt-get update
$ sudo apt-get install puppetserver

The repo package downloaded here is for Ubuntu 16.04 (xenial). On any other release the install fails, so fetch the matching release package from apt.puppetlabs.com.

# if using CentOS 7:
$ sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm

# if using CentOS 6:
$ sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-6.noarch.rpm

$ sudo yum install puppetserver


Step.3 Adjust the Puppet master's JVM memory (the default is 2G)

$ sudo vim /etc/default/puppetserver
JAVA_ARGS="-Xms256m -Xmx256m -XX:MaxPermSize=256m"

# if using CentOS the file is /etc/sysconfig/puppetserver

256 MB is a lab setting so the server fits in a small VM. For real workloads keep the 2 GB default or size the heap to the number of JRuby instances (Puppet recommends at least 512 MB per instance). On Java 8 the -XX:MaxPermSize option is ignored with a warning, since PermGen no longer exists, so it can be dropped.

 

Step.4 Configure the master's puppet.conf

$ sudo vim /etc/puppetlabs/puppet/puppet.conf

[main]
  vardir = /opt/puppetlabs/server/data/puppetserver
  logdir = /var/log/puppetlabs/puppetserver
  rundir = /var/run/puppetlabs/puppetserver
  pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
  codedir = /etc/puppetlabs/code
  certname = master.puppet.com
  server = master.puppet.com
  environment = production
  runinterval = 1h
  strict_variables = true

[master]
  dns_alt_names = master.puppet.com
  ssl_client_header = SSL_CLIENT_S_DN
  ssl_client_verify_header = SSL_CLIENT_VERIFY

  • certname: the name on this node's certificate. It defaults to the FQDN and must be the name (or one of the dns_alt_names) that agents use in their server setting
  • server: the address of the puppet master
  • environment: selects the environment, which lets you keep separate manifests/modules per environment
  • runinterval: how often the agent applies its catalog. The default is 30 minutes (a bare number is seconds; suffixes such as 30m or 1h also work); this config sets 1h, and you can shorten it while testing
  • dns_alt_names: additional DNS names for the puppet master, comma separated. They are baked into the master's certificate when it is first generated, so set this before the first start; changing it later means regenerating the master's certificate
  • ssl_client_header / ssl_client_verify_header: only consulted when a reverse proxy terminates TLS in front of the master and passes the client certificate in headers; harmless in this setup

※ Both the master and the agents need a puppet.conf, but the settings differ; see Puppet Server: Differing Behavior in puppet.conf.

 

Step.5 Create a puppet symlink for convenience

$ sudo ln -s /opt/puppetlabs/puppet/bin/puppet /usr/sbin/

 

Step.6 Start puppetserver

$ sudo systemctl start puppetserver
$ sudo systemctl enable puppetserver


# check
$ ss -tunlp
tcp  LISTEN  0  50  :::8140  :::*  users:(("java",pid=27312,fd=4))

$ ps ax | grep java
 2819 ?        Sl     3:33 /usr/bin/java -Xms256m -Xmx256m -XX:MaxPermSize=256m -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar clojure.main -m puppetlabs.trapperkeeper.main --config /etc/puppetlabs/puppetserver/conf.d --bootstrap-config /etc/puppetlabs/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/ --restart-file /opt/puppetlabs/server/data/puppetserver/restartcounter
17550 pts/0    S+     0:00 grep --color=auto java

 

Step.7 Open port 8140 in the firewall

$ sudo ufw allow 8140/tcp

Agents connect to the master over TCP 8140 (HTTPS). Outside the lab, restrict the rule to the agents' source network rather than allowing 8140 from anywhere; the master's CA and catalog endpoints should not be reachable from untrusted networks.


OK, that completes the Puppet master installation.


Puppet Agent install

Step.1 Next, install the Puppet agent on every node to be managed. Correct the time zone and clock first, exactly as on the master.

$ wget https://apt.puppetlabs.com/puppetlabs-release-pc1-xenial.deb
$ sudo dpkg -i puppetlabs-release-pc1-xenial.deb
$ sudo apt-get update
$ sudo apt-get install puppet-agent

# if using CentOS 7 (use the PC1 repo; the older puppetlabs-release repo ships Puppet 3):
$ sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm

# if using CentOS 6:
$ sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-6.noarch.rpm

$ sudo yum install puppet-agent

 

Step.2 Configure the agent's puppet.conf

$ sudo vim /etc/puppetlabs/puppet/puppet.conf

[main]
  rundir = /var/run/puppetlabs/puppet
  server = master.puppet.com
  certname = agent.puppet.com
  report = true
  environment = production
  runinterval = 60

server must be the address of the puppet master. It has to match the master's certname or one of its dns_alt_names, otherwise the agent rejects the master's certificate.

runinterval: because this is a lab, the agent syncs with the master every 60 seconds. That is far too aggressive for production, where the 30-minute default is the norm.

The legacy puppetdlog setting has been left out of this file; the agent's log destination is set with --logdest in the next step.

 

Step.3 Change where the agent logs. By default it writes to syslog, which is hard to debug with, so send it to /var/log/puppetlabs/puppet/puppetd.log instead

$ sudo vim /etc/default/puppet
PUPPET_EXTRA_OPTS=--logdest /var/log/puppetlabs/puppet/puppetd.log

This adds the --logdest option when the agent service starts. (On CentOS the equivalent file is /etc/sysconfig/puppet.)

 

Step.4 Create the puppet symlink

$ sudo ln -s /opt/puppetlabs/puppet/bin/puppet /usr/sbin/

 

Step.5 Start the agent

$ sudo systemctl start puppet
$ sudo systemctl enable puppet

 

Step.6 When the agent starts it contacts the master to request an SSL certificate, so the agent's request must be signed (added) on the master. Signing is the trust decision in Puppet's PKI: a signed node receives whatever catalog the master compiles for it, so before signing compare the fingerprint shown here with the one the node prints from puppet agent --fingerprint, and do not sign requests you cannot account for. Autosigning is off by default; leave it that way unless you have a controlled provisioning flow.

# on master, list agents waiting to be signed
$ puppet cert list
"agent.puppet.com" (SHA256) 61:5C:49:DF:34:73:A0:5D:A2:CD:57:94:B5:9D:F0:D2:5A:46:09:15:2F:73:10:97:42:21:5A:15:6F:50:D4:ED

$ puppet cert sign agent.puppet.com

On a freshly installed master you may see Notice: Signed certificate request for ca the first time you run puppet cert. This is not really a bug: the CA certificate is not created at install time, so whichever CA operation runs first generates it.

 

Add --all to also list nodes that have already been signed (marked with +). The fingerprint shown now is that of the signed certificate, which differs from the request's fingerprint above.

$ puppet cert list --all
+ "agent.puppet.com"  (SHA256) 64:B1:AF:7B:F8:9F:E7:E3:41:4F:2A:5F:54:67:6B:DB:84:83:17:68:37:F2:00:10:25:7B:03:27:71:AC:34:BE
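The fingerprint comparison described above, as an added example that is not part of the original post. It parses the output of puppet cert list on the master, picks out the pending request for a given certname, and only approves signing when that fingerprint equals the one the node's operator reported from puppet agent --fingerprint. The sign_if_verified helper name, the exit-code convention and the sample listing (which reuses the request fingerprint shown in this post; the signed master entry is constructed) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to sign a CSR unless the
# SHA256 fingerprint shown by `puppet cert list` on the master matches the one
# the node's operator reported from `puppet agent --fingerprint`.

# pending_fingerprint CERTNAME  (reads `puppet cert list` output on stdin)
# Prints the fingerprint of a *pending* request for CERTNAME. Signed entries
# start with "+" and revoked ones with "-", so requiring the first field to be
# the bare quoted name selects pending requests only.
pending_fingerprint() {
    awk -v name="\"$1\"" '$1 == name && $2 == "(SHA256)" { print $3 }'
}

# Canonical form for comparison: uppercase, no colons.
norm_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# verify_csr CERTNAME EXPECTED_FP LIST_OUTPUT
#   returns 0 on match, 1 on fingerprint mismatch, 2 when no request is pending
verify_csr() {
    certname="$1"; expected="$2"; list_output="$3"
    actual=$(printf '%s\n' "$list_output" | pending_fingerprint "$certname")
    [ -n "$actual" ] || return 2
    [ "$(norm_fp "$actual")" = "$(norm_fp "$expected")" ] || return 1
    return 0
}

# sign_if_verified CERTNAME EXPECTED_FP   (run on the master; calls puppet cert)
sign_if_verified() {
    rc=0
    verify_csr "$1" "$2" "$(puppet cert list 2>/dev/null)" || rc=$?
    case $rc in
        0) puppet cert sign "$1" ;;
        1) echo "REFUSING to sign $1: fingerprint mismatch (possible rogue node)" >&2 ;;
        2) echo "no pending request for $1" >&2 ;;
    esac
    return $rc
}

# Constructed sample of `puppet cert list --all` output. The pending entry uses
# the request fingerprint from this post; the signed master entry is made up.
SAMPLE_LIST='"agent.puppet.com" (SHA256) 61:5C:49:DF:34:73:A0:5D:A2:CD:57:94:B5:9D:F0:D2:5A:46:09:15:2F:73:10:97:42:21:5A:15:6F:50:D4:ED
+ "master.puppet.com" (SHA256) 64:B1:AF:7B:F8:9F:E7:E3:41:4F:2A:5F:54:67:6B:DB:84:83:17:68:37:F2:00:10:25:7B:03:27:71:AC:34:BE'

# What the operator of agent.puppet.com reported from `puppet agent --fingerprint`
EXPECTED='61:5C:49:DF:34:73:A0:5D:A2:CD:57:94:B5:9D:F0:D2:5A:46:09:15:2F:73:10:97:42:21:5A:15:6F:50:D4:ED'
rc=0; verify_csr agent.puppet.com "$EXPECTED" "$SAMPLE_LIST" || rc=$?
echo "verify_csr agent.puppet.com -> $rc (0 = fingerprint matches, safe to sign)"
```

On the node, run puppet agent --fingerprint and pass its output as the second argument to sign_if_verified on the master. Compare before signing, not after: as the two listings in this post show, the signed certificate's fingerprint differs from the request's.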

 

 

Verify the Puppet Client

Use the --test option to run the agent once in the foreground and check that it works:

$ puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent.puppet.com
Info: Applying configuration version '1481874601'
Notice: Applied catalog in 0.12 seconds

 

No errors means the master and agent are communicating: the agent's certificate was accepted and a catalog was retrieved and applied.

 

 

** Every start of puppetserver takes a long time. A 60-second timeout shows up in the discussion "Bump default-borrow-timeout to something significantly higher":

The macro doesn’t specify a timeout but it calls into a JRuby service function, `borrow-instance`, which makes a call to borrow-from-pool-with-timeout with a timeout value:

https://github.com/puppetlabs/puppet-server/blob/cd659b95ac557502f3bab2eea878fa7e6a131b6f/src/clj/puppetlabs/services/jruby/jruby_puppet_service.clj#L53

That timeout value may derive from the borrow-timeout key in the jruby-puppet configuration section or, if not specified in that section, the default-borrow-timeout, which is 60 seconds.

The code on the stable branch doesn’t have this change. Calls made to the JRuby service to borrow an instance with no timeout, basically any call in a production code path, would effectively use an infinite timeout. The change to fix a timeout on each JRuby borrow request came into the master branch for https://github.com/puppetlabs/puppet-server/pull/329.

Maybe it makes sense to rework this such that calls to the JRubyPuppet service and CI don’t require a timeout.

So puppetserver's source calls "borrow-from-pool-with-timeout" with a default of 60 seconds. As the quoted comment explains, though, that timeout applies when a request borrows a JRuby instance from the pool, so it bounds how long a request waits for a free instance rather than the startup itself. The slow start is mostly the JVM and the JRuby instance pool initializing, since each instance has to load Puppet's Ruby code.

 

 

References:

Puppet All Configuration Reference
