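#### Introducing the Foreman Architecture 6 - Integrating puppetmaster
**Note:** Everything below was done in a **foreman1.6.3+puppet2.6.2** environment. For more configuration options, see the official manual: [http://theforeman.org/manuals/1.6/index.html](http://theforeman.org/manuals/1.6/index.html)
With foreman and puppetmaster installed, the next step is to integrate them. Foreman can currently manage puppet environments, classes, class variables, reports, facter data and more. Each is covered in turn below.
# 1. First make sure the smart proxy is proxying puppet and the puppet CA
Proxying puppet and the puppet CA has to be enabled in foreman-proxy.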
~~~
# configure the puppet proxy
[root@puppetmaster162 ~]# cat /etc/foreman-proxy/settings.d/puppet.yml
---
# Puppet management
:enabled: true # enabled
:puppet_conf: /etc/puppet/puppet.conf
# valid providers:
# puppetrun (for puppetrun/kick, deprecated in Puppet 3)
# mcollective (uses mco puppet)
# puppetssh (run puppet over ssh)
# salt (uses salt puppet.run)
# customrun (calls a custom command with args)
:puppet_provider: mcollective
# customrun command details
# Set :customrun_cmd to the full path of the script you want to run, instead of /bin/false
:customrun_cmd: /bin/false
# Set :customrun_args to any args you want to pass to your custom script. The hostname of the
# system to run against will be appended after the custom commands.
:customrun_args: -ay -f -s
# whether to use sudo before the ssh command
:puppetssh_sudo: false
# the command which will be sent to the host
:puppetssh_command: /usr/bin/puppet agent --onetime --no-usecacheonfailure
# With which user should the proxy connect
#:puppetssh_user: root
#:puppetssh_keyfile: /etc/foreman-proxy/id_rsa
# Which user to invoke sudo as to run puppet commands
:puppet_user: root
# URL of the puppet master itself for API requests
:puppet_url: https://puppetmaster162.kisspuppet.com:8140
# SSL certificates used to access the puppet master API
:puppet_ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
:puppet_ssl_cert: /var/lib/puppet/ssl/certs/puppetmaster162.kisspuppet.com.pem
:puppet_ssl_key: /var/lib/puppet/ssl/private_keys/puppetmaster162.kisspuppet.com.pem
# Override use of Puppet's API to list environments, by default it will use only if
# environmentpath is given in puppet.conf, else will look for environments in puppet.conf
#:puppet_use_environment_api: true
# configure the puppet CA proxy
[root@puppetmaster162 ~]# cat /etc/foreman-proxy/settings.d/puppetca.yml
---
# PuppetCA management
:enabled: true
:ssldir: /var/lib/puppet/ssl
:puppetdir: /etc/puppet
~~~
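# 2. Managing puppet environments
### 2.1. Configuring the puppetmaster environments
Puppet added the "directory environments" feature starting with version 2.6. For details see the official documentation: [https://docs.puppetlabs.com/puppet/latest/reference/environments.html](https://docs.puppetlabs.com/puppet/latest/reference/environments.html)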
~~~
[root@puppetmaster162 ~]# cat /etc/puppet/puppet.conf
[master]
...
environmentpath = /etc/puppet/environments
basemodulepath = /etc/puppet/modules:/usr/share/puppet/modules
environment_timeout = 2 # how often the environment is refreshed
[root@puppetmaster162 ~]# ll /etc/puppet/environments/
total 24
drwxr-xr-x 4 root root 4096 Dec 5 16:46 development
drwxr-xr-x 4 root root 4096 Dec 5 16:46 example42
drwxr-xr-x 4 root root 4096 Dec 5 16:39 example_env
drwxr-xr-x 5 root root 4096 Dec 5 17:03 production
drwxr-xr-x 4 root root 4096 Dec 5 16:46 puppetlabs
drwxr-xr-x 7 root root 4096 Dec 5 17:03 temp
~~~
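**Note:** The configuration above shows that two environments have been set up.
### 2.2. Importing puppet environments into foreman
# 3. Managing puppet classes
### 3.1. Configuring puppet classes
Note the following points:
- The path set in `basemodulepath` in puppet.conf is the shared environment for every environment under the environment directory; all modules in it are found by the other environments (provided no environment.conf is configured).
- By default each environment directory should contain a manifests directory (holding the main manifest site.pp) and a modules directory (holding modules). The directory structure looks like this: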
~~~
[root@puppetmaster162 environments]# tree production/
production/
├── environment.conf
├── manifests
│   └── site.pp
├── modules
│   ├── jenkins
│   │   ├── files
│   │   │   └── jenkins.repo
│   │   ├── manifests
│   │   │   ├── init.pp
│   │   │   ├── install.pp
│   │   │   ├── service.pp
│   │   │   └── yum.pp
│   │   ├── README
│   │   └── templates
│   └── motd
│       ├── files
│       │   └── motd
│       ├── manifests
│       │   └── init.pp
│       └── templates
└── system
    └── ssh
        ├── files
        ├── manifests
        │   ├── backup.pp
        │   ├── config.pp
        │   ├── init.pp
        │   ├── install.pp
        │   └── service.pp
        ├── Modulefile
        ├── README
        ├── spec
        │   └── spec_helper.rb
        ├── templates
        │   └── sshd_config.erb
        └── tests
            └── init.pp

17 directories, 20 files
~~~
- If you want an environment to contain several directories, each of which holds modules, add an environment.conf file:
~~~
[root@puppetmaster162 environments]# ll temp/
total 24
-rw-r--r-- 1 root root 95 Dec 5 17:03 environment.conf # environment search-path configuration file added
drwxr-xr-x 11 root root 4096 Dec 5 17:02 juhailu
drwxr-xr-x 2 root root 4096 Dec 5 16:48 kisspuppet
drwxr-xr-x 4 root root 4096 Dec 5 16:56 lin
drwxr-xr-x 2 root root 4096 Dec 5 16:48 manifests
drwxr-xr-x 5 root root 4096 Dec 5 16:47 puppetlabs
[root@puppetmaster162 environments]# ll temp/puppetlabs/
total 12
drwxr-xr-x 5 root root 4096 Dec 5 16:46 propuppet-demoapp
drwxr-xr-x 5 root root 4096 Dec 5 16:46 puppetlabs-demoapp
drwxr-xr-x 4 root root 4096 Dec 5 16:46 puppet-module-skeleton
[root@puppetmaster162 environments]# cat temp/environment.conf # add the search path
modulepath = $basemodulepath:puppetlabs:modules:lin:modules:juhailu:modules:kisspuppet:modules
~~~
**Note:** The search path must include `$basemodulepath`; otherwise the default shared environment path is not searched.
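The effect of leaving `$basemodulepath` out of environment.conf can be checked with a small resolver. This is an added example, not code from the original article or from Puppet itself; the function names `effective_modulepath` and `visible_modules` are hypothetical, and the directory layout is constructed in a temporary directory.

```ruby
require 'tmpdir'
require 'fileutils'

# Resolve the module search path of one directory environment.
# basemodulepath is the value from the [master] section of puppet.conf.
def effective_modulepath(env_dir, basemodulepath)
  conf = File.join(env_dir, 'environment.conf')
  setting = nil
  if File.file?(conf)
    File.foreach(conf) do |line|
      line = line.sub(/#.*/, '').strip
      setting = $1.strip if line =~ /\Amodulepath\s*=\s*(.+)\z/
    end
  end
  # No environment.conf (or no modulepath in it): Puppet falls back to
  # <environment>/modules followed by $basemodulepath.
  setting ||= 'modules:$basemodulepath'
  setting.gsub('$basemodulepath') { basemodulepath }
         .split(':').reject(&:empty?)
         .map { |p| File.expand_path(p, env_dir) } # relative to the environment
         .uniq
end

# Module name => directory it is loaded from; the first path entry wins.
def visible_modules(paths)
  paths.each_with_object({}) do |dir, found|
    next unless File.directory?(dir)
    Dir.children(dir).sort.each do |name|
      found[name] ||= dir if File.directory?(File.join(dir, name))
    end
  end
end

# Constructed layout in a temp dir (not the author's real tree).
def demo
  Dir.mktmpdir do |root|
    base = File.join(root, 'modules')
    env  = File.join(root, 'environments', 'temp')
    FileUtils.mkdir_p(File.join(base, 'ssh'))
    FileUtils.mkdir_p(File.join(env, 'puppetlabs', 'puppetlabs-demoapp'))
    conf = File.join(env, 'environment.conf')
    File.write(conf, 'modulepath = puppetlabs')
    without = visible_modules(effective_modulepath(env, base)).keys
    File.write(conf, 'modulepath = $basemodulepath:puppetlabs')
    with = visible_modules(effective_modulepath(env, base)).keys
    { without: without, with: with }
  end
end
```

Because the first path entry wins on a name clash, the order of entries in `modulepath` also decides which copy of a module is compiled into node catalogs.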
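### 3.2. Importing puppet classes into Foreman
# 4. Setting up the ENC
### 4.1. Managing modules directly on a node
**Remark:** Adding the main class is enough.
This associates the node with the module, which is equivalent to adding the following code to site.pp:
~~~
node 'puppetmaster162.kisspuppet.com' { include ssh }
~~~
### 4.2. Inheriting modules through a group
**Remark:** If you manage modules through groups, selecting modules for an individual node is not recommended. Otherwise, if you first add module A to the node and then add module A to the node's group, the node's puppet classes view shows two modules with the same name among the included classes.
# 5. Managing groups and modules
### 5.1. Adding a config group
**Note:** Starting with version 1.5, foreman added the "config groups" feature. Several modules can be added to a config group, which is then given a name; when a host group selects modules, it only needs to select the config group to pull in all the modules it contains.
# 6. Checking that the settings took effect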
~~~
# You can check as follows. node.rb must have run first; trigger it with the "puppet agent" command or with "node.rb <certname>".
[root@puppetmaster162 ~]# cat /var/lib/puppet/yaml/foreman/puppetmaster162.kisspuppet.com.yaml
---
classes:
  ssh:
parameters:
  puppetmaster: puppetmaster162.kisspuppet.com
  hostgroup: prd
  root_pw:
  foreman_env: production
  owner_name: Admin User
  owner_email: root@kisspuppet.com
~~~
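With the settings above the ENC is functional and the link between nodes and classes is essentially in place. You can test it on a node with the puppet agent command. How to push from foreman is covered in later articles.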
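The cached ENC YAML shown above can also be checked automatically rather than read by eye. The following is an added example, not part of the original article or of Foreman: `check_enc` and the `SENSITIVE` name pattern are hypothetical, and `SAMPLE` is constructed from the output shown in this section.

```ruby
require 'yaml'

# Assumption: a simple name heuristic for parameters that may carry secrets.
SENSITIVE = /pw|pass|secret|token/i

# Compare one node's ENC output with the classes and environment you expect.
def check_enc(yaml_text, expected_classes:, expected_env:)
  doc = YAML.safe_load(yaml_text) || {}
  classes = doc['classes'] || {}
  # An ENC may return classes as a list of names or as a hash of
  # class name => class parameters; accept both forms.
  names = classes.is_a?(Hash) ? classes.keys : Array(classes)
  params = doc['parameters'] || {}
  {
    missing:    expected_classes - names,
    unexpected: names - expected_classes,
    env_ok:     (doc['environment'] || params['foreman_env']) == expected_env,
    # Populated secret-looking parameters sit in the cached YAML in clear text.
    secrets:    params.select { |k, v| k =~ SENSITIVE && !v.to_s.empty? }.keys
  }
end

# Constructed sample, modelled on the node YAML shown in this section.
SAMPLE = <<~YAML
  ---
  classes:
    ssh:
  parameters:
    puppetmaster: puppetmaster162.kisspuppet.com
    hostgroup: prd
    root_pw:
    foreman_env: production
YAML

def demo_enc
  check_enc(SAMPLE, expected_classes: ['ssh'], expected_env: 'production')
end
```

A non-empty `unexpected` list means the node receives classes nobody intended for it, for example through the host group or config group inheritance described in sections 4.2 and 5.1.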