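#### Puppet Extensions, Part 7: Integrating Puppet Code with a Version Control System
# 1. Introduction
By deploying Puppet in a client/server model, the Puppet server manages the whole life cycle of every managed node: from initialization to software upgrades, from creating configuration files to test deployment, from system maintenance to server migration. Puppet interacts with the managed nodes continuously, so configuration changes are detected and applied promptly. Combined with the SVN version control system, the environment that is currently running can be saved as a revision in SVN before Puppet pushes an update, which makes it quick to recover when an update goes wrong or when you need to roll back to an earlier environment.
# 2. Environment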
~~~
No.  Server type    Version / IP
1    PuppetMaster   RHEL6.4 x86_64 (192.168.100.110)
2    PuppetAgent    RHEL5.8 x86_64 (192.168.100.111) and RHEL5.7 x86_64 (192.168.100.112)
3    SVN server     RHEL6.4 x86_64 (192.168.100.110)
4    SVN server     RHEL6.4 x86_64 (192.168.100.110) and Windows 8.1 x86_64 (192.168.100.2)

No.  Type      Host / software name  System / software version   Other information
1    Software  Subversion            1.6.11-7                    rpm package
2    Software  TortoiseSVN           1.8.2.24708-x64-svn-1.8.3   msi
~~~
# 3. Deployment procedure
### 1 Deploying the SVN server
**1.1 Install the required packages**
~~~
[root@puppetserver ~]# yum install subversion
[root@puppetserver ~]# svnserve --version # check the version to confirm the installation succeeded
svnserve, version 1.6.11 (r934486)
compiled Apr 12 2012, 11:09:11
Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).
The following repository back-end (FS) modules are available:
* fs_base : Module for working with a Berkeley DB repository.
* fs_fs : Module for working with a plain file (FSFS) repository.
Cyrus SASL authentication is available.
~~~
**1.2 Create the first repository**
~~~
[root@puppetserver ~]# mkdir /svndata
[root@puppetserver ~]# svnadmin create /svndata/puppet
[root@puppetserver ~]# ll /svndata/puppet/
total 24
drwxr-xr-x 2 root root 4096 Oct 22 13:29 conf
drwxr-sr-x 6 root root 4096 Oct 22 13:29 db
-r--r--r-- 1 root root 2 Oct 22 13:29 format
drwxr-xr-x 2 root root 4096 Oct 22 13:29 hooks
drwxr-xr-x 2 root root 4096 Oct 22 13:29 locks
-rw-r--r-- 1 root root 229 Oct 22 13:29 README.txt
~~~
### 2 Accessing the SVN server through Apache+SSL authentication
**2.1 Install the required packages**
~~~
[root@puppetserver ~]# yum install httpd httpd-devel mod_dav_svn
~~~
**2.2 Create the SVN virtual host**
~~~
[root@puppetserver svndata]# vim /etc/httpd/conf.d/subversion.conf
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
Listen 8142
<VirtualHost *:8142>
<Location /svndata>
DAV svn
SVNListParentPath on
SVNPath "/svndata/puppet"
AuthType Basic
AuthName "Subversion repository"
AuthUserFile "/svndata/puppet/conf/authfile"
#AuthzSVNAccessFile /svndata/puppet/conf/svn-acl-conf
Require valid-user
SVNAutoversioning on
ModMimeUsePathInfo on
</Location>
</VirtualHost>
~~~
**2.3 Create the SVN permissions file**
~~~
[root@puppetserver svndata]# vim puppet/conf/authz
[groups]
admin = puppet
[admin:/]
@admin = rw
[/]
* = r
[$name:/]
test = rw">>/svndata/puppet/conf/authz
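~~~
**2.4 Create the user name and password and set the corresponding permissions**
~~~
[root@puppetserver ~]# /usr/bin/htpasswd -c /svndata/puppet/conf/authfile puppet # create the SVN server account puppet with the password redhat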
New password: redhat
Re-type new password: redhat
Adding password for user puppet
[root@puppetserver ~]# chown apache /svndata/puppet -R
[root@puppetserver ~]# echo "puppet = redhat" >>/svndata/puppet/conf/passwd
~~~
**2.5 Configure the SVN service settings**
~~~
[root@puppetserver svndata]# vim /svndata/puppet/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = /svndata/puppet/conf/passwd
authz-db = /svndata/puppet/conf/authz
realm = puppet Repository
~~~
**2.6 Test access from a browser**
~~~
[root@puppetserver svndata]# /etc/rc.d/init.d/httpd restart # restart the httpd service
http://192.168.100.110:8142/svndata/
~~~
**2.7 Test access from another Linux node**
~~~
[root@agent1 ~]# svn checkout http://192.168.100.110:8142/svndata/ /mnt/
Authentication realm: <http://192.168.100.110:8142> Puppet Subversion repository
Password for 'root':
Authentication realm: <http://192.168.100.110:8142> Puppet Subversion repository
Username: puppet
Password for 'puppet':
-----------------------------------------------------------------------
ATTENTION! Your password for authentication realm:
<http://192.168.100.110:8142> Puppet Subversion repository
can only be stored to disk unencrypted! You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible. See the documentation for details.
You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/root/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? no
Checked out revision 0.
~~~
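**2.8 Test access from the Windows client TortoiseSVN**
**Note:** Nothing has been imported yet, so the repository appears empty.
### 3 Integrating the Puppet server
**3.1 Import the Puppet server module directory into the repository**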
~~~
[root@puppetserver ~]# svn import /etc/puppet/environments/testing \
    http://192.168.100.110:8142/svndata/puppet -m "Puppet Initial repository"
Authentication realm: <http://192.168.100.110:8142> Puppet Subversion repository
Password for 'root':
Authentication realm: <http://192.168.100.110:8142> Puppet Subversion repository
Username: puppet
Password for 'puppet':
Adding /etc/puppet/environments/testing/groups
Adding /etc/puppet/environments/testing/groups/modules
Adding /etc/puppet/environments/testing/groups/modules/grub
Adding /etc/puppet/environments/testing/groups/modules/grub/files
Adding /etc/puppet/environments/testing/groups/modules/grub/manifests
…
Committed revision 1.
~~~
**Note:** Because the SVN server and the Puppet server are on the same host, the import can also be done as follows:
~~~
[root@puppetserver ~]# svn import /etc/puppet/environments/testing \
    file:///svndata/puppet -m "Puppet Initial repository"
~~~
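**3.2 Access the SVN server with the IE browser**
**3.3 Check out the latest repository to the local machine with the Windows client TortoiseSVN**
**3.4 Delete the testing directory on the Puppet server and check the repository data back out**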
~~~
[root@puppetserver ~]# cd /etc/puppet/environments/testing/
[root@puppetserver testing]# rm -rf * # making a backup before deleting is recommended
[root@puppetserver testing]# svn checkout \
    http://192.168.100.110:8142/svndata/puppet /etc/puppet/environments/testing
Authentication realm: <http://192.168.100.110:8142> Puppet Subversion repository
Password for 'puppet':
Please type 'yes' or 'no': no
A groups
A groups/modules
A groups/modules/grub
A groups/modules/grub/files
A groups/modules/grub/manifests
Checked out revision 1.
[root@puppetserver testing]# ls -a
. .. agents environment groups manifests .svn
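[root@puppetserver testing]# ls .svn/ # every directory gets a hidden .svn directory that stores the information for the current version
all-wcprops entries prop-base props text-base tmp
~~~
**Note:** After the checkout, /etc/puppet/environments/testing holds a copy of the latest revision on the SVN server.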
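### 4 Deploying SVN hooks
**4.1 Set up pre-commit**
A pre-commit hook lets the Puppet syntax be checked before files are committed to the SVN server: if the syntax is valid the commit succeeds, and if it contains errors the commit fails.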
~~~
[root@puppetserver hooks]# cp pre-commit.tmpl pre-commit
[root@puppetserver hooks]# chmod 774 pre-commit
[root@puppetserver hooks]# vim pre-commit
#!/bin/sh
# SVN pre-commit hook to check Puppet syntax for .pp files
# Modified from http://mail.madstop.com/pipermail/puppet-users/2007-March/002034.html
# Access http://projects.puppetlabs.com/projects/1/wiki/puppet_version_control
REPOS="$1"
TXN="$2"
tmpfile=`mktemp`
export HOME=/
SVNLOOK=/usr/bin/svnlook
# List the added or modified .pp files in the transaction (deleted files are skipped)
$SVNLOOK changed -t "$TXN" "$REPOS" | awk '/^[^D].*\.pp$/ {print $2}' | while read line
do
    # Write the file as it would be committed to a temporary file
    $SVNLOOK cat -t "$TXN" "$REPOS" "$line" > $tmpfile
    if [ $? -ne 0 ]
    then
        echo "Warning: Failed to checkout $line" >&2
    fi
    # puppet --color=false --confdir=/etc/puppet --vardir=/var/lib/puppet --parseonly --ignoreimport $tmpfile >>/var/log/puppet/svn_pre-commit.log 2>&1
    # "puppet parser validate" performs the syntax check; older releases use the --parseonly form above
    puppet parser validate --color=false --confdir=/etc/puppet --vardir=/var/lib/puppet --ignoreimport $tmpfile >>/var/log/puppet/svn_pre-commit.log 2>&1
    if [ $? -ne 0 ]
    then
        echo "Puppet syntax error in $line." >>/var/log/puppet/svn_pre-commit.log 2>&1
        # Leaves the while-loop subshell; the status is picked up by res=$? below
        exit 2
    fi
done
res=$?
rm -f $tmpfile
# A non-zero exit status rejects the commit
if [ $res -ne 0 ]
then
    exit $res
fi
~~~
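The hook above takes the path from awk's `$2`, which cuts off any path that contains a space, and it records syntax errors only in a log file on the server. The following is an added example, not the original author's hook: a variant that keeps whole paths and reports every failing manifest on stderr, which Subversion relays to the committing client when the hook exits non-zero. The function names and the `SVNLOOK` override are assumptions of this example, and it assumes a Puppet release that provides `puppet parser validate`.

```shell
#!/bin/sh
# Added example (not the page's hook). Assumes svnlook at /usr/bin/svnlook and
# a Puppet release that provides "puppet parser validate".
SVNLOOK=${SVNLOOK:-/usr/bin/svnlook}

# Reduce "svnlook changed" output to the .pp files that need checking.
# Each line is two status columns, two spaces, then the path, which may
# itself contain spaces. Deleted entries (status D) have nothing to validate.
pp_paths() {
    while IFS= read -r entry; do
        case "$entry" in D*) continue ;; esac
        path=$(printf '%s\n' "$entry" | cut -c5-)
        case "$path" in *.pp) printf '%s\n' "$path" ;; esac
    done
}

# Syntax-check one manifest file; output goes to stderr for the committer.
validate_manifest() {
    puppet parser validate --color=false "$1" >&2
}

# Validate every changed manifest in transaction $2 of repository $1.
# Returns 1 if any file fails, so all errors are reported in one attempt.
check_txn() {
    failed=0
    tmp=$(mktemp) || return 1
    paths=$("$SVNLOOK" changed -t "$2" "$1" | pp_paths)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! "$SVNLOOK" cat -t "$2" "$1" "$path" > "$tmp"; then
            echo "Cannot read $path from the transaction" >&2
            failed=1
        elif ! validate_manifest "$tmp"; then
            echo "Puppet syntax error in $path" >&2
            failed=1
        fi
    done <<EOF
$paths
EOF
    rm -f "$tmp"
    return "$failed"
}

# Subversion calls the hook as: pre-commit REPOS TXN. A non-zero exit
# rejects the commit and sends the hook's stderr back to the client.
if [ "$#" -ge 2 ]; then
    check_txn "$1" "$2" || exit 1
fi
```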
**4.2 Set up post-commit**
A post-commit hook makes the puppetmaster module directory `/etc/puppet/environments/testing` automatically update to the latest revision from the SVN server after files have been committed successfully.
~~~
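#!/bin/sh
# POST-COMMIT HOOK
REPOS="$1"
REV="$2"
#mailer.py commit "$REPOS" "$REV" /path/to/mailer.conf
export LANG=en_US.UTF-8
SVN=/usr/bin/svn
# Working copy that was checked out in step 3.4
PUPPET_DIR=/etc/puppet/environments/testing
#/usr/bin/svn up /etc/puppet --non-interactive
# Hooks run without a terminal, so svn must not prompt.
# The password is stored in clear text here; restrict read access to this file.
$SVN update $PUPPET_DIR --non-interactive --username puppet --password 123.com >>/var/log/puppet/svn_post-commit.log 2>&1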
~~~
### 5 Deploying and testing the SVN client
**5.1 Local test**
1) Check the repository out to a local directory
~~~
[root@puppetserver ~]# svn checkout file:///svndata/puppet /puppet/puppet
~~~
2) Create and add a new directory and files
~~~
[root@puppetserver puppet]# svn add ssh
~~~
3) Commit the modified files to the SVN server; the repository revision then increases by 1
~~~
[root@puppetserver .svn]# svn commit -m "add ssh modules" /puppet/puppet/*
~~~
**5.2 Remote test (Linux)**
~~~
[root@agent1 svndata]# svn checkout http://172.16.200.100/svndata/ /mnt/
~~~
**5.3 Client test with TortoiseSVN (Windows)**