Puppet: automated management of sudo and ssh

1. Automating the sudo configuration
Modular management

Administrators group related configuration into modules; a webserver module, for example, holds every setting that belongs to the web server. Modules let Puppet code be reused and shared.
Module directory path

Default path: /etc/puppet/modules, or set the path with the modulepath variable.

Check the default module path:

    # puppet --genconfig | grep modulepath
    modulepath = /etc/puppet/modules:/usr/share/puppet/modules
Create the directories for the sudo module:

    # mkdir -p /etc/puppet/modules/sudo/{files,templates,manifests}
    # touch /etc/puppet/modules/sudo/manifests/init.pp
The manifests directory of a module holds init.pp and the other manifest files; init.pp is the core of the module's configuration, and every module must contain one. The files directory holds files to be distributed to nodes, such as an application's default configuration file. The templates directory holds templates for any configuration files the module may need.

Edit init.pp with the following content:

    # vim /etc/puppet/modules/sudo/manifests/init.pp

    class sudo {
      package { 'sudo':
        ensure => present,
      }

      if $operatingsystem == 'Ubuntu' {
        package { 'sudo-ldap':
          ensure  => present,
          require => Package['sudo'],
        }
      }

      file { '/etc/sudoers':
        owner   => 'root',
        group   => 'root',
        mode    => '0440',
        source  => "puppet://$puppetserver/modules/sudo/etc/sudoers",
        require => Package['sudo'],
      }
    }
Create an etc directory under files and copy the sudoers file into it:

    # mkdir -p /etc/puppet/modules/sudo/files/etc
    # cp /etc/sudoers /etc/puppet/modules/sudo/files/etc/
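A hardened variant of the sudo class, added here as an example and not part of the original page: it validates the sudoers file before it is put in place. It assumes Puppet 3.5 or later (the release in which the file type gained validate_cmd) and that visudo is at /usr/sbin/visudo.

```puppet
# Added example, not the original module's code. Assumes Puppet >= 3.5
# (validate_cmd) and visudo at /usr/sbin/visudo; adjust the path if needed.
class sudo {
  package { 'sudo':
    ensure => present,
  }

  file { '/etc/sudoers':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    # Three slashes: the agent fetches from whichever master it talks to,
    # so no $puppetserver variable is required.
    source       => 'puppet:///modules/sudo/etc/sudoers',
    # visudo parses the staged copy before the real file is replaced;
    # Puppet substitutes the temporary file's path for '%'. A syntax
    # error fails the resource and leaves the old sudoers untouched,
    # rather than shipping a broken file that locks admins out of sudo.
    validate_cmd => '/usr/sbin/visudo -c -f %',
    require      => Package['sudo'],
  }
}
```

The same pattern protects sshd_config: `validate_cmd => '/usr/sbin/sshd -t -f %'` on the file resource in ssh::config aborts the change when sshd rejects the new configuration.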
Edit nodes.pp to apply the sudo module to the appropriate node:

    # vim /etc/puppet/manifests/nodes.pp

    node 'client1.centos' {
      include sudo
    }
site.pp must of course import nodes.pp and set the $puppetserver variable:

    # vim /etc/puppet/manifests/site.pp

    import 'nodes.pp'

    $puppetserver = "master.puppet"
The sudo module was applied only to client1.centos, so verify on that node that the run succeeds:

    # puppetd --server master.puppet --test
    notice: Ignoring --listen on onetime run
    info: Caching catalog for client1.centos
    info: Applying configuration version '1330047901'
    notice: /Stage[main]/Sudo/Package[sudo]/ensure: created
    notice: Finished catalog run in 26.30 seconds
Make a small change to the sudoers file in the files directory on the master, then run the agent on client1.centos again:

    # puppetd --server master.puppet --test
    notice: Ignoring --listen on onetime run
    info: Caching catalog for client1.centos
    info: Applying configuration version '1330047901'
    notice: /Stage[main]/Sudo/File[/etc/sudoers]/ensure: defined content as '{md5}4093e52552d97099d003c645f15f9372'
    notice: Finished catalog run in 0.37 seconds
To set how often the client runs automatically, add runinterval to the client's configuration:

    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    server = master.puppet
    report = true
    listen = true
    runinterval = 3600
Defining nodes

Nodes with the same role can be defined together:

    node 'web1.example.com', 'web2.example.com', 'web3.example.com' { }

Node definitions also support regular expressions:

    node /^web\d+\.example\.com$/ { }
A base node holds the settings that every node should receive:

    node base {
      …
    }
Node definitions support inheritance:

    node webserver inherits base {
      …
    }

    node 'web.example.com' inherits webserver {
      …
    }
2. Automated SSH management

Create the directories and files for the ssh module:

    # mkdir -p /etc/puppet/modules/ssh/{manifests,templates,files}
In the sudo module all the settings lived in init.pp; in the SSH module we instead split the configuration into init.pp, install.pp, config.pp, service.pp and params.pp.

Create the corresponding manifest files:

    # touch /etc/puppet/modules/ssh/manifests/{install.pp,config.pp,service.pp,params.pp}
Configure params.pp, which holds the module's parameters:

    # vim /etc/puppet/modules/ssh/manifests/params.pp

    class ssh::params {
      case $operatingsystem {
        Solaris: {
          $ssh_package_name   = 'openssh'
          $ssh_service_config = '/etc/ssh/sshd_config'
          $ssh_service_name   = 'sshd'
        }

        /(Ubuntu|Debian)/: {
          $ssh_package_name   = 'openssh-server'
          $ssh_service_config = '/etc/ssh/sshd_config'
          $ssh_service_name   = 'sshd'
        }

        /(RedHat|CentOS|Fedora)/: {
          $ssh_package_name   = 'openssh-server'
          $ssh_service_config = '/etc/ssh/sshd_config'
          $ssh_service_name   = 'sshd'
        }
      }
    }
Edit the ssh module's init.pp:

    # vim /etc/puppet/modules/ssh/manifests/init.pp

    class ssh {
      include ssh::params, ssh::install, ssh::config, ssh::service
    }
Edit install.pp:

    # vim /etc/puppet/modules/ssh/manifests/install.pp

    class ssh::install {
      package { "$ssh::params::ssh_package_name":
        ensure => installed,
      }
    }
Edit config.pp:

    # vim /etc/puppet/modules/ssh/manifests/config.pp

    class ssh::config {
      file { $ssh::params::ssh_service_config:
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0600',
        source  => "puppet://$puppetserver/modules/ssh/sshd_config",
        require => Class['ssh::install'],
        notify  => Class['ssh::service'],
      }
    }

notify here sends a notification to the named class: whenever ssh::config changes, it notifies the ssh::service class.
Edit service.pp:

    # vim /etc/puppet/modules/ssh/manifests/service.pp

    class ssh::service {
      service { $ssh::params::ssh_service_name:
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
        require    => Class['ssh::config'],
      }
    }

Setting hasstatus tells Puppet that the service supports a status command, i.e. something like service sshd status.

Setting hasrestart tells Puppet that the service supports a restart command, i.e. something like service sshd restart.
Copy the default sshd_config file into the module's files directory:

    # cp /etc/ssh/sshd_config /etc/puppet/modules/ssh/files/
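As an added example (not code from the original module), here is ssh::config rendering sshd_config from class parameters instead of copying a static file from files/. It assumes Puppet 2.7 or later and the ssh::params class defined above; the ERB is inlined so the block stays a single file, whereas in the module it would sit in templates/sshd_config.erb and be loaded with template('ssh/sshd_config.erb').

```puppet
# Added example, not the original module's code. Assumes Puppet >= 2.7
# (@var access in templates) and the ssh::params class from this page.
class ssh::config (
  # Hardened defaults; override per node where a value must differ.
  # PasswordAuthentication 'no' presumes a public key is already deployed
  # for the admin account, otherwise the node becomes unreachable.
  $permit_root_login = 'no',
  $password_auth     = 'no',
  $ssh_port          = 22,
) {
  # Rendered on the master from the class parameters. In a real module
  # this string lives in templates/sshd_config.erb.
  $sshd_config = inline_template('# Managed by Puppet; local edits are overwritten on the next run.
Port <%= @ssh_port %>
Protocol 2
PermitRootLogin <%= @permit_root_login %>
PasswordAuthentication <%= @password_auth %>
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
Subsystem sftp internal-sftp
')

  file { $ssh::params::ssh_service_config:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    # content replaces source: nothing needs to be copied into files/,
    # and a parameter change shows up as a normal content diff.
    content => $sshd_config,
    require => Class['ssh::install'],
    # Any change to the file refreshes (restarts) sshd.
    notify  => Class['ssh::service'],
  }
}
```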
The ssh module is complete; next, apply it to the nodes.

Edit nodes.pp:

    # vim /etc/puppet/manifests/nodes.pp

    class base {
      include sudo, ssh
    }

    node 'client1.centos' {
      include base
    }

    node 'client2.centos' {
      include base
    }
Verify the configuration on the node:

    # puppetd --server master.puppet --test
    notice: Ignoring --listen on onetime run
    info: Caching catalog for client1.centos
    info: Applying configuration version '1330052716'
    --- /etc/ssh/sshd_config 2011-12-08 04:25:10.000000000 +0800
    +++ /tmp/puppet-file20120224-27947-1eierk0-0 2012-02-24 11:06:15.203891553 +0800
    @@ -1,3 +1,4 @@
    +# puppet auto configuration
     # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
     
     # This is the sshd server system-wide configuration file.See
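Review bot: this hunk shows that with --test the agent logs the full content diff of /etc/ssh/sshd_config, and since report=true was set earlier those log lines travel to the master inside the report; for managed files that carry secrets this copies their contents into logs and reports, so either set show_diff = false in the agent's configuration when such files are managed, or protect the logs and reports as strictly as the files themselves.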
[*]
    info: FileBucket adding {md5}853a26a0f4b8a7fc8529e45ed57fe67b
    info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 853a26a0f4b8a7fc8529e45ed57fe67b
    notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: content changed '{md5}853a26a0f4b8a7fc8529e45ed57fe67b' to '{md5}4a860a0861932b44d8af13e64d953b39'
    info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Service[sshd]
    notice: /Stage[main]/Ssh::Service/Service[sshd]: Triggered 'refresh' from 1 events
    notice: Finished catalog run in 0.81 seconds