Puppet自動化管理—sudo和ssh

一．sudo自動化配置

模塊化管理

管理員將類似的配置組合成模塊,比如webserver裡面就包含了web伺服器的所有相關設置.使用模塊可以將puppet

代碼重用和共享.

模塊的目錄路徑

默認路徑：/etc/puppet/modules 或者使用modulepath變數設置路徑

檢查默認的

module路徑

[root@master ~]# puppet --genconfig|grep modulepath 
 
modulepath = /etc/puppet/modules:/usr/share/puppet/modules 
 

創建sudo模塊對應目錄

[root@master ~]# mkdir -p /etc/puppet/modules/sudo/{files,templates,manifests} 
 
[root@master ~]# touch /etc/puppet/modules/sudo/manifests/init.pp 

模塊目錄中的manifests目錄包含有init.pp和其他配置文件,init.pp文件是模塊配置的核心文件,每個模塊都包含init.pp文件.files目錄包含有用於傳輸的文件,比如應用的默認配置文件. Templates目錄包含有模塊可能會用到的配置文件的模板.

編輯init.pp文件,內容如下

[root@master ~]# vim /etc/puppet/modules/sudo/manifests/init.pp 
 
 class sudo { 
 
       package {sudo: 
 
           ensure=>present, 
 
       } 
 
   
 
       if $operatingsystem == "Ubuntu" {                      
    
  
 
           package {"sudo-ldap": 
 
               ensure=>present, 
 
               require=>Package["sudo"], 
 
          } 
 
      }   
 
  
 
      file {"/etc/sudoers": 
 
          owner=>"root", 
 
          group=>"root", 
 
          mode=>0440, 
 
          source=>"puppet://$puppetserver/modules/sudo/etc/sudoers", 
 
          require=>Package["sudo"], 
 
      } 
 
  }   

在files

目錄中創建etc目錄,並複製一份sudoer文件到該目錄下

[root@master ~]# mkdir -p /etc/puppet/modules/sudo/files/etc 
 
[root@master ~]# cp /etc/sudoers  /etc/puppet/modules/sudo/files/etc/ 

編輯nodes.pp文件,將

sudo模塊應用到相應的節點

[root@master ~]# vim /etc/puppet/manifests/nodes.pp 
 
  
 
   node 'client1.centos' { 
 
       include sudo 
 
   } 

當然在site.pp文件中需要包含node.pp文件,並設置$puppetserver

變數

[root@master ~]# vim /etc/puppet/manifests/site.pp 
 
   import 'nodes.pp' 
 
   $puppetserver="master.puppet" 

應該剛剛只針對了client1.centos應用了sudo模塊,需要到該節點上驗證是否成功

[root@client1 ~]# puppetd --server master.puppet --test

 
notice: Ignoring --listen on onetime run 
 
info: Caching catalog for client1.centos 
 
info: Applying configuration version '1330047901' 
 
notice: /Stage[main]/Sudo/Package[sudo]/ensure: created 
 
notice: Finished catalog run in 26.30 seconds 
 
You have new mail in /var/spool/mail/root 

將master上files目錄下的

Empire CMS,phome.net

sudoers文件稍作修改後,在client1.centos節點上再次驗證

[root@client1 ~]# puppetd   --server  master.puppet --test 
 
notice: Ignoring --listen on onetime run 
 
info: Caching catalog for client1.centos 
 
info: Applying configuration version '1330047901' 
 
notice: /Stage[main]/Sudo/File[/etc/sudoers]/ensure: defined content as '{md5}4093e52552d97099d003c645f15f9372' 
 
notice: Finished catalog run in 0.37 seconds 

配置客戶端自動運行的時間,客戶端增加配置

runinterval

[agent] 
 
    # The file in which puppetd stores a list of the classes 
 
    # associated with the retrieved configuratiion.  Can be loaded in 
 
    # the separate ``puppet`` executable using the ``--loadclasses`` 
 
    # option. 
 
    # The default value is '$confdir/classes.txt'. 
 
    classfile = $vardir/classes.txt 
 
  
 
    # Where puppetd caches the local configuration.  An 
 
    # extension indicating the cache format is added automatically. 
 
    # The default value is '$confdir/localconfig'. 
 
    localconfig = $vardir/localconfig 
 
  
 
    server=master.puppet 
 
    report=true 
 
    listen=true 
 
                       
    
  
runinterval=3600 

Node的定義

相同功能的node可以一起定義

node 'web1.example.com', 'web2.example.com', 'web3.example.com' { } 

定義

node也支持正則表達式

node /^web\d \.example\.com$/ { } 

Base node是基本的node,每個節點都會應用的設置可以放在base裡面

node base { 
 
… 
 
} 

Node的定義支持繼承

node webserver inherits base { 
 
… 
 
} 
 
node 'web.example.com' inherits webserver { 
 
… 
 
} 

二．SSH自動化管理

創建ssh模塊相應的目錄和文件

[root@master ~]# mkdir -p /etc/puppet/modules/ssh/{manifests,templetes,files} 

前面

sudo模塊的時候,所有相關的設置都是在init.pp文件中,但再SSH模塊中我們嘗試著將配置分為init.pp,install.pp,config.pp, service.pp,params.pp.

創建配置相應文件

[root@master ~]# touch /etc/puppet/modules/ssh/manifests/{install.pp,config.pp,service.pp} 

配置params.pp文件,該文件主要是配置模塊的參數

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/params.pp 
 
 class ssh::params { 
 
       case $operatingsystem { 
 
           Solaris: { 
 
               $ssh_package_name ='openssh' 
 
               $ssh_service_config='/etc/ssh/sshd_config' 
 
               $ssh_service_name='sshd' 
 
           } 
 
           
 
           /(Ubuntu|Debian)/: { 
 
              $ssh_package_name='openssh-server' 
 
              $ssh_service_config='/etc/ssh/sshd_config' 
 
              $ssh_service_name='sshd' 
 
          } 
 
          
 
          /(RedHat|CentOS|Fedora)/: { 
 
              $ssh_package_name='openssh-server'                        
   
 
              $ssh_service_config='/etc/ssh/sshd_config' 
 
              $ssh_service_name='sshd' 
 
          } 
 
      } 
 
  } 

編輯ssh模塊的init.pp文件

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/init.pp 
 
  
 
   class ssh{ 
 
Empire CMS,phome.net
                                include ssh::params,ssh::install,ssh::config,ssh::service 
 
   } 

編輯install.pp

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/install.pp 
 
         class ssh::install { 
 
             package {"$ssh::params::ssh_package_name": 
 
                ensure=>installed, 
 
             } 
 
         } 

編輯config.pp

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/config.pp 
 
      class                          ssh::config{ 
 
          file { $ssh::params::ssh_service_config: 
 
             ensure=>present, 
 
             owner=>'root', 
 
             group=>'root', 
 
             mode=>0600, 
 
             source=>"puppet://$puppetserver/modules/ssh/sshd_config", 
 
             require=>Class["ssh::install"], 
 
             notify=>Class["ssh::service"], 
 
   } 
 
   } 

Notify在這裡是發出通知到對應的類,即如果ssh:config改變了,就

notify通知ssh::service類.

編輯service.pp

[root@master ~]# vim /etc/puppet/modules/ssh/manifests/service.pp 
 
  
 
     class ssh::service{ 
 
         service{ $ssh::params::ssh_service_name: 
 
             ensure=>running, 
 
             hasstatus=>true, 
 
             hasrestart=>true, 
 
             enable=>true,                        
  
 
             require=>Class["ssh::config"], 
 
         } 
 
     } 

設置hasstatus告訴puppet該服務支持status命令,即類似service sshd status

設置

hasrestart告訴puppet該服務支持restart命令,即類似service sshd restart

複製默認的sshd_config文件到模塊的files目錄下

[root@master ~]# cp /etc/ssh/sshd_config   /etc/puppet/modules/ssh/files/ 

Ssh模塊設置完成,下面是將該模塊應用到節點上

編輯nodes.pp

[root@master ~]# vim /etc/puppet/manifests/nodes.pp 
 
  
 
   class base { 
 
       include sudo,ssh 
 
   } 
 
   
 
   node 'client1.centos' { 
 
       include base 
 
   }                        
         
 
   
 
   node 'client2.centos' { 
 
      include  base 
 
 } 

到節點上驗證配置是否正確

[root@client1 ~]# puppetd   --server  master.puppet --test 
 
notice: Ignoring --listen on onetime run 
 
info: Caching catalog for client1.centos 
 
info: Applying configuration version '1330052716' 
 
--- /etc/ssh/sshd_config        2011-12-08 04:25:10.000000000  0800 
 
    /tmp/puppet-file20120224-27947-1eierk0-0                             2012-02-24 11:06:15.203891553  0800 
 
@@ -1,3  1,4 @@ 
 
 # puppet auto configuration 
 
 #      $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ 
 
  
 
 # This is the sshd server system-wide configuration file.  See 
 
info: FileBucket adding {md5}853a26a0f4b8a7fc8529e45ed57fe67b 
 
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Filebucketed /etc/ssh/sshd_config to puppet with sum 853a26a0f4b8a7fc8529e45ed57fe67b 
 
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: content changed '{md5}853a26a0f4b8a7fc8529e45ed57fe67b' to '{md5}4a860a0861932b44d8af13e64d953b39' 
 
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Service[sshd]                          
 
notice: /Stage[main]/Ssh::Service/Service[sshd]: Triggered 'refresh' from 1 events 
 
notice: Finished catalog run in 0.81 seconds 

本文出自 「Waydee的博客」 博客,請務必保留此出處http://waydee.blog.51cto.com/4677242/847134

Tags: linux system 系統