Puppet Concise Tutorial

Puppet - File Server

Puppet follows a client/server model: one machine in the setup acts as the server and runs the Puppet server software, while the remaining machines act as clients and run the Puppet agent software. The file server feature helps to copy files to multiple machines. File serving in Puppet is part of the central Puppet daemon; puppetmasterd and the client both play a key role when a file resource's content is sourced from the file server.

class { 'java':
   package               => 'jdk-8u25-linux-x64',
   java_alternative      => 'jdk1.8.0_25',
   java_alternative_path => '/usr/java/jdk1.8.0_25/jre/bin/java'
}

As in the code snippet above, Puppet's file serving function abstracts the local filesystem topology by serving files through file-serving modules. A file-serving module is referenced with a URL of the following form.

“puppet://server/modules/module_name/sudoers”

File Format

In the Puppet directory structure, the file server configuration is located by default at /etc/puppet/fileserver.config. If the user wishes to change this default configuration file path, it can be done with a config flag to puppetmasterd. The configuration file resembles an INI file but is not exactly the same.

[module]
path /path/to/files
allow *.domain.com
deny *.wireless.domain.com

As shown in the snippet above, all three options appear in the configuration file. The module name goes in square brackets. The path is the only required option. The default security policy is to deny all access, so a module with no allow lines is configured but no client can retrieve files from it.

The path can contain any or all of %d, %h and %H, which are dynamically replaced by the client's domain name, host name and fully qualified host name respectively. All are taken from the client's SSL certificate (so be careful if the host name and the certificate name do not match). This is useful for creating modules in which each client's files are kept completely separate, for example for private host keys.

[private]
path /data/private/%h
allow *

With the snippet above, a request from the client client1.vipin.com for the file /private/file.txt is looked up at /data/private/client1/file.txt, while the same request from client2.vipin.com retrieves /data/private/client2/file.txt on the file server.

Security

Puppet supports two basic concepts for securing files on the Puppet file server: allowing access to specific files and denying access to the ones that should not be served. By default, Puppet does not allow access to any file; access must be defined explicitly. Allow and deny entries can be written as an IP address, a host name, or a global allow.

If the client does not connect to the Puppet file server directly, for example when a reverse proxy and Mongrel are used, the file server sees all connections as coming from the proxy server rather than from the Puppet client. In such cases, restricting access by host name is the best practice.

One key point to note when defining the file structure is that all deny statements are evaluated before the allow statements. Hence, if any deny statement matches a host, that host is denied; a host that matches no allow statement is denied as well. This ordering sets the priority between the rules for a particular site.

Host Name

In any file server configuration, a host name can be specified in two ways: as a complete host name, or as an entire domain using the * wildcard, as in the following example.

[export]
path /usr
allow brcleprod001.brcl.com
allow *.brcl.com
deny brcleprod002.brcl.com

IP Address

In any file server configuration, addresses can be specified in the same way as host names, either as a complete IP address or as a wildcard address. CIDR notation can also be used.

[export]
path /usr
allow 127.0.0.1
allow 172.223.30.*
allow 172.223.30.0/24

Global Allow

A global allow is used when everyone should be able to access a particular module. A single wildcard lets every client access the module.

[export]
path /export
allow *
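To make the access rules above concrete, here is an added example (not Puppet's own code) that parses a constructed configuration in the format shown on this page and evaluates the semantics described here: %h/%d/%H path substitution, deny evaluated before allow, deny by default when no allow line matches, and host name, IP wildcard, CIDR and global patterns. The module names, hosts and addresses in the sample are constructed.

```python
import fnmatch
import ipaddress
# Constructed fileserver.conf-style sample (module names and addresses are made up).
SAMPLE_CONF = """[export]
path /usr
allow brcleprod001.brcl.com
allow *.brcl.com
deny brcleprod002.brcl.com
allow 172.223.30.0/24

[private]
path /data/private/%h
allow *
"""

def parse_fileserver_conf(text):
    """Parse [module] sections into {name: {'path': ..., 'allow': [...], 'deny': [...]}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            modules[current] = {"path": None, "allow": [], "deny": []}
            continue
        key, _, value = line.partition(" ")  # blank lines yield an empty key and are skipped
        if key == "path":
            modules[current]["path"] = value.strip()
        elif key in ("allow", "deny"):
            modules[current][key].append(value.strip())
    return modules

def pattern_matches(pattern, client_name, client_ip):
    """Match a global *, a CIDR block, or a hostname/IP glob such as *.brcl.com or 172.223.30.*."""
    if pattern == "*":
        return True
    if "/" in pattern:  # CIDR notation, e.g. 172.223.30.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(client_name, pattern) or fnmatch.fnmatchcase(client_ip, pattern)

def is_allowed(module, client_name, client_ip):
    """Deny rules are checked first; a client matched by no allow rule is denied (deny by default)."""
    if any(pattern_matches(p, client_name, client_ip) for p in module["deny"]):
        return False
    return any(pattern_matches(p, client_name, client_ip) for p in module["allow"])

def expand_path(path, client_name):
    """Substitute %H (FQDN), %h (short host) and %d (domain) taken from the client cert name."""
    host, _, domain = client_name.partition(".")
    return path.replace("%H", client_name).replace("%h", host).replace("%d", domain)
```

Because deny is checked first, brcleprod002.brcl.com is refused from [export] even though the *.brcl.com allow line would otherwise match it.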