    ├── LICENSE
    ├── README.md
    ├── SUMMARY.md
    ├── book.json
    ├── chapter1.md
    ├── chapter2.md
    ├── chapter3.md
    ├── chapter4.md
    ├── cover.jpg
    ├── foreman_leaning_1.md
    ├── foreman_leaning_10.md
    ├── foreman_leaning_11.md
    ├── foreman_leaning_12.md
    ├── foreman_leaning_13.md
    ├── foreman_leaning_14.md
    ├── foreman_leaning_15.md
    ├── foreman_leaning_16.md
    ├── foreman_leaning_17.md
    ├── foreman_leaning_18.md
    ├── foreman_leaning_19.md
    ├── foreman_leaning_2.md
    ├── foreman_leaning_3.md
    ├── foreman_leaning_4.md
    ├── foreman_leaning_5.md
    ├── foreman_leaning_6.md
    ├── foreman_leaning_7.md
    ├── foreman_leaning_8.md
    ├── foreman_leaning_9.md
    ├── puppet_learning_base1.md
    ├── puppet_learning_base10.md
    ├── puppet_learning_base2.md
    ├── puppet_learning_base3.md
    ├── puppet_learning_base4.md
    ├── puppet_learning_base5.md
    ├── puppet_learning_base6.md
    ├── puppet_learning_base7.md
    ├── puppet_learning_base8.md
    ├── puppet_learning_base9.md
    ├── puppet_learning_ext1.md
    ├── puppet_learning_ext2.md
    ├── puppet_learning_ext3.md
    ├── puppet_learning_ext4.md
    ├── puppet_learning_ext5.md
    ├── puppet_learning_ext6.md
    ├── puppet_learning_ext7.md
    ├── puppet_learning_ext8.md
    ├── puppet_learning_mco1.md
    ├── puppet_learning_mco2.md
    ├── puppet_learning_mco3.md
    ├── puppet_learning_mco4.md
    ├── puppet_learning_mco5.md
    ├── puppet_learning_mco6.md
    └── puppet_learning_mco7.md

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------

The MIT License (MIT)

Copyright (c) 2014 Open Source Geek

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

## Preface

The online edition of this book can be read at: [http://kisspuppet.gitbooks.io/puppet/](http://kisspuppet.gitbooks.io/puppet/)

#### Why this book was written
"Calling SSH commands in a loop is not a solution I can accept."
---Luke Kanies, Puppet developer

《Puppet运维实战》 (Puppet in Operations Practice) is both the title of this book and its goal: to walk readers through how Puppet works and the ecosystem around it, and to build, step by step, everything from a simple client/server setup to a complete automation toolchain managed through a web UI.

#### Target readers
* Operations engineers who use Puppet for automation
* Operations engineers who want a quick start with Puppet
* Operations engineers with some Linux background

#### Errata and support
Given my limited ability and the rushed writing schedule, this book will inevitably contain errors or inaccuracies, and I ask readers to point them out. For any question, leave a comment under the articles on my blog ([http://www.kisspuppet.com](http://www.kisspuppet.com)) or ask in the Puppet Chinese community ([http://puppetmaster.cn](http://puppetmaster.cn)); I will answer as soon as I can.

#### Closing remarks
#### version: 0.0.02

"This book is written from my own day-to-day operations experience and its copyright belongs to me. It concentrates on hands-on practice and says relatively little about concepts; I will gradually improve it in later versions."

I hope this book helps you. If it does not, quietly drop it in the bin rather than flaming it. If you find any mistakes, please tell me so that we can all improve. Thank you.

#### Small donations
Sponsorship here is plain, unvarnished money: if you have Alipay, you can send a small payment directly.

![WeChat public account](http://kisspuppet.com/img/support_4.jpg)

#### How to get in touch

**WeChat public account: puppet2014**; search for it in WeChat or scan the QR code below to join

![WeChat public account](http://kisspuppet.com/img/weixin.jpg)

**QQ group: 296934942**

![](http://kisspuppet.com/img/contact1.jpg)

**By 陈刚 (KissPuppet) / 2014.12.09**
--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------

# Summary

* [Preface](README.md)
* [Chapter 1: Puppet basics](chapter1.md)
    * [Purpose of this series](puppet_learning_base1.md)
    * [How to learn and use Puppet](puppet_learning_base2.md)
    * [Preparations before installing Puppet](puppet_learning_base3.md)
    * [Installing, configuring and using Puppet](puppet_learning_base4.md)
    * [Establishing the trust relationship between master and agent](puppet_learning_base5.md)
    * [Choosing how Puppet applies updates](puppet_learning_base6.md)
    * [Writing the first complete test module: puppet](puppet_learning_base7.md)
    * [Writing the second complete test module: yum](puppet_learning_base8.md)
    * [Multi-environment configuration for puppetmaster](puppet_learning_base9.md)
    * [Four ways to implement custom facts](puppet_learning_base10.md)
* [Chapter 2: Extending Puppet](chapter2.md)
    * [Custom facts combined with an ENC (hiera) in practice](puppet_learning_ext1.md)
    * [Using virtual resources to resolve puppet conflicts](puppet_learning_ext2.md)
    * [Scaling the master's SSL throughput (apache)](puppet_learning_ext3.md)
    * [Scaling the master's SSL throughput (nginx)](puppet_learning_ext4.md)
    * [Load balancing the master with multiple processes (nginx + mongrel)](puppet_learning_ext5.md)
    * [Scaling puppetmaster horizontally for a more flexible architecture](puppet_learning_ext6.md)
    * [Combining puppet code with a version control system](puppet_learning_ext7.md)
    * [Deploying and testing Puppet dashboard](puppet_learning_ext8.md)
* [Chapter 3: The MCollective architecture](chapter3.md)
    * [Introducing the MCollective architecture](puppet_learning_mco1.md)
    * [Deploying MCollective + MQ](puppet_learning_mco2.md)
    * [Deploying and testing the Puppet plugin](puppet_learning_mco3.md)
    * [Deploying and testing the other MCollective plugins](puppet_learning_mco4.md)
    * [MCollective security design](puppet_learning_mco5.md)
    * [MQ security design](puppet_learning_mco6.md)
    * [Highly available MCollective with multiple MQs](puppet_learning_mco7.md)
* [Chapter 4: Introducing the Foreman architecture](chapter4.md)
    * [Why Foreman is such a powerful automation tool](foreman_leaning_1.md)
    * [Preparing the environment before installation](foreman_leaning_2.md)
    * [Installing Foreman 1.5 (all-in-one)](foreman_leaning_3.md)
    * [Installing Foreman 1.6 (foreman and puppetmaster separated)](foreman_leaning_4.md)
    * [Installing Foreman 1.7 (from source, testing only)](foreman_leaning_5.md)
    * [Integrating puppetmaster](foreman_leaning_6.md)
    * [Foreman with mcollective for push actions](foreman_leaning_7.md)
    * [Foreman with puppetssh for push actions](foreman_leaning_8.md)
    * [Comparing Foreman's ENC environment with the fact environment](foreman_leaning_9.md)
    * [How to turn a hostgroup into a local fact](foreman_leaning_10.md)
    * [Smart variables combined with parameterized puppet classes](foreman_leaning_11.md)
    * [Using Foreman's reporting system](foreman_leaning_12.md)
    * [Load balancing Foreman-proxy](foreman_leaning_13.md)
    * [Displaying code and file contents in Foreman](foreman_leaning_14.md)
    * [Integrating Foreman with virtualization management software](foreman_leaning_15.md)
    * [Automated OS deployment with Foreman (part 1)](foreman_leaning_16.md)
    * [Automated OS deployment with Foreman (part 2)](foreman_leaning_17.md)
    * [Using the Foreman CLI (Hammer)](foreman_leaning_18.md)
    * [Foreman's current shortcomings](foreman_leaning_19.md)

--------------------------------------------------------------------------------
/book.json:
--------------------------------------------------------------------------------

    {
        "title": "My Book",
        "author": "Author",
        "font": {
            "size": null,
            "family": "Impact",
            "color": "#FFF"
        },
        "size": {
            "w": 1800,
            "h": 2360
        },
        "background": {
            "color": "#09F"
        }
    }

--------------------------------------------------------------------------------
/chapter1.md:
--------------------------------------------------------------------------------

# Chapter 1: Puppet basics

In this chapter you will learn the fundamentals of Puppet: how to build a client/server Puppet environment from scratch, a few test modules that show how powerful Puppet is, and finally how to implement custom facts. If you already know all of this, skip the chapter.

--------------------------------------------------------------------------------
/chapter2.md:
--------------------------------------------------------------------------------

# Chapter 2: Extending Puppet

In this chapter you will learn features layered on top of the client/server architecture, such as ENCs and virtual resources, as well as how to scale Puppet for performance and high availability. It closes with integration with version control systems and deployment of Puppet's own dashboard.

--------------------------------------------------------------------------------
/chapter3.md:
--------------------------------------------------------------------------------

# Chapter 3: The MCollective architecture

In this chapter you will learn the mcollective + MQ parallel execution framework, which lets you run all kinds of commands efficiently across nodes, puppet commands included.

--------------------------------------------------------------------------------
/chapter4.md:
--------------------------------------------------------------------------------

# Chapter 4: Introducing the Foreman architecture

The previous three chapters were all done at the command line, which is not ideal for those who dislike terminals. This chapter formally introduces a polished management tool for the puppet + mco framework.

--------------------------------------------------------------------------------
/cover.jpg:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/kisspuppet/puppetbook/193dc4f9aa1aa987d8618d0a21c7a2e64a6195d3/cover.jpg

--------------------------------------------------------------------------------
/foreman_leaning_1.md:
--------------------------------------------------------------------------------

#### Introducing the Foreman architecture 1: why Foreman is such a powerful automation tool

Before adopting Foreman, I spent a lot of time testing another front end from the Puppet ecosystem, KermIT ([kermit.fr](http://kermit.fr), which requires getting past the Great Firewall). Honestly, the KermIT architecture is quite good, particularly in how well it integrates the various mcollective plugins, but the community is inactive, releases are very slow and the pitfalls are many, so in the end I gave it up. Its architecture is still worth borrowing from, and anyone who wants to build their own UI in front of Puppet should study it.

This article introduces another excellent front-end management tool, Foreman. What is Foreman? The official definition: Foreman is a complete lifecycle management tool for physical and virtual servers.

**Why use Foreman as the front end for configuration management?**

This article examines the question from the following angles.

## 1. Foreman's architecture ##

A Foreman installation will always contain a central foreman instance that is responsible for providing the Web based GUI, node configurations, initial host configuration files, etc. However, if the foreman installation supports unattended installations then other operations need to be performed to fully automate this process. The smart proxy manages remote services and is generally installed with all Foreman installations to allow for TFTP, DHCP, DNS, and Puppet, and the Puppet CA.
The above is the official description; below I summarize from day-to-day use, taking the current stable release 1.5.3 as the example.

1. Foreman itself is only a framework; it delegates to various applications through smart-proxy to deliver each function.
![Foreman architecture](http://kisspuppet.com/img/foreman_architecture.png)

2. By proxying DNS, DHCP and TFTP, Foreman provides a single graphical management window over automated OS installation tools such as kickstart, cobbler and jumpstart. In practice you only define templates (PXE, kickstart) in Foreman, and templates can embed snippets to keep them uniform and simple. Once that is done you add hosts, associate them with the templates you defined, and the PXE and ks files are generated for unattended installation.
![Foreman provisioning templates](http://kisspuppet.com/img/foreman_leaning_2.png)
![Foreman provisioning templates](http://kisspuppet.com/img/foreman_leaning_3.png)

3. By proxying Puppet and the Puppet CA, Foreman manages Puppet certificate auto-signing, environments, classes, variables and facts.
![Foreman Puppet management](http://kisspuppet.com/img/foreman_leaning_4.png)
![Foreman Puppet management](http://kisspuppet.com/img/foreman_leaning_5.png)

4. Foreman manages the association between classes and nodes through its ENC and static host groups.
![Foreman host groups](http://kisspuppet.com/img/foreman_leaning_6.png)

5. Through the Puppet plugin, Foreman can trigger puppet runs on nodes from the UI. The trigger can be implemented with puppetkick (deprecated), mcollective (via sudo), puppetssh (via SSH keys), salt, customrun and other tools.
![Foreman puppet run](http://kisspuppet.com/img/foreman_leaning_7.png)

6. Foreman collects the reports and run status of every node's puppet runs.
![Foreman reports](http://kisspuppet.com/img/foreman_leaning_8.png)

7. Foreman also provides search, reporting and other features that give a better picture of how nodes are running.
![Foreman reporting](http://kisspuppet.com/img/foreman_leaning_9.png)

8. Besides bare metal, Foreman can manage virtualization platforms such as RHEV-M, EC2, VMware and OpenStack.
![Foreman compute resources](http://kisspuppet.com/img/foreman_leaning_10.png)

9. Foreman can integrate with LDAP and AD.
10. Foreman provides a powerful entry point for user and permission management: you can create multiple users and user groups and define roles for permissions. Users with different permissions see different functions and different hosts in the UI.
![Foreman users and roles](http://kisspuppet.com/img/foreman_leaning_11.png)

11. Foreman provides Audits of every operation performed in the UI, so all user actions are traceable.
![Foreman audits](http://kisspuppet.com/img/foreman_leaning_12.png)

Beyond these there are many other features...

**Shortcoming for configuration management: the integration between Foreman and mcollective is not good; it merely reuses the puppetkick plugin to run a single mcollective command. Whether this will improve later remains to be seen.**

## 2. Foreman's release roadmap ##

**Foreman's release history:**

![Foreman release roadmap](http://kisspuppet.com/img/foreman_leaning_1.png)

As the chart shows, Foreman is evolving very quickly, both in release cadence and in community activity. The current stable release is **1.5.3** (as of 18 October 2014).

**Current and planned release roadmap:** [http://projects.theforeman.org/rb/releases/foreman](http://projects.theforeman.org/rb/releases/foreman)

## 3. Foreman community activity ##

**Foreman Google Groups:**

[https://groups.google.com/forum/#!forum/foreman-users](https://groups.google.com/forum/#!forum/foreman-users)

[https://groups.google.com/forum/#!forum/foreman-dev](https://groups.google.com/forum/#!forum/foreman-dev)

**Foreman IRC:**
"#theforeman"

[http://webchat.freenode.net/](http://webchat.freenode.net/)

--------------------------------------------------------------------------------
/foreman_leaning_10.md:
--------------------------------------------------------------------------------

#### Introducing the Foreman architecture 10: how to turn a hostgroup into a local fact

In Foreman you can define multiple Host Groups according to your business logic and add different nodes to different groups. Then, whenever you perform a "puppet run", you only need to search for the host group to find every node it contains, as shown below

![Foreman host group search](http://kisspuppet.com/img/foreman10-1.png)

However, Foreman's integration of mcollective in `puppet run` is currently very limited: it can essentially run only one command. So how do you operate on these custom `Host Groups` from a shell with the mco command? The answer is to turn them into facts.

There are four ways to define custom facts, see: [http://kisspuppet.com/2014/03/30/puppet_learning_base10/](http://kisspuppet.com/2014/03/30/puppet_learning_base10/)

Here I use the third method to turn the Host Groups configured in Foreman into each node's own fact

## 1. First create the host groups ##

![Foreman host groups](http://kisspuppet.com/img/foreman10-2.png)

## 2. View a node's host group information ##
This is effectively a custom external variable named hostgroup whose value is the name of the group the node belongs to

![Foreman host parameters](http://kisspuppet.com/img/foreman10-3.png)

![Foreman host parameters](http://kisspuppet.com/img/foreman10-4.png)

## 3. Write a fact module ##

The module's job is to write Foreman's "hostgroup" variable to /etc/facter/facts.d/${hostname}.txt on every node, in the standard external fact format.

    # module layout
    [root@puppetmaster162 modules]# tree fact
    fact
    ├── files
    ├── manifests
    │   ├── config.pp
    │   ├── fact.pp
    │   ├── init.pp
    │   └── params.pp
    └── templates
        └── hostgroup.erb

    3 directories, 5 files

    # main manifest init.pp
    [root@puppetmaster162 modules]# cat fact/manifests/init.pp
    class fact {
      tag("puppet_env")
      require fact::params
      $hostgroup_erb = $fact::params::hostgroup_erb
      include fact::config
      include fact::facter
    }

    # create the directories and the external fact file
    [root@puppetmaster162 modules]# cat fact/manifests/config.pp
    class fact::config {
      file { '/etc/facter':
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
      }
      file { '/etc/facter/facts.d':
        ensure  => directory,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        require => File['/etc/facter'],
      }
      # one file per node, named after the hostname fact, readable by root only
      file { "/etc/facter/facts.d/${::hostname}.txt":
        owner   => 'root',
        group   => 'root',
        mode    => '0400',
        content => template($fact::hostgroup_erb),
        require => File['/etc/facter/facts.d'],
      }
    }

    # define variables
    [root@puppetmaster162 modules]# cat fact/manifests/params.pp
    class fact::params {
      $hostgroup_erb = 'fact/hostgroup.erb'
    }

    # write the mcollective facts file (for the reason see http://kisspuppet.com/2013/11/10/mcollective-middleware/)
    [root@puppetmaster162 manifests]# cat fact.pp
    class fact::facter {
      file { '/etc/mcollective/facts.yaml':
        owner    => 'root',
        group    => 'root',
        mode     => '0440',
        loglevel => debug, # reduce noise in Puppet reports
        # dump every fact except those whose names match the pattern (uptime, paths, timestamps, free memory, passwords, PSKs, keys)
        content  => inline_template('<%= scope.to_hash.reject { |k,v| k.to_s =~ /(uptime.*|path|timestamp|free|.*password.*|.*psk.*|.*key)/ }.to_yaml %>'),
      }
    }

    # the fact file template
    [root@puppetmaster162 modules]# cat fact/templates/hostgroup.erb
    hostgroup=<%= @hostgroup %>
    foreman_env=<%= @foreman_env %>

## 4. Manage the host groups and the fact module in Foreman ##

Import the class first, then associate it in the host group. Since the fact module applies to every host, associate it with the top-level host group; nodes added to it inherit it automatically. After association the result looks like this

![Foreman class association](http://kisspuppet.com/img/foreman10-5.png)

![Foreman class association](http://kisspuppet.com/img/foreman10-6.png)

## 5. Run "puppet run" on two nodes from Foreman ##

![Foreman puppet run](http://kisspuppet.com/img/foreman10-7.png)

## 6. Check that the fact was generated ##

    [root@foreman163 ~]# facter hostgroup
    prd

    [root@puppetmaster162 ~]# facter hostgroup
    prd/kisspuppet

## 7. Filter with mco using the fact ##

    [root@puppetmaster162 ~]# mco ping -F hostgroup=prd
    foreman163.kisspuppet.com                time=98.55 ms


    ---- ping statistics ----
    1 replies max: 98.55 min: 98.55 avg: 98.55
    [root@puppetmaster162 ~]# mco ping -F hostgroup=prd/kisspuppet
    puppetmaster162.kisspuppet.com           time=94.14 ms


    ---- ping statistics ----
    1 replies max: 94.14 min: 94.14 avg: 94.14
    [root@puppetmaster162 ~]# mco puppet -v runonce -F hostgroup=prd/kisspuppet
    Discovering hosts using the mc method for 2 second(s) .... 1

     * [ ============================================================> ] 1 / 1


    puppetmaster162.kisspuppet.com          : OK
        {:summary=> "Started a Puppet run using the 'puppet agent --test --color=false --splay --splaylimit 30' command"}



    ---- rpc stats ----
               Nodes: 1 / 1
         Pass / Fail: 1 / 0
          Start Time: Thu Dec 18 15:13:09 +0800 2014
      Discovery Time: 2004.07ms
          Agent Time: 85.19ms
          Total Time: 2089.26ms

**Note:** the above is only one approach; other approaches will depend on the actual environment. In short, facts are powerful; how you use them is up to you.

--------------------------------------------------------------------------------
/foreman_leaning_11.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/foreman_leaning_12.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/foreman_leaning_13.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/foreman_leaning_14.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/foreman_leaning_15.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/foreman_leaning_16.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...
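Returning to the fact module in foreman_leaning_10 above: the following Ruby script is an added example, not code from the book, that reproduces on plain Ruby what the module does on a node, so the behaviour can be checked without Puppet or MCollective. It renders the same two lines as hostgroup.erb, parses the facts.d `key=value` format, applies the same key-filter regex the inline_template uses for /etc/mcollective/facts.yaml, and evaluates `mco -F name=value` style filters (exact match, or `/regex/`) over constructed sample facts for the two nodes in the article; all fact values are constructed, not real.

```ruby
require 'yaml'

# Same expression as the inline_template in fact::facter above. It is a denylist on fact
# *names*: anything not named like a password, PSK or key still ends up in facts.yaml.
SENSITIVE_FACT_RE = /(uptime.*|path|timestamp|free|.*password.*|.*psk.*|.*key)/

# Renders the two lines hostgroup.erb produces for one node.
def render_hostgroup_fact(hostgroup, foreman_env)
  "hostgroup=#{hostgroup}\nforeman_env=#{foreman_env}\n"
end

# Parses a facts.d text file ("key=value" per line, the format Facter reads from /etc/facter/facts.d).
def parse_facts_d(text)
  text.each_line.each_with_object({}) do |line, facts|
    line = line.strip
    next if line.empty? || line.start_with?('#') || !line.include?('=')
    key, value = line.split('=', 2)
    facts[key.strip] = value.strip
  end
end

# Mirrors `scope.to_hash.reject { |k,v| k.to_s =~ SENSITIVE_FACT_RE }` from the template.
# Returns [facts that would be written to facts.yaml, sorted names of the facts dropped].
def partition_facts(facts)
  kept, dropped = facts.partition { |k, _| (k.to_s =~ SENSITIVE_FACT_RE).nil? }
  [kept.to_h, dropped.map(&:first).sort]
end

# Evaluates one MCollective-style fact filter against a {node => facts} hash:
# "name=value" is an exact string match, "name=/re/" is a regular-expression match.
# Returns the sorted names of the nodes that match.
def mco_fact_filter(nodes, filter)
  name, pattern = filter.split('=', 2)
  raise ArgumentError, "bad filter #{filter.inspect}" if name.nil? || pattern.nil?
  regex = pattern.match(%r{\A/(.*)/\z}) # "/.../" selects regular-expression matching
  nodes.select do |_, facts|
    value = facts[name]
    next false if value.nil?
    regex ? Regexp.new(regex[1]).match?(value) : value == pattern
  end.keys.sort
end

# Constructed sample facts for the two nodes in the article (values are not real).
SAMPLE_NODES = {
  'foreman163.kisspuppet.com' =>
    parse_facts_d(render_hostgroup_fact('prd', 'production')).merge(
      'uptime_days' => '12', 'memoryfree' => '1.20 GB', 'rubysitedir' => '/usr/lib/ruby/site_ruby/1.8',
      'sshrsakey' => 'AAAAB3NzaC1yc2E...constructed', 'mysql_root_password' => 'constructed-secret',
      'mco_psk' => 'constructed-psk', 'api_token' => 'constructed-token'
    ),
  'puppetmaster162.kisspuppet.com' =>
    parse_facts_d(render_hostgroup_fact('prd/kisspuppet', 'production')).merge(
      'uptime_days' => '3', 'memoryfree' => '640.00 MB', 'rubysitedir' => '/usr/lib/ruby/site_ruby/1.8'
    )
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_NODES.each do |node, facts|
    kept, dropped = partition_facts(facts)
    puts "#{node}: facts.yaml keeps #{kept.keys.sort.join(', ')}; filter drops #{dropped.join(', ')}"
  end
  # What /etc/mcollective/facts.yaml would contain for foreman163 (note api_token survives the denylist).
  puts YAML.dump(partition_facts(SAMPLE_NODES['foreman163.kisspuppet.com']).first)
  # Exact match reproduces the two `mco ping` results in section 7; the regex form matches both nodes.
  %w[hostgroup=prd hostgroup=prd/kisspuppet hostgroup=/^prd/].each do |f|
    puts "mco ping -F #{f} -> #{mco_fact_filter(SAMPLE_NODES, f).inspect}"
  end
end
```

The exact-match semantics explain why `-F hostgroup=prd` in section 7 found only foreman163 and not the `prd/kisspuppet` node; the regex form is how you would address a whole group tree.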
--------------------------------------------------------------------------------
/foreman_leaning_17.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/foreman_leaning_18.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/foreman_leaning_19.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/foreman_leaning_2.md:
--------------------------------------------------------------------------------

#### Introducing the Foreman architecture 2: preparing the environment before installation

The Foreman website provides very complete installation steps for every release, so installing from source or from rpm packages is convenient. Foreman also wraps the installation in Puppet modules and exposes a large number of installer parameters, which is very handy. However, because the system is so large, proxies so many pieces of software and pulls in a huge number of packages, installation is not quite that simple.

Below are the issues to consider and how to resolve them

**Special note:** all of the recommendations, operations and tests that follow are based on the current stable release 1.5.3. Versions 1.6 and 1.7 are not yet stable, so only their installation is covered.

For an introduction to Foreman 1.5.3 and its installation method see the official site [http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.3](http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.3)

## Choosing an operating system ##

The official Foreman yum repository only provides rpm packages for el6 and f19 ([http://yum.theforeman.org/](http://yum.theforeman.org/)) and deb packages for Debian ([http://deb.theforeman.org/](http://deb.theforeman.org/)); there are no packages for older releases or other systems. The source can also be downloaded: `git clone https://github.com/theforeman/foreman.git -b 1.5-stable`
So, if you plan to install from rpm packages, use one of the following systems and versions:

RHEL6.*

CentOS6.*

Fedora19

If you plan to install from deb packages, use one of the following systems and versions

Debian Linux 7.0 (Wheezy)

Debian Linux 6.0 (Squeeze)

Ubuntu Linux 14.04 LTS (Trusty Tahr)

Ubuntu Linux 12.04 LTS (Precise Pangolin)

If you do not intend to use any of these, for example the SLES systems common in finance, you will have to install from source. The source install is done with the bundle command; it is hard to get through, and even once installed the road ahead is difficult.

## Preparing packages ##

Foreman depends on a large number of packages, which must be obtained from the following sites

**1. Foreman:** [http://yum.theforeman.org/](http://yum.theforeman.org/)

**2. EPEL:** [http://fedoraproject.org/wiki/EPEL](http://fedoraproject.org/wiki/EPEL)

**3. PuppetLabs:** [http://yum.puppetlabs.com/](http://yum.puppetlabs.com/)

**4. RabbitMQ:** [http://www.rabbitmq.com/download.html](http://www.rabbitmq.com/download.html)

**Question:** these four sites carry a great many packages; how do you obtain just the ones needed to install Foreman?

If you are really lazy, download them from my GitHub [https://github.com/kisspuppet/foreman-repo](https://github.com/kisspuppet/foreman-repo)

## Package selection: ##

- **puppet-server 3.6.2**
- **puppet 3.6.2**
- **facter 2.0.2**
- **mcollective 2.2.4**
- **rabbitmq-server 3.2.4**
- **foreman 1.5.3**
- **foreman-proxy 1.5.4**

## Operating system configuration notes ##

**1. The operating system must be RHEL 6 or later; 6.4 or 6.5 is recommended.**

**2. The hostname must be a fully qualified FQDN and must be lowercase** (an uppercase name causes a grant error when installing MySQL and the installation does not go through)
e.g. foreman.kisspuppet.com

**3. Before installing, the puppet agent must be installed and its certificate signed by the puppetmaster.**

**4. The system time must match the puppetmaster; remember to disable the firewall and SELinux.**

--------------------------------------------------------------------------------
/foreman_leaning_3.md:
--------------------------------------------------------------------------------

#### Introducing the Foreman architecture 3: installing Foreman 1.5.3 (all-in-one)

**Note:** this experiment was done offline, so you need to create your own local yum repository; for how, see 《[How to build your own puppet yum repository for a given version](http://kisspuppet.com/2014/01/26/puppet_create_repo/)》. If you are really lazy or cannot sort out the rpm dependencies, download from my GitHub: [https://github.com/kisspuppet/foreman-repo](https://github.com/kisspuppet/foreman-repo)

For more installation details see the official site: [http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.4](http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.4)

The all-in-one installation below differs from the official one. The official method may need only a single command, but in my tests it sometimes succeeded and sometimes did not, so I changed to the approach below, which succeeds every time, is clearer, and makes it much easier to split off the puppetmaster later.

## 1. Package selection: ##
- **puppet-server 3.6.2**
- **puppet 3.6.2**
- **facter 2.0.2**
- **mcollective 2.2.4**
- **rabbitmq-server 3.2.4**
- **foreman 1.5.3**
- **foreman-proxy 1.5.4**

## 2. System environment ##

**OS version:**

    [root@foreman02 yum.repos.d]# cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.5 (Santiago)

**Network parameters:**

    [root@foreman02 yum.repos.d]# ip addr
    1: lo: mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:50:56:a6:5c:70 brd ff:ff:ff:ff:ff:ff
        inet 192.168.10.159/24 brd 192.168.10.255 scope global eth0
        inet6 fe80::250:56ff:fea6:5c70/64 scope link
           valid_lft forever preferred_lft forever

**Hostname:**

    [root@foreman02 yum.repos.d]# hostname -f
    foreman02.kisspuppet.com
    [root@foreman02 yum.repos.d]# cat /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.10.159  foreman02.kisspuppet.com  foreman02

**Platform:**

    [root@foreman02 yum.repos.d]# uname -r
    2.6.32-431.el6.x86_64

**yum repositories:**

    [root@foreman02 yum.repos.d]# cat foreman153.repo
    [foreman]
    name=Foreman
    baseurl=ftp://192.168.10.254/blog/foreman
    enabled=1
    gpgcheck=0

    [puppet]
    name=puppet
    baseurl=ftp://192.168.10.254/blog/puppet-el6
    enabled=1
    gpgcheck=0

    [rhel]
    name=RHEL
    baseurl=ftp://192.168.10.254/rhel6.5
    enabled=1
    gpgcheck=0

**Network security settings:**

    [root@foreman02 ~]# /etc/init.d/iptables status
    iptables: Firewall is not running.
    [root@foreman02 ~]# getenforce
    Disabled

## 3. Install Foreman ##

**3.1. Install puppetmaster and generate the CA and certificate**

    [root@foreman02 ~]# yum install foreman-installer
    [root@foreman02 ~]# yum install puppet-server puppet facter
    [root@foreman02 ~]# vim /etc/puppet/puppet.conf
    [master]
    certname = foreman02.kisspuppet.com

    [root@foreman02 ~]# /etc/init.d/puppetmaster start
    Starting puppetmaster:                                     [  OK  ]
    [root@foreman02 ~]# puppet cert --list --all
    + "foreman02.kisspuppet.com" (SHA256) 1D:7E:90:F5:16:7D:01:67:77:37:EE:31:3F:46:AD:0A:47:80:B6:DF:6A:5E:25:A8:DE:BA:78:45:C9:09:D6:BD (alt names: "DNS:foreman02.kisspuppet.com", "DNS:puppet", "DNS:puppet.kisspuppet.com")
    [root@foreman02 ~]# /etc/init.d/puppetmaster stop
    Stopping puppetmaster:                                     [  OK  ]

**3.2. Install foreman and its dependencies**

    [root@foreman02 ~]# yum install foreman mod_passenger mod_ssl ruby193-rubygem-passenger-native mysql mysql-server foreman-mysql2

**3.3. Install foreman with foreman-installer**

Foreman's default database is PostgreSQL; here MySQL is used instead.

    [root@foreman02 ~]# foreman-installer --foreman-db-adapter mysql2 --foreman-db-type mysql --no-enable-puppet --no-enable-foreman-proxy --foreman-configure-epel-repo=false
    Installing             Done                                               [100%] [...................]
      Success!
      * Foreman is running at https://foreman02.kisspuppet.com
          Default credentials are 'admin:changeme'
      The full log is at /var/log/foreman-installer/foreman-installer.log

After installation, open https://192.168.10.159 in Firefox or Chrome to check that it worked

![Foreman login](http://kisspuppet.com/img/foreman02-1.png)

![Foreman dashboard](http://kisspuppet.com/img/foreman02-2.png)

**3.4. Install foreman-proxy and its dependencies**

    [root@foreman02 ~]# yum install tftp-server syslinux foreman-proxy

**3.5. Install foreman-proxy, and reinstall foreman and puppetmaster with foreman-installer**

**Note:** the following proxies TFTP, DNS, DHCP, Puppet and Puppet CA, and puppetmaster will be installed to run under apache + passenger.

    [root@foreman02 ~]# foreman-installer --enable-foreman --enable-foreman-proxy --enable-puppet --puppet-server=true --foreman-proxy-puppetrun=true --foreman-proxy-puppetca=true --foreman-proxy-dhcp=true --foreman-proxy-tftp=true --foreman-proxy-dns=true --foreman-proxy-dns-interface=eth0 --foreman-proxy-dns-zone=kisspuppet.com --foreman-proxy-dns-reverse=10.168.192.in-addr.arpa --foreman-proxy-dns-forwarders=8.8.8.8 --foreman-proxy-dns-forwarders=8.8.4.4 --foreman-configure-epel-repo=false --foreman-proxy-register-in-foreman=false

    Installing             Done                                               [100%] [...................]
      Success!
      * Foreman is running at https://foreman02.kisspuppet.com
          Default credentials are 'admin:changeme'
      * Foreman Proxy is running at https://foreman02.kisspuppet.com:8443
      * Puppetmaster is running at port 8140
      The full log is at /var/log/foreman-installer/foreman-installer.log

If you only want to proxy puppet and the Puppet CA, install as follows

    [root@foreman02 ~]# foreman-installer --enable-foreman --enable-foreman-proxy --enable-puppet --puppet-server=true --foreman-proxy-puppetrun=true --foreman-proxy-puppetca=true --foreman-configure-epel-repo=false --foreman-proxy-register-in-foreman=false

## 4. Check that foreman, foreman-proxy and puppetmaster installed successfully ##

    [root@foreman02 ~]# /etc/init.d/httpd status
    httpd (pid  25433) is running...
    [root@foreman02 ~]# /etc/init.d/foreman-proxy status
    foreman-proxy (pid  25605) is running...

    [root@foreman02 ~]# netstat -naltp | grep 8443
    tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN      25605/ruby
    [root@foreman02 ~]# netstat -naltp | grep 80
    tcp        0      0 :::80                       :::*                        LISTEN      25433/httpd
    [root@foreman02 ~]# netstat -naltp | grep 8140
    tcp        0      0 :::8140                     :::*                        LISTEN      25433/httpd

## 5. Register the foreman-proxy in Foreman ##

To manage puppet, puppetca and so on, the requests must go through foreman-proxy. Which proxies are enabled or disabled is controlled in its configuration file `/etc/foreman-proxy/settings.yml`

![Foreman smart proxy registration](http://kisspuppet.com/img/foreman02-3.png)

![Foreman smart proxy registration](http://kisspuppet.com/img/foreman02-4.png)

![Foreman smart proxy registration](http://kisspuppet.com/img/foreman02-5.png)

![Foreman smart proxy registration](http://kisspuppet.com/img/foreman02-6.png)

--------------------------------------------------------------------------------
/foreman_leaning_4.md:
--------------------------------------------------------------------------------

#### Introducing the Foreman architecture 4: installing Foreman 1.6.3 (foreman and puppetmaster separated)

**Note:** this experiment was done offline, so you need to create your own local yum repository; for how, see 《[How to build your own puppet yum repository for a given version](http://kisspuppet.com/2014/01/26/puppet_create_repo/)》. If you are really lazy or cannot sort out the rpm dependencies, download from my GitHub: [https://github.com/kisspuppet/foreman-repo](https://github.com/kisspuppet/foreman-repo)

For more installation details see the official site: [http://theforeman.org/manuals/1.6/index.html](http://theforeman.org/manuals/1.6/index.html)

The all-in-one method described earlier is recommended for testing only. For production, install foreman and puppetmaster separately; this makes later maintenance and scaling easier. Also, if you already have a puppetmaster deployed, how to deploy foreman on its own and have it communicate with that puppetmaster is worth considering.

## 1. Package selection: ##
- **puppet-server 3.6.2**
- **puppet 3.6.2**
- **facter 2.0.2**
- **mcollective 2.2.4**
- **rabbitmq-server 3.2.4**
- **foreman 1.6.3**
- **foreman-proxy 1.6.3**

## 2. System environment ##

| Role         | Hostname                       | OS version     | IP               |
| -------------|:------------------------------:| --------------:|-----------------:|
| foreman      | foreman163.kisspuppet.com      | rhel6.4-x86_64 | 192.168.20.11/24 |
| puppetmaster | puppetmaster162.kisspuppet.com | rhel6.4-x86_64 | 192.168.20.12/24 |

## 3. Install puppetmaster ##

**3.1. Install puppetmaster and generate the CA and certificate**

    [root@puppetmaster162 ~]# yum install puppet puppet-server facter

    [root@puppetmaster162 puppet]# vim /etc/puppet/puppet.conf
    [agent]
    server = puppetmaster162.kisspuppet.com
    pluginsync = false
    ...
    [master]
    certname = puppetmaster162.kisspuppet.com
    environmentpath = /etc/puppet/environments
    basemodulepath = /etc/puppet/modules:/usr/share/puppet/modules
    environment_timeout = 10

    [root@puppetmaster162 ~]# /etc/init.d/puppetmaster start
    Starting puppetmaster:                                     [  OK  ]
    [root@puppetmaster162 ~]# puppet cert --list --all
    + "puppetmaster162.kisspuppet.com" (SHA256) 2E:B3:73:4F:CD:EE:0C:64:2C:DF:24:E6:D3:62:F3:1C:AC:A3:28:60:67:1D:0C:8C:C5:CA:68:5B:4B:2F:49:B9 (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster162.kisspuppet.com")

**3.2. Test that puppetmaster works**

    [root@puppetmaster162 ~]# puppet agent -t
    Info: Caching catalog for puppetmaster162.kisspuppet.com
    Info: Applying configuration version '1417749612'
    Notice: Finished catalog run in 0.04 seconds

**Note:** installed this way, puppetmaster runs on WEBrick, whose performance is very poor, and it should be moved to a better web server. For how, see [http://kisspuppet.com/2014/10/18/puppet_learning_ext3/](http://kisspuppet.com/2014/10/18/puppet_learning_ext3/) and [http://kisspuppet.com/2014/10/20/puppet_learning_ext4/](http://kisspuppet.com/2014/10/20/puppet_learning_ext4/)

## 4. Install Foreman ##

**4.1. Install the puppet agent and complete certificate signing**

    # install
    [root@foreman163 ~]# yum install puppet facter
    [root@foreman163 ~]# vim /etc/puppet/puppet.conf
    [main]
    ...
    privatekeydir = $ssldir/private_keys { group = service }
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }

    [agent]
    server = puppetmaster162.kisspuppet.com
    pluginsync = false

    # request a certificate
    [root@foreman163 ~]# puppet agent -t
    Info: Creating a new SSL key for foreman163.kisspuppet.com
    Info: Caching certificate for ca
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for foreman163.kisspuppet.com
    Info: Certificate Request fingerprint (SHA256): 35:5D:E5:74:71:E0:FD:D2:67:34:17:92:3D:60:F2:A1:34:26:BA:E5:2D:1F:3A:0E:07:6F:85:38:A8:39:8B:65
    Info: Caching certificate for ca
    Exiting; no certificate found and waitforcert is disabled

    # sign the certificate
    [root@puppetmaster162 ~]# puppet cert --sign foreman163.kisspuppet.com
    Notice: Signed certificate request for foreman163.kisspuppet.com
    Notice: Removing file Puppet::SSL::CertificateRequest foreman163.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/foreman163.kisspuppet.com.pem'

    # test
    [root@foreman163 ~]# puppet agent -t
    Info: Caching catalog for foreman163.kisspuppet.com
    Info: Applying configuration version '1417749612'
    Notice: Finished catalog run in 0.05 seconds

**4.2. Install foreman with foreman-installer**

Foreman's default database is PostgreSQL; here MySQL is used instead.

**Note:** openssl must be upgraded to version 1.0.1e

    # install the packages first
    [root@foreman163 ~]# yum install foreman-installer foreman mod_passenger mod_ssl ruby193-rubygem-passenger-native mysql mysql-server foreman-mysql2 openssl
    ...
    Updated:
      openssl.x86_64 0:1.0.1e-15.el6

    Replaced:
      ruby193-v8.x86_64 1:3.14.5.10-2.el6

    Complete!

    # then let foreman-installer drive puppet to do the configuration
    [root@foreman163 ~]# foreman-installer --foreman-db-adapter mysql2 --foreman-db-type mysql --no-enable-puppet --no-enable-foreman-proxy --foreman-configure-epel-repo=false
    Installing             Done                                               [100%] []
      Success!
      * Foreman is running at https://foreman163.kisspuppet.com
          Initial credentials are admin / 2kWcqJsW6cLDwo7m
      The full log is at /var/log/foreman-installer/foreman-installer.log

**Note:** after this installation the default login password is random, unlike earlier versions.

After installation, open https://192.168.20.11 in Firefox or Chrome to check that it worked

![Foreman login](http://kisspuppet.com/img/foreman04-2.jpg)

![Foreman dashboard](http://kisspuppet.com/img/foreman04-3.jpg)

Remember to change the default password, or you will forget it later and be unable to log in.
![Foreman change password](http://kisspuppet.com/img/foreman04-4.jpg)

## 5. Install Foreman-proxy ##

**Note:** this foreman-proxy mainly proxies puppet and puppetca, so it has to be installed on the puppetmaster.

**5.1. Install foreman-proxy**

    [root@puppetmaster162 ~]# yum install foreman-installer foreman-proxy tftp-server syslinux

    [root@puppetmaster162 yum.repos.d]# foreman-installer --no-enable-foreman --no-enable-foreman-cli --no-enable-foreman-plugin-bootdisk --no-enable-foreman-plugin-setup --no-enable-puppet --enable-foreman-proxy --foreman-proxy-puppetrun=true --foreman-proxy-puppetrun-provider=mcollective --foreman-proxy-puppetca=true --foreman-proxy-dhcp=false --foreman-proxy-tftp=false --foreman-proxy-dns=false --foreman-proxy-register-in-foreman=false --foreman-configure-epel-repo=false --foreman-configure-scl-repo=false
    Installing             Done                                               [100%] []
      Success!
147 | * Foreman Proxy is running at https://puppetmaster162.kisspuppet.com:8443 148 | The full log is at /var/log/foreman-installer/foreman-installer.log 149 | 150 | #检测8443端口 151 | [root@puppetmaster162 ~]# netstat -nlatp | grep 8443 152 | tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 4635/ruby 153 | 154 | **5.2、设置ENC** 155 | 156 | #从foreman-installer中获取node.rb(貌似不能用,可以通过all-in-one方式安装后获取) 157 | [root@puppetmaster162 ~]# cp /usr/share/foreman-installer/modules/foreman/files/foreman-report_v2.rb /etc/puppet/node.rb 158 | 159 | [root@puppetmaster162 ~]# chown puppet. /etc/puppet/node.rb #设置属组和属主都为puppet 160 | [root@puppetmaster162 ~]# chmod 550 /etc/puppet/node.rb #设置执行权限 161 | 162 | **5.3、设置report** 163 | 164 | #从foreman-installer中获取foreman.rb 165 | [root@puppetmaster162 ~]# cp /usr/share/foreman-installer/modules/foreman/files/foreman-report_v2.rb /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb 166 | 167 | **5.4、设置连接foreman的信息** 168 | 169 | #这里跟foreman1.5版本(包括1.5版本)不一样,请注意 170 | [root@puppetmaster162 puppet]# vim /etc/puppet/foreman.yaml 171 | --- 172 | :url: "https://foreman163.kisspuppet.com" 173 | :ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem" 174 | :ssl_cert: "/var/lib/puppet/ssl/certs/puppetmaster162.kisspuppet.com.pem" 175 | :ssl_key: "/var/lib/puppet/ssl/private_keys/puppetmaster162.kisspuppet.com.pem" 176 | :user: "" 177 | :password: "" 178 | :puppetdir: "/var/lib/puppet" 179 | :puppetuser: "puppet" 180 | :facts: true 181 | :timeout: 10 182 | :threads: null 183 | [root@puppetmaster162 ~]# /etc/init.d/foreman-proxy restart 184 | Stopping foreman-proxy: [ OK ] 185 | Starting foreman-proxy: [ OK ] 186 | 187 | ## 6、注册puppet和puppetca ## 188 | 189 | **6.1、在puppetmaster上添加ENC配置和foreman报告** 190 | 191 | [root@puppetmaster162 ~]# vim /etc/puppet/puppet.conf 192 | [master] 193 | ... 
194 | reports = foreman 195 | external_nodes = /etc/puppet/node.rb 196 | node_terminus = exec 197 | #重启生效 198 | [root@puppetmaster162 ~]# /etc/init.d/puppetmaster restart 199 | Stopping puppetmaster: [ OK ] 200 | Starting puppetmaster: [ OK ] 201 | 202 | 203 | **6.2、登录foreman注册foreman-proxy** 204 | 205 | ![Foreman安装](http://kisspuppet.com/img/foreman04-5.jpg) 206 | 207 | **6.3、节点测试** 208 | 209 | [root@foreman163 ~]# puppet agent -t 210 | Info: Caching catalog for foreman163.kisspuppet.com 211 | Info: Applying configuration version '1417762929' 212 | Notice: Finished catalog run in 0.13 seconds 213 | 214 | [root@puppetmaster162 ~]# puppet agent -t 215 | Info: Caching catalog for puppetmaster162.kisspuppet.com 216 | Info: Applying configuration version '1417762858' 217 | Notice: Finished catalog run in 0.14 seconds 218 | 219 | ![Foreman安装](http://kisspuppet.com/img/foreman04-6.jpg) 220 | 221 | **注:**如果测试报错,请将foreman中的puppet插件的enc_environment选项设置为false,具体如何使用后续讲解 222 | 223 | 关于如何设置和使用foreman,请关注后续文章.... -------------------------------------------------------------------------------- /foreman_leaning_5.md: -------------------------------------------------------------------------------- 1 | 2 | 即将更新,敬请期待... 
--------------------------------------------------------------------------------
/foreman_leaning_6.md:
--------------------------------------------------------------------------------

#### Introducing the Foreman architecture 6 - integrating with puppetmaster


**Note:** Everything below was done on **foreman1.6.3+puppet2.6.2**. For more configuration options see the official manual [http://theforeman.org/manuals/1.6/index.html](http://theforeman.org/manuals/1.6/index.html)

With foreman and puppetmaster installed, the next job is to integrate them. Foreman can currently manage puppet environments, classes, class parameters, reports, facts and more; each is introduced in turn below.


# 1、First make sure the smart proxy is proxying puppet and the puppet CA #

![Foreman安装](http://kisspuppet.com/img/foreman06-1.png)

Proxying puppet and the puppet CA has to be enabled in foreman-proxy.

    # configure the puppet proxy
    [root@puppetmaster162 ~]# cat /etc/foreman-proxy/settings.d/puppet.yml
    ---
    # Puppet management
    :enabled: true   # enabled
    :puppet_conf: /etc/puppet/puppet.conf
    # valid providers:
    #   puppetrun   (for puppetrun/kick, deprecated in Puppet 3)
    #   mcollective (uses mco puppet)
    #   puppetssh   (run puppet over ssh)
    #   salt        (uses salt puppet.run)
    #   customrun   (calls a custom command with args)
    :puppet_provider: mcollective

    # customrun command details
    # Set :customrun_cmd to the full path of the script you want to run, instead of /bin/false
    :customrun_cmd: /bin/false
    # Set :customrun_args to any args you want to pass to your custom script. The hostname of the
    # system to run against will be appended after the custom commands.
    :customrun_args: -ay -f -s

    # whether to use sudo before the ssh command
    :puppetssh_sudo: false
    # the command which will be sent to the host
    :puppetssh_command: /usr/bin/puppet agent --onetime --no-usecacheonfailure
    # With which user should the proxy connect
    #:puppetssh_user: root
    #:puppetssh_keyfile: /etc/foreman-proxy/id_rsa

    # Which user to invoke sudo as to run puppet commands
    :puppet_user: root

    # URL of the puppet master itself for API requests
    :puppet_url: https://puppetmaster162.kisspuppet.com:8140
    # SSL certificates used to access the puppet master API
    :puppet_ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
    :puppet_ssl_cert: /var/lib/puppet/ssl/certs/puppetmaster162.kisspuppet.com.pem
    :puppet_ssl_key: /var/lib/puppet/ssl/private_keys/puppetmaster162.kisspuppet.com.pem

    # Override use of Puppet's API to list environments, by default it will use only if
    # environmentpath is given in puppet.conf, else will look for environments in puppet.conf

    #:puppet_use_environment_api: true

    # configure the puppet CA proxy
    [root@puppetmaster162 ~]# cat /etc/foreman-proxy/settings.d/puppetca.yml
    ---
    # PuppetCA management
    :enabled: true
    :ssldir: /var/lib/puppet/ssl
    :puppetdir: /etc/puppet

# 2、Managing puppet environments #

## 2.1、Configure environments on the puppetmaster ##
Puppet added the "directory environments" feature from version 2.6; for details see the official docs [https://docs.puppetlabs.com/puppet/latest/reference/environments.html](https://docs.puppetlabs.com/puppet/latest/reference/environments.html)

    [root@puppetmaster162 ~]# cat /etc/puppet/puppet.conf
    [master]
    ...
    environmentpath = /etc/puppet/environments
    basemodulepath = /etc/puppet/modules:/usr/share/puppet/modules
    environment_timeout = 2   # how often the environment is refreshed

    [root@puppetmaster162 ~]# ll /etc/puppet/environments/
    total 24
    drwxr-xr-x 4 root root 4096 Dec 5 16:46 development
    drwxr-xr-x 4 root root 4096 Dec 5 16:46 example42
    drwxr-xr-x 4 root root 4096 Dec 5 16:39 example_env
    drwxr-xr-x 5 root root 4096 Dec 5 17:03 production
    drwxr-xr-x 4 root root 4096 Dec 5 16:46 puppetlabs
    drwxr-xr-x 7 root root 4096 Dec 5 17:03 temp

**Note:** You can see from the configuration above that two environments have been set up.

## 2.2、Import the puppet environments into foreman ##

![Foreman安装](http://kisspuppet.com/img/foreman06-2.png)


# 3、Managing puppet classes #

3.1、Configure puppet classes

Note the following:

- The paths set in basemodulepath in puppet.conf are the common base shared by every environment under the environment directory; all modules in them are found by every other environment (provided no environment.conf is configured).

- By default each environment directory should contain a manifests directory (holding the main manifest site.pp) and a modules directory (holding the modules), structured as follows.

        [root@puppetmaster162 environments]# tree production/
        production/
        ├── environment.conf
        ├── manifests
        │   └── site.pp
        ├── modules
        │   ├── jenkins
        │   │   ├── files
        │   │   │   └── jenkins.repo
        │   │   ├── manifests
        │   │   │   ├── init.pp
        │   │   │   ├── install.pp
        │   │   │   ├── service.pp
        │   │   │   └── yum.pp
        │   │   ├── README
        │   │   └── templates
        │   └── motd
        │       ├── files
        │       │   └── motd
        │       ├── manifests
        │       │   └── init.pp
        │       └── templates
        └── system
            └── ssh
                ├── files
                ├── manifests
                │   ├── backup.pp
                │   ├── config.pp
                │   ├── init.pp
                │   ├── install.pp
                │   └── service.pp
                ├── Modulefile
                ├── README
                ├── spec
                │   └── spec_helper.rb
                ├── templates
                │   └── sshd_config.erb
                └── tests
                    └── init.pp

        17 directories, 20 files

- If you want one environment to contain several directories, each of which in turn contains modules, add an environment.conf file.

        [root@puppetmaster162 environments]# ll temp/
        total 24
        -rw-r--r-- 1 root root 95 Dec 5 17:03 environment.conf   # environment search-path config file
        drwxr-xr-x 11 root root 4096 Dec 5 17:02 juhailu
        drwxr-xr-x 2 root root 4096 Dec 5 16:48 kisspuppet
        drwxr-xr-x 4 root root 4096 Dec 5 16:56 lin
        drwxr-xr-x 2 root root 4096 Dec 5 16:48 manifests
        drwxr-xr-x 5 root root 4096 Dec 5 16:47 puppetlabs

        [root@puppetmaster162 environments]# ll temp/puppetlabs/
        total 12
        drwxr-xr-x 5 root root 4096 Dec 5 16:46 propuppet-demoapp
        drwxr-xr-x 5 root root 4096 Dec 5 16:46 puppetlabs-demoapp
        drwxr-xr-x 4 root root 4096 Dec 5 16:46 puppet-module-skeleton

        [root@puppetmaster162 environments]# cat temp/environment.conf   # add the search paths
        modulepath = $basemodulepath:puppetlabs:modules:lin:modules:juhailu:modules:kisspuppet:modules

**Note:** When adding search paths you must include `$basemodulepath`, otherwise the default common module path will not be searched at all.

## 3.2、Import the puppet classes into Foreman ##

![Foreman安装](http://kisspuppet.com/img/foreman06-3.png)


# 4、Setting up the ENC #

## 4.1、Assign modules directly to a node ##

![Foreman安装](http://kisspuppet.com/img/foreman06-4.png)

**Remark:** Adding the main class is enough.

This links the node to the module, which is equivalent to adding the following to site.pp

    node puppetmaster162.kisspuppet.com{
      include ssh
    }

## 4.2、Inherit modules through a host group ##

![Foreman安装](http://kisspuppet.com/img/foreman06-5.png)

![Foreman安装](http://kisspuppet.com/img/foreman06-6.png)

**Remark:** If you manage modules through groups, do not also tick modules on individual nodes. Otherwise, if you first add module A to a node and then add module A to that node's group, the node's puppet classes will show two included classes with the same name.

# 5、Managing groups and modules #

## 5.1、Add a config group ##

**Note:** Foreman added the "config group" feature in 1.5: several modules can be added to a named config group, and a host group then only needs to tick that config group to pull in all of its modules.

![Foreman安装](http://kisspuppet.com/img/foreman06-7.png)
![Foreman安装](http://kisspuppet.com/img/foreman06-8.png)

# 6、Check that the setup worked #

![Foreman安装](http://kisspuppet.com/img/foreman06-9.png)

![Foreman安装](http://kisspuppet.com/img/foreman06-10.png)

    # you can check it as follows; node.rb must have run first, triggered either by "puppet agent" or by running "node.rb" directly
    [root@puppetmaster162 ~]# cat /var/lib/puppet/yaml/foreman/puppetmaster162.kisspuppet.com.yaml
    ---
    classes:
      ssh:
    parameters:
      puppetmaster: puppetmaster162.kisspuppet.com
      hostgroup: prd
      root_pw:
      foreman_env: production
      owner_name: Admin User
      owner_email: root@kisspuppet.com

With the above configured, the ENC works and the mapping between nodes and classes is in place. It can be tested on a node with the puppet agent command. How to push runs from foreman is covered in a later article.

--------------------------------------------------------------------------------
/foreman_leaning_7.md:
--------------------------------------------------------------------------------

## Introducing the Foreman architecture 7 - pushing runs from Foreman with mcollective ##

**Note:** Everything below was done on **foreman1.6.3+puppet2.6.2**. For more configuration options see the official manual [http://theforeman.org/manuals/1.6/index.html](http://theforeman.org/manuals/1.6/index.html)

foreman-proxy 1.6.3 provides at least the following five ways to trigger the puppet agent command. The default is puppetrun, which is deprecated; this article shows how to trigger runs with mcollective, and the next chapter covers puppetssh.

    # puppetrun   (for puppetrun/kick, deprecated in Puppet 3)
    # mcollective (uses mco puppet)
    # puppetssh   (run puppet over ssh)
    # salt        (uses salt puppet.run)
    # customrun   (calls a custom command with args)



Before any of this, make sure mco+mq works from the command line. If it does not, or you do not know what mco+mq is, see the earlier articles.

What does "works" look like? Like this:

    [root@puppetmaster162 yum.repos.d]# mco puppet -v runonce
    Discovering hosts using the mc method for 2 second(s) ....
    1

    * [ ============================================================> ] 1 / 1


    puppetmaster162.kisspuppet.com : OK
    {:summary=> "Started a Puppet run using the 'puppet agent --test --color=false --splay --splaylimit 30' command"}



    ---- rpc stats ----
    Nodes: 1 / 1
    Pass / Fail: 1 / 0
    Start Time: Wed Dec 17 16:22:15 +0800 2014
    Discovery Time: 2004.22ms
    Agent Time: 71.49ms
    Total Time: 2075.70ms

## 1、Enable the puppet plugin's puppetrun feature in Foreman ##

![Foreman安装](http://kisspuppet.com/img/foreman07-1.png)

![Foreman安装](http://kisspuppet.com/img/foreman07-2.png)


## 2、Set puppet_provider for the puppet proxied by foreman-proxy ##

    [root@puppetmaster162 ~]# vim /etc/foreman-proxy/settings.d/puppet.yml
    ---
    # Puppet management
    :enabled: true
    :puppet_conf: /etc/puppet/puppet.conf
    # valid providers:
    #   puppetrun   (for puppetrun/kick, deprecated in Puppet 3)
    #   mcollective (uses mco puppet)
    #   puppetssh   (run puppet over ssh)
    #   salt        (uses salt puppet.run)
    #   customrun   (calls a custom command with args)
    :puppet_provider: mcollective
    ...

## 3、Configure sudoers to allow the mco command ##

    [root@puppetmaster162 ~]# vim /etc/sudoers.d/foreman-proxy

    foreman-proxy ALL = NOPASSWD : /usr/bin/puppet cert *, /usr/bin/mco puppet runonce *
    Defaults:foreman-proxy !requiretty

    [root@puppetmaster162 ~]# /etc/init.d/foreman-proxy restart
    Stopping foreman-proxy: [ OK ]
    Starting foreman-proxy: [ OK ]


## 4、Test the Puppet Run button in the UI ##

![Foreman安装](http://kisspuppet.com/img/foreman07-3.png)


What success looks like

![Foreman安装](http://kisspuppet.com/img/foreman07-4.png)


## 5、Check the logs for more detail ##


    # the log shows what was executed
    [root@puppetmaster162 yum.repos.d]# tailf /var/log/foreman-proxy/proxy.log


    192.168.20.11 - - [17/Dec/2014 16:25:36] "POST /run HTTP/1.1" 200 - 0.5454

That is all it shows.

    [root@puppetmaster162 ~]# cat /etc/foreman-proxy/settings.yml
    ...
    :log_file: /var/log/foreman-proxy/proxy.log
    # valid options are
    # WARN, DEBUG, Error, Fatal, INFO, UNKNOWN
    :log_level: DEBUG   # enable debug mode for more detail when troubleshooting; before 1.5 it was on by default


    [root@puppetmaster162 yum.repos.d]# tailf /var/log/foreman-proxy/proxy.log
    I, [2014-12-17T16:27:43.148519 #24337] INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
    W, [2014-12-17T16:27:43.155592 #24337] WARN -- : Couldn't find settings file /etc/foreman-proxy/settings.d/facts.yml. Using default settings.
    I, [2014-12-17T16:27:43.155860 #24337] INFO -- : 'facts' settings were initialized with default values: :enabled: true
    I, [2014-12-17T16:27:43.163012 #24337] INFO -- : 'dns' module is disabled.
    I, [2014-12-17T16:27:43.163513 #24337] INFO -- : 'tftp' module is disabled.
    I, [2014-12-17T16:27:43.163933 #24337] INFO -- : 'dhcp' module is disabled.
    I, [2014-12-17T16:27:43.579571 #24337] INFO -- : 'puppet' settings were initialized with default values: :puppetdir: /etc/puppet
    I, [2014-12-17T16:27:43.583486 #24337] INFO -- : 'bmc' module is disabled.
    I, [2014-12-17T16:27:43.583655 #24337] INFO -- : 'chefproxy' module is disabled.
    I, [2014-12-17T16:27:43.583934 #24337] INFO -- : 'realm' module is disabled.
    D, [2014-12-17T16:28:15.059328 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I puppetmaster162.kisspuppet.com
    192.168.20.11 - - [17/Dec/2014 16:28:15] "POST /run HTTP/1.1" 200 - 0.5468


A failure looks like this:

![Foreman安装](http://kisspuppet.com/img/foreman07-5.png)

    [root@puppetmaster162 ~]# tailf /var/log/foreman-proxy/proxy.log
    I, [2014-12-17T16:27:43.163933 #24337] INFO -- : 'dhcp' module is disabled.
    I, [2014-12-17T16:27:43.579571 #24337] INFO -- : 'puppet' settings were initialized with default values: :puppetdir: /etc/puppet
    I, [2014-12-17T16:27:43.583486 #24337] INFO -- : 'bmc' module is disabled.
    I, [2014-12-17T16:27:43.583655 #24337] INFO -- : 'chefproxy' module is disabled.
    I, [2014-12-17T16:27:43.583934 #24337] INFO -- : 'realm' module is disabled.
    D, [2014-12-17T16:28:15.059328 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I puppetmaster162.kisspuppet.com
    192.168.20.11 - - [17/Dec/2014 16:28:15] "POST /run HTTP/1.1" 200 - 0.5468
    D, [2014-12-17T16:32:56.924849 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I puppetmaster162.kisspuppet.com
    192.168.20.11 - - [17/Dec/2014 16:32:57] "POST /run HTTP/1.1" 200 - 0.6095
    D, [2014-12-17T16:32:57.878231 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I foreman163.kisspuppet.com
    W, [2014-12-17T16:33:20.364704 #24344] WARN -- : Non-null exit code when executing '/usr/bin/sudo-uroot/usr/bin/mcopuppetrunonce-Iforeman163.kisspuppet.com'
    E, [2014-12-17T16:33:20.368673 #24344] ERROR -- : Failed puppet run: Check Log files
    192.168.20.11 - - [17/Dec/2014 16:33:20] "POST /run HTTP/1.1" 500 34 22.4920


**Remark:** Foreman's display of results after a command runs is actually quite poor; it would be much better if the execution status of every node were shown live in the UI!

--------------------------------------------------------------------------------
/foreman_leaning_8.md:
--------------------------------------------------------------------------------

Coming soon...

--------------------------------------------------------------------------------
/foreman_leaning_9.md:
--------------------------------------------------------------------------------

Coming soon...
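Section 3.1 of chapter 6 above warns that a `modulepath` in environment.conf must include `$basemodulepath`, otherwise the shared modules silently stop being found. The following is an added example and not Puppet's own implementation: it resolves an environment's effective module search path the way that chapter describes (relative entries are taken relative to the environment directory, `$basemodulepath` is expanded from the [master] section of puppet.conf, and a missing environment.conf means the default `modules:$basemodulepath`), and reports which base directories an environment would no longer search. The puppet.conf and environment.conf texts are constructed from the chapter's own settings.

```ruby
# Added example, not Puppet's own code: resolve an environment's effective
# modulepath from puppet.conf and environment.conf, and detect a forgotten
# $basemodulepath. Inputs are plain strings so the check runs offline.

# Minimal INI reader for puppet.conf: {section => {key => value}}.
# Trailing "# ..." comments, as used in this series, are stripped.
def parse_puppet_conf(text)
  conf = Hash.new { |h, k| h[k] = {} }
  section = 'main'
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    if line =~ /\A\[(\w+)\]\z/
      section = $1
    elsif line =~ /\A(\w+)\s*=\s*(.*)\z/
      conf[section][$1] = $2.strip
    end
  end
  conf
end

# A [master] setting, falling back to [main] the way Puppet does.
def master_setting(conf, key)
  conf['master'][key] || conf['main'][key]
end

# Effective module search path of one environment directory, in order.
# No environment.conf at all means the default "modules:$basemodulepath".
def effective_modulepath(env_dir, puppet_conf_text, environment_conf_text = nil)
  conf = parse_puppet_conf(puppet_conf_text)
  base = (master_setting(conf, 'basemodulepath') || '').split(':')
  raw = nil
  if environment_conf_text
    m = environment_conf_text.gsub(/#.*$/, '')[/^\s*modulepath\s*=\s*(.*)$/, 1]
    raw = m.strip if m
  end
  raw ||= 'modules:$basemodulepath'
  raw.split(':').flat_map do |entry|
    next base if entry == '$basemodulepath'              # expand the shared base
    entry.start_with?('/') ? [entry] : [File.join(env_dir, entry)]
  end
end

# Directories from basemodulepath that this environment will NOT search.
# A non-empty result is the mistake the chapter warns about.
def unsearched_base_dirs(env_dir, puppet_conf_text, environment_conf_text)
  base = (master_setting(parse_puppet_conf(puppet_conf_text), 'basemodulepath') || '').split(':')
  base - effective_modulepath(env_dir, puppet_conf_text, environment_conf_text)
end

# Constructed from the chapter's settings (not read from a live system).
PUPPET_CONF = <<~CONF
  [master]
  environmentpath = /etc/puppet/environments
  basemodulepath = /etc/puppet/modules:/usr/share/puppet/modules
  environment_timeout = 2   # how often the environment is refreshed
CONF
ENV_CONF_OK  = "modulepath = $basemodulepath:puppetlabs:modules:lin:modules:juhailu:modules:kisspuppet:modules\n"
ENV_CONF_BAD = "modulepath = puppetlabs:modules:lin:modules\n"   # $basemodulepath forgotten

if __FILE__ == $PROGRAM_NAME
  env = '/etc/puppet/environments/temp'
  puts effective_modulepath(env, PUPPET_CONF, ENV_CONF_OK)
  puts "unsearched with ENV_CONF_BAD: #{unsearched_base_dirs(env, PUPPET_CONF, ENV_CONF_BAD).inspect}"
end
```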
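Section 5 of chapter 7 above reads success or failure off proxy.log by eye. The following is an added example and not part of foreman-proxy: it parses the DEBUG-level lines shown there, pairing each `about to execute` line with the `POST /run` response that follows it, collects any WARN/ERROR lines in between, and returns the runs a defender would alert on: a non-2xx status, a logged error, or a target host outside an allowlist (the sudoers rule in section 3 lets the proxy run `mco puppet runonce` against any identity, so the target is worth checking). The sample log is copied from the chapter.

```ruby
# Added example, not part of foreman-proxy: parse proxy.log for Puppet Run
# outcomes. SAMPLE_LOG is copied from the chapter above.
SAMPLE_LOG = <<~'LOG'
  D, [2014-12-17T16:28:15.059328 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I puppetmaster162.kisspuppet.com
  192.168.20.11 - - [17/Dec/2014 16:28:15] "POST /run HTTP/1.1" 200 - 0.5468
  D, [2014-12-17T16:32:57.878231 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I foreman163.kisspuppet.com
  W, [2014-12-17T16:33:20.364704 #24344] WARN -- : Non-null exit code when executing '/usr/bin/sudo-uroot/usr/bin/mcopuppetrunonce-Iforeman163.kisspuppet.com'
  E, [2014-12-17T16:33:20.368673 #24344] ERROR -- : Failed puppet run: Check Log files
  192.168.20.11 - - [17/Dec/2014 16:33:20] "POST /run HTTP/1.1" 500 34 22.4920
LOG

EXEC_RE    = /^D, \[(?<ts>[^\s\]]+) #\d+\] DEBUG -- : about to execute: (?<cmd>.*)$/
WARN_RE    = /^[WE], \[[^\]]+\] (?:WARN|ERROR) -- : (?<msg>.*)$/
REQUEST_RE = /^(?<client>\S+) - - \[[^\]]+\] "POST \/run HTTP\/1\.\d" (?<status>\d{3}) /

# One hash per run: a run opens at "about to execute" and closes at the next
# "POST /run" line (the request line is logged after the command finishes).
def parse_proxy_runs(text)
  runs, current = [], nil
  text.each_line do |line|
    if (m = EXEC_RE.match(line))
      host = m[:cmd][/\s-I\s+(\S+)/, 1]     # mco's -I identity filter = target host
      current = { time: m[:ts], host: host, command: m[:cmd], errors: [], status: nil, client: nil }
      runs << current
    elsif current && (m = WARN_RE.match(line))
      current[:errors] << m[:msg]
    elsif current && (m = REQUEST_RE.match(line))
      current[:client] = m[:client]
      current[:status] = m[:status].to_i
      current = nil
    end
  end
  runs
end

# Runs worth alerting on: no/failed response, a logged error, or a target
# host that is not in the allowlist of hosts this proxy is expected to drive.
def suspicious_runs(text, allowed_hosts)
  parse_proxy_runs(text).select do |r|
    r[:status].nil? || r[:status] >= 300 || !r[:errors].empty? || !allowed_hosts.include?(r[:host])
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_runs(SAMPLE_LOG, %w[puppetmaster162.kisspuppet.com foreman163.kisspuppet.com]).each do |r|
    puts "#{r[:time]} run against #{r[:host]} from #{r[:client]}: status #{r[:status]} #{r[:errors].inspect}"
  end
end
```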
--------------------------------------------------------------------------------
/puppet_learning_base1.md:
--------------------------------------------------------------------------------

#### Puppet basics 1 - why this series of documents was written


Before writing the "Learning Puppet configuration management from scratch" series, KissPuppet read Pro Puppet, 《puppet实战》, Puppet 2.7 Cookbook RAW and, currently, Pro Puppet 2nd (special thanks to the authors James Turnbull, Jeffrey McCune, John Arundel and 刘宇 for their selfless work). He has also deployed Puppet-based platforms to several production environments, from around 100 nodes up to 1000+. Because each customer's requirements differ, each deployment was done a little differently.

In September 2013, to exchange ideas and learn together, the Puppet **QQ group 296934942** was set up; it now has over 1000 members. In February 2014, given how powerful the WeChat platform is, the WeChat public account "**puppet2014**" was also created, which is now approaching 1500 followers.

Along the way, quite a few posts accumulated on [kisspuppet.com](http://kisspuppet.com), but they are not organized in a way that lets a beginner learn systematically. Many friends in the QQ group gave feedback on this, so the "Learning Puppet configuration management from scratch" series was written for everyone to learn from and refer to, and also so that I can learn more about Puppet from the experienced experts.


The series has four parts. Frankly, it is not comprehensive: many rarely used techniques are left out, and it is written from a practical, fast-deployment angle, which makes it especially suitable for beginners or anyone who needs to get a deployment up quickly. Readers with some background can start directly from part two, and Puppet veterans are kindly asked to offer guidance. If you want to study Puppet systematically, for example coding conventions or the meaning of every parameter, refer to the books mentioned above or the official Puppet site.

The author is neither rich nor idle; he too relies on his job to support his family. So updates to this series may be intermittent; apologies for any inconvenience! Also, given the tight schedule and the author's limited learning, the documents may contain many errors; please point them out.


--------------------------------------------------------------------------------
/puppet_learning_base10.md:
--------------------------------------------------------------------------------

#### Puppet basics 10 - four ways to implement custom facts


## Custom facts give nodes more labels ##

Alongside puppet as the configuration management tool, facter is a very useful system inventory tool: its predefined variables let you identify a host, for example lsbdistrelease gives the OS release and osfamily tells you whether the system is RedHat, SLES or something else. But the predefined variables are limited. Across an automated operations setup, with so many different applications, hosts often need to be identified by application name or role, so you have to define custom facts and assign them to each node, effectively tagging the node.


# 一、Four ways to define custom facts #

## 1、Define them in facter's own lib directory ##

This method creates the fact directly in the lib directory where facter is installed, effectively extending facter's own library.

The facter package's lib directory, `/usr/lib/ruby/site_ruby/1.8/facter`, can be found as follows

    [root@agent1 facter]# rpm -ql facter
    /usr/bin/facter
    /usr/lib/ruby/site_ruby/1.8/facter
    /usr/lib/ruby/site_ruby/1.8/facter.rb
    /usr/lib/ruby/site_ruby/1.8/facter/Cfkey.rb
    /usr/lib/ruby/site_ruby/1.8/facter/application.rb
    /usr/lib/ruby/site_ruby/1.8/facter/architecture.rb
    /usr/lib/ruby/site_ruby/1.8/facter/augeasversion.rb
    /usr/lib/ruby/site_ruby/1.8/facter/blockdevices.rb
    /usr/lib/ruby/site_ruby/1.8/facter/domain.rb
    /usr/lib/ruby/site_ruby/1.8/facter/ec2.rb
    /usr/lib/ruby/site_ruby/1.8/facter/facterversion.rb
    /usr/lib/ruby/site_ruby/1.8/facter/filesystems.rb
    /usr/lib/ruby/site_ruby/1.8/facter/fqdn.rb
    /usr/lib/ruby/site_ruby/1.8/facter/hardwareisa.rb
    /usr/lib/ruby/site_ruby/1.8/facter/hardwaremodel.rb

**1.1、Create a fact named rpms in facter's lib directory that reports how many rpm packages are installed**

    [root@agent1 ~]# cd /usr/lib/ruby/site_ruby/1.8/facter/
    [root@agent1 facter]# vim rpms.rb
    Facter.add(:rpms) do
      setcode do
        %x{/bin/rpm -qa | wc -l}.chomp   # run a shell command
      end
    end

**1.2、Test with the facter command**

    [root@agent1 facter]# facter | grep rpms
    rpms => 918
    [root@agent1 facter]# facter rpms
    918

**Remark:** This is effectively patching the facter package; overuse can damage the integrity of facter itself, so it is not recommended.


## 2、Create facts with the FACTERLIB environment variable ##

This method is also very simple: define a fact in a directory of your choosing, then export the variable, as follows

**2.1、Define a fact in a custom directory that counts the users currently logged in**

    [root@agent1 ~]# vim /var/lib/puppet/kiss_fact/users.rb

    Facter.add(:users) do
      setcode do
        %x{/usr/bin/who |wc -l}.chomp
      end
    end
    [root@agent1 kiss_fact]# facter users   # nothing shown; FACTERLIB must be set
    [root@agent1 kiss_fact]#

**2.2、Assign the custom fact path to FACTERLIB**

    [root@agent1 kiss_fact]# export FACTERLIB=/var/lib/puppet/kiss_fact
    [root@agent1 kiss_fact]# facter users
    2
    [root@agent1 kiss_fact]# facter | grep users
    users => 2

**Remark:** This extends the first method: you choose the directory, but its path must be added to FACTERLIB, for example in /etc/profile so that it is loaded automatically at boot.

## 3、Add external facts ##

This method supports four formats: txt, yaml, json and sh. The content is fairly fixed, the files are created under /etc/facter/facts.d/ by default, and it is very convenient to use.
The path can actually be changed, but not conveniently: it requires editing facter's source code.

    [root@agent1 ~]# vim /usr/lib/ruby/site_ruby/1.8/facter/util/config.rb
    def self.external_facts_dirs
      if Facter::Util::Root.root?
        windows_dir = windows_data_dir
        if windows_dir.nil? then
          ["/etc/facter/facts.d", "/etc/puppetlabs/facter/facts.d"]   # external facts paths
        else
          [File.join(windows_dir, 'PuppetLabs', 'facter', 'facts.d')]
        end
      else
        [File.expand_path(File.join("~", ".facter", "facts.d"))]
      end
    end


**Special note:** Only available from version 1.7.3 upward.

**3.1、Create facts from a txt file**

**3.1.1、Create roles.txt**

The file content must be in "key=value" format

    [root@agent1 ~]# mkdir /etc/facter/facts.d -p
    [root@agent1 facts.d]# vim roles.txt
    web1=http1
    db1=mysql1

**3.1.2、Test**

    [root@agent1 facts.d]# facter web1
    http1
    [root@agent1 facts.d]# facter db1
    mysql1
    [root@agent1 facts.d]# facter | egrep 'web1|db1'
    db1 => mysql1
    web1 => http1


**3.2、Create facts from a yaml file**

**3.2.1、Create the yaml file**

    [root@agent1 facts.d]# vim roles.yaml
    ---

    web2:
      - http2
    db2:
      - mysql2

**3.2.2、Test**

    [root@agent1 facts.d]# facter | egrep 'web2|db2'
    db2 => mysql2
    web2 => http2

**3.3、Create facts from a json file**

**3.3.1、Create the json file**

    [root@agent1 facts.d]# vim roles.json
    {
      "web3": "http3",
      "db3": "mysql3"
    }

**Remark:** An online JSON editor: [http://www.bejson.com/go.html?u=http://www.bejson.com/jsonview2/](http://www.bejson.com/go.html?u=http://www.bejson.com/jsonview2/)

**3.3.2、Install the rubygem-json package (json files need it)**

    [root@agent1 facts.d]# facter | egrep 'web3|db3'
    Cannot parse JSON data file /etc/facter/facts.d/roles.json without the json library.
    Suggested next step is `gem install json` to install the json library.
    # the json package is missing
    [root@agent1 facts.d]# rpm -ivh rubygem-json-1.5.5-2.el5.x86_64.rpm   # install rubygem-json; if you cannot find the package, look in the QQ group's shared files (group number at the end of the article)

**3.3.3、Test**

    [root@agent1 facts.d]# facter | egrep 'web3|db3'
    db3 => mysql3
    web3 => http3

**3.4、Create facts from a shell script**

**3.4.1、Create the shell script**

    [root@agent1 facts.d]# vim roles.sh
    #!/bin/bash
    echo "web4=http4"
    echo "db4=mysql4"

**3.4.2、Make the file executable**

    [root@agent1 facts.d]# chmod a+x roles.sh

**3.4.3、Test**

    [root@agent1 facts.d]# facter web4 db4
    db4 => mysql4
    web4 => http4

**Food for thought:** How do you deploy these to all nodes in bulk? All four methods above are just file edits, so they can be deployed from the puppetmaster with a file resource.


## 4、Distribute facts with pluginsync ##

This method is a bit special: besides the rb file landing in the node's factpath directory, it must be referenced from a puppet module and only becomes a fact after one run. Usually you add the Ruby file under the module's lib directory on the puppetmaster and set pluginsync=true in puppet.conf.

**4.1、Create a facts module**

    [root@puppetmaster ~]# cd /etc/puppet/environments/kissprd/environment/modules/
    [root@puppetmaster modules]# tree facts/   # directory layout
    facts/
    └── lib
        └── facter
            └── hwclock.rb

    2 directories, 1 file

**Remark:** It can also go into any other module you have already written

    [root@puppetmaster facter]# vim hwclock.rb   # custom fact hwclock: the node's hardware clock
    Facter.add(:hwclock) do
      setcode do
        %x{/usr/sbin/hwclock}.chomp
      end
    end

**4.2、Use the custom fact in the motd module**

    [root@puppetmaster kissprd]# vim application/modules/motd/manifests/init.pp

    class motd{
      package{ 'setup':
        ensure => present,
      }
      file{ '/etc/motd':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        source  => "puppet://$puppetserver/modules/motd/etc/motd",
        require => Package['setup'],
      }
      notify { " Hardware-Clock: ${::hwclock}": }   # a notify just for testing; no real purpose
    }

**4.3、Add the pluginsync option to puppet.conf on the puppetmaster**

    [root@puppetmaster kissprd]# vim /etc/puppet/puppet.conf

    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    pluginsync = true   # enable plugin sync
    ...

**4.4、Add pluginsync to puppet.conf on all nodes (done through the puppet module)**

    [root@puppetmaster kissprd]# vim environment/modules/puppet/templates/puppet.conf.erb
    ### config by puppet ###
    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    pluginsync = true   # enable plugin sync
    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = <%= scope.lookupvar('puppet::params::puppetserver') %>
    certname = <%= scope.lookupvar('puppet::params::certname') %>

**4.5、Run puppet agent on a node to test**

    [root@agent1 ~]# facter -p hwclock   # no such fact yet; custom facts need -p to be shown
    [root@agent1 ~]# puppet agent -t --environment=kissprd   # run once
    info: Retrieving plugin
    notice: /File[/var/lib/puppet/lib/facter/historys.rb]/ensure: removed
    notice: /File[/var/lib/puppet/lib/facter/hwclock.rb]/ensure: defined content as '{md5}d8cc9fe2b349a06f087692763c878e28'
    info: Loading downloaded plugin /var/lib/puppet/lib/facter/hwclock.rb   # plugin downloaded into the node's factpath directory
    info: Loading facts in /var/lib/puppet/lib/facter/hwclock.rb
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1396170375'
    notice: Hardware-Clock: Sun 30 Mar 2014 05:06:16 PM CST -0.055086 seconds
    notice: /Stage[main]/Motd/Notify[ Hardware-Clock: Sun 30 Mar 2014 05:06:16 PM CST -0.055086 seconds]/message: defined 'message' as ' Hardware-Clock: Sun 30 Mar 2014 05:06:16 PM CST -0.055086 seconds'   # applied
    notice: Finished catalog run in 0.51 seconds
    [root@agent1 ~]# facter -p hwclock   # the custom hwclock fact now works
    hwclock => Sun 30 Mar 2014 05:06:25 PM CST -0.567090 seconds

    [root@agent1 ~]# ll /var/lib/puppet/lib/facter/   # plugin downloaded locally
    total 4
    -rw-r--r-- 1 root root 79 Mar 30 17:06 hwclock.rb

The default factpath can be checked with the command below; it can of course also be changed in puppet.conf

    [root@agent1 ~]# puppet --genconfig | grep factpath
    factpath = /var/lib/puppet/lib/facter:/var/lib/puppet/facts

## References: ##

- Official docs [http://docs.puppetlabs.com/guides/custom_facts.html](http://docs.puppetlabs.com/guides/custom_facts.html)

- Book: Pro Puppet 2, Chapter 10: Extending Facter and Puppet. **Download:** [http://kisspuppet.com/2014/03/29/propuppet2/](http://kisspuppet.com/2014/03/29/propuppet2/)


- Book: Puppet 3 Cookbook, Chapter 8: External Tools and the Puppet Ecosystem. **Download:** already shared in the QQ group; the group number is at the bottom of the article


So how should custom facts be used in production? The next chapter introduces one approach: combining them with an ENC (hiera) to classify nodes.




--------------------------------------------------------------------------------
/puppet_learning_base2.md:
--------------------------------------------------------------------------------

#### Puppet basics 2 - how to learn and use Puppet



# Since you're here, settle in. #
Getting started with Puppet is really not hard. Many people say that because Puppet is written in Ruby, you must know Ruby to learn it well. That is not the case: you can learn Puppet well without knowing Ruby. Why?
1. Although Puppet is written in Ruby, almost everything you write for Puppet is in Puppet's own language, which is simple compared with general-purpose languages: most of it is the `A => B` form, with a conditional here and there for the slightly more complex cases. Write one or two and reuse the pattern.

2. Installing Puppet is also easy. The official yum repository is well maintained and its dependencies are complete: go to [http://yum.puppetlabs.com/](http://yum.puppetlabs.com/), download the puppetlabs-release-el package for your system and install it with yum to get the repo. The official repo installs the newest Puppet by default, and the newest version is not what we want because it is the least stable. To pin a version, see [http://kisspuppet.com/2014/01/26/puppet_create_repo/](http://kisspuppet.com/2014/01/26/puppet_create_repo/). If you would rather not build a yum repository yourself, download the one KissPuppet prepared, which is more complete: [http://kisspuppet.com/2013/12/05/puppet_repo_pak/](http://kisspuppet.com/2013/12/05/puppet_repo_pak/)

**A piece of advice:** the official yum repository is done well. If conditions allow, install from rpm packages rather than from source; work out the reasons for yourself.

3. Managing resources with Puppet means writing modules. If you would rather not write your own, download the modules you need from [http://forge.puppetlabs.com/](http://forge.puppetlabs.com/). For how to download and install them, see [http://kisspuppet.com/2014/01/14/puppet_forge_modules/](http://kisspuppet.com/2014/01/14/puppet_forge_modules/)

4. For how to find Puppet material or ask questions during day-to-day learning, here are nine ways: [http://kisspuppet.com/2014/02/10/puppet_irc/](http://kisspuppet.com/2014/02/10/puppet_irc/)

5. Do not forget books. The following are worth studying:

- *Pro Puppet*, first and second editions. The Chinese edition is called 《精通puppet配置管理工具》, but only the first edition was translated; the second exists only in English. It will presumably be translated before long; if your English is good, read the English edition directly.
- *Puppet 2.7 Cookbook RAW*, first and second editions. The first has been translated into Chinese; the second is written for 3.x and is said to be almost translated.
- 《puppet实战》, a new book released at the end of last year, written by 刘宇. Its content is fairly detailed and it is suitable for systematic study.
- *Managing Infrastructure with Puppet*; I have not really read it.

**Note:** except for 《puppet实战》, PDFs of the books above are shared in the QQ group.

6. Besides that, KissPuppet has collected a number of Puppet-related links you can go to directly, which saves searching: [http://kisspuppet.com/2013/11/09/puppet-resource/](http://kisspuppet.com/2013/11/09/puppet-resource/)

After all that, is it really true that you never need to learn Ruby? Not quite. Everyone knows that to master a piece of software you eventually read its source, and at least the following areas may need some Ruby:

1. The ERB template parts of Puppet modules need some simple Ruby statements.

2. The MCollective plugin side: modifying or adding a plugin requires some Ruby.

3. Debugging code requires Ruby.

4. Developing new resource types requires Ruby.

...
Next I will take you step by step through building your own Puppet architecture; it is especially suited to people starting from zero.

---

/puppet_learning_base3.md:

#### Puppet Basics 3: Preparation Before Installing Puppet

# A workman who wants to do a good job must first sharpen his tools #

A lot of preparation is needed before installing Puppet: a network address plan, hostnames, certnames, time synchronisation and so on. Only when these are in place will you avoid discovering problems after Puppet is installed, when it is too late to regret them.
**Note:** the whole set of documents that follows is designed and extended according to the scheme in this chapter, and is written to a near-production standard.

## 1. Network address plan ##

| HOSTNAME | IP | certname | operatingsystem |
|---|---|---|---|
| puppetmaster.kisspuppet.com | 192.168.100.110/24 | puppetmaster_cert.kisspuppet.com | RHEL6.4 |
| agent1.kisspuppet.com | 192.168.100.111/24 | agent1_cert.kisspuppet.com | RHEL5.7 |
| agent2.kisspuppet.com | 192.168.100.112/24 | agent2_cert.kisspuppet.com | RHEL5.8 |
| agent3.kisspuppet.com | 192.168.100.113/24 | agent3_cert.kisspuppet.com | RHEL6.4 |

**Note:** the gateway for 192.168.100.0/24 is 192.168.100.110, and DNS1 on every server is 192.168.100.110. (agent3's address is 192.168.100.113, matching the hosts file and the `ssh-copy-id` loop below.)

**1. Set the hostname**

    [root@puppetmaster ~]# vim /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=puppetmaster.kisspuppet.com
    [root@agent1 ~]# vim /etc/sysconfig/network
    NETWORKING=yes
    NETWORKING_IPV6=no
    HOSTNAME=agent1.kisspuppet.com

**Note:** agent2 and agent3 likewise.

**2. Set the IP address**

You can configure it with `system-config-network` and then adjust the configuration file.

    [root@puppetmaster ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0
    TYPE=Ethernet
    ONBOOT=yes
    NM_CONTROLLED=yes
    BOOTPROTO=none
    IPADDR=192.168.100.110
    NETMASK=255.255.255.0
    GATEWAY=192.168.100.110
    DNS1=192.168.100.110
    IPV6INIT=no
    USERCTL=no

**Note:** agent1 to agent3 likewise.

**3. Stop the NetworkManager service**

NetworkManager is RHEL's service for managing network interfaces from the desktop. It interferes with the network configuration when enabled; it is on by default on RHEL6 and is best disabled.

    [root@puppetmaster ~]# /etc/init.d/NetworkManager stop
    Stopping NetworkManager daemon: [ OK ]
    [root@puppetmaster ~]# chkconfig NetworkManager off

**Note:** agent1 to agent3 likewise.

**4. Turn off the firewall**

This lab is only about testing the functionality of the whole architecture. With iptables stopped, every service set up below (puppetmaster on TCP 8140, FTP, NTP) is reachable from the whole segment; if you need to test with a firewall, handle it separately.

    [root@puppetmaster ~]# /etc/init.d/iptables stop
    iptables: Flushing firewall rules: [ OK ]
    iptables: Setting chains to policy ACCEPT: filter [ OK ]
    iptables: Unloading modules: [ OK ]
    [root@puppetmaster ~]# chkconfig iptables off

**Note:** agent1 to agent3 likewise.

**5. Disable SELinux**

    [root@puppetmaster ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config

**Note:** agent1 to agent3 likewise. The change to /etc/selinux/config takes effect at the next boot; `setenforce 0` puts the running system into permissive mode until then.

**6. Set up SSH keys**

For convenience, generate a key pair so that everything can be deployed centrally from the puppetmaster.

    [root@puppetmaster ~]# ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    ff:55:8d:31:34:b4:b3:6a:70:3b:aa:09:76:12:5b:8d root@puppetmaster.kisspuppet.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |        .+       |
    |       . o       |
    |        =        |
    |         o     *.|
    |  . E o . o     o|
    |   + . o o .     |
    |  = . . = .      |
    | . + . + o       |
    |  o.. .          |
    +-----------------+
    [root@puppetmaster ~]# for i in {1..3}; do ssh-copy-id -i 192.168.100.11$i; done
    The authenticity of host '192.168.100.111 (192.168.100.111)' can't be established.
    RSA key fingerprint is ae:db:c5:0c:0e:3f:8c:62:ea:a1:26:e2:09:63:18:32.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.100.111' (RSA) to the list of known hosts.
    root@192.168.100.111's password:
    Now try logging into the machine, with "ssh '192.168.100.111'", and check in:

      .ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.
    ...

Two things to be aware of here. The key is created without a passphrase and grants root on every node, so the puppetmaster's `/root/.ssh/id_rsa` is now as sensitive as the root password of all of them. And answering `yes` to the host-key prompt trusts whatever answered at that address on first use; on a network you do not control, compare the fingerprint shown with the output of `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on the node's console before accepting.
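The `ssh-copy-id` output above ends with a reminder to check `.ssh/authorized_keys` for keys you did not expect. The script below is an added example, not part of the original tutorial: it lists every key in a node's authorized_keys and reports any that is not in an allow-list file (here the puppetmaster's `/root/.ssh/id_rsa.pub`, the only key that should be there after step 6). The hosts and paths in the usage comment are the ones from this chapter; the key material in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a node's root
# authorized_keys against an allow-list of public keys, as the ssh-copy-id
# output suggests.  Pure POSIX sh + awk, so it runs unchanged on RHEL5/6.

# key_ids FILE
# Print "keytype base64body" for every key line in FILE.  Blank lines and
# comments are skipped, and a leading options field such as from="..." or
# command="..." is stepped over by scanning for the key-type token.  The
# trailing comment (user@host) is dropped: it is free text, not identity.
key_ids() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/) {
                    print $i, $(i + 1)
                    break
                }
        }' "$1"
}

# audit_authorized_keys AUTHORIZED_KEYS ALLOWED_PUBKEYS
# Print every key in AUTHORIZED_KEYS that does not appear in ALLOWED_PUBKEYS.
# Returns 0 when only expected keys are present, 1 otherwise.
audit_authorized_keys() {
    allow=$(mktemp /tmp/ak-allow.XXXXXX) || return 2
    have=$(mktemp /tmp/ak-have.XXXXXX) || { rm -f "$allow"; return 2; }
    key_ids "$2" > "$allow"
    key_ids "$1" > "$have"
    # First file loads the allow-list into a set; second file prints misses.
    # FILENAME is used rather than NR==FNR so an empty allow-list still works.
    extra=$(awk -v allow="$allow" '
        FILENAME == allow { ok[$0] = 1; next }
        !($0 in ok)' "$allow" "$have")
    rm -f "$allow" "$have"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra" | sed 's/^/unexpected key: /'
    return 1
}

# Usage on the puppetmaster after step 6 (addresses and key path from this chapter):
#   for i in 1 2 3; do
#       ssh 192.168.100.11$i cat /root/.ssh/authorized_keys > /tmp/authorized_keys.$i
#       audit_authorized_keys /tmp/authorized_keys.$i /root/.ssh/id_rsa.pub
#   done
```

Run it again whenever a node is rebuilt or handed to someone else: a key that is not the puppetmaster's is either a leftover from a previous owner or someone else's foothold, and either way it should not be root on a node that Puppet manages.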
**7. Set up the hosts file**

Puppet communication requires that agent and master can resolve each other's hostnames.
DNS can be used instead; a DNS server is built in part four, when the kermit architecture is set up. For now, resolve names through the hosts file: configure it on the puppetmaster and copy it to all nodes.

    [root@puppetmaster ~]# vim /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.100.110 puppetmaster.kisspuppet.com puppetmaster
    192.168.100.111 agent1.kisspuppet.com agent1
    192.168.100.112 agent2.kisspuppet.com agent2
    192.168.100.113 agent3.kisspuppet.com agent3
    [root@puppetmaster ~]# for i in {1..3}; do scp /etc/hosts 192.168.100.11$i:/etc/; done
    hosts 100% 354 0.4KB/s 00:00
    hosts 100% 354 0.4KB/s 00:00
    hosts 100% 354 0.4KB/s 00:00

    [root@agent1 ~]# ping puppetmaster.kisspuppet.com    # remember to test after setting it up
    PING puppetmaster.kisspuppet.com (192.168.100.110) 56(84) bytes of data.
    64 bytes from puppetmaster.kisspuppet.com (192.168.100.110): icmp_seq=1 ttl=64 time=0.327 ms
    64 bytes from puppetmaster.kisspuppet.com (192.168.100.110): icmp_seq=2 ttl=64 time=0.996 ms
    64 bytes from puppetmaster.kisspuppet.com (192.168.100.110): icmp_seq=3 ttl=64 time=1.00 ms

    --- puppetmaster.kisspuppet.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1999ms
    rtt min/avg/max/mdev = 0.327/0.774/1.000/0.317 ms

**Note:** once the network is configured, a tool such as **Xshell** makes logging in and working more convenient.

## 2. Configure a local yum repository from the installation disc ##

I am working in VMware virtual machines, so the disc can be mounted directly on a directory. On a physical machine, copy the whole contents of the disc into a directory and point `baseurl` at it.

    [root@puppetmaster ~]# mkdir /media/cdrom
    [root@puppetmaster ~]# mount /dev/cdrom /media/cdrom/
    mount: block device /dev/sr0 is write-protected, mounting read-only

    [root@puppetmaster ~]# cp /etc/yum.repos.d/rhel-source.repo /etc/yum.repos.d/rhel-base.repo
    [root@puppetmaster ~]# vim /etc/yum.repos.d/rhel-base.repo
    [rhel-base]
    name=Red Hat Enterprise Linux $releasever - $basearch - Source
    baseurl=file:///media/cdrom
    enabled=1
    gpgcheck=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

`gpgcheck=0` switches off signature verification for every package from this repo. The `gpgkey` line already points at the Red Hat release key, and the packages on the disc are signed with it, so `gpgcheck=1` works here at no cost; the same applies to the Puppet Labs repository built later, whose packages are signed as well.

    [root@puppetmaster ~]# yum clean all
    Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    Cleaning repos: rhel-base
    Cleaning up Everything
    [root@puppetmaster ~]# yum install tree lrzsz    # test
    Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    rhel-base | 3.9 kB 00:00 ...
    rhel-base/primary_db | 3.1 MB 00:01 ...
    Setting up Install Process
    Resolving Dependencies
    ...

**Note:** agent1 to agent3 likewise.

**Note:** on RHEL5 the repository is in the Server directory of the disc, so the repo file needs `baseurl=file:///media/cdrom/Server`.

## 3. Set up an NTP server ##

**1. Configure the NTP server**

Make the NTP server synchronise with its own local clock (if it has internet access it can synchronise with external servers instead); all that matters here is that every server keeps the same time.
The reason: Puppet does not enforce a fixed limit on the clock difference between puppetmaster and agent, but certificate validity is checked during the TLS handshake, so an agent whose clock is far behind the CA's fails with a "certificate not yet valid" error; MCollective, configured later, discards requests older than its TTL, which is 60 seconds by default, so its server and clients must agree to within 60 seconds.

    [root@puppetmaster ~]# rpm -qa | grep ntp
    fontpackages-filesystem-1.41-1.1.el6.noarch
    ntpdate-4.2.4p8-3.el6.x86_64    # installed by default
    ntp-4.2.4p8-3.el6.x86_64        # installed by default
    [root@puppetmaster ~]# cp /etc/ntp.conf{,.bak}

    [root@puppetmaster ~]# vim /etc/ntp.conf
    driftfile /var/lib/ntp/drift
    logfile /var/log/ntp.log
    Broadcastdelay 0.008
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict default ignore
    restrict 127.0.0.1
    restrict -6 ::1
    restrict 192.168.100.0 mask 255.255.255.0 notrap nomodify
    server 127.127.1.0 # local clock
    fudge 127.127.1.0 stratum 10 refid NIST
    includefile /etc/ntp/crypto/pw
    keys /etc/ntp/keys

    [root@puppetmaster ~]# /etc/init.d/ntpd start
    Starting ntpd: [ OK ]
    [root@puppetmaster ~]# chkconfig ntpd on

**2. Test from a node and set up a crontab**

    [root@agent1 ~]# ntpdate puppetmaster.kisspuppet.com
    7 Mar 06:08:30 ntpdate[16411]: adjust time server 192.168.100.110 offset 0.049448 sec

    [root@agent1 ~]# crontab -l    # set with crontab -e
    */30 * * * * /usr/sbin/ntpdate puppetmaster.kisspuppet.com >>/root/ntdate.log 2>&1 && /sbin/clock --systohc
    [root@agent1 ~]# /etc/init.d/crond reload
    Reloading cron daemon configuration: [ OK ]

## 4. Build a local yum repository ##

Most packages in this lab come from [http://yum.puppetlabs.com](http://yum.puppetlabs.com); some come from EPEL, the Gems site, the RabbitMQ site and so on. How to build a yum repository was covered in an earlier article, [http://kisspuppet.com/2014/01/26/puppet_create_repo/](http://kisspuppet.com/2014/01/26/puppet_create_repo/); here is a quick run-through.

    [root@puppetmaster RHEL6U4]# yum install createrepo    # the tool that builds repository metadata
    [root@puppetmaster RHEL6U4]# createrepo .    # generate repodata for every rpm in this directory and its subdirectories
    Spawning worker 0 with 105 pkgs
    Workers Finished
    Gathering worker results

    Saving Primary metadata
    Saving file lists metadata
    Saving other metadata
    Generating sqlite DBs
    Sqlite DBs complete

**Note:** the repodata for RHEL5 must be generated by running createrepo on a RHEL5 system.

## 5. Configure an FTP server ##

**1. Install and configure the FTP server**

The FTP server exists mainly to serve the custom yum repository.

    [root@puppetmaster ~]# yum install vsftpd
    Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    rhel-base | 3.9 kB 00:00 ...
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package vsftpd.x86_64 0:2.2.2-11.el6 will be installed
    --> Finished Dependency Resolution
    ...
    [root@puppetmaster ~]# cp /etc/vsftpd/vsftpd.conf{,.bak}
    [root@puppetmaster ~]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    anon_upload_enable=YES
    anon_root=/puppet    # directory for anonymous access
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_file=/var/log/xferlog
    xferlog_std_format=YES
    listen=YES

    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES

    [root@puppetmaster ~]# /etc/init.d/vsftpd start
    Starting vsftpd for vsftpd: [ OK ]
    [root@puppetmaster ~]# chkconfig vsftpd on

Be careful with this configuration. `anon_upload_enable`, `anon_mkdir_write_enable` and `anon_other_write_enable`, together with `write_enable=YES`, let anonymous clients upload, create directories and rename or delete files under /puppet wherever the directory permissions allow it. Every node installs from this tree with `gpgcheck=0`, so anyone on 192.168.100.0/24 who can replace an rpm here gets it installed as root on every node at the next `yum install`. Serving a repository is read-only work: set the three `anon_*_write` options to `NO` and copy packages in with scp instead.

**2. Build the yum repository in the FTP share**

Copy the generated repository into the FTP share directory.

    [root@puppetmaster ~]# ll /puppet/
    total 12
    drwxr-xr-x 4 root root 4096 Mar 7 06:21 RHEL5U7
    drwxr-xr-x 4 root root 4096 Mar 7 06:21 RHEL5U8
    drwxr-xr-x 6 root root 4096 Mar 7 06:21 RHEL6U4

    [root@puppetmaster ~]# ll /puppet/RHEL6U4/
    total 16600
    -rw-r--r-- 1 root root   87643 Mar 7 06:21 facter-1.7.3-1.el5.x86_64.rpm
    -rw-r--r-- 1 root root   87440 Mar 7 06:21 facter-1.7.3-1.el6.x86_64.rpm
    drwxr-xr-x 2 root root    4096 Mar 7 06:21 gem
    -rw-r--r-- 1 root root  634944 Mar 7 06:21 GeoIP-1.4.8-1.el6.x86_64.rpm
    -rw-r--r-- 1 root root  151654 Mar 7 06:21 keepalived-1.2.7-1.1.x86_64.rpm
    -rw-r--r-- 1 root root   10924 Mar 7 06:21 mcollective-2.2.4-1.el6.noarch.rpm
    -rw-r--r-- 1 root root   24596 Mar 7 06:21 mcollective-client-2.2.4-1.el6.noarch.rpm
    -rw-r--r-- 1 root root  759300 Mar 7 06:21 mcollective-common-2.2.4-1.el6.noarch.rpm
    drwxr-xr-x 3 root root    4096 Mar 7 06:21 mcollective-plugins
    drwxr-xr-x 2 root root    4096 Mar 7 06:21 mq
    -rw-r--r-- 1 root root  406588 Mar 7 06:21 nginx-1.0.15-5.el6.x86_64.rpm
    -rw-r--r-- 1 root root 1128352 Mar 7 06:21 puppet-2.7.23-1.el6.noarch.rpm
    -rw-r--r-- 1 root root 4509032 Mar 7 06:21 puppet-dashboard-1.2.23-1.el6.noarch.rpm
    -rw-r--r-- 1 root root   25596 Mar 7 06:21 puppet-server-2.7.23-1.el6.noarch.rpm
    -rw-r--r-- 1 root root 3729988 Mar 7 06:21 rabbitmq-server-3.1.5-1.el6.noarch.rpm
    drwxr-xr-x 2 root root    4096 Mar 7 06:21 repodata
    ...

## 6. Configure the remote yum repository ##

    [root@puppetmaster ~]# vim /etc/yum.repos.d/rhel-puppet.repo
    [rhel-puppet]
    name=puppetlabs epel gems for rhel
    baseurl=ftp://puppetmaster.kisspuppet.com/RHEL6U4    # points at the FTP server
    enabled=1
    gpgcheck=0

    [root@puppetmaster ~]# yum list | grep puppet-server    # test
    puppet-server.noarch 2.7.25-1.el6 rhel-puppet

**Note:** agent1 to agent3 likewise.

With an `ftp://` baseurl and `gpgcheck=0` nothing verifies what yum downloads, neither the transport nor the package signature. The Puppet Labs packages are signed, so importing their key and setting `gpgcheck=1` closes that gap cheaply; for the packages that are not signed by anyone, the writable FTP share above is the weak point.

## 7. Version selection for the key software ##

At present the most mature Puppet versions are 2.7 and 3.3; either is fine. This lab uses 2.7.

    puppet-server     2.7.25-1   from puppetlabs
    puppet            2.7.25-1   from puppetlabs
    facter            1.7.5      from puppetlabs
    puppet-dashboard  1.2.23     from puppetlabs
    ruby              1.8.*      shipped with the OS
    mcollective       2.2.4      from puppetlabs
    activemq          5.5.0      from puppetlabs
    rabbitmq-server   3.1.5      from the RabbitMQ site
    kermit-webui      1.2-1      from the kermit site
    ...
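As an added check for sections 3, 5 and 6 (not part of the original tutorial): the repository is served by an anonymous-writable FTP server and consumed with `gpgcheck=0`, so anyone on the segment who can upload an rpm gets it installed as root on every node. The script below audits the lab's own files for exactly those settings and checks an `ntpdate` offset against the 60-second MCollective TTL mentioned in section 3. The paths in the usage comment are the ones from this chapter; the configuration fragments in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): three pure sh/awk checks
# for the package-distribution path built in this chapter.
#   vsftpd_anon_write_findings  vsftpd.conf settings that let anonymous users write
#   repo_findings               yum .repo sections with gpgcheck off or a plaintext baseurl
#   ntp_offset_ok               ntpdate offset within the allowed clock skew

# conf_value FILE KEY: last value of KEY in a key=value file, with any
# trailing "# comment" stripped (vsftpd.conf and .repo files share this form).
conf_value() {
    awk -F= -v k="$2" '
        $1 == k { v = $2; sub(/[ \t#].*$/, "", v) }
        END { print v }' "$1"
}

# vsftpd_anon_write_findings VSFTPD_CONF
# Anonymous clients can only write when anonymous_enable=YES and
# write_enable=YES; then each anon_* write option is a separate finding.
# Returns 0 when anonymous access is read-only, 1 otherwise.
vsftpd_anon_write_findings() {
    [ "$(conf_value "$1" anonymous_enable)" = "YES" ] || return 0
    [ "$(conf_value "$1" write_enable)" = "YES" ] || return 0
    n=0
    for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(conf_value "$1" "$opt")" = "YES" ]; then
            echo "vsftpd: $opt=YES lets anonymous clients modify the repository"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# repo_findings REPO_FILE
# One line per problem in each [section]: gpgcheck missing or not 1, and a
# baseurl over ftp:// or http://, where gpgcheck is the only integrity check.
# Returns 0 when every section is clean, 1 otherwise.
repo_findings() {
    out=$(awk '
        function flush(g) {
            if (sec == "") return
            g = (gpg == "") ? "<unset>" : gpg
            if (gpg != "1") print sec ": gpgcheck=" g ", packages are installed unverified"
            if (url ~ /^(ftp|http):\/\//) print sec ": baseurl " url " is plaintext, only gpgcheck protects it"
        }
        /^\[.*\]/ { flush(); sec = $0; gpg = ""; url = ""; next }
        /^gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t#].*$/, ""); gpg = $0 }
        /^baseurl[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t#].*$/, ""); url = $0 }
        END { flush() }' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# ntp_offset_ok "NTPDATE_OUTPUT_LINE" [LIMIT_SECONDS]
# Succeeds only if the line contains "offset N" with |N| below the limit.
# Puppet has no fixed skew limit, but certificate validity is checked in the
# TLS handshake; MCollective drops requests older than its TTL (60 s by
# default), so 60 is the default limit here.
ntp_offset_ok() {
    printf '%s\n' "$1" | awk -v lim="${2:-60}" '
        BEGIN { lim += 0; found = 0 }
        { for (i = 1; i < NF; i++) if ($i == "offset") { off = $(i + 1) + 0; found = 1 } }
        END { if (off < 0) off = -off; exit !(found && off < lim) }'
}

# Usage on the puppetmaster (paths and hostname from sections 3, 5 and 6):
#   vsftpd_anon_write_findings /etc/vsftpd/vsftpd.conf
#   repo_findings /etc/yum.repos.d/rhel-puppet.repo
#   ntp_offset_ok "$(ntpdate -q puppetmaster.kisspuppet.com | tail -n 1)"
```

Run on the configuration from this chapter, the vsftpd check reports all three `anon_*` write options and the repo check reports both `gpgcheck=0` and the `ftp://` baseurl for `[rhel-puppet]`; after the fixes suggested above, both functions return 0.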

---

/puppet_learning_base4.md:

#### Puppet Basics 4: Installing, Configuring and Using Puppet

The groundwork for Puppet (network, name resolution, yum repository, NTP) was completed in the previous chapter, so now we install Puppet itself. That is straightforward: the official yum repository exists, and you only need to download the packages you need and turn them into a local repository.
**Note:** this lab uses custom certnames throughout; if none is set, the default is the value of the system hostname.

## 1. Install the puppetmaster ##
**1. Install puppet-server, puppet and facter**

    [root@puppetmaster ~]# yum install puppet puppet-server facter -y    # pulls in the required ruby dependencies

**2. Configure puppet.conf**
**Note:** two certnames are configured here. The one under `[master]` is the master's name, which all nodes authenticate against; the one under `[agent]` is the name of the master's own agent. If the latter is not configured, it defaults to the same name as the master.

    [root@puppetmaster ~]# cp /etc/puppet/puppet.conf{,.bak}    # back up
    [root@puppetmaster ~]# vim /etc/puppet/puppet.conf    # comments removed
    [main]
    logdir = /var/log/puppet    # default log path
    rundir = /var/run/puppet    # pid path
    ssldir = $vardir/ssl        # certificate directory; $vardir defaults to /var/lib/puppet
    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = puppetmaster.kisspuppet.com    # name of the master the agent connects to; must be resolvable by the node
    certname = puppetmaster_cert.kisspuppet.com    # the agent's own certname
    [master]
    certname = puppetmaster.kisspuppet.com    # the master's certname

**3. Create site.pp**
site.pp is where Puppet starts reading the manifests of all modules; before version 3.0 it must exist or the service will not start.

    [root@puppetmaster ~]# touch /etc/puppet/manifests/site.pp

**4. Start the puppetmaster service**

    [root@puppetmaster ~]# /etc/init.d/puppetmaster start
    Starting puppetmaster:
    [ OK ]
    [root@puppetmaster ~]# chkconfig puppetmaster on    # start at boot

**5. Check the local certificates**
On first start the puppetmaster creates its CA, issues itself a certificate and signs it automatically.

    [root@puppetmaster ~]# tree /var/lib/puppet/ssl/
    /var/lib/puppet/ssl/
    ├── ca
    │   ├── ca_crl.pem
    │   ├── ca_crt.pem
    │   ├── ca_key.pem
    │   ├── ca_pub.pem
    │   ├── inventory.txt
    │   ├── private
    │   │   └── ca.pass
    │   ├── requests
    │   ├── serial
    │   └── signed
    │       └── puppetmaster.kisspuppet.com.pem    # signed
    ├── certificate_requests
    ├── certs
    │   ├── ca.pem
    │   └── puppetmaster.kisspuppet.com.pem
    ├── crl.pem
    ├── private
    ├── private_keys
    │   └── puppetmaster.kisspuppet.com.pem
    └── public_keys
        └── puppetmaster.kisspuppet.com.pem

    9 directories, 13 files
    [root@puppetmaster ~]# puppet cert --list --all    # a leading + marks a signed certificate
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

`ca/ca_key.pem` (and the `ca.pass` that protects it) is the trust root for the whole fleet: whoever holds it can issue a certificate for any certname, impersonate any node, or stand up a master the agents will trust. Back it up, but nowhere that the nodes or the FTP share can reach.

**6. Check the listening socket**
Once the puppetmaster is up it listens on TCP port 8140 by default.

    [root@puppetmaster ~]# netstat -nlatp | grep 8140
    tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 1976/ruby
    [root@puppetmaster ~]# lsof -i:8140
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    puppetmas 1976 puppet 5u IPv4 14331 0t0 TCP *:8140 (LISTEN)


## 2. Install the agent ##
Using agent1 as the example.

**1. Install puppet and facter**

    [root@agent1 ~]# yum install puppet facter    # pulls in the required ruby dependencies

**2. Configure puppet.conf**

    [root@agent1 ~]# cp /etc/puppet/puppet.conf{,.bak}
    [root@agent1 ~]# vim /etc/puppet/puppet.conf
    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = puppetmaster.kisspuppet.com    # points at the puppetmaster
    certname = agent1_cert.kisspuppet.com    # this node's certname

**3. Start the node in test mode so it sends a certificate request to the puppetmaster**

    [root@agent1 ~]# puppet agent --test
    info: Creating a new SSL key for agent1_cert.kisspuppet.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
    info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
    Exiting; no certificate found and waitforcert is disabled


**4. Approve the request on the server**

    [root@puppetmaster ~]# puppet cert --list --all    # show pending requests and signed certificates
    "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)    # not yet signed
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

    [root@puppetmaster ~]# puppet cert --sign agent1_cert.kisspuppet.com    # sign agent1
    notice: Signed certificate request for agent1_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'

    [root@puppetmaster ~]# puppet cert --list --all    # check again
    + "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

The fingerprint the agent printed (69:D2:…) is the fingerprint of its certificate request, and `puppet cert --list` shows the same value next to the pending name. That comparison is the whole point of signing by hand: the certname in a request is whatever the requester put in its puppet.conf, so only a matching fingerprint tells you the request came from the machine you just set up. After signing, the list shows the fingerprint of the issued certificate (3E:46:…), which is why the value changes.

    [root@puppetmaster ~]# tree /var/lib/puppet/ssl/    # another way to see what has been signed
    /var/lib/puppet/ssl/
    ├── ca
    │   ├── ca_crl.pem
    │   ├── ca_crt.pem
    │   ├── ca_key.pem
    │   ├── ca_pub.pem
    │   ├── inventory.txt
    │   ├── private
    │   │   └── ca.pass
    │   ├── requests
    │   ├── serial
    │   └── signed
    │       ├── agent1_cert.kisspuppet.com.pem    # signed
    │       └── puppetmaster.kisspuppet.com.pem
    ├── certificate_requests
    ├── certs
    │   ├── ca.pem
    │   └── puppetmaster.kisspuppet.com.pem
    ├── crl.pem
    ├── private
    ├── private_keys
    │   └── puppetmaster.kisspuppet.com.pem
    └── public_keys
        └── puppetmaster.kisspuppet.com.pem

    9 directories, 14 files

**5. Register the remaining nodes together**

    [root@puppetmaster ~]# puppet agent --test    # the puppetmaster requests a certificate for its own agent
    info: Creating a new SSL key for puppetmaster_cert.kisspuppet.com
    info: Creating a new SSL certificate request for puppetmaster_cert.kisspuppet.com
    info: Certificate Request fingerprint (md5): 7D:AC:F7:97:04:2B:E4:C5:74:4A:16:05:DB:F6:6A:98
    Exiting; no certificate found and waitforcert is disabled

    [root@puppetmaster ~]# puppet cert --sign --all    # sign every pending request
    notice: Signed certificate request for puppetmaster_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest puppetmaster_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/puppetmaster_cert.kisspuppet.com.pem'
    notice: Signed certificate request for agent2_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent2_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent2_cert.kisspuppet.com.pem'
    notice: Signed certificate request for agent3_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent3_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent3_cert.kisspuppet.com.pem'

    [root@puppetmaster ~]# puppet cert --list --all    # all nodes signed
    + "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
    + "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
    + "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

`--sign --all` signs everything in the queue, expected or not; run `puppet cert --list` first (pending requests are the lines without a `+`) and make sure every name and fingerprint is one you recognise.

## 3. Write a simple motd module ##
**1. Create the module directory structure**
**Note:** if no modulepath is specified, there is a default search path, which can be seen as follows:

    [root@puppetmaster ~]# puppet master --genconfig >/etc/puppet/puppet.conf.out
    [root@puppetmaster ~]# cat /etc/puppet/puppet.conf.out | grep modulepath
    modulepath = /etc/puppet/modules:/usr/share/puppet/modules

    [root@puppetmaster modules]# tree /etc/puppet/modules/
    /etc/puppet/modules/
    └── motd
        ├── files            # files served to nodes
        │   └── etc
        │       └── motd
        ├── manifests        # the module's .pp manifests
        │   └── init.pp
        └── templates        # templates

    5 directories, 2 files

**2. Write the manifest**

    [root@puppetmaster modules]# vim motd/manifests/init.pp
    class motd {                       # define a class named motd
      package { 'setup':               # package resource
        ensure => present,             # the setup package must be installed
      }
      file { '/etc/motd':              # file resource
        ensure  => present,            # the file must exist
        owner   => 'root',             # owner root
        group   => 'root',             # group root
        mode    => '0644',             # permissions 0644
        source  => "puppet://$puppetserver/modules/motd/etc/motd",    # content fetched from the puppetmaster
        require => Package['setup'],   # the package resource is applied before this file
      }
    }

    [root@puppetmaster modules]# cat motd/files/etc/motd
    -- --
    --------puppet test---------
    -- --

**3. Write site.pp**

    [root@puppetmaster ~]# vim /etc/puppet/manifests/site.pp

    $puppetserver = 'puppetmaster.kisspuppet.com'    # global variable
    node 'puppetmaster_cert.kisspuppet.com' {
      include motd
    }
    node 'agent1_cert.kisspuppet.com' {
      include motd
    }

    node 'agent2_cert.kisspuppet.com' {
      include motd
    }

    node 'agent3_cert.kisspuppet.com' {
      include motd
    }


## 4. Test the motd module ##

    [root@agent1 ~]# puppet agent --test    # test node agent1
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394304542'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd 2000-01-13 07:18:52.000000000 +0800
    +++ /tmp/puppet-file20140309-4571-1vqc18j-0 2014-03-09 02:51:47.000000000 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    notice: Finished catalog run in 0.40 seconds

    [root@agent1 ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --
    [root@agent1 ~]#


    [root@puppetmaster ~]# puppet agent -t    # test the puppetmaster node
    info: Caching catalog for puppetmaster_cert.kisspuppet.com
    info: Applying configuration version '1394305371'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd 2010-01-12 21:28:22.000000000 +0800
    +++ /tmp/puppet-file20140309-3102-1gadon0-0 2014-03-09 03:02:51.966998294 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    info: Creating state file /var/lib/puppet/state/state.yaml
    notice: Finished catalog run in 0.52 seconds
    [root@puppetmaster ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --

---

/puppet_learning_base5.md:

#### Puppet Basics 5: Establishing the Trust Relationship Between Master and Agent

There are basically three ways to register a Puppet agent: autosigning, manual signing and pre-signing. [Puppet Basics 4: Installing, Configuring and Using Puppet](http://kisspuppet.com/2014/03/08/puppet_learning_base4/) used manual signing. The method determines how much effort registration takes, and the security of each is different.


## 1. Manual signing ##
With manual signing the agent first sends a certificate request, and the puppet server must approve it before the agent is registered. The security of this method is moderate. Signing one node at a time (`puppet cert --sign certname`) is tedious and slow when there are many nodes; signing in bulk (`puppet cert --sign --all`) is very fast and approves every pending agent request in one go, but it is less secure, because bogus requests are signed along with the rest. What makes manual signing worth anything is the fingerprint check: the agent prints the md5 fingerprint of its request, and `puppet cert --list` shows the same value next to the pending name. A request whose fingerprint you cannot match to a machine you provisioned should not be signed, since the certname in it is chosen by whoever sent it.

**1. The node requests registration**

    [root@agent1 ~]# puppet agent --test
    info: Creating a new SSL key for agent1_cert.kisspuppet.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
    info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
    Exiting; no certificate found and waitforcert is disabled

**2. Approve on the server**

    [root@puppetmaster ~]# puppet cert --list --all    # show pending requests and signed certificates
    "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)    # not yet signed
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

    [root@puppetmaster ~]# puppet cert --sign agent1_cert.kisspuppet.com    # sign agent1
    notice: Signed certificate request for agent1_cert.kisspuppet.com    # the requested certificate is now issued
    notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'    # the request is removed

    [root@puppetmaster ~]# puppet cert --list --all    # check again
    + "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")

    [root@puppetmaster ~]# tree /var/lib/puppet/ssl/    # another way to see what has been signed
    /var/lib/puppet/ssl/
    ├── ca
    │   ├── ca_crl.pem
    │   ├── ca_crt.pem
    │   ├── ca_key.pem
    │   ├── ca_pub.pem
    │   ├── inventory.txt
    │   ├── private
    │   │   └── ca.pass
    │   ├── requests
    │   ├── serial
    │   └── signed
    │       ├── agent1_cert.kisspuppet.com.pem    # signed
    │       └── puppetmaster.kisspuppet.com.pem
    ├── certificate_requests
    ├── certs
    │   ├── ca.pem
    │   └── puppetmaster.kisspuppet.com.pem
    ├── crl.pem
    ├── private
    ├── private_keys
    │   └── puppetmaster.kisspuppet.com.pem
    └── public_keys
        └── puppetmaster.kisspuppet.com.pem

    9 directories, 14 files


**3. Test the motd module**

    [root@agent1 ~]# puppet agent --test    # test node agent1
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394304542'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd 2000-01-13 07:18:52.000000000 +0800
    +++ /tmp/puppet-file20140309-4571-1vqc18j-0 2014-03-09 02:51:47.000000000 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    notice: Finished catalog run in 0.40 seconds

## 2. Autosigning ##
Put simply, this method is controlled by an ACL on the puppetmaster and its security is low: every request that matches the predefined ACL is signed automatically, without confirmation. In other words, anyone who knows what the ACL requires and can talk to the puppetmaster can register without difficulty. Its great advantage is efficiency. Be clear about what the ACL matches: only the certname string in the request, which the requester chose in its own puppet.conf, not the source address or anything the master can verify. With `*.kisspuppet.com`, any host that can reach port 8140 and sets `certname = anything.kisspuppet.com` receives a signed certificate and, with it, the catalog (including any secrets) intended for that node name.
**1. Remove agent1's registered certificate on the puppetmaster**

    [root@puppetmaster ~]# puppet cert --clean agent1_cert.kisspuppet.com
    notice: Revoked certificate with serial 3
    notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/signed/agent1_cert.kisspuppet.com.pem'
    notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem'

    [root@puppetmaster ~]# puppet cert --list --all    # agent1's certificate is gone
    + "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
    + "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

**2. Delete the registered certificate on agent1**

    [root@agent1 ~]# rm -rf /var/lib/puppet/ssl/*

**3. Write the ACL on the puppetmaster**

    [root@puppetmaster ~]# vim /etc/puppet/autosign.conf
    *.kisspuppet.com
    [root@puppetmaster ~]# /etc/init.d/puppetmaster restart
    Stopping puppetmaster: [ OK ]
    Starting puppetmaster: [ OK ]
    [root@puppetmaster ~]# puppet cert --list --all

**4. Autosign**

    [root@agent1 ~]# puppet agent --test    # request a certificate
    info: Creating a new SSL key for agent1_cert.kisspuppet.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
    info: Certificate Request fingerprint (md5): ED:C9:C7:DF:F1:0E:53:1C:D3:73:5D:B7:D3:94:1F:60
    info: Caching certificate for agent1_cert.kisspuppet.com
    info: Caching certificate_revocation_list for ca
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: Finished catalog run in 1.39 seconds
    [root@agent1 ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --

The request was signed and the catalog applied in the same run; /etc/motd is unchanged because its content was already correct from the earlier run.

**5. Check on the server**

    [root@puppetmaster ~]# puppet cert --list --all    # agent1 has been autosigned
    + "agent1_cert.kisspuppet.com" (9E:1A:2B:48:26:7D:26:8D:1D:F5:5E:34:A1:6B:13:5F)
    + "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
    + "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
    + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
    + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

**6. Test on the node**

    [root@agent1 ~]# >/etc/motd    # empty the file
    [root@agent1 ~]# puppet agent --test
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd 2014-03-09 17:59:02.000000000 +0800
    +++ /tmp/puppet-file20140309-3678-15tazyj-0 2014-03-09 17:59:06.000000000 +0800
@@ -0,0 +1,3 @@ 144 | +-- -- 145 | +--------puppet test--------- 146 | +-- -- 147 | 148 | info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e 149 | info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e 150 | notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1' 151 | notice: Finished catalog run in 0.42 seconds 152 | [root@agent1 ~]# cat /etc/motd #文件内容已经生成 153 | -- -- 154 | --------puppet test--------- 155 | -- -- 156 | 157 | 158 | ## 三、预签名注册 ## 159 | 预签名注册是在agent端未提出申请的情况下,预先在puppetmaster端生成agent端的证书,然后复制到节点对应的目录下即可注册成功,这种方式安全系数最高,但是操作麻烦,需要提前预知所有节点服务器的certname名称,其次需要将生成的证书逐步copy到所有节点上去。不过,如果你的系统中安装了kickstart或者cobbler这样的自动化工具,倒是可以将证书部分转换成脚本集成到统一自动化部署中 160 | **注:**生产环境中建议此方式进行注册,既安全又可靠! 161 | 162 | **1、清除PuppetMaster端已经注册的agent1的证书** 163 | 164 | [root@puppetmaster ~]# puppet cert --clean agent1_cert.kisspuppet.com 165 | notice: Revoked certificate with serial 3 166 | notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/signed/agent1_cert.kisspuppet.com.pem' 167 | notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem' 168 | 169 | [root@puppetmaster ~]# puppet cert --list --all #agent1证书已经删除 170 | + "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7) 171 | + "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0) 172 | + "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com") 173 | + "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB) 174 | 175 | **2、在agent1端删除注册的所有信息,包括证书** 176 | 177 | [root@agent1 ~]# rm -rf /var/lib/puppet/* 178 | 179 | **3、删除自动注册ACL列表** 180 | 181 | 
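Step 3 moves the autosign.conf written in section 2 out of the way. Before deciding whether an ACL such as `*.kisspuppet.com` is acceptable at all, it helps to see exactly which certnames it commits the CA to signing, since a certname is chosen by the requesting client. The following Python example is added here and is not code from the book or from Puppet; it parses an autosign.conf, answers "would this certname be signed unattended?" and flags entries that sign on behalf of names the administrator never listed one by one. It models the entry forms the book uses, a full certname and a `*.domain` glob, plus a bare `*`; IP-address entries are not handled, the label-based suffix matching is my own assumption rather than a copy of Puppet's matcher, and the sample file is constructed.

```python
"""Audit a Puppet autosign.conf and show which certnames it would sign.

Added example, not code from the book or from Puppet itself. Entry forms
modelled (an assumption based on the book's usage): a full certname, a domain
glob such as `*.kisspuppet.com`, or a bare `*`. `#` comments and blank lines
are ignored; IP-address entries are not modelled.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    entry: str
    reason: str


def parse_autosign(text: str) -> List[str]:
    """Return the active (non-comment, non-blank) entries of autosign.conf."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def entry_matches(entry: str, certname: str) -> bool:
    """Does one autosign.conf entry accept this certname?

    Matching is done on DNS labels, case-insensitively, so `*.kisspuppet.com`
    accepts `agent1_cert.kisspuppet.com` but not
    `agent1_cert.kisspuppet.com.example.net`.
    """
    entry, certname = entry.lower(), certname.lower()
    if entry == "*":
        return True
    if entry.startswith("*."):
        suffix = entry[2:].split(".")
        labels = certname.split(".")
        # Assumption: the certname needs at least one label in front of the suffix.
        return len(labels) > len(suffix) and labels[-len(suffix):] == suffix
    return entry == certname


def would_autosign(certname: str, entries: Iterable[str]) -> bool:
    """True if any ACL entry lets the CA sign this certname without confirmation."""
    return any(entry_matches(e, certname) for e in entries)


def audit_autosign(text: str) -> List[Finding]:
    """Flag entries that sign names the administrator never listed explicitly."""
    findings = []
    for entry in parse_autosign(text):
        if entry == "*":
            findings.append(Finding(entry, "signs every request: equivalent to having no ACL"))
        elif entry.startswith("*."):
            findings.append(Finding(entry, "domain glob: any client-chosen name under this suffix is signed"))
        elif "*" in entry:
            findings.append(Finding(entry, "wildcard in an unsupported position: review by hand"))
    return findings


# Constructed sample, mirroring the one-line ACL used in section 2 plus one exact name.
SAMPLE_AUTOSIGN_CONF = """\
# autosign.conf on the puppetmaster (constructed sample)
*.kisspuppet.com
build01_cert.kisspuppet.com
"""

if __name__ == "__main__":
    entries = parse_autosign(SAMPLE_AUTOSIGN_CONF)
    for name in ("agent1_cert.kisspuppet.com", "anything.kisspuppet.com",
                 "agent1_cert.kisspuppet.com.example.net"):
        print(f"{name:45s} autosigned={would_autosign(name, entries)}")
    for f in audit_autosign(SAMPLE_AUTOSIGN_CONF):
        print(f"RISK {f.entry}: {f.reason}")
```

Run against a real `/etc/puppet/autosign.conf`, `audit_autosign` returning an empty list means every entry is an explicit certname, which is the only form whose blast radius is one host.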
    [root@puppetmaster ~]# mv /etc/puppet/autosign.conf{,.bak}

**4. Pre-generate the agent1 certificate on the puppetmaster**

    [root@puppetmaster ~]# puppetca --generate agent1_cert.kisspuppet.com
    notice: agent1_cert.kisspuppet.com has a waiting certificate request
    notice: Signed certificate request for agent1_cert.kisspuppet.com
    notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'
    notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certificate_requests/agent1_cert.kisspuppet.com.pem'

**5. Generate the directory structure on the node**

    [root@agent1 ~]# puppet agent --test --server=abc.com    # any server name will do; this only creates the directory structure
    info: Creating a new SSL key for agent1_cert.kisspuppet.com
    err: Could not request certificate: getaddrinfo: Temporary failure in name resolution
    Exiting; failed to retrieve certificate and waitforcert is disabled
    [root@agent1 ~]# tree /var/lib/puppet/ssl/
    /var/lib/puppet/ssl/
    |-- certificate_requests
    |-- certs
    |-- private
    |-- private_keys
    |   `-- agent1_cert.kisspuppet.com.pem
    `-- public_keys
        `-- agent1_cert.kisspuppet.com.pem

    5 directories, 2 files

**6. Copy the certificate files from the puppetmaster to agent1**

    [root@puppetmaster ~]# scp /var/lib/puppet/ssl/private_keys/agent1_cert.kisspuppet.com.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/private_keys/
    agent1_cert.kisspuppet.com.pem                100% 3243     3.2KB/s   00:00
    [root@puppetmaster ~]# scp /var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/certs/
    agent1_cert.kisspuppet.com.pem                100% 1944     1.9KB/s   00:00
    [root@puppetmaster ~]# scp /var/lib/puppet/ssl/certs/ca.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/certs/
    ca.pem                                        100% 1915     1.9KB/s   00:00
    [root@puppetmaster ~]#


**7. Test on agent1**

    [root@agent1 ~]# >/etc/motd
    [root@agent1 ~]# puppet agent --test
    info: Caching certificate_revocation_list for ca
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd	2014-03-09 18:18:10.000000000 +0800
    +++ /tmp/puppet-file20140309-4071-1gypudk-0	2014-03-09 18:18:17.000000000 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    info: Creating state file /var/lib/puppet/state/state.yaml
    notice: Finished catalog run in 0.41 seconds
    [root@agent1 ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --


--------------------------------------------------------------------------------
/puppet_learning_base6.md:
--------------------------------------------------------------------------------
#### Puppet Basics 6: Choosing a Puppet update mode


A C/S-based Puppet deployment is generally updated in one of two ways: either the agent is given a sync interval and actively pulls its configuration from the puppetmaster, or the puppetmaster triggers the update with the `puppet kick` command or through mcollective. The two modes suit different production environments and each has its own character.


## 1. Pull (agent-initiated) updates ##

In pull mode the puppet daemon running on the node contacts the puppetmaster on its own once the preset time has elapsed, and carries on until the update is complete.
This update mode is not easy to control, which shows mainly in the following points:

**Advantages:**

- Nodes update themselves at regular intervals: whoever changes a configuration that puppet manages on a node, it is repaired automatically within the set interval, with no need for an administrator to log in and check.

- The environment is simple to build; no complex architecture is needed, puppet's own C/S setup is enough.

...


**Disadvantages:**

- When there are many nodes, they all send update requests to the puppetmaster at the same time, which makes the puppetmaster a performance bottleneck. There are workarounds, of course, such as scheduled tasks that update the nodes in batches.

- Because nodes fetch their configuration from the puppetmaster at regular intervals, the puppetmaster environment has to be sufficiently secure. Otherwise anyone who logs in and edits a puppet template makes every node apply the change; if someone writes an exec resource with "rm -rf /", the damage is enormous.

- You cannot manually choose which servers are updated and which are not.

...
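The first advantage listed above, that drift is repaired within the sync interval, only holds while every agent is actually checking in; an agent that someone stopped, that cannot reach the puppetmaster, or whose puppet.conf was edited silently stops self-repairing, and nothing on the puppetmaster side complains. The following Python example is added here and is not code from the book: it reads the `puppet-agent ... Finished catalog run` lines that the agent writes to /var/log/messages (the format shown in the runinterval test below), reports the observed run interval per host, and flags hosts that are overdue relative to their runinterval or that never reported at all. The agent1 lines are taken from the book's log excerpt; the agent2 lines, the expected host list and the "now" timestamp are constructed.

```python
"""Detect Puppet agents that have stopped checking in.

Added example, not code from the book. Input is syslog-style lines from
/var/log/messages as written by puppet-agent 2.7; the year is not part of a
syslog timestamp, so the caller supplies it.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"puppet-agent\[\d+\]: Finished catalog run in (?P<secs>[\d.]+) seconds$"
)


def parse_runs(lines: Iterable[str], year: int) -> Dict[str, List[datetime]]:
    """Map host -> sorted completion times of its catalog runs."""
    runs: Dict[str, List[datetime]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # kernel, smartd, avahi and other unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        runs.setdefault(m.group("host"), []).append(ts)
    for times in runs.values():
        times.sort()
    return runs


def observed_intervals(times: List[datetime]) -> List[float]:
    """Seconds between consecutive runs; should hover around runinterval."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def overdue_hosts(runs: Dict[str, List[datetime]], now: datetime,
                  runinterval: int, tolerance: float = 2.0) -> List[str]:
    """Hosts whose last run is older than tolerance * runinterval seconds.

    Two missed intervals is a reasonable default: one miss can be splay or a
    slow catalog, two in a row usually means the agent is stopped, cannot
    reach the master, or its configuration was changed.
    """
    limit = timedelta(seconds=runinterval * tolerance)
    return sorted(h for h, t in runs.items() if now - t[-1] > limit)


def expected_hosts_missing(runs: Dict[str, List[datetime]],
                           expected: Iterable[str]) -> List[str]:
    """Hosts that should report but have never logged a run at all."""
    return sorted(set(expected) - set(runs))


# Constructed sample: agent1 lines are from the book's excerpt (runinterval = 10);
# agent2 stops reporting after two runs; agent3 never reports.
SAMPLE_LOG = """\
Mar 11 23:44:11 agent1 puppet-agent[3210]: Reopening log files
Mar 11 23:44:12 agent1 puppet-agent[3210]: Starting Puppet client version 2.7.25
Mar 11 23:44:16 agent1 puppet-agent[3210]: Finished catalog run in 1.53 seconds
Mar 11 23:44:18 agent2 puppet-agent[2871]: Finished catalog run in 0.88 seconds
Mar 11 23:44:29 agent1 puppet-agent[3210]: Finished catalog run in 0.96 seconds
Mar 11 23:44:29 agent2 puppet-agent[2871]: Finished catalog run in 0.31 seconds
Mar 11 23:44:40 agent1 puppet-agent[3210]: Finished catalog run in 0.20 seconds
Mar 11 23:44:51 agent1 puppet-agent[3210]: Finished catalog run in 0.24 seconds
Mar 11 23:45:02 agent1 puppet-agent[3210]: Finished catalog run in 0.21 seconds
Mar 11 23:45:13 agent1 puppet-agent[3210]: Finished catalog run in 0.22 seconds
""".splitlines()


def sample_report() -> dict:
    """Run the checks over SAMPLE_LOG as of 23:45:15 on the same (constructed) day."""
    runs = parse_runs(SAMPLE_LOG, 2014)
    now = datetime(2014, 3, 11, 23, 45, 15)
    return {
        "intervals": {h: observed_intervals(t) for h, t in runs.items()},
        "overdue": overdue_hosts(runs, now, runinterval=10),
        "missing": expected_hosts_missing(runs, ["agent1", "agent2", "agent3"]),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On a real system the agents log to their own /var/log/messages, so this is meant to run on a central syslog collector; the same parse works on the puppetmaster's reports directory if you prefer the server-side view.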

Configuring automatic updates is very simple: add a runinterval field to the node's puppet.conf and the agent will update on its own. The following steps are a quick test.

**Note:** by default puppet.conf contains no runinterval field; when it is not set, the agent syncs once every 30 minutes.

**1. Add the runinterval field**

To make testing convenient it can be set to 10 seconds.

    [root@agent1 ~]# vim /etc/puppet/puppet.conf
    [main]
        logdir = /var/log/puppet
        rundir = /var/run/puppet
        ssldir = $vardir/ssl

    [agent]
        classfile = $vardir/classes.txt
        localconfig = $vardir/localconfig
        server = puppetmaster.kisspuppet.com
        certname = agent1_cert.kisspuppet.com
        runinterval = 10    # sync interval, in seconds

**2. Start the puppet agent service**

    [root@agent1 ~]# /etc/init.d/puppet start
    Starting puppet:                                           [  OK  ]

**3. Watch the sync status in the messages log**

In the log you can see agent1 syncing with the puppetmaster every 10 seconds.

    [root@agent1 ~]# tailf /var/log/messages
    Mar 11 23:39:42 agent1 kernel: ide: failed opcode was: 0xec
    Mar 11 23:39:42 agent1 smartd[3110]: Device: /dev/hdc, not ATA, no IDENTIFY DEVICE Structure
    Mar 11 23:39:42 agent1 smartd[3110]: Device: /dev/sda, opened
    Mar 11 23:39:42 agent1 smartd[3110]: Device: /dev/sda, IE (SMART) not enabled, skip device Try 'smartctl -s on /dev/sda' to turn on SMART features
    Mar 11 23:39:42 agent1 smartd[3110]: Monitoring 0 ATA and 0 SCSI devices
    Mar 11 23:39:42 agent1 smartd[3112]: smartd has fork()ed into background mode. New PID=3112.
    Mar 11 23:39:42 agent1 avahi-daemon[3076]: Server startup complete. Host name is agent1.local. Local service cookie is 773321440.
    Mar 11 23:44:11 agent1 puppet-agent[3210]: Reopening log files
    Mar 11 23:44:12 agent1 puppet-agent[3210]: Starting Puppet client version 2.7.25
    Mar 11 23:44:16 agent1 puppet-agent[3210]: Finished catalog run in 1.53 seconds
    Mar 11 23:44:29 agent1 puppet-agent[3210]: Finished catalog run in 0.96 seconds
    Mar 11 23:44:40 agent1 puppet-agent[3210]: Finished catalog run in 0.20 seconds
    Mar 11 23:44:51 agent1 puppet-agent[3210]: Finished catalog run in 0.24 seconds
    Mar 11 23:45:02 agent1 puppet-agent[3210]: Finished catalog run in 0.21 seconds
    Mar 11 23:45:13 agent1 puppet-agent[3210]: Finished catalog run in 0.22 seconds

**4. Test from the command line**

Again, it syncs once every 10 seconds.

    [root@agent1 ~]# /etc/init.d/puppet stop
    Stopping puppet:                                           [  OK  ]
    [root@agent1 ~]# puppet agent --verbose --no-daemonize
    notice: Starting Puppet client version 2.7.25
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: Finished catalog run in 0.21 seconds
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: Finished catalog run in 0.20 seconds
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: Finished catalog run in 0.20 seconds
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: Finished catalog run in 0.21 seconds
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1394359075'
    notice: Finished catalog run in 0.21 seconds


## 2. Push updates ##

Push updating means using puppet kick or mcollective to control when nodes fetch configuration changes from the puppetmaster. This mode is comparatively easy to control, which shows mainly in the following points:

**Advantages:**

- The update cycle of the nodes is very easy to control.

- Security is comparatively high: before each update the code can be checked first and only then pushed.

- Updates can be pushed to one particular cluster (a group of servers), which is very flexible.

- It is highly extensible and can be integrated with all kinds of other platforms.

...

**Disadvantages:**

- The environment is more complex to build; quite a lot of components need to be deployed.

- When an agent's configuration is tampered with, a manual trigger is needed to restore it; it is not restored promptly.

...


**1. The puppet kick method**

puppet kick triggers updates from a command run on the puppetmaster. Because its locking problem is hard to solve and its per-host control is not very flexible, it has gradually been abandoned; puppetlabs saw this too, which is why it acquired mcollective. Many companies still use it, though, so here are a couple of references:

[http://purplegrape.blog.51cto.com/1330104/1179358](http://purplegrape.blog.51cto.com/1330104/1179358)

[http://dreamfire.blog.51cto.com/418026/1279878](http://dreamfire.blog.51cto.com/418026/1279878)

**2. Triggering through mcollective**

This requires an mcollective + MQ setup. Once it is in place, the mco command passes the puppet command to the MQ, which distributes it to a group of nodes. Building the mcollective + MQ architecture is explained in detail in part three; you can also refer to an earlier article of mine: [http://kisspuppet.com/2013/11/10/mcollective-middleware/](http://kisspuppet.com/2013/11/10/mcollective-middleware/)

    [root@webui ~]# mco puppet -v runonce
    Discovering hosts using the mc method for 2 second(s) .... 3

     * [ ============================================================> ] 3 / 3


    node3.rsyslog.org                        : OK
        {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

    node2.rsyslog.org                        : OK
        {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

    node1.rsyslog.org                        : OK
        {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}



    ---- rpc stats ----
               Nodes: 3 / 3
         Pass / Fail: 3 / 0
          Start Time: Tue Mar 11 17:40:56 +0800 2014
      Discovery Time: 2003.85ms
          Agent Time: 1132.44ms
          Total Time: 3136.29ms

**3. Triggering updates wrapped in a WebUI**

Kermit: a very polished web framework built on MCollective and Puppet together with Django and REST (covered in part four)
![Kermit architecture](http://kisspuppet.com/img/kermit-MCollective.png)


The operator interface once it is set up

Select the puppet plugin
![Kermit interface](http://kisspuppet.com/img/kermit-1.jpg)

Run the puppet push action
![Kermit interface](http://kisspuppet.com/img/kermit-2.jpg)

The run in progress
![Kermit interface](http://kisspuppet.com/img/kermit-3.jpg)

The results
![Kermit interface](http://kisspuppet.com/img/kermit-4.jpg)



--------------------------------------------------------------------------------
/puppet_learning_base8.md:
--------------------------------------------------------------------------------
#### Puppet Basics 8: Writing a second complete test module: yum


# To do good work, one must first sharpen one's tools #

The previous section covered the puppet module, which is part of puppet's base environment. Another module that affects the base environment is the yum repository; that applies to RedHat systems, of course, while on SLES you would configure zypper repositories instead, and likewise for other Linux distributions. So which resources does configuring a yum repository need?

When writing the puppet module we used the file, service and package resources. Can these three satisfy the yum module? Certainly. However, puppetlabs provides a dedicated yumrepo resource that manages a repo file down to each individual line and is very convenient to use, so below we build the yum module with the official yumrepo resource.

**Note:** the previous section showed step by step how to create a complete module; to avoid repetition, this section just pastes the configuration.



## 1. Things to consider before configuring ##

1. The yum package must be installed;

2. The main yum configuration file yum.conf must be configured correctly;

3. Every host has at least two repos: one pointing to the local ISO and one pointing to a custom puppet repo;

4. Some parameters in the repo files, such as baseurl, differ slightly between system versions.

## 2. Create the yum module ##

**1. Create the yum module's directory structure**

    [root@puppetmaster modules]# tree yum
    yum
    ├── files
    ├── manifests
    └── templates

    3 directories, 0 files

**2. Create the package resource**

    [root@puppetmaster manifests]# vim install.pp

    class yum::install {
      package { 'yum':
        ensure => installed,    # the yum package must be installed
      }
    }

**3. Create params.pp**

Define the entries of the repo file according to the operating system version.

e.g.
    [root@agent1 ~]# facter | grep operatingsystemrelease    # the system-version fact
    operatingsystemrelease => 5.7

Because there are several RedHat versions, each pointing at a different yum source and using a different GPG key file, it is best to define some variables and then reference them. Only the variables for versions 5.7, 5.8 and 6.4 are defined below; other versions can be added in the same way.

    [root@puppetmaster manifests]# vim params.pp
    class yum::params {
      case $operatingsystemrelease {
        '5.7': {
          $yum_redhat_descr        = 'rhel base rpm packages'         # description of the RedHat ISO repo
          $yum_puppet_descr        = 'puppet rpm packages for rhel'   # description of the puppet repo
          $yum_redhat_pki          = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release-rhel5'   # gpgkey URL of the RedHat ISO repo
          $yum_redhat_baseurl      = 'file:///media/cdrom/Server'     # baseurl of the RedHat ISO repo
          $yum_puppet_baseurl      = 'ftp://puppetmaster.kisspuppet.com/RHEL5U7'   # baseurl of the puppet repo
          $yum_redhat_pki_name     = '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release-rhel5'   # path of the RedHat GPG key file on the node
          $yum_redhat_pki_download = 'puppet:///modules/yum/PM-GPG-KEY/RPM-GPG-KEY-redhat-release-rhel5'   # where the node downloads the GPG key file from on the puppetmaster
        }

        '5.8': {
          $yum_redhat_descr        = 'rhel base rpm packages'
          $yum_puppet_descr        = 'puppet rpm packages for rhel'
          $yum_redhat_pki          = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release-rhel5'
          $yum_redhat_baseurl      = 'file:///media/cdrom/Server'
          $yum_puppet_baseurl      = 'ftp://puppetmaster.kisspuppet.com/RHEL5U8'
          $yum_redhat_pki_name     = '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release-rhel5'
          $yum_redhat_pki_download = 'puppet:///modules/yum/PM-GPG-KEY/RPM-GPG-KEY-redhat-release-rhel5'
        }

        '6.4': {
          $yum_redhat_descr        = 'rhel base rpm packages'
          $yum_puppet_descr        = 'puppet rpm packages for rhel'
          $yum_redhat_pki          = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release-rhel6'
          $yum_redhat_baseurl      = 'file:///media/cdrom'
          $yum_puppet_baseurl      = 'ftp://puppetmaster.kisspuppet.com/RHEL6U4'
          $yum_redhat_pki_name     = '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release-rhel6'
          $yum_redhat_pki_download = 'puppet:///modules/yum/PM-GPG-KEY/RPM-GPG-KEY-redhat-release-rhel6'
        }
        default: {    # any other version fails with the error below, which also helps when debugging
          fail("Module yum is not supported on ${::operatingsystem}")
        }
      }
    }

**4. Create the config.pp file**

config.pp manages the main yum configuration file yum.conf, the attributes of the repo files, the attributes and download location of the GPG key file, and the yumrepo sources.

    [root@puppetmaster manifests]# vim config.pp
    class yum::config {
      include yum::params    # pull in class yum::params
      include yum::config_file,yum::config_key,yum::config_repo
    }

    class yum::config_file {
      file { '/etc/yum.conf':    # file resource managing the main yum configuration file yum.conf
        ensure  => present,    # the file must exist
        owner   => 'root',     # owner root
        group   => 'root',     # group root
        mode    => '0644',     # permissions 644
        source  => 'puppet:///modules/yum/etc/yum.conf',    # fetched from the given directory on the puppetmaster
        require => Class['yum::install'],    # the yum package must be installed before this is configured
      }
      file { '/etc/yum.repos.d/rhel-base.repo':    # attributes of the ISO repo file
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        require => Class['yum::config_repo'],    # the yumrepo resource rhel-base must exist before these attributes are set
      }
      file { '/etc/yum.repos.d/rhel-puppet.repo':    # attributes of the puppet repo file
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        require => Class['yum::config_repo'],    # the yumrepo resource rhel-puppet must exist before these attributes are set
      }
    }
    class yum::config_key {    # attributes and download location of the GPG key file
      file { $yum::params::yum_redhat_pki_name:
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
        source => $yum::params::yum_redhat_pki_download,
      }
    }
    class yum::config_repo {
      yumrepo { 'rhel-base':    # yumrepo resource rhel-base
        descr    => $yum::params::yum_redhat_descr,     # description
        baseurl  => $yum::params::yum_redhat_baseurl,   # download URL of the repo
        enabled  => 1,    # enable the repo
        gpgcheck => 1,    # require GPG signature checks
        gpgkey   => $yum::params::yum_redhat_pki,    # location of the GPG key file
        require  => Class['yum::config_key'],    # the key file must exist first
        priority => 1,    # repo priority 1 (lower number = higher priority)
      }
      yumrepo { 'rhel-puppet':
        descr    => $yum::params::yum_puppet_descr,
        baseurl  => $yum::params::yum_puppet_baseurl,
        enabled  => 1,
        gpgcheck => 0,
        priority => 2,
      }
    }

**5. Create the init.pp file**

Because the variable names defined in params.pp are long to reference, init.pp can give them shorter names for convenience.

    class yum(
      $yum_redhat_descr        = $yum::params::yum_redhat_descr,
      $yum_puppet_descr        = $yum::params::yum_puppet_descr,
      $yum_redhat_pki          = $yum::params::yum_redhat_pki,
      $yum_redhat_baseurl      = $yum::params::yum_redhat_baseurl,
      $yum_puppet_baseurl      = $yum::params::yum_puppet_baseurl,
      $yum_redhat_pki_name     = $yum::params::yum_redhat_pki_name,
      $yum_redhat_pki_download = $yum::params::yum_redhat_pki_download
    ) inherits yum::params {    # the defaults above come from class yum::params
      include yum::config,yum::install    # include all sub-classes
    }

Therefore the classes yum::config_key and yum::config_repo defined above can be written in the following form:

    # The short names below resolve through dynamic scoping, which Puppet 2.7
    # still supports; Puppet 3 removed it, and there they must be written as
    # $yum::yum_redhat_pki_name and so on.
    class yum::config_key {    # attributes and download location of the GPG key file
      file { $yum_redhat_pki_name:
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
        source => $yum_redhat_pki_download,
      }
    }

    class yum::config_repo {
      yumrepo { 'rhel-base':    # yumrepo resource rhel-base
        descr    => $yum_redhat_descr,     # description
        baseurl  => $yum_redhat_baseurl,   # download URL of the repo
        enabled  => 1,    # enable the repo
        gpgcheck => 1,    # require GPG signature checks
        gpgkey   => $yum_redhat_pki,    # location of the GPG key file
        require  => Class['yum::config_key'],    # the key file must exist first
        priority => 1,    # repo priority 1 (lower number = higher priority)
      }
      yumrepo { 'rhel-puppet':
        descr    => $yum_puppet_descr,
        baseurl  => $yum_puppet_baseurl,
        enabled  => 1,
        gpgcheck => 0,
        priority => 2,
      }
    }

**6. Create the yum.conf and GPG key files**

    [root@puppetmaster yum]# tree files
    files
    ├── etc
    │   └── yum.conf    # copy a yum.conf from a node's /etc/ directory and manage it from here
    └── PM-GPG-KEY
        ├── RPM-GPG-KEY-puppet-release    # create your own GPG key file; search the web for how
        ├── RPM-GPG-KEY-redhat-release-rhel5    # RHEL5 ships this key in /etc/pki/rpm-gpg/; copy it under this name
        └── RPM-GPG-KEY-redhat-release-rhel6    # RHEL6 ships this key in /etc/pki/rpm-gpg/; copy it under this name

    2 directories, 4 files

**7. Apply it to the nodes**

    [root@puppetmaster modules]# vim /etc/puppet/manifests/site.pp

    $puppetmaster = 'puppetmaster.kisspuppet.com'

    class environments {
      include motd,puppet,yum
    }

    node default {
      include environments
    }

**8. Test on agent1**

    [root@agent1 yum.repos.d]# mv * /tmp/    # move all repo files to /tmp
    [root@agent1 yum.repos.d]# puppet agent -t    # run puppet once; the log below shows the updates
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1395696487'
    info: create new repo rhel-puppet in file /etc/yum.repos.d/rhel-puppet.repo
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-puppet]/descr: descr changed '' to 'puppet rpm packages for rhel'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-puppet]/baseurl: baseurl changed '' to 'ftp://puppetmaster.kisspuppet.com/RHEL5U7'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-puppet]/enabled: enabled changed '' to '1'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-puppet]/gpgcheck: gpgcheck changed '' to '0'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-puppet]/priority: priority changed '' to '2'
    info: changing mode of /etc/yum.repos.d/rhel-puppet.repo from 600 to 644
    info: create new repo rhel-base in file /etc/yum.repos.d/rhel-base.repo
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-base]/descr: descr changed '' to 'rhel base rpm packages'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-base]/baseurl: baseurl changed '' to 'file:///media/cdrom/Server'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-base]/enabled: enabled changed '' to '1'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-base]/gpgcheck: gpgcheck changed '' to '1'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-base]/gpgkey: gpgkey changed '' to 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release-rhel5'
    notice: /Stage[main]/Yum::Config_repo/Yumrepo[rhel-base]/priority: priority changed '' to '1'
    info: changing mode of /etc/yum.repos.d/rhel-base.repo from 600 to 644
    notice: Finished catalog run in 0.51 seconds
    [root@agent1 yum.repos.d]# ls
    rhel-base.repo  rhel-puppet.repo
    [root@agent1 yum.repos.d]# cat rhel-base.repo    # the updated ISO repo file
    [rhel-base]
    name=rhel base rpm packages
    baseurl=file:///media/cdrom/Server
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release-rhel5
    priority=1
    [root@agent1 yum.repos.d]# cat rhel-puppet.repo    # the updated puppet repo file
    [rhel-puppet]
    name=puppet rpm packages for rhel
    baseurl=ftp://puppetmaster.kisspuppet.com/RHEL5U7
    enabled=1
    gpgcheck=0
    priority=2


**Note:** Puppet currently has roughly 48 resource types; they are not all covered here. For details see [http://docs.puppetlabs.com/references/stable/type.html](http://docs.puppetlabs.com/references/stable/type.html)


--------------------------------------------------------------------------------
/puppet_learning_base9.md:
--------------------------------------------------------------------------------
#### Puppet Basics 9: Multi-environment configuration on the puppetmaster


# Expanding the existing architecture is a witness to a company's growth #

Once the base-environment modules are deployed on the puppetmaster, all nodes can be initialised, and the next step is deploying the application code. As everyone knows, in a company the application code is not written by one ops person alone, and code is not put into production in a single step. A standard architecture consists of development, test and production, so the puppetmaster should hold three sets of code, each corresponding to its own environment, and changes to that code should be managed through a version control tool such as svn or git.
Next we create three environments for the puppetmaster: development (kissdev), test (kissqa) and production (kissprd).
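Step 1 below declares the three environments in puppet.conf by hand, and each environment section is largely a copy of the previous one, so a name that is changed in one place and not in another is easy to miss; the master then advertises an environment that has no section, or silently ignores a section that is not listed. The following Python example is added here and is not code from the book or from Puppet: it parses a puppet.conf in the layout used in this chapter and reports such mismatches, using the chapter's naming convention that every path of an environment mentions that environment's name. The sample configuration is constructed and deliberately contains two slips.

```python
"""Lint the environment sections of a Puppet 2.7 puppet.conf.

Added example, not code from the book or from Puppet. Every name listed in
[master] environments must have its own section; each of those sections needs
a modulepath and a manifest; and, by the naming convention used in this
chapter (an assumption, not a Puppet rule), every path in them should mention
the environment's own name. Sections that are not listed are reported too,
because the master never serves them.
"""
import configparser
from typing import List

RESERVED_SECTIONS = {"main", "master", "agent", "user"}


def parse_puppet_conf(text: str) -> configparser.ConfigParser:
    """Parse puppet.conf; trailing '# ...' comments are dropped, '$confdir' stays literal."""
    cp = configparser.ConfigParser(
        delimiters=("=",), inline_comment_prefixes=("#",), interpolation=None, strict=False
    )
    cp.read_string(text)
    return cp


def lint_environments(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the file is consistent."""
    cp = parse_puppet_conf(text)
    problems: List[str] = []
    if not cp.has_option("master", "environments"):
        return ["[master] has no environments setting"]
    names = [n.strip() for n in cp.get("master", "environments").split(",") if n.strip()]
    for env in names:
        if not cp.has_section(env):
            problems.append(f"{env}: listed in [master] environments but has no [{env}] section")
            continue
        for key in ("modulepath", "manifest"):
            if not cp.has_option(env, key):
                problems.append(f"{env}: missing {key}")
        for key in ("modulepath", "manifest", "fileserverconfig"):
            if not cp.has_option(env, key):
                continue
            # modulepath is a colon-separated search path; the others are single paths.
            parts = cp.get(env, key).split(":") if key == "modulepath" else [cp.get(env, key)]
            for part in parts:
                if env not in part:
                    problems.append(f"{env}: {key} entry '{part}' does not mention {env}")
    for section in cp.sections():
        if section not in RESERVED_SECTIONS and section not in names:
            problems.append(f"[{section}]: section exists but is not listed in environments")
    return problems


# Constructed sample in the layout of this chapter, with two deliberate slips:
# the environments list says "kisstmq" while the section is called [kissqa],
# and one modulepath entry of that section still points at "kisstest".
SAMPLE_PUPPET_CONF = """\
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
[master]
certname = puppetmaster.kisspuppet.com
environments = kissdev,kisstmq,kissprd    # one name mistyped
[kissdev]
modulepath = $confdir/environments/kissdev/environment/modules:$confdir/environments/kissdev/application/modules
manifest = $confdir/environments/kissdev/manifests/site.pp
fileserverconfig = /etc/puppet/fileserver.conf.kissdev
[kissqa]
modulepath = $confdir/environments/kissqa/environment/modules:$confdir/environments/kisstest/application/modules
manifest = $confdir/environments/kissqa/manifests/site.pp
fileserverconfig = /etc/puppet/fileserver.conf.kissqa
[kissprd]
modulepath = $confdir/environments/kissprd/environment/modules:$confdir/environments/kissprd/application/modules
manifest = $confdir/environments/kissprd/manifests/site.pp
fileserverconfig = /etc/puppet/fileserver.conf.kissprd
"""

if __name__ == "__main__":
    for problem in lint_environments(SAMPLE_PUPPET_CONF):
        print("PROBLEM:", problem)
    fixed = SAMPLE_PUPPET_CONF.replace("kisstmq", "kissqa").replace("kisstest", "kissqa")
    print("after fixing both slips:", lint_environments(fixed) or "no problems")
```

Because the check is text-based it does not need the puppetmaster host: run it against the file under version control before the `puppetmaster restart` in step 7, where a bad environment name otherwise only shows up as an agent receiving an empty catalog.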


## 1. Configure puppet.conf ##

Add the environments setting under the [master] section, then create the corresponding environment sections and their settings.

    [root@puppetmaster ~]# vim /etc/puppet/puppet.conf
    [main]
        logdir = /var/log/puppet
        rundir = /var/run/puppet
        ssldir = $vardir/ssl
    [agent]
        classfile = $vardir/classes.txt
        localconfig = $vardir/localconfig
        server = puppetmaster.kisspuppet.com
        certname = puppetmaster_cert.kisspuppet.com
    [master]
        certname = puppetmaster.kisspuppet.com
        environments = kissdev,kissmq,kissprd    # the names of the three environments
    [kissdev]
        modulepath = $confdir/environments/kissdev/environment/modules:$confdir/environments/kissdev/application/modules    # module search path of the environment
        manifest = $confdir/environments/kissdev/manifests/site.pp    # location of the environment's site.pp
        fileserverconfig = /etc/puppet/fileserver.conf.kissdev    # the environment's fileserver configuration

    [kissmq]
        modulepath = $confdir/environments/kissmq/environment/modules:$confdir/environments/kissmq/application/modules
        manifest = $confdir/environments/kissmq/manifests/site.pp
        fileserverconfig = /etc/puppet/fileserver.conf.kissqa    # the test environment's fileserver configuration (created as .kissqa in step 6)

    [kissprd]
        modulepath = $confdir/environments/kissprd/environment/modules:$confdir/environments/kissprd/application/modules
        manifest = $confdir/environments/kissprd/manifests/site.pp
        fileserverconfig = /etc/puppet/fileserver.conf.kissprd

**A side note:** why does each environment have both an environment and an application directory? The environment directory holds the base-environment modules, such as puppet and yum, while the application directory holds the application modules, such as apache and mysql. They could of course live in one directory, and if there are many applications the application directory can be split further; it is all a matter of convenient management.

## 2. Create the multi-environment directory structure ##

    [root@puppetmaster environments]# mkdir kissdev
    [root@puppetmaster environments]# mkdir kissdev/{application/modules,environment/modules} -p
    [root@puppetmaster environments]# tree .
    .
    └── kissdev
        ├── application
        │   └── modules    # application modules
        └── environment
            └── modules    # base-environment modules

    5 directories, 0 files
    [root@puppetmaster environments]# cp kissdev kissmq -rp
    [root@puppetmaster environments]# cp kissdev kissprd -rp
    [root@puppetmaster environments]# tree .
    .
    ├── kissdev
    │   ├── application
    │   │   └── modules
    │   └── environment
    │       └── modules
    ├── kissmq
    │   ├── application
    │   │   └── modules
    │   └── environment
    │       └── modules
    └── kissprd
        ├── application
        │   └── modules
        └── environment
            └── modules

    15 directories, 0 files

## 3. Move the modules from the default environment into the kissprd environment ##

The puppet and yum modules are base-environment modules; motd is an application module.

    [root@puppetmaster environments]# mv /etc/puppet/modules/puppet kissprd/environment/modules/
    [root@puppetmaster environments]# mv /etc/puppet/modules/yum kissprd/environment/modules/
    [root@puppetmaster environments]# mv /etc/puppet/modules/motd kissprd/application/modules/

## 4. Copy the manifests directory into the kissprd environment ##

    [root@puppetmaster environments]# cp /etc/puppet/manifests kissprd/ -r

After copying, the whole environment looks like this:

    [root@puppetmaster environments]# tree kissprd/
    kissprd/
    ├── application
    │   └── modules
    │       └── motd
    │           ├── files
    │           │   └── etc
    │           │       └── motd
    │           ├── manifests
    │           │   └── init.pp
    │           └── templates
    ├── environment
    │   └── modules
    │       ├── puppet
    │       │   ├── files
    │       │   ├── manifests
    │       │   │   ├── config.pp
    │       │   │   ├── init.pp
    │       │   │   ├── install.pp
    │       │   │   ├── params.pp
    │       │   │   └── service.pp
    │       │   └── templates
    │       │       └── puppet.conf.erb
    │       └── yum
    │           ├── files
    │           │   ├── etc
    │           │   │   └── yum.conf
    │           │   └── PM-GPG-KEY
    │           │       ├── RPM-GPG-KEY-puppet-release
    │           │       ├── RPM-GPG-KEY-redhat-release-rhel5
    │           │       └── RPM-GPG-KEY-redhat-release-rhel6
    │           ├── manifests
    │           │   ├── config.pp
    │           │   ├── init.pp
    │           │   ├── install.pp
    │           │   └── params.pp
    │           └── templates
    └── manifests
        └── site.pp

    20 directories, 17 files

## 5. Empty the site.pp in the default environment's manifests ##

The modules have been moved out, and the default production environment is no longer used.

    [root@puppetmaster environments]# >/etc/puppet/manifests/site.pp

## 6. Create the fileserverconfig files ##

    [root@puppetmaster ~]# cp /etc/puppet/fileserver.conf{,.kissdev}
    [root@puppetmaster ~]# cp /etc/puppet/fileserver.conf{,.kissqa}
    [root@puppetmaster ~]# cp /etc/puppet/fileserver.conf{,.kissprd}
    [root@puppetmaster ~]# ll /etc/puppet/
    total 88
    -rw-r--r-- 1 root root  2569 Jan  7 07:51 auth.conf
    -rw-r--r-- 1 root root    17 Mar  9 17:54 autosign.conf.bak
    drwxr-xr-x 5 root root  4096 Mar 27 22:33 environments
    -rw-r--r-- 1 root root   381 Jan  7 07:49 fileserver.conf
    -rw-r--r-- 1 root root   381 Mar 27 22:46 fileserver.conf.kissdev    # for the kissdev environment
    -rw-r--r-- 1 root root   381 Mar 27 22:46 fileserver.conf.kissprd    # for the kissprd environment
    -rw-r--r-- 1 root root   381 Mar 27 22:46 fileserver.conf.kissqa     # for the test (kissmq) environment
    drwxr-xr-x 2 root root  4096 Mar 25 05:23 manifests
    drwxr-xr-x 2 root root  4096 Mar 27 22:40 modules
    -rw-r--r-- 1 root root  1063 Mar 27 21:55 puppet.conf
    -rw-r--r-- 1 root root   853 Mar  9 00:48 puppet.conf.bak
    -rw-r--r-- 1 root root 42031 Mar  9 03:25 puppet.conf.out

**7. Restart the puppetmaster service**

    [root@puppetmaster ~]# /etc/init.d/puppetmaster restart
    Stopping puppetmaster:                                     [  OK  ]
    Starting puppetmaster:                                     [  OK  ]

**8. Test on a node**

    [root@agent1 ~]# >/etc/motd
    You have new mail in /var/spool/mail/root
    [root@agent1 ~]# puppet agent -t    # by default the production environment is requested; it has no modules, so nothing is updated
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1395931884'
    notice: Finished catalog run in 0.02 seconds
    [root@agent1 ~]# puppet agent -t --environment=kissprd    # point at the kissprd environment
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1395931962'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd	2014-03-27 22:52:27.000000000 +0800
    +++ /tmp/puppet-file20140327-26204-29bst1-0	2014-03-27 22:52:44.000000000 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    notice: Finished catalog run in 0.68 seconds
    [root@agent1 ~]# cat /etc/motd
    -- --
    --------puppet test---------
    -- --

**9. Change the node's environment**

If the node syncs in pull mode, add an environment setting to its puppet.conf.

    [root@agent1 ~]# vim /etc/puppet/puppet.conf

    ### config by puppet ###
    [main]
        logdir = /var/log/puppet
        rundir = /var/run/puppet
        ssldir = $vardir/ssl

    [agent]
        classfile = $vardir/classes.txt
        localconfig = $vardir/localconfig
        server = puppetmaster.kisspuppet.com
        certname = agent1_cert.kisspuppet.com
        runinterval = 10
        environment = kissprd    # set the default environment to kissprd

**10. Continue testing**

    [root@agent1 ~]# puppet agent -t
    info: Caching catalog for agent1_cert.kisspuppet.com
    info: Applying configuration version '1395931962'
    notice: /Stage[main]/Motd/File[/etc/motd]/content:
    --- /etc/motd	2014-03-27 22:55:43.000000000 +0800
    +++ /tmp/puppet-file20140327-30010-8ada2g-0	2014-03-27 22:56:19.000000000 +0800
    @@ -0,0 +1,3 @@
    +-- --
    +--------puppet test---------
    +-- --

    info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
    info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
    notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
    notice: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content:
    --- /etc/puppet/puppet.conf	2014-03-27 22:56:14.000000000 +0800
    +++ /tmp/puppet-file20140327-30010-cmjg48-0	2014-03-27 22:56:19.000000000 +0800
@@ -10,4 +10,3 @@ 235 | server = puppetmaster.kisspuppet.com 236 | certname = agent1_cert.kisspuppet.com 237 | runinterval = 10 238 | - environment =kissprd 239 | 240 | info: FileBucket got a duplicate file {md5}43df60b1aa2638c5f10aa7e6be892b77 241 | info: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]: Filebucketed /etc/puppet/puppet.conf to puppet with sum 43df60b1aa2638c5f10aa7e6be892b77 242 | notice: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]/content: content changed '{md5}43df60b1aa2638c5f10aa7e6be892b77' to '{md5}8c67cb8c039bb6436556b91f0c6678c4' 243 | info: /Stage[main]/Puppet::Config/File[/etc/puppet/puppet.conf]: Scheduling refresh of Class[Puppet::Service] 244 | info: Class[Puppet::Service]: Scheduling refresh of Service[puppet] 245 | notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running' 246 | notice: /Service[puppet]: Triggered 'refresh' from 1 events 247 | notice: Finished catalog run in 0.68 seconds 248 | [root@agent1 ~]# cat /etc/motd 249 | -- -- 250 | --------puppet test--------- 251 | -- -- 252 | 253 | **备注:** 记得设置puppet模块中的puppet.conf.erb模板,否则会被还原哦。 254 | 255 | ## 后续问题 ## 256 | 257 | 1、puppetmaster端有三套环境,那么如何管理呢,接下来就应该考虑版本控制系统了,这里已经有写了[http://rsyslog.org/2013/11/16/svn-puppet/](http://rsyslog.org/2013/11/16/svn-puppet/) 258 | 259 | 2、后面讲的hiear中关于设置的变量对应到每个环境中是如何解决的。 260 | 261 | 关于多环境的部署有不理解的还可以参考书籍《精通Puppet配置管理工具》或者官网 262 | 263 | 264 | 265 | -------------------------------------------------------------------------------- /puppet_learning_ext2.md: -------------------------------------------------------------------------------- 1 | #### Puppet扩展篇2-如何使用虚拟资源解决puppet冲突问题 2 | 3 | 4 | 虚拟资源是一种用来管理多种配置共同依赖同一资源的方法。如果多个类依赖同一个资源时则可避免写多个资源,也可以解决资源重定义的错误。 5 | 虚拟资源经常用于用户管理中,虚拟资源只会被声明一次,但可以运用一次或多次。 6 | 7 | 8 | 要使用虚拟资源是需要在资源声明开头加上字符“@”来使资源虚拟化。然后再使用下面两种方法之一来实例化虚拟资源: 9 | 10 | - "飞船"语法<||> 11 | - realize函数 12 | 13 | 14 | # 1. 
# 1. Declare the users puppet, root and xiaonuo, and make them virtual #

A virtual resource is declared once, but the class that declares it has to be part of the catalog of every node that realizes it. In this layout the declarations live under `manifests/nodes/` (site.pp imports the nodes directory), so they are available to every node, and each module that realizes them includes `alluser` and `allgroup` explicitly; a virtual resource whose declaring class is never included cannot be realized, whatever scope it was written in.

## 1.1 Create the manifests in the global scope ##

    [root@linuxmaster1poc testing]# tree manifests/
    manifests/
    ├── nodes
    │   ├── puppetclient.pp
    │   ├── virtual_group.pp
    │   └── virtual_user.pp
    └── site.pp

    1 directory, 4 files

----
## 1.2 Declare the virtual users puppet, root and xiaonuo ##

    [root@linuxmaster1poc testing]# vim manifests/nodes/virtual_user.pp
    class alluser{
      # every class that declares a virtual user must be included here,
      # otherwise realize(User['xiaonuo']) in a module has nothing to realize
      include alluser::puppet,alluser::root,alluser::xiaonuo
    }

    class alluser::puppet{
      @user { 'puppet':
        ensure => present,
        uid    => '52',
        gid    => '52',
        home   => '/var/lib/puppet',
        shell  => '/sbin/nologin',
      }
    }

    class alluser::root{
      @user { 'root':
        ensure => present,
        uid    => '0',
        gid    => '0',
        home   => '/root',
        shell  => '/bin/bash',
      }
    }

    class alluser::xiaonuo{
      @user { 'xiaonuo':
        ensure => present,
        uid    => '600',
        gid    => '600',
        home   => '/home/xiaonuo',
        shell  => '/sbin/nologin',
      }
    }

-------
## 1.3 Declare the virtual groups puppet, root and xiaonuo ##

    [root@linuxmaster1poc testing]# vim manifests/nodes/virtual_group.pp
    class allgroup{
      # same rule as for alluser: include every class that declares a virtual group
      include allgroup::puppet,allgroup::root,allgroup::xiaonuo
    }

    class allgroup::puppet{
      @group { 'puppet':
        ensure    => present,
        name      => 'puppet',
        gid       => '52',
        allowdupe => false,
        members   => 'puppet',
      }
    }

    class allgroup::root{
      @group { 'root':
        ensure    => present,
        name      => 'root',
        gid       => '0',
        allowdupe => false,
        members   => 'root',
      }
    }
    class allgroup::xiaonuo{
      @group { 'xiaonuo':
        ensure    => present,
        name      => 'xiaonuo',
        gid       => '600',
        allowdupe => false,
        members   => 'xiaonuo',
      }
    }

# 2. Write the puppet module and realize the virtual user puppet and group puppet #

## 2.1 The puppet module ##

    [root@linuxmaster1poc testing]# tree environment/modules/puppet
    environment/modules/puppet
    ├── files
    ├── manifests
    │   ├── config.pp
    │   ├── init.pp
    │   ├── install.pp
    │   ├── params.pp
    │   └── service.pp
    ├── README
    └── templates
        ├── auth.conf.erb
        ├── namespaceauth.conf.erb
        └── puppet.conf.erb

    3 directories, 9 files

## 2.2 The puppet_linux57poc module ##

    [root@linuxmaster1poc testing]# tree agents/modules/puppet_linux57poc/
    agents/modules/puppet_linux57poc/
    ├── files
    ├── manifests
    │   └── init.pp
    └── templates
        ├── facts.txt.erb
        └── motd.erb

    3 directories, 3 files

## 2.3 Realize the virtual resources ##

**2.3.1 In the puppet module**

    [root@linuxmaster1poc testing]# vim environment/modules/puppet/manifests/config.pp
    class puppet::config{
      include puppet::params
      include puppet::puppet_config,puppet::namespaceauth_config,puppet::auth_config,puppet::user,puppet::group
      include alluser,allgroup   # the classes that declare the virtual resources must be in the catalog
    }

    class puppet::puppet_config{
      file { '/etc/puppet/puppet.conf':
        ensure  => present,
        content => template('puppet/puppet.conf.erb'),
        owner   => 'puppet',
        group   => 'puppet',
        mode    => '0644',
        backup  => main,
        require => Class['puppet::install','puppet::user','puppet::group'],
        notify  => Class['puppet::service'],
      }
    }


    class puppet::auth_config{
      file { '/etc/puppet/auth.conf':
        ensure  => present,
        content => template('puppet/auth.conf.erb'),
        owner   => 'puppet',
        group   => 'puppet',
        mode    => '0644',
        backup  => main,
        require => Class['puppet::install','puppet::user','puppet::group'],
        notify  => Class['puppet::service'],
      }
    }

    class puppet::namespaceauth_config{
      file { '/etc/puppet/namespaceauth.conf':
        ensure  => present,
        content => template('puppet/namespaceauth.conf.erb'),
        owner   => 'puppet',
        group   => 'puppet',
        mode    => '0644',
        backup  => main,
        require => Class['puppet::install','puppet::user','puppet::group'],
        notify  => Class['puppet::service'],
      }
    }

    class puppet::user{   # realize User['puppet'] with the collector ("spaceship") syntax
      # realize User['puppet']
      User <| title == 'puppet' |>
    }

    class puppet::group{  # realize Group['puppet'] with the realize function
      realize Group['puppet']
      # Group <| title == 'puppet' |>
    }

**2.3.2 In the puppet_linux57poc module**

    [root@linuxmaster1poc testing]# cat agents/modules/puppet_linux57poc/manifests/init.pp
    class puppet_linux57poc{
      include puppet_linux57poc::motd_install,puppet_linux57poc::motd_config,puppet_linux57poc::facts,puppet_linux57poc::user,puppet_linux57poc::group
      include alluser,allgroup   # the classes that declare the virtual resources must be in the catalog
    }

    class puppet_linux57poc::motd_install{
      package { 'setup':
        ensure => present,
      }
    }
    class puppet_linux57poc::motd_config{
      file { '/etc/motd':
        owner   => 'xiaonuo',
        group   => 'root',
        mode    => '0440',
        content => template('puppet_linux57poc/motd.erb'),
        backup  => 'main',
        # the user and group classes are required so that xiaonuo exists before the file is chowned
        require => Class['puppet_linux57poc::motd_install','puppet_linux57poc::user','puppet_linux57poc::group'],
      }
    }
    class puppet_linux57poc::facts{
      file { '/etc/mcollective/facts.txt':
        owner   => 'root',
        group   => 'root',
        mode    => '0400',
        content => template('puppet_linux57poc/facts.txt.erb'),
        backup  => 'main',
        require => Class['puppet_linux57poc::motd_install','puppet_linux57poc::user','puppet_linux57poc::group'],
      }
    }

    class puppet_linux57poc::user{   # realize User['xiaonuo'] and User['root'] with the realize function
      realize( User['xiaonuo'],
               User['root'] )
    }

    class puppet_linux57poc::group{  # realize Group['xiaonuo'] and Group['root'] with the realize function
      realize( Group['xiaonuo'],
               Group['root'] )
    }

# 3. Test #

## 3.1 Test the puppet module (omitted) ##

## 3.2 Test the puppet_linux57poc module ##

**3.2.1 Check whether the user and group xiaonuo already exist on the node**

    [root@linux57poc puppet]# id xiaonuo
    id: xiaonuo: No such user
    [root@linux57poc puppet]# cat /etc/group | grep xiaonuo
    [root@linux57poc puppet]#
    [root@linux57poc puppet]# ll /etc/motd
    -rwxrwxrwx 1 puppet puppet 313 Jan  2 06:17 /etc/motd

**3.2.2 Run the agent against the puppetmaster**

    [root@linux57poc puppet]# puppet agent -t --environment=testing
    info: Retrieving plugin
    info: Loading facts in /var/lib/puppet/lib/facter/fact_apply.rb
    info: Caching catalog for puppet_linux57poc.dev.shanghaigm.com
    info: Applying configuration version '1389555288'
    notice: /Stage[main]/Allservice::Lm_sensors_service/Service[lm_sensors]/ensure: ensure changed 'running' to 'stopped'
    notice: /Group[xiaonuo]/ensure: created
    notice: /Stage[main]/Alluser::Xiaonuo/User[xiaonuo]/ensure: created
    ...
    info: FileBucket adding {md5}b2090646c444c5ddf1533749743ebd71
    info: /Stage[main]/Mcollective::Facter/File[/etc/mcollective/facts.yaml]: Filebucketed /etc/mcollective/facts.yaml to main with sum b2090646c444c5ddf1533749743ebd71
    notice: /Stage[main]/Sysctl::Exec/Exec[sysctl -p >/dev/null &]/returns: executed successfully
    notice: /Stage[main]/Puppet_linux57poc::Motd_config/File[/etc/motd]/owner: owner changed 'puppet' to 'xiaonuo'
    notice: /Stage[main]/Puppet_linux57poc::Motd_config/File[/etc/motd]/group: group changed 'puppet' to 'root'
    notice: /Stage[main]/Puppet_linux57poc::Motd_config/File[/etc/motd]/mode: mode changed '0777' to '0440'
    notice: /Stage[main]/Allservice::Bluetooth_service/Service[bluetooth]/ensure: ensure changed 'running' to 'stopped'
    notice: Finished catalog run in 4.54 seconds

**3.2.3 Verify the result**

    [root@linux57poc puppet]# id xiaonuo
    uid=600(xiaonuo) gid=600(xiaonuo) groups=600(xiaonuo)
    [root@linux57poc puppet]# cat /etc/group | grep xiaonuo
    xiaonuo:x:600:
    [root@linux57poc puppet]# ll /etc/motd
    -r--r----- 1 xiaonuo root 313 Jan  2 06:17 /etc/motd
    [root@linux57poc puppet]#

The realized virtual resources created the user and group, and because the `file` resource requires the user and group classes, `/etc/motd` was only chowned to `xiaonuo` after that user existed; the same run also took the world-writable 0777 file down to 0440.

---
/puppet_learning_ext3.md:

#### Puppet Extensions 3: Scaling the Master's SSL Transport (Apache)

**Description:** puppet communicates over SSL (HTTPS). By default the puppet master uses the Ruby-based WEBrick HTTP server, which does not cope well with many agents. To scale the master, put Apache (or another capable web server) in front of it to handle the agents' HTTPS requests.

**Problems to solve:**

- Scale the transport: improve performance and raise the number of concurrent connections between master and agents.
- Scale SSL: encrypt master/agent traffic with a sound certificate-management scheme.

**Reference:** [http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger](http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger)

## 1 Install Passenger with RubyGems ##

    [root@puppetserver etc]# yum install ruby-devel ruby-libs rubygems libcurl-devel
    [root@puppetserver etc]# yum install httpd httpd-devel apr-util-devel apr-devel mod_ssl
    [root@puppetserver repos]# gem install --local passenger-4.0.19.gem
    Building native extensions.  This could take a while...
    Successfully installed rake-10.0.1
    Successfully installed daemon_controller-1.1.5
    Successfully installed rack-1.5.2
    Successfully installed passenger-4.0.19

`gem install --local` resolves the dependencies from the gem files in the current directory, so run it from the directory that holds the downloaded gems.

## 2 Integrate Apache with Passenger ##

The Apache module is compiled from source, so the compiler and the Apache and OpenSSL development packages must be installed first. The installer prompts for anything that is still missing; when it finishes it prints the lines to add to the Apache configuration:

    [root@puppetserver rpms]# yum install gcc-c++ gcc openssl-devel
    [root@puppetserver etc]# passenger-install-apache2-module
    …
    The Apache 2 module was successfully installed.
    Please edit your Apache configuration file, and add these lines:
      LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19/buildout/apache2/mod_passenger.so
      PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19
      PassengerDefaultRuby /usr/bin/ruby

    After you restart Apache, you are ready to deploy any number of Ruby on Rails
    applications on Apache, without any further Ruby on Rails-specific
    configuration!
    …

## 3 Configure Apache and Passenger ##

Create a virtual host and load the Passenger module. The certificate paths must match puppet's real SSL directory. The virtual host listens on port 8140 and encrypts all traffic with SSL, using the certificates the puppet master generated; Passenger is pointed at the system Ruby interpreter and at the directory that holds the Rack configuration file `config.ru`.

    [root@puppetserver conf.d]# vim passenger.conf
    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19/buildout/apache2/mod_passenger.so

    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19
    PassengerRuby /usr/bin/ruby
    PassengerHighPerformance on
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 1500
    PassengerStatThrottleRate 120
    # RailsAutoDetect On

    # TCP 8140 is the standard puppet master port
    Listen 8140

    <VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetserver.kisspuppet.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetserver.kisspuppet.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        # Enable revocation checking. The CRL goes here, not the CA certificate;
        # `puppet cert` updates ca_crl.pem whenever an agent certificate is signed or revoked.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # Apache verifies the agent certificate and exports the result into the
        # SSL_* environment variables; the puppet master running under Passenger
        # authenticates the agent from those variables.
        SSLOptions +StdEnvVars

        # The verification result and the agent's certificate DN are handed to
        # the master as request headers.
        RequestHeader unset X-Forwarded-For
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /etc/puppet/rack/puppetmaster/public/
        RackBaseURI /
        # Rack is the common API through which web servers exchange requests and
        # responses with Ruby HTTP applications such as puppet; it is also how
        # applications like Puppet Dashboard are deployed on several web servers.
        <Directory /etc/puppet/rack/puppetmaster/>
            Options None
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>

Three caveats on this configuration. `SSLProtocol -ALL +SSLv3 +TLSv1` and the `SSLCipherSuite` line are the sample values of that era; they still allow SSLv3 and RC4, and on a current system should read `SSLProtocol ALL -SSLv2 -SSLv3` with a cipher list that excludes RC4, LOW and EXPORT grades (agents only need TLS). The `RequestHeader set` lines are what make client authentication safe: Apache sets `X-Client-Verify` and `X-Client-DN` unconditionally from its own SSL variables, so an agent cannot inject those headers; if they were only set when the agent did not send them, an unauthenticated client could claim any certname. Finally, Apache does not accept `#` comments at the end of a directive line, so comments must sit on their own lines.

---

    [root@c1.inanu.net]# service httpd configtest
    Warning: DocumentRoot [/etc/puppet/rack/puppetmaster/public/] does not exist
    Syntax OK

`configtest` checks the Apache syntax; the DocumentRoot warning disappears once the Rack directories are created in the next step.

**Note:** the reference virtual host configuration that ships with puppet can be used as a template:

    /usr/share/puppet/ext/rack/files/apache2.conf

## 4 Prepare the config.ru file ##

Create the skeleton directories for the Rack application instance of the puppet master, then copy the sample `config.ru`; its defaults are fine.

    [root@puppetserver rack]# mkdir -p /etc/puppet/rack/puppetmaster/{public,tmp}
    [root@puppetserver rack]# cp /usr/share/puppet/ext/rack/files/config.ru /etc/puppet/rack/puppetmaster/
    [root@puppetserver rack]# vim /etc/puppet/rack/puppetmaster/config.ru

    # a config.ru, for use with every rack-compatible webserver.
    # SSL needs to be handled outside this, though.

    # if puppet is not in your RUBYLIB:
    # $:.unshift('/opt/puppet/lib')

    $0 = "master"

    # if you want debugging:
    # ARGV << "--debug"

    ARGV << "--rack"
    require 'puppet/application/master'
    # we're usually running inside a Rack::Builder.new {} block,
    # therefore we need to call run *here*.
    run Puppet::Application[:master].run

**Note:** the latest Rack configuration file is in the `ext` directory of the current puppet release, or at [https://github.com/puppetlabs/puppet/tree/master/ext/rack/files](https://github.com/puppetlabs/puppet/tree/master/ext/rack/files).

    [root@puppetserver rack]# chown puppet. /etc/puppet/rack/puppetmaster/config.ru

`config.ru` must be owned by user and group `puppet`: when Apache starts, Passenger looks at the owner of this file and switches from root to that lower-privileged account before running the puppet master. If the file is owned by someone else, the master runs as that user (or as Passenger's default user for root-owned files) and cannot read `/var/lib/puppet/ssl`.

## 5 Test the puppet master under Apache ##

    [root@puppetserver ~]# /etc/rc.d/init.d/puppetmaster stop    # stop the WEBrick puppetmaster
    [root@puppetserver ~]# chkconfig puppetmaster off             # and keep it from starting at boot
    [root@puppetserver ~]# /etc/rc.d/init.d/httpd start           # start Apache
    [root@puppetserver ~]# chkconfig httpd on                     # start Apache at boot
    [root@puppetserver ~]# netstat -nlp | grep 8140               # Apache now owns port 8140
    tcp        0      0 :::8140                     :::*                        LISTEN      4162/httpd

**Test one:** open https://172.16.200.100:8140/ in a browser (IE versions below 9); the page below means the configuration is correct.

![apache+passenger replacing WEBrick](http://kisspuppet.com/img/apache-passenger-1.png)

**Test two:** run the puppet agent on a node and watch the Apache access log on the server for the agent's requests; a status of `200` means the request succeeded.

    [root@puppetserver conf.d]# tailf /var/log/httpd/access_log
    172.16.200.101 - - [22/Jul/2013:10:30:34 +0800] "GET /production/file_metadata/modules/mysql/etc/my.cnf? HTTP/1.1" 200 298 "-" "-"
    172.16.200.101 - - [22/Jul/2013:10:30:34 +0800] "GET /production/file_metadata/modules/motd/etc/motd? HTTP/1.1" 200 295 "-" "-"
    172.16.200.101 - - [22/Jul/2013:10:30:35 +0800] "PUT /production/report/agent1.kisspuppet.com HTTP/1.1" 200 14 "-" "-"
    172.16.200.101 - - [22/Jul/2013:10:30:40 +0800] "POST /production/catalog/agent1.kisspuppet.com HTTP/1.1" 200 8346 "-" "-"
    172.16.200.101 - - [22/Jul/2013:10:30:41 +0800] "GET /production/file_metadata/modules/ssh/etc/ssh/sshd_config? HTTP/1.1"

---
/puppet_learning_ext4.md:

#### Puppet Extensions 4: Scaling the Master's SSL Transport (nginx)

**Description:** puppet communicates over SSL (HTTPS). By default the puppet master uses the Ruby-based WEBrick HTTP server, which does not cope well with many agents. To scale the master, put nginx (or another capable web server) in front of it to handle the agents' HTTPS requests.

**Problems to solve:**

- Scale the transport: improve performance and raise the number of concurrent connections between master and agents.
- Scale SSL: encrypt master/agent traffic with a sound certificate-management scheme.

Nginx + Passenger:

## 1. Install the packages needed to build nginx ##

    [root@TKPUPT-M1 ~]# groupadd -g 3001 nginx
    [root@TKPUPT-M1 ~]# useradd -u 3001 -g 3001 nginx
    [root@TKPUPT-M1 ~]# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build

## 2. Install Passenger (from gem files copied to the local machine) ##
Note: download the gem files first. Installing straight from the network also works, but is very slow.

    [root@TKPUPT-M1 gem]# gem install --local rake rack passenger --no-rdoc --no-ri

## 3. Unpack the nginx and pcre sources ##

    [root@TKPUPT-M1 gem]# tar xf pcre-8.32.tar.gz -C /usr/local/src/
    [root@TKPUPT-M1 gem]# tar xf nginx-1.4.2.tar.gz -C /usr/local/src/

## 4. Build and install nginx ##
Note: nginx is built from source mainly so that the Passenger module can be compiled in.

    [root@TKPUPT-M1 ~]# cd /usr/local/src/nginx-1.4.2/
    [root@TKPUPT-M1 nginx-1.4.2]# ./configure --user=nginx --group=nginx --prefix=/etc/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.32 --add-module=`passenger-config --root`/ext/nginx
    [root@TKPUPT-M1 nginx-1.4.2]# make && make install

## 5. Hook up Passenger ##
Note: `config.ru` must be owned by user and group `puppet`, because Passenger runs the master as the owner of that file.

    [root@TKPUPT-M1 nginx-1.4.2]# mkdir -p /etc/puppet/rack/public
    [root@TKPUPT-M1 nginx-1.4.2]# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/
    [root@TKPUPT-M1 nginx-1.4.2]# chown -R puppet. /etc/puppet/rack/

## 6. Install the nginx init script ##

    [root@TKPUPT-M1 init.d]# cp /root/gem/nginx /etc/init.d/
    [root@TKPUPT-M1 ~]# chmod a+x /etc/init.d/nginx

## 7. Configure nginx ##
Note: the certificate names and paths must match the puppet master's SSL directory.

    [root@TKPUPT-M1 gem]# vim /etc/nginx/conf/nginx.conf
    user  nginx nginx;
    worker_processes  1;
    pid        /var/run/nginx.pid;

    events {
        worker_connections  1024;
    }

    http {
        passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19;
        passenger_ruby /usr/bin/ruby;

        include       mime.types;
        default_type  application/octet-stream;

        sendfile        on;
        keepalive_timeout  65;

        server {
            # the ssl parameter on listen enables TLS for this socket; no separate "ssl on/off" directive is needed
            listen       8140 ssl;
            server_name  puppetmaster;

            passenger_enabled on;
            # hand the client-certificate verification result and subject DN to the master;
            # nginx sets these on every request, so an agent cannot supply its own values
            passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
            passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
            proxy_buffer_size 4000k;
            proxy_buffering on;
            proxy_buffers 32 1280k;
            proxy_busy_buffers_size 17680k;
            client_max_body_size 10m;
            client_body_buffer_size 4096k;

            access_log /var/log/nginx/puppet_access.log;
            error_log  /var/log/nginx/puppet_error.log;

            root /etc/puppet/rack/public;

            ssl_session_timeout  5m;
            ssl_certificate        /var/lib/puppet/ssl/certs/puppetmaster.pem;
            ssl_certificate_key    /var/lib/puppet/ssl/private_keys/puppetmaster.pem;
            ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
            ssl_crl                /var/lib/puppet/ssl/ca/ca_crl.pem;
            ssl_verify_client optional;

            ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
            ssl_prefer_server_ciphers on;
            ssl_verify_depth 1;
            ssl_session_cache shared:SSL:128m;

            # File sections
            location /production/file_content/files/ {
                types { }
                default_type application/x-raw;
                alias /etc/puppet/files/;
            }
        }
    }

Caveats. `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA` is the value used in this setup; it still admits RC4, and nginx 1.4 offers SSLv3 by default when `ssl_protocols` is not set. On a current system add `ssl_protocols TLSv1.2;` (or `TLSv1 TLSv1.1 TLSv1.2` if old agents must still connect) and a cipher list such as `HIGH:!aNULL:!MD5:!RC4`. `ssl_verify_client optional` is needed rather than `on` because an agent's first request, the certificate signing request, is made before it has a certificate; the master then decides per request, from `HTTP_X_CLIENT_VERIFY` and `auth.conf`, what an unauthenticated client may do. Note also that the `location /production/file_content/files/` block makes nginx serve `/etc/puppet/files/` directly, bypassing the master's `auth.conf`, so any client that can reach port 8140 can fetch those files; do not keep secrets there, or guard the location with a check such as `if ($ssl_client_verify != SUCCESS) { return 403; }`.

## 8. Configure puppet.conf ##

    [root@TKPUPT-M1 ~]# vim /etc/puppet/puppet.conf
    [master]
    certname = puppetmaster
    ca = false
    # names of the CGI variables in which nginx passes the client-certificate result and DN
    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
    ssl_client_header = HTTP_X_CLIENT_DN

## 9. Start nginx ##

    [root@TKPUPT-M1 gem]# mkdir /var/log/nginx/
    [root@TKPUPT-M1 nginx-1.4.2]# /etc/init.d/puppetmaster stop
    [root@TKPUPT-M1 nginx-1.4.2]# chkconfig puppetmaster off
    [root@TKPUPT-M1 nginx-1.4.2]# /etc/init.d/nginx start
    [root@TKPUPT-M1 nginx-1.4.2]# chkconfig nginx on

## 10. Test ##

Run `puppet agent -t` on several nodes and check the nginx log to confirm that nginx + Passenger is serving the requests.

    [root@TKPUPT-CA ~]# puppet agent -t
    [root@TKPUPT-M1 ~]# tailf /var/log/nginx/puppet_access.log


**Reference:** [http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger](http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger)

---
/puppet_learning_ext5.md:

#### Puppet Extensions 5: Load-Balancing the Master Across Several Processes (nginx + mongrel)

As the number of hosts managed by a puppetmaster grows, the single master process becomes a bottleneck. Besides adding servers to run more masters, a single host can be scaled up by running several master processes.

Below, nginx load-balances across several puppetmaster processes. nginx terminates SSL and verifies the certificates of all agents; everything else is forwarded to one of the puppetmaster processes. The addresses in nginx's `upstream` block are all `127.0.0.1`, so the master processes are reachable only through nginx, which is also better for security.

**Note:** nginx + mongrel is only supported up to and including puppet 2.7.

## 1. Install the packages ##

    [root@puppetserver yum.repos.d]# yum install rubygem-mongrel nginx

## 2. Add puppetmaster ports ##

    [root@puppetserver yum.repos.d]# vim /etc/sysconfig/puppetmaster
    PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
    PUPPETMASTER_EXTRA_OPTS="--servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT"

## 3. Configure nginx ##
Add the `upstream` block; the SSL certificate paths must match the puppet SSL directory.

    [root@puppetserver nginx]# vim nginx.conf
    user nginx nginx;
    worker_processes 4;
    error_log /var/log/puppet/nginx-puppet.log notice;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        default_type application/octet-stream;
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 65;
        tcp_nodelay on;
        large_client_header_buffers 16 4k;
        proxy_buffers 128 4k;
        # the mongrel-backed puppetmaster processes; loopback only, so they are reachable just through nginx
        upstream puppetmaster {
            server 127.0.0.1:18140;
            server 127.0.0.1:18141;
            server 127.0.0.1:18142;
            server 127.0.0.1:18143;
        }
        server {
            listen 8140;
            root /etc/puppet;
            ssl on;
            ssl_session_timeout 5m;
            ssl_certificate /var/lib/puppet/ssl/certs/puppetserver.kisspuppet.com.pem;
            ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetserver.kisspuppet.com.pem;
            ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
            ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
            ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
            ssl_verify_client optional;
            location / {
                proxy_pass http://puppetmaster;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # proxy_set_header replaces any same-named header sent by the agent,
                # so the master only ever sees nginx's own verification result
                proxy_set_header X-Client-Verify $ssl_client_verify;
                proxy_set_header X-Client-DN $ssl_client_s_dn;
                proxy_set_header X-SSL-Subject $ssl_client_s_dn;
                proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
                proxy_read_timeout 65;
            }
        }
    }

The master processes are started with `--ssl_client_header=HTTP_X_SSL_SUBJECT`, so they take the agent's identity from the `X-SSL-Subject` header and, from `X-Client-Verify` (puppet's default `ssl_client_verify_header`), whether the certificate verified. `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA` admits RC4, and with no `ssl_protocols` directive nginx of this era also offers SSLv3; a current deployment should set `ssl_protocols TLSv1.2;` and a cipher list that excludes RC4.

## 4. Start nginx and the puppetmaster processes ##

    [root@puppetserver1poc ~]# /etc/rc.d/init.d/nginx restart
    Stopping nginx:                                            [FAILED]
    Starting nginx:                                            [  OK  ]
    [root@puppetserver1poc ~]# /etc/rc.d/init.d/puppetmaster start
    Starting puppetmaster:
    Port: 18140                                                [  OK  ]
    Port: 18141                                                [  OK  ]
    Port: 18142                                                [  OK  ]
    Port: 18143                                                [  OK  ]

## 5. Check the listening ports ##

    [root@puppetserver1poc ~]# netstat -nlp | grep 814
    tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      6224/nginx
    tcp        0      0 127.0.0.1:18140             0.0.0.0:*                   LISTEN      6271/ruby
    tcp        0      0 127.0.0.1:18141             0.0.0.0:*                   LISTEN      6312/ruby
    tcp        0      0 127.0.0.1:18142             0.0.0.0:*                   LISTEN      6351/ruby
    tcp        0      0 127.0.0.1:18143             0.0.0.0:*                   LISTEN      6390/ruby

Only nginx listens on all interfaces; the four master processes are bound to loopback.

**Check the running processes:**

    [root@puppetserver1poc ~]# ps -ef | grep ruby
    puppet    5422     1  1 13:58 ?        00:00:22 /usr/bin/ruby /usr/sbin/puppetmasterd
    root      6431     1  0 14:10 ?        00:00:01 ruby /usr/sbin/mcollectived --pid=/var/run/mcollectived.pid --config=/etc/mcollective/server.cfg
    puppet    7139     1  0 14:25 ?        00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd --servertype=mongrel --servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT --masterport=18140 --pidfile=/var/run/puppet/puppetmaster.18140.pid
    puppet    7171     1  0 14:25 ?        00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd --servertype=mongrel --servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT --masterport=18141 --pidfile=/var/run/puppet/puppetmaster.18141.pid
    puppet    7203     1  0 14:25 ?        00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd --servertype=mongrel --servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT --masterport=18142 --pidfile=/var/run/puppet/puppetmaster.18142.pid
    puppet    7235     1  0 14:25 ?        00:00:00 /usr/bin/ruby /usr/sbin/puppetmasterd --servertype=mongrel --servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT --masterport=18143 --pidfile=/var/run/puppet/puppetmaster.18143.pid
    root      7243  3858  0 14:26 pts/3    00:00:00 grep ruby

The repeated `--servertype=mongrel` is harmless: the init script adds it by itself when several ports are configured, so the copy in `PUPPETMASTER_EXTRA_OPTS` is redundant.

## 6. Check the logs ##

    [root@puppetserver1poc nodes]# tailf /var/log/nginx/access.log
    192.168.100.127 - - [25/Nov/2013:16:42:49 +0800] "POST /production/catalog/agent2.kisspuppet.com HTTP/1.1" 200 570 "-" "-"
    192.168.100.127 - - [25/Nov/2013:16:42:52 +0800] "PUT /production/report/agent2.kisspuppet.com HTTP/1.1" 200 58 "-" "-"
    192.168.100.126 - - [25/Nov/2013:16:42:54 +0800] "GET /production/file_metadatas/plugins?links=manage&checksum_type=md5&&ignore=---+%0A++-+%22.svn%22%0A++-+CVS%0A++-+%22.git%22&recurse=true HTTP/1.1" 404 56 "-" "-"
    192.168.100.126 - - [25/Nov/2013:16:42:54 +0800] "GET /production/file_metadata/plugins? HTTP/1.1" 404 36 "-" "-"
    192.168.100.126 - - [25/Nov/2013:16:42:55 +0800] "POST /production/catalog/agent1.kisspuppet.com HTTP/1.1" 200 570 "-" "-"
    192.168.100.126 - - [25/Nov/2013:16:42:58 +0800] "PUT /production/report/agent1.kisspuppet.com HTTP/1.1" 200 58 "-" "-"
    192.168.100.125 - - [25/Nov/2013:16:43:07 +0800] "GET

The `404` responses for `file_metadatas/plugins` are expected when no module ships plugins; the catalog and report requests return `200`.

---
/puppet_learning_ext6.md:

**Puppet Extensions 6: Scaling Out the puppetmaster for a More Flexible Architecture**

The horizontally scaled puppetmaster is deployed with the architecture below; see also page 246 of《puppet实战》.

![puppet cluster architecture](http://kisspuppet.com/img/puppet_learning_ext1.png)

Host IP addresses and roles:

![puppet cluster hosts and roles](http://kisspuppet.com/img/puppet_learning_ext2.png)

**How it works:**

- Agents point `ca_server` at the CA, so the CA can run on its own servers.
- The CA servers can be placed in several data centres.
- The master cluster can sit behind a load balancer in one data centre, or the puppetmaster name can be resolved by DNS to masters in different data centres, balancing the load through DNS.

## 1. Preparation ##

**1.1 Versions**

puppet 3.4.3
The load balancer is nginx or haproxy; both are tried.

**1.2 Host name resolution**

    /etc/hosts
    192.168.10.10  kspupt-ca1
    192.168.10.9   kspupt-ca2
    192.168.10.20  kspupt-ca
    192.168.10.13  kspupt-lvs1
    192.168.10.11  kspupt-m1
    192.168.10.12  kspupt-m2

**1.3 Time synchronisation**
(omitted)

## 2. Deploying the PuppetCA ##

The only job of the PuppetCA is to sign and revoke certificates. When the CA is unavailable, new agents cannot obtain a certificate, but agents that already hold one keep working. Separating the CA onto its own servers is therefore worthwhile for fault tolerance.

**2.1 Install the packages**

    [root@kspupt-ca1 ~]# groupadd -g 3000 puppet
    [root@kspupt-ca1 ~]# useradd -u 3000 -g 3000 puppet
    [root@kspupt-ca1 ~]# yum install puppet puppet-server -y

**2.2 Temporarily configure the VIP**

    [root@kspupt-ca1 ~]# ip addr add 192.168.10.20/24 dev eth0

**Note:** once the CA is made highly available, the VIP becomes a resource of the HA cluster; for now it is bound to CA1 by hand.

**2.3 Generate the certificates**

Use `puppet cert` to generate the CA and the server certificates: one for the `puppetca` name and one for the `puppetmaster` name.

    [root@kspupt-ca1 ~]# puppet cert --generate --dns_alt_names puppetca:puppet puppetca
    [root@kspupt-ca1 ~]# puppet cert --generate --dns_alt_names puppetmaster:puppet puppetmaster
    [root@kspupt-ca1 ~]# puppet cert --list --all
    + "puppetca"     (SHA256) 76:1D:C1:90:23:45:43:A2:41:4B:3B:92:32:C4:BE:31:38:61:5B:42:03:D0:22:28:53:5B:6F:5E:99:5A:B8:94 (alt names: "DNS:puppetca", "DNS:puppetca:puppet")
    + "puppetmaster" (SHA256) 0A:A2:DC:22:B8:4C:EB:31:B0:52:8F:B0:21:72:DD:EB:C7:B4:05:97:45:B3:EA:19:3A:28:69:29:04:35:0F:E7 (alt names: "DNS:puppetmaster", "DNS:puppetmaster:puppet")

Check the alt names in that output: `dns_alt_names` takes a comma-separated list, so `puppetca:puppet` produced one literal SAN `DNS:puppetca:puppet` rather than `DNS:puppet`. If agents are meant to reach the CA and the master under the short name `puppet` as well, generate the certificates with `--dns_alt_names puppetca,puppet` and `--dns_alt_names puppetmaster,puppet`; otherwise agents must use exactly the names present in the certificates.

**2.4 Configure puppet.conf: add a [master] section**

    [root@kspupt-ca1 ~]# vim /etc/puppet/puppet.conf
    [master]
    confdir = /etc/puppet
    certname = puppetca
    # this node is the CA
    ca = true

**2.5 Start puppetmaster; the CA is ready**

    [root@kspupt-ca1 ssl]# /etc/init.d/puppetmaster start
    [root@kspupt-ca1 ssl]# chkconfig puppetmaster on

**kspupt-ca2 is configured the same way (omitted)**

## 3. Deploying the PuppetMaster ##

The puppetmaster can run under the default WEBrick server, or under Apache + Passenger or nginx + Passenger.

**3.1 WEBrick:**

**3.1.1 Install the packages**

    [root@kspupt-m1 ~]# groupadd -g 3000 puppet
    [root@kspupt-m1 ~]# useradd -u 3000 -g 3000 puppet
    [root@kspupt-m1 ~]# yum install puppet puppet-server -y

**3.1.2 Set up the hosts file**

    [root@kspupt-m1 ~]# vim /etc/hosts
    192.168.10.20 puppetca
    192.168.10.11 puppetmaster

**3.1.3 Create the certificate directories**

    [root@kspupt-m1 ~]# mkdir /var/lib/puppet/ssl/{certs,ca,private_keys} -p

**3.1.4 Copy the puppetmaster certificate, private key, CA certificate and CRL generated on the CA to kspupt-m1**

    [root@kspupt-m1 ssl]# scp -r root@192.168.10.39:/var/lib/puppet/ssl/ca/signed/puppetmaster.pem /var/lib/puppet/ssl/certs/puppetmaster.pem
    [root@kspupt-m1 ssl]# scp -r root@192.168.10.39:/var/lib/puppet/ssl/ca/ca_crt.pem /var/lib/puppet/ssl/certs/ca.pem
    [root@kspupt-m1 ssl]# scp -r root@192.168.10.39:/var/lib/puppet/ssl/private_keys/puppetmaster.pem /var/lib/puppet/ssl/private_keys/puppetmaster.pem
    [root@kspupt-m1 gem]# scp -r root@192.168.10.39:/var/lib/puppet/ssl/ca/ca_crl.pem /var/lib/puppet/ssl/ca/ca_crl.pem

The private key is the master's identity towards every agent: keep it readable by `puppet` only (mode 0600). Because all masters share the `puppetmaster` certificate in this design, they all hold the same key, so a compromise of any one master means revoking and re-issuing the shared certificate.

**3.1.5 Configure puppet.conf: add a [master] section with the CA disabled**

    [root@kspupt-m1 ~]# vim /etc/puppet/puppet.conf
    [master]
    certname = puppetmaster
    # this node is not the CA
    ca = false

**3.1.6 Configure puppet.conf: in the [agent] section set server and ca_server**

    [root@kspupt-m1 ~]# vim /etc/puppet/puppet.conf
    [agent]
    server = puppetmaster
    ca_server = puppetca

**3.1.7 Start the puppetmaster service; the master is deployed**

    [root@kspupt-m1 ~]# /etc/init.d/puppetmaster start

**3.1.8 Run the agent to request a certificate for the local node**

    [root@kspupt-m1 ~]# puppet agent -t
    Info: Creating a new SSL key for kspupt-m1
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for kspupt-m1
    Info: Certificate Request fingerprint (SHA256): 78:A5:F2:6C:F6:EE:0C:25:0C:EF:96:B8:B4:E6:78:74:A6:AA:67:81:6B:8F:36:AC:B2:37:B5:E0:C1:F0:11:67
    Exiting; no certificate found and waitforcert is disabled

**3.1.9 Sign the certificate on the puppetca**

Before signing, compare the request fingerprint shown on the CA with the one the agent printed above; that is how you confirm the request really came from kspupt-m1 and not from another host claiming that name.

    [root@kspupt-ca ~]# puppet cert --sign kspupt-m1
    Notice: Signed certificate request for kspupt-m1
    Notice: Removing file Puppet::SSL::CertificateRequest kspupt-m1 at '/var/lib/puppet/ssl/ca/requests/kspupt-m1.pem'

**3.1.10 Run the agent again to test connectivity**

    [root@kspupt-m1 ~]# puppet agent -t
    Info: Caching certificate for kspupt-m1
    Info: Caching certificate_revocation_list for ca
    Info: Caching certificate for kspupt-m1
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Caching catalog for kspupt-m1
    Info: Applying configuration version '1409296030'
    Info: Creating state file /var/lib/puppet/state/state.yaml
    Notice: Finished catalog run in 0.02 seconds

**3.1.11 Request a certificate for the CA host itself**

    [root@kspupt-ca ~]# vim /etc/puppet/puppet.conf
    [agent]
    server = puppetmaster
    ca_server = puppetca
    [root@kspupt-ca ~]# puppet agent -t
    [root@kspupt-ca ~]# puppet cert --sign kspupt-ca
    [root@kspupt-ca ~]# puppet agent -t


## 3.2 Nginx + Passenger: ##

**Note:** see also [http://kisspuppet.com/2014/10/20/puppet_learning_ext4/](http://kisspuppet.com/2014/10/20/puppet_learning_ext4/)

**3.2.1 Install the development packages**

    [root@kspupt-m1 ~]# groupadd -g 3001 nginx
    [root@kspupt-m1 ~]# useradd -u 3001 -g 3001 nginx
    [root@kspupt-m1 ~]# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build

**3.2.2 Install Passenger (from gem files copied to the local machine)**

    [root@kspupt-m1 gem]# gem install rake rack passenger --no-rdoc --no-ri

**3.2.3 Unpack the nginx and pcre sources**

    [root@kspupt-m1 gem]# tar xf pcre-8.32.tar.gz -C /usr/local/src/
tar xf nginx-1.4.2.tar.gz -C /usr/local/src/ 187 | 188 | **3.2.4、编译并安装nginx** 189 | 190 | [root@kspupt-m1 ~]# cd /usr/local/src/nginx-1.4.2/ 191 | [root@kspupt-m1 nginx-1.4.2]# ./configure --user=nginx --group=nginx --prefix=/etc/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.32 --add-module=`passenger-config --root`/ext/nginx 192 | [root@kspupt-m1 nginx-1.4.2]# make && make install 193 | 194 | **3.2.5、与passenger结合** 195 | 196 | [root@kspupt-m1 nginx-1.4.2]# mkdir -p /etc/puppet/rack/public 197 | [root@kspupt-m1 nginx-1.4.2]# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/ 198 | [root@kspupt-m1 nginx-1.4.2]# chown -R puppet. /etc/puppet/rack/ 199 | 200 | **3.2.6、复制启动脚本到** 201 | 202 | [root@kspupt-m1 init.d]# cp /root/gem/nginx /etc/init.d/ 203 | [root@kspupt-m1 ~]# chmod a+x /etc/init.d/nginx 204 | 205 | **3.2.7、配置nginx** 206 | 207 | [root@kspupt-m1 gem]# vim /etc/nginx/conf/nginx.conf 208 | user nginx nginx; 209 | worker_processes 1; 210 | pid /var/run/nginx.pid; 211 | 212 | events { 213 | worker_connections 1024; 214 | } 215 | 216 | http { 217 | passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19; 218 | passenger_ruby /usr/bin/ruby; 219 | 220 | include mime.types; 221 | default_type application/octet-stream; 222 | 223 | sendfile on; 224 | keepalive_timeout 65; 225 | 226 | server { 227 | listen 8140 ssl; 228 | server_name puppetmaster; 229 | 230 | passenger_enabled on; 231 | passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn; 232 | passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify; 233 | proxy_buffer_size 4000k; 234 | proxy_buffering on; 235 | proxy_buffers 32 1280k; 236 | proxy_busy_buffers_size 17680k; 237 | client_max_body_size 10m; 238 | client_body_buffer_size 4096k; 239 | 240 | access_log /var/log/nginx/puppet_access.log; 241 | error_log /var/log/nginx/puppet_error.log; 242 | 243 | root /etc/puppet/rack/public; 244 | 245 | ssl off; 246 | ssl_session_timeout 5m; 247 | 
ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.pem; 248 | ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.pem; 249 | ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem; 250 | ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; 251 | ssl_verify_client optional; 252 | 253 | ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA; 254 | ssl_prefer_server_ciphers on; 255 | ssl_verify_depth 1; 256 | ssl_session_cache shared:SSL:128m; 257 | 258 | # File sections 259 | location /production/file_content/files/ { 260 | types { } 261 | default_type application/x-raw; 262 | alias /etc/puppet/files/; 263 | } 264 | } 265 | } 266 | 267 | **3.2.8、配置puppet.conf** 268 | 269 | [root@kspupt-m1 ~]# vim /etc/puppet/puppet.conf 270 | [master] 271 | certname = puppetmaster 272 | ca = false 273 | ssl_client_verify_header = HTTP_X_CLIENT_VERIFY 274 | ssl_client_header = HTTP_X_CLIENT_DN 275 | 276 | **3.2.9、启动nginx** 277 | 278 | [root@kspupt-m1 gem]# mkdir /var/log/nginx/ 279 | [root@kspupt-m1 nginx-1.4.2]# /etc/init.d/puppetmaster stop 280 | [root@kspupt-m1 nginx-1.4.2]# chkconfig puppetmaster off 281 | [root@kspupt-m1 nginx-1.4.2]# /etc/init.d/nginx start 282 | [root@kspupt-m1 nginx-1.4.2]# chkconfig nginx on 283 | 284 | **3.2.10、测试** 285 | 286 | 在多个节点发起puppet agent -t命令动作 287 | 288 | [root@kspupt-ca ~]# puppet agent -t 289 | [root@kspupt-m1 ~]# puppet agent -t 290 | [root@kspupt-m1 ~]# tailf /var/log/nginx/puppet_access.log 291 | 292 | **tkpupt-m2安装(略)** 293 | 294 | ## 4 Puppet LB负载均衡器部署 ## 295 | 296 | **4.1 puppet认证建立** 297 | 298 | **4.1.1、安装软件包** 299 | 300 | [root@kspupt-lvs1 ~]# groupadd -g 3000 puppet 301 | [root@kspupt-lvs1 ~]# useradd -u 3000 -g 3000 puppet 302 | [root@kspupt-lvs1 ~]# yum install puppet 303 | 304 | **4.1.2、编辑hosts文件** 305 | 306 | [root@kspupt-lvs1 ~]# vim /etc/hosts 307 | 192.168.10.20 puppetca 308 | 192.168.10.11 puppetmaster 309 | 192.168.10.13 kspupt-lvs1 310 | 311 | **4.1.3、创建证书目录** 312 | 313 | [root@kspupt-lvs1 ~]# mkdir 
/var/lib/puppet/ssl/{certs,ca,private_keys} -p 314 | 315 | **4.1.4、将kspupt-ca上生成的puppetmaster公钥、私钥和根证书复制到kspupt-lvs1** 316 | 317 | [root@kspupt-lvs1 ssl]# scp -r root@192.168.10.10:/var/lib/puppet/ssl/ca/signed/puppetmaster.pem /var/lib/puppet/ssl/certs/puppetmaster.pem 318 | [root@kspupt-lvs1 ssl]# scp -r root@192.168.10.10:/var/lib/puppet/ssl/ca/ca_crt.pem /var/lib/puppet/ssl/certs/ca.pem 319 | [root@kspupt-lvs1 ssl]# scp -r root@192.168.10.10:/var/lib/puppet/ssl/private_keys/puppetmaster.pem /var/lib/puppet/ssl/private_keys/puppetmaster.pem 320 | [root@kspupt-lvs1 ssl]# scp -r root@192.168.10.10:/var/lib/puppet/ssl/ca/ca_crl.pem /var/lib/puppet/ssl/ca/ 321 | 322 | **4.1.5、配置puppet.conf,修改标签[agent],增加server和ca_server字段** 323 | 324 | [root@kspupt-lvs1 ~]# vim /etc/puppet/puppet.conf 325 | [agent] 326 | server = puppetmaster 327 | ca_server = puppetca 328 | 329 | **4.1.6、运行puppet命令进行本地证书申请** 330 | 331 | [root@kspupt-lvs1 ~]# puppet agent -t 332 | 333 | **4.1.7、登录kspupt-ca进行证书签发** 334 | 335 | [root@kspupt-ca1 ~]# puppet cert --sign kspupt-lvs1 336 | 337 | **4.1.8、再次运行puppet命令进行测试连通性** 338 | 339 | [root@kspupt-lvs1 ~]# puppet agent -t 340 | Info: Retrieving pluginfacts 341 | Info: Retrieving plugin 342 | Info: Caching catalog for kspupt-lvs1 343 | Info: Applying configuration version '1409210667' 344 | 345 | **4.2 安装并配置nginx负载均衡器** 346 | 347 | **4.2.1、安装nginx软件** 348 | 349 | [root@kspupt-lvs1 ~]# groupadd -g 3001 nginx 350 | [root@kspupt-lvs1 ~]# useradd -u 3001 -g 3001 nginx 351 | [root@kspupt-lvs1 ~]# yum install nginx 352 | 353 | **4.2.2、临时设置VIP地址(后面通过高可用软件代替)** 354 | 355 | [root@kspupt-lvs1 ~]# ip addr add 192.168.10.18/24 dev eth0 356 | 357 | 358 | **4.2.3、配置nginx虚拟主机,添加upstrem** 359 | 360 | [root@kspupt-lvs1 ~]# vim /etc/nginx/conf.d/puppetmaster.conf 361 | upstream puppet-master { 362 | server 192.168.10.11:8140; 363 | server 192.168.10.12:8140; 364 | } 365 | server { 366 | listen 8140 ssl; 367 | server_name puppetmaster; 368 | 369 | access_log 
/var/log/nginx/puppet_access.log; 370 | error_log /var/log/nginx/puppet_error.log; 371 | 372 | ssl_protocols SSLv3 TLSv1; 373 | ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP; 374 | 375 | proxy_set_header X-SSL-Subject $ssl_client_s_dn; 376 | proxy_set_header X-Client-DN $ssl_client_s_dn; 377 | proxy_set_header X-Client-Verify $ssl_client_verify; 378 | client_max_body_size 100m; 379 | client_body_buffer_size 1024k; 380 | proxy_buffer_size 100m; 381 | proxy_buffers 8 100m; 382 | proxy_busy_buffers_size 100m; 383 | proxy_temp_file_write_size 100m; 384 | proxy_read_timeout 500; 385 | 386 | ssl on; 387 | ssl_session_timeout 5m; 388 | ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.pem; 389 | ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.pem; 390 | ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem; 391 | ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; 392 | ssl_verify_client optional; 393 | 394 | ssl_prefer_server_ciphers on; 395 | ssl_verify_depth 1; 396 | ssl_session_cache shared:SSL:128m; 397 | location / { 398 | proxy_redirect off; 399 | proxy_pass https://puppet-master; 400 | } 401 | } 402 | 403 | **4.2.4、编辑hosts文件,puppetmaster解析指向VIP** 404 | 405 | [root@kspupt-lvs1 ~]# vim /etc/hosts 406 | 192.168.10.20 puppetca 407 | 192.168.10.18 puppetmaster 408 | 192.168.10.13 kspupt-lvs1 409 | 410 | 411 | **4.2.5、修改kspupt-ca和kspupt-m1的hosts文件puppetmaster解析** 412 | 413 | [root@kspupt-ca1 ~]# vim /etc/hosts 414 | 192.168.10.20 puppetca 415 | 192.168.10.18 puppetmaster 416 | [root@kspupt-m1 ~]# vim /etc/hosts 417 | 192.168.10.20 puppetca 418 | 192.168.10.18 puppetmaster 419 | 420 | **4.2.6、启动nginx服务器** 421 | 422 | [root@kspupt-lvs1 ~]# /etc/init.d/nginx start 423 | 424 | **4.2.7、再次运行puppet命令进行测试连通性** 425 | 426 | [root@kspupt-ca1 ~]# puppet agent -t 427 | [root@kspupt-m1 ~]# puppet agent -t 428 | [root@kspupt-lvs1 ~]# puppet agent -t 429 | [root@kspupt-m1 ~]# tailf /var/log/nginx/puppet_access.log 430 | [root@kspupt-lvs1 ~]# tailf 
/var/log/nginx/puppet_access.log 431 | 432 | **kspupt-lvs2(略)** 433 | 434 | **4.3 HAproxy负载均衡配置参考** 435 | 436 | [root@kspupt-lvs2 ~]# cat /etc/haproxy/haproxy.cfg 437 | listen admin_stats 438 | bind 0.0.0.0:8080 439 | mode http 440 | stats refresh 5s 441 | stats enable 442 | stats hide-version 443 | stats realm Haproxy\ Statistics 444 | stats uri /haproxy 445 | stats auth admin:password 446 | 447 | listen puppetmaster *:8140 448 | mode tcp 449 | option ssl-hello-chk 450 | # option tcplog 451 | #balance source 452 | # balance roundrobin 453 | balance source 454 | server kspupt-m1 kspupt-m1:8140 check inter 2000 fall 3 455 | server kspupt-m2 kspupt-m2:8140 check inter 2000 fall 3 456 | 457 | 458 | -------------------------------------------------------------------------------- /puppet_learning_ext7.md: -------------------------------------------------------------------------------- 1 | #### Puppet扩展篇7-puppet代码与版本控制系统的结合 2 | 3 | 4 | 5 | # 一、介绍 # 6 | 7 | 通过安装部署Puppet C/S模型,实现Puppet Server端管理所有被控制机的整个生命周期:从初始化到软件升级、从配置文件创建到测试部署、从系统维护到服务器迁移等。Puppet能够持续化的与被控制机进行交互,从而实现配置文件的及时检测更新。结合SVN版本控制系统,puppet可在更新之前将当前正在运行的环境以版本的方式保存到SVN版本控制系统中,方便以后通过puppet更新出错或者需要回滚到之前的某一个环境时快速恢复。 8 | 9 | 10 | 11 | # 二、环境介绍 # 12 | 13 | 序号 服务器类型 版本/IP参数 14 | 1 PuppetMaster RHEL6.4 x86_64(192.168.100.110) 15 | 2 PuppetAgent RHEL5.8 x86_64(192.168.100.111)和RHEL5.7 x86_64(192.168.100.112) 16 | 3 SVN Service端 RHEL6.4 x86_64(192.168.100.110) 17 | 4 SVN Service端 RHEL6.4 x86_64(192.168.100.110)和Windows 8.1 x86_64(192.168.100.2) 18 | 19 | 编号 类型 主机名/软件名称 系统/软件版本 其他信息 20 | 1 Software Subversion 1.6.11-7 rpm package 21 | 2 Software TortoiseSVN 1.8.2.24708-x64-svn-1.8.3 msi 22 | 23 | # 三、部署流程 # 24 | 25 | ## 1 SVN Server端部署 ## 26 | 27 | **1.1 安装相关软件包** 28 | 29 | [root@puppetserver ~]# yum install subversion 30 | [root@puppetserver ~]# svnserve –version #通过查看版本验证安装是否成功 31 | svnserve, version 1.6.11 (r934486) 32 | compiled Apr 12 2012, 11:09:11 33 | 34 | Copyright (C) 2000-2009 CollabNet. 
    Subversion is open source software, see http://subversion.tigris.org/
    This product includes software developed by CollabNet (http://www.Collab.Net/).

    The following repository back-end (FS) modules are available:

    * fs_base : Module for working with a Berkeley DB repository.
    * fs_fs : Module for working with a plain file (FSFS) repository.

    Cyrus SASL authentication is available.

**1.2 Create the first repository**

    [root@puppetserver ~]# mkdir /svndata
    [root@puppetserver ~]# svnadmin create /svndata/puppet
    [root@puppetserver ~]# ll /svndata/puppet/
    total 24
    drwxr-xr-x 2 root root 4096 Oct 22 13:29 conf
    drwxr-sr-x 6 root root 4096 Oct 22 13:29 db
    -r--r--r-- 1 root root    2 Oct 22 13:29 format
    drwxr-xr-x 2 root root 4096 Oct 22 13:29 hooks
    drwxr-xr-x 2 root root 4096 Oct 22 13:29 locks
    -rw-r--r-- 1 root root  229 Oct 22 13:29 README.txt

## 2 Access the SVN server through Apache with SSL authentication ##

**2.1 Install the required packages**

    [root@puppetserver ~]# yum install httpd httpd-devel mod_dav_svn

**2.2 Create the SVN virtual host**

    [root@puppetserver svndata]# vim /etc/httpd/conf.d/subversion.conf
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
    Listen 8142

    <Location /svndata>
        DAV svn
        SVNListParentPath on
        SVNPath "/svndata/puppet"
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile "/svndata/puppet/conf/authfile"
        #AuthzSVNAccessFile /svndata/puppet/conf/svn-acl-conf
        Require valid-user
        SVNAutoversioning on
        ModMimeUsePathInfo on
    </Location>

**2.3 Create the svn authorization file**

    [root@puppetserver svndata]# vim puppet/conf/authz
    [groups]
    admin = puppet
    [admin:/]
    @admin = rw
    [/]
    * = r
    [$name:/]
    test = rw

**2.4 Create the user name and password and set the corresponding permissions**

    [root@puppetserver ~]# /usr/bin/htpasswd -c /svndata/puppet/conf/authfile puppet    # create the SVN account puppet with the password redhat
    New password: redhat
    Re-type new password: redhat
    Adding password for user puppet
    [root@puppetserver ~]# chown apache /svndata/puppet -R
    [root@puppetserver ~]# echo "puppet = redhat" >>/svndata/puppet/conf/passwd

**2.5 Configure the svnserve service**

    [root@puppetserver svndata]# vim /svndata/puppet/conf/svnserve.conf
    [general]
    anon-access = none
    auth-access = write
    password-db = /svndata/puppet/conf/passwd
    authz-db = /svndata/puppet/conf/authz
    realm = puppet Repository

**2.6 Test access from a browser**

    [root@puppetserver svndata]# /etc/rc.d/init.d/httpd restart    # restart the httpd service
    http://192.168.100.110:8142/svndata/

![svn version control test page](http://kisspuppet.com/img/svn-puppet-1.png)

![svn version control test page](http://kisspuppet.com/img/svn-puppet-2.png)

**2.7 Test access from another Linux node**

    [root@agent1 ~]# svn checkout http://192.168.100.110:8142/svndata/ /mnt/
    Authentication realm: Puppet Subversion repository
    Password for 'root':
    Authentication realm: Puppet Subversion repository
    Username: puppet
    Password for 'puppet':
    -----------------------------------------------------------------------
    ATTENTION!  Your password for authentication realm:

       Puppet Subversion repository

    can only be stored to disk unencrypted!  You are advised to configure
    your system so that Subversion can store passwords encrypted, if
    possible.  See the documentation for details.

    You can avoid future appearances of this warning by setting the value
    of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
    '/root/.subversion/servers'.
    -----------------------------------------------------------------------
    Store password unencrypted (yes/no)? no
    Checked out revision 0.

**2.8 Test access from the Windows client TortoiseSVN**

![svn version control test page](http://kisspuppet.com/img/svn-puppet-3.png)

![svn version control test page](http://kisspuppet.com/img/svn-puppet-4.png)

![svn version control test page](http://kisspuppet.com/img/svn-puppet-5.png)

**Note:** nothing has been imported yet, so the repository appears empty.

## 3 Integrate with the puppet server ##

**3.1 Import the puppet server module directory into the repository**

    [root@puppetserver ~]# svn import /etc/puppet/environments/testing http://192.168.100.110:8142/svndata/puppet -m "Puppet Initial repository"
    Authentication realm: Puppet Subversion repository
    Password for 'root':
    Authentication realm: Puppet Subversion repository
    Username: puppet
    Password for 'puppet':
    Adding         /etc/puppet/environments/testing/groups
    Adding         /etc/puppet/environments/testing/groups/modules
    Adding         /etc/puppet/environments/testing/groups/modules/grub
    Adding         /etc/puppet/environments/testing/groups/modules/grub/files
    Adding         /etc/puppet/environments/testing/groups/modules/grub/manifests
    …
    Committed revision 1.

**Note:** since the SVN server and puppetserver are on the same machine, the import can also be done as follows:

    [root@puppetserver ~]# svn import /etc/puppet/environments/testing file:///svndata/puppet -m "Puppet Initial repository"

**3.2 Access the SVN server from Internet Explorer**

![svn version control test page](http://kisspuppet.com/img/svn-puppet-6.png)

**3.3 Check out the latest revision locally with the Windows client TortoiseSVN**

![svn version control test page](http://kisspuppet.com/img/svn-puppet-7.png)

![svn version control test page](http://kisspuppet.com/img/svn-puppet-8.png)

![svn version control test page](http://kisspuppet.com/img/svn-puppet-9.png)

**3.4 Delete the testing directory on puppetserver and check the data out of the repository**

    [root@puppetserver ~]# cd /etc/puppet/environments/testing/
    [root@puppetserver testing]# rm -rf *    # back up before deleting
    [root@puppetserver testing]# svn checkout http://192.168.100.110:8142/svndata/puppet /etc/puppet/environments/testing
    Authentication realm: Puppet Subversion repository
    Password for 'puppet':
    Please type 'yes' or 'no': no
    A    groups
    A    groups/modules
    A    groups/modules/grub
    A    groups/modules/grub/files
    A    groups/modules/grub/manifests
    Checked out revision 1.
    [root@puppetserver testing]# ls -a
    .  ..  agents  environment  groups  manifests  .svn
    [root@puppetserver testing]# ls .svn/    # a hidden .svn directory is created under every directory to hold the working-copy information
    all-wcprops  entries  prop-base  props  text-base  tmp

Note: after the checkout, `/etc/puppet/environments/testing` holds a copy of the latest revision on the SVN server.

## 4 Deploy SVN hooks ##

**4.1 Configure pre-commit**

A pre-commit hook checks the Puppet syntax of files before they are committed to the SVN server: the commit succeeds if the syntax is valid and fails otherwise.

    [root@puppetserver hooks]# chmod 774 pre-commit^C
    [root@puppetserver hooks]# cp pre-commit.tmpl pre-commit
    [root@puppetserver hooks]# chmod 774 pre-commit
    [root@puppetserver hooks]# vim pre-commit
    #!/bin/sh
    # SVN pre-commit hook to check Puppet syntax for .pp files
    # Modified from http://mail.madstop.com/pipermail/puppet-users/2007-March/002034.html
    # See http://projects.puppetlabs.com/projects/1/wiki/puppet_version_control
    REPOS="$1"
    TXN="$2"
    tmpfile=`mktemp`
    export HOME=/    # hooks run with an empty environment; puppet needs a HOME
    SVNLOOK=/usr/bin/svnlook
    # List every added or modified (not deleted) .pp file in the transaction and validate each one
    $SVNLOOK changed -t "$TXN" "$REPOS" | awk '/^[^D].*\.pp$/ {print $2}' | while read line
    do
        $SVNLOOK cat -t "$TXN" "$REPOS" "$line" > "$tmpfile"
        if [ $? -ne 0 ]
        then
            echo "Warning: Failed to checkout $line" >&2
        fi
        # puppet --color=false --confdir=/etc/puppet --vardir=/var/lib/puppet --parseonly --ignoreimport $tmpfile >>/var/log/puppet/svn_pre-commit.log 2>&1
        puppet parser validate --color=false --confdir=/etc/puppet --vardir=/var/lib/puppet --ignoreimport "$tmpfile" >>/var/log/puppet/svn_pre-commit.log 2>&1
        if [ $? -ne 0 ]
        then
            echo "Puppet syntax error in $line." >>/var/log/puppet/svn_pre-commit.log 2>&1
            echo "Puppet syntax error in $line." >&2    # stderr is shown to the committer
            exit 2
        fi
    done
    res=$?
    rm -f "$tmpfile"
    if [ $res -ne 0 ]
    then
        exit $res
    fi

**4.2 Configure post-commit**

A post-commit hook makes the puppetmaster module directory `/etc/puppet/environments/testing` automatically update to the latest revision from the SVN server after each successful commit.

    #!/bin/sh
    # POST-COMMIT HOOK
    REPOS="$1"
    REV="$2"
    #mailer.py commit "$REPOS" "$REV" /path/to/mailer.conf
    export LANG=en_US.UTF-8
    SVN=/usr/bin/svn
    PUPPET_DIR=/etc/puppet/environments/testing    # the working copy checked out in 3.4
    #/usr/bin/svn up /etc/puppet -non-interactive
    $SVN update "$PUPPET_DIR" --non-interactive --username puppet --password 123.com >>/var/log/puppet/svn_post-commit.log 2>&1

## 5 SVN client deployment test ##

**5.1 Local test**

1) Check the repository out locally

    [root@puppetserver ~]# svn checkout file:///svndata/puppet /puppet/puppet

2) Create and add a new directory and files

    [root@puppetserver puppet]# svn add ssh

3) Commit the modified files to the SVN server; the repository revision increases by 1

    [root@puppetserver .svn]# svn commit -m "add ssh modules" /puppet/puppet/*

**5.2 Remote test (Linux)**

    [root@agent1 svndata]# svn checkout http://172.16.200.100/svndata/ /mnt/

**5.3 TortoiseSVN client test (Windows)**

![svn version control test page](http://kisspuppet.com/img/svn-puppet-12.png)

![svn version control test page](http://kisspuppet.com/img/svn-puppet-13.png)

--------------------------------------------------------------------------------
/puppet_learning_ext8.md:
--------------------------------------------------------------------------------
#### Puppet Extensions 8: Deploying and testing Puppet Dashboard

Puppet Dashboard was created by Puppetlabs, the company behind Puppet, and is a Ruby on Rails application. It can serve as an ENC (external node classifier) and as a reporting tool, and is gradually becoming an integrated interface for many new Puppet features such as auditing and resource management.
Puppet Dashboard displays information about Puppet masters and agents. It lets you view graphs and report data aggregated from one or more Puppet masters, and collects inventory data (host facts and other information) from Puppet agents via one or more Puppet masters. Finally, it can act as an ENC to configure Puppet nodes, specifying the classes and parameters for those nodes.

## 1 Prerequisites ##

The current Puppet Dashboard release (1.2.3) can only be installed on Ruby 1.8.x (Dashboard does not yet work on 1.9.x or newer) and supports only MySQL as the database backend.

    Rake version 0.8.3 or newer
    MySQL database server version 5.x
    Ruby-MySQL bindings version 2.7.x or 2.8.x

**Note:** see http://docs.puppetlabs.com/dashboard/ for details.

## 2 Install the required packages ##

    [root@puppetserver nodes]# yum install ruby-mysql mysql-server puppet-dashboard

## 3 Configure Dashboard (including the database integration) ##

**3.1 Create and authorize the MySQL account that manages Dashboard**

    [root@puppetserver rpms]# /etc/rc.d/init.d/mysqld restart
    [root@puppetserver ~]# chkconfig mysqld on
    [root@puppetserver rpms]# mysqladmin -uroot password 123.com
    [root@puppetserver rpms]# mysql -p123.com
    mysql> create database dashboard character set utf8;
    mysql> grant all on dashboard.* to 'dashboard'@'localhost' identified by "123.com";
    mysql> flush privileges;
    [root@puppetserver rpms]# mysql -udashboard -p123.com    # verify that the account works
    …
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql>

**3.2 Tune the MySQL configuration file my.cnf**

    [root@puppetserver rpms]# vim /etc/my.cnf
    [mysqld]
    # Allowing 32MB allows an occasional 17MB row with plenty of spare room
    max_allowed_packet = 32M
    …
    [root@puppetserver rpms]# /etc/rc.d/init.d/mysqld restart    # restart MySQL to apply the change
    Stopping mysqld: [ OK ]
    Starting mysqld: [ OK ]

**3.3 Edit the Dashboard YAML configuration file (`database.yml`) to specify the database**

    [root@puppetserver rpms]# vim /usr/share/puppet-dashboard/config/database.yml
    production:
      database: dashboard
      username: dashboard
      password: 123.com
      encoding: utf8
      adapter: mysql
    …

**3.4 Populate the database**

    [root@puppetserver ~]# cd /usr/share/puppet-dashboard/
    [root@puppetserver puppet-dashboard]# rake gems:refresh_specs
    [root@puppetserver puppet-dashboard]# rake RAILS_ENV=production db:migrate    # RAILS_ENV=production tells Ruby on Rails that we are working in the production environment; every rake command must be run with the appropriate RAILS_ENV value

**3.5 Verify that the import succeeded**

    [root@puppetserver puppet-dashboard]# mysql -udashboard -p123.com
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 5
    Server version: 5.1.66 Source distribution
    Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql> use dashboard;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    Database changed
    mysql> show tables;
    +------------------------------+
    | Tables_in_dashboard          |
    +------------------------------+
    | delayed_job_failures         |
    | delayed_jobs                 |
    | metrics                      |
    | node_class_memberships       |
    | node_classes                 |
    | node_group_class_memberships |
    | node_group_edges             |
    | node_group_memberships       |
    | node_groups                  |
    | nodes                        |
    | old_reports                  |
    | parameters                   |
    | report_logs                  |
    | reports                      |
    | resource_events              |
    | resource_statuses            |
    | schema_migrations            |
    | timeline_events              |
    +------------------------------+
    18 rows in set (0.00 sec)

## 4 Start and run Dashboard (WEBrick) ##

WEBrick is handy for getting Dashboard running quickly, but it does not scale well and performs very poorly once many Puppet agents report to Dashboard, so it is not recommended.

**4.1 Stop the httpd service**

    [root@puppetserver puppet-dashboard]# /etc/rc.d/init.d/httpd stop    # httpd was configured earlier to run puppetmaster and must be stopped
    Stopping httpd: [ OK ]

**4.2 Start the puppetmaster service**

    [root@puppetserver puppet-dashboard]# /etc/rc.d/init.d/puppetmaster start
    Starting puppetmaster: [ OK ]

**4.3 Start the puppet-dashboard service**

    [root@puppetserver puppet-dashboard]# /etc/rc.d/init.d/puppet-dashboard start    # start dashboard
    Starting Puppet Dashboard: => Booting WEBrick
    => Rails 2.3.17 application starting on http://0.0.0.0:3000
    [ OK ]

**4.4 Open http://192.168.100.110:3000 in a browser**

![puppet dashboard](http://kisspuppet.com/img/dashboard-1.png)

## 5 Start and run Dashboard (Passenger) ##

**5.1 Install Passenger with Ruby Gems**

    [root@puppetserver etc]# yum install ruby-devel ruby-libs rubygems libcurl-devel
    [root@puppetserver etc]# yum install httpd httpd-devel apr-util-devel apr-devel mod_ssl
    [root@puppetserver repos]# gem install --local passenger-4.0.19.gem    # dependencies are resolved automatically; run this from the directory holding the gem packages
    Building native extensions.  This could take a while...
    Successfully installed rake-10.0.1
    Successfully installed daemon_controller-1.1.5
    Successfully installed rack-1.5.2
    Successfully installed passenger-4.0.19

**5.2 Configure the virtual host and passenger**

    [root@puppetserver puppet-dashboard]# vim /etc/httpd/conf.d/passenger.conf
    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19/buildout/apache2/mod_passenger.so

    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19
    PassengerRuby /usr/bin/ruby
    PassengerHighPerformance on
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 1500
    PassengerStatThrottleRate 120
    # RailsAutoDetect On

    Listen 8141
    <VirtualHost *:8141>
        DocumentRoot "/usr/share/puppet-dashboard/public/"
        <Directory "/usr/share/puppet-dashboard/public/">
            Options None
            AllowOverride AuthConfig
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog /var/log/httpd/dashboard.error.log
        LogLevel warn
        CustomLog /var/log/httpd/dashboard.access.log combined
    </VirtualHost>

**5.3 Start the services**

    [root@puppetserver ~]# /etc/rc.d/init.d/puppetmaster stop    # stop the puppetmaster service
    Stopping puppetmaster: [ OK ]
    [root@puppetserver ~]# /etc/rc.d/init.d/httpd restart

**5.4 Test from a browser**

http://192.168.100.110:8141/

![puppet dashboard](http://kisspuppet.com/img/dashboard-2.png)

## 6 Integrate Puppet Dashboard ##

**6.1 Import existing reports manually (method 1)**

    [root@puppetserver ~]# cd /usr/share/puppet-dashboard/
    [root@puppetserver puppet-dashboard]# rake RAILS_ENV=production reports:import    # import the reports that already exist
    Importing 39 reports from /var/lib/puppet/reports in the background
    Importing: 100% |###################################################################################| Time: 00:00:00
    39 of 39 reports queued

**Note:** node reports are produced under `/var/lib/puppet/reports/` by default; if the path differs, append `REPORT_DIR=<report path>` to the import command. The report path is changed with the `reportdir = <new path>` setting in `puppet.conf`. This method is not real-time.

![puppet dashboard](http://kisspuppet.com/img/dashboard-3.png)

**6.2 Configure real-time aggregation of puppet reports (method 2)**

    [root@agent1 ~]# vim /etc/puppet/puppet.conf    # configure the agent node to send reports automatically
    [agent]
    report = true    # reporting has been enabled by default since version 2.7.0, so this is not required
    …
    [root@puppetserver puppet-dashboard]# vim /etc/puppet/puppet.conf
    [main]
    reports = http    # use the http report processor; other processors include store, log, tagmail and rrdgraph
    reporturl = http://172.16.200.100:8141/reports    # the http report processor sends puppet reports to an HTTP URL and port (the Dashboard location); each report is dumped to YAML and sent as an HTTP POST
    …
    [root@puppetserver public]# /etc/rc.d/init.d/httpd restart

**6.3 Start the background report-processing worker**

    [root@puppetserver puppet-dashboard]# rake RAILS_ENV=production jobs:work &    # run the "Delayed Job Workers" so that report logs are processed for us in the background
    [1] 28651
    [root@puppetserver puppet-dashboard]# [Worker(host:puppetserver.kisspuppet.com pid:28651)] Starting job worker
    [Worker(host:puppetserver.kisspuppet.com pid:28651)] Report.create_from_yaml_file completed after 0.2674
    [Worker(host:puppetserver.kisspuppet.com pid:28651)] Report.create_from_yaml_file completed after 0.1725
    [Worker(host:puppetserver.kisspuppet.com pid:28651)] Report.create_from_yaml_file completed after 0.1345
    [Worker(host:puppetserver.kisspuppet.com pid:28651)] Report.create_from_yaml_file completed after 0.1772
    [Worker(host:puppetserver.kisspuppet.com pid:28651)] Report.create_from_yaml_file completed after 0.1397
    …
    [Worker(host:puppetserver.kisspuppet.com pid:28651)] 42 jobs processed at 5.9487 j/s, 0 failed ...
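The `http` report processor configured in 6.2 POSTs each report as a YAML dump to `reporturl`, and the worker started in 6.3 later turns the queued YAML into a `Report` record. The following is an added example of the receiving side of that exchange; it is not Dashboard's code. The function `receive_report`, the `ReportJob` struct and the two sample bodies are constructed for this example. The point it makes is that a receiver of agent-supplied YAML should parse it with `YAML.safe_load`, so that a body tagged with arbitrary Ruby classes is refused with a 400 rather than instantiated on the server, and should validate the few fields it indexes on before queueing the job.

```ruby
# Added example: a minimal receiver for the YAML reports that Puppet's
# `http` report processor POSTs to `reporturl`. Not Dashboard's code;
# the function name, the job struct and the sample bodies are constructed.
require "yaml"
require "time"

REQUIRED_KEYS = %w[host time status].freeze
VALID_STATUS  = %w[changed unchanged failed].freeze

# What the request path hands to the background worker: the raw YAML plus
# the fields needed to index it. Parsing metrics and logs is the worker's
# job, as with Dashboard's Report.create_from_yaml_file.
ReportJob = Struct.new(:host, :time, :status, :yaml)

# Returns [http_status, ReportJob] when the report is accepted, or
# [http_status, message] when it is rejected.
def receive_report(content_type, body, max_bytes: 1_000_000)
  unless content_type == "application/x-yaml"
    return [415, "unsupported content type #{content_type.inspect}"]
  end
  return [413, "report body exceeds #{max_bytes} bytes"] if body.bytesize > max_bytes

  data = begin
    # Time is the only non-core class a plain report needs; any other tag,
    # including !ruby/object:..., raises Psych::DisallowedClass.
    YAML.safe_load(body, permitted_classes: [Time])
  rescue Psych::DisallowedClass => e
    return [400, "rejected report: #{e.message}"]
  rescue Psych::SyntaxError => e
    return [400, "malformed YAML: #{e.message}"]
  end
  return [400, "report must be a YAML mapping"] unless data.is_a?(Hash)

  missing = REQUIRED_KEYS - data.keys
  return [400, "missing keys: #{missing.join(', ')}"] unless missing.empty?
  unless VALID_STATUS.include?(data["status"])
    return [400, "invalid status #{data['status'].inspect}"]
  end

  time = data["time"].is_a?(Time) ? data["time"] : Time.iso8601(data["time"].to_s)
  [202, ReportJob.new(data["host"], time.utc.iso8601, data["status"], body)]
rescue ArgumentError => e
  [400, "invalid time: #{e.message}"]
end

# Constructed sample body (not captured from a real agent).
SAMPLE_REPORT = <<~YAML
  host: agent1.kisspuppet.com
  time: 2014-04-16 09:24:00 +00:00
  status: changed
  metrics:
    resources: { total: 15, changed: 1, out_of_sync: 1 }
YAML

# Constructed body whose top-level node carries a Ruby object tag.
TAGGED_REPORT = <<~YAML
  --- !ruby/object:Puppet::Transaction::Report
  host: agent1.kisspuppet.com
  time: 2014-04-16 09:24:00 +00:00
  status: changed
YAML

if __FILE__ == $0
  p receive_report("application/x-yaml", SAMPLE_REPORT)
  p receive_report("application/x-yaml", TAGGED_REPORT)
end
```

Dashboard itself loads the full `Puppet::Transaction::Report` object graph with Puppet's classes loaded, which is why the reports on this page include all metrics and logs; the example deliberately limits the permitted classes to show where that trust boundary sits.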

**6.4 Change the Dashboard time zone**

Dashboard uses UTC by default; here we change it to CST (`Asia/Shanghai`).

    [root@puppetserver ~]# vim /usr/share/puppet-dashboard/config/settings.yml
    time_zone: 'Asia/Shanghai'
    …

**Note:** settings in settings.yml override the corresponding entry in config/environment.rb (config.time_zone = 'UTC').

**6.5 View reports**

Open http://192.168.100.110:8141/ to see node reports as they arrive. The two nodes agent1 and agent2 are listed, with times shown in CST; you can also open a node's report for a particular run and its run-time graph.

![puppet dashboard](http://kisspuppet.com/img/dashboard-4.png)

![puppet dashboard](http://kisspuppet.com/img/dashboard-5.png)

![puppet dashboard](http://kisspuppet.com/img/dashboard-6.png)

![puppet dashboard](http://kisspuppet.com/img/dashboard-7.png)

**6.6 Delete reports**

Delete reports older than one month:

    [root@dashboard puppet-dashboard]# rake RAILS_ENV=production reports:prune upto=1 unit=mon
    (in /usr/share/puppet-dashboard)
    Deleting reports before 2014-03-18 09:23 UTC...
    Deleted 142 reports.

Delete reports older than one day:

    [root@dashboard puppet-dashboard]# rake RAILS_ENV=production reports:prune upto=1 unit=day
    (in /usr/share/puppet-dashboard)
    Deleting reports before 2014-04-16 09:24 UTC...
    Deleted 592 reports.

The result:

![puppet dashboard](http://kisspuppet.com/img/dashboard-8.jpg)

## 7 Custom reports ##

**7.1 Write an external report processor**

Use the stored reports, that is the YAML files, which are collected by setting `reports = store` in `puppet.conf`, and write an external processor that works on them, for example to draw graphs or to store them in an external database. This is also how the report import process in Puppet Dashboard works. Such external processors are easy to write in Ruby, which can deserialize the YAML files and work with the resulting objects, but any tool that can import third-party YAML data will do.

**7.2 Write an internal report processor**

Write a custom report processor and add it to Puppet. Unlike plugins for facts, functions, types and providers, Puppet provides no automatic way to distribute custom report processors.

**7.2.1 Existing report processors**

    [root@puppetserver ~]# ls /usr/lib/ruby/site_ruby/1.8/puppet/reports
    http.rb  log.rb  rrdgraph.rb  store.rb  tagmail.rb
    [root@puppetserver reports]# cat http.rb    # the http report processor
    require 'puppet'
    require 'net/http'
    require 'uri'

    Puppet::Reports.register_report(:http) do

      desc <<-DESC
      Send report information via HTTP to the `reporturl`. Each host sends
      its report as a YAML dump and this sends this YAML to a client via HTTP POST.
      The YAML is the body of the request.
      DESC

      def process
        url = URI.parse(Puppet[:reporturl])
        req = Net::HTTP::Post.new(url.path)
        req.body = self.to_yaml
        req.content_type = "application/x-yaml"
        Net::HTTP.new(url.host, url.port).start {|http|
          response = http.request(req)
          unless response.kind_of?(Net::HTTPSuccess)
            Puppet.err "Unable to submit report to #{Puppet[:reporturl].to_s} [#{response.code}] #{response.msg}"
          end
        }
      end
    end

**7.2.2 A custom summary report processor**

**7.2.2.1 Go to the reports directory and write the custom summary.rb report processor**

    [root@puppetserver ~]# cd /usr/lib/ruby/site_ruby/1.8/puppet/reports
    [root@puppetserver reports]# vim summary.rb
    require 'puppet'
    require 'fileutils'
    Puppet::Reports.register_report(:summary) do
      desc <<-DESC
      Send summary report information to the report directory.
      DESC
      def process
        client = self.host          # the agent's host name from the report
        summary = self.summary      # the change summary text
        dir = File.join(Puppet[:reportdir], client)
        FileUtils.mkdir_p(dir)      # the per-host directory only exists if the store processor has run
        file = "summary.txt"
        destination = File.join(dir, file)
        File.open(destination, "w") do |f|
          f.write(summary)
        end
      end
    end

**7.2.2.2 Add the processor name to puppet.conf and restart httpd**

    [root@puppetserver ~]# vim /etc/puppet/puppet.conf
    [main]
    reports = http,summary
    …
    [root@puppetserver ~]# /etc/rc.d/init.d/httpd restart
    Stopping httpd: [ OK ]
    Starting httpd: [ OK ]

**7.2.2.3 Trigger a run on node agent1 with the mco command**

    [root@puppetserver ~]# mco puppet -v runonce --with-fact hostname='agent1'
    Discovering hosts using the mc method for 2 second(s) .... 1
     * [ ============================================================> ] 1 / 1
    agent1.kisspuppet.com                   : OK
        {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}
    ---- rpc stats ----
               Nodes: 1 / 1
         Pass / Fail: 1 / 0
          Start Time: Fri Oct 04 12:54:50 +0800 2013
      Discovery Time: 2005.27ms
          Agent Time: 1118.41ms
          Total Time: 3123.68ms

**7.2.2.4 View the newly generated report**

    [root@puppetserver ~]# cd /var/lib/puppet/reports/agent1.kisspuppet.com/
    [root@puppetserver agent1.kisspuppet.com]# cat summary.txt
    Changes:
      Total: 1
    Events:
      Total: 1
      Success: 1
    Resources:
      Out of sync: 1
      Changed: 1
      Total: 15
      Skipped: 6
    Time:
      Filebucket: 0.00
      Package: 0.00
      File: 0.11
      Service: 0.12
      Config retrieval: 1.29
      Total: 1.52
      Last run: 1380861882
    Version:
      Config: 1380861878
      Puppet: 2.7.23

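The processor above derives a filesystem path from a field of the report (`self.host`) and writes under it. The following is an added example, not the page's summary.rb and not registered through `Puppet::Reports`: the same per-host `summary.txt` logic as plain Ruby functions that run without a master, with the two checks a defender would want around a report field that becomes a path component. The host name must be a syntactically valid DNS name, and the resolved destination must stay inside `reportdir`. The function names, `HOSTNAME_RE` and the sample sections are constructed for this example; the rendered layout follows the `summary.txt` output shown above.

```ruby
# Added example, not the page's summary.rb: per-host summary.txt writing as
# plain Ruby, outside Puppet::Reports. Names below are constructed.
require "fileutils"
require "pathname"
require "tmpdir"

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

class UnsafeHostname < StandardError; end

# Renders a summary in the layout shown in summary.txt above: a section
# line, then indented "Label: value" lines.
def summary_text(sections)
  sections.flat_map { |section, values|
    ["#{section}:"] + values.map { |label, value| "  #{label}: #{value}" }
  }.join("\n") + "\n"
end

# Resolves reportdir/<host>/summary.txt, refusing values that are not host
# names or whose resolved path would leave reportdir.
def summary_path(reportdir, host)
  raise UnsafeHostname, host.inspect unless host.is_a?(String) && host.match?(HOSTNAME_RE)
  base = Pathname.new(reportdir).expand_path
  dest = (base + host + "summary.txt").expand_path
  raise UnsafeHostname, host.inspect unless dest.to_s.start_with?(base.to_s + File::SEPARATOR)
  dest
end

# Writes the summary, creating the per-host directory, and returns the path.
def write_summary(reportdir, host, sections)
  dest = summary_path(reportdir, host)
  FileUtils.mkdir_p(dest.dirname)
  File.write(dest, summary_text(sections))
  dest.to_s
end

# Constructed sample matching the first sections of the summary.txt above.
SAMPLE_SECTIONS = {
  "Changes"   => { "Total" => 1 },
  "Events"    => { "Total" => 1, "Success" => 1 },
  "Resources" => { "Out of sync" => 1, "Changed" => 1, "Total" => 15, "Skipped" => 6 },
}

if __FILE__ == $0
  dir = Dir.mktmpdir("reports")
  puts File.read(write_summary(dir, "agent1.kisspuppet.com", SAMPLE_SECTIONS))
end
```

The regular expression already excludes `/`, `..` and empty names, so the second check in `summary_path` is redundant by construction; it is kept because it guards the actual property (the path stays under `reportdir`) rather than the name format, and survives a later loosening of the regex.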
In this report processor we defined a method called `process` that carries the core logic of the processor. We pulled some information out of the report: the hostname with `self.host` and the summary of the changes with `self.summary`. The logs and metrics in the report can also be reached with `self.logs` and `self.metrics`.
We then wrote the report summary into the directory under the report directory that is named after the Puppet agent's hostname; the location of the report directory is given by the `reportdir` setting and defaults to /var/lib/puppet/reports/.

**Note**: for more information on report processors see

- Existing report processors: https://github.com/puppetlabs/puppet/tree/master/lib/puppet/reports
- Report reference: http://docs.puppetlabs.com/references/latest/report.html#http
- Reports and reporting: http://docs.puppetlabs.com/guides/reporting.html

--------------------------------------------------------------------------------
/puppet_learning_mco1.md:
--------------------------------------------------------------------------------

#### MCollective Architecture Part 1: Introducing the MCollective architecture

Marionette Collective (MCollective) is a framework for running services that is closely tied to Puppet. Puppet is good at managing the state of systems, but the agent's default 30-minute run interval makes it unsuitable as a real-time management and control tool, whereas MCollective is aimed precisely at real-time, parallel execution of tasks across large groups of hosts. It uses message-oriented middleware to pass information between nodes, and large numbers of hosts can be grouped by some of their own inherent attributes (metadata) rather than by hostname. This means the cluster can be split into groups by different criteria using that information, and the target of a task is a group rather than a single host.
See also the introduction to mcollective on 纸飞机's blog: [http://junqili.com/](http://junqili.com/)

## MCollective features: ##

- Works with server clusters from small to very large.
- Uses a broadcast paradigm for distributing requests: all servers receive the request at the same time, and only the servers matching the filter attached to the request execute it. There is no central database to keep in sync; the network is the only source of truth.
- Breaks with the complicated naming rules that used hostnames as the means of identification. Hosts are located using the rich metadata each machine provides about itself, coming from Puppet, Chef, Facter, Ohai or your own plugins.
- Remote agents are invoked from the command line.
- Custom device reports can be written.
- A large number of agents for managing packages, services and other common components, contributed by the community.
- SimpleRPC-style agents and clients can be written, and web UIs implemented, in Ruby.
- Externally pluggable to meet local requirements.
- The middleware already has rich authentication and authorization models; use them as the first line of defense for access control.
- Reuse the middleware for clustering, routing and network isolation to get secure and scalable installations.

MCollective is only a framework, an empty shell: everything except the `mco` command can be replaced or customized.

**Note:** for more information see http://docs.puppetlabs.com/

## Introduction to the middleware (RabbitMQ, ActiveMQ) ##

RabbitMQ is a message queue service implementing the Advanced Message Queuing Protocol (AMQP). It is built on OTP (Open Telecom Platform) and implemented in the Erlang language and runtime. ActiveMQ, produced by Apache, is the most popular and capable open-source message bus; it is a JMS Provider implementation that fully supports the JMS 1.1 and J2EE 1.4 specifications.

Note: MCollective is developed and tested against the Apache ActiveMQ middleware, but ActiveMQ's dependence on Java and XML-format configuration files shifts more of our attention and interest to the RabbitMQ middleware service. Where performance and scalability matter, deploying ActiveMQ is the better choice.

## How it works ##

![mcollective triggering a run](http://kisspuppet.com/img/mcollective-1.png)

Note: for more detail see http://docs.puppetlabs.com/mcollective/reference/basic/messageflow.html

## Deployment overview ##

- The MCollective installation is split into a client installation and a server installation; in addition an MQ is needed. This experiment uses RabbitMQ, which has to be configured after installation before the two sides can communicate.
- Integration with puppet is done through the puppet plugin.
- Versions used in this experiment:
  mcollective 2.2.4
  rabbitmq 3.1.5

--------------------------------------------------------------------------------
/puppet_learning_mco2.md:
--------------------------------------------------------------------------------

#### MCollective Architecture Part 2: Deploying MCollective + MQ

# 1 Introduction to MCollective #

MCollective is a framework for building server orchestration and parallel job execution systems. First, MCollective is a systems management solution for programmable control of server clusters; in this respect it is similar to Func, Fabric and Capistrano.

Second, MCollective's design breaks away from centrally stored systems and tools such as SSH, and is no longer fixated on for loops over SSH. It uses modern tools such as publish/subscribe middleware, and the modern idea of discovering network resources in real time through metadata rather than hostnames, to provide an extensible and fast parallel execution environment.

The MCollective tool is a command-line interface, but it can talk to thousands of application instances at astonishing speed. Wherever the deployed instances are located, communication runs at wire speed using a push messaging system similar to multicast. The MCollective tool has no graphical user interface; users find the instances they need by querying. Puppet Dashboard provides this functionality.

# 2 Installing and configuring RabbitMQ #

## 2.1 Installing and configuring RabbitMQ ##

**2.1.1 Installing RabbitMQ**

```
[root@puppetserver rpms]# yum install erlang    # RabbitMQ depends on Erlang; about 65 erlang dependency packages are installed
[root@puppetserver rpms]# yum install rabbitmq-server
[root@puppetserver rpms]# ll /usr/lib/rabbitmq/lib/rabbitmq_server-3.1.5/plugins/    # the stomp plugin is already installed; older versions need it downloaded and installed
-rw-r--r-- 1 root root 242999 Aug 24 17:42 amqp_client-3.1.5.ez
-rw-r--r-- 1 root root  85847 Aug 24 17:42 rabbitmq_stomp-3.1.5.ez
…
```

**2.1.2 Starting rabbitmq-server**

```
[root@puppetserver rpms]# /etc/rc.d/init.d/rabbitmq-server start    # start the rabbitmq service
Starting rabbitmq-server: SUCCESS
rabbitmq-server.
[root@puppetserver rpms]# /etc/rc.d/init.d/rabbitmq-server status    # check the rabbitmq status
Status of node rabbit@puppetserver ...
[{pid,43198},
 {running_applications,[{rabbit,"RabbitMQ","3.1.5"},
                        {mnesia,"MNESIA  CXC 138 12","4.5"},
                        {os_mon,"CPO  CXC 138 46","2.2.7"},
                        {xmerl,"XML parser","1.2.10"},
                        {sasl,"SASL  CXC 138 11","2.1.10"},
                        {stdlib,"ERTS  CXC 138 10","1.17.5"},
                        {kernel,"ERTS  CXC 138 10","2.14.5"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R14B04 (erts-5.8.5) [source] [64-bit] [rq:1] [async-threads:30] [kernel-poll:true]\n"},
 {memory,[{total,27101856},
          {connection_procs,2648},
          {queue_procs,5296},
          {plugins,0},
          {other_proc,9182320},
          {mnesia,57456},
          {mgmt_db,0},
          {msg_index,21848},
          {other_ets,765504},
          {binary,3296},
          {code,14419185},
          {atom,1354457},
          {other_system,1289846}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,838362726},
 {disk_free_limit,1000000000},
 {disk_free,15992676352},
 {file_descriptors,[{total_limit,924},
                    {total_used,3},
                    {sockets_limit,829},
                    {sockets_used,1}]},
 {processes,[{limit,1048576},{used,122}]},
 {run_queue,0},
 {uptime,4}]
...done.
[root@puppetserver rpms]# netstat -nlp | grep beam    # the default listening port is 5672
tcp        0      0 0.0.0.0:44422               0.0.0.0:*                   LISTEN      43198/beam
tcp        0      0 :::5672                     :::*                        LISTEN      43198/beam
```

**2.1.3 Configuring RabbitMQ**

**2.1.3.1 Loading the amqp_client and rabbitmq_stomp plugins**

```
[root@puppetserver sbin]# ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.1.5/sbin/rabbitmq-plugins /usr/sbin/rabbitmq-plugins    # symlink for the rabbitmq-plugins command
[root@puppetserver sbin]# ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.1.5/sbin/rabbitmq-env /usr/sbin/rabbitmq-env    # symlink for the rabbitmq-env command
[root@puppetserver sbin]# rabbitmq-plugins enable rabbitmq_stomp    # enable the rabbitmq_stomp plugin
The following plugins have been enabled:
  amqp_client
  rabbitmq_stomp
Plugin configuration has changed. Restart RabbitMQ for changes to take effect.
[root@puppetserver sbin]# /etc/rc.d/init.d/rabbitmq-server restart
Restarting rabbitmq-server: SUCCESS
rabbitmq-server.
[root@puppetserver rabbitmq]# tailf /var/log/rabbitmq/rabbit\@puppetserver.log    # the log shows the stomp plugin loaded successfully
=INFO REPORT==== 3-Oct-2013::20:25:18 ===
started STOMP TCP Listener on [::]:61613
=INFO REPORT==== 3-Oct-2013::20:25:18 ===
Server startup complete; 2 plugins started.
 * amqp_client
 * rabbitmq_stomp
```

**2.1.3.2 Create the rabbitmq.config file and set the listening port to 61613**

```
[root@puppetserver rpms]# vim /etc/rabbitmq/rabbitmq.config
[
  {stomp, [ {tcp_listeners, [61613]} ]}    % stomp connector, listening on port 61613 (Erlang comments start with %)
].
[root@puppetserver rpms]# /etc/rc.d/init.d/rabbitmq-server restart
Restarting rabbitmq-server: SUCCESS
rabbitmq-server.
[root@puppetserver rpms]# netstat -nlp | grep beam    # stomp is now listening on port 61613
tcp        0      0 0.0.0.0:56532               0.0.0.0:*                   LISTEN      1906/beam.smp
tcp        0      0 :::61613                    :::*                        LISTEN      1906/beam.smp
tcp        0      0 :::5672                     :::*                        LISTEN      1906/beam.smp
```

**2.1.3.3 Delete the default guest account, create the account "mcollective" for MCollective with the password "secret", and set its permissions.**

```
[root@puppetserver rpms]# rabbitmqctl delete_user guest
Deleting user "guest" ...
...done.
[root@puppetserver rpms]# rabbitmqctl add_user mcollective secret
Creating user "mcollective" ...
...done.
[root@puppetserver rpms]# rabbitmqctl set_permissions -p "/" mcollective ".*" ".*" ".*"
Setting permissions for user "mcollective" in vhost "/" ...
...done.
[root@puppetserver sbin]# rabbitmqctl list_users    # list the users
Listing users ...
mcollective     []
...done.
```

**Note:** RabbitMQ ships with a default `guest` account that has full rights on the message queues. For security reasons this account should be deleted.

For more configuration details see http://www.rabbitmq.com/admin-guide.html

For the RabbitMQ connector settings see: http://docs.puppetlabs.com/mcollective/reference/plugins/connector_rabbitmq.html

# 3 Installing and configuring MCollective #

## 3.1 Installing MCollective ##

**3.1.1 Install the MCollective client on the test host**

```
[root@puppetserver rpms]# yum install mcollective-common mcollective-client    # depends on rubygem-stomp
```

**3.1.2 Install the MCollective server on the nodes**

```
[root@agent1 ~]# yum install mcollective mcollective-common    # depends on rubygem-stomp, rubygems and the ruby packages
```

## 3.2 Configuring MCollective ##

**3.2.1 Configure the MCollective client on the test host**

```
[root@puppetserver rpms]# vim /etc/mcollective/client.cfg
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logger_type = console
loglevel = warn
# Plugins
securityprovider = psk
# shared secret for MCollective messages; must be identical on the MCollective server
plugin.psk = a36cd839414370e10fd281b8a38a4f48
# transport protocol
connector = stomp
# Middleware address
plugin.stomp.host = 192.168.100.110
# Middleware listening port
plugin.stomp.port = 61613
# Middleware account
plugin.stomp.user = mcollective
# Middleware password
plugin.stomp.password = secret
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
```

**3.2.2 Configure the MCollective server on the nodes**

```
[root@agent1 rpms]# vim /etc/mcollective/server.cfg
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
# location of the plugins
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = info
daemonize = 1
# Plugins
securityprovider = psk
# shared secret for MCollective messages; must be identical on the MCollective client
plugin.psk = a36cd839414370e10fd281b8a38a4f48
# transport protocol
connector = stomp
# Middleware address
plugin.stomp.host = 192.168.100.110
# Middleware listening port
plugin.stomp.port = 61613
# Middleware account
plugin.stomp.user = mcollective
# Middleware password
plugin.stomp.password = secret
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
[root@agent1 ~]# /etc/rc.d/init.d/mcollective start
Starting mcollective:                                      [  OK  ]
[root@agent1 ~]# chkconfig mcollective on
[root@agent1 ~]#
```

## 3.3 Testing communication between MCollective and the Middleware ##

```
[root@puppetserver rpms]# mco ping    # find all live nodes
agent2.kisspuppet.com                    time=119.98 ms
agent1.kisspuppet.com                    time=159.31 ms
---- ping statistics ----
2 replies max: 159.31 min: 119.98 avg: 139.64
[root@puppetserver rpms]# mco find
agent1.kisspuppet.com
agent2.kisspuppet.com
```

--------------------------------------------------------------------------------
/puppet_learning_mco3.md:
--------------------------------------------------------------------------------

#### MCollective Architecture Part 3: Deploying and testing the Puppet plugin

## 1 Installing and testing the puppet plugin ##

MCollective can be extended in several ways. The most common way is to reuse agent plugins that have already been written: small Ruby libraries that let MCollective run custom commands across the whole cluster.
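Before going on to the plugin, here is an added example (not code from the book) for the `client.cfg`/`server.cfg` pair of section 3.2 in the previous part. It parses both files and reports the mistakes that silently break or weaken the setup: a `plugin.psk` that differs between client and server (the book says they must be identical), a missing or very short psk, a Middleware account that is still RabbitMQ's default `guest`, or a missing stomp setting. The two configs are constructed for the example from the book's values; the assumptions are that the files use the `key = value` layout with `#` comment lines, as in the book, and the 32-character minimum for the psk is a policy chosen here, not an MCollective rule.

```ruby
# Added example: consistency and weak-setting check for an MCollective
# client.cfg / server.cfg pair like the one in section 3.2.

# Constructed copies of the book's two configuration files.
CLIENT_CFG = <<CFG
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logger_type = console
loglevel = warn
# Plugins
securityprovider = psk
plugin.psk = a36cd839414370e10fd281b8a38a4f48
connector = stomp
plugin.stomp.host = 192.168.100.110
plugin.stomp.port = 61613
plugin.stomp.user = mcollective
plugin.stomp.password = secret
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
CFG

SERVER_CFG = <<CFG
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = info
daemonize = 1
# Plugins
securityprovider = psk
plugin.psk = a36cd839414370e10fd281b8a38a4f48
connector = stomp
plugin.stomp.host = 192.168.100.110
plugin.stomp.port = 61613
plugin.stomp.user = mcollective
plugin.stomp.password = secret
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
CFG

# Parse the `key = value` format (assumed from the book's files); blank lines
# and lines starting with `#` are ignored, the first `=` separates key and value.
def parse_mco_cfg(text)
  text.each_line.each_with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split("=", 2)
    next if value.nil?
    cfg[key.strip] = value.strip
  end
end

# Settings that must agree on both sides for client and servers to talk at all.
MUST_MATCH = %w[securityprovider plugin.psk connector plugin.stomp.host
                plugin.stomp.port collectives main_collective]
STOMP_KEYS = %w[plugin.stomp.host plugin.stomp.port plugin.stomp.user plugin.stomp.password]
MIN_PSK_LENGTH = 32   # policy chosen for this example (the book's psk is 32 hex characters)

# Returns a list of human-readable findings; an empty list means the pair is consistent.
def check_mco_pair(client_text, server_text)
  client = parse_mco_cfg(client_text)
  server = parse_mco_cfg(server_text)
  findings = []
  MUST_MATCH.each do |key|
    next if client[key] == server[key]
    findings << "#{key} differs: client=#{client[key].inspect} server=#{server[key].inspect}"
  end
  [["client", client], ["server", server]].each do |name, cfg|
    if cfg["securityprovider"] == "psk" && cfg["plugin.psk"].to_s.length < MIN_PSK_LENGTH
      findings << "#{name}: plugin.psk is missing or shorter than #{MIN_PSK_LENGTH} characters"
    end
    if cfg["plugin.stomp.user"] == "guest" || cfg["plugin.stomp.password"] == "guest"
      findings << "#{name}: Middleware account is RabbitMQ's default guest account"
    end
    STOMP_KEYS.each { |key| findings << "#{name}: #{key} is not set" unless cfg.key?(key) }
  end
  findings
end

if __FILE__ == $0
  findings = check_mco_pair(CLIENT_CFG, SERVER_CFG)
  puts(findings.empty? ? "client.cfg and server.cfg are consistent" : findings.join("\n"))
end
```

To run it against real files replace the two constants with `File.read("/etc/mcollective/client.cfg")` and the server.cfg fetched from a node; a non-empty result is worth checking before `mco ping` is used to debug why nodes stay silent, since a psk mismatch produces no error on the client, only missing replies.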
An agent plugin usually consists of a Ruby library that must be distributed to every node running the MCollective agent. In addition, a data definition file (DDL) gives a precise description of the input parameters the plugin accepts; the DDL file has to be placed on the MCollective client systems. Finally, a script that runs MCollective with the given agent plugin also has to be installed on all MCollective client systems.

**Note:** more plugins can be found at https://github.com/puppetlabs/mcollective-plugins.

**1.1 Installing the puppet agent plugin**

MCollective itself does not ship a ready-to-use Puppet agent plugin; it has to be installed separately. This plugin lets an operator run the Puppet agent on demand, without waiting for the agent's default run interval and without using other tools to start those runs.

**1.1.1 Install the MCollective agent plugin**

```
[root@agent1 rpms]# yum install mcollective-puppet-agent mcollective-puppet-common
[root@agent1 rpms]# ll /usr/libexec/mcollective/mcollective/agent/
total 36
-rw-r--r-- 1 root root 1033 May 21 01:34 discovery.rb
-rw-r--r-- 1 root root 8346 May 14 07:28 puppet.ddl
-rw-r--r-- 1 root root 7975 May 14 07:25 puppet.rb
-rw-r--r-- 1 root root 5999 May 21 01:34 rpcutil.ddl
-rw-r--r-- 1 root root 3120 May 21 01:34 rpcutil.rb
[root@puppetserver rpms]# yum install mcollective-puppet-client mcollective-puppet-common
[root@puppetserver rpms]# ll /usr/libexec/mcollective/mcollective/agent/
total 28
-rw-r--r-- 1 root root 1033 May 21 01:34 discovery.rb
-rw-r--r-- 1 root root 8346 May 14 07:28 puppet.ddl
-rw-r--r-- 1 root root 5999 May 21 01:34 rpcutil.ddl
-rw-r--r-- 1 root root 3120 May 21 01:34 rpcutil.rb
```

**1.1.2 Load the agent plugin**

```
[root@puppetserver rpms]# mco    # the client loads it automatically
The Marionette Collective version 2.2.4

usage: /usr/bin/mco command <options>

Known commands:

   completion          facts               find
   help                inventory           ping
   plugin              puppet              rpc

Type '/usr/bin/mco help' for a detailed list of commands and '/usr/bin/mco help command'
to get detailed help for a command

[root@agent1 ~]# /etc/rc.d/init.d/mcollective restart
Shutting down mcollective:                                 [  OK  ]
Starting mcollective:                                      [  OK  ]
```

**1.1.3 Verify that the agent plugin is loaded**

```
[root@puppetserver rpms]# mco inventory agent1.kisspuppet.com    # check whether node agent1 has loaded the puppet plugin
Inventory for agent1.kisspuppet.com:

   Server Statistics:
                      Version: 2.2.4
                   Start Time: Thu Oct 03 16:09:03 +0800 2013
                  Config File: /etc/mcollective/server.cfg
                  Collectives: mcollective
              Main Collective: mcollective
                   Process ID: 8902
               Total Messages: 3
      Messages Passed Filters: 3
            Messages Filtered: 0
             Expired Messages: 0
                 Replies Sent: 2
         Total Processor Time: 0.46 seconds
                  System Time: 0.12 seconds

   Agents:
      discovery       puppet          rpcutil

   Data Plugins:
      agent           fstat           puppet          # the puppet plugin is loaded
      resource

   Configuration Management Classes:
      No classes applied

   Facts:
      mcollective => 1
```

**1.1.4 Running Puppet from MCollective**

Before running the command, you can watch the puppet log on the node and the starting and stopping of the puppetd service to confirm that the command really invoked the puppetd process.

```
[root@puppetserver ~]# mco puppet --noop --verbose status    # show the state of the agent daemon on the nodes
Discovering hosts using the mc method for 2 second(s) .... 2

 * [ ============================================================> ] 2 / 2

   agent2.kisspuppet.com: Currently stopped; last completed run 9 hours 35 minutes 36 seconds ago
   agent1.kisspuppet.com: Currently stopped; last completed run 9 hours 35 minutes 34 seconds ago

Summary of Applying:

   false = 2

Summary of Daemon Running:

   stopped = 2

Summary of Enabled:

   enabled = 2

[root@puppetserver rpms]# mco puppet -v runonce
Discovering hosts using the mc method for 2 second(s) .... 2

 * [ ============================================================> ] 2 / 2

agent1.kisspuppet.com                    : OK
    {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

agent2.kisspuppet.com                    : OK
    {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

---- rpc stats ----
           Nodes: 2 / 2
     Pass / Fail: 2 / 0
      Start Time: Thu Oct 03 16:12:03 +0800 2013
  Discovery Time: 2007.23ms
      Agent Time: 3591.72ms
      Total Time: 5598.94ms
```

Note: when Puppet is run through MCollective, the Puppet agent daemon must be stopped on all managed nodes. Each time puppetd is invoked with `mco puppet -v runonce`, MCollective spawns a new Puppet process, which duplicates the work of any Puppet agent daemon that is already running.

When Puppet is run with `--runonce` the agent runs in the background, so although MCollective started Puppet successfully, the actual Puppet agent run may still have failed. The Puppet reports have to be consulted to determine the result of each agent run: the `OK` returned by MCollective only means that the MCollective server started the puppetd process successfully and received no output from it.

**1.2 Installing the facter plugin (repeated tests showed it to be unstable)**

Note: obtaining the node's facter variables through the facter plugin is not very stable, so the node's facts can instead be written to /etc/mcollective/facts.yaml with inline_template, with `factsource = yaml` set in /etc/mcollective/server.cfg; the MCollective client then only has to read the facter variables from that file each time. A copy of the node's facter information is also produced in the local directory /var/lib/puppet/yaml/facts/. The relevant part of the module is:

```
class mcollective::facter {
  file{"/etc/mcollective/facts.yaml":
    owner    => root,
    group    => root,
    mode     => 0440,
    loglevel => debug, # reduce noise in Puppet reports
    content  => inline_template('<%= scope.to_hash.reject { |k,v| k.to_s =~ /(uptime.*|path|timestamp|free|.*password.*|.*psk.*|.*key)/ }.to_yaml %>'),
  }
}
```

```
[root@agent1 ~]# yum install mcollective-facter-facts
[root@agent1 rpms]# ll /usr/libexec/mcollective/mcollective/facts/
total 12
-rw-r--r-- 1 root root  422 Feb 21  2013 facter_facts.ddl
-rw-r--r-- 1 root root  945 Feb 21  2013 facter_facts.rb
-rw-r--r-- 1 root root 1530 May 21 01:34 yaml_facts.rb

[root@agent1 ~]# vim /etc/mcollective/server.cfg
…
# Facts
#factsource = yaml    # commented out
factsource = facter
plugin.yaml = /etc/mcollective/facts.yaml
[root@agent1 rpms]# /etc/rc.d/init.d/mcollective restart
Shutting down mcollective:                                 [  OK  ]
Starting mcollective:                                      [  OK  ]

[root@puppetserver rpms]# mco inventory agent1.kisspuppet.com    # check whether node agent1 has loaded the facts plugin
Inventory for agent1.kisspuppet.com:

   Server Statistics:
                      Version: 2.2.4
                   Start Time: Thu Oct 03 16:31:47 +0800 2013
                  Config File: /etc/mcollective/server.cfg
                  Collectives: mcollective
              Main Collective: mcollective
                   Process ID: 9485
               Total Messages: 37
      Messages Passed Filters: 33
            Messages Filtered: 4
             Expired Messages: 0
                 Replies Sent: 32
         Total Processor Time: 0.74 seconds
                  System Time: 0.21 seconds

   Agents:
      discovery       puppet          rpcutil

   Data Plugins:
      agent           fstat           puppet
      resource

   Configuration Management Classes:
      No classes applied

   Facts:    # the node's facter information is now visible (it takes a moment to appear)
      architecture => x86_64
      augeasversion => 0.10.0
      bios_release_date => 07/02/2012
      bios_vendor => Phoenix Technologies LTD
      bios_version => 6.00
      blockdevice_fd0_size => 4096
      …
      uptime_days => 0
      uptime_hours => 20
      uptime_seconds => 74506
      uuid => 564DFBAB-CADC-FC69-36CA-955BFDB30F43
      virtual => vmware

[root@puppetserver rpms]# mco facts lsbdistdescription -v    # show the operating system of each node with mco facts
Discovering hosts using the mc method for 2 second(s) .... 2
Report for fact: lsbdistdescription

        Red Hat Enterprise Linux Server release 5.7 (Tikanga)found 1 times

            agent2.kisspuppet.com

        Red Hat Enterprise Linux Server release 5.8 (Tikanga)found 1 times

            agent1.kisspuppet.com

---- rpc stats ----
           Nodes: 2 / 2
     Pass / Fail: 2 / 0
      Start Time: Thu Oct 03 16:59:04 +0800 2013
  Discovery Time: 2004.83ms
      Agent Time: 67.32ms
      Total Time: 2072.15ms

[root@puppetserver rpms]# mco facts lsbdistdescription    # count the nodes per operating system with mco facts
Report for fact: lsbdistdescription

        Red Hat Enterprise Linux Server release 5.7 (Tikanga)found 1 times
        Red Hat Enterprise Linux Server release 5.8 (Tikanga)found 1 times

Finished processing 2 / 2 hosts in 79.15 ms
[root@puppetserver rpms]# mco facts -v --with-fact hostname='agent1' memoryfree    # show the free memory of host agent1
Discovering hosts using the mc method for 2 second(s) .... 1
Report for fact: memoryfree

        795.13 MB                               found 1 times

            agent1.kisspuppet.com

---- rpc stats ----
           Nodes: 1 / 1
     Pass / Fail: 1 / 0
      Start Time: Thu Oct 03 17:02:13 +0800 2013
  Discovery Time: 2005.65ms
      Agent Time: 49.37ms
      Total Time: 2055.03ms
```

**1.3 Locating hosts by metadata**

**1.3.1 Locating hosts by the default facter metadata**

**1.3.1.1 Trigger the puppetd daemon on all nodes whose operating system is RedHat release 5.7**

```
[root@puppetserver rpms]# mco puppet -v runonce rpc --np -F operatingsystemrelease='5.7' -F operatingsystem='RedHat'
Discovering hosts using the mc method for 2 second(s) .... 1

agent2.kisspuppet.com                    : OK
    {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

---- rpc stats ----
           Nodes: 1 / 1
     Pass / Fail: 1 / 0
      Start Time: Thu Oct 03 17:03:56 +0800 2013
  Discovery Time: 2008.09ms
      Agent Time: 1187.69ms
      Total Time: 3195.78ms
```

**1.3.1.2 Trigger the puppetd daemon on all nodes whose operating system is RedHat with kernel version 2.6.18**

```
[root@puppetserver rpms]# mco puppet -v runonce rpc --np -F kernelversion='2.6.18' -F operatingsystem='RedHat'
Discovering hosts using the mc method for 2 second(s) .... 2

agent2.kisspuppet.com                    : OK
    {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

agent1.kisspuppet.com                    : OK
    {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

---- rpc stats ----
           Nodes: 2 / 2
     Pass / Fail: 2 / 0
      Start Time: Thu Oct 03 17:06:15 +0800 2013
  Discovery Time: 2004.32ms
      Agent Time: 1308.34ms
      Total Time: 3312.66ms
```

**1.3.2 Locating hosts by custom facter metadata**

Note: custom facter metadata makes it much more flexible to locate hosts. How to define a fact is covered in the blog post "通过自定义fact增强MCollective推送更新元数据的灵活性" (http://kisspuppet.com/2013/11/10/my-fact/).

**1.3.2.1 Define the facts my_apply1 and my_apply2 on agent1**

```
[root@agent1 mcollective]# facter -p | grep my_apply
my_apply1 => apache
my_apply2 => mysql
```

**1.3.2.2 Define the facts my_apply2 and my_apply3 on agent2**

```
[root@agent2 mcollective]# facter -p | grep my_apply
my_apply2 => mysql
my_apply3 => php
```

**1.3.2.3 Check from the MCollective client that the nodes' custom facts are correct**

```
[root@puppetserver facter]# mco inventory agent1.kisspuppet.com | grep my_apply
      my_apply1 => apache
      my_apply2 => mysql
[root@puppetserver facter]# mco inventory agent2.kisspuppet.com | grep my_apply
      my_apply2 => mysql
      my_apply3 => php
```

**1.3.2.4 Trigger a run on hosts selected by a custom fact**

```
[root@puppetserver facter]# mco puppet -v runonce mco facts -v --with-fact my_apply3='php'    # trigger the puppetd daemon on the nodes whose fact my_apply3 is php
Discovering hosts using the mc method for 2 second(s) .... 1

 * [ ============================================================> ] 1 / 1

agent2.kisspuppet.com                    : OK
    {:summary=> "Started a background Puppet run using the 'puppet agent --onetime --daemonize --color=false --splay --splaylimit 30' command"}

---- rpc stats ----
           Nodes: 1 / 1
     Pass / Fail: 1 / 0
      Start Time: Thu Oct 03 23:33:54 +0800 2013
  Discovery Time: 2005.35ms
      Agent Time: 1078.86ms
      Total Time: 3084.21ms
```

--------------------------------------------------------------------------------
/puppet_learning_mco5.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
/puppet_learning_mco6.md:
--------------------------------------------------------------------------------

Coming soon, stay tuned...

--------------------------------------------------------------------------------
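Two things in Part 3 above are worth seeing side by side in plain Ruby: the `reject` pattern in the facts.yaml template of section 1.2, which keeps volatile facts and anything that looks like a secret out of the file every mco client can read, and the fact-based host selection of section 1.3 (`-F fact=value`, `--with-fact`). This is an added example, not code from the book; the facts for agent1 and agent2 are constructed (values taken from the outputs above where the book shows them, the `path`, `mcollective_psk` and `db_password` entries invented to exercise the filter). String comparison of fact values is an assumption of this example, and selection runs against the filtered facts, which is what a node with `factsource = yaml` actually serves.

```ruby
# Added example: facts.yaml filtering and fact-based node selection.
require 'yaml'

# The same reject pattern as the book's inline_template: volatile facts that
# would rewrite the file on every run, and anything that looks like a secret.
FACTS_REJECT = /(uptime.*|path|timestamp|free|.*password.*|.*psk.*|.*key)/

# Constructed facts for the two nodes of the book's experiment.
NODE_FACTS = {
  "agent1.kisspuppet.com" => {
    "hostname" => "agent1", "operatingsystem" => "RedHat",
    "operatingsystemrelease" => "5.8", "kernelversion" => "2.6.18",
    "memoryfree" => "795.13 MB", "uptime_days" => 0,
    "my_apply1" => "apache", "my_apply2" => "mysql",
    "path" => "/usr/sbin:/usr/bin",
    "mcollective_psk" => "constructed-psk-value",   # invented secret-looking fact
  },
  "agent2.kisspuppet.com" => {
    "hostname" => "agent2", "operatingsystem" => "RedHat",
    "operatingsystemrelease" => "5.7", "kernelversion" => "2.6.18",
    "memoryfree" => "512.00 MB", "uptime_days" => 3,
    "my_apply2" => "mysql", "my_apply3" => "php",
    "db_password" => "constructed-password",          # invented secret-looking fact
  },
}

# What the template writes to /etc/mcollective/facts.yaml for one node.
def facts_yaml(facts)
  facts.reject { |k, _v| k.to_s =~ FACTS_REJECT }.to_yaml
end

# Keys in a facts.yaml that should never have made it into the file; run this
# over the file on the node to verify the filter before the plugin serves it.
def leaked_secret_keys(yaml_text)
  YAML.safe_load(yaml_text).keys.grep(/password|psk|key|secret|token/i)
end

# Facts as each node will actually serve them with factsource = yaml:
# the filtered file, round-tripped through YAML.
def served_facts(node_facts)
  node_facts.transform_values { |facts| YAML.safe_load(facts_yaml(facts)) }
end

# Select nodes the way `mco ... -F fact=value` / `--with-fact fact=value` does:
# every filter must match (logical AND); values compared as strings (assumed).
def select_nodes(node_facts, filters)
  node_facts.select do |_host, facts|
    filters.all? { |fact, value| facts.key?(fact) && facts[fact].to_s == value.to_s }
  end.keys.sort
end

if __FILE__ == $0
  served = served_facts(NODE_FACTS)
  puts "RedHat 5.7:  #{select_nodes(served, 'operatingsystem' => 'RedHat', 'operatingsystemrelease' => '5.7').inspect}"
  puts "my_apply3=php: #{select_nodes(served, 'my_apply3' => 'php').inspect}"
  puts "uptime_days=0 (filtered out of facts.yaml): #{select_nodes(served, 'uptime_days' => '0').inspect}"
  NODE_FACTS.each { |host, facts| puts "#{host} leaked keys: #{leaked_secret_keys(facts_yaml(facts)).inspect}" }
end
```

Note the side effect the pattern has: `free` removes `memoryfree`, so with `factsource = yaml` the `mco facts memoryfree` query from section 1.2 returns nothing, and `uptime.*` removes the uptime facts; a filter on any of them matches no node. That is the intended trade: a stable file that contains no psk or password, at the price of a few volatile facts.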