1. 环境准备
OS:CentOS 6.4
关闭selinux和iptables
部署Puppet:1.0 Puppet 3.7部署
2. 安装相关软件包
Master安装:
# Master side (the host that runs the `mco` client): install the MCollective
# client, the client halves of the agent plugins and the ActiveMQ broker.
master_pkgs=(
  mcollective-client
  activemq
  activemq-info-provider
  mcollective-filemgr-client
  mcollective-facter-facts
  mcollective-iptables-client
  mcollective-logstash-audit
  mcollective-nettest-client
  mcollective-package-client
  mcollective-puppet-client
  mcollective-service-client
  mcollective-sysctl-data
  java-1.7.0-openjdk
)
yum install "${master_pkgs[@]}"

# Client configuration. The delimiter is quoted: nothing below needs shell
# expansion, so the file is written exactly as shown.
# NOTE(review): plugin.psk is a throwaway shared secret, the broker password
# is the literal "secret" and pool.N.ssl = 0 sends both to the broker in
# clear text. Section 3 of this page replaces psk with the ssl security
# plugin; the broker credentials and transport are not revisited there.
cat <<'EOF' > /etc/mcollective/client.cfg
# No additional subcollectives:
main_collective = mcollective
collectives = mcollective
#Logging: type => file,console
logger_type = file
loglevel = info
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user
# Platform Defaults
libdir = /usr/libexec/mcollective
# PSK plugin settings:
securityprovider = psk
plugin.psk = test
# Connector settings (required):
connector = activemq
direct_addressing = 1
# ActiveMQ connector settings:
plugin.activemq.pool.size = 2
plugin.activemq.pool.1.host = 192.168.188.20
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = secret
plugin.activemq.pool.1.ssl = 0
plugin.activemq.pool.2.host = 192.168.188.21
plugin.activemq.pool.2.port = 61613
plugin.activemq.pool.2.user = mcollective
plugin.activemq.pool.2.password = secret
plugin.activemq.pool.2.ssl = 0
plugin.activemq.heartbeat_interval=30
plugin.activemq.initial_reconnect_delay = 0.01
plugin.activemq.max_reconnect_delay = 30.0
plugin.activemq.use_exponential_back_off = true
plugin.activemq.back_off_multiplier = 2
plugin.activemq.max_reconnect_attempts = 0
plugin.activemq.randomize = false
plugin.activemq.timeout = -1
# Discovery settings:
default_discovery_method = mc
direct_addressing_threshold = 10
ttl = 60
color = 1
rpclimitmethod = first
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF

# Start the broker now and enable it at boot.
service activemq start
chkconfig activemq on
Agent安装:
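# Agent side (every managed host): install mcollectived and the agent halves
# of the plugins that were installed on the master.
agent_pkgs=(
  mcollective
  mcollective-filemgr-agent
  mcollective-facter-facts
  mcollective-iptables-agent
  mcollective-logstash-audit
  mcollective-nettest-agent
  mcollective-package-agent
  mcollective-puppet-agent
  mcollective-service-agent
  mcollective-sysctl-data
)
yum install "${agent_pkgs[@]}"

# Server configuration. The delimiter is unquoted so that the identity line is
# expanded at write time; every other line below is literal.
# Fix: the original wrote `identity = \$HOSTNAME`, i.e. the literal string
# "$HOSTNAME". MCollective does not expand environment variables in its
# config file, so every agent would have ended up with that same identity.
# Expanding it here (falling back to hostname(1) when HOSTNAME is unset)
# gives each host its own identity, which is what the line was meant to do.
# NOTE(review): psk/secret/ssl = 0 are the same weak transport settings as on
# the master; section 3 of this page switches the security plugin to ssl.
# loglevel = debug on every agent writes request details to
# /var/log/mcollective.log — drop to info once the deployment is verified.
cat > /etc/mcollective/server.cfg <<EOF
# Platform defaults:
libdir = /usr/libexec/mcollective
daemonize = 1
# No additional subcollectives:
main_collective = mcollective
collectives = mcollective
# Facts, identity, and classes (recommended)
identity = ${HOSTNAME:-$(hostname)}
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
classesfile = /var/lib/puppet/classes.txt
fact_cache_time = 300
# PSK plugin settings:
securityprovider = psk
plugin.psk = test
# Connector settings (required):
connector = activemq
direct_addressing = 1
# ActiveMQ connector settings:
plugin.activemq.pool.size = 2
plugin.activemq.pool.1.host = 192.168.188.20
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = secret
plugin.activemq.pool.1.ssl = 0
plugin.activemq.pool.2.host = 192.168.188.21
plugin.activemq.pool.2.port = 61613
plugin.activemq.pool.2.user = mcollective
plugin.activemq.pool.2.password = secret
plugin.activemq.pool.2.ssl = 0
plugin.activemq.heartbeat_interval=3
plugin.activemq.initial_reconnect_delay = 0.01
plugin.activemq.max_reconnect_delay = 30.0
plugin.activemq.use_exponential_back_off = true
plugin.activemq.back_off_multiplier = 2
plugin.activemq.max_reconnect_attempts = 0
plugin.activemq.randomize = false
plugin.activemq.timeout = -1
# Registration (recommended):
registerinterval = 600
registration = agentlist
registration_collective = mcollective
# Auditing (optional):
rpcaudit = 1
rpcauditprovider = logfile
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log
# Logging:
logger_type = file
loglevel = debug
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user
EOF

# Start the daemon now and enable it at boot.
service mcollective start
chkconfig mcollective on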
测试mco
3. SSL加密和权限管理..
创建SSL证书
在Master上创建所有的证书..
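# Generate the key pairs used by the MCollective "ssl" security plugin. These
# are bare RSA key pairs, not X.509 certificates: server-private.pem is shared
# by every mcollectived, and each mco client gets its own pair whose public
# half is dropped into clients/.
# Fix: the original created 1024-bit keys, which is below the 2048-bit
# minimum generally required today; the size is now a parameter defaulting
# to 2048 (override with KEY_BITS=... if an existing deployment needs 1024).
key_bits=${KEY_BITS:-2048}
ssl_dir=/etc/mcollective/ssl
# Quoted everywhere below; the original left $HOSTNAME unquoted.
host=${HOSTNAME:-$(hostname)}

# Fix: abort instead of scattering keys into the current directory when the
# cd fails, and make sure clients/ exists before copying into it.
cd "$ssl_dir" || { printf 'cannot cd to %s\n' "$ssl_dir" >&2; exit 1; }
mkdir -p clients

# mco server key pair. The private key is generated under umask 077 so it is
# 0600 from the moment it exists; the public half keeps the default mode so
# it can be read and copied freely.
( umask 077; openssl genrsa -out server-private.pem "$key_bits" )
openssl rsa -in server-private.pem -out server-public.pem -outform PEM -pubout

# mco client key pair, named after this host. The public key's file name
# (without .pem) in clients/ is the "cert=" identity that action policies
# match on.
( umask 077; openssl genrsa -out "$host-private.pem" "$key_bits" )
openssl rsa -in "$host-private.pem" -out "$host.pem" -outform PEM -pubout
cp -- "$host.pem" clients/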
配置权限管理插件
修改配置启用权限管理
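# ---- Client (mco command) configuration ----
# Switch the security plugin from psk to ssl and point it at the client key
# pair generated above. Quoted here; the original left $HOSTNAME bare.
host=${HOSTNAME:-$(hostname)}
sed -i 's/securityprovider = psk/securityprovider = ssl/' /etc/mcollective/client.cfg
# Unquoted delimiter on purpose: $host must expand here. securityprovider is
# set again so the switch takes effect even if the sed above matched nothing
# (for a repeated key the last occurrence in the file wins).
cat >> /etc/mcollective/client.cfg <<EOF
# ssl auth
securityprovider = ssl
plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
plugin.ssl_client_private = /etc/mcollective/ssl/$host-private.pem
plugin.ssl_client_public = /etc/mcollective/ssl/$host.pem
EOF

# ---- Server (mcollectived) configuration ----
sed -i 's/securityprovider = psk/securityprovider = ssl/' /etc/mcollective/server.cfg
# Nothing below needs expansion, so the delimiter is quoted.
# NOTE(review): allow_unconfigured = 1 means an agent that has no policy file
# under /etc/mcollective/policies accepts every request, i.e. policies are
# opt-in per agent. Set it to 0 once every exposed agent has a policy file.
cat >> /etc/mcollective/server.cfg <<'EOF'
# authorization
rpcauthorization = 1
rpcauthprovider = action_policy
plugin.actionpolicy.allow_unconfigured = 1
# ssl auth
securityprovider = ssl
plugin.ssl_server_private = /etc/mcollective/ssl/server-private.pem
plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients/
EOF

# Policy file syntax, shown for the package agent: deny by default, then
# allow every action, for any fact and class, to the caller whose public key
# is clients/master.dbsa.cn.pem (cert= is that file name without ".pem").
# Fix: mkdir -p so a re-run does not fail, and the policy is written before
# the restart so the daemon never runs with the agent unprotected.
mkdir -p /etc/mcollective/policies
cat <<'EOF' > /etc/mcollective/policies/package.policy
policy default deny
allow cert=master.dbsa.cn * * *
EOF

# Restart so the new security and authorization settings are picked up.
service mcollective restart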
配置Puppet Master,将SSL证书和权限管理插件同步到Agent。下面的代码仅提供一个思路.
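# Puppet module "base": distribute the MCollective ssl keys and action
# policies to every agent. The page presents this as an outline, not a
# finished module.
module_dir=/etc/puppet/modules/base
mkdir -p "$module_dir"/{manifests,templates,files,lib}
mkdir -p "$module_dir"/files/etc/mcollective/{ssl,policies}
mkdir -p "$module_dir"/files/etc/mcollective/ssl/clients
# If the policy rules are to be managed by Puppet as well, put them under
# files/etc/mcollective/policies here.
cp -- /etc/mcollective/ssl/server-p* "$module_dir"/files/etc/mcollective/ssl/
cp -- /etc/mcollective/ssl/clients/* "$module_dir"/files/etc/mcollective/ssl/clients/
# Fix: server-private.pem now lives inside the module tree. Restrict the
# copies to the account the master serves files as (the `user` setting in
# puppet.conf [master], "puppet" by default) instead of relying on the
# umask-derived 0644 the original cp produced.
chown -R puppet:puppet "$module_dir"/files/etc/mcollective/ssl
chmod -R go-rwx "$module_dir"/files/etc/mcollective/ssl

# Manifest. Quoted delimiter: the ERB inside inline_template must reach
# Puppet untouched by the shell.
# Fix: the original used mode => 644 on the ssl tree, which with recurse
# left server-private.pem world-readable on every agent. A mode of '0600' on
# a recursive file resource yields 0600 files and 0700 directories (Puppet
# adds the search bit wherever read is set); mcollectived runs as root and
# still reads them.
# Fix: Puppet 3 serves module files from the "modules" mount, so the sources
# are puppet:///modules/base/...; the original puppet:///base/... form only
# works with a custom "base" mount declared in fileserver.conf.
# NOTE(review): purge/force on /etc/mcollective/ssl removes anything not in
# the module. The master's own client key pair ($HOSTNAME-private.pem and
# $HOSTNAME.pem from section 3) is not in the module, so do not apply this
# class to the master unless those files are added to it.
cat <<'EOF' > "$module_dir"/manifests/init.pp
class base {
  file {
    '/etc/mcollective/ssl':
      owner   => root,
      group   => root,
      mode    => '0600',
      purge   => true,
      recurse => true,
      force   => true,
      source  => 'puppet:///modules/base/etc/mcollective/ssl',
      notify  => Service['mcollective'];
    '/etc/mcollective/policies':
      owner   => root,
      group   => root,
      mode    => '0644',
      purge   => true,
      recurse => true,
      force   => true,
      source  => 'puppet:///modules/base/etc/mcollective/policies',
      notify  => Service['mcollective'];
    # Dump the node's facts for the yaml factsource, minus the values that
    # change on every run and would churn the file.
    '/etc/mcollective/facts.yaml':
      owner   => root,
      group   => root,
      mode    => '0644',
      content => inline_template("<%= scope.to_hash.reject{ |k,v| k.to_s =~ /(uptime_seconds|timestamp|free)/ }.to_yaml %>");
  }
  service {
    'mcollective':
      ensure => running,
      enable => true;
  }
}
EOF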
4. Mco常用命令
#管理Puppet
mco puppet runonce * 所有主机运行一次
mco puppet runonce -I test 指定主机运行一次
mco puppet runonce --tag one,two,three 指定主机编译指定的标签
mco puppet runonce --tags one,two,three 指定主机编译指定的标签
mco puppet runonce --server XX --environment XX 指定连接的Server和环境
mco puppet summary 查看Puppet运行的状态
mco find -S "resource().total_time>50" 可以查看运行资源超过50秒的所有主机
#管理包
mco rpc package install package=nano
mco package puppet install 安装指定软件包
mco package puppet uninstall 卸载指定软件包
mco package puppet purge 干净卸载指定软件包
mco package puppet update 升级指定软件包
mco package puppet status 查看已安装软件包信息
#管理服务
mco rpc service status service=crond
mco service crond status 查看服务运行状态
mco service crond start 指定服务启动
mco service crond stop 指定服务停止
mco service crond restart 指定服务重启
#文件管理
mco rpc filemgr status file=/etc/puppet/puppet.conf
mco filemgr status --file /etc/puppet/puppet.conf
#查看帮助
mco plugin doc
#查找匹配内核参数的主机
mco find -S "sysctl('net.ipv4.conf.all.forwarding').value=0"
#过滤功能
-F 基于facter过滤
-C 基于class过滤
-W 基于facter或class过滤
-A 基于安装的插件过滤
-I 基于主机名称过滤
-S 组合过滤
#一些组合使用的例子
#在运行puppet的主机上重启httpd服务
mco rpc service restart service=httpd -S "puppet().enabled=true"
#在最近有发生资源变化的主机上重启httpd服务
mco rpc service restart service=httpd -S "resource().changed_resources>10"
#在最近发生失败资源的主机上重启httpd服务
mco rpc service restart service=httpd -S "resource().failed_resources>0"
#组合facter过滤
mco ping -S "((virtual=vmware and selinux=true) or osfamily=RedHat)"
mco ping -S "virtual=vmware and ! selinux=false"
mco ping -S "virtual=vmware and not selinux=false"
5. Shell插件的下载.
下载插件放在对应的目录里即可
https://github.com/phobos182/mco ... /blob/master/agent/
#mcollective-client端
[iyunv@master ~]# ll /usr/libexec/mcollective/mcollective/application/ | grep shell
-rw-r--r-- 1 root root 1601 Aug 6 06:36 shell.rb
[iyunv@agent1 ~]# ll /usr/libexec/mcollective/mcollective/agent/ | grep shell
-rw-r--r-- 1 root root 1017 Aug 6 06:36 shell.ddl
-rw-r--r-- 1 root root 862 Aug 6 06:36 shell.rb
#mcollective-server端
[iyunv@agent1 ~]# ll /usr/libexec/mcollective/mcollective/agent/ | grep shell
-rw-r--r-- 1 root root 1017 Aug 6 06:36 shell.ddl
-rw-r--r-- 1 root root 862 Aug 6 06:36 shell.rb
#下载完成后记得重启server的服务
service mcollective restart
在client端查看mco支持的插件..
[iyunv@master agent]# mco
The Marionette Collective version 2.6.1
usage: /usr/bin/mco command <options>
Known commands:
completion facts filemgr
find help inventory
iptables nettest package
ping plugin puppet
rpc service shell
Type '/usr/bin/mco help' for a detailed list of commands and '/usr/bin/mco help command'
to get detailed help for a command
执行shell命令..
[iyunv@master agent]# mco shell 'w'
Do you really want to send this command unfiltered? (y/n): y
Discovering hosts using the mc method for 2 second(s) .... 1
Host: agent1.dbsa.cn
Statuscode: 0
Output:
01:17:00 up 11:26, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/1 192.168.188.1 Mon00 5.00s 0.52s 0.52s -bash
[iyunv@master agent]#