|
|
本帖最后由 786yr 于 2014-7-22 10:24 编辑
在描述之前,先把流程图给大家,希望能使大家清楚流程:
整体流程如下:
1、运维人员在修改监控系统的时候,需要先登录svn服务器里修改监控的配置;
2、在svn里修改完监控的配置,选择更新的时候,会触发svn的hook里post-commit里的内容,根据脚本里的内容,会在puppet master服务器里的/usr/local/monitor/shell目录里留下最新svn的副本;
3、由于puppet client设置的连接puppet master的时间间隔为300秒,所以在300秒后能发现puppet client会从puppet master获得最新的配置,并更新自己本机的配置。
这样一个自动化的监控系统部署更新就完成了。
下面是是svn与puppet部分的详细说明
一、svn部分
安装svn主要是为了进行监控脚本的版本控制,如果不进行版本控制的话,比如我要修改甘肃web的配置的某个部分配置,过几天又修改了这个配置,在过2周呢?我还能记住之前修改什么了吗?我估计我是记不住了,而且我负责的平台过多,直接维护的服务器超过100+,平台更新的次数很频繁,而且根据用户的需求,修改的内容也不尽相同,所以进行版本控制是十分有必要了,废话不说,现在开始svn的配置。
svn服务端的安装我就不再说明
我的svn主要是为了配置我之前发布是“运维自动化之使用PHP+MYSQL+SHELL打造私有监控系统”这篇博文的shell脚本部分与下面的puppet配置部分,使用svn的hook(post-commit)功能,在svn更新的时候,就出发钩子,然后更新到我知道的目录,之后puppet会从这个里取得配置配置,在设置puppet的客户端连接服务端获取连接为300秒,也就是5分钟,这样的话,只有我一更新我的svn,那么puppet的客户端就会爱5分钟的时候,更新配置,减少人工操作,还能版本控制。
下面是我的svn里hook的post-commit的配置
REPOS="$1"
REV="$2"
export LANG=zh_CN.UTF-8
exec /usr/bin/svn update /usr/local/monitor/shell --username *** --password ** --no-auth-cache
echo "please check client config after in the 300s"|/bin/mail -s "svn has been update" denglei@ctfo.com
现在展示一下我的svn界面与内容
在看看我的更新记录
这个svn由于是新建立的,所以更新的日志比较少。
二、puppet部分
为了安装最新的puppe,如果您想使用yum安装的话,需要在主机上添加epel库
如果此源失效,可以使用
下面开始安装puppet服务端与客户端
1、在服务端
(1)使用yum安装puppet
- yum -y install puppet-server openssl*
(2)开启puppet服务端的服务
- service puppetmaster start
(3)添加到开机启动
- chkconfig --level 345 puppet on
- chkconfig --level 345 puppetmaster on
(4)在hosts里添加包含本身以及需要自动化的客户端机器主机名与ip地址
(5)接下来需要去客户端安装puppet、启动服务与进行认证了
2、在客户端
- yum -y install puppet openssl*
- service puppet start
- chkconfig --level 345 puppet on
然后在与服务端进行认证
- puppetd --server master --test
3、接下来在服务端进行允许认证
这样就完成了认证,之后就可以在puppet的client里进行获取服务端的配置,并自动的在本机更新了。
下面是我的配置,提供给大家参考(我已经贵州的puppet为例)
贵州的puppet结构为:
贵州备用为puppetmaster服务端
贵州web、贵州引擎、贵州引擎、贵州备用为客户端(主要贵州备用既为服务端与客户端是没有问题)
先看一下我的puppet服务端贵州备用的文件结构
- [iyunv@beiyong /]# tree /etc/puppet/
- /etc/puppet/
- |-- auth.conf
- |-- fileserver.conf #puppet文件服务器配置文件
- |-- manifests #puppet主文件所在目录
- | |-- guizhou_beiyong.pp #该模块对应的文件资源,可能是要发送给slave的配置文件等
- | |-- guizhou_jiaohuan.pp
- | |-- guizhou_web.pp
- | |-- guizhou_yinqing.pp
- | `-- site.pp #puppet主文件(入口文件)
- `-- puppet.conf
- 1 directory, 8 files
客户端连接的顺序:site.pp=》*.pp
比如贵州web的接收顺序为:site.pp=》guizhou_web.pp
首先,slave向发起master连接请求,进行证书验证;
接着,证书验证通过后,master会直接找到入口文件manifests目录下的site.pp文件,该文件可能包含一些全局变量,参数缺省值(当各个模块没有设置这些参数时,它们的缺省值)以及其它pp文件的调用(在该例子中,会调用manifests下的各个pp文件);
然后,master通过manifests下的各个pp文件定位到该slave要执行的模块(site.pp是各个模块的入口),汇总这些模块代码返回给slave;
最后,slave根据master发过来的manifest,配置信息。
注意:在配置之前一定要求的服务端与客户端的时间一致,并且hosts里都加入了对方的ip与主机名,并且能互相ping通,最好在改好hosts文件后重启服务器,同时selinux与iptables关闭。
4、先看一下我fileserver的设置
- [iyunv@beiyong /]# cat /etc/puppet/fileserver.conf
- # This file consists of arbitrarily named sections/modules
- # defining where files are served from and to whom
- # Define a section 'files'
- # Adapt the allow/deny settings to your needs. Order
- # for allow/deny does not matter, allow always takes precedence
- # over deny
- # [files]
- # path /var/lib/puppet/files
- # allow *.example.com
- # deny *.evil.example.com
- # allow 192.168.0.0/24
- [puppet]
- path /usr/local/monitor/shell
- allow 172.16.6.0/24
这个path就是puppet master的配置文件里从哪里获得需要给客户端传输程序的地址,同时也是svn的hook里post-commit更新的地址。
allow后面的网段是我服务器网卡的ip段,也就是需要我这个网段的ip能从这个path里或者程序。
5、贵州web的配置
- [iyunv@beiyong /]# cat /etc/puppet/manifests/guizhou_web.pp
- node web {
- file { "/usr/local/monitor/shell/GuiZhou_alter80.sh":
- source=>"puppet:///puppet/GuiZhou_web/GuiZhou_web_alter80.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_alter90.sh":
- source=>"puppet:///puppet/GuiZhou_web/GuiZhou_web_alter90.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_web_check.sh":
- source=>"puppet:///puppet/GuiZhou_web/GuiZhou_web_check.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/web_tomcat.sh":
- source=>"puppet:///puppet/GuiZhou_web/web_tomcat.sh",
- mode=>755,
- owner=>"lbs",
- group=>"lbs",
- }
- file { "/usr/local/monitor/shell/web_yz_tomcat.sh":
- source=>"puppet:///puppet/GuiZhou_web/web_yz_tomcat.sh",
- mode=>755,
- owner=>"lbs",
- group=>"lbs",
- }
- cron { GuiZhou_web_alert80_check:
- command=>"/usr/local/monitor/shell/GuiZhou_web_alter80.sh",
- hour=>'*/6',
- minute=>0,
- }
- cron { GuiZhou_web_alert90_check:
- command=>"/usr/local/monitor/shell/GuiZhou_web_alter90.sh",
- hour=>'*/1',
- minute=>0,
- }
- cron { GuiZhou_web_check:
- command=>"/usr/local/monitor/shell/GuiZhou_web_check.sh",
- minute=>'*/3',
- }
- cron { GuiZhou_web_sendmail_restart:
- command=>"/etc/init.d/sendmail restart",
- hour=>'23',
- minute=>'00',
- }
- }
6、贵州交换的配置
- [iyunv@beiyong /]# cat /etc/puppet/manifests/guizhou_jiaohuan.pp
- node jiaohuan {
- file { "/usr/local/monitor/shell/GuiZhou_jiaohuan_alter80.sh":
- source=>"puppet:///puppet/GuiZhou_jiaohuan/GuiZhou_jiaohuan_alter80.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_jiaohuan_alter90.sh":
- source=>"puppet:///puppet/GuiZhou_jiaohuan/GuiZhou_jiaohuan_alter90.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_jiaohuan_check.sh":
- source=>"puppet:///puppet/GuiZhou_jiaohuan/GuiZhou_jiaohuan_check.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_jiaohuan_ping.sh":
- source=>"puppet:///puppet/GuiZhou_jiaohuan/GuiZhou_jiaohuan_ping.sh",
- mode=>755,
- }
- cron { GuiZhou_jiaohuan_alert80_check:
- command=>"/usr/local/monitor/shell/GuiZhou_jiaohuan_alter80.sh",
- hour=>'*/6',
- minute=>0,
- }
- cron { GuiZhou_jiaohuan_alert90_check:
- command=>"/usr/local/monitor/shell/GuiZhou_jiaohuan_alter90.sh",
- hour=>'*/1',
- minute=>0,
- }
- cron { GuiZhou_jiaohuan_check:
- command=>"/usr/local/monitor/shell/GuiZhou_jiaohuan_check.sh",
- minute=>'*/3',
- }
- cron { GuiZhou_jiaohuan_ping:
- command=>"/usr/local/monitor/shell/GuiZhou_jiaohuan_ping.sh",
- minute=>'*/15',
- }
- cron { GuiZhou_jiaohuan_sendmail_restart:
- command=>"/etc/init.d/sendmail restart",
- hour=>'23',
- minute=>'00',
- }
- }
7、贵州引擎的配置
- [iyunv@beiyong /]# cat /etc/puppet/manifests/guizhou_yinqing.pp
- node savecenter {
- file { "/usr/local/monitor/shell/GuiZhou_yinqing_alter80.sh":
- source=>"puppet:///puppet/GuiZhou_yinqing/GuiZhou_yinqing_alter80.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_yinqing_alter90.sh":
- source=>"puppet:///puppet/GuiZhou_yinqing/GuiZhou_yinqing_alter90.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_yinqing_check.sh":
- source=>"puppet:///puppet/GuiZhou_yinqing/GuiZhou_yinqing_check.sh",
- mode=>755,
- owner=>lbs,
- group=>lbs,
- }
- cron { GuiZhou_yinqing_alert80_check:
- command=>"/usr/local/monitor/shell/GuiZhou_yinqing_alter80.sh",
- hour=>'*/6',
- minute=>0,
- }
- cron { GuiZhou_yinqing_alert90_check:
- command=>"/usr/local/monitor/shell/GuiZhou_yinqing_alter90.sh",
- hour=>'*/1',
- minute=>0,
- }
- cron { GuiZhou_yinqing_check:
- command=>"/usr/local/monitor/shell/GuiZhou_yinqing_check.sh",
- user=>lbs,
- minute=>'*/3',
- }
- cron { GuiZhou_yinqing_sendmail_restart:
- command=>"/etc/init.d/sendmail restart",
- hour=>'23',
- minute=>'00',
- }
- }
8、贵州备用的配置
- [iyunv@beiyong /]# cat /etc/puppet/manifests/guizhou_beiyong.pp
- node beiyong {
- file { "/usr/local/monitor/shell/GuiZhou_beiyong_alter80.sh":
- source=>"puppet:///puppet/GuiZhou_beiyong/GuiZhou_beiyong_alter80.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_beiyong_alter90.sh":
- source=>"puppet:///puppet/GuiZhou_beiyong/GuiZhou_beiyong_alter90.sh",
- mode=>755,
- }
- file { "/usr/local/monitor/shell/GuiZhou_beiyong_check.sh":
- source=>"puppet:///puppet/GuiZhou_beiyong/GuiZhou_beiyong_check.sh",
- mode=>755,
- }
- cron { GuiZhou_beiyong_alert80_check:
- command=>"/usr/local/monitor/shell/GuiZhou_beiyong_alter80.sh",
- hour=>'*/6',
- minute=>0,
- }
- cron { GuiZhou_beiyong_alert90_check:
- command=>"/usr/local/monitor/shell/GuiZhou_beiyong_alter90.sh",
- hour=>'*/1',
- minute=>0,
- }
- cron { GuiZhou_beiyong_check:
- command=>"/usr/local/monitor/shell/GuiZhou_beiyong_check.sh",
- minute=>'*/3',
- }
- cron { GuiZhou_beiyong_sendmail_restart:
- command=>"/etc/init.d/sendmail restart",
- hour=>'23',
- minute=>'00',
- }
- }
9、在查看一个site.pp的配置
- [iyunv@beiyong /]# cat /etc/puppet/manifests/site.pp
- import "guizhou_web.pp"
- import "guizhou_jiaohuan.pp"
- import "guizhou_yinqing.pp"
- import "guizhou_beiyong.pp"
现在服务端的配置已经展现完成,在去客户端查看一下配置是否生效
1、贵州web
- [iyunv@web puppet]# crontab -l
- # HEADER: This file was autogenerated at Fri Oct 12 15:59:14 +0800 2012 by puppet.
- # HEADER: While it can still be managed manually, it is definitely not recommended.
- # HEADER: Note particularly that the comments starting with 'Puppet Name' should
- # HEADER: not be deleted, as doing so could cause duplicate cron jobs.
- # Puppet Name: GuiZhou_web_sendmail_restart
- 0 23 * * * /etc/init.d/sendmail restart
- # Puppet Name: GuiZhou_web_alert90_check
- 0 */1 * * * /usr/local/monitor/shell/GuiZhou_web_alter90.sh
- # Puppet Name: GuiZhou_web_alert80_check
- #0 */6 * * * /usr/local/monitor/shell/GuiZhou_web_alter80.sh
- # Puppet Name: GuiZhou_web_check
- */3 * * * * /usr/local/monitor/shell/GuiZhou_web_check.sh
2、贵州交换
- [iyunv@jiaohuan ~]# crontab -l
- # HEADER: This file was autogenerated at Fri Oct 12 16:03:24 +0800 2012 by puppet.
- # HEADER: While it can still be managed manually, it is definitely not recommended.
- # HEADER: Note particularly that the comments starting with 'Puppet Name' should
- # HEADER: not be deleted, as doing so could cause duplicate cron jobs.
- # Puppet Name: GuiZhou_jiaohuan_sendmail_restart
- 0 23 * * * /etc/init.d/sendmail restart
- # Puppet Name: GuiZhou_jiaohuan_alert80_check
- 0 */6 * * * /usr/local/monitor/shell/GuiZhou_jiaohuan_alter80.sh
- # Puppet Name: GuiZhou_jiaohuan_alert90_check
- 0 */1 * * * /usr/local/monitor/shell/GuiZhou_jiaohuan_alter90.sh
- # Puppet Name: GuiZhou_jiaohuan_ping
- #*/15 * * * * /usr/local/monitor/shell/GuiZhou_jiaohuan_ping.sh
- # Puppet Name: GuiZhou_jiaohuan_check
- */3 * * * * /usr/local/monitor/shell/GuiZhou_jiaohuan_check.sh
3、贵州引擎
由于贵州引擎有root账号与lbs用户的配置,所以我们先查看root用户的
- [iyunv@savecenter ~]# crontab -l
- # HEADER: This file was autogenerated at Fri Oct 12 16:16:41 +0800 2012 by puppet.
- # HEADER: While it can still be managed manually, it is definitely not recommended.
- # HEADER: Note particularly that the comments starting with 'Puppet Name' should
- # HEADER: not be deleted, as doing so could cause duplicate cron jobs.
- # Puppet Name: GuiZhou_yinqing_sendmail_restart
- 0 23 * * * /etc/init.d/sendmail restart
- # Puppet Name: GuiZhou_yinqing_alert80_check
- 0 */6 * * * /usr/local/monitor/shell/GuiZhou_yinqing_alter80.sh
- # Puppet Name: GuiZhou_yinqing_alert90_check
- 0 */1 * * * /usr/local/monitor/shell/GuiZhou_yinqing_alter90.sh
在查看lbs用户的
- [iyunv@savecenter ~]# crontab -u lbs -l
- # HEADER: This file was autogenerated at Fri Oct 12 16:16:41 +0800 2012 by puppet.
- # HEADER: While it can still be managed manually, it is definitely not recommended.
- # HEADER: Note particularly that the comments starting with 'Puppet Name' should
- # HEADER: not be deleted, as doing so could cause duplicate cron jobs.
- #MIN HOUR DAY MONTH DAYOFWEEK COMMAND
- # Puppet Name: GuiZhou_yinqing_check
- */3 * * * * /usr/local/monitor/shell/GuiZhou_yinqing_check.sh
4、贵州备用
- [iyunv@beiyong /]# crontab -l
- # HEADER: This file was autogenerated at Fri Oct 12 16:03:37 +0800 2012 by puppet.
- # HEADER: While it can still be managed manually, it is definitely not recommended.
- # HEADER: Note particularly that the comments starting with 'Puppet Name' should
- # HEADER: not be deleted, as doing so could cause duplicate cron jobs.
- # Puppet Name: GuiZhou_beiyong_check
- */3 * * * * /usr/local/monitor/shell/GuiZhou_beiyong_check.sh
- # Puppet Name: GuiZhou_beiyong_sendmail_restart
- 0 23 * * * /etc/init.d/sendmail restart
- # Puppet Name: GuiZhou_beiyong_alert90_check
- 0 */1 * * * /usr/local/monitor/shell/GuiZhou_beiyong_alter90.sh
- # Puppet Name: GuiZhou_beiyong_alert80_check
- 0 */6 * * * /usr/local/monitor/shell/GuiZhou_beiyong_alter80.sh
现在puppet的配置已经完成,当前的配置已经在我们的生产服务器里部署。
如果大家想要在客户端的puppe设置一个时间来连接puppetmaster获取文件?
可以再客户端里的/etc/puppet/puppet.conf文件里加上:
默认是30分钟,可以修改此处的值,单位为秒。
修改后需要重启服务。
需要注意的:
1、在客户端申请证书的时候,建议把客户端与服务器的时间与时区调整为一样的,可以使用ntpdate 210.72.145.44来更新;
2、在/etc/resolv.conf里,一定要把#search localdomain这一行给注销,否则在申请证书的时候,会带有.localdomain,在证书申请完成,服务端给予授权的时候,你在获得资源的时候,会出现hostname not match with the server certificate错误。
在hosts里添加包含本身以及需要自动化的服务端机器主机名与ip地址
3、大家可能发现我写的puppet里的资源配置非常的简单,没有那么花哨、各个模块依赖的,对于这个我的解释是:简单的配置大家都能看懂,运行的时候如果出现问题,那么我们排错的话,也很简单,只有能够顺利的运行,就是一个好的资源配置。
4、主机名使用,建议使用FQDN方式
5、每次生成证书的id均不相同。
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2014-7-22 10:22:12
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡