1. 环境准备
OS:CentOS 6.4
防火墙:必须允许 Agent 到 Master 的 TCP 8140 端口连接。本文的配置中只有 Agent 主动连接 Master,因此仅 Master 需要开放该入站端口,Agent 侧无需开放端口。
主机名:官方要求每个节点的主机名都要配置正向或反向的 DNS 解析。本次不讲解 DNS 的配置,直接通过编辑 /etc/hosts 实现(默认的 puppet master 主机名是 puppet)。注意 Agent 在 server = 中使用的 Master 名称必须是 Master 证书所包含的名称之一(见后文 dns_alt_names)。
检查时间:必须保证所有节点的时间准确,误差不能太大,否则证书有效期(notBefore/notAfter)校验会失败,SSL 通信会出错。
加入计划任务中(每 5 分钟同步一次;cron 默认用 /bin/sh 执行,因此用可移植的重定向写法):*/5 * * * * ntpdate s2c.time.edu.cn >/dev/null 2>&1
|
虚拟机三台:
每台主机的 /etc/hosts 请根据自身情况绑定(下面是本文三台虚拟机的示例地址):
# Append the three lab hosts to /etc/hosts (adjust addresses to your own network).
# NOTE(review): these names are also what the agents use as certname (default = hostname),
# so keep them identical to each node's configured hostname.
{
  printf '%s\n' \
    '192.168.188.20 master.dbsa.cn' \
    '192.168.188.21 agent1.dbsa.cn' \
    '192.168.188.22 agent2.dbsa.cn'
} >> /etc/hosts
|
2. 安装Puppet
安装 yum 源:(原文此处缺少具体命令;需先配置一个提供 puppet-server-3.7.3 / puppet-3.7.3 软件包的 yum 源,否则下面的 yum install 无法找到对应版本)
安装Puppet Master
# Install the Puppet master package, pinned to the same 3.7.3 release as the agents.
# Do NOT start /etc/init.d/puppetmaster yet: the certificate names (step 3a) must be
# configured before the CA and master certificate are generated on first run.
yum -y install puppet-server-3.7.3
|
安装Puppet Agent
# Install the Puppet agent package, pinned to 3.7.3 to match the master.
# Do NOT start /etc/init.d/puppet yet; the agent configuration comes later.
yum -y install puppet-3.7.3
|
3. 在一个生产环境中的 Puppet Master,你需要注意以下几个事项:
a.)修改Puppetmaster的主机名,然后建立证书.
#dns_alt_names lists the extra names (comma-separated) the master certificate must cover.
#Agents validate the name they use in "server = ...", so every such name (puppet, master.dbsa.cn)
#has to be set here BEFORE the certificate is generated: the SAN list is fixed when a
#certificate is issued, so adding a name later means re-issuing the master certificate.
/etc/puppet/puppet.conf
[main]
dns_alt_names = puppet,master.dbsa.cn
#Running the master once in the foreground creates the CA and the master certificate
puppet master --verbose --no-daemonize
#Alternatively generate only the master certificate (presumably the CA must already exist)
puppet cert generate <MASTER'S CERTNAME> --dns_alt_names <ALT NAME 1>,<ALT NAME 2>
|
b.)一些必要的配置.(参考)
/etc/puppet/puppet.conf (in Master)
#log
#NOTE(review): the report URL below is plain http. Run reports contain resource names and
#changes; keep the receiver on localhost (as here) or put it behind TLS before sending them
#across a network.
reports = http #log,http,tagmail
reporturl = http://localhost:3000/reports/upload # reports = http
#enc
#node_terminus = exec hands node classification to an external script (an ENC)
node_terminus = exec #plain,exec
external_nodes = /path/node.rb #node_terminus = exec
#puppetdb
storeconfigs = true
storeconfigs_backend = puppetdb
#static
catalog_terminus = static_compiler # static compilation: spends some master CPU to cut catalog-apply time and the number of HTTPS requests; site.pp must contain filebucket { puppet: path => false; }
#ca cert
ca = true
#NOTE(review): 5-year certificates mean a leaked agent key stays valid for up to 5 years
#unless revoked (puppet cert clean + CRL); a shorter ca_ttl limits that window.
ca_ttl = 5y
#autosign.conf holds one certname or domain-name glob per line (e.g. *.dbsa.cn) - globs,
#not regular expressions. Every CSR whose name matches is signed with no further checks,
#so only use it on a trusted network, or (Puppet 3.4+) point autosign at an executable that
#validates the CSR instead.
autosign = $confdir/autosign.conf
|
/etc/puppet/puppet.conf (in Agent)
server = puppet # default value is "puppet"; must be one of the master's certificate names
certname = agent # this node's certificate name; defaults to the node's hostname
#NOTE(review): leave certname at its default unless every node gets a unique value -
#a second node requesting the same name is refused by the CA (the name is already signed),
#and with autosign it would otherwise share one identity.
report = true # send a run report to the master after each run
pluginsync = true # sync facts/plugins from the master
runinterval = 30m # run interval when the agent runs as a daemon
splay = false # add a pseudo-random delay before each run so agents do not all hit the master at once
splaylimit = 2m # upper bound of that delay
configtimeout = 120 # seconds to wait for the master when retrieving configuration
|
当前PuppetMaster的配置如下:
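# Write the master's puppet.conf. The heredoc delimiter is quoted so $vardir/$confdir are
# written literally (they are Puppet settings, not shell variables).
cat > /etc/puppet/puppet.conf <<'EOF'
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
syslogfacility = local6
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
[master]
reports = log
ca = true
dns_alt_names = puppet,master.dbsa.cn
# Sign only CSRs whose certname matches autosign.conf. "autosign = true" would hand a
# certificate - and that node's catalog - to anyone who can reach port 8140.
autosign = $confdir/autosign.conf
EOF
# Lab convenience: auto-sign agents in the lab domain. Even this trusts the name in the
# CSR, so on a shared network prefer manual "puppet cert sign <name>" or (Puppet 3.4+) a
# policy-based autosign executable.
cat > /etc/puppet/autosign.conf <<'EOF'
*.dbsa.cn
EOF
chmod 0644 /etc/puppet/autosign.conf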
|
当前PuppetAgent的配置如下:
# Agent-side puppet.conf. Quoted delimiter: $vardir is a Puppet setting and must reach
# the file unexpanded. server must be a name covered by the master certificate.
cat > /etc/puppet/puppet.conf <<'EOF'
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
syslogfacility = local6
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = master.dbsa.cn
report = true
configtimeout = 120
EOF
|
/etc/rsyslog.conf
# keep Puppet's messages (facility local6, see syslogfacility in puppet.conf) out of /var/log/messages ...
*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages
# ... and write them to their own file instead
local6.* /var/log/puppet/puppet.log
# apply the change
/etc/init.d/rsyslog restart
|
上面的配置中 autosign = true,Master 会自动签署任何发来的证书请求(包括伪造主机名的请求),这只适用于隔离的测试环境;生产环境应使用 autosign.conf 白名单、策略脚本或手工 puppet cert sign。Agent 执行完成后会将运行报告发送到 Puppet Master(reports = log,记录在 Master 的日志中)。
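# Inspect the effective configuration (built-in defaults merged with puppet.conf).
puppet config print
puppet config print --section master
puppet config print --section agent
# Certificate management on the master (the CA).
puppet cert list --all   # list all certificates and pending requests
puppet cert clean <name>  # revoke and delete the named certificate; the agent must re-request
puppet cert sign <name>   # sign ONE pending request, after checking the name is a host you own
puppet cert sign --all    # signs EVERY pending request unchecked - review "puppet cert list" first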
|
c)创建一个简单的modules和manifests
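# site.pp: node classification. Quoted delimiter - nothing here needs shell expansion.
cat > /etc/puppet/manifests/site.pp <<'EOF'
# "default" catches every node that no other node block matches
node default {
  # apply the base module
  include base
}
# /agent2/ is a regex match; an exact name ('agent2.dbsa.cn') works too
node /agent2/ {
  include base
  # print a message on the agent
  notify { "hello world": }
}
EOF
# create the base module skeleton
mkdir -p /etc/puppet/modules/base/{manifests,lib,files,templates}
cat > /etc/puppet/modules/base/manifests/init.pp <<'EOF'
# class base: one file resource that writes "hello world" to /tmp/test
class base {
  file { "/tmp/test":
    owner   => root,
    group   => root,
    # quoted 4-digit mode: the form puppet-lint expects, and an unquoted 644 is read
    # as a decimal integer by the Puppet 4 parser
    mode    => '0644',
    content => "hello world",
  }
}
EOF
/etc/init.d/puppetmaster restart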
|
Agent执行Puppet
| [iyunv@agent1 ~]# puppet agent --verbose --no-daemonize
Notice: Starting Puppet client version 3.7.3
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent1.dbsa.cn
Info: Applying configuration version '1417016408'
Notice: /Stage[main]/Base/File[/tmp/test]/ensure: defined content as '{md5}5eb63bbbe01eeed093cb22bb8f5acdc3'
Notice: Finished catalog run in 0.03 seconds
[iyunv@agent2 ~]# puppet agent --verbose --no-daemonize
Notice: Starting Puppet client version 3.7.3
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent2.dbsa.cn
Info: Applying configuration version '1417016408'
Notice: /Stage[main]/Base/File[/tmp/test]/ensure: defined content as '{md5}5eb63bbbe01eeed093cb22bb8f5acdc3'
Notice: hello world
Notice: /Stage[main]/Main/Node[agent2]/Notify[hello world]/message: defined 'message' as 'hello world'
Notice: Finished catalog run in 0.06 seconds
|
d)配置nginx替换默认的Webrick
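# Build dependencies for nginx + Passenger (Ruby 1.8 / rubygems on CentOS 6).
yum -y install ruby-devel rubygems gcc gcc-c++ make
yum -y install curl-devel openssl-devel zlib-devel pcre-devel
# Switch the gem source to a domestic mirror BEFORE installing gems: the default source is
# slow/unreliable from China. The original omitted the mirror URL; prefer an https mirror so
# gems cannot be swapped in transit, and only drop rubygems.org once the mirror works.
gem sources -a <MIRROR_URL>
gem sources --remove http://rubygems.org/
gem sources -l
# Pin the versions the rest of this guide was tested with.
gem install rake -v 10.4.0 -V
gem install rack -v 1.5.2 -V
gem install passenger -v 3.0.19 -V
# Fetch the nginx source. The mirror is plain http: verify the tarball against the signature
# published on nginx.org (nginx-1.6.2.tar.gz.asc) before compiling it as root.
cd /tmp
wget http://mirrors.sohu.com/nginx/nginx-1.6.2.tar.gz
tar xf nginx-1.6.2.tar.gz
# Build nginx with the Passenger module. The installer is interactive: choose option 1 at the
# first prompt and option 2 at the second, then enter /tmp/nginx-1.6.2 (source directory)
# and /usr/local/nginx (install prefix), accepting the defaults for everything else.
passenger-install-nginx-module
# Rack application directory for the puppet master. By default Passenger runs the app as the
# owner of config.ru, so the tree must belong to the puppet user.
mkdir -p /etc/puppet/rack/public
cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack
chown -R puppet:puppet /etc/puppet/rack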
|
Nginx配置文件:
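# Main nginx.conf. Quoted delimiter: the $ signs in log_format are nginx variables and must
# not be expanded by the shell (the original left $time_local unescaped, so it was written
# as an empty string).
cat > /usr/local/nginx/conf/nginx.conf <<'EOF'
# Workers do not need root: 8140 is an unprivileged port and Passenger spawns the puppet
# master application as the owner of config.ru (the puppet user). Root workers would turn
# any nginx bug into a root compromise of the CA host.
user puppet;
worker_processes 1;
events {
  worker_connections 1024;
}
http {
  passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19;
  passenger_ruby /usr/bin/ruby;
  passenger_max_pool_size 32;
  include mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" '
                  '$upstream_addr $upstream_cache_status $upstream_status';
  sendfile on;
  keepalive_timeout 65;
  include /usr/local/nginx/conf/puppet.conf;
}
EOF
# Certname of this master: the key and certificate under ssldir are named after it.
# nginx 1.6 does not expand variables in ssl_certificate, so the name is substituted by the
# shell here (the original wrote a literal "$HOSTNAME.pem" into the config).
MASTER_CERTNAME=master.dbsa.cn
cat > /usr/local/nginx/conf/puppet.conf <<EOF
server {
  listen 8140 ssl;
  # names the agents use in "server = ..."; both are in the master certificate's dns_alt_names
  server_name ${MASTER_CERTNAME} puppet;
  root /etc/puppet/rack/public;
  access_log /usr/local/nginx/logs/access-8140.log main;
  passenger_enabled on;
  passenger_use_global_queue on;
  # Puppet's Rack handler authenticates agents from these two headers (its default
  # ssl_client_header / ssl_client_verify_header names), so they must be set from the TLS
  # handshake here and never taken from the client request.
  passenger_set_cgi_param HTTP_X_CLIENT_DN \$ssl_client_s_dn;
  passenger_set_cgi_param HTTP_X_CLIENT_VERIFY \$ssl_client_verify;
  ssl_certificate /var/lib/puppet/ssl/certs/${MASTER_CERTNAME}.pem;
  ssl_certificate_key /var/lib/puppet/ssl/private_keys/${MASTER_CERTNAME}.pem;
  ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
  ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
  # "optional": a new agent has no certificate yet when it submits its CSR; everything
  # else is gated on X-Client-Verify by the Rack handler.
  ssl_verify_client optional;
  ssl_verify_depth 1;
  # TLS only, no RC4/export/anonymous suites. The original "SSLv2:-LOW:-EXPORT:RC4+RSA"
  # list enabled RC4 and SSLv2-era suites, and its "ssl off" contradicted "listen ... ssl".
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:128m;
  ssl_session_timeout 5m;
}
EOF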
|
Nginx启动脚本:
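# Install the init script. The delimiter is quoted so NO $variable is expanded while the
# file is written: the original escaped most of them but not "$prog" in stop() or
# "$lockfile", which reached the script as empty strings (so stop() ran "rm -f" with no
# argument and never removed the lock).
cat > /etc/init.d/nginx <<'EOF'
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# pidfile: /usr/local/nginx/logs/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename "$nginx")
NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
lockfile=/var/lock/subsys/nginx

# Start the daemon; exit 5/6 if the binary or config file is missing.
start() {
  [ -x "$nginx" ] || exit 5
  [ -f "$NGINX_CONF_FILE" ] || exit 6
  echo -n $"Starting $prog: "
  daemon "$nginx" -c "$NGINX_CONF_FILE"
  retval=$?
  echo
  [ "$retval" -eq 0 ] && touch "$lockfile"
  return "$retval"
}

# Graceful stop (QUIT lets in-flight requests finish).
stop() {
  echo -n $"Stopping $prog: "
  killproc "$prog" -QUIT
  retval=$?
  echo
  [ "$retval" -eq 0 ] && rm -f "$lockfile"
  return "$retval"
}

restart() {
  configtest || return $?
  stop
  start
}

# Re-read the configuration without dropping connections.
reload() {
  configtest || return $?
  echo -n $"Reloading $prog: "
  killproc "$nginx" -HUP
  retval=$?
  echo
  return "$retval"
}

force_reload() {
  restart
}

# Validate the configuration before any restart/reload so a typo cannot take the
# puppet master offline.
configtest() {
  "$nginx" -t -c "$NGINX_CONF_FILE"
}

rh_status() {
  status "$prog"
}

rh_status_q() {
  rh_status >/dev/null 2>&1
}

case "$1" in
  start)
    rh_status_q && exit 0
    $1
    ;;
  stop)
    rh_status_q || exit 0
    $1
    ;;
  restart|configtest)
    $1
    ;;
  reload)
    rh_status_q || exit 7
    $1
    ;;
  force-reload)
    force_reload
    ;;
  status)
    rh_status
    ;;
  condrestart|try-restart)
    # restart only if already running (the original fell through without restarting)
    rh_status_q || exit 0
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
esac
EOF
chmod 0755 /etc/init.d/nginx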
|
e)启动Puppet Master服务
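# Swap the built-in WEBrick master for nginx+Passenger on 8140. Validate the nginx config
# first so a broken config cannot leave the master with no listener at all; the chkconfig
# calls make the switch survive a reboot. Chained with && so the sequence stops at the
# first failure without closing an interactive shell.
/etc/init.d/nginx configtest &&
  /etc/init.d/puppetmaster stop &&
  /etc/init.d/nginx start &&
  chkconfig puppetmaster off &&
  chkconfig nginx on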