[Experience sharing] CentOS 6.5 + Puppet 3.7.3: installation, configuration and testing

Posted 2015-1-4 08:46:50
OS: CentOS-6.5-x86_64

Puppet 3.7.3

Puppet master: master.fisteam2.com

Puppet clients: node1-5.fisteam2.com


Puppet requires every machine to have a fully qualified domain name (FQDN). If no DNS server provides the names, set the hostname on every machine, and do it before the agent runs for the first time: the agent's certname defaults to its FQDN and is embedded in the certificate it requests, and that certificate is what the agent and the master use to authenticate each other. Because I have DNS configured I did not need to edit the hosts file; without DNS, add the names to /etc/hosts on each machine.

1. Disable SELinux and iptables, and set up NTP
The machines are minimal installs from CentOS-6.5-x86_64.iso. Turning SELinux and the firewall off is a lab shortcut. For anything reachable beyond a lab, keep SELinux enforcing and, rather than stopping iptables, allow only inbound TCP 8140 on the master (agents connect to the master on that port; the master never connects back to the agents), plus TCP 80 on the master for the Dashboard set up in section 5.

Disable SELinux

[iyunv@master ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:

# targeted - Targeted processes are protected,

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

[iyunv@master ~]# sed -i '/SELINUX/ s/enforcing/disabled/g' /etc/selinux/config

[iyunv@master ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=disabled

# SELINUXTYPE= can take one of these two values:

# targeted - Targeted processes are protected,

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

[iyunv@master ~]# setenforce 0

Stop iptables

[iyunv@node1 ~]# chkconfig --list |grep tables

ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[iyunv@node1 ~]# chkconfig ip6tables off

[iyunv@node1 ~]# chkconfig iptables off

[iyunv@node1 ~]# service ip6tables stop

ip6tables: Setting chains to policy ACCEPT: filter [ OK ]

ip6tables: Flushing firewall rules: [ OK ]

ip6tables: Unloading modules: [ OK ]

[iyunv@node1 ~]# service iptables stop

iptables: Setting chains to policy ACCEPT: filter [ OK ]

iptables: Flushing firewall rules: [ OK ]

iptables: Unloading modules: [ OK ]

[iyunv@node1 ~]#

Set up NTP. Time synchronisation matters here because the certificates Puppet's CA issues carry validity dates; a skewed clock on either side makes the agent/master TLS handshake fail.

[iyunv@master ~]# ntpdate pool.ntp.org

[iyunv@master ~]# chkconfig --list|grep ntp

ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

ntpdate 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[iyunv@master ~]# chkconfig ntpd on

[iyunv@master ~]# service ntpd start

Starting ntpd: [ OK ]

[iyunv@master ~]#

2. Install the Puppet service
Puppet is not in the CentOS base repositories, so add the official repository provided by Puppet Labs:

[iyunv@master ~]# wget http://yum.puppetlabs.com/el/6/p ... ease-6-7.noarch.rpm

[iyunv@master ~]# rpm -ivh puppetlabs-release-6-7.noarch.rpm

[iyunv@master ~]#yum update

Install puppet-server on the master and enable the master service (puppetmaster, not the puppet agent service, so that the master comes back after a reboot):

[iyunv@master ~]# yum install puppet-server

[iyunv@master ~]# chkconfig --list |grep puppet

puppet 0:off 1:off 2:off 3:off 4:off 5:off 6:off

puppetmaster 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[iyunv@master ~]# chkconfig puppetmaster on

[iyunv@master ~]# service puppetmaster start

Starting puppetmaster: [ OK ]

[iyunv@master ~]#


Install the Puppet agent on the clients

[iyunv@node1 ~]# yum install puppet

[iyunv@node1 ~]# chkconfig --list |grep puppet

puppet 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[iyunv@node1 ~]# chkconfig puppet on

[iyunv@node1 ~]# chkconfig --list |grep puppet

puppet 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[iyunv@node1 ~]# service puppet start

Starting puppet agent: [ OK ]

[iyunv@node1 ~]#


3. Configure Puppet

On each Puppet client, edit /etc/puppet/puppet.conf and point the agent at the master (the server line under [agent] is the only addition to the stock file):

[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet

# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl

[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig

server = master.fisteam2.com


Then restart the puppet agent service:

[iyunv@node1 ~]# service puppet restart

Stopping puppet agent: [ OK ]

Starting puppet agent: [ OK ]

[iyunv@node1 ~]#

4. Client certificate requests
Automatic certificate signing on the master
To have the master sign every request automatically, create autosign.conf in /etc/puppet. (No change to /etc/puppet/puppet.conf is needed, because the default location of autosign.conf is unchanged.) Be clear about what this policy checks: only the certname in the request. Any host that can reach TCP 8140 on the master and asks for a name ending in .fisteam2.com receives a signed certificate, and with it every catalog and file the master serves to that name. That is fine for a lab; elsewhere, sign manually after comparing fingerprints, or point the autosign setting at a policy script (supported since Puppet 3.4; it receives the certname and the CSR and can apply a real check).

[iyunv@master ~]# ll /etc/puppet/

total 28

-rw-r--r--. 1 root root 4178 Nov 4 06:24 auth.conf

drwxr-xr-x. 3 root root 4096 Dec 29 15:44 environments

-rw-r--r--. 1 root root 1462 Nov 4 06:23 fileserver.conf

drwxr-xr-x. 2 root root 4096 Nov 4 06:24 manifests

drwxr-xr-x. 2 root root 4096 Nov 4 06:24 modules

-rw-r--r--. 1 root root 853 Nov 4 06:23 puppet.conf

[iyunv@master ~]# cat > /etc/puppet/autosign.conf <<EOF

> *.fisteam2.com

> EOF

[iyunv@master ~]# service puppetmaster restart

Stopping puppetmaster: [ OK ]

Starting puppetmaster: [ OK ]

[iyunv@master ~]#


Requests from every machine whose certname ends in fisteam2.com are now signed automatically.
The client has to ask the master to manage it, and that is really a certificate signing exchange: the first time the agent runs it generates a key pair and sends a certificate signing request (CSR) to the master; if the master accepts the node, it signs the certificate and hands it back. The request is triggered on the client with the command below; because server is already set in the client's puppet.conf, there is no need to pass the master's address:

[iyunv@node1 ~]# puppet agent


To follow the registration in detail, and for troubleshooting later, add these options:
--no-daemonize: stay in the foreground and log to the terminal
--verbose: more detailed output
--debug: very detailed output, for troubleshooting
--test: test mode; passing --test on its own is enough, since it implies --onetime, --verbose and --no-daemonize (among others)

[iyunv@node1 ~]# puppet agent --no-daemonize --onetime --verbose --debug

The request goes through, and because automatic signing is configured the certificate is signed straight away. On the master, run
[iyunv@master ~]# puppet cert list --all
to see every client certificate: a leading "+" marks a signed certificate, a name with no prefix is a pending request, and "-" marks a revoked certificate. A pending request is signed with
[iyunv@master ~]# puppet cert --sign node1.localdomain
(giving the certname exactly as it appears in the list), after which it shows with the "+" prefix.
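The signing step is where a rogue host gets into the fleet, so the check a practitioner wants before signing is to compare the fingerprint the master shows for the request with the one the node itself prints (puppet agent --fingerprint on the node, read over a channel other than the CSR). The helpers below are an added example written for this page, not code from the original post or from Puppet. They parse the `puppet cert list --all` listing format of Puppet 3.x (leading "+" for signed, "-" for revoked, no prefix for pending) and emulate the name matching autosign.conf does; the listing, the fingerprints and the hosts other than master and node1-5 are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): review Puppet 3.x certificate
# requests before signing them. Assumes the `puppet cert list --all` format:
#   + "name" (SHA256) AA:BB:...      signed certificate
#   - "name" (SHA256) AA:BB:...      revoked certificate
#     "name" (SHA256) AA:BB:...      pending request (no prefix)

# Constructed sample listing. The fingerprints and the hosts other than
# master/node1-5 are invented for this example.
NODE6_FP='0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0'
SAMPLE_CERT_LIST="+ \"master.fisteam2.com\" (SHA256) A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90 (alt names: \"DNS:master.fisteam2.com\", \"DNS:puppet\")
+ \"node1.fisteam2.com\" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
  \"node6.fisteam2.com\" (SHA256) $NODE6_FP
  \"rogue.attacker.example\" (SHA256) DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF
- \"node5.fisteam2.com\" (SHA256) FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00"

# The autosign.conf from the post, as input for autosign_allows.
AUTOSIGN_CONF='*.fisteam2.com'

# Certnames of pending requests: the lines without a "+" or "-" prefix.
pending_certs() {
  awk 'NF && $1 != "+" && $1 != "-" { n = $1; gsub(/"/, "", n); print n }'
}

# Certnames of signed certificates.
signed_certs() {
  awk '$1 == "+" { n = $2; gsub(/"/, "", n); print n }'
}

# Fingerprint the master shows for certname $1 (empty if the name is unknown).
cert_fingerprint() {
  awk -v want="\"$1\"" '
    { i = ($1 == "+" || $1 == "-") ? 2 : 1 }
    $i == want { print $(i + 2) }'
}

# True only when the fingerprint on the master equals the one the node printed
# with "puppet agent --fingerprint" ($2), obtained over a channel other than
# the CSR itself. Sign only on a match.
csr_fingerprint_matches() {
  shown=$(cert_fingerprint "$1")
  [ -n "$shown" ] && [ "$shown" = "$2" ]
}

# Emulates autosign.conf matching (stdin: one entry per line, an exact
# certname or a glob with a leading "*"). True if $1 would be signed unattended.
autosign_allows() {
  name=$1
  while IFS= read -r pattern || [ -n "$pattern" ]; do
    case "$pattern" in ''|'#'*) continue ;; esac
    case "$name" in
      $pattern) return 0 ;;
    esac
  done
  return 1
}

# Demo: which pending requests the post's autosign rule would have accepted
# without any identity check, and which still need a manual fingerprint check.
printf '%s\n' "$SAMPLE_CERT_LIST" | pending_certs | while IFS= read -r n; do
  if printf '%s\n' "$AUTOSIGN_CONF" | autosign_allows "$n"; then
    echo "$n: matches autosign.conf, signed with no identity check"
  else
    echo "$n: not autosigned; run 'puppet cert --sign $n' only after the fingerprint matches"
  fi
done
# Any name under the domain passes, whether or not the host is ours.
printf '%s\n' "$AUTOSIGN_CONF" | autosign_allows attacker-box.fisteam2.com &&
  echo "attacker-box.fisteam2.com: would be autosigned too"
```

Feed the real listing in with `puppet cert list --all | pending_certs` on the master; the point the demo makes is that the wildcard accepts attacker-box.fisteam2.com just as readily as node6.fisteam2.com, which is why the fingerprint comparison, not the name, should decide whether `puppet cert --sign` runs.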
5. Install Puppet Dashboard on the master
Install MySQL
[iyunv@master ~]# yum install -y mysql mysql-devel mysql-server
Tune MySQL
Edit /etc/my.cnf and add one line at the end of the [mysqld] section
[iyunv@master ~]# vim /etc/my.cnf
Start the MySQL service
[iyunv@master ~]# service mysqld start
[iyunv@master ~]# chkconfig mysqld on
[iyunv@master ~]# chkconfig --list |grep mysqld
mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Set the MySQL root password; I use 123456 here. That is a throwaway lab value and the same one is reused for the dashboard account below, so replace both with real passwords on any machine that matters.
[iyunv@master ~]# mysqladmin -u root password '123456'
Create the dashboard database and a dedicated user for it
[iyunv@master ~]# mysql -uroot -p123456 <<EOF
> CREATE DATABASE dashboard CHARACTER SET utf8;
> CREATE USER 'dashboard'@'localhost' IDENTIFIED BY '123456';
> GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost';
> FLUSH PRIVILEGES;
> EOF
[iyunv@master ~]#
Passenger + Apache + Dashboard
Passenger is what lets Apache run the Ruby (Rails) Dashboard application. It is not in the official CentOS repositories, so add the EPEL repository:
[iyunv@master ~]# wget http://dl.fedoraproject.org/pub/ ... ease-6-8.noarch.rpm
[iyunv@master ~]# rpm -ivh epel-release-6-8.noarch.rpm
[iyunv@master ~]# yum install mod_passenger puppet-dashboard
Configure Dashboard (database connection)
[iyunv@master ~]# vim /usr/share/puppet-dashboard/config/database.yml
Set the time zone
[iyunv@master ~]# vim /usr/share/puppet-dashboard/config/environment.rb
Initialise the database
[iyunv@master ~]# cd /usr/share/puppet-dashboard/
[iyunv@master puppet-dashboard]# rake RAILS_ENV=production db:migrate
Configure Apache
Integrate Passenger with Apache and define the Dashboard virtual host:
[iyunv@master ~]# cat > /etc/httpd/conf.d/passenger.conf << EOF
> LoadModule passenger_module modules/mod_passenger.so
> <IfModule mod_passenger.c>
>   PassengerRoot /usr/share/rubygems/gems/passenger-3.0.17
>   PassengerRuby /usr/bin/ruby
>   PassengerHighPerformance on
>   PassengerMaxPoolSize 12
>   PassengerPoolIdleTime 1500
>   PassengerStatThrottleRate 120
>   RailsAutoDetect On
> </IfModule>
> <VirtualHost *:80>
>   ServerName master.fisteam2.com
>   DocumentRoot "/usr/share/puppet-dashboard/public/"
>   <Directory "/usr/share/puppet-dashboard/public/">
>     Options None
>     AllowOverride AuthConfig
>     Order allow,deny
>     allow from all
>   </Directory>
>   ErrorLog /var/log/httpd/master.fisteam2.com_error.log
>   LogLevel warn
>   CustomLog /var/log/httpd/master.fisteam2.com_access.log combined
>   ServerSignature On
> </VirtualHost>
> EOF
[iyunv@master ~]#
Start the service
[iyunv@master ~]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using master.fisteam2.com for ServerName
[ OK ]
[iyunv@master ~]# chkconfig httpd on
[iyunv@master ~]# chkconfig --list | grep httpd
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Configure Puppet
Have the master forward reports to Dashboard. Agents send reports to the master by default, so nothing changes on the agents; only the master needs these lines in /etc/puppet/puppet.conf:
[iyunv@master ~]# vim /etc/puppet/puppet.conf
[master]
reports = store,http
reporturl = http://master.fisteam2.com:80/reports/upload
The http report processor posts every report, including resource values and file diffs, to Dashboard over plain HTTP, and Dashboard has no login of its own; as configured above it answers on port 80 to anyone. Keep it off untrusted networks, or add authentication through the AuthConfig override the vhost already permits.
Restart the puppetmaster service
[iyunv@master ~]# service puppetmaster restart
Puppet Dashboard can now be opened directly at http://ip
Import the existing reports
[iyunv@master puppet-dashboard]# cd /usr/share/puppet-dashboard/
[iyunv@master puppet-dashboard]# rake RAILS_ENV=production reports:import
Dashboard now shows the imported reports as pending tasks.
Process the imported reports (the delayed-job worker)
[iyunv@master puppet-dashboard]# cd /usr/share/puppet-dashboard/
[iyunv@master puppet-dashboard]# rake jobs:work RAILS_ENV="production"
Result with one master and five nodes
File sync test
On the Puppet master:
[iyunv@master ~]# vim /etc/puppet/fileserver.conf
[fisteam2filesync]
  path /etc/puppet
  allow *
This adds a mount named fisteam2filesync below the existing ones, serving /etc/puppet. With allow *, every node that holds a signed certificate can read the whole /etc/puppet tree through the mount, including puppet.conf, autosign.conf and the manifests; in practice, serve a dedicated directory (for example a files directory under /etc/puppet) rather than the configuration directory itself, and list the nodes that need it instead of *.
[iyunv@master ~]# vim /etc/puppet/manifests/site.pp
node default {
  file { "/tmp/fisteam2_puppet_testfile.txt":
    content => "good,test pass!\nfisteam2_puppet_testing\n";
  }
}
This manifest makes every agent that connects (the default node) create /tmp/fisteam2_puppet_testfile.txt with the content "good,test pass!", a newline, "fisteam2_puppet_testing" and a newline. It uses inline content, so the fisteam2filesync mount declared above is not actually exercised; to copy a file from the master, a file resource would set source to a puppet:///fisteam2filesync/ URL instead of content.
Restart puppetmaster after creating the manifest for the first time:
[iyunv@master ~]# service puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
Tests on node1 to node5 (the screenshots of the agent run on each node are not reproduced here)
===================================================END====================================





Post URL: https://www.yunweiku.com/thread-40078-1-1.html