puppet

基礎守護進程安裝

直接使用官方的rpm包進行安裝，如果根據源碼進行自定製rpm的話，與使用官方rpm包類似

1）指向官方的yum源

vim /etc/yum.repos.d/puppetlabs.repo

[puppetlabs-products]

name=Puppet Labs Products 6 - $basearch

baseurl=http://yum.puppetlabs.com/el/6/products/$basearch

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs

enabled=1

gpgcheck=1

[puppetlabs-deps]

name=Puppet Labs Dependencies 6 - $basearch

baseurl=http://yum.puppetlabs.com/el/6/dependencies/$basearch

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs

enabled=1

gpgcheck=1

[puppetlabs-products-source]

name=Puppet Labs Products 6 - $basearch -Source

baseurl=http://yum.puppetlabs.com/el/6/products/SRPMS

gpgkey=file:///yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs

failovermethod=priority

enabled=0

gpgcheck=1

[puppetlabs-deps-source]

name=Puppet Labs Source Dependencies 6 -$basearch - Source

baseurl=http://yum.puppetlabs.com/el/6/dependencies/SRPMS

gpgkey=file:///yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs

enabled=0

gpgcheck=1

2)替換掉簽名驗證要求

sed -i.bak 's/gpgcheck=1/gpgcheck=0/g'puppetlabs.repo

服務器端：

yum install puppet-server puppet

yum會自動安裝puppet-server及puppet依賴的包

客戶端：

yum install puppet

yum同樣會自動安裝puppet依賴的包

3）修改server端的配置文件

Vim /etc/puppet/puppet.conf

去掉所有內容，並加入如下內容：

[main]

certname = puppet.chinadba.cc

[agent]

certname = puppet.chinadba.cc

server = puppet.chinadba.cc

runinterval = 600

report = true

4）啟動puppetmaster

/etc/init.d/puppetmaster start

5）修改client端的配置文件

vim /etc/puppet/puppet.conf

去掉所有內容，並加入如下內容：

[main]

[agent]

certname = client1.chinadba.cc

server = puppet.chinadba.cc

runinterval = 600

report = true

6）啟動puppet

/etc/init.d/puppet start

注：

（1）需要DNS或者HOSTS文件中對域名和IP進行對應

（2）啟動puppet後會自動向puppet server進行證書簽名請求

如果有錯誤，請根據/var/log/message進行相應修改

7）服務器端對客戶端進行簽名

puppet cert --sign hostname

或者

Puppet cert –sign –all進行全部簽名

8進行測試

vim /etc/puppet/manifests/site.pp，寫入如下內容：

node default {

file{"/tmp/test.txt":

content=>"hello chinadba"

}

}

在客戶端上執行cat /tmp/test.txt進行查看，如果有錯誤請根據/var/log/message的報錯進行修改。

注：puppet及puppet master本身的進程配置會在下面的文檔中進行逐步補充。

配置管理的文件，會開發PHP程序進行生成，而不用理解puppet晦澀的自有描述語言。

對puppet進行擴展

擴展原因： puppetmaster自帶的webrick性能很差，不能支持更多的客戶端。

目前先進行垂直擴展，後期隨著客戶端的增加，再逐步橫向擴展。

方法：由於puppetmaster的運行實質是走HTTP協議，所以結合apache及passenger進行垂直擴展

yum install httpd.x86_64 httpd-devel.x86_64–y

yum install mod_ssl -y

gem install rack

gem install passenger

passenger-install-apache2-module

注意：在安裝passenger前需要安裝gcc、make、autoconf、automake

vim /etc/httpd/conf.d/10_passenger.conf

LoadModule passenger_module/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.18/ext/apache2/mod_passenger.so

PassengerRoot /usr/lib64/ruby/gems/1.8/gems/passenger-3.0.18

PassengerRuby /usr/bin/ruby

PassengerHighPerformance on

PassengerUseGlobalQueue on

# PassengerMaxPoolSize control number ofapplication instances,

# typically 1.5x the number of processorcores.

PassengerMaxPoolSize 6

# Restart ruby process after handlingspecific number of request to resolve MRI memory leak.

PassengerMaxRequests 4000

# Shutdown idle Passenger instances after30 min.

PassengerPoolIdleTime 1800

# End of/etc/httpd/conf.d/10_passenger.conf

接下來我們配置apache虛擬主機,使其監聽8140端口,並修改config.ru配置文件

vim /etc/httpd/conf.d/20_puppetmaster.conf

Listen 8140

<VirtualHost *:8140>

SSLEngine on

SSLProtocol -ALL +SSLv3 +TLSv1

SSLCipherSuiteALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

# Puppet master should generate initial CAcertificate.

# ensure certs are located in/var/lib/puppet/ssl

# Change puppet.example.com to the fullyqualified domain name of the Puppet master, i.e.

SSLCertificateFile/var/lib/puppet/ssl/certs/puppetmaster1.pem

SSLCertificateKeyFile/var/lib/puppet/ssl/private_keys/puppetmaster1.pem

SSLCertificateChainFile/var/lib/puppet/ssl/certs/ca.pem

SSLCACertificateFile/var/lib/puppet/ssl/ca/ca_crt.pem

# CRL checking should be enabled

# disable next line if Apache complainsabout CRL

SSLCARevocationFile/var/lib/puppet/ssl/ca/ca_crl.pem

# optional to allow CSR request, requiredif certificates distributed to client during

SSLVerifyClient optional

SSLVerifyDepth 1

SSLOptions +StdEnvVars

# The following client headers recordauthentication information for down stream workers.

RequestHeader set X-SSL-Subject%{SSL_CLIENT_S_DN}e

RequestHeader set X-Client-DN%{SSL_CLIENT_S_DN}e

RequestHeader set X-Client-Verify%{SSL_CLIENT_VERIFY}e

RackAutoDetect On

DocumentRoot/etc/puppet/rack/puppetmaster/public/

<Directory/etc/puppet/rack/puppetmaster/>

Options None

AllowOverride None

Order allow,deny

allow from all

</Directory>

</VirtualHost>

安裝puppet-dashboard進行報告顯示

官方的yum源中沒有rpm包形式的puppet-dashboard，所以根據下載源碼進程安裝。

安裝前準備：

MySQL

Yum install mysql mysql-server mysql-develruby-mysql

rubygems

測試發現僅rubygems-1.3.7版本適配最新的puppet，所以需要安裝rubygems的1.3.7版本

ruby setup.rb

安裝

下載puppet-dashboard即可

配置

配置puppet-dashboard

配置分四步：

1）編輯database.yml指定數據庫

2）使用ruby的rake命令基於編輯好的database.yml創建數據庫#rakeRAILS_ENV=production db:create

3）填充數據庫# rakeRAILS_ENV=production db:migrate

4）修改settings.yml中的timezone爲’Beijing’

先使用webrick運行puppet-dashboard測試,然後改用passenger運行dashboard以提高性能（passenger配置前面已有）

./script/server –e production

集成puppet及puppet-dashboard

修改client端puppet.conf

[agent]

Report = true

修改server端puppet.conf

[master]

reports = store,http

reporturl = http://puppet.chinadba.cc:80/reports/upload

開發web程序隔離puppet

開發自動管理程序，對使用人員隔離puppet，即僅在web界面中進行操作即可。無需瞭解puppet的使用及配置的編寫。