Basic daemon installation
Install directly from the official rpm packages; if you build a custom rpm from source instead, the procedure is much the same as with the official rpm packages.
1) Point yum at the official repository
vim /etc/yum.repos.d/puppetlabs.repo
[puppetlabs-products]
name=Puppet Labs Products 6 - $basearch
baseurl=http://yum.puppetlabs.com/el/6/products/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=1
[puppetlabs-deps]
name=Puppet Labs Dependencies 6 - $basearch
baseurl=http://yum.puppetlabs.com/el/6/dependencies/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=1
[puppetlabs-products-source]
name=Puppet Labs Products 6 - $basearch -Source
baseurl=http://yum.puppetlabs.com/el/6/products/SRPMS
gpgkey=file:///yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs
failovermethod=priority
enabled=0
gpgcheck=1
[puppetlabs-deps-source]
name=Puppet Labs Source Dependencies 6 -$basearch - Source
baseurl=http://yum.puppetlabs.com/el/6/dependencies/SRPMS
gpgkey=file:///yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs
enabled=0
gpgcheck=1
2) Disable the signature check requirement
sed -i.bak 's/gpgcheck=1/gpgcheck=0/g' puppetlabs.repo
Server side:
yum install puppet-server puppet
yum automatically installs puppet-server and the packages puppet depends on.
Client side:
yum install puppet
yum likewise installs the packages puppet depends on automatically.
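Because the sed above turns RPM signature verification off for every section of the file, it helps to see exactly which enabled repositories that affects. The script below is an added example, not part of the original article: it lists the repository sections that are enabled but have gpgcheck=0, using a constructed copy of puppetlabs.repo after the sed as sample input. It assumes yum's defaults when a key is absent (enabled=1; gpgcheck inherited from [main], taken here as 1).

```shell
#!/bin/sh
# Added example (not from the original article): list the yum repo
# sections that are enabled but have gpgcheck turned off, i.e. repos whose
# packages yum will install without checking the RPM signature.
# Usage: unsigned_repos /etc/yum.repos.d/puppetlabs.repo

unsigned_repos() {
    awk '
        function flush() {
            if (sec != "" && enabled == 1 && gpgcheck == 0) print sec
        }
        # A "[name]" line starts a new section; report the previous one.
        /^\[/ {
            flush()
            sec = substr($0, 2, length($0) - 2)
            enabled = 1    # yum default when the key is absent
            gpgcheck = 1   # assumed default ([main] gpgcheck=1 on EL6)
            next
        }
        /^enabled *=/  { split($0, kv, "="); enabled  = kv[2] + 0 }
        /^gpgcheck *=/ { split($0, kv, "="); gpgcheck = kv[2] + 0 }
        END { flush() }
    ' "$1"
}

# Constructed sample: the article's puppetlabs.repo after step 2's sed
# (gpgcheck=0 everywhere), trimmed to the keys this check reads.
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" <<'EOF'
[puppetlabs-products]
name=Puppet Labs Products 6 - $basearch
baseurl=http://yum.puppetlabs.com/el/6/products/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=0
[puppetlabs-deps]
name=Puppet Labs Dependencies 6 - $basearch
baseurl=http://yum.puppetlabs.com/el/6/dependencies/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=0
[puppetlabs-products-source]
baseurl=http://yum.puppetlabs.com/el/6/products/SRPMS
enabled=0
gpgcheck=0
[puppetlabs-deps-source]
baseurl=http://yum.puppetlabs.com/el/6/dependencies/SRPMS
enabled=0
gpgcheck=0
EOF

# The two enabled repos are reported; the disabled -source repos are not.
unsigned_repos "$SAMPLE_REPO"
# prints:
# puppetlabs-products
# puppetlabs-deps
```

Running it against the file before the sed (or after restoring it from the .bak copy) prints nothing, which is the state to aim for once the install is done.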
3) Edit the server-side configuration file
vim /etc/puppet/puppet.conf
Remove all existing content and add the following:
[main]
certname = puppet.chinadba.cc
[agent]
certname = puppet.chinadba.cc
server = puppet.chinadba.cc
runinterval = 600
report = true
4) Start puppetmaster
/etc/init.d/puppetmaster start
5) Edit the client-side configuration file
vim /etc/puppet/puppet.conf
Remove all existing content and add the following:
[main]
[agent]
certname = client1.chinadba.cc
server = puppet.chinadba.cc
runinterval = 600
report = true
6) Start puppet
/etc/init.d/puppet start
Notes:
(1) Hostnames must be mapped to IP addresses, in DNS or in the HOSTS file.
(2) After puppet starts, it automatically sends a certificate signing request to the puppet server.
If there are errors, fix them according to /var/log/messages.
7) Sign the client on the server side
puppet cert --sign hostname
or
puppet cert --sign --all  (signs all pending requests)
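Signing every pending request with --all also signs requests from hosts you did not provision. The script below is an added example, not part of the original article: it reads the output of puppet cert --list, signs only hostnames under an expected domain, and reports the rest so someone can look at them. The sample list output is constructed, and the assumed output format (hostname as the first field, quoted in puppet 3.x, bare in 2.7) is an assumption, not something the article states.

```shell
#!/bin/sh
# Added example (not part of the original article): sign only the pending
# CSRs whose hostname lies under an expected domain, instead of
# "puppet cert --sign --all". Unexpected hostnames are reported on stderr
# and left unsigned.
#
# Assumed "puppet cert --list" format (not from the article): one pending
# request per line, hostname first, either bare
#   (2.7:   client2.chinadba.cc (44:55:66))
# or quoted
#   (3.x:   "client1.chinadba.cc" (SHA256) 11:22:33).

# pending_hosts: read "puppet cert --list" output on stdin, print one
# hostname per line (quotes stripped, blank lines ignored).
pending_hosts() {
    awk 'NF > 0 { h = $1; gsub(/"/, "", h); print h }'
}

# select_hosts DOMAIN: keep only hostnames ending in ".DOMAIN";
# rejected names go to stderr so they are not silently dropped.
select_hosts() {
    domain="$1"
    while read -r host; do
        case "$host" in
            *."$domain") echo "$host" ;;
            *) echo "skipped (not under $domain): $host" >&2 ;;
        esac
    done
}

# sign_from_list DOMAIN: read "puppet cert --list" output on stdin and
# sign each accepted hostname one at a time. DRY_RUN=1 prints the
# commands instead of running them.
sign_from_list() {
    pending_hosts | select_hosts "$1" |
    while read -r host; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "puppet cert --sign $host"
        else
            puppet cert --sign "$host"
        fi
    done
}

# sign_pending DOMAIN: the live version, run on the puppet master.
sign_pending() {
    puppet cert --list | sign_from_list "$1"
}

# Constructed sample of "puppet cert --list" output (not real output).
SAMPLE_LIST='  "client1.chinadba.cc" (SHA256) 11:22:33
  client2.chinadba.cc (44:55:66)
  "web01.example.org" (SHA256) 77:88:99'

# Demo: show which commands would run for the domain chinadba.cc.
DRY_RUN=1
printf '%s\n' "$SAMPLE_LIST" | sign_from_list chinadba.cc
# prints:
# puppet cert --sign client1.chinadba.cc
# puppet cert --sign client2.chinadba.cc
# (and on stderr: skipped (not under chinadba.cc): web01.example.org)
```

On the master, run `sign_pending chinadba.cc` with DRY_RUN unset to sign for real; the skipped names on stderr are the ones to investigate before signing by hand.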
8) Test
vim /etc/puppet/manifests/site.pp and add the following:
node default {
  file { "/tmp/test.txt":
    content => "hello chinadba",
  }
}
On the client, run cat /tmp/test.txt to check the result; if there are errors, fix them according to the error messages in /var/log/messages.
Note: the process configuration of puppet and puppet master themselves will be filled in step by step in the documents that follow.
The files under configuration management will be generated by a PHP program to be developed, so there is no need to understand puppet's obscure domain-specific language.
Extending puppet
Reason for extending: the webrick server built into puppetmaster performs poorly and cannot support a larger number of clients.
For now we scale vertically; later, as the number of clients grows, we will scale out horizontally step by step.
Method: since puppetmaster essentially runs over HTTP, scale vertically by fronting it with apache and passenger.
yum install httpd.x86_64 httpd-devel.x86_64 -y
yum install mod_ssl -y
gem install rack
gem install passenger
passenger-install-apache2-module
Note: gcc, make, autoconf and automake must be installed before installing passenger.
vim /etc/httpd/conf.d/10_passenger.conf
LoadModule passenger_module /usr/lib64/ruby/gems/1.8/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib64/ruby/gems/1.8/gems/passenger-3.0.18
PassengerRuby /usr/bin/ruby
PassengerHighPerformance on
PassengerUseGlobalQueue on
# PassengerMaxPoolSize controls the number of application instances,
# typically 1.5x the number of processor cores.
PassengerMaxPoolSize 6
# Restart the ruby process after handling a specific number of requests to work around the MRI memory leak.
PassengerMaxRequests 4000
# Shut down idle Passenger instances after 30 min.
PassengerPoolIdleTime 1800
# End of /etc/httpd/conf.d/10_passenger.conf
Next, configure an apache virtual host that listens on port 8140, and modify the config.ru file.
vim /etc/httpd/conf.d/20_puppetmaster.conf
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    # Puppet master should generate initial CA certificate.
    # ensure certs are located in /var/lib/puppet/ssl
    # Change puppet.example.com to the fully qualified domain name of the Puppet master, i.e.
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster1.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster1.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled
    # disable next line if Apache complains about CRL
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # optional to allow CSR request, required if certificates distributed to client during
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    # The following client headers record authentication information for down stream workers.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    RackAutoDetect On
    DocumentRoot /etc/puppet/rack/puppetmaster/public/
    <Directory /etc/puppet/rack/puppetmaster/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
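The vhost is only as trustworthy as the key and CA files it points at, and a typo in one of those paths only shows up when Apache refuses to start. The script below is an added example, not part of the original article: it extracts every uncommented SSL*File directive from a vhost file, checks that the referenced file exists, and checks that the private key is not readable by other users. The sample vhost and its empty certificate files are constructed in a temporary directory; the script assumes a Linux/POSIX find that supports -perm -004.

```shell
#!/bin/sh
# Added example (not from the original article): verify the files that an
# Apache SSL vhost references. Every uncommented SSL*File directive
# (certificate, key, chain, CA, CRL) is checked for existence, and the
# private key is additionally checked for being readable by "other".
# Assumes find -perm -004 (POSIX: "other has read permission").
# Usage: check_ssl_files /etc/httpd/conf.d/20_puppetmaster.conf

# check_ssl_files CONF: print one line per directive:
#   OK|MISSING|WORLD_READABLE <directive> <path>
check_ssl_files() {
    # Only directives at the start of a line (after optional whitespace);
    # commented-out lines such as "# SSLCARevocationFile ..." are ignored.
    awk '/^[[:space:]]*SSL[A-Za-z]*File[[:space:]]+/ { print $1, $2 }' "$1" |
    while read -r directive path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
        elif [ "$directive" = SSLCertificateKeyFile ] && [ -n "$(find "$path" -perm -004)" ]; then
            echo "WORLD_READABLE $directive $path"
        else
            echo "OK $directive $path"
        fi
    done
}

# ssl_files_ok CONF: succeed only if every directive reported OK.
ssl_files_ok() {
    ! check_ssl_files "$1" | grep -qv '^OK '
}

# build_sample_vhost: create a throwaway directory holding constructed
# (empty) cert/key/CA files and a vhost fragment modelled on the
# article's 20_puppetmaster.conf; prints the path of the fragment.
# The chain file is deliberately not created, to show a MISSING result.
build_sample_vhost() {
    d=$(mktemp -d)
    for f in cert.pem key.pem ca_crt.pem ca_crl.pem; do : > "$d/$f"; done
    chmod 644 "$d/cert.pem" "$d/ca_crt.pem" "$d/ca_crl.pem"
    chmod 600 "$d/key.pem"
    cat > "$d/vhost.conf" <<EOF
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile $d/cert.pem
    SSLCertificateKeyFile $d/key.pem
    SSLCertificateChainFile $d/chain.pem
    SSLCACertificateFile $d/ca_crt.pem
    # SSLCARevocationFile $d/ca_crl.pem
    SSLCARevocationFile $d/ca_crl.pem
</VirtualHost>
EOF
    echo "$d/vhost.conf"
}

# Demo on the constructed sample: four OK lines and one MISSING line
# (the commented-out CRL line is not reported).
SAMPLE_VHOST=$(build_sample_vhost)
check_ssl_files "$SAMPLE_VHOST"
```

Point check_ssl_files at the real 20_puppetmaster.conf after the puppet master has generated its CA; a WORLD_READABLE line for the key means the file mode under /var/lib/puppet/ssl/private_keys needs tightening before Apache is started.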
Installing puppet-dashboard to display reports
The official yum repository has no rpm package for puppet-dashboard, so install it from the downloaded source.
Preparation before installing:
MySQL
yum install mysql mysql-server mysql-devel ruby-mysql
rubygems
Testing showed that only rubygems 1.3.7 works with the latest puppet, so install rubygems version 1.3.7:
ruby setup.rb
Installation
Just download puppet-dashboard.
Configuration
Configuring puppet-dashboard
Configuration takes four steps:
1) Edit database.yml to specify the database
2) Use ruby's rake command to create the database from the edited database.yml: # rake RAILS_ENV=production db:create
3) Populate the database: # rake RAILS_ENV=production db:migrate
4) Set timezone in settings.yml to 'Beijing'
First run puppet-dashboard under webrick for testing, then switch to running dashboard under passenger to improve performance (the passenger configuration was given above).
./script/server -e production
Integrating puppet and puppet-dashboard
Edit the client-side puppet.conf
[agent]
report = true
Edit the server-side puppet.conf
[master]
reports = store,http
reporturl = http://puppet.chinadba.cc:80/reports/upload
Developing a web application to isolate users from puppet
Develop an automated management application that isolates users from puppet: they operate only through the web UI and need not know how to use puppet or write its configuration.