一、功能說明
Marionette Collective(MCollective)是一個與Puppet關係密切的服務運行框架。
MC依賴Ruby1.9.3或1.8.7,通過Stomp協議通信,因此依賴rubygem 1.2.2+
在puppet客戶端上安裝Mcollective服務端
在puppet服務端上安裝Mcollective客戶端
在puppet服務端或單獨安裝MQ中間件
參考官方文檔:https://docs.puppetlabs.com/mcollective/deploy/standard.html
二、安裝ActiveMQ
1. 說明
RabbitMQ是一個實現了高級消息排隊協議(AMQP)的消息隊列服務。 RabbitMQ基於OTP(Open Telecom Platform,開發電信平臺)進行構建, 並使用Erlang語言和運行時環境來實現。
ActiveMQ 是Apache出品,最流行的,能力強勁的開源消息總線。 ActiveMQ 是一個完全支持JMS1.1和J2EE 1.4規範的 JMS Provider實現
如果是單獨安裝需要設置主機名、HOSTS、puppet認證,這裏是安裝在puppet服務端。
2. 安裝
[root@puppet ~]# yum install -y tanukiwrapper activemq-info-provider [root@puppet ~]# yum install -y activemq
下載慢,失敗了幾次,多試試
3. 配置
修改配置前最好備份下,並啓動服務查看下進程是否運行
[root@puppet ~]# cp /etc/activemq/activemq.xml /etc/activemq/activemq.xml.bak [root@puppet ~]# vi /etc/activemq/activemq.xml #<>標籤要按字母順序排列,在標籤<persistenceAdapter>後添加 <plugins> <simpleAuthenticationPlugin> <users> <authenticationUser username="admin" password="admin@123" groups="mcollective,admins,everyone"/> #賬號"mcollective"將用於mc客戶端配置 <authenticationUser username="mcollective" password="mcopwd123" groups="mcollective,everyone"/> </users> </simpleAuthenticationPlugin> <authorizationPlugin> <map> <authorizationMap> <authorizationEntries> <authorizationEntry queue=">" write="admins" read="admins" admin="admins" /> <authorizationEntry topic=">" write="admins" read="admins" admin="admins" /> <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" /> <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" /> <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/> </authorizationEntries> </authorizationMap> </map> </authorizationPlugin> </plugins> #修改連接端口標籤,只保留需要的即可(另外要注意的是註釋附號內部不能包含註釋符號) <transportConnectors> <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/> </transportConnectors>
Reloading httpd: not reloading due to configuration syntax error
自動生成的httpd配置會導致httpd啓動報錯,proxy配置不對,可以不用這個配置也能訪問
[root@puppet ~]# mv /etc/httpd/conf.d/activemq-httpd.conf /etc/httpd/conf.d/activemq-httpd.conf.bak
4. 啓動
[root@puppet ~]# service activemq restart [root@puppet ~]# chkconfig activemq on [root@puppet ~]# netstat -tnlp |grep java tcp 0 0 :::61613 :::* LISTEN 5644/java tcp 0 0 :::47248 :::* LISTEN 5644/java tcp 0 0 :::8161 :::* LISTEN 5644/java [root@puppet ~]# tailf /var/log/activemq/activemq.log [root@puppet ~]# iptables -I INPUT -p tcp --dport 8161 -j ACCEPT [root@puppet ~]# iptables -I INPUT -p tcp --dport 61613 -j ACCEPT [root@puppet ~]# service iptables save
5. 訪問
http://IP:8161/admin/
三、安裝MC客戶端
1. 安裝
安裝在puppetmaster服務器上,使用root賬號運行MC相關命令,採用puppetmaster的證書
MC客戶端不需要啓動進程
[root@puppet ~]# yum -y install mcollective-*
2. 配置
修改配置前備份下配置文件
[root@puppet ~]# mv /etc/mcollective/client.cfg /etc/mcollective/client.cfg.bak
這裏不使用ssl連接activemq,因爲生成keystory.jks證書時失敗,待解決
[root@puppet ~]# vi /etc/mcollective/client.cfg
main_collective = mcollective collectives = mcollective libdir = /usr/libexec/mcollective logfile = /var/log/mcollective.log loglevel = info daemonize = 1 #Active MQ connector settings: connector = activemq direct_addressing = 1 plugin.activemq.pool.size = 1 #activemq服務器地址、端口、用戶賬號 plugin.activemq.pool.1.host = puppetmaster.ewin.com plugin.activemq.pool.1.port = 61613 plugin.activemq.pool.1.user = mcollective plugin.activemq.pool.1.password = mcopwd123 #啓用ssl連接activemq,使用MC服務器的puppet證書 #plugin.activemq.pool.1.ssl = 1 #plugin.activemq.pool.1.ssl.ca = /var/lib/puppet/ssl/certs/ca.pem #plugin.activemq.pool.1.ssl.cert = /var/lib/puppet/ssl/certs/puppetmaster.ewin.com.pem #plugin.activemq.pool.1.ssl.key = /var/lib/puppet/ssl/private_keys/puppetmaster.ewin.com.pem #plugin.activemq.pool.1.ssl.fallback = 0 #SSL seurity plugin settings 安全插件默認爲PSK: securityprovider = ssl plugin.ssl_server_public = /var/lib/puppet/ssl/certs/mcollective-servers.pem plugin.ssl_client_public = /var/lib/puppet/ssl/certs/puppetmaster.ewin.com.pem plugin.ssl_client_private = /var/lib/puppet/ssl/private_keys/puppetmaster.ewin.com.pem # Facts factsource = yaml plugin.yaml = /etc/mcollective/facts.yaml
mcollective-servers.pem證書在下一步中生成。
將文件中的puppet服務器主機名修改成你自己的:
:%s/puppetmaster.ewin.com/puppet.yourdomain.cn/g
四、安裝MC服務端
說明:既然有puppet了,就不必一臺一臺來安裝MC服務端了,這裏寫個mcollective模塊推送到puppet agent。
I、Linux系統
1、 創建目錄
在puppet master服務器中創建mcollective模塊需要的目錄
[root@puppet ~]# mkdir -p /etc/puppet/modules/mcollective/{manifests,templates,files}
[root@puppet ~]# mkdir -p /etc/puppet/modules/mcollective/files/pem/clients2、 創建類
[root@puppet ~]# vi /etc/puppet/modules/mcollective/manifests/init.pp
class mcollective{
#/etc/activemq/activemq.xml中配置的mcollective用戶的密碼,變量會傳遞到erb模塊中
$activemq_server = "puppetmaster.ewin.com"
$mcollective_password = "mcopwd123"
package { ['mcollective','mcollective-puppet-agent','mcollective-service-agent']:
ensure => installed,
}
service { 'mcollective':
ensure => running,
enable => true,
require => Package['mcollective'],
}
#通過SVN提交的,需要過濾.svn目錄
file { '/etc/mcollective':
ensure => directory,
source => 'puppet:///modules/mcollective/pem',
ignore => '.svn',
owner => root,
group => root,
mode => '0640',
recurse => remote,
notify => Service['mcollective'],
}
file { '/etc/mcollective/server.cfg':
ensure => file,
owner => root,
group => root,
mode => 400,
content => template("mcollective/server.cfg.erb"),
notify => Service['mcollective'],
}
}3、 創建配置文件模板
[root@puppet ~]# vi /etc/puppet/modules/mcollective/templates/server.cfg.erb
main_collective = mcollective collectives = mcollective libdir = /usr/libexec/mcollective logfile = /var/log/mcollective.log loglevel = info daemonize = 1 connector = activemq direct_addressing = 1 plugin.activemq.pool.size = 1 plugin.activemq.pool.1.host = <%= @activemq_server %> plugin.activemq.pool.1.port = 61613 plugin.activemq.pool.1.user = mcollective plugin.activemq.pool.1.password = <%= @mcollective_password %> securityprovider = ssl plugin.ssl_client_cert_dir = /etc/mcollective/clients plugin.ssl_server_private = /etc/mcollective/server_private.pem plugin.ssl_server_public = /etc/mcollective/server_public.pem #plugin.puppet.resource_allow_managed_resources = true #plugin.puppet.resource_type_whitelist = exec,file factsource = yaml plugin.yaml = /etc/mcollective/facts.yaml registerinterval = 600
4、 生成證書
生成共享證書,將會同步給節點
[root@puppet ~]# puppet cert generate mcollective-servers Notice: mcollective-servers has a waiting certificate request Notice: Signed certificate request for mcollective-servers Notice: Removing file Puppet::SSL::CertificateRequest mcollective-servers at '/var/lib/puppet/ssl/ca/requests/mcollective-servers.pem' Notice: Removing file Puppet::SSL::CertificateRequest mcollective-servers at '/var/lib/puppet/ssl/certificate_requests/mcollective-servers.pem' [root@puppet ~]# cp /var/lib/puppet/ssl/private_keys/mcollective-servers.pem /etc/puppet/modules/mcollective/files/pem/server_private.pem [root@puppet ~]# cp /var/lib/puppet/ssl/public_keys/mcollective-servers.pem /etc/puppet/modules/mcollective/files/pem/server_public.pem [root@puppet ~]# chmod 644 /etc/puppet/modules/mcollective/files/pem/server_*
將MC客戶端(puppetmaster)證書同步給節點
[root@puppet ~]# cp /var/lib/puppet/ssl/certs/puppetmaster.ewin.com.pem /etc/puppet/modules/mcollective/files/pem/clients/ [root@puppet ~]# chmod 644 /etc/puppet/modules/mcollective/files/pem/clients/*
5、 節點更新
(1)、未安裝foreman
[root@puppet ~]# vi /etc/puppet/manifests/puppetagent.pp
node "puppetagent.ewin.com" {
include mcollective
}
[root@puppet ~]# vi /etc/puppet/manifests/site.pp
import "puppetagent.pp"
[root@puppet ~]# vi /etc/puppet/puppet.conf
[agent]
report = true
server = puppetmaster.ewin.com節點上Puppet agent進程需要關閉, 會導致agent不主動同步master, 需要在master設置crontab定期執行mco puppet runonce
[root@puppet ~]# service puppet stop [root@puppet ~]# chkconfig puppet off [root@puppet ~]# puppet agent -t
(2)、已安裝foreman
如果事先部署了foreman,需要在foreman頁面->配置->Puppet類-從Puppet-Proxy導入->選擇聯接的環境->主機中編輯puppetagent->類標籤中添加mcollective模塊->在節點上執行puppet agent -t
[root@puppet ~]# service puppet stop [root@puppet ~]# chkconfig puppet off [root@puppet ~]# puppet agent -t
II、Windows系統
1、 軟件說明
(1)、 ruby
windows上需要安裝ruby來運行mcollective
下載rubyinstaller-1.9.3-p551.exe
(2)、 mcollective
mcollective本身並沒有相應的windows服務端安裝包
http://repo.mornati.net/mcollective/
下載2.3.2下的mcollective_2_3_2_Setup.exe
先安裝ruby才能運行bat腳本安裝gem包和安裝服務
(3)、 puppet插件
https://github.com/puppetlabs/mcollective-puppet-agent/releases
1.7.1版本無法正常加載puppet agent,插件 1.6.1就沒問題
解壓後將裏面的文件複製粘貼到c:\mcollective\plugins\mcollective,提示替換時同意替換
(4)、 ssl密鑰
密鑰文件將被上傳到客戶端的以下路徑
c:\mcollective\etc\ssl\clients\puppetmaster.ewin.com.pem
c:\mcollective\etc\ssl\server_private.pem
c:\mcollective\etc\ssl\server_public.pem
2、 win-mcollective模塊
(1)、模塊目錄結構
在puppet的module下創建win-mcollective模塊目錄:
在files目錄下還有兩個程序沒有在上圖顯示:
mcollective_2_3_2_Setup.exe
rubyinstaller-1.9.3-p551.exe
(2)、 files
下載ruby、mcollective程序,以及解壓後的mcollective-puppet-agent插件。
將puppet服務端證書文件存放在files下的相應位置。
(3)、 manifests
init.pp
class win-mcollective{
$activemq_server = "puppetmaster.ewin.com"
$mcollective_password = "mcopwd123"
$mcollective_path = "C:\Program Files\mcollective"
include win-mcollective::install,win-mcollective::config,win-mcollective::service
}install.pp
class win-mcollective::install {
if $operatingsystem == "windows" {
$filepath = "C:/Users/Administrator/Downloads"
$installdir = "C:/Program Files"
Exec{ path => ["${installdir}/Ruby193/bin","C:/Windows/system32","${installdir}/Puppet Labs/Puppet/bin" ] }
#安裝ruby
file { 'ruby':
path => "${filepath}/rubyinstaller-1.9.3-p551.exe",
ensure => file,
owner => 'Administrator',
mode => '0755',
group => 'Administrators',
source => 'puppet:///modules/win-mcollective/rubyinstaller-1.9.3-p551.exe',
}
exec { 'ruby':
command => 'cmd.exe /c Start "puppet-install" /w "C:/Users/Administrator/Downloads/rubyinstaller-1.9.3-p551.exe" /SILENT /DIR="C:/Program Files/Ruby193"',
provider => 'windows',
creates => "${installdir}/Ruby193/bin/ruby.exe",
require=> File['ruby'],
}
#安裝mcollective
file { 'mcollective':
path => "${filepath}/mcollective_2_3_2_Setup.exe",
ensure => file,
owner => 'Administrator',
mode => '0755',
group => 'Administrators',
source => 'puppet:///modules/win-mcollective/mcollective_2_3_2_Setup.exe',
}
exec { 'mcollective':
command => 'cmd.exe /c Start "puppet-install" /w "C:/Users/Administrator/Downloads/mcollective_2_3_2_Setup.exe" /SILENT /DIR="C:/Program Files/mcollective"',
provider => 'windows',
creates => "${installdir}/mcollective/bin/mco.bat",
require => File['mcollective'],
}
# 安裝gem包
exec { 'install_gems':
command => 'cmd.exe /c gem install -l -f "C:/Program Files/mcollective/gems/*.gem"',
provider => 'windows',
unless => 'cmd.exe /c gem list --local | findstr win32-dir',
require => [Exec['ruby'],Exec['mcollective']],
}
# 安裝服務
exec { 'install_service':
command => 'cmd.exe /c C:/Progra~1/mcollective/bin/register_service.bat',
provider => 'windows',
unless => 'cmd.exe /c net start | find "The Marionette Collective"',
require => Exec['install_gems'],
}
#puppet插件和aq連接認證文件
file { "${installdir}/mcollective/plugins/mcollective":
ensure => directory,
ignore => '.svn',
source_permissions => ignore,
source => 'puppet:///modules/win-mcollective/mcollective-puppet-agent-1.6.1',
recurse => true,
require => Exec['mcollective'],
}
file { "${installdir}/mcollective/etc/ssl":
ensure => directory,
ignore => '.svn',
source_permissions => ignore,
source => 'puppet:///modules/win-mcollective/pem',
recurse => true,
require => Exec['mcollective'],
}
}
}config.pp
class win-mcollective::config {
file { 'C:\\Progra~1\\mcollective\\etc\\server.cfg':
ensure => present,
content => template("win-mcollective/server.cfg.erb"),
notify => Class['win-mcollective::service'],
require => Class['win-mcollective::install'],
}
}service.pp
class win-mcollective::service {
service { 'mcollectived':
ensure => running,
enable => true,
require => Class['win-mcollective::config'],
}
}(3)、 templates
server.cfg.erb
main_collective = mcollective collectives = mcollective libdir = <%= @mcollective_path %>\plugins;C:\Program Files\Puppet Labs\Puppet\puppet\lib;C:\Program Files\Puppet Labs\Puppet\facter\lib logfile = <%= @mcollective_path %>\mcollective.log loglevel = info daemonize = 1 securityprovider = ssl plugin.ssl_client_cert_dir = <%= @mcollective_path %>\etc\ssl\clients plugin.ssl_server_private = <%= @mcollective_path %>\etc\ssl\server_private.pem plugin.ssl_server_public = <%= @mcollective_path %>\etc\ssl\server_public.pem connector = activemq plugin.activemq.pool.size = 1 plugin.activemq.pool.1.host = <%= @activemq_server %> plugin.activemq.pool.1.port = 61613 plugin.activemq.pool.1.user = mcollective plugin.activemq.pool.1.password = <%= @mcollective_password %> plugin.puppet.command = "C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat" agent plugin.puppet.config = C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf factsource = yaml plugin.yaml = <%= @mcollective_path %>\etc\facts.yaml
小結:以上完成後就可以使用MCO命令了,詳見下一編文章。
五、整合Foreman
1、 說明
要求:Mcollective+ActiveMQ部署完成,且mco puppet -v runonce命令運行成功
實現:在foreman上通過mcollective觸發puppet agent命令
2、 設置
在foreman頁面上設置puppetrun爲true
3、 配置
[root@puppet ~]# vi /etc/foreman-proxy/settings.d/puppet.yml
:enabled: true :puppet_conf: /etc/puppet/puppet.conf :puppet_provider: mcollective
[root@puppet ~]# chmod u+w /etc/sudoers.d/foreman-proxy [root@puppet ~]# vi /etc/sudoers.d/foreman-proxy
foreman-proxy ALL = NOPASSWD : /usr/bin/puppet cert *, /usr/bin/mco puppet runonce * Defaults:foreman-proxy !requiretty
重啓服務
[root@puppet ~]# /etc/init.d/foreman-proxy restart
4、 計劃
前文提到要關閉agent的puppet服務,需要使用計劃來執行mco命令,執行同步
[root@puppet ~]# crontab -e
SHELL=/bin/bash */1 * * * * /usr/bin/mco puppet runonce *
測試下每分鐘執行命令; 正常後改爲*/30每半小時
[root@puppet ~]# service crond reload
查看計劃日誌
[root@puppet ~]# tailf -n 3 /var/log/cron
Apr 25 16:22:01 puppetmaster CROND[11613]: (root) CMD (/usr/bin/mco puppet runonce *) Apr 25 16:23:01 puppetmaster CROND[11713]: (root) CMD (/usr/bin/mco puppet runonce *) Apr 25 16:24:01 puppetmaster CROND[11823]: (root) CMD (/usr/bin/mco puppet runonce *)
查看foreman報告
5、 測試
foreman頁面上-主機-選擇執行-運行puppet:(不選擇主機時,“選擇執行”下拉菜單不會顯示)
查看日誌
[root@puppet ~]# tailf /var/log/foreman-proxy/proxy.log 10.188.1.53 - - [23/Apr/2015 16:19:19] "POST /run HTTP/1.1" 200 - 0.5008
開啓debug模式,顯示更詳細的信息,排錯的時候使用
[root@puppet ~]# vi /etc/foreman-proxy/settings.yml :log_level: DEBUG
六、遇到過的錯誤
1、 activemq啓動不了
activemq not runnin
[root@puppet ~]#
沒有裝java工具tanukiwrapper
2、節點連接activemq失敗
[root@puppetagent ~]# tailf /var/log/mcollective.log I, [2015-04-23T14:21:44.337723 #11451] INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp://[email protected]:61613 failed on attempt 9
puppet模塊mcollective中類定義裏的activemq_server值寫錯了
3、mco命令執行失敗
/etc/activemq/activemq.xml和 /etc/mcollective/client.cfg中的用戶密碼必須一致
4、運行PUPPET失敗排錯
(1)、查看日誌
[root@puppet ~]# t
這是由於在puppetmaster上應用了puppet模塊,把puppet.conf配置沖掉了
WARN -- : Non-null exit code when executing '/usr/bin/sudo/usr/bin/mcopuppetrunonce-It-search01-55.ewin.com'
http://www.pythian.com/blog/some-observations-of-puppetrun-with-foreman/
(2)、檢查puppetmaster
mcollective mcollective-common 是否安裝
foreman-proxy 是否正常啓動
activemq 是否連接正常
mco ping 是否檢測到客戶端
mco puppet runonce -I agent.ewin.com 是否成功執行
mco inventory puppetagent.ewin.com 是否成功安裝puppet插件
(3)、檢查puppetagent
mcollective-puppet mcollective-client 是否安裝
/var/log/mcollective.log 查看日誌是否有錯誤信息
系統時間是否正常