1. Environment preparation
OS: CentOS 6.4
Firewall: connections from the agents to port 8140 on the master must be allowed.
Hostnames: Puppet requires every node's hostname to have forward or reverse DNS resolution. DNS configuration is not covered here; /etc/hosts is edited directly instead (the default Puppet master hostname is "puppet").
Time check: the clocks of all nodes must be accurate and must not drift far apart, otherwise the SSL communication will fail.
Add a cron entry: */5 * * * * ntpdate s2c.time.edu.cn &> /dev/null
Three virtual machines:
Bind /etc/hosts on each host according to your own setup:
cat >> /etc/hosts <<EOF
192.168.188.20 master.dbsa.cn
192.168.188.21 agent1.dbsa.cn
192.168.188.22 agent2.dbsa.cn
EOF
2. Installing Puppet
Install the yum repository:
rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
Install the Puppet master:
yum install puppet-server-3.7.3 -y   # /etc/init.d/puppetmaster is the start-up script; do not start the service yet
Install the Puppet agent:
yum install puppet-3.7.3 -y   # /etc/init.d/puppet is the start-up script; do not start the service yet
3. For a Puppet master in a production environment, pay attention to the following points:
a) Set the Puppet master's hostname, then create the certificates.
# dns_alt_names sets the list of hostnames for the puppet master; several can be given, separated by commas
/etc/puppet/puppet.conf
[main]
dns_alt_names = puppet,master.dbsa.cn

# Running the command below creates the puppet master and CA certificates
puppet master --verbose --no-daemonize

# The puppet master certificate can also be created on its own with the following command
puppet cert generate <MASTER'S CERTNAME> --dns_alt_names <ALT NAME 1>,<ALT NAME 2>
b) Some necessary settings (for reference).
/etc/puppet/puppet.conf (on the master)
# log
reports = http                                        # log, http, tagmail
reporturl = http://localhost:3000/reports/upload      # requires reports = http

# enc
node_terminus = exec                                  # plain, exec
external_nodes = /path/node.rb                        # requires node_terminus = exec

# puppetdb
storeconfigs = true
storeconfigs_backend = puppetdb

# static
catalog_terminus = static_compiler                    # static compilation: trades some CPU for a shorter catalog apply time and fewer HTTPS requests; site.pp must then contain filebucket { puppet: path => false; }

# ca cert
ca = true
ca_ttl = 5y
autosign = $confdir/autosign.conf                     # autosign.conf lists the agent certificate names (patterns allowed) that may be signed automatically

/etc/puppet/puppet.conf (on the agent)
server = puppet            # default is "puppet"
certname = agent           # the node's certificate name; defaults to the current hostname
report = true              # send a Puppet report to the master after each run
pluginsync = true          # enable syncing of facter plugins, etc.
runinterval = 30m          # run interval when Puppet runs as a daemon
splay = false              # whether to add a pseudo-random delay before each run so that many agents do not all run at once
splaylimit = 2m            # maximum delay for a run
configtimeout = 120        # how long the agent waits when retrieving its configuration
The current Puppet master configuration is:
cat > /etc/puppet/puppet.conf <<EOF
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = \$vardir/ssl
    syslogfacility = local6
[agent]
    classfile = \$vardir/classes.txt
    localconfig = \$vardir/localconfig
[master]
    reports = log
    ca = true
    dns_alt_names = puppet,master.dbsa.cn
    autosign = true
EOF
The current Puppet agent configuration is:
cat > /etc/puppet/puppet.conf <<EOF
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = \$vardir/ssl
    syslogfacility = local6
[agent]
    classfile = \$vardir/classes.txt
    localconfig = \$vardir/localconfig
    server = master.dbsa.cn
    report = true
    configtimeout = 120
EOF
/etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages
local6.*                                                /var/log/puppet/puppet.log

/etc/init.d/rsyslog restart
With the configuration above, the master signs agent certificates automatically and the agents send their run logs to the Puppet master.
Commands for viewing the configuration:
puppet config print
puppet config print --section master
puppet config print --section agent

Certificate management commands on the master:
puppet cert list --all     # list all certificates
puppet cert clean <name>   # remove the named certificate
puppet cert sign <name>    # sign the named certificate
puppet cert sign --all     # sign all pending certificates
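The master above uses autosign = true, which signs every certificate request that reaches it, whereas section b) points at autosign = $confdir/autosign.conf. The following is an added example, not from the original post, of the allow-list check that such a file expresses (one exact certname or one *.domain glob per line, '#' starts a comment), run against constructed certnames; the allow-list contents and the file path are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether a pending
# certificate request may be auto-signed by matching its certname against an
# autosign.conf-style allow-list (one exact certname or *.domain glob per line,
# '#' starts a comment), instead of the blanket 'autosign = true' used above.
# The allow-list contents and certnames below are constructed for the demo.

# autosign_allowed CERTNAME CONF_FILE -> returns 0 if a line matches, else 1
autosign_allowed() {
    certname=$1
    conf=$2
    [ -r "$conf" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop whitespace
        [ -n "$line" ] || continue
        # an unquoted case pattern gives the same '*' glob semantics as autosign.conf:
        # '*.dbsa.cn' matches agent1.dbsa.cn but not agent1.dbsa.cn.evil.example.com
        case "$certname" in
            $line) return 0 ;;
        esac
    done < "$conf"
    return 1
}

# Constructed allow-list for this post's domain
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# only our own hosts may be signed without review
*.dbsa.cn
build01.lab.internal   # one extra host by exact name
EOF

for name in agent1.dbsa.cn build01.lab.internal \
            agent1.dbsa.cn.evil.example.com rogue.example.com; do
    if autosign_allowed "$name" "$demo_conf"; then
        echo "sign    $name"
    else
        echo "reject  $name  (review it and run 'puppet cert sign' by hand)"
    fi
done
rm -f "$demo_conf"
```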
c) Create a simple module and manifest
cat > /etc/puppet/manifests/site.pp <<EOF
# "default" is the default node; any host that is not listed explicitly is matched by it
node default {
  # load the base module
  include base
}
# /agent2/ selects the host by regular expression; an exact match such as 'agent2.dbsa.cn' also works
node /agent2/ {
  # load the base module
  include base
  # print a message
  notify { "hello world": }
}
EOF

# create a base module
mkdir -p /etc/puppet/modules/base/{manifests,lib,files,templates}
cat > /etc/puppet/modules/base/manifests/init.pp <<EOF
# a class named base that declares one file resource: /tmp/test is created with the content "hello world"
class base {
  file { "/tmp/test":
    owner   => root,
    group   => root,
    mode    => 644,
    content => "hello world";
  }
}
EOF
/etc/init.d/puppetmaster restart
Running Puppet on the agents
[root@agent1 ~]# puppet agent --verbose --no-daemonize
Notice: Starting Puppet client version 3.7.3
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent1.dbsa.cn
Info: Applying configuration version '1417016408'
Notice: /Stage[main]/Base/File[/tmp/test]/ensure: defined content as '{md5}5eb63bbbe01eeed093cb22bb8f5acdc3'
Notice: Finished catalog run in 0.03 seconds

[root@agent2 ~]# puppet agent --verbose --no-daemonize
Notice: Starting Puppet client version 3.7.3
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent2.dbsa.cn
Info: Applying configuration version '1417016408'
Notice: /Stage[main]/Base/File[/tmp/test]/ensure: defined content as '{md5}5eb63bbbe01eeed093cb22bb8f5acdc3'
Notice: hello world
Notice: /Stage[main]/Main/Node[agent2]/Notify[hello world]/message: defined 'message' as 'hello world'
Notice: Finished catalog run in 0.06 seconds
d) Configure nginx to replace the default WEBrick
yum install ruby-devel rubygems gcc gcc-c++ make -y
yum install curl-devel openssl-devel zlib-devel pcre-devel -y

# switch the gem source to the Taobao mirror; inside China, updates from the official source may fail or be very slow because of the GFW
gem sources -a https://ruby.taobao.org/
gem sources --remove http://rubygems.org/
gem sources -l
gem install rake -v 10.4.0 -V
gem install rack -v 1.5.2 -V
gem install passenger -v 3.0.19 -V

# install nginx...
cd /tmp
wget http://mirrors.sohu.com/nginx/nginx-1.6.2.tar.gz
tar xf nginx-1.6.2.tar.gz

# build nginx with the passenger module
passenger-install-nginx-module
# choose 1, then choose 2, then enter /tmp/nginx-1.6.2 and /usr/local/nginx in turn, and press Enter through the remaining prompts...

# puppet rack
mkdir -p /etc/puppet/rack/public
cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack
chown -R puppet.puppet /etc/puppet/rack
Nginx configuration file:
cat > /usr/local/nginx/conf/nginx.conf <<EOF
user root;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19;
    passenger_ruby /usr/bin/ruby;
    passenger_max_pool_size 32;

    include mime.types;
    default_type application/octet-stream;

    log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                    '\$status "\$http_referer" '
                    '"\$http_user_agent" "\$http_x_forwarded_for" '
                    '\$upstream_addr \$upstream_cache_status \$upstream_status';

    sendfile on;
    keepalive_timeout 65;

    include /usr/local/nginx/conf/puppet.conf;
}
EOF

# $HOSTNAME is deliberately left unescaped below: the shell expands it while writing the file,
# so it must equal the master's certname (master.dbsa.cn here) for the certificate paths to exist
cat > /usr/local/nginx/conf/puppet.conf <<EOF
server {
    listen 8140 ssl;
    server_name _;
    root /etc/puppet/rack/public;
    access_log /usr/local/nginx/logs/access-8140.log main;

    passenger_enabled on;
    passenger_use_global_queue on;
    # the master takes the agent identity from these two headers, so nginx must set them from the TLS handshake
    passenger_set_cgi_param HTTP_X_CLIENT_DN \$ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY \$ssl_client_verify;

    ssl_certificate /var/lib/puppet/ssl/certs/$HOSTNAME.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/$HOSTNAME.pem;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_prefer_server_ciphers on;
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    ssl_session_timeout 5m;
    # RC4 and SSLv2-era suites are weak; a modern list such as HIGH:!aNULL:!MD5 is preferable
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
}
EOF
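With nginx in front of the master, the TLS client-certificate check and the two passenger_set_cgi_param headers are what authenticate an agent, and the CRL is what makes "puppet cert clean" take effect. The following is an added example, not from the original post, of a small audit over an nginx server block for those settings; the server block it reads is a constructed copy of the relevant lines from the puppet.conf above, and the audit function name is made up.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the nginx server block
# for port 8140 for the settings that decide whether an agent is authenticated
# at all. The server block below is a constructed copy of the relevant lines
# from the post's nginx puppet.conf; the directive names are real nginx/passenger ones.

# audit_puppet_vhost CONF_FILE -> prints one line per finding, returns 1 if any
audit_puppet_vhost() {
    conf=$1
    rc=0
    # the agent certificate must be checked against the Puppet CA ...
    grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+(on|optional);' "$conf" \
        || { echo "FAIL ssl_verify_client off: agent certificates are never checked"; rc=1; }
    grep -Eq '^[[:space:]]*ssl_client_certificate[[:space:]]' "$conf" \
        || { echo "FAIL ssl_client_certificate missing: no CA to verify against"; rc=1; }
    # ... and certificates removed with 'puppet cert clean' only stop working via the CRL
    grep -Eq '^[[:space:]]*ssl_crl[[:space:]]' "$conf" \
        || { echo "FAIL ssl_crl missing: cleaned certificates stay valid"; rc=1; }
    # the master trusts these two headers for identity, so nginx itself must set them
    for h in HTTP_X_CLIENT_DN HTTP_X_CLIENT_VERIFY; do
        grep -Eq "passenger_set_cgi_param[[:space:]]+$h[[:space:]]" "$conf" \
            || { echo "FAIL $h is not set from the TLS handshake"; rc=1; }
    done
    # RC4 and SSLv2-era suites should not be offered
    grep -E '^[[:space:]]*ssl_ciphers' "$conf" | grep -Eq 'RC4|SSLv2' \
        && { echo "WARN ssl_ciphers enables RC4/SSLv2-era suites"; rc=1; }
    return $rc
}

# Constructed server block carrying the post's settings
demo=$(mktemp)
cat > "$demo" <<'EOF'
server {
    listen 8140 ssl;
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_verify_client optional;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
}
EOF
if audit_puppet_vhost "$demo"; then echo "OK: no findings"; fi
rm -f "$demo"
```

Run against the block above it reports only the cipher warning; drop one of the ssl_* or passenger_set_cgi_param lines and the corresponding FAIL appears.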
Nginx start-up script:
cat > /etc/init.d/nginx <<EOF
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \\
#              proxy and IMAP/POP3 proxy server
# processname: nginx
# config:      /usr/local/nginx/conf/nginx.conf
# pidfile:     /usr/local/nginx/logs/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "\$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=\$(basename \$nginx)

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

lockfile=/var/lock/subsys/nginx

start() {
    [ -x \$nginx ] || exit 5
    [ -f \$NGINX_CONF_FILE ] || exit 6
    echo -n \$"Starting \$prog: "
    daemon \$nginx -c \$NGINX_CONF_FILE
    retval=\$?
    echo
    [ \$retval -eq 0 ] && touch \$lockfile
    return \$retval
}

stop() {
    echo -n \$"Stopping \$prog: "
    killproc \$prog -QUIT
    retval=\$?
    echo
    [ \$retval -eq 0 ] && rm -f \$lockfile
    return \$retval
}

restart() {
    configtest || return \$?
    stop
    start
}

reload() {
    configtest || return \$?
    echo -n \$"Reloading \$prog: "
    killproc \$nginx -HUP
    RETVAL=\$?
    echo
}

force_reload() {
    restart
}

configtest() {
    \$nginx -t -c \$NGINX_CONF_FILE
}

rh_status() {
    status \$prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "\$1" in
    start)
        rh_status_q && exit 0
        \$1
        ;;
    stop)
        rh_status_q || exit 0
        \$1
        ;;
    restart|configtest)
        \$1
        ;;
    reload)
        rh_status_q || exit 7
        \$1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        ;;
    *)
        echo \$"Usage: \$0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
EOF
chmod +x /etc/init.d/nginx
e) Start the Puppet master service
/etc/init.d/puppetmaster stop
/etc/init.d/nginx start
chkconfig puppetmaster off
chkconfig nginx on