I. Set up Puppet and use it to distribute HAProxy
1. Set up the Master service
- Install the packages
yum automatically installs the Ruby environment.
puppet]# ll
total 1704
-rw-r--r-- 1 root root 100420 Aug 20 07:44 facter-2.4.6-1.el7.x86_64.rpm
-rw-r--r-- 1 root root 1615716 Aug 20 07:44 puppet-3.8.7-1.el7.noarch.rpm
-rw-r--r-- 1 root root 23028 Aug 20 07:44 puppet-server-3.8.7-1.el7.noarch.rpm
puppet]# yum install ./*.rpm
=========================================================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================================================
Installing:
facter x86_64 1:2.4.6-1.el7 /facter-2.4.6-1.el7.x86_64 273 k
puppet noarch 3.8.7-1.el7 /puppet-3.8.7-1.el7.noarch 6.3 M
puppet-server noarch 3.8.7-1.el7 /puppet-server-3.8.7-1.el7.noarch 4.9 k
Installing for dependencies:
hiera noarch 1:1.3.4-5.el7 epel 25 k
libselinux-ruby x86_64 2.5-14.1.el7 development 121 k
ruby x86_64 2.0.0.648-33.el7_4 development 71 k
ruby-augeas x86_64 0.5.0-1.el7 epel 23 k
ruby-irb noarch 2.0.0.648-33.el7_4 development 92 k
ruby-libs x86_64 2.0.0.648-33.el7_4 development 2.8 M
ruby-shadow x86_64 1.4.1-23.el7 epel 14 k
rubygem-bigdecimal x86_64 1.2.0-33.el7_4 development 83 k
rubygem-io-console x86_64 0.4.2-33.el7_4 development 54 k
rubygem-json x86_64 1.7.7-33.el7_4 development 79 k
rubygem-psych x86_64 2.0.0-33.el7_4 development 82 k
rubygem-rdoc noarch 4.0.0-33.el7_4 development 322 k
rubygems noarch 2.0.14.1-33.el7_4 development 219 k
- List the files in the server package
rpm -ql puppet-server
----------------------------------------------------------
/etc/puppet/environments
/etc/puppet/environments/example_env
/etc/puppet/environments/example_env/README.environment
/etc/puppet/environments/example_env/manifests
/etc/puppet/environments/example_env/modules
/etc/puppet/fileserver.conf
/etc/puppet/manifests
/usr/lib/systemd/system/puppetmaster.service
/usr/share/man/man8/puppet-ca.8.gz
/usr/share/man/man8/puppet-master.8.gz
----------------------------------------------------------
- Start
Start it in the foreground to observe how the server side works; in real use, just start the service directly.
puppet master --no-daemonize --verbose
----------------------------------------------------------
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): E3:4F:5C:92:8C:5A:5D:59:65:4B:E3:8A:2B:5E:A7:D8:EF:44:66:18:3C:B8:8B:57:67:89:85:EF:49:CB:CF:33
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for client.ilinux.io
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for client.ilinux.io
Info: Certificate Request fingerprint (SHA256): A2:49:F7:93:C7:AA:4D:5F:C6:F0:B5:C1:7C:3C:8B:66:03:67:90:5F:5B:0D:2F:85:DB:9C:E0:1B:9E:4F:9D:F3
Notice: client.ilinux.io has a waiting certificate request
Notice: Signed certificate request for client.ilinux.io
Notice: Removing file Puppet::SSL::CertificateRequest client.ilinux.io at '/var/lib/puppet/ssl/ca/requests/client.ilinux.io.pem'
Notice: Removing file Puppet::SSL::CertificateRequest client.ilinux.io at '/var/lib/puppet/ssl/certificate_requests/client.ilinux.io.pem'
Notice: Starting Puppet master version 3.8.7
----------------------------------------------------------
2. Set up the agent service
- Install the packages
ll *.rpm
-rw-r--r-- 1 root root 100420 Aug 20 08:40 facter-2.4.6-1.el7.x86_64.rpm
-rw-r--r-- 1 root root 1615716 Aug 20 08:40 puppet-3.8.7-1.el7.noarch.rpm
yum -y install *.rpm
- Configure
Set the master's hostname here. It cannot be an IP address, so the hosts file must be configured.
vim /etc/puppet/puppet.conf
--------------------------------------------------------------
[agent]
server = master.ilinux.io
--------------------------------------------------------------
- Start
systemctl start puppetagent
- View the output on the server side
Info: access[^/catalog/([^/]+)$]: allowing 'method' find
Info: access[^/catalog/([^/]+)$]: allowing $1 access
Info: access[^/node/([^/]+)$]: allowing 'method' find
Info: access[^/node/([^/]+)$]: allowing $1 access
Info: access[/certificate_revocation_list/ca]: allowing 'method' find
Info: access[/certificate_revocation_list/ca]: allowing * access
Info: access[^/report/([^/]+)$]: allowing 'method' save
Info: access[^/report/([^/]+)$]: allowing $1 access
Info: access[/file]: allowing * access
Info: access[/certificate/ca]: adding authentication any
Info: access[/certificate/ca]: allowing 'method' find
Info: access[/certificate/ca]: allowing * access
Info: access[/certificate/]: adding authentication any
Info: access[/certificate/]: allowing 'method' find
Info: access[/certificate/]: allowing * access
Info: access[/certificate_request]: adding authentication any
Info: access[/certificate_request]: allowing 'method' find
Info: access[/certificate_request]: allowing 'method' save
Info: access[/certificate_request]: allowing * access
Info: access[/v2.0/environments]: allowing 'method' find
Info: access[/v2.0/environments]: allowing * access
Info: access[/]: adding authentication any
Info: Inserting default '/status' (auth true) ACL
Info: Not Found: Could not find certificate haproxy.ilinux.io
Info: Not Found: Could not find certificate haproxy.ilinux.io
Info: Not Found: Could not find certificate haproxy.ilinux.io
Info: Not Found: Could not find certificate haproxy.ilinux.io
Info: Not Found: Could not find certificate haproxy.ilinux.io
- List the pending client certificate signing requests
puppet cert list
- Confirm and sign the client certificates
puppet cert sign --all
- A possible error: “Server hostname ‘master.ilinux.io’ did not match server certificate”
~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Server hostname 'master.ilinux.io' did not match server certificate; expected one of master.localdomain, DNS:master.localdomain, DNS:puppet, DNS:puppet.localdomain
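Check which hostname the server certificate was actually issued for, then change the hostname and the /etc/hosts entries so that they all use that name.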
~]# puppet cert fingerprint --all
master.localdomain (SHA256) 6A:8C:65:31:65:8C:09:9C:9D:18:A4:02:5A:B5:06:85:5D:08:15:15:93:7A:FE:B4:27:68:A9:A0:97:F0:A2:FF
haproxy.ilinux.io (SHA256) D8:69:EB:AE:9F:0E:3B:20:1C:AB:B6:C7:0A:EB:D1:7A:6A:37:E0:25:13:C4:41:C1:E5:1B:FF:35:48:5C:7C:69
web1.ilinux.io (SHA256) ED:DB:85:C6:34:56:33:A8:ED:1C:BE:CB:56:7A:5A:20:65:4B:8C:C1:2A:48:8B:C2:5A:EA:DB:34:EF:5C:BD:B8
web2.ilinux.io (SHA256) 0C:B0:C1:42:60:35:58:62:EC:FB:F2:AF:B4:25:4C:68:03:9C:2E:10:3D:E9:D7:08:4C:10:13:CA:91:26:E9:BE
~]# cat /etc/hosts
--------------------------------------------------------------
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.30.101 master.localdomain
192.168.30.102 haproxy.ilinux.io
192.168.30.100 web1.ilinux.io
192.168.30.104 web2.ilinux.io
--------------------------------------------------------------
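The signing step above uses `puppet cert sign --all`, which signs every pending request. The added example below (not part of the original post) signs one named request only after its fingerprint matches the value read on the agent itself. The function names and sample fingerprints are constructed, and the `"certname" (SHA256) fingerprint` layout of `puppet cert list` is an assumption.

```shell
#!/bin/sh
# Added example: approve a pending CSR only when its fingerprint matches
# the one obtained out-of-band on the agent (e.g. `puppet agent --fingerprint`).

# Constructed sample of `puppet cert list` output; fingerprints are made up.
# Assumed line layout:  "certname" (SHA256) AA:BB:...
SAMPLE_PENDING='  "haproxy.ilinux.io" (SHA256) 11:22:33:44:AA:BB
  "web1.ilinux.io" (SHA256) 55:66:77:88:CC:DD
  "web9.ilinux.io" (SHA256) 99:00:AB:CD:EF:01'

# pending_fingerprint CERTNAME
# Reads `puppet cert list` output on stdin and prints the fingerprint
# recorded for exactly CERTNAME (prints nothing if it is not pending).
pending_fingerprint() {
    awk -v want="\"$1\"" '$1 == want { print toupper($NF) }'
}

# verify_csr CERTNAME EXPECTED_FINGERPRINT
# Returns 0 only if CERTNAME is pending and its fingerprint equals EXPECTED.
verify_csr() {
    got=$(pending_fingerprint "$1")
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# sign_decision CERTNAME EXPECTED_FINGERPRINT
# Prints the per-host signing command, or a refusal. On a real master,
# feed `puppet cert list` into verify_csr instead of SAMPLE_PENDING.
sign_decision() {
    if printf '%s\n' "$SAMPLE_PENDING" | verify_csr "$1" "$2"; then
        echo "puppet cert sign $1"
    else
        echo "REFUSE $1"
    fi
}

sign_decision haproxy.ilinux.io 11:22:33:44:aa:bb   # fingerprint agrees
sign_decision web9.ilinux.io 00:00:00:00:00:00      # unexpected request
```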
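3. Write the HAProxy module on the Master
- Configure the site manifest
The site.pp file acts as the site's entry point: it matches each agent host to the resources it is allowed to access. It also supports pattern matching on host names.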
vim /etc/puppet/manifests/site.pp
--------------------------------------
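node 'haproxy.ilinux.io' {
  include haproxy
}
# Node regexes match anywhere in the name, so anchor with ^ and $
# to match only web1.ilinux.io and web2.ilinux.io.
node /^web[12]\.ilinux\.io$/ {
  include httpd
}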
--------------------------------------
- Show the module directories
]# puppet config print modulepath
--------------------------------------
/etc/puppet/modules:/usr/share/puppet/modules
--------------------------------------
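- Build the module directory structure
It is best to test thoroughly on the local machine first, then copy the module into this directory.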
]# cd /etc/puppet/modules
]# mkdir haproxy/{manifests,files,lib,templates,spec,tests} -pv
]# tree
------------------------------
.
└── haproxy
    ├── files       # static files
    ├── lib         # plugins
    ├── manifests   # manifests
    ├── spec        # usage help and examples for the plugins
    ├── templates   # template files
    └── tests       # usage help or example files for this module
------------------------------
- Write the module code
The module's class name must be the same as the module name.
]# vim /etc/puppet/modules/haproxy/manifests/init.pp
------------------------------
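class haproxy {
  # Install the haproxy package
  package{'haproxy':
    ensure => installed,
  }
  # Deploy the config file served from the module's files/ directory
  file{'haproxy.cfg':
    path   => '/etc/haproxy/haproxy.cfg',
    source => 'puppet:///modules/haproxy/haproxy.cfg',
  }
  # Keep the service running and enabled at boot
  service{'haproxy':
    ensure => running,
    enable => true,
  }
  # Package first, then the config file; a config change notifies the service
  Package['haproxy'] -> File['haproxy.cfg'] ~> Service['haproxy']
}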
------------------------------
4. Write the httpd module
- Build the module directory structure
]# cd /etc/puppet/modules
]# mkdir httpd/{manifests,files,lib,templates,spec,tests} -pv
- Write the module code
]# vim /etc/puppet/modules/httpd/manifests/init.pp
------------------------------
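class httpd {
  # Install the httpd package
  package{'httpd':
    ensure => installed,
  }
  # Deploy the index page served from the module's files/ directory
  file{'index.html':
    path   => '/var/www/html/index.html',
    source => 'puppet:///modules/httpd/index.html',
  }
  # Keep the service running and enabled at boot
  service{'httpd':
    ensure => running,
    enable => true,
  }
  # Package first, then the file; a file change notifies the service
  Package['httpd'] -> File['index.html'] ~> Service['httpd']
}
------------------------------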
5. Test the result
- Debug run
puppet apply -d -v --noop --modulepath=/root/puppet/modules -e "include haproxy"
- Copy into the modules directory
cp -a /root/puppet/modules/* /etc/puppet/modules/
- Test run on the client
~]# systemctl stop puppetagent
~]# puppet agent --test --noop
- Open the site in a browser
- Possible problems
The site.pp site manifest file is not defined:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: undefined method `include?' for nil:NilClass
- Problem caused by unsynchronized clocks
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: master.localdomain]