Puppet centralized configuration management system

Lab environment: server6: server
                 server7: client

The server and client must be able to resolve each other's hostnames, their clocks must agree, and the firewall and SELinux must be turned off on both.

1. Installation

Server: yum install -y puppet-server-3.8.1-1.el6.noarch.rpm \
    puppet-3.8.1-1.el6.noarch.rpm \
    facter-2.4.4-1.el6.x86_64.rpm \
    hiera-1.3.4-1.el6.noarch.rpm \
    rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm \
    ruby-augeas-0.4.1-3.el6.x86_64.rpm \
    rubygems-1.3.7-5.el6.noarch.rpm

/etc/init.d/puppetmaster start

Client: yum install -y puppet-3.8.1-1.el6.noarch.rpm \
    facter-2.4.4-1.el6.x86_64.rpm \
    rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm \
    ruby-augeas-0.4.1-3.el6.x86_64.rpm \
    hiera-1.3.4-1.el6.noarch.rpm \
    rubygems-1.3.7-5.el6.noarch.rpm

2. Connecting and certificate signing

Manual signing:

Client: puppet agent --server=server6.example.com --no-daemonize -vt
Server: puppet cert list                       # lists the clients waiting for a signature
        puppet cert sign server7.example.com   # signs the certificate request from server7
Run puppet agent --server=server6.example.com --no-daemonize -vt on server7 again; it now reports that the certificate has been signed.
puppet cert list --all                         # lists every signed certificate

Autosigning:

Server: vim /etc/puppet/puppet.conf
Under [main] add autosign = true, which accepts the certificate request of every client.
vim /etc/puppet/autosign.conf
*.example.com    # allows every host in the example.com domain
Client: puppet agent --server=server6.example.com --no-daemonize -vt    # the certificate is signed automatically
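With autosign = true the master signs whatever certificate request arrives, so any host that can reach port 8140 and chooses a certname becomes a managed node; a glob in autosign.conf such as *.example.com narrows that only to hosts that claim a matching name. The following script is an added example, not part of the original post: it reads the master's puppet.conf and autosign.conf and reports which of the three situations applies. It assumes the Puppet 3 file formats used above (ini-style puppet.conf, one certname or glob per line in autosign.conf) and does not handle policy-based autosigning via an executable.

```shell
#!/bin/sh
# Added example (not from the original post): classify a master's autosign
# policy from puppet.conf and autosign.conf. Assumes the Puppet 3 formats:
# ini-style puppet.conf, one certname or glob per line in autosign.conf.

# Print the effective "autosign" value from puppet.conf. A value in [master]
# overrides one in [main]; prints nothing when the key is not set at all.
autosign_setting() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/\[|\]|[ \t]/, "", section); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0; sub(/#.*/, "", line)
            n = split(line, kv, "=")
            if (n < 2) next
            key = kv[1]; gsub(/[ \t]/, "", key)
            if (key != "autosign") next
            val = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section == "master") master = val
            else if (section == "main") main = val
        }
        END { if (master != "") print master; else if (main != "") print main }
    ' "$1"
}

# True (exit 0) when a non-comment line of an autosign.conf contains a glob,
# e.g. "*.example.com" or "*": every certname matching it is signed unattended.
autosign_conf_has_wildcard() {
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -q '\*'
}

# $1 = puppet.conf, $2 = the default autosign.conf next to it.
# Exit status: 0 = requests wait for "puppet cert sign" or must match an
# explicit certname; 1 = autosign = true, every request is signed;
# 2 = a glob in autosign.conf signs every matching certname.
audit_autosign() {
    puppet_conf="$1"; autosign_conf="$2"
    setting=$(autosign_setting "$puppet_conf")
    case "$setting" in
        true)
            echo "autosign = true: every certificate request is signed"
            return 1 ;;
        false)
            echo "autosign = false: requests wait for 'puppet cert sign'"
            return 0 ;;
        "") ;;                          # unset: Puppet 3 falls back to $confdir/autosign.conf
        *)  autosign_conf="$setting" ;; # a path names an alternative autosign file
    esac
    if autosign_conf_has_wildcard "$autosign_conf"; then
        echo "glob entry in $autosign_conf: matching certnames are signed unattended"
        return 2
    fi
    echo "autosign limited to explicit certnames in $autosign_conf (or manual signing)"
    return 0
}

# Usage on the master from the post:
#   audit_autosign /etc/puppet/puppet.conf /etc/puppet/autosign.conf
```

Exit status 1 or 2 is the state the post's autosign configuration produces; the manual "puppet cert sign" flow, or autosign.conf entries naming each client, yields 0.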

 

Removing a certificate:

Server: puppet cert --clean server7.example.com
Client: rm -rf /var/lib/puppet/ssl/*

The /etc/puppet configuration directory is organized as follows:

/etc/puppet
|-- puppet.conf        # main configuration file; puppet --genconfig prints every option
|-- fileserver.conf    # file server configuration
|-- auth.conf          # authentication/authorization configuration
|-- autosign.conf      # autosigning configuration
|-- tagmail.conf       # mail configuration (sends error reports)
|-- manifests          # manifest directory (puppet reads the .pp files here first, starting with site.pp)
|   |-- nodes
|   |   `-- puppetclient.pp
|   |-- site.pp        # defines puppet variables and default settings
|   `-- modules.pp     # loads class modules (include syslog)
`-- modules            # module definitions
    `-- syslog         # syslog as an example
        |-- files
        |-- manifests
        |   `-- init.pp    # class definition
        `-- templates      # template directory of the module
            `-- syslog.erb # erb template

Puppet resource definitions

All resources below are defined in /etc/puppet/manifests/site.pp. When no node is specified they apply to every client whose certificate has been signed.

1. Creating files

##### After the run, a file named testfile containing "test" exists in the given directory
file { "/opt/testfile":
  content => "test"
}

##### Distributing files from the files directory
Where the files are stored:
mkdir /etc/puppet/files
cp /etc/passwd /etc/puppet/files/

##### Configuration file
vim /etc/puppet/fileserver.conf

[files]
  path /etc/puppet/files
  allow *.example.com

/etc/init.d/puppetmaster reload

##### Synchronizing the passwd file
file { "/mnt/passwd":
  source => "puppet:///files/passwd"   # the real directory behind this URL is /etc/puppet/files
}

2. Package definitions

package {
  "httpd":
    ensure => present;   ### note the syntax: resources are separated by ";", the attributes of one resource by ","
  "vsftpd":
    ensure => absent     ### present: install; absent: remove
}

3. Service definitions

service {
  "httpd":
    ensure => running;
  "vsftpd":
    ensure => stopped
}

4. Group definition

group { "test":
  gid => 1000
}

5. User definition

user { "test":
  uid      => 1000,
  gid      => 1000,
  home     => "/home/test",
  shell    => "/bin/bash",
  password => "westos"
}

file { "/home/test":
  owner  => "test",
  group  => "test",
  mode   => "700",
  ensure => directory
}

file { "/home/test/.bash_logout":
  source => "/etc/skel/.bash_logout",
  owner  => "test",
  group  => "test"
}

file { "/home/test/.bash_profile":
  source => "/etc/skel/.bash_profile",
  owner  => "test",
  group  => "test"
}

file { "/home/test/.bashrc":
  source => "/etc/skel/.bashrc",
  owner  => "test",
  group  => "test"
}

exec { "echo westos | passwd --stdin test":
  path   => "/usr/bin:/usr/sbin:/bin",   ### search path for the commands
  onlyif => "id test"                    ### runs only if user test exists
}
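The user resource above passes the plaintext "westos" as password, and the exec repeats it on a command line that every node runs; the plaintext therefore sits in the manifest, in the catalog and in process listings. Puppet's user type expects the crypt(3) hash that belongs in /etc/shadow (the ruby-shadow package installed above is what lets it write that field), so the hash can be generated on the admin workstation and only the hash put into the manifest. The script below is an added example, not code from the original post: it produces the hash, refuses anything that is not hash-shaped, and renders the user resource. It assumes OpenSSL 1.1.1 or newer for openssl passwd -6; managehome is the user type's attribute for creating the home directory from /etc/skel.

```shell
#!/bin/sh
# Added example (not from the original post): keep plaintext passwords out of
# the manifest by rendering the user resource with a crypt(3) hash.
# Assumes OpenSSL >= 1.1.1 for "openssl passwd -6"; the rest is POSIX sh.

# Hash a plaintext read from stdin with SHA-512 crypt ($6$...).
make_password_hash() {
    openssl passwd -6 -stdin
}

# Accept only crypt(3) hashes ($1$ md5, $5$ sha256, $6$ sha512). Exit 1 for
# anything else, which is what would otherwise land verbatim in the hash
# field of /etc/shadow.
is_crypt_hash() {
    case "$1" in
        '$1$'*|'$5$'*|'$6$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a user resource for name $1, uid/gid $2 and hash $3; refuse plaintext.
# managehome => true creates the home directory from /etc/skel, which covers
# the four file resources of the post.
render_user_resource() {
    name="$1"; uid="$2"; hash="$3"
    if ! is_crypt_hash "$hash"; then
        echo "refusing to render '$name': password is not a crypt hash" >&2
        return 1
    fi
    cat <<EOF
user { '$name':
  ensure     => present,
  uid        => $uid,
  gid        => $uid,
  home       => '/home/$name',
  shell      => '/bin/bash',
  managehome => true,
  password   => '$hash',
}
EOF
}

# Usage on the admin workstation (the node never sees the plaintext):
#   hash=$(printf '%s\n' 'westos' | make_password_hash)
#   render_user_resource test 1000 "$hash" > /etc/puppet/manifests/nodes/test_user.pp
```

The rendered resource replaces both the user block and the exec above; the group resource stays as it is.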

 

6. Mounting a filesystem

file { "/public":
  ensure => directory
}

mount { "/public":
  device  => "172.25.60.5:/var/ftp/pub",
  fstype  => "nfs",
  options => "defaults",
  ensure  => mounted    ### to unmount, change to absent
}

This mounts the filesystem automatically and keeps /etc/fstab in sync.

7. Cron jobs

cron { "echo":
  command => "/bin/echo `/bin/date` >> /tmp/echo",
  user    => root,
  hour    => ['2-4'],
  minute  => '*/10'
}

The job is created under /var/spool/cron on the client.

Definitions for different nodes

1. vim /etc/puppet/manifests/site.pp

import "nodes/*.pp"   ### loads the per-node files; the earlier definitions become the default node
node default {
}

2. mkdir /etc/puppet/manifests/nodes
vim /etc/puppet/manifests/nodes/server7.pp   ### node files must end in .pp

node 'server7.example.com' {   ### must be the hostname of the client
  include httpd                # loads the httpd module
}

Defining the httpd module:

mkdir -p /etc/puppet/modules/httpd/{files,manifests,templates}
cd /etc/puppet/modules/httpd/manifests

vim install.pp   ### what to install
class httpd::install {
  package { "httpd":
    ensure => present
  }
}

vim config.pp   ### the configuration file
class httpd::config {
  file { "/etc/httpd/conf/httpd.conf":
    ensure  => present,
    source  => "puppet:///modules/httpd/httpd.conf",
    ##### the real path is /etc/puppet/modules/httpd/files/httpd.conf
    require => Class["httpd::install"],
    notify  => Class["httpd::service"]   #### once the configuration file has been delivered, tell the service class to reload the service
  }
}

vim service.pp   ##### the service
class httpd::service {
  service { "httpd":
    ensure  => running,
    require => Class["httpd::install", "httpd::config"]
  }
}

vim init.pp   #### the class that ties the parts together
class httpd {
  include httpd::install, httpd::config, httpd::service
}

/etc/init.d/puppetmaster reload
On server7: puppet agent --server=server6.example.com --no-daemonize -vt

Creating virtual hosts from a template

Edit the httpd.conf placed in files earlier: enable name-based virtual hosting with NameVirtualHost *:80.

Templates live in the templates directory and end in .erb.

vim /etc/puppet/modules/httpd/manifests/init.pp

define httpd::vhost($domainname) {
  file { "/etc/httpd/conf.d/${domainname}_vhost.conf":
    content => template("httpd/httpd_vhost.conf.erb"),
    require => Class["httpd::install", "httpd::config"],
    notify  => Class["httpd::service"]
  }
  file { "/var/www/$domainname":
    ensure => directory
  }
  file { "/var/www/$domainname/index.html":
    content => $domainname
  }
}

vim /etc/puppet/modules/httpd/templates/httpd_vhost.conf.erb

<VirtualHost *:80>
    ServerName <%= domainname %>
    DocumentRoot /var/www/<%= domainname %>
    ErrorLog logs/<%= domainname %>_error.log
    CustomLog logs/<%= domainname %>_access.log common
</VirtualHost>

vim /etc/puppet/manifests/nodes/server7.pp

node 'server7.example.com' {
  include httpd
  httpd::vhost { 'server7.example.com':
    domainname => "server7.example.com",
  }
  httpd::vhost { 'www7.example.com':
    domainname => "www7.example.com",
  }
}

Installing Puppet Dashboard (web-based management of puppet)

Packages and dependencies:

yum install puppet-dashboard-1.2.23-1.el6.noarch.rpm mysql-server \
    rubygem-rake-0.8.7-2.1.el6.noarch.rpm \
    ruby-mysql-2.8.2-1.el6.x86_64.rpm

Oversized packets with MySQL 5.1: importing data with a client may abort with error 1153 - Got a packet bigger than 'max_allowed_packet' bytes. The following setting fixes it:
vim /etc/my.cnf
[mysqld]
max_allowed_packet = 32M   #### add this line

Configuring the database:
/etc/init.d/mysqld start
mysql> CREATE DATABASE dashboard_production CHARACTER SET utf8;
mysql> CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'westos';
mysql> GRANT ALL PRIVILEGES ON dashboard_production.* TO 'dashboard'@'localhost';

cd /usr/share/puppet-dashboard/
vim config/database.yml   #### keep only the production section
production:
  database: dashboard_production
  username: dashboard
  password: westos
  encoding: utf8
  adapter: mysql

Changing the default time zone:
vim /usr/share/puppet-dashboard/config/settings.yml
time_zone: 'Beijing'

rake RAILS_ENV=production db:migrate
# creates the database tables dashboard needs; if it fails, run the statements the error message asks for

Start the service: /etc/init.d/puppet-dashboard start
cd /usr/share/puppet-dashboard/log
chmod 666 production.log
/etc/init.d/puppet-dashboard-workers start

vim /etc/puppet/puppet.conf   # add under [main]:
reports = http
reporturl = http://172.25.60.6:3000/reports
/etc/init.d/puppetmaster restart

On server7, in /etc/puppet/puppet.conf add under [agent]:
report = true
/etc/init.d/puppet start
Open http://172.25.60.6:3000

Once puppet is installed on the client and its certificate has been signed, the results are visible. How does the client synchronize with the server automatically, how often does it do so by default, and how is that interval changed? This is configured on the client:

(1) puppet parameters and the sync interval:
# vi /etc/sysconfig/puppet
PUPPET_SERVER=puppet.example.com        # address of the puppet master
PUPPET_PORT=8140                        # port puppet listens on
PUPPET_LOG=/var/log/puppet/puppet.log   # local puppet log
#PUPPET_EXTRA_OPTS=--waitforcert=500    [default sync time; I leave this line unchanged]

(2) With the default configuration the client synchronizes with the server every half hour; this interval can be changed.

(3) # vi /etc/puppet/puppet.conf
[agent]
runinterval = 60   # synchronize with the server every 60 seconds

Restart the puppet service.

Nginx + Passenger:

By default puppet handles HTTPS requests with Ruby's WEBrick HTTP server. On a single server WEBrick can be replaced with Apache/Nginx + Passenger; Passenger is an Apache/Nginx module that embeds and runs Ruby applications, which provides load balancing for puppet.

yum install -y gcc gcc-c++ curl-devel zlib-devel openssl-devel ruby-devel
gem install passenger-5.0.15.gem rack-1.6.4.gem

gem list   # lists the local gems
json
passenger
rack
rake

tar zxf nginx-1.8.0.tar.gz -C /mnt
Run passenger-install-nginx-module

The other options can be left at their defaults or adjusted as needed.
Stop the puppetmaster service.
Nginx is installed under /opt/nginx by default; edit nginx.conf:

#user nobody;
worker_processes 4;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    use epoll;
    worker_connections 4096;
}

http {
    # must match the passenger gem version actually installed (see gem list above)
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.58;
    passenger_ruby /usr/bin/ruby;
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    server {
        listen 8140;
        server_name server6.example.com;
        root /etc/puppet/rack/public;
        passenger_enabled on;
        # pass the client certificate result to puppet, which uses it for authorization
        passenger_set_header X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;

        ssl on;
        ssl_session_timeout 5m;
        ssl_certificate /var/lib/puppet/ssl/certs/server6.example.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/server6.example.com.pem;
        ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        ssl_verify_client optional;
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        ssl_prefer_server_ciphers on;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;
    }
}
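Two settings in the server block above deserve a second look before the master goes live: ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA still positively enables RC4 suites, and no ssl_protocols line is given, so nginx 1.8.0 falls back to its default, which at that version still includes SSLv3. The script below is an added example, not part of the original post: it pulls the ssl_* directives out of an nginx config, flags cipher tokens that enable weak suites, checks the protocol list, and prints the directives this example would use instead. The directive names are nginx's; the weak-token list and the replacement values are this example's own policy.

```shell
#!/bin/sh
# Added example (not from the original post): lint the ssl_* directives of a
# puppet-master server block. Directive names are nginx's own; what counts as
# weak, and the replacement directives, are this example's policy.

# Print the value of directive $1 from config file $2 (first match, without
# the trailing ";"); prints nothing when the directive is absent.
nginx_directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$2" | head -n 1
}

# True (exit 0) when an OpenSSL cipher string positively enables RC4, export,
# LOW, NULL, MD5 or single-DES suites, or the SSLv2 alias. Tokens that start
# with "-" or "!" remove suites and are ignored. The post's string
# "SSLv2:-LOW:-EXPORT:RC4+RSA" matches on SSLv2 and on RC4+RSA.
ssl_ciphers_has_weak() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | grep -E -q '^(SSLv2|RC4|EXP|EXPORT|LOW|aNULL|eNULL|NULL|MD5|DES)(\+|$)'
}

# Directives this example would use instead (same key/cert paths as the post).
hardened_ssl_directives() {
    cat <<'EOF'
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
ssl_prefer_server_ciphers on;
EOF
}

# Lint config $1. Prints findings; the exit status is the number of findings
# (0 = nothing to fix). ssl_verify_client optional is reported but not
# counted: agents must reach the CA endpoints before they own a certificate,
# and auth.conf decides what an unauthenticated request may do.
lint_nginx_tls() {
    conf="$1"; findings=0
    ciphers=$(nginx_directive ssl_ciphers "$conf")
    if [ -n "$ciphers" ] && ssl_ciphers_has_weak "$ciphers"; then
        echo "ssl_ciphers enables weak suites: $ciphers"
        findings=$((findings + 1))
    fi
    protos=$(nginx_directive ssl_protocols "$conf")
    case "$protos" in
        ""|*SSLv2*|*SSLv3*)
            # nginx before 1.9.1 (the post builds 1.8.0) enables SSLv3 by default
            echo "ssl_protocols unset or allows SSLv2/SSLv3: '${protos:-unset}'"
            findings=$((findings + 1)) ;;
    esac
    if [ "$(nginx_directive ssl_verify_client "$conf")" = "optional" ]; then
        echo "note: ssl_verify_client optional admits unauthenticated clients; auth.conf must restrict them"
    fi
    return "$findings"
}

# Usage on the master from the post:
#   lint_nginx_tls /opt/nginx/conf/nginx.conf; hardened_ssl_directives
```

Running it against the block above yields two findings; after replacing the ssl_ciphers line with the printed directives it yields none, and nginx -t confirms the file still parses.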

Comment out the following lines:

cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/
chown puppet.puppet /etc/puppet/rack/config.ru
/opt/nginx/sbin/nginx -t
/opt/nginx/sbin/nginx

puppetmaster does not need to be started; nginx invokes puppet itself when it starts.
