centos 7.5
puppet-master-1 9.*.*.60
puppet-master-2 9.*.*.61
puppet-master-3 9.*.*.62
puppet-db 9.*.*.63
puppet-haproxy-1 9.*.*.64
puppet-haproxy-2 9.*.*.65
ucarp vip 9.*.*.66
puppet-client-1 9.*.*.67
puppet-psq 9.*.*.68
vip hostname puppet-master
puppet master cert name puppet-master
puppet agent cert name puppet-client
master 节点安装
yum install vim net-tools tree ntp -y
systemctl enable ntpd
systemctl start ntpd
ntpq -p
sudo rpm -Uvh https://yum.puppet.com/puppet5/puppet5-release-el-7.noarch.rpm
yum install epel-release -y
yum install puppetserver -y
yum install httpd httpd-devel mod_ssl ruby-devel rubygems gcc -y
gem install rubygems-update
update_rubygems
gem install rack -v 1.6.10
gem install passenger
yum install gcc-c++ libcurl-devel zlib-devel openssl-devel -y
passenger-install-apache2-module
输出结果:
Please edit your Apache configuration file, and add these lines:
LoadModule passenger_module /usr/local/share/gems/gems/passenger-5.3.4/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /usr/local/share/gems/gems/passenger-5.3.4
PassengerDefaultRuby /usr/bin/ruby
</IfModule>
After you restart Apache, you are ready to deploy any number of web
applications on Apache, with a minimum amount of configuration!
Press ENTER when you are done editing.
--------------------------------------------
Validating installation...
* Checking whether this Passenger install is in PATH... ✓
* Checking whether there are no other Passenger installations... ✓
* Checking whether Apache is installed... ✓
* Checking whether the Passenger module is correctly configured in Apache... AH00557: httpd: apr_sockaddr_info_get() failed for puppet-master
(!)
You did not specify 'LoadModule passenger_module' in any of your Apache
configuration files. Please paste the configuration snippet that this
installer printed earlier, into one of your Apache configuration files, such
as /etc/httpd/conf/httpd.conf.
Detected 0 error(s), 1 warning(s).
Press ENTER to continue.
--------------------------------------------
Deploying a web application
To learn how to deploy a web app on Passenger, please follow the deployment
guide:
https://www.phusionpassenger.com/library/deploy/apache/deploy/
Enjoy Phusion Passenger, a product of Phusion® (www.phusion.nl) :-)
https://www.phusionpassenger.com
Passenger® is a registered trademark of Phusion Holding B.V.
master 节点配置
[root@puppet-master puppet]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
#certname = puppet-master
server = puppetmaster.cn.ibm.com
environment = production
runinterval = 5m
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
storeconfigs = true
storeconfigs_backend = puppetdb
reports = store,puppetdb
[agent]
node_name = facter
node_name_fact = ipaddress_public
#certname = puppet-client.cn.ibm.com
[root@puppetdb ~]# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[main]
server = puppetserver.cn.ibm.com
environment = production
runinterval = 5m
classfile = /var/lib/puppet/state/classes.txt
master提前生成客户端证书
puppet ca generate puppet-client
client 节点生成目录结构
puppet agent --test --server=abc.com
拷贝证书到client目录
scp certs/ca.pem 9.*.*.67:/etc/puppetlabs/puppet/ssl/certs/
scp certs/puppet-client.pem 9.*.*.67:/etc/puppetlabs/puppet/ssl/certs/
scp private_keys/puppet-client.pem 9.*.*.67:/etc/puppetlabs/puppet/ssl/private_keys/
scp public_keys/puppet-client.pem 9.*.*.67:/etc/puppetlabs/puppet/ssl/public_keys/
client 节点配置
[root@zhaofei-test puppet]# cat puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
server = puppetserver.cn.ibm.com
node_name = facter
node_name_fact = ipaddress_public
certname = puppet-client.cn.ibm.com
runinterval = 1h
puppetdb 安装配置。
psq 安装:
13 yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm -y
14 yum install postgresql96* -y
38 /usr/pgsql-9.6/bin/postgresql96-setup initdb
39 systemctl start postgresql-9.6.service
41 su - postgres
9 createuser -DRSP puppetdb
10 createdb -E utf8 -O puppetdb puppetdb
15 psql puppetdb -c 'create extension pg_trgm'
16 cat /var/lib/pgsql/9.6/data/pg_hba.conf
# "local" is for Unix domain socket connections only
#local all all peer
# IPv4 local connections:
#host all all 127.0.0.1/32 ident
# IPv6 local connections:
#host all all ::1/128 ident
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 ident
#host replication postgres ::1/128 ident
host all all 0.0.0.0/0 md5
17 cat /var/lib/pgsql/9.6/data/postgresql.conf
listen_addresses = '*' 修改。
psql -h 9.*.*.68 puppetdb puppetdb 测试。
puppetdb service
yum install puppetdb -y
puppetdb ssl-setup -f
[root@puppet-db puppet]# cat /etc/puppetlabs/puppetdb/conf.d/database.ini
[database]
#classname = org.postgresql.Driver
subprotocol = postgresql
# The database address, i.e. //HOST:PORT/DATABASE_NAME
subname = //puppet-psq:5432/puppetdb
# Connect as a specific user
username = puppetdb
# Use a specific password
password = passw0rd
# How often (in minutes) to compact the database
# gc-interval = 60
# Number of seconds before any SQL query is considered 'slow'; offending
# queries will not be interrupted, but will be logged at the WARN log level.
log-slow-statements = 10
[root@puppet-db puppet]# cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
[jetty]
# IP address or hostname to listen for clear-text HTTP. To avoid resolution
# issues, IP addresses are recommended over hostnames.
# Default is `localhost`.
host = 9.*.*.63
# Port to listen on for clear-text HTTP.
port = 8080
# The following are SSL specific settings. They can be configured
# automatically with the tool `puppetdb ssl-setup`, which is normally
# run during package installation.
# IP address to listen on for HTTPS connections. Hostnames can also be used
# but are not recommended to avoid DNS resolution issues. To listen on all
# interfaces, use `0.0.0.0`.
ssl-host = 0.0.0.0
# The port to listen on for HTTPS connections
ssl-port = 8081
# Private key path
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
# Public certificate path
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
# Certificate authority path
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
# Access logging configuration path. To turn off access logging
# comment out the line with `access-log-config=...`
access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
systemctl restart puppetdb
puppetdb master 安装 。
[root@puppet-master puppet]# yum install puppetdb-termini -y
[root@puppetserver ~]# cat /etc/puppetlabs/puppet/puppetdb.conf
[main]
server_urls = https://puppetdb.cn.ibm.com:8081
[root@puppet-master puppet]# puppet master --configprint route_file
/etc/puppetlabs/puppet/routes.yaml
[root@puppetserver ~]# cat /etc/puppetlabs/puppet/routes.yaml
---
master:
facts:
terminus: puppetdb
cache: yaml
puppet apache
73 mkdir -p /usr/share/puppet/rack/puppetmasterd
74 mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
75 mkdir -p /usr/share/puppet/ext/rack/
76 vim /usr/share/puppet/ext/rack/config.ru
77 ip a
78 cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
79 history
80 chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
81 ip a
82 cd /etc/httpd/conf.d/
83 ls
84 vim puppetmaster.conf
85 systemctl stop puppetserver
86 systemctl start httpd
87 vim /var/log/messages
88 ls
89 vim puppetmaster.conf
90 systemctl start httpd
91 vim /var/log/messages
92 history
[root@puppetserver conf.d]# cat /usr/share/puppet/ext/rack/config.ru
# config.ru for serving the Puppet master under any Rack-compatible web
# server (Passenger/Apache in this deployment). TLS is not handled here; the
# web server in front of this app terminates it.

# Make Puppet's vendored Ruby libraries loadable when they are not already
# on RUBYLIB.
$LOAD_PATH.unshift('/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/')

# Program name reported to the code loaded below.
$0 = "puppet"
require 'puppet'

# "--debug" switches on debug-level logging (remove it once the master is
# running as expected); "--rack" tells the master application that it is
# being served by Rack rather than started from the command line.
ARGV.push("--debug", "--rack")

require 'puppet/application/master'

# This file is evaluated inside a Rack::Builder block, so the application
# has to be handed to `run` right here.
run Puppet::Application[:master].run
vim puppetmaster.conf
# You'll need to adjust the paths in the Passenger config depending on which OS
# you're using, as well as the installed version of Passenger.
# Debian/Ubuntu:
#LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby1.8
# RHEL/CentOS:
#LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby
LoadModule passenger_module /usr/local/share/gems/gems/passenger-5.3.4/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /usr/local/share/gems/gems/passenger-5.3.4
PassengerDefaultRuby /usr/bin/ruby
</IfModule>
# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 12
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600
Listen 8140
<VirtualHost *:8140>
# Make Apache hand off HTTP requests to Puppet earlier, at the cost of
# interfering with mod_proxy, mod_rewrite, etc. See note below.
PassengerHighPerformance On
SSLEngine On
# Only allow high security cryptography. Alter if needed for compatibility.
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on
SSLCertificateFile /etc/puppetlabs/puppet/ssl/certs/puppetserver.cn.ibm.com.pem
SSLCertificateKeyFile /etc/puppetlabs/puppet/ssl/private_keys/puppetserver.cn.ibm.com.pem
SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking. If you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# These request headers are used to pass the client certificate
# authentication information on to the Puppet master process
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
# Apply the right behavior depending on Apache version.
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
ErrorLog /var/log/httpd/puppet-server.example.com_ssl_error.log
CustomLog /var/log/httpd/puppet-server.example.com_ssl_access.log combined
</VirtualHost>
vip 9.*.*.202
yum install epel-release
yum install ucarp
cd /etc/ucarp
cat vip-001.conf
########## SOURCE_ADDRESS 修改为本机ip
VIP_ADDRESS="9.*.*.202"
ID=001
BIND_INTERFACE="eth0"
SOURCE_ADDRESS="9.*.*.201"
PASSWORD="mysecret"
OPTIONS="--shutdown --preempt"
UPSCRIPT=/usr/libexec/ucarp/vip-up
DOWNSCRIPT=/usr/libexec/ucarp/vip-down
cat /usr/libexec/ucarp/vip-up
######### /24 为子网掩码
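#!/bin/sh
# ucarp "up" hook, invoked as `vip-up <interface> <vip> [xparam]` when this
# node becomes master: attaches the VIP to the interface.
#   $1 - interface the VIP is bound to (BIND_INTERFACE in vip-*.conf)
#   $2 - the virtual IP address (VIP_ADDRESS in vip-*.conf)
#   $3 - optional extra value from ucarp's -x/--xparam, if configured; used
#        here as the prefix length so the script need not be edited per subnet
# Exit status is that of `ip`, i.e. non-zero when the address could not be
# added (including when it is already present on the interface).
iface=${1:?missing interface argument}
vip=${2:?missing VIP argument}
# Default keeps the previously hard-coded /24.
prefix=${3:-24}
# stderr is deliberately left open (the earlier version discarded it with
# `exec 2>/dev/null`) so a failed VIP add is visible in the journal/ucarp log.
/sbin/ip address add "${vip}/${prefix}" dev "${iface}"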
cat /usr/libexec/ucarp/vip-down
######### /24 为子网掩码
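#!/bin/sh
# ucarp "down" hook, invoked as `vip-down <interface> <vip> [xparam]` when
# this node stops being master: detaches the VIP from the interface.
#   $1 - interface the VIP was bound to (BIND_INTERFACE in vip-*.conf)
#   $2 - the virtual IP address (VIP_ADDRESS in vip-*.conf)
#   $3 - optional extra value from ucarp's -x/--xparam, if configured; used
#        here as the prefix length so the script need not be edited per subnet
# Exit status is that of `ip`, i.e. non-zero when the address could not be
# removed (including when it was not present on the interface).
iface=${1:?missing interface argument}
vip=${2:?missing VIP argument}
# Default keeps the previously hard-coded /24.
prefix=${3:-24}
# stderr is deliberately left open (the earlier version discarded it with
# `exec 2>/dev/null`) so a failed VIP removal is visible in the journal/ucarp log.
/sbin/ip address del "${vip}/${prefix}" dev "${iface}"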
cat /usr/lib/systemd/system/ucarp\@.service
[Unit]
Description=Common address redundancy protocol daemon, config: vip-%I.conf
After=syslog.target network-online.target
[Service]
PrivateTmp=true
Type=simple
EnvironmentFile=-/etc/ucarp/vip-common.conf
EnvironmentFile=-/etc/ucarp/vip-%I.conf
ExecStart=/usr/sbin/ucarp -i $BIND_INTERFACE -p $PASSWORD -v %I -a $VIP_ADDRESS -s $SOURCE_ADDRESS $OPTIONS -u $UPSCRIPT -d $DOWNSCRIPT
KillMode=control-group
[Install]
WantedBy=multi-user.target
systemctl start ucarp@001
systemctl status ucarp@001
[root@haproxy01 ~]# cat /etc/haproxy/haproxy.cfg
global
daemon # 后台方式运行
nbproc 1
pidfile /usr/local/haproxy/conf/haproxy.pid
defaults
mode tcp #默认的模式mode { tcp|http|health },tcp是4层,http是7层,health只会返回OK
retries 2 #两次连接失败就认为是服务器不可用,也可以通过后面设置
option redispatch #当serverId对应的服务器挂掉后,强制定向到其他健康的服务器
option abortonclose #当服务器负载很高的时候,自动结束掉当前队列处理比较久的链接
maxconn 4096 #默认的最大连接数
timeout connect 5000ms #连接超时
timeout client 30000ms #客户端超时
timeout server 30000ms #服务器超时
#timeout check 2000 #=心跳检测超时
log 127.0.0.1 local0 err #[err warning info debug]
########test1配置#################
listen test1 #这里是配置负载均衡,test1是名字,可以任意
bind 0.0.0.0:8140 #这里是监听的IP地址和端口,端口号可以在0-65535之间,要避免端口冲突
mode tcp #连接的协议,这里是tcp协议
#maxconn 4086
#log 127.0.0.1 local0 debug
server s1 9.*.*.60:8140 #负载的机器
server s2 9.*.*.61:8140 #负载的机器
server s3 9.*.*.62:8140 #负载的机器
rabbitmq cluster install
yum install -y rabbitmq-server
[root@haproxy01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
9.*.*.66 puppetserver.cn.ibm.com
9.*.*.65 haproxy02.cn.ibm.com haproxy02
9.*.*.64 haproxy01.cn.ibm.com haproxy01
node 1
# vim /etc/rabbitmq/rabbitmq.config
[
{rabbitmq_stomp, [{tcp_listeners, [61613]}]}
].
77 rabbitmq-plugins list
78 rabbitmq-plugins enable rabbitmq_management
79 rabbitmq-plugins enable rabbitmq_stomp
systemctl restart rabbitmq-server
scp /var/lib/rabbitmq/.erlang.cookie root@9.*.*.65:/var/lib/rabbitmq/.erlang.cookie
node2
107 rabbitmqctl stop_app
108 rabbitmqctl reset
109 rabbitmqctl join_cluster rabbit@haproxy01
110 rabbitmqctl cluster_status
* rabbitmqctl start_app
112 rabbitmqctl cluster_status
rabbitmq mcollective
342 rabbitmqctl list_users
343 rabbitmqctl add_user mcollective passw0rd
344 rabbitmqctl set_permissions -p "/" mcollective ".*" ".*" ".*"
345 rabbitmqctl list_users
346 rabbitmqctl set_user_tags mcollective administrator
347 rabbitmqctl set_user_tags mcollective administrator
348 rabbitmqctl list_users
349 rabbitmqctl add_vhost /mcollective
rabbitmqctl set_permissions -p /mcollective mcollective '.*' '.*' '.*'
rabbitmqctl list_permissions -p "/mcollective"
add the following exchanges (name, type) in vhost /mcollective
mcollective_broadcast topic
mcollective_directed direct
rabbitmqctl list_exchanges -p "/mcollective"
Listing exchanges ...
direct
amq.direct direct
amq.fanout fanout
amq.headers headers
amq.match headers
amq.rabbitmq.trace topic
amq.topic topic
mcollective_broadcast topic
mcollective_directed direct
...done.