puppet5 HA haproxy+ucarp+mcollective+rabbitmq install

centos 7.5 

puppet-master-1 9.*.*.60
puppet-master-2 9.*.*.61
puppet-master-3 9.*.*.62
puppet-db 9.*.*.63

puppet-haproxy-1 9.*.*.64
puppet-haproxy-2 9.*.*.65

ucarp vip 9.*.*.66

puppet-client-1 9.*.*.67
puppet-psq 9.*.*.68

vip hostname puppet-master

puppet msater cert name puppet-master
puppet agent cert name puppet-client

master 节点安装

yum install vim net-tools tree ntp -y 
systemctl enable ntpd
systemctl start ntpd
ntpq -p 

sudo rpm -Uvh https://yum.puppet.com/puppet5/puppet5-release-el-7.noarch.rpm
yum install epel-release -y 
yum install puppetserver -y
yum install httpd httpd-devel mod_ssl ruby-devel rubygems gcc -y
gem install rubygems-update
update_rubygems
gem install rack -v 1.6.10
gem install passenger
yum install gcc-c++ libcurl-devel zlib-devel openssl-devel -y
passenger-install-apache2-module

输出结果：
Please edit your Apache configuration file, and add these lines:

   LoadModule passenger_module /usr/local/share/gems/gems/passenger-5.3.4/buildout/apache2/mod_passenger.so
   <IfModule mod_passenger.c>
     PassengerRoot /usr/local/share/gems/gems/passenger-5.3.4
     PassengerDefaultRuby /usr/bin/ruby
   </IfModule>

After you restart Apache, you are ready to deploy any number of web
applications on Apache, with a minimum amount of configuration!

Press ENTER when you are done editing.

--------------------------------------------

Validating installation...

 * Checking whether this Passenger install is in PATH... ✓
 * Checking whether there are no other Passenger installations... ✓
 * Checking whether Apache is installed... ✓
 * Checking whether the Passenger module is correctly configured in Apache... AH00557: httpd: apr_sockaddr_info_get() failed for puppet-master
(!)

   You did not specify 'LoadModule passenger_module' in any of your Apache
   configuration files. Please paste the configuration snippet that this
   installer printed earlier, into one of your Apache configuration files, such
   as /etc/httpd/conf/httpd.conf.

Detected 0 error(s), 1 warning(s).
Press ENTER to continue.

--------------------------------------------

Deploying a web application

To learn how to deploy a web app on Passenger, please follow the deployment
guide:

  https://www.phusionpassenger.com/library/deploy/apache/deploy/

Enjoy Phusion Passenger, a product of Phusion® (www.phusion.nl) :-)
https://www.phusionpassenger.com

Passenger® is a registered trademark of Phusion Holding B.V.
master 节点配置
[root@puppet-master puppet]# cat /etc/puppetlabs/puppet/puppet.conf 
[main]
#certname = puppet-master
server = puppetmaster.cn.ibm.com
environment = production
runinterval = 5m

[master]
vardir = /opt/puppetlabs/server/data/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
storeconfigs = true
storeconfigs_backend = puppetdb
reports = store,puppetdb
[agent]
node_name = facter
node_name_fact = ipaddress_public
#certname = puppet-client.cn.ibm.com

[root@puppetdb ~]# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[main]
server = puppetserver.cn.ibm.com
environment = production
runinterval = 5m
classfile = /var/lib/puppet/state/classes.txt

master提前生成客户端证书
puppet  ca generate puppet-client

client 节点生成目录结构
puppet agent --test --server=abc.com

拷贝证书到client目录
scp certs/ca.pem 9.*.*.67:/etc/puppetlabs/puppet/ssl/certs/
scp certs/puppet-client.pem 9.*.*.67:/etc/puppetlabs/puppet/ssl/certs/
scp private_keys/puppet-client.pem 9.*.*.67:/etc/puppetlabs/puppet/ssl/private_keys/
scp public_keys/puppet-client.pem 9.*.*.67:/etc/puppetlabs/puppet/ssl/public_keys/

client 节点配置
[root@zhaofei-test puppet]# cat puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[agent]
server = puppetserver.cn.ibm.com
node_name = facter
node_name_fact = ipaddress_public
certname = puppet-client.cn.ibm.com
runinterval = 1h

puppetdb 安装配置。

psq 安装：
  
   13  yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm -y
   14  yum install postgresql96* -y
   38  /usr/pgsql-9.6/bin/postgresql96-setup initdb
   39  systemctl start   postgresql-9.6.service 
   41  su - postgres
   9  createuser -DRSP puppetdb
   10  createdb -E utf8 -O puppetdb puppetdb
   15  psql puppetdb -c 'create extension pg_trgm'
   16  cat /var/lib/pgsql/9.6/data/pg_hba.conf
        # "local" is for Unix domain socket connections only
        #local   all             all                                     peer
        # IPv4 local connections:
        #host    all             all             127.0.0.1/32            ident
        # IPv6 local connections:
        #host    all             all             ::1/128                 ident
        # Allow replication connections from localhost, by a user with the
        # replication privilege.
        #local   replication     postgres                                peer
        #host    replication     postgres        127.0.0.1/32            ident
        #host    replication     postgres        ::1/128                 ident
        host    all             all              0.0.0.0/0               md5

   17  cat /var/lib/pgsql/9.6/data/postgresql.conf
        listen_addresses = '*' 修改。

   psql -h 9.*.*.68 puppetdb puppetdb  测试。

puppetdb service 

yum install puppetdb -y

puppetdb ssl-setup -f

[root@puppet-db puppet]# cat /etc/puppetlabs/puppetdb/conf.d/database.ini
            [database]
            #classname = org.postgresql.Driver
            subprotocol = postgresql

            # The database address, i.e. //HOST:PORT/DATABASE_NAME
            subname = //puppet-psq:5432/puppetdb

            # Connect as a specific user
            username = puppetdb

            # Use a specific password
            password = passw0rd

            # How often (in minutes) to compact the database
            # gc-interval = 60

            # Number of seconds before any SQL query is considered 'slow'; offending
            # queries will not be interrupted, but will be logged at the WARN log level.
            log-slow-statements = 10

[root@puppet-db puppet]# cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
            [jetty]
            # IP address or hostname to listen for clear-text HTTP. To avoid resolution
            # issues, IP addresses are recommended over hostnames.
            # Default is `localhost`.
            host = 9.*.*.63

            # Port to listen on for clear-text HTTP.
            port = 8080

            # The following are SSL specific settings. They can be configured
            # automatically with the tool `puppetdb ssl-setup`, which is normally
            # ran during package installation.

            # IP address to listen on for HTTPS connections. Hostnames can also be used
            # but are not recommended to avoid DNS resolution issues. To listen on all
            # interfaces, use `0.0.0.0`.
            ssl-host = 0.0.0.0

            # The port to listen on for HTTPS connections
            ssl-port = 8081

            # Private key path
            ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem

            # Public certificate path
            ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem

            # Certificate authority path
            ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem

            # Access logging configuration path. To turn off access logging
            # comment out the line with `access-log-config=...`
            access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml

systemctl restart puppetdb

puppetdb  master 安装 。

[root@puppet-master puppet]# yum install puppetdb-termini -y

[root@puppetserver ~]# cat /etc/puppetlabs/puppet/puppetdb.conf
[main]
server_urls = https://puppetdb.cn.ibm.com:8081

[root@puppet-master puppet]# puppet master --configprint route_file
/etc/puppetlabs/puppet/routes.yaml

[root@puppetserver ~]# cat /etc/puppetlabs/puppet/routes.yaml
---
master:
  facts:
    terminus: puppetdb
    cache: yaml

puppet apache 

   73  mkdir -p /usr/share/puppet/rack/puppetmasterd
   74  mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
   75  mkdir -p /usr/share/puppet/ext/rack/
   76  vim /usr/share/puppet/ext/rack/config.ru
   77  ip a
   78  cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
   79  history
   80  chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
   81  ip a
   82  cd /etc/httpd/conf.d/
   83  ls
   84  vim puppetmaster.conf
   85  systemctl stop puppetserver
   86  systemctl start httpd
   87  vim /var/log/messages
   88  ls
   89  vim puppetmaster.conf
   90  systemctl start httpd
   91  vim /var/log/messages
   92  history

[root@puppetserver conf.d]# cat /usr/share/puppet/ext/rack/config.ru
#a config.ru, for use with every rack-compatible webserver.
# # SSL needs to be handled outside this, though.
#
# # if puppet is not in your RUBYLIB:
$:.unshift('/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/')
#
$0 = "puppet"
require 'puppet'
#
# if you want debugging:
ARGV << "--debug"
#
ARGV << "--rack"
require 'puppet/application/master'
# # we're usually running inside a Rack::Builder.new {} block,
# # therefore we need to call run *here*.
run Puppet::Application[:master].run

vim puppetmaster.conf

# You'll need to adjust the paths in the Passenger config depending on which OS
# you're using, as well as the installed version of Passenger.

# Debian/Ubuntu:
#LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby1.8

# RHEL/CentOS:
#LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby

LoadModule passenger_module /usr/local/share/gems/gems/passenger-5.3.4/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
  PassengerRoot /usr/local/share/gems/gems/passenger-5.3.4
  PassengerDefaultRuby /usr/bin/ruby
</IfModule>
# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 12
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140
<VirtualHost *:8140>
    # Make Apache hand off HTTP requests to Puppet earlier, at the cost of
    # interfering with mod_proxy, mod_rewrite, etc. See note below.
    PassengerHighPerformance On

    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    SSLHonorCipherOrder     on

    SSLCertificateFile      /etc/puppetlabs/puppet/ssl/certs/puppetserver.cn.ibm.com.pem
    SSLCertificateKeyFile   /etc/puppetlabs/puppet/ssl/private_keys/puppetserver.cn.ibm.com.pem
    SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
    SSLCARevocationCheck        chain
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData

    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking. If you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.

    # These request headers are used to pass the client certificate
    # authentication information on to the Puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public

    <Directory /usr/share/puppet/rack/puppetmasterd/>
      Options None
      AllowOverride None
      # Apply the right behavior depending on Apache version.
      <IfVersion < 2.4>
        Order allow,deny
        Allow from all
      </IfVersion>
      <IfVersion >= 2.4>
        Require all granted
      </IfVersion>
    </Directory>

    ErrorLog /var/log/httpd/puppet-server.example.com_ssl_error.log
    CustomLog /var/log/httpd/puppet-server.example.com_ssl_access.log combined
</VirtualHost>

vip 9.*.*.202

yum install epel-release 

yum install ucarp 

cd /etc/ucarp

cat vip-001.conf
##########  SOURCE_ADDRESS 修改为本机ip
VIP_ADDRESS="9.*.*.202"
ID=001
BIND_INTERFACE="eth0"
SOURCE_ADDRESS="9.*.*.201"
PASSWORD="mysecret"
OPTIONS="–shutdown –preempt"
UPSCRIPT=/usr/libexec/ucarp/vip-up
DOWNSCRIPT=/usr/libexec/ucarp/vip-down

cat /usr/libexec/ucarp/vip-up
#########    /24 为子网掩码
#!/bin/sh
exec 2>/dev/null

/sbin/ip address add "$2"/24 dev "$1"

cat /usr/libexec/ucarp/vip-down
#########    /24 为子网掩码
#!/bin/sh
exec 2>/dev/null

/sbin/ip address del "$2"/24 dev "$1"

cat /usr/lib/systemd/system/ucarp\@.service
 
[Unit]
Description=Common address redundancy protocol daemon, config: vip-%I.conf
After=syslog.target network-online.target

[Service]
PrivateTmp=true
Type=simple
EnvironmentFile=-/etc/ucarp/vip-common.conf
EnvironmentFile=-/etc/ucarp/vip-%I.conf
ExecStart=/usr/sbin/ucarp -i $BIND_INTERFACE -p $PASSWORD -v %I -a $VIP_ADDRESS -s $SOURCE_ADDRESS $OPTIONS -u $UPSCRIPT -d $DOWNSCRIPT
KillMode=control-group
[Install]
WantedBy=multi-user.target

systemctl start ucarp@001
systemctl status ucarp@001

[root@haproxy01 ~]# cat /etc/haproxy/haproxy.cfg
global
        daemon               # 后台方式运行
        nbproc 1
        pidfile /usr/local/haproxy/conf/haproxy.pid

defaults
        mode tcp               #默认的模式mode { tcp|http|health }，tcp是4层，http是7层，health只会返回OK
        retries 2               #两次连接失败就认为是服务器不可用，也可以通过后面设置
        option redispatch       #当serverId对应的服务器挂掉后，强制定向到其他健康的服务器
        option abortonclose     #当服务器负载很高的时候，自动结束掉当前队列处理比较久的链接
        maxconn 4096            #默认的最大连接数
        timeout connect 5000ms  #连接超时
        timeout client 30000ms  #客户端超时
        timeout server 30000ms  #服务器超时
        #timeout check 2000      #=心跳检测超时
        log 127.0.0.1 local0 err #[err warning info debug]

########test1配置#################
listen test1                         #这里是配置负载均衡，test1是名字，可以任意
        bind 0.0.0.0:8140          #这里是监听的IP地址和端口，端口号可以在0-65535之间，要避免端口冲突
        mode tcp                     #连接的协议，这里是tcp协议
        #maxconn 4086
        #log 127.0.0.1 local0 debug
        server s1 9.*.*.60:8140 #负载的机器
        server s2 9.*.*.61:8140 #负载的机器
        server s3 9.*.*.62:8140 #负载的机器

rabbitmq cluster install 

yum install -y rabbitmq-server        

[root@haproxy01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
9.*.*.66 puppetserver.cn.ibm.com
9.*.*.65 haproxy02.cn.ibm.com haproxy02
9.*.*.64 haproxy01.cn.ibm.com haproxy01

node 1

# vim /etc/rabbitmq/rabbitmq.config
[
  {rabbitmq_stomp, [{tcp_listeners, [61613]}]}
].

77  rabbitmq-plugins list
78  rabbitmq-plugins enable rabbitmq_management
79  rabbitmq-plugins enable rabbitmq_stomp

systemctl restart  rabbitmq-server

scp /var/lib/rabbitmq/.erlang.cookie root@9.*.*.65:/var/lib/rabbitmq/.erlang.cookie

node2 

  107  rabbitmqctl stop_app
  108  rabbitmqctl reset
  109  rabbitmqctl join_cluster rabbit@haproxy01
  110  rabbitmqctl cluster_status
  *  rabbitmqctl start_app
  112  rabbitmqctl cluster_status

        
rabbitmq   mcollective

 342  rabbitmqctl list_users
  343  rabbitmqctl add_user mcollective passw0rd
  344  rabbitmqctl set_permissions -p "/" mcollective  ".*" ".*" ".*"
  345  rabbitmqctl list_users
  346   rabbitmqctl set_user_tags mcollective administrator
  347  rabbitmqctl set_user_tags mcollective administrator
  348  rabbitmqctl list_users
  349  rabbitmqctl add_vhost /mcollective

rabbitmqctl set_permissions -p /mcollective mcollective '.*' '.*' '.*'

rabbitmqctl list_permissions -p "/mcollective"

add exchanges /mcollective

mcollective_broadcast   topic
mcollective_directed    direct

rabbitmqctl list_exchanges -p "/mcollective"

Listing exchanges ...
        direct
amq.direct      direct
amq.fanout      fanout
amq.headers     headers
amq.match       headers
amq.rabbitmq.trace      topic
amq.topic       topic
mcollective_broadcast   topic
mcollective_directed    direct
...done.