下了决心,好好学习puppet,周末专门去参加一个puppet的培训,难得朋友那么热心,组织大家一起去学习。我就提前做一下功课。
2012年10月29日:参加完两天的培训,深刻体会到puppet的强悍,当然讲Puppet的朋友,还是非常有经验,不只是puppet经验,还有讲课的经验,学习一个新东西的经验。一个最大的收获:官方的文档非常好,把puppet读完,你就差不多。
Contents [hide]
概述
Puppet 是一个客户端/服务器(C/S)架构的配置管理工具,在中央服务器上安装 puppet-server 服务器(puppet master),在需要被管理的目标服务器上安装 puppet 客户端软件(puppet client)。
如果服务器端也安装客户端,那么还可以管理本地机器。简单点说,当你把puppet装好后,你可以利用puppet的管理功能,直接用puppet安装foreman。这是我希望实现的功能。
准备
我直接使用Centos 6.3,puppet官方的yum源,目前puppet版本已经是3.01。对os的要求也很简单
- 关闭selinux
- 关闭iptables,这是为了避免各种麻烦,你可以通过打开端口,而不需要关闭iptables
- 设置host文件,由于puppet需要用FQDN,一般实验环境都是没有dns,所以通过hosts文件设置
- 设置ntp,同步时间,这个也是必须的。
- 设置源,根据你希望使用的版本,设置不同的源.我是启用了EPEL和Puppet官方的源
- node06 为master (10.1.199.6)
- node08 为client (10.1.199.8)
这些设置,大家可以参考 vpsee的puppet文档
安装
Puppet 3.01,对很多以前版本的命令已经去掉,这也让大家看文档的时候,比较混乱。目前pre-2.6的命令,在3.0以后的版本,完全无法使用。这个大家要记住。这样更换后,其实也比较清晰。
服务器端
因为我们采用源安装,所有ruby的依赖关系都是自动解决。装服务器端的时候,其实也同时把客户端装上.
|
1 |
yum -y install puppet-server |
看看依赖的包
启动puppet
|
1 2 3 4 |
chkconfig puppet on chkconfig puppetmaster on service puppetmaster start service puppet start |
Puppet Master 运行在TCP的8140端口。以前iptables的命令打开一个端口很长,很难记忆,现在发现一个好工具 lokkit。打开的端口,重启机器也是不影响,非常方便。
|
1 |
lokkit -p 8140:tcp |
查看打开的端口
|
1 2 3 4 5 6 7 8 9 10 |
# netstat -lpnut Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 1476/ruby tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1454/sshd tcp 0 0 :::22 :::* LISTEN 1454/sshd udp 0 0 10.1.199.6:123 0.0.0.0:* 1462/ntpd udp 0 0 127.0.0.1:123 0.0.0.0:* 1462/ntpd udp 0 0 0.0.0.0:123 0.0.0.0:* 1462/ntpd udp 0 0 :::123 :::* 1462/ntpd |
查看证书
|
1 2 3 4 |
# puppet cert list --all + "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41: 32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1: 7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com") |
这个时候,已经自动把本机当成客户端,管理起来,证书已经自动签发.
客户端
单独安装一个客户端
|
1 |
yum install puppet |
大家可以看看,比较一下客户端和服务器依赖的包.
启动服务
|
1 2 |
chkconfig puppet on service puppet start |
puppet的基本默认配置,这里面的内容是不需要修改。
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# cat /etc/sysconfig/puppet # The puppetmaster server #PUPPET_SERVER=puppet # If you wish to specify the port to connect to do so here #PUPPET_PORT=8140 # Where to log to. Specify syslog to send log messages to the system log. #PUPPET_LOG=/var/log/puppet/puppet.log # You may specify other parameters to the puppet client here #PUPPET_EXTRA_OPTS=--waitforcert=500 |
上面就是Puppet的默认设置,大家可以去掉注释,进行修改。这也是为啥puppet的agent,默认就到网络找一个puppet的机器,你可以在这里修改。
/var/lib/puppet 目录,是客户端一个比较重要的目录,agent的证书就是放在这个目录下。
|
1 2 3 4 5 6 7 8 9 10 |
]# pwd /var/lib/puppet ]# ll total 24 drwxr-x--- 2 root root 4096 Oct 26 15:35 clientbucket drwxr-x--- 2 root root 4096 Oct 26 15:35 client_data drwxr-x--- 2 root root 4096 Oct 26 15:35 client_yaml drwxr-xr-x 2 root root 4096 Oct 26 15:35 lib drwxrwx--x 7 puppet root 4096 Oct 26 15:35 ssl drwxr-xr-t 3 root root 4096 Oct 26 15:35 state |
Puppet agent 配置文件,是 /etc/puppet/puppet.conf , 基本编辑这个文件可以。
|
1 2 3 4 5 6 7 |
# pwd /etc/puppet # ll total 12 -rw-r--r-- 1 root root 2979 Oct 19 02:07 auth.conf drwxr-xr-x 2 root root 4096 Oct 19 02:07 modules -rw-r--r-- 1 root root 853 Oct 19 02:06 puppet.conf |
对于puppet.conf 来说,里面分成3部分[main], [master], [agent], 外面的文档,有些是把参数添加到[main], 有些是添加到[agent], 用初学者比较困惑,到底那个是正确。对于agent来说,你就在agent里修改就可以。如果你的设置和[main]冲突,就会保留[agent]设置。所以你基本就不需要管[main]设置就可以。
对于puppet 客户端,我们需要编辑 /etc/puppet/puppet.conf, 添加一行,指定master服务器名称。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
[agent] # The file in which puppetd stores a list of the classes # associated with the retrieved configuratiion. Can be loaded in # the separate ``puppet`` executable using the ``--loadclasses`` # option. # The default value is '$confdir/classes.txt'. classfile = $vardir/classes.txt # Where puppetd caches the local configuration. An # extension indicating the cache format is added automatically. # The default value is '$confdir/localconfig'. localconfig = $vardir/localconfig server = node06.chenshake.com |
重启agent就可以,这个时候,你就不需要加上服务器地址,就可以连接master。
常用命令
查看puppet版本
|
1 2 |
# puppet --version 3.0.1 |
查看模块位置
|
1 2 |
# puppet config print modulepath /etc/puppet/modules:/usr/share/puppet/modules |
查看报告
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# puppet agent -t --summarize Info: Retrieving plugin Info: Caching catalog for node08.chenshake.com Info: Applying configuration version '1351737193' Finished catalog run in 0.05 seconds Changes: Events: Resources: Skipped: 6 Total: 7 Time: Filebucket: 0.00 Config retrieval: 0.18 Total: 0.18 Last run: 1351737193 Version: Config: 1351737193 Puppet: 3.0.1 |
证书
Client申请证书
client需要向服务器端发出请求, 让服务器对客户端进行管理. 这其实是一个证书签发的过程. 第一次运行 puppet 客户端的时候会生成一个 SSL 证书并指定发给 Puppet 服务端, 服务器端如果同意管理客户端,就会对这个证书进行签发.
|
1 |
puppet agent |
为了详细了解注册的过程和日后排错,可以增加参数,因为配置文件里
- –no-daemonize 前台输出日志
- –verbose 输入更加详细的日志
- –debug 更加详细的日志,排错的时候使用
- –test 表示测试,就带一个–test参数就可以
|
1 |
puppet agent --server=node06.chenshake.com --no-daemonize --onetime --verbose --debug |
我的服务器端,如果iptables的端口没打开或者iptables没有关闭,你回看到下面错误
|
1 2 3 |
Debug: Finishing transaction 70232051730000 Error: Could not request certificate: No route to host - connect(2) Exiting; failed to retrieve certificate and waitforcert is disabled |
如果一切正常,你回看到下面输出
|
1 2 3 4 5 6 7 8 |
Debug: Finishing transaction 69982568075580 Info: Caching certificate for ca Info: Creating a new SSL certificate request for node08.chenshake.com Info: Certificate Request fingerprint (SHA256): DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9: A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53 Debug: Using cached certificate for ca Debug: Using cached certificate for ca Exiting; no certificate found and waitforcert is disabled |
这个时候,你在服务器端就可以看到请求签发的证书
|
1 2 3 |
# puppet cert list --all "node08.chenshake.com" (SHA256) DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53 + "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com") |
旁边有+ 号的,表示已经签发。
签发证书很简单
|
1 2 |
puppet cert --sign node08.chenshake.com puppet cert --sign --all |
签发证书。
|
1 2 3 4 |
# puppet cert --sign --all Signed certificate request for node08.chenshake.com Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/ca/requests/node08.chenshake.com.pem' |
签发完成后,你再查看,就会发现
|
1 2 3 |
# puppet cert --list --all + "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com") + "node08.chenshake.com" (SHA256) A1:80:54:46:03:01:AE:6E:22:B1:39:8F:45:F2:C5:5A:F9:4E:CA:94:DA:A9:BF:85:34:E7:6E:98:07:97:B7:BC |
注销证书
让证书失效,真正操作,我建议使用clean的参数,发现revoke,仅仅是让证书失效。
|
1 2 |
puppet cert revoke node08.chenshake.com Revoked certificate with serial 3 |
这个时候,你查看证书
|
1 2 3 |
# puppet cert list --all + "node06.chenshake.com" (SHA256) 9C:3E:5C:11:03:C9:AA:35:B8:DE:A2:2C:44:79:2F:F2:64:7D:19:1B:75:99:09:2E:43:C0:26:70:6A:24:30:C2 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com") - "node08.chenshake.com" (SHA256) CB:15:4A:55:23:1D:AD:08:5F:A6:D8:3C:D8:17:47:6E:E1:42:47:01:2D:D3:1B:55:85:18:65:6E:B2:6C:46:EA (certificate revoked) |
你需要重启puppetmaster服务,才能正式生效,你可以通过客户端连接来测试,没有重启服务前,一切正常,只有重启了master服务后,你再用node08去连接,就会提示下面的错误。
|
1 2 3 4 5 6 7 8 |
Debug: Using cached certificate_revocation_list for ca Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked Debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (b64_zlib_yaml) Debug: report supports formats: b64_zlib_yaml raw yaml; using b64_zlib_yaml Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked |
删除证书
在master上,清除证书后,需要重启服务才能生效.
|
1 2 3 4 |
# puppet cert --clean node08.chenshake.com Revoked certificate with serial 3 Removing file Puppet::SSL::Certificate node08.chenshake.com at '/var/lib/puppet/ssl/ca/signed/node08.chenshake.com.pem' Removing file Puppet::SSL::Certificate node08.chenshake.com at '/var/lib/puppet/ssl/certs/node08.chenshake.com.pem' |
重启puppetmaster服务,
|
1 |
/etc/init.d/puppetmaster restart |
在client上
|
1 |
rm -f /var/lib/puppet/ssl/certs/node08.chenshake.com.pem |
或者整个目录删除,这样ca的证书,也删除。
|
1 |
rm -rf /var/lib/puppet/ssl |
这个时候,你再申请就可以
|
1 2 3 4 5 |
# puppet agent -t Info: Creating a new SSL certificate request for node08.chenshake.com Info: Certificate Request fingerprint (SHA256): 43:4F:C8:D7:B0:84:D8:89:F6:D9:9C:DE:D4:5B: C0:BF:F1:D6:89:6C:C0:94:7C:02:99:50:98:BA:4C:1C:52:4F Exiting; no certificate found and waitforcert is disabled |
这个时候,你在master就可以正常签发。
自动签发证书
可以设置master自动签发所有的证书,我们只需要在/etc/puppet 目录下创建 autosign.conf 文件。(不需要修改 /etc/puppet/puppet.conf文件,因为我默认的autosign.conf 文件的位置没有修改)
|
1 2 3 |
cat > /etc/puppet/autosign.conf <<EOF *.chenshake.com EOF |
这样就会对所有来自 chenshake.com 的机器的请求,都自动签名。
|
1 2 3 4 5 6 7 8 9 10 11 12 |
[root@node08 ~]# puppet agent -t Info: Creating a new SSL key for node08.chenshake.com Info: Caching certificate for ca Info: Creating a new SSL certificate request for node08.chenshake.com Info: Certificate Request fingerprint (SHA256): 50:6B:ED:AB:E4:46:49:53:3E:41:6A:DD:93:7F:5F:3F: 00:55:17:25:A0:BB:12:AF:4A:2B:89:88:5D:41:9F:86 Info: Caching certificate for node08.chenshake.com Info: Caching certificate_revocation_list for ca Info: Retrieving plugin Info: Caching catalog for node08.chenshake.com Info: Applying configuration version '1351497197' Finished catalog run in 0.04 seconds |
Pre-signing 证书
就是提前在服务器端签发证书,把证书复制到客户端,这样可以避免自动签名的危险。不过很麻烦,需要你手工copy证书。创建证书的命令,和以前版本的puppet 2.6有不同,大家注意就可以。
|
1 2 3 4 5 |
# puppet cert generate node08.chenshake.com node08.chenshake.com has a waiting certificate request Signed certificate request for node08.chenshake.com Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/ca/requests/node08.chenshake.com.pem' Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/certificate_requests/node08.chenshake.com.pem' |
客户端操作
|
1 2 3 4 5 |
mkdir -p /var/lib/puppet/ssl/private_keys mkdir -p /var/lib/puppet/ssl/certs scp root@10.1.199.6:/var/lib/puppet/ssl/private_keys/node08.chenshake.com.pem /var/lib/puppet/ssl/private_keys/ scp root@10.1.199.6:/var/lib/puppet/ssl/certs/node08.chenshake.com.pem /var/lib/puppet/ssl/certs/ scp root@10.1.199.6:/var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/ |
这时候你就可以在客户端运行
|
1 2 3 4 5 6 |
# puppet agent -t Info: Caching certificate_revocation_list for ca Info: Retrieving plugin Info: Caching catalog for node08.chenshake.com Info: Applying configuration version '1351735593' Finished catalog run in 0.04 seconds |
Puppet Dashboard
我其实是希望直接使用puppet来安装dashboard,不过目前阶段,我还是搞不定,这个留待日后慢慢挑战。
mysql
|
1 |
yum install -y mysql mysql-devel mysql-server |
优化mysql设置
编辑 /etc/my.cnf, 在[mysqld]字段,增加最后一行.
|
1 2 3 4 5 6 7 8 |
[mysqld] datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock user=mysql # Disabling symbolic-links is recommended to prevent assorted security risks symbolic-links=0 # Allowing 32MB allows an occasional 17MB row with plenty of spare room max_allowed_packet = 32M |
启动服务
|
1 2 |
/etc/init.d/mysqld start chkconfig mysqld on |
设置mysql密码,我这里使用是密码是password
|
1 |
mysqladmin -u root password 'password' |
创建一个dashboard数据库
|
1 2 3 4 5 6 |
mysql -uroot -ppassword <<EOF CREATE DATABASE dashboard CHARACTER SET utf8; CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost'; FLUSH PRIVILEGES; EOF |
Passenger+Apache+Dashboard
这是让Apache支持ruby,
|
1 |
yum install mod_passenger puppet-dashboard |
看看包的依赖关系
配置Dashboard
编辑 /usr/share/puppet-dashboard/config/database.yml
|
1 2 3 4 5 6 |
production: database: dashboard username: dashboard password: password encoding: utf8 adapter: mysql |
修改时区 /usr/share/puppet-dashboard/config/environment.rb
|
1 2 |
#config.time_zone = 'UTC' config.time_zone = 'Beijing' |
初始化数据库
|
1 2 |
cd /usr/share/puppet-dashboard/ rake RAILS_ENV=production db:migrate |
配置Apache
我们需要整合Passenger和apache
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
cat > /etc/httpd/conf.d/passenger.conf << EOF LoadModule passenger_module modules/mod_passenger.so <IfModule mod_passenger.c> PassengerRoot /usr/share/rubygems/gems/passenger-3.0.17 PassengerRuby /usr/bin/ruby PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 PassengerStatThrottleRate 120 RailsAutoDetect On </IfModule> <VirtualHost *:80> ServerName node06.chenshake.com DocumentRoot "/usr/share/puppet-dashboard/public/" <Directory "/usr/share/puppet-dashboard/public/"> Options None AllowOverride AuthConfig Order allow,deny allow from all </Directory> ErrorLog /var/log/httpd/node06.chenshake.com_error.log LogLevel warn CustomLog /var/log/httpd/node06.chenshake.com_access.log combined ServerSignature On </VirtualHost> EOF |
重启服务
|
1 2 |
/etc/init.d/httpd start chkconfig httpd on |
打开80端口
|
1 |
lokit -p 80:tcp |
配置puppet
让Dashboard使用Reports,现在默认agent是已经启用Report的功能,所以你就不需要设置agent,你只需要设置Server端就可以.
|
1 2 3 4 |
# puppet.conf (on puppet master) [master] reports = store, http reporturl = http://node06.chenshake.com:80/reports/upload |
重启puppetmaster 服务
|
1 |
/etc/init.d/puppetmaster restart |
这时候就可以直接用 http://ip 访问puppet Dashboard
导入报告
|
1 2 3 4 5 6 |
cd /usr/share/puppet-dashboard # rake RAILS_ENV=production reports:import (in /usr/share/puppet-dashboard) Importing 7 reports from /var/lib/puppet/reports/ in the background Importing: 100% |#########| Time: 00:00:00 7 of 7 reports queued |
这时候你访问Dashboard,可以看到导入的任务.
Delayed Job Workers
这个其实我理解就是一个脚本,用来分析report的。
|
1 |
env RAILS_ENV=production /usr/share/puppet-dashboard/script/delayed_job -p dashboard -n 4 -m start |
查看启动的job
|
1 |
ps -ef|grep delayed_job|grep -v grep |
停止delay job
|
1 |
env RAILS_ENV=production /usr/share/puppet-dashboard/script/delayed_job -p dashboard -n 4 -m stop |
这个时候你才能在Dashbaord里看到数据.
Foreman
目前Puppet 3.0和Foreman 1.0还有问题,官方正在解决中
发表评论
要发表评论,您必须先登录。