Puppet Study Notes (CentOS 6.3 + Puppet 3.01)

Oct 26 2012

 

I made up my mind to learn Puppet properly, and this weekend I am going to a dedicated Puppet training. A friend was kind enough to organize it so that everyone could go and learn together, so I am doing some homework in advance.

29 Oct 2012: After two days of training, I have a deep appreciation of how powerful Puppet is. The friend who taught the Puppet course is very experienced, not only with Puppet but also with teaching and with learning new things. The biggest takeaway: the official documentation is very good; once you have read through it, you are most of the way there.

 

Overview

Puppet is a configuration management tool with a client/server (C/S) architecture. You install the puppet-server package (the puppet master) on a central server and the Puppet client software (the puppet agent) on each target server that is to be managed.

If the client is also installed on the server, the local machine can be managed as well. Simply put, once Puppet is installed you can use Puppet's own management functions to install Foreman directly with Puppet. That is what I hope to achieve.

 

Preparation

I use CentOS 6.3 directly with Puppet's official yum repository; the current Puppet version is already 3.01. The requirements on the OS are also simple:

  1. Disable SELinux.
  2. Stop iptables. This is to avoid all kinds of trouble; you can instead open the needed ports without stopping iptables.
  3. Set up the hosts file. Puppet needs FQDNs, and a lab environment usually has no DNS, so configure names through the hosts file.
  4. Set up NTP to synchronize time; this is also required.
  5. Set up the repositories according to the version you want to use. I enabled EPEL and Puppet's official repository.
  6. node06 is the master (10.1.199.6).
  7. node08 is the client (10.1.199.8).

For these settings you can refer to vpsee's Puppet documentation.

Installation

Puppet 3.01 has removed many commands from earlier versions, which makes the documentation confusing to read. The pre-2.6 commands cannot be used at all in 3.0 and later; keep this in mind. After the change, things are actually clearer.


 

Server side

Because we install from the repository, all of the Ruby dependencies are resolved automatically. Installing the server also installs the client.

yum -y install puppet-server

Look at the packages it depends on.


Start Puppet

chkconfig puppet on
chkconfig puppetmaster on
service puppetmaster start
service puppet start

The Puppet master listens on TCP port 8140. The iptables command to open a port used to be long and hard to remember; I have now found a good tool, lokkit. Ports opened with it survive a reboot, which is very convenient.

lokkit -p 8140:tcp

 

Check the open ports:

 

# netstat -lpnut
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      1476/ruby           
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1454/sshd           
tcp        0      0 :::22                       :::*                        LISTEN      1454/sshd           
udp        0      0 10.1.199.6:123              0.0.0.0:*                               1462/ntpd           
udp        0      0 127.0.0.1:123               0.0.0.0:*                               1462/ntpd           
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1462/ntpd           
udp        0      0 :::123                      :::*                                    1462/ntpd     

Check the certificates:

# puppet cert list --all
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")

At this point the local machine has automatically been taken on as a client and is being managed; its certificate was signed automatically.

Client

Install a standalone client:

yum install puppet


Compare the packages the client and the server depend on.

Start the service

chkconfig puppet on
service puppet start

Puppet's basic default configuration; nothing in here needs to be changed.

# cat /etc/sysconfig/puppet
# The puppetmaster server
#PUPPET_SERVER=puppet

# If you wish to specify the port to connect to do so here
#PUPPET_PORT=8140

# Where to log to. Specify syslog to send log messages to the system log.
#PUPPET_LOG=/var/log/puppet/puppet.log

# You may specify other parameters to the puppet client here
#PUPPET_EXTRA_OPTS=--waitforcert=500

Above are Puppet's default settings; you can uncomment them and make changes. This is also why the Puppet agent by default goes looking on the network for a machine called puppet; you can change that here.

/var/lib/puppet is an important directory on the client: the agent's certificates are stored under it.

 

]# pwd
/var/lib/puppet
]# ll
total 24
drwxr-x--- 2 root   root 4096 Oct 26 15:35 clientbucket
drwxr-x--- 2 root   root 4096 Oct 26 15:35 client_data
drwxr-x--- 2 root   root 4096 Oct 26 15:35 client_yaml
drwxr-xr-x 2 root   root 4096 Oct 26 15:35 lib
drwxrwx--x 7 puppet root 4096 Oct 26 15:35 ssl
drwxr-xr-t 3 root   root 4096 Oct 26 15:35 state

The Puppet agent configuration file is /etc/puppet/puppet.conf; editing this file is basically all you need.

# pwd
/etc/puppet
# ll
total 12
-rw-r--r-- 1 root root 2979 Oct 19 02:07 auth.conf
drwxr-xr-x 2 root root 4096 Oct 19 02:07 modules
-rw-r--r-- 1 root root  853 Oct 19 02:06 puppet.conf

puppet.conf is divided into three sections: [main], [master] and [agent]. Some documents add parameters to [main] and others to [agent], which leaves beginners confused about which is correct. For the agent, just make your changes in [agent]: if a setting there conflicts with [main], the [agent] setting is kept, so you basically do not need to touch the [main] settings.

For the Puppet client, we need to edit /etc/puppet/puppet.conf and add one line specifying the master's server name.

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    server = node06.chenshake.com

Restart the agent; from then on you can connect to the master without passing the server address.

Common commands

Check the Puppet version:

# puppet --version
3.0.1

Check the module path:

# puppet config print modulepath
/etc/puppet/modules:/usr/share/puppet/modules

View the run summary:

# puppet agent -t --summarize
Info: Retrieving plugin
Info: Caching catalog for node08.chenshake.com
Info: Applying configuration version '1351737193'
Finished catalog run in 0.05 seconds
Changes:
Events:
Resources:
            Skipped: 6
              Total: 7
Time:
         Filebucket: 0.00
   Config retrieval: 0.18
              Total: 0.18
Last run: 1351737193
Version:
             Config: 1351737193
             Puppet: 3.0.1

Certificates

Client requests a certificate

The client needs to send a request to the server so that the server will manage it. This is really a certificate signing process: the first time the Puppet client runs, it generates an SSL certificate (signing request) and sends it to the Puppet server; if the server agrees to manage the client, it signs the certificate.

puppet agent

To follow the registration process in detail and to help with troubleshooting later, you can add parameters, because in the configuration file:

  1. --no-daemonize: log to the foreground
  2. --verbose: more detailed logging
  3. --debug: even more detailed logging, used when troubleshooting
  4. --test: test mode; passing --test alone is enough
puppet agent --server=node06.chenshake.com --no-daemonize --onetime --verbose --debug

On my server side, if the iptables port is not opened or iptables is not stopped, you will see the following error:

Debug: Finishing transaction 70232051730000
Error: Could not request certificate: No route to host - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled


If everything is normal, you will see the following output:

Debug: Finishing transaction 69982568075580
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for node08.chenshake.com
Info: Certificate Request fingerprint (SHA256): DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Exiting; no certificate found and waitforcert is disabled

At this point, on the server you can see the certificate request waiting to be signed:

# puppet cert list --all   
  "node08.chenshake.com" (SHA256) DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")

Entries with a + next to them have already been signed.

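Before signing, it is worth checking that the fingerprint the master lists for a pending request matches the one the agent printed on the node itself, so that you sign the request node08 actually generated. The following shell script is an added example and not part of the original post: it parses constructed copies of the two outputs shown above; pending_nodes, master_fingerprint, agent_fingerprint and csr_matches are this example's own names.

```shell
#!/bin/sh
# Added example: compare the CSR fingerprint the agent printed with the one
# the master lists before running "puppet cert --sign". Both inputs below are
# constructed from the output formats shown in this post.

# Constructed: what "puppet agent -t" printed on node08
AGENT_LOG='Info: Creating a new SSL certificate request for node08.chenshake.com
Info: Certificate Request fingerprint (SHA256): DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
Exiting; no certificate found and waitforcert is disabled'

# Constructed: "puppet cert list --all" on the master. A leading "+" means
# signed, "-" means revoked, and no marker means a pending request.
CERT_LIST='  "node08.chenshake.com" (SHA256) DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")'

# Print the certnames of pending (unsigned, unrevoked) requests, one per line.
pending_nodes() {
    printf '%s\n' "$1" | awk '$1 !~ /^[+-]$/ { gsub(/"/, "", $1); print $1 }'
}

# Print the fingerprint the master holds for a certname (pending or signed).
master_fingerprint() {
    printf '%s\n' "$1" | awk -v node="\"$2\"" '
        $1 == node { print $3; exit }
        $1 ~ /^[+-]$/ && $2 == node { print $4; exit }'
}

# Print the fingerprint the agent reported in its own log.
agent_fingerprint() {
    printf '%s\n' "$1" | awk '/Certificate Request fingerprint/ { print $NF; exit }'
}

# Return 0 when master and agent agree on the CSR fingerprint, 1 otherwise.
csr_matches() {
    node=$1; list=$2; log=$3
    m=$(master_fingerprint "$list" "$node")
    a=$(agent_fingerprint "$log")
    [ -n "$m" ] && [ "$m" = "$a" ]
}

for n in $(pending_nodes "$CERT_LIST"); do
    if csr_matches "$n" "$CERT_LIST" "$AGENT_LOG"; then
        echo "$n: fingerprint matches, safe to run: puppet cert --sign $n"
    else
        echo "$n: fingerprint MISMATCH, do not sign"
    fi
done
```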
Signing a certificate is simple:

puppet cert --sign node08.chenshake.com
puppet cert --sign --all

Sign the certificate:

# puppet cert --sign --all
Signed certificate request for node08.chenshake.com
Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/ca/requests/node08.chenshake.com.pem'

After signing, look again and you will see:

# puppet cert --list --all
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
+ "node08.chenshake.com" (SHA256) A1:80:54:46:03:01:AE:6E:22:B1:39:8F:45:F2:C5:5A:F9:4E:CA:94:DA:A9:BF:85:34:E7:6E:98:07:97:B7:BC

Revoking a certificate

To invalidate a certificate in real operations, I recommend using the clean parameter; I found that revoke only invalidates the certificate.

puppet cert revoke node08.chenshake.com
Revoked certificate with serial 3

Now look at the certificates:

# puppet cert list --all
+ "node06.chenshake.com" (SHA256) 9C:3E:5C:11:03:C9:AA:35:B8:DE:A2:2C:44:79:2F:F2:64:7D:19:1B:75:99:09:2E:43:C0:26:70:6A:24:30:C2 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
- "node08.chenshake.com" (SHA256) CB:15:4A:55:23:1D:AD:08:5F:A6:D8:3C:D8:17:47:6E:E1:42:47:01:2D:D3:1B:55:85:18:65:6E:B2:6C:46:EA (certificate revoked)

You need to restart the puppetmaster service before the revocation really takes effect. You can test this by connecting from the client: before the restart everything works normally; only after the master service has been restarted will connecting with node08 produce the error below:

Debug: Using cached certificate_revocation_list for ca
Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (b64_zlib_yaml)
Debug: report supports formats: b64_zlib_yaml raw yaml; using b64_zlib_yaml
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

Deleting a certificate

On the master, after cleaning the certificate you need to restart the service for it to take effect.

# puppet cert --clean node08.chenshake.com
Revoked certificate with serial 3
Removing file Puppet::SSL::Certificate node08.chenshake.com at '/var/lib/puppet/ssl/ca/signed/node08.chenshake.com.pem'
Removing file Puppet::SSL::Certificate node08.chenshake.com at '/var/lib/puppet/ssl/certs/node08.chenshake.com.pem'

Restart the puppetmaster service:

/etc/init.d/puppetmaster restart

On the client:

rm -f /var/lib/puppet/ssl/certs/node08.chenshake.com.pem

Or delete the whole directory, which also removes the CA certificate:

rm -rf /var/lib/puppet/ssl

Now you can request a certificate again:

# puppet agent -t
Info: Creating a new SSL certificate request for node08.chenshake.com
Info: Certificate Request fingerprint (SHA256): 43:4F:C8:D7:B0:84:D8:89:F6:D9:9C:DE:D4:5B:C0:BF:F1:D6:89:6C:C0:94:7C:02:99:50:98:BA:4C:1C:52:4F
Exiting; no certificate found and waitforcert is disabled

Now you can sign it on the master as usual.

Automatic certificate signing

The master can be set to sign all certificates automatically; we only need to create the file autosign.conf in the /etc/puppet directory. (There is no need to modify /etc/puppet/puppet.conf, because I have not changed the default location of autosign.conf.)

cat > /etc/puppet/autosign.conf <<EOF
*.chenshake.com
EOF

This automatically signs requests from all machines in chenshake.com.

[root@node08 ~]# puppet agent -t
Info: Creating a new SSL key for node08.chenshake.com
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for node08.chenshake.com
Info: Certificate Request fingerprint (SHA256): 50:6B:ED:AB:E4:46:49:53:3E:41:6A:DD:93:7F:5F:3F:00:55:17:25:A0:BB:12:AF:4A:2B:89:88:5D:41:9F:86
Info: Caching certificate for node08.chenshake.com
Info: Caching certificate_revocation_list for ca
Info: Retrieving plugin
Info: Caching catalog for node08.chenshake.com
Info: Applying configuration version '1351497197'
Finished catalog run in 0.04 seconds

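The wildcard accepts any request whose certname ends in .chenshake.com, and the certname is chosen by the requesting agent, so anything that can reach port 8140 and claims that domain gets signed without review. The shell script below is an added example and not part of the original post: it models the autosign.conf matching rule as a simplified assumption (an exact certname match, or a leading *. matching any certname under that domain) and compares the post's wildcard file with a constructed file listing explicit certnames; autosign_allows and report are this example's own names.

```shell
#!/bin/sh
# Added example: show which certnames an autosign.conf would sign with no
# human review. Matching rule is a simplified assumption: a line matches a
# certname exactly, or a line starting with "*." matches any certname that
# ends in that domain.

# Constructed: the wildcard file used in this post
WILDCARD_CONF='*.chenshake.com'

# Constructed: a restrictive alternative that lists only the expected nodes
EXPLICIT_CONF='node08.chenshake.com
node09.chenshake.com'

# Return 0 if certname $2 would be auto-signed under the rules in $1.
autosign_allows() {
    name=$2
    while IFS= read -r rule; do
        case $rule in
            ''|'#'*) ;;                       # blank or comment line
            '*.'*)   case $name in *"${rule#\*}") return 0 ;; esac ;;
            *)       [ "$name" = "$rule" ] && return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# Report, for each candidate certname, whether the policy in $1 would sign it.
report() {
    conf=$1; shift
    for n in "$@"; do
        if autosign_allows "$conf" "$n"; then
            echo "$n: auto-signed"
        else
            echo "$n: waits for manual puppet cert --sign"
        fi
    done
}

echo "== wildcard policy =="
report "$WILDCARD_CONF" node08.chenshake.com unknown-host.chenshake.com node08.example.com
echo "== explicit policy =="
report "$EXPLICIT_CONF" node08.chenshake.com unknown-host.chenshake.com
```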
Pre-signing certificates

This means signing the certificate in advance on the server and copying it to the client, which avoids the danger of automatic signing. It is troublesome, though, because you must copy the certificates by hand. The command for generating the certificate differs from earlier Puppet 2.6, so take note.

# puppet cert generate node08.chenshake.com
node08.chenshake.com has a waiting certificate request
Signed certificate request for node08.chenshake.com
Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/ca/requests/node08.chenshake.com.pem'
Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/certificate_requests/node08.chenshake.com.pem'

客戶端操做

mkdir -p /var/lib/puppet/ssl/private_keys
mkdir -p /var/lib/puppet/ssl/certs
scp root@10.1.199.6:/var/lib/puppet/ssl/private_keys/node08.chenshake.com.pem /var/lib/puppet/ssl/private_keys/
scp root@10.1.199.6:/var/lib/puppet/ssl/certs/node08.chenshake.com.pem /var/lib/puppet/ssl/certs/
scp root@10.1.199.6:/var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/

Now you can run on the client:

# puppet agent -t
Info: Caching certificate_revocation_list for ca
Info: Retrieving plugin
Info: Caching catalog for node08.chenshake.com
Info: Applying configuration version '1351735593'
Finished catalog run in 0.04 seconds

Puppet Dashboard

I actually wanted to install the Dashboard directly with Puppet, but at this stage I still cannot get it working; I will leave that challenge for later.

MySQL

yum install -y mysql mysql-devel mysql-server

Tune the MySQL settings

Edit /etc/my.cnf and add the last line in the [mysqld] section.

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Allowing 32MB allows an occasional 17MB row with plenty of spare room
max_allowed_packet = 32M

 

Start the service

/etc/init.d/mysqld start
chkconfig mysqld on

Set the MySQL root password; the password I use here is password.

mysqladmin -u root password 'password'

Create a dashboard database:

mysql -uroot -ppassword <<EOF
CREATE DATABASE dashboard CHARACTER SET utf8;
CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost';
FLUSH PRIVILEGES;
EOF

Passenger+Apache+Dashboard

This makes Apache able to serve Ruby applications:

yum install mod_passenger puppet-dashboard

Look at the package dependencies.

Configure the Dashboard

Edit /usr/share/puppet-dashboard/config/database.yml:

production:
  database: dashboard
  username: dashboard
  password: password
  encoding: utf8
  adapter: mysql

Change the time zone in /usr/share/puppet-dashboard/config/environment.rb:

  #config.time_zone = 'UTC'
  config.time_zone = 'Beijing'

Initialize the database:

cd /usr/share/puppet-dashboard/
rake RAILS_ENV=production db:migrate

Configure Apache

We need to integrate Passenger with Apache:

cat > /etc/httpd/conf.d/passenger.conf << EOF
LoadModule passenger_module modules/mod_passenger.so
<IfModule mod_passenger.c>
   PassengerRoot /usr/share/rubygems/gems/passenger-3.0.17
   PassengerRuby /usr/bin/ruby

   PassengerHighPerformance on
   PassengerMaxPoolSize 12
   PassengerPoolIdleTime 1500
   PassengerStatThrottleRate 120
   RailsAutoDetect On
</IfModule>
<VirtualHost *:80>
   ServerName node06.chenshake.com
   DocumentRoot "/usr/share/puppet-dashboard/public/"
   <Directory "/usr/share/puppet-dashboard/public/">
      Options None
      AllowOverride AuthConfig
      Order allow,deny
      allow from all
   </Directory>
   ErrorLog /var/log/httpd/node06.chenshake.com_error.log
   LogLevel warn
   CustomLog /var/log/httpd/node06.chenshake.com_access.log combined
   ServerSignature On
</VirtualHost>
EOF

 

 

Start the service

/etc/init.d/httpd start
chkconfig httpd on

Open port 80:

lokkit -p 80:tcp

Configure Puppet

Make the Dashboard use reports. The agent now has reporting enabled by default, so you do not need to configure the agent; only the server side needs to be set up.

# puppet.conf (on puppet master)
  [master]
    reports = store, http
    reporturl = http://node06.chenshake.com:80/reports/upload

Restart the puppetmaster service:

/etc/init.d/puppetmaster restart

Now you can access the Puppet Dashboard directly at http://ip.

Import reports

cd /usr/share/puppet-dashboard
# rake RAILS_ENV=production reports:import
(in /usr/share/puppet-dashboard)
Importing 7 reports from /var/lib/puppet/reports/ in the background
Importing: 100% |#########| Time: 00:00:00
7 of 7 reports queued

Now when you visit the Dashboard you can see the imported tasks.

Delayed Job Workers

As I understand it, this is really just a script used to analyse the reports.

env RAILS_ENV=production /usr/share/puppet-dashboard/script/delayed_job -p dashboard -n 4 -m start

 

Check the started jobs:

ps -ef|grep delayed_job|grep -v grep

 

Stop the delayed job:

env RAILS_ENV=production /usr/share/puppet-dashboard/script/delayed_job -p dashboard -n 4 -m stop

Only now can you see data in the Dashboard.

 

Foreman

Currently there are still problems between Puppet 3.0 and Foreman 1.0; upstream is working on them:

http://theforeman.org/issues/1872

Posted by 陳沙克 at 3:19 PM. Tagged with: puppet

6 Responses to "Puppet Study Notes (CentOS 6.3 + Puppet 3.01)"

  1. Hi Teacher Chen, I have read many of your blog posts about cloud technology, and I am now working in this area too, from the simplest things like setting up an environment with devstack, or setting up individual cloud services, and I have also studied puppet, jenkins and so on. I hope to have time to consult you more. We now have a requirement to build a test framework like https://jenkins.openstack.org, but I see it integrates a lot of things; for example the gate-nova-python26 case uses the openstack-ci-puppet project, but how the scripts it runs, /usr/local/jenkins/slave_scripts/gerrit-git-prep.sh review.openstack.org, got installed and where they come from, I really have no idea. I hope to discuss this with you; could you give me your email?

  2. [...] The previous post described installing puppet on ubuntu 12.04, where the installed version was puppet 2.7.11; today I tried installing puppet 3.1.1 on a CentOS 6.4 system, referring to chenshake's article [...]

  3. In the documentation at http://docs.puppetlabs.com/guides/platforms.html#ruby-versions I see the following package dependencies. You also installed puppet 3, so how can it work with ruby 1.8.5??
    Ruby version   Puppet 2.6   Puppet 2.7   Puppet 3.x
    1.8.5*         Supported    Supported    No
    1.8.7          Supported    Supported    Supported
    2.0.0**        No           No           Supported (3.2 and higher)
    1.9.3**        No           No           Supported

  4. Hello Teacher Chen, my environment is x64 CentOS 6.4 with OpenStack installed by RDO (packstack --allinone). While the script was running it reported an error saying the httpd service was not started (I guess because I did not disable iptables and selinux before installing, since running service httpd status shows it is running). Then I found that my dashboard and nagios can be logged into normally (with no node information). I want to ask whether this affects anything and whether you have any suggestions. Please advise, thanks.

    • It should not. Just repeat it several times. RDO fully supports selinux and iptables. Make sure you follow my steps.

  5. Hello Teacher Chen, I would like to ask how to use puppet kick to push to Puppet clients. I tried to configure it according to Puppet's official documentation; the first push succeeded, but the second push returned the following:

    Getting status
    status is running
    Host test is already running
    test finished with exit code 3
    Failed: test

    I checked on the client that port 8139 is already listening. I do not understand why it says Host test is already running. Do I have to stop the Puppet client before each push?
