Puppet automated configuration management: deployment notes

Without further preamble, here is a record of deploying Puppet on CentOS.

What Puppet is
Puppet is a centralised configuration management system written in Ruby that runs on Linux, Unix and Windows. It uses its own declarative language to manage files, users, cron jobs, packages, system services and other system entities.
Puppet calls these entities resources; its design goal is to simplify managing them and to handle the dependencies between them properly.
Puppet uses a client/server (C/S) architecture: the puppet-server package is installed on the Puppet server (referred to below as the master) and the puppet agent package on every host to be managed (referred to below as the agent).
When an agent connects to the master, the configuration defined on the master is compiled into a catalog and applied on the agent. By default each agent contacts the master every 30 minutes to check for updated configuration. That schedule does not suit every site, so many administrators instead run the agent from crontab, which gives them more control over when it runs.

Why Puppet
Puppet's language lets you write a single manifest that, for example, creates a user on all of your managed hosts. Each host interprets and applies the manifest using the mechanism appropriate to the local system: on a Red Hat server the user is created with useradd, on a FreeBSD server with adduser.
Another strength is flexibility. Puppet is open source, so the code is freely available; if you hit a problem and have the skills, you can modify or extend Puppet to fit your environment and solve it yourself.
Puppet is also easy to extend: support for custom packages and site-specific configuration can be added to an installation quickly and simply.

1) Basic installation

Machine details (CentOS 6.8)
IP address        Hostname         Role
182.48.115.233    Master-node      Master
182.48.115.235    Agent-node1      Agent
182.48.115.236    Agent-node2      Agent
182.48.115.237    Agent-node3      Agent
 
Preparation (on both the master and the agents)
1) Disable SELinux
2) Stop iptables. This only avoids distractions during the lab; in a real deployment open the master's port (TCP 8140) instead of disabling the firewall.
3) Set up /etc/hosts. Puppet identifies nodes by FQDN, and a lab usually has no DNS, so names are resolved through the hosts file.
4) Configure NTP and synchronise the clocks. This is mandatory: certificate validity is checked against the clock, and an agent with a skewed clock will fail to authenticate.
5) Enable package repositories for the version you want. Here the EPEL and official Puppet repositories are used.
 
0) Disable SELinux and the firewall (master and agents)
[root@Master-node ~]# setenforce 0
[root@Master-node ~]# /etc/init.d/iptables stop
Neither command survives a reboot (SELinux is governed by /etc/selinux/config and the firewall by chkconfig). That is acceptable for a lab; in production keep the firewall up and allow TCP 8140 to the master.
  
1) Bind hostnames in /etc/hosts (master and agents)
[root@Master-node ~]# cat /etc/hosts
......
182.48.115.233 Master-node
182.48.115.235 Agent-node1
182.48.115.236 Agent-node2
182.48.115.237 Agent-node3
  
[root@Agent-node1 ~]# cat /etc/hosts
182.48.115.235 Agent-node1
182.48.115.233 Master-node
  
[root@Agent-node2 ~]# cat /etc/hosts
182.48.115.236 Agent-node2
182.48.115.233 Master-node
  
[root@Agent-node3 ~]# cat /etc/hosts
182.48.115.237 Agent-node3
182.48.115.233 Master-node
  
2) Synchronise the clocks (master and agents)
[root@Master-node ~]# yum -y install ntp
[root@Master-node ~]# ntpdate ntp.api.bz
  
3) Install Puppet
Puppet is not in the base CentOS repositories, so add the official Puppet Labs repository (on both master and agents):
[root@Master-node ~]# wget http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-1.noarch.rpm
[root@Master-node ~]# yum install puppetlabs-release-6-1.noarch.rpm
[root@Master-node ~]# yum update
  
-----------Master-----------
[root@Master-node ~]# yum install -y ruby facter puppet-server
  
Start the services
[root@Master-node ~]# service puppet start
[root@Master-node ~]# service puppetmaster start
  
Enable them at boot
[root@Master-node ~]# chkconfig  puppet on
[root@Master-node ~]# chkconfig  puppetmaster on
  
----------Agents-----------
  
[root@Agent-node1 ~]# yum install -y ruby facter puppet
  
Start the agent
[root@Agent-node1 ~]# service puppet start
  
Enable it at boot
[root@Agent-node1 ~]# chkconfig  puppet on
  
Configure the agent
[root@Agent-node1 ~]# vim /etc/puppet/puppet.conf       //add the following line at the bottom
.....
server = Master-node          
  
The server value is the name the agent connects to and checks against the master's certificate, so it must resolve (through /etc/hosts above) and match the name the master's certificate was issued for.
[root@Agent-node1 ~]# /etc/init.d/puppet restart

The log shows that when the master starts for the first time it creates a local certificate authority and issues itself a certificate and key. These can be seen under /var/lib/puppet/ssl:

[root@Master-node ~]# tail -f /var/log/messages
......
Jul 25 15:02:13 puppet01 puppet-master[23689]: Signed certificate request for ca
Jul 25 15:02:14 puppet01 puppet-master[23689]: Master-node has a waiting certificate request
Jul 25 15:02:14 puppet01 puppet-master[23689]: Signed certificate request for Master-node
Jul 25 15:02:14 puppet01 puppet-master[23689]: Removing file Puppet::SSL::CertificateRequest Master-node at '/var/lib/puppet/ssl/ca/requests/Master-node.pem'
Jul 25 15:02:14 puppet01 puppet-master[23689]: Removing file Puppet::SSL::CertificateRequest Master-node at '/var/lib/puppet/ssl/certificate_requests/Master-node.pem'
Jul 25 15:02:14 puppet01 puppet-master[23727]: Reopening log files
Jul 25 15:02:14 puppet01 puppet-master[23727]: Starting Puppet master version 3.8.7
Jul 25 15:03:00 puppet01 puppet-master[23727]: puppet02.bkjk.cn has a waiting certificate request

[root@Master-node ~]#  ll /var/lib/puppet/ssl
total 28
drwxr-xr-x 5 puppet puppet 4096 Jul 25 15:02 ca
drwxr-xr-x 2 puppet puppet 4096 Jul 25 15:02 certificate_requests
drwxr-xr-x 2 puppet puppet 4096 Jul 25 15:02 certs
-rw-r--r-- 1 puppet puppet  967 Jul 25 15:02 crl.pem
drwxr-x--- 2 puppet puppet 4096 Jul 25 15:02 private
drwxr-x--- 2 puppet puppet 4096 Jul 25 15:02 private_keys
drwxr-xr-x 2 puppet puppet 4096 Jul 25 15:02 public_keys

This directory is the ssldir configured in /etc/puppet/puppet.conf.
The certificate the master issued to itself can also be inspected:
[root@Master-node ~]# ll /var/lib/puppet/ssl/ca/signed
total 4
-rw-r--r-- 1 puppet puppet 2029 Jul 25 15:02 Master-node.pem

2) Establishing trust between master and agents (three enrolment methods)

An agent has to ask the master to manage it, and that is really a certificate signing process. The first time the agent runs it generates a key pair and an SSL certificate signing request (CSR) and sends the request to the master;
if the master agrees to manage the agent, it signs the request.
  
On its first connection the agent submits the request and, until the master signs it, the connection cannot be established. When running as a daemon the agent keeps waiting and re-checks with the master every 2 minutes (the waitforcert interval) to see whether its certificate has been signed.
  
Note that the certname is the host's FQDN in lowercase, so Agent-node1 appears as agent-node1 from here on.
  
There are essentially three enrolment methods: manual signing, automatic signing (autosign) and pre-signed certificates.
--------------------------------------------------------------------------------------------------------------------------------------
  
1. Manual signing (medium security)
With manual signing the agent submits a CSR and nothing happens until an administrator on the master confirms it. Signing one request at a time (puppet cert --sign certname) is tedious and slow when there are many nodes; signing everything in one go (puppet cert --sign --all) is fast but weaker, because any mistaken or unexpected request waiting in the queue is signed along with the legitimate ones.
Always review puppet cert --list and compare the fingerprints with what each agent printed before signing in bulk.
  
1) First request a certificate from each agent (do this on all three agent nodes)
Because server is already set in the agent's puppet.conf, the request below does not need the master's address;
otherwise add "--server Master-node" to the command.
[root@Agent-node1 ~]# puppet agent --test
Info: Creating a new SSL key for agent-node1
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent-node1
Info: Certificate Request fingerprint (SHA256): E0:B4:04:52:46:C0:D4:38:92:7B:EA:90:3A:5E:EF:D8:6E:85:D3:61:77:6A:34:10:24:0F:15:B6:1A:9C:13:EC
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
  
2) Confirm the requests on the master
  
Check the pending requests on the master:
[root@Master-node ~]# puppet cert --list
  "agent-node1" (SHA256) E0:B4:04:52:46:C0:D4:38:92:7B:EA:90:3A:5E:EF:D8:6E:85:D3:61:77:6A:34:10:24:0F:15:B6:1A:9C:13:EC
  "agent-node2" (SHA256) FD:FC:10:22:48:BD:17:3C:6E:3E:C5:A1:32:6A:CD:E8:E7:47:33:F9:F2:34:45:C9:59:57:B1:0D:13:10:FE:37
  "agent-node3" (SHA256) 55:C0:CA:EF:F1:1A:3F:E2:53:0D:A8:F6:32:EB:8C:D8:B2:C8:51:9F:0A:4B:4C:0A:78:C5:57:E6:49:02:FC:90
[root@Master-node ~]# puppet cert --list --all           //with --all the certificate the master issued to itself is listed as well
  "agent-node1" (SHA256) E0:B4:04:52:46:C0:D4:38:92:7B:EA:90:3A:5E:EF:D8:6E:85:D3:61:77:6A:34:10:24:0F:15:B6:1A:9C:13:EC
  "agent-node2" (SHA256) FD:FC:10:22:48:BD:17:3C:6E:3E:C5:A1:32:6A:CD:E8:E7:47:33:F9:F2:34:45:C9:59:57:B1:0D:13:10:FE:37
  "agent-node3" (SHA256) 55:C0:CA:EF:F1:1A:3F:E2:53:0D:A8:F6:32:EB:8C:D8:B2:C8:51:9F:0A:4B:4C:0A:78:C5:57:E6:49:02:FC:90
+ "master-node" (SHA256) DB:81:FB:58:D7:FF:DC:17:3C:C2:4D:7B:2E:DF:35:C2:F5:4D:B8:D2:AE:9D:EF:E0:73:44:11:07:C4:C2:72:23
  
In this output:
An entry prefixed with + has been signed (the master first signs its own certificate); the agent entries have no + and are waiting for a signature. Each fingerprint should match the "Certificate Request fingerprint" the corresponding agent printed, otherwise a request from another host using a legitimate certname could be signed by mistake.
  
Now sign the requests on the master, which registers the agents:
[root@Master-node ~]# puppet cert --sign agent-node1
[root@Master-node ~]# puppet cert --sign agent-node2
[root@Master-node ~]# puppet cert --sign agent-node3
[root@Master-node ~]# puppet cert --sign --all    //the three commands above sign one agent each, which is slow; this single command signs every pending request instead (review the list first)
  
Checking again, everything is now signed (every entry has a + sign). The fingerprints differ from the earlier listing because it now shows the fingerprint of the issued certificate rather than of the request.
[root@Master-node ~]# puppet cert --list --all
+ "agent-node1" (SHA256) 86:61:2A:99:38:54:E3:FD:E0:8F:40:D4:2D:75:83:6F:64:B6:36:E1:B0:97:0D:B5:82:9C:69:95:D2:95:98:92
+ "agent-node2" (SHA256) 63:BF:AA:C2:C5:1E:A6:64:47:72:85:B3:4B:32:3E:07:C3:70:8D:86:D3:86:53:1A:FF:F9:9E:93:46:46:CB:13
+ "agent-node3" (SHA256) 41:B1:A7:3C:E3:7D:47:32:21:4F:25:8A:5E:96:77:1A:E0:FE:45:C3:42:0C:BC:D7:0A:0A:D1:E9:BF:FA:E1:96
+ "master-node" (SHA256) DB:81:FB:58:D7:FF:DC:17:3C:C2:4D:7B:2E:DF:35:C2:F5:4D:B8:D2:AE:9D:EF:E0:73:44:11:07:C4:C2:72:23
  
Another way to see the state of the CA:
[root@Master-node ~]# tree /var/lib/puppet/ssl/                       //install tree with "yum install -y tree" if needed
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent-node1.pem
│       ├── agent-node2.pem
│       ├── agent-node3.pem
│       └── master-node.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── master-node.pem
├── crl.pem
├── private
├── private_keys
│   └── master-node.pem
└── public_keys
    └── master-node.pem
  
Finally run the agent again on each node; this time it retrieves its signed certificate and applies the (so far empty) catalog:
[root@Agent-node1 ~]# puppet agent --test                    //--test can be shortened to -t
Info: Caching certificate for agent-node1
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for agent-node1
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: undefined method `include?' for nil:NilClass
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent-node1
Info: Applying configuration version '1495876267'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.06 seconds
 
-------------------------------------------------------------------------------
The agent can also be run as "puppet agent --no-daemonize --onetime --verbose --debug" to print detailed information about the certificate request:
--no-daemonize     stay in the foreground and log to the terminal
--onetime          run once and exit instead of looping every runinterval
--verbose          more detailed logging
--debug            very detailed logging, for troubleshooting
--test             shorthand for the usual one-shot debugging run (it implies --onetime, --verbose and --no-daemonize, among others), so on its own it is enough
-------------------------------------------------------------------------------
 
-------------------------------Certificate management------------------------------
When something goes wrong and a certificate has to be requested again, or Puppet is reinstalled on a node, the old certificate has to be revoked and/or deleted.
  
Revoking a certificate (--revoke) adds its serial number to the CA's revocation list; it does not expire or delete the certificate file.
[root@Master-node ~]# puppet cert --revoke agent-node1      
Notice: Revoked certificate with serial 10
[root@Master-node ~]# puppet cert --list --all          //a revoked certificate is marked with a leading "-"
+ "agent-node2" (SHA256) 63:BF:AA:C2:C5:1E:A6:64:47:72:85:B3:4B:32:3E:07:C3:70:8D:86:D3:86:53:1A:FF:F9:9E:93:46:46:CB:13
+ "agent-node3" (SHA256) 41:B1:A7:3C:E3:7D:47:32:21:4F:25:8A:5E:96:77:1A:E0:FE:45:C3:42:0C:BC:D7:0A:0A:D1:E9:BF:FA:E1:96
+ "master-node" (SHA256) DB:81:FB:58:D7:FF:DC:17:3C:C2:4D:7B:2E:DF:35:C2:F5:4D:B8:D2:AE:9D:EF:E0:73:44:11:07:C4:C2:72:23
- "agent-node1" (SHA256) 86:61:2A:99:38:54:E3:FD:E0:8F:40:D4:2D:75:83:6F:64:B6:36:E1:B0:97:0D:B5:82:9C:69:95:D2:95:98:92 (certificate revoked)
  
[root@Master-node ~]# puppet cert --revoke --all          //revoke every certificate
  
Revocation only invalidates the certificate: the agent can no longer connect, but the certificate file still exists on the master.
  
Deleting a certificate (--clean)
[root@Master-node ~]# puppet cert --clean agent-node1       //delete the agent-node1 certificate
[root@Master-node ~]# puppet cert --clean --all             //delete every certificate, including the master's own (it is regenerated on restart)
  
A revocation or deletion only takes effect after the puppetmaster service is restarted, because the master loads the CRL when it starts.
[root@Master-node ~]# /etc/init.d/puppetmaster restart
Stopping puppetmaster:                                     [  OK  ]
Starting puppetmaster:                                     [  OK  ]
  
After the restart the master automatically issues itself a new local certificate:
[root@Master-node ~]# puppet cert --list --all
+ "master-node" (SHA256) 25:13:02:B7:01:44:08:E9:A0:C6:66:4F:A9:A9:93:2E:7E:E6:ED:E9:91:85:7B:65:E3:ED:26:FB:C6:7C:B6:56
  
Note the sequence for deleting a certificate and requesting a new one:
On the master, delete the certificate (puppet cert --clean agent-node1)
On the agent, delete the old key, certificate and cached CA copy: rm -rf /var/lib/puppet/ssl/*
On the agent, request a new certificate (puppet agent --test)
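Before a bulk puppet cert --sign --all, and after any --revoke, it is worth checking the CA state programmatically rather than by eye. The function below is an added example (not from the original post, and not part of Puppet): it reads the Puppet 3 output of puppet cert --list --all in the format shown above, counts signed, pending and revoked entries, lists the pending and revoked certnames, and exits 2 when anything needs attention so that a signing script can stop and ask. The sample listing in the demo is constructed from the entries shown earlier in this section.

```shell
#!/bin/sh
# Summarise the CA state printed by "puppet cert --list --all" (added example).
# Puppet 3 prints one line per certname:
#   + "name" (SHA256) fp                         signed
#   - "name" (SHA256) fp (certificate revoked)   revoked
#     "name" (SHA256) fp                         request waiting for a signature
# Usage on the master:  puppet cert --list --all | cert_audit
# Exit status: 0 when everything is signed, 2 when requests are pending or
# revoked certificates remain.
cert_audit() {
    awk '
        /\(SHA256\)/ {
            status = substr($0, 1, 1)               # "+", "-" or a blank
            q1 = index($0, "\"")                    # certname is the quoted field
            rest = substr($0, q1 + 1)
            name = substr(rest, 1, index(rest, "\"") - 1)
            if (status == "+")      { signed++ }
            else if (status == "-") { revoked++; rev[revoked] = name }
            else                    { pending++; pend[pending] = name }
        }
        END {
            printf "signed=%d pending=%d revoked=%d\n", signed, pending, revoked
            for (i = 1; i <= pending; i++) printf "PENDING %s\n", pend[i]
            for (i = 1; i <= revoked; i++) printf "REVOKED %s\n", rev[i]
            rc = (pending > 0 || revoked > 0) ? 2 : 0
            exit rc
        }'
}

# Constructed sample listing (based on the listings above) so the function
# can be tried without a master:  sh this_file.sh --demo
if [ "$#" -ge 1 ] && [ "$1" = "--demo" ]; then
    printf '%s\n' \
        '  "agent-node4" (SHA256) 0A:0B:0C' \
        '+ "agent-node2" (SHA256) 63:BF:AA' \
        '+ "master-node" (SHA256) DB:81:FB' \
        '- "agent-node1" (SHA256) 86:61:2A (certificate revoked)' \
        | cert_audit
fi
```

A wrapper that runs cert_audit first and only calls puppet cert --sign --all when the exit status is 0 (and, for a non-zero status, prints the PENDING names for a human to compare against the fingerprints the agents reported) turns the "review before bulk signing" advice above into a mechanical check.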
-----------------------------------------------------------------------------------------------------------------------------------------------
  
2. Automatic signing (low security, high efficiency)
With autosigning the master signs requests according to an ACL: every request whose certname matches the list is signed with no confirmation at all. Anyone who knows what the list accepts and can reach the master over the network can therefore enrol a node, and the master will then serve that node a catalog, which may contain credentials and internal configuration. The advantage is that it is very efficient.
  
1) Clear the agent certificates already registered on the master
[root@Master-node ~]# puppet cert --clean agent-node1                //clean agents one at a time
[root@Master-node ~]# puppet cert --clean --all                      //or clean every agent certificate
  
2) Delete all enrolment state, including the certificate, on the agent. This is important: once an agent's certificate has been removed on the master you must log in to that agent and delete its old certificate files,
otherwise the next request fails with an error.
[root@Agent-node1 ~]# rm -rf /var/lib/puppet/ssl/*
  
3) Write the ACL on the master
Configure the master to sign requests automatically
[root@Master-node ~]# vim /etc/puppet/puppet.conf     //add the following at the bottom
[main]
    autosign = /etc/puppet/autosign.conf
Only one autosign line is needed: "autosign = true" would sign every request unconditionally, and when both values are given the later one wins, so keep just the file setting and let the file hold the policy.
[root@Master-node ~]# vim /etc/puppet/autosign.conf    //the entry below, *, lets any host that can reach the master obtain a certificate. Prefer exact certnames or a domain glob such as *.example.com, and remember that a glob only restricts the name the requester chose for itself, not who the requester is.
*                      
  
[root@Master-node ~]# /etc/init.d/puppet restart
[root@Master-node ~]# service puppetmaster restart
[root@Master-node ~]# puppet cert --list --all
+ "master-node" (SHA256) 47:D4:F5:FE:73:62:0B:51:BD:E6:BD:A5:1C:7E:04:75:72:80:5C:32:9C:E2:01:46:39:EA:3B:D9:F6:FC:A7:CE
  
Now request certificates from all the agents
[root@Agent-node1 ~]# puppet agent --test
Info: Creating a new SSL key for agent-node1
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent-node1
Info: Certificate Request fingerprint (SHA256): 79:F5:6B:9B:0C:38:68:B7:A6:C3:9E:E4:7E:19:76:8B:61:35:CA:D0:66:E4:81:B4:15:09:DB:24:ED:3F:E2:3F
Info: Caching certificate for agent-node1
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent-node1
Info: Applying configuration version '1495879417'
Notice: Finished catalog run in 0.05 seconds
  
Then check on the master whether the certificates were registered automatically. As shown below, they were:
[root@Master-node ~]# puppet cert --list --all
+ "agent-node1" (SHA256) EE:EE:FE:C8:41:8D:C4:42:59:59:84:FB:A3:CA:F7:20:8A:94:F5:70:5A:2F:1E:A3:D3:48:B4:70:2F:2C:76:AA
+ "agent-node2" (SHA256) 00:C7:14:7D:1B:2F:D9:5D:B9:F5:A1:24:89:FE:65:C2:CF:C7:76:58:CC:61:4F:07:4D:89:22:B2:9B:33:EF:C5
+ "agent-node3" (SHA256) 7C:24:5D:9A:BD:C6:A4:33:04:21:9E:9D:BA:F2:5F:1B:01:84:E1:C4:6C:95:2F:12:A9:7C:BE:3E:E8:48:BD:38
+ "master-node" (SHA256) 99:8A:53:84:A4:BA:38:39:72:77:E5:11:47:1B:C2:29:BE:67:07:03:5D:08:8C:A3:85:49:3F:EF:B4:9A:C4:C3
  
Finally run the agent again
[root@Agent-node1 ~]# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent-node1
Info: Applying configuration version '1495879417'
Notice: Finished catalog run in 0.07 seconds
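The safer middle ground between a bare * and manual signing is a policy-based autosign executable, which Puppet 3.4 and later support: when autosign points at an executable file, the master runs it with the certname as its only argument and the PEM-encoded CSR on standard input, and signs only if it exits 0. The script below is an added example, not part of the original post or of Puppet itself. The allowlist path /etc/puppet/autosign-allow.txt, the AUTOSIGN_ALLOWLIST override and the /etc/puppet/autosign.sh install location are assumptions of this example.

```shell
#!/bin/sh
# Policy-based autosign executable (added example, not from the original post).
# Puppet runs it as:  <script> <certname>   with the CSR PEM on stdin,
# and signs the request only if the exit status is 0.
# Enable it in /etc/puppet/puppet.conf under [master]:
#   autosign = /etc/puppet/autosign.sh        (chmod 750, owner root:puppet)
# The allowlist path and the AUTOSIGN_ALLOWLIST override are assumptions.

ALLOWLIST="${AUTOSIGN_ALLOWLIST:-/etc/puppet/autosign-allow.txt}"

# autosign_decision CERTNAME ALLOWLIST_FILE
# Returns 0 (sign) only when CERTNAME is a plain lowercase hostname and matches
# a line of ALLOWLIST_FILE. Lines are exact certnames or domain globs written
# as "*.lab.example.com"; "#" starts a comment; a bare "*" is ignored on purpose.
autosign_decision() {
    certname=$1
    allowlist=$2
    # Puppet lowercases certnames, so uppercase, shell metacharacters, or
    # leading/trailing dots and dashes are rejected outright.
    printf '%s\n' "$certname" \
        | LC_ALL=C grep -Eq '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$' || return 1
    [ -r "$allowlist" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}                          # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        case "$entry" in
            '*')  continue ;;                       # never honour "sign everything"
            \*.*) suffix=${entry#\*}                # "*.lab.example.com" -> ".lab.example.com"
                  case "$certname" in
                      *"$suffix") return 0 ;;
                  esac ;;
            *)    [ "$certname" = "$entry" ] && return 0 ;;
        esac
    done < "$allowlist"
    return 1
}

# When invoked by the master (certname in $1), consume the CSR and decide.
if [ "$#" -ge 1 ]; then
    cat >/dev/null
    if autosign_decision "$1" "$ALLOWLIST"; then
        logger -t autosign "signing request for $1"
        exit 0
    fi
    logger -t autosign "refusing request for $1"
    exit 1
fi
```

The allowlist is consulted on every request, so adding or removing a node is a one-line change with no master restart, and the decision and its reason land in syslog for later review. The script deliberately ignores the CSR body; a stronger policy would also check a per-node pre-shared secret embedded in the CSR, but name-based allowlisting already closes the "anyone who can reach port 8140" hole that a bare * opens.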
-----------------------------------------------------------------------------------------------------------------------------------------------
  
3. Pre-signed certificates (recommended for production: the safest and most reliable option)
With pre-signing the master generates each agent's key and certificate in advance, before the agent has made any request; the files are then copied into the right directories on the agent and it is enrolled without any autosigning risk. This method gives the highest level of security but more work: every node's certname must be known in advance and the generated files must be copied to every node. If a provisioning tool such as kickstart or cobbler is in use, this part can be scripted into the automated build.
Because the private key is created on the CA and moved across the network, copy it only over an authenticated channel (the ssh transport rsync uses below), keep it mode 0600 on the agent, and remove the master's copy once the agent has it, since the master only needs the signed certificate.
  
1) Clear the agent certificates registered on the master
[root@Master-node ~]# puppet cert --clean --all            //clean every registered certificate; a single agent can be named instead
[root@Master-node ~]# puppet cert --list --all             //confirm they are gone
[root@Master-node ~]# /etc/init.d/puppetmaster restart
  
2) Delete all enrolment state, including the certificate, on the agent
[root@Agent-node1 ~]# rm -rf /var/lib/puppet/*
  
3) Remove the autosign ACL on the master
[root@Master-node ~]# mv /etc/puppet/autosign.conf /etc/puppet/autosign.conf.bak
  
4) Generate the agent certificates on the master in advance (this has to be done for each agent individually)
[root@Master-node ~]# puppet cert generate agent-node1             //older versions used "puppetca --generate agent-node1"
[root@Master-node ~]# puppet cert generate agent-node2
[root@Master-node ~]# puppet cert generate agent-node3
  
Check the certificates
[root@Master-node ~]# puppet cert --list --all
+ "agent-node1" (SHA256) E0:57:E4:D4:2A:10:46:68:E7:58:DE:3C:6A:2C:9F:82:7B:5F:BC:6E:F9:84:E7:A2:F3:E3:9D:02:5E:CB:EC:80
+ "agent-node2" (SHA256) F8:6F:55:37:8C:4D:D0:33:A5:EA:5E:2D:1A:EA:3E:52:27:9F:0A:65:E2:81:56:2E:7A:EF:67:8A:F6:37:8D:50
+ "agent-node3" (SHA256) 50:9E:80:75:D8:13:2D:A4:CB:04:6C:2E:70:11:90:53:97:37:07:0D:F0:AB:66:40:60:87:4C:51:74:1A:00:ED
+ "master-node" (SHA256) 2A:EB:D3:60:C4:F6:57:12:9B:2E:7E:E8:3A:B8:11:B6:A4:57:F4:F9:91:7D:E7:E9:25:64:DD:51:C8:26:8E:75
  
5) Copy the pre-generated files from the master to each agent
[root@Agent-node1 ~]# mkdir -p /var/lib/puppet/ssl/private_keys
[root@Agent-node1 ~]# mkdir -p /var/lib/puppet/ssl/certs
[root@Agent-node1 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/private_keys/agent-node1.pem /var/lib/puppet/ssl/private_keys/
[root@Agent-node1 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/certs/agent-node1.pem /var/lib/puppet/ssl/certs/
[root@Agent-node1 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/
  
[root@Agent-node2 ~]# mkdir -p /var/lib/puppet/ssl/private_keys
[root@Agent-node2 ~]# mkdir -p /var/lib/puppet/ssl/certs
[root@Agent-node2 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/private_keys/agent-node2.pem /var/lib/puppet/ssl/private_keys/
[root@Agent-node2 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/certs/agent-node2.pem /var/lib/puppet/ssl/certs/
[root@Agent-node2 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/
  
[root@Agent-node3 ~]# mkdir -p /var/lib/puppet/ssl/private_keys
[root@Agent-node3 ~]# mkdir -p /var/lib/puppet/ssl/certs
[root@Agent-node3 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/private_keys/agent-node3.pem /var/lib/puppet/ssl/private_keys/
[root@Agent-node3 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/certs/agent-node3.pem /var/lib/puppet/ssl/certs/
[root@Agent-node3 ~]# rsync -e "ssh -p22" -avpgolr 182.48.115.233:/var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/
  
Finally test on each agent
[root@Agent-node1 ~]# puppet agent -t
Info: Caching certificate_revocation_list for ca
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent-node1
Info: Applying configuration version '1495896021'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.07 seconds

The certificate layout on the master now looks like this
[root@Master-node ~]# tree /var/lib/puppet/ssl/     
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent-node1.pem
│       ├── agent-node2.pem
│       ├── agent-node3.pem
│       └── master-node.pem
├── certificate_requests
├── certs
│   ├── agent-node1.pem
│   ├── agent-node2.pem
│   ├── agent-node3.pem
│   ├── ca.pem
│   └── master-node.pem
├── crl.pem
├── private
├── private_keys
│   ├── agent-node1.pem
│   ├── agent-node2.pem
│   ├── agent-node3.pem
│   └── master-node.pem
└── public_keys
    ├── agent-node1.pem
    ├── agent-node2.pem
    ├── agent-node3.pem
    └── master-node.pem
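Step 5) above is where pre-signing goes wrong in practice: a private key is copied across the network, the files may land with the wrong permissions, and a key and a certificate are easy to swap because both are named <certname>.pem. The function below is an added example (not from the original post or from Puppet) of an agent-side install step that checks each file is the kind of PEM its path claims, places the files with Puppet's directory modes and 0600 on the key, and refuses to overwrite a key that is already present unless FORCE=1 is set. It assumes the source directory mirrors the master's layout (private_keys/<certname>.pem, certs/<certname>.pem, certs/ca.pem) and that the agent's ssldir is /var/lib/puppet/ssl; ownership is left to the caller, since the files are installed as whoever runs the script.

```shell
#!/bin/sh
# Agent-side installer for a pre-signed key/certificate pair (added example).
# install_presigned CERTNAME SRCDIR [SSLDIR]
#   SRCDIR mirrors the master layout produced by "puppet cert generate":
#     SRCDIR/private_keys/CERTNAME.pem   the agent's private key
#     SRCDIR/certs/CERTNAME.pem          the agent's signed certificate
#     SRCDIR/certs/ca.pem                the CA certificate
#   SSLDIR is the agent's ssldir (default /var/lib/puppet/ssl, an assumption).
# Returns 0 on success, 1 on any sanity-check failure. Set FORCE=1 to replace
# an existing key; otherwise a key that is already present is left untouched.

# pem_is FILE KIND   where KIND is "CERTIFICATE" or "PRIVATE KEY"
pem_is() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q -- "^-----BEGIN .*$2-----\$"
}

install_presigned() {
    certname=$1
    src=$2
    ssldir=${3:-/var/lib/puppet/ssl}
    key="$src/private_keys/$certname.pem"
    crt="$src/certs/$certname.pem"
    ca="$src/certs/ca.pem"

    # Refuse files that are not the kind of PEM their path claims; this catches
    # a swapped key/certificate as well as an rsync that copied nothing.
    pem_is "$key" "PRIVATE KEY" || { echo "bad or missing key: $key" >&2; return 1; }
    pem_is "$crt" "CERTIFICATE" || { echo "bad or missing cert: $crt" >&2; return 1; }
    pem_is "$ca"  "CERTIFICATE" || { echo "bad or missing CA cert: $ca" >&2; return 1; }

    if [ -e "$ssldir/private_keys/$certname.pem" ] && [ "${FORCE:-0}" != 1 ]; then
        echo "key already present in $ssldir; set FORCE=1 to replace it" >&2
        return 1
    fi

    # Directory modes match the master listing above (private_keys 0750,
    # certs 0755); the key itself must never be group- or world-readable.
    mkdir -p "$ssldir/private_keys" "$ssldir/certs" || return 1
    chmod 0750 "$ssldir/private_keys"
    chmod 0755 "$ssldir/certs"
    install -m 0600 "$key" "$ssldir/private_keys/$certname.pem" || return 1
    install -m 0644 "$crt" "$ssldir/certs/$certname.pem" || return 1
    install -m 0644 "$ca"  "$ssldir/certs/ca.pem" || return 1

    # Post-condition: the installed key has exactly mode 0600.
    [ -n "$(find "$ssldir/private_keys/$certname.pem" -perm 0600)" ] || return 1
    return 0
}
```

Run it on the agent after the rsync step, for example install_presigned agent-node1 /root/presigned, where /root/presigned is the directory the files were pulled into; on success puppet agent -t should proceed straight to "Caching certificate_revocation_list for ca" as shown above, with no new key or request being generated.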

3) Setting up the Puppet Dashboard

Puppet Dashboard is a web GUI for managing Puppet and analysing agent run reports.
 
1) Install MySQL
[root@Master-node ~]# yum install -y mysql mysql-devel mysql-server
[root@Master-node ~]# vim /etc/my.cnf              //add the following line under [mysqld]
[mysqld]
......
max_allowed_packet = 32M
 
Start the service
[root@Master-node ~]# /etc/init.d/mysqld start
[root@Master-node ~]# chkconfig mysqld on
 
Set the MySQL root password (the walkthrough uses "password"; use a real one outside the lab)
[root@Master-node ~]# mysqladmin -u root password 'password'
 
Create the dashboard database and a dedicated user limited to it
[root@Master-node ~]# mysql -ppassword
mysql> CREATE DATABASE dashboard CHARACTER SET utf8;
mysql> CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost';
mysql> FLUSH PRIVILEGES;
 
2) Install Passenger + Apache + Dashboard
Passenger lets Apache serve Ruby applications. Here it runs the Dashboard; the same Apache+Passenger stack is also the usual replacement for the master's built-in WEBrick server when more concurrency is needed.
 
Make Apache Ruby-capable by installing Passenger as a gem:
[root@Master-node ~]# gem install passenger 

If Ruby needs upgrading first, see this source-install guide: http://www.cnblogs.com/kevingrace/p/5752382.html

3) Configure the Dashboard
[root@Master-node ~]# vim /usr/share/puppet-dashboard/config/database.yml
........
production:
  database: dashboard
  username: dashboard
  password: password
  encoding: utf8
  adapter: mysql

Set the time zone
[root@Master-node ~]# vim /usr/share/puppet-dashboard/config/environment.rb
.......
  config.time_zone = 'Beijing'

4) Initialise the database
[root@Master-node ~]# cd /usr/share/puppet-dashboard/
[root@Master-node puppet-dashboard]# rake RAILS_ENV=production db:migrate            //rake comes with Ruby's bundled gems; if it is not on PATH, locate it with find

5) Configure Apache
Build the Passenger Apache module (choose Apache when the installer asks which web server to target):
[root@Master-node ~]# passenger-install-apache2-module

[root@Master-node ~]# find / -name mod_passenger.so
/usr/local/ruby/lib/ruby/gems/2.4.0/gems/passenger-5.1.4/buildout/apache2/mod_passenger.so

[root@Master-node ~]# cp /usr/local/ruby/lib/ruby/gems/2.4.0/gems/passenger-5.1.4/buildout/apache2/mod_passenger.so /etc/httpd/modules/

Integrate Passenger with Apache
[root@Master-node ~]# yum install curl-devel httpd-devel
[root@Master-node ~]# vim /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module modules/mod_passenger.so
<IfModule mod_passenger.c>
   # PassengerRoot must be the gem directory found with find above, not a stale 3.0.x path
   PassengerRoot /usr/local/ruby/lib/ruby/gems/2.4.0/gems/passenger-5.1.4
   # must be the interpreter the gem was installed with; passenger-install-apache2-module prints both values
   PassengerRuby /usr/bin/ruby

   PassengerHighPerformance on
   PassengerMaxPoolSize 12
   PassengerPoolIdleTime 1500
   PassengerStatThrottleRate 120
   # RailsAutoDetect was a Passenger 3 directive and was dropped in Passenger 4, so it is omitted here
</IfModule>
    <VirtualHost *:80>
       ServerName huanqiu.puppet.com
       DocumentRoot "/usr/share/puppet-dashboard/public/"
       <Directory "/usr/share/puppet-dashboard/public/">
          Options None
          AllowOverride AuthConfig
          Order allow,deny
          allow from all
       </Directory>
       ErrorLog /var/log/httpd/huanqiu.puppet.com_error.log
       LogLevel warn
       CustomLog /var/log/httpd/huanqiu.puppet.com_access.log combined
       ServerSignature On
    </VirtualHost>

Note that the Dashboard has no authentication of its own and the vhost above allows access from everywhere, so anyone who can reach port 80 can read every node's reports and post fabricated ones to /reports/upload. Restrict the vhost (for example Allow from only the master and administrator addresses, or HTTP authentication in front of it) before exposing it beyond a lab.
Start the service
[root@Master-node ~]# /etc/init.d/httpd start
[root@Master-node ~]# chkconfig httpd on

6) Configure Puppet to send reports
Make the master forward reports to the Dashboard. Agents send reports by default (report = true), so only the master needs configuring. The host in reporturl must resolve on the master, so add it to /etc/hosts if there is no DNS.
[root@Master-node ~]# vim /etc/puppet/puppet.conf
.......
[master]
reports = store, http
reporturl = http://huanqiu.puppet.com:80/reports/upload

Restart the puppetmaster service
[root@Master-node ~]# /etc/init.d/puppetmaster restart

The Puppet Dashboard can now be opened in a browser at http://ip