I have made up my mind to learn Puppet properly, and this weekend I am going to a dedicated Puppet training. It is rare to have friends so enthusiastic that they organize everyone to go and learn together, so I am doing some homework in advance.
October 29, 2012: Having finished the two-day training, I now have a deep appreciation of how powerful Puppet is. Of course, the friend who taught the course is also very experienced, not just with Puppet but with teaching and with learning new things in general. The biggest takeaway: the official documentation is very good; once you have read through the Puppet docs you are most of the way there.
Puppet is a client/server (C/S) configuration management tool: the puppet-server package (the puppet master) is installed on a central server, and the Puppet client software (the puppet agent) is installed on each target server that is to be managed.
If the client is also installed on the server, the local machine can be managed as well. Put simply, once Puppet is installed you can use Puppet's own management features to install Foreman directly with Puppet. That is what I hope to achieve.
I use CentOS 6.3 with the official Puppet yum repository; the current Puppet version is already 3.0.1. The OS requirements are simple.
For these settings you can refer to vpsee's Puppet documentation.
Puppet 3.0.1 has dropped many commands from earlier versions, which makes reading the documentation confusing. The pre-2.6 commands cannot be used at all in 3.0 and later; keep that in mind. After the change, things are actually clearer.
Because we install from the repository, all Ruby dependencies are resolved automatically. Installing the server also installs the client.
yum -y install puppet-server
Look at the packages it depends on.
Start Puppet:
chkconfig puppet on
chkconfig puppetmaster on
service puppetmaster start
service puppet start
The Puppet master listens on TCP port 8140. The iptables command to open a port used to be long and hard to remember; now I have found a handy tool, lokkit. Ports opened with it survive a reboot, which is very convenient.
lokkit -p 8140:tcp
Check the open ports:
# netstat -lpnut
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8140            0.0.0.0:*               LISTEN      1476/ruby
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1454/sshd
tcp        0      0 :::22                   :::*                    LISTEN      1454/sshd
udp        0      0 10.1.199.6:123          0.0.0.0:*                           1462/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1462/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1462/ntpd
udp        0      0 :::123                  :::*                                1462/ntpd
Check the certificates:
# puppet cert list --all
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
At this point the local machine has already been added as a client and is under management; its certificate was signed automatically.
Install a standalone client
yum install puppet
You can compare the packages the client depends on with those of the server.
Start the service:
chkconfig puppet on
service puppet start
Puppet's basic default configuration; nothing in this file needs to be changed.
# cat /etc/sysconfig/puppet
# The puppetmaster server
#PUPPET_SERVER=puppet
# If you wish to specify the port to connect to do so here
#PUPPET_PORT=8140
# Where to log to. Specify syslog to send log messages to the system log.
#PUPPET_LOG=/var/log/puppet/puppet.log
# You may specify other parameters to the puppet client here
#PUPPET_EXTRA_OPTS=--waitforcert=500
Above are Puppet's default settings; you can uncomment and edit them. This is also why the Puppet agent by default looks for a machine named "puppet" on the network; you can change that here.
/var/lib/puppet is an important directory on the client; the agent's certificates are stored under it.
# pwd
/var/lib/puppet
# ll
total 24
drwxr-x--- 2 root   root 4096 Oct 26 15:35 clientbucket
drwxr-x--- 2 root   root 4096 Oct 26 15:35 client_data
drwxr-x--- 2 root   root 4096 Oct 26 15:35 client_yaml
drwxr-xr-x 2 root   root 4096 Oct 26 15:35 lib
drwxrwx--x 7 puppet root 4096 Oct 26 15:35 ssl
drwxr-xr-t 3 root   root 4096 Oct 26 15:35 state
The Puppet agent configuration file is /etc/puppet/puppet.conf; editing this file is generally all you need.
# pwd
/etc/puppet
# ll
total 12
-rw-r--r-- 1 root root 2979 Oct 19 02:07 auth.conf
drwxr-xr-x 2 root root 4096 Oct 19 02:07 modules
-rw-r--r-- 1 root root  853 Oct 19 02:06 puppet.conf
puppet.conf is divided into three sections: [main], [master] and [agent]. Some external documents add parameters to [main], others to [agent], which leaves beginners confused about which is correct. For the agent, just edit the [agent] section: if a setting there conflicts with [main], the [agent] value wins, so you basically do not need to touch [main] at all.
For the Puppet client we need to edit /etc/puppet/puppet.conf and add one line specifying the master's server name.
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
server = node06.chenshake.com
Restart the agent; from now on you no longer need to pass the server address to connect to the master.
Check the Puppet version:
# puppet --version
3.0.1
Check the module path:
# puppet config print modulepath
/etc/puppet/modules:/usr/share/puppet/modules
View a run summary:
# puppet agent -t --summarize
Info: Retrieving plugin
Info: Caching catalog for node08.chenshake.com
Info: Applying configuration version '1351737193'
Finished catalog run in 0.05 seconds
Changes:
Events:
Resources:
            Skipped: 6
              Total: 7
Time:
         Filebucket: 0.00
   Config retrieval: 0.18
              Total: 0.18
           Last run: 1351737193
Version:
             Config: 1351737193
             Puppet: 3.0.1
The client needs to send a request to the server asking to be managed. This is really a certificate signing process: the first time the puppet agent runs it generates an SSL certificate request and sends it to the puppet master; if the master agrees to manage the client, it signs the certificate.
puppet agent
To follow the registration process in detail and to ease troubleshooting later, you can add some parameters, because in the configuration file
puppet agent --server=node06.chenshake.com --no-daemonize --onetime --verbose --debug
On my server, if port 8140 is not open in iptables (or iptables has not been turned off), you will see the following error:
Debug: Finishing transaction 70232051730000
Error: Could not request certificate: No route to host - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
If everything is fine, you will see the following output:
Debug: Finishing transaction 69982568075580
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for node08.chenshake.com
Info: Certificate Request fingerprint (SHA256): DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Exiting; no certificate found and waitforcert is disabled
At this point you can see the certificate request waiting to be signed on the server:
# puppet cert list --all
"node08.chenshake.com" (SHA256) DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
Entries marked with + have already been signed.
Signing a certificate is simple:
puppet cert --sign node08.chenshake.com
puppet cert --sign --all
Sign the certificate:
# puppet cert --sign --all
Signed certificate request for node08.chenshake.com
Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/ca/requests/node08.chenshake.com.pem'
After signing, check again and you will see:
# puppet cert --list --all
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
+ "node08.chenshake.com" (SHA256) A1:80:54:46:03:01:AE:6E:22:B1:39:8F:45:F2:C5:5A:F9:4E:CA:94:DA:A9:BF:85:34:E7:6E:98:07:97:B7:BC
To invalidate a certificate in practice I recommend the clean parameter; I found that revoke merely marks the certificate as revoked.
puppet cert revoke node08.chenshake.com
Revoked certificate with serial 3
Now check the certificates:
# puppet cert list --all
+ "node06.chenshake.com" (SHA256) 9C:3E:5C:11:03:C9:AA:35:B8:DE:A2:2C:44:79:2F:F2:64:7D:19:1B:75:99:09:2E:43:C0:26:70:6A:24:30:C2 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
- "node08.chenshake.com" (SHA256) CB:15:4A:55:23:1D:AD:08:5F:A6:D8:3C:D8:17:47:6E:E1:42:47:01:2D:D3:1B:55:85:18:65:6E:B2:6C:46:EA (certificate revoked)
You need to restart the puppetmaster service for the revocation to take effect. You can test this by connecting from the client: before the restart everything still works; only after restarting the master service does connecting with node08 produce the error below.
Debug: Using cached certificate_revocation_list for ca
Error: Failed to apply catalog: SSL_connect returned=1
errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (b64_zlib_yaml)
Debug: report supports formats: b64_zlib_yaml raw yaml; using b64_zlib_yaml
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
On the master, after cleaning the certificate, the service must be restarted for it to take effect.
# puppet cert --clean node08.chenshake.com
Revoked certificate with serial 3
Removing file Puppet::SSL::Certificate node08.chenshake.com at '/var/lib/puppet/ssl/ca/signed/node08.chenshake.com.pem'
Removing file Puppet::SSL::Certificate node08.chenshake.com at '/var/lib/puppet/ssl/certs/node08.chenshake.com.pem'
Restart the puppetmaster service:
/etc/init.d/puppetmaster restart
On the client:
rm -f /var/lib/puppet/ssl/certs/node08.chenshake.com.pem
Or delete the whole directory, which also removes the CA certificate:
rm -rf /var/lib/puppet/ssl
Now you can submit a request again:
# puppet agent -t
Info: Creating a new SSL certificate request for node08.chenshake.com
Info: Certificate Request fingerprint (SHA256): 43:4F:C8:D7:B0:84:D8:89:F6:D9:9C:DE:D4:5B:C0:BF:F1:D6:89:6C:C0:94:7C:02:99:50:98:BA:4C:1C:52:4F
Exiting; no certificate found and waitforcert is disabled
Now the master can sign it normally.
You can configure the master to sign all certificates automatically; we only need to create an autosign.conf file in /etc/puppet. (There is no need to modify /etc/puppet/puppet.conf, because I have not changed the default location of autosign.conf.)
cat > /etc/puppet/autosign.conf <<EOF
*.chenshake.com
EOF
This automatically signs every request that comes from a machine in chenshake.com.
[root@node08 ~]# puppet agent -t
Info: Creating a new SSL key for node08.chenshake.com
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for node08.chenshake.com
Info: Certificate Request fingerprint (SHA256): 50:6B:ED:AB:E4:46:49:53:3E:41:6A:DD:93:7F:5F:3F:00:55:17:25:A0:BB:12:AF:4A:2B:89:88:5D:41:9F:86
Info: Caching certificate for node08.chenshake.com
Info: Caching certificate_revocation_list for ca
Info: Retrieving plugin
Info: Caching catalog for node08.chenshake.com
Info: Applying configuration version '1351497197'
Finished catalog run in 0.04 seconds
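As an added example (not from the original post and not part of Puppet itself): a small bash helper that parses the `puppet cert list --all` listing shown above, classifies each host as pending, signed or revoked, and only approves a request whose SHA256 fingerprint equals the one the agent printed in its "Certificate Request fingerprint" line. This is the out-of-band check that the manual `puppet cert --sign` step allows and that a wildcard autosign.conf skips. The listing is a constructed sample built from the post's output; node07 is a made-up host.

```bash
#!/bin/bash
# Constructed sample of `puppet cert list --all` output (fingerprints taken from the post,
# node07 is invented): pending requests have no marker, "+" is signed, "-" is revoked.
SAMPLE_CERT_LIST='  "node08.chenshake.com" (SHA256) DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
- "node07.chenshake.com" (SHA256) CB:15:4A:55:23:1D:AD:08:5F:A6:D8:3C:D8:17:47:6E:E1:42:47:01:2D:D3:1B:55:85:18:65:6E:B2:6C:46:EA (certificate revoked)'

# Print the state of a host in the listing: pending, signed, revoked or absent.
cert_state() {
  local listing=$1 host=$2 line
  line=$(printf '%s\n' "$listing" | grep -F "\"$host\"" | head -n1)
  [ -z "$line" ] && { echo absent; return; }
  case "$line" in
    +*) echo signed ;;
    -*) echo revoked ;;
    *)  echo pending ;;
  esac
}

# Print the SHA256 fingerprint recorded for a host, upper-cased, empty if the host is absent.
cert_fingerprint() {
  local listing=$1 host=$2
  printf '%s\n' "$listing" | grep -F "\"$host\"" | head -n1 \
    | sed -n 's/.*(SHA256) \([0-9A-Fa-f:]*\).*/\1/p' | tr 'a-f' 'A-F'
}

# Decide whether a request may be signed. $3 is the fingerprint copied from the agent's
# "Certificate Request fingerprint (SHA256): ..." line; whitespace from line wrapping is
# removed before comparing. Returns 0 (sign) or 1 (refuse) and prints the reason.
approve_csr() {
  local listing=$1 host=$2 expected=$3 state fp
  expected=$(printf '%s' "$expected" | tr -d ' \n' | tr 'a-f' 'A-F')
  state=$(cert_state "$listing" "$host")
  if [ "$state" != pending ]; then
    echo "refuse: $host is $state, not a pending request"; return 1
  fi
  fp=$(cert_fingerprint "$listing" "$host")
  if [ "$fp" != "$expected" ]; then
    echo "refuse: fingerprint mismatch for $host"; return 1
  fi
  echo "ok: $host fingerprint verified, safe to run: puppet cert --sign $host"
}
```

In real use, feed `$(puppet cert list --all)` as the listing and the fingerprint read from the agent's console as the third argument.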
The idea here is to sign the certificate in advance on the server and copy it to the client, which avoids the risk of auto-signing. It is cumbersome, though, because you have to copy the certificates by hand. The command for creating the certificate differs from Puppet 2.6, so take note.
# puppet cert generate node08.chenshake.com
node08.chenshake.com has a waiting certificate request
Signed certificate request for node08.chenshake.com
Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/ca/requests/node08.chenshake.com.pem'
Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/certificate_requests/node08.chenshake.com.pem'
On the client:
mkdir -p /var/lib/puppet/ssl/private_keys
mkdir -p /var/lib/puppet/ssl/certs
scp root@10.1.199.6:/var/lib/puppet/ssl/private_keys/node08.chenshake.com.pem /var/lib/puppet/ssl/private_keys/
scp root@10.1.199.6:/var/lib/puppet/ssl/certs/node08.chenshake.com.pem /var/lib/puppet/ssl/certs/
scp root@10.1.199.6:/var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/
Now you can run on the client:
# puppet agent -t
Info: Caching certificate_revocation_list for ca
Info: Retrieving plugin
Info: Caching catalog for node08.chenshake.com
Info: Applying configuration version '1351735593'
Finished catalog run in 0.04 seconds
I actually hoped to install Dashboard directly with Puppet, but at this stage I still cannot get it working; I will leave that as a challenge for later.
yum install -y mysql mysql-devel mysql-server
Tune the MySQL settings
Edit /etc/my.cnf and add the last line below to the [mysqld] section.
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Allowing 32MB allows an occasional 17MB row with plenty of spare room
max_allowed_packet = 32M
Start the service:
/etc/init.d/mysqld start
chkconfig mysqld on
Set the MySQL root password; here I use the password "password".
mysqladmin -u root password 'password'
Create a dashboard database:
mysql -uroot -ppassword <<EOF
CREATE DATABASE dashboard CHARACTER SET utf8;
CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost';
FLUSH PRIVILEGES;
EOF
This makes Apache able to serve Ruby applications:
yum install mod_passenger puppet-dashboard
Look at the package dependencies.
Edit /usr/share/puppet-dashboard/config/database.yml:
production:
  database: dashboard
  username: dashboard
  password: password
  encoding: utf8
  adapter: mysql
Change the time zone in /usr/share/puppet-dashboard/config/environment.rb:
#config.time_zone = 'UTC'
config.time_zone = 'Beijing'
Initialize the database:
cd /usr/share/puppet-dashboard/
rake RAILS_ENV=production db:migrate
We need to integrate Passenger with Apache:
cat > /etc/httpd/conf.d/passenger.conf << EOF
LoadModule passenger_module modules/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /usr/share/rubygems/gems/passenger-3.0.17
PassengerRuby /usr/bin/ruby
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerStatThrottleRate 120
RailsAutoDetect On
</IfModule>
<VirtualHost *:80>
ServerName node06.chenshake.com
DocumentRoot "/usr/share/puppet-dashboard/public/"
<Directory "/usr/share/puppet-dashboard/public/">
  Options None
  AllowOverride AuthConfig
  Order allow,deny
  allow from all
</Directory>
ErrorLog /var/log/httpd/node06.chenshake.com_error.log
LogLevel warn
CustomLog /var/log/httpd/node06.chenshake.com_access.log combined
ServerSignature On
</VirtualHost>
EOF
Restart the service:
/etc/init.d/httpd start
chkconfig httpd on
Open port 80:
lokkit -p 80:tcp
Make Dashboard use reports. The agent now has reporting enabled by default, so you do not need to configure the agent, only the server side.
# puppet.conf (on puppet master)
[master]
reports = store, http
reporturl = http://node06.chenshake.com:80/reports/upload
Restart the puppetmaster service:
/etc/init.d/puppetmaster restart
Now you can access the Puppet Dashboard directly at http://ip.
cd /usr/share/puppet-dashboard
# rake RAILS_ENV=production reports:import
(in /usr/share/puppet-dashboard)
Importing 7 reports from /var/lib/puppet/reports/ in the background
Importing: 100% |#########| Time: 00:00:00
7 of 7 reports queued
When you visit the Dashboard now you can see the import job.
As I understand it, this is just a script that analyses the reports.
env RAILS_ENV=production /usr/share/puppet-dashboard/script/delayed_job -p dashboard -n 4 -m start
Check the started jobs:
ps -ef|grep delayed_job|grep -v grep
Stop the delayed job:
env RAILS_ENV=production /usr/share/puppet-dashboard/script/delayed_job -p dashboard -n 4 -m stop
Only then will you see data in the Dashboard.
Puppet 3.0 and Foreman 1.0 still have problems; the official team is working on them.
Hi Teacher Chen, I have read many of your blog posts on cloud technology. I am also working in this area now, from the simplest things such as setting up an environment with devstack or standing up individual cloud services, and I have also studied puppet, jenkins and so on. I hope to consult you when you have time. We now have a requirement to build a test framework like https://jenkins.openstack.org, but I see it integrates a lot of things; for example the gate-nova-python26 case uses the openstack-ci-puppet project, but I really have no idea how the scripts it runs, /usr/local/jenkins/slave_scripts/gerrit-git-prep.sh review.openstack.org, were installed or where they come from. I would like to discuss this with you; could you give me your email?
[...] The previous post covered installing puppet on Ubuntu 12.04, version 2.7.11; today I tried installing puppet 3.1.1 on CentOS 6.4, referring to chenshake's article [...]
In the document at http://docs.puppetlabs.com/guides/platforms.html#ruby-versions I see the following dependency table; you also installed puppet3, so how can you use ruby 1.8.5??
Ruby version   Puppet 2.6   Puppet 2.7   Puppet 3.x
1.8.5*         Supported    Supported    No
1.8.7          Supported    Supported    Supported
2.0.0**        No           No           Supported (3.2 and higher)
1.9.3**        No           No           Supported
Hello Teacher Chen, my environment is x64 CentOS 6.4 with OpenStack installed by RDO (packstack --allinone). During script execution it reported an error saying the httpd service was not started (I guess because I did not disable iptables and selinux before installing, since when I run service httpd status it shows running). Then I found that my dashboard and nagios can log in normally (with no node information). Does this affect anything? Any suggestions would be appreciated, thanks.
It should not. Just run it again repeatedly. RDO fully supports selinux and iptables. Make sure you follow my steps.
Hello Teacher Chen, how do I use puppet kick to push to puppet clients? I tried configuring it according to the official Puppet documentation; the first push succeeded, but the second push returned the following:
Getting status
status is running
Host test is already running
test finished with exit code 3
Failed: test
On the client I checked that port 8139 is already listening; I do not understand why it says Host test is already running. Do I have to shut down the puppet client before every push?