Basic daemon installation


Install directly from the official rpm packages. If you build your own rpm from source, the procedure is much the same as with the official rpm.


1) Point yum at the official repository


vim /etc/yum.repos.d/puppetlabs.repo


[puppetlabs-products]

name=Puppet Labs Products 6 - $basearch

baseurl=http://yum.puppetlabs.com/el/6/products/$basearch

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs

enabled=1

gpgcheck=1


[puppetlabs-deps]

name=Puppet Labs Dependencies 6 - $basearch

baseurl=http://yum.puppetlabs.com/el/6/dependencies/$basearch

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs

enabled=1

gpgcheck=1


[puppetlabs-products-source]

name=Puppet Labs Products 6 - $basearch -Source

baseurl=http://yum.puppetlabs.com/el/6/products/SRPMS

gpgkey=file:///yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs

failovermethod=priority

enabled=0

gpgcheck=1


[puppetlabs-deps-source]

name=Puppet Labs Source Dependencies 6 -$basearch - Source

baseurl=http://yum.puppetlabs.com/el/6/dependencies/SRPMS

gpgkey=file:///yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs

enabled=0

gpgcheck=1


2) Turn off the signature verification requirement

sed -i.bak 's/gpgcheck=1/gpgcheck=0/g' puppetlabs.repo
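An added example, not part of the original guide: a small audit for the state step 2 leaves puppetlabs.repo in, listing enabled sections with gpgcheck=0 and switching them back to gpgcheck=1 once the key named in gpgkey is in place. It assumes POSIX sh with awk and sed; the sample .repo text is constructed from the file above.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit a yum .repo file for
# enabled sections whose signature check is off (gpgcheck=0, the state step 2
# leaves puppetlabs.repo in) and turn the check back on once the GPG key is in
# place. Assumes POSIX sh, awk and sed. The sample below is constructed from
# the puppetlabs.repo shown above, with one section already weakened.
SAMPLE_REPO='[puppetlabs-products]
name=Puppet Labs Products 6 - $basearch
baseurl=http://yum.puppetlabs.com/el/6/products/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=0

[puppetlabs-deps]
name=Puppet Labs Dependencies 6 - $basearch
baseurl=http://yum.puppetlabs.com/el/6/dependencies/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=1
'

# weak_repo_sections FILE: print the name of every enabled section with
# gpgcheck=0, one per line; prints nothing when every enabled repo verifies.
weak_repo_sections() {
    awk -F= '
        function flush() {
            if (sect != "" && enabled == "1" && gpgcheck == "0") print sect
            sect = ""; enabled = ""; gpgcheck = ""
        }
        /^\[/ { flush(); sect = substr($0, 2, length($0) - 2); next }
        $1 == "enabled"  { enabled = $2 }
        $1 == "gpgcheck" { gpgcheck = $2 }
        END { flush() }
    ' "$1"
}

# enable_gpgcheck FILE: the reverse of the sed in step 2, keeping a .bak copy.
enable_gpgcheck() {
    sed -i.bak 's/^gpgcheck=0$/gpgcheck=1/' "$1"
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_REPO" > "$tmp"
weak_repo_sections "$tmp"        # prints: puppetlabs-products
enable_gpgcheck "$tmp"
weak_repo_sections "$tmp"        # prints nothing
rm -f "$tmp" "$tmp.bak"
```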


Server side:

yum install puppet-server puppet

yum automatically installs the packages that puppet-server and puppet depend on.

Client side:

yum install puppet

yum likewise installs puppet's dependencies automatically.


3) Edit the configuration file on the server

vim /etc/puppet/puppet.conf

Remove all existing content and add the following:

[main]

certname = puppet.chinadba.cc


[agent]


certname = puppet.chinadba.cc


server = puppet.chinadba.cc


runinterval = 600


report = true


4) Start puppetmaster

/etc/init.d/puppetmaster start


5) Edit the configuration file on the client

vim /etc/puppet/puppet.conf

Remove all existing content and add the following:

[main]

[agent]


certname = client1.chinadba.cc


server = puppet.chinadba.cc


runinterval = 600


report = true

6) Start puppet

/etc/init.d/puppet start


Notes:

(1) The hostnames and IP addresses must map to each other in DNS or in the hosts file.

(2) After puppet starts, it automatically sends a certificate signing request to the puppet server.


If there are errors, fix them according to /var/log/messages.


7) Sign the client certificate on the server

puppet cert --sign hostname

or

puppet cert --sign --all to sign all pending requests

8) Test

vim /etc/puppet/manifests/site.pp and add the following:

node default {
    file { "/tmp/test.txt":
        content => "hello chinadba",
    }
}

Run cat /tmp/test.txt on the client to check. If there is an error, fix it according to the error messages in /var/log/messages.



Note: the process configuration of puppet and puppet master themselves will be filled in step by step in the documents below.

The managed configuration files will be generated by a PHP program to be developed, so there is no need to understand puppet's obscure built-in description language.


Scaling puppet

Reason for scaling: the webrick server bundled with puppetmaster performs poorly and cannot support a larger number of clients.

For now we scale vertically; later, as the number of clients grows, we scale horizontally step by step.


Method: since puppetmaster really just runs over HTTP, we scale vertically by combining apache with passenger.


yum install httpd.x86_64 httpd-devel.x86_64 -y

yum install mod_ssl -y

gem install rack

gem install passenger

passenger-install-apache2-module


Note: gcc, make, autoconf and automake must be installed before installing passenger.

vim /etc/httpd/conf.d/10_passenger.conf

LoadModule passenger_module /usr/lib64/ruby/gems/1.8/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib64/ruby/gems/1.8/gems/passenger-3.0.18
PassengerRuby /usr/bin/ruby

PassengerHighPerformance on
PassengerUseGlobalQueue on
# PassengerMaxPoolSize controls the number of application instances,
# typically 1.5x the number of processor cores.
PassengerMaxPoolSize 6
# Restart the ruby process after handling a specific number of requests to work around the MRI memory leak.
PassengerMaxRequests 4000
# Shut down idle Passenger instances after 30 min.
PassengerPoolIdleTime 1800
# End of /etc/httpd/conf.d/10_passenger.conf


Next we configure an apache virtual host listening on port 8140, and edit the config.ru file.

vim /etc/httpd/conf.d/20_puppetmaster.conf

Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    # Puppet master should generate the initial CA certificate.
    # Ensure the certs are located in /var/lib/puppet/ssl
    # Change puppet.example.com to the fully qualified domain name of the Puppet master, i.e.
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster1.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster1.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled
    # disable the next line if Apache complains about the CRL
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # optional to allow CSR requests, required if certificates are distributed to clients during
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    # The following client headers record authentication information for downstream workers.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    RackAutoDetect On
    DocumentRoot /etc/puppet/rack/puppetmaster/public/
    <Directory /etc/puppet/rack/puppetmaster/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
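An added review helper, not from the original guide, that checks a vhost like the one above for the TLS points a practitioner would revisit before exposing port 8140: the SSLProtocol and SSLCipherSuite choices, the CRL directive, and the X-Client-Verify header the Rack application relies on when SSLVerifyClient is optional. It assumes POSIX sh with awk and grep; the sample vhost is constructed from the directives above.

```shell
#!/bin/sh
# Added example (not part of the original guide): review an Apache SSL vhost
# such as 20_puppetmaster.conf for settings to revisit before exposing port
# 8140. Assumes POSIX sh, awk and grep; SAMPLE_VHOST is constructed from the
# directives shown above, so the findings below reflect that configuration.
SAMPLE_VHOST='<VirtualHost *:8140>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
'

# directive CONF NAME: value of the first uncommented NAME directive, if any
directive() {
    awk -v name="$2" '$1 == name { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# ssl_findings CONF: one finding per line; prints nothing for a clean vhost
ssl_findings() {
    conf=$1
    case " $(directive "$conf" SSLProtocol) " in
        *" -SSLv3 "*) ;;                                   # explicitly disabled
        *" +SSLv3 "*|*" all "*|*" ALL "*) echo "SSLProtocol: SSLv3 still enabled" ;;
    esac
    case "$(directive "$conf" SSLCipherSuite)" in
        *!RC4*|*-RC4*) ;;                                  # RC4 excluded
        *RC4*) echo "SSLCipherSuite: RC4 ciphers permitted" ;;
    esac
    [ -n "$(directive "$conf" SSLCARevocationFile)" ] \
        || echo "SSLCARevocationFile: CRL checking disabled"
    # With SSLVerifyClient optional, unauthenticated clients reach the Rack app;
    # X-Client-Verify (set from SSL_CLIENT_VERIFY) is what the app must check.
    if [ "$(directive "$conf" SSLVerifyClient)" = optional ] &&
       ! grep -q '^[[:space:]]*RequestHeader .*X-Client-Verify' "$conf"; then
        echo "SSLVerifyClient optional without X-Client-Verify header"
    fi
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_VHOST" > "$tmp"
ssl_findings "$tmp"        # prints the SSLv3 and RC4 findings
rm -f "$tmp"
```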


Installing puppet-dashboard to display reports


The official yum repository has no rpm package for puppet-dashboard, so it is installed from downloaded source.


Preparation before installing:

MySQL

yum install mysql mysql-server mysql-devel ruby-mysql


rubygems

Testing showed that only rubygems 1.3.7 works with the latest puppet, so install rubygems 1.3.7:

ruby setup.rb


Installation


Just download puppet-dashboard.

Configuration


Configure puppet-dashboard

Configuration takes four steps:

1) Edit database.yml to specify the database

2) Use the ruby rake command to create the database from the edited database.yml: # rake RAILS_ENV=production db:create

3) Populate the database: # rake RAILS_ENV=production db:migrate

4) Set the timezone in settings.yml to 'Beijing'


First run puppet-dashboard under webrick to test, then switch to passenger to improve performance (the passenger configuration was covered above).

./script/server -e production


Integrating puppet with puppet-dashboard

Edit the client's puppet.conf

[agent]

report = true

Edit the server's puppet.conf

[master]

reports = store,http

reporturl = http://puppet.chinadba.cc:80/reports/upload


Developing a web program to isolate puppet


Develop an automated management program that isolates users from puppet: everything is done in the web interface, so there is no need to know how puppet is used or how its configuration is written.