I. Introduction to Func
Func (the Fedora Unified Network Controller, https://fedorahosted.org/func) is a systems-management framework developed by Red Hat to solve the problem of managing and monitoring many servers from one place. It is a tool that greatly simplifies administering a large number of systems, and it has the following advantages:
1 Easy to learn, easy to use, and even easier to extend
2 Powerful, yet simple to configure
Func has two parts: the master (the controlling end) and the slave (the controlled end). Func communicates over the XML-RPC and SSL standard protocols.
Requirements
Linux kernel 2.6.18
Python 2.5 or later; the python 2.3/2.4 that ships with the system does not support Func well
If the internal network has no DNS, the hosts file can be used instead.
Edit the hosts file on both the master and the slave:
echo "192.168.1.48 master.frank.com" >> /etc/hosts
echo "129.168.1.209 client209.frank.com" >> /etc/hosts
II. Installing the master
1 Download the source packages
wget http://pkgs.fedoraproject.org/repo/pkgs/func/func-0.28.tar.gz/332e35c4bf6ac838df3fa8cf00732172/func-0.28.tar.gz
wget http://pkgs.fedoraproject.org/repo/pkgs/certmaster/certmaster-0.28.tar.gz/f5acc9ff1efa34971296e26d794c5b35/certmaster-0.28.tar.gz
wget http://pkgs.fedoraproject.org/repo/pkgs/pyOpenSSL/pyOpenSSL-0.9.tar.gz/5bf282b2d6a03af921920c34079580f2/pyOpenSSL-0.9.tar.gz
wget http://www.python.org/ftp/python/2.5.5/Python-2.5.5.tgz
2 Install
Every setup.py step below uses the python 2.5 built in the first step (/usr/local/bin/python), so that pyOpenSSL, certmaster and func all land in the same interpreter.
# tar xf Python-2.5.5.tgz
# cd Python-2.5.5
# ./configure && make && make install
# cd ..
# tar xf pyOpenSSL-0.9.tar.gz
# cd pyOpenSSL-0.9
# /usr/local/bin/python setup.py install
# cd ..
# tar xf certmaster-0.28.tar.gz
# cd certmaster-0.28
# /usr/local/bin/python setup.py install
# cd ..
# tar xf func-0.28.tar.gz
# cd func-0.28
# /usr/local/bin/python setup.py install
# cd ..
The tools are installed under /usr/local/bin; link them into /usr/bin so the init scripts and the shell find them:
# ln -s /usr/local/bin/certmaster /usr/bin/certmaster
# ln -s /usr/local/bin/certmaster-request /usr/bin/certmaster-request
# ln -s /usr/local/bin/certmaster-ca /usr/bin/certmaster-ca
# ln -s /usr/local/bin/certmaster-sync /usr/bin/certmaster-sync
# ln -s /usr/local/bin/funcd /usr/bin/funcd
# ln -s /usr/local/bin/func /usr/bin/func
# ln -s /usr/local/bin/func-create-module /usr/bin/func-create-module
# ln -s /usr/local/bin/func-inventory /usr/bin/func-inventory
# ln -s /usr/local/bin/func-transmit /usr/bin/func-transmit
# ln -s /usr/local/bin/func-build-map /usr/bin/func-build-map
3 Master configuration
# cd /etc/certmaster
# vim certmaster.conf
[main]
# automatic certificate signing; for safety, do not sign slave certificates automatically
autosign = no
# IP address to listen on (empty = all interfaces)
listen_addr =
# port to listen on
listen_port = 1998
cadir = /etc/pki/certmaster/ca
cert_dir = /etc/pki/certmaster
certroot = /var/lib/certmaster/certmaster/certs
csrroot = /var/lib/certmaster/certmaster/csrs
cert_extension = cert
sync_certs = False
# cd /etc/func
# vim minion.conf
[main]
log_level = DEBUG
acl_dir = /etc/func/minion-acl.d
listen_addr =
# Func communication port
listen_port = 1999
minion_name =
Start the certmaster service:
# service certmaster start
III. Installing the slave
1 Download the source packages
wget http://pkgs.fedoraproject.org/repo/pkgs/func/func-0.28.tar.gz/332e35c4bf6ac838df3fa8cf00732172/func-0.28.tar.gz
wget http://pkgs.fedoraproject.org/repo/pkgs/certmaster/certmaster-0.28.tar.gz/f5acc9ff1efa34971296e26d794c5b35/certmaster-0.28.tar.gz
wget http://pkgs.fedoraproject.org/repo/pkgs/pyOpenSSL/pyOpenSSL-0.9.tar.gz/5bf282b2d6a03af921920c34079580f2/pyOpenSSL-0.9.tar.gz
wget http://www.python.org/ftp/python/2.5.5/Python-2.5.5.tgz
2 Install on the slave
As on the master, every setup.py step uses the freshly built /usr/local/bin/python.
# tar xf Python-2.5.5.tgz
# cd Python-2.5.5
# ./configure && make && make install
# cd ..
# tar xf pyOpenSSL-0.9.tar.gz
# cd pyOpenSSL-0.9
# /usr/local/bin/python setup.py install
# cd ..
# tar xf certmaster-0.28.tar.gz
# cd certmaster-0.28
# /usr/local/bin/python setup.py install
# cd ..
# tar xf func-0.28.tar.gz
# cd func-0.28
# /usr/local/bin/python setup.py install
# cd ..
# ln -s /usr/local/bin/certmaster /usr/bin/certmaster
# ln -s /usr/local/bin/funcd /usr/bin/funcd
3 Configuration
# cd /etc/certmaster
# vim certmaster.conf
[main]
autosign = no
listen_addr =
# the listen port must be the same as on the master
listen_port = 1998
cadir = /etc/pki/certmaster/ca
cert_dir = /etc/pki/certmaster
certroot = /var/lib/certmaster/certmaster/certs
csrroot = /var/lib/certmaster/certmaster/csrs
cert_extension = cert
sync_certs = False
# cd /etc/func
# vim minion.conf
[main]
log_level = DEBUG
acl_dir = /etc/func/minion-acl.d
listen_addr =
# must match the func port on the master
listen_port = 1999
# hostname of the slave
minion_name = client209.frank.com
Start the services:
# service certmaster start
# chkconfig certmaster on
# chkconfig funcd on
# service funcd start
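The master and slave configuration sections above both depend on two things being right before the services start: autosign = no, and the certmaster/funcd ports matching on both ends. The following POSIX sh script is an added example, not part of the original post, that reads a certmaster.conf and minion.conf in the layout shown above and checks those settings. The function names (ini_get, check_func_conf, make_sample_confs) and the sample files it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: validate certmaster.conf and
# minion.conf before starting certmaster/funcd. Function names are ours.
# Usage:  . ./check-func-conf.sh
#         check_func_conf /etc/certmaster/certmaster.conf /etc/func/minion.conf

# ini_get FILE KEY: print the value of KEY from the first "key = value"
# line that is not a comment. The INI layout is the one shown in the post.
ini_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" | head -n 1
}

# check_func_conf CERTMASTER_CONF MINION_CONF [CERT_PORT] [FUNC_PORT]
# Returns 0 when the settings match the post's setup, otherwise prints
# each problem found and returns 1.
check_func_conf() {
    certconf=$1
    minionconf=$2
    cert_port=${3:-1998}   # must equal the master's certmaster listen_port
    func_port=${4:-1999}   # must equal the master's funcd listen_port
    rc=0

    # Manual signing: a machine on the LAN must not receive a certificate
    # merely by running certmaster-request; an admin approves each CSR.
    if [ "$(ini_get "$certconf" autosign)" != "no" ]; then
        echo "$certconf: autosign must be 'no' (sign each slave by hand with certmaster-ca --sign)"
        rc=1
    fi
    if [ "$(ini_get "$certconf" listen_port)" != "$cert_port" ]; then
        echo "$certconf: listen_port must be $cert_port to match the master"
        rc=1
    fi
    if [ "$(ini_get "$minionconf" listen_port)" != "$func_port" ]; then
        echo "$minionconf: listen_port must be $func_port to match the master"
        rc=1
    fi
    # An empty listen_addr binds every interface. Only a warning, since the
    # post leaves it empty and relies on the firewall rules instead.
    if [ -z "$(ini_get "$minionconf" listen_addr)" ]; then
        echo "$minionconf: listen_addr is empty, funcd listens on all interfaces (restrict port $func_port with the firewall)"
    fi
    return $rc
}

# make_sample_confs DIR: write constructed sample files for a demo run:
# a good certmaster.conf, a copy with autosign enabled, and a minion.conf.
make_sample_confs() {
    cat > "$1/certmaster.conf" <<'EOF'
[main]
# do not sign slave certificates automatically
autosign = no
listen_addr =
listen_port = 1998
cadir = /etc/pki/certmaster/ca
EOF
    sed 's/^autosign = no/autosign = yes/' "$1/certmaster.conf" > "$1/bad-certmaster.conf"
    cat > "$1/minion.conf" <<'EOF'
[main]
log_level = DEBUG
acl_dir = /etc/func/minion-acl.d
listen_addr =
listen_port = 1999
minion_name = client209.frank.com
EOF
}
```

The port values default to the 1998/1999 pair used throughout the post, so the same script can be sourced on every slave; passing different ports as the third and fourth arguments covers a master that was configured differently.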
IV. Common operations on the master
The master has to sign a certificate for each slave. On the slave, run:
# certmaster-request
On the master, certmaster-ca --list shows the hostnames whose certificate requests have not yet been signed:
# certmaster-ca --list
# certmaster-ca --sign client209.frank.com
# certmaster-ca --sign `certmaster-ca --list`     # when many servers have requested certificates, this signs them all at once
# certmaster-ca -c frank209.frank.com              # remove this host's certificate
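Signing everything that certmaster-ca --list returns is convenient, but it also gives a certificate to any host that managed to submit a request, which is exactly what autosign = no was meant to prevent. The following POSIX sh script is an added example, not part of the original post, that signs only pending requests whose hostname appears on an allowlist of slaves you actually provisioned. The function names are constructed for this example, and it assumes certmaster-ca --list prints one pending hostname per line (the post's backtick form relies on the same shape).

```shell
#!/bin/sh
# Added example, not from the original post: sign only the pending requests
# whose hostname is on an allowlist, instead of signing everything that
# `certmaster-ca --list` returns. Function names are ours; we assume the
# listing prints one pending hostname per line.

# approved_hosts PENDING ALLOWLIST_FILE
# PENDING is the text of a `certmaster-ca --list` run; ALLOWLIST_FILE holds
# one expected slave hostname per line. Prints the pending names that are on
# the allowlist; anything else (a typo, or a host nobody provisioned) is
# reported on stderr and left pending for a human to look at.
approved_hosts() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if grep -Fxq "$name" "$2"; then
            printf '%s\n' "$name"
        else
            echo "not on allowlist, left pending: $name" >&2
        fi
    done
}

# sign_approved ALLOWLIST_FILE: run on the master after certmaster-request
# has been executed on the slaves. Each approved name is signed on its own,
# so one unexpected request never blocks the others.
sign_approved() {
    approved_hosts "$(certmaster-ca --list)" "$1" | while IFS= read -r name; do
        certmaster-ca --sign "$name"
    done
}
```

Keep the allowlist file (for example one line per slave, like the hosts entries at the top of this post) writable by root only; then an unexpected name in certmaster-ca --list is a signal worth investigating rather than something that gets signed in passing.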
If firewalls are enabled on the master and the slave, the slave must open ports 1998 (certmaster) and 1999 (func) to the master.
The master must open port 1998 (certmaster) to all slave hosts.
If the master has signed the slave's certificate but running func on the master still fails with a connection refused error,
stop the certmaster service on the slave and restart the funcd service.
Reference blog: http://blog.liuts.com/post/186/