- NETWORKING=yes
- NETWORKING_IPV6=no
- HOSTNAME=puppet.test.com
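- # Install the compiler toolchain and OpenSSL, then build Ruby 1.8.7 from source under /fgn/soft.
- # The glob is quoted so yum matches it against package names instead of the shell matching it against files in the current directory.
- yum -y install '*gcc*'
- yum -y install openssl
- mkdir -p /fgn/soft/ && cd /fgn/soft/
- # NOTE(review): the tarball is fetched over plain HTTP and nothing checks its integrity before it is compiled and installed.
- # Compare it with the digest published by the project before unpacking.
- wget http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p334.tar.gz
- tar zxvf ruby-1.8.7-p334.tar.gz
- cd ruby-1.8.7-p334
- ./configure && make && make install
- # Check that each listed Ruby library loads with the freshly built interpreter; a missing one makes ruby fail with a LoadError.
- for i in base64 cgi digest/md5 etc fileutils ipaddr openssl strscan syslog uri webrick webrick/https xmlrpc/client
- do
- /usr/local/bin/ruby -r"$i" -e "puts :installed"
- done
- cd ..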
- wget http://downloads.puppetlabs.com/facter/facter-1.5.8.tar.gz
- tar zxvf facter-1.5.8.tar.gz
- cd facter-1.5.8
- ruby install.rb
- cd ..
- wget http://downloads.puppetlabs.com/puppet/puppet-2.6.7.tar.gz
- tar zxvf puppet-2.6.7.tar.gz
- cd puppet-2.6.7
- ruby install.rb --full --bindir=/usr/bin --sbindir=/usr/sbin
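- # Install the puppetmasterd init script that matches the distribution.
- # The test needs a space after -e: without it `[` sees a single non-empty word, is always true, and the SuSE script is always copied.
- if [ -e /etc/SuSE-release ]; then
- cp conf/suse/server.init /etc/init.d/puppetmasterd
- else
- cp conf/redhat/server.init /etc/init.d/puppetmasterd
- fi
- # Create the puppet group and user that own the directories made below; -M skips creating a home directory.
- groupadd puppet
- useradd -g puppet puppet -M
- chmod +x /etc/init.d/puppetmasterd
- mkdir -p /var/lib/puppet/rrd
- chown puppet:puppet /var/lib/puppet/rrd/
- mkdir -p /var/run/puppet/
- chown puppet:puppet /var/run/puppet/
- # Register the service, enable it at boot and start it now.
- chkconfig --add puppetmasterd
- chkconfig puppetmasterd on
- /etc/init.d/puppetmasterd start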
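- # Agent side: install the puppetd init script that matches the distribution.
- # The test needs a space after -e; without it the condition is always true.
- if [ -e /etc/SuSE-release ]; then
- cp conf/suse/client.init /etc/init.d/puppetd
- else
- cp conf/redhat/client.init /etc/init.d/puppetd
- fi
- # Agent configuration.
- # NOTE(review): `listen = true` makes the agent accept incoming run requests, so the allow list in
- # namespaceauth.conf below is what limits who may trigger a run; keep it to the single host that needs it.
- # `ca_port = 8141` sends certificate traffic to the listener that does not require a client certificate.
- # `show_diff=true` puts file diffs into logs and reports, which can expose secrets held in managed files.
- cat <<EOF > /etc/puppet/puppet.conf
- [main]
- ssl_client_header =SSL_CLIENT_S_DN
- ssl_client_verify_header= SSL_CLIENT_VERIFY
- [agent]
- listen = true
- report = true
- show_diff=true
- runinterval = 300
- server = puppet.test.com
- ca_port = 8141
- EOF
- cat <<EOF > /etc/puppet/namespaceauth.conf
- [puppetrunner]
- allow cloudcenter.test.net
- EOF
- chmod +x /etc/init.d/puppetd
- # The service registered here is puppetd, so that is the name to enable (the original enabled "puppet").
- chkconfig --add puppetd
- chkconfig puppetd on
- # NOTE(review): where Puppet was installed with --sbindir=/usr/sbin, as earlier in this listing, this replaces
- # the real /usr/sbin/puppetd with a link to a path that may not exist. Confirm before running.
- ln -sf /usr/local/sbin/puppetd /usr/sbin/puppetd
- /etc/init.d/puppetd restart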
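- # Map the master's name to its address; the IP is the address of the central (master) server.
- # The original trailing `//...` remark was not a shell comment: echo received it as an extra argument and appended it to /etc/hosts.
- echo "192.168.0.1 puppet.test.com puppet" >> /etc/hosts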
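- # NOTE(review): this auth.conf disables authentication for every path and admits every host, so any client
- # that can reach the master may use any endpoint it serves without a verified certificate.
- # Treat it as lab-only; on a real master keep per-path rules that require authentication.
- cat <<EOF > /etc/puppet/auth.conf
- path /
- auth no
- allow *
- EOF
- # NOTE(review): autosign.conf signs certificate requests for any name matching *.test.net without operator
- # approval. The requester chooses the name in its request, so this trusts anything able to submit one.
- cat <<EOF > /etc/puppet/autosign.conf
- *.test.net
- EOF
- # File server mounts. `path` needs a space before the directory.
- # NOTE(review): [files] is readable by every host (`allow *`). "[moudles]" looks like a typo for "[modules]";
- # it is left as the page has it. Confirm the intended mount name.
- cat <<EOF > /etc/puppet/fileserver.conf
- [files]
- path /etc/puppet/manifests/files
- allow *
- [moudles]
- path /etc/puppet/modules
- allow *.test.net
- EOF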
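- # Master configuration. This writes the same path as the [agent] file earlier in the listing and replaces it;
- # presumably the two files are meant for different hosts. Confirm before running both on one machine.
- # NOTE(review): reporturl is plain HTTP, so run reports travel unencrypted to the dashboard on port 4000.
- cat <<EOF > /etc/puppet/puppet.conf
- [main]
- ssl_client_header = SSL_CLIENT_S_DN
- ssl_client_verify_header = SSL_CLIENT_VERIFY
- [master]
- fileserverconfig = /etc/puppet/fileserver.conf
- reports = http
- reporturl = http://192.168.0.1:4000/reports
- masterlog = /var/lib/puppet/log/puppetmaster.log
- logdir = /var/lib/puppet/log
- puppetdlog = /var/lib/puppet/log/puppetd.log
- EOF
- # The recipient address is masked on the page ("[email protected]"); put the real address after "err:".
- echo "err:[email protected]" > /etc/puppet/tagmail.conf
- # -p keeps a re-run from failing when the directory already exists.
- mkdir -p /etc/puppet/modules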
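- # Install RubyGems 1.6.2 from its tarball, then the mongrel gem used as the puppetmaster server type.
- # NOTE(review): the tarball is fetched over plain HTTP with no integrity check; verify it against the published digest before running setup.rb.
- cd /fgn/soft/
- wget http://production.cf.rubygems.org/rubygems/rubygems-1.6.2.tgz
- tar zxvf rubygems-1.6.2.tgz
- cd rubygems-1.6.2
- ruby setup.rb
- gem install mongrel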
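- # Build nginx 1.0.12 from source with the stub-status and SSL modules.
- # NOTE(review): the tarball is fetched over plain HTTP with no integrity check; verify it against the project's published signature or digest before building.
- cd /fgn/soft/
- wget http://nginx.org/download/nginx-1.0.12.tar.gz
- tar zxvf nginx-1.0.12.tar.gz
- cd nginx-1.0.12
- ./configure --with-http_stub_status_module --with-http_ssl_module
- make && make install
- # Account named by the `user daemon daemon;` directive in the nginx configuration that follows.
- useradd daemon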
- # nginx main context: worker processes run as user and group daemon.
- user daemon daemon;
- worker_processes 4;
- worker_rlimit_nofile 65535;
- # Dedicated error log and pid file for this Puppet front end.
- error_log /var/log/nginx-puppet.log notice;
- pid /var/run/nginx-puppet.pid;
- events {
- use epoll;
- worker_connections 32768;
- }
- # TLS front end for the puppetmaster: terminates SSL, serves file content from disk and proxies everything else
- # to the backends on 127.0.0.1:18140-18143.
- http {
- sendfile on;
- tcp_nopush on;
- keepalive_timeout 300;
- tcp_nodelay on;
- # `ssl on` in the http context applies to both server blocks below.
- ssl on;
- ssl_session_timeout 5m;
- # The server certificate and key are the master's own Puppet certificate; client certificates are checked against the Puppet CA and its CRL.
- ssl_certificate /etc/puppet/ssl/certs/puppet.test.com.pem;
- ssl_certificate_key /etc/puppet/ssl/private_keys/puppet.test.com.pem;
- ssl_client_certificate /etc/puppet/ssl/ca/ca_crt.pem;
- ssl_crl /etc/puppet/ssl/ca/ca_crl.pem;
- # NOTE(review): this cipher string selects SSLv2-era suites and RC4 with RSA key exchange, all considered weak,
- # and no ssl_protocols line restricts protocol versions. Replace it with a current protocol and cipher policy that the agents' OpenSSL supports.
- ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
- ssl_session_cache shared:SSL:8m;
- upstream puppetmaster {
- server 127.0.0.1:18140;
- server 127.0.0.1:18141;
- server 127.0.0.1:18142;
- server 127.0.0.1:18143;
- }
- # Defined but not referenced by any proxy_pass in this configuration.
- upstream dashboard {
- server 127.0.0.1:4000;
- }
- log_format download '$remote_addr, $http_x_forwarded_for $remote_user [$time_local] $request_time $host "$request_method $request_uri $server_protocol" $status - $body_bytes_sent $bytes_sent $sent_http_content_length "$sent_http_content_Range" "$http_referer" "$http_user_agent" $sent_http_x_cache $sent_http_content_type' " up_addr:$upstream_addr" " up_resp:$upstream_response_time" "s" " up_status:$upstream_status" ;
- access_log logs/access.log download;
- #+--------------------------------------------------------------------------------------------+
- # Port 8140: client certificate required (ssl_verify_client on), so unverified clients are rejected before any location is reached.
- server {
- listen 8140;
- server_name puppet.test.com;
- ssl_verify_client on;
- root /etc/puppet;
- # Ask the puppetmaster for everything else
- # File sections
- # Served by nginx straight from disk; these requests never reach the puppetmaster, so Puppet's own
- # auth.conf and fileserver.conf rules are not applied to them.
- location /production/file_content/files/ {
- types { }
- default_type application/x-raw;
- alias /etc/puppet/manifests/files/;
- }
- # Modules files sections
- # Maps /production/file_content/modules/<module>/<path> to /etc/puppet/modules/<module>/files/<path>.
- location ~ /production/file_content/modules/.+/ {
- root /etc/puppet/modules;
- types { }
- default_type application/x-raw;
- rewrite ^/production/file_content/modules/([^/]+)/(.+)$ /$1/files/$2 break;
- }
- location / {
- proxy_pass http://puppetmaster;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # The proxy sets these itself, so values a client sends under the same header names are replaced.
- # SUCCESS is a constant here; it is accurate only because this server rejects unverified clients.
- # NOTE(review): puppet.conf on this page names SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY as the headers to read,
- # while the proxy sends X-Client-DN, X-Client-Verify and X-SSL-Subject. Confirm that the master really
- # reads the verify result it is sent.
- proxy_set_header X-Client-Verify SUCCESS;
- proxy_set_header X-Client-DN $ssl_client_s_dn;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
- }#server end
- # Port 8141: no client certificate is requested (ssl_verify_client off); the agent configuration on this page uses it as ca_port.
- # NOTE(review): the two file_content locations below are also served here, so any host that can reach 8141 can
- # read files under /etc/puppet/manifests/files and each module's files/ directory without a certificate.
- # Drop them from this server unless unauthenticated reads are intended.
- server {
- listen 8141;
- ssl_verify_client off;
- root /etc/puppet;
- access_log /usr/local/nginx/logs/access-8141.log download;
- # File sections
- location /production/file_content/files/ {
- types { }
- default_type application/x-raw;
- alias /etc/puppet/manifests/files/;
- }
- # Modules files sections
- location ~ /production/file_content/modules/.+/ {
- root /etc/puppet/modules;
- types { }
- default_type application/x-raw;
- rewrite ^/production/file_content/modules/([^/]+)/(.+)$ /$1/files/$2 break;
- }
- location / {
- proxy_pass http://puppetmaster;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # Requests through this listener are marked as unverified for the master.
- proxy_set_header X-Client-Verify FAILURE;
- proxy_set_header X-Client-DN $ssl_client_s_dn;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
- }
- }#http end
- # Settings in sysconfig form for the puppetmasterd init script (presumably /etc/sysconfig/puppetmaster; the page does not name the file).
- # Location of the main manifest
- #PUPPETMASTER_MANIFEST=/etc/puppet/manifests/site.pp
- # Where to log general messages to.
- # Specify syslog to send log messages to the system log.
- PUPPETMASTER_LOG=/var/log/puppet/puppetmaster.log
- # The ports are the same four the nginx `upstream puppetmaster` block on this page forwards to on 127.0.0.1.
- PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
- # Runs the master under mongrel and takes the client DN from the X-SSL-Subject request header.
- # NOTE(review): the master then trusts that header, so the backend ports must be reachable only through the proxy. Confirm they are not exposed on external interfaces.
- PUPPETMASTER_EXTRA_OPTS="--servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT"
- # You may specify other parameters to the puppetmaster here
- #PUPPETMASTER_EXTRA_OPTS=--noca
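- # Restart the master so it picks up the new settings, then start nginx in front of it.
- /etc/init.d/puppetmasterd restart
- /usr/local/nginx/sbin/nginx
- # Minimal site manifest: every node gets /tmp/temp1.txt with a fixed content string.
- cat <<EOF > /etc/puppet/manifests/site.pp
- node default {
- file {"/tmp/temp1.txt": content => "hello,first puppetmanifest"; }
- }
- EOF
- # One-off agent run against the master to confirm the setup end to end.
- puppetd --test --server puppet.test.com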