puppetmaster 主机名puppet.zhouml.com
slave1主机名 slave.puppet1.com
slave2主机名 logserver-SW
安装服务器端(master)
rpm -ivh epel-release-5-4.noarch.rpm
yum install -y puppet puppet-server facter
服务器端hosts
[root@logserver-MO files]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 puppet.zhouml.com puppet
::1 localhost6.localdomain6 localhost6
192.168.188.132 slave.puppet2.com
192.168.188.135 slave.puppet1.com
puppet 服务器端目录树
|-- auth.conf
|-- fileserver.conf
|-- manifests
| |-- nodes
| | |-- 1.pp
| | `-- 2.pp
| |-- nodes.pp
| |-- site.pp
| |-- site.pp.back
| |-- site.pp.new
| `-- zhouml.pp
|-- modules
| |-- mediaserver
| | |-- files
| | | `-- home
| | | `-- mediaserver
| | |-- manifests
| | | `-- init.pp
| | `-- templates
| |-- sudo
| | |-- files
| | | `-- etc
| | | `-- sudoers
| | |-- manifests
| | | `-- init.pp
| | `-- templates
| |-- svn
| | `-- templates
| `-- system
| |-- files
| | `-- puppet.conf
| |-- manifests
| | |-- init.pp
| | `-- puppet_client.pp
| `-- templates
`-- puppet.conf
服务器端/etc/puppet/puppet.conf 配置文件
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
[master]
certname=puppet.zhouml.com
server=puppet.zhouml.com
推送mediaserver为例子
入口文件site.pp
# Entry manifest: pull in the node definitions, then apply mediaserver everywhere.
import 'nodes/1.pp'
# Top-level include (not inside a node block), so it applies to every node.
include mediaserver
# NOTE(review): assigned *after* the include, yet mediaserver's init.pp
# interpolates $puppetserver in its source URL -- move this line above
# `include mediaserver` so the value is set when the class is evaluated; confirm.
$puppetserver = 'puppet.zhouml.com'
注:此处'nodes/1.pp' 可支持通配符'nodes/*.pp'
节点定义
nodes下的1.pp
# slave1: declares nothing of its own; the top-level `include mediaserver`
# in site.pp is what this node receives.
node 'slave.puppet1.com' {
}
2.pp
# slave2: empty node, gets only what site.pp includes at top level.
# NOTE(review): a node name must match the agent's certname; the master's
# /etc/hosts above lists 192.168.188.132 as slave.puppet2.com, not
# logserver-SW -- confirm which name the agent's certificate carries.
node 'logserver-SW' {
}
模块定义
|-- mediaserver
| |-- files
| | `-- home
| | `-- mediaserver
| |-- manifests
| | `-- init.pp
| `-- templates
|-- sudo
| |-- files
| | `-- etc
| | `-- sudoers
| |-- manifests
| | `-- init.pp
| `-- templates
|-- svn
| `-- templates
`-- system
|-- files
| `-- puppet.conf
|-- manifests
| |-- init.pp
| `-- puppet_client.pp
`-- templates
mediaserver 模块
init.pp
# Deploys /home/mediaserver from this module's files/home/mediaserver on the
# master (the puppet:// URL below maps onto modules/mediaserver/files/...).
class mediaserver {
# package { mediaserver:
# ensure => present,
#}
# $puppetserver is set in site.pp; if it is empty the URL has no host part.
file { "/home/mediaserver":
owner => "root",
group => "root",
# numeric mode as written; newer Puppet releases expect a quoted string such as '0755'
mode => 755,
source => "puppet://$puppetserver/modules/mediaserver/home/mediaserver",
# NOTE(review): if files/home/mediaserver is a directory, `recurse => true` is
# needed for its contents to be copied -- confirm against the module tree.
# require => Package["mediaserver"],
}
}
file文件夹下
`-- home
`-- mediaserver
安装客户端(slave)
rpm -ivh epel-release-5-4.noarch.rpm
yum install -y puppet facter
客户端hosts
[root@slave home]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 slave.puppet1.com localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.188.142 puppet.zhouml.com
puppet目录树结构
|-- auth.conf
|-- namespaceauth.conf
|-- puppet.conf
`-- ssl
|-- certificate_requests
|-- certs
| |-- ca.pem
| `-- slave.puppet1.com.pem
|-- private
|-- private_keys
| `-- slave.puppet1.com.pem
`-- public_keys
`-- slave.puppet1.com.pem
规则文件 auth.conf（注意：末尾的 `path /` 配合 `auth any` 和 `allow *` 会对其余所有接口放行，包括未认证的客户端；生产环境应收紧这一段）
path ~ ^/catalog/([^/]+)$
method find
allow $1
path /certificate_revocation_list/ca
method find
allow *
path /report
method save
allow *
path /file
allow *
path /certificate/ca
auth no
method find
allow *
path /certificate/
auth no
method find
allow *
path /certificate_request
auth no
method find, save
allow *
path /
auth any
allow *
namespaceauth.conf
# This is an example namespaceauth.conf file,
# which you'll need if you want to start a client
# in --listen mode.
[fileserver]
allow *.domain.com
[puppetmaster]
allow *.zhouml.com
[puppetrunner]
allow puppet.zhouml.com
[puppetbucket]
allow *.domain.com
[puppetreports]
allow *.domain.com
[resource]
allow server.domain.com
客户端puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
listen=true
/etc/sysconfig/puppet文件
# The puppetmaster server
PUPPET_SERVER=puppet.zhouml.com
# If you wish to specify the port to connect to do so here
#PUPPET_PORT=8140
# Where to log to. Specify syslog to send log messages to the system log.
#PUPPET_LOG=/var/log/puppet/puppet.log
# You may specify other parameters to the puppet client here
#PUPPET_EXTRA_OPTS=--waitforcert=500
PUPPET客户端测试命令
puppetd --server=puppet.zhouml.com --no-daemonize --verbose
puppet服务器端推送命令
puppetrun slave.puppet1.com
puppetca --list 查询请求主机
puppetca -s -a 签署所有待处理的证书请求（会批准任何已提交请求的主机，执行前应先用 --list 核对）
puppetca -l -a 查询已合法主机列表
puppet + nginx
在 /etc/sysconfig/puppetmaster 末尾添加以下 2 行，开启多端口支持
PUPPETMASTER_PORTS=( 18141 18142 18143 18144 )
PUPPETMASTER_EXTRA_OPTS="--servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT"
nginx配置
wget -c http://nginx.org/download/nginx-1.2.4.tar.gz
tar xzf nginx-1.2.4.tar.gz && cd nginx-1.2.4 && ./configure --prefix=/usr/local/nginx --with-http_ssl_module && make && make install
nginx配置文件
/usr/local/nginx/conf/nginx.conf
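user daemon daemon;
worker_processes 4;
worker_rlimit_nofile 65535;
error_log /var/log/nginx-puppet.log notice;
pid /var/run/nginx-puppet.pid;
events {
  use epoll;
  worker_connections 32768;
}
http {
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 300;
  tcp_nodelay on;
  # One mongrel puppetmaster backend per port.
  # NOTE(review): the /etc/sysconfig/puppetmaster snippet above sets
  # PUPPETMASTER_PORTS=( 18141 18142 18143 18144 ) while this pool starts at
  # 18140 -- reconcile the two lists so every upstream entry has a listener.
  upstream puppetmaster {
    server 127.0.0.1:18140;
    server 127.0.0.1:18141;
    server 127.0.0.1:18142;
    server 127.0.0.1:18143;
  }
  server {
    listen 8140;
    root /etc/puppet;
    ssl on;
    ssl_session_timeout 5m;
    # Master certificate/key issued by the puppet CA; client certificates are
    # checked against the CA certificate and its CRL.
    ssl_certificate /var/lib/puppet/ssl/certs/puppet.zhouml.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.zhouml.com.pem;
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    # 'optional' rather than 'on' so that a new agent can still submit its
    # certificate request without a certificate; anything that must be
    # authenticated therefore has to check $ssl_client_verify itself.
    ssl_verify_client optional;
    # File sections, served by nginx directly -- the master's auth.conf never
    # sees these requests, so the certificate check is done here: only clients
    # whose certificate verified against the CA may read the files.
    location /production/file_content/files/ {
      if ($ssl_client_verify != SUCCESS) { return 403; }
      types { }
      default_type application/x-raw;
      alias /etc/puppet/manifests/files/;
    }
    # Modules files sections (same certificate check as above)
    location ~ /production/file_content/modules/.+/ {
      if ($ssl_client_verify != SUCCESS) { return 403; }
      root /etc/puppet/modules;
      types { }
      default_type application/x-raw;
      rewrite ^/production/file_content/modules/([^/]+)/(.+)$ /$1/files/$2 break;
    }
    # Ask the puppetmaster for everything else. The master is started with
    # --ssl_client_header=HTTP_X_SSL_SUBJECT and so trusts the X-SSL-Subject /
    # X-Client-Verify headers set here; the mongrel ports must therefore not be
    # reachable by agents except through this proxy (bind them to 127.0.0.1 or
    # firewall them).
    location / {
      proxy_pass http://puppetmaster;
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Client-Verify $ssl_client_verify;
      proxy_set_header X-SSL-Subject $ssl_client_s_dn;
      proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
      proxy_buffer_size 16k;
      proxy_buffers 8 32k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
      proxy_read_timeout 65;
    }
  }#server end
}#http end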
PUPPET-DASHBOARD
升级ruby到1.8.7
tar -zxvf ruby-1.8.7.tar.gz
./configure
make -j5 && make install
在/etc/profile中加入环境变量
export PATH=/usr/local/ruby/bin/:$PATH
yum install -y mysql mysql-devel mysql-server ruby ruby-devel ruby-irb ruby-mysql ruby-rdoc ruby-ri
安装rubygems
tar -zxvf rubygems-1.3.5.tgz
cd rubygems-1.3.5
ruby setup.rb
gem uninstall rake -v=10.0.3 删除高版本
gem install rake -v=0.8.7
rake -V 版本
[root@puppetmaster puppet-dashboard]# vi /usr/share/puppet-dashboard/Rakefile +10
# Add your own tasks in files placed in lib/tasks ending in .rake,
# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
require(File.join(File.dirname(__FILE__), 'config', 'boot'))
require 'thread'
require 'rake'
require 'rake/testtask'
#require 'rake/rdoctask'
require 'rdoc/task'
require 'tasks/rails'
gem install rdoc
rpm -ivh puppet-dashboard-1.1.1-1.noarch.rpm
安装在/usr/share/puppet-dashboard下
在 config 目录下执行 cp database.yml.example database.yml（示例里 password 为空，需填入实际密码）
development:
database: dashboard
username: dashboard
password:
encoding: utf8
adapter: mysql
重启mysqld puppetmaster
在/usr/share/puppet-dashboard下
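# Create the dashboard database and run the migrations. RAILS_ENV has to be
# given on every rake call: without it the migrate step would fall back to the
# development section of database.yml instead of the production database.
rake RAILS_ENV=production db:create
rake RAILS_ENV=production db:create && rake RAILS_ENV=production db:migrate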
若出现 Access denied for user ''@'localhost' to database 'mysql'，可用下面的命令启动 mysqld 解决:
/usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
启动 ./script/server -p 3000 -d
/etc/init.d/puppet-dashboard启动脚本
#!/bin/bash
#
# Init script for puppet-dashboard
#
# chkconfig: - 85 15
# description: Init script for puppet-dashboard
# Source function library.
# Init helpers used below (pidofproc, killproc, echo_success, echo_failure).
. /etc/rc.d/init.d/functions
# Optional per-host overrides for the DASHBOARD_* settings.
[ -f /etc/sysconfig/puppet-dashboard ] && . /etc/sysconfig/puppet-dashboard
# Defaults, applied only where the sysconfig file left a value unset or empty.
: "${DASHBOARD_HOME:=/usr/share/puppet-dashboard}"
: "${DASHBOARD_USER:=puppet-dashboard}"
: "${DASHBOARD_RUBY:=/usr/bin/ruby}"
: "${DASHBOARD_ENVIRONMENT:=production}"
# 0.0.0.0 means every interface; set DASHBOARD_IFACE in the sysconfig file to
# bind the dashboard to a single address instead.
: "${DASHBOARD_IFACE:=0.0.0.0}"
: "${DASHBOARD_PORT:=3000}"
PIDFILE=/var/run/puppet-dashboard.pid
RETVAL=0
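#######################################
# Check whether the process recorded in PIDFILE is still running.
# Globals:   PIDFILE, DASHBOARD_RUBY (read)
# Returns:   pidofproc's status: 0 when the process is alive, non-zero otherwise
#######################################
check_status() {
  # quoted so a path containing whitespace is passed as one argument
  pidofproc -p "${PIDFILE}" "${DASHBOARD_RUBY}" > /dev/null
}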
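#######################################
# Start the dashboard under DASHBOARD_USER unless it is already running.
# Globals:   DASHBOARD_RUBY, DASHBOARD_HOME, DASHBOARD_ENVIRONMENT,
#            DASHBOARD_PORT, DASHBOARD_IFACE, DASHBOARD_USER, PIDFILE (read)
#            RETVAL (written)
# Outputs:   progress line on stdout via echo_success / echo_failure
# Returns:   0 if the server is up after the start delay, non-zero otherwise
#######################################
start() {
  echo -n $"Starting Puppet Dashboard: "
  # Don't start it twice.
  check_status
  RETVAL=$?
  if [ "$RETVAL" -eq 0 ]; then
    echo -n "Already running"
    echo_success
    echo
    return 0
  fi
  # This is a dirty, dirty hack, but it's rather difficult to get
  # script/server to daemonize in any way, and still give us useful
  # debugging output (or a real exit code) if it fails to start.
  # Also: We don't have reliable access to start-stop-daemon.
  # Each value is single-quoted inside the command string so that a path or
  # option containing whitespace survives the login shell's word splitting.
  su -s /bin/sh -c "'${DASHBOARD_RUBY}' '${DASHBOARD_HOME}/script/server' -e '${DASHBOARD_ENVIRONMENT}' -p '${DASHBOARD_PORT}' -b '${DASHBOARD_IFACE}'" "${DASHBOARD_USER}" &
  # $! is the backgrounded su; that PID is what check_status probes later.
  local pid=$!
  printf '%s\n' "$pid" > "${PIDFILE}"
  # Give script/server a moment to come up (or die) before probing it.
  sleep 5
  check_status
  RETVAL=$?
  if [ "$RETVAL" -eq 0 ]; then
    echo_success
  else
    echo_failure
  fi
  echo
  return $RETVAL
}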
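#######################################
# Stop the dashboard whose PID is recorded in PIDFILE.
# Globals:   PIDFILE (read); RETVAL (written)
# Outputs:   progress line on stdout via echo_success / echo_failure
# Returns:   killproc's status (0 when the process was stopped)
#######################################
stop() {
  echo -n $"Stopping Puppet Dashboard: "
  # -p makes killproc use the PID saved by start(); 'puppet-dashboard' is
  # presumably only the label it reports.
  killproc -p "${PIDFILE}" puppet-dashboard
  RETVAL=$?
  if [ "$RETVAL" -eq 0 ]; then
    echo_success
  else
    echo_failure
  fi
  echo
  return $RETVAL
}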
# See how we were called.
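# Dispatch on the action the init system passes as the first argument.
case "$1" in
  start)
    start
    exit $?
    ;;
  stop)
    stop
    exit $?
    ;;
  restart)
    # A failing stop (e.g. nothing was running) short-circuits the start;
    # the exit status is that of whichever step ran last.
    stop && start
    exit $?
    ;;
  status)
    echo -n 'Puppet Dashboard is '
    # Same probe start()/stop() rely on, so status and start agree.
    check_status
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
      echo 'running'
    else
      echo 'stopped'
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
esac
# Only the status branch reaches this line; its status is check_status's result.
exit $RETVAL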
################导入现有报告##############
在/usr/share/puppet-dashboard目录下
rake RAILS_ENV=production reports:import
2.6 版本之后，客户端需打开报告功能:
[agent]
report = true
master上
[master]
reports = http
reporturl = http://dashboard.example.com:80/reports
reporturl 中的 http://dashboard.example.com 也可以写成 IP 地址
外部节点分类器
[master]
node_terminus = exec
external_nodes = /usr/share/puppet-dashboard/bin/external_node
puppet agent --configprint runinterval 检查客户端同步周期时间
Puppet 在同步时遇到以下错误: notice: Run of Puppet configuration client already in progress; skipping。若确认没有 puppetd 正在运行，删除 puppetdlock 后重试即可解决: rm /var/lib/puppet/state/puppetdlock
客户端需检查/修改: hostname、firewall、puppet、ntp；必要时 rm -rf /var/lib/puppet/ssl
/sbin/iptables -A INPUT -p udp --dport 123 -j ACCEPT
转个puppet报错修复连接http://blog.chinaunix.net/uid-11915773-id-3059902.html