Puppet Installation and Dashboard Integration Manual

 

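Introduction to Puppet

Puppet is a centralized configuration management system for Linux, Unix and Windows platforms. It uses its own Puppet description language and can manage configuration files, users, cron jobs, software packages, system services and more. Puppet calls these system entities resources; its design goal is to simplify the management of these resources and to handle the dependencies between them properly.

Puppet uses a client/server star topology in which all clients talk to one or a few servers. Each client periodically (every half hour by default) sends a request to the server, obtains its latest configuration, and keeps itself in sync with it. Each puppet client connects to the server every half hour (configurable), downloads the latest configuration, and configures the machine strictly according to it. When the run is finished, the puppet client can send a message back to the server; if an error occurs, it also reports that to the server.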

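Pre-installation preparation

Test environment

| System | Role | IP | Hostname |
|---|---|---|---|
| CentOS 6.5/CentOS 5.5 (same steps for both) | Master | 10.2.180.183 | app180-183.test.com |
| CentOS 5.5 | Client | 10.2.180.181 | app180-181.test.com |
| CentOS 6.4 | Client | 10.2.180.184 | app180-184.test.com |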

1. Disable SELinux

sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config; setenforce 0

2. Disable iptables

chkconfig iptables off; service iptables stop

3. Time synchronization

ntpdate time.nist.gov; echo '*/10 * * * * ntpdate time.nist.gov' >> /var/spool/cron/root

4. Configure DNS resolution, or add the hostnames directly to the hosts file

5. Configure the EPEL and Puppet repositories

Enterprise Linux 6

rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Enterprise Linux 5

rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-5.noarch.rpm

rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

Keep the RPMs downloaded by yum

sed -i s/keepcache=.*/keepcache=1/g /etc/yum.conf

 

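Install the master and agent

Master

Install the Puppet Master server; at the time of installation the latest server version was 3.6.1-1

yum -y install puppet-server

Update

puppet resource package puppet-server ensure=latest

Configure

chkconfig puppetmaster on; service puppetmaster start

After startup, the <hostname>.pem and CA files are generated automatically under /var/lib/puppet/ssl.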

Nodes

Install the Puppet agent on the nodes; at the time of installation the latest client version was 3.6.1-1

yum -y install puppet

Update

puppet resource package puppet ensure=latest

Configure the node to connect to the puppet master

sed -i 's/#PUPPET_SERVER=puppet/PUPPET_SERVER=app180-183.test.com/g' /etc/sysconfig/puppet

sed -i 's/#PUPPET_PORT=8140/PUPPET_PORT=8140/g' /etc/sysconfig/puppet

sed -i 's/#PUPPET_LOG=\/var\/log\/puppet\/puppet.log/PUPPET_LOG=\/var\/log\/puppet\/puppet.log/g' /etc/sysconfig/puppet

# runinterval = 60 means the agent syncs with the server every 60 seconds

echo "   report = true" >> /etc/puppet/puppet.conf

echo "   runinterval = 60" >> /etc/puppet/puppet.conf

chkconfig puppet on; service puppet start

Another way to sync saves memory: run the agent directly from cron on a schedule. Use the following command to add the crontab entry

puppet resource cron puppet-agent ensure=present user=root minute=30 command='/usr/bin/puppet agent --onetime --no-daemonize --splay'

crontab -l

After startup, the <hostname>.pem and CA files are generated automatically under /var/lib/puppet/ssl.

 

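CA authentication

node

After the agent starts, it generates a <hostname>.pem certificate file and automatically asks the master to sign it.

If the node's hostname changes, delete the original certificate files, clean the old client name on the master, then regenerate the certificate and request a signature again.

Delete the certificate files

rm -rf /var/lib/puppet/ssl/*

Debug mode can be used to generate the certificate.

puppet agent --no-daemonize --debug --onetime --verbose --server=app180-183.test.com

master

List the clients waiting to be signed

puppet cert list

Sign a specific client

puppet cert sign app180-181.test.com

Sign all client requests

puppet cert sign --all

Revoke a client certificate

puppet cert revoke app180-181.test.com

Clean a client certificate

puppet cert clean app180-181.test.com

Automatic signing configuration on the master

Add the following to the puppet.conf configuration file on the server

[main]

autosign = true

Or create the file directly

echo "*.test.com" >> /etc/puppet/autosign.conf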
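
Both settings above sign a request based only on the name it claims: autosign = true signs everything, and the autosign.conf glob signs any CSR whose name ends in .test.com. As an added example (not part of the original manual), the script below is a policy-based autosign check, which Puppet 3.4 and later runs when autosign in the master's puppet.conf is set to the path of an executable; it signs only when the CSR carries a pre-shared challengePassword. The name pattern, the secret and all helper names are assumptions for this lab.

```ruby
require 'openssl'

# Assumptions for this lab: hosts are named like app180-181.test.com and the
# secret below is a constructed placeholder (read it from a root-only file).
ALLOWED_NAME  = /\Aapp\d+-\d+\.test\.com\z/
SHARED_SECRET = 'constructed-demo-secret'

def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Value of the challengePassword attribute in the CSR, or nil if absent.
def challenge_password(csr)
  attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
  attr && attr.value.value.first.value
end

# True only when the name is expected, the CSR's CN matches it, the CSR is
# correctly self-signed and the requester knew the pre-shared secret.
def sign?(certname, csr_pem, secret = SHARED_SECRET)
  return false unless ALLOWED_NAME.match?(certname)
  csr = OpenSSL::X509::Request.new(csr_pem)
  cn = csr.subject.to_a.find { |field, _value, _type| field == 'CN' }
  return false unless cn && cn[1] == certname && csr.verify(csr.public_key)
  pw = challenge_password(csr)
  !pw.nil? && constant_time_eq?(pw, secret)
rescue OpenSSL::OpenSSLError
  false
end

# Constructed sample CSR, shaped like the one an agent would submit.
def sample_csr(certname, password = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  if password
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::PrintableString.new(password)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword', set))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256')).to_pem
end

# Puppet passes the certname as the only argument and the PEM CSR on stdin;
# exit status 0 means "sign", anything else leaves the request pending.
exit(sign?(ARGV[0], $stdin.read) ? 0 : 1) if __FILE__ == $PROGRAM_NAME && ARGV.any?
```

On the agent side the secret goes into the CSR through the custom_attributes section of csr_attributes.yaml (OID 1.2.840.113549.1.9.7) before the first run.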

 

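Deploying Dashboard, the Puppet reporting system

Puppet Dashboard was created by Puppet Labs, the company behind Puppet, and is a Ruby on Rails application. It can act as an ENC (external node classifier) and as a reporting tool, and it is gradually becoming an integrated interface for many new Puppet features such as auditing and resource management. Puppet Dashboard displays information about Puppet masters and agents. It lets you view graphs and report data aggregated from one or more Puppet masters. It also collects inventory data from Puppet agents (host facts and other information) through one or more Puppet masters. Finally, it can act as an ENC to configure Puppet nodes and assign classes and parameters to them.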

Install the packages

yum install ruby-mysql mysql-server puppet-dashboard

Configure the database

chkconfig mysqld on; service mysqld start

mysqladmin -uroot password 123456

MySQL database creation script

CREATE DATABASE dashboard CHARACTER SET utf8;

CREATE USER 'dashboard'@'localhost' IDENTIFIED BY '123456';

GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost';

flush privileges;

Tune the database

[mysqld]

# Allowing 32MB allows an occasional 17MB row with plenty of spare room

max_allowed_packet = 32M 

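Then restart mysqld

Edit the Dashboard database connection settings

vi /usr/share/puppet-dashboard/config/database.yml

Change the production section as follows; the other sections can be left unchanged

Create the schema

cd /usr/share/puppet-dashboard/

rake gems:refresh_specs  # fixes something

rake RAILS_ENV=production db:migrate

If there are no errors, the database has been set up.

Inspect the database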

mysql> show tables;

+------------------------------+

| Tables_in_dashboard          |

+------------------------------+

| delayed_job_failures         |

| delayed_jobs                 |

| metrics                      |

| node_class_memberships       |

| node_classes                 |

| node_group_class_memberships |

| node_group_edges             |

| node_group_memberships       |

| node_groups                  |

| nodes                        |

| old_reports                  |

| parameters                   |

| report_logs                  |

| reports                      |

| resource_events              |

| resource_statuses            |

| schema_migrations            |

| timeline_events              |

+------------------------------+

18 rows in set (0.00 sec)

 

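Test whether Dashboard works

cd /usr/share/puppet-dashboard/

./script/server -e production

You can access it directly at http://dashboardserver:3000.

Run Dashboard (WEBrick mode)

/etc/init.d/puppet-dashboard start

Visit http://dashboardserver:3000

This mode is only for test runs; it is not officially recommended, does not support concurrency, and is only suitable for a small number of clients.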

 

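Install and configure Passenger mode

yum install openssl-devel zlib-devel curl-devel gcc-c++ httpd httpd-devel mod_ssl ruby-devel rubygems gcc

Install Rack/Passenger

Passenger is an extension for Apache 2.x used to run Rails and Rack applications inside Apache. By default puppetmaster uses WEBrick to serve files; with many puppet clients its file-serving performance becomes very poor, so Apache is used to serve files instead and make puppetmaster more robust.

gem install rack passenger  # this can also be installed locally

Download the gems with the following script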

for i in daemon_controller-1.2.0 json-1.5.5 passenger-4.0.43 rack-1.5.2 rake-0.8.7

do

    wget http://rubygems.org/downloads/$i.gem

done

Then

gem install --local *.gem

passenger-install-apache2-module

 

Install the Puppet Master Rack application

mkdir -p /usr/share/puppet/rack/puppetmasterd

mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp

cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/

chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru

 

Create and enable the Puppet Master vhost

Configure the passenger module

vi /etc/httpd/conf.d/passenger.conf

LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.42/buildout/apache2/mod_passenger.so

<IfModule mod_passenger.c>

PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.42

PassengerDefaultRuby /usr/bin/ruby

</IfModule>

Configure the vhost

cp /usr/share/puppet/ext/rack/example-passenger-vhost.conf /etc/httpd/conf.d/passenger-vhost.conf

[root@app180-183 conf.d]# vi passenger-vhost.conf

# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.

# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
#RackAutoDetect Off
#RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol             ALL -SSLv2
        SSLCipherSuite          ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
        SSLHonorCipherOrder     on

        SSLCertificateFile      /var/lib/puppet/ssl/ca/signed/app180-183.test.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/app180-183.test.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem

        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet-dashboard/public
        RackBaseURI /
        PassengerAppRoot /usr/share/puppet/rack/puppetmasterd
        <Directory /usr/share/puppet-dashboard/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Listen 3001
NameVirtualHost *:3001
<VirtualHost *:3001>
        DocumentRoot /usr/share/puppet-dashboard/public/
        #  ErrorLog /var/log/httpd/dashboard_error.log
        #  CustomLog /var/log/httpd/dashboard_access.log combined
        #  RailsAutoDetect On
        AddDefaultCharset UTF-8
        RailsEnv production
        <Location "/">
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Location>
</VirtualHost>
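
Two settings in the listing above are worth checking before going live: SSLProtocol ALL -SSLv2 leaves SSLv3 enabled on the master port, and the Dashboard vhost on 3001, which receives report uploads and serves ENC data, is plain HTTP with allow from all. As an added example (not part of the original manual), the script below audits an Apache config for exactly these two conditions; the function names and finding labels are assumptions of this example.

```ruby
# VHOST_SAMPLE is a condensed, constructed copy of the listing above; only the
# directives the two checks look at are kept.
VHOST_SAMPLE = <<~CONF
  <VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL -SSLv2
    SSLVerifyClient optional
  </VirtualHost>
  <VirtualHost *:3001>
    DocumentRoot /usr/share/puppet-dashboard/public/
    <Location "/">
      Order allow,deny
      allow from all
    </Location>
  </VirtualHost>
CONF

# Split a config into { "addr:port" => [directive lines] }, one entry per vhost.
def vhosts(conf)
  blocks = {}
  current = nil
  conf.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A<VirtualHost\s+(.+?)>\z/i))
      current = blocks[m[1]] = []
    elsif line.match?(%r{\A</VirtualHost>\z}i)
      current = nil
    elsif current
      current << line
    end
  end
  blocks
end

# Returns [[vhost, finding], ...]:
#   :sslv3_enabled    SSLProtocol starts from ALL and never removes SSLv3
#   :plain_http_open  no "SSLEngine on" and an unrestricted "allow from all"
def audit(conf)
  vhosts(conf).flat_map do |name, lines|
    tls   = lines.any? { |l| l.match?(/\ASSLEngine\s+on\z/i) }
    proto = lines.find { |l| l.match?(/\ASSLProtocol\s/i) }
    open  = lines.any? { |l| l.match?(/\Aallow\s+from\s+all\z/i) }
    found = []
    found << [name, :sslv3_enabled] if proto&.match?(/\bALL\b/i) && proto !~ /-SSLv3\b/i
    found << [name, :plain_http_open] if open && !tls
    found
  end
end
```

Adding -SSLv3 to SSLProtocol, and either enabling TLS on the 3001 vhost or narrowing its Allow from to the hosts that need it, clears both findings.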

Stop the WEBrick-based puppetmaster and use Apache in its place

chkconfig puppetmaster off; service puppetmaster stop

chkconfig puppet-dashboard off; service puppet-dashboard stop

chkconfig httpd on; service httpd restart

 

 

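Import reports (method 1)

cd /usr/share/puppet-dashboard/

rake RAILS_ENV=production reports:import  # import the reports that already exist

Note: by default node reports are written to /var/lib/puppet/reports/. If the path has changed, append "REPORT_DIR=<report path>" when importing reports; the reports path can be changed in puppet.conf with the parameter "reportdir = <new path>". This method is not real-time enough.

Configure automatic import and aggregation (method 2)

On the node

vim /etc/puppet/puppet.conf

# In the [agent] section

 

    server = puppet  # since version 2.7.0 the reporting system is enabled by default and needs no configuration

    report = true

    pluginsync = true

On the master

[main]

# Use the http report processor; other report processors include store, log, tagmail, rrdgraph, etc.

reports = http

# The http report processor sends Puppet reports to an HTTP URL and port (where Dashboard lives). Reports are sent as a YAML dump in an HTTP POST.

reporturl = http://10.2.180.183:3001/reports/upload

 

Start the background report-processing worker

cd /usr/share/puppet-dashboard/ && rake RAILS_ENV=production jobs:work &

Add this line to /etc/rc.local

 

Change the Dashboard time zone

Dashboard's default time zone is UTC; here it needs to be changed to CST (Asia/Shanghai)

vim /usr/share/puppet-dashboard/config/settings.yml

time_zone: 'Asia/Shanghai'

**Note**: values set in settings.yml override the corresponding settings in config/environment.rb (config.time_zone = 'UTC')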

 

 

Notes on Puppet 3.6.1:

http://roidelapluie.be/tag/automation.html

Puppet 3.6.1 depreciation warning

Dear puppet users using a yum-based distribution, once you upgrade to puppet 3.6.1, you will notice the following warning message each time you use a package type:

Warning: The package type's allow_virtual parameter will be changing its
default value from false to true in a future release. If you do not want to
allow virtual packages, please explicitly set allow_virtual to false.
(at /usr/lib/ruby/site_ruby/1.8/puppet/type.rb:816:in `set_default')

There is nothing you can do with that except setting a global parameter in your puppet tree, as stated in the release notes:

Package {
  allow_virtual => true,
}

I don't see any reason to have such a warning if enough information is given in the release notes. This disturbing behaviour is discussed in issue PUP-2650 and in the mailing list.

 

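Puppet bug list

If you get an error even though the configuration is correct, search the site below. For the error above, Baidu found nothing and Google would not open; I paged through many results on bing.com before finding a single hit, whereas the site below returned it immediately.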

https://tickets.puppetlabs.com/browse/PUP

 
