Puppet Installation and Dashboard Integration Manual

Introduction to Puppet

Puppet is a centralized configuration management system for Linux, Unix and Windows platforms. It uses its own Puppet description language and can manage configuration files, users, cron jobs, software packages, system services and more. Puppet calls these system entities resources; its design goal is to simplify the management of these resources and to handle the dependencies between them properly.

Puppet uses a client/server star topology in which all clients talk to one or a few servers. Each client periodically (every half hour by default; the interval can be changed) connects to the server, downloads its latest configuration and configures the machine strictly according to it. When the run is finished the Puppet client can send a message back to the server; if an error occurs, it also sends a message back to the server.

Preparation before installation

Test environment

    System       Role   IP   Hostname
    CentOS 6.5   M
    CentOS 5.5   C
    CentOS 6.4   C

1. Disable SELinux

    sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config; setenforce 0

2. Disable iptables

    chkconfig iptables off; service iptables stop

3. Synchronize the time

    ntpdate ; echo '*/10 * * * * ntpdate ' >> /var/spool/cron/root

4. Configure DNS resolution, or set the host names directly in the hosts file

5. Configure the EPEL and Puppet repositories

Enterprise Linux 6

    rpm -ivh /puppetlabs-release-el-6.noarch.rpm
    rpm -ivh /pub/epel/6/i386/epel-release-6-8.noarch.rpm

Enterprise Linux 5

    rpm -ivh /puppetlabs-release-el-5.noarch.rpm
    rpm -ivh /pub/epel/5/i386/epel-release-5-4.noarch.rpm

Keep the rpm packages downloaded by yum

    sed -i 's/keepcache=.*/keepcache=1/g' /etc/yum.conf

Installing the master and the agent

Master

Puppet Master Server installation. At the time of installation the latest server version was 3.6.1-1.

    yum -y install puppet-server

Update

    puppet resource package puppet-server ensure=latest

Configure

    chkconfig puppetmaster on; service puppetmaster start

After startup, a CA file named <hostname>.pem is generated automatically under /var/lib/puppet/ssl.

Nodes

Puppet Agent Nodes installation. At the time of installation the latest client version was 3.6.1-1.

    yum -y install puppet

Update

    puppet resource package puppet ensure=latest

Configure the node to connect to the puppet-master

    sed -i 's/#PUPPET_SERVER=puppet/PUPPET_SERVER=/g' /etc/sysconfig/puppet
    sed -i 's/#PUPPET_PORT=8140/PUPPET_PORT=8140/g' /etc/sysconfig/puppet
    sed -i 's|#PUPPET_LOG=/var/log/puppet/puppet.log|PUPPET_LOG=/var/log/puppet/puppet.log|g' /etc/sysconfig/puppet
    # runinterval = 60 means the agent synchronizes with the server every 60 seconds
    echo 'report = true' >> /etc/puppet/puppet.conf
    echo 'runinterval = 60' >> /etc/puppet/puppet.conf
    chkconfig puppet on; service puppet start

There is another way to synchronize that saves memory: call the agent periodically from cron. Use the following statement to add the crontab job.

    puppet resource cron puppet-agent ensure=present user=root minute=30 command='/usr/bin/puppet agent --onetime --no-daemonize --splay'
    crontab -l

After startup, a CA file named <hostname>.pem is generated automatically under /var/lib/puppet/ssl.

CA authentication

After the agent is started on a node, it generates a certificate file named <hostname>.pem and automatically asks the master to sign it. If the node's host name changes, the original certificate files must be deleted and the original client name cleaned on the master; then a new certificate is generated and submitted for signing.

Delete the certificate files

    rm -rf /var/lib/puppet/ssl/*

The certificate can be generated in debug mode.

    puppet agent --no-daemonize --debug --onetime --verbose --server=

On the master, list the clients waiting to be signed

    puppet cert list

Sign a specific client

    puppet cert sign 

Sign all client requests

    puppet cert sign --all

Revoke a client certificate

    puppet cert revoke 

Clean a client certificate

    puppet cert clean 

Automatic signing on the master

Add the following to the puppet.conf configuration file on the server

    [main]
    autosign = true

or create the file directly

    echo '*.' > /etc/puppet/autosign.conf

Deploying Dashboard, the Puppet reporting system

Puppet Dashboard was created by Puppetlabs, the company that supports the development of Puppet, and is a Ruby on Rails application. It can act as an ENC (external node classifier) and as a reporting tool, and it is gradually becoming an integrated interface for many new Puppet features, such as auditing and resource management.

Puppet Dashboard displays information about Puppet masters and agents. It lets you view graphs and report data aggregated from one or more Puppet masters. It also collects inventory data from Puppet agents (host facts and other information) through one or more Puppet masters. Finally, it can act as an ENC to configure Puppet nodes and to specify the classes and parameters on those nodes.

Install the packages

    yum install ruby-mysql mysql-server puppet-dashboard

Configure the database

    chkconfig mysqld on; service mysqld start
    mysqladmin -uroot password 123456

MySQL script to create the database

    CREATE DATABASE dashboard CHARACTER SET utf8;
    CREATE USER 'dashboard'@'localhost' IDENTIFIED BY '123456';
    GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost';
    FLUSH PRIVILEGES;

Tune the database

    [mysqld]
    # Allowing 32MB allows an occasional 17MB row with plenty of spare room
    max_allowed_packet = 32M

Then restart mysqld.

Modify the Dashboard database connection settings

    vi /usr/share/puppet-dashboard/config/database.yml

Change the production section as follows; the other sections can be left unchanged.

Create the schema

    cd /usr/share/puppet-dashboard/
    rake gems:refresh_specs    # fixes something
    rake RAILS_ENV=production db:migrate

If no error is reported, the database has been created.

Check the database

    mysql> show tables;
    +------------------------------+
    | Tables_in_dashboard          |
    +------------------------------+
    | delayed_job_failures         |
    | delayed_jobs                 |
    | metrics                      |
    | node_class_memberships       |
    | node_classes                 |
    | node_group_class_memberships |
    | node_group_edges             |
    | node_group_memberships       |
    | node_groups                  |
    | nodes                        |
    | old_reports                  |
    | parameters                   |
    | report_logs                  |
    | reports                      |
    | resource_events              |
    | resource_statuses            |
    | schema_migrations            |
    | timeline_events              |
    +------------------------------+
    18 rows in set (0.00 sec)

Test whether Dashboard works

    cd /usr/share/puppet-dashboard/
    ./script/server -e production

You can access it directly at http://dashboardserver:3000.

Run Dashboard (WEBrick mode)

    /etc/init.d/puppet-dashboard start

Access http://dashboardserver:3000. This mode is only meant for test runs. It is not officially recommended, does not support concurrency and is only suitable for a small number of clients.

Install and configure Passenger mode

    yum install openssl-devel zlib-devel curl-devel gcc-c++ httpd httpd-devel mod_ssl ruby-devel rubygems gcc

Install Rack/Passenger

Passenger is an extension for Apache 2.x that runs Rails or Rack applications inside Apache. By default the puppetmaster uses WEBrick to provide its file service. If you have many Puppet clients, the file service performance of the puppetmaster will be poor, so Apache is used to provide the file service and make the puppetmaster more robust.

    gem install rack passenger    # these can also be installed locally; download them with the script below

    for i in daemon_controller-1.2.0 json-1.5.5 passenger-4.0.43 rack-1.5.2 rake-0.8.7
    do
        wget /downloads/$i.gem
    done

Then

    gem install --local *.gem
    passenger-install-apache2-module

Install the Puppet Master Rack application

    mkdir -p /usr/share/puppet/rack/puppetmasterd
    mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
    cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
    chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru

Create and enable the Puppet Master vhost

Configure the passenger module

    vi /etc/httpd/conf.d/passenger.conf

    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.42/buildout/apache2/mod_passenger.so
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.42
    PassengerDefaultRuby /usr/bin/ruby

Configure the vhost

    cp /usr/share/puppet/ext/rack/example-passenger-vhost.conf /etc/httpd/conf.d/passenger-vhost.conf
    [root@app180-183 conf.d]# vi passenger-vhost.conf

    # This Apache 2 virtual host config shows how to use Puppet as a Rack
    # application via Passenger. See
    # /guides/passenger.html for more information.

    # You can also use the included config.ru file to run Puppet with other Rack
    # servers instead of Passenger.

    # you probably want to tune these settings
    PassengerHighPerformance on
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 1500
    # PassengerMaxRequests 1000
    PassengerStatThrottleRate 120
    #RackAutoDetect Off
    #RailsAutoDetect Off

    Listen 8140

    <VirtualHost *:8140>
        SSLEngine on
        SSLProtocol ALL -SSLv2
        SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
        SSLHonorCipherOrder on

        SSLCertificateFile /var/lib/puppet/ssl/ca/signed/.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        # The ExportCertData option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet-dashboard/public
        RackBaseURI /
        PassengerAppRoot /usr/share/puppet/rack/puppetmasterd
        # Directory path assumed: same as PassengerAppRoot
        <Directory /usr/share/puppet/rack/puppetmasterd/>
            Options None
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>

    Listen 3001
    NameVirtualHost *:3001
    <VirtualHost *:3001>
        DocumentRoot /usr/share/puppet-dashboard/public/
        # ErrorLog /var/log/httpd/dashboard_error.log
        # CustomLog /var/log/httpd/dashboard_access.log combined
        # RailsAutoDetect On
        AddDefaultCharset UTF-8
        RailsEnv production
        # Directory path assumed: same as DocumentRoot
        <Directory /usr/share/puppet-dashboard/public/>
            Options None
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>

Stop the WEBrick-based puppetmaster and use Apache in its place

    chkconfig puppetmaster off; service puppetmaster stop
    chkconfig puppet-dashboard off; service puppet-dashboard stop
    chkconfig httpd on; service httpd restart

Import reports (method 1)

    cd /usr/share/puppet-dashboard/
    rake RAILS_ENV=production reports:import    # import the reports that already exist

Note: by default the node reports are generated under /var/lib/puppet/reports/. If the path has changed, append "REPORT_DIR=<report path>" when importing the reports. The report path can be changed in puppet.conf with the parameter "reportdir = <new path>". This method is not real-time enough.

Configure automatic import and aggregation (method 2)

On the node

    vim /etc/puppet/puppet.conf

    # In the [agent] section
    server = puppet
    # Since version 2.7.0 the reporting system is enabled by default and does not need to be configured
    report = true
    pluginsync = true

On the master

    [main]
    # Use the http report processor; besides it there are also the store, log, tagmail, rrdgraph and other report processors
    reports = http
    # The http report processor sends Puppet reports to an HTTP URL and port (the location of Dashboard).
    # The reports are sent as a YAML dump in an HTTP POST.
    reporturl = 83:3001/reports/upload

Start the background process that handles the reports

    cd /usr/share/puppet-dashboard/ && rake RAILS_ENV=production jobs:work &

Add this line to /etc/rc.local.

Change the Dashboard time zone

The default Dashboard time zone is UTC; here it needs to be changed to CST (Asia/Shanghai).

    vim /usr/share/puppet-dashboard/config/settings.yml

    time_zone: 'Asia/Shanghai'

Note: the value set in settings.yml overrides the corresponding setting in config/environment.rb (config.time_zone = 'UTC').

Notes on Puppet 3.6.1: http:/ro
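
The autosigning settings in the CA authentication section decide whether a certificate request is signed without anyone reviewing it, so it is worth checking what a master is actually configured to do. The script below is an added example, not part of the original manual: it reads puppet.conf and autosign.conf and reports the signing mode, following Puppet 3.x semantics (autosign = true signs everything, a non-executable path is a whitelist, an executable path is a policy script). The function names, the temporary files and the example.test domain are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual): report how a Puppet 3.x master signs CSRs.

# Print the effective "autosign" value from [main]/[master] of a puppet.conf.
autosign_setting() {
    awk '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); next }
        (s == "[main]" || s == "[master]") && /^[ \t]*autosign[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); last = v
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_autosign PUPPET_CONF AUTOSIGN_CONF
# Prints one finding per line; returns 1 if any CSR is signed without review.
audit_autosign() {
    mode=$(autosign_setting "$1"); list=$2; risky=0
    case $mode in
        true)  echo "NAIVE autosign=true: every CSR is signed"; return 1 ;;
        false) echo "OFF autosign=false: each CSR needs puppet cert sign"; return 0 ;;
        "")    ;;                        # unset: the default whitelist file applies
        *)     if [ -x "$mode" ]; then   # executable path: policy-based autosigning
                   echo "POLICY $mode decides per CSR"; return 0
               fi
               list=$mode ;;             # plain file: used as the whitelist
    esac
    [ -r "$list" ] || { echo "OFF no whitelist at $list"; return 0; }
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        case $entry in
            ''|'#'*) ;;                  # blank line or comment
            *'*'*)   echo "GLOB $entry: any CSR with a matching name is signed"; risky=1 ;;
            *)       echo "NAME $entry: signed without review"; risky=1 ;;
        esac
    done < "$list"
    return $risky
}

# Constructed sample files; example.test is a placeholder domain.
demo=$(mktemp -d)
printf '[main]\nlogdir = /var/log/puppet\n[agent]\nreport = true\n' > "$demo/puppet.conf"
printf '# lab hosts\n*.example.test\nnode01.example.test\n' > "$demo/autosign.conf"
audit_autosign "$demo/puppet.conf" "$demo/autosign.conf" || echo "RESULT unreviewed signing is possible"
rm -rf "$demo"
```

On a master, run it as `audit_autosign /etc/puppet/puppet.conf /etc/puppet/autosign.conf`; any NAIVE, GLOB or NAME line means a matching request gets a signed certificate without passing through `puppet cert list` and `puppet cert sign`.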
