    Puppet Study Notes (CentOS 6.3 + Puppet 3.01)

    Oct 26 2012

    I have made up my mind to learn Puppet properly. This weekend I am going to a dedicated Puppet training; it is rare to have a friend so enthusiastic that he organizes everyone to go and learn together. So I am doing some homework in advance.

    October 29, 2012: after two days of training I have a deep appreciation of how powerful Puppet is. The friend who taught the Puppet course is very experienced, not only with Puppet itself but also in teaching and in how to learn something new. The biggest takeaway: the official documentation is very good; once you have read all of it, you are pretty much there.

    Overview

    Puppet is a configuration management tool with a client/server (C/S) architecture: the puppet-server service (puppet master) is installed on a central server, and the puppet client software (puppet client) is installed on the target servers that are to be managed.

    If the client is also installed on the server, the local machine can be managed as well. Put simply, once Puppet is installed you can use Puppet's own management features to install Foreman directly with Puppet. That is what I hope to achieve.

    Preparation

    I use CentOS 6.3 directly, with Puppet's official yum repository; the current Puppet version is already 3.01. The requirements on the OS are also simple:

    1. Disable SELinux.
    2. Disable iptables. This is to avoid all kinds of trouble; alternatively you can open the required ports without disabling iptables.
    3. Set up the hosts file. Puppet needs FQDNs, and lab environments usually have no DNS, so names are set via the hosts file.
    4. Set up NTP to synchronize time; this is also required.
    5. Set up the repositories according to the version you want to use. I enabled EPEL and the official Puppet repository.
    6. node06 is the master (10.1.199.6).
    7. node08 is the client (10.1.199.8).

    For these settings, you can refer to vpsee's Puppet documentation.

    Installation

    Puppet 3.01 has removed many commands from earlier versions, which makes reading the documentation confusing. The pre-2.6 commands cannot be used at all in 3.0 and later; keep this in mind. After the change, things are actually clearer.

    Server side

    Since we install from the repository, all Ruby dependencies are resolved automatically. Installing the server also installs the client at the same time.

    yum -y install puppet-server

    Take a look at the packages it depends on (shown as a screenshot in the original post).

    Start Puppet

    chkconfig puppet on
    chkconfig puppetmaster on
    service puppetmaster start
    service puppet start

    Puppet Master listens on TCP port 8140. The iptables command to open a port used to be long and hard to remember; I have now found a good tool, lokkit. Ports opened with it stay open across reboots, which is very convenient.

    lokkit -p 8140:tcp

    Check the listening ports

    # netstat -lpnut
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
    tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      1476/ruby           
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1454/sshd           
    tcp        0      0 :::22                       :::*                        LISTEN      1454/sshd           
    udp        0      0 10.1.199.6:123              0.0.0.0:*                               1462/ntpd           
    udp        0      0 127.0.0.1:123               0.0.0.0:*                               1462/ntpd           
    udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1462/ntpd           
    udp        0      0 :::123                      :::*                                    1462/ntpd     

    View certificates

    # puppet cert list --all
    + "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")

    At this point the local machine has already been taken under management as a client, and its certificate has been signed automatically.

    Client

    Install a standalone client

    yum install puppet

    You can compare the dependency packages of the client with those of the server (screenshot in the original post).

    Start the service

    chkconfig puppet on
    service puppet start

    Puppet's basic default configuration; nothing in here needs to be changed.

    # cat /etc/sysconfig/puppet
    # The puppetmaster server
    #PUPPET_SERVER=puppet
    
    # If you wish to specify the port to connect to do so here
    #PUPPET_PORT=8140
    
    # Where to log to. Specify syslog to send log messages to the system log.
    #PUPPET_LOG=/var/log/puppet/puppet.log
    
    # You may specify other parameters to the puppet client here
    #PUPPET_EXTRA_OPTS=--waitforcert=500

    Above are Puppet's default settings; you can uncomment and modify them. This is also why the puppet agent, by default, looks on the network for a machine named puppet; you can change that here.

    /var/lib/puppet is an important directory on the client; the agent's certificates are stored under it.

    ]# pwd
    /var/lib/puppet
    ]# ll
    total 24
    drwxr-x--- 2 root   root 4096 Oct 26 15:35 clientbucket
    drwxr-x--- 2 root   root 4096 Oct 26 15:35 client_data
    drwxr-x--- 2 root   root 4096 Oct 26 15:35 client_yaml
    drwxr-xr-x 2 root   root 4096 Oct 26 15:35 lib
    drwxrwx--x 7 puppet root 4096 Oct 26 15:35 ssl
    drwxr-xr-t 3 root   root 4096 Oct 26 15:35 state

    The Puppet agent configuration file is /etc/puppet/puppet.conf; editing this file is basically all you need.

    # pwd
    /etc/puppet
    # ll
    total 12
    -rw-r--r-- 1 root root 2979 Oct 19 02:07 auth.conf
    drwxr-xr-x 2 root root 4096 Oct 19 02:07 modules
    -rw-r--r-- 1 root root  853 Oct 19 02:06 puppet.conf

    puppet.conf is divided into three parts: [main], [master] and [agent]. Some external documents add parameters to [main] and others add them to [agent], which leaves beginners confused about which is correct. For the agent, just modify the [agent] section. If your setting conflicts with one in [main], the [agent] setting is the one that is kept, so you basically do not need to touch [main] at all.

    For the Puppet client, we need to edit /etc/puppet/puppet.conf and add one line specifying the name of the master server.

    [agent]
        # The file in which puppetd stores a list of the classes
        # associated with the retrieved configuration.  Can be loaded in
        # the separate ``puppet`` executable using the ``--loadclasses``
        # option.
        # The default value is '$confdir/classes.txt'.
        classfile = $vardir/classes.txt
    
        # Where puppetd caches the local configuration.  An
        # extension indicating the cache format is added automatically.
        # The default value is '$confdir/localconfig'.
        localconfig = $vardir/localconfig
        server = node06.chenshake.com

    Just restart the agent; from now on you do not need to pass the server address on the command line to connect to the master.
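
The [agent]-over-[main] precedence described above, as an added example that is not part of the original post: a small POSIX shell/awk helper that resolves the effective value of a puppet.conf setting the way the post describes it. The file content is a constructed sample in the layout of the file shown above, and SAMPLE_PUPPET_CONF and puppet_setting are names chosen for this example, not Puppet's own tooling.

```shell
#!/bin/sh
# Added example: resolve the effective value of a puppet.conf setting the way
# the post describes it: a key in the section of the running process ([agent]
# or [master]) overrides the same key in [main], and [main] is the fallback.
# Stand-alone awk reimplementation for illustration, not Puppet's own code.

# Constructed puppet.conf sample, laid out like the file shown in the post.
SAMPLE_PUPPET_CONF='[main]
    logdir = /var/log/puppet
    ssldir = $vardir/ssl
    server = puppet

[agent]
    # comments and blank lines are ignored
    classfile = $vardir/classes.txt
    server = node06.chenshake.com

[master]
    reports = store, http
    reporturl = http://node06.chenshake.com:80/reports/upload'

# puppet_setting SECTION KEY CONF_TEXT
# Prints the effective value of KEY for SECTION; exit 1 if it is set nowhere.
puppet_setting() {
  printf '%s\n' "$3" | awk -v want="$1" -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
    /^[ \t]*\[[a-z]+\][ \t]*$/ {                 # [section] header
      sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next
    }
    {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k != key) next
      if (sec == want) in_sec = v               # section-specific value wins
      else if (sec == "main") in_main = v       # [main] is only the fallback
    }
    END {
      if (in_sec != "")  { print in_sec;  exit 0 }
      if (in_main != "") { print in_main; exit 0 }
      exit 1
    }'
}

# Demo: the agent takes server from [agent], logdir falls back to [main],
# and the master, which sets no server of its own, gets the [main] value.
puppet_setting agent  server "$SAMPLE_PUPPET_CONF"   # node06.chenshake.com
puppet_setting agent  logdir "$SAMPLE_PUPPET_CONF"   # /var/log/puppet
puppet_setting master server "$SAMPLE_PUPPET_CONF"   # puppet
```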

    Common commands

    Check the Puppet version

    # puppet --version
    3.0.1

    Check the module path

    # puppet config print modulepath
    /etc/puppet/modules:/usr/share/puppet/modules

    View a run report

    # puppet agent -t --summarize
    Info: Retrieving plugin
    Info: Caching catalog for node08.chenshake.com
    Info: Applying configuration version '1351737193'
    Finished catalog run in 0.05 seconds
    Changes:
    Events:
    Resources:
              Skipped: 6
                Total: 7
    Time:
           Filebucket: 0.00
       Config retrieval: 0.18
                Total: 0.18
             Last run: 1351737193
    Version:
               Config: 1351737193
               Puppet: 3.0.1

    Certificates

    The client requests a certificate

    The client needs to send a request to the server asking to be managed by it. This is really a certificate signing process: the first time the Puppet client runs, it generates an SSL certificate request and sends it to the Puppet server; if the server agrees to manage the client, it signs the certificate.

    puppet agent

    To follow the registration process in detail and for later troubleshooting, you can add parameters, since in the configuration file

    1. --no-daemonize: log to the foreground
    2. --verbose: more detailed log output
    3. --debug: even more detailed logs, used when troubleshooting
    4. --test: means test; passing just --test is enough

    puppet agent --server=node06.chenshake.com --no-daemonize --onetime --verbose --debug

    On my server, if the iptables port is not open or iptables has not been disabled, you will see the following error:

    Debug: Finishing transaction 70232051730000
    Error: Could not request certificate: No route to host - connect(2)
    Exiting; failed to retrieve certificate and waitforcert is disabled

    If all is well, you will see the following output:

    Debug: Finishing transaction 69982568075580
    Info: Caching certificate for ca
    Info: Creating a new SSL certificate request for node08.chenshake.com
    Info: Certificate Request fingerprint (SHA256): DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
    Debug: Using cached certificate for ca
    Debug: Using cached certificate for ca
    Exiting; no certificate found and waitforcert is disabled

    At this point, on the server you can see the certificate request waiting to be signed.

    # puppet cert list --all   
      "node08.chenshake.com" (SHA256) DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
    + "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")

    Entries with a + beside them have been signed.

    Signing a certificate is simple:

    puppet cert --sign node08.chenshake.com
    puppet cert --sign --all

    Sign the certificate.

    # puppet cert --sign --all
    Signed certificate request for node08.chenshake.com
    Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/ca/requests/node08.chenshake.com.pem'

    After signing, if you check again you will find:

    # puppet cert --list --all
    + "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
    + "node08.chenshake.com" (SHA256) A1:80:54:46:03:01:AE:6E:22:B1:39:8F:45:F2:C5:5A:F9:4E:CA:94:DA:A9:BF:85:34:E7:6E:98:07:97:B7:BC
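
The signing step above, with the check worth doing before `puppet cert --sign`, as an added example that is not part of the original post: compare the CSR fingerprint the agent printed on the client with the one the master lists, and sign only when the two match. The list output is a constructed sample built from the lines shown above, and PUPPET_CMD is an assumed variable for this example (it defaults to a dry run).

```shell
#!/bin/sh
# Added example: check a pending CSR's fingerprint before signing it. The
# agent prints "Certificate Request fingerprint (SHA256): ..." on the client;
# the master shows the same value in `puppet cert list`. Signing only when the
# two match confirms the request came from the host you expect. Helper written
# for this page, not Puppet's own tooling; PUPPET_CMD is an assumed variable.

# Constructed `puppet cert list --all` output in the post's format:
# no prefix = pending request, "+" = signed, "-" = revoked.
SAMPLE_CERT_LIST='  "node08.chenshake.com" (SHA256) DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53
+ "node06.chenshake.com" (SHA256) FF:54:B7:86:11:F7:EA:92:34:A4:E0:53:41:32:5C:8F:C5:5C:DC:03:66:6C:CF:20:9E:11:DE:40:98:D1:7E:F8 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")'

# csr_fingerprint NODE LIST_TEXT -> prints the fingerprint of NODE's pending
# request (lines with no +/- marker); exit 1 if nothing is waiting.
csr_fingerprint() {
  printf '%s\n' "$2" | awk -v n="\"$1\"" '
    $1 == n && $2 == "(SHA256)" { print $3; found = 1 }
    END { exit found ? 0 : 1 }'
}

# verify_csr NODE EXPECTED_FP LIST_TEXT -> 0 on match, 1 on mismatch,
# 2 when no request is pending. EXPECTED_FP is what the agent printed.
verify_csr() {
  actual=$(csr_fingerprint "$1" "$3") || {
    echo "no pending request for $1"; return 2; }
  if [ "$actual" = "$2" ]; then
    echo "fingerprint match for $1"; return 0
  fi
  echo "fingerprint MISMATCH for $1: agent printed $2, master sees $actual"
  return 1
}

# sign_verified NODE EXPECTED_FP LIST_TEXT -> runs `puppet cert --sign NODE`
# only after verify_csr succeeds. PUPPET_CMD defaults to echo (dry run: the
# command is printed, not run); on a real master call with PUPPET_CMD=puppet.
sign_verified() {
  verify_csr "$1" "$2" "$3" || return $?
  "${PUPPET_CMD:-echo}" cert --sign "$1"
}

# Demo: the fingerprint from the agent's console output in the post matches.
sign_verified node08.chenshake.com \
  "DC:BF:4A:B7:65:9F:8D:80:79:42:B3:1D:94:B6:D9:A7:1B:99:38:EB:49:DA:13:1E:E2:CE:56:5C:78:CC:12:53" \
  "$SAMPLE_CERT_LIST"
```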

    Revoking a certificate

    To invalidate a certificate in actual operation, I recommend using the clean parameter; I found that revoke only marks the certificate as invalid.

    # puppet cert revoke node08.chenshake.com
    Revoked certificate with serial 3

    Now look at the certificates:

    # puppet cert list --all
    + "node06.chenshake.com" (SHA256) 9C:3E:5C:11:03:C9:AA:35:B8:DE:A2:2C:44:79:2F:F2:64:7D:19:1B:75:99:09:2E:43:C0:26:70:6A:24:30:C2 (alt names: "DNS:node06.chenshake.com", "DNS:puppet", "DNS:puppet.chenshake.com")
    - "node08.chenshake.com" (SHA256) CB:15:4A:55:23:1D:AD:08:5F:A6:D8:3C:D8:17:47:6E:E1:42:47:01:2D:D3:1B:55:85:18:65:6E:B2:6C:46:EA (certificate revoked)

    You need to restart the puppetmaster service for the revocation to actually take effect. You can test this by connecting from the client: before the service is restarted everything works normally; only after the master service has been restarted, when you connect again with node08, will you get the error below.

    Debug: Using cached certificate_revocation_list for ca
    Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (b64_zlib_yaml)
    Debug: report supports formats: b64_zlib_yaml raw yaml; using b64_zlib_yaml
    Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

    Deleting a certificate

    On the master, after cleaning the certificate, the service must be restarted for the change to take effect.

    # puppet cert --clean node08.chenshake.com
    Revoked certificate with serial 3
    Removing file Puppet::SSL::Certificate node08.chenshake.com at '/var/lib/puppet/ssl/ca/signed/node08.chenshake.com.pem'
    Removing file Puppet::SSL::Certificate node08.chenshake.com at '/var/lib/puppet/ssl/certs/node08.chenshake.com.pem'

    Restart the puppetmaster service:

    /etc/init.d/puppetmaster restart

    On the client:

    rm -f /var/lib/puppet/ssl/certs/node08.chenshake.com.pem

    Or delete the whole directory, so that the CA certificate is removed too:

    rm -rf /var/lib/puppet/ssl

    Now you can request a certificate again:

    # puppet agent -t
    Info: Creating a new SSL certificate request for node08.chenshake.com
    Info: Certificate Request fingerprint (SHA256): 43:4F:C8:D7:B0:84:D8:89:F6:D9:9C:DE:D4:5B:C0:BF:F1:D6:89:6C:C0:94:7C:02:99:50:98:BA:4C:1C:52:4F
    Exiting; no certificate found and waitforcert is disabled

    Now you can sign it normally on the master.

    Auto-signing certificates

    You can configure the master to sign all certificates automatically; we only need to create an autosign.conf file in the /etc/puppet directory. (There is no need to modify /etc/puppet/puppet.conf, because I did not change the default location of autosign.conf.)

    cat > /etc/puppet/autosign.conf <<EOF
    *.chenshake.com
    EOF

    This automatically signs the requests of all machines in chenshake.com.

    [root@node08 ~]# puppet agent -t
    Info: Creating a new SSL key for node08.chenshake.com
    Info: Caching certificate for ca
    Info: Creating a new SSL certificate request for node08.chenshake.com
    Info: Certificate Request fingerprint (SHA256): 50:6B:ED:AB:E4:46:49:53:3E:41:6A:DD:93:7F:5F:3F:00:55:17:25:A0:BB:12:AF:4A:2B:89:88:5D:41:9F:86
    Info: Caching certificate for node08.chenshake.com
    Info: Caching certificate_revocation_list for ca
    Info: Retrieving plugin
    Info: Caching catalog for node08.chenshake.com
    Info: Applying configuration version '1351497197'
    Finished catalog run in 0.04 seconds

    Pre-signing certificates

    This means signing the certificate on the server in advance and copying it to the client, which avoids the danger of auto-signing. It is cumbersome, though, because you have to copy the certificates by hand. The command to create the certificate differs from the one in earlier Puppet 2.6; just be aware of that.

    # puppet cert generate node08.chenshake.com
    node08.chenshake.com has a waiting certificate request
    Signed certificate request for node08.chenshake.com
    Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/ca/requests/node08.chenshake.com.pem'
    Removing file Puppet::SSL::CertificateRequest node08.chenshake.com at '/var/lib/puppet/ssl/certificate_requests/node08.chenshake.com.pem'

    Client-side operations

    mkdir -p /var/lib/puppet/ssl/private_keys
    mkdir -p /var/lib/puppet/ssl/certs
    scp root@10.1.199.6:/var/lib/puppet/ssl/private_keys/node08.chenshake.com.pem /var/lib/puppet/ssl/private_keys/
    scp root@10.1.199.6:/var/lib/puppet/ssl/certs/node08.chenshake.com.pem /var/lib/puppet/ssl/certs/
    scp root@10.1.199.6:/var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/

    Now you can run the agent on the client:

    # puppet agent -t
    Info: Caching certificate_revocation_list for ca
    Info: Retrieving plugin
    Info: Caching catalog for node08.chenshake.com
    Info: Applying configuration version '1351735593'
    Finished catalog run in 0.04 seconds

    Puppet Dashboard

    I actually wanted to install the Dashboard directly with Puppet, but at this stage I still cannot manage it; I will leave that as a challenge for later.

    MySQL

    yum install -y mysql mysql-devel mysql-server

    Tune the MySQL settings

    Edit /etc/my.cnf and add the last line below to the [mysqld] section.

    [mysqld]
    datadir=/var/lib/mysql
    socket=/var/lib/mysql/mysql.sock
    user=mysql
    # Disabling symbolic-links is recommended to prevent assorted security risks
    symbolic-links=0
    # Allowing 32MB allows an occasional 17MB row with plenty of spare room
    max_allowed_packet = 32M

    Start the service

    /etc/init.d/mysqld start
    chkconfig mysqld on

    Set the MySQL root password; the password I use here is password.

    mysqladmin -u root password 'password'

    Create a dashboard database

    mysql -uroot -ppassword <<EOF
    CREATE DATABASE dashboard CHARACTER SET utf8;
    CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'password';
    GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost';
    FLUSH PRIVILEGES;
    EOF

    Passenger+Apache+Dashboard

    This makes Apache able to serve Ruby applications.

    yum install mod_passenger puppet-dashboard

    Take a look at the package dependencies (screenshot in the original post).

    Configure the Dashboard

    Edit /usr/share/puppet-dashboard/config/database.yml

    production:
      database: dashboard
      username: dashboard
      password: password
      encoding: utf8
      adapter: mysql

    Change the time zone in /usr/share/puppet-dashboard/config/environment.rb

      #config.time_zone = 'UTC'
      config.time_zone = 'Beijing'

    Initialize the database

    cd /usr/share/puppet-dashboard/
    rake RAILS_ENV=production db:migrate

    Configure Apache

    We need to integrate Passenger with Apache.

    cat > /etc/httpd/conf.d/passenger.conf << EOF
    LoadModule passenger_module modules/mod_passenger.so
    <IfModule mod_passenger.c>
       PassengerRoot /usr/share/rubygems/gems/passenger-3.0.17
       PassengerRuby /usr/bin/ruby

       PassengerHighPerformance on
       PassengerMaxPoolSize 12
       PassengerPoolIdleTime 1500
       PassengerStatThrottleRate 120
       RailsAutoDetect On
    </IfModule>
    <VirtualHost *:80>
       ServerName node06.chenshake.com
       DocumentRoot "/usr/share/puppet-dashboard/public/"
       <Directory "/usr/share/puppet-dashboard/public/">
          Options None
          AllowOverride AuthConfig
          Order allow,deny
          allow from all
       </Directory>
       ErrorLog /var/log/httpd/node06.chenshake.com_error.log
       LogLevel warn
       CustomLog /var/log/httpd/node06.chenshake.com_access.log combined
       ServerSignature On
    </VirtualHost>
    EOF

    Start the service

    /etc/init.d/httpd start
    chkconfig httpd on

    Open port 80

    lokkit -p 80:tcp

    Configure Puppet

    To let the Dashboard use reports: the agent now has reporting enabled by default, so you do not need to configure the agent, only the server side.

    # puppet.conf (on puppet master)
      [master]
        reports = store, http
        reporturl = http://node06.chenshake.com:80/reports/upload

    Restart the puppetmaster service

    /etc/init.d/puppetmaster restart

    Now you can access the Puppet Dashboard directly at http://ip

    Import reports

    cd /usr/share/puppet-dashboard
    # rake RAILS_ENV=production reports:import
    (in /usr/share/puppet-dashboard)
    Importing 7 reports from /var/lib/puppet/reports/ in the background
    Importing:     100% |#########| Time: 00:00:00
    7 of 7 reports queued

    When you visit the Dashboard now, you can see the imported tasks (screenshot in the original post).

    Delayed Job Workers

    As I understand it, this is really just a script that analyzes the reports.

    env RAILS_ENV=production /usr/share/puppet-dashboard/script/delayed_job -p dashboard -n 4 -m start

    Check the started jobs

    ps -ef|grep delayed_job|grep -v grep

    Stop the delayed jobs

    env RAILS_ENV=production /usr/share/puppet-dashboard/script/delayed_job -p dashboard -n 4 -m stop

    Only then can you see data in the Dashboard.

    Foreman

    Currently there are still problems between Puppet 3.0 and Foreman 1.0; upstream is working on them.

    http://theforeman.org/issues/1872

     6 Responses to "Puppet Study Notes (CentOS 6.3 + Puppet 3.01)"

    1. Hi, Teacher Chen. I have read many of your posts on cloud technology, and I am now working in this area too, from the simplest things like setting up an environment with devstack, or setting up individual cloud services separately, to studying puppet, jenkins and so on. I hope to have the chance to ask you for advice more often. We now have a requirement to build a test framework like https://jenkins.openstack.org, but I see it integrates a lot of things. For example, the gate-nova-python26 case uses the openstack-ci-puppet project, but how the scripts it runs, /usr/local/jenkins/slave_scripts/gerrit-git-prep.sh review.openstack.org, get installed and where they come from, I really have no clue. I hope to discuss this with you; could you give me your email?

    2. [...] The previous post covered installing puppet on Ubuntu 12.04, version puppet 2.7.11. Today I tried installing puppet 3.1.1 on CentOS 6.4; this post refers to chenshake's article [...]

    3. In the document at http://docs.puppetlabs.com/guides/platforms.html#ruby-versions I see the following package dependencies. You also installed puppet 3, so how can you use ruby 1.8.5??
      Ruby version   Puppet 2.6   Puppet 2.7   Puppet 3.x
      1.8.5*         Supported    Supported    No
      1.8.7          Supported    Supported    Supported
      2.0.0**        No           No           Supported (3.2 and higher)
      1.9.3**        No           No           Supported

    4. Hello Teacher Chen. My environment is x64 CentOS 6.4 with OpenStack installed by RDO (packstack --allinone). During script execution it reported an error saying the httpd service was not started (I guess because I did not disable iptables and SELinux before installing, since running service httpd status shows it is running). Then I found that my dashboard and nagios can be logged into normally (with no node information). I would like to ask what this affects and whether you have any advice. Thanks.

      • It should not matter; just repeat it a few times. RDO fully supports SELinux and iptables. Make sure you follow my steps.

    5. Hello Teacher Chen. I would like to ask how to use puppet kick to push to puppet clients. I tried configuring it according to the official Puppet documentation; the first push succeeded, but the second push returned the following:

      Getting status
      status is running
      Host test is already running
      test finished with exit code 3
      Failed: test

      I checked on the client that port 8139 is already listening. I do not understand why it says Host test is already running; do I have to shut down the puppet client before every push?

    Original URL: https://www.cnblogs.com/L-H-R-X-hehe/p/3957080.html