  • Automated service installation with Puppet

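    Automated deployment with Puppet

    Host environment:
    server (master): 172.25.7.1 (server1.example.com)
    clients (agents): 172.25.7.2, 172.25.7.3
    Prerequisites: the server and the clients can resolve each other's hostnames (with many hosts, the name resolution can be done on a DNS server), and their clocks are in sync.
    Note: do not start the puppet service on the clients while doing this exercise!
    (I) Installing the packages
    Server: puppet-server-3.8.1-1.el6.noarch.rpm
    Dependencies: puppet-3.8.1-1.el6.noarch.rpm facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm ruby-augeas-0.4.1-3.el6.x86_64.rpm rubygems-1.3.7-5.el6.noarch.rpm
    Client: puppet-3.8.1-1.el6.noarch.rpm
    Dependencies: facter-2.4.4-1.el6.x86_64.rpm hiera-1.3.4-1.el6.noarch.rpm rubygem-json-1.5.5-3.el6.x86_64.rpm ruby-shadow-2.2.0-2.el6.x86_64.rpm ruby-augeas-0.4.1-3.el6.x86_64.rpm rubygems-1.3.7-5.el6.noarch.rpm
    With Internet access, add the following entries to the yum repository configuration (gpgcheck=0 disables package signature checking, so yum does not verify the packages it installs from these repositories):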

    [puppet]
    name=puppet
    baseurl=http://yum.puppetlabs.com/el/6Server/products/x86_64/
    gpgcheck=0
    [ruby]
    name=ruby
    baseurl=http://yum.puppetlabs.com/el/6Server/dependencies/x86_64/
    gpgcheck=0
    

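    (II) Starting the services
    Server:
    /etc/init.d/puppetmaster start
    The master listens on TCP port 8140.
    Client:
    Do not start the puppet service: it would put the process in the background, where errors are not visible. So leave the service off during this exercise and test with either of the two commands below:
    puppet agent --server server1.example.com --test
    This test makes the client connect to the puppet master: the client sends a certificate request to the master, then waits for the master to sign it and return the certificate. The --server parameter gives the name or address of the puppet master to connect to. By default the agent connects to a host named "puppet"; to change the default host, edit the PUPPET_SERVER=puppet option in /etc/sysconfig/puppet. The --no-daemonize parameter runs the puppet client in the foreground, and --verbose makes the client print detailed logs.
    puppet agent --server server1.example.com --no-daemonize --verbose
    Manual signing

    # puppet cert list  ## show all certificates waiting to be signed
    # puppet cert list --all
    # puppet cert sign server2.example.com  ## sign the certificate for server2
    To sign all certificates at once, run:
    # puppet cert sign --all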
    

    Automatic signing

    vim /etc/puppet/puppet.conf
        [main]
                autosign = true  ## turn on automatic signing
    vim /etc/puppet/autosign.conf  ## create this file yourself
        *.example.com
    /etc/init.d/puppetmaster reload
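    A stricter alternative to the blanket `autosign = true` / `*.example.com` setup above, as an added example that is not part of the original article: policy-based autosigning (Puppet 3.4 and later), where the master's `autosign` setting points at an executable and a request is signed only when that executable exits 0. The allowlist, the token value and the `sample_csr` helper are assumptions made for illustration; agents would supply the token through `custom_attributes` (OID 1.2.840.113549.1.9.7) in their `csr_attributes.yaml`.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original article): autosign policy executable.
# The master runs it as `<script> <certname>` with the PEM CSR on stdin;
# exit status 0 means "sign", any other status leaves the request unsigned.
require 'openssl'

ALLOWED = %w[server2.example.com server3.example.com].freeze # the page's agents
TOKEN = 'constructed-demo-token' # assumption: pre-shared secret (placeholder)

# Constant-time comparison, so the token does not leak through timing.
def same?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Value of the PKCS#9 challengePassword attribute, or nil when absent.
def challenge(csr)
  attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
  attr && attr.value.value.first.value
end

def sign?(certname, pem)
  return false unless ALLOWED.include?(certname)  # exact names, no globs
  csr = OpenSSL::X509::Request.new(pem)
  return false unless csr.verify(csr.public_key)  # requester holds the key
  cn = csr.subject.to_a.find { |field, _value, _type| field == 'CN' }
  return false unless cn && cn[1] == certname     # CSR is for the claimed name
  same?(challenge(csr).to_s, TOKEN)
rescue OpenSSL::X509::RequestError
  false                                           # unparseable CSR
end

# Constructed sample input: a CSR like the one an agent would submit.
def sample_csr(cn, token = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key
  if token
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(token)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword', set))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256')).to_pem
end

# Puppet always passes the certname; without one (e.g. under test) do nothing.
exit(sign?(ARGV[0], $stdin.read) ? 0 : 1) unless ARGV.empty?
```

    A host such as server9.example.com, which the `*.example.com` glob would have matched, is rejected here because it is not on the allowlist.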
    

    (III) Defining puppet resources

    Layout of the /etc/puppet configuration directory:
    ├── auth.conf
    ├── autosign.conf
    ├── environments
    │   └── example_env
    │       ├── manifests
    │       ├── modules
    │       └── README.environment
    ├── files
    │   └── vsftpd.conf
    ├── fileserver.conf
    ├── manifests   # directory holding the node definitions (puppet loads site.pp first)
    │   ├── nodes
    │   │   ├── server4.pp
    │   │   └── server5.pp
    │   └── site.pp
    ├── modules   # directory holding the modules
    │   └── nginx
    │       ├── files
    │       │   ├── nginx-1.6.2.tar.gz
    │       │   ├── nginx.conf
    │       │   └── nginx-install.sh
    │       └── manifests   # the module's main manifests, which define its classes
    │           ├── config.pp
    │           ├── init.pp
    │           ├── install.pp
    │           ├── nginx.install
    │           └── service.pp
    └── puppet.conf   # puppet's main configuration file

    The first code puppet executes is /etc/puppet/manifests/site.pp, so this file must exist, and all other code is called through it.
    The resources below are all defined in /etc/puppet/manifests/site.pp; when no node is specified, they apply to every client that has been authenticated.

    Creating directories and files

    Create a file on the client and write content into it

    Server:

    vim /etc/puppet/manifests/site.pp
        file {
                "/tmp/testfile":
                content => "hahahaha"  ## a file is created by default
        }

    Create a directory on the client

    Server:

    vim /etc/puppet/manifests/site.pp
        file {
                "/mnt/haha":
                ensure => "directory"  ## create a directory
        }
    

    Assigning resources to different nodes

    vim /etc/puppet/manifests/site.pp
        import "nodes/*.pp"

    mkdir /etc/puppet/manifests/nodes
    vim /etc/puppet/manifests/nodes/server3.pp
        node 'server3.example.com' {
                file {
                        "/tmp/lala":
                        content => "lalala~~~~\n"
                }
        }
    

    Client:

    Writing a module (using the httpd service as the example)

    mkdir -p /etc/puppet/modules/httpd/{files,manifests,templates}
    Deploying httpd consists of downloading the package, configuring it, and starting the service.

    vim /etc/puppet/modules/httpd/manifests/init.pp  ## the file read when the httpd module is loaded
        class httpd {
                include httpd::install,httpd::config,httpd::service
        }

    vim /etc/puppet/modules/httpd/manifests/install.pp
        class httpd::install {
                package {
                        "httpd":
                        ensure => present
                }
        }
    
    vim /etc/puppet/modules/httpd/manifests/config.pp
        class httpd::config {
                file {
                        "/etc/httpd/conf/httpd.conf":
                        source => "puppet:///modules/httpd/httpd.conf",
                        require => Class["httpd::install"],
                        notify => Class["httpd::service"]
                }
        }

    The file /etc/puppet/modules/httpd/files/httpd.conf must exist on this machine.

    vim /etc/puppet/modules/httpd/manifests/service.pp
        class httpd::service {
                service {
                        "httpd":
                        ensure => running
                }
        }
    

    Have server3 apply this module:

    vim /etc/puppet/manifests/nodes/server3.pp
        node 'server3.example.com' {
                include httpd
        }

    Client:

    Using templates

    Add a virtual host configuration: template files are stored in the templates directory and end in .erb

    vim /etc/puppet/modules/httpd/templates/vhost.erb
        <VirtualHost *:80>
        ServerName <%= @domainname %>
        DocumentRoot /var/www/<%= @domainname %>
        ErrorLog logs/<%= @domainname %>_error.log
        CustomLog logs/<%= @domainname %>_access.log common
        </VirtualHost>
    

    Note the following in the configuration file that is distributed:

    vim /etc/puppet/modules/httpd/files/httpd.conf
        Listen 80
        ## the parameter that must be enabled to use virtual hosts
        NameVirtualHost *:80

    vim /etc/puppet/modules/httpd/manifests/init.pp
        class httpd {
                include httpd::install,httpd::config,httpd::service
        }
        define httpd::vhost($domainname) {
                file {
                        "/etc/httpd/conf.d/${domainname}_vhost.conf":
                        content => template("httpd/vhost.erb"),
                        require => Class["httpd::install"],
                        notify => Class["httpd::service"]
                }
                file {
                        "/var/www/$domainname":
                        ensure => directory
                }
                file {
                        "/var/www/$domainname/index.html":
                        content => $domainname
                }
        }
    

    Add the module to the server3 node:

    vim /etc/puppet/manifests/nodes/server3.pp
        node 'server3.example.com' {
                include httpd
                httpd::vhost {
                        'server3.example.com':
                        domainname => "server3.example.com"
                }
                httpd::vhost {
                        'www.example.com':
                        domainname => "www.example.com"
                }
        }

    On the client (server3):
    puppet agent --server server1.example.com --test
    Verify the result.

    Installing puppet dashboard (managing puppet through a web interface)

    On the server:
    Package: puppet-dashboard-1.2.23-1.el6.noarch.rpm
    Dependencies: ruby-mysql-2.8.2-1.el6.x86_64.rpm rubygem-rake-0.8.7-2.1.el6.noarch.rpm

    json (1.5.5)
    rake (0.8.7)
    gem install passenger-5.0.15.gem rack-1.6.4.gem
    vim /usr/share/puppet-dashboard/config/add.sql
        CREATE DATABASE dashboard_production CHARACTER SET utf8;
        CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'dashboard';
        GRANT ALL PRIVILEGES ON dashboard_production.* TO 'dashboard'@'localhost';
    yum install -y mysql-server
    /etc/init.d/mysqld start
    mysql_secure_installation
    mysql -predhat < /usr/share/puppet-dashboard/config/add.sql
    vim /usr/share/puppet-dashboard/config/database.yml  ## keep only the production section; delete the test and development sections
        production:
          database: dashboard_production
          username: dashboard
          password: dashboard
          encoding: utf8
          adapter: mysql
    rake gems:refresh_specs
    rake time:zones:local
    

    The default puppet time zone is incorrect and needs to be changed:

    vim /usr/share/puppet-dashboard/config/settings.yml
        time_zone: 'Beijing'
    rake RAILS_ENV=production db:migrate  ## create the database and tables the dashboard needs
    chmod 666 /usr/share/puppet-dashboard/log/production.log  ## makes the log writable by every local user
    /etc/init.d/puppet-dashboard start
    /etc/init.d/puppet-dashboard-workers start
    vim /etc/puppet/puppet.conf
        [main]
                autosign = true
                reports = http
                reporturl = http://172.25.7.1:3000/reports
    /etc/init.d/puppetmaster reload
    

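    Once puppet is installed on a client and the client has been authenticated, we can see the effect. But how do we make it synchronize with the server automatically? How many minutes is the default synchronization interval, and how can it be changed? For this we need to configure the client:
    (1) Configure the puppet parameters and the synchronization time:

    vi /etc/sysconfig/puppet
        PUPPET_SERVER=puppet.example.com  ## address of the puppet master
        PUPPET_PORT=8140  ## port puppet listens on
        PUPPET_LOG=/var/log/puppet/puppet.log  ## local puppet log
        PUPPET_EXTRA_OPTS=--waitforcert=500  ## [default synchronization time; I do not change this line here]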
    

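    (2) With the default configuration in place, the client synchronizes with the server every half hour; this interval can be changed.

    /etc/puppet/puppet.conf
        [agent]
        runinterval = 60
    This means the client synchronizes with the server every 60 seconds.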
    

    Client:
    On server2:

    vim /etc/sysconfig/puppet
        PUPPET_SERVER=server1.example.com
        PUPPET_PORT=8140
        PUPPET_LOG=/var/log/puppet/puppet.log
    vim /etc/puppet/puppet.conf
        [agent]
                report = true
                runinterval = 300  ## update interval of 300s; on server3 the interval can be staggered from server2's, e.g. runinterval = 600, to reduce the load on the master
    /etc/init.d/puppet start  ## start the puppet service once all configuration is done
    

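    Verifying the result:
    Port 3000 handles only 20 concurrent connections; it is meant for testing.
    http://172.25.7.1:3000

    Check the logs:

    [nginx+passenger] Raising the concurrency

    By default puppet uses the Ruby-based WEBrick HTTP server to handle HTTPS requests. On a single server, Apache/Nginx + Passenger is used to replace WEBrick. Passenger is an Apache module that embeds and runs Ruby programs, and it provides load balancing for puppet.
    Reference: https://docs.puppetlabs.com/guides/passenger.html
    Server: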

    > get nginx-1.8.0.tar.gz
    tar zxf nginx-1.8.0.tar.gz
    passenger-config --root
    /usr/lib/ruby/gems/1.8/gems/passenger-5.0.15
    Resolve the dependencies:
    yum install -y gcc gcc-c++ curl-devel openssl-devel zlib-devel ruby-devel pcre-devel
    passenger-install-nginx-module
    
    

    The script installs nginx with Passenger support automatically; follow the prompts, which mostly means pressing Enter all the way through.
    nginx is installed in /opt/nginx by default:

    vim /opt/nginx/conf/nginx.conf
        #user  nobody;
        worker_processes  1;

        #error_log  logs/error.log;
        #error_log  logs/error.log  notice;
        #error_log  logs/error.log  info;

        #pid        logs/nginx.pid;


        events {
            use epoll;
            worker_connections  1024;
        }


        http {
            passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-5.0.15;
            passenger_ruby /usr/bin/ruby;

            include       mime.types;
            default_type  application/octet-stream;

            #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
            #                  '$status $body_bytes_sent "$http_referer" '
            #                  '"$http_user_agent" "$http_x_forwarded_for"';

            #access_log  logs/access.log  main;

            sendfile        on;
            #tcp_nopush     on;

            #keepalive_timeout  0;
            keepalive_timeout  65;

            #gzip  on;
            server {
                listen 8140;
                server_name server1.example.com;

                root    /etc/puppet/rack/public;

                passenger_enabled on;
                # the client certificate subject and verification result are handed to puppet in these headers
                passenger_set_header X_CLIENT_DN $ssl_client_s_dn;
                passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;
                ssl on;
                ssl_session_timeout 5m;
                ssl_certificate /var/lib/puppet/ssl/certs/server1.example.com.pem;
                ssl_certificate_key /var/lib/puppet/ssl/private_keys/server1.example.com.pem;
                ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
                ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
                # "optional" lets agents without a signed certificate connect to submit their request
                ssl_verify_client optional;
                # cipher list kept as in the original; the SSLv2 and RC4 suites it selects are obsolete
                ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
                ssl_prefer_server_ciphers on;
                ssl_verify_depth 1;
                ssl_session_cache shared:SSL:128m;
            }
        }
    
    # /opt/nginx/sbin/nginx -t
    # /opt/nginx/sbin/nginx
    # mkdir /etc/puppet/rack/{public,tmp} -p
    # cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/
    # chown puppet.puppet /etc/puppet/rack/config.ru
    # chkconfig puppetmaster off
    # service puppetmaster stop
    # /opt/nginx/sbin/nginx -t
    # /opt/nginx/sbin/nginx
    ## check nginx
    puppetmaster does not need to be started; nginx invokes puppet automatically when it starts.
    
  • Original article: https://www.cnblogs.com/hanfei-1005/p/5694095.html