Puppet

客户端和服务器端的时间同步非常重要

notify和require要成对使用

如何检查puppet的class文件语法: This is how to do a syntax check on a file.

# Parse-only check of a manifest; exits non-zero and prints the location of the first error.
puppet parser validate <filename> #e.g. ruby-server.pp
# Example failure output (file:line is given after the message):
err: Could not parse for environment development: Syntax error at ';'; expected ']'
at /etc/puppet/manifests/classes/ruby-server.pp:2

打印puppet配置文件

# Dump every effective agent setting; the grep only keeps lines containing "00" (ports/intervals).
puppet agent --configprint all|grep 00
# Print a single master setting (here the plugin/lib directory).
puppet master --configprint libdir

生成相关用户和目录

# Create the puppet user/group and the master's directories before the first start.
puppet master --mkusers
# Same for the agent side.
puppet agent --mkusers

puppet dashboard

DB初始化

rake RAILS_ENV=production db:migrate

dashboard.conf

# Apache vhost for Puppet Dashboard (Rails app under Passenger), plain HTTP on port 3000.
Listen 3000
NameVirtualHost *:3000

<VirtualHost *:3000>
  DocumentRoot /usr/share/puppet-dashboard/public/
  ErrorLog /var/log/httpd/dashboard_error.log
  CustomLog /var/log/httpd/dashboard_access.log combined

  RailsAutoDetect On
  AddDefaultCharset UTF-8

  RailsEnv production

  # NOTE(review): with "Order deny,allow" the later "Allow from all" wins, so the
  # "Deny from all" line has no effect and every client can reach the dashboard.
  # Nothing on this page puts authentication or TLS in front of this port, while
  # puppet.conf points the master's reporturl and external_nodes at it; restrict
  # "Allow from" to the master/admin hosts if the dashboard is not meant to be public.
  <Location "/">
    Order           deny,allow
    Deny from       all
    Allow from      all
  </Location>
</VirtualHost>

puppetmaster.conf

# Apache vhost fronting the Puppet master through Rack/Passenger on the standard port 8140.
Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        # NOTE(review): SSLv3 is explicitly enabled and the cipher list admits RC4 and
        # MEDIUM-strength suites. Once all agents support it, prefer "-ALL +TLSv1"
        # (or newer) and a suite list without RC4/MEDIUM, e.g. "HIGH:!ADH:!RC4:!MEDIUM:!LOW:!EXP".
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        # Master certificate/key and the Puppet CA, all from the puppet-managed ssl dir.
        SSLCertificateFile      /etc/puppet/ssl/certs/jack94202.mobcon.inside.pem
        SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/jack94202.mobcon.inside.pem
        SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /etc/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /etc/puppet/ssl/ca/ca_crl.pem
        # "optional": clients without a certificate still reach Rack (needed for the
        # unauthenticated CSR/CA paths in auth.conf); the verification result is exported
        # via +StdEnvVars and consumed by the ssl_client_header / ssl_client_verify_header
        # settings in puppet.conf, so Puppet — not Apache — decides what they may do.
        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions +StdEnvVars

        DocumentRoot /etc/puppet/rack/puppetmaster/public/
        RackBaseURI /
        <Directory /etc/puppet/rack/puppetmaster>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

※config.ru必须为puppet权限

#ls
puppet puppet 1136 1016 20:08 /usr/share/puppet/rack/puppetmasterd/config.ru

passenger.conf

# The passenger module path should match ruby gem version
# (the gem list further down shows passenger 2.2.11; update both paths on upgrade).
LoadModule passenger_module /usr/local/lib/ruby/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.8/gems/passenger-2.2.11
PassengerRuby /usr/local/bin/ruby

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
# Auto-detection is off globally; each vhost enables Rails/Rack explicitly
# (RailsAutoDetect On in dashboard/foreman, RackBaseURI in puppetmaster).
RackAutoDetect Off
RailsAutoDetect Off

foreman.conf

# Apache vhost for Foreman (Rails app under Passenger), plain HTTP on port 3001.
Listen 3001
NameVirtualHost *:3001

<virtualhost *:3001>
  DocumentRoot /usr/share/foreman/public

  RailsAutoDetect On
  AddDefaultCharset UTF-8

  RailsEnv production

  ErrorLog /var/log/httpd/foreman_error.log
  CustomLog /var/log/httpd/foreman_access.log combined

  # NOTE(review): same pattern as dashboard.conf — under "Order deny,allow" the
  # "Allow from all" overrides "Deny from all", so access is unrestricted and
  # unencrypted; narrow "Allow from" (or front it with TLS/auth) if Foreman should
  # not be reachable from every host.
  <Location "/">
    Order           deny,allow
    Deny from       all
    Allow from      all
  </Location>
</virtualhost>

从github安装后初始化

# bundle install --without postgresql sqlite test development --path vendor
#RAILS_ENV=production bundle exec rake db:migrate

导入现有机器配置

# One-off import of existing nodes and their facts into Foreman's production DB.
rake puppet:import:hosts_and_facts RAILS_ENV=production

导入已有日志

# Purge stored reports older than 7 days (run periodically, e.g. from cron, to bound DB growth).
rake reports:expire days=7 RAILS_ENV="production"

注意ポイント foreman 0.5 developバージョンからインストールすると

mysql-5.1.62
 
foremanのDB adapterはmysql2が必要となる
 
<code>
===== gem相关依赖包 =====
<code>
 
gem list --local
 
*** LOCAL GEMS ***
 
abstract (1.0.0)
actionmailer (2.3.12, 2.3.5)
actionpack (2.3.12, 2.3.5)
activemodel (3.0.9)
activerecord (3.0.9, 2.3.12, 2.3.5)
activeresource (3.0.9, 2.3.12, 2.3.5)
activesupport (3.0.9, 2.3.12, 2.3.5)
amqp (0.7.3)
arel (2.0.10)
bluecloth (2.1.0)
builder (2.1.2)
bundler (1.0.15)
daemon_controller (0.2.6)
erubis (2.6.6)
eventmachine (0.12.10)
facter (1.6.0)
fastthread (1.0.7)
gli (1.3.2)
i18n (0.5.0)
json (1.5.3)
mail (2.2.19)
mime-types (1.16)
mocha (0.9.12)
mysql (2.8.1)
nokogiri (1.5.0)
passenger (2.2.11)
polyglot (0.3.2)
puppet (2.7.1)
puppet-module (0.3.3)
rack (1.1.0)
rack-mount (0.6.14)
rack-test (0.5.7)
rails (2.3.12, 2.3.5)
railties (3.0.9)
rake (0.9.2)
rdoc (3.9.1)
rest-client (1.4.0)
ruby-shadow (2.1.2)
rubygems-update (1.6.2)
showoff (0.4.2)
sinatra (1.2.6)
stomp (1.1.9)
term-ansicolor (1.0.5)
thor (0.14.6)
tilt (1.3.2)
treetop (1.4.10)
tzinfo (0.3.29)

facter rpm安装包

cp: cannot stat `COPYING': No such file or directory
cp: cannot stat `README': No such file or directory

从facter.spec中注释掉

puppet.conf

# Shared settings for every puppet process on this host.
[main]
        confdir = /etc/puppet
        vardir = /var/lib/puppet
        logdir = $vardir/log
        rundir = /var/run/puppet
        pluginsync = true
        # pluginsync: automatically sync each module's lib/ to the agent under /var/lib/puppet/lib/
 
[master]
        # Client-cert identity/verification result are taken from these headers, which
        # Apache sets via "SSLOptions +StdEnvVars" in puppetmaster.conf.
        ssl_client_header = SSL_CLIENT_S_DN
        ssl_client_verify_header = SSL_CLIENT_VERIFY
        # NOTE(review): autosign = true signs every CSR that reaches the master. Together
        # with the unauthenticated /certificate_request ACL in auth.conf this makes the
        # CA trust boundary "can reach port 8140"; prefer autosign = false with manual
        # "puppet cert sign", or a restrictive whitelist file (autosign = /etc/puppet/autosign.conf).
        autosign = true
        # Reports go both to the dashboard (http -> reporturl below) and to Foreman.
        reports = http, foreman
        sendmail = /usr/lib/sendmail
        reportfrom = puppetmaster@mobcon.inside
        smtpserver = localhost
        reporturl = http://jack94202.mobcon.inside:3000/reports/upload
        report = true
        reportdir = /var/lib/puppet/reports
        rrddir = /var/lib/puppet/rrd
        runinterval = 1800
        # Stored configs in MySQL. NOTE(review): the DB credential is plaintext here, so
        # keep this file readable by the puppet user only; the user/password pair
        # shown is the documentation default and should be changed on a real master.
        storeconfigs = true
        dbadapter = mysql
        dbuser = puppet
        dbpassword = puppet
        dbserver = localhost
        dbsocket = /var/lib/mysql/mysql.sock
        # NOTE(review): rrddir is already set above in this section; this repeat is redundant.
        rrddir = /var/lib/puppet/rrd
        rrdgraph = true
        masterlog = /var/lib/puppet/log/puppetmaster.log
        # Node classification is delegated to the dashboard's external_node script (ENC).
        node_terminus = exec
        external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://localhost:3000 /usr/share/puppet-dashboard/bin/external_node
 
[agent]
        pidfile = /var/lib/puppet/run/agent.pid
        classfile = $vardir/state/classes.txt
        localconfig = $vardir/localconfig
        server = puppet.mobcon.inside
        report = true
        # listen = true opens the agent's own HTTP listener (for remotely triggered runs);
        # who may trigger it is governed by the /run entry in auth.conf — see the note there.
        listen = true
        # Agent polls every 60 (seconds, presumably — confirm unit) vs. 1800 on the master above.
        runinterval = 60

auth.conf

# This is an example auth.conf file, it mimics the puppetmasterd defaults
#
# The ACLs are checked in order of appearance in this file (first match wins).
#
# Supported syntax:
# This file supports two different syntaxes depending on how
# you want to express the ACL.
#
# Path syntax (the one used below):
# ---------------------------------
# path /path/to/resource
# [environment envlist]
# [method methodlist]
# [auth[enticated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The path is matched as a prefix. That is, /file matches
# both /file_metadata and /file_content.
#
# Regex syntax:
# -------------
# This one is differentiated from the path one by a '~'
#
# path ~ regex
# [environment envlist]
# [method methodlist]
# [auth[enticated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The regex syntax is the same as Ruby's.
#
# Ex:
# path ~ .pp$
# will match every resource ending in .pp (manifest files for instance)
#
# path ~ ^/path/to/resource
# is essentially equivalent to path /path/to/resource
#
# environment:: restrict an ACL to a specific set of environments
# method:: restrict an ACL to a specific set of methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#
 
### Authenticated ACL - these apply only when the client
### has a valid certificate and is thus authenticated
 
# allow nodes to retrieve their own catalog (ie their configuration);
# $1 is the certname captured from the URL, so a node only gets its own.
path ~ ^/catalog/([^/]+)$
method find
allow $1
 
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
 
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
 
# allow all nodes to store their reports
path /report
method save
allow *
 
# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
 
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate
 
# allow access to the master CA
path /certificate/ca
auth no
method find
allow *
 
# any client may fetch any signed certificate (public material, bootstrap needs it)
path /certificate/
auth no
method find
allow *
 
# any client may submit (save) a CSR; with autosign = true in puppet.conf
# this is the whole enrollment path, hence the note on autosign there
path /certificate_request
auth no
method find, save
allow *
 
# add by zhou start
# NOTE(review): "auth any" + "allow *" means an unauthenticated request from any host
# may trigger a run on an agent that has listen = true (puppet.conf). Restrict this to the
# master, e.g. drop "auth any" (default is authenticated) and use `allow puppet.mobcon.inside`.
# (No matching "add by zhou end" marker — the custom entry ends here.)
path /run
auth any
method save
allow *
 
# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

shadow

# Interactive prompt; -1 emits an MD5-crypt ($1$) hash for /etc/shadow.
# NOTE(review): MD5-crypt is weak by current standards; use -5 (SHA-256) or -6 (SHA-512)
# where the installed OpenSSL supports them.
openssl passwd -1