Difference between revisions of the page "Puppet kasutamine Debianiga" (Using Puppet with Debian)
(→Configuring the Puppetmaster)
(→Configuring Apache)
308. rida: | 308. rida: | ||
====Apache seadistamine==== | ====Apache seadistamine==== | ||
− | + | Sobib kasutada nt sellist veebiserver seadistusfaili | |
+ | |||
+ | ProxyRequests Off | ||
+ | |||
+ | <Proxy balancer://puppetmaster> | ||
+ | BalancerMember http://127.0.0.1:18140 | ||
+ | </Proxy> | ||
+ | |||
+ | <VirtualHost 10.0.9.227:8140> | ||
+ | SSLEngine on | ||
+ | SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA | ||
+ | SSLCertificateFile /var/lib/puppet/ssl/certs/fai-9-227.loomaaed.pem | ||
+ | SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/fai-9-227.loomaaed.pem | ||
+ | SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem | ||
+ | SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem | ||
+ | SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem | ||
+ | SSLVerifyClient optional | ||
+ | SSLVerifyDepth 3 | ||
+ | SSLOptions +StdEnvVars | ||
+ | |||
+ | RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e | ||
+ | RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e | ||
+ | |||
+ | <Location /balancer-manager> | ||
+ | SetHandler balancer-manager | ||
+ | Order Allow,Deny | ||
+ | Allow from 172.19 | ||
+ | </Location> | ||
+ | |||
+ | <Location /> | ||
+ | SetHandler balancer-manager | ||
+ | Order allow,deny | ||
+ | Allow from all | ||
+ | </Location> | ||
+ | |||
+ | ProxyPass /balancer-manager ! | ||
+ | ProxyPass / balancer://puppetmaster:8140/ | ||
+ | ProxyPassReverse / balancer://puppetmaster:8140/ | ||
+ | ProxyPreserveHost on | ||
+ | |||
+ | </VirtualHost> | ||
Kasulikud lisamaterjalid | Kasulikud lisamaterjalid |
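Review bot: In the added `<Location />` block, `SetHandler balancer-manager` is combined with `Allow from all`, while the `/balancer-manager` block just above it restricts the same handler to `Allow from 172.19`. If the `/` block is only meant to grant access to the proxied paths, drop the `SetHandler` line there so the manager handler is assigned in one place only. Separately, `SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA` lists SSLv2 and RC4 suites; consider a cipher string without them and an explicit `SSLProtocol` line.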
Revision as of 15:05, 6 April 2010
Contents
- 1 Introduction
- 2 Installing the software
- 3 Preparing the Puppetmaster
- 4 Preparing the Puppet client
- 5 Registering a client
- 6 ralsh
- 7 puppetrun
- 8 Facter
- 9 OpenBSD
- 10 FreeBSD
- 11 Using the Puppetmaster with the Apache web server
- 12 Using the Puppetmaster with an LDAP directory
- 13 Useful additional material
Introduction
Puppet (Estonian: nukk) http://reductivelabs.com/products/puppet/ makes it possible to set up automated management of the software and configuration of computers.
        _____
       |     |  puppetmasterd
       |_____|
          |
          |
  ---|----|-------|------------|---
     |            |            |
   __|__        __|__        __|__
  |     |      |     |      |     |  puppetd
  |_____|      |_____|      |_____|  ....

   smtp1        smtp2        squid    puppet clients

- The puppetmaster (Estonian: nukujuht) holds the description of the clients' software and configuration
- The clients know the address of their puppetmaster
- Data exchange between the puppetmaster and the clients takes place over port 8140/tcp.
Installing the software
From the operating system's package manager
On the Puppet server, i.e. the puppetmaster, install the package puppetmaster
# apt-get install puppetmaster
On a Puppet client, install the package puppet
# apt-get install puppet
From Ruby's package manager
# apt-get install rubygems
Examples of using the Gems system are shown by running
# gem help examples
To install Puppet, run
# gem install puppet
Preparing the Puppetmaster
The puppetmaster process runs as an unprivileged user and is controlled by the configuration files
- /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
pluginsync=false

[puppetmasterd]
templatedir=/var/lib/puppet/templates
- /etc/puppet/fileserver.conf
[files]
  path /etc/puppet/files
  allow 192.168.10.0/24
Modules
# find /etc/puppet/modules -type f
/etc/puppet/modules/sudo/files
/etc/puppet/modules/sudo/files/sudoers
/etc/puppet/modules/sudo/manifests
/etc/puppet/modules/sudo/manifests/init.pp
where
- the file /etc/puppet/modules/sudo/files/sudoers contains the contents of the /etc/sudoers file to be distributed
- /etc/puppet/modules/sudo/manifests/init.pp contains the metadata related to the sudo module
# /etc/puppet/modules/sudo/manifests/init.pp
class sudo {
  package { sudo: ensure => latest }

  file { "/etc/sudoers":
    owner   => "root",
    group   => "root",
    mode    => 440,
    source  => "puppet:///sudo/sudoers",
    require => Package["sudo"],
  }
}
Puppet configuration
Three files tie the modules and the nodes together
# find /etc/puppet/manifests -type f
/etc/puppet/manifests/modules.pp
/etc/puppet/manifests/nodes.pp
/etc/puppet/manifests/site.pp
where
- /etc/puppet/manifests/modules.pp
# /etc/puppet/manifests/modules.pp
import "sudo"
- /etc/puppet/manifests/nodes.pp
# /etc/puppet/manifests/nodes.pp
node basenode {
  include sudo
}

node 'puppet-1.auul' inherits basenode {
}
- /etc/puppet/manifests/site.pp
# /etc/puppet/manifests/site.pp
import "modules"
import "nodes"

# The filebucket option allows for file backups to the server
filebucket { main: server => 'puppet-master.auul' }

# Set global defaults - including backing up all files to the main filebucket and adds a global path
File { backup => main }
Exec { path => "/usr/bin:/usr/sbin/:/bin:/sbin" }
Preparing the Puppet client
So that the Puppet client process can make the necessary changes, it runs as root, and it is controlled by the following files
- /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
pluginsync=false
server=puppet-master.auul

[puppetmasterd]
templatedir=/var/lib/puppet/templates
- /etc/puppet/namespaceauth.conf
[fileserver]
  allow *

[pelementserver]
  allow *

[puppetrunner]
  allow *

[puppetbucket]
  allow *

[puppetreports]
  allow *
Registering a client
# puppetca -l
puppet-1.auul
To sign it, run
# puppetca -s puppet-1.auul
Signed puppet-1.auul
The puppetmaster and the puppet clients keep their data in the directory
/var/lib/puppet
To make a client request its configuration from the puppetmaster
puppet-1:~# ps aux | grep pup
root 8161 4.0 10.0 36652 25472 ? Ssl 15:28 0:14 ruby /usr/sbin/puppetd -w 5
puppet-1:~# kill -SIGUSR1 8161
To remove a client, run
# puppetca --clean puppet-1.auul
Removing /var/lib/puppet/ssl/ca/signed/puppet-1.auul.pem
ralsh
# ralsh user ntp
user { 'ntp':
    password => '*',
    shell => '/bin/false',
    uid => '106',
    home => '/home/ntp',
    gid => '110',
    ensure => 'present'
}
puppetrun
For puppetrun to work, line 240 of the file /usr/sbin/puppetrun,
if Puppet[:node_terminus] = "ldap"
needs the replacement = -> == (a single = is an assignment, so the condition is always true)
if Puppet[:node_terminus] == "ldap"
# puppetrun -d --host puppet-3.auul
Failed to load ruby LDAP library. LDAP functionality will not be available
debug: Parsing /etc/puppet/puppet.conf
debug: Puppet::Network::Client::Runner: defining puppetrunner.run
Triggering puppet-3.auul
debug: Calling puppetrunner.run
puppet-3.auul finished with exit code 0
Finished
Facter
# facter
architecture => amd64
domain => auul
facterversion => 1.5.1
fqdn => puppet-1.auul
hardwareisa => unknown
hardwaremodel => x86_64
hostname => puppet-1
id => root
interfaces => eth0
ipaddress => 192.168.10.181
ipaddress_eth0 => 192.168.10.181
kernel => Linux
kernelrelease => 2.6.26-2-amd64
kernelversion => 2.6.26
macaddress => 70:01:68:01:01:81
macaddress_eth0 => 70:01:68:01:01:81
...
OpenBSD
For OpenBSD 4.6, Puppet v. 0.24.4 is available as a binary package; to install it, run
# pkg_add ruby-puppet
ruby-1.8.6.369p0: complete
ruby-facter-1.5.0: complete
ruby-puppet-0.24.4p1: complete
As a result, the following are installed
- /etc/puppet - configuration files
- /usr/local/share/examples/ruby-puppet - examples
Installing the software with the Ruby Gems system
# gem query --local

*** LOCAL GEMS ***

facter (1.5.7)
puppet (0.24.7)
FreeBSD
One option is to install the ruby-gems package from /devel/ruby-gems and run the command gem install puppet. But since for some reason no default configuration files came with it, it is wiser to install it from the sysutils/puppets branch of ports.
To start Puppet after boot, add the following lines to rc.conf
puppetd_enable="YES"
puppetmasterd_enable="YES"
Configuration files, such as a sample puppet.conf, are located in the directory /usr/local/etc/puppet/
http://reductivelabs.com/trac/puppet/wiki/PuppetFreeBSD
Using the Puppetmaster with the Apache web server
It makes sense to run the puppetmaster together with the Apache web server for the following reasons
- higher performance
- more flexible certificate management
- a system with better availability can be built, e.g. by using several puppetmaster instances
In addition to the Apache web server, the Mongrel software has to be installed; it comes in the form of Ruby libraries
# apt-get install apache2 mongrel
Configuring the Puppetmaster
Unlike a puppetmaster with the so-called vanilla configuration, in this case two additions have to be made to the configuration file /etc/default/puppetmaster
SERVERTYPE=mongrel
PORT=18140
Configuring Apache
A web server configuration file such as the following can be used, for example
ProxyRequests Off

<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:18140
</Proxy>

<VirtualHost 10.0.9.227:8140>
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile /var/lib/puppet/ssl/certs/fai-9-227.loomaaed.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/fai-9-227.loomaaed.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars

    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Allow,Deny
        Allow from 172.19
    </Location>

    <Location />
        SetHandler balancer-manager
        Order allow,deny
        Allow from all
    </Location>

    ProxyPass /balancer-manager !
    ProxyPass / balancer://puppetmaster:8140/
    ProxyPassReverse / balancer://puppetmaster:8140/
    ProxyPreserveHost on

</VirtualHost>
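A hardened variant of the VirtualHost above, as an added example that is not part of the original wiki page. It assumes the same Apache 2.2-style mod_ssl and access-control syntax the page uses; the SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder values are choices made for this example, not the author's.

```apache
# Added example, not from the original page. Same layout as the vhost above;
# only the lines marked CHANGED differ from it.
ProxyRequests Off

<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:18140
</Proxy>

<VirtualHost 10.0.9.227:8140>
    SSLEngine on
    # CHANGED: the page's "SSLv2:-LOW:-EXPORT:RC4+RSA" lists SSLv2 and RC4
    # cipher suites. Turn the old protocols off and offer strong ciphers only.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile /var/lib/puppet/ssl/certs/fai-9-227.loomaaed.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/fai-9-227.loomaaed.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # "optional" stays: a client that has no signed certificate yet must
    # still be able to connect and submit its certificate request.
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars

    # "set" replaces any header of the same name sent by the client, so the
    # back end on 127.0.0.1:18140 only sees Apache's own verification result.
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Allow,Deny
        Allow from 172.19
    </Location>

    # CHANGED: no "SetHandler balancer-manager" here; this block only
    # grants access to the proxied puppetmaster paths.
    <Location />
        Order allow,deny
        Allow from all
    </Location>

    ProxyPass /balancer-manager !
    ProxyPass / balancer://puppetmaster:8140/
    ProxyPassReverse / balancer://puppetmaster:8140/
    ProxyPreserveHost on
</VirtualHost>
```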
Useful additional material
Using the Puppetmaster with an LDAP directory
Useful additional material
- http://www.debian-administration.org/articles/526
- http://www.debian-administration.org/articles/528
- http://www.linuxjournal.com/magazine/automate-system-administration-tasks-puppet?page=0,0
- FAI kasutamine Debianiga (Using FAI with Debian)
- http://projects.puppetlabs.com/projects/puppet/wiki/Certificates_And_Security
- http://projects.puppetlabs.com/projects/puppet/wiki/LDAP_Nodes