Deploying a Puppet Master Server on CentOS 6
Date: 2020-01-09 10:38:09 Source: igfitidea
Objective
- Deploy a Puppet Master server
Install Puppet
Disable SELinux
- Put SELinux into permissive mode immediately.
setenforce 0
- The command above is not permanent; it will be undone at the next reboot. To make the change persistent, open the SELinux configuration file in a text editor.
nano /etc/sysconfig/selinux
- Change the SELINUX value from enforcing to permissive, as in the example below.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
- Save the change and exit the text editor.
Install the Puppet Repository
The easiest way to install Puppet is to add the Puppet Labs repository file to the server. We can install it using the free RPM provided by Puppet Labs.
- Download and install the Puppet Labs repository RPM. At the time of writing, version 6.7 was available.
rpm -ivh http://yum.puppetlabs.com/el/6/products/i386/puppetlabs-release-6-7.noarch.rpm
- If everything succeeded, we should now have a file named puppetlabs.repo in /etc/yum.repos.d/.
-rw-r--r--. 1 root root 1926 Nov 27  2013 CentOS-Base.repo
-rw-r--r--. 1 root root  638 Nov 27  2013 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root  630 Nov 27  2013 CentOS-Media.repo
-rw-r--r--. 1 root root 3664 Nov 27  2013 CentOS-Vault.repo
-rw-r--r--. 1 root root 1250 Apr 12  2013 puppetlabs.repo
Install the Puppet Master
The Puppet Master is where nodes retrieve their configuration from.
- Install the Puppet Master package from the Puppet Labs repository.
yum install -y puppet-server
- Start the Puppet Master service.
service puppetmaster start
- Make sure the Puppet Master is running and starts at boot.
puppet resource service puppetmaster ensure=running enable=true
Install a Web Server for Puppet Agent Access
Every server managed by Puppet has an agent installed. By default, the agent tries to connect to the Puppet Master over HTTPS. We need to make sure a web server is available on the master so that it can serve the clients. Any web server can be used, but this tutorial uses Apache.
- Install the web server and some other required packages, such as Ruby.
yum install -y httpd httpd-devel mod_ssl ruby-devel rubygems openssl-devel gcc-c++ curl-devel zlib-devel make automake
- The web server requires Passenger to handle the Ruby files Puppet uses. We install it with Ruby gems.
gem install rack passenger
- For Passenger, we need to install and configure its Apache module.
passenger-install-apache2-module
Prepare the Apache Directories for Puppet
- Create a directory.
mkdir -p /usr/share/puppet/rack/puppetmasterd
- Create the document root and tmp directories.
mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
- Copy the Rack configuration template to the root of our Apache virtual host directory.
cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmasterd/
- Apply the appropriate ownership to the configuration file.
chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru
Create an Apache Virtual Host for Puppet
- Create the configuration file for the Apache virtual host.
touch /etc/httpd/conf.d/puppetlabs.conf
- Edit the file and add the following content.
# And the passenger performance tuning settings:
PassengerHighPerformance On
#PassengerUseGlobalQueue On
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 6
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140
<VirtualHost *:8140>
    SSLEngine On
    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol All -SSLv2
    SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.theitroad.intra.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.theitroad.intra.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    #SSLOptions +StdEnvVars +ExportCertData
    SSLOptions +StdEnvVars

    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from All
    </Directory>
</VirtualHost>
- Stop the puppetmaster service.
service puppetmaster stop
- Start the Apache service.
service httpd start
- Disable the puppetmaster service to prevent it from starting at system boot.
chkconfig puppetmaster off
- Enable the Apache service so that it starts automatically at system boot.
chkconfig httpd on
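As an added example (not part of the original tutorial), the following POSIX shell lint reads the Puppet virtual host above from stdin and checks that the directives agent certificate authentication depends on are present: TLS on port 8140, client certificates requested, the CRL configured, and the SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN values forwarded to the master as X-Client-Verify and X-Client-DN. It goes slightly beyond the page's own configuration by also warning when SSLProtocol still permits SSLv3; the embedded sample vhost is constructed from the page's configuration, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint the Puppet master vhost
# for the directives that agent certificate authentication depends on.
# Usage: check_vhost < /etc/httpd/conf.d/puppetlabs.conf

# has REGEX: true when an uncommented line of $CONF matches REGEX
has() { printf '%s\n' "$CONF" | grep -Eq "^[[:space:]]*$1"; }

# need LABEL REGEX: print PASS or FAIL for one directive, counting FAILs
need() {
    if has "$2"; then echo "PASS: $1"; else echo "FAIL: $1"; FAILS=$((FAILS + 1)); fi
}

# check_vhost: read a vhost on stdin, print findings, return the FAIL count
check_vhost() {
    CONF=$(cat)
    FAILS=0
    need "listens on the Puppet port 8140" 'Listen[[:space:]]+8140'
    need "TLS enabled (SSLEngine On)" 'SSLEngine[[:space:]]+On'
    need "agent certificates requested (SSLVerifyClient optional|require)" \
        'SSLVerifyClient[[:space:]]+(optional|require)'
    need "revocation list configured (SSLCARevocationFile)" \
        'SSLCARevocationFile[[:space:]]+[^[:space:]]'
    need "SSL_CLIENT_VERIFY forwarded as X-Client-Verify" \
        'RequestHeader[[:space:]]+set[[:space:]]+X-Client-Verify[[:space:]]+%.SSL_CLIENT_VERIFY.e'
    need "SSL_CLIENT_S_DN forwarded as X-Client-DN" \
        'RequestHeader[[:space:]]+set[[:space:]]+X-Client-DN[[:space:]]+%.SSL_CLIENT_S_DN.e'
    need "SSLv2 disabled in SSLProtocol" 'SSLProtocol[[:space:]].*-SSLv2'
    # Beyond the tutorial's config: SSLv3 is obsolete as well, so warn if allowed
    has 'SSLProtocol[[:space:]].*-SSLv3' || echo "WARN: SSLv3 still allowed by SSLProtocol"
    return "$FAILS"
}

# Constructed sample: the security-relevant lines of the tutorial's vhost
SAMPLE_VHOST='Listen 8140
<VirtualHost *:8140>
    SSLEngine On
    SSLProtocol All -SSLv2
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.theitroad.intra.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.theitroad.intra.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>'
# The sample passes all seven checks and prints only the SSLv3 WARN
printf '%s\n' "$SAMPLE_VHOST" | check_vhost || echo "$? directive(s) missing"
```

Run it against the real file with `check_vhost < /etc/httpd/conf.d/puppetlabs.conf` once the functions are defined; a non-zero exit status is the number of missing directives.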