
Integrating Puppet with Foreman (4): Integrating MCollective

I. Overview

Marionette Collective (MCollective) is a server orchestration framework closely tied to Puppet. MC requires Ruby 1.9.3 or 1.8.7 and communicates over the Stomp protocol, so it also needs the Stomp rubygem at version 1.2.2 or later.

Install the MCollective server on each Puppet client, install the MCollective client on the Puppet server, and install the MQ middleware either on the Puppet server or on a separate host. Official documentation: https://docs.puppetlabs.com/mcollective/deploy/standard.html

II. Installing ActiveMQ

1. Notes

RabbitMQ is a message queue service that implements the Advanced Message Queuing Protocol (AMQP). It is built on OTP (Open Telecom Platform) and implemented in the Erlang language and runtime.

ActiveMQ, from Apache, is the most popular and most capable open-source message bus; it is a JMS provider that fully supports the JMS 1.1 and J2EE 1.4 specifications. If it is installed on a separate host you must set up the hostname, the hosts file and Puppet authentication; here it is installed on the Puppet server.

2. Installation

```shell
[root@puppet ~]# yum install -y tanukiwrapper activemq-info-provider
[root@puppet ~]# yum install -y activemq
```

The download is slow and failed several times; just retry until it succeeds.

3. Configuration

Back up the configuration before editing it, then start the service and check that the process is running:

```shell
[root@puppet ~]# cp /etc/activemq/activemq.xml /etc/activemq/activemq.xml.bak
```

```shell
[root@puppet ~]# vi /etc/activemq/activemq.xml
```

The `<...>` elements must be kept in alphabetical order; add the following after the … element. The `mcollective` account defined here is the one used later in the MC client configuration:

```xml
<simpleAuthenticationPlugin>
  <users>
    <!-- the "mcollective" account is the one used in the MC client configuration -->
    <authenticationUser username="mcollective" password="mcopwd123" groups="mcollective,everyone"/>
  </users>
</simpleAuthenticationPlugin>
<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
        <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
        <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
        <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>
```

Then edit the connector port elements and keep only the connector you need (note that an XML comment must not contain another comment marker inside it).
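The authorization map above is what stops a node that only holds the `mcollective` credentials from reading or publishing on anything but the `mcollective.>` destinations, so it is worth checking mechanically after every edit of activemq.xml. The following Python script is an added example (it is not part of this post, nor ActiveMQ or MCollective code): it parses a constructed activemq.xml fragment shaped like the block above and reports any group other than `admins` with rights on the wildcard destination `>`, any `mcollective` rights outside `mcollective.>`, a missing `mcollective.>` queue or topic entry, and an agent account that was also placed in the `admins` group. The sample XML, the deliberately broken second variant and the group and user names are constructed for the example.

```python
"""Audit the ActiveMQ authorization map used by MCollective (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the plugins block added to activemq.xml above.
SAMPLE_ACTIVEMQ_XML = """<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <plugins>
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="mcollective" password="mcopwd123" groups="mcollective,everyone"/>
      </users>
    </simpleAuthenticationPlugin>
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <authorizationEntry queue=">" write="admins" read="admins" admin="admins"/>
            <authorizationEntry topic=">" write="admins" read="admins" admin="admins"/>
            <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective"/>
            <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective"/>
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>"""

# Constructed broken variant: the agent account is put in the admins group and
# the mcollective group is given write access to every queue on the broker.
SAMPLE_ACTIVEMQ_XML_BAD = SAMPLE_ACTIVEMQ_XML.replace(
    'groups="mcollective,everyone"', 'groups="mcollective,admins,everyone"').replace(
    '<authorizationEntry queue=">" write="admins"', '<authorizationEntry queue=">" write="admins,mcollective"')


def _local(tag):
    """Strip the XML namespace that the <broker> element declares."""
    return tag.rsplit('}', 1)[-1]


def _groups(value):
    return {g.strip() for g in (value or '').split(',') if g.strip()}


def parse_users(xml_text):
    """Return {username: set(groups)} from simpleAuthenticationPlugin."""
    return {el.get('username'): _groups(el.get('groups'))
            for el in ET.fromstring(xml_text).iter() if _local(el.tag) == 'authenticationUser'}


def parse_entries(xml_text):
    """Return one dict per authorizationEntry with its destination and group sets."""
    entries = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != 'authorizationEntry':
            continue
        kind = 'queue' if el.get('queue') is not None else 'topic'
        entries.append({'kind': kind, 'dest': el.get(kind),
                        'read': _groups(el.get('read')),
                        'write': _groups(el.get('write')),
                        'admin': _groups(el.get('admin'))})
    return entries


def audit(xml_text, broker_admins='admins', mco_group='mcollective', mco_user='mcollective'):
    """Return least-privilege findings; an empty list means the map looks as intended."""
    findings = []
    entries = parse_entries(xml_text)
    for e in entries:
        rights = e['read'] | e['write'] | e['admin']
        if e['dest'] == '>' and rights - {broker_admins}:
            findings.append(f"{e['kind']} '>' grants {sorted(rights - {broker_admins})} broker-wide access")
        elif mco_group in rights and not e['dest'].startswith('mcollective.'):
            findings.append(f"{mco_group} has rights on {e['kind']} {e['dest']!r} outside mcollective.>")
    # both a queue and a topic entry for mcollective.> must give the agents read and write
    covered = {e['kind'] for e in entries
               if e['dest'] == 'mcollective.>' and mco_group in e['read'] and mco_group in e['write']}
    for kind in ('queue', 'topic'):
        if kind not in covered:
            findings.append(f"no {kind} entry gives {mco_group} read+write on mcollective.>")
    if broker_admins in parse_users(xml_text).get(mco_user, set()):
        findings.append(f"agent account {mco_user!r} is in the {broker_admins} group")
    return findings


if __name__ == '__main__':
    for name, xml in (('intended', SAMPLE_ACTIVEMQ_XML), ('broken', SAMPLE_ACTIVEMQ_XML_BAD)):
        print(name, audit(xml) or 'no findings')
```

Run it against the real file by reading `/etc/activemq/activemq.xml` into `audit()`; the broker element carries the ActiveMQ namespace, which is why the tag names are compared by local name.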

If httpd reports `Reloading httpd: not reloading due to configuration syntax error`, the automatically generated httpd configuration is the cause: its proxy settings are wrong and make httpd fail to start. The console can be reached without that configuration, so move it aside:

```shell
[root@puppet ~]# mv /etc/httpd/conf.d/activemq-httpd.conf /etc/httpd/conf.d/activemq-httpd.conf.bak
```

4. Start the service

```shell
[root@puppet ~]# service activemq restart
[root@puppet ~]# chkconfig activemq on
[root@puppet ~]# netstat -tnlp | grep java
tcp        0      0 :::61613                    :::*                        LISTEN      5644/java
tcp        0      0 :::47248                    :::*                        LISTEN      5644/java
tcp        0      0 :::8161                     :::*                        LISTEN      5644/java
[root@puppet ~]# tailf /var/log/activemq/activemq.log
[root@puppet ~]# iptables -I INPUT -p tcp --dport 8161 -j ACCEPT
[root@puppet ~]# iptables -I INPUT -p tcp --dport 61613 -j ACCEPT
[root@puppet ~]# service iptables save
```

5. Access the web console

Open http://IP:8161/admin/ in a browser.

III. Installing the MC client

1. Installation

The client is installed on the puppetmaster server; MC commands are run as root and use the puppetmaster certificate. The MC client does not need a running daemon.

```shell
[root@puppet ~]# yum -y install mcollective-*
```

2. Configuration

Back up the configuration file before editing it:

```shell
[root@puppet ~]# mv /etc/mcollective/client.cfg /etc/mcollective/client.cfg.bak
```

SSL is not used for the connection to ActiveMQ here because generating the keystore.jks certificate failed; this is still to be resolved.

```shell
[root@puppet ~]# vi /etc/mcollective/client.cfg
```

```ini
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = info
daemonize = 1
# Active MQ connector settings:
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
# activemq server address, port and account
plugin.activemq.pool.1.host = puppetmaster.ewin.com
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = mcopwd123
# enable an ssl connection to activemq using the MC server's puppet certificate
#plugin.activemq.pool.1.ssl = 1
#plugin.activemq.pool.1.ssl.ca = /var/lib/puppet/ssl/certs/ca.pem
#plugin.activemq.pool.1.ssl.cert = /var/lib/puppet/ssl/certs/puppetmaster.ewin.com.pem
#plugin.activemq.pool.1.ssl.key = /var/lib/puppet/ssl/private_keys/puppetmaster.ewin.com.pem
#plugin.activemq.pool.1.ssl.fallback = 0
# SSL security plugin settings (the security plugin defaults to PSK):
securityprovider = ssl
plugin.ssl_server_public = /var/lib/puppet/ssl/certs/mcollective-servers.pem
plugin.ssl_client_public = /var/lib/puppet/ssl/certs/puppetmaster.ewin.com.pem
plugin.ssl_client_private = /var/lib/puppet/ssl/private_keys/puppetmaster.ewin.com.pem
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
```

The mcollective-servers.pem certificate is generated in a later step. Replace the Puppet server hostname in the file with your own, for example with this vi substitution:

```text
:%s/puppetmaster.ewin.com/puppet.yourdomain.cn/g
```

IV. Installing the MC server

Note: since Puppet is already in place there is no need to install the MC server host by host. Instead, write an mcollective module and push it to the Puppet agents.

I. Linux systems

1. Create the directories

On the Puppet master, create the directories the mcollective module needs:

```shell
[root@puppet ~]# mkdir -p /etc/puppet/modules/mcollective/{manifests,templates,files}
[root@puppet ~]# mkdir -p /etc/puppet/modules/mcollective/files/pem/clients
```

2. Create the class

```shell
[root@puppet ~]# vi /etc/puppet/modules/mcollective/manifests/init.pp
```

```puppet
class mcollective {
  # password of the mcollective user configured in /etc/activemq/activemq.xml;
  # these variables are passed into the erb template
  $activemq_server      = "puppetmaster.ewin.com"
  $mcollective_password = "mcopwd123"

  package { ['mcollective', 'mcollective-puppet-agent', 'mcollective-service-agent']:
    ensure => installed,
  }

  service { 'mcollective':
    ensure  => running,
    enable  => true,
    require => Package['mcollective'],
  }

  # the module is committed through SVN, so .svn directories must be filtered out
  file { '/etc/mcollective':
    ensure  => directory,
    source  => 'puppet:///modules/mcollective/pem',
    ignore  => '.svn',
    owner   => root,
    group   => root,
    mode    => '0640',
    recurse => remote,
    notify  => Service['mcollective'],
  }

  file { '/etc/mcollective/server.cfg':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0400',
    content => template('mcollective/server.cfg.erb'),
    notify  => Service['mcollective'],
  }
}
```

3. Create the configuration file template

```shell
[root@puppet ~]# vi /etc/puppet/modules/mcollective/templates/server.cfg.erb
```

```erb
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = info
daemonize = 1
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = <%= @activemq_server %>
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = <%= @mcollective_password %>
securityprovider = ssl
plugin.ssl_client_cert_dir = /etc/mcollective/clients
plugin.ssl_server_private = /etc/mcollective/server_private.pem
plugin.ssl_server_public = /etc/mcollective/server_public.pem
#plugin.puppet.resource_allow_managed_resources = true
#plugin.puppet.resource_type_whitelist = exec,file
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
registerinterval = 600
```

4. Generate the certificates

Generate the shared certificate, which will be synced to the nodes:

```shell
[root@puppet ~]# puppet cert generate mcollective-servers
Notice: mcollective-servers has a waiting certificate request
Notice: Signed certificate request for mcollective-servers
Notice: Removing file Puppet::SSL::CertificateRequest mcollective-servers at /var/lib/puppet/ssl/ca/requests/mcollective-servers.pem
Notice: Removing file Puppet::SSL::CertificateRequest mcollective-servers at /var/lib/puppet/ssl/certificate_requests/mcollective-servers.pem
[root@puppet ~]# cp /var/lib/puppet/ssl/private_keys/mcollective-servers.pem /etc/puppet/modules/mcollective/files/pem/server_private.pem
[root@puppet ~]# cp /var/lib/puppet/ssl/public_keys/mcollective-servers.pem /etc/puppet/modules/mcollective/files/pem/server_public.pem
[root@puppet ~]# chmod 644 /etc/puppet/modules/mcollective/files/pem/server_*
```

Sync the MC client (puppetmaster) certificate to the nodes:

```shell
[root@puppet ~]# cp /var/lib/puppet/ssl/certs/puppetmaster.ewin.com.pem /etc/puppet/modules/mcollective/files/pem/clients/
[root@puppet ~]# chmod 644 /etc/puppet/modules/mcollective/files/pem/clients/*
```

5. Update the nodes

(1) Without Foreman

```text
[root@puppet ~]# vi /etc/puppet/manifests/puppetagent.pp
node "puppetagent.ewin.com" {
    include mcollective
}
[root@puppet ~]# vi /etc/puppet/manifests/site.pp
import "puppetagent.pp"
[root@puppet ~]# vi /etc/puppet/puppet.conf
[agent]
report = true
server = puppetmaster.ewin.com
```

The puppet agent daemon on the node has to be stopped. That means the agent no longer syncs from the master on its own, so the master needs a crontab entry that periodically runs mco puppet runonce.

```shell
[root@puppet ~]# service puppet stop
[root@puppet ~]# chkconfig puppet off
[root@puppet ~]# puppet agent -t
```

(2) With Foreman

If Foreman was deployed beforehand, go to the Foreman web UI: Configure -> Puppet classes -> Import from Puppet proxy -> select the connected environment; then under Hosts edit puppetagent and add the mcollective module on the Classes tab; finally run puppet agent -t on the node.

```shell
[root@puppet ~]# service puppet stop
[root@puppet ~]# chkconfig puppet off
[root@puppet ~]# puppet agent -t
```

II. Windows systems

1. Software notes

(1) Ruby

Ruby must be installed on Windows to run MCollective. Download rubyinstaller-1.9.3-p551.exe from http://rubyinstaller.org/.

(2) MCollective

MCollective itself ships no Windows server installer package. Download mcollective_2_3_2_Setup.exe from the 2.3.2 directory at http://repo.mornati.net/mcollective/. Ruby must be installed first, because the .bat scripts that install the gem packages and register the service need it.

(3) Puppet plugin

https://github.com/puppetlabs/mcollective-puppet-agent/releases

Version 1.7.1 of the plugin cannot load the puppet agent properly; plugin version 1.6.1 works fine: https://codeload.github.com/puppetlabs/mcollective-puppet-agent/zip/1.6.1/mcollective-puppet-agent-1.6.1.zip

After unzipping, copy the contained files into c:\mcollective\plugins\mcollective and confirm when prompted to replace existing files.

(4) SSL keys

The key files will be uploaded to the following paths on the client:

```text
c:\mcollective\etc\ssl\clients\puppetmaster.ewin.com.pem
c:\mcollective\etc\ssl\server_private.pem
c:\mcollective\etc\ssl\server_public.pem
```

2. The win-mcollective module

(1) Module directory structure

Create the win-mcollective module directory under Puppet's modules directory. Two programs in the files directory are not shown in the figure above: mcollective_2_3_2_Setup.exe and rubyinstaller-1.9.3-p551.exe.

(2) files

Download the Ruby and MCollective installers, plus the unzipped mcollective-puppet-agent plugin.

Place the Puppet server certificate files in the corresponding locations under files.

(3) manifests

init.pp:

```puppet
class win-mcollective {
  $activemq_server      = "puppetmaster.ewin.com"
  $mcollective_password = "mcopwd123"
  $mcollective_path     = 'C:\Program Files\mcollective'
  include win-mcollective::install, win-mcollective::config, win-mcollective::service
}
```

install.pp:

```puppet
class win-mcollective::install {
  if $operatingsystem == "windows" {
    $filepath   = "C:/Users/Administrator/Downloads"
    $installdir = "C:/Program Files"
    Exec { path => ["${installdir}/Ruby193/bin", "C:/Windows/system32", "${installdir}/Puppet Labs/Puppet/bin"] }

    # install ruby
    file { 'ruby':
      path   => "${filepath}/rubyinstaller-1.9.3-p551.exe",
      ensure => file,
      owner  => 'Administrator',
      mode   => '0755',
      group  => 'Administrators',
      source => 'puppet:///modules/win-mcollective/rubyinstaller-1.9.3-p551.exe',
    }
    exec { 'ruby':
      command  => 'cmd.exe /c Start "puppet-install" /w "C:/Users/Administrator/Downloads/rubyinstaller-1.9.3-p551.exe" /SILENT /DIR="C:/Program Files/Ruby193"',
      provider => windows,
      creates  => "${installdir}/Ruby193/bin/ruby.exe",
      require  => File['ruby'],
    }

    # install mcollective
    file { 'mcollective':
      path   => "${filepath}/mcollective_2_3_2_Setup.exe",
      ensure => file,
      owner  => 'Administrator',
      mode   => '0755',
      group  => 'Administrators',
      source => 'puppet:///modules/win-mcollective/mcollective_2_3_2_Setup.exe',
    }
    exec { 'mcollective':
      command  => 'cmd.exe /c Start "puppet-install" /w "C:/Users/Administrator/Downloads/mcollective_2_3_2_Setup.exe" /SILENT /DIR="C:/Program Files/mcollective"',
      provider => windows,
      creates  => "${installdir}/mcollective/bin/mco.bat",
      require  => File['mcollective'],
    }

    # install the gem packages
    exec { 'install_gems':
      command  => 'cmd.exe /c gem install -l -f "C:/Program Files/mcollective/gems/*.gem"',
      provider => windows,
      unless   => 'cmd.exe /c gem list --local | findstr win32-dir',
      require  => [Exec['ruby'], Exec['mcollective']],
    }

    # register the service
    exec { 'install_service':
      command  => 'cmd.exe /c C:/Progra~1/mcollective/bin/register_service.bat',
      provider => windows,
      unless   => 'cmd.exe /c net start | find "The Marionette Collective"',
      require  => Exec['install_gems'],
    }

    # puppet plugin and the MQ connection authentication files
    file { "${installdir}/mcollective/plugins/mcollective":
      ensure             => directory,
      ignore             => '.svn',
      source_permissions => ignore,
      source             => 'puppet:///modules/win-mcollective/mcollective-puppet-agent-1.6.1',
      recurse            => true,
      require            => Exec['mcollective'],
    }
    file { "${installdir}/mcollective/etc/ssl":
      ensure             => directory,
      ignore             => '.svn',
      source_permissions => ignore,
      source             => 'puppet:///modules/win-mcollective/pem',
      recurse            => true,
      require            => Exec['mcollective'],
    }
  }
}
```

config.pp:

```puppet
class win-mcollective::config {
  file { 'C:\\Progra~1\\mcollective\\etc\\server.cfg':
    ensure  => present,
    content => template('win-mcollective/server.cfg.erb'),
    notify  => Class['win-mcollective::service'],
    require => Class['win-mcollective::install'],
  }
}
```

service.pp:

```puppet
class win-mcollective::service {
  service { 'mcollectived':
    ensure  => running,
    enable  => true,
    require => Class['win-mcollective::config'],
  }
}
```

(3) templates

server.cfg.erb:

```erb
main_collective = mcollective
collectives = mcollective
libdir = <%= @mcollective_path %>\plugins;C:\Program Files\Puppet Labs\Puppet\puppet\lib;C:\Program Files\Puppet Labs\Puppet\facter\lib
logfile = <%= @mcollective_path %>\mcollective.log
loglevel = info
daemonize = 1
securityprovider = ssl
plugin.ssl_client_cert_dir = <%= @mcollective_path %>\etc\ssl\clients
plugin.ssl_server_private = <%= @mcollective_path %>\etc\ssl\server_private.pem
plugin.ssl_server_public = <%= @mcollective_path %>\etc\ssl\server_public.pem
connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = <%= @activemq_server %>
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = <%= @mcollective_password %>
plugin.puppet.command = "C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat" agent
plugin.puppet.config = C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf
factsource = yaml
plugin.yaml = <%= @mcollective_path %>\etc\facts.yaml
```

Summary: once the above is complete, the mco commands can be used; see the next article for details.

V. Integrating Foreman

1. Notes

Prerequisites: MCollective and ActiveMQ are deployed, and the command mco puppet -v runonce runs successfully.
Goal: trigger the puppet agent run from Foreman through MCollective.

2. Settings

In the Foreman web UI, set puppetrun to true.

3. Configuration

```shell
[root@puppet ~]# vi /etc/foreman-proxy/settings.d/puppet.yml
```

```yaml
:enabled: true
:puppet_conf: /etc/puppet/puppet.conf
:puppet_provider: mcollective
```

```shell
[root@puppet ~]# chmod u+w /etc/sudoers.d/foreman-proxy
[root@puppet ~]# vi /etc/sudoers.d/foreman-proxy
```

```text
foreman-proxy ALL = NOPASSWD : /usr/bin/puppet cert *, /usr/bin/mco puppet runonce *
Defaults:foreman-proxy !requiretty
```
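The sudoers entry above is what lets the foreman-proxy account trigger runs, so it deserves a least-privilege review: sudo's `*` in a command pattern matches any trailing arguments, spaces included, so `/usr/bin/puppet cert *` covers every puppet cert subcommand (sign, clean, generate and so on), not only the listing the proxy needs. The Python script below is an added example, not from this post and not from Foreman: it parses sudoers user specifications in the form used here, lists the exact commands a user may run, flags `ALL`, non-absolute paths and argument wildcards, and answers whether a given command line would be permitted. The sudoers text is a constructed copy of the two lines above, and the matching approximates sudo's glob semantics for these simple patterns.

```python
"""Review a sudoers drop-in that grants foreman-proxy its mco/puppet commands (added example)."""
import fnmatch

# Constructed copy of the two lines placed in /etc/sudoers.d/foreman-proxy above.
SUDOERS_TEXT = """foreman-proxy ALL = NOPASSWD : /usr/bin/puppet cert *, /usr/bin/mco puppet runonce *
Defaults:foreman-proxy !requiretty
"""

# Tag keywords sudoers allows in front of a command list.
TAGS = {'NOPASSWD', 'PASSWD', 'NOEXEC', 'EXEC', 'SETENV', 'NOSETENV', 'LOG_INPUT', 'LOG_OUTPUT'}


def parse_sudoers(text):
    """Return (rules, defaults). Each rule holds user, host, runas, tags and its command list."""
    rules, defaults = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('Defaults'):
            defaults.append(line)
            continue
        user, rest = line.split(None, 1)          # 'foreman-proxy', 'ALL = NOPASSWD : ...'
        host, spec = (s.strip() for s in rest.split('=', 1))
        runas = None
        if spec.startswith('('):                  # optional (runas_user) list
            runas, spec = spec[1:].split(')', 1)
            spec = spec.strip()
        tags = []
        while ':' in spec and spec.split(':', 1)[0].strip() in TAGS:
            tag, spec = (s.strip() for s in spec.split(':', 1))
            tags.append(tag)
        cmds = [c.strip() for c in spec.split(',') if c.strip()]
        rules.append({'user': user, 'host': host, 'runas': runas, 'tags': tags, 'cmds': cmds})
    return rules, defaults


def permits(rules, user, cmdline):
    """True if a rule for `user` matches the full command line ('*' globs like sudo's wildcard)."""
    for rule in rules:
        if rule['user'] != user:
            continue
        for cmd in rule['cmds']:
            if cmd == 'ALL' or fnmatch.fnmatchcase(cmdline, cmd):
                return True
    return False


def review(rules):
    """Least-privilege findings for every command of every rule."""
    findings = []
    for rule in rules:
        for cmd in rule['cmds']:
            if cmd == 'ALL':
                findings.append(f"{rule['user']}: unrestricted ALL")
            elif not cmd.startswith('/'):
                findings.append(f"{rule['user']}: non-absolute command {cmd!r}")
            elif '*' in cmd:
                findings.append(f"{rule['user']}: wildcard in {cmd!r}; any trailing arguments are accepted")
    return findings


if __name__ == '__main__':
    rules, defaults = parse_sudoers(SUDOERS_TEXT)
    for finding in review(rules):
        print(finding)
    print(permits(rules, 'foreman-proxy', '/usr/bin/mco puppet runonce -I agent.ewin.com'))
    print(permits(rules, 'foreman-proxy', '/usr/bin/mco rpc service restart'))
```

The wildcard findings are informational; the point is to see, before restarting the proxy, that the grant is limited to the two absolute commands and to decide whether the cert wildcard is wider than the proxy needs.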

Restart the service:

```shell
[root@puppet ~]# /etc/init.d/foreman-proxy restart
```

4. Scheduling

As mentioned above, the puppet service on the agents is stopped, so a scheduled job has to run the mco command to trigger the sync.

```shell
[root@puppet ~]# crontab -e
```

```text
SHELL=/bin/bash
*/1 * * * * /usr/bin/mco puppet runonce *
```

Run it every minute while testing; once it works, change it to */30 to run every half hour.

```shell
[root@puppet ~]# service crond reload
```

Check the cron log:

```shell
[root@puppet ~]# tailf -n 3 /var/log/cron
Apr 25 16:22:01 puppetmaster CROND[11613]: (root) CMD (/usr/bin/mco puppet runonce *)
Apr 25 16:23:01 puppetmaster CROND[11713]: (root) CMD (/usr/bin/mco puppet runonce *)
Apr 25 16:24:01 puppetmaster CROND[11823]: (root) CMD (/usr/bin/mco puppet runonce *)
```

Check the reports in Foreman.

5. Testing

In the Foreman web UI go to Hosts -> Select Action -> Run Puppet (the Select Action drop-down only appears once hosts are selected).

Check the log:

```shell
[root@puppet ~]# tailf /var/log/foreman-proxy/proxy.log
10.188.1.53 - - [23/Apr/2015 16:19:19] "POST /run HTTP/1.1" 200 - 0.5008
```

Enable debug mode to get more detailed output when troubleshooting:

```shell
[root@puppet ~]# vi /etc/foreman-proxy/settings.yml
```

```yaml
:log_level: DEBUG
```

VI. Errors encountered

1. ActiveMQ will not start

```text
activemq not runnin
```

The Java tool tanukiwrapper was not installed.

2. A node fails to connect to ActiveMQ

```shell
[root@puppetagent ~]# tailf /var/log/mcollective.log
I, [2015-04-23T14:21:44.337723 #11451]  INFO -- : activemq.rb:129:in `on_connectfail TCP Connection to stomp://mcollective@puppetmaster.ewin.com:61613 failed on attempt 9
```

The activemq_server value in the class definition of the Puppet mcollective module was wrong.

3. The mco command fails

The user password in /etc/activemq/activemq.xml and in /etc/mcollective/client.cfg must be identical.

4. Troubleshooting a failed Puppet run

(1) Check the logs

```shell
[root@puppet ~]# t
```

This was caused by applying the puppet module on the puppetmaster itself, which overwrote puppet.conf.

```text
WARN -- : Non-null exit code when executing /usr/bin/sudo /usr/bin/mco puppet runonce -I t-search01-55.ewin.com
```

See http://www.pythian.com/blog/some-observations-of-puppetrun-with-foreman/

(2) Check on the puppetmaster

- mcollective, mcollective-common: installed?
- foreman-proxy: started normally?
- activemq: connecting normally?
- mco ping: are the clients detected?
- mco puppet runonce -I agent.ewin.com: does it run successfully?
- mco inventory puppetagent.ewin.com: is the puppet plugin installed?

(3) Check on the puppetagent

- mcollective-puppet, mcollective-client: installed?
- /var/log/mcollective.log: any error messages?
- Is the system time correct?
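Errors 2 and 3 above (a wrong activemq_server in the class, and a password in client.cfg that differs from activemq.xml) are both consistency problems between three files: /etc/mcollective/client.cfg on the master (section III), the server.cfg that the module renders from server.cfg.erb on each node (section IV), and the broker account in activemq.xml. The Python script below is an added example, not part of this post and not MCollective code: it renders the template variables the way the module does (a minimal `<%= @var %>` substitution standing in for ERB), parses the key = value format of client.cfg and server.cfg, and reports any pool setting that differs between the two sides, a password that does not match the broker account, a mismatched securityprovider, and a pool without `plugin.activemq.pool.1.ssl = 1` (the plaintext STOMP session this post leaves pending). The config texts are constructed copies of the relevant lines above, the broker account table is constructed, and the mistyped hostname `wrong-host.example` is a placeholder.

```python
"""Cross-check client.cfg, the rendered server.cfg and the broker account (added example)."""
import re

# Constructed copy of the relevant part of /etc/mcollective/client.cfg from this post.
CLIENT_CFG = """# Active MQ connector settings:
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppetmaster.ewin.com
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = mcopwd123
#plugin.activemq.pool.1.ssl = 1
securityprovider = ssl
plugin.ssl_server_public = /var/lib/puppet/ssl/certs/mcollective-servers.pem
"""

# Constructed copy of the module's server.cfg.erb, with its two template variables.
SERVER_CFG_ERB = """connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = <%= @activemq_server %>
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = <%= @mcollective_password %>
securityprovider = ssl
plugin.ssl_server_public = /etc/mcollective/server_public.pem
"""

# Constructed: the account the broker knows (username -> password from activemq.xml).
BROKER_USERS = {'mcollective': 'mcopwd123'}

GOOD_VARS = {'activemq_server': 'puppetmaster.ewin.com', 'mcollective_password': 'mcopwd123'}
# Placeholder hostname reproducing error 2 (wrong activemq_server in the class).
BAD_VARS = {'activemq_server': 'wrong-host.example', 'mcollective_password': 'mcopwd123'}

POOL_KEYS = ('plugin.activemq.pool.1.host', 'plugin.activemq.pool.1.port',
             'plugin.activemq.pool.1.user', 'plugin.activemq.pool.1.password')


def render_erb(template, variables):
    """Minimal stand-in for ERB: replace <%= @name %> with the class variable of that name."""
    return re.sub(r'<%=\s*@(\w+)\s*%>', lambda m: str(variables[m.group(1)]), template)


def parse_cfg(text):
    """Parse MCollective's 'key = value' config; lines starting with # are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_consistency(client, server, broker_users):
    """Return findings explaining why the client, the nodes or the broker would disagree."""
    findings = []
    for key in POOL_KEYS:
        if client.get(key) != server.get(key):
            findings.append(f"{key}: client has {client.get(key)!r}, server has {server.get(key)!r}")
    user = client.get('plugin.activemq.pool.1.user')
    if broker_users.get(user) != client.get('plugin.activemq.pool.1.password'):
        findings.append(f"password for broker account {user!r} differs between activemq.xml and client.cfg")
    if client.get('securityprovider') != server.get('securityprovider'):
        findings.append("securityprovider differs between client.cfg and server.cfg")
    if client.get('plugin.activemq.pool.1.ssl') != '1':
        findings.append("plugin.activemq.pool.1.ssl is not 1: the STOMP session to the broker is plaintext")
    return findings


def run_check(class_vars, broker_users=BROKER_USERS):
    """Render server.cfg from the class variables and compare it with client.cfg."""
    server = parse_cfg(render_erb(SERVER_CFG_ERB, class_vars))
    return check_consistency(parse_cfg(CLIENT_CFG), server, broker_users)


if __name__ == '__main__':
    print('correct class variables:', run_check(GOOD_VARS))
    print('wrong activemq_server:  ', run_check(BAD_VARS))
    print('wrong broker password:  ', run_check(GOOD_VARS, {'mcollective': 'something-else'}))
```

With the correct class variables the only finding is the plaintext transport; the wrong hostname reproduces error 2 as a host mismatch, and a broker password that differs from client.cfg reproduces error 3 before any mco command is run.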
