1. 環境準備
OS:CentOS 6.4
關閉selinux和iptables
部署Puppet:1.0 Puppet 3.7部署
2. 安裝相關軟件包
Master安裝:
yum install mcollective-client activemq activemq-info-provider mcollective-filemgr-client mcollective-facter-facts mcollective-iptables-client mcollective-logstash-audit mcollective-nettest-client mcollective-package-client mcollective-puppet-client mcollective-service-client mcollective-sysctl-data java-1.7.0-openjdk cat > /etc/mcollective/client.cfg <<EOF # No additional subcollectives: main_collective = mcollective collectives = mcollective #Logging: type => file,console logger_type = file loglevel = info logfile = /var/log/mcollective.log keeplogs = 5 max_log_size = 2097152 logfacility = user # Platform Defaults libdir = /usr/libexec/mcollective # PSK plugin settings: securityprovider = psk plugin.psk = test # Connector settings (required): connector = activemq direct_addressing = 1 # ActiveMQ connector settings: plugin.activemq.pool.size = 2 plugin.activemq.pool.1.host = 192.168.188.20 plugin.activemq.pool.1.port = 61613 plugin.activemq.pool.1.user = mcollective plugin.activemq.pool.1.password = secret plugin.activemq.pool.1.ssl = 0 plugin.activemq.pool.2.host = 192.168.188.21 plugin.activemq.pool.2.port = 61613 plugin.activemq.pool.2.user = mcollective plugin.activemq.pool.2.password = secret plugin.activemq.pool.2.ssl = 0 plugin.activemq.heartbeat_interval=30 plugin.activemq.initial_reconnect_delay = 0.01 plugin.activemq.max_reconnect_delay = 30.0 plugin.activemq.use_exponential_back_off = true plugin.activemq.back_off_multiplier = 2 plugin.activemq.max_reconnect_attempts = 0 plugin.activemq.randomize = false plugin.activemq.timeout = -1 # Discovery settings: default_discovery_method = mc direct_addressing_threshold = 10 ttl = 60 color = 1 rpclimitmethod = first # Facts factsource = yaml plugin.yaml = /etc/mcollective/facts.yaml EOF service activemq start chkconfig activemq on
Agent安裝:
yum install mcollective mcollective-filemgr-agent mcollective-facter-facts mcollective-iptables-agent mcollective-logstash-audit mcollective-nettest-agent mcollective-package-agent mcollective-puppet-agent mcollective-service-agent mcollective-sysctl-data cat > /etc/mcollective/server.cfg <<EOF # Platform defaults: libdir = /usr/libexec/mcollective daemonize = 1 # No additional subcollectives: main_collective = mcollective collectives = mcollective # Facts, identity, and classes (recommended) identity = \$HOSTNAME factsource = yaml plugin.yaml = /etc/mcollective/facts.yaml classesfile = /var/lib/puppet/classes.txt fact_cache_time = 300 # PSK plugin settings: securityprovider = psk plugin.psk = test # Connector settings (required): connector = activemq direct_addressing = 1 # ActiveMQ connector settings: plugin.activemq.pool.size = 2 plugin.activemq.pool.1.host = 192.168.188.20 plugin.activemq.pool.1.port = 61613 plugin.activemq.pool.1.user = mcollective plugin.activemq.pool.1.password = secret plugin.activemq.pool.1.ssl = 0 plugin.activemq.pool.2.host = 192.168.188.21 plugin.activemq.pool.2.port = 61613 plugin.activemq.pool.2.user = mcollective plugin.activemq.pool.2.password = secret plugin.activemq.pool.2.ssl = 0 plugin.activemq.heartbeat_interval=3 plugin.activemq.initial_reconnect_delay = 0.01 plugin.activemq.max_reconnect_delay = 30.0 plugin.activemq.use_exponential_back_off = true plugin.activemq.back_off_multiplier = 2 plugin.activemq.max_reconnect_attempts = 0 plugin.activemq.randomize = false plugin.activemq.timeout = -1 # Registration (recommended): registerinterval = 600 registration = agentlist registration_collective = mcollective # Auditing (optional): rpcaudit = 1 rpcauditprovider = logfile plugin.rpcaudit.logfile = /var/log/mcollective-audit.log # Logging: logger_type = file loglevel = debug logfile = /var/log/mcollective.log keeplogs = 5 max_log_size = 2097152 logfacility = user EOF service mcollective start chkconfig mcollective on
測試mco
mco ping
3. SSL加密和權限管理..
創建SSL證書
在Master上創建所有的證書..
cd /etc/mcollective/ssl #生成mco server的證書. openssl genrsa -out server-private.pem 1024 openssl rsa -in server-private.pem -out server-public.pem -outform PEM -pubout #生成mco client的證書 openssl genrsa -out $HOSTNAME-private.pem 1024 openssl rsa -in $HOSTNAME-private.pem -out $HOSTNAME.pem -outform PEM -pubout cp $HOSTNAME.pem clients/
配置權限管理插件
修改配置啓用權限管理
#Client 配置 sed -i 's/securityprovider = psk/securityprovider = ssl/' /etc/mcollective/client.cfg cat >> /etc/mcollective/client.cfg <<EOF # ssl auth securityprovider = ssl plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem plugin.ssl_client_private = /etc/mcollective/ssl/$HOSTNAME-private.pem plugin.ssl_client_public = /etc/mcollective/ssl/$HOSTNAME.pem EOF #Server 配置 sed -i 's/securityprovider = psk/securityprovider = ssl/' /etc/mcollective/server.cfg cat >> /etc/mcollective/server.cfg <<EOF # authorization rpcauthorization = 1 rpcauthprovider = action_policy plugin.actionpolicy.allow_unconfigured = 1 # ssl auth securityprovider = ssl plugin.ssl_server_private = /etc/mcollective/ssl/server-private.pem plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients/ EOF #重啓server的服務 service mcollective restart #Agent創建的語法,如下: mkdir /etc/mcollective/policies cat > /etc/mcollective/policies/package.policy <<EOF policy default deny allow cert=master.dbsa.cn * * * EOF
配置Puppet Master,將SSL證書和權限管理插件同步到Agent。下面的代碼僅提供一個思路.
mkdir /etc/puppet/modules/base/{manifests,templates,files,lib} -p
mkdir /etc/puppet/modules/base/files/etc/mcollective/{ssl,policies} -p
mkdir /etc/puppet/modules/base/files/etc/mcollective/ssl/clients -p
#如果plicies規則也寫在Puppet,就在Server的policies目錄寫吧。
cp /etc/mcollective/ssl/server-p* /etc/puppet/modules/base/files/etc/mcollective/ssl/
cp /etc/mcollective/ssl/clients/* /etc/puppet/modules/base/files/etc/mcollective/ssl/clients/
cat > /etc/puppet/modules/base/manifests/init.pp <<EOF
class base {
file {
"/etc/mcollective/ssl":
owner => root, group => root, mode => 644,
purge => true, recurse => true, force => true,
source => "puppet:///base/etc/mcollective/ssl",
notify => Service['mcollective'];
"/etc/mcollective/policies":
owner => root, group => root, mode => 644,
purge => true, recurse => true, force => true,
source => "puppet:///base/etc/mcollective/policies",
notify => Service['mcollective'];
"/etc/mcollective/facts.yaml":
owner => root, group => root, mode => 644,
content => inline_template("<%= scope.to_hash.reject{ |k,v| k.to_s =~ /(uptime_seconds|timestamp|free)/ }.to_yaml %>");
}
service {
"mcollective":
enable => true,
ensure => true;
}
}
EOF4. Mco常用命令
#管理Puppet
mco puppet runonce * 所有主機運行一次
mco puppet runonce -I test 指定主機運行一次
mco puppet runonce --tag one,two,three 指定主機編譯指定的標籤
mco puppet runonce --tags one,two,three 指定主機編譯指定的標籤
mco puppet runonce --server XX --environment XX 指定連接的Server和環境
mco puppet summary 查看Puppet運行的狀態
mco find -S "resource().total_time>50" 可以查看運行資源超過50秒的所有主機
#管理包
mco rpc package install package=nano
mco package puppet install 安裝指定軟件包
mco package puppet uninstall 卸載指定軟件包
mco package puppet purge 乾淨卸載指定軟件包
mco package puppet update 升級指定軟件包
mco package puppet status 查看已安裝軟件包信息
#管理服務
mco rpc service status service=crond
mco service crond status 查看服務運行狀態
mco service crond start 指定服務啓動
mco service crond stop 指定服務停止
mco service crond restart 指定服務重啓
#文件管理
mco rpc filemgr status file=/etc/puppet/puppet.conf
mco filemgr status --file /etc/puppet/puppet.conf
#查看幫助
mco plugin doc
#查找匹配內核參數的主機
mco find -S "sysctl('net.ipv4.conf.all.forwarding').value=0"
#過濾功能
-F 基於facter過濾
-C 基於class過濾
-W 基於facter或class過濾
-A 基於安裝的插件過濾
-I 基於主機名稱過濾
-S 組合過濾
#一些組合使用的例子
#在運行puppet的主機上重啓httpd服務
mco rpc service restart service=httpd -S "puppet().enabled=true"
#在最近有發生資源變化的主機上重啓httpd服務
mco rpc service restart service=httpd -S "resource().changed_resources>10"
#
在最近發送失敗資源的主機上重啓httpd服務
mco rpc service restart service=httpd -S "resource().failed_resources>0"
#組合facter過濾
mco ping -S "((virtual=vmware and selinux=true) or osfamily=RedHat)"
mco ping -S "virtual=vmware and ! selinux=false"
mco ping -S "virtual=vmware and not selinux=false"5. Shell插件的下載.
下載插件放在對應的目錄裏即可
https://github.com/phobos182/mcollective-plugins/blob/master/agent/
#mcollective-client端 [root@master ~]# ll /usr/libexec/mcollective/mcollective/application/ | grep shell -rw-r--r-- 1 root root 1601 Aug 6 06:36 shell.rb [root@agent1 ~]# ll /usr/libexec/mcollective/mcollective/agent/ | grep shell -rw-r--r-- 1 root root 1017 Aug 6 06:36 shell.ddl -rw-r--r-- 1 root root 862 Aug 6 06:36 shell.rb #mcollective-server端 [root@agent1 ~]# ll /usr/libexec/mcollective/mcollective/agent/ | grep shell -rw-r--r-- 1 root root 1017 Aug 6 06:36 shell.ddl -rw-r--r-- 1 root root 862 Aug 6 06:36 shell.rb #下載完成後記的server重啓服務 service mcollective restart
在client端查看mco支持的插件..
[root@master agent]# mco The Marionette Collective version 2.6.1 usage: /usr/bin/mco command <options> Known commands: completion facts filemgr find help inventory iptables nettest package ping plugin puppet rpc service shell Type '/usr/bin/mco help' for a detailed list of commands and '/usr/bin/mco help command' to get detailed help for a command
執行shell命令..
[root@master agent]# mco shell 'w' Do you really want to send this command unfiltered? (y/n): y Discovering hosts using the mc method for 2 second(s) .... 1 Host: agent1.dbsa.cn Statuscode: 0 Output: 01:17:00 up 11:26, 1 user, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/1 192.168.188.1 Mon00 5.00s 0.52s 0.52s -bash [root@master agent]#