1. 環境準備
OS:CentOS 6.4
關閉selinux和iptables(僅限本文的測試環境;正式環境應保留兩者,只在防火牆上放行Agent到ActiveMQ的TCP 61613/STOMP端口,SELinux則依實際告警調整策略)
部署Puppet:參見前文《1.0 Puppet 3.7部署》
2. 安裝相關軟件包
Master安裝:
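# --- MCollective client ("master") installation ---------------------------
# Installs the mco client, the ActiveMQ broker and the client-side plugins,
# writes /etc/mcollective/client.cfg and starts the broker.
# Two brokers (192.168.188.20/.21) are listed below; run this part on each
# host that should act as broker, the client part on the host you run mco from.
yum install mcollective-client activemq activemq-info-provider \
  mcollective-filemgr-client mcollective-facter-facts \
  mcollective-iptables-client mcollective-logstash-audit \
  mcollective-nettest-client mcollective-package-client \
  mcollective-puppet-client mcollective-service-client \
  mcollective-sysctl-data java-1.7.0-openjdk

# Quoted delimiter: the configuration is written verbatim, nothing is expanded.
cat > /etc/mcollective/client.cfg <<'EOF'
# No additional subcollectives:
main_collective = mcollective
collectives = mcollective

#Logging: type => file,console
logger_type = file
loglevel = info
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user

# Platform Defaults
libdir = /usr/libexec/mcollective

# PSK plugin settings:
# WARNING: the pre-shared key only signs requests, it does not encrypt them,
# and "test" is a placeholder. Whoever knows it can issue RPC requests to
# every node. Section 3 of this page replaces it with the ssl provider;
# until then use a long random value and keep it identical on all nodes.
securityprovider = psk
plugin.psk = test

# Connector settings (required):
connector = activemq
direct_addressing = 1

# ActiveMQ connector settings:
# WARNING: ssl = 0 means the STOMP connection is plaintext: the broker
# credentials (mcollective / secret) and every request travel in clear over
# the network. Change the password in ActiveMQ and here, and enable the
# connector's TLS (ssl = 1 plus the plugin.activemq.pool.N.ssl.* settings)
# before using this outside a lab.
plugin.activemq.pool.size = 2
plugin.activemq.pool.1.host = 192.168.188.20
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = secret
plugin.activemq.pool.1.ssl = 0
plugin.activemq.pool.2.host = 192.168.188.21
plugin.activemq.pool.2.port = 61613
plugin.activemq.pool.2.user = mcollective
plugin.activemq.pool.2.password = secret
plugin.activemq.pool.2.ssl = 0
plugin.activemq.heartbeat_interval=30
plugin.activemq.initial_reconnect_delay = 0.01
plugin.activemq.max_reconnect_delay = 30.0
plugin.activemq.use_exponential_back_off = true
plugin.activemq.back_off_multiplier = 2
plugin.activemq.max_reconnect_attempts = 0
plugin.activemq.randomize = false
plugin.activemq.timeout = -1

# Discovery settings:
default_discovery_method = mc
direct_addressing_threshold = 10
ttl = 60
color = 1
rpclimitmethod = first

# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF

# client.cfg holds the broker password and, later, points at the client's
# private key: keep it readable by the operator account only.
chmod 600 /etc/mcollective/client.cfg

# Start the broker now and on every boot.
service activemq start
chkconfig activemq on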
Agent安裝:
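# --- MCollective server (agent) installation --------------------------------
# Installs mcollectived and the agent-side plugins on every managed node,
# writes /etc/mcollective/server.cfg and starts the daemon.
yum install mcollective mcollective-filemgr-agent mcollective-facter-facts \
  mcollective-iptables-agent mcollective-logstash-audit \
  mcollective-nettest-agent mcollective-package-agent \
  mcollective-puppet-agent mcollective-service-agent \
  mcollective-sysctl-data

# The identity must be unique per node and is resolved here, at install
# time. The original page escaped it (\$HOSTNAME), which writes the literal
# string "$HOSTNAME" into server.cfg; the MCollective config format does no
# variable expansion, so every node would then report the same identity.
node_identity="$(hostname -f 2>/dev/null || hostname)"

# Unquoted delimiter on purpose: only ${node_identity} is expanded, the rest
# of the file contains no shell metacharacters.
cat > /etc/mcollective/server.cfg <<EOF
# Platform defaults:
libdir = /usr/libexec/mcollective
daemonize = 1

# No additional subcollectives:
main_collective = mcollective
collectives = mcollective

# Facts, identity, and classes (recommended)
identity = ${node_identity}
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
classesfile = /var/lib/puppet/classes.txt
fact_cache_time = 300

# PSK plugin settings:
# WARNING: "test" is a placeholder shared secret and the PSK provider only
# signs requests, it does not encrypt them. Section 3 switches this to the
# ssl provider; until then use a long random value identical on all nodes.
securityprovider = psk
plugin.psk = test

# Connector settings (required):
connector = activemq
direct_addressing = 1

# ActiveMQ connector settings:
# WARNING: ssl = 0 -> plaintext STOMP; broker credentials and every request
# cross the network in clear. Change the password and enable TLS before
# production use.
plugin.activemq.pool.size = 2
plugin.activemq.pool.1.host = 192.168.188.20
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = secret
plugin.activemq.pool.1.ssl = 0
plugin.activemq.pool.2.host = 192.168.188.21
plugin.activemq.pool.2.port = 61613
plugin.activemq.pool.2.user = mcollective
plugin.activemq.pool.2.password = secret
plugin.activemq.pool.2.ssl = 0
plugin.activemq.heartbeat_interval=3
plugin.activemq.initial_reconnect_delay = 0.01
plugin.activemq.max_reconnect_delay = 30.0
plugin.activemq.use_exponential_back_off = true
plugin.activemq.back_off_multiplier = 2
plugin.activemq.max_reconnect_attempts = 0
plugin.activemq.randomize = false
plugin.activemq.timeout = -1

# Registration (recommended):
registerinterval = 600
registration = agentlist
registration_collective = mcollective

# Auditing (optional):
# Keep this on: the audit log records caller id, agent and action of every
# RPC request this node executed, which is what you need during an incident.
rpcaudit = 1
rpcauditprovider = logfile
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log

# Logging:
# debug is useful while bringing the node up; it logs request payloads, so
# drop it to info afterwards.
logger_type = file
loglevel = debug
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user
EOF

# The file holds the broker password (and later the key paths): root only.
chmod 600 /etc/mcollective/server.cfg

# Start the daemon now and on every boot.
service mcollective start
chkconfig mcollective on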
測試mco
# Smoke test from the master: every node that answers is reachable through
# the broker and has a working server.cfg. Nodes that do not answer are not
# listed, so compare the count with what you expect.
mco ping
3. SSL加密和權限管理..
創建SSL證書
在Master上創建所有的證書(server密鑰對會透過Puppet發到每一台Agent共用;client密鑰對只保留在Master上,其公鑰放入clients/目錄)
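# --- Create the key pairs for the ssl security provider (master only) -------
# Layout expected by the provider:
#   server-private.pem / server-public.pem  shared "server" pair, distributed
#                                           to every agent (see the Puppet
#                                           module further down)
#   <host>-private.pem / <host>.pem         one pair per mco client; the public
#                                           half is copied to clients/, and its
#                                           file name without .pem becomes the
#                                           caller id used in policies
#                                           (cert=<host>)
cd /etc/mcollective/ssl || exit 1

# Private keys must never be group/world readable; openssl honours the umask.
umask 077
mkdir -p clients

# 1024-bit RSA (the page's original value) is considered broken for signing
# today; 2048 is the smallest size still acceptable.
openssl genrsa -out server-private.pem 2048
openssl rsa -in server-private.pem -out server-public.pem -outform PEM -pubout

# Client pair for this host. $HOSTNAME is used deliberately so the file names
# match the paths written into client.cfg in the next step.
openssl genrsa -out "${HOSTNAME}-private.pem" 2048
openssl rsa -in "${HOSTNAME}-private.pem" -out "${HOSTNAME}.pem" -outform PEM -pubout
cp "${HOSTNAME}.pem" clients/

# Public halves may be readable by anyone; only the *-private.pem files stay 0600.
chmod 644 server-public.pem "${HOSTNAME}.pem" "clients/${HOSTNAME}.pem"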
配置權限管理插件
修改配置啓用權限管理(注意下面的 plugin.actionpolicy.allow_unconfigured = 1 表示沒有對應policy檔案的agent會放行所有已認證client的請求,只適合過渡期;每個要開放的agent都有policy後應改為0)
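# --- Switch from PSK to the ssl security provider, enable authorization -----

# Client side (run on the master). ${HOSTNAME} is expanded now so client.cfg
# points at the key pair created in the previous step; the unquoted heredoc
# delimiter is intentional.
sed -i 's/securityprovider = psk/securityprovider = ssl/' /etc/mcollective/client.cfg
cat >> /etc/mcollective/client.cfg <<EOF

# ssl auth
# (securityprovider is repeated here on purpose: a later assignment wins, so
# the file is correct even if the sed above found nothing to replace.)
securityprovider = ssl
plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
plugin.ssl_client_private = /etc/mcollective/ssl/${HOSTNAME}-private.pem
plugin.ssl_client_public = /etc/mcollective/ssl/${HOSTNAME}.pem
EOF

# Server side (every agent). Written verbatim: nothing to expand here.
sed -i 's/securityprovider = psk/securityprovider = ssl/' /etc/mcollective/server.cfg
cat >> /etc/mcollective/server.cfg <<'EOF'

# authorization
# action_policy reads /etc/mcollective/policies/<agent>.policy per agent.
# WARNING: allow_unconfigured = 1 makes an agent WITHOUT a policy file accept
# every action from any authenticated client. Acceptable while bootstrapping;
# set it to 0 once each exposed agent has a policy.
rpcauthorization = 1
rpcauthprovider = action_policy
plugin.actionpolicy.allow_unconfigured = 1

# ssl auth
# Requests are accepted only if signed by a private key whose public half is
# present in ssl_client_cert_dir; the file name (minus .pem) is the caller id.
securityprovider = ssl
plugin.ssl_server_private = /etc/mcollective/ssl/server-private.pem
plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients/
EOF

# Policy for the "package" agent. Fields: allow|deny  caller  actions  facts
# classes, with "*" meaning any. Only the client whose public key is
# clients/master.dbsa.cn.pem may use it; everything else is denied.
# Write the policy before restarting so the daemon never runs without it.
mkdir -p /etc/mcollective/policies
cat > /etc/mcollective/policies/package.policy <<'EOF'
policy default deny
allow cert=master.dbsa.cn * * *
EOF

# Apply the new server.cfg.
service mcollective restart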
配置Puppet Master,將SSL證書和權限管理插件同步到Agent。下面的代碼僅提供一個思路.
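# --- Puppet module "base": ship SSL material and policies to the agents -----
# Only a sketch, as the page says. The module lives in /etc/puppet/modules/base.
mkdir -p /etc/puppet/modules/base/{manifests,templates,files,lib}
mkdir -p /etc/puppet/modules/base/files/etc/mcollective/{ssl,policies}
mkdir -p /etc/puppet/modules/base/files/etc/mcollective/ssl/clients

# If the policy files are managed by Puppet too, put them under
# files/etc/mcollective/policies/ on the master.
#
# server-private.pem is copied on purpose: every agent needs the shared
# server key. Everything under files/ is served by the Puppet file server to
# any node that can authenticate to the master, so never copy the mco
# *client* private key (<host>-private.pem) here - only the public halves in
# clients/.
cp /etc/mcollective/ssl/server-p* /etc/puppet/modules/base/files/etc/mcollective/ssl/
cp /etc/mcollective/ssl/clients/* /etc/puppet/modules/base/files/etc/mcollective/ssl/clients/

# Quoted delimiter: the manifest and its ERB template are written verbatim.
cat > /etc/puppet/modules/base/manifests/init.pp <<'EOF'
# Keeps MCollective's SSL material, action policies and facts file in sync on
# every agent and restarts mcollectived whenever one of them changes.
class base {
  # Files in a module's files/ directory are addressed as
  # puppet:///modules/<module>/<path>; without the "modules/" prefix Puppet
  # looks for a custom fileserver mount named "base" instead.
  # Modes are strings so Puppet does not have to guess how to read a bare
  # number.
  file { '/etc/mcollective/ssl':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    purge   => true,
    recurse => true,
    force   => true,
    source  => 'puppet:///modules/base/etc/mcollective/ssl',
    notify  => Service['mcollective'],
  }

  # The recursion above would leave the shared private key world readable
  # (0644). An explicitly declared child resource takes precedence over the
  # generated one, so pin it to 0600 here.
  file { '/etc/mcollective/ssl/server-private.pem':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    source => 'puppet:///modules/base/etc/mcollective/ssl/server-private.pem',
    notify => Service['mcollective'],
  }

  file { '/etc/mcollective/policies':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    purge   => true,
    recurse => true,
    force   => true,
    source  => 'puppet:///modules/base/etc/mcollective/policies',
    notify  => Service['mcollective'],
  }

  # facts.yaml is what mco discovery filters (-F/-S) match against. Volatile
  # facts are dropped so the file does not change on every agent run; note
  # that every other fact value ends up readable by any mco client.
  file { '/etc/mcollective/facts.yaml':
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => inline_template('<%= scope.to_hash.reject{ |k,v| k.to_s =~ /(uptime_seconds|timestamp|free)/ }.to_yaml %>'),
  }

  service { 'mcollective':
    ensure => running,
    enable => true,
  }
}
EOF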
4. Mco常用命令
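# --- Common mco commands (cheat sheet) --------------------------------------
# A command without a filter (-I/-F/-C/-W/-A/-S) is sent to EVERY node in the
# collective. Narrow the target first for anything that changes state.

# Puppet
mco puppet runonce                               # run once on all hosts (no filter; the page's bare "*" would be expanded by the shell to the file names in the current directory)
mco puppet runonce -I test                       # run once on the host with identity "test"
mco puppet runonce --tag one,two,three           # apply only resources carrying these tags
mco puppet runonce --tags one,two,three          # same as --tag
mco puppet runonce --server XX --environment XX  # choose the puppet master and environment for the run
mco puppet summary                               # summary of the last puppet runs
mco find -S "resource().total_time>50"           # hosts whose last run took more than 50 seconds

# Packages
mco rpc package install package=nano             # generic RPC form
mco package puppet install                       # install the named package
mco package puppet uninstall                     # remove it
mco package puppet purge                         # remove it together with its configuration
mco package puppet update                        # upgrade it
mco package puppet status                        # installed version / state

# Services
mco rpc service status service=crond             # generic RPC form
mco service crond status                         # state of the service
mco service crond start                          # start it
mco service crond stop                           # stop it
mco service crond restart                        # restart it

# Files
mco rpc filemgr status file=/etc/puppet/puppet.conf
mco filemgr status --file /etc/puppet/puppet.conf

# Help
mco plugin doc                                   # list and document the installed plugins

# Hosts matching a kernel parameter
mco find -S "sysctl('net.ipv4.conf.all.forwarding').value=0"

# Filters
#   -F  by fact
#   -C  by puppet class
#   -W  by fact or class
#   -A  by installed agent plugin
#   -I  by identity (host name)
#   -S  compound expression combining the above

# Combined examples
# restart httpd on hosts where the puppet agent is enabled
mco rpc service restart service=httpd -S "puppet().enabled=true"
# restart httpd on hosts whose last run changed more than 10 resources
mco rpc service restart service=httpd -S "resource().changed_resources>10"
# restart httpd on hosts whose last run had failed resources
mco rpc service restart service=httpd -S "resource().failed_resources>0"
# combined fact filters
mco ping -S "((virtual=vmware and selinux=true) or osfamily=RedHat)"
mco ping -S "virtual=vmware and ! selinux=false"
mco ping -S "virtual=vmware and not selinux=false"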
5. Shell插件的下載.
下載插件放在對應的目錄裏即可。注意:shell agent 會以 mcollectived 的身份(通常是root)在每台Agent上執行任意命令,部署前請先在 /etc/mcollective/policies/ 為它寫好 shell.policy(寫法同上面的 package.policy),而不要依賴 allow_unconfigured = 1 放行。
https://github.com/phobos182/mcollective-plugins/blob/master/agent/
#mcollective-client端 [root@master ~]# ll /usr/libexec/mcollective/mcollective/application/ | grep shell -rw-r--r-- 1 root root 1601 Aug 6 06:36 shell.rb [root@agent1 ~]# ll /usr/libexec/mcollective/mcollective/agent/ | grep shell -rw-r--r-- 1 root root 1017 Aug 6 06:36 shell.ddl -rw-r--r-- 1 root root 862 Aug 6 06:36 shell.rb #mcollective-server端 [root@agent1 ~]# ll /usr/libexec/mcollective/mcollective/agent/ | grep shell -rw-r--r-- 1 root root 1017 Aug 6 06:36 shell.ddl -rw-r--r-- 1 root root 862 Aug 6 06:36 shell.rb #下載完成後記的server重啓服務 service mcollective restart
在client端查看mco支持的插件..
[root@master agent]# mco The Marionette Collective version 2.6.1 usage: /usr/bin/mco command <options> Known commands: completion facts filemgr find help inventory iptables nettest package ping plugin puppet rpc service shell Type '/usr/bin/mco help' for a detailed list of commands and '/usr/bin/mco help command' to get detailed help for a command
執行shell命令(下例未加過濾器,所以會送到所有主機,mco才會先詢問確認;實際使用時請先用 -I/-S 限定目標)
[root@master agent]# mco shell 'w' Do you really want to send this command unfiltered? (y/n): y Discovering hosts using the mc method for 2 second(s) .... 1 Host: agent1.dbsa.cn Statuscode: 0 Output: 01:17:00 up 11:26, 1 user, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/1 192.168.188.1 Mon00 5.00s 0.52s 0.52s -bash [root@master agent]#