【跟我学Puppet】1.2 Puppet 3.7 Mcollective+SSL加密和权限验证

1. 环境准备
OS：CentOS 6.4
关闭selinux和iptables

部署Puppet：1.0 Puppet 3.7部署

2. 安装相关软件包
Master安装：

yum install mcollective-client activemq activemq-info-provider mcollective-filemgr-client mcollective-facter-facts mcollective-iptables-client mcollective-logstash-audit mcollective-nettest-client mcollective-package-client mcollective-puppet-client mcollective-service-client mcollective-sysctl-data java-1.7.0-openjdk

cat > /etc/mcollective/client.cfg <<EOF
# No additional subcollectives:
main_collective = mcollective
collectives = mcollective

#Logging: type => file,console
logger_type = file
loglevel = info
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user

# Platform Defaults
libdir = /usr/libexec/mcollective

# PSK plugin settings:
securityprovider = psk
plugin.psk = test

# Connector settings (required):
connector = activemq
direct_addressing = 1

# ActiveMQ connector settings:
plugin.activemq.pool.size = 2
plugin.activemq.pool.1.host = 192.168.188.20
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = secret
plugin.activemq.pool.1.ssl = 0

plugin.activemq.pool.2.host = 192.168.188.21
plugin.activemq.pool.2.port = 61613
plugin.activemq.pool.2.user = mcollective
plugin.activemq.pool.2.password = secret
plugin.activemq.pool.2.ssl = 0

plugin.activemq.heartbeat_interval=30
plugin.activemq.initial_reconnect_delay = 0.01
plugin.activemq.max_reconnect_delay = 30.0
plugin.activemq.use_exponential_back_off = true
plugin.activemq.back_off_multiplier = 2
plugin.activemq.max_reconnect_attempts = 0
plugin.activemq.randomize = false
plugin.activemq.timeout = -1

# Discovery settings:
default_discovery_method = mc
direct_addressing_threshold = 10
ttl = 60
color = 1
rpclimitmethod = first

# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF

service activemq start
chkconfig activemq on

Agent安装：

yum install mcollective mcollective-filemgr-agent mcollective-facter-facts mcollective-iptables-agent mcollective-logstash-audit mcollective-nettest-agent mcollective-package-agent mcollective-puppet-agent mcollective-service-agent mcollective-sysctl-data

cat > /etc/mcollective/server.cfg <<EOF
# Platform defaults:
libdir = /usr/libexec/mcollective
daemonize = 1

# No additional subcollectives:
main_collective = mcollective
collectives = mcollective

# Facts, identity, and classes (recommended)
identity = \$HOSTNAME
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
classesfile = /var/lib/puppet/classes.txt
fact_cache_time = 300

# PSK plugin settings:
securityprovider = psk
plugin.psk = test

# Connector settings (required):
connector = activemq
direct_addressing = 1

# ActiveMQ connector settings:
plugin.activemq.pool.size = 2
plugin.activemq.pool.1.host = 192.168.188.20
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = secret
plugin.activemq.pool.1.ssl = 0

plugin.activemq.pool.2.host = 192.168.188.21
plugin.activemq.pool.2.port = 61613
plugin.activemq.pool.2.user = mcollective
plugin.activemq.pool.2.password = secret
plugin.activemq.pool.2.ssl = 0

plugin.activemq.heartbeat_interval=3
plugin.activemq.initial_reconnect_delay = 0.01
plugin.activemq.max_reconnect_delay = 30.0
plugin.activemq.use_exponential_back_off = true
plugin.activemq.back_off_multiplier = 2
plugin.activemq.max_reconnect_attempts = 0
plugin.activemq.randomize = false
plugin.activemq.timeout = -1

# Registration (recommended):
registerinterval = 600
registration = agentlist
registration_collective = mcollective

# Auditing (optional):
rpcaudit = 1
rpcauditprovider = logfile
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log

# Logging:
logger_type = file
loglevel = debug
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user
EOF

service mcollective start
chkconfig mcollective on

测试mco

mco ping

3. SSL加密和权限管理..
创建SSL证书
在Master上创建所有的证书..

cd /etc/mcollective/ssl

#生成mco server的证书.
openssl genrsa -out server-private.pem 1024
openssl rsa -in server-private.pem -out server-public.pem -outform PEM -pubout

#生成mco client的证书
openssl genrsa -out $HOSTNAME-private.pem 1024
openssl rsa -in $HOSTNAME-private.pem -out $HOSTNAME.pem -outform PEM -pubout

cp $HOSTNAME.pem clients/

配置权限管理插件
修改配置启用权限管理

#Client 配置
sed -i 's/securityprovider = psk/securityprovider = ssl/' /etc/mcollective/client.cfg
cat >> /etc/mcollective/client.cfg <<EOF

# ssl auth
securityprovider = ssl
plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
plugin.ssl_client_private = /etc/mcollective/ssl/$HOSTNAME-private.pem
plugin.ssl_client_public = /etc/mcollective/ssl/$HOSTNAME.pem
EOF

#Server 配置
sed -i 's/securityprovider = psk/securityprovider = ssl/' /etc/mcollective/server.cfg
cat >> /etc/mcollective/server.cfg <<EOF

# authorization
rpcauthorization = 1
rpcauthprovider = action_policy
plugin.actionpolicy.allow_unconfigured = 1

# ssl auth
securityprovider = ssl
plugin.ssl_server_private = /etc/mcollective/ssl/server-private.pem
plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients/
EOF

#重启server的服务
service mcollective restart

#Agent创建的语法，如下：
mkdir /etc/mcollective/policies

cat > /etc/mcollective/policies/package.policy <<EOF
policy default deny
allow           cert=master.dbsa.cn            *               *               *
EOF

配置Puppet Master,将SSL证书和权限管理插件同步到Agent。下面的代码仅提供一个思路.

mkdir /etc/puppet/modules/base/{manifests,templates,files,lib} -p
mkdir /etc/puppet/modules/base/files/etc/mcollective/{ssl,policies} -p
mkdir /etc/puppet/modules/base/files/etc/mcollective/ssl/clients -p

#如果plicies规则也写在Puppet，就在Server的policies目录写吧。
cp /etc/mcollective/ssl/server-p* /etc/puppet/modules/base/files/etc/mcollective/ssl/
cp /etc/mcollective/ssl/clients/* /etc/puppet/modules/base/files/etc/mcollective/ssl/clients/

cat > /etc/puppet/modules/base/manifests/init.pp <<EOF
class base {
file {
"/etc/mcollective/ssl":
owner => root, group => root, mode => 644,
purge => true, recurse => true, force => true,
source => "puppet:///base/etc/mcollective/ssl",
notify => Service['mcollective'];

"/etc/mcollective/policies":
owner => root, group => root, mode => 644,
purge => true, recurse => true, force => true,
source => "puppet:///base/etc/mcollective/policies",
notify => Service['mcollective'];

"/etc/mcollective/facts.yaml":
owner => root, group => root, mode => 644,
content => inline_template("<%= scope.to_hash.reject{ |k,v| k.to_s =~ /(uptime_seconds|timestamp|free)/ }.to_yaml %>");
}

service {
"mcollective":
enable => true,
ensure => true;
}
}
EOF

4. Mco常用命令

#管理Puppet
mco puppet runonce *                                           所有主机运行一次
mco puppet runonce -I test                                   指定主机运行一次
mco puppet runonce --tag one,two,three            指定主机编译指定的标签
mco puppet runonce --tags one,two,three          指定主机编译指定的标签
mco puppet runonce --server XX --environment XX  指定连接的Server和环境
mco puppet summary                                            查看Puppet运行的状态
mco find -S "resource().total_time>50"                可以查看运行资源超过50秒的所有主机

#管理包
mco rpc package install package=nano
mco package puppet install                                  安装指定软件包
mco package puppet uninstall                             卸载指定软件包
mco package puppet purge                                 干净卸载指定软件包
mco package puppet update                               升级指定软件包
mco package puppet status                                 查看已安装软件包信息

#管理服务
mco rpc service status service=crond
mco service crond status                                        查看服务运行状态
mco service crond start                                          指定服务启动
mco service crond stop                                          指定服务停止
mco service crond restart                                       指定服务重启

#文件管理
mco rpc filemgr status file=/etc/puppet/puppet.conf
mco filemgr status --file /etc/puppet/puppet.conf

#查看帮助
mco plugin doc

#查找匹配内核参数的主机
mco find -S "sysctl('net.ipv4.conf.all.forwarding').value=0"

#过滤功能
-F      基于facter过滤
-C     基于class过滤
-W    基于facter或class过滤
-A     基于安装的插件过滤
-I      基于主机名称过滤
-S     组合过滤

#一些组合使用的例子
#在运行puppet的主机上重启httpd服务
mco rpc service restart service=httpd -S "puppet().enabled=true"

#在最近有发生资源变化的主机上重启httpd服务
mco rpc service restart service=httpd -S "resource().changed_resources>10"
#
在最近发送失败资源的主机上重启httpd服务
mco rpc service restart service=httpd -S "resource().failed_resources>0"

#组合facter过滤
mco ping -S "((virtual=vmware and selinux=true) or osfamily=RedHat)"
mco ping -S "virtual=vmware and ! selinux=false"
mco ping -S "virtual=vmware and not selinux=false"

5. Shell插件的下载.

下载插件放在对应的目录里即可 https://github.com/phobos182/mcollective-plugins/blob/master/agent/

#mcollective-client端
[root@master ~]# ll /usr/libexec/mcollective/mcollective/application/ | grep shell
-rw-r--r-- 1 root root  1601 Aug  6 06:36 shell.rb
[root@agent1 ~]# ll /usr/libexec/mcollective/mcollective/agent/ | grep shell
-rw-r--r-- 1 root root 1017 Aug  6 06:36 shell.ddl
-rw-r--r-- 1 root root  862 Aug  6 06:36 shell.rb

#mcollective-server端
[root@agent1 ~]# ll /usr/libexec/mcollective/mcollective/agent/ | grep shell
-rw-r--r-- 1 root root 1017 Aug  6 06:36 shell.ddl
-rw-r--r-- 1 root root  862 Aug  6 06:36 shell.rb

#下载完成后记的server重启服务
service mcollective restart

在client端查看mco支持的插件..

[root@master agent]# mco
The Marionette Collective version 2.6.1

usage: /usr/bin/mco command <options>

Known commands:

completion           facts                filemgr
find                 help                 inventory
iptables             nettest              package
ping                 plugin               puppet
rpc                  service              shell

Type '/usr/bin/mco help' for a detailed list of commands and '/usr/bin/mco help command'
to get detailed help for a command

执行shell命令..

[root@master agent]# mco shell 'w'
Do you really want to send this command unfiltered? (y/n): y
Discovering hosts using the mc method for 2 second(s) .... 1
Host: agent1.dbsa.cn
Statuscode: 0
Output:
01:17:00 up 11:26,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/1    192.168.188.1    Mon00    5.00s  0.52s  0.52s -bash

[root@master agent]#