Current shortcomings of Foreman

Last updated: 2022-04-01 02:28:33

Coming soon, stay tuned...

Using the Foreman CLI (Hammer)

Last updated: 2022-04-01 02:28:31

Coming soon, stay tuned...

Automating operating-system deployment with Foreman (part 2)

Last updated: 2022-04-01 02:28:29

Coming soon, stay tuned...

Automating operating-system deployment with Foreman (part 1)

Last updated: 2022-04-01 02:28:27

Coming soon, stay tuned...

Integrating Foreman with virtualization management software

Last updated: 2022-04-01 02:28:24

Coming soon, stay tuned...

Displaying code and file contents in Foreman

Last updated: 2022-04-01 02:28:22

Coming soon, stay tuned...

Load-balancing foreman-proxy

Last updated: 2022-04-01 02:28:20

Coming soon, stay tuned...

Using Foreman's reporting system

Last updated: 2022-04-01 02:28:17

Coming soon, stay tuned...

Combining smart variables with parameterized Puppet classes

Last updated: 2022-04-01 02:28:15

Coming soon, stay tuned...

Turning a hostgroup into a local fact

Last updated: 2022-04-01 02:28:13

Introducing the Foreman architecture, part 10: turning a hostgroup into a local fact

In Foreman you can define several host groups (Host Groups) according to your business logic and add different nodes to different groups. Each time you trigger a "puppet run" you then only need to search for the host group in the search box to find every node it contains, as shown in the screenshot.

However, Foreman's integration of mcollective into `puppet run` is currently very shallow: it basically runs a single command. So how do you operate on these custom `Host Groups` from a shell with the mco command? The answer is to turn them into facts.

There are four ways to define custom facts, see [http://kisspuppet.com/2014/03/30/puppet_learning_base10/](http://kisspuppet.com/2014/03/30/puppet_learning_base10/). Here we use the third one to turn the host groups (Host Groups) defined in Foreman into a fact on each node.

### 1. Create the host group

### 2. Check the node's host group information

This effectively defines an external variable named hostgroup whose value is the name of the group the node belongs to.

### 3. Write a fact module

The module writes the Foreman variable "hostgroup" to /etc/facter/facts.d/${hostname}.txt on each node, in the standard fact format.

~~~
# module layout
[root@puppetmaster162 modules]# tree fact
fact
├── files
├── manifests
│   ├── config.pp
│   ├── fact.pp
│   ├── init.pp
│   └── params.pp
└── templates
    └── hostgroup.erb

3 directories, 5 files

# main class of the module, init.pp
[root@puppetmaster162 modules]# cat fact/manifests/init.pp
class fact {
  tag("puppet_env")
  require fact::params
  $hostgroup_erb = $fact::params::hostgroup_erb
  include fact::config
  include fact::facter
}

# create the directories and the fact file
[root@puppetmaster162 modules]# cat fact/manifests/config.pp
class fact::config {
  file { '/etc/facter':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',   # for directories Puppet adds the execute bit wherever read is set
  }
  file { '/etc/facter/facts.d':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    require => File['/etc/facter'],
  }
  file { "/etc/facter/facts.d/${hostname}.txt":
    owner   => 'root',
    group   => 'root',
    mode    => '0400',  # keep modes quoted; an unquoted 0400 is parsed as an octal number
    content => template($fact::hostgroup_erb),
    require => File['/etc/facter/facts.d'],
  }
}

# variables
[root@puppetmaster162 modules]# cat fact/manifests/params.pp
class fact::params {
  $hostgroup_erb = 'fact/hostgroup.erb'
}

# the facts file for mcollective (background: http://kisspuppet.com/2013/11/10/mcollective-middleware/)
# Note: Puppet's autoloader maps class fact::facter to fact/manifests/facter.pp,
# so name this file facter.pp rather than fact.pp as in the listing above.
[root@puppetmaster162 manifests]# cat fact.pp
class fact::facter {
  file { '/etc/mcollective/facts.yaml':
    owner    => root,
    group    => root,
    mode     => '0440',
    loglevel => debug,  # reduce noise in Puppet reports
    content  => inline_template('<%= scope.to_hash.reject { |k,v| k.to_s =~ /(uptime.*|path|timestamp|free|.*password.*|.*psk.*|.*key)/ }.to_yaml %>'),
  }
}

# the fact template
[root@puppetmaster162 modules]# cat fact/templates/hostgroup.erb
hostgroup=<%= @hostgroup %>
foreman_env=<%= @foreman_env %>
~~~

Note that the `reject` pattern on facts.yaml is a substring denylist: it drops every variable whose name contains password, psk or key, but a Foreman parameter with another name, such as the `root_pw` parameter visible in the ENC output of part 6, is written into the file unchanged. The file is root:root 0440, but check what actually ends up in it.

### 4. Manage the host group and the fact module in Foreman

Import the class first, then associate it with the host group. Since the fact module applies to all hosts, associate it with a top-level host group; nodes added to the group inherit it automatically. The result after association is shown in the screenshot.

### 5. Run "puppet run" against the two nodes from Foreman

### 6. Check that the fact was generated

~~~
[root@foreman163 ~]# facter hostgroup
prd
[root@puppetmaster162 ~]# facter hostgroup
prd/kisspuppet
~~~

### 7. Filter with mco using the fact

~~~
[root@puppetmaster162 ~]# mco ping -F hostgroup=prd
foreman163.kisspuppet.com                time=98.55 ms

---- ping statistics ----
1 replies max: 98.55 min: 98.55 avg: 98.55

[root@puppetmaster162 ~]# mco ping -F hostgroup=prd/kisspuppet
puppetmaster162.kisspuppet.com           time=94.14 ms

---- ping statistics ----
1 replies max: 94.14 min: 94.14 avg: 94.14

[root@puppetmaster162 ~]# mco puppet -v runonce -F hostgroup=prd/kisspuppet
Discovering hosts using the mc method for 2 second(s) .... 1

 * [ ============================================================> ] 1 / 1

puppetmaster162.kisspuppet.com           : OK
    {:summary=>
      "Started a Puppet run using the 'puppet agent --test --color=false --splay --splaylimit 30' command"}

---- rpc stats ----
           Nodes: 1 / 1
     Pass / Fail: 1 / 0
      Start Time: Thu Dec 18 15:13:09 +0800 2014
  Discovery Time: 2004.07ms
      Agent Time: 85.19ms
      Total Time: 2089.26ms
~~~

**Note:** the above is only one approach; other approaches will depend on your actual environment. The point is that facts are powerful; it is up to you how you use them.
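The following is an added example, not code from the original post or from the Foreman project: it runs the same `reject` filter that the `fact::facter` class uses for `/etc/mcollective/facts.yaml` over a constructed scope hash, so you can see which variables survive, and contrasts it with an allowlist. The sample hash, the `allowlist_facts` helper and the `suspicious_leaks` check are assumptions made for the demo; the key names follow the facts and ENC parameters shown on this page.

```ruby
require 'yaml'

# Added example, not from the original post: the facts.yaml filter used in
# fact::facter, applied to a constructed scope hash so the effect of every
# pattern is visible. A real scope.to_hash holds every fact plus every
# top-scope (ENC) variable, which is exactly why the filter matters.
FACT_FILTER = /(uptime.*|path|timestamp|free|.*password.*|.*psk.*|.*key)/

# Constructed sample scope (names follow the facts/ENC parameters on this page).
SAMPLE_SCOPE = {
  'hostgroup'     => 'prd/kisspuppet',
  'foreman_env'   => 'production',
  'root_pw'       => 'hunter2',          # Foreman ENC parameter, see part 6
  'root_password' => 'hunter2',
  'puppetmaster'  => 'puppetmaster162.kisspuppet.com',
  'ipaddress'     => '192.168.20.12',
  'sshrsakey'     => 'AAAAB3NzaC1yc2E...',
  'uptime_days'   => '3',
  'memoryfree'    => '1.2 GB',
  'path'          => '/usr/bin:/bin',
  'timestamp'     => 'Thu Dec 18 15:13:09 +0800 2014',
}.freeze

# Denylist exactly as on the page: a key is dropped when the pattern matches
# anywhere in it (unanchored, so 'path' also drops e.g. 'environmentpath').
def filter_facts(scope)
  scope.reject { |k, _v| k.to_s =~ FACT_FILTER }
end

# Allowlist alternative: only the variables mco discovery actually needs.
def allowlist_facts(scope, allowed)
  scope.select { |k, _v| allowed.include?(k.to_s) }
end

# Keys the denylist let through although their name suggests a secret.
def suspicious_leaks(filtered)
  filtered.keys.select { |k| k.to_s =~ /(pw|secret|token|passwd)/ }
end

# Renders the facts.yaml content, with either strategy.
def facts_yaml(scope, allowed = nil)
  (allowed ? allowlist_facts(scope, allowed) : filter_facts(scope)).to_yaml
end

if $PROGRAM_NAME == __FILE__
  puts "denylist keeps:   #{filter_facts(SAMPLE_SCOPE).keys.inspect}"
  puts "looks leaked:     #{suspicious_leaks(filter_facts(SAMPLE_SCOPE)).inspect}"
  puts facts_yaml(SAMPLE_SCOPE, %w[hostgroup foreman_env ipaddress])
end
```

Run it and the denylist output keeps `root_pw` while dropping `root_password`; the allowlist variant writes only the three facts you filter on with `mco -F`, which is the safer default for a file that every mcollective tool on the node can read.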

Comparing Foreman's ENC environment with the fact environment

Last updated: 2022-04-01 02:28:11

Coming soon, stay tuned...

Using puppetssh for push from Foreman

Last updated: 2022-04-01 02:28:08

Coming soon, stay tuned...

Using mcollective for push from Foreman

Last updated: 2022-04-01 02:28:06

### Introducing the Foreman architecture, part 7: using mcollective for push from Foreman

**Note:** everything below was done on **foreman 1.6.3 + puppet 3.6.2** (the package versions selected in part 4). For more configuration options see the official manual: [http://theforeman.org/manuals/1.6/index.html](http://theforeman.org/manuals/1.6/index.html)

foreman-proxy 1.6.3 provides at least the following five tools for triggering the puppet agent. The default is puppetrun, which is deprecated; this part shows how to trigger runs with mcollective, and the next part covers puppetssh.

~~~
# puppetrun (for puppetrun/kick, deprecated in Puppet 3)
# mcollective (uses mco puppet)
# puppetssh (run puppet over ssh)
# salt (uses salt puppet.run)
# customrun (calls a custom command with args)
~~~

Before testing anything, make sure that mco plus the message queue work from the command line. If they do not, or you do not know what mco + mq are, see the earlier articles.

What does "working" look like? Like this:

~~~
[root@puppetmaster162 yum.repos.d]# mco puppet -v runonce
Discovering hosts using the mc method for 2 second(s) .... 1

 * [ ============================================================> ] 1 / 1

puppetmaster162.kisspuppet.com           : OK
    {:summary=>
      "Started a Puppet run using the 'puppet agent --test --color=false --splay --splaylimit 30' command"}

---- rpc stats ----
           Nodes: 1 / 1
     Pass / Fail: 1 / 0
      Start Time: Wed Dec 17 16:22:15 +0800 2014
  Discovery Time: 2004.22ms
      Agent Time: 71.49ms
      Total Time: 2075.70ms
~~~

### 1. Enable the puppetrun feature of the Puppet plugin in Foreman

### 2. Configure the puppet_provider of the foreman-proxy Puppet module

~~~
[root@puppetmaster162 ~]# vim /etc/foreman-proxy/settings.d/puppet.yml
---
# Puppet management
:enabled: true
:puppet_conf: /etc/puppet/puppet.conf
# valid providers:
#   puppetrun   (for puppetrun/kick, deprecated in Puppet 3)
#   mcollective (uses mco puppet)
#   puppetssh   (run puppet over ssh)
#   salt        (uses salt puppet.run)
#   customrun   (calls a custom command with args)
:puppet_provider: mcollective
...
~~~

### 3. Configure sudoers to allow the mco command

~~~
[root@puppetmaster162 ~]# vim /etc/sudoers.d/foreman-proxy
foreman-proxy ALL = NOPASSWD : /usr/bin/puppet cert *, /usr/bin/mco puppet runonce *
Defaults:foreman-proxy !requiretty
[root@puppetmaster162 ~]# /etc/init.d/foreman-proxy restart
Stopping foreman-proxy:                                    [  OK  ]
Starting foreman-proxy:                                    [  OK  ]
~~~

Both rules end in a wildcard, so the foreman-proxy account may run `puppet cert` and `mco puppet runonce` as root with any arguments. Whoever can talk to the proxy API on port 8443 therefore effectively has root on the puppetmaster; restrict that to the Foreman host with the `:trusted_hosts:` list in /etc/foreman-proxy/settings.yml.

### 4. Test the puppetrun button in the UI

This is what a successful run looks like (screenshot).

### 5. Check the report for more detail

~~~
# the execution can be followed in the log
[root@puppetmaster162 yum.repos.d]# tailf /var/log/foreman-proxy/proxy.log
192.168.20.11 - - [17/Dec/2014 16:25:36] "POST /run HTTP/1.1" 200 - 0.5454

# for more detail, raise the proxy log level
[root@puppetmaster162 ~]# cat /etc/foreman-proxy/settings.yml
...
:log_file: /var/log/foreman-proxy/proxy.log
# valid options are
# WARN, DEBUG, Error, Fatal, INFO, UNKNOWN
:log_level: DEBUG   # debug shows much more detail; use it when troubleshooting (before 1.5 it was the default)

[root@puppetmaster162 yum.repos.d]# tailf /var/log/foreman-proxy/proxy.log
I, [2014-12-17T16:27:43.148519 #24337]  INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
W, [2014-12-17T16:27:43.155592 #24337]  WARN -- : Couldn't find settings file /etc/foreman-proxy/settings.d/facts.yml. Using default settings.
I, [2014-12-17T16:27:43.155860 #24337]  INFO -- : 'facts' settings were initialized with default values: :enabled: true
I, [2014-12-17T16:27:43.163012 #24337]  INFO -- : 'dns' module is disabled.
I, [2014-12-17T16:27:43.163513 #24337]  INFO -- : 'tftp' module is disabled.
I, [2014-12-17T16:27:43.163933 #24337]  INFO -- : 'dhcp' module is disabled.
I, [2014-12-17T16:27:43.579571 #24337]  INFO -- : 'puppet' settings were initialized with default values: :puppetdir: /etc/puppet
I, [2014-12-17T16:27:43.583486 #24337]  INFO -- : 'bmc' module is disabled.
I, [2014-12-17T16:27:43.583655 #24337]  INFO -- : 'chefproxy' module is disabled.
I, [2014-12-17T16:27:43.583934 #24337]  INFO -- : 'realm' module is disabled.
D, [2014-12-17T16:28:15.059328 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I puppetmaster162.kisspuppet.com
192.168.20.11 - - [17/Dec/2014 16:28:15] "POST /run HTTP/1.1" 200 - 0.5468
~~~

The failure case looks like this:

~~~
[root@puppetmaster162 ~]# tailf /var/log/foreman-proxy/proxy.log
I, [2014-12-17T16:27:43.163933 #24337]  INFO -- : 'dhcp' module is disabled.
I, [2014-12-17T16:27:43.579571 #24337]  INFO -- : 'puppet' settings were initialized with default values: :puppetdir: /etc/puppet
I, [2014-12-17T16:27:43.583486 #24337]  INFO -- : 'bmc' module is disabled.
I, [2014-12-17T16:27:43.583655 #24337]  INFO -- : 'chefproxy' module is disabled.
I, [2014-12-17T16:27:43.583934 #24337]  INFO -- : 'realm' module is disabled.
D, [2014-12-17T16:28:15.059328 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I puppetmaster162.kisspuppet.com
192.168.20.11 - - [17/Dec/2014 16:28:15] "POST /run HTTP/1.1" 200 - 0.5468
D, [2014-12-17T16:32:56.924849 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I puppetmaster162.kisspuppet.com
192.168.20.11 - - [17/Dec/2014 16:32:57] "POST /run HTTP/1.1" 200 - 0.6095
D, [2014-12-17T16:32:57.878231 #24344] DEBUG -- : about to execute: /usr/bin/sudo -u root /usr/bin/mco puppet runonce -I foreman163.kisspuppet.com
W, [2014-12-17T16:33:20.364704 #24344]  WARN -- : Non-null exit code when executing '/usr/bin/sudo-uroot/usr/bin/mcopuppetrunonce-Iforeman163.kisspuppet.com'
E, [2014-12-17T16:33:20.368673 #24344] ERROR -- : Failed puppet run: Check Log files
192.168.20.11 - - [17/Dec/2014 16:33:20] "POST /run HTTP/1.1" 500 34 22.4920
~~~

**Remark:** Foreman's presentation of the result after a command has run is frankly poor. It would be much better if the execution status of every node could be shown live in the UI.
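As an added example (not foreman-proxy's own code), the following reconstructs the command the proxy logged above, `/usr/bin/sudo -u root /usr/bin/mco puppet runonce -I <certname>`, and shows the check that belongs in front of a sudoers rule ending in `*`: the certname arrives in the `POST /run` request, and anything appended to it would be accepted by sudo as more `mco` arguments. The `CERTNAME_RE` pattern, the `runonce_batch` helper and the `within_sudoers_intent?` check are assumptions made for the demo.

```ruby
# Added example, not foreman-proxy's own code: builds the mcollective provider
# command as an argv array (no shell) and refuses certnames that carry extra
# arguments, because the sudoers rule "mco puppet runonce *" would pass them through.
CERTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*\z/

class BadCertname < ArgumentError; end

SUDO = '/usr/bin/sudo'.freeze
MCO  = '/usr/bin/mco'.freeze

# argv for one node, or BadCertname if the name is not a plain lowercase FQDN.
def runonce_argv(certname)
  name = certname.to_s
  raise BadCertname, "refusing certname #{name.inspect}" unless name =~ CERTNAME_RE
  [SUDO, '-u', 'root', MCO, 'puppet', 'runonce', '-I', name]
end

# Splits a batch into commands to run and names that were rejected.
def runonce_batch(certnames)
  good, bad = certnames.partition { |c| c.to_s =~ CERTNAME_RE }
  [good.map { |c| runonce_argv(c) }, bad]
end

# Last check before Kernel#system(*argv): exactly one "-I <host>" and nothing else.
def within_sudoers_intent?(argv)
  return false unless argv.length == 8
  return false unless argv[0, 7] == [SUDO, '-u', 'root', MCO, 'puppet', 'runonce', '-I']
  !!(argv[7] =~ CERTNAME_RE)
end

if $PROGRAM_NAME == __FILE__
  cmds, rejected = runonce_batch(['puppetmaster162.kisspuppet.com',
                                  'foreman163.kisspuppet.com -F hostgroup=prd'])
  cmds.each { |argv| puts argv.join(' ') }
  puts "rejected: #{rejected.inspect}"
end
```

Passing the argv array to `Kernel#system` (rather than a joined string) keeps the shell out of the picture, so `;` or `&&` in a name cannot start a second command; the regex is what stops an extra `-F hostgroup=prd` from turning one host's run into a fleet-wide one.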

Integrating the puppetmaster

Last updated: 2022-04-01 02:28:04

#### Introducing the Foreman architecture, part 6: integrating the puppetmaster

**Note:** everything below was done on **foreman 1.6.3 + puppet 3.6.2** (the package versions selected in part 4). For more configuration options see the official manual: [http://theforeman.org/manuals/1.6/index.html](http://theforeman.org/manuals/1.6/index.html)

Once foreman and the puppetmaster are installed, the next job is integrating them. Foreman can currently manage Puppet environments, classes, class variables, reports, facts and so on; each is introduced in turn below.

# 1. Make sure the smart proxy proxies Puppet and the Puppet CA

Proxying puppet and puppetca has to be enabled in foreman-proxy.

~~~
# proxy puppet
[root@puppetmaster162 ~]# cat /etc/foreman-proxy/settings.d/puppet.yml
---
# Puppet management
:enabled: true          # enabled
:puppet_conf: /etc/puppet/puppet.conf
# valid providers:
#   puppetrun   (for puppetrun/kick, deprecated in Puppet 3)
#   mcollective (uses mco puppet)
#   puppetssh   (run puppet over ssh)
#   salt        (uses salt puppet.run)
#   customrun   (calls a custom command with args)
:puppet_provider: mcollective

# customrun command details
# Set :customrun_cmd to the full path of the script you want to run, instead of /bin/false
:customrun_cmd: /bin/false
# Set :customrun_args to any args you want to pass to your custom script. The hostname of the
# system to run against will be appended after the custom commands.
:customrun_args: -ay -f -s

# whether to use sudo before the ssh command
:puppetssh_sudo: false
# the command which will be sent to the host
:puppetssh_command: /usr/bin/puppet agent --onetime --no-usecacheonfailure
# With which user should the proxy connect
#:puppetssh_user: root
#:puppetssh_keyfile: /etc/foreman-proxy/id_rsa

# Which user to invoke sudo as to run puppet commands
:puppet_user: root

# URL of the puppet master itself for API requests
:puppet_url: https://puppetmaster162.kisspuppet.com:8140
# SSL certificates used to access the puppet master API
:puppet_ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
:puppet_ssl_cert: /var/lib/puppet/ssl/certs/puppetmaster162.kisspuppet.com.pem
:puppet_ssl_key: /var/lib/puppet/ssl/private_keys/puppetmaster162.kisspuppet.com.pem

# Override use of Puppet's API to list environments, by default it will use only if
# environmentpath is given in puppet.conf, else will look for environments in puppet.conf
#:puppet_use_environment_api: true

# proxy the puppet CA
[root@puppetmaster162 ~]# cat /etc/foreman-proxy/settings.d/puppetca.yml
---
# PuppetCA management
:enabled: true
:ssldir: /var/lib/puppet/ssl
:puppetdir: /etc/puppet
~~~

# 2. Managing Puppet environments

### 2.1 Configure environments on the puppetmaster

Puppet gained "directory environments" in version 3.5 (the packages used here are 3.6.2); for details see the official documentation: [https://docs.puppetlabs.com/puppet/latest/reference/environments.html](https://docs.puppetlabs.com/puppet/latest/reference/environments.html)

~~~
[root@puppetmaster162 ~]# cat /etc/puppet/puppet.conf
[master]
...
environmentpath = /etc/puppet/environments
basemodulepath = /etc/puppet/modules:/usr/share/puppet/modules
environment_timeout = 2     # how often the environment cache is refreshed

[root@puppetmaster162 ~]# ll /etc/puppet/environments/
total 24
drwxr-xr-x 4 root root 4096 Dec  5 16:46 development
drwxr-xr-x 4 root root 4096 Dec  5 16:46 example42
drwxr-xr-x 4 root root 4096 Dec  5 16:39 example_env
drwxr-xr-x 5 root root 4096 Dec  5 17:03 production
drwxr-xr-x 4 root root 4096 Dec  5 16:46 puppetlabs
drwxr-xr-x 7 root root 4096 Dec  5 17:03 temp
~~~

**Note:** with this configuration every directory under environmentpath is an environment, so the listing above defines six of them.

### 2.2 Import the Puppet environments into Foreman

# 3. Managing Puppet classes

3.1 Configure the Puppet classes

Pay attention to the following points:

- The paths set in basemodulepath in puppet.conf are shared by all environments under the environment directory; every module in them is found by every environment (as long as no environment.conf says otherwise).
- By default each environment directory should contain a manifests directory (holding the main site.pp) and a modules directory (holding modules), laid out like this:

~~~
[root@puppetmaster162 environments]# tree production/
production/
├── environment.conf
├── manifests
│   └── site.pp
├── modules
│   ├── jenkins
│   │   ├── files
│   │   │   └── jenkins.repo
│   │   ├── manifests
│   │   │   ├── init.pp
│   │   │   ├── install.pp
│   │   │   ├── service.pp
│   │   │   └── yum.pp
│   │   ├── README
│   │   └── templates
│   └── motd
│       ├── files
│       │   └── motd
│       ├── manifests
│       │   └── init.pp
│       └── templates
└── system
    └── ssh
        ├── files
        ├── manifests
        │   ├── backup.pp
        │   ├── config.pp
        │   ├── init.pp
        │   ├── install.pp
        │   └── service.pp
        ├── Modulefile
        ├── README
        ├── spec
        │   └── spec_helper.rb
        ├── templates
        │   └── sshd_config.erb
        └── tests
            └── init.pp

17 directories, 20 files
~~~

- If you want one environment to contain several directories that each hold modules, add an environment.conf file:

~~~
[root@puppetmaster162 environments]# ll temp/
total 24
-rw-r--r--  1 root root   95 Dec  5 17:03 environment.conf   # the environment's search-path configuration
drwxr-xr-x 11 root root 4096 Dec  5 17:02 juhailu
drwxr-xr-x  2 root root 4096 Dec  5 16:48 kisspuppet
drwxr-xr-x  4 root root 4096 Dec  5 16:56 lin
drwxr-xr-x  2 root root 4096 Dec  5 16:48 manifests
drwxr-xr-x  5 root root 4096 Dec  5 16:47 puppetlabs
[root@puppetmaster162 environments]# ll temp/puppetlabs/
total 12
drwxr-xr-x 5 root root 4096 Dec  5 16:46 propuppet-demoapp
drwxr-xr-x 5 root root 4096 Dec  5 16:46 puppetlabs-demoapp
drwxr-xr-x 4 root root 4096 Dec  5 16:46 puppet-module-skeleton
[root@puppetmaster162 environments]# cat temp/environment.conf    # the added search path
modulepath = $basemodulepath:puppetlabs:modules:lin:modules:juhailu:modules:kisspuppet:modules
~~~

**Note:** the search path must include `$basemodulepath`, otherwise the default shared module path is no longer searched in that environment.

### 3.2 Import the Puppet classes into Foreman

# 4. Setting up the ENC

### 4.1 Manage modules directly on a node

**Remark:** it is enough to add the main class.

This associates the node with the module and is equivalent to adding the following to site.pp:

~~~
node puppetmaster162.kisspuppet.com {
  include ssh
}
~~~

### 4.2 Inherit modules through a group

**Remark:** if you manage modules through groups, do not also tick modules for individual nodes. Otherwise, once a node has module A ticked directly and module A is then added to the node's group, the node's Puppet classes tab lists two classes with the same name.

# 5. Managing groups and modules

### 5.1 Add a config group

**Note:** Foreman 1.5 introduced "config groups": several modules can be added to a named config group, and a host group then only needs to tick the config group to get all the modules in it.

# 6. Check that the setup works

~~~
# The cached ENC answer can be inspected as follows. node.rb must have run first;
# trigger it with "puppet agent" on the node or with "node.rb <certname>" on the master.
[root@puppetmaster162 ~]# cat /var/lib/puppet/yaml/foreman/puppetmaster162.kisspuppet.com.yaml
---
classes:
  ssh:
parameters:
  puppetmaster: puppetmaster162.kisspuppet.com
  hostgroup: prd
  root_pw:
  foreman_env: production
  owner_name: Admin User
  owner_email: root@kisspuppet.com
~~~

Note that Foreman hands the node's root password over as the top-scope parameter `root_pw` (empty here). Whatever you put in it lands in this cached YAML and in anything else built from scope, such as the facts.yaml of part 10, so keep the directory's permissions tight.

With this in place the ENC works and the association between nodes and classes is reliable. You can test it on a node with the puppet agent command; how to push from Foreman is covered in later articles.
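The note in 3.1 about `$basemodulepath` is easy to get wrong silently, so here is an added example (not Puppet's own code) that resolves a directory environment's modulepath the way the rules above describe: relative entries are taken relative to the environment directory, `$basemodulepath` expands to the puppet.conf value, and an environment without an environment.conf gets Puppet's default of `modules:$basemodulepath`. The `parse_environment_conf` helper and the `missing_basemodulepath?` check are assumptions made for the demo; the paths are computed, not checked on disk, so it runs anywhere.

```ruby
# Added example, not Puppet's own code: what a directory environment will actually
# search, computed from its environment.conf and the puppet.conf basemodulepath.
BASEMODULEPATH     = '/etc/puppet/modules:/usr/share/puppet/modules'.freeze # from puppet.conf above
DEFAULT_MODULEPATH = 'modules:$basemodulepath'.freeze                      # Puppet's default

# Minimal "key = value" parser for environment.conf; comments and blank lines are skipped.
def parse_environment_conf(text)
  text.to_s.each_line.with_object({}) do |line, conf|
    line = line.sub(/#.*/, '').strip
    next if line.empty? || !line.include?('=')
    key, value = line.split('=', 2)
    conf[key.strip] = value.strip
  end
end

# Absolute directories searched for modules, in order.
def resolve_modulepath(env_dir, conf_text, basemodulepath = BASEMODULEPATH)
  modulepath = parse_environment_conf(conf_text)['modulepath'] || DEFAULT_MODULEPATH
  modulepath.split(':').flat_map do |entry|
    if entry == '$basemodulepath'
      basemodulepath.split(':')
    elsif entry.start_with?('/')
      [entry]
    else
      [File.join(env_dir, entry)]
    end
  end
end

# The mistake the page warns about: a custom modulepath without $basemodulepath,
# which hides every module in the shared directories from that environment.
def missing_basemodulepath?(conf_text)
  modulepath = parse_environment_conf(conf_text)['modulepath']
  !modulepath.nil? && !modulepath.split(':').include?('$basemodulepath')
end

# The temp/environment.conf shown above (quoted heredoc: no interpolation of $basemodulepath).
TEMP_ENV_CONF = <<~'CONF'
  # added search path
  modulepath = $basemodulepath:puppetlabs:modules:lin:modules:juhailu:modules:kisspuppet:modules
CONF

if $PROGRAM_NAME == __FILE__
  puts resolve_modulepath('/etc/puppet/environments/temp', TEMP_ENV_CONF)
  puts resolve_modulepath('/etc/puppet/environments/production', nil)
  puts missing_basemodulepath?("modulepath = site:modules\n")
end
```

Running it against the page's own `temp` configuration shows the two shared directories first, followed by the environment-relative ones; the repeated `modules` entries in that line are redundant but harmless. Point the function at a proposed environment.conf before importing classes into Foreman and you will see exactly which directories the import will scan.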

Installing the Foreman 1.7 architecture (from source, testing only)

Last updated: 2022-04-01 02:28:01

Coming soon, stay tuned...

Installing the Foreman 1.6 architecture (foreman and puppetmaster on separate hosts)

Last updated: 2022-04-01 02:27:59

#### Introducing the Foreman architecture, part 4: installing the Foreman 1.6.3 architecture (foreman separated from the puppetmaster)

**Note:** this lab was installed offline, so you need to build your own local yum repository; see "[How to build your own puppet yum repository for a given version](http://kisspuppet.com/2014/01/26/puppet_create_repo/)". If you would rather not, or cannot sort out the rpm dependencies, download it from my GitHub: [https://github.com/kisspuppet/foreman-repo](https://github.com/kisspuppet/foreman-repo)

For more installation details see the official manual: [http://theforeman.org/manuals/1.6/index.html](http://theforeman.org/manuals/1.6/index.html)

The all-in-one method described earlier is only recommended for testing. For production, install foreman and the puppetmaster separately; that makes later maintenance and scaling easier. Also, if you already run a puppetmaster, how to install foreman on its own and have it talk to that puppetmaster is worth thinking about.

### 1. Package selection

- **puppet-server 3.6.2**
- **puppet 3.6.2**
- **facter 2.0.2**
- **mcollective 2.2.4**
- **rabbitmq-server 3.2.4**
- **foreman 1.6.3**
- **foreman-proxy 1.6.3**

### 2. System environment

| Role | Hostname | OS | IP |
|-----|-----|-----|-----|
| foreman | foreman163.kisspuppet.com | rhel6.4-x86_64 | 192.168.20.11/24 |
| puppetmaster | puppetmaster162.kisspuppet.com | rhel6.4-x86_64 | 192.168.20.12/24 |

### 3. Install the puppetmaster

**3.1 Install the puppetmaster and generate the CA and certificate**

~~~
[root@puppetmaster162 ~]# yum install puppet puppet-server facter
[root@puppetmaster162 puppet]# vim /etc/puppet/puppet.conf
[agent]
server = puppetmaster162.kisspuppet.com
pluginsync = false
...
[master]
certname = puppetmaster162.kisspuppet.com
environmentpath = /etc/puppet/environments
basemodulepath = /etc/puppet/modules:/usr/share/puppet/modules
environment_timeout = 10

[root@puppetmaster162 ~]# /etc/init.d/puppetmaster start
Starting puppetmaster:                                     [  OK  ]
[root@puppetmaster162 ~]# puppet cert --list --all
+ "puppetmaster162.kisspuppet.com" (SHA256) 2E:B3:73:4F:CD:EE:0C:64:2C:DF:24:E6:D3:62:F3:1C:AC:A3:28:60:67:1D:0C:8C:C5:CA:68:5B:4B:2F:49:B9 (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster162.kisspuppet.com")
~~~

**3.2 Check that the puppetmaster works**

~~~
[root@puppetmaster162 ~]# puppet agent -t
Info: Caching catalog for puppetmaster162.kisspuppet.com
Info: Applying configuration version '1417749612'
Notice: Finished catalog run in 0.04 seconds
~~~

**Note:** installed this way the puppetmaster runs on WEBrick, whose performance is very poor; it should be moved to a proper web server. For that, see [http://kisspuppet.com/2014/10/18/puppet_learning_ext3/](http://kisspuppet.com/2014/10/18/puppet_learning_ext3/) and [http://kisspuppet.com/2014/10/20/puppet_learning_ext4/](http://kisspuppet.com/2014/10/20/puppet_learning_ext4/)

### 4. Install Foreman

**4.1 Install the puppet agent and get its certificate signed**

~~~
# install
[root@foreman163 ~]# yum install puppet facter
[root@foreman163 ~]# vim /etc/puppet/puppet.conf
[main]
...
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
[agent]
server = puppetmaster162.kisspuppet.com
pluginsync = false

# request a certificate
[root@foreman163 ~]# puppet agent -t
Info: Creating a new SSL key for foreman163.kisspuppet.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for
Info: Certificate Request fingerprint (SHA256): 35:5D:E5:74:71:E0:FD:D2:67:34:17:92:3D:60:F2:A1:34:26:BA:E5:2D:1F:3A:0E:07:6F:85:38:A8:39:8B:65
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

# sign the certificate
[root@puppetmaster162 ~]# puppet cert --sign foreman163.kisspuppet.com
Notice: Signed certificate request for foreman163.kisspuppet.com
Notice: Removing file Puppet::SSL::CertificateRequest foreman163.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/foreman163.kisspuppet.com.pem'

# test
[root@foreman163 ~]# puppet agent -t
Info: Caching catalog for foreman163.kisspuppet.com
Info: Applying configuration version '1417749612'
Notice: Finished catalog run in 0.05 seconds
~~~

**4.2 Install foreman with foreman-installer**

Foreman's default database is PostgreSQL; here MySQL is used instead.

**Note:** openssl must be upgraded to 1.0.1e.

~~~
# install the packages first
[root@foreman163 ~]# yum install foreman-installer foreman mod_passenger mod_ssl ruby193-rubygem-passenger-native mysql mysql-server foreman-mysql2 openssl
...
Updated:
  openssl.x86_64 0:1.0.1e-15.el6
Replaced:
  ruby193-v8.x86_64 1:3.14.5.10-2.el6
Complete!

# then let foreman-installer configure everything through puppet
[root@foreman163 ~]# foreman-installer --foreman-db-adapter mysql2 --foreman-db-type mysql --no-enable-puppet --no-enable-foreman-proxy --foreman-configure-epel-repo=false
Installing             Done                                               [100%] []
  Success!
  * Foreman is running at https://foreman163.kisspuppet.com
      Initial credentials are admin / 2kWcqJsW6cLDwo7m
  The full log is at /var/log/foreman-installer/foreman-installer.log
~~~

**Note:** after this installation the login password is random, which differs from earlier versions.

Once the installation finishes, open [https://192.168.20.11](https://192.168.20.11) in Firefox or Chrome to check it worked. Remember to change the default password, otherwise you will forget it and lock yourself out.

### 5. Install foreman-proxy

**Note:** this foreman-proxy mainly proxies puppet and the puppet CA, so it is installed on the puppetmaster.

**5.1 Install foreman-proxy**

~~~
[root@puppetmaster162 ~]# yum install foreman-installer foreman-proxy tftp-server syslinux
[root@puppetmaster162 yum.repos.d]# foreman-installer --no-enable-foreman --no-enable-foreman-cli --no-enable-foreman-plugin-bootdisk --no-enable-foreman-plugin-setup --no-enable-puppet --enable-foreman-proxy --foreman-proxy-puppetrun=true --foreman-proxy-puppetrun-provider=mcollective --foreman-proxy-puppetca=true --foreman-proxy-dhcp=false --foreman-proxy-tftp=false --foreman-proxy-dns=false --foreman-proxy-register-in-foreman=false --foreman-configure-epel-repo=false --foreman-configure-scl-repo=false
Installing             Done                                               [100%] []
  Success!
  * Foreman Proxy is running at https://puppetmaster162.kisspuppet.com:8443
  The full log is at /var/log/foreman-installer/foreman-installer.log

# check port 8443
[root@puppetmaster162 ~]# netstat -nlatp | grep 8443
tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN      4635/ruby
~~~

**5.2 Set up the ENC**

~~~
# take the ENC script from foreman-installer. The script is external_node_v2.rb; copying
# foreman-report_v2.rb here, as originally done, produces a node.rb that does not work
# (the alternative was to take node.rb from an all-in-one installation).
[root@puppetmaster162 ~]# cp /usr/share/foreman-installer/modules/foreman/files/external_node_v2.rb /etc/puppet/node.rb
[root@puppetmaster162 ~]# chown puppet. /etc/puppet/node.rb   # owner and group puppet
[root@puppetmaster162 ~]# chmod 550 /etc/puppet/node.rb        # make it executable
~~~

**5.3 Set up reports**

~~~
# take the report processor foreman.rb from foreman-installer
[root@puppetmaster162 ~]# cp /usr/share/foreman-installer/modules/foreman/files/foreman-report_v2.rb /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb
~~~

**5.4 Configure the connection to Foreman**

~~~
# note: this differs from Foreman 1.5 and earlier
[root@puppetmaster162 puppet]# vim /etc/puppet/foreman.yaml
---
:url: "https://foreman163.kisspuppet.com"
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/puppetmaster162.kisspuppet.com.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/puppetmaster162.kisspuppet.com.pem"
:user: ""
:password: ""
:puppetdir: "/var/lib/puppet"
:puppetuser: "puppet"
:facts: true
:timeout: 10
:threads: null

[root@puppetmaster162 ~]# /etc/init.d/foreman-proxy restart
Stopping foreman-proxy:                                    [  OK  ]
Starting foreman-proxy:                                    [  OK  ]
~~~

### 6. Register puppet and the puppet CA

**6.1 Add the ENC and the foreman report processor on the puppetmaster**

~~~
[root@puppetmaster162 ~]# vim /etc/puppet/puppet.conf
[master]
...
reports = foreman
external_nodes = /etc/puppet/node.rb
node_terminus = exec

# restart to apply
[root@puppetmaster162 ~]# /etc/init.d/puppetmaster restart
Stopping puppetmaster:                                     [  OK  ]
Starting puppetmaster:                                     [  OK  ]
~~~

**6.2 Log in to Foreman and register the foreman-proxy**

**6.3 Test from the nodes**

~~~
[root@foreman163 ~]# puppet agent -t
Info: Caching catalog for foreman163.kisspuppet.com
Info: Applying configuration version '1417762929'
Notice: Finished catalog run in 0.13 seconds
[root@puppetmaster162 ~]# puppet agent -t
Info: Caching catalog for puppetmaster162.kisspuppet.com
Info: Applying configuration version '1417762858'
Notice: Finished catalog run in 0.14 seconds
~~~

**Note:** if the test fails, set the enc_environment option of Foreman's Puppet plugin to false; how to use it is explained later.

How to configure and use Foreman is covered in the following articles....

Installing the Foreman 1.5 architecture (all-in-one)

Last updated: 2022-04-01 02:27:57

#### Introducing the Foreman architecture, part 3: installing the Foreman 1.5.3 architecture (all-in-one)

**Note:** this lab was installed offline, so you need to build your own local yum repository; see "[How to build your own puppet yum repository for a given version](http://kisspuppet.com/2014/01/26/puppet_create_repo/)". If you would rather not, or cannot sort out the rpm dependencies, download it from my GitHub: [https://github.com/kisspuppet/foreman-repo](https://github.com/kisspuppet/foreman-repo)

For more installation details see the official manual: [http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.4](http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.4)

The all-in-one procedure below differs from the official one. Officially a single command may be enough, but in my tests it sometimes succeeded and sometimes did not, so I changed it to the steps below, which succeed every time, are clearer, and prepare the ground for splitting off the puppetmaster later.

### 1. Package selection

- **puppet-server 3.6.2**
- **puppet 3.6.2**
- **facter 2.0.2**
- **mcollective 2.2.4**
- **rabbitmq-server 3.2.4**
- **foreman 1.5.3**
- **foreman-proxy 1.5.4**

### 2. System environment

**OS version:**

~~~
[root@foreman02 yum.repos.d]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
~~~

**Network:**

~~~
[root@foreman02 yum.repos.d]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:a6:5c:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.159/24 brd 192.168.10.255 scope global eth0
    inet6 fe80::250:56ff:fea6:5c70/64 scope link
       valid_lft forever preferred_lft forever
~~~

**Hostname:**

~~~
[root@foreman02 yum.repos.d]# hostname -f
foreman02.kisspuppet.com
[root@foreman02 yum.repos.d]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.159 foreman02.kisspuppet.com foreman02
~~~

**Platform:**

~~~
[root@foreman02 yum.repos.d]# uname -r
2.6.32-431.el6.x86_64
~~~

**Yum repositories:**

~~~
[root@foreman02 yum.repos.d]# cat foreman153.repo
[foreman]
name=Foreman
baseurl=ftp://192.168.10.254/blog/foreman
enabled=1
gpgcheck=0
[puppet]
name=puppet
baseurl=ftp://192.168.10.254/blog/puppet-el6
enabled=1
gpgcheck=0
[rhel]
name=RHEL
baseurl=ftp://192.168.10.254/rhel6.5
enabled=1
gpgcheck=0
~~~

**Network security settings:**

~~~
[root@foreman02 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@foreman02 ~]# getenforce
Disabled
~~~

(Both are switched off for this lab only. On a real host keep SELinux enforcing and open just the ports listed in section 4.)

### 3. Install Foreman

**3.1 Install the puppetmaster and generate the CA and certificate**

~~~
[root@foreman02 ~]# yum install foreman-installer
[root@foreman02 ~]# yum install puppet-server puppet facter
[root@foreman02 ~]# vim /etc/puppet/puppet.conf
[master]
certname = foreman02.kisspuppet.com
[root@foreman02 ~]# /etc/init.d/puppetmaster start
Starting puppetmaster:                                     [  OK  ]
[root@foreman02 ~]# puppet cert --list --all
+ "foreman02.kisspuppet.com" (SHA256) 1D:7E:90:F5:16:7D:01:67:77:37:EE:31:3F:46:AD:0A:47:80:B6:DF:6A:5E:25:A8:DE:BA:78:45:C9:09:D6:BD (alt names: "DNS:foreman02.kisspuppet.com", "DNS:puppet", "DNS:puppet.kisspuppet.com")
[root@foreman02 ~]# /etc/init.d/puppetmaster stop
Stopping puppetmaster:                                     [  OK  ]
~~~

**3.2 Install foreman and its dependencies**

~~~
[root@foreman02 ~]# yum install foreman mod_passenger mod_ssl ruby193-rubygem-passenger-native mysql mysql-server foreman-mysql2
~~~

**3.3 Install foreman with foreman-installer**

Foreman's default database is PostgreSQL; here MySQL is used instead.

~~~
[root@foreman02 ~]# foreman-installer --foreman-db-adapter mysql2 --foreman-db-type mysql --no-enable-puppet --no-enable-foreman-proxy --foreman-configure-epel-repo=false
Installing             Done                                               [100%] [...................]
  Success!
  * Foreman is running at https://foreman02.kisspuppet.com
      Default credentials are 'admin:changeme'
  The full log is at /var/log/foreman-installer/foreman-installer.log
~~~

Once the installation finishes, open [https://192.168.10.159](https://192.168.10.159) in Firefox or Chrome to check it worked.

**3.4 Install foreman-proxy and its dependencies**

~~~
[root@foreman02 ~]# yum install tftp-server syslinux foreman-proxy
~~~

**3.5 Install foreman-proxy and reinstall foreman and the puppetmaster with foreman-installer**

**Note:** the command below installs proxies for TFTP, DNS, DHCP, Puppet and the Puppet CA, and the puppetmaster is installed to run under Apache + Passenger.

~~~
[root@foreman02 ~]# foreman-installer --enable-foreman --enable-foreman-proxy --enable-puppet --puppet-server=true --foreman-proxy-puppetrun=true --foreman-proxy-puppetca=true --foreman-proxy-dhcp=true --foreman-proxy-tftp=true --foreman-proxy-dns=true --foreman-proxy-dns-interface=eth0 --foreman-proxy-dns-zone=kisspuppet.com --foreman-proxy-dns-reverse=10.168.192.in-addr.arpa --foreman-proxy-dns-forwarders=8.8.8.8 --foreman-proxy-dns-forwarders=8.8.4.4 --foreman-configure-epel-repo=false --foreman-proxy-register-in-foreman=false
Installing             Done                                               [100%] [...................]
  Success!
  * Foreman is running at https://foreman02.kisspuppet.com
      Default credentials are 'admin:changeme'
  * Foreman Proxy is running at https://foreman02.kisspuppet.com:8443
  * Puppetmaster is running at port 8140
  The full log is at /var/log/foreman-installer/foreman-installer.log
~~~

If you only want to proxy puppet and the puppet CA, install like this instead:

~~~
[root@foreman02 ~]# foreman-installer --enable-foreman --enable-foreman-proxy --enable-puppet --puppet-server=true --foreman-proxy-puppetrun=true --foreman-proxy-puppetca=true --foreman-configure-epel-repo=false --foreman-proxy-register-in-foreman=false
~~~

### 4. Check that foreman, foreman-proxy and the puppetmaster were installed

~~~
[root@foreman02 ~]# /etc/init.d/httpd status
httpd (pid  25433) is running...
[root@foreman02 ~]# /etc/init.d/foreman-proxy status
foreman-proxy (pid  25605) is running...
[root@foreman02 ~]# netstat -naltp | grep 8443
tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN      25605/ruby
[root@foreman02 ~]# netstat -naltp | grep 80
tcp        0      0 :::80                       :::*                        LISTEN      25433/httpd
[root@foreman02 ~]# netstat -naltp | grep 8140
tcp        0      0 :::8140                     :::*                        LISTEN      25433/httpd
~~~

### 5. Register the foreman-proxy in Foreman

To manage puppet, the puppet CA and the other services, Foreman has to go through foreman-proxy. Which proxies are enabled or disabled is controlled in its configuration file `/etc/foreman-proxy/settings.yml`.

Preparing the environment before installation

Last updated: 2022-04-01 02:27:55

#### Introducing the Foreman architecture, part 2: preparing the environment before installation

The Foreman site provides thorough installation instructions for every version, and both source and rpm installs have become very convenient. Foreman also wraps the installation steps in Puppet modules and exposes a large number of installer parameters, which is handy. Still, because the system is big, proxies many services and pulls in a huge number of packages, the installation is not that simple.

Below are the questions to consider and how to deal with them.

**Special note:** all recommendations, operations and tests that follow are based on the currently most stable version, 1.5.3. Versions 1.6 and 1.7 are less stable and are only covered as far as installation.

For an introduction to Foreman 1.5.3 and its installation see the official site: [http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.3](http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.3)

### Choosing an operating system

Foreman's official yum repository ([http://yum.theforeman.org/](http://yum.theforeman.org/)) only provides rpm packages for el6 and f19, plus deb packages for Debian ([http://deb.theforeman.org/](http://deb.theforeman.org/)); there are no packages for older or other systems. There is also the source route: `git clone https://github.com/theforeman/foreman.git -b 1.5-stable`. So if you plan to install from rpm packages, use one of these systems and versions:

- RHEL 6.*
- CentOS 6.*
- Fedora 19

If you plan to install from deb packages, use one of these:

- Debian Linux 7.0 (Wheezy)
- Debian Linux 6.0 (Squeeze)
- Ubuntu Linux 14.04 LTS (Trusty Tahr)
- Ubuntu Linux 12.04 LTS (Precise Pangolin)

If you do not intend to use any of these, for example SLES, which many financial institutions run, you will have to install from source. Source installation goes through the bundle command; it is hard to get working, and even once installed the road ahead is rough.

### Preparing the packages

Foreman depends on many packages, which come from the following four sites:

**1. The Foreman site:** [http://yum.theforeman.org/](http://yum.theforeman.org/)

**2. EPEL:** [http://fedoraproject.org/wiki/EPEL](http://fedoraproject.org/wiki/EPEL)

**3. Puppet Labs:** [http://yum.puppetlabs.com/](http://yum.puppetlabs.com/)

**4. RabbitMQ:** [http://www.rabbitmq.com/download.html](http://www.rabbitmq.com/download.html)

**Food for thought:** those four sites host a huge number of packages; how do you pick out just the ones needed to install Foreman?

If you would rather not, download them from my GitHub: [https://github.com/kisspuppet/foreman-repo](https://github.com/kisspuppet/foreman-repo)

### Package selection

- **puppet-server 3.6.2**
- **puppet 3.6.2**
- **facter 2.0.2**
- **mcollective 2.2.4**
- **rabbitmq-server 3.2.4**
- **foreman 1.5.3**
- **foreman-proxy 1.5.4**

### Operating-system configuration notes

**1. The OS must be RHEL 6 or later; 6.4 or 6.5 is recommended.**

**2. The hostname must be a fully qualified FQDN and must be lowercase** (an uppercase name fails the grant step when MySQL is installed), e.g. foreman.kisspuppet.com

**3. Before installing, the puppet agent must be installed and its certificate signed by the puppetmaster.**

**4. The system time must match the puppetmaster's; the firewall and SELinux are switched off** (for the lab; on production hosts, prefer keeping SELinux enforcing and opening only the ports Foreman needs: 443, 8140 and 8443).

Why Foreman is such a powerful automation tool

Last updated: 2022-04-01 02:27:52

#### Introducing the Foreman architecture, part 1: why Foreman is such a powerful automation tool

Before adopting Foreman I spent a lot of time testing another front-end from the Puppet ecosystem, KermIT ([kermit.fr](http://kermit.fr), not reachable from mainland China without a proxy). Honestly the KermIT architecture is quite good, especially its polished integration with the various mcollective plugins, but the community is inactive, releases are very slow and there are many pitfalls, so in the end I gave it up. Its architecture is still worth studying for anyone who wants to build their own UI in front of Puppet.

This article introduces another excellent front-end management tool, Foreman. What is Foreman? The official definition: Foreman is a complete lifecycle management tool for physical and virtual servers.

**Why use Foreman as the front-end of a configuration-management tool?**

This article looks at the question from the following angles.

### 1. Foreman's architecture

A Foreman installation will always contain a central foreman instance that is responsible for providing the Web based GUI, node configurations, initial host configuration files, etc. However, if the foreman installation supports unattended installations then other operations need to be performed to fully automate this process. The smart proxy manages remote services and is generally installed with all Foreman installations to allow for TFTP, DHCP, DNS, and Puppet, and the Puppet CA.

That is the official description; what follows is my own summary from daily use (based on the current stable version, 1.5.3).

1. Foreman itself is only a framework; it does its work by proxying various applications through the smart-proxy.
2. By proxying DNS, DHCP and TFTP, Foreman provides a unified graphical window over automated OS installers such as kickstart, cobbler and jumpstart. In practice you define templates (PXE, kickstart) in Foreman, templates can embed snippets for consistency and simplicity, and once that is done you add nodes, associate the templates, and the PXE and kickstart files are generated for automated installation.
3. By proxying Puppet and the Puppet CA, Foreman manages Puppet certificate signing, environments, classes, variables and facts.
4. Foreman associates classes with nodes through the ENC and static groups.
5. Through the Puppet plugin, Foreman can trigger puppet on nodes from the UI, using puppetkick (deprecated), mcollective (via sudo), puppetssh (via an SSH key), salt, customrun and other tools.
6. Foreman collects the reports and run status of every node after each puppet run.
7. Foreman also provides search, reporting and similar functions that give a better view of how nodes are doing.
8. Besides bare metal, Foreman manages virtualization platforms such as RHEV-M, EC2, VMware and OpenStack.
9. Foreman integrates with LDAP and AD.
10. Foreman provides strong user and permission management: multiple users and user groups, and roles that define permissions; users with different permissions see different functions and different hosts in the UI.
11. Foreman also keeps Audits of every operation made in the UI, so that everything any user did is traceable.

And there are many more functions besides these.

**The weak spot for configuration management: Foreman's integration with mcollective is not very good; it merely reuses the puppetkick plugin to wrap a single mcollective command. Whether this improves later remains to be seen.**

### 2. Foreman's release roadmap

**Foreman's version history is shown in the figure.**

As the figure shows, Foreman is developing very rapidly, both in release cadence and in community activity. The current stable version is **1.5.3** (as of 18 October 2014).

**Current development and planned roadmap:** [http://projects.theforeman.org/rb/releases/foreman](http://projects.theforeman.org/rb/releases/foreman)

### 3. Foreman community activity

**Foreman Google groups:**

[https://groups.google.com/forum/#!forum/foreman-users](https://groups.google.com/forum/#!forum/foreman-users)

[https://groups.google.com/forum/#!forum/foreman-dev](https://groups.google.com/forum/#!forum/foreman-dev)

**Foreman IRC:** "#theforeman" on [http://webchat.freenode.net/](http://webchat.freenode.net/)

Chapter 4: Introducing the Foreman architecture

Last updated: 2022-04-01 02:27:50

# Chapter 4: Introducing the Foreman architecture

The previous three chapters were all done at the terminal, which is not ideal for readers who dislike the command line. This chapter formally introduces a polished management tool that can manage the puppet + mco framework.