Puppet — клиент-серверная система, состоящая из управляющего сервера и подчиненных узлов. Сервер хранит описание конечных состояний узлов (которое в терминах Puppet называется манифестом) и ждет их подключения. Клиент подключается к серверу, получает от него описание конечного состояния, сверяет его с текущим и, если оно изменилось, производит переконфигурирование системы.
Нам потребуются установленный puppet-master (в моем случае версия 2.7), passenger (в моем случае версия 5.0) и nginx с поддержкой passenger (тут либо искать готовый пакет, либо компилировать из исходников).
Создаем директорию, в которой будут расположены настройки наших окружений, и даем группе puppet права на запись:
# ls -la /home/puppet/ ... drwxr-xr-x 6 puppet puppet 4096 Sep 1 12:50 configuration ... [root@puppet27centos ~]# ls -la /home/puppet/configuration/ ... drwxr-xr-x 40 puppet puppet 4096 Sep 3 12:22 configs drwxr-xr-x 5 puppet puppet 4096 Sep 1 12:49 environments drwxr-xr-x 3 puppet puppet 4096 Sep 1 12:50 manifests ... |
Конфигурим nginx:
# cat /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

# Account the worker processes run as, and how many of them to start.
user nginx;
worker_processes 4;

error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;

pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Access-log format. $http_x_forwarded_for is copied from a client-supplied
    # request header, so it is useful for correlation only — $remote_addr is
    # the peer address nginx actually saw.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    keepalive_requests 1000;
    tcp_nodelay on;
    #gzip on;

    index index.html index.htm;

    # Load modular configuration files (the Passenger settings and the Puppet
    # vhost below) from the /etc/nginx/vhosts directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/vhosts/*.conf;
}
|
# cat /etc/nginx/vhosts/passenger.conf
# Passenger module settings shared by every vhost; the root/ruby paths are
# specific to this host's Ruby 1.8 installation.
passenger_root /usr/lib/ruby/1.8/phusion_passenger/locations.ini;
passenger_ruby /usr/bin/ruby;
passenger_instance_registry_dir /var/run/passenger-instreg;
# min == max, so the pool size is fixed at 40 application processes
# (presumably to avoid spawn latency on agent check-ins — confirm against load).
passenger_max_pool_size 40;
passenger_min_instances 40;
|
# cat /etc/nginx/vhosts/puppet_server.conf
server {
    listen 8140 ssl;
    # NOTE(review): server_name does not match the certificate files below
    # (puppet27centos.local.ru) nor dns_alt_names in puppet.conf — confirm
    # which name agents actually use in their 'server =' setting.
    server_name puppet27centos.sweb.hostcomm.ru;

    passenger_enabled on;
    # Client-certificate facts are taken from nginx's own TLS handshake and
    # handed to the Puppet master as request headers; these values are what
    # the master uses to authenticate the node. Presumably passenger_set_header
    # replaces any same-named header a client sends — verify, since a
    # client-controlled X-Client-Verify would bypass node authentication.
    passenger_set_header X-Client-DN $ssl_client_s_dn;
    passenger_set_header X-Client-Verify $ssl_client_verify;
    passenger_set_header X-SSL-SUBJECT $ssl_client_s_dn;
    passenger_set_header X-SSL-CLIENT-CERT $ssl_client_cert;

    access_log /var/log/nginx/puppet_access.log;
    error_log /var/log/nginx/puppet_error.log;
    # Document root of the Rack application served by Passenger.
    root /etc/puppet/rack/public;
    # Server identity, the Puppet CA used to verify agent certificates, and
    # the CA's CRL so that revoked agent certificates are rejected.
    ssl_certificate /var/lib/puppet/ssl/certs/puppet27centos.local.ru.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet27centos.local.ru.pem;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    # NOTE(review): this cipher list explicitly admits RC4 and the SSLv2-era
    # cipher group, both of which are considered broken. Prefer a modern
    # OpenSSL list (e.g. HIGH:!aNULL:!MD5:!RC4 — constructed example) and add
    # an ssl_protocols directive that excludes SSLv2/SSLv3; confirm what the
    # OpenSSL build on this host supports.
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_prefer_server_ciphers on;
    # 'optional' rather than 'on': a node without a certificate yet must still
    # be able to reach the master to submit its CSR. Every other request is
    # therefore authorised by the application from X-Client-Verify, not by
    # nginx, so that header path (above) is security-critical.
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    ssl_session_timeout 5m;
}
|
И puppet.conf:
# cat /etc/puppet/puppet.conf
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
environments = production
server = puppet27centos.local.ru

[agent]
report = false
runinterval = 300
# NOTE(review): the local agent uses a different ssldir and a different
# master (puppet.infra.hostcomm.ru) than the [main]/[master] sections — so
# this host is itself managed by another master. Confirm this is intended.
ssldir = /etc/puppet/ssl
server = puppet.infra.hostcomm.ru

[production]
# Search path for modules in the 'production' environment; the trailing
# backslash continues the value onto the next line.
modulepath = /home/puppet/configuration/variables:/home/puppet/configuration/environments/production:\
 /home/puppet/configuration/manifests

[master]
server = puppet27centos.local.ru
# Certificate requests are never signed automatically; each new node's CSR
# must be approved by an operator. Keep this false.
autosign = false
certname = puppet27centos.local.ru
manifestdir = /home/puppet/configuration/manifests/
# Names that agents may use to reach this master; must appear in the
# master's certificate (see the ssl_certificate in the nginx vhost).
dns_alt_names = puppet27centos,puppet27centos.local.ru
|
Проверяем. Читаем логи.