Category: System Operations

2011-04-06 22:22:42

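1. In puppet we read a directory to get the output of puppetca -la.
func works the same way: /var/lib/certmaster/certmaster/certs/
This directory holds the list of servers that are currently signed.
2. Use /usr/bin/certmaster-request to test the connection. It feels a bit like puppet -d, i.e. connecting in debug mode.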
3. Remove a host from the signed list:
certmaster-ca -c "client1.puppet.com"
Running this deletes that host's .cert file from /var/lib/certmaster/certmaster/certs/!
4. View the list of currently signed hosts:
certmaster-ca --list-sign
Remove a host from the signed list:
certmaster-ca -c "client1.puppet.com"
To bring that host back afterwards:
1. rm -rf /etc/pki/certmaster/client1.puppet.com.*   (the same idea as rm -rf /var/lib/puppet/ssl in puppet)
2. Restart funcd. certmaster does not seem to need a restart!
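5. In puppet, a precondition for the server and client to communicate is that each can ping the other's FQDN.
In func the equivalent test is:
func "*" ping
Summary of commonly used debug commands:
1. Check whether the client configuration is sane:
func "*" check
func "*" ping        check whether the minions can be reached!
2. Show the FQDN of the local machine:
python -c "import socket; print(socket.getfqdn())"
The precondition for the server and client to communicate is that they can ping each other by FQDN:
Are both machines able to ping each other by FQDN?
(that is how it seems)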
6. Exclude specific hosts:
func --exclude="www*" "*.example.org" module.command arg1 arg2
7. Defining groups:
vim /etc/func/groups with the following content
[webservers]
host = http1.example.com; http2.example.com
[mailservers]
host = mail1.example.com; mail2.example.com
Calling a group: func @webservers module command arg1 arg2
8. Setting concurrent execution
--forks=N
func "*" call --forks="5" command run "date"    lets the call be executed by multiple processes!
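An added example (not from the original post or from the func project): a Python 3 audit that compares the signed certificates in the certs directory from item 1 with the hosts named in the groups file from item 7. The function names and the sample hosts written to a temporary directory are constructed for illustration, and func's own group parsing may differ.

```python
import configparser
import os
import tempfile

def signed_hosts(certroot, ext="cert"):
    """Host names that have a signed certificate file in certroot."""
    suffix = "." + ext
    return {name[:-len(suffix)] for name in os.listdir(certroot)
            if name.endswith(suffix)}

def group_hosts(groups_path):
    """Map group name -> set of hosts from a func groups file."""
    parser = configparser.ConfigParser()
    parser.read(groups_path)
    groups = {}
    for section in parser.sections():
        raw = parser.get(section, "host", fallback="")
        groups[section] = {h.strip() for h in raw.split(";") if h.strip()}
    return groups

def audit(certroot, groups_path):
    """Compare signed certificates with the hosts named in groups."""
    signed = signed_hosts(certroot)
    grouped = set().union(*group_hosts(groups_path).values())
    return {
        # Group members a call to @group would target but that hold no cert.
        "unsigned_group_members": sorted(grouped - signed),
        # Signed hosts in no group: review, then certmaster-ca -c if stale.
        "signed_but_ungrouped": sorted(signed - grouped),
    }

def demo():
    """Build a constructed certroot and groups file, then audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        certroot = os.path.join(tmp, "certs")
        os.mkdir(certroot)
        for host in ("http1.example.com", "mail1.example.com", "client1.puppet.com"):
            open(os.path.join(certroot, host + ".cert"), "w").close()
        groups_path = os.path.join(tmp, "groups")
        with open(groups_path, "w") as fh:
            fh.write("[webservers]\nhost = http1.example.com; http2.example.com\n"
                     "[mailservers]\nhost = mail1.example.com; mail2.example.com\n")
        return audit(certroot, groups_path)

if __name__ == "__main__":
    print(demo())
```

On a real certmaster host, call audit() with the certs directory and /etc/func/groups instead of the temporary paths.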
9. Using the func-transmit command
First write a file with the following content
# more run.json
   {
            "clients": "*",
            "async": "False",
            "nforks": 1,
            "module": "command",
            "method": "run",
            "parameters": "/bin/echo Hello World"
   }
Example invocation: func-transmit --json < run.json
The fields in this file are as follows:
    * clients: (Required) list of clients you want to call. Could be a list, a single string or the special character ("*").
    * async: (Optional-Default False) boolean that says whether you want to call func in async mode (True) or in sync mode (False)
    * nforks: (Optional-Default 1) Number of forks you want to use to execute the calls to your clients. For example, if you have to execute a command on 10 different minions, you can use nforks=2 and each fork calls and gets results on 5 minions.
    * module: (Required**) name of the module you want to call (which module to call)
    * method: (Required) method inside that module to invoke (which method inside the module)
    * parameters: (Optional-Default None) some additional parameters (which arguments to pass)
Return value: {"host1": "result for your call", "host2":"result", ...}, a dictionary data structure
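An added example (not from the original post or from func-transmit itself): a Python 3 pre-flight check for a request file, built from the field list above. It applies the documented defaults, rejects misspelled keys such as "aysnc" that would otherwise be silently ignored, and turns the string "False" into a real boolean, since bool("False") is True in Python. How func-transmit itself treats these cases is not stated on this page; the function names are hypothetical.

```python
import json

REQUIRED = ("clients", "module", "method")
DEFAULTS = {"async": False, "nforks": 1, "parameters": None}

def to_bool(value):
    """Accept a JSON boolean or the strings "True"/"False"; reject the rest."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError("async must be a boolean, got %r" % (value,))

def normalize_request(text):
    """Parse a func-transmit style JSON request and apply the documented defaults."""
    req = json.loads(text)
    if not isinstance(req, dict):
        raise ValueError("request must be a JSON object")
    missing = [k for k in REQUIRED if k not in req]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    unknown = sorted(set(req) - set(REQUIRED) - set(DEFAULTS))
    if unknown:
        raise ValueError("unknown field(s): " + ", ".join(unknown))
    out = dict(DEFAULTS)
    out.update(req)
    out["async"] = to_bool(out["async"])
    nforks = out["nforks"]
    if isinstance(nforks, bool) or not isinstance(nforks, int) or nforks < 1:
        raise ValueError("nforks must be a positive integer")
    if not isinstance(out["clients"], (str, list)):
        raise ValueError("clients must be a string or a list")
    return out

# Constructed sample: the same content as the run.json shown above.
RUN_JSON = '''{"clients": "*", "async": "False", "nforks": 1,
 "module": "command", "method": "run", "parameters": "/bin/echo Hello World"}'''

if __name__ == "__main__":
    print(normalize_request(RUN_JSON))
```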
10. Configuration files in func
/etc/func/minion.conf is the config file for the func minion and the funcd daemon.
This is the client-side config file, the counterpart of the [puppet] section in puppet.
Options include:
    * log_level: defaults to debug
    * acl_dir: path to the directory containing minion ACL information. Default is /etc/func/minion-acl.d [useful when configuring ACLs]
    * listen_addr: If the minion has multiple network interfaces or hostnames, this option can be set to force a specific hostname or ip. Default is blank (aka, look up the hostname the normal way)
    * listen_port: Sets which port the funcd daemon listens to. Default is 51234. See Port Info for more details
/etc/func/async_methods.conf
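Defines some commonly used default commands, i.e. they run automatically as soon as func is run on the server side!
/etc/certmaster/certmaster.conf        the config file for the certmaster server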
    * autosign: If set to yes, the daemon will automatically sign any cert request made to it. The default is no.
    * listen_addr: If the certmaster has multiple network interfaces or hostnames, this option can be set to force a specific hostname or ip. Default is blank (aka, look up the hostname the normal way)
    * listen_port: Sets which port the certmaster daemon listens to. Default is 51235. See Port Info for more details. certmaster_port in /etc/certmaster/minion.conf is the corresponding setting for the minions.
    * ca_dir: The directory that certmaster uses to store the Certificate Authority cert it creates. Default is /etc/pki/certmaster/ca
    * cert_dir: The minion's signed cert (HOSTNAME.cert), the private key the cert is signed with (HOSTNAME.pem), the signing request used to generate the cert (HOSTNAME.csr), and the certmaster's CA cert (ca.cert) are stored here. Default is /etc/pki/certmaster
    * certroot: where certmaster stores the signed certs created for each minion. Default is /var/lib/certmaster/certs
    * csrroot: where the certmaster stores the CSR from the minions. Default is /var/lib/certmaster/csrs/
    * cert_extension: The suffix used in naming the certificates. Default is "cert". Can be changed if it needs to use certs from another CA system.
    * sync_certs: Determines whether certmaster-sync will run as a post-sign trigger. Default is False. See: MinionToMinion.
    * peerroot: The directory in which to store certificates for peer minions. Default is /var/lib/certmaster/peers/. See: MinionToMinion.
    * peering: If set to True, the minions defined in peerroot are used to resolve minion globs. This is also used by certmaster-sync to determine whether a minion is a candidate for syncing or not. Default is True. See: MinionToMinion.
11. Using facter
func "*" call --filter "kernel>=2.4,runlevel=5" service status "httpd"
Usage example, very similar to Django commands:
import func.overlord.client as fc
f = fc.Overlord("*")
f.filter(runlevel=5,os__icontains="fedora").echo.run_string("ho ho ")
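This is similar to the filter mechanism in Django: first filter to find the hosts that match the conditions, then run on them.
It can also express and_and style operations: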
f = fc.Overlord("*")
f.and_and(runlevel__gte=3,runlevel__lte=6).or_and(os__icontains="fedora",kernel__icontains="2.16").echo.run_string("hey")
Therefore, when you need something simple you can use the filter and filter_or methods, and when you need more chaining operations use the 4 methods above.
This restricts the conditions under which clients execute: a client only runs the call when it matches the conditions!
Keywords in facter:
The current keywords are as follows:

    "","gt","gte","lt","lte",'contains','icontains','iexact','startswith'
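12. func installed through yum
Check its version: rpm -q func
13. Installation
If For EL 5 i386 is specified when installing with yum,
the default seems to follow the Python version. With 2.4, the func2.4-E version gets installed.
#rpm -q func
func-0.24-1.el5
Comparing the differences between versions 0.24 and 0.25:
1. add support for --timeout command line option and socket_timeout option to /etc/func/overlord.conf
No wonder -t never worked for me!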
2.add /etc/func/overlord.conf
3.add "minion_name" config option to specify the hostname the minion should use
4.func --help sh
5.add "minion-to-minion" support
6.add --basic support to "func call"
7.support for setting up vnc in the virt module
8.support for getting/setting libvirt xml directly
9.include a monit config file.
10.add an augeas module
11.add an httpd module
12.add bridge and vlan modules
13.add some support for rhel3
14.if we get a cert request that doesn't match the current key, throw a more useful error message
Modify func_timeout on the master. Added in version 0.25!