Puppet: installing and configuring MCollective + ActiveMQ, documentation appendix
Source: Internet. Category: junior software development interview. Editor: 程序博客网. Date: 2024/05/21 05:19
Preface:
This post is only a companion to the blog chapter "PUPPET安装配置MCollective+ActiveMQ——实际部署案例" (Puppet: installing and configuring MCollective + ActiveMQ, actual deployment case).
In that actual deployment of Puppet with MCollective + ActiveMQ, the places where the files were modified are highlighted in yellow.
Appendix
The keystores.pp file
# /etc/puppet/modules/activemq/manifests/keystores.pp
class activemq::keystores (
  $keystore_password = 'puppet', # required
  # User must put these files in the module, or provide other URLs
  $ca                = 'puppet:///modules/activemq/ca.pem',
  $cert              = 'puppet:///modules/activemq/cert.pem',
  $private_key       = 'puppet:///modules/activemq/private_key.pem',
  $activemq_confdir  = '/etc/activemq',
  $activemq_user     = 'activemq',
) {

  # ----- Restart ActiveMQ if the SSL credentials ever change -----
  # ----- Uncomment if you are fully managing ActiveMQ with Puppet. -----
  # Package['activemq'] -> Class[$title]
  # Java_ks['activemq_cert:keystore'] ~> Service['activemq']
  # Java_ks['activemq_ca:truststore'] ~> Service['activemq']

  # ----- Manage PEM files -----
  # Resource defaults for every file resource below. File modes are quoted
  # strings: bare octal numbers are deprecated in Puppet 3 and rejected in 4+.
  File {
    owner => 'root',
    group => 'root',
    mode  => '0600',
  }

  file { "${activemq_confdir}/ssl_credentials":
    ensure => directory,
    mode   => '0700',
  }

  file { "${activemq_confdir}/ssl_credentials/activemq_certificate.pem":
    ensure => file,
    source => $cert,
  }

  file { "${activemq_confdir}/ssl_credentials/activemq_private.pem":
    ensure => file,
    source => $private_key,
  }

  file { "${activemq_confdir}/ssl_credentials/ca.pem":
    ensure => file,
    source => $ca,
  }

  # ----- Manage Keystore Contents -----
  # Each keystore should have a dependency on the PEM files it relies on.

  # Truststore with copy of CA cert
  java_ks { 'activemq_ca:truststore':
    ensure       => latest,
    certificate  => "${activemq_confdir}/ssl_credentials/ca.pem",
    target       => "${activemq_confdir}/truststore.jks",
    password     => $keystore_password,
    trustcacerts => true,
    require      => File["${activemq_confdir}/ssl_credentials/ca.pem"],
  }

  # Keystore with ActiveMQ cert and private key
  java_ks { 'activemq_cert:keystore':
    ensure      => latest,
    certificate => "${activemq_confdir}/ssl_credentials/activemq_certificate.pem",
    private_key => "${activemq_confdir}/ssl_credentials/activemq_private.pem",
    target      => "${activemq_confdir}/keystore.jks",
    password    => $keystore_password,
    require     => [
      File["${activemq_confdir}/ssl_credentials/activemq_private.pem"],
      File["${activemq_confdir}/ssl_credentials/activemq_certificate.pem"],
    ],
  }

  # ----- Manage Keystore Files -----
  # Permissions only.
  # No ensure, source, or content.
  file { "${activemq_confdir}/keystore.jks":
    owner   => $activemq_user,
    group   => $activemq_user,
    mode    => '0600',
    require => Java_ks['activemq_cert:keystore'],
  }

  file { "${activemq_confdir}/truststore.jks":
    owner   => $activemq_user,
    group   => $activemq_user,
    mode    => '0600',
    require => Java_ks['activemq_ca:truststore'],
  }
}
The activemq.xml file
<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd
  http://activemq.apache.org/camel/schema/spring http://activemq.apache.org/camel/schema/spring/camel-spring.xsd">

  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
      <value>file:${activemq.base}/conf/credentials.properties</value>
    </property>
  </bean>

  <!--
    For more information about what MCollective requires in this file,
    see http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html
  -->

  <!--
    WARNING: The elements that are direct children of <broker> MUST BE IN
    ALPHABETICAL ORDER. This is fixed in ActiveMQ 5.6.0, but affects
    previous versions back to 5.4.
    https://issues.apache.org/jira/browse/AMQ-3570
  -->
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" useJmx="true" schedulePeriodForDestinationPurge="60000">

    <!--
      MCollective generally expects producer flow control to be turned off.
      It will also generate a limitless number of single-use reply queues,
      which should be garbage-collected after about five minutes to conserve
      memory.
      For more information, see:
      http://activemq.apache.org/producer-flow-control.html
    -->
    <destinationPolicy>
      <policyMap>
        <policyEntries>
          <policyEntry topic=">" producerFlowControl="false"/>
          <policyEntry queue="*.reply.>" gcInactiveDestinations="true" inactiveTimoutBeforeGC="300000" />
        </policyEntries>
      </policyMap>
    </destinationPolicy>

    <managementContext>
      <managementContext createConnector="false"/>
    </managementContext>

    <plugins>
      <statisticsBrokerPlugin/>

      <!--
        This configures the users and groups used by this broker. Groups
        are referenced below, in the write/read/admin attributes
        of each authorizationEntry element.
      -->
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="mcollective" password="Guosir@eu2015" groups="mcollective,everyone"/>
          <authenticationUser username="admin" password="Guosir@eu2015" groups="mcollective,admins,everyone"/>
        </users>
      </simpleAuthenticationPlugin>

      <!--
        Configure which users are allowed to read and write where. Permissions
        are organized by group; groups are configured above, in the
        authentication plugin.
        With the rules below, both servers and admin users belong to group
        mcollective, which can both issue and respond to commands. For an
        example that splits permissions and doesn't allow servers to issue
        commands, see:
        http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#detailed-restrictions
      -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
              <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
              <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
              <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
              <!--
                The advisory topics are part of ActiveMQ, and all users need access to them.
                The "everyone" group is not special; you need to ensure every user is a member.
              -->
              <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>

    <!--
      sslContext sorts before systemUsage, so it must come first to satisfy
      the alphabetical-order warning above on ActiveMQ 5.4 and 5.5.
    -->
    <sslContext>
      <sslContext
        keyStore="/etc/activemq/keystore.jks" keyStorePassword="puppet"
        trustStore="/etc/activemq/truststore.jks" trustStorePassword="puppet"
      />
    </sslContext>

    <!--
      The systemUsage controls the maximum amount of space the broker will
      use for messages. For more information, see:
      http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#memory-and-temp-usage-for-messages-systemusage
    -->
    <systemUsage>
      <systemUsage>
        <memoryUsage>
          <memoryUsage limit="20 mb"/>
        </memoryUsage>
        <storeUsage>
          <storeUsage limit="1 gb" name="foo"/>
        </storeUsage>
        <tempUsage>
          <tempUsage limit="100 mb"/>
        </tempUsage>
      </systemUsage>
    </systemUsage>

    <!--
      The transport connectors allow ActiveMQ to listen for connections over
      a given protocol. MCollective uses Stomp, and other ActiveMQ brokers
      use OpenWire. You'll need different URLs depending on whether you are
      using TLS. For more information, see:
      http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#transport-connectors
      Note that a literal "&" inside an attribute value must be written as
      "&amp;" or the broker will fail to parse this file.
    -->
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <!-- <transportConnector name="stomp+nio" uri="stomp+nio://0.0.0.0:61613"/> -->
      <!-- If using TLS, uncomment this and comment out the previous connector: -->
      <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
    </transportConnectors>
  </broker>

  <!--
    Enable web consoles, REST and Ajax APIs and demos.
    It also includes Camel (with its web console); see ${ACTIVEMQ_HOME}/conf/camel.xml for more info.
    See ${ACTIVEMQ_HOME}/conf/jetty.xml for more details.
  -->
  <import resource="jetty.xml"/>
</beans>
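The activemq.xml above carries two rules in its own comments (direct children of `<broker>` in alphabetical order, every user a member of `everyone`) and one deployment decision (clients reach the broker only over the `stomp+nio+ssl` listener with `needClientAuth=true`). The script below is an added example, not code from the original post or from the Puppet or ActiveMQ projects: it parses a broker config and reports violations of those rules. The embedded XML samples are constructed, trimmed copies of the page's broker section and of a weakened variant; the set of TLS versions it treats as acceptable (`MODERN_TLS`) is this example's own assumption, so it also flags the `TLSv1,TLSv1.1` entries the page's listener enables.

```python
"""Static hardening checks for an ActiveMQ activemq.xml used by MCollective (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample trimmed from the page's broker section. Inside an XML
# attribute the '&' of the URI query must be written as &amp;.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <destinationPolicy/>
  <managementContext><managementContext createConnector="false"/></managementContext>
  <plugins><simpleAuthenticationPlugin><users>
    <authenticationUser username="mcollective" password="x" groups="mcollective,everyone"/>
    <authenticationUser username="admin" password="x" groups="mcollective,admins,everyone"/>
  </users></simpleAuthenticationPlugin></plugins>
  <sslContext><sslContext keyStore="/etc/activemq/keystore.jks"/></sslContext>
  <systemUsage/>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <transportConnector name="stomp+nio+ssl"
      uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
  </transportConnectors>
</broker></beans>"""

# Constructed weak variant: systemUsage before sslContext, a user outside
# "everyone", and the plaintext stomp listener left enabled.
WEAK_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <destinationPolicy/><managementContext/>
  <plugins><simpleAuthenticationPlugin><users>
    <authenticationUser username="mcollective" password="x" groups="mcollective"/>
  </users></simpleAuthenticationPlugin></plugins>
  <systemUsage/><sslContext/>
  <transportConnectors>
    <transportConnector name="stomp+nio" uri="stomp+nio://0.0.0.0:61613"/>
  </transportConnectors>
</broker></beans>"""

MODERN_TLS = {"TLSv1.2", "TLSv1.3"}  # assumption of this example, not from the page


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_broker(root):
    for el in root.iter():
        if local(el.tag) == "broker":
            return el
    raise ValueError("no <broker> element found")


def check_child_order(broker):
    """The page's own warning: broker children must be alphabetical on ActiveMQ < 5.6."""
    names = [local(c.tag) for c in broker]
    return [] if names == sorted(names) else [f"broker children not alphabetical: {names}"]


def check_everyone_group(broker):
    """Every user needs the advisory topics, so every user must be in 'everyone'."""
    findings = []
    for user in broker.iter():
        if local(user.tag) == "authenticationUser":
            groups = [g.strip() for g in user.get("groups", "").split(",")]
            if "everyone" not in groups:
                findings.append(f"user {user.get('username')!r} is not in group 'everyone'")
    return findings


def check_listeners(broker, allowed=MODERN_TLS):
    """Listeners must be TLS, require client certificates, and pin modern versions."""
    findings = []
    for tc in broker.iter():
        if local(tc.tag) != "transportConnector":
            continue
        name, uri = tc.get("name"), urlsplit(tc.get("uri", ""))
        if not uri.scheme.endswith("ssl"):
            findings.append(f"listener {name!r} is plaintext ({uri.scheme})")
            continue
        params = parse_qs(uri.query)
        if params.get("needClientAuth") != ["true"]:
            findings.append(f"listener {name!r} does not require client certificates")
        protos = set(params.get("transport.enabledProtocols", [""])[0].split(","))
        legacy = sorted(protos - allowed - {""})
        if legacy:
            findings.append(f"listener {name!r} enables legacy protocols {legacy}")
    return findings


def audit(xml_text):
    """Return every finding for one activemq.xml document."""
    broker = find_broker(ET.fromstring(xml_text))
    return check_child_order(broker) + check_everyone_group(broker) + check_listeners(broker)


if __name__ == "__main__":
    for label, doc in (("page config", SAMPLE_XML), ("weak variant", WEAK_XML)):
        print(label)
        for finding in audit(doc):
            print("  -", finding)
```

Run against the page's own configuration it reports two things: the OpenWire listener on 61616 is plaintext (it is there for broker-to-broker links, so decide deliberately whether it should be exposed on every interface), and the STOMP listener still offers TLS 1.0 and 1.1. The weak variant trips all three structural checks.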
The server.cfg.erb file
<% ssldir = '/var/lib/puppet/ssl' %>
# /etc/mcollective/server.cfg
# ActiveMQ connector settings:
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppetmaster.puppet.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = Guosir@eu2015
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = <%= ssldir %>/certs/ca.pem
plugin.activemq.pool.1.ssl.cert = <%= ssldir %>/certs/<%= scope.lookupvar('::clientcert') %>.pem
plugin.activemq.pool.1.ssl.key = <%= ssldir %>/private_keys/<%= scope.lookupvar('::clientcert') %>.pem
plugin.activemq.pool.1.ssl.fallback = 0
# SSL security plugin settings:
securityprovider = ssl
plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients
plugin.ssl_server_private = /etc/mcollective/ssl/server_private.pem
plugin.ssl_server_public = /etc/mcollective/ssl/server_public.pem
# Facts, identity, and classes:
identity = <%= scope.lookupvar('::fqdn') %>
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
classesfile = /var/lib/puppet/state/classes.txt
# No additional subcollectives:
collectives = mcollective
main_collective = mcollective
# Registration:
# We don't configure a listener, and only send these messages to keep the
# Stomp connection alive. This will use the default "agentlist" registration
# plugin.
registerinterval = 600
# Auditing (optional):
# If you turn this on, you must arrange to rotate the log file it creates.
rpcaudit = 1
rpcauditprovider = logfile
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log
# Authorization:
# If you turn this on now, you won't be able to issue most MCollective
# commands, although `mco ping` will work. You should deploy the
# ActionPolicy plugin before uncommenting this; see "Deploy Plugins" below.
# rpcauthorization = 1
# rpcauthprovider = action_policy
# plugin.actionpolicy.allow_unconfigured = 1
# Logging:
logger_type = file
loglevel = info
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user
# Platform defaults:
# These settings differ based on platform; the default config file created by
# the package should include correct values. If you are managing settings as
# resources, you can ignore them, but with a template you'll have to account
# for the differences.
<% if scope.lookupvar('::osfamily') == 'RedHat' -%>
libdir = /usr/libexec/mcollective
daemonize = 1
<% elsif scope.lookupvar('::osfamily') == 'Debian' -%>
libdir = /usr/share/mcollective/plugins
daemonize = 1
<% else -%>
# INSERT PLATFORM-APPROPRIATE VALUES FOR LIBDIR AND DAEMONIZE
<% end %>
The .mcollective file
# ~/.mcollective
# or
# /etc/mcollective/client.cfg
# ActiveMQ connector settings:
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppetmaster.puppet.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = Guosir@eu2015
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = /var/lib/padmin/.mcollective.d/padmin_cacert.pem
plugin.activemq.pool.1.ssl.cert = /var/lib/padmin/.mcollective.d/padmin_cert.pem
plugin.activemq.pool.1.ssl.key = /var/lib/padmin/.mcollective.d/padmin_private.pem
plugin.activemq.pool.1.ssl.fallback = 0
# SSL security plugin settings:
securityprovider = ssl
plugin.ssl_server_public = /var/lib/padmin/.mcollective.d/server_public.pem
plugin.ssl_client_private = /var/lib/padmin/.mcollective.d/padmin_private.pem
plugin.ssl_client_public = /var/lib/padmin/.mcollective.d/padmin_public.pem
# Interface settings:
default_discovery_method = mc
direct_addressing_threshold = 10
ttl = 60
color = 1
rpclimitmethod = first
# No additional subcollectives:
collectives = mcollective
main_collective = mcollective
# Platform defaults:
# These settings differ based on platform; the default config file created
# by the package should include correct values or omit the setting if the
# default value is fine.
libdir = /usr/libexec/mcollective
helptemplatedir = /etc/mcollective
# Logging:
logger_type = console
loglevel = warn
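Both the server.cfg.erb template and the .mcollective client file above hinge on a handful of settings: `connector = activemq`, `ssl = 1` with `ssl.fallback = 0` on every pool member, the TLS port, and `securityprovider = ssl` with the matching key paths. The script below is an added example, not part of the original post or of MCollective itself: it parses MCollective's `key = value` format and checks those settings for either role. The embedded configs are constructed: the server one is the template above rendered for a made-up node `node1.puppet.com`, the client one is a trimmed copy of the .mcollective file, and both have the password replaced by `REDACTED`. The expected TLS port (61614, the page's `stomp+nio+ssl` listener) and the rule that a server should have both `rpcaudit` and `rpcauthorization` on are assumptions of this example.

```python
"""Hardening checks for MCollective server.cfg / client.cfg (added example)."""

# Constructed: the server.cfg.erb template rendered for a made-up node.
SERVER_CFG = """# /etc/mcollective/server.cfg
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppetmaster.puppet.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = REDACTED
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = /var/lib/puppet/ssl/certs/ca.pem
plugin.activemq.pool.1.ssl.cert = /var/lib/puppet/ssl/certs/node1.puppet.com.pem
plugin.activemq.pool.1.ssl.key = /var/lib/puppet/ssl/private_keys/node1.puppet.com.pem
plugin.activemq.pool.1.ssl.fallback = 0
securityprovider = ssl
plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients
plugin.ssl_server_private = /etc/mcollective/ssl/server_private.pem
plugin.ssl_server_public = /etc/mcollective/ssl/server_public.pem
rpcaudit = 1
rpcauditprovider = logfile
# rpcauthorization = 1
"""

# Constructed: trimmed copy of the .mcollective client file above.
CLIENT_CFG = """connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppetmaster.puppet.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = REDACTED
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = /var/lib/padmin/.mcollective.d/padmin_cacert.pem
plugin.activemq.pool.1.ssl.cert = /var/lib/padmin/.mcollective.d/padmin_cert.pem
plugin.activemq.pool.1.ssl.key = /var/lib/padmin/.mcollective.d/padmin_private.pem
plugin.activemq.pool.1.ssl.fallback = 0
securityprovider = ssl
plugin.ssl_server_public = /var/lib/padmin/.mcollective.d/server_public.pem
plugin.ssl_client_private = /var/lib/padmin/.mcollective.d/padmin_private.pem
plugin.ssl_client_public = /var/lib/padmin/.mcollective.d/padmin_public.pem
"""

SERVER_KEYS = ("plugin.ssl_client_cert_dir", "plugin.ssl_server_private", "plugin.ssl_server_public")
CLIENT_KEYS = ("plugin.ssl_client_private", "plugin.ssl_client_public", "plugin.ssl_server_public")


def parse_cfg(text):
    """Parse MCollective's 'key = value' format; lines starting with '#' are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_cfg(cfg, role, tls_port="61614"):
    """Return findings for a parsed config; role is 'server' or 'client'."""
    findings = []
    if cfg.get("connector") != "activemq":
        findings.append("connector is not activemq")
    if cfg.get("securityprovider") != "ssl":
        findings.append("securityprovider is not ssl (requests and replies are not signed)")
    size = int(cfg.get("plugin.activemq.pool.size", "0"))
    if size == 0:
        findings.append("no activemq pool members configured")
    for i in range(1, size + 1):
        p = f"plugin.activemq.pool.{i}"
        if cfg.get(f"{p}.ssl") != "1":
            findings.append(f"pool member {i}: ssl is not enabled")
        if cfg.get(f"{p}.ssl.fallback", "0") != "0":
            findings.append(f"pool member {i}: ssl.fallback allows an unverified TLS connection")
        if cfg.get(f"{p}.port") != tls_port:
            findings.append(f"pool member {i}: port {cfg.get(f'{p}.port')} is not the TLS listener {tls_port}")
        for k in ("ssl.ca", "ssl.cert", "ssl.key"):
            if not cfg.get(f"{p}.{k}"):
                findings.append(f"pool member {i}: {k} is not set")
    if role == "server":
        if cfg.get("rpcaudit") != "1":
            findings.append("server: rpcaudit is off")
        if cfg.get("rpcauthorization") != "1":
            findings.append("server: rpcauthorization is off (any client with a trusted certificate can run any action)")
    for k in SERVER_KEYS if role == "server" else CLIENT_KEYS:
        if not cfg.get(k):
            findings.append(f"{role}: {k} is not set")
    return findings


if __name__ == "__main__":
    for label, text, role in (("server", SERVER_CFG, "server"), ("client", CLIENT_CFG, "client")):
        print(label, audit_cfg(parse_cfg(text), role) or ["no findings"])
```

On the page's server config the only finding is the one the file itself anticipates: `rpcauthorization` stays commented out until the ActionPolicy plugin is deployed, so until then every client whose certificate sits in `plugin.ssl_client_cert_dir` can call every agent action. Flipping `ssl` to 0 or `ssl.fallback` to 1 on a pool member is immediately reported, which is the regression this check is meant to catch in a template that is rendered per node.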