Installing and configuring MCollective + ActiveMQ with Puppet: appendix (the configuration files)
2016-10-19 21:47
Preface:
This appendix only collects the configuration files used in the companion post 《PUPPET安装配置MCollective+ActiveMQ——实际部署案例》 (Installing and configuring MCollective + ActiveMQ with Puppet: a real deployment case); in the original post the places changed for that deployment were highlighted in yellow. Two values in these files are site-specific and appear in plaintext in more than one place: the broker account password (Guosir@eu2015, in activemq.xml, server.cfg.erb and .mcollective) and the keystore password (puppet, in keystores.pp and in the sslContext of activemq.xml). Replace both before reusing the files, and keep the files that hold them readable only by root and the service account.
Appendix
The keystores.pp file
```puppet
# /etc/puppet/modules/activemq/manifests/keystores.pp
class activemq::keystores (
  # Must match keyStorePassword / trustStorePassword in the sslContext of activemq.xml.
  $keystore_password = 'puppet', # required
  # User must put these files in the module, or provide other URLs
  $ca               = 'puppet:///modules/activemq/ca.pem',
  $cert             = 'puppet:///modules/activemq/cert.pem',
  $private_key      = 'puppet:///modules/activemq/private_key.pem',
  $activemq_confdir = '/etc/activemq',
  $activemq_user    = 'activemq',
) {

  # ----- Restart ActiveMQ if the SSL credentials ever change -----
  # ----- Uncomment if you are fully managing ActiveMQ with Puppet. -----
  # Package['activemq'] -> Class[$title]
  # Java_ks['activemq_cert:keystore'] ~> Service['activemq']
  # Java_ks['activemq_ca:truststore'] ~> Service['activemq']

  # ----- Manage PEM files -----
  # Modes are quoted strings: Puppet 4 and later reject unquoted octal literals.
  File {
    owner => root,
    group => root,
    mode  => '0600',
  }
  file { "${activemq_confdir}/ssl_credentials":
    ensure => directory,
    mode   => '0700',
  }
  file { "${activemq_confdir}/ssl_credentials/activemq_certificate.pem":
    ensure => file,
    source => $cert,
  }
  file { "${activemq_confdir}/ssl_credentials/activemq_private.pem":
    ensure => file,
    source => $private_key,
  }
  file { "${activemq_confdir}/ssl_credentials/ca.pem":
    ensure => file,
    source => $ca,
  }

  # ----- Manage Keystore Contents -----
  # Each keystore should have a dependency on the PEM files it relies on.

  # Truststore with copy of CA cert
  java_ks { 'activemq_ca:truststore':
    ensure       => latest,
    certificate  => "${activemq_confdir}/ssl_credentials/ca.pem",
    target       => "${activemq_confdir}/truststore.jks",
    password     => $keystore_password,
    trustcacerts => true,
    require      => File["${activemq_confdir}/ssl_credentials/ca.pem"],
  }

  # Keystore with ActiveMQ cert and private key
  java_ks { 'activemq_cert:keystore':
    ensure      => latest,
    certificate => "${activemq_confdir}/ssl_credentials/activemq_certificate.pem",
    private_key => "${activemq_confdir}/ssl_credentials/activemq_private.pem",
    target      => "${activemq_confdir}/keystore.jks",
    password    => $keystore_password,
    require     => [
      File["${activemq_confdir}/ssl_credentials/activemq_private.pem"],
      File["${activemq_confdir}/ssl_credentials/activemq_certificate.pem"],
    ],
  }

  # ----- Manage Keystore Files -----
  # Permissions only.
  # No ensure, source, or content.
  file { "${activemq_confdir}/keystore.jks":
    owner   => $activemq_user,
    group   => $activemq_user,
    mode    => '0600',
    require => Java_ks['activemq_cert:keystore'],
  }
  file { "${activemq_confdir}/truststore.jks":
    owner   => $activemq_user,
    group   => $activemq_user,
    mode    => '0600',
    require => Java_ks['activemq_ca:truststore'],
  }
}
```
The activemq.xml file
```xml
<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd
  http://activemq.apache.org/camel/schema/spring http://activemq.apache.org/camel/schema/spring/camel-spring.xsd">

    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
            <value>file:${activemq.base}/conf/credentials.properties</value>
        </property>
    </bean>

    <!--
      For more information about what MCollective requires in this file,
      see http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html
    -->

    <!--
      WARNING: The elements that are direct children of <broker> MUST BE IN
      ALPHABETICAL ORDER. This is fixed in ActiveMQ 5.6.0, but affects
      previous versions back to 5.4.
      https://issues.apache.org/jira/browse/AMQ-3570
    -->
    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" useJmx="true" schedulePeriodForDestinationPurge="60000">
        <!--
          MCollective generally expects producer flow control to be turned off.
          It will also generate a limitless number of single-use reply queues,
          which should be garbage-collected after about five minutes to conserve
          memory.

          For more information, see:
          http://activemq.apache.org/producer-flow-control.html
        -->
        <destinationPolicy>
          <policyMap>
            <policyEntries>
              <policyEntry topic=">" producerFlowControl="false"/>
              <!-- "inactiveTimoutBeforeGC" is ActiveMQ's own spelling of this attribute. -->
              <policyEntry queue="*.reply.>" gcInactiveDestinations="true" inactiveTimoutBeforeGC="300000" />
            </policyEntries>
          </policyMap>
        </destinationPolicy>

        <managementContext>
            <managementContext createConnector="false"/>
        </managementContext>

        <plugins>
          <statisticsBrokerPlugin/>

          <!--
            This configures the users and groups used by this broker. Groups
            are referenced below, in the write/read/admin attributes
            of each authorizationEntry element.
          -->
          <simpleAuthenticationPlugin>
            <users>
              <authenticationUser username="mcollective" password="Guosir@eu2015" groups="mcollective,everyone"/>
              <authenticationUser username="admin" password="Guosir@eu2015" groups="mcollective,admins,everyone"/>
            </users>
          </simpleAuthenticationPlugin>

          <!--
            Configure which users are allowed to read and write where. Permissions
            are organized by group; groups are configured above, in the
            authentication plugin.

            With the rules below, both servers and admin users belong to group
            mcollective, which can both issue and respond to commands. For an
            example that splits permissions and doesn't allow servers to issue
            commands, see:
            http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#detailed-restrictions
          -->
          <authorizationPlugin>
            <map>
              <authorizationMap>
                <authorizationEntries>
                  <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
                  <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
                  <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
                  <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
                  <!--
                    The advisory topics are part of ActiveMQ, and all users need
                    access to them. The "everyone" group is not special; you need
                    to ensure every user is a member.
                  -->
                  <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
                </authorizationEntries>
              </authorizationMap>
            </map>
          </authorizationPlugin>
        </plugins>

        <!-- sslContext sorts before systemUsage; the order matters on ActiveMQ 5.4 and 5.5 (see the warning above). -->
        <sslContext>
            <sslContext
                keyStore="/etc/activemq/keystore.jks" keyStorePassword="puppet"
                trustStore="/etc/activemq/truststore.jks" trustStorePassword="puppet"
            />
        </sslContext>

        <!--
          The systemUsage controls the maximum amount of space the broker will
          use for messages. For more information, see:
          http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#memory-and-temp-usage-for-messages-systemusage
        -->
        <systemUsage>
            <systemUsage>
                <memoryUsage>
                    <memoryUsage limit="20 mb"/>
                </memoryUsage>
                <storeUsage>
                    <storeUsage limit="1 gb" name="foo"/>
                </storeUsage>
                <tempUsage>
                    <tempUsage limit="100 mb"/>
                </tempUsage>
            </systemUsage>
        </systemUsage>

        <!--
          The transport connectors allow ActiveMQ to listen for connections over
          a given protocol. MCollective uses Stomp, and other ActiveMQ brokers
          use OpenWire. You'll need different URLs depending on whether you are
          using TLS. For more information, see:
          http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#transport-connectors
        -->
        <transportConnectors>
            <!-- OpenWire is only needed for links to other brokers. On a single broker
                 remove this connector, or bind it to 127.0.0.1 instead of exposing a
                 plaintext listener on every interface. -->
            <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
            <!-- <transportConnector name="stomp+nio" uri="stomp+nio://0.0.0.0:61613"/> -->
            <!-- If using TLS, uncomment this and comment out the previous connector.
                 The '&' between URI parameters must be written as '&amp;' or the file
                 is not well-formed XML and the broker will not start. TLSv1 and TLSv1.1
                 are listed only for old clients; drop them once every client speaks TLSv1.2. -->
            <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
        </transportConnectors>
    </broker>

    <!--
      Enable web consoles, REST and Ajax APIs and demos. It also includes Camel
      (with its web console); see ${ACTIVEMQ_HOME}/conf/camel.xml for more info.
      See ${ACTIVEMQ_HOME}/conf/jetty.xml for more details.
      The web console has its own credentials in jetty-realm.properties; change the
      shipped defaults, or drop this import if the console is not needed.
    -->
    <import resource="jetty.xml"/>
</beans>
```
The server.cfg.erb file
```erb
<% ssldir = '/var/lib/puppet/ssl' %>
# /etc/mcollective/server.cfg

# ActiveMQ connector settings:
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppetmaster.puppet.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = Guosir@eu2015
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = <%= ssldir %>/certs/ca.pem
plugin.activemq.pool.1.ssl.cert = <%= ssldir %>/certs/<%= scope.lookupvar('::clientcert') %>.pem
plugin.activemq.pool.1.ssl.key = <%= ssldir %>/private_keys/<%= scope.lookupvar('::clientcert') %>.pem
plugin.activemq.pool.1.ssl.fallback = 0

# SSL security plugin settings:
securityprovider = ssl
plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients
plugin.ssl_server_private = /etc/mcollective/ssl/server_private.pem
plugin.ssl_server_public = /etc/mcollective/ssl/server_public.pem

# Facts, identity, and classes:
identity = <%= scope.lookupvar('::fqdn') %>
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
classesfile = /var/lib/puppet/state/classes.txt

# No additional subcollectives:
collectives = mcollective
main_collective = mcollective

# Registration:
# We don't configure a listener, and only send these messages to keep the
# Stomp connection alive. This will use the default "agentlist" registration
# plugin.
registerinterval = 600

# Auditing (optional):
# If you turn this on, you must arrange to rotate the log file it creates.
rpcaudit = 1
rpcauditprovider = logfile
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log

# Authorization:
# If you turn this on now, you won't be able to issue most MCollective
# commands, although `mco ping` will work. You should deploy the
# ActionPolicy plugin before uncommenting this; see "Deploy Plugins" in the
# Puppet Labs MCollective deployment guide.
# rpcauthorization = 1
# rpcauthprovider = action_policy
# plugin.actionpolicy.allow_unconfigured = 1

# Logging:
logger_type = file
loglevel = info
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user

# Platform defaults:
# These settings differ based on platform; the default config file created by
# the package should include correct values. If you are managing settings as
# resources, you can ignore them, but with a template you'll have to account
# for the differences.
<% if scope.lookupvar('::osfamily') == 'RedHat' -%>
libdir = /usr/libexec/mcollective
daemonize = 1
<% elsif scope.lookupvar('::osfamily') == 'Debian' -%>
libdir = /usr/share/mcollective/plugins
daemonize = 1
<% else -%>
# INSERT PLATFORM-APPROPRIATE VALUES FOR LIBDIR AND DAEMONIZE
<% end %>
```
The .mcollective (client.cfg) file
```ini
# ~/.mcollective
# or
# /etc/mcollective/client.cfg

# ActiveMQ connector settings:
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppetmaster.puppet.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = Guosir@eu2015
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = /var/lib/padmin/.mcollective.d/padmin_cacert.pem
plugin.activemq.pool.1.ssl.cert = /var/lib/padmin/.mcollective.d/padmin_cert.pem
plugin.activemq.pool.1.ssl.key = /var/lib/padmin/.mcollective.d/padmin_private.pem
plugin.activemq.pool.1.ssl.fallback = 0

# SSL security plugin settings:
securityprovider = ssl
plugin.ssl_server_public = /var/lib/padmin/.mcollective.d/server_public.pem
plugin.ssl_client_private = /var/lib/padmin/.mcollective.d/padmin_private.pem
plugin.ssl_client_public = /var/lib/padmin/.mcollective.d/padmin_public.pem

# Interface settings:
default_discovery_method = mc
direct_addressing_threshold = 10
ttl = 60
color = 1
rpclimitmethod = first

# No additional subcollectives:
collectives = mcollective
main_collective = mcollective

# Platform defaults:
# These settings differ based on platform; the default config file created
# by the package should include correct values or omit the setting if the
# default value is fine.
libdir = /usr/libexec/mcollective
helptemplatedir = /etc/mcollective

# Logging:
logger_type = console
loglevel = warn
```
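The broker side (activemq.xml) and the client side (server.cfg.erb, .mcollective) have to agree on several things that nothing checks for you until a connection fails or, worse, silently succeeds in plaintext. As an added check that is not from the page or from the MCollective/Puppet projects, the script below parses a trimmed, constructed copy of the activemq.xml above together with the transport lines of the two cfg files and reports the usual mismatches: a user left out of the `everyone` group (the advisory topics are granted to that group, and it is not special), an authorizationEntry naming a group that no user holds, a cfg that turns TLS off or allows `ssl.fallback`, a `securityprovider` other than `ssl`, a port that does not belong to a `+ssl` connector with `needClientAuth=true`, and a plaintext listener bound to every interface. It also shows why the connector URI must use `&amp;`: with a bare `&` the file does not parse at all. It assumes Python 3 with the standard library only; the "weak" client cfg is invented for contrast.

```python
# Added example, not from the page or from the MCollective/Puppet projects: cross-check
# the broker's activemq.xml against an MCollective server/client cfg. Python 3 stdlib only.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed: a trimmed copy of the page's activemq.xml. The TLS connector URI must
# spell its separator as '&amp;'; a bare '&' inside an attribute is not well-formed XML.
ACTIVEMQ_XML = """<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
 <plugins>
  <simpleAuthenticationPlugin><users>
   <authenticationUser username="mcollective" password="Guosir@eu2015" groups="mcollective,everyone"/>
   <authenticationUser username="admin" password="Guosir@eu2015" groups="mcollective,admins,everyone"/>
  </users></simpleAuthenticationPlugin>
  <authorizationPlugin><map><authorizationMap><authorizationEntries>
   <authorizationEntry topic=">" write="admins" read="admins" admin="admins"/>
   <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective"/>
   <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective"/>
   <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
  </authorizationEntries></authorizationMap></map></authorizationPlugin>
 </plugins>
 <transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
 </transportConnectors>
</broker>"""

# Constructed: the transport settings of the page's server.cfg, and an invented client
# cfg weakened in exactly the ways the audit should catch.
SERVER_CFG = """plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.fallback = 0
securityprovider = ssl"""
WEAK_CLIENT_CFG = """plugin.activemq.pool.1.port = 61613  # the plaintext stomp+nio port, commented out above
plugin.activemq.pool.1.ssl = 0
plugin.activemq.pool.1.ssl.fallback = 1
securityprovider = psk"""

def is_well_formed(xml_text):
    """False when the XML does not parse, e.g. with a bare '&' in a connector URI."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def parse_cfg(text):
    """MCollective cfg format: 'key = value' lines, '#' starts a comment."""
    lines = (ln.split('#', 1)[0] for ln in text.splitlines())
    return {k.strip(): v.strip() for k, v in (ln.split('=', 1) for ln in lines if '=' in ln)}

def parse_broker(xml_text):
    """Return (groups per user, groups named in authorizationEntries, connector URIs by name)."""
    csv = lambda v: {g.strip() for g in (v or '').split(',') if g.strip()}
    users, groups_used, connectors = {}, set(), {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit('}', 1)[-1]  # strip the XML namespace
        if tag == 'authenticationUser':
            users[el.get('username')] = csv(el.get('groups'))
        elif tag == 'authorizationEntry':
            groups_used |= csv(el.get('read')) | csv(el.get('write')) | csv(el.get('admin'))
        elif tag == 'transportConnector':
            connectors[el.get('name')] = el.get('uri')
    return users, groups_used, connectors

def audit(xml_text, cfg_text):
    """Return a list of findings; an empty list means broker and cfg agree."""
    users, groups_used, connectors = parse_broker(xml_text)
    cfg, findings = parse_cfg(cfg_text), []
    # 'everyone' is an ordinary group that happens to own the advisory topics: every user needs it.
    findings += [f"user {u} is not in group everyone" for u, g in users.items() if 'everyone' not in g]
    # A group no user holds grants nothing; almost always a typo in an authorizationEntry.
    defined = {g for groups in users.values() for g in groups}
    findings += [f"undefined group {g} in an authorizationEntry" for g in sorted(groups_used - defined)]
    # Transport: TLS on, no plaintext fallback, certificate-based security provider.
    ssl_on = cfg.get('plugin.activemq.pool.1.ssl') == '1'
    if not ssl_on:
        findings.append("plugin.activemq.pool.1.ssl is not 1: the Stomp session is plaintext")
    if cfg.get('plugin.activemq.pool.1.ssl.fallback', '0') != '0':
        findings.append("ssl.fallback is enabled: the client may downgrade to plaintext")
    if cfg.get('securityprovider') != 'ssl':
        findings.append(f"securityprovider is {cfg.get('securityprovider')}, not ssl")
    # The port must belong to a *+ssl connector that demands a client certificate.
    port = cfg.get('plugin.activemq.pool.1.port')
    hits = [(n, urlsplit(u)) for n, u in connectors.items() if str(urlsplit(u).port) == port]
    if not hits:
        findings.append(f"no transportConnector listens on port {port}")
    elif ssl_on:
        name, uri = hits[0]
        if not uri.scheme.endswith('+ssl'):
            findings.append(f"cfg expects TLS but connector {name} speaks {uri.scheme}")
        if parse_qs(uri.query).get('needClientAuth') != ['true']:
            findings.append(f"connector {name} does not require client certificates")
    # A plaintext listener on every interface deserves a second look (openwire here).
    for name, raw in connectors.items():
        if not urlsplit(raw).scheme.endswith('+ssl') and urlsplit(raw).hostname in ('0.0.0.0', '::'):
            findings.append(f"plaintext connector {name} ({raw}) is bound to all interfaces")
    return findings
```

Run against the page's own settings (`audit(ACTIVEMQ_XML, SERVER_CFG)`) the only finding is the OpenWire listener on 0.0.0.0:61616; against the weakened client cfg it reports five. To use it on a live host, read `/etc/activemq/activemq.xml` and `/etc/mcollective/server.cfg` into the two arguments instead of the constructed strings; the namespace-stripping in `parse_broker` means the full file with its `<beans>` wrapper parses the same way.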