一、简介
二、安装
三、测试
一、简介
什么是Func?
Func是由红帽子公司以Fedora平台构建的统一网络控制器,是为解决集群管理、监控问题而设计开发的系统管理基础框架。它是一个能有效简化多服务器系统管理工作的工具,它易于学习,使用和扩展,功能强大,只需要极少的配置和维护操作。Func分为master和slave两部分,master为主控端,slave为被动端。
Func与Saltstack在主,被控端建立信任机制是一样的,都是采用了证书+签名的方式。
二、安装
2.1 业务环境说明
|
角色 |
主机名 |
IP |
|
Master |
controller |
192.168.128.166 |
|
Minion |
compute |
192.168.128.165 |
系统:CentOS Linux release 7.4.1708 (Core)
2.2 安装Func
1.主控端服务器安装
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[[email protected] ~]# yum install -y func
[[email protected] ~]# systemctl enable certmaster
[[email protected] ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.128.166 controller
192.168.128.165 compute
修改配置文件/etc/certmaster/minion.conf把cermaster改为主控端的主机名
[[email protected] ~]# vim /etc/certmaster/minion.conf
# configuration for minions
[main]
certmaster = controller
certmaster_port = 51235
log_level = DEBUG
cert_dir = /etc/pki/certmaster
启动证书服务:
[[email protected] ~]# service certmaster start
Redirecting to /bin/systemctl start certmaster.service
[[email protected] ~]# ss -lnt|grep 51235
LISTEN 0 5 *:51235 *:*
添加防火墙:
[[email protected] ~]# iptables -I INPUT -s 192.168.128.0/24 -p tcp --dport 51235 -j ACCEPT
[[email protected] ~]# iptables-save
2.被控端服务器安装
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[[email protected] ~]# yum install -y func
[[email protected] ~]# systemctl enable funcd
[[email protected] ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
# controller
192.168.128.166 controller
192.168.128.165 compute
修改配置文件/etc/certmaster/minion.conf把cermaster参数改为主控端的主机名,以便指向证书服务器发出签名请求,建立信任关系。
[[email protected] ~]# vim /etc/certmaster/minion.conf
# configuration for minions
[main]
certmaster = controller
certmaster_port = 51235
log_level = DEBUG
cert_dir = /etc/pki/certmaster
修改/etc/func/minion.conf的minion_name参数,作为被控主机的唯一标识,一般使用主机名,配置如下:
[[email protected] ~]# vim /etc/func/minion.conf
# configuration for minions
[main]
log_level = INFO
acl_dir = /etc/func/minion-acl.d
listen_addr =
listen_port = 51234
minion_name = compute
method_log_dir = /var/log/func/methods/
启动func服务:
[[email protected] ~]# service funcd start
[[email protected] ~]# iptables -I INPUT -s 192.168.128.166 -p tcp --dport 51234 -j ACCEPT
You have new mail in /var/spool/mail/root
[[email protected] ~]# iptables-save
三、测试
3.1证书签名
在主控端运行certmaster-ca –list获取当前请求证书签名的主机清单,如:
[[email protected] ~]# certmaster-ca --list
Compute
证书签名通过certmaster-ca –sign命令完成所有主机的签名操作,如:
[[email protected] ~]# certmaster-ca --sign `certmaster-ca --list`
/var/lib/certmaster/certmaster/csrs/compute.csr signed - cert located at /var/lib/certmaster/certmaster/certs/compute.cert
Func也提供了类似Saltstack自动签名的机制,通过修改autosign来实现,如:
[[email protected] ~]# vim /etc/certmaster/certmaster.conf
# configuration for certmasterd and certmaster-ca
[main]
autosign = yes
使用func '*' list_minions来查看已经完成签名的主机名,如:
[[email protected] ~]# func '*' list_minions
Compute
校验安装、任务签名是否正确,通过func '*' ping命令来测试,如
[[email protected] ~]# func '*' ping
[ ok ... ] compute
删除(注销)签名主机使用certmaster-ca –c hostname
对已经删除的被控端,要重新注册,先删除被控端/etc/pki/certmaster/下的证书文件,再运行certmaster-request进行证书请求,如:
[[email protected] ~]# rm -fr /etc/pki/certmaster/compute.*
[[email protected] ~]# /usr/bin/certmaster-request