Cobbler
Cobbler: an enterprise-grade automated deployment tool
Installation
The test environment is CentOS 7 1160
Reference: http://cobbler.github.io/manuals/quickstart/
Configure the EPEL repository
[epel]
name=fedora epel
baseurl=https://dl.fedoraproject.org/pub/epel/7Server/x86_64/
gpgcheck=0
Install the dependencies
yum groupinstall -y "Development Tools" "Server Platform Development"
yum install cobbler cobbler-web pykickstart debmirror xinetd -y
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl start xinetd.service
vim /etc/selinux/config
SELINUX=disabled
Resolving problems
cobbler check
Running the command above reports the following problems, which are resolved one by one below.
- The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work. This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.
- For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.
- change 'disable' to 'no' in /etc/xinetd.d/tftp
- Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a recent version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
- enable and start rsyncd.service with systemctl
- comment out 'dists' on /etc/debmirror.conf for proper debian support
- comment out 'arches' on /etc/debmirror.conf for proper debian support
- The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
- fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them
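Solutions
- Set the server parameter in /etc/cobbler/settings to the IP address or hostname of the host that provides the cobbler service, e.g. 172.16.100.15;
- Set the next_server parameter in /etc/cobbler/settings to the IP address of the host that provides the PXE service, e.g. 172.16.100.16;
- If this node can reach the Internet, simply run "cobbler get-loaders"; otherwise, install the syslinux package and then copy files such as /usr/share/syslinux/{pxelinux.0,menu.c32} into /var/lib/cobbler/loaders/;
- Run "systemctl start rsyncd" and "systemctl enable rsyncd";
- Comment out the line "@dists="sid";" in /etc/debmirror.conf;
- Comment out the line "@arches="i386";" in /etc/debmirror.conf;
- Run "openssl passwd -1 -salt $(openssl rand -hex 4)" to generate a password hash, and use it to replace the value of the default_password_crypted parameter in /etc/cobbler/settings;
- Run "yum install cman fence-agents" to install the required packages;
Note: after making these changes, be sure to restart the cobbler service and then run cobbler sync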
[root@webserver1 ~]# cobbler check
No configuration problems found. All systems go.
That's it...
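The settings changes listed under Solutions can be re-checked with a short script. This is an added example, not part of the original page or of Cobbler: it assumes top-level "key: value" lines in the settings file and an installed openssl, and it runs on constructed sample files rather than /etc/cobbler/settings. It recomputes the hash with the stored salt, so the password 'cobbler' is detected whatever salt was used.

```shell
#!/bin/sh
# Added example: re-check the /etc/cobbler/settings values from the list above.

# Print the value of a top-level "key: value" line with quotes stripped.
setting() {  # usage: setting FILE KEY
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'" |
        sed 's/[[:space:]]*$//'
}

# Succeed if HASH is the MD5-crypt hash of PASSWORD, whatever the salt.
hash_matches() {  # usage: hash_matches HASH PASSWORD
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    [ -n "$salt" ] && [ "$(openssl passwd -1 -salt "$salt" "$2" 2>/dev/null)" = "$1" ]
}

# Print one finding per line; succeed only when there are none.
audit_settings() {  # usage: audit_settings FILE
    rc=0
    for key in server next_server; do
        case "$(setting "$1" "$key")" in
            ""|localhost|127.*)
                echo "$key is unset or points at loopback"; rc=1 ;;
        esac
    done
    if hash_matches "$(setting "$1" default_password_crypted)" cobbler; then
        echo "default_password_crypted is still the hash of 'cobbler'"; rc=1
    fi
    return "$rc"
}

# Constructed sample files; the salt and the second password are made up.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/before" <<EOF
server: 127.0.0.1
next_server: 127.0.0.1
default_password_crypted: "$(openssl passwd -1 -salt abcd1234 cobbler)"
EOF
cat > "$demo_dir/after" <<EOF
server: 172.16.100.15
next_server: 172.16.100.16
default_password_crypted: "$(openssl passwd -1 -salt abcd1234 'S0me-Other-Phrase')"
EOF
audit_settings "$demo_dir/before" || echo "before: needs changes"
audit_settings "$demo_dir/after" && echo "after: clean"
```

To audit a real host, call audit_settings /etc/cobbler/settings in place of the two sample runs.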
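Configuring a standalone DHCP server
For details, see "DHCP server setup"
This experiment is run on a CentOS 7 virtual machine. VMware ships with its own built-in DHCP service, so the following was set up before the experiment:
- CentOS 7 uses the NAT network connection mode; disable VMware's built-in DHCP service and give CentOS 7 the static IP 172.17.0.4/255.255.255.0 with gateway 172.17.0.2
- Add a new interface "ens33:1" on CentOS 7 and use ens33:1 on CentOS 7 as the reserved router IP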
ifconfig ens33:1 192.168.10.3 netmask 255.255.255.0 up
- Set up the DHCP server on CentOS 7
/etc/dhcp/dhcpd.conf
[root@webserver1 dhcp]# cat /etc/dhcp/dhcpd.conf
ddns-update-style none;
ignore client-updates;
default-lease-time 43200;
max-lease-time 86400;
option routers 192.168.10.3;
option domain-name "linuxedu.top";
option domain-name-servers 8.8.8.8,114.114.114.114;
subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.10 192.168.10.20;
filename "pxelinux.0";
next-server 172.17.0.4;
}
systemctl restart dhcpd.service # restart the dhcpd service
systemctl status dhcpd.service # check the current status of the DHCP service
[root@webserver1 dhcp]# systemctl status dhcpd.service
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2017-10-04 22:27:42 CST; 26s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 1158 (dhcpd)
Status: "Dispatching packets..."
CGroup: /system.slice/dhcpd.service
└─1158 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Oct 04 22:27:42 webserver1 dhcpd[1158]: Sending on LPF/ens33:1/00:0c:29:5e:ae:c0/192.168.10.0/24
Oct 04 22:27:42 webserver1 dhcpd[1158]:
Oct 04 22:27:42 webserver1 dhcpd[1158]: No subnet declaration for ens33 (172.17.0.4).
Oct 04 22:27:42 webserver1 dhcpd[1158]: ** Ignoring requests on ens33. If this is not what
Oct 04 22:27:42 webserver1 dhcpd[1158]: you want, please write a subnet declaration
Oct 04 22:27:42 webserver1 dhcpd[1158]: in your dhcpd.conf file for the network segment
Oct 04 22:27:42 webserver1 dhcpd[1158]: to which interface ens33 is attached. **
Oct 04 22:27:42 webserver1 dhcpd[1158]:
Oct 04 22:27:42 webserver1 dhcpd[1158]: Sending on Socket/fallback/fallback-net
Oct 04 22:27:42 webserver1 systemd[1]: Started DHCPv4 Server Daemon.
Configuring the TFTP service
systemctl start tftp.service
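Configuring a distro
The first step in making cobbler usable is to define a distro, which can be done by pointing it at an external installation boot kernel and ramdisk file. If a complete system installation tree is already available (such as a CentOS6 installation image), importing it directly with import is recommended.
For a CentOS 6.5 x86_64 installation image already mounted at /media/cdrom, a command like the following performs the import:
mount -t iso9660 -o loop /dev/cdrom /mnt/cdrom # mount the Linux installation media at /mnt/cdrom
cp /mnt/cdrom/images/pxeboot/{vmlinuz,initrd.img} /var/lib/tftpboot/
cp /usr/share/syslinux/{chain.c32,mboot.c32,menu.c32,memdisk} /var/lib/tftpboot/
cobbler import --name=centos7-x86_64 --path=/media/cdrom # start importing an image
Use "cobbler distro list" to list all distros.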
[root@webserver1 cdrom]# cobbler distro list
centos7-x86_64
If you have a kickstart file, you can also pass "--kickstart=/path/to/kickstart_file" when importing; import therefore automatically generates a profile for the imported distro.
Managing profiles
cobbler uses profiles to provide the installation configuration needed for a particular class of requirements: a profile builds a specific system installation configuration on top of a distro by supplying a kickstart file. A distro's profiles can appear in the PXE boot menu as installation choices.
So, to provide a bootable installation entry for the centos7-x86_64 distro created earlier, using the kickstart file /var/lib/cobbler/kickstarts/centos-6.8.cfg (which provides only the most basic packages), use the following commands.
[root@webserver1 ~]# cobbler profile list
centos7-x86_64
cp anaconda-ks.cfg centos7-x86_64.cfg
[root@webserver1 ~]# cat centos7-x86_64.cfg | grep network
network - --device=dhcp # changed to dhcp
network --hostname=webserver2 # set the hostname
mv centos7-x86_64.cfg /var/lib/cobbler/kickstarts/
cobbler profile add --name=DIYcentos7-x86_64 --distro=centos7-x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7-x86_64.cfg
Use "cobbler profile list" to view the profiles that have been created
cobbler_web
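Configuring cobbler_web authentication
cobbler_web supports several authentication methods, such as authn_configfile, authn_ldap and authn_pam. The default is authn_denyall, which denies all user logins. Two ways of authenticating users to cobbler_web are described below.
Authenticating cobbler_web users with the authn_pam module
First, set the module parameter in the [authentication] section of the modules file to authn_pam. The file path is /etc/cobbler/modules.conf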
[authentication]
module = authn_pam
Next, add a system user; set the user name and password as needed, for example with the commands below.
useradd xuelong
echo 'admin123' | passwd --stdin xuelong
Then add the cblradmin user to the cobbler_web admin group: edit /etc/cobbler/users.conf and add the cblradmin user name as the value of the admin parameter, as shown below.
[admins]
admin = "xuelong"
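Finally, restart the cobblerd service and access it at http://YOUR_COBBLERD_IP/cobbler_web
Authenticating cobbler_web users with the authn_configfile module
First, set the module parameter in the [authentication] section of modules.conf to authn_configfile.
Next, create its authentication file /etc/cobbler/users.digest and add the required users. Note that the htdigest command needs the "-c" option when the first user is added and must not be given it when further users are added; also, the realm for cobbler_web can only be Cobbler. For example: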
htdigest -c /etc/cobbler/users.digest Cobbler cblradmin
Finally, restart the cobblerd service and access it at https://YOUR_COBBLERD_IP/cobbler_web. Note that this is https, as can be seen from the configuration file
https://172.17.0.4/cobbler_web
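The users.digest file written by htdigest holds one user:realm:hash line per user, where the hash is the MD5 of "user:realm:password". The script below is an added example, not part of the original page or of Cobbler: it lists entries whose realm is not Cobbler and checks a password against a stored entry. It assumes md5sum from GNU coreutils and an exact, case-sensitive realm match, and it runs on a constructed sample file.

```shell
#!/bin/sh
# Added example: inspect an htdigest-format file such as users.digest.

# Print the line htdigest stores: user:realm:MD5("user:realm:password").
digest_line() {  # usage: digest_line USER REALM PASSWORD
    ha1=$(printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$1" "$2" "$ha1"
}

# Print users whose realm is not exactly "Cobbler"; succeed if there are none.
check_realm() {  # usage: check_realm FILE
    bad=$(awk -F: 'NF && $2 != "Cobbler" { print $1 }' "$1")
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Succeed if PASSWORD matches the stored entry for USER in realm Cobbler.
password_matches() {  # usage: password_matches FILE USER PASSWORD
    grep -qxF -e "$(digest_line "$2" Cobbler "$3")" "$1"
}

# Constructed sample file; user "ops" and both passwords are made up.
digest_file=$(mktemp)
trap 'rm -f "$digest_file"' EXIT
{
    digest_line cblradmin Cobbler 'constructed-pass-1'
    digest_line ops cobbler 'constructed-pass-2'   # wrong realm (lower case)
} > "$digest_file"
check_realm "$digest_file" || echo "^ realm is not Cobbler"
password_matches "$digest_file" cblradmin 'constructed-pass-1' &&
    echo "cblradmin verifies"
```

The stored value is an unsalted MD5 over user:realm:password, so treat /etc/cobbler/users.digest as a secret and restrict its file permissions.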
The cobbler_web configuration file
[root@webserver1 conf.d]# cat cobbler_web.conf
# This configuration file enables the cobbler web
# interface (django version)
<Directory "/usr/share/cobbler/web/">
<IfModule mod_ssl.c>
SSLRequireSSL
</IfModule>
<IfModule mod_nss.c>
NSSRequireSSL
</IfModule>
SetEnv VIRTUALENV
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/var/www/cobbler_webui_content/">
<IfModule mod_ssl.c>
SSLRequireSSL
</IfModule>
<IfModule mod_nss.c>
NSSRequireSSL
</IfModule>
Options +Indexes +FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>