I am trying to run puppetmaster and the agent on an Ubuntu MATE 15.10 VM.

My /etc/hosts contains the following relevant entries

127.0.0.1   localhost
127.0.1.1   ubuntu
127.0.1.1   ubuntu.localdomain

My /etc/puppet/puppet.conf contains the following entries

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
dns_alt_names=puppet,ubuntu.localdomain
server=ubuntu.localdomain

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

I am issuing the following commands

ps -ef|grep puppet
    [kill both master and agent if running]
sudo rm -rf /var/lib/puppet/ssl
sudo service puppetmaster start
sudo service puppet restart
sudo puppet agent -t

The last command returns

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for ubuntu.localdomain
Info: Applying configuration version '1453930694'
Notice: Finished catalog run in 0.01 seconds

Now if I run sudo puppet cert list, it shows nothing. Also, sudo puppet cert sign ubuntu.localdomain raises the following error

Error: Could not find certificate request for ubuntu.localdomain

What am I doing wrong? BTW, I am using puppet 3.7.2 and hostname -f returns ubuntu. But using that hostname in puppet.conf raised some errors, so I appended .localdomain to it.
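The question reports that hostname -f returns "ubuntu" even though /etc/hosts also lists ubuntu.localdomain. The following shell snippet is an added example, not part of the question or either answer: it emulates how the canonical name is derived from a hosts file, on the assumption (glibc "files" lookup as I understand it) that the canonical name is the first name on the first line whose names include the short hostname. QUESTION_HOSTS is the file from the question; FIXED_HOSTS is a constructed variant that puts the FQDN first.

```shell
#!/bin/sh
# Added example, not from the original post: emulate what `hostname -f`
# would print for a given /etc/hosts. Assumption: the canonical name is
# the FIRST name on the FIRST line whose names include the short hostname,
# so both line order and the order of names on a line matter.

# /etc/hosts exactly as posted in the question
QUESTION_HOSTS='127.0.0.1   localhost
127.0.1.1   ubuntu
127.0.1.1   ubuntu.localdomain'

# Constructed variant: FQDN listed first, short name as an alias on the same line
FIXED_HOSTS='127.0.0.1   localhost
127.0.1.1   ubuntu.localdomain ubuntu'

# fqdn_from_hosts SHORTNAME HOSTS_CONTENT -> canonical name, or nothing if absent
fqdn_from_hosts() {
    printf '%s\n' "$2" | awk -v h="$1" '
        { sub(/#.*/, "") }                  # drop comments
        NF < 2 { next }                     # skip blank / address-only lines
        {
            for (i = 2; i <= NF; i++)
                if ($i == h) { print $2; exit }   # $2 is the canonical name
        }'
}

# Demo: the question'"'"'s file yields "ubuntu" (matching what the question
# reports); the reordered file yields the FQDN ubuntu.localdomain.
fqdn_from_hosts ubuntu "$QUESTION_HOSTS"
fqdn_from_hosts ubuntu "$FIXED_HOSTS"
```

The practical check is to compare the output of hostname -f with the certname the agent presents; if they differ, the hosts file (or a DNS entry) is the first place to look before touching the SSL directory.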

Answer 1

After some fiddling, I finally found a sequence of steps that works. I tried it several times and it worked every time, so I am posting the steps for creating a Puppet Master and an Agent on two separate VMs, for reference.

Assume two VMs, one for puppetmaster and one for puppetclient.

Server

sudo apt-get update
sudo sed -i 's/ubuntu/puppetmaster/g' /etc/hostname
sudo nano /etc/network/interfaces                                               //If no ip for puppetmaster is present, copy from 'ifconfig'
#ADD CLIENT AND SERVER IP'S TO /ETC/HOSTS
sudo nano /etc/hosts                                                            //Add client, server entries. Add puppetclient.localdomain as client
sudo apt-get install -y puppetmaster
sudo service puppetmaster stop
sudo rm -r /var/lib/puppet/ssl
sudo puppet cert list -a                                                        //Regenerate the CA. Should see "Notice: Signed certificate request for ca"
sudo puppet master --no-daemonize --verbose                                     //Generate the Puppet master’s new certs. When you see "Notice: Starting Puppet master <your Puppet version>", type CTRL + C.
sudo service puppetmaster start

Client

sudo apt-get update
sudo sed -i 's/ubuntu/puppetclient/g' /etc/hostname
sudo nano /etc/network/interfaces                                               //If no ip for puppetclient is present, copy from 'ifconfig'
sudo reboot
#ADD CLIENT AND SERVER IP'S TO /ETC/HOSTS                                       //Add client, server entries. Add puppetmaster.localdomain as master
sudo nano /etc/hosts
sudo apt-get install -y puppet
sudo nano /etc/puppet/puppet.conf                                               //See below for sample entry in conf file 
#sudo sed -i 's/no/yes/g' /etc/default/puppet                                   //Don't need
sudo service puppet stop
sudo rm -r /var/lib/puppet/ssl
sudo service puppet restart
sudo puppet agent --server puppetmaster.localdomain --waitforcert 20 --test     //Request for a cert from server

Server

sudo puppet cert --list                                                         //Should show the client's cert
sudo puppet cert sign puppetclient.localdomain
sudo nano /etc/puppet/manifests/site.pp

#add following to site.pp
file {  '/tmp/Demo':
    content => "Hooray!"
}

Client

sudo puppet agent --test

Server

#Change content in site.pp and do a 'cat /tmp/Demo' on client. The modified entries in server side should be reflected on client.

Fresh start: remove all traces of the client on the server

sudo puppet node clean puppetclient.localdomain

Sample /etc/hosts for the client

127.0.0.1           localhost
127.0.1.1           puppetclient
192.168.112.129     puppetclient
192.168.112.130     puppetmaster.localdomain

Sample /etc/hosts for the server

127.0.0.1           localhost
127.0.1.1           puppetmaster
192.168.112.130     puppetmaster
192.168.112.129     puppetclient.localdomain

Sample /etc/puppet/puppet.conf for the client

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
server = puppetmaster.localdomain
runinterval = 5s

Answer 2

If the node is able to apply its catalog, it means the certificate is already signed.

A likely reason is that you are running the master and the agent on the same machine.

As faker mentioned in the comments, you can check whether the certificate has already been validated by running: puppet cert list -a
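Both answer 1 (sudo puppet cert --list on the server, followed by puppet cert sign) and answer 2 (puppet cert list -a) turn on reading the master's certificate listing: a name shown as pending still needs puppet cert sign, while a name already marked signed is exactly the case where puppet cert sign reports "Could not find certificate request". The following shell snippet is an added example, not code from either answer or from Puppet itself. It assumes the Puppet 3.x listing format (a leading "+" for signed certificates, "-" for revoked ones, and no marker for pending requests); SAMPLE_LISTING is constructed sample output, not taken from a real master.

```shell
#!/bin/sh
# Added example, not from the original post: classify the entries that
# `puppet cert list -a` prints on a Puppet 3.x master.
# Assumed line format (not shown on the page):
#   '+ "name" (SHA256) FP'   signed certificate
#   '  "name" (SHA256) FP'   pending request, still needs `puppet cert sign`
#   '- "name" (SHA256) FP'   revoked certificate
# Constructed sample listing, fingerprints shortened and made up.
SAMPLE_LISTING='  "puppetclient.localdomain" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
+ "puppetmaster.localdomain" (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99 (alt names: "DNS:puppet", "DNS:puppetmaster.localdomain")
- "oldclient.localdomain" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# cert_status CERTNAME LISTING -> prints signed | pending | revoked | absent
cert_status() {
    name=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v want="\"$name\"" '
        # when a marker is present it is field 1 and the quoted name is field 2;
        # a pending request has no marker, so the quoted name is field 1
        $1 == "+" && $2 == want { print "signed";  found = 1; exit }
        $1 == "-" && $2 == want { print "revoked"; found = 1; exit }
        $1 == want              { print "pending"; found = 1; exit }
        END { if (!found) print "absent" }'
}

# pending_requests LISTING -> one certname per line that still needs signing
pending_requests() {
    printf '%s\n' "$1" | awk 'NF && $1 != "+" && $1 != "-" { gsub(/"/, "", $1); print $1 }'
}

# Demo: on a real master replace "$SAMPLE_LISTING" with "$(puppet cert list -a)".
echo "puppetclient.localdomain: $(cert_status puppetclient.localdomain "$SAMPLE_LISTING")"
echo "puppetmaster.localdomain: $(cert_status puppetmaster.localdomain "$SAMPLE_LISTING")"
echo "requests waiting for signature:"
pending_requests "$SAMPLE_LISTING"
```

Reading the status this way before deleting /var/lib/puppet/ssl avoids regenerating a CA (and invalidating every agent's certificate) just because a single request was already signed.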
