Puppet基础篇5-如何建立master和agent之间的认证关系

零基础学习Puppet自动化配置管理系列文档

Puppet注册方式基本上有三种:自动注册、手动注册和预签名注册,在《Puppet基础篇4-安装、配置并使用Puppet》采用的是手动注册,不同的注册方式决定了注册的难易程度,当然安全性也会不一样。

一、手动注册

手动注册是由Agent端先发起证书申请请求,然后由Puppetserver端确***方可注册成功,这种注册方式安全系数中等,逐一注册(puppet cert --sign certnmame)在节点数量较大的情况下是比较麻烦的,效率也低,批量注册(puppet cert --sign --all)效率很高,一次性便可注册所有的Agent的请求,但是这种方式安全系数较低,因为错误的请求也会被注册上。

1、节点申请注册

[root@agent1 ~]# puppet agent --test
info: Creating a new SSL key for agent1_cert.kisspuppet.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
Exiting; no certificate found and waitforcert is disabled

2、服务器端确定认证

[root@puppetmaster ~]# puppet cert --list --all #查看认证情况"agent1_cert.kisspuppet.com"  (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9) #未认证
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
[root@puppetmaster ~]# puppet cert --sign agent1_cert.kisspuppet.com #注册agent1
notice: Signed certificate request for agent1_cert.kisspuppet.com #将请求的证书正式注册
notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem' #删除请求
[root@puppetmaster ~]# puppet cert --list --all #再次查看认证情况
+ "agent1_cert.kisspuppet.com"  (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
[root@puppetmaster ~]# tree /var/lib/puppet/ssl/ #另外一种查看认证的方式
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent1_cert.kisspuppet.com.pem  #已经注册成功
│       └── puppetmaster.kisspuppet.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.kisspuppet.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.kisspuppet.com.pem
└── public_keys└── puppetmaster.kisspuppet.com.pem
9 directories, 14 files

3、motd模块测试

[root@agent1 ~]# puppet agent --test  #测试节点agent1
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394304542'
notice: /Stage[main]/Motd/File[/etc/motd]/content:
--- /etc/motd    2000-01-13 07:18:52.000000000 +0800
+++ /tmp/puppet-file20140309-4571-1vqc18j-0    2014-03-09 02:51:47.000000000 +0800
@@ -0,0 +1,3 @@
+--                       --
+--------puppet test---------
+--                       --
info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
notice: Finished catalog run in 0.40 seconds

二、自动注册

这种注册方式简单来讲是通过Puppetmaster端的ACL列表进行控制的,安全系统较低,也就是说符合预先定义的ACL列表中的所有节点请求不需要确认都会被自动注册上,也就是说你只需要知道ACL列表要求,其次能和PuppetMaster端通信便可轻易注册成功。当然,它的最大优点就是效率非常高。
1、清除PuppetMaster端已经注册的agent1的证书

[root@puppetmaster ~]# puppet cert --clean agent1_cert.kisspuppet.com
notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/signed/agent1_cert.kisspuppet.com.pem'
notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem'
[root@puppetmaster ~]# puppet cert --list  --all #agent1证书已经删除
+ "agent2_cert.kisspuppet.com"       (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "agent3_cert.kisspuppet.com"       (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
+ "puppetmaster.kisspuppet.com"      (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
+ "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

2、在agent1端删除注册过的证书

[root@agent1 ~]# rm -rf /var/lib/puppet/ssl/*

3、在Puppetmaster端编写ACL列表

[root@puppetmaster ~]# vim /etc/puppet/autosign.conf
*.kisspuppet.com
[root@puppetmaster ~]# /etc/init.d/puppetmaster restart
Stopping puppetmaster:                                     [  OK  ]
Starting puppetmaster:                                     [  OK  ]
[root@puppetmaster ~]# puppet cert --list  --all

4、自动注册

[root@agent1 ~]# puppet agent --test #申请证书
info: Creating a new SSL key for agent1_cert.kisspuppet.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
info: Certificate Request fingerprint (md5): ED:C9:C7:DF:F1:0E:53:1C:D3:73:5D:B7:D3:94:1F:60
info: Caching certificate for agent1_cert.kisspuppet.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394359075'
notice: Finished catalog run in 1.39 seconds
[root@agent1 ~]# cat /etc/motd
--                       --
--------puppet test---------
--                       --

5、服务器端查看

[root@puppetmaster ~]# puppet cert --list  --all  #agent1已经自动注册成功
+ "agent1_cert.kisspuppet.com"       (9E:1A:2B:48:26:7D:26:8D:1D:F5:5E:34:A1:6B:13:5F)
+ "agent2_cert.kisspuppet.com"       (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "agent3_cert.kisspuppet.com"       (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
+ "puppetmaster.kisspuppet.com"      (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
+ "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

6、节点测试

[root@agent1 ~]# >/etc/motd #删除文件内容
[root@agent1 ~]# puppet agent --test
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394359075'
notice: /Stage[main]/Motd/File[/etc/motd]/content:
--- /etc/motd    2014-03-09 17:59:02.000000000 +0800
+++ /tmp/puppet-file20140309-3678-15tazyj-0    2014-03-09 17:59:06.000000000 +0800
@@ -0,0 +1,3 @@
+--                       --
+--------puppet test---------
+--                       --
info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
notice: Finished catalog run in 0.42 seconds
[root@agent1 ~]# cat /etc/motd #文件内容已经生成
--                       --
--------puppet test---------
--                       --

三、预签名注册

预签名注册是在agent端未提出申请的情况下,预先在puppetmaster端生成agent端的证书,然后复制到节点对应的目录下即可注册成功,这种方式安全系数最高,但是操作麻烦,需要提前预知所有节点服务器的certname名称,其次需要将生成的证书逐步copy到所有节点上去。不过,如果你的系统中安装了kickstart或者cobbler这样的自动化工具,倒是可以将证书部分转换成脚本集成到统一自动化部署中
注:生产环境中建议此方式进行注册,既安全又可靠!

1、清除PuppetMaster端已经注册的agent1的证书

[root@puppetmaster ~]# puppet cert --clean agent1_cert.kisspuppet.com
notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/signed/agent1_cert.kisspuppet.com.pem'
notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem'
[root@puppetmaster ~]# puppet cert --list  --all #agent1证书已经删除
+ "agent2_cert.kisspuppet.com"       (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "agent3_cert.kisspuppet.com"       (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
+ "puppetmaster.kisspuppet.com"      (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
+ "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)

2、在agent1端删除注册的所有信息,包括证书

[root@agent1 ~]# rm -rf /var/lib/puppet/*

3、删除自动注册ACL列表

[root@puppetmaster ~]# mv /etc/puppet/autosign.conf{,.bak}

4、puppetserver端预先生成agent1证书

[root@puppetmaster ~]# puppetca --generate agent1_cert.kisspuppet.com
notice: agent1_cert.kisspuppet.com has a waiting certificate request
notice: Signed certificate request for agent1_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certificate_requests/agent1_cert.kisspuppet.com.pem'

5、节点生成目录结构

[root@agent1 ~]# puppet agent --test --server=abc.com #随便指定server端,生成目录结构
info: Creating a new SSL key for agent1_cert.kisspuppet.com
err: Could not request certificate: getaddrinfo: Temporary failure in name resolution
Exiting; failed to retrieve certificate and waitforcert is disabled
[root@agent1 ~]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
|-- certificate_requests
|-- certs
|-- private
|-- private_keys
|   `-- agent1_cert.kisspuppet.com.pem
`-- public_keys`-- agent1_cert.kisspuppet.com.pem
5 directories, 2 files

6、puppetmaster端copy证书到agent1上

[root@puppetmaster ~]# scp /var/lib/puppet/ssl/private_keys/agent1_cert.kisspuppet.com.pem  agent1.kisspuppet.com:/var/lib/puppet/ssl/private_keys/
agent1_cert.kisspuppet.com.pem                                                         100% 3243     3.2KB/s   00:00
[root@puppetmaster ~]# scp /var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem  agent1.kisspuppet.com:/var/lib/puppet/ssl/certs/
agent1_cert.kisspuppet.com.pem                                                         100% 1944     1.9KB/s   00:00
[root@puppetmaster ~]# scp /var/lib/puppet/ssl/certs/ca.pem  agent1.kisspuppet.com:/var/lib/puppet/ssl/certs/
ca.pem                                                                                 100% 1915     1.9KB/s   00:00
[root@puppetmaster ~]#

7、agent1测试

[root@agent1 ~]# >/etc/motd
[root@agent1 ~]# puppet agent --test
info: Caching certificate_revocation_list for ca
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394359075'
notice: /Stage[main]/Motd/File[/etc/motd]/content:
--- /etc/motd    2014-03-09 18:18:10.000000000 +0800
+++ /tmp/puppet-file20140309-4071-1gypudk-0    2014-03-09 18:18:17.000000000 +0800
@@ -0,0 +1,3 @@
+--                       --
+--------puppet test---------
+--                       --
info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.41 seconds
[root@agent1 ~]# cat /etc/motd
--                       --
--------puppet test---------
--                       --

返回主目录

交流方式:

微信公众号:puppet2014,可微信搜索加入,也可以扫描以下二维码进行加入

微信公众号

QQ交流群:296934942

Puppet_Learning
puppet基础知识, puppet学习, puppet资料, puppet架构

Puppet基础篇5-如何建立master和agent之间的认证关系相关推荐

  1. Puppet基础篇9-Puppetmaster多环境配置

    Puppet基础篇9-Puppetmaster多环境配置 零基础学习Puppet自动化配置管理系列文档 扩充现有架构环境是对一个企业成长的见证 将基础环境模块部署到puppetmaster端之后就可以 ...

  2. puppet基础篇(练习篇)

    puppet基础篇(练习篇) 本文分为两部分:一.安装配置及命令用法:二.puppet资源基础练习 1.安装配置及命令用法 #在epel仓库安装 yum install ./facter-2.4.6- ...

  3. Puppet基础篇7-编写第一个完整测试模块puppet

    Puppet基础篇7-编写第一个完整测试模块puppet 零基础学习Puppet自动化配置管理系列文档 将Puppet部署到生产中第一个要编写的模块就是puppet本身,虽然puppet可以运行其它所 ...

  4. Puppet基础篇6-Puppet更新方式的选型

    Puppet基础篇6-Puppet更新方式的选型 零基础学习Puppet自动化配置管理系列文档 基于C/S架构的Puppet更新方式一般有两种,一种是Agent端设置同步时间主动去PuppetMast ...

  5. Puppet基础篇3-安装Puppet前期的准备工作

    零基础学习Puppet自动化配置管理系列文档 工欲善其事必先利其器 原文地址: http://kisspuppet.com/2014/03/06/puppet_learning_base3/ 在安装P ...

  6. puppet 基础篇

    puppet [TOC] 1.什么是puppet 很多公司经常情况下会遇到这么一个问题,新应用开发完成之后,运维人员耗费了大量的时间在测试环境上完成了项目的部署,而迁移到线上环境依旧需要逐字逐句的变更 ...

  7. puppet中master和agent之间实现通信

    puppet master和agent实现通信 1 安装puppet 1)master端 192.168.196.183     master.example.com agent端     192.1 ...

  8. 建立linux两用户之间的信任关系

    有a和b两台机器,现要将a机器的user1用户添加到b机器的user2用户信任列表里,使a机器的user1用户可以直接ssh到b机器的user2用户 步骤: 1,进入a机器/home/user1/.s ...

  9. Puppet扩展篇1-自定义fact结合ENC(hirea)的应用实践

    零基础学习Puppet自动化配置管理系列文档 在大量节点加入Puppet之后,你至少会面临两个比较大的问题: 1.由于节点数的增多,site.pp文件必然会编写更多的节点条目,以及节点包含的类.假设你 ...

最新文章

  1. centos 7--LNMP环境部署
  2. 【管理】舍KPI取OKR,Google的管理方法
  3. Android的下载,编译, 运行
  4. asp.net操作Excel总结
  5. 前端学习(1887)vue之电商管理系统电商系统之通过路由的形式显示用户列表
  6. linux桌面变成黑白,用虚拟机装了linux后开启为什么界面是黑色的呢?
  7. 10个你可能没用过的linux命令
  8. nts包如何下周 php_windows下PHP7安装方法(ts版和nts版)
  9. mysql三高讲解(二):2.8 mysql视图相关概念
  10. 测者的测试技术手册:AI的自动化单元测试
  11. 如何解决xp进系统的时候需要按enter键
  12. 学习c语言编程用什么软件_用C编程
  13. 3种团队分组适应项目_分组团队竞赛活动方案
  14. 【嵌入式模块】DS1302 时钟定时芯片
  15. Android push到/system/app下,导致找不到so文件,抛出java.lang.UnsatisfiedLinkError的原因分析和解决方案
  16. 为什么巡检在工业生产中如此重要?
  17. SocialBook帮你扫除网红营销乱象
  18. Unity基于YooAssets资源管理1
  19. python实现多重排序(多级排序)
  20. c语言阶乘编程题,C语言编程题:阶乘计算

热门文章

  1. apache kafka系列之server.properties配置文件参数说明
  2. iOS各个版本的新特性介绍
  3. ansible之安装与简单使用
  4. 流行的JavaScript库 ——jQuery
  5. ORACLE11g“空表”无法导出的深入分析
  6. [Android] 环境优化配置Android Studio发展NDK
  7. magento paypal付款实现前台切换货币付款
  8. eclipse New菜单项的显示问题
  9. Python[8] :paramiko模块多进程批量管理主机
  10. React开发环境搭建