A detailed look at Puppet, the Linux automated deployment tool: registration methods and common commands
Three registration methods
Puppet basically has three registration methods: manual registration, automatic registration and pre-signed registration.
1. Manual registration
With manual registration, the agent first sends a certificate signing request, and registration succeeds only once the puppet server has confirmed (signed) the certificate. This method offers a medium level of security. Signing nodes one at a time (puppet cert --sign certname) is tedious and inefficient when there are many nodes; signing in bulk (puppet cert --sign --all) is very efficient, since it approves every pending agent request in one go, but it is much less secure, because bogus requests get signed along with the legitimate ones.
2. Automatic registration
Simply put, this method is controlled by an ACL list on the puppet master, and its level of security is low: every node request that matches the predefined ACL list is registered automatically, without any confirmation. In other words, anyone who knows what the ACL list requires and can talk to the puppetmaster can register with ease. Its biggest advantage, of course, is that it is extremely efficient.
(1) Check the current certificate status
root@10.1.1.33:puppet# puppet cert --list --all
+ "agent.domain.com" (sha256) 3f:8e:ae:b8:04:2b:51:9b:7a:b3:1e:86:c0:21:3e:81:d6:2a:55:a4:17:15:ca:5e:7a:8f:95:ec:d3:83:41:c0
+ "localhost" (sha256) e4:f5:f3:a9:99:e9:4d:11:53:87:be:47:95:4c:98:48:58:2d:3d:80:7e:9c:d9:c2:36:93:56:b2:ea:a0:f1:7b
+ "puppet.domain.com" (sha256) 5a:e1:80:aa:76:b6:81:22:55:b7:28:4b:ab:7c:b9:87:a8:dd:7e:3a:31:df:0c:5a:61:8f:4b:d2:16:a4:b6:bf (alt names: "dns:puppet", "dns:puppet.domain.com")
(2) On the master, clean the certificate of the already-registered agent
root@10.1.1.33:puppet# puppet cert --clean agent.domain.com
notice: revoked certificate with serial 7
notice: removing file puppet::ssl::certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
notice: removing file puppet::ssl::certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(3) On agent.domain.com, delete the previously registered certificate
root@10.1.1.33:puppet# puppet cert --clean agent.domain.com
notice: revoked certificate with serial 7
notice: removing file puppet::ssl::certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
notice: removing file puppet::ssl::certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(4) Write the ACL list on the puppet master
root@10.1.1.33:puppet# cat autosign.conf
*.domain.com
root@10.1.1.33:puppet# /etc/init.d/puppetmaster restart
stopping puppetmaster: [ ok ]
starting puppetmaster: [ ok ]
(5) The client requests a certificate.
root@10.1.1.34:ssl# puppet agent --test
info: creating a new ssl key for agent.domain.com
info: caching certificate for ca
info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
info: creating a new ssl certificate request for agent.domain.com
info: certificate request fingerprint (sha256): fd:70:31:87:c6:44:ec:8d:18:0d:f5:10:e3:ce:5b:dc:ea:31:bd:bc:8c:c7:b2:80:f7:7e:2c:f2:4e:fb:12:90
info: caching certificate for agent.domain.com
info: caching certificate_revocation_list for ca
info: caching certificate for ca
info: retrieving pluginfacts
info: retrieving plugin
info: caching catalog for agent.domain.com
info: applying configuration version '1418292313'
notice: /stage[main]/test/file[/tmp/agent.txt]/ensure: defined content as '{md5}fc3ff98e8c6a0d3087d515c0473f8677'
notice: finished catalog run in 0.13 seconds
(6) Check the certificates on the server.
root@10.1.1.33:puppet# puppet cert --list --all
+ "agent.domain.com" (sha256) fe:04:96:32:46:a4:54:bf:a9:4f:20:ca:ef:7e:f7:c6:a6:88:34:4a:d9:7e:50:54:fa:c0:10:29:87:f9:1c:6e
+ "client.domain.com" (sha256) e3:b4:46:90:df:85:37:77:48:bb:f9:fd:9f:13:de:52:2f:00:1c:71:a3:bc:c2:e2:a5:34:4f:01:db:27:02:f5
+ "localhost" (sha256) e4:f5:f3:a9:99:e9:4d:11:53:87:be:47:95:4c:98:48:58:2d:3d:80:7e:9c:d9:c2:36:93:56:b2:ea:a0:f1:7b
+ "puppet.domain.com" (sha256) 5a:e1:80:aa:76:b6:81:22:55:b7:28:4b:ab:7c:b9:87:a8:dd:7e:3a:31:df:0c:5a:61:8f:4b:d2:16:a4:b6:bf (alt names: "dns:puppet", "dns:puppet.domain.com")
3. Pre-signed registration
With pre-signed registration, the agent's certificate is generated in advance on the puppet master, before the agent has made any request, and is then copied into the corresponding directory on the node; with that, registration is complete. This is the most secure method, but it is laborious: you must know the certname of every node server ahead of time, and the generated certificates must then be copied to every node one by one. That said, if your environment uses an automation tool such as kickstart or cobbler, the certificate step can be turned into a script and integrated into the unified automated deployment. Note: this method is recommended for registration in production, since it is both secure and reliable.
(1) Check the current certificate status
root@10.1.1.33:puppet# puppet cert --list --all
+ "agent.domain.com" (sha256) 3f:8e:ae:b8:04:2b:51:9b:7a:b3:1e:86:c0:21:3e:81:d6:2a:55:a4:17:15:ca:5e:7a:8f:95:ec:d3:83:41:c0
+ "localhost" (sha256) e4:f5:f3:a9:99:e9:4d:11:53:87:be:47:95:4c:98:48:58:2d:3d:80:7e:9c:d9:c2:36:93:56:b2:ea:a0:f1:7b
+ "puppet.domain.com" (sha256) 5a:e1:80:aa:76:b6:81:22:55:b7:28:4b:ab:7c:b9:87:a8:dd:7e:3a:31:df:0c:5a:61:8f:4b:d2:16:a4:b6:bf (alt names: "dns:puppet", "dns:puppet.domain.com")
(2) On the master, clean the certificate of the already-registered agent
root@10.1.1.33:puppet# puppet cert --clean agent.domain.com
notice: revoked certificate with serial 7
notice: removing file puppet::ssl::certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
notice: removing file puppet::ssl::certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(3) On agent.domain.com, delete the previously registered certificate
root@10.1.1.33:puppet# puppet cert --clean agent.domain.com
notice: revoked certificate with serial 7
notice: removing file puppet::ssl::certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
notice: removing file puppet::ssl::certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(4) Generate the agent certificate in advance on the puppet server
puppetca --generate agent.domain.com
(5) Create the directory structure on the agent node
puppet agent --test
(6) Copy the certificates from the puppet master to agent.domain.com
root@10.1.1.33:puppet# scp /var/lib/puppet/ssl/private_keys/agent.domain.com.pem agent.domain.com:/var/lib/puppet/ssl/private_keys/
root@10.1.1.33:puppet# scp /var/lib/puppet/ssl/certs/agent.domain.com.pem agent.domain.com:/var/lib/puppet/ssl/certs/
root@10.1.1.33:puppet# scp /var/lib/puppet/ssl/certs/ca.pem agent.domain.com:/var/lib/puppet/ssl/certs/ca.pem
Common commands
1. puppet master
By default, puppet master runs as a background daemon on Ruby's built-in webrick; the widely used web servers apache and nginx can also replace webrick to improve performance. The main job of puppet master is to compile the configuration files, files, templates and the nodes' custom plugins.
root@10.1.1.33:nodes# puppet master --help
puppet master [-d|--daemonize|--no-daemonize] [-d|--debug] [-h|--help]
[-l|--logdest syslog|<file>|console] [-v|--verbose] [-v|--version]
[--compile <node-name>]
* --daemonize: # -d, run as a background daemon; the default
* --no-daemonize: # do not run as a background daemon
* --debug: # full debugging output
* --help: # print help
* --logdest: # where logs are sent; the default is syslog
* --verbose: # show detailed information
* --version: # print the puppet version
* --compile: # output the compiled catalog as JSON
Use --genconfig to output the default configuration file
root@10.1.1.33:puppet# puppet master --genconfig > puppet.conf
Run puppet master in the foreground, without the background daemon.
root@10.1.1.33:puppet# puppet master --no-daemonize --verbose
2. puppet agent
puppet agent runs as a daemon on every node. It normally contacts the master once every 30 minutes to check for new information and ask whether anything has changed, and it is then responsible for running the compiled catalog.
root@10.1.1.34:tmp# puppet agent --help
puppet agent [--certname <name>] [-d|--daemonize|--no-daemonize]
[-d|--debug] [--detailed-exitcodes] [--digest <digest>] [--disable [message]] [--enable]
[--fingerprint] [-h|--help] [-l|--logdest syslog|eventlog|<file>|console]
[--masterport <port>] [--no-client] [--noop] [-o|--onetime] [-t|--test]
[-v|--verbose] [-v|--version] [-w|--waitforcert <seconds>]
With the "--noop" option, puppet runs the catalog but does not apply the configuration
root@10.1.1.34:tmp# puppet agent --noop
3. puppet apply
puppet apply is the command for running puppet locally; it is used mainly when testing manifests or when there is no network connection. Unlike puppet agent, puppet apply does not connect to the master while it runs.
root@10.1.1.34:tmp# puppet apply --help
puppet apply [-h|--help] [-v|--version] [-d|--debug] [-v|--verbose]
[-e|--execute] [--detailed-exitcodes] [-l|--loadclasses]
[-l|--logdest syslog|eventlog|<file>|console] [--noop]
[--catalog <catalog>] [--write-catalog-summary] <file>
(1) Send the output to a log file
root@10.1.1.33:manifests# puppet apply -l /tmp/init.pp init.pp
root@10.1.1.33:manifests# cat /tmp/init.pp
fri dec 12 16:17:46 +0800 2014 puppet (notice): compiled catalog for puppet.domain.com in environment production in 0.04 seconds
fri dec 12 16:17:47 +0800 2014 puppet (notice): finished catalog run in 0.04 seconds
4. puppet cert
It manages local certificates: viewing unsigned certificates, signing certificates, revoking certificates and cleaning certificates.
puppet cert <action> [-h|--help] [-v|--version] [-d|--debug] [-v|--verbose]
[--digest <digest>] [<host>]
Common actions:
clean # remove a certificate
fingerprint # print a certificate's fingerprint
generate # generate a client certificate
list # list client certificate requests
print # print the full text of a host's certificate
revoke # revoke a signed host certificate
sign # sign a certificate request
verify # verify the specified local certificate
Command options:
--all # operate on all certificates; used with 'sign', 'clean', 'list' and 'fingerprint'
--digest # set the digest algorithm used for certificate fingerprints
--debug # enable full debug mode
--verbose # show detailed information
--version # show the version
(1) List clients waiting for certificate signing
root@10.1.1.33:nodes# puppet cert list
(2) Sign the certificate for host agent.domain.com
root@10.1.1.33:nodes# puppet cert sign agent.domain.com
(3) List all signed and unsigned certificates
root@10.1.1.33:nodes# puppet cert list --all
+ "agent.domain.com" (sha256) 3c:82:6a:e2:9b:8b:8f:8a:ed:c9:83:eb:64:47:6c:91:e5:8e:86:a6:b3:d7:1d:e5:4e:39:4d:04:5a:21:c5:86 # the + sign marks a certificate that has already been signed
"client.domain.com" (sha256) e3:b4:46:90:df:85:37:77:48:bb:f9:fd:9f:13:de:52:2f:00:1c:71:a3:bc:c2:e2:a5:34:4f:01:db:27:02:f5
(4) Sign every request that has not yet been signed:
root@10.1.1.33:nodes# puppet cert sign --all
(5) List all clients whose certificates have been signed
root@10.1.1.33:nodes# puppet cert list --all
+ "agent.domain.com" (sha256) 3c:82:6a:e2:9b:8b:8f:8a:ed:c9:83:eb:64:47:6c:91:e5:8e:86:a6:b3:d7:1d:e5:4e:39:4d:04:5a:21:c5:86
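The steps above sign pending requests either one by one or all at once with puppet cert sign --all. As an added example that is not part of the original article, the following script shows a middle path: it parses puppet cert list --all output in the Puppet 3 format shown above and compares each pending request's certname and fingerprint against an inventory collected out of band (for example from puppet agent --fingerprint on each node), so only expected requests are marked for signing. The inventory file format, host names and fingerprints are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: triage pending CSRs instead of a blind
# `puppet cert sign --all`. Listing format assumed (Puppet 3, as in the article):
# "+ " = signed, "- " = revoked, two leading spaces = pending request.

# Constructed listing (hosts and fingerprints are made up for this example).
SAMPLE_LISTING='+ "agent.domain.com" (sha256) 3c:82:6a:e2:9b:8b:8f:8a:ed:c9:83:eb:64:47:6c:91:e5:8e:86:a6:b3:d7:1d:e5:4e:39:4d:04:5a:21:c5:86
  "client.domain.com" (sha256) e3:b4:46:90:df:85:37:77:48:bb:f9:fd:9f:13:de:52:2f:00:1c:71:a3:bc:c2:e2:a5:34:4f:01:db:27:02:f5
  "web01.domain.com" (sha256) 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
  "unknown.domain.com" (sha256) 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa
- "retired.domain.com" (sha256) ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00'

# Constructed inventory (hypothetical format): "certname fingerprint" per line,
# recorded out of band. web01's recorded fingerprint deliberately differs.
SAMPLE_INVENTORY='client.domain.com e3:b4:46:90:df:85:37:77:48:bb:f9:fd:9f:13:de:52:2f:00:1c:71:a3:bc:c2:e2:a5:34:4f:01:db:27:02:f5
web01.domain.com aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa'

# triage INVENTORY_FILE < listing
# Prints one verdict per pending request: "sign NAME", "mismatch NAME" (known
# name, different fingerprint) or "review NAME" (name not in the inventory).
# The inventory file must be non-empty (awk NR==FNR idiom).
triage() {
  awk '
    NR == FNR { expected[$1] = tolower($2); next }   # first file: inventory
    $1 ~ /^[+-]$/ { next }                            # signed or revoked: skip
    {
      name = $1; gsub(/"/, "", name)                  # strip the quotes
      fp = tolower($3)
      if (!(name in expected))        print "review " name
      else if (expected[name] != fp)  print "mismatch " name
      else                            print "sign " name
    }' "$1" -
}

# Run the triage on the constructed data and return the verdict lines.
triage_sample() {
  inv=$(mktemp)
  printf '%s\n' "$SAMPLE_INVENTORY" > "$inv"
  printf '%s\n' "$SAMPLE_LISTING" | triage "$inv"
  rm -f "$inv"
}

triage_sample
```

Only the "sign" lines would then be passed to puppet cert sign; "mismatch" and "review" lines are the cases that puppet cert sign --all would have approved silently.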
5. puppet kick
It connects to agent clients and actively runs the puppet agent --test command on them, which amounts to triggering a configuration run on demand.