Puppet – 3. 主从之间建立安全连接

Puppet主从之间建立安全连接的过程如下:

  • Puppet从机请求Puppet主机提供证书。
  • 一旦Puppet主机发送了它的证书,Puppet从机就会生成自己的证书。
  • 然后,Puppet从机请求Puppet主机签署从机证书。
  • 一旦Puppet主机签署了此证书,就在Puppet主机和Puppet从机之间建立了安全连接。

3.1 生成Puppet主机证书

生成证书

为了生成CA证书,Puppet主机中执行以下命令:

执行以下命令(主机):

sudo -u puppet puppet master --no-daemonize --verbose

该命令将创建Puppet主机证书。该命令不会主动退出,一旦显示了Puppet的版本,使用ctrl+c退出命令,因为现在无法启动Puppet主机。

命令执行详情:

[root@qikegu ~]# sudo -u puppet puppet master --no-daemonize --verbose
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 87:B4:AB:B9:ED:ED:DD:05:38:AE:F9:93:48:AC:38:37:C7:6B:CF:28:21:A2:31:09:3E:AD:69:BE:21:C9:2D:DE
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for qikegu
Info: csr_attributes file loading from /var/lib/puppet/.puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for qikegu
Info: Certificate Request fingerprint (SHA256): BE:26:4D:3B:02:B3:9F:37:CC:CB:65:46:89:2F:C6:54:2E:B8:87:4B:8E:C5:5C:75:CB:A0:93:60:8E:D5:F3:FD
Notice: qikegu has a waiting certificate request
Notice: Signed certificate request for qikegu
Notice: Removing file Puppet::SSL::CertificateRequest qikegu at '/var/lib/puppet/.puppet/ssl/ca/requests/qikegu.pem'
Notice: Removing file Puppet::SSL::CertificateRequest qikegu at '/var/lib/puppet/.puppet/ssl/certificate_requests/qikegu.pem'
Notice: Starting Puppet master version 3.8.7

启动Puppet主机

现在启动Puppet主机。

执行以下命令(主机):

puppet resource service puppetmaster ensure=running

命令执行详情:

[root@qikegu ~]# puppet resource service puppetmaster ensure=running
Notice: /Service[puppetmaster]/ensure: ensure changed 'stopped' to 'running'
service { 'puppetmaster':
  ensure => 'running',
}

3.2 从机请求Puppet主机签署从机证书

执行以下命令(从机):

puppet agent -t

命令执行详情:

[root@qikegu2 ~]# puppet agent -t
Exiting; no certificate found and waitforcert is disabled

3.3 Puppet主机签署从机证书

Puppet主机响应从机请求,签署从机证书。

首先需要获得证书列表,执行以下命令(主机):

puppet cert list

命令执行详情:

[root@qikegu ~]# puppet cert list
  "qikegu2" (SHA256) 74:19:B9:F9:CB:9F:ED:24:BD:62:B0:67:63:D7:DF:AD:32:64:F2:35:D1:16:84:CF:ED:5F:24:AD:99:E6:86:2F

可以看到,有一个名为qikegu2(从机所在的虚拟机名称)的证书签名请求挂起。

为了签署证书,执行以下命令(主机):

puppet cert sign qikegu2

命令执行详情:

[root@qikegu ~]# puppet cert sign qikegu2
Notice: Signed certificate request for qikegu2
Notice: Removing file Puppet::SSL::CertificateRequest qikegu2 at '/var/lib/puppet/ssl/ca/requests/qikegu2.pem'

这里的证书签名请求是由Puppet从机(3.2章节)发送的,我们已经签署了那个特定的证书。

3.4 更新Puppet从机

首先启动Puppet从机。

执行以下命令(从机):

puppet resource service puppet ensure=running

命令执行详情:


[root@qikegu2 ~]# puppet resource service puppet ensure=running Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running' service { 'puppet': ensure => 'running', }

更新Puppet从机。因为Puppet主机最近已经签署了证书,所以它将更新证书。

执行以下命令(从机):

puppet agent -t

命令执行详情:


[root@qikegu2 ~]# puppet agent -t Info: Retrieving pluginfacts Info: Retrieving plugin Info: Caching catalog for qikegu2 Info: Applying configuration version '1567426258'

现在,我们在Puppet主机与Puppet从机之间建立了一个安全的连接。



浙ICP备17015664号 浙公网安备 33011002012336号 联系我们 网站地图  
@2019 qikegu.com 版权所有,禁止转载