Puppet: client and server

Puppet should run in a client-server architecture. How do you set that up?

1. Client configuration

In the file /etc/puppet/puppet.conf, add the server information:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
server=server.lab2.unix4you.net

[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

2. Generate a certificate request
Generate a certificate request by running the command "puppet agent --test"

root@ziutus:/etc/puppet# puppet agent --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for ziutus.uh.net.pl
info: Certificate Request fingerprint (md5): 93:66:61:BF:6A:0E:1D:73:15:87:83:96:D0:A1:55:00
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

3. Signing the certificate

Check which certificates are waiting to be signed:

root@server:/etc/puppet# puppet cert list
  gateway.linuxexpert.pl (93:66:61:BF:6A:0E:1D:73:15:87:83:96:D0:A1:55:B2)

Sign the certificate:

root@server:/etc/puppet# puppet cert sign gateway.linuxexpert.pl
notice: Signed certificate request for gateway.linuxexpert.pl
notice: Removing file Puppet::SSL::CertificateRequest gateway.linuxexpert.pl at '/var/lib/puppet/ssl/ca/requests/gateway.linuxexpert.pl.pem'

4. Check the connection from the client

root@ziutus:/etc/puppet# puppet agent --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for gateway.linuxexpert.pl
info: Caching certificate_revocation_list for ca
info: Caching catalog for gateway.linuxexpert.pl
info: Applying configuration version '1337757337'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.03 seconds

5. On the server, define the manifest that specifies which settings should be assigned to the client:

ziutus@server:/etc/puppet/manifests$ cat site.pp

node "gateway.linuxexpert.pl" {
    include aliases
    include knockd
    include openvpn
}
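
The check behind steps 2 and 3, as an added example that is not part of the original post: before signing, compare the fingerprint the agent printed with the one "puppet cert list" shows for that certname, and sign only on a match. The script name, sample hostnames and fingerprints are constructed, and the agent output is assumed to reach the server over a channel you trust.

```shell
#!/bin/sh
# Added example: sign a CSR only when the fingerprint printed by the agent
# matches the one the CA lists for that certname.
# Assumes the output formats shown in steps 2 and 3 of this post.

# Fingerprint from agent output:
#   "info: Certificate Request fingerprint (md5): XX:XX:..."
agent_fingerprint() {
    sed -n 's/^info: Certificate Request fingerprint ([^)]*): *\([0-9A-Fa-f:]*\).*$/\1/p' |
        head -n 1
}

# Fingerprint for certname $1 from `puppet cert list` output:
#   "  name (XX:XX:...)"
ca_fingerprint() {
    awk -v name="$1" '$1 == name { gsub(/[()]/, "", $NF); print $NF; exit }'
}

# check_request CERTNAME AGENT_OUTPUT CA_LIST_OUTPUT
# Succeeds only if both fingerprints were found and are equal, ignoring case.
check_request() {
    agent_fp=$(printf '%s\n' "$2" | agent_fingerprint | tr 'a-f' 'A-F')
    ca_fp=$(printf '%s\n' "$3" | ca_fingerprint "$1" | tr 'a-f' 'A-F')
    [ -n "$agent_fp" ] && [ "$agent_fp" = "$ca_fp" ]
}

# Constructed sample output (hostnames and fingerprints are made up).
SAMPLE_AGENT='info: Creating a new SSL certificate request for node1.example.test
info: Certificate Request fingerprint (md5): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'
SAMPLE_CA='  node1.example.test (AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99)
  node2.example.test (AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:9A)'

# Usage on the server (hypothetical script name):
#   verify-csr.sh CERTNAME FILE_WITH_AGENT_OUTPUT
if [ "$#" -eq 2 ]; then
    if check_request "$1" "$(cat "$2")" "$(puppet cert list)"; then
        puppet cert sign "$1"
    else
        echo "fingerprint mismatch or no pending request for $1; not signing" >&2
        exit 1
    fi
fi
```

A request whose certname is pending but whose fingerprint differs from the agent's is refused, which is the case a manual glance at the list is most likely to miss.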
