2025-02-14 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how agents are registered with Puppet, the automated deployment tool, under Linux (the three registration methods) and the Puppet commands used most often. The procedures are simple, quick and practical; follow along to learn the registration methods and common commands of Puppet.
Three ways of registration
There are basically three ways to register an agent with the Puppet master: manual registration, automatic registration (autosign) and pre-signed registration.
1. Manual registration
Manual registration means the agent initiates the certificate request and the Puppet master must confirm (sign) it before registration succeeds. Its security is medium. Signing one host at a time with puppet cert --sign certname is tedious and inefficient when there are many nodes. Batch signing (puppet cert --sign --all) is very efficient, since every pending request is signed at once, but its security is low, because a wrong or rogue request gets signed along with the legitimate ones. Whichever form you use, compare the fingerprint shown by puppet cert --list with the one the agent printed when it created the request before you sign; that comparison is the only check that ties a pending request to a machine you actually installed.
2. Automatic registration
Put simply, this method is controlled by the ACL (autosign.conf) on the Puppet master, and its security is low: every request whose certname matches an entry in the predefined ACL is signed automatically, without confirmation. In other words, once you know what the ACL requires you can register successfully just by talking to the Puppet master, because the certname is asserted by the requesting client (its configured certname or hostname) and the master checks nothing else about it. Its great advantage is efficiency.
(1) Query the existing certificates
The code is as follows:
root@10.1.1.33:puppet# puppet cert --list --all
+ "agent.domain.com" (SHA256) 3F:8E:AE:B8:04:2B:51:9B:7A:B3:1E:86:C0:21:3E:81:D6:2A:55:A4:17:15:CA:5E:7A:8F:95:EC:D3:83:41:C0
+ "localhost" (SHA256) E4:F5:F3:A9:99:E9:4D:11:53:87:BE:47:95:4C:98:48:58:2D:3D:80:7E:9C:D9:C2:36:93:56:B2:EA:A0:F1:7B
+ "puppet.domain.com" (SHA256) 5A:E1:80:AA:76:B6:81:22:55:B7:28:4B:AB:7C:B9:87:A8:DD:7E:3A:31:DF:0C:5A:61:8F:4B:D2:16:A4:B6:BF (alt names: "DNS:puppet", "DNS:puppet.domain.com")
(2) On the master, clean out the certificate the agent registered earlier
The code is as follows:
root@10.1.1.33:puppet# puppet cert --clean agent.domain.com
Notice: Revoked certificate with serial 7
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(3) Delete the registered certificate for agent.domain.com (the agent must also lose its local copy of the old key and certificate under its ssldir, otherwise it keeps presenting the revoked certificate instead of generating a new request)
The code is as follows:
root@10.1.1.33:puppet# puppet cert --clean agent.domain.com
Notice: Revoked certificate with serial 7
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(4) Write the ACL on the Puppet master. The entry *.domain.com matches every certname that ends in .domain.com, whichever host actually sent the request.
The code is as follows:
root@10.1.1.33:puppet# cat autosign.conf
*.domain.com
root@10.1.1.33:puppet# /etc/init.d/puppetmaster restart
Stopping puppetmaster: [OK]
Starting puppetmaster: [OK]
(5) The client requests a certificate (registers). Note that the request is signed and the catalog applied within the same run, with no operator involved.
The code is as follows:
root@10.1.1.34:ssl# puppet agent --test
Info: Creating a new SSL key for agent.domain.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent.domain.com
Info: Certificate Request fingerprint (SHA256): FD:70:31:87:C6:44:EC:8D:18:0D:F5:10:E3:CE:5B:DC:EA:31:BD:BC:8C:C7:B2:80:F7:7E:2C:F2:4E:FB:12:90
Info: Caching certificate for agent.domain.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent.domain.com
Info: Applying configuration version '1418292313'
Notice: /Stage[main]/Test/File[/tmp/agent.txt]/ensure: defined content as '{md5}fc3ff98e8c6a0d3087d515c0473f8677'
Notice: Finished catalog run in 0.13 seconds
(6) The server views the certificates
The code is as follows:
root@10.1.1.33:puppet# puppet cert --list --all
+ "agent.domain.com" (SHA256) FE:04:96:32:46:A4:54:BF:A9:4F:20:CA:EF:7E:F7:C6:A6:88:34:4A:D9:7E:50:54:FA:C0:10:29:87:F9:1C:6E
+ "client.domain.com" (SHA256) E3:B4:46:90:DF:85:37:77:48:BB:F9:FD:9F:13:DE:52:2F:00:1C:71:A3:BC:C2:E2:A5:34:4F:01:DB:27:02:F5
+ "localhost" (SHA256) E4:F5:F3:A9:99:E9:4D:11:53:87:BE:47:95:4C:98:48:58:2D:3D:80:7E:9C:D9:C2:36:93:56:B2:EA:A0:F1:7B
+ "puppet.domain.com" (SHA256) 5A:E1:80:AA:76:B6:81:22:55:B7:28:4B:AB:7C:B9:87:A8:DD:7E:3A:31:DF:0C:5A:61:8F:4B:D2:16:A4:B6:BF (alt names: "DNS:puppet", "DNS:puppet.domain.com")
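To make the ACL behaviour concrete, here is an added example in POSIX shell; it is not code from the original article or from Puppet itself. autosign_allows evaluates a certname against an autosign.conf using the rules Puppet applies to that file (exact names, a leading *. domain glob that matches hosts under the domain but not the domain itself, a bare * for everything, # comments), and the demonstration shows that *.domain.com also accepts a certname such as attacker-laptop.domain.com, because the certname is whatever the requesting agent claims. psk_policy_check shows the hardened alternative, Puppet's policy-based autosigning (autosign = /path/to/script in puppet.conf; Puppet runs the script with the certname as $1 and the PEM CSR on stdin and signs only when it exits 0): it requires a pre-shared key in the CSR's pp_preshared_key attribute (OID 1.3.6.1.4.1.34380.1.1.4, set on the agent through csr_attributes.yaml) in addition to the domain match. The CSR dump is a constructed sample in the layout of openssl req -noout -text; the script path /etc/puppet/autosign-policy.sh, the secret file /etc/puppet/autosign.psk and the sample certnames are assumptions.

```shell
#!/bin/sh
# Added example: evaluate Puppet's autosign.conf ACL and a policy-based
# alternative. Not part of the article; paths and names are assumptions.

# autosign_allows CERTNAME CONF -> 0 if CERTNAME matches an entry in CONF.
# Rules mirror Puppet's autosign.conf: one entry per line, '#' comments,
# exact certname, '*.domain' glob (hosts under the domain only), or '*'.
autosign_allows() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # Puppet certnames are lowercase
    conf=$2
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        [ -n "$entry" ] || continue
        case "$entry" in
            '*') return 0 ;;                      # naive autosign: sign anything
            '*.'*)
                suffix=${entry#\*}                # ".domain.com"
                case "$name" in
                    ?*"$suffix") return 0 ;;      # at least one label before the suffix
                esac ;;
            *)
                if [ "$name" = "$entry" ]; then return 0; fi ;;
        esac
    done < "$conf"
    return 1
}

# psk_policy_check CERTNAME EXPECTED_PSK  (CSR text on stdin, as printed by
# 'openssl req -noout -text'). Passes only if the CSR carries the
# pp_preshared_key attribute (1.3.6.1.4.1.34380.1.1.4) equal to EXPECTED_PSK
# *and* the certname lies under domain.com.
psk_policy_check() {
    name=$1
    expected=$2
    psk=$(sed -n 's/^[[:space:]]*1\.3\.6\.1\.4\.1\.34380\.1\.1\.4[[:space:]]*:[[:space:]]*//p' | head -n 1 | tr -d '\r')
    if [ -z "$psk" ]; then
        echo "refuse $name: no pp_preshared_key attribute in CSR" >&2; return 1
    fi
    if [ "$psk" != "$expected" ]; then
        echo "refuse $name: pre-shared key mismatch" >&2; return 1
    fi
    case "$name" in
        ?*.domain.com) return 0 ;;
    esac
    echo "refuse $name: certname outside domain.com" >&2
    return 1
}

# Constructed CSR dump (abbreviated; layout of 'openssl req -noout -text',
# not captured from a real agent).
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=agent.domain.com
        Attributes:
            1.3.6.1.4.1.34380.1.1.4  :s3cr3t-enrollment-token
EOF
}

# When installed as the policy script (puppet.conf: autosign = /etc/puppet/autosign-policy.sh,
# an assumed path), Puppet passes the certname as $1 and the PEM CSR on stdin.
case "$0" in
    */autosign-policy.sh)
        openssl req -noout -text | psk_policy_check "$1" "$(cat /etc/puppet/autosign.psk)"
        exit $?
        ;;
esac

# Stand-alone demonstration with a constructed autosign.conf.
demo_conf=$(mktemp)
printf '# hosts allowed to self-register\n*.domain.com\n' > "$demo_conf"
for n in agent.domain.com attacker-laptop.domain.com domain.com agent.other.com; do
    if autosign_allows "$n" "$demo_conf"; then echo "autosign.conf: $n would be signed"; else echo "autosign.conf: $n refused"; fi
done
rm -f "$demo_conf"
if sample_csr_text | psk_policy_check agent.domain.com s3cr3t-enrollment-token; then
    echo "policy: agent.domain.com signed (pre-shared key matched)"
fi
if ! sample_csr_text | psk_policy_check agent.domain.com wrong-token; then
    echo "policy: wrong pre-shared key refused"
fi
```

The pre-shared key only proves the requester was provisioned with the secret, so keep it out of the image that anyone can download and rotate it when it leaks; the policy script still cannot tell two hosts claiming the same certname apart, which is why the fingerprint check before signing remains worthwhile for anything you did not provision yourself.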
3. Pre-signed registration
Pre-signed registration means the agent's key and certificate are generated in advance on the puppet master and then copied to the corresponding directory on the node, after which registration is complete. This method has the highest security, but it is laborious: you need to know the certnames of all node servers in advance and then copy the generated certificates to every node one by one. If the system is built with automation tools such as kickstart or cobbler, the certificate step can be turned into a script and integrated into the unified automated deployment. Note: this registration method is recommended for production, as it is safe and reliable. Keep in mind what it implies: the node's private key is created on the master and travels over scp, so the master (and anyone who can read its private_keys directory) holds every agent's key until it is removed, and the copy must go over a trusted channel to the correct host, with permissions that keep the key readable by root only.
(1) Query the existing certificates
The code is as follows:
root@10.1.1.33:puppet# puppet cert --list --all
+ "agent.domain.com" (SHA256) 3F:8E:AE:B8:04:2B:51:9B:7A:B3:1E:86:C0:21:3E:81:D6:2A:55:A4:17:15:CA:5E:7A:8F:95:EC:D3:83:41:C0
+ "localhost" (SHA256) E4:F5:F3:A9:99:E9:4D:11:53:87:BE:47:95:4C:98:48:58:2D:3D:80:7E:9C:D9:C2:36:93:56:B2:EA:A0:F1:7B
+ "puppet.domain.com" (SHA256) 5A:E1:80:AA:76:B6:81:22:55:B7:28:4B:AB:7C:B9:87:A8:DD:7E:3A:31:DF:0C:5A:61:8F:4B:D2:16:A4:B6:BF (alt names: "DNS:puppet", "DNS:puppet.domain.com")
(2) On the master, clean out the certificate the agent registered earlier
The code is as follows:
root@10.1.1.33:puppet# puppet cert --clean agent.domain.com
Notice: Revoked certificate with serial 7
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(3) Delete the registered certificate for agent.domain.com (the agent's own copy of the old key and certificate under its ssldir must be removed as well)
The code is as follows:
root@10.1.1.33:puppet# puppet cert --clean agent.domain.com
Notice: Revoked certificate with serial 7
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(4) The puppet master generates the agent's key and certificate in advance (puppetca is the old command name; on Puppet 3 the equivalent is puppet cert --generate agent.domain.com)
The code is as follows:
puppetca --generate agent.domain.com
(5) The agent node creates its ssldir directory structure (this run also generates a local key and request; the files copied in step (6) replace them)
The code is as follows:
puppet agent --test
(6) Copy the key, certificate and CA certificate from the puppet master to agent.domain.com
The code is as follows:
root@10.1.1.33:puppet# scp /var/lib/puppet/ssl/private_keys/agent.domain.com.pem agent.domain.com:/var/lib/puppet/ssl/private_keys/
root@10.1.1.33:puppet# scp /var/lib/puppet/ssl/certs/agent.domain.com.pem agent.domain.com:/var/lib/puppet/ssl/certs/
root@10.1.1.33:puppet# scp /var/lib/puppet/ssl/certs/ca.pem agent.domain.com:/var/lib/puppet/ssl/certs/ca.pem
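The pre-signed flow above is easy to script for a kickstart or cobbler hook. The following is an added example in POSIX shell, not code from the article or from Puppet: valid_certname rejects names puppet cert would not accept or that could be abused in a path (uppercase, wildcards, slashes, leading or trailing dots), presign_files lists the three files the page copies, and presign_node wires the steps together: generate on the master, create the ssldir on the node instead of running a throw-away puppet agent --test there, copy over scp, then fix permissions so the private key is readable by root only. Assumptions: root SSH access to each node under its certname, the ssldir /var/lib/puppet/ssl as on this page (override with PUPPET_SSLDIR), and the design choice of deleting the master's copy of the node's private key after hand-off, since the CA does not need it.

```shell
#!/bin/sh
# Added example (not from the article): scripted pre-signed registration.
# Assumes: puppet cert on the master, root SSH to each node by certname,
# ssldir /var/lib/puppet/ssl (override with PUPPET_SSLDIR).

PUPPET_SSLDIR=${PUPPET_SSLDIR:-/var/lib/puppet/ssl}

# valid_certname NAME -> 0 if NAME is a certname we are willing to generate:
# lowercase labels of [a-z0-9-] joined by single dots; no wildcards, slashes,
# leading/trailing dots or hyphens (puppet cert rejects uppercase outright).
valid_certname() {
    case "$1" in
        ''|*[!a-z0-9.-]*|.*|*.|-*|*..*|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# presign_files NAME -> the files the node needs, one per line
# (private key, signed certificate, CA certificate), same paths as the page.
presign_files() {
    printf '%s\n' \
        "$PUPPET_SSLDIR/private_keys/$1.pem" \
        "$PUPPET_SSLDIR/certs/$1.pem" \
        "$PUPPET_SSLDIR/certs/ca.pem"
}

# presign_node NAME: generate on the master, push to the node, lock down.
presign_node() {
    node=$1
    if ! valid_certname "$node"; then
        echo "refusing certname '$node'" >&2
        return 1
    fi
    # 1. master-side key + signed certificate (same as 'puppetca --generate')
    puppet cert generate "$node" || return 1
    # 2. create the ssldir layout on the node (replaces a throw-away 'puppet agent --test')
    ssh "root@$node" "mkdir -p '$PUPPET_SSLDIR/private_keys' '$PUPPET_SSLDIR/certs'" || return 1
    # 3. copy key, certificate and CA certificate to the same paths on the node
    for f in $(presign_files "$node"); do
        scp -p "$f" "root@$node:$f" || return 1
    done
    # 4. the private key must be readable by root only; the certificates may be world-readable
    ssh "root@$node" "chmod 0600 '$PUPPET_SSLDIR/private_keys/$node.pem' && \
        chmod 0644 '$PUPPET_SSLDIR/certs/$node.pem' '$PUPPET_SSLDIR/certs/ca.pem'" || return 1
    # 5. design choice: the CA keeps the signed certificate in ca/signed and has no
    #    further use for the node's private key, so drop the master's copy
    rm -f "$PUPPET_SSLDIR/private_keys/$node.pem"
    echo "$node: pre-signed certificate installed; run 'puppet agent --test' on the node"
}

# Batch use from a post-install hook (hostnames are assumptions):
#   for n in web01.domain.com web02.domain.com; do presign_node "$n" || exit 1; done

# Stand-alone demonstration of the certname gate (no master needed).
for n in agent.domain.com 'Agent.domain.com' '*.domain.com' '../etc/puppet'; do
    if valid_certname "$n"; then echo "ok      $n"; else echo "refused $n"; fi
done
```

Because the names come from an inventory rather than from the hosts, a typo or an injected entry in that inventory would produce a valid certificate for a name nobody controls, so the gate on certnames matters as much as the file permissions.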
Common command
1. puppet master
By default puppet master runs as a background daemon on Ruby's built-in WEBrick; the commonly used web servers Apache and nginx can replace WEBrick for better performance. The main job of puppet master is to compile manifests into catalogs and to serve files, templates and the nodes' custom plugins.
The code is as follows:
root@10.1.1.33:nodes# puppet master --help
puppet master [-D|--daemonize|--no-daemonize] [-d|--debug] [-h|--help]
  [-l|--logdest syslog||console] [-v|--verbose] [-V|--version]
  [--compile]
* --daemonize: # -D, run in the background as a daemon (the default)
* --no-daemonize: # stay in the foreground
* --debug: # full debugging output
* --help: # print help
* --logdest: # where to send logs; the default is syslog
* --verbose: # show details
* --version: # print the puppet version
* --compile: # output the compiled catalog as JSON
Use --genconfig to output the default configuration:
The code is as follows:
root@10.1.1.33:puppet# puppet master --genconfig > puppet.conf
Run puppet master in the foreground, without the background daemon:
The code is as follows:
root@10.1.1.33:puppet# puppet master --no-daemonize --verbose
2. puppet agent
puppet agent runs as a daemon on each node; by default it contacts the master every 30 minutes to check for new information and ask whether anything has changed, then applies the compiled catalog.
The code is as follows:
root@10.1.1.34:tmp# puppet agent --help
puppet agent [--certname] [-D|--daemonize|--no-daemonize]
  [-d|--debug] [--detailed-exitcodes] [--digest] [--disable [MESSAGE]] [--enable]
  [--fingerprint] [-h|--help] [-l|--logdest syslog|eventlog||console]
  [--masterport] [--no-client] [--noop] [-o|--onetime] [-t|--test]
  [-v|--verbose] [-V|--version] [-w|--waitforcert]
With the --noop parameter puppet compiles and runs the catalog but changes nothing, only reporting what it would do (usually combined with --test for a one-off foreground run):
root@10.1.1.34:tmp# puppet agent --noop
3. puppet apply
puppet apply runs puppet stand-alone; it is mainly used to test manifests or when there is no network connection. Unlike puppet agent, puppet apply does not connect to the master at run time.
The code is as follows:
root@10.1.1.34:tmp# puppet apply --help
puppet apply [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
  [-e|--execute] [--detailed-exitcodes] [-L|--loadclasses]
  [-l|--logdest syslog|eventlog||console] [--noop]
  [--catalog] [--write-catalog-summary]
(1) Send the output to a log file (here the log file happens to be named /tmp/init.pp; any path will do)
The code is as follows:
root@10.1.1.33:manifests# puppet apply -l /tmp/init.pp init.pp
root@10.1.1.33:manifests# cat /tmp/init.pp
Fri Dec 12 16:17:46 +0800 2014 Puppet (notice): Compiled catalog for puppet.domain.com in environment production in 0.04 seconds
Fri Dec 12 16:17:47 +0800 2014 Puppet (notice): Finished catalog run in 0.04 seconds
4. puppet cert
Manages the local certificate authority: view unsigned requests, sign certificates, revoke certificates and clean them out.
The code is as follows:
puppet cert [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
  [--digest] []
Common actions:
clean # revoke and remove a host's certificate
fingerprint # print a certificate's fingerprint
generate # generate a client key and certificate on the master
list # list pending requests (with --all, signed certificates as well)
print # print the full text of a host's certificate
revoke # revoke a host's certificate
sign # sign a pending request
verify # verify a local certificate against the CA
Command parameters:
--all # apply the action to all hosts; valid with sign, clean, list and fingerprint
--digest # digest algorithm used for fingerprints
--debug # enable full debug mode
--verbose # show details
--version # show the version
(1) View the list of clients with pending requests
The code is as follows:
root@10.1.1.33:nodes# puppet cert list
(2) Sign the request from host agent.domain.com
The code is as follows:
root@10.1.1.33:nodes# puppet cert sign agent.domain.com
(3) List all signed and unsigned certificates
The code is as follows:
root@10.1.1.33:nodes# puppet cert list --all
+ "agent.domain.com" (SHA256) 3C:82:6A:E2:9B:8B:8F:8A:ED:C9:83:EB:64:47:6C:91:E5:8E:86:A6:B3:D7:1D:E5:4E:39:4D:04:5A:21:C5:86 # the + marks a signed certificate
  "client.domain.com" (SHA256) E3:B4:46:90:DF:85:37:77:48:BB:F9:FD:9F:13:DE:52:2F:00:1C:71:A3:BC:C2:E2:A5:34:4F:01:DB:27:02:F5 # no mark: still a pending request
(4) Sign every request that is still unsigned (this signs every pending request, wanted or not; check puppet cert list first):
The code is as follows:
root@10.1.1.33:nodes# puppet cert sign --all
(5) View the list of all signed clients
The code is as follows:
root@10.1.1.33:nodes# puppet cert list --all
+ "agent.domain.com" (SHA256) 3C:82:6A:E2:9B:8B:8F:8A:ED:C9:83:EB:64:47:6C:91:E5:8E:86:A6:B3:D7:1D:E5:4E:39:4D:04:5A:21:C5:86
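Before reaching for puppet cert sign --all, the safer habit is to compare each pending request's fingerprint with the one the agent printed at request time (the Certificate Request fingerprint (SHA256) line in the puppet agent --test output earlier on this page, or puppet agent --fingerprint on the node) and sign only that name. The following added example in POSIX shell, not code from the article or from Puppet, parses the output format of puppet cert list --all (+ marks a signed certificate, - a revoked one, no mark a pending request), normalises fingerprints so that colons and letter case do not matter, and approves only a pending entry whose fingerprint equals the out-of-band value; sign_verified wraps that decision around puppet cert sign. The listing is a constructed sample that reuses the names and fingerprints shown on this page.

```shell
#!/bin/sh
# Added example (not from the article): sign a pending request only after
# its fingerprint matches the value read off the agent's console.

# parse_cert_list  (stdin: 'puppet cert list --all' output)
# -> one line per entry: STATE NAME FINGERPRINT   (STATE: signed|pending|revoked)
parse_cert_list() {
    while IFS= read -r line; do
        case "$line" in
            '+ "'*) state=signed ;;
            '- "'*) state=revoked ;;
            '  "'*) state=pending ;;
            *) continue ;;
        esac
        rest=${line#*\"}                    # name" (SHA256) FP ...
        name=${rest%%\"*}
        after=${rest#*\"}                   # (SHA256) FP (alt names: ...)
        fp=$(printf '%s' "$after" | sed 's/^ *([^)]*) *//; s/ .*//')
        printf '%s %s %s\n' "$state" "$name" "$fp"
    done
}

# pending_requests (stdin as above) -> names still waiting for a signature
pending_requests() {
    parse_cert_list | awk '$1 == "pending" { print $2 }'
}

# norm_fp FP -> uppercase hex without colons, so "e3:b4:.." and "E3B4.." compare equal
norm_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# approve_decision NAME EXPECTED_FP (stdin as above)
# -> 0 only if NAME is a *pending* request whose fingerprint equals EXPECTED_FP
approve_decision() {
    want=$1
    expect=$(norm_fp "$2")
    match=$(parse_cert_list | awk -v n="$want" '$2 == n { print; exit }')
    if [ -z "$match" ]; then
        echo "refuse: no request or certificate named $want" >&2
        return 1
    fi
    set -- $match
    if [ "$1" != pending ]; then
        echo "refuse: $want is already $1, not a pending request" >&2
        return 1
    fi
    if [ "$(norm_fp "$3")" != "$expect" ]; then
        echo "refuse: fingerprint mismatch for $want (got $3)" >&2
        return 1
    fi
    return 0
}

# sign_verified NAME EXPECTED_FP: the gate around 'puppet cert sign' (needs a master)
sign_verified() {
    puppet cert list --all | approve_decision "$1" "$2" && puppet cert sign "$1"
}

# Constructed sample of 'puppet cert list --all' output (names and fingerprints
# as printed elsewhere in this article; not captured from a live master).
sample_listing() {
    cat <<'EOF'
+ "agent.domain.com" (SHA256) 3C:82:6A:E2:9B:8B:8F:8A:ED:C9:83:EB:64:47:6C:91:E5:8E:86:A6:B3:D7:1D:E5:4E:39:4D:04:5A:21:C5:86
  "client.domain.com" (SHA256) E3:B4:46:90:DF:85:37:77:48:BB:F9:FD:9F:13:DE:52:2F:00:1C:71:A3:BC:C2:E2:A5:34:4F:01:DB:27:02:F5
+ "puppet.domain.com" (SHA256) 5A:E1:80:AA:76:B6:81:22:55:B7:28:4B:AB:7C:B9:87:A8:DD:7E:3A:31:DF:0C:5A:61:8F:4B:D2:16:A4:B6:BF (alt names: "DNS:puppet", "DNS:puppet.domain.com")
EOF
}

# Stand-alone demo: the operator read this fingerprint off the console of
# client.domain.com when it ran 'puppet agent --test'.
echo "pending: $(sample_listing | pending_requests)"
if sample_listing | approve_decision client.domain.com \
    e3b44690df85377748bbf9fd9f13de522f001c71a3bcc2e2a5344f01db2702f5; then
    echo "client.domain.com verified; now run: puppet cert sign client.domain.com"
fi
```

The fingerprint puppet cert list shows for a pending entry is the digest of the CSR the agent sent, the same value the agent printed, so a match means the request on the master is the one generated on the machine you were looking at, and an unknown name in the pending list is something to investigate rather than sign.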
5. puppet kick
Connects to agent clients and triggers a puppet agent --test run on them, i.e. it actively pushes a configuration run (the agent must be listening for it with listen = true; puppet kick is deprecated in later Puppet 3 releases).
With that, you should have a clearer understanding of how to register agents with the automated deployment tool Puppet under Linux and of its common commands; try it out in practice.