The three ways to register (sign) a Puppet agent

Puppet agent registration basically comes in three forms: manual signing, autosigning, and pre-signed certificates.

1. Manual signing
With manual signing the agent first sends a certificate signing request, and the node is only registered once the Puppet server confirms (signs) that request. This has a medium security level. Signing nodes one at a time (puppet cert --sign certname) is tedious and slow when the node count is large; batch signing (puppet cert --sign --all) is very efficient, registering every pending agent request in one go, but it has a lower security level because bogus requests get signed along with the legitimate ones.
For a worked example, see the client verification section at http://my.oschina.net/davehe/blog/354626.
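The batch-signing risk just described (puppet cert --sign --all also signs requests you never meant to accept) is easiest to catch by auditing the signed list against an inventory of the hosts you expect. The following is an added example, not code from the original post: a Python parser for the output format of puppet cert --list --all as Puppet 3 prints it (a status column of "+" for signed, "-" for revoked, or blank for a pending request, then the quoted certname, digest algorithm, fingerprint and an optional "alt names" suffix), plus an audit that reports signed certnames missing from the inventory. The sample output is constructed: its signed lines are copied from the listing shown later on this page, while the pending line, its fingerprint and the inventory are made up for the demonstration.

```python
import re

# One line of `puppet cert --list --all`: optional status column ("+" signed,
# "-" revoked, blank = pending request), quoted certname, digest algorithm,
# colon-separated fingerprint, optional "(alt names: ...)" suffix.
CERT_LINE = re.compile(
    r'^\s*(?P<status>[+-]?)\s*"(?P<name>[^"]+)"\s+'
    r'\((?P<alg>[A-Za-z0-9]+)\)\s+(?P<fp>[0-9A-Fa-f:]+)'
    r'(?:\s+\(alt names:\s*(?P<alt>[^)]*)\))?\s*$'
)
STATUS = {"+": "signed", "-": "revoked", "": "pending"}


def parse_cert_list(output):
    """Turn puppet cert --list --all output into a list of dicts."""
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = CERT_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        alt = re.findall(r'"([^"]+)"', m.group("alt") or "")
        entries.append({
            "status": STATUS[m.group("status")],
            "name": m.group("name"),
            "alg": m.group("alg"),
            "fingerprint": m.group("fp").upper(),
            "alt_names": alt,
        })
    return entries


def audit_cert_list(output, inventory):
    """Group certnames by status and flag signed ones that are not in the inventory.

    `inventory` is the set of certnames you expect (managed nodes plus the
    master's own certificates). Anything signed outside it is exactly what a
    blanket `puppet cert --sign --all` would have let through unnoticed."""
    report = {"signed": [], "pending": [], "revoked": [], "unexpected": []}
    for e in parse_cert_list(output):
        report[e["status"]].append(e["name"])
        if e["status"] == "signed" and e["name"] not in inventory:
            report["unexpected"].append(e["name"])
    return report


# Constructed sample: the three signed lines are taken from the listing on this
# page; the pending "newhost" line and its fingerprint are made up.
SAMPLE_OUTPUT = """\
+ "agent.domain.com"  (SHA256) FE:04:96:32:46:A4:54:BF:A9:4F:20:CA:EF:7E:F7:C6:A6:88:34:4A:D9:7E:50:54:FA:C0:10:29:87:F9:1C:6E
+ "client.domain.com" (SHA256) E3:B4:46:90:DF:85:37:77:48:BB:F9:FD:9F:13:DE:52:2F:00:1C:71:A3:BC:C2:E2:A5:34:4F:01:DB:27:02:F5
  "newhost.domain.com" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
+ "puppet.domain.com" (SHA256) 5A:E1:80:AA:76:B6:81:22:55:B7:28:4B:AB:7C:B9:87:A8:DD:7E:3A:31:DF:0C:5A:61:8F:4B:D2:16:A4:B6:BF (alt names: "DNS:puppet", "DNS:puppet.domain.com")
"""
# Hypothetical inventory: the master itself and the one node we provisioned.
EXPECTED_HOSTS = {"agent.domain.com", "puppet.domain.com"}

if __name__ == "__main__":
    for key, names in audit_cert_list(SAMPLE_OUTPUT, EXPECTED_HOSTS).items():
        print(f"{key:10s} {', '.join(names) or '-'}")
```

Run on the sample, the audit lists client.domain.com as unexpected and newhost.domain.com as pending; in practice you would feed it the real command output and an inventory exported from your provisioning system, and treat any "unexpected" entry as a certificate to investigate and, if needed, puppet cert --clean.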

2. Autosigning
Simply put, this method is controlled by an ACL list on the Puppet master and has a lower security level: every node request that matches the predefined ACL list is signed automatically, with no confirmation. Because the certname is chosen by the agent, anyone who knows what the ACL list requires and can talk to the Puppet master can register with ease. Its great advantage, of course, is that it is very efficient.
(1) Check the certificate status

[email protected]:puppet# puppet cert --list --all
+ "agent.domain.com"     (SHA256) 3F:8E:AE:B8:04:2B:51:9B:7A:B3:1E:86:C0:21:3E:81:D6:2A:55:A4:17:15:CA:5E:7A:8F:95:EC:D3:83:41:C0
+ "localhost"            (SHA256) E4:F5:F3:A9:99:E9:4D:11:53:87:BE:47:95:4C:98:48:58:2D:3D:80:7E:9C:D9:C2:36:93:56:B2:EA:A0:F1:7B
+ "puppet.domain.com"    (SHA256) 5A:E1:80:AA:76:B6:81:22:55:B7:28:4B:AB:7C:B9:87:A8:DD:7E:3A:31:DF:0C:5A:61:8F:4B:D2:16:A4:B6:BF (alt names: "DNS:puppet", "DNS:puppet.domain.com")

(2) On the master, clean the certificate of the already-registered agent

[email protected]:puppet# puppet cert --clean agent.domain.com
Notice: Revoked certificate with serial 7
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(3) On agent.domain.com, delete the registered certificate
[email protected]:puppet# puppet cert --clean agent.domain.com
Notice: Revoked certificate with serial 7
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(4) Write the ACL list on the Puppet master
[email protected]:puppet# cat autosign.conf 
*.domain.com
[email protected]:puppet# /etc/init.d/puppetmaster restart
Stopping puppetmaster:                                     [  OK  ]
Starting puppetmaster:                                     [  OK  ]

(5) The client requests a certificate.

[email protected]:ssl# puppet agent --test
Info: Creating a new SSL key for agent.domain.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent.domain.com
Info: Certificate Request fingerprint (SHA256): FD:70:31:87:C6:44:EC:8D:18:0D:F5:10:E3:CE:5B:DC:EA:31:BD:BC:8C:C7:B2:80:F7:7E:2C:F2:4E:FB:12:90
Info: Caching certificate for agent.domain.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent.domain.com
Info: Applying configuration version '1418292313'
Notice: /Stage[main]/Test/File[/tmp/agent.txt]/ensure: defined content as '{md5}fc3ff98e8c6a0d3087d515c0473f8677'
Notice: Finished catalog run in 0.13 seconds

(6) View the certificates on the server.

[email protected]:puppet# puppet cert --list --all
+ "agent.domain.com"  (SHA256) FE:04:96:32:46:A4:54:BF:A9:4F:20:CA:EF:7E:F7:C6:A6:88:34:4A:D9:7E:50:54:FA:C0:10:29:87:F9:1C:6E
+ "client.domain.com" (SHA256) E3:B4:46:90:DF:85:37:77:48:BB:F9:FD:9F:13:DE:52:2F:00:1C:71:A3:BC:C2:E2:A5:34:4F:01:DB:27:02:F5
+ "localhost"         (SHA256) E4:F5:F3:A9:99:E9:4D:11:53:87:BE:47:95:4C:98:48:58:2D:3D:80:7E:9C:D9:C2:36:93:56:B2:EA:A0:F1:7B
+ "puppet.domain.com" (SHA256) 5A:E1:80:AA:76:B6:81:22:55:B7:28:4B:AB:7C:B9:87:A8:DD:7E:3A:31:DF:0C:5A:61:8F:4B:D2:16:A4:B6:BF (alt names: "DNS:puppet", "DNS:puppet.domain.com")
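A single glob in autosign.conf such as the *.domain.com above checks nothing but the certname, and the certname is whatever the agent puts in its request, so any host that can reach the master and calls itself something.domain.com is signed. Puppet also supports policy-based autosigning: with autosign set to an executable in puppet.conf, the master runs it with the certname as the first argument and the PEM CSR on stdin, and signs only if it exits 0. If each node also embeds a pre-shared secret in its CSR through csr_attributes.yaml (the file named in the agent output above) under the challengePassword OID 1.2.840.113549.1.9.7, the name check becomes a possession check. The following is an added example, not code from the original post or from the Puppet project: a stdlib-only Python policy executable that applies the autosign.conf rules as this editor understands them (exact certnames, *.domain globs, and a bare *) and then verifies the secret by walking the CSR's DER encoding for the challengePassword attribute. It cannot produce a real signed CSR offline, so for its demonstration it builds a constructed CSR-shaped fragment with the same attribute layout; the secret file path, the secret value and the hostnames are assumptions.

```python
import base64
import hmac
import sys

# DER encoding of OID 1.2.840.113549.1.9.7 (pkcs-9 challengePassword) with its
# tag and length: 06 09 2a 86 48 86 f7 0d 01 09 07
CHALLENGE_PASSWORD_OID_TLV = bytes.fromhex("06092a864886f70d010907")


def autosign_conf_allows(entries, certname):
    """autosign.conf semantics as understood here: a bare certname, a
    '*.domain' glob matching any name ending in '.domain', or '*' for all."""
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry == "*" or entry == certname:
            return True
        if entry.startswith("*.") and certname.endswith(entry[1:]):
            return True
    return False


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _walk(buf):
    """Yield (tag, value) for every element, descending into constructed ones."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:
            yield from _walk(value)


def challenge_password_from_csr(pem):
    """Return the challengePassword attribute of a PEM CSR, or None if absent/malformed."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    try:
        der = base64.b64decode(body)
        for tag, value in _walk(der):
            # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
            if tag == 0x30 and value.startswith(CHALLENGE_PASSWORD_OID_TLV):
                _, values, _ = _read_tlv(value, len(CHALLENGE_PASSWORD_OID_TLV))
                _, first, _ = _read_tlv(values, 0)
                return first.decode("utf-8")
    except (IndexError, ValueError):
        return None
    return None


def policy_allows(certname, csr_pem, shared_secret, acl=("*.domain.com",)):
    """Sign only if the certname passes the ACL *and* the CSR carries the secret."""
    if not autosign_conf_allows(acl, certname):
        return False
    presented = challenge_password_from_csr(csr_pem)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), shared_secret.encode())


# ---- constructed sample input: a CSR-shaped DER fragment, not a signed CSR ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def build_sample_csr(password):
    """Mimic CertificationRequestInfo { version, subject, [0] attributes }
    closely enough for the attribute walk; hypothetical test data only."""
    attribute = _tlv(0x30, CHALLENGE_PASSWORD_OID_TLV + _tlv(0x31, _tlv(0x0C, password.encode())))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") + _tlv(0xA0, attribute))
    b64 = base64.encodebytes(_tlv(0x30, info)).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + b64 + "-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    # Puppet's executable-autosign contract: certname in argv[1], CSR on stdin,
    # exit 0 to sign. The secret file path is an assumption for this example.
    with open("/etc/puppet/autosign_secret", encoding="utf-8") as f:
        secret = f.read().strip()
    sys.exit(0 if policy_allows(sys.argv[1], sys.stdin.read(), secret) else 1)
```

With this in place the weak one-line ACL still expresses which domain may enrol, but a request from a matching name without the secret is refused, and the secret comparison is constant-time. The secret should be rotated when it is distributed through the same provisioning channel as the nodes themselves.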


3. Pre-signed certificates
With pre-signed registration the agent's certificate is generated on the Puppet master ahead of time, before the agent has made any request, and then copied into the corresponding directories on the node, at which point registration is complete. This method has the highest security level but is cumbersome to operate: you need to know the certname of every node server in advance, and the generated certificates then have to be copied to every node one by one. However, if your environment uses an automation tool such as kickstart or cobbler, the certificate step can be scripted and folded into the unified automated deployment. Note: this method is recommended for registration in production, being both secure and reliable.

(1) Check the certificate status

[email protected]:puppet# puppet cert --list --all
+ "agent.domain.com"     (SHA256) 3F:8E:AE:B8:04:2B:51:9B:7A:B3:1E:86:C0:21:3E:81:D6:2A:55:A4:17:15:CA:5E:7A:8F:95:EC:D3:83:41:C0
+ "localhost"            (SHA256) E4:F5:F3:A9:99:E9:4D:11:53:87:BE:47:95:4C:98:48:58:2D:3D:80:7E:9C:D9:C2:36:93:56:B2:EA:A0:F1:7B
+ "puppet.domain.com"    (SHA256) 5A:E1:80:AA:76:B6:81:22:55:B7:28:4B:AB:7C:B9:87:A8:DD:7E:3A:31:DF:0C:5A:61:8F:4B:D2:16:A4:B6:BF (alt names: "DNS:puppet", "DNS:puppet.domain.com")

(2) On the master, clean the certificate of the already-registered agent

[email protected]:puppet# puppet cert --clean agent.domain.com
Notice: Revoked certificate with serial 7
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(3) On agent.domain.com, delete the registered certificate
[email protected]:puppet# puppet cert --clean agent.domain.com
Notice: Revoked certificate with serial 7
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/ca/signed/agent.domain.com.pem'
Notice: Removing file Puppet::SSL::Certificate agent.domain.com at '/var/lib/puppet/ssl/certs/agent.domain.com.pem'
(4) Pre-generate the agent certificate on the Puppet server

puppetca --generate  agent.domain.com 

(5) Generate the directory structure on the agent node

puppet agent --test
(6) Copy the certificate from the Puppet master to agent.domain.com
[email protected]:puppet#scp /var/lib/puppet/ssl/private_keys/agent.domain.com.pem  agent.domain.com:/var/lib/puppet/ssl/private_keys/
[email protected]:puppet#scp /var/lib/puppet/ssl/certs/agent.domain.com.pem  agent.domain.com:/var/lib/puppet/ssl/certs/
[email protected]:puppet#scp /var/lib/puppet/ssl/certs/ca.pem  agent.domain.com:/var/lib/puppet/ssl/certs/ca.pem