选择更安全的方式注册你的puppet节点
1.1Puppet节点注册选型
1.1.1手动注册
[root@puppetserver ~]# puppet cert --list #搜索请求注册的节点
"agent1.rsyslog.org" (3A:6C:C6:30:14:6D:DC:4B:0E:70:79:BE:46:FA:6C:2B)
[root@puppetserver ~]# puppet cert --sign agent1.rsyslog.org #注册节点agent1.rsyslog.org
notice: Signed certificate request for agent1.rsyslog.org
notice: Removing file Puppet::SSL::CertificateRequest agent1.rsyslog.org at '/var/lib/puppet/ssl/ca/requests/agent1.rsyslog.org.pem'
更多操作可通过命令puppet cert –help查看
1.1.2自动注册
[root@puppetserver puppet]# vim autosign.conf #创建并编辑autosign.conf文件,将需要自动注册的主机名写入,后缀名一致可通过通配符*代替
*.rsyslog.org
备注:在这种模式下,从指定域名范围发起的连接都会被自动签名,存在一定的安全性,可根据具体环境而考虑是否使用。
1.1.3预先签署证书
1.1.3.1在puppet server端预先生成节点的证书
[root@puppetserver ~]# puppetca --generate agent1.rsyslog.org
1.1.3.2复制以下证书覆盖到节点对应的目录下
/var/lib/puppet/ssl/private_keys/agent1.rsyslog.org.pem
/var/lib/puppet/ssl/certs/agent1.rsyslog.org.pem
/var/lib/puppet/ssl/certs/ca.pem
备注:复制之前节点需要启动才能够生成/var/lib/puppet/ssl目录结构
1.1.4重新注册
有的时候节点更换主机名,或者重新注册获取新的证书:
1)、在节点上上先删除旧的证书
[root@agent1 ~]# rm -rf /var/lib/puppet/ssl/*
2)、在puppetserver端删除节点的证书
[root@puppetserver ~]# puppetca --clean agent1.rsyslog.org
notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate agent1.rsyslog.org at '/var/lib/puppet/ssl/ca/signed/agent1.rsyslog.org.pem'
notice: Removing file Puppet::SSL::Certificate agent1.rsyslog.org at '/var/lib/puppet/ssl/certs/agent1.rsyslog.org.pem'
3)、通过手动、自动或者预先签署证书的方式重新注册,请参看2.6.1、2.6.2和2.6.3
本文转自凌激冰51CTO博客,原文链接:http://blog.51cto.com/dreamfire/1257717,如需转载请自行联系原作者
