#### Puppet Basics 5: Establishing the authentication relationship between master and agent
Puppet offers basically three ways to register an agent: autosign, manual signing, and pre-signed registration. In [Puppet Basics 4: Installing, configuring and using Puppet](http://kisspuppet.com/2014/03/08/puppet_learning_base4/) manual signing was used. The registration method determines how much work registration takes and, of course, how secure it is.
### I. Manual registration
With manual registration the agent first sends a certificate signing request, and the request has to be confirmed on the Puppetserver side before registration succeeds. Its security level is moderate. Signing requests one at a time (`puppet cert --sign certname`) is tedious and slow when there are many nodes; batch signing (`puppet cert --sign --all`) is very efficient and registers every pending agent request in one go, but it is considerably less secure, because bogus requests get signed along with the legitimate ones.
**1. The node requests registration**
~~~
[root@agent1 ~]# puppet agent --test
info: Creating a new SSL key for agent1_cert.kisspuppet.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
info: Certificate Request fingerprint (md5): 69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9
Exiting; no certificate found and waitforcert is disabled
~~~
**2. Confirm the request on the server side**
~~~
[root@puppetmaster ~]# puppet cert --list --all #check the certificate status
"agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9) #not yet signed
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
[root@puppetmaster ~]# puppet cert --sign agent1_cert.kisspuppet.com #sign agent1
notice: Signed certificate request for agent1_cert.kisspuppet.com #the requested certificate is now formally registered
notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem' #the request is removed
[root@puppetmaster ~]# puppet cert --list --all #check the status again
+ "agent1_cert.kisspuppet.com" (3E:46:4E:75:34:9A:5A:62:A6:3C:AE:BD:49:EE:C0:F5)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
[root@puppetmaster ~]# tree /var/lib/puppet/ssl/ #another way to view the certificate status
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent1_cert.kisspuppet.com.pem #registered successfully
│       └── puppetmaster.kisspuppet.com.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── puppetmaster.kisspuppet.com.pem
├── crl.pem
├── private
├── private_keys
│   └── puppetmaster.kisspuppet.com.pem
└── public_keys
    └── puppetmaster.kisspuppet.com.pem

9 directories, 14 files
~~~
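Before reaching for `puppet cert --sign --all`, it pays to audit the `puppet cert --list --all` output and sign only the requests you can account for. The script below is an added example, not code from the original post or from Puppet: it parses a listing constructed from the output above (plus one request from a host that was never provisioned), separates pending requests from signed certificates, and approves only the pending names found in an inventory file that you are assumed to maintain alongside your provisioning records. The inventory file and the `unknown-host` entry are constructed for the demonstration; `awk`, `grep` and `mktemp` are the only tools required.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the output of
# `puppet cert --list --all` before anything is signed: lines starting with '+'
# are already-signed certificates, lines without it are pending requests.
# The listing below is constructed from the post's output plus one request
# from a host that is not in our inventory.
CERT_LIST=$(mktemp)
EXPECTED=$(mktemp)
trap 'rm -f "$CERT_LIST" "$EXPECTED"' EXIT

cat > "$CERT_LIST" <<'EOF'
  "agent1_cert.kisspuppet.com" (69:D2:86:E4:7F:00:E0:55:61:19:02:34:9E:9B:AF:F9)
  "unknown-host.kisspuppet.com" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
EOF

# Constructed inventory: the certnames we actually provisioned, one per line
# (assumption: you keep such a file next to your kickstart/cobbler records)
printf '%s\n' agent1_cert.kisspuppet.com puppetmaster.kisspuppet.com > "$EXPECTED"

# pending_requests LIST -> certnames whose request is still unsigned
pending_requests() {
    awk 'NF > 0 && $1 != "+" { gsub(/"/, "", $1); print $1 }' "$1"
}

# signed_certs LIST -> certnames already signed by this CA
signed_certs() {
    awk '$1 == "+" { gsub(/"/, "", $2); print $2 }' "$1"
}

# fingerprint LIST CERTNAME -> the listed fingerprint of one entry, or nothing
fingerprint() {
    awk -v n="\"$2\"" '$1 == n || ($1 == "+" && $2 == n) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\([0-9A-F:]+\)$/) { gsub(/[()]/, "", $i); print $i; exit }
    }' "$1"
}

# approved_requests LIST EXPECTED -> pending names that are in the inventory
approved_requests() {
    pending_requests "$1" | grep -xF -f "$2" || true
}

# unexpected_pending LIST EXPECTED -> pending names nobody provisioned
unexpected_pending() {
    pending_requests "$1" | grep -vxF -f "$2" || true
}

echo "Already signed:"
signed_certs "$CERT_LIST" | sed 's/^/  /'

echo "Requests to investigate before signing (NOT in inventory):"
unexpected_pending "$CERT_LIST" "$EXPECTED" | sed 's/^/  /'

echo "Sign these one by one instead of using --sign --all:"
approved_requests "$CERT_LIST" "$EXPECTED" | while IFS= read -r name; do
    # Compare the fingerprint with the one the node printed when it requested
    echo "  puppet cert --sign $name   # fingerprint $(fingerprint "$CERT_LIST" "$name")"
done
```

The fingerprint printed next to each approved name is the value to compare against the `Certificate Request fingerprint` line the agent printed in step 1; a match ties the request on the master to the key the node actually generated.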
**3. Testing the motd module**
~~~
[root@agent1 ~]# puppet agent --test #test node agent1
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394304542'
notice: /Stage[main]/Motd/File[/etc/motd]/content:
--- /etc/motd 2000-01-13 07:18:52.000000000 +0800
+++ /tmp/puppet-file20140309-4571-1vqc18j-0 2014-03-09 02:51:47.000000000 +0800
@@ -0,0 +1,3 @@
+-- --
+--------puppet test---------
+-- --
info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
notice: Finished catalog run in 0.40 seconds
~~~
### II. Autosign
Put simply, this registration method is controlled by an ACL list on the Puppetmaster side, and its security level is low: every node request that matches the predefined ACL list is signed automatically, without any confirmation. In other words, anyone who knows what the ACL list requires and can talk to the PuppetMaster can register with ease. Its biggest advantage, of course, is that it is extremely efficient.

**1. Remove agent1's registered certificate on the PuppetMaster**
~~~
[root@puppetmaster ~]# puppet cert --clean agent1_cert.kisspuppet.com
notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/signed/agent1_cert.kisspuppet.com.pem'
notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem'
[root@puppetmaster ~]# puppet cert --list --all #agent1's certificate has been removed
+ "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
+ "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)
~~~
**2. Delete the registered certificate on agent1**
~~~
[root@agent1 ~]# rm -rf /var/lib/puppet/ssl/*
~~~
**3. Write the ACL list on the Puppetmaster**
~~~
[root@puppetmaster ~]# vim /etc/puppet/autosign.conf
*.kisspuppet.com
[root@puppetmaster ~]# /etc/init.d/puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
[root@puppetmaster ~]# puppet cert --list --all
~~~
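The wildcard entry above is what makes autosign both convenient and risky: the master no longer checks who is asking, only whether the requested certname matches a pattern. The script below is an added example, not code from the original post or from Puppet. It emulates that decision so you can see what each policy admits, assuming that every non-comment line of autosign.conf is matched as a shell glob against the certname in the request (Puppet also accepts plain certnames, which is the stricter form shown second). Both ACL files and the `unknown-host` certname are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Emulates the decision an
# autosign.conf entry makes so you can see what a wildcard actually admits.
# Assumption: each non-comment line is matched as a shell glob against the
# certname in the request; exact certnames are the degenerate glob.
# Both ACL files below are constructed.
ACL_WILDCARD=$(mktemp)
ACL_EXACT=$(mktemp)
trap 'rm -f "$ACL_WILDCARD" "$ACL_EXACT"' EXIT

# The post's policy: anything under the domain is signed without review
printf '%s\n' '# permissive' '*.kisspuppet.com' > "$ACL_WILDCARD"

# Tighter policy: only the certnames we provisioned ourselves
printf '%s\n' '# explicit allow list' \
    'agent1_cert.kisspuppet.com' 'agent2_cert.kisspuppet.com' > "$ACL_EXACT"

# autosign_allows ACL CERTNAME -> 0 if ACL would sign the request unattended
autosign_allows() {
    acl=$1
    certname=$2
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac   # comments and blank lines
        # $entry is deliberately unquoted so the shell applies it as a pattern
        case "$certname" in $entry) return 0 ;; esac
    done < "$acl"
    return 1
}

# verdict ACL LABEL CERTNAME -> one line describing what the master would do
verdict() {
    if autosign_allows "$1" "$3"; then
        printf '%-30s %-10s auto-signed, nobody looked at it\n' "$3" "$2"
    else
        printf '%-30s %-10s pending, needs puppet cert --sign\n' "$3" "$2"
    fi
}

for name in agent1_cert.kisspuppet.com unknown-host.kisspuppet.com agent1.example.org; do
    verdict "$ACL_WILDCARD" wildcard "$name"
    verdict "$ACL_EXACT"    exact    "$name"
done
```

Run as-is, the table shows the point the text makes: with `*.kisspuppet.com` the never-provisioned `unknown-host.kisspuppet.com` is signed just like agent1, whereas the explicit list leaves it pending for a human to reject. If you do use autosign, listing the certnames you expect is the cheapest way to keep the efficiency without handing out certificates to anything that can reach the master.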
**4. Autosign in action**
~~~
[root@agent1 ~]# puppet agent --test #request a certificate
info: Creating a new SSL key for agent1_cert.kisspuppet.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent1_cert.kisspuppet.com
info: Certificate Request fingerprint (md5): ED:C9:C7:DF:F1:0E:53:1C:D3:73:5D:B7:D3:94:1F:60
info: Caching certificate for agent1_cert.kisspuppet.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394359075'
notice: Finished catalog run in 1.39 seconds
[root@agent1 ~]# cat /etc/motd
-- --
--------puppet test---------
-- --
~~~
**5. Check on the server side**
~~~
[root@puppetmaster ~]# puppet cert --list --all #agent1 has been autosigned
+ "agent1_cert.kisspuppet.com" (9E:1A:2B:48:26:7D:26:8D:1D:F5:5E:34:A1:6B:13:5F)
+ "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
+ "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)
~~~
**6. Node test**
~~~
[root@agent1 ~]# >/etc/motd #empty the file
[root@agent1 ~]# puppet agent --test
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394359075'
notice: /Stage[main]/Motd/File[/etc/motd]/content:
--- /etc/motd 2014-03-09 17:59:02.000000000 +0800
+++ /tmp/puppet-file20140309-3678-15tazyj-0 2014-03-09 17:59:06.000000000 +0800
@@ -0,0 +1,3 @@
+-- --
+--------puppet test---------
+-- --
info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
notice: Finished catalog run in 0.42 seconds
[root@agent1 ~]# cat /etc/motd #the file content has been regenerated
-- --
--------puppet test---------
-- --
~~~
### III. Pre-signed registration
With pre-signed registration the agent's certificate is generated in advance on the puppetmaster, before the agent has made any request, and then copied into the corresponding directory on the node, which completes the registration. This is the most secure of the three methods, but it is laborious: you need to know every node's certname ahead of time, and then copy the generated certificates to each node one after another. That said, if your environment uses an automation tool such as kickstart or cobbler, the certificate handling can be turned into a script and folded into your unified automated deployment.

**Note:** this is the recommended registration method for production environments; it is both secure and reliable!

**1. Remove agent1's registered certificate on the PuppetMaster**
~~~
[root@puppetmaster ~]# puppet cert --clean agent1_cert.kisspuppet.com
notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/signed/agent1_cert.kisspuppet.com.pem'
notice: Removing file Puppet::SSL::Certificate agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem'
[root@puppetmaster ~]# puppet cert --list --all #agent1's certificate has been removed
+ "agent2_cert.kisspuppet.com" (A0:CE:70:BE:A9:11:BF:F4:C8:EF:25:8E:C2:2C:3B:B7)
+ "agent3_cert.kisspuppet.com" (98:93:F7:0C:ED:94:81:3D:51:14:86:68:2B:F3:F1:A0)
+ "puppetmaster.kisspuppet.com" (C0:E3:6B:76:36:EC:92:93:4D:BF:F0:8F:77:00:91:C8) (alt names: "DNS:puppet", "DNS:puppet.kisspuppet.com", "DNS:puppetmaster.kisspuppet.com")
+ "puppetmaster_cert.kisspuppet.com" (57:A3:D7:3D:64:2F:D6:FD:BC:2A:6C:79:68:73:EA:AB)
~~~
**2. Delete all registration data on agent1, including the certificate**
~~~
[root@agent1 ~]# rm -rf /var/lib/puppet/*
~~~
**3. Remove the autosign ACL list**
~~~
[root@puppetmaster ~]# mv /etc/puppet/autosign.conf{,.bak}
~~~
**4. Generate agent1's certificate in advance on the puppetserver**
~~~
[root@puppetmaster ~]# puppetca --generate agent1_cert.kisspuppet.com
notice: agent1_cert.kisspuppet.com has a waiting certificate request
notice: Signed certificate request for agent1_cert.kisspuppet.com
notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/ca/requests/agent1_cert.kisspuppet.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest agent1_cert.kisspuppet.com at '/var/lib/puppet/ssl/certificate_requests/agent1_cert.kisspuppet.com.pem'
~~~
**5. Create the directory structure on the node**
~~~
[root@agent1 ~]# puppet agent --test --server=abc.com #point at an arbitrary server just to create the directory structure
info: Creating a new SSL key for agent1_cert.kisspuppet.com
err: Could not request certificate: getaddrinfo: Temporary failure in name resolution
Exiting; failed to retrieve certificate and waitforcert is disabled
[root@agent1 ~]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
|-- certificate_requests
|-- certs
|-- private
|-- private_keys
|   `-- agent1_cert.kisspuppet.com.pem
`-- public_keys
    `-- agent1_cert.kisspuppet.com.pem

5 directories, 2 files
~~~
**6. Copy the certificates from the puppetmaster to agent1**
~~~
[root@puppetmaster ~]# scp /var/lib/puppet/ssl/private_keys/agent1_cert.kisspuppet.com.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/private_keys/
agent1_cert.kisspuppet.com.pem 100% 3243 3.2KB/s 00:00
[root@puppetmaster ~]# scp /var/lib/puppet/ssl/certs/agent1_cert.kisspuppet.com.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/certs/
agent1_cert.kisspuppet.com.pem 100% 1944 1.9KB/s 00:00
[root@puppetmaster ~]# scp /var/lib/puppet/ssl/certs/ca.pem agent1.kisspuppet.com:/var/lib/puppet/ssl/certs/
ca.pem 100% 1915 1.9KB/s 00:00
[root@puppetmaster ~]#
~~~
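Steps 4 to 6 are exactly the part that a kickstart or cobbler post-install script can take over, and the part most likely to go wrong silently: a private key landing with the wrong mode, or ca.pem forgotten. The script below is an added example, not code from the original post or from Puppet. It stages the same three files into an agent ssldir with the permissions the agent needs and then verifies the bundle before the first `puppet agent --test`. It assumes the master keeps the agent's material under its own ssldir as `private_keys/<certname>.pem`, `certs/<certname>.pem` and `certs/ca.pem` (the layout the scp commands above use), that the agent expects the same relative layout, and that GNU `install` and `stat` are available. The copy is local so it runs offline; in real use the destination is the agent via scp. The PEM contents are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original post. Stages the pre-signed bundle
# that steps 4-6 copy by hand, then verifies it before the first agent run.
# Assumptions: master ssldir layout private_keys/<certname>.pem,
# certs/<certname>.pem, certs/ca.pem; same relative layout on the agent;
# GNU install/stat. The copy is local so the script runs offline.
# The PEM files are constructed placeholders, not real keys or certificates.
CERTNAME=agent1_cert.kisspuppet.com
MASTER_SSL=$(mktemp -d)
AGENT_SSL=$(mktemp -d)
SLOPPY_SSL=$(mktemp -d)
trap 'rm -rf "$MASTER_SSL" "$AGENT_SSL" "$SLOPPY_SSL"' EXIT

mkdir -p "$MASTER_SSL/private_keys" "$MASTER_SSL/certs"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' '-----END PRIVATE KEY-----' \
    > "$MASTER_SSL/private_keys/$CERTNAME.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' '-----END CERTIFICATE-----' \
    > "$MASTER_SSL/certs/$CERTNAME.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-ca-placeholder' '-----END CERTIFICATE-----' \
    > "$MASTER_SSL/certs/ca.pem"

# stage_bundle SRC_SSL DST_SSL CERTNAME -> copies the three files the agent
# needs, with the private key readable by its owner only
stage_bundle() {
    src=$1; dst=$2; name=$3
    install -d -m 750 "$dst/private_keys"
    install -d -m 755 "$dst/certs"
    install -m 600 "$src/private_keys/$name.pem" "$dst/private_keys/$name.pem"
    install -m 644 "$src/certs/$name.pem"        "$dst/certs/$name.pem"
    install -m 644 "$src/certs/ca.pem"           "$dst/certs/ca.pem"
}

# bundle_status SSL CERTNAME -> prints one finding per check; returns 0 only
# when all three files are present and the key is not group/world readable
bundle_status() {
    ssldir=$1; name=$2; rc=0
    for f in "private_keys/$name.pem" "certs/$name.pem" "certs/ca.pem"; do
        if [ -s "$ssldir/$f" ]; then
            printf 'ok      %s\n' "$f"
        else
            printf 'MISSING %s\n' "$f"; rc=1
        fi
    done
    key="$ssldir/private_keys/$name.pem"
    if [ -e "$key" ]; then
        mode=$(stat -c '%a' "$key")          # permission bits in octal
        case "$mode" in
            600|400) printf 'ok      key mode %s\n' "$mode" ;;
            *)       printf 'WEAK    key mode %s, expected 600\n' "$mode"; rc=1 ;;
        esac
    fi
    return $rc
}

echo "== properly staged bundle"
stage_bundle "$MASTER_SSL" "$AGENT_SSL" "$CERTNAME"
bundle_status "$AGENT_SSL" "$CERTNAME" && echo "ready for: puppet agent --test"

echo "== bundle copied with plain cp, ca.pem forgotten"
mkdir -p "$SLOPPY_SSL/private_keys" "$SLOPPY_SSL/certs"
cp "$MASTER_SSL/private_keys/$CERTNAME.pem" "$SLOPPY_SSL/private_keys/"
chmod 644 "$SLOPPY_SSL/private_keys/$CERTNAME.pem"   # what a lax umask leaves behind
cp "$MASTER_SSL/certs/$CERTNAME.pem" "$SLOPPY_SSL/certs/"
bundle_status "$SLOPPY_SSL" "$CERTNAME" || echo "do not start the agent yet"
```

The second run is the failure mode to watch for: the agent would start, fail to validate the master because ca.pem is missing, and meanwhile its private key would be readable by every local account. Checking the bundle on the node before the first run is cheaper than debugging a half-registered agent afterwards.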
**7. Test agent1**
~~~
[root@agent1 ~]# >/etc/motd
[root@agent1 ~]# puppet agent --test
info: Caching certificate_revocation_list for ca
info: Caching catalog for agent1_cert.kisspuppet.com
info: Applying configuration version '1394359075'
notice: /Stage[main]/Motd/File[/etc/motd]/content:
--- /etc/motd 2014-03-09 18:18:10.000000000 +0800
+++ /tmp/puppet-file20140309-4071-1gypudk-0 2014-03-09 18:18:17.000000000 +0800
@@ -0,0 +1,3 @@
+-- --
+--------puppet test---------
+-- --
info: FileBucket adding {md5}d41d8cd98f00b204e9800998ecf8427e
info: /Stage[main]/Motd/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum d41d8cd98f00b204e9800998ecf8427e
notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}87ea3a1af8650395038472457cc7f2b1'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.41 seconds
[root@agent1 ~]# cat /etc/motd
-- --
--------puppet test---------
-- --
~~~