- Puppet 5 Essentials (Third Edition)
- Martin Alfke, Felix Frank
- 2021-07-02 18:22:25
Creating the master manifest
When you used Puppet locally in Chapter 1, Writing Your First Manifests, you specified a manifest file that puppet apply should compile. The master compiles manifests for many machines, but the agent does not get to choose which source file is to be used; this is completely at the master's discretion. The starting point for any compilation by the master is always the site manifest, which can be found in /opt/puppetlabs/code/environments/production/manifests/.
Each connecting agent will use all the manifests found here. Of course, you don't want to manage only one identical set of resources on all your machines. To define a piece of manifest exclusively for a specific agent, put it in a node block. This block's contents will only be considered when the calling agent has a matching common name in its SSL certificate. You can dedicate a piece of the manifest to a machine with the name of agent, for example:
node 'agent' {
  $packages = [ 'apache2',
                'libapache2-mod-php5',
                'libapache2-mod-passenger', ]
  package { $packages:
    ensure => 'installed',
    before => Service['apache2'],
  }
  service { 'apache2':
    ensure => 'running',
    enable => true,
  }
}
Before you set up and connect your first agent to the master, step back and think about how the master should be addressed. By default, agents will try to resolve the unqualified puppet hostname in order to get the master's address. If you have a default domain that is being searched by your machines, you can use this as a default and add a record for puppet as a subdomain (such as puppet.example.net).
Otherwise, pick a domain name that seems fitting to you, such as master.example.net or adm01.example.net. What's important is the following:
- All your agent machines can resolve the name to an address
- The master process is listening for connections on that address
- The master uses a certificate with the chosen name as CN or DNS Alt Names
The mode of resolution depends on your circumstances; the hosts file on each machine is one ubiquitous possibility. The Puppet server listens on all the available addresses by default.
This leaves the task of creating a suitable certificate, which is simple. Configure the master to use the appropriate certificate name and restart the service. If the certificate does not exist yet, Puppet will take the necessary steps to create it. Put the following setting into your /etc/puppetlabs/puppet/puppet.conf file on the master machine:
[main]
certname=puppetmaster.example.net
Upon its next start, the master will use the appropriate certificate for all SSL connections. The automatic proliferation of SSL data is not dangerous, even in an existing setup, except for the certification authority. If the master were to generate a new CA certificate at any point in time, it would break the trust of all existing agents.
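The following check is an added example, not code from the book: it compares the name an agent will connect to against the names the master is configured to put in its certificate. It assumes the agent's server setting (default puppet) and the master's dns_alt_names setting, and that the certificate carries exactly the configured names; the puppet.conf contents are constructed samples.

```python
import configparser

# Constructed sample puppet.conf contents (the first mirrors the setting shown above).
MASTER_AS_ON_PAGE = "[main]\ncertname=puppetmaster.example.net\n"
MASTER_WITH_ALT = (
    "[main]\n"
    "certname=puppetmaster.example.net\n"
    "dns_alt_names=puppet,puppet.example.net\n"
)
AGENT_DEFAULT = "[main]\n"  # no server setting: agent falls back to 'puppet'
AGENT_EXPLICIT = "[agent]\nserver=puppetmaster.example.net\n"


def effective(conf_text, run_section, key, default=None):
    """Return key from the run-mode section, falling back to [main]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in (run_section, "main"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return default


def master_names(master_conf):
    """Names the master is configured to present: certname plus DNS alt names.

    An unset certname defaults to the host's FQDN, which this offline
    check cannot know, so it is simply left out of the result.
    """
    names = set()
    cn = effective(master_conf, "master", "certname")
    if cn:
        names.add(cn.lower())
    alt = effective(master_conf, "master", "dns_alt_names", "")
    names.update(n.strip().lower() for n in alt.split(",") if n.strip())
    return names


def agent_can_verify(master_conf, agent_conf):
    """True if the agent's target name is one the master certificate should carry."""
    server = effective(agent_conf, "agent", "server", "puppet").lower()
    return server in master_names(master_conf)


if __name__ == "__main__":
    for label, agent in (("default", AGENT_DEFAULT), ("explicit", AGENT_EXPLICIT)):
        ok = agent_can_verify(MASTER_AS_ON_PAGE, agent)
        print(f"agent ({label} server) vs. certname-only master: {ok}")
```

The configuration is only a statement of intent: the certificate that already exists on the master is what agents actually verify, so inspect it as well when the two might have diverged.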