- Puppet 5 Essentials(Third Edition)
- Martin Alfke Felix Frank
- 430字
- 2021-07-02 18:22:25
The agent's life cycle
In a Puppet-centric workflow, you typically want all changes to the configuration of servers (perhaps even workstations) to originate on the Puppet master and propagate to the agents automatically. Each new machine gets integrated into the Puppet infrastructure with the master at its center, and gets removed during the decommissioning, as shown in the following diagram:
The very first step, generating a key and a certificate signing request is always performed implicitly and automatically at the start of an agent run if no local SSL data exists yet. Puppet creates the required data if no appropriate files are found. There will be a short description on how to trigger this behavior manually later in this section.
The next step is usually the signing of the agent's certificate, which is performed on the master. It is good practice to monitor the pending requests by listing them on the console:
root@puppetmaster# puppet cert list
root@puppetmaster# puppet cert sign '<agent fqdn>'
From this point on, the agent will periodically check with the master to load updated catalogs. The default interval for this is 30 minutes. The agent will perform a run of a catalog each time and check the sync state of all the contained resources. The run is performed for unchanged catalogs as well, because the sync states can change between runs.
Launching this background process can be done manually through a simple command:
root@agent# puppet agent
However, it is preferable to do this through the puppet system service.
When an agent machine is taken out of active service, its certificate should be invalidated. As is customary with SSL, this is done through revocation and cleaning the certificate. The master adds the serial number of the certificate to its certificate revocation list. This list, too, is shared with each agent machine. Revocation is initiated on the master through the puppet cert command:
root@puppetmaster# puppet cert revoke agent
The agent can then no longer use its old certificate:
root@agent# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
[...]
Error: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
[...]