
The agent's life cycle

In a Puppet-centric workflow, you typically want all changes to the configuration of servers (perhaps even workstations) to originate on the Puppet master and propagate to the agents automatically. Each new machine is integrated into the Puppet infrastructure, with the master at its center, and is removed from it again when it is decommissioned, as shown in the following diagram:

The very first step, generating a key and a certificate signing request, is always performed implicitly and automatically at the start of an agent run if no local SSL data exists yet. Puppet creates the required data if no appropriate files are found. A short description of how to trigger this behavior manually follows later in this section.

The next step is usually the signing of the agent's certificate, which is performed on the master. It is good practice to monitor the pending requests by listing them on the console:

root@puppetmaster# puppet cert list
root@puppetmaster# puppet cert sign '<agent fqdn>'

From this point on, the agent will periodically check with the master to load updated catalogs. The default interval for this is 30 minutes. The agent will perform a run of a catalog each time and check the sync state of all the contained resources. The run is performed for unchanged catalogs as well, because the sync states can change between runs.

Until you sign the certificate, the agent process will query the master at short intervals for a while. This avoids a 30-minute delay if the certificate is not ready right when the agent starts up.

Launching this background process can be done manually through a simple command:

root@agent# puppet agent

However, it is preferable to do this through the puppet system service.

When an agent machine is taken out of active service, its certificate should be invalidated. As is customary with SSL, this is done through revocation and cleaning the certificate. The master adds the serial number of the certificate to its certificate revocation list. This list, too, is shared with each agent machine. Revocation is initiated on the master through the puppet cert command:

root@puppetmaster# puppet cert revoke agent

The updated CRL is not honored until the master service is restarted. If security is a concern, this step must not be postponed.

The agent can then no longer use its old certificate:

root@agent# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
[...]
Error: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
[...]
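Both the pending-request check described above and the revoke/clean step at the end of an agent's life are easy to overlook on a busy master. The following Python helper is an added example, not code from the book or from Puppet: it parses the output of `puppet cert list --all` (the line format it assumes is that of the Puppet 3/4 CA interface, with a `+`, space or `-` glyph, the quoted host name, digest, fingerprint and an optional reason such as `(certificate revoked)`) and compares it against a host inventory, so that a CSR from an unexpected host is investigated rather than signed, and revoked certificates that still await `puppet cert clean` are reported. The sample output embedded at the bottom is constructed.

```python
import re

# Line format assumed for `puppet cert list --all` (Puppet 3/4 CA interface):
#   <glyph> "<host>" (<digest>) <fingerprint> [(alt names: ...)] [(<reason>)]
# glyph '+' = signed, ' ' = pending request, '-' = invalid, and a revoked
# certificate carries the reason "(certificate revoked)".
LINE_RE = re.compile(
    r'^(?P<glyph>[+\- ]) "(?P<name>[^"]+)" \((?P<digest>\w+)\) '
    r'(?P<fingerprint>\S+)(?P<rest>.*)$')

def parse_cert_list(output: str) -> dict[str, list[str]]:
    """Group the host names in `puppet cert list --all` output by state."""
    states = {"signed": [], "pending": [], "revoked": [], "invalid": []}
    for line in output.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        glyph, name, rest = m["glyph"], m["name"], m["rest"]
        if glyph == "+":
            states["signed"].append(name)
        elif glyph == " ":
            states["pending"].append(name)
        elif "certificate revoked" in rest:
            states["revoked"].append(name)
        else:
            states["invalid"].append(name)
    return states

def audit(output: str, inventory: list[str]) -> dict[str, list[str]]:
    """Names needing an operator decision: pending CSRs from hosts not in the
    inventory (investigate before signing), inventory hosts with neither a
    certificate nor a CSR, and revoked certificates not yet cleaned up."""
    states = parse_cert_list(output)
    known = set(inventory)
    present = set(states["signed"]) | set(states["pending"])
    return {
        "unexpected_requests": [n for n in states["pending"] if n not in known],
        "missing_hosts": sorted(known - present),
        "needs_cleaning": states["revoked"],
    }

# Constructed sample output; the fingerprints are shortened placeholders.
SAMPLE = '''\
+ "puppetmaster.example.com" (SHA256) 11:22:33:44 (alt names: "DNS:puppet")
  "web01.example.com" (SHA256) AA:BB:CC:DD
  "unknown01.example.com" (SHA256) EE:FF:00:11
- "old.example.com" (SHA256) 22:33:44:55 (certificate revoked)
'''
```

In practice, feed `audit()` the captured output of `puppet cert list --all` on the master and your inventory of known host names; the `invalid` bucket collects certificates the CA rejects for any reason other than revocation.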