- Puppet 5 Essentials (Third Edition)
- Martin Alfke, Felix Frank
- 430 words
- 2021-07-02 18:22:25
The agent's life cycle
In a Puppet-centric workflow, you typically want all changes to the configuration of servers (perhaps even workstations) to originate on the Puppet master and propagate to the agents automatically. Each new machine is integrated into the Puppet infrastructure with the master at its center, and is removed during decommissioning, as shown in the following diagram:

The very first step, generating a key and a certificate signing request, is always performed implicitly and automatically at the start of an agent run if no local SSL data exists yet. Puppet creates the required data if no appropriate files are found. A short description of how to trigger this behavior manually follows later in this section.
The next step is usually the signing of the agent's certificate, which is performed on the master. It is good practice to monitor the pending requests by listing them on the console:
root@puppetmaster# puppet cert list
root@puppetmaster# puppet cert sign '<agent fqdn>'
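One way to monitor pending requests before signing, as an added example that is not from the book: the function compares each pending certname against a list of agents you expect to enroll. The inventory file, the function names and the sample output are assumptions constructed for illustration, as is the line format of a quoted certname followed by digest and fingerprint.

```shell
#!/bin/sh
# Added example: triage pending Puppet CSRs against a list of expected agents.
# Assumption: each pending request is printed as
#   "certname" (DIGEST) FINGERPRINT
# and lines starting with + or - (signed/revoked, from --all) are not pending.

# Constructed sample output; certnames and fingerprints are made up.
sample_pending() {
    cat <<'EOF'
  "web01.example.net" (SHA256) 3C:91:0E:55
  "db01.example.net" (SHA256) 7A:D2:44:B8
  "build-tmp.example.net" (SHA256) 9F:00:1B:6D
+ "puppetmaster.example.net" (SHA256) 12:34:56:78
EOF
}

# $1: inventory file, one expected agent FQDN per line.
# stdin: `puppet cert list` output. Exit status 1 if any request is unexpected.
triage_pending() {
    awk -v inv="$1" '
        BEGIN {
            while ((getline host < inv) > 0)
                if (host != "") expected[host] = 1
        }
        /^[ \t]*"/ {
            split($0, q, "\"")          # q[2] = certname between the quotes
            split(q[3], rest, " ")      # rest[1] = (DIGEST), rest[2] = fingerprint
            status = (q[2] in expected) ? "EXPECTED" : "UNEXPECTED"
            if (status == "UNEXPECTED") bad = 1
            printf "%s %s %s\n", status, q[2], rest[2]
        }
        END { exit bad }
    '
}

# Demo on the constructed sample; on the master, pipe `puppet cert list` in instead.
inventory=$(mktemp)
printf '%s\n' web01.example.net db01.example.net > "$inventory"
sample_pending | triage_pending "$inventory" ||
    echo "unexpected CSR pending: verify before running puppet cert sign" >&2
rm -f "$inventory"
```

Even for an expected certname, compare the printed fingerprint with the one the agent itself reports (`puppet agent --fingerprint`) before signing, since a certname alone does not prove which machine generated the request.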
From this point on, the agent will periodically check with the master to load updated catalogs. The default interval for this is 30 minutes. The agent will perform a run of a catalog each time and check the sync state of all the contained resources. The run is performed for unchanged catalogs as well, because the sync states can change between runs.
Launching this background process can be done manually through a simple command:
root@agent# puppet agent
However, it is preferable to do this through the puppet system service.
When an agent machine is taken out of active service, its certificate should be invalidated. As is customary with SSL, this is done through revocation and cleaning the certificate. The master adds the serial number of the certificate to its certificate revocation list. This list, too, is shared with each agent machine. Revocation is initiated on the master through the puppet cert command:
root@puppetmaster# puppet cert revoke agent
The agent can then no longer use its old certificate:
root@agent# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
[...]
Error: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
[...]