
The agent's life cycle

In a Puppet-centric workflow, you typically want all changes to the configuration of servers (perhaps even workstations) to originate on the Puppet master and propagate to the agents automatically. Each new machine gets integrated into the Puppet infrastructure with the master at its center, and gets removed during the decommissioning, as shown in the following diagram:

The very first step, generating a key and a certificate signing request, is always performed implicitly and automatically at the start of an agent run if no local SSL data exists yet: Puppet creates the required data if no appropriate files are found. A short description of how to trigger this behavior manually follows later in this section.

The next step is usually the signing of the agent's certificate, which is performed on the master. It is good practice to monitor the pending requests by listing them on the console:

root@puppetmaster# puppet cert list
root@puppetmaster# puppet cert sign '<agent fqdn>'

From this point on, the agent will periodically check with the master to load updated catalogs. The default interval for this is 30 minutes. The agent will perform a run of a catalog each time and check the sync state of all the contained resources. The run is performed for unchanged catalogs as well, because the sync states can change between runs.

Until you get around to signing the certificate, the agent process keeps querying the master at short intervals for a while. This can avoid a 30-minute delay if the certificate is not ready right when the agent starts up.

Launching this background process can be done manually through a simple command:

root@agent# puppet agent

However, it is preferable to do this through the puppet system service.

When an agent machine is taken out of active service, its certificate should be invalidated. As is customary with SSL, this is done by revoking and cleaning the certificate. The master adds the serial number of the certificate to its certificate revocation list (CRL). This list, too, is shared with each agent machine. Revocation is initiated on the master through the puppet cert command:

root@puppetmaster# puppet cert revoke agent

The updated CRL is not honored until the master service is restarted. If security is a concern, this step must not be postponed.

The agent can then no longer use its old certificate:

root@agent# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
[...]
Error: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
[...]
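The lifecycle steps above (listing requests, signing, revoking and cleaning, restarting the master so the CRL takes effect) as one small POSIX shell script. This is an added example, not code from the book or from Puppet itself. It assumes the listing format of `puppet cert list --all` as printed by Puppet 3.x/4.x (a `+` prefix for signed certificates, `-` for revoked ones, two leading spaces for a pending request), that `puppet cert clean` removes the host's files and revokes the certificate if that has not happened yet, and that the master runs as a systemd unit named `puppetmaster`; the service name, the sample hostnames and the shortened fingerprints are placeholders to adapt. The signing helper deliberately refuses any name that is not actually pending, so a typo or an unexpected request is not signed by accident.

```shell
#!/bin/sh
# Added helper script (not from the book): wraps the agent lifecycle steps
# described above. Commands are taken from variables so they can be swapped
# for stubs in tests or for a different service manager.
: "${PUPPET_CERT:=puppet cert}"
: "${MASTER_RESTART:=systemctl restart puppetmaster}"   # placeholder unit name

# Constructed sample output of `puppet cert list --all` (Puppet 3.x/4.x format,
# assumed): '+' = signed, '-' = revoked, two leading spaces = pending request.
# Hostnames are invented and fingerprints are shortened placeholders.
SAMPLE_LISTING='+ "puppetmaster.example.net" (SHA256) 11:22:33:44
  "web01.example.net" (SHA256) AA:BB:CC:DD
- "old-db.example.net" (SHA256) EE:FF:00:11
  "web02.example.net" (SHA256) 22:33:44:55'

# Print the FQDNs whose certificates are in the given state
# (pending, signed or revoked). Exit status 2 on an unknown state.
certs_in_state() {
    case "$1" in
        signed)  prefix='+ ' ;;
        revoked) prefix='- ' ;;
        pending) prefix='  ' ;;
        *) echo "certs_in_state: unknown state '$1'" >&2; return 2 ;;
    esac
    $PUPPET_CERT list --all | awk -v p="$prefix" '
        # keep lines carrying the wanted prefix and print the quoted hostname
        substr($0, 1, 2) == p && match($0, /"[^"]+"/) {
            print substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# Sign the named requests only. A name that is not actually pending is
# refused, which catches typos and requests you did not expect to see.
sign_requests() {
    pending=$(certs_in_state pending) || return 1
    for fqdn in "$@"; do
        if printf '%s\n' "$pending" | grep -qxF -- "$fqdn"; then
            $PUPPET_CERT sign "$fqdn" || return 1
        else
            echo "sign_requests: no pending request for '$fqdn'" >&2
            return 1
        fi
    done
}

# Decommission an agent: revoke its certificate (the command shown in the
# text), clean its files off the master, then restart the master service,
# because the updated CRL is not honored until that happens.
decommission_agent() {
    fqdn="$1"
    [ -n "$fqdn" ] || { echo "usage: decommission_agent <fqdn>" >&2; return 2; }
    $PUPPET_CERT revoke "$fqdn" &&
        $PUPPET_CERT clean "$fqdn" &&
        $MASTER_RESTART
}

# Command-line entry point:
#   sh puppet-lifecycle.sh pending|signed|revoked
#   sh puppet-lifecycle.sh sign <fqdn>...
#   sh puppet-lifecycle.sh decommission <fqdn>
# With no argument nothing runs, so the functions can also be sourced.
case "${1:-}" in
    pending|signed|revoked) certs_in_state "$1" ;;
    sign)                   shift; sign_requests "$@" ;;
    decommission)           decommission_agent "$2" ;;
esac
```

Run `sh puppet-lifecycle.sh pending` on the master in place of a bare `puppet cert list` when you want only the hostnames, for example to feed them into a review step before signing. Setting `PUPPET_CERT` or `MASTER_RESTART` in the environment swaps the underlying commands without editing the script.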