Detailed explanation of puppet (8) - puppet automation

Today, I will continue to introduce you to the relevant knowledge of Linux operation and maintenance. The main content of this article is the automation operation in puppet.

1. Puppet client automatic authentication

Earlier we introduced many basic operations of puppet, and we can already use puppet to manage downstream devices in batches. However, the level of automation so far is not high. In the production environment of a large enterprise, what we want is that after the system is installed through PXE or cobbler, the device automatically installs the puppet client, and the puppet client then automatically completes the basic software installation and environment configuration without manual participation. The first prerequisite for this is automatic authentication of the puppet client, so that nobody has to authorize each client on the puppet server by hand.
To enable automatic authentication of the puppet client, open the puppet server configuration file /etc/puppet/puppet.conf and add the following under the [main] section:

autosign=true

When done, restart the puppet master service on the puppet server:

systemctl restart puppetmaster

After that, find a puppet client that has not yet requested a certificate and have it request one. The request is signed automatically, and the client obtains its certificate without anyone authorizing it on the puppet server.
PS: how to delete a puppet certificate. In the previous step, there may be no device that has the puppet client installed but has not yet requested a certificate. In that case we can delete the certificate of a client that has already requested one. The deletion steps are as follows:
On the puppet server, execute the command:

puppet cert --clean <client hostname>

On the puppet client, to delete the puppet certificate, execute the command:

rm -rf /var/lib/puppet/ssl/

The client is then back in the state it was in before requesting a certificate.
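autosign=true signs every request that reaches the server. As an added example that is not part of the original article, the following policy script shows the stricter alternative that Puppet 3.4 and later support: set autosign to the script's path instead of true, and Puppet runs it with the certname as its first argument and the PEM CSR on stdin, signing only when it exits 0. The inventory file path, the domain, and the idea that the PXE/cobbler stage writes the expected hostnames into that file are assumptions.

```python
import re
import sys

# Added example (not Puppet's own code): a policy-based autosign script.
# Puppet 3.4+ runs it with the certname as argv[1] and the PEM CSR on stdin;
# exit status 0 means "sign", anything else leaves the request pending.
INVENTORY = "/etc/puppet/provisioned-hosts.txt"   # hypothetical: certnames written by the PXE/cobbler stage
DOMAIN = "example.internal"                       # hypothetical domain the clients belong to
PEM_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

def load_inventory(text):
    """One expected certname per line; blank lines and # comments are ignored."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def should_sign(certname, csr_pem, inventory):
    """Sign only well-formed names in our domain that provisioning told us to expect."""
    name = certname.strip().lower()
    if not HOSTNAME_RE.match(name) or not name.endswith("." + DOMAIN):
        return False                        # malformed certname or outside our domain
    if name not in inventory:
        return False                        # nobody provisioned a host by this name
    return csr_pem.lstrip().startswith(PEM_HEADER)   # stdin really carried a CSR

# Constructed sample inventory and CSR (placeholder body) for stand-alone checks.
SAMPLE_INVENTORY = load_inventory("web01.example.internal\n# pending\ndb01.example.internal\n")
SAMPLE_CSR = PEM_HEADER + "\nMIIB...constructed placeholder...\n-----END CERTIFICATE REQUEST-----\n"

def main(argv=sys.argv, stdin=sys.stdin):
    certname = argv[1] if len(argv) > 1 else ""
    try:
        with open(INVENTORY) as fh:
            inventory = load_inventory(fh.read())
    except OSError:
        inventory = set()                   # missing inventory: sign nothing
    return 0 if should_sign(certname, stdin.read(), inventory) else 1

if __name__ == "__main__":
    sys.exit(main())
```

The script must be executable by the puppet master process; a request that is refused simply stays in the pending list and can still be signed by hand.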

2. Puppet client automatic synchronization

In addition to the hope that the puppet server can perform automatic certificate authentication, we also hope that the puppet client in the production environment can automatically synchronize with the puppet server regularly to obtain its own configuration.
For puppet version 3.6.2 (the version installed by default on CentOS 7), to configure automatic synchronization of the puppet client, open the puppet configuration file on the puppet client and write the following under the [agent] section:

server=puppet-server

By default, the puppet client synchronizes every half hour. To change the interval, add the following under the [agent] section:

runinterval=<custom time>

The custom time is given in seconds.
After completing the above configuration, start the puppet client service:

systemctl start puppet

I used a 20-second interval. Once the configuration was in place, the synchronization records on the puppet server showed the client checking in every 20 seconds.

3. Active push from the puppet server

In fact, besides letting the puppet client actively request its configuration from the puppet server, puppet also allows the puppet server to actively push to the puppet client.
To implement active push, the puppet client must first listen on a port so that it can receive notifications from the puppet server. By default, the puppet client listens on port 8139. Open the client configuration file /etc/puppet/puppet.conf and add the following under the [agent] section:

listen=true

Then, in the /etc/puppet/ directory, create a new namespaceauth.conf file with the following content:

[puppetrunner]
allow *

Then open /etc/puppet/auth.conf and add the following before the path / entry:

path /run
method save
allow *

Note that the block above must be placed before the path / entry. auth.conf rules are evaluated top to bottom and the first matching rule decides, so if the block comes after path /, that catch-all rule matches the request first and the push is rejected with an error like:

Error: Host puppet-client failed: Error 403 on SERVER: Forbidden request: puppet-server(192.168.136.20) access to /run/puppet-client [save] authenticated at :119

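The ordering rule above, as an added example that is not part of the original article: a small Python re-implementation of how Puppet 3.x evaluates auth.conf (prefix path match, optional method and auth restrictions, first matching rule decides, no match means deny), run against two constructed minimal files with the /run block before and after path /. Regex paths, allow_ip and $1 backreferences are left out; the function and file names are this example's own.

```python
# Added example (not Puppet's own code): simplified Puppet 3.x auth.conf evaluation.
# Rules are tried top to bottom; the first rule whose path prefix, method list and
# auth setting all match decides the request, and no match at all means deny.
def parse_auth_conf(text):
    """Parse auth.conf text into rule dicts, remembering each 'path' line number."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            rules.append({"line": lineno, "path": value, "methods": None,
                          "auth": "yes", "allow": []})
        elif rules:                                   # directive inside the current stanza
            if key == "method":
                rules[-1]["methods"] = [m.strip() for m in value.split(",")]
            elif key == "auth":
                rules[-1]["auth"] = value
            elif key == "allow":
                rules[-1]["allow"] += [a.strip() for a in value.split(",")]
    return rules

def authorize(rules, path, method, host, authenticated=True):
    """Return (allowed, line of the deciding rule); (False, None) if nothing matched."""
    for rule in rules:
        if not path.startswith(rule["path"]):
            continue
        if rule["methods"] is not None and method not in rule["methods"]:
            continue                                  # Puppet's :dunno, try the next rule
        if (rule["auth"] == "yes" and not authenticated) or (rule["auth"] == "no" and authenticated):
            continue
        return ("*" in rule["allow"] or host in rule["allow"], rule["line"])
    return (False, None)

# Constructed minimal auth.conf fragments in the two orders the article discusses.
RUN_RULE = "path /run\nmethod save\nallow *\n"
CATCH_ALL = "path /\nauth any\n"          # the default deny-everything-else stanza
GOOD_CONF = RUN_RULE + CATCH_ALL          # /run block placed before 'path /'
BAD_CONF = CATCH_ALL + RUN_RULE           # /run block placed after 'path /'

def kick_allowed(conf, client="puppet-client", server="puppet-server"):
    # The request a kick sends to the agent's listener: the master saves /run/<client>.
    return authorize(parse_auth_conf(conf), "/run/" + client, "save", server)

if __name__ == "__main__":
    print("run block first:", kick_allowed(GOOD_CONF))   # (True, 1)
    print("run block last: ", kick_allowed(BAD_CONF))    # (False, 1): a 403 citing line 1
```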
After completing the above configuration, restart the puppet client.
On the puppet server, try the active push function of the puppet server and execute the command:

puppet kick -d puppet-client

The execution result is as follows:
insert image description here
PS: tip
If the puppet server needs to push to several puppet clients at once, write the client hostnames to a file, for example puppet_client.txt, and execute:

puppet kick -d `cat puppet_client.txt`

That's it.
Originality is not easy, please indicate the source for reprinting: https://blog.csdn.net/weixin_40228200

Origin blog.csdn.net/weixin_40228200/article/details/123689751