Puppet should run in a client-server architecture. How do we set that up?
1. Client configuration
In /etc/puppet/puppet.conf, add the server information:
    [main]
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    ssldir=/var/lib/puppet/ssl
    rundir=/var/run/puppet
    factpath=$vardir/lib/facter
    templatedir=$confdir/templates
    prerun_command=/etc/puppet/etckeeper-commit-pre
    postrun_command=/etc/puppet/etckeeper-commit-post
    server=server.lab2.unix4you.net

    [master]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
2. Generate a certificate request
Generate a certificate request by running the command "puppet agent --test":
    root@ziutus:/etc/puppet# puppet agent --test
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for ziutus.uh.net.pl
    info: Certificate Request fingerprint (md5): 93:66:61:BF:6A:0E:1D:73:15:87:83:96:D0:A1:55:00
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled
3. Sign the certificate
Check which certificate requests are waiting to be signed:
    root@server:/etc/puppet# puppet cert list
    gateway.linuxexpert.pl (93:66:61:BF:6A:0E:1D:73:15:87:83:96:D0:A1:55:B2)
Sign the certificate:
    root@server:/etc/puppet# puppet cert sign gateway.linuxexpert.pl
    notice: Signed certificate request for gateway.linuxexpert.pl
    notice: Removing file Puppet::SSL::CertificateRequest gateway.linuxexpert.pl at '/var/lib/puppet/ssl/ca/requests/gateway.linuxexpert.pl.pem'
4. Test the connection from the client
    root@ziutus:/etc/puppet# puppet agent --test
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for gateway.linuxexpert.pl
    info: Caching certificate_revocation_list for ca
    info: Caching catalog for gateway.linuxexpert.pl
    info: Applying configuration version '1337757337'
    info: Creating state file /var/lib/puppet/state/state.yaml
    notice: Finished catalog run in 0.03 seconds
5. On the server, define a manifest that says which settings should be assigned to the client:
    ziutus@server:/etc/puppet/manifests$ cat site.pp
    node "gateway.linuxexpert.pl" {
      include aliases
      include knockd
      include openvpn
    }
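
Before signing in step 3, the fingerprint shown by "puppet cert list" should equal the one the agent printed in step 2. The script below is an added example, not part of the original post: it parses the two output formats shown above (the function names are hypothetical) and only proposes "puppet cert sign" when the fingerprints agree. Its sample lines are the ones from steps 2 and 3, whose fingerprints differ in the last byte, plus one constructed matching line.

```sh
#!/bin/sh
# Added example: check a pending CSR against the agent's fingerprint before signing.

# Lines copied from the transcripts in steps 2 and 3 of this page.
AGENT_OUT='info: Certificate Request fingerprint (md5): 93:66:61:BF:6A:0E:1D:73:15:87:83:96:D0:A1:55:00'
MASTER_OUT='gateway.linuxexpert.pl (93:66:61:BF:6A:0E:1D:73:15:87:83:96:D0:A1:55:B2)'
# Constructed line: what the master would list if it held the agent's request.
MASTER_OK='gateway.linuxexpert.pl (93:66:61:bf:6a:0e:1d:73:15:87:83:96:d0:a1:55:00)'

# Print the CSR fingerprint found in "puppet agent --test" output ($1), upper-cased.
agent_fp() {
    printf '%s\n' "$1" |
        sed -n 's/.*Certificate Request fingerprint ([^)]*): *\([0-9A-Fa-f:]*\).*/\1/p' |
        head -n 1 | tr 'a-f' 'A-F'
}

# Print the fingerprint listed for host $2 in "puppet cert list" output ($1).
# Handles the "host (fingerprint)" layout shown on this page.
pending_fp() {
    printf '%s\n' "$1" |
        awk -v h="$2" '$1 == h { gsub(/[()]/, "", $2); print toupper($2); exit }'
}

# Succeed only if host $3 has a pending request with the agent's fingerprint.
csr_matches() {
    a=$(agent_fp "$1")
    m=$(pending_fp "$2" "$3")
    [ -n "$a" ] && [ -n "$m" ] && [ "$a" = "$m" ]
}

# Print the decision; the sign command is shown, not executed.
decide() {
    if csr_matches "$1" "$2" "$3"; then
        echo "OK: puppet cert sign $3"
    else
        echo "REFUSE: fingerprint for $3 is missing or differs from the agent's"
    fi
}

decide "$AGENT_OUT" "$MASTER_OUT" gateway.linuxexpert.pl
decide "$AGENT_OUT" "$MASTER_OK" gateway.linuxexpert.pl
```

In real use, pass the agent's output (carried over a trusted channel) as the first argument and the output of "puppet cert list" on the master as the second.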