Puppet: remote clients are not updated by puppetmaster [duplicate]

This question already has an answer here:

I'll start by saying that I'm new to Puppet. I have 2 servers; one is called puppetmaster and the other puppetclient. I installed puppet-3.2.2 and created a few basic node.pp files; the nodes.pp file includes settings for both puppetmaster and puppetclient. When I apply the corresponding manifest, the changes affect only the puppet master, not the client. On the server I see the following error:

[root@puppetmaster puppet]# puppet apply manifests/nodes.pp 
hostname: Unknown host
dnsdomainname: Unknown host
hostname: Unknown host
dnsdomainname: Unknown host
hostname: Unknown host
dnsdomainname: Unknown host
Notice: Finished catalog run in 0.71 seconds
[root@puppetmaster puppet]#

This happens even though the DNS server is configured in /etc/sysconfig/network-scripts/ifcfg-eth0 and in /etc/resolv.conf. When checking the puppetmaster log, I see the following error:

[2013-08-08 11:03:00] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:34:in `accept'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:34:in `listen'
    /usr/lib/ruby/1.8/webrick/server.rb:173:in `call'
    /usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
    /usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
    /usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
    /usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:32:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `initialize'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `new'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:28:in `synchronize'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:28:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:92:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:104:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:137:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:215:in `main'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:165:in `run_command'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:456:in `plugin_hook'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:504:in `exit_on_fail'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:132:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:86:in `execute'
    /usr/bin/puppet:4
[root@puppetmaster ~]#

The puppet log on the client is empty. I did some research online and found that the old version has a command called puppetca, but it doesn't seem to be part of version 3.2.2. Does anyone know how to get this working?

0
asked 8 August 2013 at 11:18
1 answer

Firstly, you should be using the PuppetLabs Yum repositories - details here.


Secondly, you should either be using Passenger or Mongrel behind Apache - WEBrick is a very basic web-server and will not scale well beyond one or two nodes. Using Passenger is the most scalable option and is relatively easy to set up, so it should save you bundles of time in the long run. Take a look at the PuppetLabs Passenger docs for more details.

Your DNS should be set up so that the CNAME puppet.mydomain (replacing mydomain with your FQDN) should point to your master - this is how nodes will automatically discover your master. If they cannot find puppet.mydomain and no further configuration is provided on either the CLI or in /etc/puppet/puppet.conf, the nodes will not be able to contact the master.

When running Puppet on the master, you can use puppet apply --modulepath=/etc/puppet/modules /etc/puppet/manifests/site.pp to bootstrap your master's configuration (Puppet can - and ideally should - be used to configure the master itself), and subsequent runs can be run by invoking either puppet agent --test or the puppet apply command above.


Thirdly, you should be using Puppet modules instead of adding configuration to manifests/nodes.pp. Take this example:

manifests/nodes.pp:

node mynode {
  include mymodule
}

modules/mymodule/init.pp:

class mymodule {
  file { '/path/to/some/file':
    ensure => file,
    owner  => 'myuser',
    group  => 'mygroup',
    mode   => '0755',
    source => 'puppet:///modules/mymodule/myfile',
  }
}

In this example, your module will deploy the file, and your node definition within your manifest uses include to import the module into that node's manifest.


The puppetca command has been superseded by puppet cert. Once you have your master configured, you will need to use this command to sign your nodes' certificates. Example:

On node: puppet agent --test (generate the SSL certificate and ship it to the master)

On master: puppet cert list (to list the outstanding unsigned certificates)

On master: puppet cert sign mynode.myfqdn (to sign the node's certificate)

On node: puppet agent --test (to re-run Puppet, now that your node's certificate has been signed)

0
answered 5 December 2019 at 15:08
