
puppetmaster client configuration

2013-03-19 11:24 99 查看
puppet master connecting to a client:
[align=left] [/align]
[align=left] [/align]
一 client: listen on port 8139
[align=left] [/align]
1, edit /etc/puppet/puppet.conf
[align=left] [/align]
[align=left][root@aa-test-01 puppet]# vim /etc/puppet/puppet.conf[/align]
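[agent]
    # Accept incoming run requests (puppet kick) on port 8139.
    # Incoming requests are still subject to the /run stanza in auth.conf.
    listen = true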
[align=left] [/align]
[align=left][root@aa-test-01 puppet]# cat /etc/puppet/puppet.conf[/align]
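[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

    # The puppet master this agent talks to. The same name is the only
    # one granted access to /run in auth.conf, so keep the two in sync.
    server = aa-config-01.puppet.com

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Accept incoming run requests (puppet kick) on port 8139.
    # Access is restricted by the /run stanza in auth.conf; NOTE(review):
    # consider also limiting reachability of 8139 to the master host.
    listen = true

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig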
[align=left][root@aa-test-01 puppet]#[/align]
[align=left] [/align]
[align=left] [/align]
[align=left]2, auth.conf[/align]
[align=left] [/align]
[align=left][root@aa-test-01 puppet]# vim auth.conf[/align]
add the following stanza (the allowed name must be the master's certname, aa-config-01.puppet.com, matching the server setting in puppet.conf):
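# allow only the master to trigger an agent run via puppet kick.
# "allow" is matched against the certname presented by the connecting
# client, so this must be the master's certname exactly
# (aa-config-01.puppet.com, the same host as server= in puppet.conf).
path /run
method save
allow aa-config-01.puppet.com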
[align=left][root@aa-test-01 puppet]# cat auth.conf[/align]
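# This is an example auth.conf file, which implements the
# defaults used by the puppet master.
#
# The ACLs are evaluated in top-down order. More general
# stanzas should be towards the bottom of the file and more
# specific ones at the top, otherwise the general rules
# take precedence and later rules will not be evaluated.
#
# Supported syntax:
# Each stanza in auth.conf starts with a path to match, followed
# by optional modifiers, and finally, a series of allow or deny
# directives.
#
# Example Stanza
# ---------------------------------
# path /path/to/resource # simple prefix match
# # path ~ regex # alternately, regex match
# [environment envlist]
# [method methodlist]
# [auth[enticated] {yes|no|on|off|any}]
# allow [host|backreference|*]
# deny [host|backreference|*]
# allow_ip [ip|cidr|ip_wildcard|*]
# deny_ip [ip|cidr|ip_wildcard|*]
#
# The path match can either be a simple prefix match or a regular
# expression. `path /file` would match both `/file_metadata` and
# `/file_content`. Regex matches allow the use of backreferences
# in the allow/deny directives.
#
# The regex syntax is the same as for Ruby regex, and captures backreferences
# for use in the `allow` and `deny` lines of that stanza
#
# Examples:
# path ~ ^/path/to/resource # equivalent to `path /path/to/resource`
# allow *
#
# path ~ ^/catalog/([^/]+)$ # permit access only for the
# allow $1 # node whose cert matches the path
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#

### Authenticated paths - these apply only when the client
### has a valid certificate and is thus authenticated

# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their reports
path /report
method save
allow *

# allow only the master (by its certname) to trigger an agent run
# via puppet kick. auth is left at its default (yes), so this stanza
# only matches requests made with a valid certificate; anything else
# for /run falls through to the deny-everything default at the bottom.
path /run
method save
allow aa-config-01.puppet.com

# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.

# allow access to the master CA
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is deny everything else

path /
auth any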
[align=left][root@aa-test-01 puppet]#[/align]
[align=left] [/align]
[align=left] [/align]
[align=left] [/align]
二 puppetmaster
[align=left][root@aa-config-01 ~]# puppet kick -d --host aa-test-01.puppet.com[/align]
[align=left] [/align]
[align=left] [/align]
[align=left]Debug: /File[/var/lib/puppet/ssl/private_keys/aa-config-01.puppet.com.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys][/align]
[align=left]Debug: /File[/var/lib/puppet/ssl/public_keys/aa-config-01.puppet.com.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys][/align]
[align=left]Debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet][/align]
[align=left]Debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet][/align]
[align=left]Debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl][/align]
[align=left]Debug: Finishing transaction 70364485678960[/align]
[align=left]Getting status[/align]
[align=left]status is success[/align]
[align=left]aa-test-01.puppet.com finished with exit code 0[/align]
[align=left]Finished[/align]
[align=left] [/align]
[align=left] [/align]
[align=left] [/align]