在我的工作场所,我们有一些计算机实验室。在这些实验室中,每台计算机都有操作系统窗口和Linux。这两个系统都在我们的AD域中。
我做了一个测试实验室,我有一个功能木偶服务器。我将一些节点/代理设置为root,并且当我运行puppet agent -t时,一切正常。
问题:
当我在linux机器上使用域用户(例如:xiru)登录并运行puppet agent -t命令时,会生成一个新证书,但会发生错误警告它与服务器不匹配'证书。
对于域用户,puppet在路径上创建新证书:/home/<user>/.puppetlabs/etc/puppet/ssl
测试中的Linux机器名称:
我尝试在puppet conf上设置certname变量,但错误仍然存在。
[main]
certname = mint-client.mycompany.intra
[agent]
server = puppet.mycompany.intra
如何解决这个问题,并使用与我通过root用户配置的相同证书进行处理?
答案 0 :(得分:0)
我认为您必须设置您的环境以接受非root用户。
当你运行它时,你是使用sudo还是sudoers上有用户?
如果不是,在puppet docs上有一些提示以非root用户身份运行它......
安装和配置
要正确配置非root代理访问,您需要:
Install a monolithic PE master Install and configure PE agents, disable the puppet service on all nodes, and create non-root users Verify the non-root configuration安装并配置单片母版
As a root user, install and configure a monolithic PE master. Use the web-based installer or the text-mode installer. Use the PE console to make sure no new agents can get added to the MCollective group. a. In the console, click Nodes > Classification, and in the PE Infrastructure group, select the PE MCollective group. b. On the Rules tab, under Fact, locate aio_agent_version and click Remove. c. Commit changes.安装和配置PE代理并创建非root用户
1. On each agent node, install a PE agent while logged in as a root user. Refer to the instructions for installing agents. 2. As a root user, log in to an agent node, and add the non-root user with puppet resource user <UNIQUE NON-ROOT USERNAME> ensure=present managehome=true. Note: Each and every non-root user must have a unique name. 3. As a root user, still on the agent node, set the non-root user’s password. For example, on most *nix systems run passwd
4. By default, the puppet service runs automatically as a root user, so it needs to be disabled. As a root user on the agent node, stop the service by running puppet resource service puppet ensure=stopped enable=false. 5. Disable the MCollective service on the agent node. As a root user, run puppet resource service mcollective ensure=stopped enable=false. 6. Disable the PXP agent. a. In the console, click Nodes > Classification* and in the PE Infrastructure group, select the PE Agent group. b. On the Classes tab, select the puppet_enterprise::profile::agent class, and set the parameter pxp_enabled to false. 7. Change to the non-root user. Tip: If you wish to use su - <NON-ROOT USERNAME> to switch between accounts, make sure to use the - (-l in some unix variants) argument so that full login privileges are correctly granted. Otherwise you may see “permission denied” errors when trying to apply a catalog. 8. As the non-root user, generate and submit the cert for the agent node. From the agent node, execute the following command: puppet agent -t --certname "<UNIQUE NON-ROOT USERNAME.HOSTNAME>" --server "<PUPPET MASTER HOSTNAME>" This Puppet run submits a cert request to the master and creates a ~/.puppet directory structure in the non-root user’s home directory. 9. As an admin user, log into the console, navigate to the pending node requests, and accept the requests from non-root user agents. Note: It is possible to also sign the root user certificate in order to allow that user to also manage the node. However, you should do so only with great caution as this introduces the possibility of unwanted behavior and potential security issues. For example, if your site.pp has no default node configuration, running agent as non-admin could lead to unwanted node definitions getting generated using alt hostnames, which is a potential security issue. In general, if you deploy this scenario, you should ensure that the root and non-root users never try to manage the same resources,ensure that they have clear-cut node definitions, and ensure that classes scope correctly. As the non-root user, run puppet config set certname <UNIQUE NON-ROOT USERNAME.HOSTNAME> --section agent. 10. As the non-root user, run puppet config set server <PUPPET MASTER HOSTNAME> --section agent. Steps 7 and 8 create and set the configuration for the non-root agent’s puppet.conf, created in /.puppetlabs/etc/puppet/ in the non-root user’s home directory. [main] certname = <UNIQUE NON-ROOT USERNAME.HOSTNAME> server = <PUPPET MASTER HOSTNAME> 11. You can now connect the non-root agent node to the master and get PE to configure it. Log into the agent node as the non-root user and run puppet agent -t.
来源:https://puppet.com/docs/pe/2017.1/deploy_nonroot-agent.html
答案 1 :(得分:0)
检查权限。要使其正常工作,您可以为存储证书的文件夹提供相关权限,以便域用户对证书具有权限。