
puppet master didn't pass agent hostname/fqdn to enc script

Puppet version: 3.6.2

In order to simplify the management of ssl certificates, our puppet agents use the same certname, certname=agent.puppet.com

When puppet master gets a request from an agent (hostname: web00.xxx.com), it executes the Enc script with certname as the parameter.

node_terminus = exec
external_nodes = /home/ocean/puppet/conf/bce_puppet_bns

puppet.log:

2015-05-06 09:55:34 +0800 Puppet (debug): Executing '/home/ocean/puppet/conf/bce_puppet_bns agent.puppet.com'

How do I configure puppet master to pass the agent's real hostname/FQDN to the Enc script, like:

/home/ocean/puppet/conf/bce_puppet_bns web00.xxx.com

Or how can I get the agent's hostname/FQDN in the Enc script?

Don't.

Don't use any info other than $clientcert passed from the agent.

Don't share certificates among different agents.

There are deeply rooted assumptions in Puppet that each agent node has an individual certificate. You will wreak havoc in your infrastructure by trying such stunts.

For example, PuppetDB data is usually grouped by owning agents' certnames. This data will become inconsistent quickly with all agents calling themselves the same, but being quite different of course.
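The question shows the contract the master uses with an exec ENC: the script is run with the certname as its only argument and must print the node's classification as YAML. The script below is an added example (not the asker's bce_puppet_bns script, not Puppet's own code) of an ENC that follows the advice above and classifies from that certname alone; the role table, the xxx.com certname patterns and the `production` environment are constructed for illustration. Run as `./enc.py web00.xxx.com`, it prints the YAML; run with the shared certname `agent.puppet.com`, it has no way to tell which machine is asking, matches nothing, and exits non-zero.

```python
#!/usr/bin/env python
"""Minimal ENC keyed on the certname Puppet passes as the only argument."""
import re
import sys

# Constructed classification table: certname pattern -> node data.
# Only the certname (the CN of the cert the master verified) is consulted;
# nothing the agent reports about itself (hostname fact etc.) is trusted.
ROLES = [
    (re.compile(r"^web\d+\.xxx\.com$"),
     {"classes": ["role::web"], "parameters": {"tier": "frontend"}}),
    (re.compile(r"^db\d+\.xxx\.com$"),
     {"classes": ["role::db"], "parameters": {"tier": "backend"}}),
]


def classify(certname):
    """Return node data for certname, or None when no rule matches."""
    for pattern, data in ROLES:
        if pattern.match(certname):
            return {
                "environment": "production",
                "classes": list(data["classes"]),
                "parameters": dict(data["parameters"]),
            }
    return None


def to_yaml(node):
    """Render the small YAML subset an ENC returns (avoids a PyYAML dependency)."""
    lines = ["---", "environment: %s" % node["environment"], "classes:"]
    lines += ["  - %s" % c for c in node["classes"]]
    lines.append("parameters:")
    lines += ["  %s: %s" % (k, v) for k, v in sorted(node["parameters"].items())]
    return "\n".join(lines) + "\n"


def main(argv):
    """CLI contract: argv[1] is the certname; YAML on stdout, exit 0 on success."""
    if len(argv) != 2:
        sys.stderr.write("usage: %s <certname>\n" % argv[0])
        return 2
    node = classify(argv[1])
    if node is None:
        # Unknown certname: report it and exit non-zero rather than guessing a
        # classification from anything the agent could have supplied itself.
        sys.stderr.write("no classification for %r\n" % argv[1])
        return 1
    sys.stdout.write(to_yaml(node))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The point of the shape: a per-node certificate makes `certname` a master-verified identity, so the classification decision needs no other input; once several agents present the same certificate, the ENC cannot distinguish them no matter what it is passed.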

Ensure puppetmaster says this:

 [master]
   node_name = facter

Alter auth.conf so that all the sections have the "agent.puppet.com" cert, like this:

# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow agent.puppet.com

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
allow agent.puppet.com

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1
allow agent.puppet.com

That's just puppetmaster <=> client; Felix is right that if you are using puppetdb, that would have to be altered too.
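What the extra `allow agent.puppet.com` lines grant is easy to miss when reading auth.conf by eye, so here is the posted configuration run through a small rule evaluator. This is an added example, not code from the answer or from Puppet itself; it models only the `path`, `method` and `allow` directives and assumes Puppet 3's rule order (the first stanza whose path and method match decides the request, `$1` expands from the path regex, and a request no stanza covers is denied). The fleet names are constructed. With a per-node certificate, `web00.xxx.com` can fetch only its own catalog; the holder of the shared certificate can fetch every node's catalog and node definition, which is the loss of per-node identity Felix's answer warns about. Note also that `node_name = facter` makes the master take the node name from the agent's own hostname fact rather than from the certificate, so the name that reaches the ENC is then chosen by the client.

```python
import re

# Constructed copy of the auth.conf stanzas shown in the answer above.
AUTH_CONF = """\
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow agent.puppet.com

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
allow agent.puppet.com

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1
allow agent.puppet.com
"""


def parse_auth_conf(text):
    """Parse path/method/allow stanzas; other directives are not modelled here."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            regex = value.startswith("~")
            current = {"regex": regex,
                       "path": value[1:].strip() if regex else value,
                       "methods": None, "allow": []}
            stanzas.append(current)
        elif current is None:
            raise ValueError("directive before any path: %r" % line)
        elif key == "method":
            current["methods"] = set(v.strip() for v in value.split(","))
        elif key == "allow":
            current["allow"].extend(v.strip() for v in value.split(","))
    return stanzas


def is_allowed(stanzas, certname, method, path):
    """Assumed Puppet 3 model: the first stanza whose path and method match
    decides; $N in its allow list expands from the path regex; a request no
    stanza covers is denied."""
    for stanza in stanzas:
        if stanza["regex"]:
            match = re.search(stanza["path"], path)
            if not match:
                continue
        elif not path.startswith(stanza["path"]):
            continue
        if stanza["methods"] is not None and method not in stanza["methods"]:
            continue
        for entry in stanza["allow"]:
            if entry == "*":
                return True
            if stanza["regex"] and entry.startswith("$"):
                entry = match.group(int(entry[1:]))
            if entry == certname:
                return True
        return False
    return False


def catalogs_fetchable_by(stanzas, certname, nodes):
    """Nodes whose catalog the holder of certname may retrieve under these rules."""
    return [n for n in nodes
            if is_allowed(stanzas, certname, "find", "/catalog/%s" % n)]


if __name__ == "__main__":
    rules = parse_auth_conf(AUTH_CONF)
    fleet = ["web00.xxx.com", "web01.xxx.com", "db00.xxx.com"]  # constructed names
    for cert in ("web00.xxx.com", "agent.puppet.com"):
        print("%s may fetch catalogs for: %s"
              % (cert, catalogs_fetchable_by(rules, cert, fleet)))
```

Feeding a real auth.conf through the same check before deploying it is a cheap way to see which identities a rule change widens, since a catalog carries every secret and credential the manifests place on that node.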
