
How do I get Puppet Master to run a manifest against a Puppet Agent node when there are different errors?

I have set up a puppet master and puppet agent server in one network. I have signed the puppet agent's cert request from the puppet master server. I am trying to run a manifest from Puppet Master against the Puppet agent server, but it is failing. The newManifest.pp on both Puppet Master servers calls the Puppet Agent through its FQDN. The /etc/hosts file on both servers has the entries of the FQDN of both servers and their IP addresses. I can ping each server from the other. I can SSH from each server to the other.

All four of these servers in both networks have CentOS 7 as the OS with open source Puppet version 3.8.4. The firewalls are turned off on all four machines. These ports are not blocked on any intermediate path: 22, 443, 8140, and 61610 on either network between the Puppet Master and Puppet Agent servers.

In network one, I expect manifests to compile. They never have.

I tried this with sshd_config to use ports 22, 443, 8140, and 61610 on both the Puppet Master and Puppet agent. When I use this from the puppet master:

puppet agent -t newManifest.pp --server='foobar.acme.com'

I get an error:

Unable to fetch my node definition, but the agent will continue: Warning: Connection refused - connect(2).

I tried again with sshd_config to not use any ports specifically. I recycled the sshd_config services. I run the same command:

puppet agent -t newManifest.pp --server='foobar.acme.com'

I get a different error:

Unable to fetch my node definition, but the agent run will continue: connection refused - connect(2).

I then tried this command (with no explicit server designation):

puppet agent -t newManifest.pp

This time, I get this error:

Unable to fetch my node definition, but the agent will continue: Network is unreachable.

In network two, I expect manifests to work. They never have.

I tried this with sshd_config to use ports 22, 443, 8140, and 61610 on both the Puppet Master and Puppet agent. When I use this from the puppet master:

puppet agent -t newManifest.pp --server='foobar.acme.com'

I get a different error:

Unable to fetch my node definition, but the agent run will continue: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol.

I tried again with sshd_config to not use any ports specifically. I recycled the sshd_config services. I run the same command:

puppet agent -t newManifest.pp --server='foobar.acme.com'

I get a different error:

Unable to fetch my node definition, but the agent run will continue: connection refused - connect(2).

I then tried this command (with no explicit server designation):

puppet agent -t newManifest.pp

This time, I get this error:

Unable to fetch my node definition, but the agent will continue: No route to host - connect(2).

The errors between network one and two are different except when sshd_config is not using any specific ports and the command to compile the manifest explicitly sets the FQDN. Why is this? What is wrong? I have tried to set up Puppet twice just to fix the first instance. I cannot completely reproduce the specific problems in the first network.

How do I get the Puppet Master server to compile a manifest? The puppet agents have signed certificates. I don't understand why the compilation of the manifests always fails.

You have at least two entirely separate groups of problems.

First, as @daxelrod commented, the Puppet agent just doesn't work like that. The point of master / agent mode is that the master decides what the node's configuration is supposed to be. Furthermore, the master does not serve manifest files to agents; rather, it evaluates whatever manifests and data are necessary for it to build a "catalog" of resources for the agent to apply. It is these catalogs that the master serves.

If you want the agent to apply only part of its configuration in any given run then you can use the --tags option to direct it to select a specific subset of the resources from its catalog. Tags available for selecting can be specified manually in your manifests, and Puppet automatically tags resources with class name segments based on where they are declared, but this does not break down cleanly along the lines of manifest files.

If you really want to apply specific manifest files to your machines then those manifest files and any data or resources they rely upon must be present on the target machine. In that case, you can use puppet apply instead of using the agent, as @daxelrod observed.


Second, as for your network problems, if indeed

The firewalls are turned off on all four machines. These ports are not blocked on any intermediate path: 22, 443, 8140, and 61610 on either network between the Puppet Master and Puppet Agent servers.

as you say, then about the only other plausible explanation I can see for "connection refused" failures such as the agent reports is that the puppetmaster is not actually running on the machine the agent attempts to connect to, at least not on the port the agent tries to connect on. That might be because of some kind of name resolution problem (i.e. "foobar.acme.com" resolves differently than you expect it to), because the master is configured to listen on a different port than you think, or simply because you did not successfully start it.

The "Network is unreachable" appears simpler to diagnose: if you do not specify a server to the agent via the command line, and you do not configure one in the agent's configuration file, then Puppet tries to connect to a machine named "puppet". This is resolving for you to an address on an unreachable network. (The message would be different if the agent could not resolve the name at all.)

The really interesting error message is the SSL handshaking error:

SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol.

In that case, the client has successfully connected and attempted to start an SSL handshake sequence, but it does not understand the response from the server. Most likely this means that the server is not speaking SSL back to the client at all, but I'm in no position to guess what it is speaking.


Additionally, you mention sshd_config several times in your question, as if that had something to do with the problem. Unless you're doing something very unusual, however, neither sshd nor any of its configuration files has any involvement whatever in Puppet runs.


Overall, I'm inclined to think that you are dealing with a combination of incorrect expectations, poor understanding of the main system and support components, and perhaps an overambitious start. Puppet has fairly good documentation, including for system installation. If you're installing from RPMs (maybe PuppetLabs's) then that will give you a head start, but you will still need to configure both the master and the agent(s) appropriately. I suspect you are falling down somewhere here.

By all means, do try to do this in smaller bites. One master and one agent, on the same network, is about as simple as you can go for a master / agent configuration. Get that working first.
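The answer above separates three distinct failure stages behind the agent's messages: the name does not resolve or resolves to the wrong place, the TCP connection is refused or unroutable, or TCP works but whatever answers on the port is not speaking TLS. A quick way to tell them apart is to probe the stages in order and classify the result. The script below is an added example, not part of the original question or answer and not Puppet's own code; the loopback plaintext listener and the HTTP 400 reply it sends are constructed stand-ins for "some non-TLS service on the master's port", and puppet.invalid is a name chosen only because the .invalid TLD never resolves. The manual equivalents on the CentOS hosts from the question are getent hosts foobar.acme.com on the agent, ss -ltnp | grep 8140 on the master, and openssl s_client -connect foobar.acme.com:8140 from the agent.

```python
"""Probe a Puppet master endpoint the way the agent would reach it: resolve the
name, open a TCP connection, then attempt a TLS handshake, and report which of
the three stages failed.  Constructed example; not Puppet code."""
import errno
import socket
import ssl
import threading

# errno classes behind the messages quoted in the question:
#   ECONNREFUSED -> "Connection refused - connect(2)": nothing is listening there
#   ENETUNREACH  -> "Network is unreachable": no route at all for that subnet
#   EHOSTUNREACH -> "No route to host - connect(2)": route exists, host does not answer
_ERRNO_LABELS = {
    errno.ECONNREFUSED: "refused",
    errno.ENETUNREACH: "unreachable",
    errno.EHOSTUNREACH: "unreachable",
}


def probe(host, port=8140, timeout=3.0):
    """Return (stage, detail); stage is one of resolve-failed, refused,
    unreachable, timeout, connect-error, not-tls, tls-ok."""
    try:
        family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return "resolve-failed", str(exc)

    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except socket.timeout:
        sock.close()
        return "timeout", "no SYN/ACK from %s:%d" % addr[:2]
    except OSError as exc:
        sock.close()
        return _ERRNO_LABELS.get(exc.errno, "connect-error"), str(exc)

    # TCP is up.  Now speak TLS.  Certificate checks are disabled on purpose: the
    # question at this stage is "does the peer speak TLS at all", not "is its cert
    # trusted"; a real agent run still verifies the master against the CA.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except socket.timeout:
        sock.close()
        return "timeout", "peer accepted TCP but never answered the ClientHello"
    except (ssl.SSLError, ConnectionResetError) as exc:
        # The peer answered, but not with a TLS ServerHello: this is the
        # "unknown protocol" / "wrong version number" class of failure.
        sock.close()
        return "not-tls", str(exc)
    detail = "negotiated %s" % tls.version()
    tls.close()
    return "tls-ok", detail


def start_plaintext_server(reply=b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"):
    """Constructed stand-in for a non-TLS service sitting on the master's port.
    Accepts one loopback client, swallows its ClientHello, answers in plaintext.
    Returns the port it listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)      # read the ClientHello so the reply arrives before any RST
            conn.sendall(reply)  # plaintext answer; the client's TLS layer rejects it
        except OSError:
            pass
        finally:
            conn.close()
            listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port():
    """Pick a loopback port nothing is listening on (bind, read it back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    cases = [("plaintext listener", ("127.0.0.1", start_plaintext_server())),
             ("closed port", ("127.0.0.1", closed_loopback_port())),
             ("unresolvable name", ("puppet.invalid", 8140))]
    for label, target in cases:
        stage, detail = probe(*target)
        print("%-20s -> %-14s %s" % (label, stage, detail))
```

Run against a real master, a "refused" result on foobar.acme.com:8140 means exactly what the answer says: check what the name resolves to on the agent and whether the master process is listening on that address and port. A "not-tls" result reproduces the third error in the question: the exact text depends on the OpenSSL build (1.0.x, which CentOS 7 ships, typically reports "unknown protocol", while 1.1 and later report "wrong version number"), but in both cases something accepted the connection and answered with bytes that are not a TLS ServerHello, so the next step is to identify that service, not to touch certificates.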
