How to use multiple different puppet masters from one puppet agent?
There is the need that one puppet agent contacts some different puppet masters.
Reason: there are different groups that create different and independent sets of manifests.
Possible groups and their tasks
Each of these groups should run its own puppet master - the data (manifests and appropriate data) should be strictly separated. If it is possible, one group should even not see / have access to the manifests of the others (we are using MAC on the puppet agent OSes).
Thoughts and ideas that all failed:
Some ways that might be possible but...
My questions:
While I think what you are trying to do here is better tackled by incorporating all of your modules and data onto a single master, and that utilizing environments will be effectively the exact same situation (different masters will provide a different set of modules/data), this can be achieved by implementing a standard multi-master infrastructure (one CA master for cert signing, multiple compile masters with certs signed by the same CA master, configured to forward cert traffic elsewhere) and configuring each master to have whatever you need. You then end up having to specify which master you want to check in to on each run (a cronjob or some other approach), and have the potential for one checkin to change settings set by another (kinda eliminating the hardening/security concept).
I would urge you to think deeper on how to collaborate your varied aspects (git repos for each division's hiera data and modules that have access control) so that a central master can serve your needs (and access to that master would be the only way to get data/modules from everywhere). This type of setup will be complex to implement, but the end result will be more reliable and maintainable. Puppet Inc. may even be able to do consultation to help you get it right.
There are likely other approaches too, just fyi.
I've often found it convenient to multi-home a puppet agent for development purposes, because with a local puppet server you can instantly test manifest changes - there's no requirement to commit, push and r10k deploy environment like there is if you're just using directory environments and a single (remote) puppet server.
I've found the best way to do that is to just vary the path configuration (otherwise you run into problems with eg the CA certs failing to verify against the other server) - a form of your "running multiple instances of puppet agents" suggestion. (I still run them all privileged, so they can all use apt package {} etc.)
For Puppet 3, I'd do this by varying the libdir with --libdir (because the ssldir was under the libdir), but now (Puppet 4+) it looks more sensible to vary the --confdir. So, for example:
$ sudo puppet agent -t # Runs against main puppet server
$ sudo puppet agent -t \
--server=puppet.dev.example.com \
--confdir=/etc/puppetlabs/puppet-dev # Runs against dev puppet server
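Added example, not from either answer: a small sh wrapper around the --confdir approach above, which also gives each master its own vardir, because in Puppet 4+ ssldir defaults to $confdir/ssl but the agent run lock and last-run state live under vardir and would otherwise be shared between the profiles. The profile names, the /etc/puppetlabs/puppet-<name> layout and the cache-<name> vardir naming are assumptions.

```sh
#!/bin/sh
# Added example (not from the original answers): run puppet agent against a
# named master, each master having its own confdir (puppet.conf + ssl/) and
# its own vardir (run lock, last_run_summary.yaml, cached catalog).
# The profile layout $PROFILE_BASE/puppet-<name> and $VAR_BASE/cache-<name>
# is an assumption of this example, not a Puppet convention.
PROFILE_BASE="${PROFILE_BASE:-/etc/puppetlabs}"
VAR_BASE="${VAR_BASE:-/opt/puppetlabs/puppet}"

# Print the agent arguments for a profile, one per line, after checking that
# the profile directory exists and names a server.  Keeping ssldir under the
# per-profile confdir means one master's CA cert is never used to verify
# another; keeping vardir separate means two profiles never share a run lock.
puppet_profile_args() {
    name="$1"
    case "$name" in
        ''|*/*|*..*) echo "bad profile name '$name'" >&2; return 2 ;;
    esac
    confdir="$PROFILE_BASE/puppet-$name"
    if [ ! -f "$confdir/puppet.conf" ]; then
        echo "$confdir/puppet.conf not found" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*server[[:space:]]*=' "$confdir/puppet.conf"; then
        echo "no 'server =' setting in $confdir/puppet.conf" >&2
        return 1
    fi
    printf '%s\n' "--confdir=$confdir" "--vardir=$VAR_BASE/cache-$name"
}

# Test-mode agent run against the named profile; extra args go to puppet.
puppet_run() {
    args=$(puppet_profile_args "$1") || return $?
    shift
    # $args is split on purpose: the two paths contain no whitespace.
    sudo puppet agent -t $args "$@"
}

# Usage: sh puppet-run.sh dev [--noop ...]
if [ $# -gt 0 ]; then
    puppet_run "$@"
fi
```

With a /etc/puppetlabs/puppet-dev/puppet.conf containing `server = puppet.dev.example.com`, `sh puppet-run.sh dev` is the second command from the answer above with the vardir split added.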