
PUPPET - Linux domain machines cert error

At my workplace we have several computer labs. In these labs every computer has both a Windows and a Linux operating system. Both systems are joined to our AD domain.

I built a test lab and have a fully functional puppet server. I set up some nodes/agents as root, and when I run puppet agent -t everything works fine.

Problem:

When I log in to a Linux machine as a domain user (e.g. xiru) and run the puppet agent -t command, a new certificate is generated, but an error message appears warning that it does not match the server's certificate.

For domain users, the new certificate is created under the following path: /home/<user>/.puppetlabs/etc/puppet/ssl

Linux machine names under test:

  • mint-client.mycompany.intra
  • ubuntu-client.mycompany.intra

I tried setting the certname variable in puppet.conf, but the error persists.

[main]
certname = mint-client.mycompany.intra

[agent]
server = puppet.mycompany.intra

How can I fix this so that the setup always uses the same certificate that was configured via the root user?

I think you have to set up your environment to accept non-root users.

When you run it, are you using sudo, or is the user in sudoers?

If not, there are some tips in the puppet docs for running as a non-root user...

Installation and configuration

To correctly configure non-root user agent access, you need to:

  • Install a monolithic PE master
  • Install and configure PE agents, disable the puppet service on all nodes, and create non-root users
  • Verify the non-root configuration

Install and configure a monolithic master

 1. As a root user, install and configure a monolithic PE master. Use the web-based installer or the text-mode installer.
 2. Use the PE console to make sure no new agents can get added to the MCollective group.
    a. In the console, click Nodes > Classification, and in the PE Infrastructure group, select the PE MCollective group.
    b. On the Rules tab, under Fact, locate aio_agent_version and click Remove.
    c. Commit changes.

Install and configure PE agents and create non-root users

 1. On each agent node, install a PE agent while logged in as a root user. Refer to the instructions for installing agents.
 2. As a root user, log in to an agent node, and add the non-root user with puppet resource user <UNIQUE NON-ROOT USERNAME> ensure=present managehome=true.
    Note: Each and every non-root user must have a unique name.
 3. As a root user, still on the agent node, set the non-root user's password. For example, on most *nix systems run passwd
 4. By default, the puppet service runs automatically as a root user, so it needs to be disabled. As a root user on the agent node, stop the service by running puppet resource service puppet ensure=stopped enable=false.
 5. Disable the MCollective service on the agent node. As a root user, run puppet resource service mcollective ensure=stopped enable=false.
 6. Disable the PXP agent.
    a. In the console, click Nodes > Classification and in the PE Infrastructure group, select the PE Agent group.
    b. On the Classes tab, select the puppet_enterprise::profile::agent class, and set the parameter pxp_enabled to false.
 7. Change to the non-root user.
    Tip: If you wish to use su - <NON-ROOT USERNAME> to switch between accounts, make sure to use the - (-l in some unix variants) argument so that full login privileges are correctly granted. Otherwise you may see "permission denied" errors when trying to apply a catalog.
 8. As the non-root user, generate and submit the cert for the agent node. From the agent node, execute the following command:
    puppet agent -t --certname "<UNIQUE NON-ROOT USERNAME.HOSTNAME>" --server "<PUPPET MASTER HOSTNAME>"
    This Puppet run submits a cert request to the master and creates a ~/.puppet directory structure in the non-root user's home directory.
 9. As an admin user, log into the console, navigate to the pending node requests, and accept the requests from non-root user agents.
    Note: It is possible to also sign the root user certificate in order to allow that user to also manage the node. However, you should do so only with great caution as this introduces the possibility of unwanted behavior and potential security issues. For example, if your site.pp has no default node configuration, running agent as non-admin could lead to unwanted node definitions getting generated using alt hostnames, which is a potential security issue. In general, if you deploy this scenario, you should ensure that the root and non-root users never try to manage the same resources, ensure that they have clear-cut node definitions, and ensure that classes scope correctly.
    As the non-root user, run puppet config set certname <UNIQUE NON-ROOT USERNAME.HOSTNAME> --section agent.
 10. As the non-root user, run puppet config set server <PUPPET MASTER HOSTNAME> --section agent.
    Steps 7 and 8 create and set the configuration for the non-root agent's puppet.conf, created in /.puppetlabs/etc/puppet/ in the non-root user's home directory.
    [main]
    certname = <UNIQUE NON-ROOT USERNAME.HOSTNAME>
    server = <PUPPET MASTER HOSTNAME>
 11. You can now connect the non-root agent node to the master and get PE to configure it. Log into the agent node as the non-root user and run puppet agent -t.

Source: https://puppet.com/docs/pe/2017.1/deploy_nonroot-agent.html

Check the permissions. To make this work, you can grant the relevant permissions on the folder where the certificates are stored, so that the domain user has permission over the certificates.
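Added example, not code from the question, from either answer, or from the Puppet docs quoted above. It is a POSIX shell script that applies the quoted non-root procedure to the questioner's own names (user xiru on mint-client.mycompany.intra, master puppet.mycompany.intra): it derives the unique per-user certname, writes that user's own puppet.conf under ~/.puppetlabs/etc/puppet (the same tree the stray certificate appeared in), and checks that root's agent private key is not readable by other local users. The last check is the caveat to the "give the domain user permissions on the certificate folder" suggestion: a user who can read the node's private key can run an agent that authenticates to the master as the node and fetch the node's catalog, so a separate certificate per user, as the docs describe, is the safer fix. Assumptions not on the page: the function names, the scratch directory, and the default PE agent key location /etc/puppetlabs/puppet/ssl/private_keys/<certname>.pem; setup_nonroot_agent needs the real puppet binary and a reachable master, so it is defined but not called.

```shell
#!/bin/sh
# Added example (not from the question, the answers, or the Puppet docs):
# per-user non-root Puppet agent config that does NOT reuse root's node
# certificate, plus a check that root's agent key is not exposed.
# Assumed: function names are ours; default PE key path is
# /etc/puppetlabs/puppet/ssl/private_keys/<certname>.pem.

# Unique certname the quoted procedure requires: <user>.<hostname>.
# One certname per user keeps each user's key pair separate from root's.
nonroot_certname() {
    printf '%s.%s\n' "$1" "$2"
}

# Write the non-root agent's own puppet.conf under <home>/.puppetlabs/etc/puppet.
# This is the file `puppet config set ... --section agent` produces when run as
# that user. umask 077 (in a subshell) keeps the user's config tree private.
write_nonroot_puppet_conf() {
    home=$1; certname=$2; server=$3
    confdir="$home/.puppetlabs/etc/puppet"
    (
        umask 077
        mkdir -p "$confdir"
        cat > "$confdir/puppet.conf" <<EOF
[agent]
certname = $certname
server = $server
EOF
    )
    printf '%s\n' "$confdir/puppet.conf"
}

# Check that an agent private key is not readable by "other". A domain user who
# can read root's node key can run an agent that authenticates as the node and
# pull its catalog; hence a per-user certificate rather than a chmod on root's
# ssl directory. Returns 0 if the key is private, 1 if missing or other-readable.
private_key_is_private() {
    key=$1
    [ -f "$key" ] || return 1
    # POSIX find: -perm -004 matches when the other-read bit is set.
    [ -z "$(find "$key" -perm -004)" ]
}

# Steps 8-10 of the quoted procedure, to be run AS THE NON-ROOT USER on the
# agent node. Not exercised here: it needs puppet and network access.
setup_nonroot_agent() {
    user=$1; host=$2; server=$3
    certname=$(nonroot_certname "$user" "$host")
    puppet config set certname "$certname" --section agent
    puppet config set server "$server" --section agent
    # Submits the CSR for <user>.<host>; sign it on the master, then rerun.
    puppet agent -t --certname "$certname" --server "$server"
}

# Walk-through on the questioner's names, using a scratch directory.
demo() {
    tmp=$(mktemp -d)
    cn=$(nonroot_certname xiru mint-client.mycompany.intra)
    conf=$(write_nonroot_puppet_conf "$tmp/home/xiru" "$cn" puppet.mycompany.intra)
    echo "wrote $conf:"
    cat "$conf"

    # Simulated root node key: first with PE's default mode (0640 root:root),
    # then with the mode a "just open up the ssl folder" fix would leave.
    mkdir -p "$tmp/root-ssl/private_keys"
    key="$tmp/root-ssl/private_keys/mint-client.mycompany.intra.pem"
    : > "$key"
    chmod 0640 "$key"
    private_key_is_private "$key" && echo "0640: node key is private"
    chmod 0644 "$key"
    private_key_is_private "$key" || echo "0644: node key readable by any local user"
    rm -rf "$tmp"
}

demo
```

Run it as the domain user on the agent node after the root-side steps (stopping the puppet service, creating the user) are done; the generated puppet.conf puts certname and server in the [agent] section, which is what puppet config set --section agent writes, so the agent no longer falls back to the host's name and collides with root's already-signed node certificate.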
