Choose a more secure way to perform your puppet update

Source: Internet
Author: User
Tags auth hash rsyslog

In a production environment, some Puppet updates need the nodes to update automatically, some need to be pushed from the puppetmaster, and some need the node update times to be spread out. Here are three ways to update:

2.7 Puppet update modes

2.7.1 Node timed update

[root@agent1 ~]# vim /etc/puppet/puppet.conf

[main]

# Points to the puppetserver
server = puppetserver.rsyslog.org

[agent]

# For convenience during early testing, the client's automatic update mode can be used; set the agent to sync every 5 seconds
runinterval = 5

2.7.2 Node staggered (discrete) update (testing required)

Use Puppet's inline_template function together with a cron scheduled task so that the agents contact the server at staggered times.

cron { "run-puppet":

  command => "/usr/sbin/puppet agent --server=puppetserver.rsyslog.org --test >/dev/null 2>&1",

  minute  => inline_template("<%= hostname.hash % 60 %>"),

}

Note: When there are many nodes, consider mode two in order to reduce the load that hits the puppet server at the same moment.

How it works: a hash is computed from the client's host name (the hash value generated by each hostname is unique) and used as the minute or hour of a scheduled task, so each client runs puppet at a different minute of each hour. This hashing technique is useful for randomizing any cron jobs, which raises the likelihood that they don't interfere with each other. The number generated by the hash can be arbitrarily large; the example above only generates 0-60, which limits the maximum value to 60.
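The hashing step above, as an added Ruby example that is not part of the original article. It assumes SHA-256 as the digest and a constructed list of 600 agent names, and it uses a digest because Ruby 1.9 and later seed String#hash randomly in every process, so a minute taken from `hostname.hash` changes whenever the process that renders the template restarts. Puppet's built-in fqdn_rand function exists for the same purpose.

```ruby
require "digest"
require "erb"
require "rbconfig"

PERIOD = 60 # size of the cron minute field (values 0..59)

# Stable replacement for `hostname.hash % 60`: digest the name instead of
# using String#hash, which Ruby seeds randomly in every process.
def stable_minute(hostname, period = PERIOD)
  Digest::SHA256.hexdigest(hostname).to_i(16) % period
end

# Render the same kind of ERB snippet that inline_template() evaluates.
def render_minute(hostname)
  ERB.new("<%= stable_minute(hostname) %>").result(binding).to_i
end

# String#hash of `hostname` as computed by a freshly started interpreter.
def string_hash_in_new_process(hostname)
  IO.popen([RbConfig.ruby, "-e", "print ARGV[0].hash", hostname], &:read).to_i
end

# Count how many hosts land on each minute (array index = minute).
def distribution(hostnames, period = PERIOD)
  counts = Array.new(period, 0)
  hostnames.each { |h| counts[stable_minute(h, period)] += 1 }
  counts
end

# Constructed sample fleet: agent1..agent600 in the article's example domain.
HOSTS = (1..600).map { |i| "agent#{i}.rsyslog.org" }

if $PROGRAM_NAME == __FILE__
  host = HOSTS.first
  a = string_hash_in_new_process(host)
  b = string_hash_in_new_process(host)
  puts "String#hash in two processes: #{a} vs #{b}"
  puts "stable minute for #{host}: #{render_minute(host)}"
  counts = distribution(HOSTS)
  puts "busiest minute serves #{counts.max} of #{HOSTS.size} agents"
end
```

The busiest-minute figure is the number to watch: it is the peak count of agents that will contact the puppet server in the same minute.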

2.7.3 Server-side push update (puppet kick)

1) Modify the main configuration file on the agent side

[root@agent1 ~]# vim /etc/puppet/puppet.conf

[agent]

listen = true

...

2) Modify /etc/sysconfig/puppet

[root@agent1 ~]# vim /etc/sysconfig/puppet

PUPPET_SERVER=puppetserver.rsyslog.org

...

3) Create a new namespaceauth.conf file

[root@agent1 ~]# vim /etc/puppet/namespaceauth.conf

[puppetrunner]

allow puppetserver.rsyslog.org

4) Modify the auth.conf file (add the new entry before the "path /" entry)

[root@agent1 ~]# vim /etc/puppet/auth.conf

path /run

method save

allow puppetserver.rsyslog.org

auth any

path /

auth any

5) Restart the agent

6) Run the puppetrun command on the puppetmaster to test

[root@puppetserver ~]# puppetrun -p --host agent1.rsyslog.org

Triggering agent1.rsyslog.org

Getting status

status is success

agent1.rsyslog.org finished with exit code 0

Finished

Note: If there are many hosts, you can create a hosts.txt file, add the hostnames of the nodes that need to be updated to it, and then pass it with the --host `cat hosts.txt` parameter.

This article is from the "www.kisspuppet.com" blog, please be sure to keep this source http://kisspuppet.blog.51cto.com/418026/1257718
