First, it helps to understand how Policy-based autosigning works: extra parameters are placed in the CSR so that the CA can check them. Because in Puppet's certificate exchange it is the Agent that initiates the request, the job of modifying the CSR falls on the Agent.
Enabling Policy-based autosigning support on the Master

You can enable Policy-based autosigning by adding the autosign setting to puppet.conf:

To enable policy-based autosigning, set `autosign = <policy executable file>` in the `[master]` section of the CA Puppet master's puppet.conf.

Note here that the value of the autosign setting is a script file; Puppet will run this script for you to validate the Agent's CSR information.
Furthermore, the puppet master must have permission to execute this script, and the script must return 0 (success) or 1 (failure), which decides whether this is a legitimate Agent.

The policy executable file must be executable by the same user as the Puppet master. If not, it will be treated as a certname whitelist file.
Adding authentication information to the Agent's CSR

You can add the csr_attributes.yaml config file to attach extra verification data to the CSR:

Extra data for the CSR is read from the `csr_attributes.yaml` file in Puppet's `confdir`. (The location of this file can be changed with the `csr_attributes` setting.)

```
# in agent
$ vim /etc/puppetlabs/puppet/csr_attributes.yaml
custom_attributes:
  challengePassword: "3c3b8369628dccaef5a107552fba2392"
```

The official docs specifically point out that csr_attributes.yaml must contain at least one of the two parameter types, custom_attributes or extension_requests; the supported keys are listed under CSR attributes and certificate extensions.
Implementing the Policy-based autosigning job

For this post I wrote a Policy-based autosigning example on github; it uses the challengePassword key of the custom_attributes type for verification. The workflow diagram below shows the flow of operations in this demonstration.

Installing the autosign script on the Master

```
# in master
$ git clone https://github.com/shazi7804/puppet-autosign
$ cd puppet-autosign
$ chmod +x setup.sh
$ ./setup.sh install
```

The setup.sh install step installs the autosign script under /opt/autosign (the default) and automatically writes the autosign setting into puppet.conf:

```
$ cat /etc/puppetlabs/puppet/puppet.conf | grep autosign
autosign = /opt/autosign/bin/autosign-verify
```
Generating the challengePassword verification file with autosign

```
$ /opt/autosign/bin/autosign -c example.com
```

This creates a file named example.com whose content is a random challengePassword verification code. The purpose of this file is to let autosign-verify verify the agent's CSR:

```
$ cat /opt/autosign/pks/example.com
8e7e3c22ff92fc614e690a1a7c64b414
```
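As an added illustration of what the `autosign -c <certname>` step above has to do (this is example code written for this post, not the puppet-autosign project's own script), the function below creates the one-time challenge file for a node. It assumes the challenge directory is /opt/autosign/pks as shown on the page, that the token is 16 random bytes rendered as 32 hex characters, and it uses od on /dev/urandom so it does not depend on openssl being installed.

```shell
#!/bin/sh
# Added example, not the puppet-autosign project's code: issue a one-time
# challengePassword file for a node, in the role of `autosign -c <certname>`.
# Assumptions: challenge files live in /opt/autosign/pks/<certname> (the
# page's path) and the token is 16 random bytes printed as 32 hex characters.

# issue_challenge <certname> [dir]
# Writes a fresh token to <dir>/<certname> (mode 0600) and prints it on stdout.
issue_challenge() {
    certname=$1
    dir=${2:-/opt/autosign/pks}
    # The certname becomes a file name, so refuse anything that could leave the directory.
    case $certname in
        ''|*/*|.|..) echo "issue_challenge: invalid certname '$certname'" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    # 16 bytes from /dev/urandom, rendered as lowercase hex (works without openssl).
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ ${#token} -eq 32 ] || return 1
    # umask 077 in a subshell: the secret is never world-readable, not even briefly.
    ( umask 077; printf '%s\n' "$token" > "$dir/$certname" ) || return 1
    printf '%s\n' "$token"
}

# When run directly with a certname (e.g. ./issue-challenge example.com), issue one.
if [ $# -gt 0 ]; then
    issue_challenge "$@"
fi
```

Because the puppet master runs the policy script as the puppet user, the directory this writes into has to be owned by puppet:puppet (as the page notes later); the 0600 mode keeps the token from being readable by other local users while it waits to be consumed.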
Adding the challengePassword credential on the Agent

```
# in agent
$ vim /etc/puppetlabs/puppet/csr_attributes.yaml
custom_attributes:
  challengePassword: "8e7e3c22ff92fc614e690a1a7c64b414"
```

Then submit a request to test whether verification succeeds:

```
$ puppet agent -t
Info: Creating a new SSL key for example.com
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for example.com
Info: Certificate Request fingerprint (SHA256): 70:8E:73:0C:51:5A:0F:D3:1A:D2:7C:8E:5D:9A:D2:F6:A9:B8:90:87:DA:4F:86:49:50:5F:A4:65:71:1B:A8:15
Info: Caching certificate for example.com
Info: Caching certificate for example.com
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for example.com
Info: Applying configuration version '1483296913'
```

Verification succeeded, and the catalog was received and applied.

Check on the Master: the certificate was signed automatically.

```
$ less /var/log/puppetlabs/puppetserver/puppetserver.log
2017-01-02 08:40:55,432 INFO [qtp959974316-68] [p.p.certificate-authority] Signed certificate request for example.com
2017-01-02 08:40:55,802 INFO [qtp959974316-69] [puppetserver] Puppet Caching node for example.com
2017-01-02 08:40:58,634 INFO [qtp959974316-70] [puppetserver] Puppet Caching node for example.com
2017-01-02 08:40:58,988 INFO [qtp959974316-70] [puppetserver] Puppet Compiled catalog for example.com in environment production in 0.24 seconds
```
How can we prove that Policy-based autosigning was really used, rather than the node simply being on a whitelist?

In autosign-verify I added a step that deletes the waiting example.com verification file as soon as verification succeeds, so /opt/autosign/pks only ever contains nodes that have not been verified yet:

```
$ ls -l /opt/autosign/pks/
drwxr-xr-x 2 puppet puppet 4096 Jan 2 08:40 .
drwxr-xr-x 5 puppet puppet 4096 Jan 2 02:54 ..
# example.com was deleted because verification succeeded.
```

Note in particular that puppet performs the verification entirely with the puppet user's privileges, so every action, whether create, remove or anything else, needs the matching permission; that is why everything is owned by puppet:puppet.

The policy executable file must be executable by the same user as the Puppet master. If not, it will be treated as a certname whitelist file.

Special notes:

- To read the agent's CSR from stdin you can use $(cat). While testing, you can extract the text with the following command; requests is the directory where the CSRs of agents waiting to be signed are stored.

```
$ openssl req -noout -text -in /etc/puppetlabs/puppet/ssl/ca/requests/example.com.pem
```
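To tie together the two points above (the verify script reads the CSR from stdin, and a successful check deletes the pending file so it cannot be reused), here is an added example of a policy executable in the shape Puppet expects. It is written for this post and is not the autosign-verify script from the puppet-autosign repository. It assumes challenge files live in /opt/autosign/pks/<certname> (the page's path, overridable through a hypothetical AUTOSIGN_PKS_DIR variable for testing) and that `openssl req -noout -text` prints the attribute as `challengePassword        :<value>`.

```shell
#!/bin/sh
# Added example, not the puppet-autosign project's autosign-verify.
# Puppet invokes a policy executable as:   <script> <certname>
# with the PEM-encoded CSR on stdin, and treats exit 0 as "sign" and any
# other status as "do not sign".
# Assumptions: challenge files are /opt/autosign/pks/<certname> (path from the
# page; AUTOSIGN_PKS_DIR is a hypothetical override) and `openssl req -text`
# prints the attribute as "challengePassword        :<value>".

PKS_DIR=${AUTOSIGN_PKS_DIR:-/opt/autosign/pks}

# extract_challenge_password: reads `openssl req -noout -text` output on stdin
# and prints the first challengePassword value (prints nothing if absent).
extract_challenge_password() {
    sed -n 's/^[[:space:]]*challengePassword[[:space:]]*:\(.*\)$/\1/p' | head -n 1
}

# verify_challenge <certname> <password> [dir]
# Returns 0 and removes the one-time file when the password matches, else 1.
verify_challenge() {
    certname=$1
    password=$2
    dir=${3:-$PKS_DIR}
    # The certname comes from the agent's CSR: never let it walk outside the directory.
    case $certname in
        ''|*/*|.|..) return 1 ;;
    esac
    [ -n "$password" ] || return 1        # CSR carried no challengePassword at all
    file="$dir/$certname"
    [ -f "$file" ] || return 1            # no pending challenge for this node
    expected=$(cat "$file") || return 1
    [ "$expected" = "$password" ] || return 1
    rm -f "$file"                         # one-time use: a second CSR cannot replay it
}

# main <certname>: the entry point Puppet calls, with the CSR PEM on stdin.
main() {
    certname=$1
    # openssl reads the CSR straight from stdin, so no $(cat) capture is needed here.
    csr_text=$(openssl req -noout -text) || { echo "autosign: cannot parse CSR for $certname" >&2; exit 1; }
    password=$(printf '%s\n' "$csr_text" | extract_challenge_password)
    if verify_challenge "$certname" "$password"; then
        echo "autosign: accepted $certname" >&2
        exit 0
    fi
    echo "autosign: rejected $certname" >&2
    exit 1
}

# Only act as the policy executable when Puppet passes a certname.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Two design points worth noting: the certname is treated as untrusted input because it is chosen by the agent, so it is rejected if it could name a path outside the challenge directory, and the file is deleted only after a successful match, which is exactly what makes the empty /opt/autosign/pks listing above meaningful as evidence.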
References:

- autosigning certificate requests
- CSR attributes and certificate extensions
- Config files: csr_attributes.yaml
- Upgrade to newer version of commons-exec (or switch to zt-exec) when STDIN bug is fixed

Original post: 【DevOps】Puppet 4 Automated Deployment - Implementing Policy-based autosigning