Puppet

Mcollective 無法設置完整的 SSL 驗證模式錯誤

  • November 30, 2016

根據“Learning Puppet 4”一書中的手冊,我正在嘗試使用 jorhett/puppet-mcollective 模組設置 MCollective。執行“mco ping”、“mco inventory node_name”等後出現以下錯誤。

警告 2016/08/11 07:21:19:activemq.rb:346:in `rescue in ssl_parameters’ 無法設置完整的 SSL 驗證模式,退回到未驗證:RuntimeError:必須提供證書、密鑰和 ca 以進行驗證SSL 模式

這是我的配置:Hiera 主機名/puppetserver.yaml

# hostname/puppetserver.yaml
classes:
- mcollective::middleware
- mcollective::client
# Middleware configuration
mcollective::client_password: 'VpOS62qqpH3NEVEtP8rQsS2tpq6xwgOJEXsABjYDvoI='
mcollective::middleware::keystore_password: 'k7Dj+On3xGmQPX7CuCxgXaOFwHZFdKICeQQFpWlzg6E='
mcollective::middleware::truststore_password: 'k7Dj+On3xGmQPX7CuCxgXaOFwHZFdKICeQQFpWlzg6E='

Hiera common.yaml

---
puppet::status: 'running'
puppet::enabled: true

# every node installs the server
classes:
 - mcollective::server
# The Puppet Server will host the middleware
mcollective::hosts:
 - 'puppet.example.com'
mcollective::collectives:
 - 'mcollective'
mcollective::connector: 'activemq'
mcollective::connector_ssl: true
mcollective::connector_ssl_type: 'anonymous'
# Access passwords
mcollective::server_password: 'h3Vh7JGGkyWxuehCvScXRwZmIZYRHtDDDxuS1W68XAQ='
mcollective::psk_key: 'y2Z2BzcsRFXCBidywQafyJoELH5bIkmZzXGssLLMVsw='
mcollective::facts::cronjob::run_every: 10
mcollective::server::package_ensure: 'latest'
mcollective::plugin::agents:
 puppet:
   version: 'latest'
mcollective::client::unix_group: vagrant
mcollective::client::package_ensure: 'latest'
mcollective::plugin::clients:
 puppet:
   version: 'latest'

集體伺服器.cfg

# /etc/mcollective/server.cfg
libdir = /usr/libexec/mcollective
libdir = /opt/puppetlabs/mcollective/plugins
classesfile = /opt/puppetlabs/puppet/cache/state/classes.txt
daemonize = 1
direct_addressing = 1
main_collective = mcollective
collectives = mcollective                                                       

# ActiveMQ connector settings:
connector = activemq
plugin.activemq.heartbeat_interval = 30
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppet.example.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = server
plugin.activemq.pool.1.password = h3Vh7JGGkyWxuehCvScXRwZmIZYRHtDDDxuS1W68XAQ=
plugin.activemq.pool.1.ssl = true
plugin.activemq.pool.1.ssl.fallback = true

# Send these messages to keep the Stomp connection alive.
# This solves NAT and firewall timeout problems.
registerinterval = 600

# Security provider
securityprovider = psk
plugin.psk = y2Z2BzcsRFXCBidywQafyJoELH5bIkmZzXGssLLMVsw=

# Facts
factsource = yaml
plugin.yaml = /etc/puppetlabs/mcollective/facts.yaml

# Puppet resource control
plugin.puppet.resource_allow_managed_resources = true
plugin.puppet.resource_type_whitelist = none

# Logging
logger_type = syslog
loglevel = info
logfacility = user

Mcollective 客戶端**.cfg**

# Connector
libdir = /usr/libexec/mcollective
libdir = /opt/puppetlabs/mcollective/plugins
direct_addressing = 1
main_collective = mcollective
collectives = mcollective                                                                                                                                       

connector = activemq
plugin.activemq.heartbeat_interval = 30
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = puppet.example.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = client
plugin.activemq.pool.1.password = VpOS62qqpH3NEVEtP8rQsS2tpq6xwgOJEXsABjYDvoI=
plugin.activemq.pool.1.ssl = true
plugin.activemq.pool.1.ssl.fallback = true

# Security provider
securityprovider = psk
plugin.psk = y2Z2BzcsRFXCBidywQafyJoELH5bIkmZzXGssLLMVsw=
plugin.psk.callertype = uid

# Discovery
default_discovery_method = mc
direct_addressing_threshold = 10
default_discovery_options =

# Miscellaneous settings
color = 1
rpclimitmethod = first

# Performance settings
direct_addressing_threshold = 10
ttl = 60

# Logging
logger_type = console
loglevel = warn

我也遇到了同樣的問題,但我發現在 mcollective/puppet 伺服器上/etc/puppetlabs/mcollective/server.cfg和上添加以下內容(如下所示)解決了我的問題。/etc/puppetlabs/mcollective/client.cfg請務必重新啟動mcollective服務以使效果生效。

我將此添加到client.cfg/server.cfg文件中:

plugin.activemq.pool.1.ssl.key = /etc/puppetlabs/puppet/ssl/private_keys/puppet.esxi.com.pem
plugin.activemq.pool.1.ssl.ca = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
plugin.activemq.pool.1.ssl.cert = /etc/puppetlabs/puppet/ssl/certs/puppet.esxi.com.pem

在我添加條目之前:

[root@puppet ~]# mco ping
warn 2016/11/30 09:02:29: activemq.rb:374:in `rescue in ssl_parameters' Failed to set full SSL verified mode, falling back to u                                                                                                              nverified: RuntimeError: cert, key and ca has to be supplied for verified SSL mode
media.center                             time=13.37 ms
dns1                                     time=53.16 ms
puppet.esxi.com                          time=53.84 ms
keeppass                                 time=54.47 ms
splunk                                   time=55.11 ms
lychee                                   time=55.78 ms
nfs-share                                time=56.41 ms
dns2                                     time=57.09 ms
ansible                                  time=57.68 ms

然後:

[root@puppet ~]# mco ping
media.center                             time=13.44 ms
keeppass                                 time=53.12 ms
nfs-share                                time=54.44 ms
puppet.esxi.com                          time=55.37 ms
dns2                                     time=56.15 ms
ansible                                  time=56.94 ms
dns1                                     time=57.76 ms
splunk                                   time=58.57 ms
lychee                                   time=59.38 ms

引用自:https://serverfault.com/questions/796191