puppet master connect client:
 
 
   client: listen 8139 port
 
1, edit /etc/puppet/
 
[root@aa-test-01 puppet]# vim /etc/puppet/puppet.conf
[agent]
     listen = ture
 
[root@aa-test-01 puppet]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet
 
    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet
 
    # Where SSL certificates are kept.
   # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
server=aa-config-01.puppet.com
[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt
    listen = true
    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
[root@aa-test-01 puppet]#
 
 
2, auth.conf
 
[root@aa-test-01 puppet]# vim auth.conf
add
path /run
method save
allow aa-config.puppet.com
[root@aa-test-01 puppet]# cat auth.conf
# This is an example auth.conf file, which implements the
# defaults used by the puppet master.
#
# The ACLs are evaluated in top-down order. More general
# stanzas should be towards the bottom of the file and more
# specific ones at the top, otherwise the general rules
# take precedence and later rules will not be evaluated.
#
# Supported syntax:
# Each stanza in auth.conf starts with a path to mach, followed
# by optional modifiers, and finally, a series of allow or deny
# directives.
#
# Example Stanza
# ---------------------------------
# path /path/to/resource     # simple prefix match
# # path ~ regex             # alternately, regex match
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|backreference|*]
# deny [host|backreference|*]
# allow_ip [ip|cidr|ip_wildcard|*]
# deny_ip [ip|cidr|ip_wildcard|*]
#
# The path match can either be a simple prefix match or a regular
# expression. `path /file` would match both `/file_metadata` and
# `/file_content`. Regex matches allow the use of backreferences
# in the allow/deny directives.
#
# The regex syntax is the same as for Ruby regex, and captures backreferences
# for use in the `allow` and `deny` lines of that stanza
#
# Examples:
# path ~ ^/path/to/resource    # equivalent to `path /path/to/resource`
# allow *
#
# path ~ ^/catalog/([^/]+)$    # permit access only for the
# allow $1                     # node whose cert matches the path
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#
 
### Authenticated paths - these apply only when the client
### has a valid certificate and is thus authenticated
 
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
 
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
 
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
 
# allow all nodes to store their reports
path /report
method save
allow *
 
# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
 
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.
 
# allow access to the master CA
path /certificate/ca
auth any
method find
allow *
 
path /certificate/
auth any
method find
allow *
 
path /certificate_request
auth any
method find, save
allow *
 
path /run
method save
allow aa-config-01.puppet.com
# this one is not stricly necessary, but it has the merit
# of showing the default policy, which is deny everything else
 
path /
auth any
[root@aa-test-01 puppet]#
 
 
 
二 puppetmast
[root@aa-config-01 ~]# puppet kick -d --host aa-test-01.puppet.com
 
 
Debug: /File[/var/lib/puppet/ssl/private_keys/aa-config-01.puppet.com.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
Debug: /File[/var/lib/puppet/ssl/public_keys/aa-config-01.puppet.com.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
Debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
Debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
Debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
Debug: Finishing transaction 70364485678960
Getting status
status is success
aa-test-01.puppet.com finished with exit code 0
Finished