环境说明

测试环境是几台云主机，主机名根据项目情况命名（也就是说云主机内网域名解析是不行的）。操作系统没特殊说明那么使用的是 Centos6 。

cu2：服务端master，证书服务器ca
cu1/cu3/cu4/cu5: agent

这里列出来的是部署之前的域名情况。一步步的处理域名代码的麻烦。如果想避免不必要的烦恼，请使用 FQDN 加上域。

服务节点证书重新签名

安装后直接测试，默认连接的服务器是 puppet 。所以要么指定 puppet 对应主机，要么加上 –server 参数。

# 默认的 puppet 服务器找不到对应的主机
[root@cu2 ~]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: getaddrinfo: Name or service not known
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: getaddrinfo: Name or service not known
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: getaddrinfo: Name or service not known
Error: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: getaddrinfo: Name or service not known


# 加上 域 后不通，DNS服务器不识别自定义的主机名
[root@cu2 ~]# cat /etc/resolv.conf 
; generated by /sbin/dhclient-script
search ds.ctyun
nameserver 192.168.0.1
[root@cu2 ~]# puppet agent --server cu2.ds.ctyun --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: getaddrinfo: Name or service not known
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: getaddrinfo: Name or service not known
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: getaddrinfo: Name or service not known
Error: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: getaddrinfo: Name or service not known
[root@cu2 ~]# ping cu2.ds.ctyun
ping: unknown host cu2.ds.ctyun


# 传说中用的 -f 参数没L用
[root@cu2 ~]# hostname -i
192.168.0.x
[root@cu2 ~]# hostname -f
cu2


# 加自定义 域 ，并重新设定 FQDN hostname。 修改主机hostname的步骤可以替换成在 /etc/resolv.conf 加 **domain esw.cn**
[root@cu2 ~]# vi /etc/hosts
192.168.0.x cu1 cu1.esw.cn
192.168.0.x cu2 cu2.esw.cn

192.168.0.x cu3 cu3.esw.cn
192.168.0.x cu4 cu4.esw.cn
192.168.0.x cu5 cu5.esw.cn

[root@cu2 ~]# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=cu2.esw.cn
[root@cu2 ~]# hostname cu2.esw.cn
[root@cu2 ~]# hostname
cu2.esw.cn

# 确认
[root@cu2 ~]# puppet config print certname
cu2.esw.cn

[root@cu2 puppet]# dnsdomainname -v
gethostname()=`cu2.esw.cn'
Resolving `cu2.esw.cn' ...
Result: h_name=`cu2'
Result: h_aliases=`cu2.esw.cn'
Result: h_addr_list=`192.168.0.214'

[root@cu2 puppet]# hostname -f -v
gethostname()=`cu2.esw.cn'
Resolving `cu2.esw.cn' ...
Result: h_name=`cu2'
Result: h_aliases=`cu2.esw.cn'
Result: h_addr_list=`192.168.0.214'
cu2


# 清理已经为本机签发的证书
[root@cu2 ~]# puppet cert list -all
+ "cu2.ds.ctyun" (SHA256) A6:30:6D:80:A8:04:60:56:4C:F3:D5:3C:9A:5C:2A:11:6C:A6:A9:F7:6E:5E:A5:37:59:28:5B:B6:E3:D3:73:D5 (alt names: "DNS:puppet", "DNS:cu2.ds.ctyun")

[root@cu2 ~]# puppet cert clean cu2.ds.ctyun
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate cu2.ds.ctyun at '/etc/puppetlabs/puppet/ssl/ca/signed/cu2.ds.ctyun.pem'
Notice: Removing file Puppet::SSL::Certificate cu2.ds.ctyun at '/etc/puppetlabs/puppet/ssl/certs/cu2.ds.ctyun.pem'
Notice: Removing file Puppet::SSL::Key cu2.ds.ctyun at '/etc/puppetlabs/puppet/ssl/private_keys/cu2.ds.ctyun.pem'


# 由于是server节点的证书变更，重启puppetserver会重新生成/签发证书
[root@cu2 ~]# service puppetserver restart
Stopping puppetserver:                                     [  OK  ]
Starting puppetserver:                                     [  OK  ]

[root@cu2 puppet]# tree /etc/puppetlabs/puppet/ssl
/etc/puppetlabs/puppet/ssl
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   ├── requests
│   ├── serial
│   └── signed
│       └── cu2.esw.cn.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── cu2.esw.cn.pem
├── crl.pem
├── private
├── private_keys
│   └── cu2.esw.cn.pem
└── public_keys
    └── cu2.esw.cn.pem

9 directories, 12 files

[root@cu2 ~]# puppet agent --server cu2.esw.cn --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for cu2.esw.cn
Info: Applying configuration version '1461149778'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.01 seconds

Agent 重新签名

涉及到客户端域名错误，需要服务端配合清理签名请求等操作。

# 首先同步 /etc/hosts 到所有agent节点


# cu1 连接 服务器cu2
[root@cu1 ~]# puppet agent --server cu2.esw.cn --test
Info: Creating a new SSL key for cu1.ds.ctyun
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for cu1.ds.ctyun
Info: Certificate Request fingerprint (SHA256): 4F:D6:DC:25:22:D9:44:E5:70:9F:9B:B1:0F:99:B2:AC:F5:5F:50:CE:B7:C3:AF:65:F4:E2:DF:D5:2D:6F:96:07
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled


# 在没有修改 域 的情况下，已经发送了 ds.ctyun 域 的签名请求
# 修改主机域，再发送请求
[root@cu1 ~]# vi /etc/resolv.conf 
; generated by /sbin/dhclient-script
domain esw.cn
search ds.ctyun
nameserver 192.168.0.1

[root@cu1 ~]#  puppet config print certname
cu1.esw.cn

[root@cu1 ~]# puppet agent --server cu2.esw.cn --test
Info: Creating a new SSL key for cu1.esw.cn
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for cu1.esw.cn
Info: Certificate Request fingerprint (SHA256): B8:A1:65:B6:FE:02:87:B1:8D:0A:62:2E:FE:30:DD:B3:3B:C9:A2:B2:A1:50:11:D3:FE:03:6A:81:A6:84:C0:6B
Exiting; no certificate found and waitforcert is disabled


# 此时服务端cu2已包括了 cu1 的两个签名请求信息
[root@cu2 puppet]# puppet cert list -all
  "cu1.ds.ctyun"  (SHA256) 4F:D6:DC:25:22:D9:44:E5:70:9F:9B:B1:0F:99:B2:AC:F5:5F:50:CE:B7:C3:AF:65:F4:E2:DF:D5:2D:6F:96:07
  "cu1.esw.cn" (SHA256) B8:A1:65:B6:FE:02:87:B1:8D:0A:62:2E:FE:30:DD:B3:3B:C9:A2:B2:A1:50:11:D3:FE:03:6A:81:A6:84:C0:6B
+ "cu2.esw.cn" (SHA256) 3D:8E:4E:18:45:F4:8C:9B:71:7C:13:45:0D:8A:6F:A5:6E:22:D5:0E:B1:B0:54:29:47:02:AE:95:8B:E6:A6:B7 (alt names: "DNS:puppet", "DNS:cu2.esw.cn")


# 本地清理 无效的签名请求 或者直接删除ssl目录： rm -rf /var/lib/puppet/ssl
[root@cu1 ~]# puppet certificate_request destroy cu1.ds.ctyun
Notice: Removing file Puppet::SSL::CertificateRequest cu1.ds.ctyun at '/etc/puppetlabs/puppet/ssl/certificate_requests/cu1.ds.ctyun.pem'
1


# 服务端清理 特定客户端无效请求
# http://serverfault.com/questions/574976/puppet-trying-to-configure-puppet-client-for-first-use-but-got-some-problems-wi
[root@cu2 puppet]# puppet node clean cu1.ds.ctyun 
Notice: Removing file Puppet::SSL::CertificateRequest cu1.ds.ctyun at '/etc/puppetlabs/puppet/ssl/ca/requests/cu1.ds.ctyun.pem'
cu1.ds.ctyun


# 服务端签名，客户端agent同步manifest
[root@cu2 puppet]# puppet cert sign cu1.esw.cn
Notice: Signed certificate request for cu1.esw.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu1.esw.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu1.esw.cn.pem'

[root@cu1 ~]# puppet agent --server cu2.esw.cn --test
Info: Caching certificate_revocation_list for ca
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for cu1.esw.cn
Info: Applying configuration version '1461156849'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.01 seconds

其他修改主机域后统一签名：

[root@cu2 puppet]# puppet cert list 
  "cu3.esw.cn" (SHA256) 16:CB:A3:6D:21:69:78:D0:0D:37:1F:A7:C1:86:2E:55:7F:B1:60:77:05:EC:F5:37:81:12:28:73:61:1A:4F:20
  "cu4.esw.cn" (SHA256) CB:80:64:BD:B8:56:56:43:90:11:D4:B2:A9:7B:D8:DC:E4:0C:8D:5A:71:0B:FF:97:65:20:F5:B4:D7:15:11:B6
  "cu5.esw.cn" (SHA256) D6:9A:B0:93:98:94:D2:D2:E3:A9:55:24:EC:7A:E0:13:48:5B:26:16:6C:5A:B6:11:F5:7C:F2:56:E4:DA:D8:31
[root@cu2 puppet]# puppet cert sign --all
Notice: Signed certificate request for cu5.esw.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu5.esw.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu5.esw.cn.pem'
Notice: Signed certificate request for cu4.esw.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu4.esw.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu4.esw.cn.pem'
Notice: Signed certificate request for cu3.esw.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu3.esw.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu3.esw.cn.pem'


# 最终效果
[root@cu2 puppet]# puppet cert list -all
+ "cu1.esw.cn" (SHA256) 46:69:EE:A8:E5:F9:FB:E3:59:63:C5:FC:52:AF:14:43:70:EF:D0:42:70:C4:0E:D2:14:E4:1C:D9:94:F8:9E:E7
+ "cu2.esw.cn" (SHA256) 3D:8E:4E:18:45:F4:8C:9B:71:7C:13:45:0D:8A:6F:A5:6E:22:D5:0E:B1:B0:54:29:47:02:AE:95:8B:E6:A6:B7 (alt names: "DNS:puppet", "DNS:cu2.esw.cn")
+ "cu3.esw.cn" (SHA256) 58:ED:A3:CC:B9:53:34:4B:64:3C:2A:B4:91:AD:0D:8F:AF:EA:B0:5C:A7:73:06:F1:A7:4B:D2:E2:06:B5:21:39
+ "cu4.esw.cn" (SHA256) DD:A2:B9:86:53:29:DB:12:A3:0C:AA:9C:11:68:72:70:72:E2:16:36:8E:20:AC:E5:48:12:36:E2:80:6C:F0:E6
+ "cu5.esw.cn" (SHA256) EE:E6:FB:D2:1A:04:AD:C3:5B:1F:4F:79:C3:B6:36:15:B5:AC:8B:8B:5D:CB:A4:AA:AF:7B:FB:50:0B:83:7E:38

自动签名配置文件

反正都是学习，在无尽的折腾成长。如果是生产环境最好不要清理服务端的已签名证书，不但客户端要重新签，如果安装了puppetdb等其他程序需要签名都得重新配置签名。

注意：如果已经安装官网的步骤安装 PuppetDB ，清理服务端的证书建议通过命令 puppet cert clean DOMAIN 来清理。否则 PuppetDB 中还有对应的证书缓存信息。

# https://tickets.puppetlabs.com/browse/PUP-1426
# 貌似不支持全部清除已签名证书
[root@cu2 ~]# puppet cert clean --all 
Error: Refusing to revoke all certs, provide an explicit list of certs to revoke

# 直接删掉ssl目录
[root@cu2 ~]# puppet master --configprint ssldir
/etc/puppetlabs/puppet/ssl

[root@cu2 ~]# cd /etc/puppetlabs/puppet
[root@cu2 puppet]# ll
...
drwxrwx--x 8 puppet puppet 4096 Apr 20 15:10 ssl

# 注意ssl目录的权限。这里仅删除目录里面的文件
[root@cu2 puppet]# service puppetserver stop
Stopping puppetserver:                                     [  OK  ]
[root@cu2 puppet]# 
[root@cu2 puppet]# rm -rf ssl/*


# 先启动服务看看原来已签名的再连服务器是什么情况
[root@cu2 puppet]# service puppetserver start
Starting puppetserver:                                     [  OK  ]

[root@cu2 puppet]# tree ssl/
ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── requests
│   ├── serial
│   └── signed
│       └── cu2.esw.cn.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── cu2.esw.cn.pem
├── crl.pem
├── private
├── private_keys
│   └── cu2.esw.cn.pem
└── public_keys
    └── cu2.esw.cn.pem


# agent 再请求，会报错。删除 ssl 后，再签名
[root@cu3 ~]# puppet agent --server cu2.esw.cn --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.esw.cn]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.esw.cn]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.esw.cn]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.esw.cn]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.esw.cn]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.esw.cn]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.esw.cn]

[root@cu3 ~]# puppet agent --configprint ssldir
/etc/puppetlabs/puppet/ssl
[root@cu3 ~]# cd /etc/puppetlabs/puppet
[root@cu3 puppet]# rm -rf ssl/*
[root@cu3 puppet]# puppet agent --server cu2.esw.cn --test
Info: Creating a new SSL key for cu3.esw.cn
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for cu3.esw.cn
Info: Certificate Request fingerprint (SHA256): 9D:58:14:C0:CA:DD:51:77:0B:3F:EB:09:02:9B:D6:67:04:FD:48:7A:6E:CB:83:43:8D:5B:A9:78:0C:89:90:5B
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

[root@cu2 puppet]# puppet cert list -all
  "cu3.esw.cn" (SHA256) 9D:58:14:C0:CA:DD:51:77:0B:3F:EB:09:02:9B:D6:67:04:FD:48:7A:6E:CB:83:43:8D:5B:A9:78:0C:89:90:5B
+ "cu2.esw.cn" (SHA256) BA:C4:C9:CC:92:6E:45:2E:B1:7F:BC:15:49:0A:2C:BB:5F:C6:B0:73:EB:6C:21:EA:C8:A6:DD:2D:FE:DF:67:70 (alt names: "DNS:puppet", "DNS:cu2.esw.cn")
[root@cu2 puppet]# puppet cert sign --all
Notice: Signed certificate request for cu3.esw.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu3.esw.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu3.esw.cn.pem'

[root@cu3 puppet]# puppet agent --server cu2.esw.cn --test
Info: Caching certificate for cu3.esw.cn
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for cu3.esw.cn
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for cu3.esw.cn
Info: Applying configuration version '1461205206'
Notice: Applied catalog in 0.01 seconds


# 配置autosign
# https://docs.puppet.com/puppet/4.4/reference/ssl_autosign.html
# 在CA的服务器配置的master节点下配置autosign: Naïve Autosigning
[root@cu2 puppet]# vi puppet.conf 
...
autosign = true
# 或者添加配置文件: Basic Autosigning (autosign.conf)
[root@cu2 puppet]# vi autosign.conf
*.esw.cn

[root@cu2 puppet]# service puppetserver restart
Stopping puppetserver:                                     [  OK  ]
Starting puppetserver:                                     [  OK  ]


# agent 自动重新签名
[root@cu1 ~]# cd /etc/puppetlabs/puppet/
[root@cu1 puppet]# rm -rf ssl/*
[root@cu1 puppet]# 
[root@cu1 puppet]# puppet agent --server cu2.esw.cn --test
Info: Creating a new SSL key for cu1.esw.cn
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for cu1.esw.cn
Info: Certificate Request fingerprint (SHA256): D1:F5:6D:A4:91:57:DF:92:47:98:B7:C6:78:E5:C5:E0:AA:DA:70:90:0D:68:48:09:81:FA:65:98:02:F0:84:A9
Info: Caching certificate for cu1.esw.cn
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for cu1.esw.cn
Info: Applying configuration version '1461205750'
Notice: Applied catalog in 0.02 seconds

[root@cu2 puppet]# puppet cert list -all
+ "cu1.esw.cn" (SHA256) F9:48:1D:85:A7:44:78:71:AA:44:02:3F:98:20:DB:20:B1:DA:10:EC:3A:6A:AE:85:D4:37:EC:9E:20:AB:84:AA
+ "cu2.esw.cn" (SHA256) BA:C4:C9:CC:92:6E:45:2E:B1:7F:BC:15:49:0A:2C:BB:5F:C6:B0:73:EB:6C:21:EA:C8:A6:DD:2D:FE:DF:67:70 (alt names: "DNS:puppet", "DNS:cu2.esw.cn")
+ "cu3.esw.cn" (SHA256) BA:00:57:50:1D:91:40:0D:7D:E4:C5:99:6F:3F:77:D6:E8:C4:71:5B:8D:8C:AB:FA:D0:D4:5C:36:5D:AB:A7:1B
+ "cu4.esw.cn" (SHA256) 96:64:4A:73:EC:D7:A6:0D:73:37:82:33:2D:0D:B3:BF:A6:A8:6B:9B:D4:05:D0:2C:46:3B:E2:22:6E:43:39:91
+ "cu5.esw.cn" (SHA256) 54:48:34:BF:C9:60:8C:4C:D2:9D:C9:A3:52:2E:EB:29:AC:2E:84:2E:9E:34:F1:A3:30:83:46:0E:BF:A9:5D:9A

autosign 除了使用 autosign.conf 配置，还可以使用 shell/命令来进行适配，具体查看官网文档： https://docs.puppet.com/puppet/4.4/reference/ssl_autosign.html

agent执行同步命令每次都要指定server很麻烦，可以修改 puppet.conf 配置，每次执行是从配置文件读取：

[root@cu2 plugins]# vi /etc/puppetlabs/puppet/puppet.conf 
...
[agent]
server = cu2.esw.cn
certname = cu2.esw.cn  # 主机名不确定情况下，可以通过这个来指定当前机器的主机名！！每台机器根据主机单独设置！

命令合集

puppet agent --server cu2.esw.cn --test

puppet cert list -all

puppet node clean cu1.ds.ctyun 
puppet cert clean cu2.ds.ctyun
puppet certificate_request destroy cu1.ds.ctyun

puppet cert sign cu1.esw.cn
puppet cert sign --all

puppet config print certname
puppet master --configprint ssldir
puppet agent --configprint ssldir

–END

Winse Blog

走走停停都是风景, 熙熙攘攘都向最好, 忙忙碌碌都为明朝, 何畏之.

Puppet入门之域名证书

环境说明

服务节点证书重新签名

Agent 重新签名

自动签名配置文件

命令合集

Comments