puppet 横向扩展(三)
Table of Contents
概述
横向扩展实验之三 – 将CA 认证服务和 puppetmaster 分开
实验环境
master 和 node 都是 debian 7.7 i686 系统
2个 puppet master 在机器A 上, 都是 apache 虚拟主机
1个 CA 认证服务在 机器B 上.
实验步骤
机器B 的配置
# 清除 ca-1 上的既有证书
root@ca-1:~# rm -rf /var/lib/puppet/ssl/
# 在机器A 上认证 ca-1
# 补充: master-1 的IP就是 192.168.1.100
# 补充: ca-1 作为agent 连接master-1, 需要配置 /etc/hosts 和 /etc/puppet/puppet.conf
root@ca-1:/var/lib/puppet# puppet agent --test --server=192.168.1.100
Info: Creating a new SSL key for ca-1.puppet.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ca-1.puppet.com
Info: Certificate Request fingerprint (SHA256): C3:CD:C6:8E:34:22:40:8D:32:00:1B:E5:54:E2:C1:C7:96:79:BF:B0:1A:A8:FD:11:B4:32:D6:4F:AE:54:AB:94
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
root@ca-1:/var/lib/puppet# puppet agent --test
Info: Caching certificate for ca-1.puppet.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca-1.puppet.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for ca-1.puppet.com
Info: Applying configuration version '1420697839'
Notice: Finished catalog run in 0.01 seconds
# 将机器A 上的证书移到 ca-1 上 (机器A 之前作为CA服务器, 上面有 node 的认证情况)
root@master-1:~# rsync -PHaze ssh /var/lib/puppet/ssl/ca 192.168.1.101:/var/lib/puppet/ssl/
root@192.168.1.101's password:
sending incremental file list
ca/
ca/ca_crl.pem
1202 100% 0.00kB/s 0:00:00 (xfer#1, to-check=12/14)
ca/ca_crt.pem
1968 100% 1.88MB/s 0:00:00 (xfer#2, to-check=11/14)
ca/ca_key.pem
3243 100% 3.09MB/s 0:00:00 (xfer#3, to-check=10/14)
ca/ca_pub.pem
800 100% 781.25kB/s 0:00:00 (xfer#4, to-check=9/14)
ca/inventory.txt
611 100% 596.68kB/s 0:00:00 (xfer#5, to-check=8/14)
ca/serial
4 100% 3.91kB/s 0:00:00 (xfer#6, to-check=7/14)
ca/private/
ca/private/ca.pass
20 100% 19.53kB/s 0:00:00 (xfer#7, to-check=3/14)
ca/requests/
ca/signed/
ca/signed/ca-1.puppet.com.pem
1956 100% 1.87MB/s 0:00:00 (xfer#8, to-check=2/14)
ca/signed/master-1.puppet.com.pem
2041 100% 1.95MB/s 0:00:00 (xfer#9, to-check=1/14)
ca/signed/node-1.puppet.com.pem
1960 100% 1.87MB/s 0:00:00 (xfer#10, to-check=0/14)
sent 10898 bytes received 218 bytes 1170.11 bytes/sec
total size is 13805 speedup is 1.24
# 修改 ca-1 上默认的 puppetmaster 配置
root@ca-1:~# cat /etc/apache2/sites-available/puppetmaster
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.
# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on
SSLCertificateFile /var/lib/puppet/ssl/certs/ca-1.puppet.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ca-1.puppet.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking; if you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
#!!! RequestHeader 相关内容都要注释掉
#RequestHeader unset X-Forwarded-For
#RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
RackBaseURI /
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
机器A 的配置
就用 puppet横向扩展(一) 中所使用的环境就行
机器B 配置好之后, 修改 apache 的配置, 使之将 CA认证服务指向机器B上的 ca-1
重要的地方, 我加了 #!!! 的注释
# 完整的 proxy 配置如下: 192.168.1.101 就是ca-1 的IP
root@master-1:~# cat /etc/apache2/sites-available/puppetmaster_proxy.conf
# Available back-end worker virtual hosts
# NOTE the use of cleartext unencrypted HTTP.
<Proxy balancer://puppetmasterca>
BalancerMember https://192.168.1.101:8140 #!!! 这里是 https
</Proxy>
<Proxy balancer://puppetmaster>
BalancerMember http://127.0.0.1:18140
BalancerMember http://127.0.0.1:18141
</Proxy>
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProxyEngine on #!!! 这句很重要, 否则无法代理 https 的请求
# SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLProtocol ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
#SSLProtocol ALL -SSLv2
#SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
# Puppet master should generate initial CA certificate.
# ensure certs are located in /var/lib/puppet/ssl
SSLCertificateFile /var/lib/puppet/ssl/certs/master-1.puppet.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# optional to all CSR request, required if certificates distributed to client during provisioning.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# The following client headers record authentication information for downstream workers.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
<Location />
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location>
ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPass / balancer://puppetmaster/
ProxyPassReverse / balancer://puppetmaster/
ProxyPreserveHost On
# log settings
ErrorLog /var/log/apache2/balancer_error.log
CustomLog /var/log/apache2/balancer_access.log combined
CustomLog /var/log/apache2/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
ca 的服务也配置成负载均衡的模式了, 方便追加新的 ca 服务器
测试配置结果
# master-1 上, 清理log, 重启 apache服务
root@master-1:~# rm -f /var/log/apache2/*
root@master-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .
# ca-1 上, 清理log, 重启 apache服务
root@ca-1:~# rm -f /var/log/apache2/*
root@ca-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .
# 新建 agent 发送请求, 注意这个agent 不能是已经认证过的, 否则不会请求 ca-1
root@node-2:~# puppet agent --test
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node-2.puppet.com
Info: Certificate Request fingerprint (SHA256): E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
# master-1 上没有生成证书请求
root@master-1:~# puppet cert list --all
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA
# ca-1 上生成了证书请求, 说明证书服务确实转移到 ca-1 上来处理了, node-2 就是新的agent 请求的证书
root@ca-1:~# puppet cert list --all
"node-2.puppet.com" (SHA256) E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AApuppet 横向扩展(三)的更多相关文章
- puppet 横向扩展(二)
Table of Contents 1. 概述 2. 实验环境 3. 实验步骤 3.1. 机器B 的环境 3.1.1. 安装puppetmaster 以及 apache passenger 3.1.2 ...
- puppet 横向扩展(一)
目录 1. 概述 2. 实验环境 3. 实验步骤 3.1. 创建puppetmaster的rack环境 3.2. 配置文件设置 3.3. 补充说明 3.4. 测试配置结果 3.4.1. 默认的负载均衡 ...
- presto的动态化应用(一):presto节点的横向扩展与伸缩
一.presto动态化概述 近年来,基于hadoop的sql框架层出不穷,presto也是其中的一员.从2012年发展至今,依然保持年轻的活力(版本迭代依然很快),presto的相关介绍,我们就不赘述 ...
- elasticsearch介绍集群,模拟横向扩展节点、节点宕机、改变分片
出处:[http://www.cnblogs.com/dennisit/p/4133131.html] ,防楼主删博,故保留一份! elasticsearch用于构建高可用和可扩展的系统.扩展 ...
- SignalR学习笔记(五) 横向扩展之SQL Server
当一个Web应用程序达到一台服务器能力限制,即请求处理数量限制之后,有2种解决方案:纵向扩展和横向扩展. 纵向扩展即用更强的服务器(或虚拟机),或为当前的服务器添加更多的内存,CPU等 横向扩展即添加 ...
- 转mysql横向扩展和纵向扩展
Scale-up(纵向扩展)和Scale-out(横向扩展)的解释 谈到系统的可伸缩性,Scale-up(纵向扩展)和Scale-out(横向扩展)是两个常见的术语,对于初学者来说,很容易搞迷糊这两个 ...
- SQL Server横向扩展:设计,实现与维护(2)- 分布式分区视图
为了使得朋友们对分布式分区视图有个概念,也为了方便后面的内容展开,我们先看看下面一个图: 讲述分布式分区视图之前,很有必要将之与我们常常熟悉的分区表和索引进行区别. 首先,分布式分区视图是一个 ...
- Ceph如何实现文件系统的横向扩展
前言 在跟一个朋友聊天的时候,聊到一个技术问题,他们的一个环境上面小文件巨多,是我目前知道的集群里面规模算非常大的了,但是目前有个问题,一方面会进行一倍的硬件的扩容,而文件的数量也在剧烈的增长着,所以 ...
- 在 Windows Azure 网站中进行纵向扩展和横向扩展
编辑人员注释:本文章由 Windows Azure 网站团队的项目经理 Byron Tardif 撰写. 当您开始一个新的 Web 项目,或者刚刚开始开发一般的网站和应用程序时,您可能希望从小处着手. ...
随机推荐
- systemd服务详解-技术流ken
简介 在centos5中生成和管理用户空间中的进程以及完成系统的初始化使用的是init,并且是依次启动.在centos6中则是使用的upstart,在一定程度上实现了并行启动,但是仍然存在依赖关系,到 ...
- [转]MySQL-死锁查询
本文转自:https://blog.csdn.net/qq105319914/article/details/50562783 1.查询是否锁表 show OPEN TABLES where In_u ...
- WPF Grid布局
本节讲述布局,顺带加点样式给大家看看~单纯学布局,肯定是枯燥的~哈哈 那如上界面,该如何设计呢? 1.一些布局元素经常用到.Grid StackPanel Canvas WrapPanel等.如上这种 ...
- https创建请求UrL报错: 未能为 SSL/TLS 安全通道建立信任关系
1.项目中异常报错如下: 2.百度结果:原来是 网站没有使用SSL证书或者是SSl证书失效了的缘故. 3.具体解决方案如下: )导入命名空间 using System.Net.Security; us ...
- C# 使用 PerformanceCounter 获取 CPU 和 硬盘的使用率
C# 使用 PerformanceCounter 获取 CPU 和 硬盘的使用率: 先看界面: 建一个 Windows Form 桌面程序,代码如下: using System; using Sys ...
- es6 语法 (set 和 map)
{ let list = new Set(); list.add(5); list.add(7); console.log('size', list, list.size); //{5, 7} 2 } ...
- mysql安装完成之后为root用户添加密码
编辑MySql的配置文件:my.ini(在MySql安装目录下). 打开配置文件,在文件最后一行添加:skip-grant-tables,然后保存退出. 意思为就是在启mysql时不启动grant-t ...
- Link Between SAP SD, MM & FI
Link Between SAP SD, MM & FI 1. In SAP you will always get integration with other modules. SD wi ...
- 13.Odoo产品分析 (二) – 商业板块(6) –采购(3)
接上一篇 查看Odoo产品分析系列--目录 接上一篇Odoo产品分析 (二) – 商业板块(6) –采购(2) 7. 仓库 仓库是在安装采购管理模块时出现的菜单.用于管理工厂库存,包括已经在手的货物 ...
- Android沉浸式状态栏的简单实现
随着卡片式设计在Android系统的上越来越流行,比如现在早已经烂大街的沉浸式状态栏,几乎所有的主流的APP都支持沉浸式状态栏,如QQ.UC浏览器等等.所以觉得有必要学习一下,找了点资料,总结了一下, ...