Overview

Horizontal scaling experiment, part 3: separating the CA service from the puppetmaster

Experimental environment

Both the master and the node run Debian 7.7 i686.

2 puppet masters on machine A, both as Apache virtual hosts.

1 CA service on machine B.

Experiment steps

Configuring machine B

# Clear the existing certificates on ca-1
root@ca-1:~# rm -rf /var/lib/puppet/ssl/

# Get ca-1 certified by machine A
# Note: master-1's IP is 192.168.1.100
# Note: ca-1 connects to master-1 as an agent, so /etc/hosts and /etc/puppet/puppet.conf must be set up for that
root@ca-1:/var/lib/puppet# puppet agent --test --server=192.168.1.100
Info: Creating a new SSL key for ca-1.puppet.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ca-1.puppet.com
Info: Certificate Request fingerprint (SHA256): C3:CD:C6:8E:34:22:40:8D:32:00:1B:E5:54:E2:C1:C7:96:79:BF:B0:1A:A8:FD:11:B4:32:D6:4F:AE:54:AB:94
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

# (Between the two runs the request is signed on master-1; that step is not shown in the post)
root@ca-1:/var/lib/puppet# puppet agent --test
Info: Caching certificate for ca-1.puppet.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca-1.puppet.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for ca-1.puppet.com
Info: Applying configuration version '1420697839'
Notice: Finished catalog run in 0.01 seconds

# Move the CA files from machine A to ca-1 (machine A was the CA server until now, so it holds the nodes' signing state)
root@master-1:~# rsync -PHaze ssh /var/lib/puppet/ssl/ca 192.168.1.101:/var/lib/puppet/ssl/
root@192.168.1.101's password:
sending incremental file list
ca/
ca/ca_crl.pem
1202 100% 0.00kB/s 0:00:00 (xfer#1, to-check=12/14)
ca/ca_crt.pem
1968 100% 1.88MB/s 0:00:00 (xfer#2, to-check=11/14)
ca/ca_key.pem
3243 100% 3.09MB/s 0:00:00 (xfer#3, to-check=10/14)
ca/ca_pub.pem
800 100% 781.25kB/s 0:00:00 (xfer#4, to-check=9/14)
ca/inventory.txt
611 100% 596.68kB/s 0:00:00 (xfer#5, to-check=8/14)
ca/serial
4 100% 3.91kB/s 0:00:00 (xfer#6, to-check=7/14)
ca/private/
ca/private/ca.pass
20 100% 19.53kB/s 0:00:00 (xfer#7, to-check=3/14)
ca/requests/
ca/signed/
ca/signed/ca-1.puppet.com.pem
1956 100% 1.87MB/s 0:00:00 (xfer#8, to-check=2/14)
ca/signed/master-1.puppet.com.pem
2041 100% 1.95MB/s 0:00:00 (xfer#9, to-check=1/14)
ca/signed/node-1.puppet.com.pem
1960 100% 1.87MB/s 0:00:00 (xfer#10, to-check=0/14)

sent 10898 bytes received 218 bytes 1170.11 bytes/sec
total size is 13805 speedup is 1.24

# Edit the default puppetmaster config on ca-1
root@ca-1:~# cat /etc/apache2/sites-available/puppetmaster
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.

# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    SSLHonorCipherOrder on

    SSLCertificateFile /var/lib/puppet/ssl/certs/ca-1.puppet.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ca-1.puppet.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking; if you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.
    # SSLCARevocationCheck chain
    SSLVerifyClient optional
    SSLVerifyDepth 1
    # The `ExportCertData` option is needed for agent certificate expiration warnings
    SSLOptions +StdEnvVars +ExportCertData

    # This header needs to be set if using a loadbalancer or proxy
    #!!! All RequestHeader lines must be commented out
    #RequestHeader unset X-Forwarded-For
    #RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    #RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    #RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

Configuring machine A

Just reuse the environment from Puppet horizontal scaling (1).

Once machine B is configured, modify the Apache configuration so that CA requests are directed to ca-1 on machine B.

I have marked the important parts with #!!! comments.

# The complete proxy config follows; 192.168.1.101 is ca-1's IP
root@master-1:~# cat /etc/apache2/sites-available/puppetmaster_proxy.conf
# Available back-end worker virtual hosts
# NOTE the use of cleartext unencrypted HTTP.
#!!! The CA member is reached over https, not http
<Proxy balancer://puppetmasterca>
    BalancerMember https://192.168.1.101:8140
</Proxy>

<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:18140
    BalancerMember http://127.0.0.1:18141
</Proxy>

Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    #!!! This line is essential; without it https requests cannot be proxied
    SSLProxyEngine on
    # SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLProtocol ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    #SSLProtocol ALL -SSLv2
    #SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    # Puppet master should generate initial CA certificate.
    # ensure certs are located in /var/lib/puppet/ssl
    SSLCertificateFile /var/lib/puppet/ssl/certs/master-1.puppet.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # optional to all CSR request, required if certificates distributed to client during provisioning.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    # The following client headers record authentication information for downstream workers.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    <Location />
        SetHandler balancer-manager
        Order allow,deny
        Allow from all
    </Location>

    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
    ProxyPass / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
    ProxyPreserveHost On

    # log settings
    ErrorLog /var/log/apache2/balancer_error.log
    CustomLog /var/log/apache2/balancer_access.log combined
    CustomLog /var/log/apache2/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

The CA service is also configured as a balancer, which makes it easy to add more CA servers later.

Testing the configuration
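The split between the two balancers rests entirely on the ProxyPassMatch pattern above, so it is worth checking which agent request paths it actually captures. The following is an added example, not code from the original post: it replays the pattern in Python over a constructed set of Puppet 3 agent REST paths, and also flags the pattern's one caveat, namely that a "certificate..." segment anywhere in the path (not only the second segment) is routed to the CA balancer.

```python
import re

# The same pattern as the ProxyPassMatch directive on master-1.
# Apache evaluates ProxyPass/ProxyPassMatch in configuration order, so this
# rule is tried before the catch-all "ProxyPass / balancer://puppetmaster/".
CA_PATTERN = re.compile(r"^(/.*?)/(certificate.*?)/(.*)$")

CA_BACKEND = "balancer://puppetmasterca"
MASTER_BACKEND = "balancer://puppetmaster"


def route(path: str) -> str:
    """Return the balancer an agent request path would be proxied to."""
    return CA_BACKEND if CA_PATTERN.match(path) else MASTER_BACKEND


def routing_table(paths):
    """Map every request path to its backend."""
    return {p: route(p) for p in paths}


def unexpected_ca_matches(paths):
    """Caveat check: the pattern is not pinned to the second path segment.

    A 'certificate...' segment anywhere after the environment also matches,
    so such a request would go to the CA balancer instead of a master.
    Returns the paths whose match came from a later segment.
    """
    hits = []
    for p in paths:
        m = CA_PATTERN.match(p)
        if m and m.group(1).count("/") > 1:
            hits.append(p)
    return hits


# Constructed sample of Puppet 3 agent REST paths (environment "production"),
# roughly in the order a not-yet-signed agent such as node-2 issues them.
SAMPLE_REQUESTS = [
    "/production/certificate/ca",
    "/production/certificate_request/node-2.puppet.com",
    "/production/certificate_revocation_list/ca",
    "/production/certificate/node-2.puppet.com",
    "/production/node/node-2.puppet.com",
    "/production/catalog/node-2.puppet.com",
    "/production/file_metadatas/plugins",
    "/production/report/node-2.puppet.com",
]

if __name__ == "__main__":
    for path, backend in routing_table(SAMPLE_REQUESTS).items():
        print(f"{path:55} -> {backend}")
```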

# On master-1, clear the logs and restart Apache
root@master-1:~# rm -f /var/log/apache2/*
root@master-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .

# On ca-1, clear the logs and restart Apache
root@ca-1:~# rm -f /var/log/apache2/*
root@ca-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .

# Send a request from a brand-new agent. This agent must not have been certified already, otherwise it never contacts ca-1
root@node-2:~# puppet agent --test
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node-2.puppet.com
Info: Certificate Request fingerprint (SHA256): E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

# No certificate request appears on master-1
root@master-1:~# puppet cert list --all
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA

# The certificate request appears on ca-1, which shows that certificate handling has indeed moved to ca-1; node-2 is the request from the new agent
root@ca-1:~# puppet cert list --all
"node-2.puppet.com" (SHA256) E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA
