概述

横向扩展实验之三 – 将CA 认证服务和 puppetmaster 分开

实验环境

master 和 node 都是 debian 7.7 i686 系统

2个 puppet master 在机器A 上, 都是 apache 虚拟主机

1个 CA 认证服务在 机器B 上.

实验步骤

机器B 的配置

# 清除 ca-1 上的既有证书
root@ca-1:~# rm -rf /var/lib/puppet/ssl/ # 在机器A 上认证 ca-1
# 补充: master-1 的IP就是 192.168.1.100
# 补充: ca-1 作为agent 连接master-1, 需要配置 /etc/hosts 和 /etc/puppet/puppet.conf
root@ca-1:/var/lib/puppet# puppet agent --test --server=192.168.1.100
Info: Creating a new SSL key for ca-1.puppet.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ca-1.puppet.com
Info: Certificate Request fingerprint (SHA256): C3:CD:C6:8E:34:22:40:8D:32:00:1B:E5:54:E2:C1:C7:96:79:BF:B0:1A:A8:FD:11:B4:32:D6:4F:AE:54:AB:94
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
root@ca-1:/var/lib/puppet# puppet agent --test
Info: Caching certificate for ca-1.puppet.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca-1.puppet.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for ca-1.puppet.com
Info: Applying configuration version '1420697839'
Notice: Finished catalog run in 0.01 seconds # 将机器A 上的证书移到 ca-1 上 (机器A 之前作为CA服务器, 上面有 node 的认证情况)
root@master-1:~# rsync -PHaze ssh /var/lib/puppet/ssl/ca 192.168.1.101:/var/lib/puppet/ssl/
root@192.168.1.101's password:
sending incremental file list
ca/
ca/ca_crl.pem
1202 100% 0.00kB/s 0:00:00 (xfer#1, to-check=12/14)
ca/ca_crt.pem
1968 100% 1.88MB/s 0:00:00 (xfer#2, to-check=11/14)
ca/ca_key.pem
3243 100% 3.09MB/s 0:00:00 (xfer#3, to-check=10/14)
ca/ca_pub.pem
800 100% 781.25kB/s 0:00:00 (xfer#4, to-check=9/14)
ca/inventory.txt
611 100% 596.68kB/s 0:00:00 (xfer#5, to-check=8/14)
ca/serial
4 100% 3.91kB/s 0:00:00 (xfer#6, to-check=7/14)
ca/private/
ca/private/ca.pass
20 100% 19.53kB/s 0:00:00 (xfer#7, to-check=3/14)
ca/requests/
ca/signed/
ca/signed/ca-1.puppet.com.pem
1956 100% 1.87MB/s 0:00:00 (xfer#8, to-check=2/14)
ca/signed/master-1.puppet.com.pem
2041 100% 1.95MB/s 0:00:00 (xfer#9, to-check=1/14)
ca/signed/node-1.puppet.com.pem
1960 100% 1.87MB/s 0:00:00 (xfer#10, to-check=0/14) sent 10898 bytes received 218 bytes 1170.11 bytes/sec
total size is 13805 speedup is 1.24 # 修改 ca-1 上默认的 puppetmaster 配置
root@ca-1:~# cat /etc/apache2/sites-available/puppetmaster
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information. # You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger. # you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off Listen 8140 <VirtualHost *:8140>
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on SSLCertificateFile /var/lib/puppet/ssl/certs/ca-1.puppet.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ca-1.puppet.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking; if you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData # This header needs to be set if using a loadbalancer or proxy
#!!! RequestHeader 相关内容都要注释掉
#RequestHeader unset X-Forwarded-For #RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
RackBaseURI /
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>

机器A 的配置

就用 puppet横向扩展(一) 中所使用的环境就行

机器B 配置好之后, 修改 apache 的配置, 使之将 CA认证服务指向机器B上的 ca-1

重要的地方, 我加了 #!!! 的注释

# 完整的 proxy 配置如下: 192.168.1.101 就是ca-1 的IP
root@master-1:~# cat /etc/apache2/sites-available/puppetmaster_proxy.conf
# Available back-end worker virtual hosts
# NOTE the use of cleartext unencrypted HTTP.
<Proxy balancer://puppetmasterca>
BalancerMember https://192.168.1.101:8140 #!!! 这里是 https
</Proxy> <Proxy balancer://puppetmaster>
BalancerMember http://127.0.0.1:18140
BalancerMember http://127.0.0.1:18141
</Proxy> Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProxyEngine on #!!! 这句很重要, 否则无法代理 https 的请求
# SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLProtocol ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
#SSLProtocol ALL -SSLv2
#SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
# Puppet master should generate initial CA certificate.
# ensure certs are located in /var/lib/puppet/ssl
SSLCertificateFile /var/lib/puppet/ssl/certs/master-1.puppet.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# optional to all CSR request, required if certificates distributed to client during provisioning.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars # The following client headers record authentication information for downstream workers.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e <Location />
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location> ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca ProxyPass / balancer://puppetmaster/
ProxyPassReverse / balancer://puppetmaster/
ProxyPreserveHost On # log settings
ErrorLog /var/log/apache2/balancer_error.log
CustomLog /var/log/apache2/balancer_access.log combined
CustomLog /var/log/apache2/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost>

ca 的服务也配置成负载均衡的模式了, 方便追加新的 ca 服务器

测试配置结果

# master-1 上, 清理log, 重启 apache服务
root@master-1:~# rm -f /var/log/apache2/*
root@master-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting . # ca-1 上, 清理log, 重启 apache服务
root@ca-1:~# rm -f /var/log/apache2/*
root@ca-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting . # 新建 agent 发送请求, 注意这个agent 不能是已经认证过的, 否则不会请求 ca-1
root@node-2:~# puppet agent --test
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node-2.puppet.com
Info: Certificate Request fingerprint (SHA256): E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled # master-1 上没有生成证书请求
root@master-1:~# puppet cert list --all
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA # ca-1 上生成了证书请求, 说明证书服务确实转移到 ca-1 上来处理了, node-2 就是新的agent 请求的证书
root@ca-1:~# puppet cert list --all
"node-2.puppet.com" (SHA256) E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA

puppet 横向扩展(三)的更多相关文章

  1. puppet 横向扩展(二)

    Table of Contents 1. 概述 2. 实验环境 3. 实验步骤 3.1. 机器B 的环境 3.1.1. 安装puppetmaster 以及 apache passenger 3.1.2 ...

  2. puppet 横向扩展(一)

    目录 1. 概述 2. 实验环境 3. 实验步骤 3.1. 创建puppetmaster的rack环境 3.2. 配置文件设置 3.3. 补充说明 3.4. 测试配置结果 3.4.1. 默认的负载均衡 ...

  3. presto的动态化应用(一):presto节点的横向扩展与伸缩

    一.presto动态化概述 近年来,基于hadoop的sql框架层出不穷,presto也是其中的一员.从2012年发展至今,依然保持年轻的活力(版本迭代依然很快),presto的相关介绍,我们就不赘述 ...

  4. elasticsearch介绍集群,模拟横向扩展节点、节点宕机、改变分片

        出处:[http://www.cnblogs.com/dennisit/p/4133131.html] ,防楼主删博,故保留一份! elasticsearch用于构建高可用和可扩展的系统.扩展 ...

  5. SignalR学习笔记(五) 横向扩展之SQL Server

    当一个Web应用程序达到一台服务器能力限制,即请求处理数量限制之后,有2种解决方案:纵向扩展和横向扩展. 纵向扩展即用更强的服务器(或虚拟机),或为当前的服务器添加更多的内存,CPU等 横向扩展即添加 ...

  6. 转mysql横向扩展和纵向扩展

    Scale-up(纵向扩展)和Scale-out(横向扩展)的解释 谈到系统的可伸缩性,Scale-up(纵向扩展)和Scale-out(横向扩展)是两个常见的术语,对于初学者来说,很容易搞迷糊这两个 ...

  7. SQL Server横向扩展:设计,实现与维护(2)- 分布式分区视图

    为了使得朋友们对分布式分区视图有个概念,也为了方便后面的内容展开,我们先看看下面一个图:     讲述分布式分区视图之前,很有必要将之与我们常常熟悉的分区表和索引进行区别. 首先,分布式分区视图是一个 ...

  8. Ceph如何实现文件系统的横向扩展

    前言 在跟一个朋友聊天的时候,聊到一个技术问题,他们的一个环境上面小文件巨多,是我目前知道的集群里面规模算非常大的了,但是目前有个问题,一方面会进行一倍的硬件的扩容,而文件的数量也在剧烈的增长着,所以 ...

  9. 在 Windows Azure 网站中进行纵向扩展和横向扩展

    编辑人员注释:本文章由 Windows Azure 网站团队的项目经理 Byron Tardif 撰写. 当您开始一个新的 Web 项目,或者刚刚开始开发一般的网站和应用程序时,您可能希望从小处着手. ...

随机推荐

  1. 【转载】 Sqlserver中DateAdd()函数

    在Sqlserver数据库中,DATEADD() 函数在日期中添加或减去指定的时间间隔.例如计算当前时间往后一天的时刻以及往前1天的时刻时间即可使用DateAdd()函数来操作,DateAdd()函数 ...

  2. mongodb遇到的问题

    安装好mongodb之后,服务里默认增加了一个mongodb service的服务,但是服务打不开,右键选择其属性,看他的执行路径执行的是cfg配置文件,看了配置文件里的东西,发现和自己想要的差不多, ...

  3. ASP.NET资源大全-知识分享

    API 框架 NancyFx:轻量.用于构建 HTTP 基础服务的非正式(low-ceremony)框架,基于.Net 及 Mono 平台.官网 ASP.NET WebAPI:快捷创建 HTTP 服务 ...

  4. php常用函数搜集

    搜集了几个php常用函数方法....相信项目中肯定会用到吧... <?php /** * @param $arr * @param $key_name * @return array * 将数据 ...

  5. Java学习笔记之——多态、抽象

    1. 多态 多态:同一种事物调用同一个方法有不同的表现行为.(同一类型操作,作用于某一类对象,可以有不同的解释,产生不同的执行结果) 应用场景;当你定义一个功能性的方法可以使用多态的概念 前提:子类继 ...

  6. 修改tomcat命令黑窗口的名字

    一.为什么要修改tomcat黑窗口的名字 同时启动多个tomcat时,不好区分,而给tomcat的命令窗口取名区分是个不错的选择,例如下面这个效果. 二.修改的方法 1.找到tomcat的bin目录下 ...

  7. Springboot使用Filter以及踩过的坑

    Springboot使用Filter以及踩过的坑 在Springboot中使用Filter有两种方式,注解方式,注册bean方式 一.注解@WebFilter 1.实现Filter接口(javax.s ...

  8. 微信小程序性能优化技巧

    摘要: 如果小程序不够快,还要它干嘛? 原文:微信小程序性能优化方案--让你的小程序如此丝滑 作者:杜俊成要好好学习 Fundebug经授权转载,版权归原作者所有. 微信小程序如果想要优化性能,有关键 ...

  9. vue的data的数据进行指定赋值,用于筛选条件的清空,或者管理系统添加成功后给部分数据赋值为空

    <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...

  10. 聊聊找AI算法岗工作

    https://blog.csdn.net/weixin_42137700/article/details/81628028 首先,本文不是为了增加大家的焦虑感,而是站在一名学生的角度聊聊找AI算法岗 ...