Overview

Horizontal scaling experiment 3: separating the CA service from the puppetmaster

Test environment

Both the master and the node run Debian 7.7 i686.

Two puppet masters run on machine A, each as an Apache virtual host.

One CA service runs on machine B.

Procedure

Configuring machine B

# Remove the existing certificates on ca-1
root@ca-1:~# rm -rf /var/lib/puppet/ssl/

# Get ca-1 a certificate from machine A
# Note: the IP of master-1 is 192.168.1.100
# Note: ca-1 connects to master-1 as an agent, so /etc/hosts and /etc/puppet/puppet.conf have to be set up for that
root@ca-1:/var/lib/puppet# puppet agent --test --server=192.168.1.100
Info: Creating a new SSL key for ca-1.puppet.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ca-1.puppet.com
Info: Certificate Request fingerprint (SHA256): C3:CD:C6:8E:34:22:40:8D:32:00:1B:E5:54:E2:C1:C7:96:79:BF:B0:1A:A8:FD:11:B4:32:D6:4F:AE:54:AB:94
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
# (the request was signed on master-1 before the second run; that step is not shown here)
root@ca-1:/var/lib/puppet# puppet agent --test
Info: Caching certificate for ca-1.puppet.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca-1.puppet.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for ca-1.puppet.com
Info: Applying configuration version '1420697839'
Notice: Finished catalog run in 0.01 seconds

# Move the CA directory from machine A to ca-1 (machine A was the CA server until now, so it holds the signing state of the existing nodes)
root@master-1:~# rsync -PHaze ssh /var/lib/puppet/ssl/ca 192.168.1.101:/var/lib/puppet/ssl/
root@192.168.1.101's password:
sending incremental file list
ca/
ca/ca_crl.pem
1202 100% 0.00kB/s 0:00:00 (xfer#1, to-check=12/14)
ca/ca_crt.pem
1968 100% 1.88MB/s 0:00:00 (xfer#2, to-check=11/14)
ca/ca_key.pem
3243 100% 3.09MB/s 0:00:00 (xfer#3, to-check=10/14)
ca/ca_pub.pem
800 100% 781.25kB/s 0:00:00 (xfer#4, to-check=9/14)
ca/inventory.txt
611 100% 596.68kB/s 0:00:00 (xfer#5, to-check=8/14)
ca/serial
4 100% 3.91kB/s 0:00:00 (xfer#6, to-check=7/14)
ca/private/
ca/private/ca.pass
20 100% 19.53kB/s 0:00:00 (xfer#7, to-check=3/14)
ca/requests/
ca/signed/
ca/signed/ca-1.puppet.com.pem
1956 100% 1.87MB/s 0:00:00 (xfer#8, to-check=2/14)
ca/signed/master-1.puppet.com.pem
2041 100% 1.95MB/s 0:00:00 (xfer#9, to-check=1/14)
ca/signed/node-1.puppet.com.pem
1960 100% 1.87MB/s 0:00:00 (xfer#10, to-check=0/14)

sent 10898 bytes received 218 bytes 1170.11 bytes/sec
total size is 13805 speedup is 1.24

# Modify the default puppetmaster config on ca-1
root@ca-1:~# cat /etc/apache2/sites-available/puppetmaster
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.

# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    SSLHonorCipherOrder on

    SSLCertificateFile /var/lib/puppet/ssl/certs/ca-1.puppet.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ca-1.puppet.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking; if you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.
    # SSLCARevocationCheck chain
    SSLVerifyClient optional
    SSLVerifyDepth 1
    # The `ExportCertData` option is needed for agent certificate expiration warnings
    SSLOptions +StdEnvVars +ExportCertData

    # This header needs to be set if using a loadbalancer or proxy
    #!!! all of the RequestHeader lines have to be commented out
    #RequestHeader unset X-Forwarded-For
    #RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    #RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    #RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

Configuring machine A

Reuse the environment from part 1 of this series (puppet 横向扩展(一)) as it is.

Once machine B is set up, change the Apache config so that CA requests are forwarded to ca-1 on machine B.

I have marked the important parts with #!!! comments.

# The complete proxy config is as follows. 192.168.1.101 is the IP of ca-1.
root@master-1:~# cat /etc/apache2/sites-available/puppetmaster_proxy.conf
# Available back-end worker virtual hosts
# NOTE the use of cleartext unencrypted HTTP.
#!!! the CA member below uses https
<Proxy balancer://puppetmasterca>
    BalancerMember https://192.168.1.101:8140
</Proxy>

<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:18140
    BalancerMember http://127.0.0.1:18141
</Proxy>

Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    #!!! the next line is essential; without it https requests cannot be proxied
    SSLProxyEngine on
    # SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLProtocol ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    #SSLProtocol ALL -SSLv2
    #SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    # Puppet master should generate initial CA certificate.
    # ensure certs are located in /var/lib/puppet/ssl
    SSLCertificateFile /var/lib/puppet/ssl/certs/master-1.puppet.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # optional to all CSR request, required if certificates distributed to client during provisioning.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    # The following client headers record authentication information for downstream workers.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    <Location />
        SetHandler balancer-manager
        Order allow,deny
        Allow from all
    </Location>

    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca

    ProxyPass / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
    ProxyPreserveHost On

    # log settings
    ErrorLog /var/log/apache2/balancer_error.log
    CustomLog /var/log/apache2/balancer_access.log combined
    CustomLog /var/log/apache2/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

The CA service is also configured as a balancer, which makes it easy to add more CA servers later.

Testing the configuration
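The ProxyPassMatch line above is what decides whether a request reaches ca-1 or one of the two puppetmaster workers, so it is worth checking it against the paths a Puppet 3 agent actually sends (`/<environment>/<indirection>/<key>`). The following script is an added example, not part of the original post: it applies the exact pattern from puppetmaster_proxy.conf to those paths and reports which balancer each one would be sent to. The paths, the environment name and the certname are constructed sample values; STRICT_PATTERN is my own suggestion, not something from the page.

```python
"""Simulate the routing decision made by the master-1 proxy vhost."""
import re

# Pattern copied verbatim from the ProxyPassMatch line of puppetmaster_proxy.conf
CA_PATTERN = re.compile(r"^(/.*?)/(certificate.*?)/(.*)$")

# Suggested tighter pattern (assumption, not from the page): only the
# indirection segment, i.e. the second path element, may start with "certificate".
STRICT_PATTERN = re.compile(r"^/[^/]+/certificate[^/]*/")

CA_BALANCER = "balancer://puppetmasterca"
MASTER_BALANCER = "balancer://puppetmaster"


def route(path, pattern=CA_PATTERN):
    """Return the balancer Apache would pick for a request path.

    ProxyPassMatch is evaluated before the catch-all 'ProxyPass /', so a path
    matching the certificate pattern goes to the CA; everything else goes to
    the puppetmaster workers.
    """
    return CA_BALANCER if pattern.match(path) else MASTER_BALANCER


def indirection(path):
    """Return the indirection name captured by the page's pattern, or None."""
    m = CA_PATTERN.match(path)
    return m.group(2) if m else None


def agent_requests(environment, certname):
    """The requests of a fresh agent's first run (as seen above for node-2)
    followed by those of a normal catalog run, with a label for each."""
    return {
        # first run of an agent that has no certificate yet
        "get ca cert": "/%s/certificate/ca" % environment,
        "submit csr": "/%s/certificate_request/%s" % (environment, certname),
        "fetch own cert": "/%s/certificate/%s" % (environment, certname),
        "fetch crl": "/%s/certificate_revocation_list/ca" % environment,
        # normal run once the certificate has been signed
        "node": "/%s/node/%s" % (environment, certname),
        "catalog": "/%s/catalog/%s" % (environment, certname),
        "file metadata": "/%s/file_metadata/plugins" % environment,
        "report": "/%s/report/%s" % (environment, certname),
    }


CA_LABELS = ("get ca cert", "submit csr", "fetch own cert", "fetch crl")


def misrouted(environment, certname, pattern=CA_PATTERN):
    """Labels of requests that would reach the wrong backend: certificate
    traffic that misses the CA, or ordinary traffic that hits it."""
    wrong = []
    for label, path in agent_requests(environment, certname).items():
        wants_ca = label in CA_LABELS
        if wants_ca != (route(path, pattern) == CA_BALANCER):
            wrong.append(label)
    return wrong


if __name__ == "__main__":
    for label, path in agent_requests("production", "node-2.puppet.com").items():
        print("%-15s %-55s -> %s" % (label, path, route(path)))
    print("misrouted:", misrouted("production", "node-2.puppet.com"))
    # Edge case: the non-greedy first group lets ANY later segment that starts
    # with "certificate" trigger the CA route, e.g. a module file path.
    odd = "/production/file_metadata/modules/ssl/certificates/foo.pem"
    print(odd, "->", route(odd), "| strict:", route(odd, STRICT_PATTERN))
```

All eight requests of the node-2 run land where they should, which matches what the test below shows. The edge case at the end is worth knowing about: because `(/.*?)` can swallow several segments, a file_metadata request whose module path contains a directory named `certificates` would also be sent to the CA, where it fails. The tighter pattern anchors the match to the indirection segment and avoids that.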

# On master-1, clear the logs and restart apache
root@master-1:~# rm -f /var/log/apache2/*
root@master-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .

# On ca-1, clear the logs and restart apache
root@ca-1:~# rm -f /var/log/apache2/*
root@ca-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .

# Send a request from a new agent. This agent must not already hold a certificate, otherwise it will never contact ca-1
root@node-2:~# puppet agent --test
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node-2.puppet.com
Info: Certificate Request fingerprint (SHA256): E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

# No certificate request shows up on master-1
root@master-1:~# puppet cert list --all
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA

# The request does show up on ca-1, which proves the certificate service is now handled by ca-1; node-2 is the certificate requested by the new agent
root@ca-1:~# puppet cert list --all
  "node-2.puppet.com" (SHA256) E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA
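Reading the two `puppet cert list --all` outputs by eye works for four entries; the script below does the same comparison mechanically and is an added example, not part of the original post. It embeds the two listings captured above, parses the Puppet 3 output format shown there (a leading `+` for signed certificates, `-` for revoked ones, no marker for a pending request) and checks the two things this experiment is meant to prove: every certificate signed by the old CA is present with the same fingerprint on ca-1 (the `ca/` directory was rsynced over), and the new request is pending on ca-1 only.

```python
"""Parse 'puppet cert list --all' output and confirm the CA really moved."""
import re

# Listings copied from the outputs captured on master-1 and ca-1 above.
MASTER_1_LIST = """\
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA
"""

CA_1_LIST = """\
  "node-2.puppet.com" (SHA256) E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA
"""

# One line of 'puppet cert list --all' (Puppet 3 format as shown on the page):
#   [+|-] "certname" (ALG) FINGERPRINT [(alt names: "DNS:a", "DNS:b")]
LINE_RE = re.compile(
    r'^(?P<status>[+-])?\s*"(?P<name>[^"]+)"\s+\((?P<alg>\w+)\)\s+'
    r'(?P<fp>[0-9A-F:]+)(?:\s+\(alt names:\s*(?P<alt>.*)\))?\s*$'
)

STATUS = {"+": "signed", "-": "revoked", None: "pending"}


def parse_cert_list(text):
    """Return {certname: {"status", "fingerprint", "alt_names"}}."""
    certs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        alt = m.group("alt")
        certs[m.group("name")] = {
            "status": STATUS[m.group("status")],
            "fingerprint": m.group("fp"),
            "alt_names": [a.strip('"') for a in alt.split(", ")] if alt else [],
        }
    return certs


def compare(master_text, ca_text):
    """Check that the signing state was carried over intact and that new
    requests are queued on the new CA only."""
    master = parse_cert_list(master_text)
    ca = parse_cert_list(ca_text)
    # signed on the old CA but missing or different on the new one
    mismatched = sorted(
        name for name, c in master.items()
        if c["status"] == "signed"
        and (name not in ca or ca[name]["fingerprint"] != c["fingerprint"])
    )
    pending_on_ca = sorted(n for n, c in ca.items() if c["status"] == "pending")
    pending_on_master = sorted(n for n, c in master.items() if c["status"] == "pending")
    return {
        "mismatched": mismatched,
        "pending_on_ca": pending_on_ca,
        "pending_on_master": pending_on_master,
        "ca_moved": not mismatched and not pending_on_master and bool(pending_on_ca),
    }


if __name__ == "__main__":
    result = compare(MASTER_1_LIST, CA_1_LIST)
    for key, value in result.items():
        print("%-18s %s" % (key, value))
```

Two things the listings do not show but that follow from the rsync step earlier: the CA directory was copied rather than moved, so master-1 still holds a usable copy of `ca/ca_key.pem` and `ca/private/ca.pass` and should either have them removed or be treated as a CA host; and master-1's `SSLCARevocationFile` still points at its own `ca/ca_crl.pem`, which ca-1 will no longer update, so certificates revoked on ca-1 keep passing the proxy's CRL check until that file is refreshed from ca-1.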
