概述

横向扩展实验之三 – 将CA 认证服务和 puppetmaster 分开

实验环境

master 和 node 都是 debian 7.7 i686 系统

2个 puppet master 在机器A 上, 都是 apache 虚拟主机

1个 CA 认证服务在 机器B 上.

实验步骤

机器B 的配置

# 清除 ca-1 上的既有证书
root@ca-1:~# rm -rf /var/lib/puppet/ssl/ # 在机器A 上认证 ca-1
# 补充: master-1 的IP就是 192.168.1.100
# 补充: ca-1 作为agent 连接master-1, 需要配置 /etc/hosts 和 /etc/puppet/puppet.conf
root@ca-1:/var/lib/puppet# puppet agent --test --server=192.168.1.100
Info: Creating a new SSL key for ca-1.puppet.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ca-1.puppet.com
Info: Certificate Request fingerprint (SHA256): C3:CD:C6:8E:34:22:40:8D:32:00:1B:E5:54:E2:C1:C7:96:79:BF:B0:1A:A8:FD:11:B4:32:D6:4F:AE:54:AB:94
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
root@ca-1:/var/lib/puppet# puppet agent --test
Info: Caching certificate for ca-1.puppet.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca-1.puppet.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for ca-1.puppet.com
Info: Applying configuration version '1420697839'
Notice: Finished catalog run in 0.01 seconds # 将机器A 上的证书移到 ca-1 上 (机器A 之前作为CA服务器, 上面有 node 的认证情况)
root@master-1:~# rsync -PHaze ssh /var/lib/puppet/ssl/ca 192.168.1.101:/var/lib/puppet/ssl/
root@192.168.1.101's password:
sending incremental file list
ca/
ca/ca_crl.pem
1202 100% 0.00kB/s 0:00:00 (xfer#1, to-check=12/14)
ca/ca_crt.pem
1968 100% 1.88MB/s 0:00:00 (xfer#2, to-check=11/14)
ca/ca_key.pem
3243 100% 3.09MB/s 0:00:00 (xfer#3, to-check=10/14)
ca/ca_pub.pem
800 100% 781.25kB/s 0:00:00 (xfer#4, to-check=9/14)
ca/inventory.txt
611 100% 596.68kB/s 0:00:00 (xfer#5, to-check=8/14)
ca/serial
4 100% 3.91kB/s 0:00:00 (xfer#6, to-check=7/14)
ca/private/
ca/private/ca.pass
20 100% 19.53kB/s 0:00:00 (xfer#7, to-check=3/14)
ca/requests/
ca/signed/
ca/signed/ca-1.puppet.com.pem
1956 100% 1.87MB/s 0:00:00 (xfer#8, to-check=2/14)
ca/signed/master-1.puppet.com.pem
2041 100% 1.95MB/s 0:00:00 (xfer#9, to-check=1/14)
ca/signed/node-1.puppet.com.pem
1960 100% 1.87MB/s 0:00:00 (xfer#10, to-check=0/14) sent 10898 bytes received 218 bytes 1170.11 bytes/sec
total size is 13805 speedup is 1.24 # 修改 ca-1 上默认的 puppetmaster 配置
root@ca-1:~# cat /etc/apache2/sites-available/puppetmaster
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information. # You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger. # you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off Listen 8140 <VirtualHost *:8140>
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on SSLCertificateFile /var/lib/puppet/ssl/certs/ca-1.puppet.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ca-1.puppet.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking; if you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData # This header needs to be set if using a loadbalancer or proxy
#!!! RequestHeader 相关内容都要注释掉
#RequestHeader unset X-Forwarded-For #RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
RackBaseURI /
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>

机器A 的配置

就用 puppet横向扩展(一) 中所使用的环境就行

机器B 配置好之后, 修改 apache 的配置, 使之将 CA认证服务指向机器B上的 ca-1

重要的地方, 我加了 #!!! 的注释

# 完整的 proxy 配置如下: 192.168.1.101 就是ca-1 的IP
root@master-1:~# cat /etc/apache2/sites-available/puppetmaster_proxy.conf
# Available back-end worker virtual hosts
# NOTE the use of cleartext unencrypted HTTP.
<Proxy balancer://puppetmasterca>
BalancerMember https://192.168.1.101:8140 #!!! 这里是 https
</Proxy> <Proxy balancer://puppetmaster>
BalancerMember http://127.0.0.1:18140
BalancerMember http://127.0.0.1:18141
</Proxy> Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProxyEngine on #!!! 这句很重要, 否则无法代理 https 的请求
# SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLProtocol ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
#SSLProtocol ALL -SSLv2
#SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
# Puppet master should generate initial CA certificate.
# ensure certs are located in /var/lib/puppet/ssl
SSLCertificateFile /var/lib/puppet/ssl/certs/master-1.puppet.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# optional to all CSR request, required if certificates distributed to client during provisioning.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars # The following client headers record authentication information for downstream workers.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e <Location />
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location> ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca ProxyPass / balancer://puppetmaster/
ProxyPassReverse / balancer://puppetmaster/
ProxyPreserveHost On # log settings
ErrorLog /var/log/apache2/balancer_error.log
CustomLog /var/log/apache2/balancer_access.log combined
CustomLog /var/log/apache2/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost>

ca 的服务也配置成负载均衡的模式了, 方便追加新的 ca 服务器

测试配置结果

# master-1 上, 清理log, 重启 apache服务
root@master-1:~# rm -f /var/log/apache2/*
root@master-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting . # ca-1 上, 清理log, 重启 apache服务
root@ca-1:~# rm -f /var/log/apache2/*
root@ca-1:~# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting . # 新建 agent 发送请求, 注意这个agent 不能是已经认证过的, 否则不会请求 ca-1
root@node-2:~# puppet agent --test
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node-2.puppet.com
Info: Certificate Request fingerprint (SHA256): E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled # master-1 上没有生成证书请求
root@master-1:~# puppet cert list --all
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA # ca-1 上生成了证书请求, 说明证书服务确实转移到 ca-1 上来处理了, node-2 就是新的agent 请求的证书
root@ca-1:~# puppet cert list --all
"node-2.puppet.com" (SHA256) E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1
+ "ca-1.puppet.com" (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99
+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
+ "node-1.puppet.com" (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA

puppet 横向扩展(三)的更多相关文章

  1. puppet 横向扩展(二)

    Table of Contents 1. 概述 2. 实验环境 3. 实验步骤 3.1. 机器B 的环境 3.1.1. 安装puppetmaster 以及 apache passenger 3.1.2 ...

  2. puppet 横向扩展(一)

    目录 1. 概述 2. 实验环境 3. 实验步骤 3.1. 创建puppetmaster的rack环境 3.2. 配置文件设置 3.3. 补充说明 3.4. 测试配置结果 3.4.1. 默认的负载均衡 ...

  3. presto的动态化应用(一):presto节点的横向扩展与伸缩

    一.presto动态化概述 近年来,基于hadoop的sql框架层出不穷,presto也是其中的一员.从2012年发展至今,依然保持年轻的活力(版本迭代依然很快),presto的相关介绍,我们就不赘述 ...

  4. elasticsearch介绍集群,模拟横向扩展节点、节点宕机、改变分片

        出处:[http://www.cnblogs.com/dennisit/p/4133131.html] ,防楼主删博,故保留一份! elasticsearch用于构建高可用和可扩展的系统.扩展 ...

  5. SignalR学习笔记(五) 横向扩展之SQL Server

    当一个Web应用程序达到一台服务器能力限制,即请求处理数量限制之后,有2种解决方案:纵向扩展和横向扩展. 纵向扩展即用更强的服务器(或虚拟机),或为当前的服务器添加更多的内存,CPU等 横向扩展即添加 ...

  6. 转mysql横向扩展和纵向扩展

    Scale-up(纵向扩展)和Scale-out(横向扩展)的解释 谈到系统的可伸缩性,Scale-up(纵向扩展)和Scale-out(横向扩展)是两个常见的术语,对于初学者来说,很容易搞迷糊这两个 ...

  7. SQL Server横向扩展:设计,实现与维护(2)- 分布式分区视图

    为了使得朋友们对分布式分区视图有个概念,也为了方便后面的内容展开,我们先看看下面一个图:     讲述分布式分区视图之前,很有必要将之与我们常常熟悉的分区表和索引进行区别. 首先,分布式分区视图是一个 ...

  8. Ceph如何实现文件系统的横向扩展

    前言 在跟一个朋友聊天的时候,聊到一个技术问题,他们的一个环境上面小文件巨多,是我目前知道的集群里面规模算非常大的了,但是目前有个问题,一方面会进行一倍的硬件的扩容,而文件的数量也在剧烈的增长着,所以 ...

  9. 在 Windows Azure 网站中进行纵向扩展和横向扩展

    编辑人员注释:本文章由 Windows Azure 网站团队的项目经理 Byron Tardif 撰写. 当您开始一个新的 Web 项目,或者刚刚开始开发一般的网站和应用程序时,您可能希望从小处着手. ...

随机推荐

  1. Go标准库:Go template用法详解

    本文只介绍template的语法和用法,关于template包的函数.方法.template的结构和原理,见:深入剖析Go template. 入门示例 以下为test.html文件的内容,里面使用了 ...

  2. shell编程基础(三): 位置参数与shell脚本的输入输出

    一.位置参数和特殊变量 有很多特殊变量是被Shell自动赋值的,我们已经遇到了$?和$1,现在总结一下: 常用的位置参数和特殊变量: $0 相当于C语言main函数的argv[0] $1.$2... ...

  3. lua的table元类

    Lua中提供的元表是用于帮助Lua数据变量完成某些非预定义功能的个性化行为,如两个table的相加.假设a和b都是table,通过元表可以定义如何计算表达式a+b.当Lua试图将两个table相加时, ...

  4. js如何获取url参数

    匹配URL参数的正则是: var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)", ...

  5. 第一册:lesson twenty five。

    原文:Mrs.smith's kitchen. Mrs.smith's kitchen is small. There is a refrigerator in the kitchen. The re ...

  6. .Net EF6+Mysql 环境搭建

    由于一直使用的数据库是mysql,之前所用的orm都是轻量级的例如 dapper 这些的,然后想用ef配置一下mysql,总共时间花了差不多2天,才将坑填完,写个博客将流程记录一下 给后来者少掉点坑. ...

  7. 从零开始学安全(二十三)●用PHP编写留言板

    <?php include("test.php"); ?> <!DOCTYPE html> <html> <head> <me ...

  8. Hibernate入门(十)inverse

    双向关联产生多余的SQL语句 /** * 添加一个订单到id为6的客户中 */ @Test public void fun1(){ Session session = HibernateUtils.g ...

  9. spring boot之hello

    自己使用springboot也已经写过一段时间的代码,但是对springboot真正运行的流程还是有点模糊,今天写出自己对springboot的认识,如有不对,还请各位大佬不吝赐教,话不多说,直接上代 ...

  10. 多线程编程CompletableFuture与parallelStream

    一.简介 平常在页面中我们会使用异步调用$.ajax()函数,如果是多个的话他会并行执行相互不影响,实际上Completable我理解也是和它类似,是java 8里面新出的异步实现类,Completa ...