
    Scaling Puppet – Building a Puppet CA Cluster

    One way to scale Puppet is to split the CA function off the Puppet Master and build a dedicated Puppet CA cluster that handles all CA work, which raises the throughput of the Puppet system as a whole.

    This tutorial continues the previous one: Scaling Puppet – Building a Puppet Master Cluster.

    The architecture we want to build is:

    Request --> Load Balancer ---> Puppet CA 1 ---> Puppet Master Worker
                               ---> Puppet CA 2

    As in the previous tutorial, we first place CA 1 and CA 2 on ports 8142 and 18142 of the same host.

    Building the Puppet CA cluster on the same host, different ports

    Create the virtual host configurations

    sed s/8141/8142/ 8141_puppetmaster_worker.conf >8142_puppetmaster_worker.conf
    sed s/8141/18142/ 8141_puppetmaster_worker.conf >18142_puppetmaster_worker.conf

    Create the virtual host (Rack) directories

    rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/
    rsync -avxH /etc/puppet/rack/{,18142_}puppetmaster/

    Copy the ca directory to a standby copy

    rsync -axH /var/lib/puppet/ssl/ca{,.standby}/

    Then change /etc/puppet/rack/18142_puppetmaster/config.ru to:

    $0 = "master"
    # if you want debugging:
    # ARGV << "--debug"
    ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"  # add this line: this worker uses the standby CA directory
    ARGV << "--rack"
    require 'puppet/application/master'
    run Puppet::Application[:master].run

    Modify the Load Balancer configuration

    # /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf
    # Available back-end worker virtual hosts
    # NOTE the use of cleartext unencrypted HTTP.
    <Proxy balancer://puppetmaster>
      BalancerMember http://127.0.0.1:8141
      BalancerMember http://192.168.254.184:8141
    </Proxy> 
    
    <Proxy balancer://puppetmasterca>
      # Puppet CA Active Worker
      BalancerMember http://127.0.0.1:8142
      # Puppet CA Hot Standby
      BalancerMember http://127.0.0.1:18142 status=+H
    #  BalancerMember http://192.168.254.184:8142 status=+H
    </Proxy>
    Listen 8140
    <VirtualHost *:8140>
    SSLEngine on
    # SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    # NOTE: SSLv3 and RC4 are obsolete and considered broken; on current
    # deployments restrict this to TLS only and drop RC4 from the cipher list.
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    # Puppet master should generate initial CA certificate.
    # ensure certs are located in /var/lib/puppet/ssl
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.example.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled
    # disable next line if Apache complains about CRL
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # optional to allow CSR request, required if certificates distributed to client during provisioning.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars 
    
    # The following client headers record authentication information for down stream workers.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e 
    
    <Location />
      SetHandler balancer-manager
      Order allow,deny
      Allow from all
    </Location> 
    
    # Ordering of ProxyPass directives is important
    # Direct all Puppet agent CA requests to a specific set of workers.
    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
    # Direct all other Puppet agent requests to the default set of workers.
    ProxyPass / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
    ProxyPreserveHost On
    
    # The load balancer log
    ErrorLog /var/log/httpd/balancer_error.log
    CustomLog /var/log/httpd/balancer_access.log combined
    CustomLog /var/log/httpd/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>

    In the line BalancerMember http://127.0.0.1:18142 status=+H, the +H flag marks the member as a hot standby: it is used only when the active member stops responding, so only one CA worker is active at any time.
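    The ProxyPassMatch rule above decides which pool a Puppet 3 REST path (/{environment}/{indirection}/{key}) lands in, and the config comment warns that the order of the ProxyPass directives matters. The following added example (written for this page, not code from the original post) models that routing with the page's own regex, shows what happens when the catch-all rule is placed first, and compares it with a stricter pattern (an assumption, not from the page) that only looks at the indirection segment; the sample paths are constructed.

```python
import re

# Routing rules as they appear in the page's 30_puppetmaster_frontend_8140.conf.
# Apache evaluates ProxyPass/ProxyPassMatch in order and takes the first match,
# so the CA rule must precede the catch-all "ProxyPass /".
PAGE_CA_PATTERN = re.compile(r"^(/.*?)/(certificate.*?)/(.*)$")

# Stricter alternative (assumption, not from the page): only the second URL
# segment of /{environment}/{indirection}/{key} may select the CA pool, so a
# file path that merely contains a "certificate..." segment stays on the masters.
STRICT_CA_PATTERN = re.compile(r"^/[^/]+/certificate[^/]*/")

CA_POOL = "balancer://puppetmasterca"
MASTER_POOL = "balancer://puppetmaster/"


def route(path, ca_pattern=PAGE_CA_PATTERN, ca_first=True):
    """Return the back-end pool the load balancer would pick for a request path.

    ca_first=False models the mistake the config comment warns about: placing
    the catch-all "ProxyPass /" before the CA rule, which sends CA traffic to
    the ordinary master workers.
    """
    rules = [(ca_pattern, CA_POOL), (re.compile(r"^/"), MASTER_POOL)]
    if not ca_first:
        rules.reverse()
    for pattern, pool in rules:
        if pattern.search(path):
            return pool
    return None  # not an absolute path; Apache would not proxy it


def route_table(paths, **kwargs):
    """Map each sample path to its pool; useful for eyeballing a config change."""
    return {p: route(p, **kwargs) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests from a Puppet 3 agent run (not captured traffic).
    samples = [
        "/production/certificate/web01.example.com",           # CA: fetch signed cert
        "/production/certificate_request/web01.example.com",   # CA: submit CSR
        "/production/certificate_revocation_list/ca",          # CA: fetch CRL
        "/production/catalog/web01.example.com",               # master: compile catalog
        "/production/file_metadata/modules/app/certificate/x", # page regex sends this to CA too
    ]
    for path, pool in route_table(samples).items():
        print(f"{pool:<28} {path}")
    print("-- with the stricter pattern --")
    for path, pool in route_table(samples, ca_pattern=STRICT_CA_PATTERN).items():
        print(f"{pool:<28} {path}")
```

Running it shows the file_metadata request switching pools between the two patterns; with the page's regex it is harmless only because each CA worker is itself a full Puppet master.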

    Restart the httpd service and test.

    Building the Puppet CA cluster on different hosts, same port

    Here we move the 18142 instance to port 8142 on mailtest.

    Add the following line to /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf:

    BalancerMember http://192.168.254.184:8142 status=+H

    The following steps are carried out on mailtest.example.com.

    Create the virtual host configuration

    sed s/8141/8142/ 8141_puppetmaster_worker.conf >8142_puppetmaster_worker.conf

    Create the virtual host (Rack) directory

    rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/

    As before, add the following line to config.ru:

    ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"

    Sync the ca.standby directory with rsync

    rsync -axH root@192.168.254.181:/var/lib/puppet/ssl/ca.standby/ /var/lib/puppet/ssl/ca.standby/

    Restart the httpd service.

    Testing showed that if a new host requests a certificate, the request has reached CA 1 but has not yet been signed, and CA 1 then fails, syncing CA 1's ca directory to CA 2 lets the certificate be signed on CA 2.

    Note that the CA here only handles signing the certificate on a host's first request; it does not handle verification of certificates that have already been signed. In other words, hosts that already hold a signed certificate do not need CA 1 or CA 2 when running puppet agent.


    Original article: https://www.cnblogs.com/L-H-R-X-hehe/p/3970519.html