扩展Puppet – 建立Puppet CA集群

yvgoodman

扩展Puppet – 建立Puppet CA集群




http://www.jsxubar.info/wp-content/plugins/wp-postratings/images/stars_crystal/rating_on.gifhttp://www.jsxubar.info/wp-content/plugins/wp-postratings/images/stars_crystal/rating_on.gifhttp://www.jsxubar.info/wp-content/plugins/wp-postratings/images/stars_crystal/rating_on.gifhttp://www.jsxubar.info/wp-content/plugins/wp-postratings/images/stars_crystal/rating_on.gifhttp://www.jsxubar.info/wp-content/plugins/wp-postratings/images/stars_crystal/rating_on.gif (1 votes, average: 5.00 out of 5)
588 views 2012 年 3 月 4 日Puppet、运维ca、master、puppet、集群jsxubar

　　扩展Puppet的一种方式是将Puppet Master的CA功能分离出去，建立Puppet CA集群，集中处理CA的任务，从而提高整个Puppet系统的吞吐量。
　　本教程是上一个教程:扩展Puppet – 建立Puppet Master集群的继续。
　　我们要实现这样一种架构:

Request --> Load Balancer ---> Puppet CA 1  ---> Puppet Master Worker
---> Puppet CA 2
　　与上个教程类似,我们将CA 1和CA 2先放在8142和18142端口



目录 [隐藏]

• 相同主机不同端口建立Puppet CA集群
  
  
  
  • 建立虚拟主机配置
    
  • 建立虚拟主机目录
    
  • 复制ca目录
    
  • 修改Load Balancer配置
    
  • 重启httpd服务,测试
    
  
  
  
• 不同主机相同端口建立Puppet CA集群
  
  
  
  • 在/etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf文件添加以下行:
    
  • 建立虚拟主机配置
    
  • 建立虚拟目录
    
  • 使用rsync同步ca.standby目录
    
  • 重启httpd服务
    
  
  
  
• 参考文章
  

相同主机不同端口建立Puppet CA集群

建立虚拟主机配置

sed s/8141/8142/ 8141_puppetmaster_worker.conf >8142_puppetmaster_worker.conf
sed s/8141/18142/ 8141_puppetmaster_worker.conf >18142_puppetmaster_worker.conf
建立虚拟主机目录

rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/
rsync -avxH /etc/puppet/rack/{,18142_}puppetmaster/
复制ca目录

rsync -axH /var/lib/puppet/ssl/ca{,.standby}/
　　并将/etc/puppet/18142_puppetmaster/config.ru修改为:

$0 = "master"
# if you want debugging:
# ARGV << "--debug"
ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"  # add this line
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
修改Load Balancer配置

# /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf
# /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf
# Available back-end worker virtual hosts
# NOTE the use of cleartext unencrypted HTTP.
<Proxy balancer://puppetmaster>
BalancerMember http://127.0.0.1:8141
BalancerMember http://192.168.254.184:8141
</Proxy>
<Proxy balancer://puppetmasterca>
# Puppet CA Active Worker
BalancerMember http://127.0.0.1:8142
# Puppet CA Hot Standby
BalancerMember http://127.0.0.1:18142 status=+H
#  BalancerMember http://192.168.254.184:8142 status=+H
</Proxy>
Listen 8140
<VirtualHost *:8140>
SSLEngine on
# SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
# Puppet master should generate initial CA certificate.
# ensure certs are located in /var/lib/puppet/ssl
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# CRL checking should be enabled
# disable next line if Apache complains about CRL
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# optional to allow CSR request, required if certificates distributed to client during provisioning.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# The following client headers record authentication information for down stream workers.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
<Location />
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location>
# Ordering of ProxyPass directives is important
# Direct all Puppet agent CA requests to a specific set of workers.
ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
# Direct all other Puppet agent requests to the default set of workers.
ProxyPass / balancer://puppetmaster/
ProxyPassReverse / balancer://puppetmaster/
ProxyPreserveHost On
# The load balancer log
ErrorLog /var/log/httpd/balancer_error.log
CustomLog /var/log/httpd/balancer_access.log combined
CustomLog /var/log/httpd/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
</VirtualHost>
　　# BalancerMember http://127.0.0.1:18142 status=+H +H表示在主机没响应时再使用备机
# 只有一个在工作

重启httpd服务,测试

不同主机相同端口建立Puppet CA集群
　　将18142转移到mailtest的8142端口

在/etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf文件添加以下行:

BalancerMember http://192.168.254.184:8142 status=+H
　　下面步骤在mailtest.example.com上进行

建立虚拟主机配置

sed s/8141/8142/ 8141_puppetmaster_worker.conf >8142_puppetmaster_worker.conf
建立虚拟目录

rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/
　　与前面类似,同样的,config.ru文件添加以下行:

ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"
使用rsync同步ca.standby目录

rsync -axH root@192.168.254.181:/var/lib/puppet/ssl/ca.standby/ /var/lib/puppet/ssl/ca.standby/
重启httpd服务
　　测试发现,如果一个新主机申请证书,而请求已经到了CA 1,但是没有签署,这时CA 1出问题了,将CA 1的ca目录同步到CA 2,然后就可以在CA 2上进行签署了。
　　注意此处的CA处理的只是第一次请求证书时的证书签署工作,并不处理签署过的证书的验证工作.也就是说已经签署证书的主机运行puppet agent时并不需要CA 1和CA 2的处理。

参考文章
　　文章含有html标签，而wordpress本身会解析html标签，因此博客可能显示错误。下载word版本，下载地址：

• 扩展Puppet – 建立Puppet CA集群.doc
  

　　相关内容:

• 扩展Puppet – 建立Puppet Master集群
  
• 扩展Puppet – 迁移Puppet Master到apache
  
• mcollective Caught TERM; calling stop
  
• puppet dashboard 添加认证
  
• puppet存储配置