puppet 横向扩展(三)

mingk

# 清除 ca-1 上的既有证书　　root@ca-1:~# rm -rf /var/lib/puppet/ssl/
　　
　　# 在机器A 上认证 ca-1
　　# 补充: master-1 的IP就是 192.168.1.100
　　# 补充: ca-1 作为agent 连接master-1, 需要配置 /etc/hosts 和 /etc/puppet/puppet.conf
　　root@ca-1:/var/lib/puppet# puppet agent --test --server=192.168.1.100
　　Info: Creating a new SSL key for ca-1.puppet.com
　　Info: Caching certificate for ca
　　Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
　　Info: Creating a new SSL certificate request for ca-1.puppet.com
　　Info: Certificate Request fingerprint (SHA256): C3:CD:C6:8E:34:22:40:8D:32:00:1B:E5:54:E2:C1:C7:96:79:BF:B0:1A:A8:FD:11:B4:32:D6:4F:AE:54:AB:94
　　Info: Caching certificate for ca
　　Exiting; no certificate found and waitforcert is disabled
　　root@ca-1:/var/lib/puppet# puppet agent --test
　　Info: Caching certificate for ca-1.puppet.com
　　Info: Caching certificate_revocation_list for ca
　　Info: Caching certificate for ca-1.puppet.com
　　Info: Retrieving pluginfacts
　　Info: Retrieving plugin
　　Info: Caching catalog for ca-1.puppet.com
　　Info: Applying configuration version '1420697839'
　　Notice: Finished catalog run in 0.01 seconds
　　
　　# 将机器A 上的证书移到 ca-1 上 (机器A 之前作为CA服务器, 上面有 node 的认证情况)
　　root@master-1:~# rsync -PHaze ssh /var/lib/puppet/ssl/ca 192.168.1.101:/var/lib/puppet/ssl/
　　root@192.168.1.101's password:
　　sending incremental file list
　　ca/
　　ca/ca_crl.pem
　　1202 100%    0.00kB/s    0:00:00 (xfer#1, to-check=12/14)
　　ca/ca_crt.pem
　　1968 100%    1.88MB/s    0:00:00 (xfer#2, to-check=11/14)
　　ca/ca_key.pem
　　3243 100%    3.09MB/s    0:00:00 (xfer#3, to-check=10/14)
　　ca/ca_pub.pem
　　800 100%  781.25kB/s    0:00:00 (xfer#4, to-check=9/14)
　　ca/inventory.txt
　　611 100%  596.68kB/s    0:00:00 (xfer#5, to-check=8/14)
　　ca/serial
　　4 100%    3.91kB/s    0:00:00 (xfer#6, to-check=7/14)
　　ca/private/
　　ca/private/ca.pass
　　20 100%   19.53kB/s    0:00:00 (xfer#7, to-check=3/14)
　　ca/requests/
　　ca/signed/
　　ca/signed/ca-1.puppet.com.pem
　　1956 100%    1.87MB/s    0:00:00 (xfer#8, to-check=2/14)
　　ca/signed/master-1.puppet.com.pem
　　2041 100%    1.95MB/s    0:00:00 (xfer#9, to-check=1/14)
　　ca/signed/node-1.puppet.com.pem
　　1960 100%    1.87MB/s    0:00:00 (xfer#10, to-check=0/14)
　　
　　sent 10898 bytes  received 218 bytes  1170.11 bytes/sec

　　total>　　
　　# 修改 ca-1 上默认的 puppetmaster 配置
　　root@ca-1:~# cat /etc/apache2/sites-available/puppetmaster
　　# This Apache 2 virtual host config shows how to use Puppet as a Rack
　　# application via Passenger. See
　　# http://docs.puppetlabs.com/guides/passenger.html for more information.
　　
　　# You can also use the included config.ru file to run Puppet with other Rack
　　# servers instead of Passenger.
　　
　　# you probably want to tune these settings
　　PassengerHighPerformance on
　　PassengerMaxPoolSize 12
　　PassengerPoolIdleTime 1500
　　# PassengerMaxRequests 1000
　　PassengerStatThrottleRate 120
　　RackAutoDetect Off
　　RailsAutoDetect Off
　　
　　Listen 8140
　　
　　
　　SSLEngine on
　　SSLProtocol             ALL -SSLv2 -SSLv3
　　SSLCipherSuite          EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
　　SSLHonorCipherOrder     on
　　
　　SSLCertificateFile      /var/lib/puppet/ssl/certs/ca-1.puppet.com.pem
　　SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/ca-1.puppet.com.pem
　　SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
　　SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
　　# If Apache complains about invalid signatures on the CRL, you can try disabling
　　# CRL checking by commenting the next line, but this is not recommended.
　　SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
　　# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
　　# which effectively disables CRL checking; if you are using Apache 2.4+ you must
　　# specify 'SSLCARevocationCheck chain' to actually use the CRL.
　　# SSLCARevocationCheck chain
　　SSLVerifyClient optional
　　SSLVerifyDepth  1
　　# The `ExportCertData` option is needed for agent certificate expiration warnings
　　SSLOptions +StdEnvVars +ExportCertData
　　
　　# This header needs to be set if using a loadbalancer or proxy
　　#!!! RequestHeader 相关内容都要注释掉
　　#RequestHeader unset X-Forwarded-For
　　
　　#RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
　　#RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
　　#RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
　　
　　DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
　　RackBaseURI /
　　
　　Options None
　　AllowOverride None
　　Order allow,deny
　　allow from all