
Puppet CA high availability and load-balancing configuration


[Introduction]

This article follows on from the previous one on Puppet load balancing, in which we learned to scale puppetmaster with Apache and Passenger and to load-balance puppetmaster.

The original can be found at: http://www.mysqlops.com/2012/04/10/apache-passenger.html. Next we configure a cluster for puppetca certificate signing, giving it high availability and load balancing. This article was written with reference to the puppet pro PDF; if you are interested in the original, see the load balancer chapter of puppet pro.

Once again: if you have not understood Apache + Passenger, what follows may not make much sense; it is best to read both articles and then work through them in practice.

[Body]

(1): Puppet CA load balancer approach
Use Apache virtual hosts on multiple ports, i.e. a reverse proxy, to achieve load balancing.

(2): Key points of the Puppet CA load balancer

1. Synchronise the SSL certificates into the certificate directory on each puppetmaster.
2. One puppetmaster acts as the active Puppet CA; the other puppetmaster acts as the backup, i.e. standby, Puppet CA. This gives puppetca certificate signing high availability.

Puppet load balancer architecture diagram: [figure: puppetmaster load balancing, puppetmaster cluster architecture]

Puppetmaster CA HA architecture diagram: [figure: puppetca load balancing, puppetca cluster and puppetmaster cluster]

(3) Puppetmaster CA high availability configuration

a. Create two virtual hosts, listening on ports 18142 and 18143.

# sed s/18140/18142/ 40_puppetmaster_worker_18140.conf \
> 42_puppetmaster_worker_18142.conf
# rsync -axH /etc/puppet/rack/puppetmaster{,_18142}/

# sed s/18140/18143/ 40_puppetmaster_worker_18140.conf \
> 43_puppetmaster_worker_18143.conf
# rsync -axH /etc/puppet/rack/puppetmaster{,_18143}/

b. Back up the existing puppetmaster CA certificates into the SSL certificate directory of the standby puppetmaster.

# rsync -axH /var/lib/puppet/ssl/ca{,.standby}/

# vim /etc/puppet/rack/puppetmaster_18143/config.ru  # edit the configuration file

$0 = "master"
# if you want debugging:
# ARGV << "--debug"
ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"  ## path of the backed-up CA directory
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run

c. Edit the Apache configuration so that port 18143 becomes the standby puppetmaster's SSL signing port.

# vim 30_puppetmaster_frontend_8140.conf
<Proxy balancer://puppetmasterca>
# Puppet CA Active Worker
BalancerMember http://127.0.0.1:18142
# Puppet CA Hot Standby
BalancerMember http://127.0.0.1:18143 status=+H
</Proxy>

d. Edit the Apache configuration so that all SSL certificate requests are handed to puppetmasterca, i.e. proxied to the two CA signing ports.

# Ordering of ProxyPass directives is important
# Direct all Puppet agent CA requests to a specific set of workers.
ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
# Direct all other Puppet agent requests to the default set of workers.
ProxyPass / balancer://puppetmaster/
ProxyPassReverse / balancer://puppetmaster/
ProxyPreserveHost On
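As an added illustration (this is not code from the original article, nor from Puppet or Apache), the following Python script applies the same ProxyPassMatch pattern to sample Puppet agent request paths and models how mod_proxy_balancer treats the status=+H hot-standby member: CA traffic (certificate, certificate_request, certificate_revocation_list) is routed to the CA pool, everything else to the default pool, and the standby on 18143 only receives requests once 18142 is unusable. The member tables, the single 18140 worker assumed for the default pool, and the `down` set standing in for Apache's per-worker error state are assumptions made for the example.

```python
import re

# The ProxyPassMatch pattern from the Apache front-end configuration above
CA_PATTERN = re.compile(r"^(/.*?)/(certificate.*?)/(.*)$")

# Constructed member tables mirroring the two balancers (assumption: the
# default pool holds only the 18140 worker from the previous article).
BALANCERS = {
    "balancer://puppetmasterca": [
        {"url": "http://127.0.0.1:18142", "hot_standby": False},  # active CA worker
        {"url": "http://127.0.0.1:18143", "hot_standby": True},   # status=+H
    ],
    "balancer://puppetmaster": [
        {"url": "http://127.0.0.1:18140", "hot_standby": False},
    ],
}


def route(path):
    """Name the balancer a request path is proxied to.

    Apache evaluates the directives in order, so the CA pattern is tested
    before the catch-all `ProxyPass /`; a match sends the request to the CA pool."""
    if CA_PATTERN.match(path):
        return "balancer://puppetmasterca"
    return "balancer://puppetmaster"


def pick_member(balancer, down=frozenset()):
    """Choose a worker the way mod_proxy_balancer treats hot-standby members:
    a member flagged status=+H is used only while every regular member is
    unusable. `down` (a set of worker URLs) stands in for Apache's per-worker
    error state; that is an assumption made for this example."""
    members = BALANCERS[balancer]
    usable = [m for m in members if m["url"] not in down]
    regular = [m["url"] for m in usable if not m["hot_standby"]]
    if regular:
        return regular[0]       # first usable regular member; no lbmethod modelled
    standby = [m["url"] for m in usable if m["hot_standby"]]
    return standby[0] if standby else None


def dispatch(path, down=frozenset()):
    """Return (balancer, worker URL); the URL is None when the pool is exhausted."""
    balancer = route(path)
    return balancer, pick_member(balancer, down)


if __name__ == "__main__":
    for p in ("/production/certificate/ca",
              "/production/certificate_request/client1.test.com",
              "/production/certificate_revocation_list/ca",
              "/production/catalog/client1.test.com"):
        print(p, "->", dispatch(p))
    # The failover shown in the test transcript: 18142 firewalled, 18143 answers
    print(dispatch("/production/certificate/ca", {"http://127.0.0.1:18142"}))
```

The "Ordering of ProxyPass directives is important" comment in the Apache configuration matters for the same reason `route()` tests the CA pattern first: if `ProxyPass /` came first it would match every request and the CA pool would never be used.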

e. Restart httpd

service httpd restart


That completes the configuration of puppetmaster CA high availability. Next we test puppetca:

[root@client1 ~]# puppet agent --test --server puppetmaster1 ## the client requests an SSL certificate
info: Creating a new SSL key for client1.test.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client1.test.com
info: Certificate Request fingerprint (md5): 78:13:CD:92:DD:46:50:8E:15:B7:1D:41:01:04:98:E1
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
  
[root@puppet1 conf.d]# cat /var/log/httpd/puppetmaster_worker_access_18142.log ## check the puppetmaster log
127.0.0.1 - - [23/Mar/2012:16:50:04 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-"
127.0.0.1 - - [23/Mar/2012:16:50:06 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-"
127.0.0.1 - - [23/Mar/2012:16:50:06 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-"
  
[root@puppet1 conf.d]# puppetca --sign client1.test.com ## sign the certificate for client1.test.com
notice: Signed certificate request for client1.test.com
notice: Removing file Puppet::SSL::CertificateRequest client1.test.com
at '/var/lib/puppet/ssl/ca/requests/client1.test.com.pem'
  
[root@client1 ~]# puppet agent --test --server puppetmaster1 ## the client requests puppetmaster1 again
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client1.test.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client1.test.com
info: Applying configuration version '1332493513'
notice: puppet1
notice: /Stage[main]//Notify[puppet1]/message: defined 'message' as 'puppet1'
notice: Finished catalog run in 0.12 seconds
  
[root@puppet1 conf.d]# tail -2 /var/log/httpd/puppetmaster_worker_access_18142.log ## check the puppetmaster log again
127.0.0.1 - - [23/Mar/2012:17:05:05 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 200 863 "-" "-"
127.0.0.1 - - [23/Mar/2012:17:05:08 +0800] "GET /production/certificate_revocation_list/ca HTTP/1.1" 200 443 "-" "-"
  
[root@puppet1 conf.d]# cadir=$(puppet master --configprint cadir) ## get the current puppetca directory
  
[root@puppet1 conf.d]# rsync -avxH --delete ${cadir}{,.standby}/ ## sync the puppetmaster CA certificates to the standby puppetmaster's SSL certificate directory
building file list ... done
deleting requests/client1.test.com.pem
deleting requests/client1.pem
./
inventory.txt
serial
requests/
signed/
signed/client1.pem
signed/client1.test.com.pem
signed/puppet1.pem
  
sent 4665 bytes  received 148 bytes  9626.00 bytes/sec
total size is 10816  speedup is 2.25
  
[root@puppet1 conf.d]# iptables -I INPUT -i lo -p tcp --dport 18142 -j REJECT --reject-with icmp-host-prohibited ## add a firewall rule that blocks every request whose destination port is 18142
  
[root@puppet1 conf.d]# curl --silent -o /dev/null -D /dev/stdout -q -k -H "Accept: s" https://puppetmaster1:8140/production/certificate/ca ## request the CA certificate
HTTP/1.1 200 OK
Date: Fri, 23 Mar 2012 09:16:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11
Content-Length: 830
Status: 200
Content-Type: text/plain; charset=UTF-8
Connection: close
  
[root@puppet1 conf.d]# tail -n2 /var/log/httpd/balancer_error_log ## check the balancer log
[Fri Mar 23 17:15:50 2012] [error] (113)No route to host: proxy: HTTP: attempt to connect to 127.0.0.1:18142 (127.0.0.1) failed
[Fri Mar 23 17:15:50 2012] [error] ap_proxy_connect_backend disabling worker for (127.0.0.1)
  
[root@puppet1 conf.d]# tail -n1 /var/log/httpd/puppetmaster_worker_access_18143.log ## check the standby worker's log
127.0.0.1 - - [23/Mar/2012:17:16:02 +0800] "GET /production/certificate/ca HTTP/1.1" 200 830 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
  
[root@puppet1 conf.d]# puppet agent --certname test.test.com --test --noop ## run in noop (dry-run) mode to generate a new certificate request
info: Creating a new SSL key for test.test.com
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for test.test.com
info: Certificate Request fingerprint (md5): 12:A9:35:2E:D6:8F:9B:FA:42:E5:04:4E:05:4C:24:D7
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
  
[root@puppet1 conf.d]# puppet cert --cadir /var/lib/puppet/ssl/ca.standby --list ## list the certificate requests
  test.test.com (12:A9:35:2E:D6:8F:9B:FA:42:E5:04:4E:05:4C:24:D7)
[root@puppet1 conf.d]# puppet agent --certname test.test.com --test --noop --server puppetmaster1 ## request puppetmaster1 again
info: Caching catalog for test.example.lan
info: Applying configuration version '1332494601'
notice: /Stage[main]//Notify[puppet1]/message: current_value absent, should be puppet1 (noop)
notice: Class[Main]: Would have triggered 'refresh' from 1 events
notice: Stage[main]: Would have triggered 'refresh' from 1 events
notice: Finished catalog run in 0.14 seconds
  
[root@puppet1 conf.d]# rsync -avxH --delete /var/lib/puppet/ssl/ca{.standby,}/ ## sync the SSL certificate directory again, from the standby back to the active CA
building file list ... done
./
inventory.txt
serial
requests/
signed/
signed/test.test.com.pem
  
sent 2982 bytes  received 104 bytes  6172.00 bytes/sec
total size is 12277  speedup is 3.98
  
[root@puppet1 conf.d]# iptables -L INPUT -n -v --line-number ## check the firewall
Chain INPUT (policy ACCEPT 6418 packets, 1186K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        8   480 REJECT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0           tcp dpt:18142 reject-with icmp-host-prohibited
2        0     0 REJECT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0           tcp dpt:18142 reject-with icmp-net-unreachable
  
[root@puppet1 conf.d]# iptables -D INPUT 1 ## delete rule 1
[root@puppet1 conf.d]# iptables -D INPUT 2 ## delete rule 2
  
[root@puppet1 conf.d]# time curl -v -H "Accept: pson, yaml" \  ## time a certificate request
-H "X-Client-DN: /CN=test.example.com" \
-H "X-Client-Verify: SUCCESS" \
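The transcript above syncs the CA directory in both directions with `rsync --delete`: from the active CA to the standby before the failover test, and from the standby back to the active CA afterwards. Added here as an example that is not part of the original article: a Python pre-flight check that refuses a sync when the destination holds signed certificates the source lacks, or a serial counter ahead of the source. That is the state you end up in when both CAs have issued certificates since the last sync, and a blind `rsync --delete` would then discard issued certificates and can rewind the serial counter so that two certificates share a serial number. The directory layout (signed/, requests/, serial) follows the files listed in the rsync output; the CA directories and certificate files are constructed placeholders, `sync()` stands in for rsync, and the serial file holding a hex counter is an assumption.

```python
import os
import shutil
import tempfile

SIGNED = "signed"   # <cadir>/signed/<certname>.pem, as listed in the rsync output
SERIAL = "serial"   # <cadir>/serial: next serial number (assumed to be a hex string)


def signed_certs(cadir):
    """Names of the certificate files under <cadir>/signed/."""
    path = os.path.join(cadir, SIGNED)
    if not os.path.isdir(path):
        return set()
    return {name for name in os.listdir(path) if name.endswith(".pem")}


def read_serial(cadir):
    """Current value of the CA's serial counter."""
    with open(os.path.join(cadir, SERIAL)) as fh:
        return int(fh.read().strip(), 16)


def check_sync(src, dst):
    """Decide whether `rsync --delete src/ dst/` is safe.

    Safe means dst holds nothing src lacks: no certificate that exists only
    in dst and no serial counter ahead of src. Anything else means both
    directories were written since the last sync (both CAs issued
    certificates), so a blind sync would drop issued certificates or rewind
    the counter. Returns (ok, list_of_problems)."""
    problems = []
    only_in_dst = signed_certs(dst) - signed_certs(src)
    if only_in_dst:
        problems.append("certificates only in destination: " + ", ".join(sorted(only_in_dst)))
    if read_serial(dst) > read_serial(src):
        problems.append("destination serial counter is ahead of source")
    return (not problems, problems)


def sync(src, dst):
    """Stand-in for `rsync -avxH --delete src/ dst/`: make dst an exact copy of src."""
    shutil.rmtree(dst)
    shutil.copytree(src, dst)


# --- constructed sample data, not real Puppet CA files -----------------------

def issue(cadir, certname, bump_serial=True):
    """Simulate the CA signing a request: write signed/<certname>.pem, advance serial."""
    with open(os.path.join(cadir, SIGNED, certname + ".pem"), "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder for %s\n"
                 "-----END CERTIFICATE-----\n" % certname)
    if bump_serial:
        next_serial = read_serial(cadir) + 1
        with open(os.path.join(cadir, SERIAL), "w") as fh:
            fh.write("%02X\n" % next_serial)


def make_cadir(root, name, serial, certnames):
    """Create a CA directory skeleton holding placeholder certificate files."""
    cadir = os.path.join(root, name)
    os.makedirs(os.path.join(cadir, SIGNED))
    os.makedirs(os.path.join(cadir, "requests"))
    with open(os.path.join(cadir, SERIAL), "w") as fh:
        fh.write("%02X\n" % serial)
    for certname in certnames:
        issue(cadir, certname, bump_serial=False)
    return cadir


def demo():
    """Replay the two sync directions from the transcript, then a split-brain case."""
    with tempfile.TemporaryDirectory() as root:
        active = make_cadir(root, "ca", 4, ["puppet1", "client1", "client1.test.com"])
        standby = make_cadir(root, "ca.standby", 2, ["puppet1"])

        # 1. active -> standby before the failover test: the standby is merely stale.
        ok1, _ = check_sync(active, standby)
        if ok1:
            sync(active, standby)

        # 2. While 18142 is blocked the standby signs test.test.com; syncing
        #    standby -> active afterwards is still safe, the active CA has nothing new.
        issue(standby, "test.test.com")
        ok2, _ = check_sync(standby, active)

        # 3. Split brain: the active CA also issued a certificate in the meantime,
        #    so standby -> active would delete it; the check refuses.
        issue(active, "other.test.com")
        ok3, why = check_sync(standby, active)
        return ok1, ok2, ok3, why


if __name__ == "__main__":
    print(demo())
```

In the split-brain case both counters read 5 and the serial comparison alone would pass: each CA has handed out serial 4 to a different name, which is exactly the collision the sync must not paper over, and why the check also compares the signed/ directories rather than the counter only.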

[Summary]

This article is also based on experiments I did a while ago. The puppet pro PDF already explains it clearly enough; having read this far, you should see that making puppetmaster highly available means not only load balancing the puppetmaster workload but also load balancing the puppetca certificate signing. The solution is fairly simple, but it is a valuable reference and gives us an approach to building a puppetmaster cluster. I have been studying Puppet a lot recently; some of you have asked why I have not written any Puppet documents lately. Let me explain: there is simply too much, and I find there is a lot I do not understand, so I look forward to learning and improving together with all of you. This document will also be published on the Puppet Chinese community site; you are welcome to visit! Once again: the puppet pro PDF contains detailed material. If you do not yet have the puppet pro PDF, you can search for and download it, send mail to 107214359@qq.com, or leave your e-mail address and sky will send it to you by e-mail!
