puppetca 高可用性以及负载均衡配置
[导读]
本文是接着上一篇关于puppet loadbalance配置,在一篇中,我们学习了使用Apache和Passenger来扩展puppetmaster,并实现puppetmaster负载均衡.
原文可以参阅:http://www.mysqlops.com/2012/04/10/apache-passenger.html. 接下来我们是配置puppetca 认证的集群,实现高可用性,以及负载
均衡.此文是参考puppet pro pdf文档而写,如对原文感兴趣可以参阅puppet pro 原版,loadbalancer章节.
再次说明,如果你没有看明白Apache+Passenger,可能会不知道所云,建议看完这两篇在实践中去体会.
[正文]
(一):puppetCA loadbalancer 实现方案
采用apache虚拟主机多端口,即反向代理proxy.实现负载均衡.
(二):puppetCA loadbalancer 实现要点
1.同步ssl证书到各个puppetmaster上 证书目录.
2. 1台puppetmaster作为 active puppet CA. 另一台puppetmaster作备份的backup puppet CA.即standby ,
实现puppetca 认证的高可用性.
puppet loadblancer 实现架构图:
puppetmaster ca HA架构图:
(三) puppetmaster CA 高可用性 配置
a.创建两个虚拟主机,监听18142,18143端口.
1
2
3
4
5
6
7 |
sed s /18140/18142/ 40_puppetmaster_worker_18140.conf \ > 42_puppetmaster_worker_18142.conf # rsync -axH /etc/puppet/rack/puppetmaster{,_18142}/ # sed s/18140/18143/ 40_puppetmaster_worker_18140.conf \ > 43_puppetmaster_worker_18143.conf # rsync -axH /etc/puppet/rack/puppetmaster{,_18143}/ |
b. 备份现有的puppetmaster CA证书到备用puppetmaster主机的 ssl证书目录.
1
2
3
4
5
6
7
8
9
10
11 |
# rsync -axH /var/lib/puppet/ssl/ca{,.standby}/ # vim /etc/puppet/rack/puppetmaster_18143/config.ru #修改配置文件 0 = "master" # if you want debugging: # ARGV << "--debug" ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby" ##备份证书的路径 ARGV << "--rack" require 'puppet/application/master' run Puppet::Application[:master].run |
c.修改apache的配置文件,设置18413端口为puppetmaster备份的ssl 认证端口
1
2
3
4
5
6
7 |
# vim 30_puppetmaster_frontend_8140.conf <Proxy balancer: //puppetmasterca > # Puppet CA Active Worker BalancerMember http: //127 .0.0.1:18142 # Puppet CA Hot Standby BalancerMember http: //127 .0.0.1:18143 status=+H < /Proxy > |
d.修改apache的配置文件,将所有的ssl证书请求交由puppetmasterca 去处理,即proxy到ca认证的两个端口上.
1
2
3
4
5
6
7
8 |
# Ordering of ProxyPass directives is important # Direct all Puppet agent CA requests to a specific set of workers. ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer: //puppetmasterca ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer: //puppetmasterca # Direct all other Puppet agent requests to the default set of workers. ProxyPass / balancer: //puppetmaster/ ProxyPassReverse / balancer: //puppetmaster/ ProxyPreserveHost On |
f. 重启http
service httpd restart
puppetmaster ca 认证高可用性就配置完成,我们接下来测试puppetca:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119 |
root@client1 ~] # puppet agent --test --server puppetmaster1 ##客户端请求ssl认证 info: Creating a new SSL key for client1. test .com warning: peer certificate won't be verified in this SSL session info: Caching certificate for ca warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session info: Creating a new SSL certificate request for client1. test .com info: Certificate Request fingerprint (md5): 78:13:CD:92:DD:46:50:8E:15:B7:1D:41:01:04:98:E1 warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session Exiting; no certificate found and waitforcert is disabled [root@puppet1 conf.d] #cat /var/log/httpd/puppetmaster_worker_access_18142.log ##查看puppetmaster 日志 127.0.0.1 - - [23 /Mar/2012 :16:50:04 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-" 127.0.0.1 - - [23 /Mar/2012 :16:50:06 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-" 127.0.0.1 - - [23 /Mar/2012 :16:50:06 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-" [root@puppet1 conf.d] #puppetca --sign client1.test.com ## 给client1.test.com进行ssl签名 notice: Signed certificate request for client1. test .com notice: Removing file Puppet::SSL::CertificateRequest client1. test .com at '/var/lib/puppet/ssl/ca/requests/client1.test.com.pem' [root@client1 ~] # puppet agent --test --server puppetmaster1 ##client 再次请求puppetmaster1 warning: peer certificate won't be verified in this SSL session info: Caching certificate for client1. test .com info: Caching certificate_revocation_list for ca info: Caching catalog for client1. test .com info: Applying configuration version '1332493513' notice: puppet1 notice: /Stage [main] //Notify [puppet1] /message : defined 'message' as 'puppet1' notice: Finished catalog run in 0.12 seconds [root@puppet1 conf.d] # tail -2 /var/log/httpd/puppetmaster_worker_access_18142.log ##再次验证puppetmaster 日志 127.0.0.1 - - [23 /Mar/2012 :17:05:05 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 200 863 "-" "-" 127.0.0.1 - - [23 /Mar/2012 :17:05:08 +0800] "GET /production/certificate_revocation_list/ca HTTP/1.1" 200 443 "-" "-" [root@puppet1 conf.d] # cadir=$(puppet master --configprint cadir) ##获取当前puppetca 的目录 [root@puppet1 conf.d] # rsync -avxH --delete ${cadir}{,.standby}/ ##同步puppetmasterca 证书到备用puppetmaster的ssl 证书目录 building file list ... done deleting requests /client1 . test .com.pem deleting requests /client1 .pem ./ inventory.txt serial requests/ signed/ signed /client1 .pem signed /client1 . test .com.pem signed /puppet1 .pem sent 4665 bytes received 148 bytes 9626.00 bytes /sec total size is 10816 speedup is 2.25 [root@puppet1 conf.d] # iptables -I INPUT -i lo -p tcp --dport 18142 -j REJECT --reject-with icmp-host-prohibited #设置防火墙,将所有目的端口为18142的请求都drop掉. [root@puppet1 conf.d] # curl --silent -o /dev/null -D /dev/stdout -q -k -H "Accept: s" https://puppetmaster1:8140/production/certificate/ca ##请求ca证书 HTTP /1 .1 200 OK Date: Fri, 23 Mar 2012 09:16:02 GMT Server: Apache /2 .2.3 (CentOS) X-Powered-By: Phusion Passenger (mod_rails /mod_rack ) 3.0.11 Content-Length: 830 Status: 200 Content-Type: text /plain ; charset=UTF-8 Connection: close [root@puppet1 conf.d] # tail -n2 /var/log/httpd/balancer_error_log ## 查看日志 [Fri Mar 23 17:15:50 2012] [error] (113)No route to host: proxy: HTTP: attempt to connect to 127.0.0.1:18142 (127.0.0.1) failed [Fri Mar 23 17:15:50 2012] [error] ap_proxy_connect_backend disabling worker for (127.0.0.1) [root@puppet1 conf.d] # tail -n1 /var/log/httpd/puppetmaster_worker_access_18143.log ##查看日志 127.0.0.1 - - [23 /Mar/2012 :17:16:02 +0800] "GET /production/certificate/ca HTTP/1.1" 200 830 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5" [root@puppet1 conf.d] # puppet agent --certname test.test.com --test --noop ##采用试运行模式,生成新的证书 info: Creating a new SSL key for test . test .com warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session info: Creating a new SSL certificate request for test . test .com info: Certificate Request fingerprint (md5): 12:A9:35:2E:D6:8F:9B:FA:42:E5:04:4E:05:4C:24:D7 warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session warning: peer certificate won't be verified in this SSL session Exiting; no certificate found and waitforcert is disabled [root@puppet1 conf.d] # puppet cert --cadir /var/lib/puppet/ssl/ca.standby --list ## 查看证书请求 test . test .com (12:A9:35:2E:D6:8F:9B:FA:42:E5:04:4E:05:4C:24:D7) [root@puppet1 conf.d] # puppet agent --certname test.test.com --test --noop --server puppetmaster1# 再次请求puppetmaster1 info: Caching catalog for test .example.lan info: Applying configuration version '1332494601' notice: /Stage [main] //Notify [puppet1] /message : current_value absent, should be puppet1 (noop) notice: Class[Main]: Would have triggered 'refresh' from 1 events notice: Stage[main]: Would have triggered 'refresh' from 1 events notice: Finished catalog run in 0.14 seconds [root@puppet1 conf.d] # rsync -avxH --delete /var/lib/puppet/ssl/ca{.standby,}/ ##再次同步ssl证书目录 building file list ... done ./ inventory.txt serial requests/ signed/ signed /test . test .com.pem sent 2982 bytes received 104 bytes 6172.00 bytes /sec total size is 12277 speedup is 3.98 [root@puppet1 conf.d] # iptables -L INPUT -n -v --line-number ##查看防火墙 Chain INPUT (policy ACCEPT 6418 packets, 1186K bytes) num pkts bytes target prot opt in out source destination 1 8 480 REJECT tcp -- lo * 0.0.0.0 /0 0.0.0.0 /0 tcp dpt:18142 reject-with icmp-host-prohibited 2 0 0 REJECT tcp -- lo * 0.0.0.0 /0 0.0.0.0 /0 tcp dpt:18142 reject-with icmp-net-unreachable [root@puppet1 conf.d] # iptables -D INPUT 1 ##删除规则1 [root@puppet1 conf.d] # iptables -D INPUT 2 ##删除规则2 [root@puppet1 conf.d] # time curl -v -H "Accept: pson, yaml" \ ##查看请求证书的时间 -H "X-Client-DN: /CN=test.example.com" \ -H "X-Client-Verify: SUCCESS" \ |
[总结]
这一篇文档也是前阵子做实验的.puppet pro pdf 文档里已经说得够明白了,看到这里,大家应该可以明白,实现puppeptmaster的高可用性,不仅包括puppetmaster的压力进行负载均衡,还要考虑到puppet 认证puppetca的负载均衡.实现方案比较简单,但有很强的参考意义,也给我们实现puppetmaster cluster的思路. 最近一直在看puppet,有部分同学问,最近怎么都没有写puppet 文档,这里说下,因为有太多东西,发现有好多东西不懂,期待大家一起交流进步,此文档会同步更新至puppet 中文社区,欢迎大家前往!再次说明:puppet pro pdf文档里有详细资料,如还没有puppet pro pdf文档的同学,可以搜索下载,或者发mail到107214359@qq.com,或者留下邮箱,
sky发通过电邮会送给大家!
建议继续学习:
- 解析nginx负载均衡 (阅读:14452)
- 使用HAProxy对MySQL进行负载均衡和状态监控 (阅读:5566)
- 趣图三幅:负载均衡算法需要改进 (阅读:3845)
- 基于MySQL的高可用可扩展架构探讨 (阅读:3706)
- 服务框架演变过程 (阅读:3644)
- 超级负载均衡 (阅读:3646)
- “集群和负载均衡”的通俗版解释 (阅读:3482)
- 利用MySQL Cluster 7.0 + LVS 搭建高可用环境 (阅读:3363)
- “集群和负载均衡”在实战当中的运用技巧 (阅读:3335)
- 寻找适合你的MySQL高可用解决方案 (阅读:2959)
扫一扫订阅我的微信号:IT技术博客大学习
- 作者:sky 来源: MySQLOPS 数据库与运维自动化技术分享
- 标签: puppetca 负载均衡 高可用
- 发布时间:2012-04-22 14:56:22
- [70] Go Reflect 性能
- [68] 如何拿下简短的域名
- [65] Oracle MTS模式下 进程地址与会话信
- [63] 图书馆的世界纪录
- [62] IOS安全–浅谈关于IOS加固的几种方法
- [61] 【社会化设计】自我(self)部分――欢迎区
- [59] android 开发入门
- [54] 视觉调整-设计师 vs. 逻辑
- [49] 界面设计速成
- [48] 读书笔记-壹百度:百度十年千倍的29条法则