
puppetca high availability and load balancing configuration

MySQLOPS Database and Ops Automation Tech Sharing 2012-04-22 14:56:22 Total views: 2,862

[Introduction]

This article follows on from the previous post on puppet load balancing, in which we learned how to scale puppetmaster with Apache and Passenger and load-balance the puppetmaster service.

The original can be found at: http://www.mysqlops.com/2012/04/10/apache-passenger.html. Next we configure a cluster for puppetca certificate signing, giving it high availability and load balancing. This article is written with reference to the puppet pro PDF; if you are interested in the original text, see the loadbalancer chapter of puppet pro.

Once again: if you have not understood the Apache+Passenger post, this one may make little sense; read both and then work through them in practice.

[Body]

(1): puppetCA load balancer approach
Use Apache virtual hosts on multiple ports, i.e. a reverse proxy, to achieve load balancing.

(2): puppetCA load balancer key points

1. Sync the SSL certificates to the certificate directory on each puppetmaster.
2. One puppetmaster acts as the active puppet CA; the other puppetmaster acts as the backup (standby) puppet CA, giving puppetca signing high availability.

[Figure: puppet load balancer architecture (puppetmaster load balance; puppetmaster cluster)]

[Figure: puppetmaster CA HA architecture (puppetca load balance; puppetca cluster and puppetmaster cluster)]

(3) puppetmaster CA high availability configuration

a. Create two virtual hosts, listening on ports 18142 and 18143.

# sed s/18140/18142/ 40_puppetmaster_worker_18140.conf > 42_puppetmaster_worker_18142.conf
# rsync -axH /etc/puppet/rack/puppetmaster{,_18142}/

# sed s/18140/18143/ 40_puppetmaster_worker_18140.conf > 43_puppetmaster_worker_18143.conf
# rsync -axH /etc/puppet/rack/puppetmaster{,_18143}/

b. Back up the existing puppetmaster CA certificates to the SSL certificate directory of the standby puppetmaster host.

# rsync -axH /var/lib/puppet/ssl/ca{,.standby}/

# vim /etc/puppet/rack/puppetmaster_18143/config.ru  # edit the config file

$0 = "master"
# if you want debugging:
# ARGV << "--debug"
ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"  ## path to the backup CA directory
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run

c. Edit the Apache configuration and set port 18143 as the standby puppetmaster SSL signing port

# vim 30_puppetmaster_frontend_8140.conf
<Proxy balancer://puppetmasterca>
# Puppet CA Active Worker
BalancerMember http://127.0.0.1:18142
# Puppet CA Hot Standby
BalancerMember http://127.0.0.1:18143 status=+H
</Proxy>

d. Edit the Apache configuration so that all SSL certificate requests are handed to puppetmasterca, i.e. proxied to the two CA signing ports.

# Ordering of ProxyPass directives is important
# Direct all Puppet agent CA requests to a specific set of workers.
ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
# Direct all other Puppet agent requests to the default set of workers.
ProxyPass / balancer://puppetmaster/
ProxyPassReverse / balancer://puppetmaster/
ProxyPreserveHost On
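Because ProxyPassMatch is evaluated before the catch-all ProxyPass, the regex alone decides which requests reach the CA pool. The following added example (mine, not from the post or from Apache) reproduces that decision so the split can be checked against real request paths before the config goes live; the function names are my own, and the POSIX ERE used has the same match set as the PCRE in the config.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the routing decision made
# by the ProxyPassMatch / ProxyPass pair. A path matching the CA pattern goes to
# balancer://puppetmasterca; every other path falls through to balancer://puppetmaster/.
# Note the pattern needs a segment *before* "certificate", so "/certificate/ca"
# (no environment prefix) is NOT routed to the CA pool.

CA_PATTERN='^(/.*)/(certificate.*)/(.*)$'   # same match set as the lazy PCRE in the config

puppet_route() {
    if printf '%s\n' "$1" | grep -Eq "$CA_PATTERN"; then
        echo "balancer://puppetmasterca"
    else
        echo "balancer://puppetmaster/"
    fi
}

# Walk an access log in the common log format used by the worker logs on this page
# and report the backend each logged request would be sent to.
route_access_log() {
    # Field 7 of the common log format is the request path.
    awk '{ print $7 }' "$1" | while read -r path; do
        printf '%s -> %s\n' "$path" "$(puppet_route "$path")"
    done
}
```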

e. Restart httpd

service httpd restart


That completes the puppetmaster CA signing high availability configuration. Next we test puppetca:

[root@client1 ~]# puppet agent --test --server puppetmaster1  ## the client requests SSL certificate signing
info: Creating a new SSL key for client1.test.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client1.test.com
info: Certificate Request fingerprint (md5): 78:13:CD:92:DD:46:50:8E:15:B7:1D:41:01:04:98:E1
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

[root@puppet1 conf.d]# cat /var/log/httpd/puppetmaster_worker_access_18142.log  ## check the puppetmaster log
127.0.0.1 - - [23/Mar/2012:16:50:04 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-"
127.0.0.1 - - [23/Mar/2012:16:50:06 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-"
127.0.0.1 - - [23/Mar/2012:16:50:06 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 404 43 "-" "-"

[root@puppet1 conf.d]# puppetca --sign client1.test.com  ## sign the certificate for client1.test.com
notice: Signed certificate request for client1.test.com
notice: Removing file Puppet::SSL::CertificateRequest client1.test.com
at '/var/lib/puppet/ssl/ca/requests/client1.test.com.pem'

[root@client1 ~]# puppet agent --test --server puppetmaster1  ## the client requests puppetmaster1 again
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client1.test.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client1.test.com
info: Applying configuration version '1332493513'
notice: puppet1
notice: /Stage[main]//Notify[puppet1]/message: defined 'message' as 'puppet1'
notice: Finished catalog run in 0.12 seconds

[root@puppet1 conf.d]# tail -2 /var/log/httpd/puppetmaster_worker_access_18142.log  ## verify the puppetmaster log again
127.0.0.1 - - [23/Mar/2012:17:05:05 +0800] "GET /production/certificate/client1.test.com HTTP/1.1" 200 863 "-" "-"
127.0.0.1 - - [23/Mar/2012:17:05:08 +0800] "GET /production/certificate_revocation_list/ca HTTP/1.1" 200 443 "-" "-"

[root@puppet1 conf.d]# cadir=$(puppet master --configprint cadir)  ## get the current puppetca directory

[root@puppet1 conf.d]# rsync -avxH --delete ${cadir}{,.standby}/  ## sync the puppetmasterca certificates to the standby puppetmaster's SSL certificate directory
building file list ... done
deleting requests/client1.test.com.pem
deleting requests/client1.pem
./
inventory.txt
serial
requests/
signed/
signed/client1.pem
signed/client1.test.com.pem
signed/puppet1.pem

sent 4665 bytes  received 148 bytes  9626.00 bytes/sec
total size is 10816  speedup is 2.25

[root@puppet1 conf.d]# iptables -I INPUT -i lo -p tcp --dport 18142 -j REJECT --reject-with icmp-host-prohibited  ## firewall rule: reject every request whose destination port is 18142

[root@puppet1 conf.d]# curl --silent -o /dev/null -D /dev/stdout -q -k -H "Accept: s" https://puppetmaster1:8140/production/certificate/ca  ## request the CA certificate
HTTP/1.1 200 OK
Date: Fri, 23 Mar 2012 09:16:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11
Content-Length: 830
Status: 200
Content-Type: text/plain; charset=UTF-8
Connection: close

[root@puppet1 conf.d]# tail -n2 /var/log/httpd/balancer_error_log  ## check the log
[Fri Mar 23 17:15:50 2012] [error] (113)No route to host: proxy: HTTP: attempt to connect to 127.0.0.1:18142 (127.0.0.1) failed
[Fri Mar 23 17:15:50 2012] [error] ap_proxy_connect_backend disabling worker for (127.0.0.1)

[root@puppet1 conf.d]# tail -n1 /var/log/httpd/puppetmaster_worker_access_18143.log  ## check the log
127.0.0.1 - - [23/Mar/2012:17:16:02 +0800] "GET /production/certificate/ca HTTP/1.1" 200 830 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"

[root@puppet1 conf.d]# puppet agent --certname test.test.com --test --noop  ## dry-run mode, generate a new certificate
info: Creating a new SSL key for test.test.com
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for test.test.com
info: Certificate Request fingerprint (md5): 12:A9:35:2E:D6:8F:9B:FA:42:E5:04:4E:05:4C:24:D7
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

[root@puppet1 conf.d]# puppet cert --cadir /var/lib/puppet/ssl/ca.standby --list  ## list the certificate requests
  test.test.com (12:A9:35:2E:D6:8F:9B:FA:42:E5:04:4E:05:4C:24:D7)
[root@puppet1 conf.d]# puppet agent --certname test.test.com --test --noop --server puppetmaster1  ## request puppetmaster1 again
info: Caching catalog for test.example.lan
info: Applying configuration version '1332494601'
notice: /Stage[main]//Notify[puppet1]/message: current_value absent, should be puppet1 (noop)
notice: Class[Main]: Would have triggered 'refresh' from 1 events
notice: Stage[main]: Would have triggered 'refresh' from 1 events
notice: Finished catalog run in 0.14 seconds

[root@puppet1 conf.d]# rsync -avxH --delete /var/lib/puppet/ssl/ca{.standby,}/  ## sync the SSL certificate directory again
building file list ... done
./
inventory.txt
serial
requests/
signed/
signed/test.test.com.pem

sent 2982 bytes  received 104 bytes  6172.00 bytes/sec
total size is 12277  speedup is 3.98

[root@puppet1 conf.d]# iptables -L INPUT -n -v --line-number  ## check the firewall
Chain INPUT (policy ACCEPT 6418 packets, 1186K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        8   480 REJECT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0           tcp dpt:18142 reject-with icmp-host-prohibited
2        0     0 REJECT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0           tcp dpt:18142 reject-with icmp-net-unreachable

[root@puppet1 conf.d]# iptables -D INPUT 1  ## delete rule 1
[root@puppet1 conf.d]# iptables -D INPUT 2  ## delete rule 2

[root@puppet1 conf.d]# time curl -v -H "Accept: pson, yaml" \  ## measure how long a certificate request takes
-H "X-Client-DN: /CN=test.example.com" \
-H "X-Client-Verify: SUCCESS" \
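The test above syncs the CA directory in both directions with rsync --delete: active to ca.standby before the failover, and ca.standby back to the active directory after the standby signed test.test.com. Run in the wrong direction, that command discards certificates the other CA signed and rewinds the serial counter, so the next signature reuses a serial. The following added example (mine, not from the post or from Puppet) guards that sync; it assumes the cadir layout shown in the rsync output (serial, inventory.txt, signed/*.pem), that the serial file is the hex counter Puppet writes, and takes both paths as arguments, with all function names my own.

```shell
#!/bin/sh
# Added example, not from the original post: guard the one-way rsync between the
# active cadir and ca.standby. Assumes the cadir layout seen in the rsync output
# (serial, inventory.txt, signed/*.pem); both directories are passed as arguments.
# Overwriting a CA directory that is "ahead" (later serial, or extra signed certs)
# would drop issued certificates and make the CA reuse serial numbers.

# The serial file holds a hex counter (as Puppet writes it); print it in decimal.
ca_serial() {
    hex=
    [ -f "$1/serial" ] && hex=$(tr -d ' \n' < "$1/serial")
    echo $(( 0x${hex:-0} ))
}

# Sorted list of signed certificate files in a cadir (empty if none).
ca_signed() {
    [ -d "$1/signed" ] && ls "$1/signed" | sort
    return 0
}

# Return 0 when DST may be overwritten by SRC; return 1 (reason on stderr) when
# DST is ahead of SRC in serial or holds a signed certificate SRC does not have.
check_ca_sync() {
    src=$1; dst=$2
    ssrc=$(ca_serial "$src"); sdst=$(ca_serial "$dst")
    if [ "$sdst" -gt "$ssrc" ]; then
        echo "refuse: $dst serial $sdst is ahead of $src serial $ssrc" >&2
        return 1
    fi
    tmp_s=$(mktemp); tmp_d=$(mktemp)
    ca_signed "$src" > "$tmp_s"; ca_signed "$dst" > "$tmp_d"
    only_dst=$(comm -13 "$tmp_s" "$tmp_d")   # names present only in DST
    rm -f "$tmp_s" "$tmp_d"
    if [ -n "$only_dst" ]; then
        echo "refuse: $dst holds signed certs missing from $src: $only_dst" >&2
        return 1
    fi
    return 0
}

# The post's sync command, run only after the check passes.
sync_ca_dir() {
    check_ca_sync "$1" "$2" || return 1
    rsync -axH --delete "$1/" "$2/"
}
```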

[Summary]

This article is also based on experiments I did a while ago. The puppet pro PDF already explains it clearly enough. By this point it should be clear that making puppetmaster highly available means not only load-balancing the puppetmaster workload but also load-balancing puppetca authentication. The approach is fairly simple but is a useful reference and gives us an idea of how to build a puppetmaster cluster.

I have been reading about puppet a lot recently, and some readers have asked why I have not written any puppet documents lately. The reason is that there is so much material and I keep finding things I do not understand; I look forward to learning together with everyone. This document will also be posted to the puppet Chinese community, and everyone is welcome there! Once again: the puppet pro PDF contains detailed material; if you do not yet have it, search for and download it, send mail to 107214359@qq.com, or leave your email address,

and sky will send it to you by email!
