博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
puppet 横向扩展(三)
阅读量:7120 次
发布时间:2019-06-28

本文共 9182 字,大约阅读时间需要 30 分钟。

Table of Contents

概述

横向扩展实验之三 – 将CA 认证服务和 puppetmaster 分开

实验环境

master 和 node 都是 debian 7.7 i686 系统

2个 puppet master 在机器A 上, 都是 apache 虚拟主机
1个 CA 认证服务在 机器B 上.

实验步骤

机器B 的配置

# 清除 ca-1 上的既有证书root@ca-1:~# rm -rf /var/lib/puppet/ssl/# 在机器A 上认证 ca-1# 补充: master-1 的IP就是 192.168.1.100# 补充: ca-1 作为agent 连接master-1, 需要配置 /etc/hosts 和 /etc/puppet/puppet.confroot@ca-1:/var/lib/puppet# puppet agent --test --server=192.168.1.100Info: Creating a new SSL key for ca-1.puppet.comInfo: Caching certificate for caInfo: csr_attributes file loading from /etc/puppet/csr_attributes.yamlInfo: Creating a new SSL certificate request for ca-1.puppet.comInfo: Certificate Request fingerprint (SHA256): C3:CD:C6:8E:34:22:40:8D:32:00:1B:E5:54:E2:C1:C7:96:79:BF:B0:1A:A8:FD:11:B4:32:D6:4F:AE:54:AB:94Info: Caching certificate for caExiting; no certificate found and waitforcert is disabledroot@ca-1:/var/lib/puppet# puppet agent --testInfo: Caching certificate for ca-1.puppet.comInfo: Caching certificate_revocation_list for caInfo: Caching certificate for ca-1.puppet.comInfo: Retrieving pluginfactsInfo: Retrieving pluginInfo: Caching catalog for ca-1.puppet.comInfo: Applying configuration version '1420697839'Notice: Finished catalog run in 0.01 seconds# 将机器A 上的证书移到 ca-1 上 (机器A 之前作为CA服务器, 上面有 node 的认证情况)root@master-1:~# rsync -PHaze ssh /var/lib/puppet/ssl/ca 192.168.1.101:/var/lib/puppet/ssl/root@192.168.1.101's password:sending incremental file listca/ca/ca_crl.pem        1202 100%    0.00kB/s    0:00:00 (xfer#1, to-check=12/14)ca/ca_crt.pem        1968 100%    1.88MB/s    0:00:00 (xfer#2, to-check=11/14)ca/ca_key.pem        3243 100%    3.09MB/s    0:00:00 (xfer#3, to-check=10/14)ca/ca_pub.pem         800 100%  781.25kB/s    0:00:00 (xfer#4, to-check=9/14)ca/inventory.txt         611 100%  596.68kB/s    0:00:00 (xfer#5, to-check=8/14)ca/serial           4 100%    3.91kB/s    0:00:00 (xfer#6, to-check=7/14)ca/private/ca/private/ca.pass          20 100%   19.53kB/s    0:00:00 (xfer#7, to-check=3/14)ca/requests/ca/signed/ca/signed/ca-1.puppet.com.pem        1956 100%    1.87MB/s    0:00:00 (xfer#8, to-check=2/14)ca/signed/master-1.puppet.com.pem        2041 100%    1.95MB/s    0:00:00 (xfer#9, to-check=1/14)ca/signed/node-1.puppet.com.pem        1960 100%    1.87MB/s    0:00:00 (xfer#10, to-check=0/14)sent 10898 bytes  received 218 bytes  1170.11 bytes/sectotal size is 13805  speedup is 1.24# 修改 ca-1 上默认的 puppetmaster 配置root@ca-1:~# cat /etc/apache2/sites-available/puppetmaster# This Apache 2 virtual host config shows how to use Puppet as a Rack# application via Passenger. See# http://docs.puppetlabs.com/guides/passenger.html for more information.# You can also use the included config.ru file to run Puppet with other Rack# servers instead of Passenger.# you probably want to tune these settingsPassengerHighPerformance onPassengerMaxPoolSize 12PassengerPoolIdleTime 1500# PassengerMaxRequests 1000PassengerStatThrottleRate 120RackAutoDetect OffRailsAutoDetect OffListen 8140
    
             SSLEngine on        SSLProtocol             ALL -SSLv2 -SSLv3        SSLCipherSuite          EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA        SSLHonorCipherOrder     on        SSLCertificateFile      /var/lib/puppet/ssl/certs/ca-1.puppet.com.pem        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/ca-1.puppet.com.pem        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem        SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem        # If Apache complains about invalid signatures on the CRL, you can try disabling        # CRL checking by commenting the next line, but this is not recommended.        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none        # which effectively disables CRL checking; if you are using Apache 2.4+ you must        # specify 'SSLCARevocationCheck chain' to actually use the CRL.        # SSLCARevocationCheck chain        SSLVerifyClient optional        SSLVerifyDepth  1        # The `ExportCertData` option is needed for agent certificate expiration warnings        SSLOptions +StdEnvVars +ExportCertData        # This header needs to be set if using a loadbalancer or proxy        #!!! RequestHeader 相关内容都要注释掉        #RequestHeader unset X-Forwarded-For        #RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e        #RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e        #RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/        RackBaseURI /        
                     Options None                AllowOverride None                Order allow,deny                allow from all

机器A 的配置

就用 puppet横向扩展(一) 中所使用的环境就行

机器B 配置好之后, 修改 apache 的配置, 使之将 CA认证服务指向机器B上的 ca-1

重要的地方, 我加了 #!!! 的注释

# 完整的 proxy 配置如下: 192.168.1.101 就是ca-1 的IProot@master-1:~# cat /etc/apache2/sites-available/puppetmaster_proxy.conf# Available back-end worker virtual hosts# NOTE the use of cleartext unencrypted HTTP.
    
       BalancerMember https://192.168.1.101:8140    #!!! 这里是 https
    
    
       BalancerMember http://127.0.0.1:18140  BalancerMember http://127.0.0.1:18141
    Listen 8140
    
       SSLEngine on  SSLProxyEngine on     #!!! 这句很重要, 否则无法代理 https 的请求  # SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA  SSLProtocol ALL +SSLv3 +TLSv1  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP  #SSLProtocol ALL -SSLv2  #SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP  # Puppet master should generate initial CA certificate.  # ensure certs are located in /var/lib/puppet/ssl  SSLCertificateFile /var/lib/puppet/ssl/certs/master-1.puppet.com.pem  SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem  SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem  SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem  SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem  # optional to all CSR request, required if certificates distributed to client during provisioning.  SSLVerifyClient optional  SSLVerifyDepth 1  SSLOptions +StdEnvVars  # The following client headers record authentication information for downstream workers.  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e  
         SetHandler balancer-manager    Order allow,deny    Allow from all    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca  ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca  ProxyPass / balancer://puppetmaster/  ProxyPassReverse / balancer://puppetmaster/  ProxyPreserveHost On  # log settings  ErrorLog /var/log/apache2/balancer_error.log  CustomLog /var/log/apache2/balancer_access.log combined  CustomLog /var/log/apache2/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ca 的服务也配置成负载均衡的模式了, 方便追加新的 ca 服务器

测试配置结果

# master-1 上, 清理log, 重启 apache服务root@master-1:~# rm -f /var/log/apache2/*root@master-1:~# service apache2 restart[ ok ] Restarting web server: apache2 ... waiting .# ca-1 上, 清理log, 重启 apache服务root@ca-1:~# rm -f /var/log/apache2/*root@ca-1:~# service apache2 restart[ ok ] Restarting web server: apache2 ... waiting .# 新建 agent 发送请求, 注意这个agent 不能是已经认证过的, 否则不会请求 ca-1root@node-2:~# puppet agent --testInfo: Caching certificate for caInfo: csr_attributes file loading from /etc/puppet/csr_attributes.yamlInfo: Creating a new SSL certificate request for node-2.puppet.comInfo: Certificate Request fingerprint (SHA256): E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1Info: Caching certificate for caExiting; no certificate found and waitforcert is disabled#  master-1 上没有生成证书请求root@master-1:~# puppet cert list --all+ "ca-1.puppet.com"     (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")+ "node-1.puppet.com"   (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA# ca-1 上生成了证书请求, 说明证书服务确实转移到 ca-1 上来处理了, node-2 就是新的agent 请求的证书root@ca-1:~# puppet cert list --all  "node-2.puppet.com"   (SHA256) E5:5C:82:63:0E:E5:41:FD:90:E4:BF:81:98:57:16:A5:98:72:64:1E:52:42:97:9D:1D:A5:43:5C:6D:19:C4:D1+ "ca-1.puppet.com"     (SHA256) 60:9F:42:7C:1C:70:D6:5C:C7:01:93:BF:69:8D:3C:6C:FE:26:D4:16:7A:E4:08:85:DE:77:94:2B:6A:2D:20:99+ "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")+ "node-1.puppet.com"   (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA

转载地址:http://frnel.baihongyu.com/

你可能感兴趣的文章
助力春运 重庆机场今晨新增一架飞机入列
查看>>
刘海I关于iPhone X 的适配
查看>>
百度Apollo发布智能驾驶商业化解决方案
查看>>
关闭tomcat报错Cannot allocate memory
查看>>
从源码角度看ContentProvider
查看>>
iOS--React Native浏览器插件
查看>>
一个JSON字符串和文件处理的命令行神器jq,windows和linux都可用
查看>>
Flask源码解析:从第一个版本开始阅读Flask源码
查看>>
JavaScript 工作原理之二-如何在 V8 引擎中书写最优代码的 5 条小技巧(译)
查看>>
SpringBoot Cache 深入
查看>>
Three.js Scene Graph
查看>>
PAT A1045 动态规划
查看>>
保持ssh的连接不断开
查看>>
897-递增顺序查找树
查看>>
wiki迁移方法操作步骤
查看>>
php_screw
查看>>
Go语言之读写锁
查看>>
openstack mitaka 完整安装详细文档(亲测,花了3天时间)
查看>>
for 循环嵌套for循环
查看>>
GTID复制异常的解决步骤
查看>>
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!-- 愿君每日到此一游!
当前时间: 2025-02-09 09:14:30   当前IP: 3.142.250.57   联系邮箱:javaeecc@qq.com     Copyright © 2020 - 2022 baihongyu.com 京ICP备2021015314号-2
强烈建议你试试无所不能的CHAT-GPT,快点击我
强烈建议你试试无所不能的CHAT-GPT,快点击我