Scaling Puppet – Building a Puppet CA Cluster
March 4, 2012 | Puppet, Operations

One way to scale Puppet is to split the CA function off the Puppet Master and build a Puppet CA cluster that handles all CA work centrally, which raises the throughput of the whole Puppet system.
This tutorial continues the previous one: Scaling Puppet – Building a Puppet Master Cluster.
We want to build the following architecture: the load balancer sends certificate requests to the CA pool, where CA 1 is active and CA 2 is a hot standby, and every other agent request to the Puppet Master workers:

Request --> Load Balancer ---> Puppet CA 1 (active) ---> Puppet CA 2 (hot standby)
                          \--> Puppet Master Worker(s)

As in the previous tutorial, we first put CA 1 and CA 2 on ports 8142 and 18142 of the same host.
Contents
- Puppet CA cluster on the same host, different ports
- Create the virtual host configurations
- Create the virtual host directories
- Copy the ca directory
- Modify the load balancer configuration
- Restart httpd and test
- Puppet CA cluster on different hosts, same port
- Add the following line to /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf
- Create the virtual host configuration
- Create the virtual host directory
- Sync the ca.standby directory with rsync
- Restart httpd
Puppet CA cluster on the same host, different ports
Create the virtual host configurations
sed s/8141/8142/ 8141_puppetmaster_worker.conf >8142_puppetmaster_worker.conf
sed s/8141/18142/ 8141_puppetmaster_worker.conf >18142_puppetmaster_worker.conf
Create the virtual host directories
rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/
rsync -avxH /etc/puppet/rack/{,18142_}puppetmaster/
Copy the ca directory (the copy becomes the standby CA's working directory)
rsync -axH /var/lib/puppet/ssl/ca{,.standby}/
Then change /etc/puppet/rack/18142_puppetmaster/config.ru (the rack directory created above) to:

$0 = "master"
# if you want debugging:
# ARGV << "--debug"
ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby" # add this line: the standby CA uses its own copy of the ca directory
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
Modify the load balancer configuration
# /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf
# Available back-end worker virtual hosts
# NOTE the use of cleartext unencrypted HTTP.
<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:8141
    BalancerMember http://192.168.254.184:8141
</Proxy>

<Proxy balancer://puppetmasterca>
    # Puppet CA Active Worker
    BalancerMember http://127.0.0.1:8142
    # Puppet CA Hot Standby
    BalancerMember http://127.0.0.1:18142 status=+H
    # BalancerMember http://192.168.254.184:8142 status=+H
</Proxy>

Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    # SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    # Puppet master should generate initial CA certificate.
    # ensure certs are located in /var/lib/puppet/ssl
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.example.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled
    # disable next line if Apache complains about CRL
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # optional to allow CSR request, required if certificates distributed to client during provisioning.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    # The following client headers record authentication information for down stream workers.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    <Location />
        SetHandler balancer-manager
        Order allow,deny
        Allow from all
    </Location>

    # Ordering of ProxyPass directives is important
    # Direct all Puppet agent CA requests to a specific set of workers.
    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
    # Direct all other Puppet agent requests to the default set of workers.
    ProxyPass / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
    ProxyPreserveHost On

    # The load balancer log
    ErrorLog /var/log/httpd/balancer_error.log
    CustomLog /var/log/httpd/balancer_access.log combined
    CustomLog /var/log/httpd/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# BalancerMember http://127.0.0.1:18142 status=+H : status=+H marks the member as a hot standby, used only when the active member stops responding.
# Only one CA is serving requests at any given time.
Note on the TLS settings: this configuration dates from 2012. SSLv3 and RC4 are no longer considered secure (SSLv3 is broken by POODLE, RC4 is prohibited by RFC 7465), so on a current system remove them from SSLProtocol and SSLCipherSuite and allow only TLS 1.2 or later.
Restart httpd and test
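To see which agent requests the front end actually sends to the CA pool, and how the +H standby is chosen, here is an added example in Ruby (Puppet's own language). It is not code from the original post or from Puppet or Apache: it applies the exact ProxyPassMatch pattern from the configuration above to constructed sample request paths in Puppet's /{environment}/{indirection}/{key} REST form, and models mod_proxy_balancer's hot-standby selection in a few lines rather than reproducing Apache's code. The member URLs are the ones from the config; the sample hostname web01.example.com, the module name "certificates", and the stricter alternative pattern CA_PATTERN_STRICT are assumptions and suggestions of this example.

```ruby
# Added example, not from the original post: a model of how the Apache front
# end on port 8140 routes Puppet agent requests and how a status=+H member is
# chosen. Member selection is a simplified model of mod_proxy_balancer.

# Exactly the ProxyPassMatch pattern from 30_puppetmaster_frontend_8140.conf.
CA_PATTERN = %r{^(/.*?)/(certificate.*?)/(.*)$}

# A tighter alternative (a suggestion of this example, not from the page): only
# the second path segment decides, so a module or file whose name starts with
# "certificate" deeper in the path no longer sends a file request to the CA pool.
CA_PATTERN_STRICT = %r{^/([^/]+)/(certificate[^/]*)/(.*)$}

# The two balancer pools from the config; hot_standby mirrors status=+H.
POOLS = {
  'puppetmasterca' => [
    { url: 'http://127.0.0.1:8142',  hot_standby: false }, # Puppet CA Active Worker
    { url: 'http://127.0.0.1:18142', hot_standby: true  }, # Puppet CA Hot Standby
  ],
  'puppetmaster' => [
    { url: 'http://127.0.0.1:8141',       hot_standby: false },
    { url: 'http://192.168.254.184:8141', hot_standby: false },
  ],
}.freeze

# ProxyPassMatch is evaluated before ProxyPass /, so a path matching the CA
# pattern goes to puppetmasterca and everything else goes to puppetmaster.
def route(path, pattern = CA_PATTERN)
  pattern.match?(path) ? 'puppetmasterca' : 'puppetmaster'
end

# Model of member selection with +H: regular members are preferred; a hot
# standby is used only when every regular member is down. `down` lists the
# member URLs currently marked unavailable. Returns nil if nothing is left.
def pick_member(pool_name, down = [])
  members = POOLS.fetch(pool_name).reject { |m| down.include?(m[:url]) }
  regular = members.find { |m| !m[:hot_standby] }
  (regular || members.find { |m| m[:hot_standby] })&.fetch(:url)
end

# Constructed sample paths (assumed hostname) in the /{environment}/{indirection}/{key}
# form used by the Puppet 2.x REST API.
SAMPLE_PATHS = [
  '/production/certificate/ca',
  '/production/certificate_request/web01.example.com',
  '/production/certificate/web01.example.com',
  '/production/certificate_revocation_list/ca',
  '/production/catalog/web01.example.com',
  '/production/node/web01.example.com',
  '/production/report/web01.example.com',
  # A file served from an assumed module called "certificates": the page's
  # regex matches this too, because (/.*?) can absorb any number of segments.
  '/production/file_content/modules/certificates/ca.pem',
].freeze

# Path => pool, for every sample path, under the given pattern.
def routing_table(pattern = CA_PATTERN)
  SAMPLE_PATHS.map { |p| [p, route(p, pattern)] }.to_h
end

if $PROGRAM_NAME == __FILE__
  routing_table.each { |path, pool| printf("%-55s -> %s\n", path, pool) }
  puts
  puts "all CA members up: #{pick_member('puppetmasterca')}"
  puts "CA 1 down:         #{pick_member('puppetmasterca', ['http://127.0.0.1:8142'])}"
  puts "strict pattern, module file: " \
       "#{route('/production/file_content/modules/certificates/ca.pem', CA_PATTERN_STRICT)}"
end
```

Running it shows that certificate, certificate_request and certificate_revocation_list requests go to the CA pool and catalog, node and report requests to the master pool, as intended; it also shows that a file_content request for a module whose name starts with "certificate" is sent to the CA pool, because the leading (/.*?) group can swallow any number of path segments. That is an observation about the regex rather than something the original post tests; the stricter pattern limits the match to the second path segment. With CA 1 marked down, the model returns the +H member, and with both CA members down it returns nil, which is the case where the front end would report no available worker.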
Puppet CA cluster on different hosts, same port
Move the standby from port 18142 to port 8142 on mailtest.
Add the following line to /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf, inside <Proxy balancer://puppetmasterca> (it is present there as a comment in the configuration above):
BalancerMember http://192.168.254.184:8142 status=+H
The following steps are performed on mailtest.example.com (192.168.254.184).
Create the virtual host configuration
sed s/8141/8142/ 8141_puppetmaster_worker.conf >8142_puppetmaster_worker.conf
Create the virtual host directory
rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/
As before, add the following line to this instance's config.ru:
ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"
Sync the ca.standby directory with rsync from the first host (192.168.254.181)
rsync -axH root@192.168.254.181:/var/lib/puppet/ssl/ca.standby/ /var/lib/puppet/ssl/ca.standby/
Restart httpd
Testing shows the failover case: if a new host requests a certificate, the request has reached CA 1 but the certificate has not yet been signed, and CA 1 then fails, sync CA 1's ca directory to CA 2 and the certificate can be signed on CA 2. The sync is required before signing there: the ca directory holds the serial counter, inventory and signed certificates, and the two copies diverge as soon as one CA signs without the other being updated.
Note that the CA workers only handle the signing step of a host's first certificate request; they do not verify already signed certificates. Verification of client certificates is done by the Apache front end against SSLCACertificateFile and SSLCARevocationFile, so a host that already has a signed certificate can run puppet agent without CA 1 or CA 2 being involved.