One way to expand puppet is to separate the CA function of puppet master and establishPuppet ca ClusterTo improve the throughput of the entire puppet system.
This tutorial is the last Tutorial: Expand puppet-create a puppet master cluster.
We need to implement this architecture:
Request --> Load Balancer ---> Puppet CA 1 ---> Puppet Master Worker ---> Puppet CA 2
Similar to the previous tutorial, we put CA 1 AND Ca 2 on ports 8142 and 18142 first.
Directory [hide]
sed s/8141/8142/ 8141_puppetmaster_worker.conf >8142_puppetmaster_worker.confsed s/8141/18142/ 8141_puppetmaster_worker.conf >18142_puppetmaster_worker.confCreate a VM directory
rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/rsync -avxH /etc/puppet/rack/{,18142_}puppetmaster/Copy ca directory
rsync -axH /var/lib/puppet/ssl/ca{,.standby}/
Modify/etc/puppet/18142_puppetmaster/config.ru:
$0 = "master"# if you want debugging:# ARGV << "--debug"ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby" # add this lineARGV << "--rack"require ‘puppet/application/master‘run Puppet::Application[:master].runModify the Load balancer Configuration
# /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf# /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf# Available back-end worker virtual hosts# NOTE the use of cleartext unencrypted HTTP.<Proxy balancer://puppetmaster> BalancerMember http://127.0.0.1:8141 BalancerMember http://192.168.254.184:8141</Proxy> <Proxy balancer://puppetmasterca> # Puppet CA Active Worker BalancerMember http://127.0.0.1:8142 # Puppet CA Hot Standby BalancerMember http://127.0.0.1:18142 status=+H# BalancerMember http://192.168.254.184:8142 status=+H</Proxy>Listen 8140<VirtualHost *:8140>SSLEngine on# SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSASSLProtocol -ALL +SSLv3 +TLSv1SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP# Puppet master should generate initial CA certificate.# ensure certs are located in /var/lib/puppet/sslSSLCertificateFile /var/lib/puppet/ssl/certs/puppet.example.com.pemSSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pemSSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pemSSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem# CRL checking should be enabled# disable next line if Apache complains about CRLSSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem# optional to allow CSR request, required if certificates distributed to client during provisioning.SSLVerifyClient optionalSSLVerifyDepth 1SSLOptions +StdEnvVars # The following client headers record authentication information for down stream workers.RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}eRequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}eRequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e <Location /> SetHandler balancer-manager Order allow,deny Allow from all</Location> # Ordering of ProxyPass directives is important# Direct all Puppet agent CA requests to a specific set of workers.ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmastercaProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca# Direct all other Puppet agent requests to the default set of workers.ProxyPass / balancer://puppetmaster/ProxyPassReverse / balancer://puppetmaster/ProxyPreserveHost On# The load balancer logErrorLog /var/log/httpd/balancer_error.logCustomLog /var/log/httpd/balancer_access.log combinedCustomLog /var/log/httpd/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"</VirtualHost>
# Balancermember http: // 127.0.0.1: 18142 status = + H indicates that the standby server is used when the host does not respond
# Only one at work
Transfer 18142 to port 8142 of mailtest
Add the following lines to the/etc/httpd/CONF. d/30_puppetmaster_frontend_8140.conf file:BalancerMember http://192.168.254.184:8142 status=+H
The following steps are performed on mailtest.example.com:
Create virtual host configurationsed s/8141/8142/ 8141_puppetmaster_worker.conf >8142_puppetmaster_worker.confCreate a virtual directory
rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/
Similarly, add the following lines to the config.ru file:
ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"Use rsync to synchronize ca. standby directories
rsync -axH [email protected]:/var/lib/puppet/ssl/ca.standby/ /var/lib/puppet/ssl/ca.standby/Restart the HTTPd service
Test shows that if a new host requests a certificate and the request has already arrived at Ca 1 but has not been signed, then there is a problem with Ca 1, and the CA directory of CA 1 is synchronized to Ca 2, then you can sign on Ca 2.
Note that the CA only processes the signing of the certificate for the first request, and does not process the verification of the signed certificate. that is to say, the host that has signed the certificate does not need to process CA 1 AND Ca 2 when running the puppet agent.
ReferencesThe article contains HTML tags, and Wordpress parses the HTML tags, so the blog may display an error. Download the word version ,:
Related content:
Expand puppet-create a puppet ca Cluster
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
