Expand puppet-create a puppet ca Cluster

Published March 4, 2012 by jsxubar. Categories: puppet, O&M. Tags: ca, master, puppet, cluster, rsync. (588 views; 1 vote, average 5.00 out of 5)

One way to scale Puppet is to separate the CA function from the puppet master and build a Puppet CA cluster for it, which raises the throughput of the whole Puppet system and keeps the CA key and signing work on dedicated workers.

This tutorial continues the previous one, Expand puppet-create a puppet master cluster.

We need to implement this architecture:

Request --> Load Balancer --> Puppet CA 1 (active)
                          --> Puppet CA 2 (hot standby)
                          --> Puppet Master Workers

As in the previous tutorial, we first put CA 1 and CA 2 on ports 8142 and 18142 of the same host, then move CA 2 to a second host.

Build a puppet ca cluster on different ports of the same host

Create virtual host configuration

sed s/8141/8142/ 8141_puppetmaster_worker.conf > 8142_puppetmaster_worker.conf
sed s/8141/18142/ 8141_puppetmaster_worker.conf > 18142_puppetmaster_worker.conf

Create the Rack application directories

rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/
rsync -avxH /etc/puppet/rack/{,18142_}puppetmaster/

Copy the ca directory

rsync -axH /var/lib/puppet/ssl/ca{,.standby}/

Modify /etc/puppet/rack/18142_puppetmaster/config.ru so that the standby CA signs out of its own copy of the CA directory:

$0 = "master"
# if you want debugging:
# ARGV << "--debug"
ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"  # add this line
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
Modify the Load balancer Configuration

# /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf
# Available back-end worker virtual hosts
# NOTE the use of cleartext unencrypted HTTP.
<Proxy balancer://puppetmaster>
  BalancerMember http://127.0.0.1:8141
  BalancerMember http://192.168.254.184:8141
</Proxy>

<Proxy balancer://puppetmasterca>
  # Puppet CA Active Worker
  BalancerMember http://127.0.0.1:8142
  # Puppet CA Hot Standby
  BalancerMember http://127.0.0.1:18142 status=+H
#  BalancerMember http://192.168.254.184:8142 status=+H
</Proxy>

Listen 8140
<VirtualHost *:8140>
SSLEngine on
# SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
# Puppet master should generate initial CA certificate.
# ensure certs are located in /var/lib/puppet/ssl
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# CRL checking should be enabled
# disable next line if Apache complains about CRL
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# optional to allow CSR request, required if certificates distributed to client during provisioning.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

# The following client headers record authentication information for down stream workers.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

<Location />
  SetHandler balancer-manager
  Order allow,deny
  Allow from all
</Location>

# Ordering of ProxyPass directives is important
# Direct all Puppet agent CA requests to a specific set of workers.
ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
# Direct all other Puppet agent requests to the default set of workers.
ProxyPass / balancer://puppetmaster/
ProxyPassReverse / balancer://puppetmaster/
ProxyPreserveHost On
# The load balancer log
ErrorLog /var/log/httpd/balancer_error.log
CustomLog /var/log/httpd/balancer_access.log combined
CustomLog /var/log/httpd/balancer_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

status=+H on a BalancerMember marks it as a hot standby: mod_proxy_balancer sends it requests only when no regular member of that balancer is usable. With the puppetmasterca set above, exactly one CA worker signs at any time, which is what keeps the serial numbers and inventory of the two CA directories from diverging.

A few things to check before reusing this configuration. The <Location /> block with SetHandler balancer-manager exposes the balancer manager, which lets anyone who can reach it enable, disable and re-weight backend members, at the root of the front end to every client; scope it to a dedicated path such as /balancer-manager and restrict it to administrative addresses. SSLProtocol +SSLv3 and the RC4-based cipher string reflect 2012 practice; both SSLv3 and RC4 are now considered broken, so a current deployment should allow only TLSv1.2 or later and drop RC4. The X-Client-DN and X-Client-Verify headers are what the workers trust for client identity, and the link to them is cleartext HTTP, so the worker ports must accept connections only from the load balancer.
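The routing split and the hot-standby behaviour are easy to get wrong, so below is a small Python model of the two rules above. It is an added example written for this page, not code from the original tutorial, from Puppet or from Apache. It reuses the ProxyPassMatch regex verbatim and the members of balancer://puppetmasterca from the configuration; the request paths are constructed samples in the Puppet 2.7 REST layout /<environment>/<indirection>/<key>, and the 192.168.254.184:8142 member is included even though it is commented out on the page, to show the failover order once it is enabled.

```python
import re

# The first ProxyPass rule of 30_puppetmaster_frontend_8140.conf, verbatim.
# Apache evaluates it before the catch-all "ProxyPass /".
CA_ROUTE = re.compile(r"^(/.*?)/(certificate.*?)/(.*)$")


def route(path):
    """Return the name of the balancer a request path is proxied to."""
    if CA_ROUTE.match(path):
        return "puppetmasterca"
    return "puppetmaster"


# Members of balancer://puppetmasterca as (url, hot_standby).  The last one is
# commented out on the page; it is listed here to show the failover order.
CA_MEMBERS = [
    ("http://127.0.0.1:8142", False),
    ("http://127.0.0.1:18142", True),
    ("http://192.168.254.184:8142", True),
]


def pick_member(members, healthy):
    """Select a backend the way mod_proxy_balancer treats status=+H:
    a regular member if any is usable, otherwise the first usable hot standby
    in configuration order (the byrequests method), otherwise None.
    There is a single regular member here, so no weighting is modelled."""
    for url, standby in members:
        if not standby and url in healthy:
            return url
    for url, standby in members:
        if standby and url in healthy:
            return url
    return None


# Constructed sample request paths, not captured traffic.
SAMPLE_PATHS = [
    "/production/certificate_request/web01.example.com",   # CSR upload
    "/production/certificate/ca",                           # fetch CA certificate
    "/production/certificate/web01.example.com",            # poll for signed cert
    "/production/certificate_revocation_list/ca",           # fetch CRL
    "/production/catalog/web01.example.com",
    "/production/node/web01.example.com",
    "/production/file_metadata/modules/ntp/ntp.conf",
    "/production/report/web01.example.com",
    "/production/file_content/modules/x/certificates/foo",  # also matches the regex
]


def route_table(paths=SAMPLE_PATHS):
    """Map each path to the balancer that would receive it."""
    return {p: route(p) for p in paths}


def failover_sequence():
    """Which CA worker serves requests as members fail, in order:
    all up -> CA 1 down -> both local CAs down -> everything down."""
    urls = [u for u, _ in CA_MEMBERS]
    states = [set(urls), set(urls[1:]), set(urls[2:]), set()]
    return [pick_member(CA_MEMBERS, h) for h in states]


if __name__ == "__main__":
    for path, balancer in route_table().items():
        print(f"{balancer:15} {path}")
    print(failover_sequence())
```

The last sample path shows that the rule routes on any path segment beginning with "certificate", not on the indirection name alone. Because the CA workers are full puppet masters (config.ru runs the master application with a different cadir) such requests still succeed, but they land on the CA pool rather than the worker pool, which matters when sizing it.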

Restart the httpd service and test.

Build a puppet ca cluster on the same port of different hosts

Now move the standby CA from port 18142 of the local host to port 8142 of mailtest (192.168.254.184 in the front-end configuration).

Add the following line to the puppetmasterca balancer in /etc/httpd/conf.d/30_puppetmaster_frontend_8140.conf (it is present but commented out above), and drop the 127.0.0.1:18142 member it replaces:

BalancerMember http://192.168.254.184:8142 status=+H

The following steps are performed on mailtest.example.com:

Create virtual host configuration

sed s/8141/8142/ 8141_puppetmaster_worker.conf > 8142_puppetmaster_worker.conf

Create the Rack application directory

rsync -avxH /etc/puppet/rack/{,8142_}puppetmaster/

Similarly, add the following line to /etc/puppet/rack/8142_puppetmaster/config.ru:

ARGV << "--cadir" << "/var/lib/puppet/ssl/ca.standby"

Use rsync to synchronize the ca.standby directory from the active CA host

rsync -axH [email protected]:/var/lib/puppet/ssl/ca.standby/ /var/lib/puppet/ssl/ca.standby/

Restart the httpd service

Testing shows that if a new host's certificate request has reached CA 1 but has not yet been signed when CA 1 fails, the request can still be signed on CA 2, provided the CA directory of CA 1 (which holds the pending request along with the CA key, serial and inventory) has been synchronized to CA 2 in the meantime. The replication is one-way, so anything CA 2 signs while CA 1 is down must be copied back before CA 1 is returned to service; otherwise CA 1 resumes with a stale serial and inventory.txt and would reuse a serial number already issued by CA 2.

Note that the CA is involved only in signing a host's first certificate request; it does not verify already signed certificates. That is done by the load balancer against ca_crt.pem and the CRL, so a host whose certificate has been signed no longer depends on CA 1 or CA 2 when running the puppet agent.
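The failover just described depends on the rsync copy being complete, and on copying back whatever CA 2 signs while CA 1 is down. The following Python check is an added example written for this page, not part of the tutorial or of Puppet: it compares an active ca directory with its ca.standby copy and reports the differences an operator needs to reconcile before failing back. It assumes the stock Puppet 2.7 layout of /var/lib/puppet/ssl/ca (ca_key.pem, ca_crt.pem, ca_crl.pem, serial, inventory.txt, signed/, requests/) and builds the page's scenario in a temporary directory from constructed placeholder files, not real keys or certificates.

```python
import filecmp
import os
import shutil
import tempfile

# Files every CA node must agree on (stock Puppet 2.7 CA directory layout).
CA_STATE_FILES = ["ca_key.pem", "ca_crt.pem", "ca_crl.pem", "serial", "inventory.txt"]


def _listdir(path):
    """Directory listing that treats a missing directory as empty."""
    return set(os.listdir(path)) if os.path.isdir(path) else set()


def compare_ca_dirs(active, standby):
    """Compare an active CA directory with its rsync'd standby copy.

    Returns a dict of findings.  'standby_only_certs' is the dangerous case:
    certificates signed on the standby during a failover that were never
    copied back, so the active CA would reuse their serial numbers and could
    not revoke them (revocation by hostname relies on inventory.txt)."""
    report = {"missing": [], "differs": [], "standby_only_certs": [], "pending_requests": []}
    for name in CA_STATE_FILES:
        a, s = os.path.join(active, name), os.path.join(standby, name)
        if not os.path.exists(s):
            report["missing"].append(name)
        elif not os.path.exists(a) or not filecmp.cmp(a, s, shallow=False):
            report["differs"].append(name)
    signed_active = _listdir(os.path.join(active, "signed"))
    signed_standby = _listdir(os.path.join(standby, "signed"))
    report["standby_only_certs"] = sorted(signed_standby - signed_active)
    report["pending_requests"] = sorted(_listdir(os.path.join(standby, "requests")))
    return report


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def build_failover_scenario():
    """Construct the situation described in the text in a temp directory:
    a CSR reaches CA 1 and is synced to CA 2, CA 1 fails, CA 2 signs it.
    All file contents are constructed placeholders.  Returns (active, standby)."""
    root = tempfile.mkdtemp(prefix="puppet-ca-demo-")
    active = os.path.join(root, "ca")
    standby = os.path.join(root, "ca.standby")
    # State of CA 1 at the time of the last rsync: one pending request.
    for name, body in [("ca_key.pem", "placeholder CA key\n"),
                       ("ca_crt.pem", "placeholder CA cert\n"),
                       ("ca_crl.pem", "placeholder CRL\n"),
                       ("serial", "03\n"),
                       ("inventory.txt", "0x0001 /CN=puppet.example.com\n0x0002 /CN=db01.example.com\n")]:
        _write(os.path.join(active, name), body)
    _write(os.path.join(active, "signed", "db01.example.com.pem"), "placeholder cert db01\n")
    _write(os.path.join(active, "requests", "web01.example.com.pem"), "placeholder CSR web01\n")
    # rsync -axH ca/ ca.standby/ : the standby is an exact copy.
    shutil.copytree(active, standby)
    # CA 1 fails; CA 2 (cadir = ca.standby) signs the pending request.
    os.remove(os.path.join(standby, "requests", "web01.example.com.pem"))
    _write(os.path.join(standby, "signed", "web01.example.com.pem"), "placeholder cert web01\n")
    _write(os.path.join(standby, "serial"), "04\n")
    with open(os.path.join(standby, "inventory.txt"), "a") as f:
        f.write("0x0003 /CN=web01.example.com\n")
    return active, standby


if __name__ == "__main__":
    active_dir, standby_dir = build_failover_scenario()
    for key, value in compare_ca_dirs(active_dir, standby_dir).items():
        print(f"{key:20} {value}")
```

Run against the real directories as compare_ca_dirs("/var/lib/puppet/ssl/ca", "/var/lib/puppet/ssl/ca.standby") after a failover; a non-empty standby_only_certs or a differing serial means the standby's directory must be copied back over the active one before CA 1 is put back into the balancer.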
