puppet集群-白红宇

puppet集群

阅读量：5313 次

发布时间：2019-06-14

本文共 4744 字，大约阅读时间需要 15 分钟。

实验目的：

由于现有的环境中，puppetmaster是单节点，客户端更新时出现了更新失败和时间较长等现象。

考虑将puppetmaster做成集群的模式，解决大量客户端更新延时和单节点故障问题。主要解决证书问题

环境：

puppetmaster两台：

Puppetmaster1：10.9.24.168

Puppetmaster2：10.9.24.184

Nginx:

Nginx: 10.9.24.183

Client:

Client: 10.9.3.153

yum install puppet-server rubygem-mongrel

配置：

在/etc/hosts写好对应关系

Puppetmaster1:

/etc/sysconfig/puppetmaster(启用mongrel模式)

PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )

PUPPETMASTER_EXTRA_OPTS="—servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT"

/etc/puppet/puppet.conf:

[main]

bindaddress = 0.0.0.0

（加上这句让puppetmaster监听地址为0.0.0.0，否则只以localhost监听）

netstat -antp

tcp 0 0 0.0.0.0:18140 0.0.0.0:* LISTEN 22822/ruby

tcp 0 0 0.0.0.0:18141 0.0.0.0:* LISTEN 22872/ruby

tcp 0 0 0.0.0.0:18142 0.0.0.0:* LISTEN 22922/ruby

tcp 0 0 0.0.0.0:18143 0.0.0.0:* LISTEN 22972/ruby

/etc/exports:

/var/lib/puppet 10.9.24.184(rw,sync)

(用nfs共享的模式，同步证书)

/etc/puppet//fileserver.conf:

[files]

path /var/lib/puppet/files

allow *

Puppetmaster2:

配置文件参照puppetmaster1

service puppetmaster start,启动puppetmaster

在/etc/fstab中加入如下：

10.9.24.168:/var/lib/puppet /var/lib/puppet nfs defaults 0 0

mount -a //挂载/var/lib/puppet

Nginx:

将puppetmaster1/var/lib/puppet下的文件拷贝到本机/var/lib/puppet下（用nfs挂载也可以）

cat /etc/nginx/nginx.conf:

user daemon daemon;

worker_processes 2;

error_log /var/log/nginx/error.log notice;

pid /var/run/nginx.pid;

events {

worker_connections 1024;

}

http {

default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '

'$status $body_bytes_sent "$http_referer" '

'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;

tcp_nopush on;

tcp_nodelay on;

large_client_header_buffers 16 4k;

proxy_buffers 128 4k;

keepalive_timeout 65;

ssl on;

upstream puppet-production {

server 10.9.24.168:18140;

server 10.9.24.168:18141;

server 10.9.24.168:18142;

server 10.9.24.168:18143;

server 10.9.24.184:18140;

server 10.9.24.184:18141;

server 10.9.24.184:18142;

server 10.9.24.184:18143;

}

//nginx分发请求

server {

listen 8140;

ssl on;

ssl_session_timeout 5m;

ssl_certificate /var/lib/puppet/ssl/certs/xx.pem;

ssl_certificate_key /var/lib/puppet/ssl/private_keys/xx.pem;

ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;

ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;

ssl_verify_client optional;

ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

（证书位置，先复制到本地）

access_log /var/log/host.access.log main;

location / {

proxy_pass http://puppet-production;

proxy_redirect off;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Client-Verify $ssl_client_verify;

proxy_set_header X-Client-DN $ssl_client_s_dn;

proxy_set_header X-SSL-Subject $ssl_client_s_dn;

proxy_set_header X-SSL-Issuer $ssl_client_i_dn;

proxy_read_timeout 65;

}

现在puppetmaster是用同步方式实现的，可以考虑用证书链的方式实现

Client:

我故意在puppetmaster1和puppetmaster2配置不同的文件：

puppetmaster1

cat /etc/puppet/manifests/main.pp:

node default {

file { "/tmp/temp1.txt": content => "Hello,from puppetmaster1\n"; }

file { "/tmp/test.file":

path => "/tmp/test.file",

source => "puppet://puppet/files/test.file",

owner => "root",

group => "root",

mode => 644,

}

puppetmaster2

node default {

file { "/tmp/temp1.txt": content => "Hello,from puppetmaster2\n"; }

file { "/tmp/test.file":

path => "/tmp/test.file",

source => "puppet://puppet/files/test.file",

owner => "root",

group => "root",

mode => 644,

}

Client:

puppetd -t:

info: Caching catalog for taffy

info: Applying configuration version '1301714542'

notice: /Stage[main]//Node[default]/File[/tmp/test.file]/ensure: content changed '{md5}52688f6d76cbeccd058bdf6f412b4da0' to '{md5}52688f6d76cbeccd058bdf6f412b4da0'

notice: /Stage[main]//Node[default]/File[/tmp/temp1.txt]/checksum: defined 'checksum' as '{md5}1cf6c62d2c8ddde94e97aa9140861b0e'

notice: /Stage[main]//Node[default]/File[/tmp/temp1.txt]/content: defined content as 'unknown checksum'

notice: Finished catalog run in 0.13 seconds

cat /tmp/temp1.txt:

Hello,from puppetmaster1 (从puppetmaster1取过来的)

puppetd -t: （再推一次）

info: Caching catalog for taffy

info: Applying configuration version '1301505457'

--- /tmp/temp1.txt 2011-04-02 11:20:38.509009000 +0800

+++ /tmp/puppet-diffing20110402-1217-jqru9o-0 2011-04-02 11:30:10.258009000 +0800

@@ -1 +1 @@

-Hello,from puppetmaster1

+Hello,from puppetmaster2 （过来了，从puppetmaster2取出的）

info: /Stage[main]//Node[default]/File[/tmp/temp1.txt]: Filebucketed /tmp/temp1.txt to puppet with sum cab0e6a2c555b3f96f10ed2972708d34

notice: /Stage[main]//Node[default]/File[/tmp/temp1.txt]/content: content changed '{md5}cab0e6a2c555b3f96f10ed2972708d34' to 'unknown checksum'

notice: Finished catalog run in 0.11 seconds

转载于:https://www.cnblogs.com/L-H-R-X-hehe/p/3970337.html

你可能感兴趣的文章

ubuntu 18.04取消自动锁屏以及设置键盘快捷锁屏

查看>>

Leetcode 589. N-ary Tree Preorder Traversal

pip install torch on windows, and the 'from torch._C import * ImportError: DLL load failed:' s...

查看>>

java基础（一）：我对java的三个环境变量的简单理解和配置

查看>>

arcgis api 4.x for js 结合 Echarts4 实现散点图效果（附源码下载）

查看>>

YTU 2625: B 构造函数和析构函数

查看>>

apache自带压力测试工具ab的使用及解析

查看>>

C#使用Xamarin开发可移植移动应用(2.Xamarin.Forms布局,本篇很长,注意)附源码