Authors: Jeffrey McCune James Turnbull
Pro Puppet (28 page)
Note that the primary Puppet CA worker is using the default CA directory. If the active worker falls offline, requests will be redirected to the Puppet CA worker on 18143 and therefore the/var/lib/puppet/ssl/ca.standby/directory.
Once the certificate has been signed, you can run the Puppet agent on the new node again to make sure the agent is able to download its signed certificate from the master.
# puppet agent --test
info: Caching certificate for mock.example.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for mock.example.com
info: Applying configuration version '1290900612'
notice: Passenger is setup and serving catalogs.
notice: /Stage[main]//Node[default]/Notify[Passenger]/message: defined 'message' as 'Passenger is setup and serving catalogs.'
notice: Finished catalog run in 0.06 seconds
You can also check the logs again to make sure HTTP Status 200 is present, now that the Puppet agent has the signed certificate:
# tail -2 puppetmaster_worker_access_18142.log
127.0.0.1 - - [27/Nov/2010:15:04:31 -0800] "GET /production/certificate/mock.example.com HTTP/1.1" 200 875 "-" "-"
127.0.0.1 - - [27/Nov/2010:15:04:32 -0800] "GET /production/certificate_revocation_list/ca HTTP/1.1" 200 589 "-" "-"
You can see two log entries, matching up with the Puppet agent downloading its signed certificate and the certificate revocation list maintained by the Puppet CA worker. Both entries contain HTTP Status 200 “OK” codes, indicating that the Puppet agent successfully transferred the certificate and revocation list from the Puppet CA.
You can also see that the access logs for the active Puppet CA worker does not contain any catalog requests. Check the access logs of the two load balanced Puppet master workers running on ports 18140 and 18141 in order to make sure catalog requests are being routed correctly to only those two systems:
# less puppetmaster_worker_access_18140.log
127.0.0.1 - - [27/Nov/2010:15:04:32 -0800] "GET /production/catalog/mock.example.lan?facts_format=b64_zlib_yaml&facts=… HTTP/1.1" 200 942 "-" "-"
Note that the catalog requests are still being directed by the front-end load balancer to the worker running on Port 18140, while certificate requests are being directed to the active Puppet CA on port 18142.
With this, you’ve configured the front-end HTTP load balancer to direct all certificate related requests to a single Puppet CA worker. This redirection ensures that the certificate revocation list and serial.txt files are maintained properly.
Now that the certificate requests are being handled properly, the next step is to configure the hot standby Puppet CA worker. If the primary Puppet CA worker fails, another worker should quickly take over responsibility for responding to certificate requests. We will take advantage of the load balancer’s ability to redirect requests in order to quickly fail over to the backup Puppet CA worker.
You first need to configure a periodic task to automatically synchronize the CA directory across the primary and secondary workers. Next, you’ll configure the load balancer to use the secondary worker as a hot standby, automatically activated in the event the primary worker goes offline. Finally, you will test the new configuration and work through the exercise of testing the fail-over and fail-back to the primary Puppet CA worker.
In the following examples, we have configured both Puppet CA workers on the same system using two distinct certificate authority directories. Copy the existing certificate authority directory to the hot
standby usingrsync. This command could also be configured as acrontask, to keep the hot standby directory contents up to date:
# cadir=$(puppet master --configprint cadir)
This command sets an environment variable named$cadirset to the default value of thecadirconfiguration setting used by the primary CA worker.
# rsync -avxH --delete ${cadir}{,.standby}/
This rsync command synchronizes the primary CA directory into the standby CA directory, deleting any files existing in the destination and not in the source.
Once the certificate data has been synchronized, you can test failover between the two virtual hosts on ports 18142 and 18143. In the previous section, we configured the virtual host running on port 18143 as a hot standby. We also configured/etc/puppet/rack/puppetmaster_18143/config.ruto use a unique CA directory namedca.standby.
We’re going to use the iptables firewall to block traffic to the primary Puppet CA worker, effectively simulating a failure of the service. We expect the load balancer configuration to automatically redirect certificate requests to the hot standby.
$ sudo iptables -I INPUT -i lo -p tcp --dport 18142 -j REJECT --reject-with icmp-host-prohibited
Once the primary Puppet CA worker is inaccessible, you can test that certificate requests are automatically redirected to the secondary worker listening on port 18143, using thecurlcommand
$ curl --silent -o /dev/null -D /dev/stdout -q -k -H "Accept: s" https://puppet:8140/production/certificate/ca
HTTP/1.1 200 OK
Date: Sat, 04 Dec 2010 23:37:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 839
Status: 200
Content-Type: text/plain; charset=UTF-8
Connection: close
You can see the results of this curl in the logs:
$ tail -n2 /var/log/httpd/balancer_error.log
[Sat Dec 04 15:42:36 2010] [error] (113)No route to host: proxy: HTTP: attempt to connect to 127.0.0.1:18142 (127.0.0.1) failed
[Sat Dec 04 15:42:36 2010] [error] ap_proxy_connect_backend disabling worker for (127.0.0.1)
And:
$ tail -n1 /var/log/httpd/puppetmaster_worker_access_18143.log
127.0.0.1 - - [04/Dec/2010:15:42:36 -0800] "GET /production/certificate/ca HTTP/1.1" 200 839 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
The first command we’ve executed is a standard curl HTTP request. Rather than display the contents of the request body, we display the HTTP Response headers on standard output. The HTTP header output provides an indication of the status of the response, with anything other than status 200 indicating an error.
After requesting the Puppet CA certificate, you can look at the error log file of the front-end load balancer to see how the request as handled. As expected, theiptablesfirewall rule prevented the load balancer from forwarding the request to the primary Puppet CA worker listening on port 18142. The load balancer properly failed over to the hot standby Puppet CA worker listening on port 18143 and forwarded the request to the virtual host.
Looking at the access logs inpuppetmaster_worker_access_18143.logof the Puppet CA worker listening on port 18143, we can see the incoming request and resulting HTTP 200 OK status code for the response.
Now we want to make sure we can still provision new Puppet managed nodes while the hot standby certificate authority is currently active. With a different CA directory configured on the hot standby, the process of listing and signing certificates is slightly different, requiring the use of thepuppet cert --cadirconfiguration option:
# puppet agent --certname test.example.lan --test --noop
info: Creating a new SSL key for test.example.lan
info: Creating a new SSL certificate request for test.example.lan
info: Certificate Request fingerprint (md5): A5:47:AE:F9:08:A8:5D:EF:5D:82:7E:3F:8C:8C:09:82
Exiting; no certificate found and waitforcert is disabled
The first time a Puppet agent is run, a new certificate request is generated and submitted to the Puppet master. Since the primary Puppet CA worker is offline, we expect to see the pending certificate request in the standby directory:
# puppet cert --cadir /var/lib/puppet/ssl/ca.standby --list
test.example.lan
In order to see the pending certificate-signing request in the standby directory, you need to provide the--cadiroption, as we’ve done using thepuppet certcommand shown in
Listing 4-25
.
Listing 4-25.
Signing a CSR on the standby Puppet CA
# puppet cert --cadir /var/lib/puppet/ssl/ca.standby --sign test.example.lan
notice: Signed certificate request for test.example.lan
notice: Removing file Puppet::SSL::CertificateRequest test.example.lan at '/var/lib/puppet/ssl/ca.standby/requests/test.example.lan.pem'
Similar to listing the pending requests, you’re able to sign a specific request waiting in the standby directory usingpuppet certwith the--cadiroption.
# puppet agent --certname test.example.lan --test --noop
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for test.example.lan
info: Caching catalog for test.example.lan
info: Applying configuration version '1291556503'
notice: /Stage[main]//Node[default]/Notify[Passenger]/message: is absent, should be Passenger is setup and serving catalogs. (noop)
notice: Finished catalog run in 0.40 seconds
Finally, you can reconnect the Puppet agent and obtain the signed certificate using the same command we started with. The peer certificate warning in this output may be safely ignored.
The failover to the secondary CA is now working properly, and new certificates can be signed. Let’s test the process of re-activating the primary Puppet CA Worker. The load balancer will automatically start using the primary worker when it comes online again, so the process becomes a matter of synchronizing the secondary certificate authority back to the primary CA directory. You need to synchronize changes before re-activating the firewall rule to allow traffic back to the primary certificate authority.
Similar to the rsync command synchronizing the primary CA directory into the standby location, the rsync command shown in
Listing 4-26
reverses the direction and synchronizes the standby CA directory into the primary location before re-enabling the primary CA using the host firewall.
Listing 4-26.
How to rsync standby CA back to the primary CA
# rsync -avxH --delete /var/lib/puppet/ssl/ca{.standby,}/
building file list ... done
./
inventory.txt
serial
requests/
signed/
signed/test.example.lan.pem
sent 2103 bytes received 104 bytes 4414.00 bytes/sec
total size is 5980 speedup is 2.71
# iptables -L INPUT -n -v --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT tcp -- lo * 0.0.0.0/0 0.0.0.0/0
tcp dpt:18142 reject-with icmp-host-prohibited
2 290K 59M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -D INPUT 1
The twoiptablescommands first list the rules associated with incoming traffic. We see that rule #1 is rejecting traffic destined for the port used by the primary CA worker. The secondiptablescommand deletes rule #1 to allow traffic once again.
You performed three simple tasks to re-activate the primary Puppet CA Worker. First, you synchronized the CA directory from the standby in
Listing 4-23
. Notice that three files have changed since the hot standby worker has become active. These three files changed when you signed the certificate request fortest.example.lanin
Listing 4-22
. Immediately after synchronizing the CA directory, you removed the iptables rule blocking access to the primary Puppet CA worker. The first iptables command lists rules in the INPUT chain by number and the second iptables command removes rule number one from the firewall policy.
Caution
When failing back to the primary Puppet CA worker, there will be short delay where certificate requests are still directed to the hot standby. This delay is determined by how frequently the load balancer polls failed worker nodes to find out if they’re back online. In situations where a large number of certificate requests are being handled while the Puppet CA is being switched online, it is recommended to make theca.standbydirectory read-only to thepuppetuser and group to prevent changes from occurring after synchronization.
An Alternative: Load Balancing with DNS Round Robin
Up until now, we’ve relied on an HTTP load balancer using Apache to scale. This configuration allows us to easily redirect and consolidate all certificate requests to a single Puppet CA worker. However, we could also use DNS round robin to achieve the same ends.
DNS round robin is commonly used to cluster a group of worker processes providing the same service. In this configuration, redirection to different workers is performed at the name resolution stage instead of using a reverse HTTP proxy. As a result, the Puppet master infrastructure is no longer able to make decisions about the redirection based on the client request. Furthermore, if a specific Puppet master worker is offline, the DNS system is not checking the state of the worker and as a result, a portion of the Puppet agent systems will receive timeout errors when they are directed to connect to the failed worker system. We recommend deploying HTTP load balancing whenever possible to scale Puppet because of these shortcomings in DNS round robin.
Like our HTTP load balancing, all certificate-related requests should be consolidated onto one worker system to mitigate problems with certificate serial numbers and revocation lists diverging among the Puppet CA systems. To this end, the Puppet agent supports the configuration of a different Puppet CA server from the Puppet master server the configuration catalog is obtained from. When configuring Puppet using round robin DNS, it is recommended to maintain a single Puppet CA worker in addition to the number of Puppet master workers required. The Puppet agent configuration should set the --ca_server configuration option to bypass the round robin DNS configuration and contact the appropriate Puppet CA worker directly.
