@nerdsav
linux admin

HAProxy load balancer for Puppet server?

I just can't get it to work ((
I need to set up haproxy as a load balancer for N puppet master servers.
haproxy has to perform the SSL authentication.
As a balancer I tried apache: everything works fine, including in SSL authentication mode.
With haproxy I've been struggling for a long time and can't get it working.

config:

global
daemon
user haproxy
group haproxy
maxconn 2048
log 127.0.0.1 local0
nbproc 1
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:tlsv10:tlsv11:tlsv12
ssl-default-bind-options no-sslv3

defaults
log global
option httplog
option httpclose
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r

option forwardfor
option redispatch
option tcp-smart-accept
option tcp-smart-connect
maxconn 8000
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s

frontend puppet-frontend
mode http
option httplog
bind 10.10.24.40:8140 ssl crt /etc/haproxy/ssl/cert_81.pem ca-file /etc/haproxy/ssl/ca.pem crl-file /etc/puppetlabs/puppet/ssl/crl.pem verify required
option forwardfor header X-Real-IP
default_backend puppet-backend

backend puppet-backend
balance roundrobin
mode http
option httpclose
option forwardfor
option httplog
log global
server null-1 10.10.24.40:18140 check
server null-2 10.10.24.50:18140 check

when connecting with puppet agent -t:

# puppet agent -t --server=puppet --masterport=8140 --verbose
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/node/null-cli [find]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/file_metadata/pluginfacts [search]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/file_metadata/pluginfacts [find]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/file_metadata/plugins [search]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/file_metadata/plugins [find]
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/catalog/null-cli [find]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/report/null-cli [save]

i.e.: Warning: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/node/null-0 [find]

on the haproxy side:

# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -d
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
00000000:puppet-frontend.accept(0004)=0006 from [10.10.24.40:14184]
00000000:puppet-frontend.clireq[0006:ffffffff]: GET /puppet/v3/node/null-cli?environment=production&transaction_uuid=e1d771f2-6557-4422-9a47-73a4133f0278&fail_on_404=true HTTP/1.1
00000000:puppet-frontend.clihdr[0006:ffffffff]: Accept: pson, binary
00000000:puppet-frontend.clihdr[0006:ffffffff]: X-Puppet-Version: 4.10.5
00000000:puppet-frontend.clihdr[0006:ffffffff]: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
00000000:puppet-frontend.clihdr[0006:ffffffff]: User-Agent: Puppet/4.10.5 Ruby/2.1.9-p490 (x86_64-linux)
00000000:puppet-frontend.clihdr[0006:ffffffff]: Host: puppet:8140
00000000:puppet-backend.srvrep[0006:0008]: HTTP/1.1 403 Forbidden
00000000:puppet-backend.srvhdr[0006:0008]: Date: Thu, 03 Aug 2017 16:36:11 GMT
00000000:puppet-backend.srvhdr[0006:0008]: Content-Type: application/json
00000000:puppet-backend.srvhdr[0006:0008]: X-Puppet-Version: 4.10.4
00000000:puppet-backend.srvhdr[0006:0008]: Connection: close
00000000:puppet-backend.srvhdr[0006:0008]: Server: Jetty(9.2.z-SNAPSHOT)
00000000:puppet-backend.srvcls[0006:0008]
00000000:puppet-backend.clicls[0006:0008]
00000000:puppet-backend.closed[0006:0008]
00000001:puppet-frontend.accept(0004)=0006 from [10.10.24.40:14185]
00000001:puppet-frontend.clireq[0006:ffffffff]: GET /puppet/v3/file_metadatas/pluginfacts?environment=production&links=follow&recurse=true&source_permissions=use&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&checksum_type=md5 HTTP/1.1
00000001:puppet-frontend.clihdr[0006:ffffffff]: Accept: pson, binary
00000001:puppet-frontend.clihdr[0006:ffffffff]: X-Puppet-Version: 4.10.5
00000001:puppet-frontend.clihdr[0006:ffffffff]: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
00000001:puppet-frontend.clihdr[0006:ffffffff]: User-Agent: Puppet/4.10.5 Ruby/2.1.9-p490 (x86_64-linux)
00000001:puppet-frontend.clihdr[0006:ffffffff]: Host: puppet:8140
00000001:puppet-backend.srvrep[0006:0008]: HTTP/1.1 403 Forbidden
00000001:puppet-backend.srvhdr[0006:0008]: Date: Thu, 03 Aug 2017 16:36:11 GMT
00000001:puppet-backend.srvhdr[0006:0008]: Content-Type: application/json
00000001:puppet-backend.srvhdr[0006:0008]: X-Puppet-Version: 4.10.4
00000001:puppet-backend.srvhdr[0006:0008]: Connection: close
00000001:puppet-backend.srvhdr[0006:0008]: Server: Jetty(9.2.z-SNAPSHOT)
00000001:puppet-backend.srvcls[0006:0008]
00000001:puppet-backend.clicls[0006:0008]
00000001:puppet-backend.closed[0006:0008]

and so on.

I've searched all of Google for an answer.
Can anyone tell me what I'm doing wrong in the haproxy config? I'll remind you that if the balancer runs on apache, everything works perfectly with the same puppet agents and puppet masters!
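Puppet Server behind an SSL-terminating proxy takes the agent's identity from the X-Client-Verify and X-Client-DN request headers, which the frontend above never sets, so over the plain-HTTP backend it sees an anonymous request and its auth.conf rules reject it with 403 Not Authorized. The following is an added example of the frontend and backend with those headers filled in from HAProxy's own TLS verification; it is not config from the question. It assumes Puppet Server is set up for external termination: webserver.conf listening on plain HTTP port 18140 and auth.conf containing authorization: { allow-header-cert-info: true }.

```haproxy
# Added example, not the asker's config. Certificate paths and server
# addresses are the ones from the question; the Puppet Server side is assumed
# to be configured for external SSL termination (plain HTTP on 18140 and
# allow-header-cert-info: true in auth.conf).

frontend puppet-frontend
    mode http
    option httplog
    bind 10.10.24.40:8140 ssl crt /etc/haproxy/ssl/cert_81.pem ca-file /etc/haproxy/ssl/ca.pem crl-file /etc/puppetlabs/puppet/ssl/crl.pem verify required
    option forwardfor header X-Real-IP

    # Never trust these headers as sent by the client: overwrite them
    # unconditionally. With "verify required" a request only reaches this
    # point if the agent cert validated against ca.pem and is not on the CRL,
    # so the FAILED default is a safety net, not an expected path.
    http-request set-header X-Client-Verify FAILED
    http-request set-header X-Client-Verify SUCCESS if { ssl_c_used } { ssl_c_verify eq 0 }

    # Subject DN of the agent certificate in "/CN=agent.example.com" form;
    # Puppet Server takes the node name from its CN.
    http-request set-header X-Client-DN %[ssl_c_s_dn]

    # The optional X-Client-Cert header (URL-encoded PEM) is not forwarded
    # here, so auth.conf rules that match on certificate extensions will not
    # see them.
    default_backend puppet-backend

backend puppet-backend
    mode http
    balance roundrobin
    option httpclose
    option forwardfor
    # Plain HTTP to the masters. Because they now trust X-Client-* headers
    # from whoever connects to 18140, restrict that port to the proxy hosts
    # (firewall, or bind it to an address only HAProxy reaches) so an agent
    # cannot bypass HAProxy and present a forged identity.
    server null-1 10.10.24.40:18140 check
    server null-2 10.10.24.50:18140 check
```

Check the result in the same haproxy -d trace as above: the clihdr lines for each request should now include X-Client-Verify and X-Client-DN, and the backend should answer 200 instead of 403.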