
MCollective server cannot connect to the ActiveMQ broker

I've been trying to set up MCollective on my puppet cluster. No matter what I do, the MCollective server doesn't seem to be able to connect. The MCollective server(s) are running mostly on Ubuntu Xenial. The ActiveMQ broker (5.14.3) runs on Debian Stretch. I'm running puppet 4.x on all nodes. I've tried every transport connector I can find, and none of them connect. Let me dump a few log files on you.

In mcollective.log I get Connection reset by peer:

I, [2017-01-27T15:43:59.869501 #18729]  INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://mcollective@broker.example.com:61614
E, [2017-01-27T15:44:00.070995 #18729] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@broker.example.com:61614 failed: Connection reset by peer - SSL_connect
I, [2017-01-27T15:44:00.071371 #18729]  INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://mcollective@broker.example.com:61614 failed on attempt 24

Oddly enough, in the ActiveMQ log I also get something like Connection reset by peer:

ERROR | Could not accept connection from null : {}
java.io.IOException: java.io.IOException: Connection reset by peer
    at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:188)[activemq-client.jar:]
    at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)[activemq-stomp.jar:]
    at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)[activemq-client.jar:]
    at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)[activemq-client.jar:]
    at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:462)[activemq-client.jar:]
    at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)[activemq-client.jar:]
    at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client.jar:]
    at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)[activemq-stomp.jar:]
    at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)[activemq-client.jar:]
    at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client.jar:]
    at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)[activemq-broker.jar:]
    at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker.jar:]
    at java.lang.Thread.run(Thread.java:745)[:1.8.0_111]

So they are both resetting the connection. Huh. Before you ask, no: there are no iptables rules, and yes: there is a route between the two nodes. Let's look at lsof -i just in case, and then I'll throw a few config files at you.

java    20833 activemq   84u  IPv6  53552      0t0  TCP *:61614 (LISTEN)

activemq.xml:

<!DOCTYPE activemq [
  <!ENTITY keyStores SYSTEM "keyStores.xml">
]>
<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">

    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>

    <broker xmlns="http://activemq.apache.org/schema/core"
            useJmx="false"
            brokerName="broker"
            dataDirectory="${activemq.base}/data">

      <persistenceAdapter>
        <kahaDB directory="${activemq.base}/data/kahadb"/>
      </persistenceAdapter>

      <sslContext>
        &keyStores;
      </sslContext>

      <transportConnectors>
        <transportConnector
          name="stomp+nio"
          uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
      </transportConnectors>

      <plugins>
        <simpleAuthenticationPlugin>
          <users>
            <authenticationUser username="mcollective" password="password" groups="mcollective,everyone"/>
            <authenticationUser username="admin" password="password" groups="mcollective,admins,everyone"/>
          </users>
        </simpleAuthenticationPlugin>
        <authorizationPlugin>
          <map>
            <authorizationMap>
              <authorizationEntries>
                <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
                <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
                <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
                <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
                <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
              </authorizationEntries>
            </authorizationMap>
          </map>
        </authorizationPlugin>
      </plugins>
    </broker>

</beans>

keyStores.xml:

<sslContext
    keyStore="/etc/activemq/keystore.jks"
    keyStorePassword="password"
    trustStore="/etc/activemq/truststore.jks"
    trustStorePassword="password" />

mcollective / server.cfg:

# /etc/mcollective/server.cfg

# ActiveMQ connector settings:
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = broker.example.com
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = password
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = /etc/puppetlabs/puppet/ssl/certs/ca.pem
plugin.activemq.pool.1.ssl.cert = /etc/puppetlabs/puppet/ssl/certs/mail.example.com.pem
plugin.activemq.pool.1.ssl.key = /etc/puppetlabs/puppet/ssl/private_keys/mail.example.com.pem
plugin.activemq.pool.1.ssl.fallback = 0

# SSL security plugin settings:
securityprovider = ssl
plugin.ssl_client_cert_dir = /etc/puppetlabs/mcollective/clients
plugin.ssl_server_private = /etc/puppetlabs/mcollective/server_private.pem
plugin.ssl_server_public = /etc/puppetlabs/mcollective/server_public.pem

# Facts, identity, and classes:
identity = mail.example.com
factsource = yaml
plugin.yaml = /etc/puppetlabs/mcollective/facts.yaml
classesfile = /var/lib/puppet/state/classes.txt

# No additional subcollectives:
collectives = mcollective
main_collective = mcollective

# Registration:
# We don't configure a listener, and only send these messages to keep the
# Stomp connection alive. This will use the default "agentlist" registration
# plugin.
registerinterval = 600

# Auditing (optional):
# If you turn this on, you must arrange to rotate the log file it creates.
rpcaudit = 1
rpcauditprovider = logfile
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log

# Authorization:
# If you turn this on now, you won't be able to issue most MCollective
# commands, although `mco ping` will work. You should deploy the
# ActionPolicy plugin before uncommenting this; see "Deploy Plugins" below.

# rpcauthorization = 1
# rpcauthprovider = action_policy
# plugin.actionpolicy.allow_unconfigured = 1

# Logging:
logger_type = file
loglevel = debug
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user

# Platform defaults:
# These settings differ based on platform; the default config file created by
# the package should include correct values. If you are managing settings as
# resources, you can ignore them, but with a template you'll have to account
# for the differences.
libdir = /usr/share/mcollective/plugins
daemonize = 1

The keys/certificates in keystore.jks and truststore.jks are correct, as is the password. The public keys and certificates are also in place. So let's try connecting with openssl:

root@mail:/etc/puppetlabs/puppet/ssl# openssl s_client -connect broker.example.com:61614 -CAfile certs/ca.pem -cert certs/mail.example.com.pem -key private_keys/mail.example.com.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1485554633
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I'm not entirely sure how to interpret this; maybe someone else knows. Any fresh good guesses would be helpful, I'm stuck.
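As an added diagnostic example (not from the question above and not part of MCollective or ActiveMQ), the probe below performs the same client-certificate TLS handshake that openssl s_client did and classifies the outcome, so that a peer dropping the socket before it answers the ClientHello (the write:errno=104 with 0 bytes read case) can be told apart from a real TLS alert such as a certificate verification failure. The resetting listener is a constructed stand-in so the probe can be exercised offline; host, port and certificate paths are parameters you would point at broker.example.com:61614 and the puppet SSL files.

```python
import socket
import ssl
import struct
import threading


def classify_tls_probe(host, port, cafile=None, certfile=None, keyfile=None, timeout=5.0):
    """TCP-connect, run a TLS handshake (presenting a client cert if given, as the
    MCollective activemq connector does) and return (category, detail):
      handshake_ok               - TLS established, detail is the negotiated version
      server_closed_before_reply - peer reset/closed the socket without sending any
                                   ServerHello or alert (errno 104, 0 bytes read)
      tls_error                  - a TLS-level failure, e.g. CERTIFICATE_VERIFY_FAILED
      refused / timeout          - nothing listening, or no answer at all
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "handshake_ok", tls.version()
    except ConnectionRefusedError:
        return "refused", None
    except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError):
        return "server_closed_before_reply", None
    except socket.timeout:
        return "timeout", None
    except ssl.SSLError as exc:          # SSLEOFError was already handled above
        return "tls_error", exc.reason


def start_resetting_server():
    """Constructed stand-in (hypothetical, for offline use): accepts one connection,
    swallows the ClientHello and then resets the socket. Returns its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:
            conn.recv(4096)              # read and discard the client's first TLS record
        except OSError:
            pass
        # SO_LINGER with a zero timeout makes close() emit RST instead of FIN, which the
        # client reports as "Connection reset by peer" (errno 104), exactly as in the logs.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(classify_tls_probe("127.0.0.1", start_resetting_server()))  # ('server_closed_before_reply', None)
```

A server_closed_before_reply result means the listener never got as far as a TLS record exchange, so certificate trust and client-auth settings have not yet been evaluated and the next place to look is the broker's transport and SSL context startup rather than the client's keys.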