MCollective server cannot connect to the ActiveMQ broker

I have been struggling to set up MCollective on my Puppet cluster. No matter what I do, I cannot seem to get the MCollective server to connect. The MCollective servers mostly run on Ubuntu Xenial. The ActiveMQ broker (5.14.3) runs on Debian Stretch. I am running Puppet 4.x on all nodes. I have tried every transport connector, and none of them will connect. Let me dump some log files on you.

In mcollective.log I get Connection reset by peer:

    I, [2017-01-27T15:43:59.869501 #18729]  INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://[email protected]:61614
    E, [2017-01-27T15:44:00.070995 #18729] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://[email protected]:61614 failed: Connection reset by peer - SSL_connect
    I, [2017-01-27T15:44:00.071371 #18729]  INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://[email protected]:61614 failed on attempt 24

Oddly, in the ActiveMQ log I also seem to get Connection reset by peer:

    ERROR | Could not accept connection from null : {}
    java.io.IOException: java.io.IOException: Connection reset by peer
        at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:188)[activemq-client.jar:]
        at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)[activemq-stomp.jar:]
        at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)[activemq-client.jar:]
        at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)[activemq-client.jar:]
        at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:462)[activemq-client.jar:]
        at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)[activemq-client.jar:]
        at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client.jar:]
        at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)[activemq-stomp.jar:]
        at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)[activemq-client.jar:]
        at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client.jar:]
        at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)[activemq-broker.jar:]
        at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker.jar:]
        at java.lang.Thread.run(Thread.java:745)[:1.8.0_111]

So they both reset the connection. Huh. Before you ask: no, there are no iptables rules, and yes, there is a route between the two nodes. Let's take a quick peek at lsof -i first, and then I'll throw some config files at you.

    java    20833  activemq   84u  IPv6  53552  0t0  TCP *:61614 (LISTEN)

activemq.xml:

    <!DOCTYPE activemq [
      <!ENTITY keyStores SYSTEM "keyStores.xml">
    ]>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:amq="http://activemq.apache.org/schema/core"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
      <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
      <broker xmlns="http://activemq.apache.org/schema/core" useJmx="false" brokerName="broker" dataDirectory="${activemq.base}/data">
        <persistenceAdapter>
          <kahaDB directory="${activemq.base}/data/kahadb"/>
        </persistenceAdapter>
        <sslContext>
          &keyStores;
        </sslContext>
        <transportConnectors>
          <transportConnector name="stomp+nio" uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
        </transportConnectors>
        <plugins>
          <simpleAuthenticationPlugin>
            <users>
              <authenticationUser username="mcollective" password="password" groups="mcollective,everyone"/>
              <authenticationUser username="admin" password="password" groups="mcollective,admins,everyone"/>
            </users>
          </simpleAuthenticationPlugin>
          <authorizationPlugin>
            <map>
              <authorizationMap>
                <authorizationEntries>
                  <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
                  <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
                  <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
                  <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
                  <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
                </authorizationEntries>
              </authorizationMap>
            </map>
          </authorizationPlugin>
        </plugins>
      </broker>
    </beans>

keyStores.xml:

    <sslContext keyStore="/etc/activemq/keystore.jks" keyStorePassword="password"
                trustStore="/etc/activemq/truststore.jks" trustStorePassword="password" />

mcollective/server.cfg:

    # /etc/mcollective/server.cfg

    # ActiveMQ connector settings:
    connector = activemq
    direct_addressing = 1
    plugin.activemq.pool.size = 1
    plugin.activemq.pool.1.host = broker.example.com
    plugin.activemq.pool.1.port = 61614
    plugin.activemq.pool.1.user = mcollective
    plugin.activemq.pool.1.password = password
    plugin.activemq.pool.1.ssl = 1
    plugin.activemq.pool.1.ssl.ca = /etc/puppetlabs/puppet/ssl/certs/ca.pem
    plugin.activemq.pool.1.ssl.cert = /etc/puppetlabs/puppet/ssl/certs/mail.example.com.pem
    plugin.activemq.pool.1.ssl.key = /etc/puppetlabs/puppet/ssl/private_keys/mail.example.com.pem
    plugin.activemq.pool.1.ssl.fallback = 0

    # SSL security plugin settings:
    securityprovider = ssl
    plugin.ssl_client_cert_dir = /etc/puppetlabs/mcollective/clients
    plugin.ssl_server_private = /etc/puppetlabs/mcollective/server_private.pem
    plugin.ssl_server_public = /etc/puppetlabs/mcollective/server_public.pem

    # Facts, identity, and classes:
    identity = mail.example.com
    factsource = yaml
    plugin.yaml = /etc/puppetlabs/mcollective/facts.yaml
    classesfile = /var/lib/puppet/state/classes.txt

    # No additional subcollectives:
    collectives = mcollective
    main_collective = mcollective

    # Registration:
    # We don't configure a listener, and only send these messages to keep the
    # Stomp connection alive. This will use the default "agentlist" registration
    # plugin.
    registerinterval = 600

    # Auditing (optional):
    # If you turn this on, you must arrange to rotate the log file it creates.
    rpcaudit = 1
    rpcauditprovider = logfile
    plugin.rpcaudit.logfile = /var/log/mcollective-audit.log

    # Authorization:
    # If you turn this on now, you won't be able to issue most MCollective
    # commands, although `mco ping` will work. You should deploy the
    # ActionPolicy plugin before uncommenting this; see "Deploy Plugins" below.
    # rpcauthorization = 1
    # rpcauthprovider = action_policy
    # plugin.actionpolicy.allow_unconfigured = 1

    # Logging:
    logger_type = file
    loglevel = debug
    logfile = /var/log/mcollective.log
    keeplogs = 5
    max_log_size = 2097152
    logfacility = user

    # Platform defaults:
    # These settings differ based on platform; the default config file created by
    # the package should include correct values. If you are managing settings as
    # resources, you can ignore them, but with a template you'll have to account
    # for the differences.
    libdir = /usr/share/mcollective/plugins
    daemonize = 1

The keys/certificates in keystore.jks and truststore.jks are correct, and so are the passwords. The shared keys and certificates are in place as well. So let's try connecting with openssl:

    root@mail:/etc/puppetlabs/puppet/ssl# openssl s_client -connect broker.example.com:61614 -CAfile certs/ca.pem -cert certs/mail.example.com.pem -key private_keys/mail.example.com.pem
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 305 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1485554633
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

I am not sure how to interpret this; maybe someone else does. Any fresh guesses would help, I'm stuck.
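Two checks worth scripting next to the s_client run in the question, as an added example that is not part of the original post: the broker's connector sets needClientAuth=true, so the client's key must belong to its certificate and that certificate must verify against the CA the broker's truststore is meant to hold; the second function wraps the same s_client probe and flags the case seen above, where the server drops the connection before its certificate arrives. Paths are arguments (the post's would be /etc/puppetlabs/puppet/ssl/certs/ca.pem and so on) and an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added diagnostic helpers, not from the original question.
# Usage: check_mtls_material CA_PEM CERT_PEM KEY_PEM  -> exit 0 when consistent
check_mtls_material() {
    ca="$1"; cert="$2"; key="$3"
    # The public key inside the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot read cert $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot read key $key"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key is not the private key for $cert"
        return 1
    fi
    # With needClientAuth=true the broker verifies this cert against its truststore;
    # the CA file given here stands in for that truststore.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "CHAIN: $cert does not verify against $ca"
        return 1
    fi
    echo "OK: key matches cert and cert chains to CA"
    return 0
}

# Usage: probe_broker HOST PORT CA_PEM CERT_PEM KEY_PEM
# Runs the handshake the connector would run; returns 1 when the peer closes
# the connection before sending a certificate (the pattern in the post's output).
probe_broker() {
    host="$1"; port="$2"; ca="$3"; cert="$4"; key="$5"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$ca" -cert "$cert" -key "$key" </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo "RESET: $host:$port closed the connection before the TLS handshake completed"
        return 1
    fi
    printf '%s\n' "$out" | grep -E 'Verify return code|Protocol|Cipher'
}
```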