Puppet master: scaling with nginx for better performance (Puppet automation series, part 4)

Puppet communicates over SSL (HTTPS). By default the Puppet master serves this with WEBrick, a Ruby HTTP server, which does not cope well with a large number of agents. To scale the master, put nginx (or another robust web server) in front of it to terminate the agents' HTTPS connections.

Problems to solve:

  • Scale the transport: improve performance and raise the number of concurrent connections between master and agents.
  • Scale SSL: manage certificates properly so that traffic between master and agents stays encrypted and mutually authenticated.

Nginx + Passenger approach:

6.1 Install the development packages needed to build nginx

[[email protected] ~]# groupadd -g 3001 nginx
[[email protected] ~]# useradd -u 3001 -g 3001 nginx
[[email protected] ~]# yum install ruby-devel gcc gcc-c++ make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build
(gcc-c++ is needed as well: the Passenger support library that the nginx module links against is C++.)

6.2 Install Passenger

It is best to switch to a closer gem source first: gem sources -a http://ruby.taobao.org

That mirror is addressed over plain http, so a gem fetched through it can be swapped in transit; prefer an https source, or check the gems installed here against the versions published on rubygems.org before they go into the master's trust path.

gem sources -u    (refreshes the source cache)

gem install  rake rack passenger --no-rdoc --no-ri

6.3 Build and install nginx

Note: nginx is built from source so that the Passenger nginx module (found under the directory printed by passenger-config --root) is compiled in. ext/nginx is the module path for Passenger 4.x as used here; Passenger 5 moved it to src/nginx_module. Both tarballs below are fetched over plain http; verify them before building (nginx.org publishes a detached .asc signature next to every tarball, and PCRE publishes signatures for its releases), since anything compiled into the TLS front end of the master is in the trust path of every agent.

wget http://nginx.org/download/nginx-1.7.9.tar.gz

wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz

[[email protected] ~]# cd /usr/local/src/
[[email protected] src]# tar -xzf ~/nginx-1.7.9.tar.gz
[[email protected] src]# tar -xzf ~/pcre-8.36.tar.gz
[[email protected] src]# cd nginx-1.7.9/
[[email protected] nginx-1.7.9]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.36 --add-module=`passenger-config --root`/ext/nginx
[[email protected] nginx-1.7.9]# make && make install

Wiring Passenger to Puppet

Note: config.ru goes into the application root, /etc/puppet/rack/, not into public/. Passenger takes the parent of the directory that nginx's root points at (/etc/puppet/rack/public) as the application root and looks for config.ru there; it also runs the application as the owner of config.ru, so owner and group must be puppet.

[[email protected] ~]# mkdir  -p /etc/puppet/rack/public
[[email protected] ~]# cp /usr/share/puppet/ext/rack/config.ru  /etc/puppet/rack/
[[email protected] ~]#  chown -R puppet:puppet /etc/puppet/rack/

7. Configure nginx (a dedicated virtual host is recommended)

Note: the certificate and key file names must match the certname of this master as Puppet generated them (puppet config print certname ssldir shows both). On a master running with ca = false, as in puppet.conf below, /var/lib/puppet/ssl/ca/ca_crl.pem does not exist; the CRL the master downloads from the CA is /var/lib/puppet/ssl/crl.pem (the hostcrl setting), and ssl_crl should point there.

Case 1: Passenger configured directly in the main nginx configuration file

[[email protected] conf]# cat nginx.conf
user  nginx nginx;
worker_processes  1;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    # must be exactly what `passenger-config --root` prints on this host
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55;
    passenger_ruby /usr/bin/ruby;
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen 8140                ssl;
        server_name                puppetmaster;
        passenger_enabled          on;
        # Puppet derives the agent identity from these two CGI variables (see
        # ssl_client_header / ssl_client_verify_header in puppet.conf below).
        # passenger_set_cgi_param overwrites any X-Client-* header the client
        # sent, so the values always come from nginx's own TLS verification.
        passenger_set_cgi_param    HTTP_X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_cgi_param    HTTP_X_CLIENT_VERIFY $ssl_client_verify;
        # proxy_* buffer settings apply to proxy_pass only and do nothing for
        # Passenger; they are harmless here.
        proxy_buffer_size 4000k;
        proxy_buffering on;
        proxy_buffers 32 1280k;
        proxy_busy_buffers_size 17680k;
        client_max_body_size 10m;
        client_body_buffer_size 4096k;
        access_log /var/log/nginx/puppet_access.log;
        error_log /var/log/nginx/puppet_error.log;
        # This must be the public directory: Passenger treats the parent of root
        # as the application root and looks for config.ru there. With root set
        # to /etc/puppet/rack/ it looks for /etc/puppet/config.ru, finds nothing,
        # and nginx falls back to serving the directory itself, which gives:
        # *4 directory index of "/etc/puppet/rack/" is forbidden, client: 192.168.122.1, server: pm01.jq.com, request: "GET / HTTP/1.1", host: "pm01.jq.com:8140"
        root /etc/puppet/rack/public;
        # TLS is enabled by the ssl parameter on the listen line; the separate
        # "ssl on|off" directive is not needed (obsolete since nginx 1.15.0).
        ssl_session_timeout 5m;
        ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster1.jq.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster1.jq.com.pem;
        ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
        # ca/ca_crl.pem only exists on the CA host; with ca = false use the
        # downloaded CRL, /var/lib/puppet/ssl/crl.pem
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        # optional, not on: an agent without a signed certificate must still be
        # able to submit its CSR. Puppet checks $ssl_client_verify per request.
        ssl_verify_client optional;
        # nginx 1.7.x still enables SSLv3 by default; allow TLS only.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # The widely copied "SSLv2:-LOW:-EXPORT:RC4+RSA" string negotiates RC4
        # and other weak suites; use a modern list instead.
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
        ssl_prefer_server_ciphers on;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;

        # File sections: files served by nginx directly, bypassing the Puppet
        # fileserver and its fileserver.conf/auth.conf ACLs. Because client
        # certificates are optional above, anyone able to reach port 8140 could
        # otherwise read /etc/puppet/files/ without a certificate, so require a
        # verified one here.
        location /production/file_content/files/ {
            if ($ssl_client_verify != "SUCCESS") {
                return 403;
            }
            types { }
            default_type application/x-raw;
            alias /etc/puppet/files/;
        }
    }

    include vhosts/*.conf;
}

 
Case 2: Passenger configured as a virtual host, with the main configuration as follows:
[[email protected] conf]# cat nginx.conf
user  nginx nginx;
worker_processes  1;
 
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
 
 
http {
    # must be exactly what `passenger-config --root` prints on this host
    passenger_root /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.57/;
    passenger_ruby /usr/local/bin/ruby;
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       8088;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
 
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
 
 
    }
 
    include vhosts/*.conf;
}
Virtual host configuration
[[email protected] conf]# cat vhosts/passenger.conf 
server {
    listen 8140                ssl;
    server_name                pm01;
    passenger_enabled          on;
    # Puppet takes the agent identity from these two CGI variables; setting them
    # here overwrites any X-Client-* header the client supplied.
    passenger_set_cgi_param    HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param    HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    # proxy_* buffers only affect proxy_pass, not Passenger; harmless here
    proxy_buffer_size 4000k;
    proxy_buffering on;
    proxy_buffers 32 1280k;
    proxy_busy_buffers_size 17680k;
    client_max_body_size 10m;
    client_body_buffer_size 4096k;
    access_log /var/log/nginx/puppet_access.log;
    error_log /var/log/nginx/puppet_error.log;
    # parent of root is the Passenger application root holding config.ru
    root /etc/puppet/rack/public;
    # TLS comes from the ssl parameter on listen; no "ssl on|off" needed
    ssl_session_timeout 5m;
    ssl_certificate /var/lib/puppet/ssl/certs/pm01.jq.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/pm01.jq.com.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    # with ca = false use the downloaded CRL, /var/lib/puppet/ssl/crl.pem
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    # optional so that a new agent can still submit its CSR without a certificate
    ssl_verify_client optional;
    # nginx 1.7.x still enables SSLv3 by default; allow TLS only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # replaces "SSLv2:-LOW:-EXPORT:RC4+RSA", which allows RC4 and export suites
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    # File sections: served by nginx, bypassing Puppet's fileserver ACLs, so
    # insist on a verified client certificate (they are optional above)
    location /production/file_content/files/ {
        if ($ssl_client_verify != "SUCCESS") {
            return 403;
        }
        types { }
        default_type application/x-raw;
        alias /etc/puppet/files/;
    }
}

Configure puppet.conf

[[email protected]1 ~]# vim /etc/puppet/puppet.conf 
[master]
    certname = puppetmaster
    ca       = false
    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
    ssl_client_header = HTTP_X_CLIENT_DN

certname must be the name the master's certificate was issued for, i.e. the same name as the .pem files loaded by ssl_certificate and ssl_certificate_key above. ca = false because the CA runs on a separate host in this series. The last two settings (Puppet's defaults, written out explicitly) tell the master which CGI variables carry the front end's verdict on the client certificate and the client's DN. Puppet trusts them unconditionally: whoever can set them is whoever they claim to be. That is acceptable only because nginx sets both from its own TLS verification with passenger_set_cgi_param, overwriting anything the client sent; the Rack application must not be reachable by any other route (no WEBrick master left listening, no second server block without TLS pointing at the same root).
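The trust relationship those two settings create, shown as an added example that is not part of the original post and not Puppet's own code: a Ruby sketch of how a Rack back end behind the nginx server block above should turn HTTP_X_CLIENT_VERIFY and HTTP_X_CLIENT_DN into a node identity. The header names are the ones from puppet.conf; the DN formats are the two nginx emits for $ssl_client_s_dn (the legacy slash form before 1.11.6, RFC 2253 from 1.11.6 on); the sample env hashes are constructed.

```ruby
# Added example (not Puppet's own code): the decision a Rack back end behind the
# nginx server block above must make from the two CGI variables nginx sets.

VERIFY_HEADER = 'HTTP_X_CLIENT_VERIFY' # ssl_client_verify_header in puppet.conf
DN_HEADER     = 'HTTP_X_CLIENT_DN'     # ssl_client_header in puppet.conf

# Pull the CN out of $ssl_client_s_dn. nginx before 1.11.6 emits the legacy
# OpenSSL one-line form ("/C=CN/O=Puppet/CN=ag1.jq.com"); from 1.11.6 it emits
# RFC 2253 ("CN=ag1.jq.com,O=Puppet,C=CN"). Escaped separators are not handled;
# Puppet-issued certificates carry only a CN.
def cn_from_dn(dn)
  return nil if dn.nil? || dn.empty?
  rdns = dn.start_with?('/') ? dn[1..-1].split('/') : dn.split(',')
  rdns.each do |rdn|
    type, value = rdn.split('=', 2)
    next unless type && value
    return value.strip if type.strip.casecmp('CN').zero? && !value.strip.empty?
  end
  nil
end

# The node name nginx authenticated, or nil. Only the exact string "SUCCESS"
# counts: "NONE" is an agent without a certificate yet (it may still submit a
# CSR), "FAILED" or "FAILED:<reason>" is a bad or revoked certificate. Nothing
# here can tell a header set by nginx from one sent by the client, which is why
# passenger_set_cgi_param must overwrite both and the Rack application must
# not be reachable except through nginx.
def authenticated_node(env)
  return nil unless env[VERIFY_HEADER] == 'SUCCESS'
  cn_from_dn(env[DN_HEADER])
end

# An agent may only fetch its own catalog: the certname in the request URL is
# untrusted input and is compared against the TLS-derived identity.
def catalog_allowed?(env, requested_certname)
  node = authenticated_node(env)
  !node.nil? && node == requested_certname
end

# Constructed sample environments (what Passenger hands to the Rack app).
SAMPLE_ENVS = {
  legacy_ok:  { VERIFY_HEADER => 'SUCCESS', DN_HEADER => '/CN=ag1.jq.com' },
  rfc2253_ok: { VERIFY_HEADER => 'SUCCESS', DN_HEADER => 'CN=ag2.jq.com,O=Puppet' },
  no_cert:    { VERIFY_HEADER => 'NONE', DN_HEADER => '' },
  revoked:    { VERIFY_HEADER => 'FAILED:certificate revoked', DN_HEADER => '/CN=ag1.jq.com' },
}

if __FILE__ == $0
  SAMPLE_ENVS.each { |name, env| puts "#{name}: #{authenticated_node(env).inspect}" }
end
```

The point of the verify gate is that the DN header alone proves nothing: an agent that has not been signed yet still connects (ssl_verify_client optional) and nginx still fills in whatever DN the unverified certificate carried, so the verdict header must be checked first.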

8. Start nginx

The WEBrick-based puppetmaster service must be stopped first, since it listens on the same port 8140 and would otherwise keep serving agents outside nginx. An nginx built from source does not install an init script; /etc/init.d/nginx below is assumed to have been added separately.

[[email protected] gem]# mkdir /var/log/nginx/
[[email protected] nginx-1.4.2]# /etc/init.d/puppetmaster stop
[[email protected] nginx-1.4.2]# chkconfig puppetmaster off
[[email protected] nginx-1.4.2]# /etc/init.d/nginx start
[[email protected] nginx-1.4.2]# chkconfig nginx on

9. Test

Run puppet agent -t on several nodes and watch the nginx access log to confirm that nginx + Passenger is serving the requests: each agent run should show up in puppet_access.log, and nothing should be reaching WEBrick any more.

[[email protected] ~]# puppet  agent -t
[[email protected] ~]# tailf  /var/log/nginx/puppet_access.log
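A connectivity and TLS check to run alongside the log tail, as an added example that is not part of the original post: a Ruby probe that connects to the master on 8140 the way an agent does, verifies the server certificate against the Puppet CA, optionally presents an agent certificate, and reports the negotiated protocol and cipher. Its self_check builds a throwaway CA, server and agent certificate in memory and runs the probe against a local listener configured like the server block above (client certificate requested but not required, i.e. ssl_verify_client optional), once with and once without the agent certificate, so the SUCCESS/NONE distinction nginx passes on to Puppet can be seen offline. Host names, port 8140, the cipher policy and the file paths are assumptions taken from the configuration above; only Ruby's OpenSSL binding is used.

```ruby
require 'openssl'
require 'socket'

# Anything the old "SSLv2:-LOW:-EXPORT:RC4+RSA" string let in and a modern
# cipher list should never negotiate.
WEAK_CIPHER = /RC4|NULL|EXPORT|DES|MD5/i

# Connect to host:port as an agent would: verify the server against ca_cert and
# present cert/key if given. Returns what was negotiated.
def probe_tls(host, port, ca_cert, cert: nil, key: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert if cert
  ctx.key = key if key
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host unless host =~ /\A[\d.]+\z/ # SNI, not for IP literals
  ssl.sync_close = true
  ssl.connect
  cipher = ssl.cipher[0]
  { protocol: ssl.ssl_version, cipher: cipher, weak: !(cipher =~ WEAK_CIPHER).nil?,
    server_cn: ssl.peer_cert.subject.to_a.assoc('CN')[1] }
ensure
  ssl ? ssl.close : (tcp && tcp.close)
end

# Throwaway certificate for the offline check (constructed, not a Puppet CA).
# issuer is a [cert, key] pair; nil means self-signed.
def make_cert(cn, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 30)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Local listener configured like the nginx server block: presents the server
# certificate, asks for a client certificate but does not require one
# (ssl_verify_client optional), and records per connection what nginx would
# expose as $ssl_client_verify / $ssl_client_s_dn.
def start_optional_mtls_server(server, ca_cert, connections, results)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = server
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # no FAIL_IF_NO_PEER_CERT
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.client_ca = [ca_cert]
  ctx.ciphers = 'HIGH:!aNULL:!MD5:!RC4:!3DES'
  tcp = TCPServer.new('127.0.0.1', 0)
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thr = Thread.new do
    connections.times do
      begin
        c = srv.accept
        peer = c.peer_cert
        results << (peer ? ['SUCCESS', peer.subject.to_s(OpenSSL::X509::Name::RFC2253)] : ['NONE', ''])
        c.close
      rescue OpenSSL::SSL::SSLError
        results << ['FAILED', '']
      end
    end
    srv.close
  end
  [tcp.addr[1], thr]
end

# Offline demonstration: one probe with the agent certificate, one without.
def self_check
  ca = make_cert('Puppet CA', ca: true)
  server = make_cert('pm01.jq.com', issuer: ca)
  agent = make_cert('ag1.jq.com', issuer: ca)
  seen = []
  port, thr = start_optional_mtls_server(server, ca[0], 2, seen)
  with_cert = probe_tls('127.0.0.1', port, ca[0], cert: agent[0], key: agent[1])
  without_cert = probe_tls('127.0.0.1', port, ca[0])
  thr.join
  { with_cert: with_cert, without_cert: without_cert, server_saw: seen }
end

if __FILE__ == $0
  if ARGV.size == 4 # host agent.pem agent_key.pem ca.pem
    host, cert_pem, key_pem, ca_pem = ARGV
    p probe_tls(host, 8140, OpenSSL::X509::Certificate.new(File.read(ca_pem)),
                cert: OpenSSL::X509::Certificate.new(File.read(cert_pem)),
                key: OpenSSL::PKey::RSA.new(File.read(key_pem)))
  else
    p self_check
  end
end
```

Run it with no arguments for the offline self-check, or with the master's host name followed by an agent's certificate, private key and CA certificate (the files under /var/lib/puppet/ssl on that agent) to probe the real front end. A weak: true in the result means the cipher list is still the old one; an SSL error only on the with-certificate run points at ssl_client_certificate or ssl_crl, since a connection without a certificate never exercises them.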
Date: 2024-08-26 16:08:09
