puppet使用SSL(https)协议来进行通讯,默认情况下,puppet server端使用基于Ruby的WEBRick HTTP服务器。由于WEBRick HTTP服务器在处理agent端的性能方面并不是很强劲,因此需要扩展puppet,搭建Apache或者其他web服务器来处理客户的https请求。
Passenger是一个将Ruby程序嵌入执行的apache的一个模块,它可以让你运行Rails,即Rack应用内的一个Web服务器.能够自动增减集群进程的数量.能提高性能并增加Master和agent之间的并发连接数量。
工作原理如下:
安装好apache和passenger,然后配置apache处理puppet agent的SSL验证请求,最后将apache连接到puppet master.在处理SSL验证请求时,apache会验证puppet agent的证书是否由puppet CA签发,apache 会先验证请求.如果授权通过,则调用master.同时,apache会提供给puppet agent一个证书用于验证服务器的真实性,再将SSL证书存放在适当的位置.打开passenger模块并为puppet master服务创建一个虚拟主机来配置apache.
下面来配置一番:
1.安装apache等相关组件
yum install httpd httpd-devel mod_ssl ruby-devel rubygems libcurl-devel
2.使用ruby gem安装passenger
更换gem镜像 使用淘宝源:
gem sources --remove http://rubygems.org/ gem sources -a http://ruby.taobao.org/ gem sources -l *** CURRENT SOURCES *** http://ruby.taobao.org/
gem install rack passenger #安装passenger passenger-install-apache2-module #整合apache和passenger 按照相关提示解决依赖关系 安装过程会提示配置apache虚拟主机时需要增加passenger模块配置文件 LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55/buildout/apache2/mod_passenger.so <IfModule mod_passenger.c> PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55 PassengerDefaultRuby /usr/bin/ruby </IfModule> 查看passengeroot目录. [email protected]:~# passenger-config --root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55
3.配置apache和passenger
需要在puppet master创建rack应用,创建一个目录用来存放config.ru配置文件,并创建一个虚拟主机配置文件.rack为web服务器提供了用来和puppet服务交换请求和响应的一些常用API.Rack适用于Ruby类的HTTP服务,可以用于多台服务器之间部署服务.
创建rack框架目录,拷贝配置文件,赋予puppet权限.
mkdir -p /etc/puppet/rack/puppetmaster/{public,tmp} cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/puppetmaster/ chown puppet. /etc/puppet/rack/puppetmaster/config.ru
配置apache虚拟主机文件:
cp /usr/share/puppet/ext/rack/example-passenger-vhost.conf /etc/httpd/conf.d/puppet.domain.com.conf vim /etc/httpd/conf.d/puppet.domain.com.conf # This Apache 2 virtual host config shows how to use Puppet as a Rack # application via Passenger. See # http://docs.puppetlabs.com/guides/passenger.html for more information. # You can also use the included config.ru file to run Puppet with other Rack # servers instead of Passenger. LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55/buildout/apache2/mod_passenger.so <IfModule mod_passenger.c> PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55 PassengerDefaultRuby /usr/bin/ruby # you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000 PassengerStatThrottleRate 120 # RackAutoDetect Off # RailsAutoDetect Off </IfModule> Listen 8140 <VirtualHost *:8140> SSLEngine on SSLProtocol ALL -SSLv2 -SSLv3 SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA SSLHonorCipherOrder on SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none # which effectively disables CRL checking; if you are using Apache 2.4+ you must # specify ‘SSLCARevocationCheck chain‘ to actually use the CRL. # SSLCARevocationCheck chain SSLVerifyClient optional SSLVerifyDepth 1 # The `ExportCertData` option is needed for agent certificate expiration warnings SSLOptions +StdEnvVars +ExportCertData # This header needs to be set if using a loadbalancer or proxy RequestHeader unset X-Forwarded-For RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e DocumentRoot /etc/puppet/rack/puppetmaster/public/ RackBaseURI / <Directory /etc/puppet/rack/puppetmaster/> Options None AllowOverride None Order allow,deny allow from all </Directory> </VirtualHost> 检查配置 [email protected]:~# service httpd configtest Syntax OK 启动apache [email protected]:~# /etc/init.d/httpd start 检测端口及进程 [email protected]:~# netstat -tunlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22000 0.0.0.0:* LISTEN 811/sshd tcp 0 0 127.0.0.1:55939 0.0.0.0:* LISTEN 15291/Passenger Rac tcp 0 0 :::8140 :::* LISTEN 15234/httpd tcp 0 0 :::80 :::* LISTEN 15234/httpd tcp 0 0 :::22000 :::* LISTEN 811/sshd tcp 0 0 :::443 :::* LISTEN 15234/httpd
4.客户测试:
[email protected]:~# puppet agent --test Info: Retrieving pluginfacts Info: Retrieving plugin Info: Caching catalog for agent.domain.com Info: Applying configuration version ‘1418805297‘ Notice: Finished catalog run in 0.36 seconds
5.查看passenger状态
[email protected]:~# passenger-status Version : 4.0.55 Date : Wed Dec 17 17:24:28 +0800 2014 Instance: 15234 ----------- General information ----------- Max pool size : 12 Processes : 1 Requests in top-level queue : 0 ----------- Application groups ----------- /etc/puppet/rack/puppetmaster#default: App root: /etc/puppet/rack/puppetmaster Requests in queue: 0 * PID: 15291 Sessions: 0 Processed: 62 Uptime: 49m 35s CPU: 0% Memory : 85M Last used: 1m 24s ago [email protected]:~# passenger-memory-stats Version: 4.0.55 Date : Wed Dec 17 17:24:32 +0800 2014 ---------- Apache processes ---------- PID PPID VMSize Private Name -------------------------------------- 15234 1 203.0 MB 0.4 MB /usr/sbin/httpd 15254 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15255 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15256 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15257 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15258 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15259 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15260 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15261 15234 203.3 MB 0.5 MB /usr/sbin/httpd ### Processes: 9 ### Total private dirty RSS: 4.27 MB -------- Nginx processes -------- ### Processes: 0 ### Total private dirty RSS: 0.00 MB ----- Passenger processes ----- PID VMSize Private Name ------------------------------- 15236 211.6 MB 0.3 MB PassengerWatchdog 15239 564.9 MB 0.7 MB PassengerHelperAgent 15244 210.5 MB 0.8 MB PassengerLoggingAgent 15291 190.6 MB 85.4 MB Passenger RackApp: /etc/puppet/rack/puppetmaster ### Processes: 4 ### Total private dirty RSS: 87.20 MB