系统环境:rhel6.5,puppet 3.7.4
Master server1.example.com(192.168.88.128)
Agent server2.example.com(192.168.88.129)
原理:使用apache或nginx代替puppet原生态的Webrick以提升master的吞吐量,在master上启webserver以负责监听8140端口并处理客户端的请求、file文件以及验证的客户端请求,将编译部分代理转发到后端的master。极大扩展master能够管理的节点的数量。
Apache+passenger;
一.安装apache和passenger:
yum install httpd httpd-devel mod_ssl gcc gcc-c++ ruby-devel rubygems
安装passenger
gem installrack passenger(安装过程较慢)#rack 用来让webserver和puppet交换请求和相应的一些 常用API
passenger-install-apache2-module #安装apache模版
#有时gem安装失败,基本是网络原因,更换gem仓库
gem sources –-remove https://rubygems.org/
gem sources -a http://ruby.taobao.org/ #淘宝的gem镜像源
二.配置apache
[[email protected] rack]# pwd
/usr/share/puppet/ext/rack #配置文件模板位置
[[email protected] rack]# passenger-config --root #passengerroot 目录
/usr/lib/ruby/gems/1.8/gems/passenger-5.0.6
mkdir /etc/puppet/rack/
cd /etc/puppet/rack
cp example-passenger-vhost.conf/etc/httpd/conf.d/passenger.conf
cp config.ru /etc/puppet/rack/
[[email protected] rack]# ll
-rw-r--r-- 1 puppet puppet 1229 Apr 19 09:21 config.ru
drwxr-xr-x 2 root root 4096 Apr 19 09:20 public
drwxr-xr-x 2 root root 4096 Apr 19 09:22 tmp
[[email protected] rack]# cat/etc/httpd/conf.d/passenger.conf
# This Apache 2 virtual host config showshow to use Puppet as a Rack
# application via Passenger. See
#http://docs.puppetlabs.com/guides/passenger.html for more information.
LoadModule passenger_module/usr/lib/ruby/gems/1.8/gems/passenger-5.0.6/buildout/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-5.0.6
PassengerDefaultRuby /usr/bin/ruby # passenger-install-apache2-module提供的模块
# You can also use the included config.rufile to run Puppet with other Rack
# servers instead of Passenger.
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
#RackAutoDetectOff
#RailsAutoDetectOff
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProtocol ALL -SSLv2-SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on
SSLCertificateFile /var/lib/puppet/ssl/certs/server1.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/server1.example.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# If Apache complains about invalid signatures on the CRL, you can trydisabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets itto none
# which effectively disables CRL checking; if you are using Apache 2.4+you must
# specify ‘SSLCARevocationCheck chain‘ to actually use the CRL.
# SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expirationwarnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /etc/puppet/rack/public/
RackBaseURI /
<Directory /etc/puppet/rack/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
Stop puppetmaster(8140) ;start httpd;
检测:端口;在agent上测试:puppet agent --server=server1.example.com --test
Master日志:
[[email protected] rack]# cat /etc/httpd/logs/access_log
192.168.88.129 - - [19/Apr/2015:09:45:49+0800] "GET /production/node/server2.example.com?fail_on_404=true&transaction_uuid=9823f7a3-0603-48c4-8c27-613697be985cHTTP/1.1" 200 4437 "-" "-"
192.168.88.129 - - [19/Apr/2015:09:45:51+0800] "GET/production/file_metadatas/pluginfacts?checksum_type=md5&ignore=.svn&ignore=CVS&ignore=.git&recurse=true&links=manageHTTP/1.1" 200283 "-" "-"
192.168.88.129 - - [19/Apr/2015:09:45:51+0800] "GET/production/file_metadatas/plugins?checksum_type=md5&ignore=.svn&ignore=CVS&ignore=.git&recurse=true&links=manageHTTP/1.1" 200 283 "-" "-"
192.168.88.129 - - [19/Apr/2015:09:45:51+0800] "POST /production/catalog/server2.example.com HTTP/1.1" 20040146 "-" "-"
192.168.88.129 - - [19/Apr/2015:09:45:53+0800] "PUT/production/report/server2.example.com HTTP/1.1" 200 8 "-""
查看passenger状态:passenger-status
Nginx+passenger
yum install -y gcc gcc-c++ curl-devel zlib-devel openssl-develruby-devel
gem install rack passenger
passenger-install-nginx-module
脚本会自动安装nginx支持,按提示操作,基本就是一路回车。(中间选1自动下载安装,选2为安装本地nginx包)
http {
passenger_root/usr/lib/ruby/gems/1.8/gems/passenger-5.0.6;
passenger_ruby/usr/bin/ruby; #默认已配置好
server {
listen 8140;
server_name server1.example.com;
root /etc/puppet/rack/public;
passenger_enabled on;
#passenger5.0后换成这个命令,之前的是
#passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
#passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
passenger_set_headerX_CLIENT_DN $ssl_client_s_dn;
passenger_set_headerX_CLIENT_VERIFY $ssl_client_verify;
ssl on;
ssl_session_timeout 5m;
ssl_certificate /var/lib/puppet/ssl/certs/server1.example.com.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/server1.example.com.pem;
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
ssl_verify_client optional;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_prefer_server_ciphers on;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
}
启动nginx即可;