Scaling Puppet with Apache + Passenger

    Puppet communicates over SSL (HTTPS). By default the Puppet server side uses the Ruby-based WEBrick HTTP server. Because WEBrick is not very strong at handling agent load, Puppet needs to be scaled out by putting Apache (or another web server) in front to handle the agents' HTTPS requests.

    Passenger is an Apache module that embeds and runs Ruby programs; it lets you run Rails, i.e. Rack, applications inside the web server. It can automatically grow and shrink the number of worker processes in its pool, which improves performance and raises the number of concurrent connections between master and agents.

    How it works:

    Install Apache and Passenger, configure Apache to handle the SSL verification of puppet agent requests, and finally connect Apache to the puppet master. When handling a request, Apache first verifies that the agent's certificate was issued by the Puppet CA; only if that check passes is the request handed to the master. At the same time Apache presents the server certificate to the puppet agent so the agent can verify the server's authenticity. The SSL certificates are placed in the appropriate locations, the Passenger module is enabled, and a virtual host for the puppet master service is created in the Apache configuration.

    Configuration steps:

1. Install Apache and related components

yum install httpd httpd-devel mod_ssl ruby-devel rubygems libcurl-devel

2. Install Passenger with RubyGems

Switch the gem source to the Taobao mirror:

gem sources --remove http://rubygems.org/
gem sources -a http://ruby.taobao.org/
gem sources -l
*** CURRENT SOURCES ***

http://ruby.taobao.org/
gem install rack passenger        # install passenger
passenger-install-apache2-module  # integrate apache and passenger; resolve dependencies as the prompts direct
The installer tells you that the following Passenger module configuration must be added when configuring the Apache virtual host:
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55
    PassengerDefaultRuby /usr/bin/ruby
</IfModule>

Check the Passenger root directory:
root@10.1.1.33:~# passenger-config --root
/usr/lib/ruby/gems/1.8/gems/passenger-4.0.55

3. Configure Apache and Passenger

    A Rack application must be created on the puppet master: create a directory to hold the config.ru file, and create a virtual host configuration file. Rack gives the web server a set of common APIs for exchanging requests and responses with the Puppet service. Rack is suited to Ruby-based HTTP services and can be used to deploy a service across several servers.

Create the Rack directories, copy the config file, and give the puppet user ownership of it:

mkdir -p /etc/puppet/rack/puppetmaster/{public,tmp}
cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/puppetmaster/
chown puppet. /etc/puppet/rack/puppetmaster/config.ru
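The config.ru copied above builds the Puppet master as a Rack application; the master then trusts the X-Client-Verify and X-Client-DN headers that the Apache virtual host sets from mod_ssl's SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN variables. The following is an added example, not Puppet's own config.ru: a minimal Rack-compatible gate that shows what a master behind Apache must do with those headers. The class name ClientCertGate, the PUPPET_STUB stand-in and the "puppet.client_cn" env key are this example's own; the header names are the ones the vhost above sets.

```ruby
# Added example, not Puppet's own config.ru: a minimal Rack-compatible
# application that shows what a master behind Apache must do with the
# X-Client-Verify and X-Client-DN headers the vhost sets from
# SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN. No gem is required: a Rack app is any
# object that responds to #call(env) and returns [status, headers, body].
# The class name, PUPPET_STUB and the "puppet.client_cn" key are hypothetical.

class ClientCertGate
  # Rack's naming of the request headers Apache sets: HTTP_ prefix, dashes
  # become underscores. Apache uses "RequestHeader set", which overwrites any
  # value an agent sent itself, so these values are trustworthy only when
  # nothing but this Apache can reach the app (Passenger binds to 127.0.0.1).
  VERIFY_HEADER = 'HTTP_X_CLIENT_VERIFY'
  DN_HEADER     = 'HTTP_X_CLIENT_DN'

  def initialize(app)
    @app = app
  end

  def call(env)
    verify = env[VERIFY_HEADER].to_s
    dn     = env[DN_HEADER].to_s
    # mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the agent's
    # certificate chains to SSLCACertificateFile (the Puppet CA) within
    # SSLVerifyDepth and is not listed in SSLCARevocationFile.
    unless verify == 'SUCCESS'
      return deny("client certificate not verified: #{verify.empty? ? 'no header' : verify}")
    end
    cn = extract_cn(dn)
    return deny('client certificate has no CN') if cn.nil?
    env['puppet.client_cn'] = cn # the identity the downstream app may act on
    @app.call(env)
  end

  # Pull the CN out of a DN in either the mod_ssl legacy form
  # "/C=XX/O=Puppet/CN=agent.domain.com" or the RFC 2253 form
  # "CN=agent.domain.com,O=Puppet" that Apache 2.4 emits by default.
  def extract_cn(dn)
    m = dn.match(%r{(?:\A|/|,)\s*CN=([^/,]+)}i)
    m && m[1].strip
  end

  private

  def deny(reason)
    [403, { 'Content-Type' => 'text/plain' }, ["#{reason}\n"]]
  end
end

# Stand-in for the Puppet master app that config.ru would normally build:
# it just echoes the CN the gate established.
PUPPET_STUB = lambda do |env|
  [200, { 'Content-Type' => 'text/plain' }, ["catalog for #{env['puppet.client_cn']}\n"]]
end

GATED_APP = ClientCertGate.new(PUPPET_STUB)

# Build a constructed Rack env the way Passenger would after Apache has
# processed an agent request, and return the app's [status, headers, body].
def simulate_request(verify:, dn:, path: '/production/catalog/agent.domain.com')
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path }
  env[ClientCertGate::VERIFY_HEADER] = verify unless verify.nil?
  env[ClientCertGate::DN_HEADER]     = dn unless dn.nil?
  GATED_APP.call(env)
end

if __FILE__ == $PROGRAM_NAME
  [['SUCCESS', '/C=XX/O=Puppet/CN=agent.domain.com'],
   ['NONE', ''],
   ['FAILED:certificate revoked', '/CN=agent.domain.com'],
   [nil, nil]].each do |verify, dn|
    status, _headers, body = simulate_request(verify: verify, dn: dn)
    puts "#{verify.inspect.ljust(30)} -> #{status} #{body.join.chomp}"
  end
end
```

The gate only works because the vhost overwrites the headers with "RequestHeader set" and Passenger's application process listens on the loopback address (see the netstat output further down); if the Rack application were reachable on any other path, an agent could supply its own X-Client-Verify: SUCCESS.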
Configure the Apache virtual host file:
cp /usr/share/puppet/ext/rack/example-passenger-vhost.conf  /etc/httpd/conf.d/puppet.domain.com.conf
vim /etc/httpd/conf.d/puppet.domain.com.conf
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.


# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.


LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55
    PassengerDefaultRuby /usr/bin/ruby
    # you probably want to tune these settings
    PassengerHighPerformance on
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 1500
    # PassengerMaxRequests 1000
    PassengerStatThrottleRate 120
#    RackAutoDetect Off
#    RailsAutoDetect Off
</IfModule>


Listen 8140


<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol             ALL -SSLv2 -SSLv3
        SSLCipherSuite          EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        SSLHonorCipherOrder     on


        SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.domain.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
        # SSLCARevocationCheck chain
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData


        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For


        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e


        DocumentRoot /etc/puppet/rack/puppetmaster/public/
        RackBaseURI /
        <Directory /etc/puppet/rack/puppetmaster/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
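The comments inside the vhost above carry the settings that decide whether Apache actually authenticates agents: SSLVerifyClient, the CA and CRL files, and on Apache 2.4 the SSLCARevocationCheck directive, which defaults to none and silently disables CRL checking. The following is an added example, not part of Puppet or Apache: a small linter that reads such a vhost and reports those settings. SAMPLE_VHOST is a trimmed copy of the page's vhost constructed for the example, and lint_vhost and parse_directives are this example's own functions; the directive names are real mod_ssl and mod_headers directives.

```ruby
# Added example, not part of Puppet or Apache: a small linter for the
# puppet.domain.com.conf vhost. It checks the settings a reviewer looks at
# before trusting this Apache to front the Puppet CA, including the
# Apache 2.4 CRL caveat noted in the vhost comments. SAMPLE_VHOST is a
# trimmed copy of the page's vhost, constructed for the example;
# lint_vhost and parse_directives are hypothetical helpers, not Apache tooling.
require 'rubygems' # for Gem::Version comparison

SAMPLE_VHOST = <<~CONF
  <VirtualHost *:8140>
          SSLEngine on
          SSLProtocol             ALL -SSLv2 -SSLv3
          SSLHonorCipherOrder     on
          SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.domain.com.pem
          SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
          SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
          SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
          # SSLCARevocationCheck chain
          SSLVerifyClient optional
          SSLVerifyDepth  1
          RequestHeader unset X-Forwarded-For
          RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
          RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
  </VirtualHost>
CONF

# Split the config into [directive, value] pairs, ignoring blank lines,
# comments and the <VirtualHost>/<Directory> container tags. A commented-out
# directive therefore counts as absent, which is exactly the CRL trap.
def parse_directives(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', '<')
    name, value = line.split(/\s+/, 2)
    [name, value.to_s.strip]
  end
end

# Return a list of findings (empty means the vhost passes every check).
# apache_version is a string such as '2.2' or '2.4'.
def lint_vhost(text, apache_version:)
  directives = parse_directives(text)
  has = lambda do |name, value_re = //|
    directives.any? { |n, v| n.casecmp?(name) && v.match?(value_re) }
  end
  findings = []
  findings << 'SSLEngine is not on' unless has.('SSLEngine', /\Aon\z/i)
  findings << 'SSLProtocol still allows SSLv2/SSLv3' unless has.('SSLProtocol', /-SSLv2\b.*-SSLv3\b|\ATLSv1/i)
  findings << 'SSLVerifyClient missing: agent certificates are never checked' unless has.('SSLVerifyClient', /\A(optional|require)\z/i)
  findings << 'SSLCACertificateFile missing: no trust anchor for agent certificates' unless has.('SSLCACertificateFile')
  findings << 'SSLCARevocationFile missing: revoked agent certificates are still accepted' unless has.('SSLCARevocationFile')
  if Gem::Version.new(apache_version) >= Gem::Version.new('2.4') &&
     !has.('SSLCARevocationCheck', /\A(chain|leaf)\b/i)
    findings << 'Apache 2.4+: SSLCARevocationCheck defaults to none, so the CRL is ignored; add "SSLCARevocationCheck chain"'
  end
  findings << 'X-Forwarded-For is not unset: clients could spoof it' unless has.('RequestHeader', /\Aunset\s+X-Forwarded-For\z/i)
  findings << 'X-Client-Verify is not set from SSL_CLIENT_VERIFY' unless has.('RequestHeader', /\Aset\s+X-Client-Verify\s+%\{SSL_CLIENT_VERIFY\}e\z/i)
  findings
end

if __FILE__ == $PROGRAM_NAME
  ['2.2', '2.4'].each do |version|
    findings = lint_vhost(SAMPLE_VHOST, apache_version: version)
    puts "Apache #{version}: #{findings.empty? ? 'OK' : "\n  " + findings.join("\n  ")}"
  end
end
```

Run against the page's vhost, the linter is clean on Apache 2.2 and reports exactly one finding on 2.4: the commented-out SSLCARevocationCheck line. Pass the real file's contents in place of SAMPLE_VHOST (File.read on /etc/httpd/conf.d/puppet.domain.com.conf) to check a live configuration.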

Check the configuration:
root@10.1.1.33:~# service httpd configtest
Syntax OK
Start Apache:
root@10.1.1.33:~# /etc/init.d/httpd start
Check the listening ports and processes:
root@10.1.1.33:~# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:22000               0.0.0.0:*                   LISTEN      811/sshd            
tcp        0      0 127.0.0.1:55939             0.0.0.0:*                   LISTEN      15291/Passenger Rac 
tcp        0      0 :::8140                     :::*                        LISTEN      15234/httpd         
tcp        0      0 :::80                       :::*                        LISTEN      15234/httpd         
tcp        0      0 :::22000                    :::*                        LISTEN      811/sshd            
tcp        0      0 :::443                      :::*                        LISTEN      15234/httpd

4. Test from an agent:

root@10.1.1.34:~# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent.domain.com
Info: Applying configuration version '1418805297'
Notice: Finished catalog run in 0.36 seconds
5. Check the Passenger status
root@10.1.1.33:~# passenger-status
Version : 4.0.55
Date    : Wed Dec 17 17:24:28 +0800 2014
Instance: 15234
----------- General information -----------
Max pool size : 12
Processes     : 1
Requests in top-level queue : 0

----------- Application groups -----------
/etc/puppet/rack/puppetmaster#default:
  App root: /etc/puppet/rack/puppetmaster
  Requests in queue: 0
  * PID: 15291   Sessions: 0       Processed: 62      Uptime: 49m 35s
    CPU: 0%      Memory  : 85M     Last used: 1m 24s ago

root@10.1.1.33:~# passenger-memory-stats 
Version: 4.0.55
Date   : Wed Dec 17 17:24:32 +0800 2014

---------- Apache processes ----------
PID    PPID   VMSize    Private  Name
--------------------------------------
15234  1      203.0 MB  0.4 MB   /usr/sbin/httpd
15254  15234  203.3 MB  0.5 MB   /usr/sbin/httpd
15255  15234  203.3 MB  0.5 MB   /usr/sbin/httpd
15256  15234  203.3 MB  0.5 MB   /usr/sbin/httpd
15257  15234  203.3 MB  0.5 MB   /usr/sbin/httpd
15258  15234  203.3 MB  0.5 MB   /usr/sbin/httpd
15259  15234  203.3 MB  0.5 MB   /usr/sbin/httpd
15260  15234  203.3 MB  0.5 MB   /usr/sbin/httpd
15261  15234  203.3 MB  0.5 MB   /usr/sbin/httpd
### Processes: 9
### Total private dirty RSS: 4.27 MB


-------- Nginx processes --------

### Processes: 0
### Total private dirty RSS: 0.00 MB


----- Passenger processes -----
PID    VMSize    Private  Name
-------------------------------
15236  211.6 MB  0.3 MB   PassengerWatchdog
15239  564.9 MB  0.7 MB   PassengerHelperAgent
15244  210.5 MB  0.8 MB   PassengerLoggingAgent
15291  190.6 MB  85.4 MB  Passenger RackApp: /etc/puppet/rack/puppetmaster
### Processes: 4
### Total private dirty RSS: 87.20 MB