Puppet master nginx 擴展提高性能（puppet自動化系列4）

puppet使用SSL(https)協議來進行通信，默認狀況下，puppet server端使用基於Ruby的WEBRick HTTP服務器。因爲WEBRick HTTP服務器在處理agent端的性能方面並非很強勁，所以須要擴展puppet，搭建nginx或者其餘強勁的web服務器來處理客戶的https請求。

須要解決的問題：

• 擴展傳輸方式：提升性能並增長Master和agent之間的併發鏈接數量。
• 擴展SSL：採用良好的SSL證書管理方法來加密Master和agent之間的通信。

Nginx+Passenger方式：

6.1 安裝編譯nginx所須要的開發包

[root@puppetmaster1 ~]# groupadd -g 3001 nginx

[root@puppetmaster1 ~]# useradd -u 3001 -g 3001 nginx

[root@puppetmaster1 ~]# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build

6.2 安裝passenger

最好是更換gem源，gem sources -a http://ruby.taobao.org

gem sources -u

gem install  rake rack passenger --no-rdoc --no-ri

 

6.3 編譯並安裝nginx

備註：主要是爲了將模塊passenger-config編譯進來。

wget http://nginx.org/download/nginx-1.7.9.tar.gz

wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz

 

[root@puppetmaster1 ~]# cd /usr/local/src/nginx-1.7.9/

[root@puppetmaster1 ~]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.36 --add-module=`passenger-config --root`/ext/nginx

[root@puppetmaster1 ~]# make && make install

 

與passenger結合

備註：注意config.ru的屬主和屬組應該爲puppet

[root@puppetmaster1 ~]# mkdir  -p /etc/puppet/rack/public

[root@puppetmaster1 ~]# cp /usr/share/puppet/ext/rack/config.ru  /etc/puppet/rack/public

[root@puppetmaster1 ~]#  chown -R puppet. /etc/puppet/rack/

七、配置nginx（建議此處配置成虛擬主機）

備註：注意和puppet結合的證書名稱及路徑

狀況一：直接passenger配置在nginx主配置文件

[root@puppetmaster1 conf]# cat nginx.conf

user  nginx nginx;

worker_processes  1;

pid        /var/run/nginx.pid;

events {

    worker_connections  1024;

}

http {

    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55;

    passenger_ruby /usr/bin/ruby;

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

 

    server {

        listen 8140                ssl;

    server_name                puppetmaster;

    passenger_enabled          on;

    passenger_set_cgi_param    HTTP_X_CLIENT_DN $ssl_client_s_dn;

    passenger_set_cgi_param    HTTP_X_CLIENT_VERIFY $ssl_client_verify;

    proxy_buffer_size 4000k;

    proxy_buffering on;

    proxy_buffers 32 1280k;

    proxy_busy_buffers_size 17680k;

    client_max_body_size 10m;

    client_body_buffer_size 4096k;

    access_log /var/log/nginx/puppet_access.log;

    error_log /var/log/nginx/puppet_error.log;

root /etc/puppet/rack/public;

#此處切記是public下，不是public的話passenger就不知道哪裏去找 config文件，致使 *4 directory index of "/etc/puppet/rack/" is forbidden, client: 192.168.122.1, server: pm01.jq.com, request: "GET / HTTP/1.1", host: "pm01.jq.com:8140"

    ssl off;

    ssl_session_timeout 5m;

    ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster1.jq.com.pem;

    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster1.jq.com.pem;

    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;

    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

    ssl_verify_client optional;

    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;

    ssl_prefer_server_ciphers on;

    ssl_verify_depth 1;

    ssl_session_cache shared:SSL:128m;

    # File sections

    location /production/file_content/files/ {

      types { }

      default_type application/x-raw;

      alias /etc/puppet/files/;

  }

 }

  include vhosts/*.conf;

}

狀況2、passenger配置成虛擬機主機，配置以下：

[root@pm01 conf]# cat nginx.conf

user  nginx nginx;

worker_processes  1;

#error_log  logs/error.log;

#error_log  logs/error.log  notice;

#error_log  logs/error.log  info;

pid        /var/run/nginx.pid;

events {

    worker_connections  1024;

}

http {

    passenger_root /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.57/;

    passenger_ruby /usr/local/bin/ruby;

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    server {

        listen       8088;

        server_name  localhost;

        location / {

            root   html;

            index  index.html index.htm;

        }

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   html;

        }

    }

    include vhosts/*.conf;

}

虛擬主機配置

[root@pm01 conf]# cat vhosts/passenger.conf 

    server {

        listen 8140                ssl;

    server_name                pm01;

    passenger_enabled          on;

    passenger_set_cgi_param    HTTP_X_CLIENT_DN $ssl_client_s_dn;

    passenger_set_cgi_param    HTTP_X_CLIENT_VERIFY $ssl_client_verify;

    proxy_buffer_size 4000k;

    proxy_buffering on;

    proxy_buffers 32 1280k;

    proxy_busy_buffers_size 17680k;

    client_max_body_size 10m;

    client_body_buffer_size 4096k;

    access_log /var/log/nginx/puppet_access.log;

    error_log /var/log/nginx/puppet_error.log;

    root /etc/puppet/rack/public;

    ssl off;

    ssl_session_timeout 5m;

    ssl_certificate /var/lib/puppet/ssl/certs/pm01.jq.com.pem;

    ssl_certificate_key /var/lib/puppet/ssl/private_keys/pm01.jq.com.pem;

    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;

    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

    ssl_verify_client optional;

    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;

    ssl_prefer_server_ciphers on;

    ssl_verify_depth 1;

    ssl_session_cache shared:SSL:128m;

    # File sections

    location /production/file_content/files/ {

      types { }

      default_type application/x-raw;

      alias /etc/puppet/files/;

  }

 }

配置puppet.conf

[root@puppetmaster1 ~]# vim /etc/puppet/puppet.conf 

[master]

    certname = puppetmaster

    ca       = false

    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

    ssl_client_header = HTTP_X_CLIENT_DN

八、啓動nginx

[root@puppetmaster1 gem]# mkdir /var/log/nginx/

[root@puppetmaster1 nginx-1.4.2]# /etc/init.d/puppetmaster stop

[root@puppetmaster1 nginx-1.4.2]# chkconfig puppetmaster off

[root@puppetmaster1 nginx-1.4.2]# /etc/init.d/nginx start

[root@puppetmaster1 nginx-1.4.2]# chkconfig nginx on

九、測試

在多個節點發起puppet agent -t命令動做，查看nginx日誌看nginx+passenger是否代理成功。

[root@ag1 ~]# puppet  agent -t

[root@puppetmaster1 ~]# tailf  /var/log/nginx/puppet_access.log