Puppet Master Nginx Expansion boost performance (Puppet Automation series 4)

Source: Internet
Author: User
Tags: sendfile, ssl certificate

Puppet communicates over SSL (HTTPS), and by default the puppet master runs on the Ruby-based WEBrick HTTP server. WEBrick does not cope well with many concurrent agent requests, so the master is usually extended with Nginx or another robust web server that terminates the agents' HTTPS connections.

Two issues need to be addressed:

    • Transport: improve performance and raise the number of concurrent connections between master and agents.
    • SSL: use a sound certificate management scheme so that master-agent communication is encrypted and both sides are authenticated.

The Nginx + Passenger approach:

6.1 Installing the development packages Nginx needs

# groupadd -g 3001 nginx
# useradd -u 3001 -g 3001 nginx
# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build

6.2 Installing Passenger

It is best to switch to a faster gem source first. Note that a mirror reached over plain HTTP is not authenticated, so only use one you trust, since the gems it serves end up running on the master.

# gem sources -a http://ruby.taobao.org
# gem sources -u
# gem install rake rack passenger --no-rdoc --no-ri

6.3 Compiling and installing Nginx

Note: the reason for building from source is to compile Passenger's Nginx module in; its path is obtained from passenger-config --root.

# wget http://nginx.org/download/nginx-1.7.9.tar.gz
# wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz
# tar xzf nginx-1.7.9.tar.gz -C /usr/local/src   # unpack step assumed: configure below expects both trees under /usr/local/src
# tar xzf pcre-8.36.tar.gz -C /usr/local/src
# cd /usr/local/src/nginx-1.7.9/
# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.36 --add-module=`passenger-config --root`/ext/nginx
# make && make install

Combining with Passenger

Note: config.ru and the rack directory must be owned by the puppet user and group. Passenger treats the parent of the Nginx root (public/) as the application root and looks for config.ru there, so config.ru goes in /etc/puppet/rack/, not in public/.

# mkdir -p /etc/puppet/rack/public
# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/
# chown -R puppet. /etc/puppet/rack/

7. Configuring Nginx (configuring the Puppet server block as a virtual host is recommended)

Note: the certificate names and paths must match the ones Puppet generated under /var/lib/puppet/ssl.

Scenario one: Passenger configured directly in the main Nginx configuration file

# cat nginx.conf
user nginx nginx;
worker_processes 1;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55;
    passenger_ruby /usr/bin/ruby;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 8140 ssl;
        server_name puppetmaster;
        passenger_enabled on;
        # Hand the TLS client identity to Puppet. The variable names are
        # case-sensitive and must match ssl_client_header and
        # ssl_client_verify_header in puppet.conf.
        passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
        # proxy_* directives only apply to proxy_pass locations, not to
        # Passenger-served requests. proxy_buffers takes "count size" and
        # proxy_busy_buffers_size must fit inside those buffers or nginx -t
        # fails; the buffer count/size pair here is an assumed, consistent value.
        proxy_buffer_size 4000k;
        proxy_buffering on;
        proxy_buffers 1280 16k;
        proxy_busy_buffers_size 17680k;
        client_max_body_size 10m;
        client_body_buffer_size 4096k;
        access_log /var/log/nginx/puppet_access.log;
        error_log /var/log/nginx/puppet_error.log;
        root /etc/puppet/rack/public;
        # root must be the public/ directory: Passenger takes its parent as the
        # application root and looks for config.ru there. Pointing root at
        # /etc/puppet/rack instead leaves Passenger without a config file, and
        # the error log shows: directory index of "/etc/puppet/rack/" is forbidden,
        # client: 192.168.122.1, server: pm01.jq.com, request: "GET / HTTP/1.1",
        # host: "pm01.jq.com:8140"
        ssl off;   # redundant: "listen 8140 ssl" already enables TLS on this socket
        ssl_session_timeout 5m;
        ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster1.jq.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster1.jq.com.pem;
        ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        # "optional" rather than "on": a new agent has no certificate yet and must
        # still reach the CA endpoints; Puppet decides per request using the
        # HTTP_X_CLIENT_VERIFY value.
        ssl_verify_client optional;
        # legacy cipher list that still admits RC4; a modern suite is preferable
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        ssl_prefer_server_ciphers on;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;

        # File sections
        location /production/file_content/files/ {
            types {}
            default_type application/x-raw;
            alias /etc/puppet/files/;
        }
    }

    include vhosts/*.conf;
}

Scenario two: Passenger configured in a virtual host, as follows:

# cat nginx.conf
user nginx nginx;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    passenger_root /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.57/;
    passenger_ruby /usr/local/bin/ruby;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # default plain-HTTP server; the Puppet server block lives under vhosts/
    server {
        listen 8088;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    include vhosts/*.conf;
}

Virtual host configuration (any file matching vhosts/*.conf; the directives carry the same meaning as in scenario one):

server {
    listen 8140 ssl;
    server_name pm01;
    passenger_enabled on;
    # names must match ssl_client_header / ssl_client_verify_header in puppet.conf
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    # proxy_* settings do not affect Passenger-served requests; count/size assumed
    # so that proxy_busy_buffers_size fits inside the buffers and nginx -t passes
    proxy_buffer_size 4000k;
    proxy_buffering on;
    proxy_buffers 1280 16k;
    proxy_busy_buffers_size 17680k;
    client_max_body_size 10m;
    client_body_buffer_size 4096k;
    access_log /var/log/nginx/puppet_access.log;
    error_log /var/log/nginx/puppet_error.log;
    root /etc/puppet/rack/public;
    ssl off;   # redundant: "listen 8140 ssl" already enables TLS
    ssl_session_timeout 5m;
    ssl_certificate /var/lib/puppet/ssl/certs/pm01.jq.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/pm01.jq.com.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_verify_client optional;
    # legacy cipher list that still admits RC4; a modern suite is preferable
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_prefer_server_ciphers on;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;

    # File sections
    location /production/file_content/files/ {
        types {}
        default_type application/x-raw;
        alias /etc/puppet/files/;
    }
}

Configure puppet.conf so that the master reads the client identity from the variables Nginx sets instead of from its own TLS layer:

[master]
certname = puppetmaster
# ca = false turns off the built-in CA on this master; leave it out if this
# master is also the CA that signs agent certificates
ca = false
# must match the passenger_set_cgi_param names in the Nginx configuration
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN
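To make the header hand-off concrete, here is an added Python sketch (not Puppet's, Passenger's or this article's code) of how the two CGI variables reach the Rack application and how the master derives a trusted node name from them. The variable names and DN formats are those produced by the configuration above; the function nginx_to_env is a stand-in for Passenger and assumes, as the setup relies on, that the values set by passenger_set_cgi_param replace any same-named header the agent sent.

```python
import re

# CGI variable names set by passenger_set_cgi_param and referenced by
# ssl_client_header / ssl_client_verify_header in puppet.conf
DN_VAR = "HTTP_X_CLIENT_DN"
VERIFY_VAR = "HTTP_X_CLIENT_VERIFY"


def cn_from_dn(dn):
    """Extract the CN from $ssl_client_s_dn in either format Nginx has used:
    the OpenSSL one-line form (/C=CN/O=jq/CN=agent01) emitted before 1.11.6
    and the RFC 2253 form (CN=agent01,O=jq,C=CN) emitted since."""
    if dn.startswith("/"):
        match = re.search(r"/CN=([^/]+)", dn)
    else:
        match = re.search(r"(?:^|,)CN=([^,]+)", dn)
    return match.group(1) if match else None


def authenticated_node(env):
    """Return the node name the master may trust, or None when the request is
    unauthenticated. With ssl_verify_client optional, a new agent with no
    certificate arrives with NONE and a revoked one with FAILED:...; only
    SUCCESS means the CA in ssl_client_certificate vouched for the DN."""
    if env.get(VERIFY_VAR) != "SUCCESS":
        return None
    return cn_from_dn(env.get(DN_VAR, ""))


def nginx_to_env(request_headers, ssl_client_verify, ssl_client_s_dn):
    """Stand-in for Passenger (assumed behaviour, not Passenger's code):
    request headers become HTTP_* variables, then the two identity variables
    are overwritten from the TLS layer, so an X-Client-DN header sent by the
    agent never survives into the application environment."""
    env = {"HTTP_" + name.upper().replace("-", "_"): value
           for name, value in request_headers.items()}
    env[VERIFY_VAR] = ssl_client_verify
    env[DN_VAR] = ssl_client_s_dn
    return env


if __name__ == "__main__":
    # constructed sample: a verified agent and a certificate-less request that
    # tries to claim the master's identity through plain HTTP headers
    ok = nginx_to_env({}, "SUCCESS", "/C=CN/O=jq/CN=agent01.jq.com")
    spoof = nginx_to_env({"X-Client-DN": "CN=puppetmaster",
                          "X-Client-Verify": "SUCCESS"}, "NONE", "")
    print(authenticated_node(ok), authenticated_node(spoof))
```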

8. Start Nginx

# mkdir /var/log/nginx/
# /etc/init.d/puppetmaster stop
# chkconfig puppetmaster off
# /etc/init.d/nginx start
# chkconfig nginx on

9. Testing

Run puppet agent -t on several nodes and follow the Nginx access log on the master to confirm that the agents' requests are now being served through Nginx + Passenger.

On each agent node:
# puppet agent -t

On the master:
# tailf /var/log/nginx/puppet_access.log
