Puppet communicates over SSL (HTTPS), and by default the puppet master runs on the Ruby-based WEBrick HTTP server. WEBrick does not hold up well under load from many agents, so the puppet master should be extended with Nginx or another robust web server to handle the agents' HTTPS requests.
Issues that need to be addressed:
- Transport: improve performance and raise the number of concurrent connections between master and agents.
- SSL: use a sound SSL certificate management method so that communication between master and agents stays encrypted and authenticated.
Nginx + Passenger approach:
6.1 Install the development packages Nginx needs
# groupadd -g 3001 nginx
# useradd -u 3001 -g 3001 nginx
# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build
6.2 Install Passenger
It is best to switch the gem source first:
# gem sources -a http://ruby.taobao.org
# gem sources -u
# gem install rake rack passenger --no-rdoc --no-ri
6.3 Compile and install Nginx
Note: the main purpose is to compile the Passenger module in; its location is obtained from passenger-config.
# wget http://nginx.org/download/nginx-1.7.9.tar.gz
# wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz
# cd /usr/local/src/nginx-1.7.9/
# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.36 --add-module=`passenger-config --root`/ext/nginx
# make && make install
Combine with Passenger
Note: config.ru, and the owner and group of the rack directory, must be puppet.
# mkdir -p /etc/puppet/rack/public
# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/public
# chown -R puppet. /etc/puppet/rack/
7. Configure Nginx (configuring it as a virtual host is recommended)
Remark: the certificate name and path must match the puppet master's own certificate.
Scenario one: configure Passenger directly in the main Nginx configuration file
# cat nginx.conf
user nginx nginx;
worker_processes 1;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55;
    passenger_ruby /usr/bin/ruby;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 8140 ssl;
        server_name puppetmaster;
        passenger_enabled on;
        # hand the agent certificate's DN and the verification result to puppet as CGI variables
        passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
        # the proxy_* directives only apply to proxy_pass traffic, not to requests served by Passenger
        proxy_buffer_size 4000k;
        proxy_buffering on;
        proxy_buffers 1280k;
        proxy_busy_buffers_size 17680k;
        client_max_body_size 10m;
        client_body_buffer_size 4096k;
        access_log /var/log/nginx/puppet_access.log;
        error_log /var/log/nginx/puppet_error.log;
        root /etc/puppet/rack/public;
        # Remember: root must be the public directory. Otherwise Passenger does not know where to find the config file, and nginx logs: directory index of "/etc/puppet/rack/" is forbidden, client: 192.168.122.1, server: pm01.jq.com, request: "GET / HTTP/1.1", host: "pm01.jq.com:8140"
        ssl off;   # the ssl parameter on listen already enables TLS for this server, so this directive is redundant
        ssl_session_timeout 5m;
        ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster1.jq.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster1.jq.com.pem;
        ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        ssl_verify_client optional;
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;   # weak list (SSLv2, RC4); new deployments should use a modern cipher suite list
        ssl_prefer_server_ciphers on;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;
        # file sections
        location /production/file_content/files/ {
            types {}
            default_type application/x-raw;
            alias /etc/puppet/files/;
        }
    }
    include vhosts/*.conf;
}
Scenario two: Passenger configured in a virtual host, as follows:
# cat nginx.conf
user nginx nginx;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    passenger_root /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.57/;
    passenger_ruby /usr/local/bin/ruby;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 8088;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    include vhosts/*.conf;
}
Virtual host configuration
server {
    listen 8140 ssl;
    server_name pm01;
    passenger_enabled on;
    # hand the agent certificate's DN and the verification result to puppet as CGI variables
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    # the proxy_* directives only apply to proxy_pass traffic, not to requests served by Passenger
    proxy_buffer_size 4000k;
    proxy_buffering on;
    proxy_buffers 1280k;
    proxy_busy_buffers_size 17680k;
    client_max_body_size 10m;
    client_body_buffer_size 4096k;
    access_log /var/log/nginx/puppet_access.log;
    error_log /var/log/nginx/puppet_error.log;
    root /etc/puppet/rack/public;
    ssl off;   # the ssl parameter on listen already enables TLS for this server, so this directive is redundant
    ssl_session_timeout 5m;
    ssl_certificate /var/lib/puppet/ssl/certs/pm01.jq.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/pm01.jq.com.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_verify_client optional;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;   # weak list (SSLv2, RC4); new deployments should use a modern cipher suite list
    ssl_prefer_server_ciphers on;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    # file sections
    location /production/file_content/files/ {
        types {}
        default_type application/x-raw;
        alias /etc/puppet/files/;
    }
}
Configure puppet.conf
[master]
certname = puppetmaster
ca = false
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN
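The two things that most often go wrong in this setup are the coupling between the header names puppet.conf reads and the CGI variables nginx sets from the TLS session, and the weak cipher list. The following linter was written for this article (it is not part of the original post, nor of Puppet or Nginx); the configuration snippets inside it are constructed to mirror the page's configuration, and the function names are my own.

```python
import re

# Constructed snippets mirroring the page's vhost and puppet.conf (not the page's files verbatim).
NGINX_CONF = """
server {
    listen 8140 ssl;
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_verify_client optional;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
}
"""
PUPPET_CONF = """
[master]
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN
"""

# The nginx TLS variable each puppet.conf header setting must be fed from.
EXPECTED = {"ssl_client_verify_header": "$ssl_client_verify",
            "ssl_client_header": "$ssl_client_s_dn"}
WEAK = ("sslv2", "sslv3", "rc4", "export", "des", "md5", "null")

def nginx_cgi_params(text):
    """Map CGI variable name -> nginx variable from passenger_set_cgi_param lines."""
    return dict(re.findall(r"passenger_set_cgi_param\s+(\S+)\s+(\$[^;\s]+)\s*;", text))

def puppet_headers(text):
    """Map puppet.conf setting -> the CGI variable name puppet will read."""
    return dict(re.findall(r"^\s*(ssl_client_verify_header|ssl_client_header)\s*=\s*(\S+)",
                           text, re.M))

def weak_ciphers(cipher_list):
    """Tokens of an OpenSSL cipher string that enable (rather than exclude) a weak family."""
    return [tok for tok in cipher_list.split(":")
            if not tok.startswith(("-", "!")) and any(w in tok.lower() for w in WEAK)]

def check(nginx_text, puppet_text):
    """Return findings; an empty list means header coupling and client verification look right."""
    findings = []
    params = nginx_cgi_params(nginx_text)
    for setting, var in EXPECTED.items():
        name = puppet_headers(puppet_text).get(setting)
        if name is None:
            findings.append(f"puppet.conf lacks {setting}")
        elif params.get(name) != var:  # puppet would read a variable nginx never sets from TLS state
            findings.append(f"nginx does not set {name} from {var}")
    if not re.search(r"ssl_verify_client\s+(on|optional)\s*;", nginx_text):
        findings.append("ssl_verify_client is not enabled")
    if "ssl_client_certificate" not in nginx_text:
        findings.append("ssl_client_certificate (Puppet CA) is missing")
    m = re.search(r"ssl_ciphers\s+([^;]+);", nginx_text)
    if m and weak_ciphers(m.group(1)):
        findings.append("weak ciphers enabled: " + ":".join(weak_ciphers(m.group(1))))
    return findings
```

Run against the page's own vhost the only finding is the cipher list; rename one side of the header pair and the coupling error appears as well.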
8. Start Nginx
# mkdir /var/log/nginx/
# /etc/init.d/puppetmaster stop
# chkconfig puppetmaster off
# /etc/init.d/nginx start
# chkconfig nginx on
9. Testing
Run puppet agent -t on several nodes and watch the Nginx access log to confirm that the agents' requests are being served through Nginx + Passenger.
# puppet agent -t
# tailf /var/log/nginx/puppet_access.log
Extending the Puppet master with Nginx to boost performance (Puppet automation series, part 4)