Puppet Master Nginx Expansion boost performance (Puppet Automation series 4)

Last Update:2015-01-20 Source: Internet

Author: User

Tags sendfile ssl certificate

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Puppet uses the SSL (HTTPS) protocol for communication, and by default, the puppet server uses a ruby-based Webrick http server. Because the Webrick HTTP server is not very robust in handling the performance of the agent side, it is necessary to extend the puppet to build Nginx or other strong Web servers to handle the client's HTTPS requests.

Issues that need to be addressed:

Extended transport: Improves performance and increases the number of concurrent connections between master and agent.
Extended SSL: Use a good SSL certificate management method to encrypt communication between master and agent.

Nginx+passenger Way:

6.1 Installing the required development package for Nginx

[Email protected] ~]# groupadd-g 3001 nginx

[Email protected] ~]# useradd-u 3001-g 3001 nginx

[email protected] ~]# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build

6.2 Installing Passenger

It is best to change the gem source, Gem Sources-a http://ruby.taobao.org

Gem Sources-u

Gem Install rake rack Passenger--no-rdoc--no-ri

6.3 Compiling and installing Nginx

Note: The main purpose is to compile the module passenger-config in.

wget http://nginx.org/download/nginx-1.7.9.tar.gz

wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz

[Email protected] ~]# cd/usr/local/src/nginx-1.7.9/

[Email protected] ~]#/configure--user=nginx--group=nginx--prefix=/usr/local/nginx--with-http_stub_status_ Module--with-http_ssl_module--with-pcre=/usr/local/src/pcre-8.36--add-module= ' passenger-config--root '/ext/ Nginx

[[email protected] ~]# make && make install

Combined with passenger

Note: Be aware that the config.ru and the genus Group should be puppet

[Email protected] ~]# mkdir-p/etc/puppet/rack/public

[Email protected] ~]# Cp/usr/share/puppet/ext/rack/config.ru/etc/puppet/rack/public

[Email protected] ~]# chown-r puppet. /etc/puppet/rack/

7, configuration Nginx (recommended here to configure as a virtual host)

Remark: note The certificate name and path combined with puppet

Situation one: Direct passenger configuration in Nginx Master profile

[email protected] conf]# cat nginx.conf

User Nginx Nginx;

Worker_processes 1;

Pid/var/run/nginx.pid;

Events {

Worker_connections 1024;

}

HTTP {

passenger_root/usr/lib/ruby/gems/1.8/gems/passenger-4.0.55;

Passenger_ruby/usr/bin/ruby;

Include Mime.types;

Default_type Application/octet-stream;

Sendfile on;

Keepalive_timeout 65;

server {

Listen 8140 SSL;

server_name puppetmaster;

Passenger_enabled on;

Passenger_set_cgi_param http_x_client_dn $ssl _client_s_dn;

Passenger_set_cgi_param http_x_client_verify $ssl _client_verify;

Proxy_buffer_size 4000k;

Proxy_buffering on;

Proxy_buffers 1280k;

Proxy_busy_buffers_size 17680k;

Client_max_body_size 10m;

Client_body_buffer_size 4096k;

Access_log/var/log/nginx/puppet_access.log;

Error_log/var/log/nginx/puppet_error.log;

Root/etc/puppet/rack/public;

#此处切记是public下, not public passenger don't know where to find the config file, resulting in the directory index of "/etc/puppet/rack/" is forbidden, client: 192.168.122.1, server:pm01.jq.com, Request: "get/http/1.1", Host: "Pm01.jq.com:8140"

SSL off;

Ssl_session_timeout 5m;

SSL_CERTIFICATE/VAR/LIB/PUPPET/SSL/CERTS/PUPPETMASTER1.JQ.COM.PEM;

SSL_CERTIFICATE_KEY/VAR/LIB/PUPPET/SSL/PRIVATE_KEYS/PUPPETMASTER1.JQ.COM.PEM;

SSL_CLIENT_CERTIFICATE/VAR/LIB/PUPPET/SSL/CERTS/CA.PEM;

SSL_CRL/VAR/LIB/PUPPET/SSL/CA/CA_CRL.PEM;

Ssl_verify_client Optional;

Ssl_ciphers Sslv2:-low:-export:rc4+rsa;

Ssl_prefer_server_ciphers on;

Ssl_verify_depth 1;

Ssl_session_cache shared:ssl:128m;

# File Sections

location/production/file_content/files/{

Types {}

Default_type Application/x-raw;

alias/etc/puppet/files/;

}

Include vhosts/*.conf;

}

Scenario two, passenger configured as a virtual machine host, configured as follows:

[email protected] conf]# cat nginx.conf

User Nginx Nginx;

Worker_processes 1;

#error_log Logs/error.log;

#error_log Logs/error.log Notice;

#error_log Logs/error.log Info;

Pid/var/run/nginx.pid;

Events {

Worker_connections 1024;

HTTP {

passenger_root/usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.57/;

Passenger_ruby/usr/local/bin/ruby;

Include Mime.types;

Default_type Application/octet-stream;

Sendfile on;

Keepalive_timeout 65;

server {

Listen 8088;

server_name localhost;

Location/{

root HTML;

Index index.html index.htm;

Error_page 502 503 504/50x.html;

Location =/50x.html {

root HTML;

Include vhosts/*.conf;

Virtual Host Configuration

server {

Listen 8140 SSL;

server_name pm01;

Passenger_enabled on;

Passenger_set_cgi_param http_x_client_dn $ssl _client_s_dn;

Passenger_set_cgi_param http_x_client_verify $ssl _client_verify;

Proxy_buffer_size 4000k;

Proxy_buffering on;

Proxy_buffers 1280k;

Proxy_busy_buffers_size 17680k;

Client_max_body_size 10m;

Client_body_buffer_size 4096k;

Access_log/var/log/nginx/puppet_access.log;

Error_log/var/log/nginx/puppet_error.log;

Root/etc/puppet/rack/public;

SSL off;

Ssl_session_timeout 5m;

SSL_CERTIFICATE/VAR/LIB/PUPPET/SSL/CERTS/PM01.JQ.COM.PEM;

SSL_CERTIFICATE_KEY/VAR/LIB/PUPPET/SSL/PRIVATE_KEYS/PM01.JQ.COM.PEM;

SSL_CLIENT_CERTIFICATE/VAR/LIB/PUPPET/SSL/CERTS/CA.PEM;

SSL_CRL/VAR/LIB/PUPPET/SSL/CA/CA_CRL.PEM;

Ssl_verify_client Optional;

Ssl_ciphers Sslv2:-low:-export:rc4+rsa;

Ssl_prefer_server_ciphers on;

Ssl_verify_depth 1;

Ssl_session_cache shared:ssl:128m;

# File Sections

location/production/file_content/files/{

Types {}

Default_type Application/x-raw;

alias/etc/puppet/files/;

Configure puppet.conf

[Master]

CertName = puppetmaster

CA = False

Ssl_client_verify_header = http_x_client_verify

Ssl_client_header = http_x_client_dn

8. Start Nginx

[Email protected] gem]# mkdir/var/log/nginx/

[[email protected] nginx-1.4.2]#/etc/init.d/puppetmaster stop

[Email protected] nginx-1.4.2]# chkconfig puppetmaster off

[[email protected] nginx-1.4.2]#/etc/init.d/nginx start

[[email protected] nginx-1.4.2]# chkconfig nginx on

9. Testing

The Puppet agent-t command action is initiated on multiple nodes, and the Nginx log is viewed to see if the Nginx+passenger agent succeeds.

[Email protected] ~]# puppet agent-t

[Email protected] ~]# Tailf/var/log/nginx/puppet_access.log

Puppet Master Nginx Expansion boost performance (Puppet Automation series 4)

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More