Puppet with Apache + Passenger

李兴庆
2023-12-01
Many people like to start the puppetmaster service with Ruby's built-in WEBrick web server, because it is simple and convenient. For example:
service puppetmaster start
First, understand that the web servers built into these languages exist only to make debugging code convenient; they are not meant for production use at all.
How bad is the performance of a Puppetmaster running on WEBrick?
Just 9 concurrent requests are enough to bring it down.
I tried this on a server with an E5 2620: as soon as 9 puppet agents send requests to a puppet master running on WEBrick at the same time, it can no longer keep up, and you will find that some agent always gets a 40x error.
Raising the performance of a single Puppetmaster is simple: using a common web server such as Apache or Nginx significantly improves the performance of the Puppet master. There are many documents on this, so the configuration steps are not covered in detail here.


Below, Apache httpd is used instead as the listening server for the puppetmaster.
Prerequisites:
Puppet Master listens on TCP port 8140 by default; this is actually just a simple web server that WEBrick starts on 8140.
What we are going to do is replace the default WEBrick with Apache + Passenger.
First, confirm that your Puppet Master has started successfully at least once.
This mainly ensures that the Puppet Master has already generated and signed its certificates and related files, which the SSL authentication later depends on.


# Download apache and necessary dependencies
yum install -y httpd httpd-devel mod_ssl ruby-devel rubygems gcc-c++ curl-devel zlib-devel make automake
yum install mod_passenger rubygem-rake.noarch 


1. Install the required software
[root@test conf.d]# yum install mod_passenger rubygem-rake.noarch 
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
(output omitted)
Installed:
  mod_passenger.x86_64 0:4.0.18-9.6.el6                              rubygem-rake.noarch 0:0.8.7-2.1.el6                             


Dependency Installed:
  rubygem-passenger.x86_64 0:4.0.18-9.6.el6                            rubygem-passenger-native.x86_64 0:4.0.18-9.6.el6               
  rubygem-passenger-native-libs.x86_64 0:4.0.18-9.6.el6               


Complete!
[root@test conf.d]#




2. Edit the configuration files
[root@test conf.d]# ll /etc/httpd/conf.d/
total 32
-rw-r--r--. 1 root root  807 Nov 13 18:27 passenger.conf
-rw-r--r--. 1 root root  674 Sep 30 13:59 php.conf
-rw-r--r--. 1 root root  392 Apr  4  2014 README
-rw-r--r--. 1 root root 9473 Mar 20  2014 ssl.conf
-rw-r--r--. 1 root root  299 Mar 20  2014 welcome.conf
-rw-r--r--. 1 root root 1116 Aug 28 14:56 zabbix.conf
[root@test conf.d]# 


A new passenger.conf has appeared.
Add a puppetmaster_01.conf that listens on 8140.
Contents:
[root@test conf.d]# cat puppetmaster_01.conf 
# Many of the directories below have to be created by hand
Listen 8140
<VirtualHost *:8140>
    SSLEngine On
 
    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol             All -SSLv2
    SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCertificateFile      /var/lib/puppet/ssl/certs/test.145.pem 
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/test.145.pem 
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData
 
    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
 
    # Enabling this on puppet 2.7.x causes an error
    #RackAutoDetect On
    DocumentRoot /etc/puppet/rack/puppetmaster/public/ 
    <Directory /etc/puppet/rack/puppetmaster/ >
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from All
    </Directory>
</VirtualHost>
[root@test conf.d]# 
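The puppet master trusts the X-Client-DN and X-Client-Verify headers that this vhost sets, so the directives around them are worth checking before going live. The following Python audit is an added example, not part of the original post: it reads a vhost like the one above (a trimmed copy is embedded as constructed sample input) and reports the settings a reviewer would flag: SSLv3 left enabled by "All -SSLv2", RC4 in the cipher list, a wrong SSLVerifyClient mode, missing +StdEnvVars, a missing CRL, and missing header directives.

```python
import re

# Constructed sample: the security-relevant directives from this post's puppetmaster_01.conf.
SAMPLE_VHOST = """\
<VirtualHost *:8140>
    SSLEngine On
    SSLProtocol             All -SSLv2
    SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    SSLOptions              +StdEnvVars +ExportCertData
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
"""
# Headers the puppet master reads to learn who the agent is and whether mod_ssl verified its cert.
REQUIRED_HEADERS = {"X-Client-DN": "%{SSL_CLIENT_S_DN}e", "X-Client-Verify": "%{SSL_CLIENT_VERIFY}e"}

def parse_directives(text):
    """Map directive name -> list of argument strings; comments, blanks and section tags are skipped."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            name, _, args = line.partition(" ")
            found.setdefault(name, []).append(args.strip())
    return found

def audit_vhost(text):
    """Return a list of findings for a Puppet master vhost; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    first = lambda name: d.get(name, [""])[0]
    proto = first("SSLProtocol").lower().split()
    if ("all" in proto or "sslv3" in proto) and "-sslv3" not in proto:
        findings.append("SSLProtocol still enables SSLv3; add -SSLv3")
    if "RC4" in first("SSLCipherSuite").upper() and "!RC4" not in first("SSLCipherSuite").upper():
        findings.append("SSLCipherSuite permits RC4; drop RC4+RSA or add !RC4")
    if first("SSLVerifyClient").lower() != "optional":
        findings.append("SSLVerifyClient must be optional: 'require' stops a new agent from submitting its CSR, 'none' leaves X-Client-Verify empty")
    if "+stdenvvars" not in " ".join(d.get("SSLOptions", [])).lower():
        findings.append("SSLOptions lacks +StdEnvVars, so the SSL_CLIENT_* variables used in the headers are not exported")
    if "SSLCARevocationFile" not in d:
        findings.append("No SSLCARevocationFile: certificates revoked with puppetca --clean would still be accepted")
    # 'RequestHeader set' overwrites any copy of the header the agent itself sent, so the master can trust it.
    set_headers = dict(m.groups() for m in (re.match(r"set\s+(\S+)\s+(\S+)", a) for a in d.get("RequestHeader", [])) if m)
    for header, source in REQUIRED_HEADERS.items():
        if set_headers.get(header) != source:
            findings.append("RequestHeader set %s %s is missing; the master cannot authenticate agents without it" % (header, source))
    return findings
```

Run against the sample it reports two findings (SSLv3 and RC4); the rest of the vhost as written in the post passes.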




3. Stop puppetmaster (freeing port 8140), then start the httpd listener
[root@test conf.d]# /etc/init.d/puppetmaster stop
Stopping puppetmaster:                                     [  OK  ]
[root@test conf.d]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@test conf.d]# netstat -ltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 test.145:6379               *:*                         LISTEN      5992/redis-server   
tcp        0      0 *:35824                     *:*                         LISTEN      26345/beam          
tcp        0      0 *:epmd                      *:*                         LISTEN      2294/epmd           
tcp        0      0 *:ssh                       *:*                         LISTEN      1066/sshd           
tcp        0      0 localhost:ipp               *:*                         LISTEN      1032/cupsd          
tcp        0      0 test.145:ddi-tcp-1          *:*                         LISTEN      22921/./bin/mongod  
tcp        0      0 *:zabbix-trapper            *:*                         LISTEN      5612/zabbix_server  
tcp        0      0 *:mysql                     *:*                         LISTEN      5860/mysqld         
tcp        0      0 *:8140                      *:*                         LISTEN      31224/httpd         
tcp        0      0 *:http                      *:*                         LISTEN      31224/httpd         
tcp        0      0 *:ssh                       *:*                         LISTEN      1066/sshd           
tcp        0      0 ::1:ipp                     *:*                         LISTEN      1032/cupsd          
tcp        0      0 *:https                     *:*                         LISTEN      31224/httpd         
tcp        0      0 *:zabbix-trapper            *:*                         LISTEN      5612/zabbix_server  
tcp        0      0 *:amqp                      *:*                         LISTEN      26345/beam          
[root@test conf.d]# netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 10.210.71.145:6379          0.0.0.0:*                   LISTEN      5992/redis-server   
tcp        0      0 0.0.0.0:35824               0.0.0.0:*                   LISTEN      26345/beam          
tcp        0      0 0.0.0.0:4369                0.0.0.0:*                   LISTEN      2294/epmd           
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1066/sshd           
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1032/cupsd          
tcp        0      0 10.210.71.145:8888          0.0.0.0:*                   LISTEN      22921/./bin/mongod  
tcp        0      0 0.0.0.0:10051               0.0.0.0:*                   LISTEN      5612/zabbix_server  
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      5860/mysqld         
tcp        0      0 :::8140                     :::*                        LISTEN      31224/httpd         
tcp        0      0 :::80                       :::*                        LISTEN      31224/httpd         
tcp        0      0 :::22                       :::*                        LISTEN      1066/sshd           
tcp        0      0 ::1:631                     :::*                        LISTEN      1032/cupsd          
tcp        0      0 :::443                      :::*                        LISTEN      31224/httpd         
tcp        0      0 :::10051                    :::*                        LISTEN      5612/zabbix_server  
tcp        0      0 :::5672                     :::*                        LISTEN      26345/beam          
[root@test conf.d]#


That completes the setup. Now test it.
Since the SSL handshake was already verified earlier, first test whether pushing a file works.
test1.
A site.pp file on the puppetmaster:
[root@test conf.d]# cat /etc/puppet/manifests/site.pp 
node default {
    file {
        "/tmp/hello_puppet":
        content=>"hello_puppet nice to meet you,come from apache\n";
    }   
}
[root@test conf.d]# hostname 
test.145
[root@test conf.d]# 


On the agent side, 144:
[root@test ~]# puppetd --test
notice: Ignoring --listen on onetime run
info: Caching catalog for test.144
info: Applying configuration version '1417611731'
notice: /Stage[main]//Node[default]/File[/tmp/hello_puppet]/content: 
--- /tmp/hello_puppet	2014-12-03 15:24:45.048201779 +0800
+++ /tmp/puppet-file20141203-13556-49sc5r-0	2014-12-03 21:02:12.653200583 +0800
@@ -1 +1 @@
-hello_puppet nice to meet you
\ No newline at end of file
+hello_puppet nice to meet you,come from apache


info: FileBucket adding {md5}6152d048657a8a30d6894b3a6f164657
info: /Stage[main]//Node[default]/File[/tmp/hello_puppet]: Filebucketed /tmp/hello_puppet to puppet with sum 6152d048657a8a30d6894b3a6f164657
notice: /Stage[main]//Node[default]/File[/tmp/hello_puppet]/content: content changed '{md5}6152d048657a8a30d6894b3a6f164657' to '{md5}918e67eed208f028b587e70fb21949ed'
notice: Finished catalog run in 0.17 seconds
[root@test ~]# cat /tmp/hello_puppet 
hello_puppet nice to meet you,come from apache
[root@test ~]# hostname 
test.144
[root@test ~]#




File push test complete.


Certificate verification test:
Operations on the server side, test.145
[root@test conf.d]# cd /var/lib/puppet/ssl/ca/signed/
[root@test signed]# ll
total 8
-rw-r-----. 1 puppet puppet 1891 Dec  3 15:10 test.143.pem
-rw-r-----. 1 puppet puppet 1891 Dec  3 20:35 test.144.pem
[root@test signed]# rm -rf test.144.pem 
[root@test signed]# pwd
/var/lib/puppet/ssl/ca/signed
[root@test signed]# ll
total 4
-rw-r-----. 1 puppet puppet 1891 Dec  3 15:10 test.143.pem
[root@test signed]#



Operations on the client side, test.144
[root@test puppet]# pwd
/etc/puppet
[root@test puppet]# cd /var/lib/puppet/
[root@test puppet]# ll
total 32
-rw-r----- 1 root   root   17 Dec  3 21:02 classes.txt
drwxr-x--- 3 root   root 4096 Dec  3 21:02 clientbucket
drwxr-x--- 2 root   root 4096 Dec  3 20:35 client_data
drwxr-x--- 3 root   root 4096 Dec  3 20:35 client_yaml
drwxr-xr-x 2 root   root 4096 Dec  3 20:35 facts
drwxr-xr-x 2 root   root 4096 Dec  3 20:35 lib
drwxrwx--x 7 puppet root 4096 Dec  3 20:35 ssl
drwxr-xr-t 3 root   root 4096 Dec  3 21:02 state
[root@test puppet]# /etc/init.d/puppet stop
Stopping puppet:                                           [  OK  ]
[root@test puppet]# rm -rf *
[root@test puppet]# pwd
/var/lib/puppet
[root@test puppet]# hostname 
test.144
[root@test puppet]#


The two operations above tore down the trust relationship.
Now start puppet on test.144; at startup it will initiate SSL verification with the master.
[root@test puppet]# hostname 
test.144
[root@test puppet]# /etc/init.d/puppet start
Starting puppet:                                           [  OK  ]
[root@test puppet]# ll
total 28
drwxr-x--- 2 root   root 4096 Dec  4 10:48 clientbucket
drwxr-x--- 2 root   root 4096 Dec  4 10:48 client_data
drwxr-x--- 2 root   root 4096 Dec  4 10:48 client_yaml
drwxr-xr-x 2 root   root 4096 Dec  4 10:48 facts
drwxr-xr-x 2 root   root 4096 Dec  4 10:48 lib
drwxrwx--x 7 puppet root 4096 Dec  4 10:48 ssl
drwxr-xr-t 3 root   root 4096 Dec  4 10:48 state


Check on the master side, test.155:
[root@test signed]# puppetca --list --all
  "test.144" (7C:14:91:F7:D7:5A:5B:6B:F2:2B:CE:16:C3:C6:02:E0)
+ "test.143" (D9:D5:89:D3:32:2C:CB:9D:50:F5:24:60:97:F5:C7:D7)
[root@test signed]# puppetca -s -a
notice: Signed certificate request for test.144
notice: Removing file Puppet::SSL::CertificateRequest test.144 at '/var/lib/puppet/ssl/ca/requests/test.144.pem'
[root@test signed]# puppetca --list --all
+ "test.143" (D9:D5:89:D3:32:2C:CB:9D:50:F5:24:60:97:F5:C7:D7)
+ "test.144" (D7:D4:F0:DD:C9:3E:A2:C6:3A:57:65:A7:3F:14:E6:3B)
[root@test signed]# 
OK, the SSL handshake is now complete as well.


The migration from puppetmaster's built-in server to Apache has succeeded, and the concurrency is now handled.
The next goals could be:
1. Configure multiple vhosts in Apache, so that one machine can host multiple instances (very simple)

2. Put nginx in front as a load balancer with multiple Apaches behind it (a follow-up article will cover this)


-----------------------update--------------------------------

  568  yum install httpd httpd-devel mod_ssl ruby-devel rubygems gcc
  569  yum install mod_passenger rubygem-rake.noarch
  570  history
  571  sudo curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
  572  yum install mod_passenger rubygem-rake.noarch
  573  cd /etc/httpd/
  574  ll
  575  cd conf.d/
  576  ll
  577  cp passenger.conf passenger_01.conf
  578  cat passenger_01.conf
  579  ll
  580  >passenger_01.conf
  581  vim passenger_01.conf
  582  ll /etc/puppet/rack/puppetmaster/public/
  583  sudo mkdir -p /usr/share/puppet/rack/puppetmasterd
  584  sudo mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
  585  sudo cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
  586  sudo chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
  587  vim passenger_01.conf
  588  /etc/init.d/puppetmaster stop
  589  /etc/init.d/httpd restart
  590  vim /etc/httpd/conf.d/passenger_01.conf +1
  591  /etc/init.d/httpd restart
  592  vim /etc/httpd/conf.d/passenger_01.conf +1
  593  /etc/init.d/httpd restart
  594  /etc/init.d/nginx stop
  595  /etc/init.d/httpd restart
  596  netstat -lntp
  597  netstat -ltp
  598  history
  599  puppet kick -d --host hadoop00
  600  cd /etc/puppet/modules/apache/manifests/
  601  ll
  602  vim service.pp
  603  puppet kick -d --host hadoop00

update 2:

[root@hadoop01 manifests]# cat /etc/httpd/conf.d/passenger_01.conf
Listen 8140
<VirtualHost *:8140>
    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol             All -SSLv2
    SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCertificateFile      /var/lib/puppet/ssl/certs/hadoop01.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/hadoop01.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData

    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Enabling this on puppet 2.7.x causes an error
    #RackAutoDetect On
    #DocumentRoot /etc/puppet/rack/puppetmaster/public/
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/ >
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from All
    </Directory>
</VirtualHost>
[root@hadoop01 manifests]#



References:

http://www.cnblogs.com/yuxc/p/3916726.html

http://www.6tech.org/2013/01/how-to-install-puppet-open-source-on-centos-6-3/
