puppet使用SSL(https)協(xié)議來進(jìn)行通訊，默認(rèn)情況下，puppet server端使用基于Ruby的WEBRick HTTP服務(wù)器。由于WEBRick HTTP服務(wù)器在處理agent端的性能方面并不是很強(qiáng)勁，因此需要擴(kuò)展puppet，搭建Apache或者其他web服務(wù)器來處理客戶的https請求。

10余年的豐城網(wǎng)站建設(shè)經(jīng)驗(yàn)，針對(duì)設(shè)計(jì)、前端、開發(fā)、售后、文案、推廣等六對(duì)一服務(wù)，響應(yīng)快，48小時(shí)及時(shí)工作處理。營銷型網(wǎng)站的優(yōu)勢是能夠根據(jù)用戶設(shè)備顯示端的尺寸不同，自動(dòng)調(diào)整豐城建站的顯示方式，使網(wǎng)站能夠適用不同顯示終端，在瀏覽器中調(diào)整網(wǎng)站的寬度，無論在任何一種瀏覽器上瀏覽網(wǎng)站，都能展現(xiàn)優(yōu)雅布局與設(shè)計(jì)，從而大程度地提升瀏覽體驗(yàn)。成都創(chuàng)新互聯(lián)從事“豐城網(wǎng)站設(shè)計(jì)”,“豐城網(wǎng)站推廣”以來，每個(gè)客戶項(xiàng)目都認(rèn)真落實(shí)執(zhí)行。

Passenger是一個(gè)將Ruby程序嵌入執(zhí)行的apache的一個(gè)模塊,它可以讓你運(yùn)行Rails,即Rack應(yīng)用內(nèi)的一個(gè)Web服務(wù)器.能夠自動(dòng)增減集群進(jìn)程的數(shù)量.能提高性能并增加Master和agent之間的并發(fā)連接數(shù)量。

工作原理如下:

安裝好apache和passenger,然后配置apache處理puppet agent的SSL驗(yàn)證請求,最后將apache連接到puppet master.在處理SSL驗(yàn)證請求時(shí),apache會(huì)驗(yàn)證puppet agent的證書是否由puppet CA簽發(fā),apache 會(huì)先驗(yàn)證請求.如果授權(quán)通過,則調(diào)用master.同時(shí),apache會(huì)提供給puppet agent一個(gè)證書用于驗(yàn)證服務(wù)器的真實(shí)性,再將SSL證書存放在適當(dāng)?shù)奈恢?打開passenger模塊并為puppet master服務(wù)創(chuàng)建一個(gè)虛擬主機(jī)來配置apache.

下面來配置一番:

1.安裝apache等相關(guān)組件

yum install httpd httpd-devel mod_ssl ruby-devel rubygems libcurl-devel

2.使用ruby gem安裝passenger

更換gem鏡像

gem install rack passenger #安裝passenger passenger-install-apache2-module #整合apache和passenger 按照相關(guān)提示解決依賴關(guān)系 安裝過程會(huì)提示配置apache虛擬主機(jī)時(shí)需要增加passenger模塊配置文件 LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55/buildout/apache2/mod_passenger.so PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55 PassengerDefaultRuby /usr/bin/ruby 查看passengeroot目錄. root@10.1.1.33:~# passenger-config --root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55

3.配置apache和passenger

需要在puppet master創(chuàng)建rack應(yīng)用,創(chuàng)建一個(gè)目錄用來存放config.ru配置文件,并創(chuàng)建一個(gè)虛擬主機(jī)配置文件.rack為web服務(wù)器提供了用來和puppet服務(wù)交換請求和響應(yīng)的一些常用API.Rack適用于Ruby類的HTTP服務(wù),可以用于多臺(tái)服務(wù)器之間部署服務(wù).

創(chuàng)建rack框架目錄,拷貝配置文件,賦予puppet權(quán)限.

mkdir -p /etc/puppet/rack/puppetmaster/{public,tmp} cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/puppetmaster/ chown puppet. /etc/puppet/rack/puppetmaster/config.ru 配置apache虛擬主機(jī)文件:

cp /usr/share/puppet/ext/rack/example-passenger-vhost.conf /etc/httpd/conf.d/puppet.domain.com.conf vim /etc/httpd/conf.d/puppet.domain.com.conf # This Apache 2 virtual host config shows how to use Puppet as a Rack # application via Passenger. See # http://docs.puppetlabs.com/guides/passenger.html for more information. # You can also use the included config.ru file to run Puppet with other Rack # servers instead of Passenger. LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55/buildout/apache2/mod_passenger.so PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55 PassengerDefaultRuby /usr/bin/ruby # you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000 PassengerStatThrottleRate 120 # RackAutoDetect Off # RailsAutoDetect Off Listen 8140 SSLEngine on SSLProtocol ALL -SSLv2 -SSLv3 SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA SSLHonorCipherOrder on SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none # which effectively disables CRL checking; if you are using Apache 2.4+ you must # specify \'SSLCARevocationCheck chain\' to actually use the CRL. # SSLCARevocationCheck chain SSLVerifyClient optional SSLVerifyDepth 1 # The `ExportCertData` option is needed for agent certificate expiration warnings SSLOptions +StdEnvVars +ExportCertData # This header needs to be set if using a loadbalancer or proxy RequestHeader unset X-Forwarded-For RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e DocumentRoot /etc/puppet/rack/puppetmaster/public/ RackBaseURI / Options None AllowOverride None Order allow,deny allow from all 檢查配置 root@10.1.1.33:~# service httpd configtest Syntax OK 啟動(dòng)apache root@10.1.1.33:~# /etc/init.d/httpd start 檢測端口及進(jìn)程 root@10.1.1.33:~# netstat -tunlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22000 0.0.0.0:* LISTEN 811/sshd tcp 0 0 127.0.0.1:55939 0.0.0.0:* LISTEN 15291/Passenger Rac tcp 0 0 :::8140 :::* LISTEN 15234/httpd tcp 0 0 :::80 :::* LISTEN 15234/httpd tcp 0 0 :::22000 :::* LISTEN 811/sshd tcp 0 0 :::443 :::* LISTEN 15234/httpd

4.客戶測試:

root@10.1.1.34:~# puppet agent --test Info: Retrieving pluginfacts Info: Retrieving plugin Info: Caching catalog for agent.domain.com Info: Applying configuration version \'1418805297\' Notice: Finished catalog run in 0.36 seconds 5.查看passenger狀態(tài)

root@10.1.1.33:~# passenger-status Version : 4.0.55 Date : Wed Dec 17 17:24:28 +0800 2014 Instance: 15234 ----------- General information ----------- Max pool size : 12 Processes : 1 Requests in top-level queue : 0 ----------- Application groups ----------- /etc/puppet/rack/puppetmaster#default: App root: /etc/puppet/rack/puppetmaster Requests in queue: 0 * PID: 15291 Sessions: 0 Processed: 62 Uptime: 49m 35s CPU: 0% Memory : 85M Last used: 1m 24s ago root@10.1.1.33:~# passenger-memory-stats Version: 4.0.55 Date : Wed Dec 17 17:24:32 +0800 2014 ---------- Apache processes ---------- PID PPID VMSize Private Name -------------------------------------- 15234 1 203.0 MB 0.4 MB /usr/sbin/httpd 15254 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15255 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15256 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15257 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15258 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15259 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15260 15234 203.3 MB 0.5 MB /usr/sbin/httpd 15261 15234 203.3 MB 0.5 MB /usr/sbin/httpd ### Processes: 9 ### Total private dirty RSS: 4.27 MB -------- Nginx processes -------- ### Processes: 0 ### Total private dirty RSS: 0.00 MB ----- Passenger processes ----- PID VMSize Private Name ------------------------------- 15236 211.6 MB 0.3 MB PassengerWatchdog 15239 564.9 MB 0.7 MB PassengerHelperAgent 15244 210.5 MB 0.8 MB PassengerLoggingAgent 15291 190.6 MB 85.4 MB Passenger RackApp: /etc/puppet/rack/puppetmaster ### Processes: 4 ### Total private dirty RSS: 87.20 MB