Puppet master nginx 扩展提升性能(puppet自动化系列4)
puppet使用SSL(https)协议来进行通讯,默认情况下,puppet server端使用基于Ruby的WEBRick HTTP服务器。由于WEBRick HTTP服务器在处理agent端的性能方面并不是很强劲,因此需要扩展puppet,搭建nginx或者其他强劲的web服务器来处理客户的https请求。
需要解决的问题:
- 扩展传输方式:提高性能并增加Master和agent之间的并发连接数量。
- 扩展SSL:采用良好的SSL证书管理方法来加密Master和agent之间的通讯。
Nginx+Passenger方式:
6.1 安装编译nginx所需要的开发包
[root@puppetmaster1 ~]# groupadd -g 3001 nginx
[root@puppetmaster1 ~]# useradd -u 3001 -g 3001 nginx
[root@puppetmaster1 ~]# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build
6.2 安装passenger
最好是更换gem源,gem sources -a http://ruby.taobao.org
gem sources -u
gem install rake rack passenger --no-rdoc --no-ri
6.3 编译并安装nginx
备注:主要是为了将模块passenger-config编译进来。
wget http://nginx.org/download/nginx-1.7.9.tar.gz
wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz
[root@puppetmaster1 ~]# cd /usr/local/src/nginx-1.7.9/
[root@puppetmaster1 ~]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.36 --add-module=`passenger-config --root`/ext/nginx
[root@puppetmaster1 ~]# make && make install
与passenger结合
备注:注意config.ru的属主和属组应该为puppet
[root@puppetmaster1 ~]# mkdir -p /etc/puppet/rack/public
[root@puppetmaster1 ~]# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/public
[root@puppetmaster1 ~]# chown -R puppet. /etc/puppet/rack/
7、配置nginx(建议此处配置成虚拟主机)
备注:注意和puppet结合的证书名称及路径
情况一:直接passenger配置在nginx主配置文件
[root@puppetmaster1 conf]# cat nginx.conf
user nginx nginx;
worker_processes 1;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55;
passenger_ruby /usr/bin/ruby;
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 8140 ssl;
server_name puppetmaster;
passenger_enabled on;
passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
proxy_buffer_size 4000k;
proxy_buffering on;
proxy_buffers 32 1280k;
proxy_busy_buffers_size 17680k;
client_max_body_size 10m;
client_body_buffer_size 4096k;
access_log /var/log/nginx/puppet_access.log;
error_log /var/log/nginx/puppet_error.log;
root /etc/puppet/rack/public;
#此处切记是public下,不是public的话passenger就不知道哪里去找 config文件,导致 *4 directory index of "/etc/puppet/rack/" is forbidden, client: 192.168.122.1, server: pm01.jq.com, request: "GET / HTTP/1.1", host: "pm01.jq.com:8140"
ssl off;
ssl_session_timeout 5m;
ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster1.jq.com.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster1.jq.com.pem;
ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
ssl_verify_client optional;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_prefer_server_ciphers on;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
# File sections
location /production/file_content/files/ {
types { }
default_type application/x-raw;
alias /etc/puppet/files/;
}
}
include vhosts/*.conf;
}
情况二、passenger配置成虚拟机主机,配置如下:
[root@pm01 conf]# cat nginx.conf
user nginx nginx;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
passenger_root /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.57/;
passenger_ruby /usr/local/bin/ruby;
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 8088;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
include vhosts/*.conf;
}
虚拟主机配置
[root@pm01 conf]# cat vhosts/passenger.conf
server {
listen 8140 ssl;
server_name pm01;
passenger_enabled on;
passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
proxy_buffer_size 4000k;
proxy_buffering on;
proxy_buffers 32 1280k;
proxy_busy_buffers_size 17680k;
client_max_body_size 10m;
client_body_buffer_size 4096k;
access_log /var/log/nginx/puppet_access.log;
error_log /var/log/nginx/puppet_error.log;
root /etc/puppet/rack/public;
ssl off;
ssl_session_timeout 5m;
ssl_certificate /var/lib/puppet/ssl/certs/pm01.jq.com.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/pm01.jq.com.pem;
ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
ssl_verify_client optional;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_prefer_server_ciphers on;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
# File sections
location /production/file_content/files/ {
types { }
default_type application/x-raw;
alias /etc/puppet/files/;
}
}
配置puppet.conf
[root@puppetmaster1 ~]# vim /etc/puppet/puppet.conf
[master]
certname = puppetmaster
ca = false
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN
8、启动nginx
[root@puppetmaster1 gem]# mkdir /var/log/nginx/
[root@puppetmaster1 nginx-1.4.2]# /etc/init.d/puppetmaster stop
[root@puppetmaster1 nginx-1.4.2]# chkconfig puppetmaster off
[root@puppetmaster1 nginx-1.4.2]# /etc/init.d/nginx start
[root@puppetmaster1 nginx-1.4.2]# chkconfig nginx on
9、测试
在多个节点发起puppet agent -t命令动作,查看nginx日志看nginx+passenger是否代理成功。
[root@ag1 ~]# puppet agent -t
[root@puppetmaster1 ~]# tailf /var/log/nginx/puppet_access.log
Puppet master nginx 扩展提升性能(puppet自动化系列4)的更多相关文章
- puppet master/agent
puppet master/agent 配置 安装 master: yum install puppet-server agent: yum install puppet 自动签名 puppet的ma ...
- WEBrick/Rack Puppet Master
Puppet's Services: The WEBrick Puppet Master Puppet master is the application that compiles configur ...
- 部署puppet master/agent模型
自己画的一个简单的架构图 agent端每隔30分钟到master端请求与自己相关的catalog. 各节点时间要同步. 依赖DNS,各节点能通过主机名能解析. 1.同步时间 # yum install ...
- 基于 Nginx 的 HTTPS 性能优化
前言 分享一个卓见云的较多客户遇到HTTPS优化案例. 随着相关浏览器对HTTP协议的“不安全”.红色页面警告等严格措施的出台,以及向 iOS 应用的 ATS 要求和微信.支付宝小程序强制 HTTPS ...
- 基于 Nginx 的 HTTPS 性能优化实践
前言 分享一个卓见云的较多客户遇到HTTPS优化案例. 随着相关浏览器对HTTP协议的“不安全”.红色页面警告等严格措施的出台,以及向 iOS 应用的 ATS 要求和微信.支付宝小程序强制 HTTPS ...
- Advacned Puppet: Puppet Master性能调优
本文是Advanced Puppet系列的第一篇:Puppet master性能调优,谈一谈如何优化和提高C/S架构下master端的性能. 故事情节往往惊人地类似:你是一名使用Puppet管理线上业 ...
- puppet master 用 nginx + unicorn 作为前端
目录 1. 概要 2. nginx + unicorn 配置 2.1. package 安装 2.2. 配置文件设置 2.2.1. 配置 unicorn 2.2.2. 配置nginx 2.3. 测试配 ...
- centos6.5环境自动化运维之puppet实现nginx反向代理功能及puppet安装配置详解
puppet是一种Linux.Unix.windows平台的集中配置管理系统,使用自有的puppet描述语言,可管理配置文件.用户.cron任务.软件包.系统服务等.puppet把这些系统实体称之为资 ...
- 自动化运维工具之Puppet master/agent模型、站点清单和puppet多环境设定
前文我们了解了puppe中模块的使用,回顾请参考https://www.cnblogs.com/qiuhom-1874/p/14086315.html:今天我来了解下puppet的master/age ...
随机推荐
- Struts2之ModelDriven的使用
http://www.cnblogs.com/luoyanli/archive/2012/11/20/2778361.html 我们可以根据Action属性的不同将它分为两类:Field-Driven ...
- ppm图像相关
PPM图像格式介绍 直接拿具体的数据来说明是最直接的,使用ue打开ppm文件,采用的都是十六进制asc码表示的,这里要注意地址00000000h中的最后一个字母是始终不变的,这原来没注意晕了我好久,第 ...
- python学习-3.一些常用模块用法
一.time.datetime 时间戳转化为元组 1 >>> time.localtime() 2 time.struct_time(tm_year=2016, tm_mon=8, ...
- linux 11 -- mount,umount
Linux 文件系统是一个以 / 为根的大树,我们在不同的设备和分区上都有文件系统.我们如何处理这种明显的不一致性?根 (/) 文件系统是在初始化过程中挂载的.您创建的其他每个文件系统在挂载 在挂载点 ...
- linux 中sort命令 按照指定列排序
sort怎样按指定的列排序0000 27189 41925425065f 15 419254250663 7 419254250675 5 419254250691 76 419254250693 2 ...
- python基础14 ---函数模块4(configparser模块)
configparser模块 一.configparser模块 1.什么是configparser模块:configparser模块操作配置文件,配置文件的格式与windows ini和linux的c ...
- 关于mosquitto_internal.h:40:25:#include <uuid/uuid.h> 致命错误的解决
一.安装mosquitto1.4的时候使用make的时候报以下错误: mosquitto_internal.h:40:25: 致命错误:openssl/ssl.h:没有那个文件或目录 #include ...
- xutils3文件上传、下载、get、post请求
@ContentView(R.layout.activity_xutils3_net) public class XUtils3NetActivity extends Activity { @View ...
- Kindeditor 函数用途
1.loadScript 加载文件 2.updateState 更新工具条状态 afterCreate在dom加载的时候执行,dom加载完之前执行的 K.ready dom加载完之后执行 ...
- 隐藏c语言烦人的{ }
.vimrc文件中添加 autocmd BufNewFile,BufRead * :syn match braces conceal "[{}]" set conceallevel ...