使用Apache+Passenger部署高性能PuppetMaster

etge

前言：
最近在服务器系统上安装了最新的Puppet客户端，发现跟老版本的PuppetMaster做同步时出现了一些问题，警告类的信息很好解决，注释掉配置文件templatedir该行即可，后来又对PuppetMaster做了次升级，直接升为最新的3.6.1，随后发现PuppetMaster默认安装的WEBrick的web服务器性能较低且最新版本3.6.1存在bug以至于无法同时接受多台Agent客户端请求，因此使用Apache+Passenger方案替代原WEBrick，提高并发性能，同时解决bug带来的问题

环境：
Ubuntu 12.04 64-LTS
PuppetMaster: 3.6.1（升级前版本为3.4.3）
PuppetAgent: 3.6.1

1、安装Apache2

1 2 3

$ sudo apt-get install apache2 ruby1.8-dev rubygems $ sudo a2enmod ssl $ sudo a2enmod headers

2、安装Rack/Passenger

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

$ sudo gem install rack passenger $ sudo passenger-install-apache2-module # 按提示解决软件依赖关系后，再次运行命令安装passenger模块 Please edit your Apache configuration file, and add these lines: LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.44/buildout/apache2/mod_passenger.so <IfModule mod_passenger.c>   PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.44   PassengerDefaultRuby /usr/bin/ruby1.8 </IfModule> $ sudo mkdir /etc/puppet/rack $ sudo mkdir /etc/puppet/rack/{public,tmp} $ sudo scp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/ $ sudo chown -R puppet:root /etc/puppet/rack

3、配置Puppet虚拟主机文件

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59

$ sudo cp /usr/share/puppet/ext/rack/example-passenger-vhost.conf /etc/apache2/sites-available/puppet.conf $ sudo vim /etc/apache2/sites-available/puppet.conf # 按之前的提示添加如下内容 LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.44/buildout/apache2/mod_passenger.so <IfModule mod_passenger.c>   PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.44   PassengerDefaultRuby /usr/bin/ruby1.8   PassengerHighPerformance on   PassengerMaxPoolSize 12   PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000   PassengerStatThrottleRate 120 # RackAutoDetect Off                 # 注释该行 # RailsAutoDetect Off                # 注释该行 </IfModule> Listen 8140 <VirtualHost *:8140>         SSLEngine on         SSLProtocol             ALL -SSLv2         SSLCipherSuite          ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP         SSLHonorCipherOrder     on         # 修改为SSL实际路径及文件名         SSLCertificateFile      /var/lib/puppet/ssl/certs/test.cominggo.com.pem         SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/test.cominggo.com.pem         SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem         SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem         # If Apache complains about invalid signatures on the CRL, you can try disabling         # CRL checking by commenting the next line, but this is not recommended.         SSLCARevocationFile     /var/lib/puppet/ssl/crl.pem         SSLVerifyClient optional         SSLVerifyDepth  1         # The `ExportCertData` option is needed for agent certificate expiration warnings         SSLOptions +StdEnvVars +ExportCertData         # This header needs to be set if using a loadbalancer or proxy         RequestHeader unset X-Forwarded-For         RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e         RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e         RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e         DocumentRoot /etc/puppet/rack/public/         RackBaseURI /         <Directory /etc/puppet/rack/>                 Options None                 AllowOverride None                 Order allow,deny                 allow from all         </Directory>         ## Logging        # 设置Puppet访问日志（可选，默认日志为other_vhosts_access.log）         ErrorLog "/var/log/apache2/puppet_error.log"         ServerSignature Off         CustomLog "/var/log/apache2/puppet_access.log" combined </VirtualHost> $ cd /etc/apache2/sites-available/ $ sudo a2ensite puppet.conf

4、移除WEBrick服务（puppetmaster），并重启Apache服务

1 2 3 4 5 6 7

$ sudo /etc/init.d/puppetmaster stop $ sudo update-rc.d -f puppetmaster remove $ sudo /etc/init.d/apache2 restart $ sudo ss -talnp | grep apache2 LISTEN     0      128      *:8140         *:*      users:(("apache2",30037,5),("apache2",29472,5),("apache2",29467,5)) LISTEN     0      128      *:80           *:*      users:(("apache2",30037,3),("apache2",29472,3),("apache2",29467,3)) LISTEN     0      128      *:443          *:*      users:(("apache2",30037,4),("apache2",29472,4),("apache2",29467,4))

5、验证是否部署成功
1）访问HTTPS服务

1 2	# 访问页面：https://test.cominggo.com:8140/ The environment must be purely alphanumeric, not ''

2）PuppetAgent节点运行测试

1 2 3 4 5 6 7 8 9 10 11

# PuppetAgent： $ sudo puppet agent -t # PuppetMaster：查看apache访问日志是否有200状态请求 $ sudo tail /var/log/apache2/puppet_access.log 172.16.2.22 - - [20/Jun/2014:19:11:53 +0800] "GET /production/file_metadata/modules/zabbix/check.sh?source_permissions=use&links=manage HTTP/1.1" 200 5987 "-" "-" 172.16.2.22 - - [20/Jun/2014:19:11:53 +0800] "GET /production/file_metadata/modules/zabbix/zabbix-release_2.2-1+precise_all.deb?source_permissions=use&links=manage HTTP/1.1" 200 6003 "-" "-" 172.16.2.22 - - [20/Jun/2014:19:11:53 +0800] "GET /production/file_metadata/modules/zabbix/game.conf?source_permissions=use&links=manage HTTP/1.1" 200 5971 "-" "-" 172.16.2.22 - - [20/Jun/2014:19:11:53 +0800] "GET /production/file_metadatas/modules/game/release/data?checksum_type=md5&recurse=true&links=manage HTTP/1.1" 200 44519 "-" "-" 172.16.2.22 - - [20/Jun/2014:19:11:54 +0800] "GET /production/file_metadata/modules/zabbix/netif.py?source_permissions=use&links=manage HTTP/1.1" 200 5987 "-" "-" 172.16.2.22 - - [20/Jun/2014:19:11:56 +0800] "PUT /production/report/t1.cominggo.com HTTP/1.1" 200 5683 "-" "-"

参考：
官方文档：http://docs.puppetlabs.com/guides/passenger.html
KissPuppet博客：http://kisspuppet.com/2013/11/08/apache-passenger/