Puppet扩展篇3-如何扩展master的SSL传输性能(apache)

需要解决的问题:

  • 扩展传输方式:提高性能并增加Master和agent之间的并发连接数量。
  • 扩展SSL:采用良好的SSL证书管理方法来加密Master和agent之间的通讯。

参考:

  2. [root@puppetserver etc]# passenger-install-apache2-module #按照相关提示解决依赖关系,安装完成之后会显示
  4. The Apache 2 module was successfully installed.
  5. Please edit your Apache configuration file, and add these lines:
  6.    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19/buildout/apache2/mod_passenger.so
  7.    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19
  8.    PassengerDefaultRuby /usr/bin/ruby
  10. After you restart Apache, you are ready to deploy any number of Ruby on Rails
  11. applications on Apache, without any further Ruby on Rails-specific
  12. configuration!
  1. [root@puppetserver conf.d]# vim passenger.conf
  2. LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19/buildout/apache2/mod_passenger.so
  3. <IfModule mod_passenger.c>
  4.    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19
  5.    PassengerRuby /usr/bin/ruby
  6.    PassengerHighPerformance on
  7.    PassengerMaxPoolSize 12
  8.    PassengerPoolIdleTime 1500
  9.    PassengerStatThrottleRate 120
  10.  # RailsAutoDetect On
  11. </IfModule>
  12. <VirtualHost *:8140>
  13.         SSLEngine on  #开始ssl加密
  14.         SSLProtocol -ALL +SSLv3 +TLSv1
  15.         SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP #开启ssl加密
  17.         SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetserver.kisspuppet.com.pem 
  18.         SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetserver.kisspuppet.com.pem
  19.         SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
  20.         SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
  21.         SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crt.pem #打开证书撤销功能,当我们颁发或撤销Puppet agent的证书时,Puppet cert命令会自动更关心ca_crl.pem文件
  22.         SSLVerifyClient optional
  23.         SSLVerifyDepth  1
  24.         SSLOptions +StdEnvVars #配置Apache来验证Puppet agent证书的真实性。验证的结果会被保存在这个环境变量中,运行在Passenger中的Puppet master进程会使用这个变量来认证Puppet agent。
  26. #Puppet agent证书验证的结果会以客户端请求头的形式存放在标准环境中。
  27.         RequestHeader unset X-Forwarded-For
  28.         RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  29.         RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  30.         RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
  32.         DocumentRoot /etc/puppet/rack/puppetmaster/public/
  33.         RackBaseURI /
  34. #Rack为Web服务器提供了用来和Puppet这样的Ruby HTTP服务交换请求和响应的一些常用API。Rack经常被用于在多台Web服务器上部署如Puppet Dashboad这样的web程序。
  35.         <Directory /etc/puppet/rack/puppetmaster/>  #虚拟主机部分
  36.                 Options None
  37.                 AllowOverride None
  38.                 Order allow,deny
  39.                 allow from all
  40.         </Directory>
  41. </VirtualHost>

备注:有关puppet虚拟主机配置可参考默认配置

  1. /usr/share/puppet/ext/rack/files/apache2.conf
  1. [root@puppetserver rack]# cp /usr/share/puppet/ext/rack/files/config.ru /etc/puppet/rack/puppetmaster/ 
  2. [root@puppetserver rack]# vim /etc/puppet/rack/puppetmaster/config.ru  #默认即可
  4. # a config.ru, for use with every rack-compatible webserver.
  5. # SSL needs to be handled outside this, though.
  7. # if puppet is not in your RUBYLIB:
  8. # $:.unshift('/opt/puppet/lib')
  10. $0 = "master"
  12. # if you want debugging:
  13. # ARGV << "--debug"
  15. ARGV << "--rack"
  16. require 'puppet/application/master'
  17. # we're usually running inside a Rack::Builder.new {} block,
  18. # therefore we need to call run *here*.
  19. run Puppet::Application[:master].run

备注:
如果需要最新的Rack配置文件,可以在Puppet最新发行版的ext目录找到。也可以在https://github.com/puppetlabs/puppet/tree/master/ext/rack/files找到。

  1. [root@puppetserver ~]# /etc/rc.d/init.d/puppetmaster stop #停止puppetmaster进程
  2. [root@puppetserver ~]# chkconfig puppetmaster off #防止开机自动启动
  3. [root@puppetserver ~]# /etc/rc.d/init.d/httpd start #启动apache服务
  4. [root@puppetserver ~]# chkconfig httpd off  #设置开机自动启动
  5. [root@puppetserver ~]# netstat -nlp | grep 8140  #监听8140端口
  6. tcp        0      0 :::8140             :::*          LISTEN      4162/httpd

测试二:在节点上运行puppet程序,在服务器端通过apache访问日志查看是否有puppet的请求,如果返回状态吗“200”表明这次请求时成功的。

  1. [root@puppetserver conf.d]# tailf  /var/log/httpd/access_log
  2. 172.16.200.101 - - [22/Jul/2013:10:30:34 +0800] "GET /production/file_metadata/modules/mysql/etc/my.cnf? HTTP/1.1" 200 298 "-" "-"
  3. 172.16.200.101 - - [22/Jul/2013:10:30:34 +0800] "GET /production/file_metadata/modules/motd/etc/motd? HTTP/1.1" 200 295 "-" "-"
  4. 172.16.200.101 - - [22/Jul/2013:10:30:35 +0800] "PUT /production/report/agent1.kisspuppet.com HTTP/1.1" 200 14 "-" "-"
  5. 172.16.200.101 - - [22/Jul/2013:10:30:40 +0800] "POST /production/catalog/agent1.kisspuppet.com HTTP/1.1" 200 8346 "-" "-"
  6. 172.16.200.101 - - [22/Jul/2013:10:30:41 +0800] "GET /production/file_metadata/modules/ssh/etc/ssh/sshd_config? HTTP/1.1"