#### Puppet擴展篇3-如何擴展master的SSL傳輸性能（apache） **描述：**puppet使用SSL(https)協議來進行通訊，默認情況下，puppet server端使用基于Ruby的WEBRick HTTP服務器。由于WEBRick HTTP服務器在處理agent端的性能方面并不是很強勁，因此需要擴展puppet，搭建Apache或者其他強勁的web服務器來處理客戶的https請求。 **需要解決的問題：** - 擴展傳輸方式：提高性能并增加Master和agent之間的并發連接數量。 - 擴展SSL：采用良好的SSL證書管理方法來加密Master和agent之間的通訊。 **參考：**[http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger](http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger) ### 1 使用Ruby Gem安裝Passenger ~~~ [root@puppetserver etc]# yum install ruby-devel ruby-libs rubygems libcurl-devel [root@puppetserver etc]# yum install httpd httpd-devel apr-util-devel apr-devel mod_ssl [root@puppetserver repos]# gem install --local passenger-4.0.19.gem #自動解決依賴關系，進入gem包目錄進行安裝 Building native extensions. This could take a while... Successfully installed rake-10.0.1 Successfully installed daemon_controller-1.1.5 Successfully installed rack-1.5.2 Successfully installed passenger-4.0.19 ~~~ ### 2 整合Apache和Passenger ~~~ [root@puppetserver rpms]# yum install gcc-c++ gcc openssl-devel #源碼包編譯安裝（安裝需要apache gcc gcc-c++ openssl-devel開發包的支持） [root@puppetserver etc]# passenger-install-apache2-module #按照相關提示解決依賴關系，安裝完成之后會顯示 … The Apache 2 module was successfully installed. Please edit your Apache configuration file, and add these lines: LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19/buildout/apache2/mod_passenger.so PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19 PassengerDefaultRuby /usr/bin/ruby After you restart Apache, you are ready to deploy any number of Ruby on Rails applications on Apache, without any further Ruby on Rails-specific configuration! … ~~~ ### 3 配置Apache和Passenger 創建虛擬主機并加載passenger相關模塊，注意證書路徑要和puppet實際證書路徑對應。虛擬主機配置Apache以監聽在8140端口，并且使用SSL和Puppet Master生成的證書對所有通訊進行加密。同時還將配置Passenger來使系統的Ruby解釋器并且提供Rack配置文件`config.ru`的路徑 ~~~ [root@puppetserver conf.d]# vim passenger.conf LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19/buildout/apache2/mod_passenger.so <IfModule mod_passenger.c> PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19 PassengerRuby /usr/bin/ruby PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 PassengerStatThrottleRate 120 # RailsAutoDetect On </IfModule> Listen 8140 #監聽TCP 8140端口，這是PuppetMaster服務器的標準端口 <VirtualHost *:8140> SSLEngine on #開始ssl加密 SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP #開啟ssl加密 SSLCertificateFile /var/lib/puppet/ssl/certs/puppetserver.kisspuppet.com.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetserver.kisspuppet.com.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crt.pem #打開證書撤銷功能，當我們頒發或撤銷Puppet agent的證書時，Puppet cert命令會自動更關心ca_crl.pem文件 SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars #配置Apache來驗證Puppet agent證書的真實性。驗證的結果會被保存在這個環境變量中，運行在Passenger中的Puppet master進程會使用這個變量來認證Puppet agent。 #Puppet agent證書驗證的結果會以客戶端請求頭的形式存放在標準環境中。 RequestHeader unset X-Forwarded-For RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e DocumentRoot /etc/puppet/rack/puppetmaster/public/ RackBaseURI / #Rack為Web服務器提供了用來和Puppet這樣的Ruby HTTP服務交換請求和響應的一些常用API。Rack經常被用于在多臺Web服務器上部署如Puppet Dashboad這樣的web程序。 <Directory /etc/puppet/rack/puppetmaster/> #虛擬主機部分 Options None AllowOverride None Order allow,deny allow from all </Directory> </VirtualHost> ~~~ ~~~ [root@c1.inanu.net]# service httpd configtest #檢查apache配置語法是否正確 Warning: DocumentRoot [/etc/puppet/rack/puppetmaster/public/] does not exist Syntax OK ~~~ **備注：**有關puppet虛擬主機配置可參考默認配置 ~~~ /usr/share/puppet/ext/rack/files/apache2.conf ~~~ ### 4 準備config.ru配置文件 ~~~ [root@puppetserver rack]# mkdir -p /etc/puppet/rack/puppetmaster/{public,tmp} #為Rack和Puppet master的rack程序實例創建框架目錄。 [root@puppetserver rack]# cp /usr/share/puppet/ext/rack/files/config.ru /etc/puppet/rack/puppetmaster/ [root@puppetserver rack]# vim /etc/puppet/rack/puppetmaster/config.ru #默認即可 # a config.ru, for use with every rack-compatible webserver. # SSL needs to be handled outside this, though. # if puppet is not in your RUBYLIB: # $:.unshift('/opt/puppet/lib') $0 = "master" # if you want debugging: # ARGV << "--debug" ARGV << "--rack" require 'puppet/application/master' # we're usually running inside a Rack::Builder.new {} block, # therefore we need to call run *here*. run Puppet::Application[:master].run ~~~ **備注：**如果需要最新的Rack配置文件，可以在Puppet最新發行版的ext目錄找到。也可以在[https://github.com/puppetlabs/puppet/tree/master/ext/rack/files](https://github.com/puppetlabs/puppet/tree/master/ext/rack/files)找到。 ~~~ [root@puppetserver rack]# chown puppet. /etc/puppet/rack/puppetmaster/config.ru #Rack配置文件config.ru的用戶和組應該是puppet。當Apache啟動時，Passenger會檢查這個文件的所有者，并將其使用的賬號從root切換到權限較低的puppet賬戶。 ~~~ ### 5 在Apache中測試PuppetMaster ~~~ [root@puppetserver ~]# /etc/rc.d/init.d/puppetmaster stop #停止puppetmaster進程 [root@puppetserver ~]# chkconfig puppetmaster off #防止開機自動啟動 [root@puppetserver ~]# /etc/rc.d/init.d/httpd start #啟動apache服務 [root@puppetserver ~]# chkconfig httpd off #設置開機自動啟動 [root@puppetserver ~]# netstat -nlp | grep 8140 #監聽8140端口 tcp 0 0 :::8140 :::* LISTEN 4162/httpd ~~~ **測試一：**通過瀏覽器（IE版本<9）訪問[https://172.16.200.100:8140/，出現以下信息，說明配置正確](https://172.16.200.100:8140/，出現以下信息，說明配置正確) **測試二：**在節點上運行puppet程序，在服務器端通過apache訪問日志查看是否有puppet的請求，如果返回狀態嗎`“200”`表明這次請求時成功的。 ~~~ [root@puppetserver conf.d]# tailf /var/log/httpd/access_log 172.16.200.101 - - [22/Jul/2013:10:30:34 +0800] "GET /production/file_metadata/modules/mysql/etc/my.cnf? HTTP/1.1" 200 298 "-" "-" 172.16.200.101 - - [22/Jul/2013:10:30:34 +0800] "GET /production/file_metadata/modules/motd/etc/motd? HTTP/1.1" 200 295 "-" "-" 172.16.200.101 - - [22/Jul/2013:10:30:35 +0800] "PUT /production/report/agent1.kisspuppet.com HTTP/1.1" 200 14 "-" "-" 172.16.200.101 - - [22/Jul/2013:10:30:40 +0800] "POST /production/catalog/agent1.kisspuppet.com HTTP/1.1" 200 8346 "-" "-" 172.16.200.101 - - [22/Jul/2013:10:30:41 +0800] "GET /production/file_metadata/modules/ssh/etc/ssh/sshd_config? HTTP/1.1" ~~~