Scaling the Puppet master with nginx for better performance (Puppet automation series, part 4)
2015-01-20 09:42
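Puppet communicates over SSL (HTTPS). By default, the Puppet server side uses the Ruby-based WEBrick HTTP server. Because WEBrick is not very strong at handling agent requests, Puppet needs to be scaled out by setting up nginx or another robust web server to handle the clients' HTTPS requests.
Problems to solve:
Scaling the transport: improve performance and increase the number of concurrent connections between the master and the agents.
Scaling SSL: use a sound SSL certificate management approach to encrypt the communication between the master and the agents.
Nginx + Passenger approach: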
6.1 Install the development packages needed to compile nginx
[root@puppetmaster1 ~]# groupadd -g 3001 nginx
[root@puppetmaster1 ~]# useradd -u 3001 -g 3001 nginx
[root@puppetmaster1 ~]# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build
6.2 Install Passenger
It is best to switch the gem source first:
gem sources -a http://ruby.taobao.org
gem sources -u
gem install rake rack passenger --no-rdoc --no-ri
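6.3 Compile and install nginx
Note: the main purpose is to compile the Passenger module in (its source path is given by passenger-config).
wget http://nginx.org/download/nginx-1.7.9.tar.gz
wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz
[root@puppetmaster1 ~]# cd /usr/local/src/nginx-1.7.9/
[root@puppetmaster1 ~]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.36 --add-module=`passenger-config --root`/ext/nginx
[root@puppetmaster1 ~]# make && make install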
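Integrating with Passenger
Note: the owner and group of config.ru should be puppet.
[root@puppetmaster1 ~]# mkdir -p /etc/puppet/rack/public
# config.ru goes in the application root (the parent of public/), which is where Passenger looks for it
[root@puppetmaster1 ~]# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/
[root@puppetmaster1 ~]# chown -R puppet. /etc/puppet/rack/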
7. Configure nginx (configuring it as a virtual host is recommended here)
Note: pay attention to the certificate names and paths used to integrate with Puppet.
Case 1: Passenger configured directly in the main nginx configuration file
[root@puppetmaster1 conf]# cat nginx.conf
user nginx nginx;
worker_processes 1;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.55;
    passenger_ruby /usr/bin/ruby;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 8140 ssl;
        server_name puppetmaster;
        passenger_enabled on;
        passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
        proxy_buffer_size 4000k;
        proxy_buffering on;
        proxy_buffers 32 1280k;
        proxy_busy_buffers_size 17680k;
        client_max_body_size 10m;
        client_body_buffer_size 4096k;
        access_log /var/log/nginx/puppet_access.log;
        error_log /var/log/nginx/puppet_error.log;
        root /etc/puppet/rack/public;
        # Remember that root must point at the public directory; otherwise Passenger does not know where to find the config file, which results in: *4 directory index of "/etc/puppet/rack/" is forbidden, client: 192.168.122.1, server: pm01.jq.com, request: "GET / HTTP/1.1", host: "pm01.jq.com:8140"
        ssl off;
        ssl_session_timeout 5m;
        ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster1.jq.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster1.jq.com.pem;
        ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        ssl_verify_client optional;
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        ssl_prefer_server_ciphers on;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;
        # File sections
        location /production/file_content/files/ {
            types { }
            default_type application/x-raw;
            alias /etc/puppet/files/;
        }
    }
    include vhosts/*.conf;
}
Case 2: Passenger configured as a virtual host, as follows:
[root@pm01 conf]# cat nginx.conf
user nginx nginx;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    passenger_root /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.57/;
    passenger_ruby /usr/local/bin/ruby;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 8088;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    include vhosts/*.conf;
}
Virtual host configuration
[root@pm01 conf]# cat vhosts/passenger.conf
server {
    listen 8140 ssl;
    server_name pm01;
    passenger_enabled on;
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    proxy_buffer_size 4000k;
    proxy_buffering on;
    proxy_buffers 32 1280k;
    proxy_busy_buffers_size 17680k;
    client_max_body_size 10m;
    client_body_buffer_size 4096k;
    access_log /var/log/nginx/puppet_access.log;
    error_log /var/log/nginx/puppet_error.log;
    root /etc/puppet/rack/public;
    ssl off;
    ssl_session_timeout 5m;
    ssl_certificate /var/lib/puppet/ssl/certs/pm01.jq.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/pm01.jq.com.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_verify_client optional;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_prefer_server_ciphers on;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    # File sections
    location /production/file_content/files/ {
        types { }
        default_type application/x-raw;
        alias /etc/puppet/files/;
    }
}
Configure puppet.conf
[root@puppetmaster1 ~]# vim /etc/puppet/puppet.conf
[master]
certname = puppetmaster
ca = false
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN
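The vhosts above hand $ssl_client_verify and $ssl_client_s_dn to Puppet, which puppet.conf then trusts, and their cipher string SSLv2:-LOW:-EXPORT:RC4+RSA requests SSLv2 and RC4 suites. The check below is an added example, not part of the original post; the function names, the finding labels and the corrected values (HIGH:!aNULL:!MD5 and ssl_protocols TLSv1.2) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: lint the TLS directives of a Puppet master nginx vhost.
# Prints one finding per line and returns non-zero if anything was flagged.
audit_puppet_vhost() {
    body=$(sed 's/#.*$//' "$1")    # ignore commented-out directives
    rc=0
    # arg NAME: first argument of directive NAME, without the trailing ";".
    arg() { printf '%s\n' "$body" |
        awk -v d="$1" '$1 == d { sub(/;.*/, "", $2); print $2; exit }'; }
    # In an OpenSSL cipher string, tokens starting with "!", "-" or "+" never
    # add suites; every other token does.
    for tok in $(arg ssl_ciphers | tr ':' ' '); do
        case $tok in
            '!'*|-*|+*) ;;
            *SSLv2*|*RC4*|*EXP*|*LOW*|*NULL*|*MD5*|*DES*)
                echo "WEAK_CIPHER $tok"; rc=1 ;;
        esac
    done

    # Without ssl_protocols, the defaults of the installed nginx build apply.
    [ -n "$(arg ssl_protocols)" ] || { echo "NO_SSL_PROTOCOLS"; rc=1; }

    # puppet.conf trusts these two CGI variables, so the vhost must set both
    # of them from the TLS session.
    for pair in 'HTTP_X_CLIENT_VERIFY $ssl_client_verify' \
                'HTTP_X_CLIENT_DN $ssl_client_s_dn'; do
        printf '%s\n' "$body" | awk -v want="$pair" '
            $1 == "passenger_set_cgi_param" {
                sub(/;.*/, "", $3); if (($2 " " $3) == want) ok = 1 }
            END { exit !ok }' || { echo "CLIENT_HEADER_NOT_SET ${pair%% *}"; rc=1; }
    done
    return $rc
}

# Constructed sample: the TLS-related directives of the vhost shown above.
page_vhost() {
    cat <<'EOF'
passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
ssl_verify_client optional;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
EOF
}

# Constructed corrected variant; assumes every agent can negotiate TLS 1.2.
hardened_vhost() {
    page_vhost | sed 's/^ssl_ciphers .*/ssl_ciphers HIGH:!aNULL:!MD5;/'
    echo 'ssl_protocols TLSv1.2;'
}
```

Call audit_puppet_vhost with the path of the vhost file; an empty result means none of the three checks fired.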
8. Start nginx
[root@puppetmaster1 gem]# mkdir /var/log/nginx/
[root@puppetmaster1 nginx-1.4.2]# /etc/init.d/puppetmaster stop
[root@puppetmaster1 nginx-1.4.2]# chkconfig puppetmaster off
[root@puppetmaster1 nginx-1.4.2]# /etc/init.d/nginx start
[root@puppetmaster1 nginx-1.4.2]# chkconfig nginx on
9. Test
Run puppet agent -t on several nodes and check the nginx log to see whether nginx + Passenger is handling the requests successfully.
[root@ag1 ~]# puppet agent -t
[root@puppetmaster1 ~]# tailf /var/log/nginx/puppet_access.log