Make puppet on apache
最近发现 puppet 存在性能问题。查了下官方文档,puppet 自带的 WEBrick 是一个纯 Ruby 编写的 web 服务器,所以性能并不好。
puppet 可以改用 Mongrel 运行,并在前端使用 apache 或者 nginx 负责 SSL 和反向代理,以此来扩展它的性能。
安装环境:
OS: RHEL 5.5 Arch: x86_64
安装mongrel:
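# Install all packages in ONE rpm transaction so rpm orders them by dependency.
# Run one at a time in the order originally listed, the rubygem-* packages come
# before rubygems itself (presumably required by each of them -- confirm with
# `rpm -qpR <package file>`).
pkgs="rubygems-1.3.1-1.el5.noarch.rpm
rubygem-daemons-1.0.10-1.el5.noarch.rpm
rubygem-fastthread-1.0.7-1.el5.x86_64.rpm
rubygem-gem_plugin-0.2.2-2.el5.noarch.rpm
rubygem-mongrel-1.0.1-6.el5.x86_64.rpm
rubygem-rack-0.4.0-2.el5.noarch.rpm
rubygem-rake-0.8.7-2.el5.noarch.rpm"

# These are local files, not packages pulled from a configured repository, so
# check digests and signatures first. `rpm -K` fails (and the install is
# skipped) if a file is corrupt or the packager's GPG key has not been imported.
rpm -K $pkgs && rpm -ivh $pkgs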
为puppet配置mongrel扩展:
# Stop the running puppetmaster before changing how it is started.
/etc/init.d/puppetmaster stop
# Edit the init script's settings file and set the PUPPETMASTER_PORTS line shown below.
vi /etc/sysconfig/puppetmaster
# Same four ports as the BalancerMember entries in the Apache configuration.
# Presumably the init script starts one mongrel-backed master per listed port -- confirm.
# NOTE(review): these listeners are plain HTTP and sit behind the Apache proxy;
# they should not be reachable from other hosts (bind address / firewall).
PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
/etc/init.d/puppetmaster start
配置apache:
安装apache:
# Build httpd with only the modules the proxy configuration loads, each as a
# shared object (DSO) so it can be pulled in with LoadModule.
# NOTE(review): the prefix is /opt/puppet/apache2, while the PidFile in the
# configuration that follows points under /opt/puppet/apache -- confirm both
# paths refer to the same installation.
./configure \
    --prefix=/opt/puppet/apache2 \
    --enable-so \
    --enable-ssl=shared \
    --enable-proxy=shared \
    --enable-proxy_http=shared \
    --enable-proxy_balancer=shared \
    --enable-headers=shared \
    --enable-authz_host=shared \
    --enable-log_config=shared
配置apache:
# Apache front end for the puppetmaster: terminates SSL on 8140, verifies the
# agent's client certificate, and balances requests over the mongrel back ends.
# NOTE(review): the listing contains no section containers (angle-bracket
# blocks); the two conflicting Order/Allow/Deny groups and the BalancerMember
# lines suggest they were lost when the page was published. Restore them from
# the original configuration before using this file.
Listen 8140
PidFile /opt/puppet/apache/logs/balancer.pid
# Worker processes run as the puppet user.
User puppet
Group puppet
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule headers_module modules/mod_headers.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
# NOTE(review): this name has no ".i." label, unlike the certificate file names
# and the balancer name below -- confirm which host name the agents connect to.
ServerName puppet10-001.ajkdns.com
# Default policy: deny all access (presumably scoped to a filesystem
# directory section in the original -- confirm).
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
# Back-end puppetmaster instances, one per port from PUPPETMASTER_PORTS.
# Traffic to them is plain HTTP to a non-loopback address.
# NOTE(review): the back ends receive the client identity only through the
# X-Client-* request headers set below, so anything else that can reach
# 10.10.6.131:18140-18143 directly bypasses the certificate check. Restrict
# those ports to this proxy.
BalancerMember http://10.10.6.131:18140 keepalive=on max=2 retry=30
BalancerMember http://10.10.6.131:18141 keepalive=on max=2 retry=30
BalancerMember http://10.10.6.131:18142 keepalive=on max=2 retry=30
BalancerMember http://10.10.6.131:18143 keepalive=on max=2 retry=30
SSLEngine on
# NOTE(review): this string selects SSLv2 cipher suites and RC4. Both are
# broken and formally prohibited (RFC 6176, RFC 7465). Replace it with a
# current cipher list and disable the legacy protocols with SSLProtocol,
# within what the installed OpenSSL supports.
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
# The server certificate and key are the puppetmaster's own, issued by the puppet CA.
SSLCertificateFile /etc/puppet/ssl/certs/puppet10-001.i.ajkdns.com.pem
SSLCertificateKeyFile /etc/puppet/ssl/private_keys/puppet10-001.i.ajkdns.com.pem
SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem
# Client certificates are verified against the puppet CA certificate.
SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem
# Using the technique from above.
# Revoked agent certificates are rejected using the puppet CA's CRL.
# NOTE(review): the CRL is presumably read when httpd starts -- reload Apache
# after revoking a certificate; confirm for the version in use.
SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem
# SSLCARevocationPath /opt/puppet/apache/SSL/crl
# A valid client certificate is mandatory; the handshake fails without one.
# NOTE(review): with "require", a new agent that has no signed certificate yet
# cannot connect at all, including to submit a certificate request --
# presumably certificates are provisioned another way; confirm.
SSLVerifyClient require
# Only certificates issued directly by a CA in SSLCACertificateFile are accepted.
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# The following client headers allow the same configuration to work with Pound.
# "set" replaces any header of the same name sent by the client, so the values
# the back end sees always come from mod_ssl's verification result.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
# NOTE(review): balancer-manager is mod_proxy_balancer's administrative
# interface, here combined with "Allow from all". The enclosing section (and so
# the URL path it applies to) is not visible; restrict it to administrator
# addresses, or drop the handler if the interface is not used.
SetHandler balancer-manager
Order allow,deny
Allow from all
# Forward everything to the balancer; wait up to 180 seconds for a back end.
ProxyPass / balancer://puppet10-001.i.ajkdns.com/ timeout=180
ProxyPassReverse / balancer://puppet10-001.i.ajkdns.com/
# Pass the original Host header through to the back end.
ProxyPreserveHost on
# Talk HTTP/1.0 without keep-alive to the back ends.
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
ErrorLog logs/balancer_error.log
CustomLog logs/balancer_access.log combined
# Per-request record of the negotiated SSL protocol and cipher; useful for
# spotting clients that still negotiate weak protocols or ciphers.
CustomLog logs/balancer_ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"