
Make puppet on apache

最近发现 puppet 存在性能问题。查了下官方文档，puppet 自带的是 WEBrick —— 一个纯 Ruby 写的 web 服务器，所以性能并不好。
puppet 可以通过 Mongrel，配合 apache 或者 nginx 做前端代理来提升性能。在下面的配置里，前端 apache 负责 SSL 和客户端证书校验，后端的 Mongrel 进程只接收明文 HTTP。


安装环境:

OS: RHEL 5.5 Arch: x86_64


安装mongrel:

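# Packages needed for Mongrel, taken from the current directory.
PKGS="rubygems-1.3.1-1.el5.noarch.rpm
rubygem-rake-0.8.7-2.el5.noarch.rpm
rubygem-rack-0.4.0-2.el5.noarch.rpm
rubygem-daemons-1.0.10-1.el5.noarch.rpm
rubygem-fastthread-1.0.7-1.el5.x86_64.rpm
rubygem-gem_plugin-0.2.2-2.el5.noarch.rpm
rubygem-mongrel-1.0.1-6.el5.x86_64.rpm"

# Check digests and signatures first. The output should mention gpg (or pgp)
# for every file: digests alone show the file is intact, not who built it,
# and the signing key has to be in the rpm keyring for the check to pass.
# Install in a single transaction so rpm resolves the ordering itself; the
# rubygem-* packages presumably depend on rubygems, which the one-by-one
# sequence installed last.
rpm -K $PKGS && rpm -ivh $PKGS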

为puppet配置mongrel扩展:

# Stop the master before changing the ports it listens on.
/etc/init.d/puppetmaster stop
# Open the sysconfig file; the PUPPETMASTER_PORTS line below is presumably the
# setting to put in that file rather than a command to run in the shell.
vi /etc/sysconfig/puppetmaster
# Four listener ports, the same ones the Apache BalancerMember lines point at.
# These listeners are reached over plain HTTP and the client identity arrives
# in headers set by the proxy (see puppet's ssl_client_header and
# ssl_client_verify_header settings), so nothing except the Apache proxy
# should be able to connect to them: firewall them or bind them accordingly.
PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
/etc/init.d/puppetmaster start

配置apache:

安装apache:

# Build Apache from source with the modules that the configuration loads
# (ssl, proxy, proxy_http, proxy_balancer, headers, authz_host, log_config)
# compiled as shared objects, installed under /opt/puppet/apache2.
# NOTE(review): the PidFile in the Apache configuration is under
# /opt/puppet/apache, not /opt/puppet/apache2; confirm which path is intended.
./configure --enable-so \
--enable-ssl=shared --enable-proxy=shared --enable-proxy_http=shared \
--enable-proxy_balancer=shared --enable-headers=shared \
--enable-authz_host=shared --enable-log_config=shared \
 --prefix=/opt/puppet/apache2

配置apache:

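# Apache as the SSL-terminating front end for the Mongrel puppetmaster
# processes. The <...> container lines were missing from the published copy
# and are reconstructed here from the directives they enclose; check them
# against your own file before use.

Listen 8140
# NOTE(review): the build prefix used above is /opt/puppet/apache2; confirm this path.
PidFile /opt/puppet/apache/logs/balancer.pid
User puppet
Group puppet

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule headers_module modules/mod_headers.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so

# NOTE(review): the certificate files and the balancer below are named
# puppet10-001.i.ajkdns.com; confirm which name is intended here.
ServerName puppet10-001.ajkdns.com

# Deny filesystem access by default; this server only proxies.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Back-end Mongrel listeners. Traffic to them is plain HTTP and carries the
# client identity in the X-Client-* headers set further down, so these ports
# must be reachable only from this proxy (firewall or bind address). Anyone
# who can connect to them directly can supply those headers themselves.
<Proxy balancer://puppet10-001.i.ajkdns.com>
  BalancerMember http://10.10.6.131:18140 keepalive=on max=2 retry=30
  BalancerMember http://10.10.6.131:18141 keepalive=on max=2 retry=30
  BalancerMember http://10.10.6.131:18142 keepalive=on max=2 retry=30
  BalancerMember http://10.10.6.131:18143 keepalive=on max=2 retry=30
</Proxy>

<VirtualHost *:8140>
    SSLEngine on
    # The published value was "SSLv2:-LOW:-EXPORT:RC4+RSA", which offers only
    # SSLv2 suites plus RC4. Both are broken; disable the old protocols and
    # keep strong suites. Confirm that your oldest agents can negotiate TLS.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4
    SSLCertificateFile      /etc/puppet/ssl/certs/puppet10-001.i.ajkdns.com.pem
    SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/puppet10-001.i.ajkdns.com.pem
    SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /etc/puppet/ssl/ca/ca_crt.pem
    # Revocation list of the puppet CA. Apache appears to read it only at
    # startup, so restart Apache after revoking an agent certificate.
    SSLCARevocationFile     /etc/puppet/ssl/ca/ca_crl.pem
#    SSLCARevocationPath     /opt/puppet/apache/SSL/crl
    # Every client must present a certificate issued directly by the puppet CA.
    SSLVerifyClient require
    SSLVerifyDepth  1
    # Exports the SSL_CLIENT_* variables that the RequestHeader lines read.
    SSLOptions +StdEnvVars

    # The following client headers allow the same configuration to work with Pound.
    # "set" overwrites any value the client sent, so the back end sees only
    # what mod_ssl verified.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # NOTE(review): the path of this container was lost; "/" is what the
    # Puppet documentation of that period used. balancer-manager is an
    # administrative interface and "Allow from all" leaves it open to every
    # client that passes certificate verification. If it is not needed, drop
    # the SetHandler line; if it is, serve it from a dedicated path limited
    # to admin hosts. Do not tighten the access rules on "/" itself, since
    # they apply to the agents' proxied requests as well.
    <Location />
        SetHandler balancer-manager
        Order allow,deny
        Allow from all
    </Location>

    ProxyPass / balancer://puppet10-001.i.ajkdns.com/ timeout=180
    ProxyPassReverse / balancer://puppet10-001.i.ajkdns.com/
    ProxyPreserveHost on
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1

    ErrorLog  logs/balancer_error.log
    CustomLog logs/balancer_access.log combined
    # Records the negotiated protocol and cipher per request, which lets you
    # confirm that no client still connects with a weak suite.
    CustomLog logs/balancer_ssl_request.log  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>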