Overview
In an earlier experiment I put apache + passenger in front of the puppetmaster;
this time the front end is nginx + passenger.
nginx + passenger configuration
Package installation
Debian does have a puppetmaster-passenger package, but it is built around the apache server:
installing it pulls apache in as well, and all the passenger configuration ends up in apache.
So passenger is installed through gem instead:
root@master-2:~# gem install rake rack passenger --no-rdoc --no-ri
Successfully installed rake-10.4.2
Successfully installed rack-1.6.0
Fetching: passenger-4.0.57.gem (100%)
Building native extensions. This could take a while...
Successfully installed passenger-4.0.57
3 gems installed
With passenger installed, nginx cannot come from the apt-get repositories (the packaged binary has no
passenger module); the command below builds and installs an nginx that includes it.
root@master-2:~# passenger-install-nginx-module
# Follow the prompts. The installer may stop and ask you to apt-get some missing packages;
# install them, then run passenger-install-nginx-module again.
# Before building nginx it offers the following choice:
Do you want this installer to download, compile and install Nginx for you?
1. Yes: download, compile and install Nginx for me. (recommended)
The easiest way to get started. A stock Nginx 1.6.2 with Passenger
support, but with no other additional third party modules, will be
installed for you to a directory of your choice.
2. No: I want to customize my Nginx installation. (for advanced users)
Choose this if you want to compile Nginx with more third party modules
besides Passenger, or if you need to pass additional options to Nginx's
'configure' script. This installer will 1) ask you for the location of
the Nginx source code, 2) run the 'configure' script according to your
instructions, and 3) run 'make install'.
Whichever you choose, if you already have an existing Nginx configuration file,
then it will be preserved.
Enter your choice (1 or 2) or press Ctrl-C to abort: 1
# Choose 2 if you know what you are doing (extra modules, custom configure flags); otherwise 1 compiles and installs nginx for you.
Configuration files
nginx main configuration file nginx.conf
root@master-1:~# cat /opt/nginx/conf/nginx.conf
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    # Point nginx at the passenger gem installed above. `passenger-config --root`
    # prints the correct passenger_root; passenger_ruby must be the interpreter
    # the gem was installed under.
    passenger_root /var/lib/gems/1.9.1/gems/passenger-4.0.57;
    passenger_ruby /usr/bin/ruby1.9.1;

    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # The puppet server block lives in its own file under conf.d (shown below).
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;
        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}
The nginx server block that fronts puppet. The two CGI variables it sets match puppet's default
ssl_client_header (HTTP_X_CLIENT_DN) and ssl_client_verify_header (HTTP_X_CLIENT_VERIFY) settings,
so puppet.conf needs no change for them.
root@master-1:~# cat /etc/nginx/conf.d/puppet.conf
server {
    listen 8140 ssl;
    server_name master-1 master-1.puppet.com;

    passenger_enabled on;
    # Hand the TLS client-certificate result to the Rack app. puppet counts a request as
    # authenticated only when X_CLIENT_VERIFY is SUCCESS; nginx sets both values from the
    # handshake, so a client cannot supply its own.
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;

    access_log /var/log/nginx/puppet_access.log;
    error_log /var/log/nginx/puppet_error.log;

    # Passenger runs the config.ru found one directory above this public/ root.
    root /usr/share/puppet/rack/puppetmasterd/public;

    # The master's own certificate and key, and the puppet CA that signs the agents.
    ssl_certificate /var/lib/puppet/ssl/certs/master-1.puppet.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem;
    # Without ssl_crl, `puppet cert revoke` would have no effect at this front end.
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;

    # The original line was `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;`, which selects
    # SSLv2-era suites and RC4. Use a modern policy instead; add TLSv1 TLSv1.1 to
    # ssl_protocols only if an old agent cannot negotiate TLSv1.2.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;

    # optional, not on: an agent without a certificate must still reach the CA endpoints
    # to fetch the CA cert and submit its CSR; the app sees the result in HTTP_X_CLIENT_VERIFY.
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    ssl_session_timeout 5m;
}
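What the backend does with those two CGI variables is the security-relevant half of this setup. The block below is an added example, not code from the original post or from Puppet itself: it shows how a Rack application behind this server block should derive an identity from HTTP_X_CLIENT_DN only when HTTP_X_CLIENT_VERIFY is SUCCESS, let certificate-less agents reach just the CA endpoints, and stop a node from reading another node's catalog. The request hashes are constructed; the paths follow puppet's /<environment>/<indirection>/<key> layout, and the policy is a simplified stand-in for puppet's auth.conf, not a copy of it.

```ruby
# Added example, not code from the original post or from Puppet: how a Rack
# backend behind the nginx server block above should turn the two CGI variables
# set with passenger_set_cgi_param into an identity and an access decision.
# Request hashes are constructed; the policy is a simplified stand-in for auth.conf.

# $ssl_client_verify is "SUCCESS", "NONE" (no certificate offered, permitted by
# ssl_verify_client optional) or "FAILED..." (a certificate was offered but did not
# verify against ssl_client_certificate / ssl_crl). Only SUCCESS yields an identity.
def client_identity(env)
  return nil unless env["HTTP_X_CLIENT_VERIFY"] == "SUCCESS"
  # $ssl_client_s_dn is "/CN=name" on older nginx and "CN=name,..." (RFC 2253) on newer.
  m = env["HTTP_X_CLIENT_DN"].to_s.match(%r{(?:\A|/|,\s*)CN=([^/,]+)})
  m && m[1]
end

# Endpoints an agent must reach before it owns a certificate: the CA certificate,
# the CRL, and its own CSR (submit it, then poll for the signed certificate).
ANONYMOUS_OK = %r{\A/[^/]+/(certificate/[^/]+|certificate_revocation_list/ca|certificate_request/[^/]+)\z}
# A node may read only its own catalog and node object.
OWN_ONLY = %r{\A/[^/]+/(?:catalog|node)/([^/]+)\z}

# Returns [:allow or :deny, identity]; identity is "anonymous" for an allowed
# unauthenticated request and nil when an unauthenticated request is denied.
def authorize(env)
  path = env["PATH_INFO"].to_s
  name = client_identity(env)
  return [:allow, name || "anonymous"] if path =~ ANONYMOUS_OK
  return [:deny, nil] unless name
  if (m = OWN_ONLY.match(path))
    return m[1] == name ? [:allow, name] : [:deny, name]
  end
  [:allow, name]
end

# Constructed requests as the app sees them after nginx and passenger.
REQUESTS = {
  # Agent with a CA-signed certificate fetching its own catalog.
  own_catalog: { "PATH_INFO" => "/production/catalog/node-1.puppet.com",
                 "HTTP_X_CLIENT_VERIFY" => "SUCCESS",
                 "HTTP_X_CLIENT_DN" => "/CN=node-1.puppet.com" },
  # Same agent asking for another node's catalog: identity known, request denied.
  other_catalog: { "PATH_INFO" => "/production/catalog/node-2.puppet.com",
                   "HTTP_X_CLIENT_VERIFY" => "SUCCESS",
                   "HTTP_X_CLIENT_DN" => "CN=node-1.puppet.com" },
  # Fresh agent with no certificate submitting its CSR, as in the first agent run below.
  csr: { "PATH_INFO" => "/production/certificate_request/node-1.puppet.com",
         "HTTP_X_CLIENT_VERIFY" => "NONE",
         "HTTP_X_CLIENT_DN" => "" },
  # A client that sent its own X-Client-DN header but no certificate. nginx sets the
  # verify variable to NONE from the handshake, so any DN value present is ignored.
  spoofed_dn: { "PATH_INFO" => "/production/catalog/node-1.puppet.com",
                "HTTP_X_CLIENT_VERIFY" => "NONE",
                "HTTP_X_CLIENT_DN" => "/CN=node-1.puppet.com" },
}.freeze

def decisions
  REQUESTS.transform_values { |env| authorize(env) }
end

if __FILE__ == $PROGRAM_NAME
  decisions.each { |k, (verdict, who)| puts "#{k}: #{verdict} #{who.inspect}" }
end
```

The point to take from the spoofed_dn case is that the DN header alone is never trusted; the verify variable, which nginx derives from the handshake, decides, so the two passenger_set_cgi_param lines must always be set together.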
Testing the result
# With the configuration above in place, reload nginx on the master
root@master-2:~# /opt/nginx/sbin/nginx -s reload
# On the agent, run a test to see whether it can reach the master.
# The rm below discards the agent's existing key and certificate so that a fresh CSR is
# generated; do this only on a test node, since the old certificate cannot be recovered.
root@node-1:~# rm -rf /var/lib/puppet/ssl/*
root@node-1:~# puppet agent -t
Info: Creating a new SSL key for node-1.puppet.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for node-1.puppet.com
Info: Certificate Request fingerprint (SHA256): 7E:F9:4A:EA:B1:BE:A4:0B:33:1D:55:44:9B:4C:83:8D:74:49:25:0E:8B:A2:80:23:D0:6B:A5:0D:FB:E4:6F:07
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
# Sign the certificate on the master
root@master-2:~# puppet cert list --all
"node-1.puppet.com" (SHA256) 7E:F9:4A:EA:B1:BE:A4:0B:33:1D:55:44:9B:4C:83:8D:74:49:25:0E:8B:A2:80:23:D0:6B:A5:0D:FB:E4:6F:07
+ "master-2.puppet.com" (SHA256) 86:12:B9:BE:B2:2C:26:B2:15:FE:07:11:A1:ED:E5:BC:95:0C:8F:D1:8B:E6:40:FB:C5:0D:D6:DD:F6:DC:ED:00
root@master-2:~# puppet cert sign node-1.puppet.com
Notice: Signed certificate request for node-1.puppet.com
Notice: Removing file Puppet::SSL::CertificateRequest node-1.puppet.com at '/var/lib/puppet/ssl/ca/requests/node-1.puppet.com.pem'
root@master-2:~# puppet cert list --all
+ "master-2.puppet.com" (SHA256) 86:12:B9:BE:B2:2C:26:B2:15:FE:07:11:A1:ED:E5:BC:95:0C:8F:D1:8B:E6:40:FB:C5:0D:D6:DD:F6:DC:ED:00
+ "node-1.puppet.com" (SHA256) 8C:EA:3E:05:A0:90:D4:89:75:B6:9A:A8:55:BC:48:F8:C3:E8:60:D9:E0:51:9A:3F:E6:49:FE:B5:EA:1B:05:F3
# Run the agent again; it now connects to the master normally
root@node-1:~# puppet agent -t
Info: Caching certificate for node-1.puppet.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for node-1.puppet.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node-1.puppet.com
Info: Applying configuration version '1420875451'
Notice: Finished catalog run in 0.02 seconds
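The sign step above is what makes the second agent run succeed: the front end accepts the agent's certificate because ssl_client_certificate points at the puppet CA, and it would reject the same certificate after `puppet cert revoke` only because ssl_crl is set. The block below is an added example, not code from the original post or from Puppet: a throwaway CA issues an agent certificate, and verification is run the way nginx runs it, with and without the CRL loaded. CA names and serials are constructed for the demonstration.

```ruby
# Added example, not code from the original post or from Puppet: what the front
# end's ssl_client_certificate and ssl_crl directives amount to. A throwaway CA
# signs an agent certificate the way `puppet cert sign` does; verification then
# accepts that certificate, rejects one with the same CN from a foreign CA, and,
# once the agent's serial is on the CRL, rejects it only if the CRL is loaded.
# Names and serials are constructed for the demonstration.
require "openssl"

# Self-signed when issuer is nil, otherwise signed by issuer_key.
def issue_cert(cn, key, serial:, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
                                         ca ? "keyCertSign, cRLSign" : "digitalSignature, keyEncipherment", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The CA's CRL listing the given certificates, like ca_crl.pem after `puppet cert revoke`.
def build_crl(ca_cert, ca_key, *revoked_certs)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # CRL v2
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_certs.each do |c|
    r = OpenSSL::X509::Revoked.new
    r.serial = c.serial
    r.time = Time.now
    crl.add_revoked(r)
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  crl
end

# Mirrors the nginx directives: ca_cert plays ssl_client_certificate, crl plays
# ssl_crl and is consulted only when given. Returns [accepted?, reason].
def verify_client_cert(ca_cert, cert, crl: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  ok = store.verify(cert)
  [ok, ok ? "ok" : store.error_string]
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue_cert("Puppet CA: master-1.puppet.com", ca_key, serial: 1, ca: true)
  node_key = OpenSSL::PKey::RSA.new(2048)
  node = issue_cert("node-1.puppet.com", node_key, issuer: ca, issuer_key: ca_key, serial: 2)
  # Same CN and key pair, but issued by a CA the master does not trust.
  other_key = OpenSSL::PKey::RSA.new(2048)
  other_ca = issue_cert("Some other CA", other_key, serial: 1, ca: true)
  rogue = issue_cert("node-1.puppet.com", node_key, issuer: other_ca, issuer_key: other_key, serial: 3)
  crl = build_crl(ca, ca_key, node)
  {
    signed_by_our_ca: verify_client_cert(ca, node),
    same_cn_foreign_ca: verify_client_cert(ca, rogue),
    revoked_but_no_crl_loaded: verify_client_cert(ca, node), # no ssl_crl: still accepted
    revoked_with_crl_loaded: verify_client_cert(ca, node, crl: crl),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, (ok, why)| puts "#{k}: #{ok ? 'accepted' : "rejected (#{why})"}" }
end
```

The third case is the one worth remembering when operating this front end: revoking an agent in puppet updates ca_crl.pem, but nginx reads that file at startup, so a reload (as done in the test step above) is needed after a revocation, and leaving ssl_crl out entirely means revoked agents keep connecting.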
References
http://z0mbix.github.io/blog/2012/03/01/use-nginx-and-passenger-to-power-your-puppet-master/
This post is mirrored from wang_yb's cnblogs blog; the original is at http://www.cnblogs.com/wang_yb/p/4247904.html. Contact the original author before reposting.