puppet端口负载均衡配置(nginx+mongrel)
当puppetmaster管理的主机越来越多时,puppetmaster本身会出现性能瓶颈。除了增加服务器、扩充puppetmaster的数量来提升整体性能外,也可以在单台服务器上增加puppetmaster的进程数来提升性能。以下通过nginx对多个puppetmaster进程做负载均衡:由nginx向所有puppetagent提供认证服务,除此之外的其他puppetmaster功能由nginx转发给其中一个puppetmaster进程处理即可。nginx的upstream字段里面所包含的地址填写为127.0.0.1,指向本机的puppetmaster进程;这些进程只监听回环地址,并且信任nginx写入请求头的客户端证书验证结果,因此不应让其他主机直接访问这些后端端口,这样提高了安全性。
1.1 安装相关包
# yum install rubygem-mongrel nginx
1.2 修改puppet端口
# vim /etc/sysconfig/puppetmaster
# Backend ports for the puppetmaster processes; the sample start-up output
# lists one "Port:" line per entry. Keep this list in sync with the
# "upstream puppetmaster" block in nginx.conf.
PUPPETMASTER_PORTS=(
  18140
  18141
  18142
  18143
)

# --servertype=mongrel: run puppetmaster behind mongrel instead of serving
#   SSL itself (nginx terminates SSL in this setup).
# --ssl_client_header=HTTP_X_SSL_SUBJECT: take the client certificate subject
#   from the X-SSL-Subject request header that nginx sets.
# NOTE(review): the master trusts this header, so the backend ports must not
# be reachable by anything other than nginx; the netstat sample shows them
# bound to 127.0.0.1 only.
PUPPETMASTER_EXTRA_OPTS="--servertype=mongrel \
--ssl_client_header=HTTP_X_SSL_SUBJECT"
1.3 配置nginx
# vim nginx.conf
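# nginx front end for several mongrel-based puppetmaster processes.
# nginx terminates SSL on port 8140, checks agent certificates against the
# Puppet CA, and hands the verification result to the loopback-only backends
# in request headers.
user nginx nginx;
worker_processes 4;
error_log /var/log/puppet/nginx-puppet.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    tcp_nodelay on;
    large_client_header_buffers 16 4k;
    proxy_buffers 128 4k;

    # One entry per port in PUPPETMASTER_PORTS (/etc/sysconfig/puppetmaster).
    # Loopback only: the backends speak plain HTTP and trust the X-* headers
    # set below, so they must never be exposed on a routable address.
    upstream puppetmaster {
        server 127.0.0.1:18140;
        server 127.0.0.1:18141;
        server 127.0.0.1:18142;
        server 127.0.0.1:18143;
    }

    server {
        # "listen ... ssl" replaces the separate "ssl on;" directive, which
        # newer nginx releases deprecate and later remove.
        listen 8140 ssl;
        root /etc/puppet;
        ssl_session_timeout 5m;

        # Server certificate/key issued by the Puppet CA for this master.
        ssl_certificate /var/lib/puppet/ssl/certs/puppetserver.kisspuppet.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetserver.kisspuppet.com.pem;

        # Agent certificates are verified against the Puppet CA, and
        # certificates listed in the CA's CRL are rejected.
        ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

        # The previous cipher string (SSLv2:-LOW:-EXPORT:RC4+RSA) allowed
        # SSLv2 and RC4, both of which are broken. Restrict to TLS 1.2 with
        # strong ciphers; add TLSv1.3 where the installed nginx/OpenSSL
        # support it. Agents that cannot negotiate TLS 1.2 need upgrading
        # rather than a weaker setting here.
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4;

        # "optional": a client without a certificate is NOT rejected by nginx;
        # the request is still proxied, with the outcome in X-Client-Verify.
        # Access control therefore depends on the backend honouring that
        # header. NOTE(review): presumably required so that new agents can
        # request a certificate -- confirm for the Puppet version in use.
        ssl_verify_client optional;

        location / {
            proxy_pass http://puppetmaster;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # proxy_set_header replaces any value the client sent for these
            # names, so an agent cannot supply its own verification result
            # or subject. X-SSL-Subject is the header puppetmaster reads
            # (--ssl_client_header=HTTP_X_SSL_SUBJECT).
            proxy_set_header X-Client-Verify $ssl_client_verify;
            proxy_set_header X-Client-DN $ssl_client_s_dn;
            proxy_set_header X-SSL-Subject $ssl_client_s_dn;
            proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
            proxy_read_timeout 65;
        }
    }
}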
1.4 启动puppetmaster和nginx服务
# /etc/rc.d/init.d/nginx restart
Stopping nginx:
Starting nginx:
# /etc/rc.d/init.d/puppetmaster start
Starting puppetmaster:
Port: 18140
Port: 18141
Port: 18142
Port: 18143
1.5 查看监听端口
# netstat -nlp | grep 814
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN 6224/nginx
tcp 0 0 127.0.0.1:18140 0.0.0.0:* LISTEN 6271/ruby
tcp 0 0 127.0.0.1:18141 0.0.0.0:* LISTEN 6312/ruby
tcp 0 0 127.0.0.1:18142 0.0.0.0:* LISTEN 6351/ruby
tcp 0 0 127.0.0.1:18143 0.0.0.0:* LISTEN 6390/ruby
1.6 通过日志/var/log/nginx/access.log进行查看
# tailf /var/log/nginx/access.log
192.168.100.127 - - "POST /production/catalog/agent2.kisspuppet.com HTTP/1.1" 200 570 "-" "-"
192.168.100.127 - - "PUT /production/report/agent2.kisspuppet.com HTTP/1.1" 200 58 "-" "-"
192.168.100.126 - - "GET /production/file_metadatas/plugins?links=manage&checksum_type=md5&&ignore=---+%0A++-+%22.svn%22%0A++-+CVS%0A++-+%22.git%22&recurse=true HTTP/1.1" 404 56 "-" "-"
192.168.100.126 - - "GET /production/file_metadata/plugins? HTTP/1.1" 404 36 "-" "-"
192.168.100.126 - - "POST /production/catalog/agent1.kisspuppet.com HTTP/1.1" 200 570 "-" "-"
192.168.100.126 - - "PUT /production/report/agent1.kisspuppet.com HTTP/1.1" 200 58 "-" "-"
192.168.100.125 - - "GET