Puppet扩展(一):纵向扩展Apache+Passenger
1、功能说明puppet默认使用基于Ruby的WEBRickHTTP来处理HTTPS请求,
单个服务器使用Apache+Passenger替换掉WEBRickHTTP,
Passenger是用于将Ruby程序进行嵌入执行的Apache模块,
在安装前,首先至少要执行一次service puppetmaster start,生成本地证书
官方配置指南:https://docs.puppetlabs.com/guides/passenger.html
2、安装apache
1
# yum install -y httpd httpd-devel openssl mod_ssl ruby-devel libcurl-devel rubygems gcc
前面已安装了apache,这里主要安装mod_ssl ruby-devel libcurl-devel三个。
3、安装passenger
1
2
# gem install rack passenger
# passenger-install-apache2-module
直接回车
默认选择了Ruby,直接回车
检查需要安装的包,根据提示安装需要的软件包,再重新执行
1
# yum install libcurl-devel
需要将此段写入passenger.conf中:
1
2
3
4
5
6
# vi /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.53/buildout/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.53
PassengerDefaultRuby /usr/bin/ruby
继续回车完成,可以看到一个虚拟主机的配置样例。
4、配置rack
config.ru文件会告诉Rack如何生成puppet master进程
1
2
3
4
# cd /usr/share/puppet
# mkdir -p rack/puppetmasterd/{public,tmp}
# cp ext/rack/config.ru rack/puppetmasterd/
# chown puppet:puppet rack/puppetmasterd/config.ru
5、配置passenger和vhost
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# cp ext/rack/example-passenger-vhost.conf/etc/httpd/conf.d/puppetmaster.conf
# vi /etc/httpd/conf.d/puppetmaster.conf
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.
# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
#RackAutoDetect Off #注释掉这行
#RailsAutoDetect Off #注释掉这行
Listen 8140
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.ewin.com.pem #修改路径和证书名称
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.ewin.com.pem#修改路径和证书名称
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem#修改路径
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem#修改路径
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem#修改路径
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking; if you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public #修改路径
RackBaseURI /
#修改路径
Options None
AllowOverride None
Order allow,deny
allow from all
6、服务
1
2
3
4
# service puppetmaster stop
# service httpd restart
# chkconfig httpd on
# netstat -nlp | grep 8140
7、测试
(1)WEB网页访问测试
客户端修改IE设置,去掉标黄的勾:
使用IE浏览https://10.188.1.73:8140/
出现这一行表示配置成功,下一节配置Dashboard后就有内容了。
(2)linux客户端测试
1
# puppet agent --server puppet.ewin.com --test
没有报错,显示配置版本号及完成时间表示成功。
(3)puppet服务端测试
1
# tailf /var/log/httpd/access_log
10.188.1.172是windows客户机ywzhou-pc:
10.188.1.103是linux客户机zabbix:
客户机发出HTTP GET请求,状态码200表示请求成功,再使用PUT请求提交了一个报告
页:
[1]