前言:最近在服务器系统上安装了最新的Puppet客户端,发现与老版本的PuppetMaster同步时出现了一些问题。警告信息很好解决,把配置文件中的templatedir这一行注释掉,然后编辑PuppetMaster进行升级,直接升级到最新的3.6.1,然后发现PuppetMaster中默认安装的WEBrickwebserver性能低下,最新的3.6.1版本存在无法同时接受多个Agent客户端请求的bug,所以使用Apache+Passenger方案替代原有的WEBrick,提升并发性能,解决bug带来的问题。环境:Ubuntu12.0464-LTSPuppetMaster:3.6.1(升级前的版本是3.4.3)PuppetAgent:3.6.11,安装Apache2$sudoapt-getinstallapache2ruby1.8-devrubygems$sudoa2enmodssl$sudoa2enmodheaders2、InstallRack/Passenger$sudogeminstallrackpassenger$sudopassenger-install-apache2-module#根据提示解决软件依赖后,再次运行命令安装passenger模块。/1.8/gems/passenger-4.0.44/buildout/apache2/mod_passenger.soPassengerRoot/var/lib/gems/1.8/gems/passenger-4.0.44PassengerDefaultRuby/usr/bin/ruby1.8$sudomkdir/etc/puppet/rack$sudomkdir/etc/puppet/rack/{public,tmp}$sudoscp/usr/share/puppet/ext/rack/config.ru/etc/puppet/rack/$sudochown-Rpuppet:root/etc/puppet/rack3,配置Puppet虚拟主机文件$sudocp/usr/share/puppet/ext/rack/example-passenger-vhost.conf/etc/apache2/sites-available/puppet.conf$sudovim/etc/apache2/sites-available/puppet.conf#根据前面提示添加以下内容LoadModulepassenger_module/var/lib/gems/1.8/gems/passenger-4.0.44/buildout/apache2/mod_passenger。行Listen8140SSLEngineonSSLProtocolALL-SSLv2SSLCipherSuiteALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPSSLHonorCipherOrderon#修改为SSL实际路径和文件名SSLCertificateFile/var/lib/puppet/ssl/certs/test.cominggo.com.pemSSLCertificateKeyFile/var/lib/puppet/ssl/private_keys/test.cominggo.com.pemSSLCertificateChainFile/var/lib/puppet/ssl/certs/ca.pemSSLCACertificateFile/var/lib/puppet/ssl/certs/ca.pem#IfApache抱怨CRL上的签名无效,你可以尝试禁用#CRLcheckingbycommentingthenextline但这不推荐。SSLCARevocationFile/var/lib/puppet/ssl/crl.pemSSLVerifyClientoptionalSSLVerifyDepth1#The`ExportCertData`optionisneededforagentcertificateexpirationwarningsSSLOptions+StdEnvVars+ExportCertData#ThisheaderneedstobesetifusingaloadbalancerorproxyRequestHeaderunsetX-Forwarded-ForRequestHeadersetX-SSL-Subject%{SSL_CLIENT_S_DN}eRequestHeadersetX-Client-DN%{SSL_CLIENT_S_DN}eRequestHeadersetX-Client-Verify%{SSL_CLIENT_VERIFY}eDocumentRoot/etc/puppet/rack/public/RackBaseURI/OptionsNoneAllowOverrideNoneOrderallow,denyallowfromall##Logging#设置Puppet访问日志(可选,默认日志为other_vhosts_access.log)ErrorLog"/var/log/apache2/puppet_error.log"ServerSignatureOffCustomLog"/var/log/apache2/puppet_access.log"combined$cd/etc/apache2/sites-available/$sudoa2ensitepuppet.conf4.删除WEBrick服务(puppetmaster),并重新启动Apache服务$sudoupdate-rc.d-fpuppetmasterremove$sudo/etc/init.d/apache2restart$sudoss-talnp|grepapache2LISTEN0128*:8140*:*users:(("apache2",30037,5),("apache2",29472,5),("apache2",29467,5))LISTEN0128*:80*:*users:(("apache2",30037,3),("apache2",29472,3),("apache2",29467,3))LISTEN0128*:443*:*users:(("apache2",30037,4),("apache2",29472,4),("apache2",29467,4))5.验证是否部署成功1)访问HTTPS服务#访问页面:https://test.cominggo.com:8140/环境必须是纯字母数字,不能''2)PuppetAgent节点运行测试#PuppetAgent:$sudopuppetagent-t#PuppetMaster:检查apache访问日志是否有With200statusrequest$sudotail/var/log/apache2/puppet_access.log172.16.2.22--[20/Jun/2014:19:11:53+0800]"获取/pr产品/file_metadata/modules/zabbix/check.sh?source_permissions=use&links=manageHTTP/1.1"2005987"-""-"172.16.2.22--[20/Jun/2014:19:11:53+0800]"GET/生产/file_metadata/modules/zabbix/zabbix-release_2.2-1+precise_all.deb?source_permissions=use&links=manageHTTP/1.1"2006003"-""-"172.16.2.22--[20/Jun/2014:19:11:53+0800]"GET/production/file_metadata/modules/zabbix/game.conf?source_permissions=use&links=manageHTTP/1.1"2005971"-""-"172.16.2.22--[20/Jun/2014:19:11:53+0800]"GET/production/file_metadatas/modules/game/release/data?checksum_type=md5&recurse=true&links=manageHTTP/1.1"20044519"-""-"172.16.2.22--[20/Jun/2014:19:11:54+0800]"GET/production/file_metadata/modules/zabbix/netif.py?source_permissions=use&links=manageHTTP/1.1"2005987"-""-"172.16.2.22--[20/Jun/2014:19:11:56+0800]"PUT/production/report/t1.cominggo.comHTTP/1.1"2005683"-""-"参考:官方文档:http://docs.puppetlabs.com/guides/passenger.htmlKissPuppet博客:http://kisspuppet.com/2013/11/08/apache-passenger/博客地址:https://img.ydisp.cn/news/20220729/hvtnwc2ozxf.com
