Puppet扩展(一)：纵向扩展Apache+Passenger

2025-02-01 技术教程

1、功能说明

puppet默认使用基于Ruby的WEBRickHTTP来处理HTTPS请求，

单个服务器使用Apache+Passenger替换掉WEBRickHTTP，

Passenger是用于将Ruby程序进行嵌入执行的Apache模块，

在安装前，首先至少要执行一次service puppetmaster start，生成本地证书

官方配置指南：https://docs.puppetlabs.com/guides/passenger.html

2、安装apache

[root@puppet~]#yuminstall-yhttpdhttpd-developensslmod_sslruby-devellibcurl-develrubygemsgcc

前面已安装了apache，这里主要安装mod_ssl ruby-devel libcurl-devel三个。

3、安装passenger

[root@puppet~]#geminstallrackpassenger[root@puppet~]#passenger-install-apache2-module

直接回车

默认选择了Ruby，直接回车

检查需要安装的包，根据提示安装需要的软件包，再重新执行

[root@puppet~]#yuminstalllibcurl-devel

需要将此段写入passenger.conf中：

[root@puppet~]#vi/etc/httpd/conf.d/passenger.confLoadModulepassenger_module/usr/lib/ruby/gems/1.8/gems/passenger-4.0.53/buildout/apache2/mod_passenger.so<IfModulemod_passenger.c>PassengerRoot/usr/lib/ruby/gems/1.8/gems/passenger-4.0.53PassengerDefaultRuby/usr/bin/ruby</IfModule>

继续回车完成，可以看到一个虚拟主机的配置样例。

4、配置rack

config.ru文件会告诉Rack如何生成puppet master进程

[root@puppet~]#cd/usr/share/puppet[root@puppetpuppet]#mkdir-prack/puppetmasterd/{public,tmp}[root@puppetpuppet]#cpext/rack/config.rurack/puppetmasterd/[root@puppetpuppet]#chownpuppet:puppetrack/puppetmasterd/config.ru

5、配置passenger和vhost

[root@puppetpuppet]#cpext/rack/example-passenger-vhost.conf/etc/httpd/conf.d/puppetmaster.conf[root@puppetpuppet]#vi/etc/httpd/conf.d/puppetmaster.conf#ThisApache2virtualhostconfigshowshowtousePuppetasaRack#applicationviaPassenger.See#http://docs.puppetlabs.com/guides/passenger.htmlformoreinformation.#Youcanalsousetheincludedconfig.rufiletorunPuppetwithotherRack#serversinsteadofPassenger.#youprobablywanttotunethesesettingsPassengerHighPerformanceonPassengerMaxPoolSize12PassengerPoolIdleTime1500#PassengerMaxRequests1000PassengerStatThrottleRate120#RackAutoDetectOff#注释掉这行#RailsAutoDetectOff#注释掉这行Listen8140<VirtualHost*:8140>SSLEngineonSSLProtocolALL-SSLv2-SSLv3SSLCipherSuiteEDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHASSLHonorCipherOrderonSSLCertificateFile/var/lib/puppet/ssl/certs/puppet.ewin.com.pem#修改路径和证书名称SSLCertificateKeyFile/var/lib/puppet/ssl/private_keys/puppet.ewin.com.pem#修改路径和证书名称SSLCertificateChainFile/var/lib/puppet/ssl/ca/ca_crt.pem#修改路径SSLCACertificateFile/var/lib/puppet/ssl/ca/ca_crt.pem#修改路径#IfApachecomplainsaboutinvalidsignaturesontheCRL,youcantrydisabling#CRLcheckingbycommentingthenextline,butthisisnotrecommended.SSLCARevocationFile/var/lib/puppet/ssl/ca/ca_crl.pem#修改路径#Apache2.4introducestheSSLCARevocationCheckdirectiveandsetsittonone#whicheffectivelydisablesCRLchecking;ifyouareusingApache2.4+youmust#specify'SSLCARevocationCheckchain'toactuallyusetheCRL.#SSLCARevocationCheckchainSSLVerifyClientoptionalSSLVerifyDepth1#The`ExportCertData`optionisneededforagentcertificateexpirationwarningsSSLOptions+StdEnvVars+ExportCertData#ThisheaderneedstobesetifusingaloadbalancerorproxyRequestHeaderunsetX-Forwarded-ForRequestHeadersetX-SSL-Subject%{SSL_CLIENT_S_DN}eRequestHeadersetX-Client-DN%{SSL_CLIENT_S_DN}eRequestHeadersetX-Client-Verify%{SSL_CLIENT_VERIFY}eDocumentRoot/usr/share/puppet/rack/puppetmasterd/public#修改路径RackBaseURI/<Directory/usr/share/puppet/rack/puppetmasterd/>#修改路径OptionsNoneAllowOverrideNoneOrderallow,denyallowfromall</Directory></VirtualHost>

6、服务

[root@puppet~]#servicepuppetmasterstop[root@puppet~]#servicehttpdrestart[root@puppet~]#chkconfighttpdon[root@puppet~]#netstat-nlp|grep8140

7、测试

（1）WEB网页访问测试

客户端修改IE设置，去掉标黄的勾：

使用IE浏览https://10.188.1.73:8140/

出现这一行表示配置成功，下一节配置Dashboard后就有内容了。

（2）linux客户端测试

[root@zabbix~]#puppetagent--serverpuppet.ewin.com--test

没有报错，显示配置版本号及完成时间表示成功。

（3）puppet服务端测试

[root@puppet~]#tailf/var/log/httpd/access_log