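The hosts on our company's virtualization platform are managed with puppet, but a single puppet master is a serious bottleneck. By default puppetmaster uses WEBrick, the web server bundled with ruby. It is too basic and performs poorly under the concurrency of hundreds or thousands of puppet clients.

Ruby is also an interpreted language, so its performance is never going to be great. We can't rewrite it in a high-performance language, but we can tune parts of the setup to improve performance.

My idea is to put a reverse proxy in front: puppetmaster's capacity can be raised at least several times over, which goes a long way towards optimising puppet's processing capability.

My personal summary: puppet is well suited to configuring services, but not to transferring files. For example, if you want to push an environment installation package for the clients to install, it is a real pain.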


[screenshot: puppet version]

[screenshot: ruby version]

[screenshot: operating system version]

[screenshot: Nginx version]


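Step 1

```
yum install -y rubygem-mongrel
```

Step 2

vim /etc/sysconfig/puppetmaster and add the following:

```
# One mongrel-backed puppetmaster process per port
PUPPETMASTER_PORTS=(8141 8142 8143 8144 8145)
# puppetmaster reads the client certificate subject from the X-SSL-Subject
# request header, which nginx sets in step 4
PUPPETMASTER_EXTRA_OPTS="--servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT"
```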


Step 3

```
yum -y install nginx
```

It can also be built from source:

```
# pcre-8.12.tar.gz and nginx-1.0.12.tar.gz are expected in the current directory
wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
tar zxf ./openssl-0.9.8l.tar.gz
cd ./openssl-0.9.8l
./config enable-tlsext
make && make install
cd ..
tar -xzf pcre-8.12.tar.gz
cd pcre-8.12
./configure && make && make install
cd ..
tar -xzf nginx-1.0.12.tar.gz
cd nginx-1.0.12
./configure --user=nobody --group=nobody --prefix=/usr/local/nginx \
    --with-http_stub_status_module --with-http_gzip_static_module \
    --with-pcre=../pcre-8.12 --with-http_ssl_module --with-openssl=../openssl-0.9.8l/
make && make install
```

Step 4

Configure nginx.conf

```
user www;
worker_processes 8;
events {
    worker_connections 65535;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    # Log format for puppet client requests to the puppet server
    log_format main '$remote_addr - $remote_user [$time_local] "$request" $request_length $request_time $time_local '
                    '$status $body_bytes_sent $bytes_sent $connection $msec "$http_referer" '
                    '"$http_user_agent" $http_x_forwarded_for $upstream_response_time $upstream_addr $upstream_status ';
    access_log /etc/nginx/logs/access.log main;
    # The mongrel-backed puppetmaster processes from step 2, loopback only
    upstream puppetmaster {
        server 127.0.0.1:8141;
        server 127.0.0.1:8142;
        server 127.0.0.1:8143;
        server 127.0.0.1:8144;
        server 127.0.0.1:8145;
    }
    server {
        listen 8140;
        root /etc/puppet;
        ssl on;
        ssl_session_timeout 5m;
        # puppetmaster server certificate paths
        ssl_certificate /var/lib/puppet/ssl/certs/master.rui.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/master.rui.com.pem;
        ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        # optional: agents without a signed certificate still have to reach the
        # master to submit a CSR; the verification result goes upstream in
        # X-Client-Verify
        ssl_verify_client optional;
        # File sections
        # nginx serves these paths itself, so puppetmaster's own access checks
        # are not applied to them
        location /production/file_content/files/ {
            types { }
            default_type application/x-raw;
            # Alias for the puppet file-serving path
            alias /etc/puppet/files/;
        }
        # Modules files sections
        location ~ /production/file_content/modules/.+/ {
            root /etc/puppet/modules;
            types { }
            default_type application/x-raw;
            rewrite ^/production/file_content/modules/(.+)/(.+)$ /$1/files/$2 break;
        }
        location / {
            # Forward to the load-balanced puppetmaster upstream
            proxy_pass http://puppetmaster;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Set by nginx on every request; X-SSL-Subject matches
            # --ssl_client_header=HTTP_X_SSL_SUBJECT from step 2
            proxy_set_header X-Client-Verify $ssl_client_verify;
            proxy_set_header X-SSL-Subject $ssl_client_s_dn;
            proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
            proxy_buffer_size 10m;
            proxy_buffers 1024 10m;
            proxy_busy_buffers_size 10m;
            proxy_temp_file_write_size 10m;
            proxy_read_timeout 120;
        }
    }
}
```


Step 5

Start nginx and check which ports are listening.

Step 6

Start the puppet master.


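You can also try unicorn in place of puppet's built-in web server. It is said to perform well; at the very least, github already uses it.

With this configuration in place performance looked good, but after running for a few days the process ends up hogging resources. Cause unknown.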

```
# Install the build dependencies
yum install ruby-devel gcc make
# Install unicorn
gem install unicorn rack
# Copy puppet's rack configuration file
cp /usr/share/puppet/ext/rack/files/config.ru /etc/puppet/
```

vim /etc/puppet/unicorn.conf

```
worker_processes 8
working_directory "/etc/puppet"
# nginx reaches the workers through this unix socket
listen '/var/run/puppet/puppetmaster_unicorn.sock', :backlog => 512
timeout 120
pid "/var/run/puppet/puppetmaster_unicorn.pid"
preload_app true
if GC.respond_to?(:copy_on_write_friendly=)
  GC.copy_on_write_friendly = true
end
before_fork do |server, worker|
  # On a re-exec, ask the previous master process to quit
  old_pid = "#{server.config[:pid]}.oldbin"
  if File.exist?(old_pid) && server.pid != old_pid
    begin
      Process.kill("QUIT", File.read(old_pid).to_i)
    rescue Errno::ENOENT, Errno::ESRCH
      # someone else did our job for us
    end
  end
end
```

Start unicorn

```
unicorn -c unicorn.conf
```

vim /etc/nginx/nginx_puppet.conf

```
upstream puppetmaster_unicorn {
    server unix:/var/run/puppet/puppetmaster_unicorn.sock fail_timeout=0;
}
server {
    listen 8140;
    server_name master.puppet.lightcloud.cn;
    ssl on;
    ssl_session_timeout 5m;
    ssl_certificate /etc/puppet/ssl/certs/master.puppet.lightcloud.cn.pem;
    ssl_certificate_key /etc/puppet/ssl/private_keys/master.puppet.lightcloud.cn.pem;
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    # Legacy cipher string: SSLv2 and RC4 are broken, so use a current
    # cipher list on any modern nginx/OpenSSL
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_verify_client optional;
    root /usr/share/empty;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Client certificate verification result and subject, set by nginx
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;
    proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
    proxy_read_timeout 120;
    location / {
        proxy_pass http://puppetmaster_unicorn;
        proxy_redirect off;
    }
}
```
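
A check for the two front-end configurations above, as an added example that is not part of the original post: the puppetmaster backends take the certificate subject and verification result from request headers, so this Ruby script audits that nginx sets those headers itself, that the backends sit on loopback or a unix socket, and that the CRL and cipher settings hold up. The function names and finding strings are assumptions of this example, and the sample config is a trimmed, constructed copy of the unicorn front end.

```ruby
# CGI-style name given to --ssl_client_header -> wire header name.
def cgi_to_header(cgi_name)
  cgi_name.sub(/\AHTTP_/, '').tr('_', '-').downcase
end

# conf: nginx config text. ssl_client_header: the header puppetmaster trusts
# (HTTP_X_CLIENT_DN is Puppet's default). Returns an array of findings.
def audit_puppet_proxy(conf, ssl_client_header = 'HTTP_X_CLIENT_DN')
  dirs = conf.gsub(/#.*$/, '').split(/[;{}]/).map(&:split).reject(&:empty?)
  value = ->(name) { (dirs.find { |d| d[0] == name } || [])[1] }
  set = dirs.select { |d| d[0] == 'proxy_set_header' }
            .to_h { |d| [d[1].to_s.downcase, d[2]] }
  findings = []

  # The backend believes these headers, so nginx must overwrite them itself.
  subject = cgi_to_header(ssl_client_header)
  findings << "#{subject} not set from $ssl_client_s_dn" unless set[subject] == '$ssl_client_s_dn'
  findings << 'x-client-verify not set from $ssl_client_verify' unless set['x-client-verify'] == '$ssl_client_verify'

  # Anyone who can reach a backend directly can supply both headers.
  dirs.select { |d| d[0] == 'server' && d[1] }.each do |d|
    next if d[1] =~ /\A(unix:|127\.|localhost|\[::1\])/
    findings << "backend #{d[1]} is not loopback or a unix socket"
  end

  findings << 'ssl_verify_client missing' unless %w[on optional].include?(value.call('ssl_verify_client'))
  findings << 'ssl_crl missing: revoked agent certificates still verify' unless value.call('ssl_crl')
  weak = value.call('ssl_ciphers').to_s.split(':')
              .reject { |c| c.start_with?('-', '!') }.grep(/SSLv2|RC4/)
  findings << "weak ssl_ciphers entries: #{weak.join(', ')}" unless weak.empty?
  findings
end

# Constructed sample (added example): the unicorn front end above, trimmed.
UNICORN_CONF = <<~'NGINX'
  upstream puppetmaster_unicorn {
    server unix:/var/run/puppet/puppetmaster_unicorn.sock fail_timeout=0;
  }
  server {
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_verify_client optional;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;
    location / { proxy_pass http://puppetmaster_unicorn; }
  }
NGINX

puts audit_puppet_proxy(UNICORN_CONF) if __FILE__ == $PROGRAM_NAME
```

For the mongrel setup, pass 'HTTP_X_SSL_SUBJECT' as the second argument so the check matches PUPPETMASTER_EXTRA_OPTS.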