puppet2.8.7终于解决了在使用nginx作为webserver时无法取到fact的bug。
http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.8
Fix missing facts under Mongrel
(#9109)
When using Puppet with Mongrel, facts were being lost from agent nodes running 2.7.0 or higher. This was caused by Mongrel puppet masters only retrieving request parameters from the query parameters of the URL, which mixed badly with clients that submit their facts in a POST request. This has been fixed, and Mongrel puppet masters can merge the POST request body with the query parameters.
当服务器数量较多时,puppet client经常出现time out的情况。
使用nginx代替pound:
优点
性能:nginx因为精简,运行起来非常快速,许多人声称它的比pound更高效。
日志,调试:在这两个方面,nginx比pound更简洁。
灵活性:nginx的处理SSL客户端验证是在应用层上实现的,而不会终止SSL连接。
nginx可以拿来即用, 不需要像pound打补丁,同时配置的语法也很直观。
缺点
一但在服务端使用puppetca进行sgin以后,无法主动在服务端撤销授权,
不过你可以在客户端删除ssl目录来取消授权,一般情况下没什么影响。
参考:
http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel_Nginx
原理:
更改puppetmaster的配置,使puppetmaster运行mongrel来作为webserver。监听在指定端口。
nginx用于接受puppet client的请求,并将请求转发给mongrel。nginx启动两个端口,分别是1840和1841
其中:
1840:响应puppet client的baokuo manifest,file,module等请求。响应请求时会验证客户端的证书。只有ca签发的证书才响应请求。
1841:接受用签发puppet client的证书。这个端口不验证客户端的证书。
1、安装mongrel:
Mongrel 是一个Ruby的web服务器,它已经是一个全功能、稳定、高效的web应用服务器,可以用它来支撑许多Ruby站点。
关于gem的安装,可以查看puppet dashboard里方法。
安装:gem install mongrel
2、修改puppetmaster配置文件
/etc/sysconfig/puppetmaster PUPPETMASTER_PORTS=( 18140 18141 18142 18143 ) PUPPETMASTER_EXTRA_OPTS="--servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT"
3、修改puppet的auth.conf 需要么???????????
/etc/puppet/auth.conf
将以下内容添加到所有配置前面。
path / auth no allow *
5、重启puppetmaster
重启后,将启动以下端口
Port: 18140 [ OK ]
Port: 18141 [ OK ]
Port: 18142 [ OK ]
Port: 18143 [ OK ]
6、配置nginx
主配置文件:
include puppet_ssl.conf;
conf/puppet_ssl.conf
ssl_certificate /var/lib/puppet/ssl/certs/gh.test.com.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/gh.test.com.pem;
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
ssl_session_cache shared:SSL:8m;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_session_timeout 5m;
upstream puppet-production {
fair;
server 127.0.0.1:18140;
server 127.0.0.1:18141;
server 127.0.0.1:18142;
server 127.0.0.1:18143;
}
server {
listen 8140;
ssl on;
ssl_session_timeout 5m;
ssl_certificate /var/lib/puppet/ssl/certs/ghcom.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/ghcom.pem;
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
# choose any ciphers
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
# allow authenticated and client without certs
ssl_verify_client optional;
# obey to the Puppet CRL
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
root /null;
access_log logs/puppet.log;
location / {
proxy_pass http://puppet-production;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 65;
}
}
注:我将ssl on;这个参数放在了server段里了,因为如果放在http段,会造成原来的非https server不能访问:The plain HTTP request was sent to HTTPS port
重启nginx
8140被占用?找到对应的ruby进程,杀掉即可。