• puppet master 用 nginx + unicorn 作为前端


    概要

    unicorn 和之前的 passenger 的设计理念不同, 究竟谁更好其实还得看具体的使用场景.
    但是我觉得 unicorn 有个比 passenger 好的地方就是不用重新编译 nginx.

    nginx + unicorn 配置

    package 安装

    root@master-1:~# apt-get install nginx
    root@master-1:~# apt-get install ruby-dev
    root@master-1:~# gem install unicorn
    

    配置文件设置

    配置 unicorn

    root@master-1:~# cat /usr/share/puppet/rack/puppetmasterd/unicorn.conf
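    worker_processes 8
    # Unicorn configuration for the puppetmasterd Rack application.
    # The socket, pid and timeout values here must agree with the nginx
    # upstream block (server unix:...) and its proxy_read_timeout.
    #working_directory "/etc/puppet"
    working_directory "/usr/share/puppet/rack/puppetmasterd"
    # UNIX socket that nginx proxies to; keep it identical to the
    # `server unix:` line of the nginx upstream.
    listen '/var/run/puppet/puppetmaster_unicorn.sock', :backlog => 512
    # Per-request worker timeout (seconds); nginx uses the same 120 s for
    # proxy_read_timeout so the two do not cut each other off.
    timeout 120
    pid "/var/run/puppet/puppetmaster_unicorn.pid"
    preload_app true
    if GC.respond_to?(:copy_on_write_friendly=)
      GC.copy_on_write_friendly = true
    end
    before_fork do |server, _worker|
      # A "<pid>.oldbin" file is presumably left by the previous master
      # during a zero-downtime re-exec; once the new master is forking
      # workers, ask that old master to shut down gracefully.
      old_pid = "#{server.config[:pid]}.oldbin"
      # Fixed: the original used `;` here, which turned the
      # `server.pid != old_pid` comparison into a discarded statement.
      # File.exist? is the non-deprecated spelling of File.exists?.
      if File.exist?(old_pid) && server.pid != old_pid
        begin
          Process.kill("QUIT", File.read(old_pid).to_i)
        rescue Errno::ENOENT, Errno::ESRCH
          # someone else did our job for us
        end
      end
    end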
    

    配置nginx

    root@master-1:~# cat /etc/nginx/conf.d/puppet-unicorn.conf
    upstream puppetmaster_unicorn {
          # Must match the `listen` socket path in unicorn.conf.
          server unix:/var/run/puppet/puppetmaster_unicorn.sock fail_timeout=0;
    }
    server {
    # Port the puppet agents connect to.
    listen 8140;
        # NOTE(review): `ssl on;` is the legacy form; newer nginx releases
        # expect `listen 8140 ssl;` instead — confirm against the installed version.
        ssl on;
        ssl_session_timeout 5m;
        # The master's own Puppet-issued certificate and key.
        ssl_certificate /var/lib/puppet/ssl/certs/master-1.puppet.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem;
        # CA used to verify agent client certificates.
        ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
        # NOTE(review): this cipher string admits SSLv2-era suites and RC4,
        # both long considered broken. Prefer an explicit modern cipher list
        # plus an `ssl_protocols` directive limited to TLSv1.2 (or newer)
        # once the agents' Ruby/OpenSSL is confirmed to support it.
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        # `optional` rather than `on`: a freshly installed agent has no
        # certificate yet and must still be able to submit its CSR (see the
        # agent transcript further down). Authentication is therefore left to
        # the application, using the X-Client-* headers set below.
        ssl_verify_client optional;
        # Nothing is served from disk; every request is proxied.
        root /usr/share/empty;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Client-certificate verification result and subject/issuer DN,
        # forwarded so the Rack app behind unicorn can authenticate the agent.
        # Because the app presumably trusts these headers as-is, only nginx
        # may be allowed to connect to the upstream socket — any other local
        # process able to write to it could forge them.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        # Same value as unicorn's `timeout 120`.
        proxy_read_timeout 120;
    location / {
        proxy_pass http://puppetmaster_unicorn;
        proxy_redirect off;
        }
    }
    

    测试配置结果

    # master 上清除证书
    root@master-1:/# puppet cert list --all
    + "master-1.puppet.com" (SHA256) 38:79:AE:E8:BF:04:EB:F5:C5:D0:62:08:35:D0:4A:13:A7:D4:F4:63:D7:C8:E4:D3:54:1E:35:E3:9F:70:A2:FE (alt names: "DNS:master-1.puppet.com", "DNS:puppet", "DNS:puppet.puppet.com")
    + "node-1.puppet.com"   (SHA256) 2A:3B:D4:A7:D2:29:50:AC:06:38:B7:16:AC:B8:F7:0C:4F:74:2A:28:6D:1F:00:D7:72:BB:C2:BE:6E:70:ED:AA
    root@master-1:/# puppet cert clean node-1.puppet.com
    Notice: Revoked certificate with serial 7
    Notice: Removing file Puppet::SSL::Certificate node-1.puppet.com at '/var/lib/puppet/ssl/ca/signed/node-1.puppet.com.pem'
    Notice: Removing file Puppet::SSL::Certificate node-1.puppet.com at '/var/lib/puppet/ssl/certs/node-1.puppet.com.pem'
    root@master-1:/# puppet cert -c node-1.puppet.com
    Notice: Revoked certificate with serial 5
    Notice: Revoked certificate with serial 7
    
    # master 上启动nginx 和 unicorn
    root@master-1:/# nginx
    root@master-1:/# cd /etc/puppet
    root@master-1:/etc/puppet# unicorn -c unicorn.conf
    
    # agent 上清除原有的证书
    root@node-1:~# rm -rf /var/lib/puppet/ssl/*
    
    # agent 重新生成证书
    root@node-1:~# puppet agent  -t
    Info: Creating a new SSL key for node-1.puppet.com
    Info: Caching certificate for ca
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for node-1.puppet.com
    Info: Certificate Request fingerprint (SHA256): 41:BF:7B:CB:6A:2B:B4:1B:F3:36:14:8E:EF:F7:61:38:60:A2:59:DC:0E:1C:A2:CE:E5:31:0F:80:CD:7E:B3:D0
    Info: Caching certificate for ca
    Exiting; no certificate found and waitforcert is disabled
    
    # master 上对证书进行签名
    root@master-1:/# puppet cert list
      "node-1.puppet.com" (SHA256) 41:BF:7B:CB:6A:2B:B4:1B:F3:36:14:8E:EF:F7:61:38:60:A2:59:DC:0E:1C:A2:CE:E5:31:0F:80:CD:7E:B3:D0
    root@master-1:/# puppet cert sign node-1.puppet.com
    Notice: Signed certificate request for node-1.puppet.com
    Notice: Removing file Puppet::SSL::CertificateRequest node-1.puppet.com at '/var/lib/puppet/ssl/ca/requests/node-1.puppet.com.pem'
    
    # agent 上再次连接 master
    root@node-1:~# puppet agent  -t
    Info: Caching certificate for node-1.puppet.com
    Info: Caching certificate_revocation_list for ca
    Info: Caching certificate for node-1.puppet.com
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Caching catalog for node-1.puppet.com
    Info: Applying configuration version '1421053002'
    Notice: Finished catalog run in 0.02 seconds
    

    nginx 负载均衡

    上述方式中, 1个 nginx <-> 1个 unicorn
    下面配置 nginx 的负载均衡的方式, 即 1个 nginx <-> 2个 unicorn

    nginx.conf 修改如下:

    root@master-1:~# cat /etc/nginx/conf.d/puppet-unicorn.conf
    upstream puppetmaster_unicorn {
          # Two unicorn instances; nginx spreads requests across them
          # (round-robin by default). Each socket path must match the
          # `listen` line of the corresponding unicorn.conf.
          server unix:/var/run/puppet/puppetmaster_unicorn.sock fail_timeout=0;
          server unix:/var/run/puppet/puppetmaster_unicorn-1.sock fail_timeout=0;
    }
    
    server {
    # Port the puppet agents connect to.
    listen 8140;
        # NOTE(review): `ssl on;` is the legacy form; newer nginx releases
        # expect `listen 8140 ssl;` instead — confirm against the installed version.
        ssl on;
        ssl_session_timeout 5m;
        # The master's own Puppet-issued certificate and key.
        ssl_certificate /var/lib/puppet/ssl/certs/master-1.puppet.com.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/master-1.puppet.com.pem;
        # CA used to verify agent client certificates.
        ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
        # NOTE(review): this cipher string admits SSLv2-era suites and RC4,
        # both long considered broken. Prefer an explicit modern cipher list
        # plus an `ssl_protocols` directive limited to TLSv1.2 (or newer)
        # once the agents' Ruby/OpenSSL is confirmed to support it.
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        # `optional` so an agent without a certificate can still submit its
        # CSR; the application decides per request from the X-Client-* headers.
        ssl_verify_client optional;
        # Nothing is served from disk; every request is proxied.
        root /usr/share/empty;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Client-certificate verification result and DNs, forwarded for the
        # Rack app to authenticate the agent. Both upstream sockets must be
        # reachable only by nginx, otherwise these headers could be forged
        # by another local process.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        # Same value as unicorn's `timeout 120`.
        proxy_read_timeout 120;
    
    location / {
        proxy_pass http://puppetmaster_unicorn;
        proxy_redirect off;
        }
    }
    

    再建立一个 puppetmaster

    root@master-1:~# cd /usr/share/puppet/rack/
    root@master-1:/usr/share/puppet/rack# cp -r puppetmasterd/ puppetmaster-1d/
    
    # 修改 puppetmaster-1d 中的 unicorn.conf
    root@master-1:/usr/share/puppet/rack# cat puppetmaster-1d/unicorn.conf
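    worker_processes 8
    # Unicorn configuration for the second puppetmaster instance
    # (puppetmaster-1d). Only the working directory, socket and pid file
    # differ from the first instance; the socket must match the second
    # `server unix:` line in the nginx upstream.
    #working_directory "/etc/puppet"
    working_directory "/usr/share/puppet/rack/puppetmaster-1d"
    listen '/var/run/puppet/puppetmaster_unicorn-1.sock', :backlog => 512
    # Per-request worker timeout (seconds); nginx's proxy_read_timeout uses
    # the same 120 s.
    timeout 120
    # Separate pid file so the two instances can be managed independently.
    pid "/var/run/puppet/puppetmaster_unicorn-1.pid"
    preload_app true
    if GC.respond_to?(:copy_on_write_friendly=)
      GC.copy_on_write_friendly = true
    end
    before_fork do |server, _worker|
      # A "<pid>.oldbin" file is presumably left by the previous master
      # during a zero-downtime re-exec; once the new master is forking
      # workers, ask that old master to shut down gracefully.
      old_pid = "#{server.config[:pid]}.oldbin"
      # Fixed: the original used `;` here, which turned the
      # `server.pid != old_pid` comparison into a discarded statement.
      # File.exist? is the non-deprecated spelling of File.exists?.
      if File.exist?(old_pid) && server.pid != old_pid
        begin
          Process.kill("QUIT", File.read(old_pid).to_i)
        rescue Errno::ENOENT, Errno::ESRCH
          # someone else did our job for us
        end
      end
    end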
    

    启动 nginx, puppetmasterd 和 puppetmaster-1d, 然后就可以接受 agent 的请求了.

    root@master-1:~# nginx -s reload
    root@master-1:~# unicorn -c /usr/share/puppet/rack/puppetmasterd/unicorn.conf
    root@master-1:~# unicorn -c /usr/share/puppet/rack/puppetmaster-1d/unicorn.conf
    

    补充说明

    上面的 unicorn 是在命令行启动的, 也可以把它做成 /etc/init.d 中的服务随系统自动启动.
    参考网址:

  • 原文地址:https://www.cnblogs.com/wang_yb/p/4248341.html