Kenneth Holter
2008-Oct-15 09:12 UTC
[Puppet Users] Running multiple puppetmasters with nginx/mongrel
Hello list.

I have a simple question about running multiple puppetmasters with nginx/mongrel. The sample nginx config file found on the puppet web site defines something like this:

    upstream puppet-production {
        server 127.0.0.1:18140;
        server 127.0.0.1:18141;
        server 127.0.0.1:18142;
        server 127.0.0.1:18143;
    }

    server {
        listen 8140;
        ssl_verify_client on;
        root /var/empty;
        access_log on;
        rewrite_log on;

        # Variables
        # $ssl_cipher returns the cipher used for the established SSL connection
        # $ssl_client_serial returns the serial number of the client certificate for the established SSL connection
        # $ssl_client_s_dn returns the subject DN of the client certificate for the established SSL connection
        # $ssl_client_i_dn returns the issuer DN of the client certificate for the established SSL connection
        # $ssl_protocol returns the protocol of the established SSL connection

        location / {
            proxy_pass http://puppet-production;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Client-Verify SUCCESS;
            proxy_set_header X-SSL-Subject $ssl_client_s_dn;
            proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
            proxy_read_timeout 65;
        }
    }

This configuration means that I can run multiple puppetmasters, one for each of the ports defined under "upstream" in the above config file. As far as I can understand, all of these puppetmasters must use the same manifests. I mean, when puppet nodes connect to port 8140, they will be redirected to one of the puppetmasters determined by nginx. Therefore, all these puppetmasters must run the same manifests. Is this correct?

Furthermore, if I want a separate puppetmaster (but running the same manifests) for our test-environments, I can simply add a new port (for example 8150), have the nodes connect to this port, and make sure there is a puppetmaster running to connect to. True?

I'm sorry if these are too basic questions, but I didn't find the necessary documentation on the subject.

Regards,
Kenneth Holter

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Brice Figureau
2008-Oct-15 09:35 UTC
[Puppet Users] Re: Running multiple puppetmasters with nginx/mongrel
Hi,

Although I don't run puppet behind nginx, I know nginx well (from using it as a proxy for several years, and from contributing a module).

On Wed, 2008-10-15 at 11:12 +0200, Kenneth Holter wrote:
> I have a simple question about running multiple puppetmasters with
> nginx/mongrel. The sample nginx config file found on the puppet web
> site defines something like this:
> [snipped config]
>
> This configuration means that I can run multiple puppetmasters, one
> for each of the ports defined under "upstream" in the above config
> file. As far as I can understand, all of these puppetmasters must use
> the same manifests. I mean, when puppet nodes connect to port 8140,
> they will be redirected to one of the puppetmasters determined by
> nginx. Therefore, all these puppetmasters must run the same manifests.
> Is this correct?

Yes, because you don't know which master your client will be connected to. This will be one of the "upstream" puppet-production pool.

> Furthermore, if I want a separate puppetmaster (but running the same
> manifests) for our test-environments, I can simply add a new port (for
> example 8150), have the nodes connect to this port, and make sure there
> is a puppetmaster running to connect to. True?

Yes. Or you can add a new server {} block in your nginx configuration, bound to another port, that directs communication to another "upstream" block that knows your development master's port.

Hope that helps,
--
Brice Figureau <brice-puppet@daysofwonder.com>
Kenneth Holter
2008-Oct-15 10:15 UTC
[Puppet Users] Re: Running multiple puppetmasters with nginx/mongrel
The reply was very helpful. Thank you very much.

Regarding a separate puppetmaster for test-environments: I thought I'd do something like the following, and add one or more puppetmasters to the "puppet-test1" pool:

    server {
        listen 8150;
        ssl_verify_client on;
        root /var/empty;
        access_log on;
        rewrite_log on;

        location / {
            proxy_pass http://puppet-test1;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Client-Verify SUCCESS;
            proxy_set_header X-SSL-Subject $ssl_client_s_dn;
            proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
            proxy_read_timeout 65;
        }
    }

This was what you proposed, and seems like a good solution.

Btw, are there any guidelines as to how many puppetmaster instances there should be in a pool? I figure I'd maybe start out with 4 instances and add more if performance degrades.

On 10/15/08, Brice Figureau <brice-puppet@daysofwonder.com> wrote:
> Hi,
>
> Although I don't run puppet behind nginx, I know nginx well (from using
> it as a proxy for several years, and from contributing a module).
>
> On Wed, 2008-10-15 at 11:12 +0200, Kenneth Holter wrote:
> > I have a simple question about running multiple puppetmasters with
> > nginx/mongrel. The sample nginx config file found on the puppet web
> > site defines something like this:
> > [snipped config]
> >
> > This configuration means that I can run multiple puppetmasters, one
> > for each of the ports defined under "upstream" in the above config
> > file. As far as I can understand, all of these puppetmasters must use
> > the same manifests. I mean, when puppet nodes connect to port 8140,
> > they will be redirected to one of the puppetmasters determined by
> > nginx. Therefore, all these puppetmasters must run the same manifests.
> > Is this correct?
>
> Yes, because you don't know which master your client will be connected
> to. This will be one of the "upstream" puppet-production pool.
>
> > Furthermore, if I want a separate puppetmaster (but running the same
> > manifests) for our test-environments, I can simply add a new port (for
> > example 8150), have the nodes connect to this port, and make sure there
> > is a puppetmaster running to connect to. True?
>
> Yes. Or you can add a new server {} block in your nginx configuration,
> bound to another port, that directs communication to another "upstream"
> block that knows your development master's port.
>
> Hope that helps,
> --
> Brice Figureau <brice-puppet@daysofwonder.com>
Brice Figureau
2008-Oct-15 13:11 UTC
[Puppet Users] Re: Running multiple puppetmasters with nginx/mongrel
On Wed, 2008-10-15 at 12:15 +0200, Kenneth Holter wrote:
> The reply was very helpful. Thank you very much.
>
> Regarding a separate puppetmaster for test-environments: I thought I'd
> do something like the following, and add one or more puppetmasters to
> the "puppet-test1" pool:
>
>     server {
>         listen 8150;
>         ssl_verify_client on;
>         root /var/empty;
>         access_log on;
>         rewrite_log on;
>
>         location / {
>             proxy_pass http://puppet-test1;
>             proxy_redirect off;
>             proxy_set_header Host $host;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_set_header X-Client-Verify SUCCESS;
>             proxy_set_header X-SSL-Subject $ssl_client_s_dn;
>             proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
>             proxy_read_timeout 65;
>         }
>     }
>
> This was what you proposed, and seems like a good solution.

I think this should work.

> Btw, are there any guidelines as to how many puppetmaster
> instances there should be in a pool? I figure I'd maybe start out with
> 4 instances and add more if performance degrades.

I don't really know, but I think this might depend on the number of clients and the time it takes to compile the catalog and/or serve the files...

I think you can start with a low number (3 or 4), and if you see clients time out, maybe you can increase this number. This also depends on the memory you have on your master server (more puppetmasters means more used memory).

Also, if you use storeconfigs, make sure to run 0.24.6+ (when it'll be released) for performance reasons.

--
Brice Figureau <brice-puppet@daysofwonder.com>
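
An added example, not part of the thread or of the Puppet project's sample config: a small Python lint for nginx files shaped like the ones discussed above. It checks that every pool named in a `proxy_pass` is defined with at least one server (as "puppet-test1" must be), and that a server block hardcoding `X-Client-Verify SUCCESS` also sets `ssl_verify_client on`, since the fixed header is only truthful when nginx itself rejects unverified clients. The sample config is constructed and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's production block, plus a test block whose
# pool is never defined and whose client-certificate check is only optional.
SAMPLE = """
upstream puppet-production { server 127.0.0.1:18140; server 127.0.0.1:18141; }
server {
    listen 8140;
    ssl_verify_client on;
    location / { proxy_pass http://puppet-production;
                 proxy_set_header X-Client-Verify SUCCESS; }
}
server {
    listen 8150;
    ssl_verify_client optional;
    location / { proxy_pass http://puppet-test1;
                 proxy_set_header X-Client-Verify SUCCESS; }
}
"""

def top_level_blocks(text):
    """Yield (header, body) for each top-level 'name args { ... }' block."""
    depth, header_start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, body_start = text[header_start:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[body_start:i]
                header_start = i + 1

def lint(text):
    """Return (listen port, problem) pairs; assumes proxy_pass targets named pools."""
    blocks = list(top_level_blocks(re.sub(r"#.*", "", text)))  # comments dropped
    pools = {h.split()[1]: re.findall(r"\bserver\s+([^;\s]+)\s*;", b)
             for h, b in blocks if h.startswith("upstream ")}
    findings = []
    for _, body in (b for b in blocks if b[0] == "server"):
        listen = re.search(r"\blisten\s+([^;]+);", body)
        port = listen.group(1).strip() if listen else "?"
        mode = re.search(r"\bssl_verify_client\s+(\w+)\s*;", body)
        mode = mode.group(1) if mode else "off"  # nginx default is off
        # A fixed SUCCESS header is only truthful if nginx rejects unverified clients.
        if re.search(r"X-Client-Verify\s+SUCCESS\s*;", body) and mode != "on":
            findings.append((port, f"X-Client-Verify hardcoded, ssl_verify_client {mode}"))
        for pool in re.findall(r"proxy_pass\s+http://([^;/\s]+)", body):
            if not pools.get(pool):
                findings.append((port, f"upstream {pool} undefined or empty"))
    return findings
```
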