puppet via apache using passenger from epel

I put together this serious of steps a few years ago long before Passenger made its way into Fedora/EPEL, when it was required putting together write ups from all over the place. Its easier now, but I’ve updated it and am publishing it to my blog because someone had expressed interest, and for my own use.

The goal of this set of steps is to enable the serving of Puppet through Apache using the Passenger module. mod_passenger to ruby what mod_cgi is to perl and mod_wsgi is to python. You would want to use this because Puppetmaster itself does not scale as well to large numbers of puppets. There are other options, but the whole thing is discussed more here.

Pre-requisites

• RHEL 6 or clone installed
• EPEL enabled on server (preferably with epel-release RPM)
• The knowledge to do the above without my help

Installing a Puppetmaster

• Install puppet and other packages:
  yum install --enablerepo=epel-testing httpd mod_ssl puppet-server mod_passenger
• Populate /etc/httpd/conf.d/puppetmaster.conf with the following block. There is a sample ‘apache2.conf’ file that comes with the puppet package, but its never worked for me:
  
  # you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000 PassengerStatThrottleRate 120 RackAutoDetect Off RailsAutoDetect Off Listen 8140 <VirtualHost *:8140> SSLEngine on SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # CRL checking should be enabled; # if you have problems with Apache complaining about the CRL, disable it SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyDepth 1 SSLOptions +StdEnvVars RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e RackAutoDetect On DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/ <Directory /usr/share/puppet/rack/puppetmasterd/> Options None AllowOverride None Order allow,deny allow from all </Directory> <Directory /etc/puppet/modules/> Options None AllowOverride None Order allow,deny allow from all </Directory> LogLevel warn ErrorLog /var/log/httpd/puppetmaster_error_log CustomLog /var/log/httpd/puppetmaster_access_log combined </VirtualHost>

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43

  # you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000 PassengerStatThrottleRate 120 RackAutoDetect Off RailsAutoDetect Off   Listen 8140 <VirtualHost *:8140>     SSLEngine on     SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA     SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.pem     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.pem     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem     # CRL checking should be enabled;     # if you have problems with Apache complaining about the CRL, disable it     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem     SSLVerifyDepth 1     SSLOptions +StdEnvVars     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e     RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e     RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e     RackAutoDetect On     DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/     <Directory /usr/share/puppet/rack/puppetmasterd/>         Options None         AllowOverride None         Order allow,deny         allow from all     </Directory>     <Directory /etc/puppet/modules/>         Options None         AllowOverride None         Order allow,deny         allow from all     </Directory>     LogLevel warn     ErrorLog /var/log/httpd/puppetmaster_error_log     CustomLog /var/log/httpd/puppetmaster_access_log combined </VirtualHost>

• Optional
  • Set ServerName value in the VirtualHost block
  • Change the ssl cert file names from ‘puppet.pem’ to match your local environment
  • Set the correct puppet paths for ssl certificates in your environment
• Create rack directory structure
  mkdir -p /usr/share/puppet/rack/puppetmasterd/{public,tmp}
• Copy config.ru fromthe puppet source dir
  cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmasterd/
• Set permissions on the previous items
  chown -R puppet: /usr/share/puppet/rack/puppetmasterd/
• Configure /etc/puppet/puppet.conf to include the following, taking into consideration your local environment:
  
  [master] certname=puppet ssl_client_header=SSL_CLIENT_S_DN ssl_client_verify_header=SSL_CLIENT_VERIFY

  1 2 3 4

  [master] certname=puppet ssl_client_header=SSL_CLIENT_S_DN ssl_client_verify_header=SSL_CLIENT_VERIFY

• Configuring SSL the lazy way :)
  • Run puppetmasterd to build ssldirectory structure and keys
    /usr/sbin/puppetmasterd
  • Stop puppetmasterd
    killall -9 puppetmasterd
• Add firewall rules before the reject and commit rules in your firewall definition:
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
• Restart firewall
  /etc/init.d/iptables restart
• Restart apache
  /etc/init.d/httpd restart
• Verifying that the system is working by browsing to admin page: https://puppetmaster:8140, and if its working you should see:
  The environment must be purely alphanumeric, not ''