I put together this series of steps a few years ago, long before Passenger made its way into Fedora/EPEL, when it meant piecing together write-ups from all over the place. It's easier now, but I've updated it and am publishing it on my blog because someone expressed interest, and for my own use.
The goal of this set of steps is to serve Puppet through Apache using the Passenger module: mod_passenger is to Ruby what mod_cgi is to Perl and mod_wsgi is to Python. You would want to do this because puppetmasterd on its own (the built-in WEBrick server) does not scale well to large numbers of puppet agents. There are other options, but the whole thing is discussed more here.
Pre-requisites
- RHEL 6 or clone installed
- EPEL enabled on server (preferably with epel-release RPM)
- The knowledge to do the above without my help
Installing a Puppetmaster
- Install puppet and the other packages:

```sh
yum install --enablerepo=epel-testing httpd mod_ssl puppet-server mod_passenger
```

- Populate /etc/httpd/conf.d/puppetmaster.conf with the following block. There is a sample 'apache2.conf' file that comes with the puppet package (in the same ext/rack/files directory as config.ru), but it has never worked for me:
```apache
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    # The old sample value "SSLv2:-LOW:-EXPORT:RC4+RSA" admits RC4 and SSLv2-era
    # ciphers; refuse SSLv2/SSLv3 and RC4 instead
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled;
    # if you have problems with Apache complaining about the CRL, disable it
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # Without SSLVerifyClient, Apache never asks the agent for its certificate and
    # SSL_CLIENT_VERIFY is always NONE; "optional" still lets new agents submit CSRs
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    # "set" overwrites any X-Client-* header the client sent; puppet trusts these
    # values, so puppet must only be reachable through this vhost
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    <Directory /etc/puppet/modules/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    LogLevel warn
    ErrorLog /var/log/httpd/puppetmaster_error_log
    CustomLog /var/log/httpd/puppetmaster_access_log combined
</VirtualHost>
```

The RackAutoDetect and RailsAutoDetect directives exist in Passenger 2 and 3 (what EPEL shipped for RHEL 6); Passenger 4 removed them and detects the Rack application from config.ru on its own, so comment them out if httpd refuses to start with an unknown-directive error.

- Optional:
  - Set the ServerName value in the VirtualHost block
  - Change the ssl cert file names from 'puppet.pem' to match your local environment
  - Set the correct puppet paths for ssl certificates in your environment
- Create the rack directory structure:

```sh
mkdir -p /usr/share/puppet/rack/puppetmasterd/{public,tmp}
```

- Copy config.ru from the puppet package's ext/rack/files directory:

```sh
cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmasterd/
```

- Set ownership on the previous items. This matters beyond file access: Passenger runs the application as the owner of config.ru, so this is what makes puppet run as the puppet user rather than as apache:

```sh
chown -R puppet: /usr/share/puppet/rack/puppetmasterd/
```

- Configure /etc/puppet/puppet.conf to include the following, taking your local environment into consideration:
```ini
[master]
certname=puppet
ssl_client_header=SSL_CLIENT_S_DN
ssl_client_verify_header=SSL_CLIENT_VERIFY
```

certname must match the file names in the SSLCertificateFile and SSLCertificateKeyFile lines of the vhost (puppet.pem here). The two ssl_client_* settings name the mod_ssl variables exported by +StdEnvVars; puppet takes the agent's identity and verification status from them without checking anything itself, which is why nothing but this Apache vhost may be able to reach the application.

- Configuring SSL the lazy way :)
- Run puppetmasterd once so it builds the ssl directory structure, the CA, and the server key and certificate:

```sh
/usr/sbin/puppetmasterd
```

- Stop puppetmasterd. It listens on 8140 itself, so Apache cannot bind the port until it is gone (a plain SIGTERM is enough; -9 is not needed):

```sh
killall puppetmasterd
```

- Check that the files the vhost refers to now exist: /var/lib/puppet/ssl/certs/puppet.pem, /var/lib/puppet/ssl/private_keys/puppet.pem, /var/lib/puppet/ssl/ca/ca_crt.pem and /var/lib/puppet/ssl/ca/ca_crl.pem. With a different certname the cert and key are named after it instead.
- Add a firewall rule before the reject and commit rules in your firewall definition (/etc/sysconfig/iptables on RHEL 6):

```
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
```

- Restart the firewall:

```sh
/etc/init.d/iptables restart
```

- Restart apache:

```sh
/etc/init.d/httpd restart
```

- Verify that the system is working by browsing to the admin page, https://puppetmaster:8140. If it is working you should see:

```
The environment must be purely alphanumeric, not ''
```

That message comes from puppet, not Apache: the browser sent a request with no environment in the URL path and no client certificate, so what it proves is that Apache accepted the TLS connection and handed the request to the Rack application. The real end-to-end check is an agent run against the new master, e.g. `puppet agent --test --server puppetmaster`, which also exercises client-certificate verification through the X-Client-* headers.
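Putting the steps above together, here is an added example (my own shell script, not code from the post or from Puppet) that renders the vhost with the post's paths but a hardened TLS configuration, and audits an existing puppetmaster.conf for the weak settings the old sample config carries: an SSLv2/RC4-era cipher list, no SSLProtocol restriction, no SSLVerifyClient, no CRL, or a RequestHeader append that would let an agent forge the X-Client-* headers. The cipher list, the audit rules, the script name and the CERTNAME/SSLDIR parameters are my choices; the weak sample vhost inside it is constructed to mirror the TLS lines of the post's config.

```shell
#!/bin/sh
# Added example, not from the original post or from Puppet: render a hardened
# mod_passenger vhost for puppet and audit an existing one for weak settings.
# Paths follow the post; CERTNAME, SSLDIR and the cipher list are my choices.

# Print a vhost for CERTNAME with certificates under SSLDIR.
render_puppetmaster_conf() {
    certname="$1"
    ssldir="${2:-/var/lib/puppet/ssl}"
    cat <<EOF
PassengerHighPerformance on
PassengerMaxPoolSize 12

Listen 8140
<VirtualHost *:8140>
    ServerName ${certname}
    SSLEngine on
    # SSLv2 and SSLv3 are broken and RC4 is a weak stream cipher: refuse all three
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile ${ssldir}/certs/${certname}.pem
    SSLCertificateKeyFile ${ssldir}/private_keys/${certname}.pem
    SSLCertificateChainFile ${ssldir}/ca/ca_crt.pem
    SSLCACertificateFile ${ssldir}/ca/ca_crt.pem
    SSLCARevocationFile ${ssldir}/ca/ca_crl.pem
    # "optional": ask for the agent cert but still admit unauthenticated
    # requests, which is how a fresh agent submits its CSR
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    # "set" overwrites whatever the client sent in these headers; "append"
    # would let any client forge a verified identity to puppet
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    # Passenger finds the Rack app from config.ru; RackAutoDetect is not needed
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/log/httpd/puppetmaster_error_log
    CustomLog /var/log/httpd/puppetmaster_access_log combined
</VirtualHost>
EOF
}

# Audit a vhost file: one line per finding on stdout, return 1 if anything found.
audit_puppetmaster_conf() {
    f="$1"
    rc=0
    if grep -Eq '^[[:space:]]*SSLCipherSuite.*[ :](SSLv2|RC4|LOW|EXPORT)' "$f"; then
        echo "$f: SSLCipherSuite admits SSLv2/RC4/LOW/EXPORT ciphers"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*SSLProtocol.*-SSLv3' "$f"; then
        echo "$f: SSLProtocol does not disable SSLv3"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+(optional|require)' "$f"; then
        echo "$f: no SSLVerifyClient, agents are never asked for a certificate"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*SSLCARevocationFile' "$f"; then
        echo "$f: no SSLCARevocationFile, revoked agent certs are still accepted"; rc=1
    fi
    if grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+append[[:space:]]+X-(Client|SSL)-' "$f"; then
        echo "$f: RequestHeader append lets the client supply X-Client-*/X-SSL-* values"; rc=1
    fi
    return $rc
}

# Constructed sample mirroring the TLS lines of the post's vhost, for the audit.
weak_sample_conf() {
    cat <<'EOF'
<VirtualHost *:8140>
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyDepth 1
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
EOF
}

# Usage: sh puppetmaster-vhost.sh render CERTNAME [SSLDIR] > /etc/httpd/conf.d/puppetmaster.conf
#        sh puppetmaster-vhost.sh audit /etc/httpd/conf.d/puppetmaster.conf
#        sh puppetmaster-vhost.sh verify HOST   (live check, needs the server up)
case "${1:-}" in
    render) render_puppetmaster_conf "$2" "${3:-}" ;;
    audit)  audit_puppetmaster_conf "$2" ;;
    verify) # s_client prints "Acceptable client certificate CA names" only when the
            # server requested a client cert, i.e. when SSLVerifyClient is in effect
            openssl s_client -connect "$2:8140" -CAfile /var/lib/puppet/ssl/ca/ca_crt.pem \
                </dev/null 2>&1 | grep -E 'Verify return code|Acceptable client certificate CA names' ;;
esac
```

Run `audit` against the vhost you already have before touching it: the post's original TLS lines produce three findings (cipher list, no SSLProtocol, no SSLVerifyClient), and the rendered config produces none. The `verify` mode is a live check against a running master and is the quickest way to confirm Apache is actually requesting the agent certificate rather than silently letting every request through as unverified.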