Puppetmasterd with Passenger on Debian Squeeze
How to run your puppetmaster behind Apache and Passenger instead of the standalone puppetmasterd. This was tested with puppet version 2.6.2 on Debian Squeeze.
The official puppet wiki: http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger
Also read /usr/share/doc/puppetmasterd/README.rack
Steps:
# puppet:
aptitude install facter puppet puppetmaster librack-ruby librack-ruby1.8
mkdir -p /etc/puppet/rack/

# apache (mod_headers is needed for the RequestHeader directives in the site config below):
aptitude install apache2 libapache2-mod-passenger
a2dismod autoindex
a2dismod status
a2enmod ssl
a2enmod headers

# disable the default apache sites on port 80 and 443:
a2dissite default
a2dissite default-ssl

# don't even listen on those ports anymore; the Listen 8140 in the
# puppetmasterd site below is then the only listener apache opens:
sed -e "s/Include ports.conf/# Include ports.conf/" /etc/apache2/apache2.conf > /etc/apache2/apache2.conf.tmp \
  && mv /etc/apache2/apache2.conf.tmp /etc/apache2/apache2.conf

cd /etc/apache2/sites-available
wget https://raw.github.com/puppetlabs/puppet/master/ext/rack/files/apache2.conf
mv apache2.conf puppetmasterd

# edit puppetmasterd to reflect your certname and your path to ssl - see below
vim puppetmasterd

# enable the passenger driven apache on port 8140:
a2ensite puppetmasterd

# Whatever you do, make sure config.ru (the file the symlink below resolves to)
# is owned by the puppet user! Passenger runs the application as the owner of
# config.ru; a root-owned file is demoted to Passenger's default unprivileged
# user, which cannot read the keys under /var/lib/puppet/ssl.
cd /etc/puppet/rack
ln -s /usr/share/puppet/rack/puppetmasterd/

# The old-style puppetmaster has to run once (the package starts it on install)
# so that the CA and the master certificate in /var/lib/puppet/ssl are created
# automatically. Stop it before apache takes over port 8140:
/etc/init.d/puppetmaster stop
/etc/init.d/apache2 restart
edit /etc/default/puppetmaster to disable the 'old-style' puppetmaster:
4c4 < START=yes --- > START=no
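Review bot: the hunk only flips START to no, which keeps the init script from launching the old-style master on the next boot; it does not touch the instance the package already started, which is why the Steps above run /etc/init.d/puppetmaster stop before restarting Apache. Keep that order, and after the change confirm that nothing but apache2 is bound to port 8140, the port the puppetmasterd site listens on.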
# test your puppet agent on one of the puppet nodes:
puppet agent --test
Don't forget to harden your Apache as usual: edit /etc/apache2/conf.d/security, disable every module and site you do not need, and check that the only listener left is the one on 8140 defined in the puppetmasterd site.
Files
/etc/apache2/sites-available/puppetmasterd
- puppetmasterd
PassengerRuby /usr/bin/ruby1.8
# you probably want to tune these settings
PassengerHighPerformance on
PassengerUseGlobalQueue on
# Passenger Pool Size controls the number of application instances,
# 1.5x the number of processor cores
PassengerMaxPoolSize 2
PassengerPoolIdleTime 1800
PassengerMaxRequests 4000
PassengerStatThrottleRate 120
RackAutoDetect On
RailsAutoDetect Off

Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    # These two lines follow the upstream sample of the time. SSLv3 and RC4 are no
    # longer acceptable; on a current system restrict the protocol list to TLS and
    # drop RC4 from the cipher list.
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.example.lan.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.example.lan.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    # "optional" rather than "require": a new node has no certificate yet and must be
    # able to submit its certificate request. Every other request is accepted or
    # rejected by the master based on SSL_CLIENT_VERIFY, not by Apache.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # The following client headers record authentication information for downstream
    # workers. Apache sets them unconditionally, so a value a client sends in the same
    # header is overwritten and cannot be used to forge a verified identity.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /etc/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /etc/puppet/rack/puppetmasterd>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
/etc/puppet/rack/puppetmasterd/config.ru
- config.ru
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"
require 'puppet/application/master'

# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run
/etc/puppet/puppet.conf
- puppet.conf
[master]
certname = puppet.example.lan
# Passenger hands Apache's CGI environment to the application, so the master reads
# the client DN and the verification result straight from mod_ssl's variables
# (exported by SSLOptions +StdEnvVars) rather than from request headers that a
# client could set itself.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[...]
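The RequestHeader lines in the site config and the two ssl_client_* settings in puppet.conf together decide which node a request belongs to. The following Ruby is an added example written for this page, not code from Puppet or from the original howto; it mirrors that decision in a minimal Rack-style handler so you can see why only mod_ssl's environment variables are trusted and why a client-supplied X-Client-Verify header gets you nothing. The function names, the sample environments and the simplified path policy are illustrative assumptions.

```ruby
# Added example for this page (not Puppet's code): how a master behind Passenger
# identifies a client from mod_ssl's environment variables, the ones named by
# ssl_client_header / ssl_client_verify_header in puppet.conf.
# Function names, sample environments and the path policy are illustrative assumptions.

SSL_CLIENT_HEADER        = 'SSL_CLIENT_S_DN'   # ssl_client_header in puppet.conf
SSL_CLIENT_VERIFY_HEADER = 'SSL_CLIENT_VERIFY' # ssl_client_verify_header in puppet.conf

# Pull the CN out of a DN, both in the oneline form Apache 2.2 exports
# ("/C=XX/O=Puppet/CN=node.example.lan") and in the RFC 2253 form newer
# Apache versions use ("CN=node.example.lan,O=Puppet").
def common_name_from_dn(dn)
  return nil if dn.nil? || dn.empty?
  m = dn.match(%r{(?:\A|[/,])\s*CN\s*=\s*([^/,]+)})
  m ? m[1].strip : nil
end

# The authenticated node name, or nil if mod_ssl did not verify a client certificate.
# Only the two variables written by mod_ssl are consulted. HTTP_X_CLIENT_* request
# headers are never read here: with SSLVerifyClient optional an unauthenticated client
# could otherwise send "X-Client-Verify: SUCCESS" itself.
def client_identity(env)
  return nil unless env[SSL_CLIENT_VERIFY_HEADER] == 'SUCCESS'
  common_name_from_dn(env[SSL_CLIENT_HEADER])
end

# A deliberately small policy in the spirit of Puppet's auth.conf defaults:
#   - certificate and certificate_request endpoints are open to everyone, so a new
#     node can get enrolled;
#   - a catalog may only be fetched by the node whose CN matches the path;
#   - everything else needs a verified certificate.
def authorized?(env, path)
  return true if path =~ %r{\A/[^/]+/certificate(_request)?/}
  node = client_identity(env)
  return false if node.nil?
  if (m = path.match(%r{\A/[^/]+/catalog/([^/?]+)}))
    return m[1] == node
  end
  true
end

# Constructed sample environments, not captured from a real server.
VERIFIED_NODE = {
  'SSL_CLIENT_VERIFY' => 'SUCCESS',
  'SSL_CLIENT_S_DN'   => '/CN=node1.example.lan',
}

# No client certificate, but the client forged the X- headers. Apache's
# "RequestHeader set" would overwrite them anyway, and this code ignores them.
SPOOFED_HEADERS = {
  'SSL_CLIENT_VERIFY'    => 'NONE',
  'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
  'HTTP_X_CLIENT_DN'     => '/CN=node1.example.lan',
}

if __FILE__ == $0
  puts "verified node:   #{client_identity(VERIFIED_NODE).inspect}"
  puts "spoofed node:    #{client_identity(SPOOFED_HEADERS).inspect}"
  puts "own catalog:     #{authorized?(VERIFIED_NODE, '/production/catalog/node1.example.lan')}"
  puts "other catalog:   #{authorized?(VERIFIED_NODE, '/production/catalog/node2.example.lan')}"
  puts "spoofed catalog: #{authorized?(SPOOFED_HEADERS, '/production/catalog/node1.example.lan')}"
  puts "spoofed CSR:     #{authorized?(SPOOFED_HEADERS, '/production/certificate_request/node3.example.lan')}"
end
```

The point to take away: because SSLVerifyClient is optional, the TLS layer accepts connections without a client certificate, and the per-request decision lives in the application. That only stays safe if the application reads the verification result from a source the client cannot write, which with Passenger is Apache's own environment.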