Puppetmasterd with Passenger on Debian Squeeze

How to install your puppetmaster with Passenger. This was tested with puppet version 2.6.2.
The official puppet wiki: http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger

Read /usr/share/doc/puppetmasterd/README.rack

Steps:

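# puppet:
aptitude install facter puppet puppetmaster librack-ruby librack-ruby1.8
# directory for the rack application; the puppetmasterd symlink is created here further down
mkdir -p /etc/puppet/rack/

# apache:
aptitude install apache2 libapache2-mod-passenger
# directory listings and the /server-status page are not needed on a puppet-only host
a2dismod autoindex
a2dismod status

a2enmod ssl
# mod_headers is required for the RequestHeader lines in the puppetmasterd vhost
a2enmod headers

# disable the default apache on port 80 and 443:
a2dissite default
a2dissite default-ssl

# don't even listen anymore: ports.conf carries the Listen 80/443 lines and the
# puppetmasterd vhost brings its own "Listen 8140".
# The pattern is anchored at the start of the line and the file is edited in
# place, so re-running this step leaves an already commented line alone.
sed -i -e "s/^Include ports.conf/# Include ports.conf/" /etc/apache2/apache2.conf

cd /etc/apache2/sites-available
# NOTE: this fetches the vhost from the unpinned master branch, which may have
# drifted from the 2.6.2-era file reproduced below; diff it before enabling.
wget https://raw.github.com/puppetlabs/puppet/master/ext/rack/files/apache2.conf
mv apache2.conf puppetmasterd

# edit puppetmasterd to reflect your path to ssl - see below
vim puppetmasterd

# enable passenger driven apache on port 8140:
a2ensite puppetmasterd

# Whatever you do, make sure your config.ru file is owned by the puppet user!
# Passenger will setuid to that user. The symlink below points into the
# packaged rack app, so check the real file:
#   ls -l /usr/share/puppet/rack/puppetmasterd/config.ru
cd /etc/puppet/rack
ln -s /usr/share/puppet/rack/puppetmasterd/

# puppetmaster has to be run once to create the certs automatically!
# (the Debian package should have started it at install time; check that
# /var/lib/puppet/ssl is populated before going on)
# Stop the standalone daemon so port 8140 is free for apache, and set START=no
# in /etc/default/puppetmaster (see below) so it does not come back at boot.
/etc/init.d/puppetmaster stop
/etc/init.d/apache2 restart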

Edit /etc/default/puppetmaster to disable the 'old-style' puppetmaster:

4c4
< START=yes
---
> START=no
# test your puppet agent on one of the puppet nodes
# (-t is the short form of --test: one foreground run with verbose output)
puppet agent -t

:!: Don't forget to harden your apache as usual, e.g. edit /etc/apache2/conf.d/security and disable everything you do not need.

Files

/etc/apache2/sites-available/puppetmasterd

puppetmasterd
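PassengerRuby /usr/bin/ruby1.8

# you probably want to tune these settings
PassengerHighPerformance on
PassengerUseGlobalQueue on
# Passenger Pool Size control number of application instances,
# 1.5x the number of processor cores
PassengerMaxPoolSize 2
# seconds an idle application instance is kept before it is shut down
PassengerPoolIdleTime 1800
# recycle an application instance after this many requests
PassengerMaxRequests 4000
# seconds between stat() checks of the application files
PassengerStatThrottleRate 120
RackAutoDetect On
RailsAutoDetect Off

# apache2.conf no longer includes ports.conf in this setup, so this is the only Listen
Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        # SSLv2 and SSLv3 are off (SSLv3 is broken by POODLE); what remains is
        # TLSv1 on Squeeze's openssl 0.9.8, plus TLSv1.1/1.2 on newer releases.
        SSLProtocol all -SSLv2 -SSLv3
        # no anonymous DH, no MD5 MACs, no RC4; the server's preference order wins
        SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
        SSLHonorCipherOrder on

        # the master's own certificate and key, as created by puppet's CA
        SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.example.lan.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.example.lan.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        # agents are verified against the puppet CA only, not the system CA store
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended:
        # revoked agent certificates would then still be accepted.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        # optional rather than require: an agent that has not been signed yet
        # presents no certificate when it submits its CSR. puppet decides what an
        # unverified client may do, using the verify result it reads through
        # ssl_client_verify_header in puppet.conf.
        SSLVerifyClient optional
        # agent certificates are issued directly by the puppet CA
        SSLVerifyDepth  1
        # export the SSL_* variables that the RequestHeader lines below (and
        # puppet.conf's ssl_client_header / ssl_client_verify_header) rely on
        SSLOptions +StdEnvVars

        # The following client headers record authentication information for down stream workers.
        # "set" replaces any header of the same name the client sent, so a requester
        # cannot forge these values. X-CLIENT-DN carries the subject DN (it used to
        # repeat the verify result instead) and X-CLIENT-VERIFY the verification outcome.
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-CLIENT-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-CLIENT-VERIFY %{SSL_CLIENT_VERIFY}e

        # /etc/puppet/rack/puppetmasterd is the symlink to the packaged rack app
        DocumentRoot /etc/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /etc/puppet/rack/puppetmasterd>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>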

/etc/puppet/rack/puppetmasterd/config.ru

config.ru
# Rack entry point for the puppet master; any Rack-capable web server can load it.
# TLS is not handled here -- the web server in front (Apache/mod_ssl) does that.

# puppet's lib dir, if it is not already on RUBYLIB:
# $LOAD_PATH.unshift('/opt/puppet/lib')

# presumably so puppet identifies itself as the "master" application -- confirm
$PROGRAM_NAME = "master"

# extra command-line switches for the master, e.g. verbose output:
# ARGV.push("--debug")

# tell the master it is embedded in Rack instead of running its own server
ARGV.push("--rack")
require 'puppet/application/master'

# This file is evaluated inside a Rack::Builder block, so the `run` below is
# the builder's run: hand Rack the app object the master returns.
run(Puppet::Application[:master].run)
puppet.conf
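# puppet.conf, [master] section only; the rest of the file is omitted.
[master]
# names the key/cert pair under /var/lib/puppet/ssl that the Apache vhost
# points at (certs/puppet.example.lan.pem, private_keys/puppet.example.lan.pem)
certname = puppet.example.lan

# Variables puppet reads to learn who the TLS client was. They must match what
# mod_ssl exports (SSLOptions +StdEnvVars in the Apache vhost): the client's
# subject DN and the certificate verification result.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY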
 
[...]
networking/puppet/passenger.txt · Last modified: 2014-12 by tb