Puppet: The Good, The Bad, And The Config – Part 3

In the previous post, the basic setup of Puppet on both the server and client was described. Because I’d rather not use its built-in server (scalability issues), what’s left is to install Passenger on Apache to handle the server side of things. Details are below…

Passenger Repo and Installs

The Puppet docs suggest you use RubyGems to install Passenger. Personally, I prefer everything to go in with yum, so it’s all handled by one package manager. Since Passenger isn’t in any of the usual repos, add this one, then install the necessary bits and pieces.

yum install httpd mod_ssl mod_passenger rubygem-rake rubygem-rack ruby-rdoc

The httpd/rack Config

First, set up a DocumentRoot for the Ruby/Rack bits and copy the config into it.

mkdir -p /etc/puppet/rack/public /etc/puppet/rack/tmp
cp /usr/share/puppet/ext/rack/files/config.ru /etc/puppet/rack/.

Create an httpd configuration for the puppetmaster. It uses mod_passenger to run the Puppet server through the more scalable Apache backend. If your network is very large, you may need to run more than one and reverse proxy them, but I’ll leave that for you to Google for if needed. Otherwise, it’ll look like this:

# Passenger tuning
PassengerHighPerformance on
PassengerMaxPoolSize 15
PassengerPoolIdleTime 300
PassengerStatThrottleRate 120
PassengerUseGlobalQueue on

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        # Server certificate and key, plus the Puppet CA certificate and CRL used to verify agents
        SSLCertificateFile      /ssl/certs/puppet1.DOMAIN.pem
        SSLCertificateKeyFile   /ssl/private_keys/puppet1.DOMAIN.pem
        SSLCertificateChainFile /ssl/ca/ca_crt.pem
        SSLCACertificateFile    /ssl/ca/ca_crt.pem
        SSLCARevocationFile     /ssl/ca/ca_crl.pem
        # Client certificates are optional so an agent without a signed certificate can still connect to request one
        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions +StdEnvVars

        # Pass the client certificate subject and verification result to the Rack application;
        # "set" replaces any header of the same name sent by the client
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /etc/puppet/rack/public/
        RackBaseURI /
        <Directory /etc/puppet/rack/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
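
SSLv3 and RC4 are both deprecated (RFC 7568, RFC 7465), and the Rack application takes the agent's identity from the X-Client-DN and X-Client-Verify headers, so those are the directives worth checking in this vhost. The Python below is an added example, not part of the original post: it audits vhost text for them using a constructed sample. The expansion of `all` and the cipher-string heuristic are assumptions noted in the comments.

```python
# Constructed sample: TLS and header directives of a puppetmaster vhost like the one above.
SAMPLE_VHOST = """\
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
"""
# Assumption: what "all" expands to depends on the httpd/OpenSSL build; older ones include SSLv3.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
IDENTITY_HEADERS = ("X-Client-DN", "X-Client-Verify")


def effective_protocols(spec):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, a bare x resets the set."""
    enabled = set()
    for token in spec.lower().split():
        name = token.lstrip("+-")
        group = ALL_PROTOCOLS if name == "all" else {name}
        if token[0] == "+":
            enabled |= group
        elif token[0] == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled


def audit_vhost(text):
    """Return sorted findings: legacy protocols, RC4, identity headers a client could supply."""
    directives = [d for d in (line.split(None, 1) for line in text.splitlines()) if len(d) == 2]
    conf = {name.lower(): args.strip() for name, args in directives}
    legacy = effective_protocols(conf.get("sslprotocol", "all")) & {"sslv2", "sslv3"}
    findings = [f"protocol {p} enabled" for p in legacy]
    # Heuristic, not a full OpenSSL cipher-string evaluator: RC4 counts as reachable when an
    # additive token names RC4, MEDIUM or ALL and no token excludes it permanently with !RC4.
    tokens = conf.get("sslciphersuite", "").upper().split(":")
    added = [set(t.lstrip("+").split("+")) for t in tokens if t[:1] not in ("!", "-")]
    if any(parts & {"RC4", "MEDIUM", "ALL"} for parts in added) and "!RC4" not in tokens:
        findings.append("RC4 cipher suites reachable")
    # Only "RequestHeader set" replaces a value the client sent; other actions, or no
    # directive at all, let a client-supplied header reach the Rack application.
    overwritten = set()
    for name, args in directives:
        parts = args.lower().split()
        if name.lower() == "requestheader" and len(parts) > 1 and parts[0] == "set":
            overwritten.add(parts[1])
    findings += [f"header {h} not overwritten" for h in IDENTITY_HEADERS if h.lower() not in overwritten]
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit_vhost(SAMPLE_VHOST)))
```

A vhost limited to TLS protocols, with `!RC4` in the cipher string and both identity headers under `RequestHeader set`, returns no findings.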

Once that’s all in place, start httpd and make sure it starts at boot:

/etc/init.d/httpd start
chkconfig httpd on

A Test Run

Now that we’ve got a working Puppet server, we should be able to test it from the client. Run the following as root:

puppet agent --test

This should do a run but, because our default node setup is empty, it won’t actually do anything.

Next Steps

I know this was a short one, but the next bit is setting up Dashboard, which is a bit more involved. Once that’s done, finally we can get to actually using Puppet for what it’s intended: managing hosts’ state.