Install Puppet with Passenger on Centos 6 – Part Two
Last time we got our Puppet server embedded in a WEBrick server. Today I'll show how to go one step further by installing Passenger (mod_rails). By enabling Apache to serve our Puppet clients we will benefit from performance gains like being able to handle concurrent connections.
Getting Passenger working
Add the following into your puppet.conf:
[master]
# Name of the request variable that carries the verified client certificate's
# subject DN, and the one carrying mod_ssl's verification result
# (SUCCESS, NONE or FAILED:...). Both are exported by SSLOptions +StdEnvVars.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
Install the following on our Puppet server:
[root@puppet]# yum install gcc-c++ httpd-devel apr-devel ruby-devel ruby-rdoc
Install some gems:
[root@puppet]# gem install -v=1.0.1 rack
[root@puppet]# gem install -v=2.3.5 activerecord
And Passenger:
[root@puppet]# gem install -v=2.2.11 passenger
And:
[root@puppet]# passenger-install-apache2-module
If this final Passenger step fails, its output tells you where it went wrong; fix whatever it reports and re-run it.
Install mod_ssl:
[root@puppet]# yum install mod_ssl
Create the document root:
[root@puppet]# mkdir -p /usr/share/puppet/rack/puppetmasterd/public
Now we need to create the Apache configuration in /etc/httpd/conf.d/puppet.conf:
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11
PassengerRuby /usr/bin/ruby
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    # Legacy cipher string; on a current Apache, replace it with a TLS 1.2+ cipher suite.
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile /var/lib/puppet/ssl/certs/test.tomhayman.co.uk.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/test.tomhayman.co.uk.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # "optional" rather than "require": a new agent has no certificate yet and must still
    # reach the CA endpoints; Puppet checks the verify header for everything else.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    # The following client headers allow the same configuration to work with Pound.
    # "set" overwrites anything the client sent in these headers, so Puppet only sees what mod_ssl verified.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
Check the Apache configuration with an apachectl configtest and again fix any errors you encounter.
Now, copy the Rack config:
[root@puppet]# cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmasterd/
Give Puppet correct permission to access the Rack config:
[root@puppet]# chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
Stop the Puppet server with service puppetmaster stop so it won't interfere with Passenger, and remember to deactivate the puppetmaster service via chkconfig too. Then start Apache and you should have Passenger working.
To check from our Puppet client:
[root@pclient]# puppetd --noop --test --server puppet.tomhayman.co.uk --port 8140
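The security-relevant part of this setup is that Apache, not Puppet, validates the agent's certificate and then hands Puppet the outcome in the X-Client-DN and X-Client-Verify headers set above. As an added example (not code from this post or from Puppet itself), here is a Rack-style application in plain Ruby, without the rack gem, that consumes those two headers the way the ssl_client_header / ssl_client_verify_header settings make Puppet do: the CA paths stay open, everything else needs a verified client certificate. The path patterns and the "catalog" endpoint are simplified assumptions, not Puppet's real auth.conf rules.

```ruby
# Added example, not the post's or Puppet's own code. Rack passes the header
# "X-Client-DN" to the app as env["HTTP_X_CLIENT_DN"]; same for X-Client-Verify.
CLIENT_DN_HEADER     = "HTTP_X_CLIENT_DN"
CLIENT_VERIFY_HEADER = "HTTP_X_CLIENT_VERIFY"

# Paths an agent must reach before it owns a certificate (simplified from
# Puppet's default auth.conf): CA cert, CSR submission, signed-cert download.
PUBLIC_PATHS = %r{\A/[^/]+/(certificate|certificate_request)/}

# Pull the CN out of a subject DN such as "/C=GB/O=Example/CN=pclient1.example.com".
def cn_from_dn(dn)
  return nil if dn.nil?
  m = dn.match(%r{CN=([^/,]+)})
  m && m[1]
end

# Identity as established by mod_ssl. Only a header value of exactly "SUCCESS"
# means the certificate chained to the CA and passed revocation checking; "NONE"
# (no certificate offered, which SSLVerifyClient optional permits) and any
# "FAILED:..." value are treated as anonymous.
def client_identity(env)
  if env[CLIENT_VERIFY_HEADER] == "SUCCESS"
    cn = cn_from_dn(env[CLIENT_DN_HEADER])
    return [:authenticated, cn] if cn
  end
  [:anonymous, nil]
end

# Rack app: env hash in, [status, headers, body] out. The catalog of a node
# may be fetched only by a client whose certificate CN equals that node name.
def puppet_style_app(env)
  path = env["PATH_INFO"].to_s
  state, cn = client_identity(env)
  text = { "Content-Type" => "text/plain" }
  if path =~ PUBLIC_PATHS
    [200, text, ["public: #{path}"]]
  elsif state == :authenticated && path =~ %r{\A/[^/]+/catalog/#{Regexp.escape(cn)}\z}
    [200, text, ["catalog for #{cn}"]]
  elsif state == :authenticated
    [403, text, ["certificate #{cn} may not access #{path}"]]
  else
    [403, text, ["client certificate required for #{path}"]]
  end
end
```

Because the headers are trusted verbatim, this only holds when the app is reachable solely through the Apache vhost above, whose RequestHeader set lines overwrite any X-Client-* headers a client supplies itself.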
In part three we will get stored configurations working and also Puppet Dashboard. I hope this has helped and if you run into any problems let me know and I'll try and give you a hand.
February 9th, 2012 - 19:26
yum install gcc-c++ httpd-devel apr-devel ruby-devel ruby-rdoc
otherwise gem installation returns an error if ruby-rdoc is not present
February 9th, 2012 - 19:30
wget http://production.cf.rubygems.org/rubygems/rubygems-1.4.2.tgz
tar zxvf rubygems-1.4.2.tgz
cd rubygems-1.4.2
ruby setup.rb
gem -v
if gem is not installed
February 20th, 2012 - 20:45
Thanks for the info, will check it out later on and update.
April 11th, 2012 - 07:42
can’t wait for part3!!!
April 11th, 2012 - 15:44
I’ve been quite busy lately but will try and get part 3 up soon. Watch this space
May 18th, 2012 - 03:04
I can't start httpd with the lines below. Any idea? Thanks
Options None
AllowOverride None
Order allow,deny
allow from all
Error messages:
Starting httpd: Syntax error on line 28 of /etc/httpd/conf.d/puppet.conf:
AllowOverride not allowed here
Starting httpd: Syntax error on line 29 of /etc/httpd/conf.d/puppet.conf:
order not allowed here
I can start it after commenting out those lines, but I get a certificate error in the client logs. Here's the error:
puppet-agent[25847]: Could not request certificate: Error 405 on SERVER: #012#012405 Method Not Allowed#012#012Method Not Allowed#012The requested method PUT is not allowed for the URL /production/certificate_request/pclient1.#012#012Apache/2.2.15 (CentOS) Server at xx.xxx.xx.xx Port 8140#012
May 18th, 2012 - 09:19
Use the directory section in your conf. Mine is like this:
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
Close the above with angle brackets. (My blog removes them).
See http://httpd.apache.org/docs/current/mod/core.html#allowoverride
May 25th, 2012 - 19:02
Hi, thank you for the write-up. I followed your instructions, but when I go to verify that the client can connect using:
`puppetd --waitforcert 30 --server dx-puppetmaster-01.datalex.com -v`
followed by:
`puppetca -l`
I get nothing. The Puppet Master shows the following in access_log:
10.10.10.1 - - [25/May/2012:14:54:51 -0400] "GET /production/certificate/dx-puppetnode-01.my.domain? HTTP/1.1" 404 347 "-" "-"
And the following in error_log:
[Fri May 25 14:54:51 2012] [error] [client 10.10.10.1] File does not exist: /var/www/html/production
Any ideas? TIA.
May 28th, 2012 - 10:38
This happened to me. You need to check if the client and the master are communicating properly and if there are any firewall, network, or other troubles possibly stopping that communication. Check these things first and then go from there.
May 29th, 2012 - 23:17
The 2 servers have no communication barriers. I fixed this issue by wrapping everything after "Listen 8140" in a stanza.
Now httpd is serving puppet via passenger (verified with netstat grepped for 8140), but my puppet node is getting a 403 Forbidden error: You don't have permission to access /production/certificate/ca on this server.
Any ideas?
May 29th, 2012 - 23:19
The 2 servers have no communication barriers. I fixed this issue by wrapping everything after "Listen 8140" in a <VirtualHost *:8140> stanza. See this script for an example: https://privatepaste.com/b13e3362ab
Now httpd is serving puppet via passenger (verified with netstat grepped for 8140), but my puppet node is getting a 403 Forbidden error: You don't have permission to access /production/certificate/ca on this server.
Any ideas?
June 6th, 2012 - 14:22
Possibly a permissions issue?
Also, did you give Puppet the correct permission to access the Rack config (as stated above)?
Plus check /etc/puppet/auth.conf – try this:
path /
allow *
auth any