DevOps Monkey Goodness

Configure Puppet With Apache and Passenger – How To Series Part 4

So far we have a basic Puppet master up and running using WEBrick, which is fine for testing purposes but not great for anything else. Now we will remove WEBrick and run Puppet with Apache and Passenger.

How to Install and Configure Puppet with Apache

  1. First install Apache and relevant dependencies:
    # yum -y install httpd httpd-devel mod_ssl ruby-devel rubygems gcc gcc-c++ curl-devel openssl-devel zlib-devel make
  2. Next install Phusion Passenger and the Apache 2 module (takes a few mins to run):
    # gem install passenger --no-ri --no-rdoc
    # passenger-install-apache2-module --auto
  3. Determine the Phusion Passenger version that was installed:
    # passenger -v
     
  4. Next we need to create the folders for the Puppet Master Rack application:
    # mkdir -p /usr/share/puppet/rack/puppetmasterd
    # mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
    # cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
    # chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru
     
  5. We need to find the names of the Puppet certs so we can use the correct values later; they should default to the host name:
     
  6. Now we need to create a new virtual host file for Puppet:
    # nano /etc/httpd/conf.d/puppetmaster.conf 
  7. Copy the contents from the example puppetmaster.conf file below:
    # You'll need to adjust the paths in the Passenger config depending on which OS
    # you're using, as well as the installed version of Passenger.
    
    # RHEL/CentOS:
    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.37/buildout/apache2/mod_passenger.so
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.37
    PassengerRuby /usr/bin/ruby
    
    # And the passenger performance tuning settings:
    PassengerHighPerformance On
    # Set this to about 1.5 times the number of CPU cores in your master:
    PassengerMaxPoolSize 12
    # Recycle master processes after they service 1000 requests
    PassengerMaxRequests 1000
    # Stop processes if they sit idle for 10 minutes
    PassengerPoolIdleTime 600
    
    Listen 8140
    <VirtualHost *:8140>
        SSLEngine On
    
        # Only allow high security cryptography. Alter if needed for compatibility.
        SSLProtocol             All -SSLv2
        SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
        SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.local.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.local.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient         optional
        SSLVerifyDepth          1
        SSLOptions              +StdEnvVars +ExportCertData
    
        # These request headers are used to pass the client certificate
        # authentication information on to the puppet master process
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
    
        <Directory /usr/share/puppet/rack/puppetmasterd/>
          Options None
          AllowOverride None
          # Apply the right behavior depending on Apache version.
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          </IfVersion>
          <IfVersion >= 2.4>
            Require all granted
          </IfVersion>
        </Directory>
    
        ErrorLog /var/log/httpd/puppet.local_ssl_error.log
        CustomLog /var/log/httpd/puppet.local_ssl_access.log combined
    </VirtualHost>
  8. Ensure you update the following:
    – Set Passenger to the version that you installed (see step 3 above)
    – Set the SSL cert names 
    – Set the error log names
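To catch the items above before restarting Apache, here is an added shell lint (example code written for this post, not from the original or from Puppet). It assumes the vhost file is the one shown above, that you pass the Passenger version from step 3 and the certname from step 5, and it also checks the CRL and client-cert directives that Apache needs in order to pass the agent's verified identity on to Puppet; sample_vhost writes a constructed, trimmed copy of the file so it can be tried offline.

```shell
# Added example, not from the original post: lint a puppetmaster.conf vhost for the
# items step 8 says to update (Passenger version, cert names) and for the client-cert
# settings the master relies on. Prints each finding; returns 0 when the file is clean.
# Usage: check_vhost /etc/httpd/conf.d/puppetmaster.conf 4.0.37 puppet.local
setting() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }   # first value of directive $2 in file $1

check_vhost() {
  f=$1; ver=$2; certname=$3; n=0
  mod=$(awk '$1 == "LoadModule" && $2 == "passenger_module" { print $3; exit }' "$f")
  root=$(setting "$f" PassengerRoot)
  # 1. mod_passenger.so must live under PassengerRoot, and both must be the version installed in step 3.
  if [ -z "$root" ] || [ "${mod#"$root"/}" = "$mod" ]; then
    echo "PassengerRoot '$root' does not match the LoadModule path"; n=$((n+1))
  fi
  [ "${root##*/}" = "passenger-$ver" ] || { echo "PassengerRoot is not passenger-$ver"; n=$((n+1)); }
  # 2. Cert and key must be the master's own files, named after its certname (step 5).
  for key in SSLCertificateFile SSLCertificateKeyFile; do
    v=$(setting "$f" "$key"); base=${v##*/}; base=${base%.pem}
    [ "$base" = "$certname" ] || { echo "$key is '$base', expected $certname"; n=$((n+1)); }
  done
  # 3. Without the CRL Apache keeps accepting agent certs the Puppet CA has revoked.
  [ -n "$(setting "$f" SSLCARevocationFile)" ] || { echo "SSLCARevocationFile is missing"; n=$((n+1)); }
  # 4. Apache must verify the agent cert and forward the result, else Puppet sees every agent as unauthenticated.
  [ "$(setting "$f" SSLVerifyClient)" = optional ] || { echo "SSLVerifyClient should be optional"; n=$((n+1)); }
  for h in X-Client-DN X-Client-Verify; do
    if ! awk -v h="$h" '$1 == "RequestHeader" && $2 == "set" && $3 == h { ok = 1 } END { exit !ok }' "$f"; then
      echo "RequestHeader set $h is missing"; n=$((n+1))
    fi
  done
  return $n
}

# Constructed sample vhost, trimmed from the post's file; args: passenger version, certname.
sample_vhost() {
  t=$(mktemp)
  cat >"$t" <<EOF
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-$1/buildout/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-$1
<VirtualHost *:8140>
    SSLEngine On
    SSLCertificateFile      /var/lib/puppet/ssl/certs/$2.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/$2.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
EOF
  echo "$t"
}
```

A non-zero return from check_vhost is the number of findings, so it can gate a restart in a deployment script.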

    Configure the Puppet Dashboard To Use Apache

  9. There is an example dashboard-vhost.conf file supplied with Passenger but I found it needed so many modifications I decided to place a copy here which you should copy and update:
    # cp /usr/share/puppet-dashboard/ext/passenger/dashboard-vhost.conf /etc/httpd/conf.d/
  10. Edit the new file:
    # nano /etc/httpd/conf.d/dashboard-vhost.conf
  11. Copy my file below and update the highlighted entries (the Passenger paths and the ServerName) to suit your environment:
    # UPDATE THESE PATHS TO SUIT YOUR ENVIRONMENT
    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.37/buildout/apache2/mod_passenger.so
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.37
    PassengerRuby /usr/bin/ruby
    
    # you may want to tune these settings
    PassengerHighPerformance on
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 1500
    # PassengerMaxRequests 1000
    PassengerStatThrottleRate 120
    
    <VirtualHost *:80>
            ServerName puppet.local
            DocumentRoot /usr/share/puppet-dashboard/public/
            <Directory /usr/share/puppet-dashboard/public/>
                    Options None
                    Order allow,deny
                    allow from all
            </Directory>
      ErrorLog /var/log/httpd/dashboard.puppet.local_error.log
      LogLevel warn
      CustomLog /var/log/httpd/dashboard.puppet.local_access.log combined
      ServerSignature On
    
    # Uncomment this section to enable basic auth. This section can also be copied
    # to the HTTPS VirtualHost example below.
    # # For report submission from masters.
    # <Location /reports/upload>
    # <Limit POST>
    # # Configuration restricts HTTP actions to POST only
    # Order allow,deny
    # # Allow from localhost
    # # Allow from localhost.localdomain
    # # Allow from 127.0.0.1
    # # Allow from example.com
    # # This can be locked down to just your puppet master if required
    # # See examples above, or http://httpd.apache.org/docs/2.2/howto/access.html
    # Allow from all
    # Satisfy any
    # </Limit>
    # </Location>
    #
    # # For node definitions from masters.
    # <Location /nodes>
    # <Limit GET>
    # # Configuration restricts HTTP actions to GET only
    # Order allow,deny
    # # Allow from localhost.localdomain
    # # Allow from localhost
    # # Allow from 127.0.0.1
    # # Allow from example.com
    # # This can be locked down to just your puppet master if required
    # # See examples above, or http://httpd.apache.org/docs/2.2/howto/access.html
    # Allow from all
    # Satisfy any
    # </Limit>
    # </Location>
    #
    # # For web access by humans.
    # <Location "/">
    # AuthType basic
    # AuthName "Puppet Dashboard"
    # Require valid-user
    # AuthBasicProvider file
    # AuthUserFile /etc/apache2/passwords # Change to your preferred password file location
    # </Location>
    
    </VirtualHost>
    
    # Uncomment this section to enable HTTPS (SSL)
    #Listen 443
    #<VirtualHost *:443>
    # SSLEngine on
    # SSLProtocol -ALL +SSLv3 +TLSv1
    # SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    #
    # SSLCertificateFile /usr/share/puppet-dashboard/certs/dashboard.cert.pem
    # SSLCertificateKeyFile /usr/share/puppet-dashboard/certs/dashboard.private_key.pem
    # SSLCACertificateFile /usr/share/puppet-dashboard/certs/dashboard.ca_cert.pem
    #
    # # If Apache complains about invalid signatures on the CRL, you can try disabling
    # # CRL checking by commenting the next line, but this is not recommended.
    # SSLCARevocationFile /usr/share/puppet-dashboard/certs/dashboard.ca_crl.pem
    #
    # SSLVerifyClient optional
    # SSLVerifyDepth 1
    # SSLOptions +StdEnvVars
    #
    # ServerName dashboard.example.com # UPDATE THIS TO YOUR FQDN
    # DocumentRoot /usr/share/puppet-dashboard/public
    # <Directory /usr/share/puppet-dashboard/public>
    # Options None
    # AllowOverride None
    # Order allow,deny
    # allow from all
    # </Directory>
    # <Location / >
    # Order deny,allow
    # Allow from ALL
    # # Enable this to require client-side certificates for Dashboard connections
    # #SSLVerifyClient require
    # </Location>
    #</VirtualHost>
    


    Stop Puppetmaster From Auto Starting and Start Apache On Boot

  12. Stop the WEBrick puppetmaster and disable it at boot, then restart Apache and enable it at boot:
    # service puppetmaster stop
    # chkconfig puppetmaster off
    # service httpd restart
    # chkconfig httpd on
  13. When I ran the above I had the following error:
    httpd: Could not reliably determine the server’s fully qualified domain name, using.. 
  14. To fix this edit httpd.conf:
    # nano /etc/httpd/conf/httpd.conf
  15. Find ServerName, uncomment it and set it to your local name, which in my example is puppet.local
  16. After successfully running service httpd restart you should be able to access the dashboard once again

    Update Dashboard To Not Use the WEBrick Port

  17. Edit puppet.conf:
    # nano /etc/puppet/puppet.conf
  18. Update reporturl and external_nodes to reflect the correct dashboard URL (remove :3000)
  19. Restart Apache:
    # service httpd restart
 
 

Check That Agents Are Still Working

If we look at the dashboard above we can see there are two unresponsive clients, so let's run the Linux and Windows Puppet agents and see if they still work.
  1. On the Puppet master server test the agent:
     
  2. Run the Puppet command line tool: Start -> Programs -> Puppet -> Start Command Prompt With Puppet
  3. Run:
    # puppet agent --test
  4. Something doesn’t look good!
     
    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Info: Retrieving plugin
    Error: /File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Failed to generate additional resources using ‘eval_generate’: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Error: /File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate: An existing connection was forcibly closed by the remote host. – SSL_connect
    Could not retrieve file metadata for puppet://puppet.local/plugins: An existing connection was forcibly closed by the remote host. – SSL_connect
    Error: Could not retrieve catalog from remote server: An existing connection was forcibly closed by the remote host. – SSL_connect
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
  5. Let's check the Windows Puppet config file at 

Useful Files and Commands

How to find the Apache log file location? 

Default = /var/log/httpd/error_log
