Puppet with Amazon AWS on CentOS 7 (II) - Configuring a Puppet Master Server with Passenger and Apache
Continued from Puppet with Amazon AWS on CentOS 7 (I) - Master setup on EC2
Puppet includes a basic Puppet master web server based on Ruby's WEBrick library. (This is what Puppet uses if we run puppet master on the command line or use most puppetmaster init scripts.)
We cannot use this default server for real-life loads, as it can't handle concurrent connections; it is only suitable for small tests with ten nodes or fewer. We must configure a production quality web server before we start managing our nodes with Puppet.
"Any Rack-based application server stack will work with a Puppet master, but if you don't have any particular preference, you should use Passenger combined with Apache. This guide shows how to configure Puppet with this software."
We need to make sure puppet master has been run at least once, so that all required SSL certificates are in place.
Let's install apache 2:
[centos@puppet:environments]$ sudo yum install httpd httpd-devel mod_ssl ruby-devel rubygems gcc
To make Apache start automatically at boot:
[centos@puppet:environments]$ sudo chkconfig httpd on
Note: Forwarding request to 'systemctl enable httpd.service'.
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
Passenger (AKA mod_rails or mod_rack) is an Apache 2.x module which lets us run Rails or Rack applications inside a general purpose web server, like Apache httpd or nginx.
Let's install Rack/Passenger:
[centos@puppet:environments]$ sudo gem install rack passenger
Install passenger's Apache module:
[centos@puppet:environments]$ sudo /usr/local/bin/passenger-install-apache2-module
Welcome to the Phusion Passenger Apache 2 module installer, v5.0.18.

This installer will guide you through the entire installation process. It
shouldn't take more than 3 minutes in total.

Here's what you can expect from the installation process:

 1. The Apache 2 module will be installed for you.
 2. You'll learn how to configure Apache.
 3. You'll learn how to deploy a Ruby on Rails application.

Don't worry if anything goes wrong. This installer will advise you on how to
solve any problems.

Press Enter to continue, or Ctrl-C to abort.
...
Installation instructions for required software

 * To install C++ compiler:
   Please install it with yum install gcc-c++

 * To install Curl development headers with SSL support:
   Please install it with yum install libcurl-devel

 * To install OpenSSL development headers:
   Please install it with yum install openssl-devel

 * To install Zlib development headers:
   Please install it with yum install zlib-devel

If the aforementioned instructions didn't solve your problem, then please take
a look at our documentation for troubleshooting tips:

  https://www.phusionpassenger.com/library/install/apache/
  https://www.phusionpassenger.com/library/admin/apache/troubleshooting/
[centos@puppet:environments]$
Following the instructions from the output, we can install additional software:
[centos@puppet:environments]$ sudo yum install gcc-c++ libcurl-devel openssl-devel zlib-devel
Once the required software is installed, rerun the previous command to install Passenger's Apache module; the compilation takes a couple of minutes:
[centos@puppet:environments]$ sudo /usr/local/bin/passenger-install-apache2-module
To configure Apache to run the Puppet master application, we should create a virtual host config file for the Puppet master application, and install/enable it.
Let's look up Installing Puppet: Post-Install Tasks. Go to a section "Configure a Production-Ready Web Server", and check the link for Create and Enable the Puppet Master Vhost.
Copy the whole section of code from "Example Vhost Configuration" which configures the Puppet master on the default puppetmaster port (8140), and put that into a newly created file /etc/httpd/conf.d/puppet.conf:
# You'll need to adjust the paths in the Passenger config depending on which OS
# you're using, as well as the installed version of Passenger.
# Debian/Ubuntu:
#LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby1.8
# RHEL/CentOS:
#LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby

# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 12
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140

<VirtualHost *:8140>
    # Make Apache hand off HTTP requests to Puppet earlier, at the cost of
    # interfering with mod_proxy, mod_rewrite, etc. See note below.
    PassengerHighPerformance On

    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    SSLHonorCipherOrder on

    SSLCertificateFile /etc/puppetlabs/puppet/ssl/certs/puppet-server.example.com.pem
    SSLCertificateKeyFile /etc/puppetlabs/puppet/ssl/private_keys/puppet-server.example.com.pem
    SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
    SSLCARevocationCheck chain
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +ExportCertData

    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking. If you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.

    # These request headers are used to pass the client certificate
    # authentication information on to the Puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        # Apply the right behavior depending on Apache version.
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>

    ErrorLog /var/log/httpd/puppet-server.example.com_ssl_error.log
    CustomLog /var/log/httpd/puppet-server.example.com_ssl_access.log combined
</VirtualHost>
But we need to modify the file:
- First, uncomment the section "# RHEL/CentOS"
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x
PassengerRuby /usr/bin/ruby
- Then, need to set a correct path to "apache2/mod_passenger.so"
The easiest way to locate the Passenger module is to use mlocate:
[centos@puppet:conf.d]$ sudo yum install mlocate
[centos@puppet:conf.d]$ sudo updatedb
[centos@puppet:conf.d]$ locate mod_passenger.so
/usr/local/share/gems/gems/passenger-5.0.18/buildout/apache2/mod_passenger.so
That path replaces the template's module path, and "PassengerRoot" must be updated to match it (the gem directory the module lives under):
# RHEL/CentOS:
LoadModule passenger_module /usr/local/share/gems/gems/passenger-5.0.18/buildout/apache2/mod_passenger.so
PassengerRoot /usr/local/share/gems/gems/passenger-5.0.18
PassengerRuby /usr/bin/ruby
- Next, the certificate and key file names should be changed to the actual cert name the master generated (the final file below also uses this master's ssldir, /var/lib/puppet/ssl, rather than /etc/puppetlabs/puppet/ssl):
SSLCertificateFile /etc/puppetlabs/puppet/ssl/certs/puppet.localdomain.pem
SSLCertificateKeyFile /etc/puppetlabs/puppet/ssl/private_keys/puppet.localdomain.pem
- Note that the Apache version we've just installed is:
[centos@puppet:~]$ sudo httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Aug 24 2015 18:11:25
Here is the final version of /etc/httpd/conf.d/puppet.conf file:
# You'll need to adjust the paths in the Passenger config depending on which OS
# you're using, as well as the installed version of Passenger.
# Debian/Ubuntu:
#LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby1.8
# RHEL/CentOS:
LoadModule passenger_module /usr/local/share/gems/gems/passenger-5.0.18/buildout/apache2/mod_passenger.so
PassengerRoot /usr/local/share/gems/gems/passenger-5.0.18
PassengerRuby /usr/bin/ruby

# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 12
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140

<VirtualHost *:8140>
    # Make Apache hand off HTTP requests to Puppet earlier, at the cost of
    # interfering with mod_proxy, mod_rewrite, etc. See note below.
    PassengerHighPerformance On

    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    SSLHonorCipherOrder on

    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.localdomain.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.localdomain.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLCARevocationCheck chain
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +ExportCertData

    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking. If you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.

    # These request headers are used to pass the client certificate
    # authentication information on to the Puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        # Apply the right behavior depending on Apache version.
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>

    ErrorLog /var/log/httpd/puppet-server.example.com_ssl_error.log
    CustomLog /var/log/httpd/puppet-server.example.com_ssl_access.log combined
</VirtualHost>
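The directives that carry the security of this file are the TLS ones: SSLProtocol dropping SSLv2 and SSLv3, SSLVerifyClient optional together with the X-Client-Verify header (which is how the Puppet master learns whether an agent presented a certificate signed by its CA), and SSLCARevocationCheck chain, which Apache 2.4 defaults to none, so a revoked agent certificate would otherwise keep working. The following POSIX shell script is an added example, not part of the original post or of the Puppet documentation: it checks a vhost file for those directives on active (non-comment) lines and confirms that every certificate, key, chain and CRL path it references is readable. The sample_vhost function writes a constructed, trimmed copy of the vhost plus empty placeholder files into a directory purely for demonstration.

```bash
#!/bin/sh
# Added example (not from the original post): sanity-check a Puppet master
# vhost for the TLS / client-certificate settings the guide relies on.
# Usage: check_puppet_vhost /etc/httpd/conf.d/puppet.conf &&
#        check_cert_files  /etc/httpd/conf.d/puppet.conf

# Lines of FILE with comment lines removed, so a directive that only appears in
# a comment (like the SSLCARevocationCheck note in the template) does not count.
active_lines() {
  grep -v '^[[:space:]]*#' "$1"
}

# Return 0 if every required directive is active in FILE; otherwise list the
# missing ones on stderr and return 1.
check_puppet_vhost() {
  active=$(active_lines "$1")
  missing=0
  while IFS= read -r directive; do
    case $active in
      *"$directive"*) ;;
      *) echo "missing: $directive" >&2; missing=1 ;;
    esac
  done <<EOF
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLVerifyClient optional
SSLCARevocationCheck chain
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
EOF
  return $missing
}

# Print the certificate, key, chain, CA and CRL paths an active vhost references
# (paths are assumed not to contain whitespace, as with the puppet ssldir).
vhost_cert_files() {
  active_lines "$1" | while read -r key value rest; do
    case $key in
      SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile|SSLCACertificateFile|SSLCARevocationFile)
        printf '%s\n' "$value" ;;
    esac
  done
}

# Return 0 if every referenced file exists and is readable by the caller.
check_cert_files() {
  bad=0
  for path in $(vhost_cert_files "$1"); do
    [ -r "$path" ] || { echo "unreadable: $path" >&2; bad=1; }
  done
  return $bad
}

# Write a constructed, trimmed vhost and empty placeholder cert files under DIR.
# Sample input for demonstration only; the real files live in the puppet ssldir.
sample_vhost() {
  dir=$1
  mkdir -p "$dir/ssl"
  for f in puppet.localdomain.pem key.pem ca_crt.pem ca_crl.pem; do : > "$dir/ssl/$f"; done
  cat > "$dir/puppet.conf" <<EOF
Listen 8140
<VirtualHost *:8140>
    SSLEngine On
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCertificateFile $dir/ssl/puppet.localdomain.pem
    SSLCertificateKeyFile $dir/ssl/key.pem
    SSLCertificateChainFile $dir/ssl/ca_crt.pem
    SSLCACertificateFile $dir/ssl/ca_crt.pem
    SSLCARevocationFile $dir/ssl/ca_crl.pem
    # Apache 2.4 defaults this to none, which silently disables CRL checking.
    SSLCARevocationCheck chain
    SSLVerifyClient optional
    SSLVerifyDepth 1
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
EOF
}
```

Run check_cert_files as the user httpd starts as (root, before it drops privileges), since a key that is unreadable to that user is the usual cause of an SSL startup failure after copying a vhost between hosts.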
Let's modify one line in /etc/httpd/conf/httpd.conf file - uncomment and change the server name:
ServerName puppet.localdomain:80
Let's check if Apache server runs:
[centos@puppet:~]$ sudo service httpd start
Redirecting to /bin/systemctl start httpd.service
[centos@puppet:~]$
[centos@puppet:~]$ ps -ef|grep httpd
root      7689     1  0 05:08 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    7735  7689  0 05:08 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    7736  7689  0 05:08 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    7737  7689  0 05:08 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    7738  7689  0 05:08 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    7739  7689  0 05:08 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
centos    7743   952  0 05:08 pts/1    00:00:00 grep --color=auto httpd
Stop httpd:
[centos@puppet:~]$ sudo service httpd stop
Redirecting to /bin/systemctl stop httpd.service
[centos@puppet:~]$
[centos@puppet:~]$ ps -ef|grep httpd
centos    7768   952  0 05:09 pts/1    00:00:00 grep --color=auto httpd
So far we have created the virtual host config file that tells Apache to run the Puppet master application.
Now, we need to install the Puppet master Rack application, by creating a directory for it and copying the config.ru file from the Puppet source. The config.ru tells Rack how to spawn Puppet master processes.
To install this Rack application in a form Passenger can use, we'll need to:
- Create three directories for the application (a parent directory, a "public" directory, and a "tmp" directory).
[centos@puppet:~]$ sudo mkdir -p /usr/share/puppet/rack/puppetmasterd
[centos@puppet:~]$ sudo mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
- Copy the ext/rack/config.ru file from the Puppet source code into the parent directory.
[centos@puppet:~]$ sudo cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
- Set the ownership of the config.ru file.
[centos@puppet:~]$ sudo chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
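Passenger treats the parent of the public/ directory named in DocumentRoot as the application root and loads config.ru from there, so the layout created above and the DocumentRoot in the vhost have to agree. The following POSIX shell function is an added example, not from the original post: check_rack_app verifies the three directories and config.ru for an application directory (defaulting to the guide's path) and, when given the vhost file as a second argument, confirms that its active DocumentRoot points at that application's public/ directory.

```bash
#!/bin/sh
# Added example (not from the original post): verify the Rack application layout
# Passenger expects before restarting httpd.
# Usage: check_rack_app [/usr/share/puppet/rack/puppetmasterd] [/etc/httpd/conf.d/puppet.conf]

check_rack_app() {
  app=${1:-/usr/share/puppet/rack/puppetmasterd}
  vhost=${2:-}
  rc=0
  # Parent, public/ and tmp/ must all exist; Passenger uses tmp/ for restart markers.
  for d in "$app" "$app/public" "$app/tmp"; do
    [ -d "$d" ] || { echo "missing directory: $d" >&2; rc=1; }
  done
  # config.ru is what Rack uses to spawn the Puppet master processes.
  [ -f "$app/config.ru" ] || { echo "missing $app/config.ru" >&2; rc=1; }
  # Optionally confirm the vhost's (non-comment) DocumentRoot is this app's public/.
  if [ -n "$vhost" ]; then
    if ! grep -v '^[[:space:]]*#' "$vhost" | grep -qF "DocumentRoot $app/public"; then
      echo "DocumentRoot in $vhost is not $app/public" >&2
      rc=1
    fi
  fi
  return $rc
}

# Owner of config.ru; the guide sets it to puppet:puppet. GNU stat assumed (CentOS).
config_ru_owner() {
  stat -c %U "${1:-/usr/share/puppet/rack/puppetmasterd}/config.ru"
}

# True if something is already bound to the puppet port (e.g. a WEBrick master),
# which would stop httpd from binding 8140. Uses ss, falling back to netstat.
port_8140_in_use() {
  { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q '[:.]8140[[:space:]]'
}
```

The owner and port helpers only mean something on the master itself; the layout check can be run anywhere, for instance against a staging copy of the tree.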
Before starting the Apache service, we need to make sure that any WEBrick Puppet master process is stopped because only one can be bound to TCP port 8140.
[centos@puppet:~]$ sudo service httpd restart
Redirecting to /bin/systemctl restart httpd.service
Check if Apache is listening on the puppet port:
[centos@puppet:~]$ netstat -anl | grep 8140
tcp6       0      0 :::8140                 :::*                    LISTEN
Now, we're good to go!