maehachi08 Anything Blog

2013-01-27
Running puppetmasterd under apache + passenger

Normally puppetmaster (puppet-server) runs on the built-in WEBrick server. WEBrick cannot always keep up with requests from many clients, though, so here it is run under apache + passenger instead.
The current puppetmaster is a standard Rack application, and the rackup file (config.ru) that starts it ships with the puppet package, so moving it onto passenger is straightforward.
See here for details on Rack.

Install puppet{,-server}

### The epel-release package version may have changed since this was written
rpm -ivh http://ftp.jaist.ac.jp/pub/Linux/Fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install puppet puppet-server

Install apache + passenger

### Install build tool
yum -y install make gcc-c++

### Require for "passenger-install-apache2-module"
yum -y install curl-devel openssl-devel zlib-devel

### Install apache
yum -y install httpd httpd-devel ruby-devel rubygems

### Install Rack
gem install -v 1.1.0 rack

### Install Passenger
gem install passenger
yes "" | passenger-install-apache2-module

### Install mod_ssl
yum -y install mod_ssl

Configuration of puppet-server

Adjust the configuration files under /etc/puppet to suit your environment.

mkdir -p /var/lib/puppet/data/{manifests,templates,dist,facts}
mkdir -p /var/lib/puppet/modules
mkdir -p /var/lib/puppet/lib/facter

### /etc/puppet/puppet.conf
cat << EOT > /etc/puppet/puppet.conf
[main]
ssldir = \$vardir/ssl
rundir = /var/run/puppet
logdir = /var/log/puppet

[master]
environment = production
certname    = pachi.localhost
manifestdir = \$vardir/data/manifests
templatedir = \$vardir/data/templates
modulepath  = \$vardir/data/modules:\$vardir/modules
ssl_client_header        = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
environment = production
server      = pachi.localhost
factsource  = puppet://\$server/facts
pluginsync  = true
EOT
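How the master uses the two ssl_client_header / ssl_client_verify_header settings once Apache has terminated TLS, as an added Ruby example (a simplified model written for this page, not Puppet's own code; the names cn_from_dn, client_identity, PuppetMasterLike, status_for and the sample env hashes are assumptions):

```ruby
# Added example, not Puppet's own code: a simplified model of how a Rack-hosted
# puppetmaster identifies the agent once Apache has terminated TLS.
# Assumed names: cn_from_dn, client_identity, PuppetMasterLike, status_for.

# The two puppet.conf settings from the post. With "SSLOptions +StdEnvVars" in
# the vhost, mod_ssl exports these as environment variables into the Rack env.
SSL_CLIENT_HEADER        = "SSL_CLIENT_S_DN"
SSL_CLIENT_VERIFY_HEADER = "SSL_CLIENT_VERIFY"

# Pull the CN out of a mod_ssl-style DN ("/O=Puppet/CN=node1.localhost") or
# the comma form ("O=Puppet,CN=node1.localhost"). Returns nil if there is none.
def cn_from_dn(dn)
  return nil if dn.nil?
  m = dn.match(/(?:^|[\/,])\s*CN\s*=\s*([^\/,]+)/i)
  m && m[1].strip
end

# Identity for one request: {:node => certname or nil, :authenticated => bool}.
# Only the mod_ssl variables are consulted. Apache sets them from the verified
# client certificate, so a client cannot forge them. HTTP request headers show
# up in the Rack env as HTTP_* keys and are deliberately ignored here.
def client_identity(env)
  if env[SSL_CLIENT_VERIFY_HEADER] == "SUCCESS"
    node = cn_from_dn(env[SSL_CLIENT_HEADER])
    return { :node => node, :authenticated => !node.nil? }
  end
  { :node => nil, :authenticated => false }
end

# A toy Rack app with two routes. Anyone may submit a certificate request
# (an agent has no certificate before its first CSR, which is why the vhost
# must use "SSLVerifyClient optional" rather than "require"); a catalog is
# served only to the authenticated agent whose certname matches the path.
class PuppetMasterLike
  TEXT = { "Content-Type" => "text/plain" }

  def call(env)
    ident = client_identity(env)
    path  = env["PATH_INFO"].to_s
    if path.start_with?("/certificate_request/")
      [200, TEXT, ["csr accepted\n"]]
    elsif path =~ %r{\A/catalog/([^/]+)\z}
      requested = $1
      if ident[:authenticated] && ident[:node] == requested
        [200, TEXT, ["catalog for #{requested}\n"]]
      else
        [403, TEXT, ["forbidden\n"]]
      end
    else
      [404, TEXT, ["not found\n"]]
    end
  end
end

# Convenience for exercising the app without a web server.
def status_for(env)
  PuppetMasterLike.new.call(env)[0]
end

# Constructed sample environments (not captured from a real server).
AGENT_OK = { "SSL_CLIENT_VERIFY" => "SUCCESS",
             "SSL_CLIENT_S_DN"   => "/CN=node1.localhost",
             "PATH_INFO"         => "/catalog/node1.localhost" }
# A client that sends "SSL-Client-Verify: SUCCESS" as an HTTP header gets this:
AGENT_SPOOF = { "HTTP_SSL_CLIENT_VERIFY" => "SUCCESS",
                "HTTP_SSL_CLIENT_S_DN"   => "/CN=node1.localhost",
                "PATH_INFO"              => "/catalog/node1.localhost" }

if __FILE__ == $0
  puts "ok:    #{status_for(AGENT_OK)}"      # 200
  puts "spoof: #{status_for(AGENT_SPOOF)}"   # 403
end
```

The point of the spoof case: because the configured names are mod_ssl variables rather than HTTP headers, nothing a client puts on the wire can reach them. If the master were instead behind a reverse proxy that passes identity in real request headers (the X-Client-DN style, read as HTTP_X_CLIENT_DN), the proxy would have to strip those headers from incoming requests, otherwise any client could claim any certname.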

### /etc/puppet/fileserver.conf
### "allow *" lets any host that can reach the master fetch these mounts; outside a test network restrict it (for example allow *.localhost)
cat << EOT > /etc/puppet/fileserver.conf
[dist]
path /var/lib/puppet/data/dist
allow *

[facts]
path /var/lib/puppet/data/facts
allow *
EOT

### /etc/puppet/auth.conf
### Emptying auth.conf removes every explicit access rule; review the auth.conf shipped with the package before doing this anywhere but a test box
echo -n > /etc/puppet/auth.conf

### /etc/puppet/autosign.conf
### Autosigns every CSR whose requested certname matches *.localhost. The name is chosen by the requester, so only do this on a network where every host is trusted
echo "*.localhost" > /etc/puppet/autosign.conf

Configuration of Rack

cp /usr/share/puppet/ext/rack/files/apache2.conf /etc/httpd/conf.d/puppetmaster.conf

mkdir -p /usr/share/puppet/rack/puppetmasterd/{public,tmp}
cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmasterd/
### Passenger runs the application as the owner of config.ru, so this is what makes the master run as puppet rather than root
chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru

### Use the LoadModule / PassengerRoot paths printed by passenger-install-apache2-module (these are for passenger 3.0.19)
cat << EOT > /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19
PassengerRuby /usr/bin/ruby
EOT

Change the SSL certificate paths in /etc/httpd/conf.d/puppetmaster.conf from the defaults to the values used here. The SSLProtocol and SSLCipherSuite lines below are the ones shipped in the example file; SSLv3 and RC4 are no longer acceptable, so in production use at least `SSLProtocol -ALL +TLSv1` (adding TLSv1.2 where the platform OpenSSL supports it) and a cipher string that excludes RC4. `SSLVerifyClient optional` has to stay optional rather than require, because an agent submitting its first certificate request does not have a certificate yet.

# you probably want to tune these settings
PassengerUseGlobalQueue on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile      /var/lib/puppet/ssl/certs/pachi.localhost.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/pachi.localhost.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions +StdEnvVars

        RackBaseURI /
        PassengerHighPerformance on
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        CustomLog /var/log/httpd/puppet_access_log combined
        ErrorLog /var/log/httpd/puppet_error_log

        <Directory /usr/share/puppet/rack/puppetmasterd/public/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
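To check the two TLS lines of this vhost (and any replacement) against what mod_ssl and OpenSSL actually enable, here is an added Ruby lint; it is not part of the post or of Apache, and the names enabled_protocols, weak_tls_findings, the constants and the sample fragments are assumptions made for the example:

```ruby
# Added example, not from the post or from Apache: a static lint for the two
# TLS directives in the puppetmaster vhost. Assumed names: enabled_protocols,
# weak_tls_findings and the constants below.

# Protocols the Apache 2.2 "ALL" shortcut expands to (SSLv2 is included there,
# and TLSv1.1/1.2 only exist with OpenSSL 1.0.1 or later).
ALL_PROTOCOLS = %w[SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2]
BAD_PROTOCOLS = %w[SSLv2 SSLv3]

# Cipher-string atoms that should not survive into the enabled set.
BAD_CIPHER_ATOMS = %w[RC4 MEDIUM LOW EXP EXPORT NULL eNULL aNULL ADH DES MD5]

# Apply mod_ssl's SSLProtocol token rules: "+X" or bare "X" adds, "-X" removes,
# "ALL" expands to every protocol, and tokens are processed left to right.
def enabled_protocols(value, all = ALL_PROTOCOLS)
  enabled = []
  value.split.each do |tok|
    remove = tok.start_with?("-")
    name   = tok.sub(/\A[+-]/, "")
    names  = name.casecmp("ALL").zero? ? all : [name]
    enabled = remove ? enabled - names : enabled | names
  end
  enabled
end

# Scan a vhost fragment and return human-readable findings. For the cipher
# string only OpenSSL's removal operators count as removals: "!X" deletes X
# permanently and "-X" deletes it until re-added, whereas "+X" merely moves
# matching ciphers to the end of the list and does NOT add or remove anything,
# so "+MEDIUM" after "ALL" still leaves the MEDIUM ciphers enabled. The bare
# "ALL" keyword itself is not expanded here; see the usage note.
def weak_tls_findings(conf)
  findings = []
  conf.each_line do |line|
    directive, rest = line.strip.split(/\s+/, 2)
    next if rest.nil?
    case directive
    when "SSLProtocol"
      (enabled_protocols(rest) & BAD_PROTOCOLS).each do |p|
        findings << "SSLProtocol enables #{p}"
      end
    when "SSLCipherSuite"
      rest.split(/[:,\s]+/).each do |tok|
        next if tok.start_with?("!", "-")
        tok.sub(/\A\+/, "").split("+").each do |atom|
          findings << "SSLCipherSuite includes #{atom}" if BAD_CIPHER_ATOMS.include?(atom)
        end
      end
    end
  end
  findings.uniq
end

# The two lines as they appear in the post's puppetmaster.conf.
POST_TLS_LINES = <<'CONF'
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
CONF

# A replacement that passes the lint (add +TLSv1.2 once the platform OpenSSL
# supports it).
HARDENED_TLS_LINES = <<'CONF'
        SSLProtocol -ALL +TLSv1
        SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
CONF

if __FILE__ == $0
  weak_tls_findings(POST_TLS_LINES).each { |f| puts f }
  puts "hardened: #{weak_tls_findings(HARDENED_TLS_LINES).inspect}"   # []
end
```

This is a static reading of the directives; the authoritative answer for a cipher string is `openssl ciphers -v '<string>'` on the host in question, which expands ALL, HIGH and the rest to the concrete suites the installed OpenSSL offers.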

Create the certificate files

This step is unnecessary when converting an environment where puppet-server was already running under WEBrick.

The SSL certificate files named in /etc/httpd/conf.d/puppetmaster.conf are created the first time puppetmaster starts, so on a fresh build they do not exist yet. Trying to start apache as-is fails with an error like the following:

# /etc/init.d/httpd start
Starting httpd: Syntax error on line 17 of /etc/httpd/conf.d/puppetmaster.conf:
SSLCertificateFile: file '/var/lib/puppet/ssl/certs/pachi.localhost.pem' does not exist or is empty

So start puppetmaster by hand just this once. This first run creates the master's key and CSR and, since the master is also the CA, signs its own certificate (the notice lines below). It runs with --no-daemonize, so stop it with [Ctrl] + C once it reports that it has started.

# puppetmasterd --no-daemonize --verbose
info: Creating a new SSL key for pachi.localhost
info: Creating a new SSL certificate request for pachi.localhost
info: Certificate Request fingerprint (md5): 9D:31:8C:E9:0C:95:DB:7E:28:A9:77:3D:33:97:03:08
notice: pachi.localhost has a waiting certificate request
notice: Signed certificate request for pachi.localhost
notice: Removing file Puppet::SSL::CertificateRequest pachi.localhost at '/var/lib/puppet/ssl/ca/requests/pachi.localhost.pem'
notice: Removing file Puppet::SSL::CertificateRequest pachi.localhost at '/var/lib/puppet/ssl/certificate_requests/pachi.localhost.pem'
notice: Starting Puppet master version 2.6.17

The SSL certificate files now exist.

# ls -l /var/lib/puppet/ssl/certs/pachi.localhost.pem
-rw-r--r-- 1 puppet puppet 924 Oct 25 17:46 2012 /var/lib/puppet/ssl/certs/pachi.localhost.pem

Start puppetmaster under passenger

/etc/init.d/httpd start

### To start it at boot:
chkconfig httpd on

puppet-server is now running under passenger. In the process listing, httpd and the Passenger agents run as root, apache and nobody, while the Rack application itself (the master) runs as puppet, because config.ru is owned by that user.

# ps auxf
...
root      4811  0.0  1.1 204572  5936 ?        Ss   21:35   0:00 /usr/sbin/httpd
root      4813  0.0  0.3 213936  1860 ?        Ssl  21:35   0:00  \_ PassengerWatchdog
root      4816  0.1  0.4 356048  2368 ?        Sl   21:35   0:03  |   \_ PassengerHelperAgent
root      4818  0.4  1.8  53028  9528 ?        Sl   21:35   0:11  |   |   \_ Passenger spawn server
nobody    4821  0.0  0.7 148084  3724 ?        Sl   21:35   0:00  |   \_ PassengerLoggingAgent
apache    4828  0.0  1.1 205460  5872 ?        S    21:35   0:00  \_ /usr/sbin/httpd
apache    4829  0.0  1.1 205456  5880 ?        S    21:35   0:00  \_ /usr/sbin/httpd
apache    4830  0.0  0.6 204704  3356 ?        S    21:35   0:00  \_ /usr/sbin/httpd
apache    4831  0.0  0.6 204704  3352 ?        S    21:35   0:00  \_ /usr/sbin/httpd
apache    4832  0.0  0.6 204704  3352 ?        S    21:35   0:00  \_ /usr/sbin/httpd
apache    4833  0.0  0.6 204704  3352 ?        S    21:35   0:00  \_ /usr/sbin/httpd
apache    4834  0.0  0.6 204704  3352 ?        S    21:35   0:00  \_ /usr/sbin/httpd
apache    4835  0.0  0.6 204704  3352 ?        S    21:35   0:00  \_ /usr/sbin/httpd
puppet    4878  0.0  8.1 139920 40924 ?        S    21:35   0:00 Rack: /usr/share/puppet/rack/puppetmasterd