Normally, puppetmaster (puppet-server) runs on the built-in WEBrick server. WEBrick, however, cannot always keep up with access from many clients, so I am going to try running it under the apache + passenger combination instead.
The current puppetmaster is a standard Rack application, and config.ru, the rackup file that starts a Rack application, is shipped in the puppet package, so moving it onto passenger is straightforward.
For details on Rack, see here.
### The epel-release package version may change over time
rpm -ivh http://ftp.jaist.ac.jp/pub/Linux/Fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install puppet puppet-server
### Install build tool
yum -y install make gcc-c++
### Require for "passenger-install-apache2-module"
yum -y install curl-devel openssl-devel zlib-devel
### Install apache
yum -y install httpd httpd-devel ruby-devel rubygems
# Install Rack
gem install -v 1.1.0 rack
gem install passenger
# Build and install the Passenger apache module
yes "" | passenger-install-apache2-module
### Install mod_ssl
yum -y install mod_ssl
Adjust the configuration files under the /etc/puppet directory to suit your environment.
mkdir -p /var/lib/puppet/data/{manifests,templates,dist,facts}
mkdir -p /var/lib/puppet/modules
mkdir -p /var/lib/puppet/lib/facter
### /etc/puppet/puppet.conf
cat << EOT > /etc/puppet/puppet.conf
[main]
ssldir = \$vardir/ssl
rundir = /var/run/puppet
logdir = /var/log/puppet
[master]
environment = production
certname = pachi.localhost
manifestdir = \$vardir/data/manifests
templatedir = \$vardir/data/templates
modulepath = \$vardir/data/modules:\$vardir/modules
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
environment = production
server = pachi.localhost
factsource = puppet://\$server/facts
pluginsync = true
EOT
### /etc/puppet/fileserver.conf
cat << EOT > /etc/puppet/fileserver.conf
[dist]
path /var/lib/puppet/data/dist
allow *
[facts]
path /var/lib/puppet/data/facts
allow *
EOT
### /etc/puppet/auth.conf
echo -n > /etc/puppet/auth.conf
### /etc/puppet/autosign.conf
echo "*.localhost" > /etc/puppet/autosign.conf
cp /usr/share/puppet/ext/rack/files/apache2.conf /etc/httpd/conf.d/puppetmaster.conf
mkdir -p /usr/share/puppet/rack/puppetmasterd/{public,tmp}
cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmasterd/
chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru
cat << EOT > /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19
PassengerRuby /usr/bin/ruby
EOT
In /etc/httpd/conf.d/puppetmaster.conf, change the SSL certificate paths from the defaults to the values configured above.
# you probably want to tune these settings
PassengerUseGlobalQueue on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/pachi.localhost.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/pachi.localhost.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
RackBaseURI /
PassengerHighPerformance on
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
CustomLog /var/log/httpd/puppet_access_log combined
ErrorLog /var/log/httpd/puppet_error_log
<Directory /usr/share/puppet/rack/puppetmasterd/public/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
The SSL certificate files named in /etc/httpd/conf.d/puppetmaster.conf are created the first time puppetmaster starts, so they do not exist yet during the initial build. If you try to start apache as is, it will fail with an error like the following:
# /etc/init.d/httpd start
httpd を起動中: Syntax error on line 17 of /etc/httpd/conf.d/puppetmaster.conf:
SSLCertificateFile: file '/var/lib/puppet/ssl/certs/pachi.localhost.pem' does not exist or is empty
So, for the first time only, start puppetmaster by hand. Because it runs with --no-daemonize, stop it with [Ctrl] + C once the certificate has been issued.
# puppetmasterd --no-daemonize --verbose
info: Creating a new SSL key for pachi.localhost
info: Creating a new SSL certificate request for pachi.localhost
info: Certificate Request fingerprint (md5): 9D:31:8C:E9:0C:95:DB:7E:28:A9:77:3D:33:97:03:08
notice: pachi.localhost has a waiting certificate request
notice: Signed certificate request for pachi.localhost
notice: Removing file Puppet::SSL::CertificateRequest pachi.localhost at '/var/lib/puppet/ssl/ca/requests/pachi.localhost.pem'
notice: Removing file Puppet::SSL::CertificateRequest pachi.localhost at '/var/lib/puppet/ssl/certificate_requests/pachi.localhost.pem'
notice: Starting Puppet master version 2.6.17
The SSL certificate files have now been created.
# ls -l /var/lib/puppet/ssl/certs/pachi.localhost.pem
-rw-r--r-- 1 puppet puppet 924 10月 25 17:46 2012 /var/lib/puppet/ssl/certs/pachi.localhost.pem
/etc/init.d/httpd start
### To start httpd automatically at boot, run the following command
chkconfig httpd on
puppet-server is now running under passenger.
# ps auxf
・・・
root 4811 0.0 1.1 204572 5936 ? Ss 21:35 0:00 /usr/sbin/httpd
root 4813 0.0 0.3 213936 1860 ? Ssl 21:35 0:00 \_ PassengerWatchdog
root 4816 0.1 0.4 356048 2368 ? Sl 21:35 0:03 | \_ PassengerHelperAgent
root 4818 0.4 1.8 53028 9528 ? Sl 21:35 0:11 | | \_ Passenger spawn server
nobody 4821 0.0 0.7 148084 3724 ? Sl 21:35 0:00 | \_ PassengerLoggingAgent
apache 4828 0.0 1.1 205460 5872 ? S 21:35 0:00 \_ /usr/sbin/httpd
apache 4829 0.0 1.1 205456 5880 ? S 21:35 0:00 \_ /usr/sbin/httpd
apache 4830 0.0 0.6 204704 3356 ? S 21:35 0:00 \_ /usr/sbin/httpd
apache 4831 0.0 0.6 204704 3352 ? S 21:35 0:00 \_ /usr/sbin/httpd
apache 4832 0.0 0.6 204704 3352 ? S 21:35 0:00 \_ /usr/sbin/httpd
apache 4833 0.0 0.6 204704 3352 ? S 21:35 0:00 \_ /usr/sbin/httpd
apache 4834 0.0 0.6 204704 3352 ? S 21:35 0:00 \_ /usr/sbin/httpd
apache 4835 0.0 0.6 204704 3352 ? S 21:35 0:00 \_ /usr/sbin/httpd
puppet 4878 0.0 8.1 139920 40924 ? S 21:35 0:00 Rack: /usr/share/puppet/rack/puppetmasterd
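The chicken-and-egg step above (httpd refuses to start until puppetmasterd has created the files that the vhost references) is easy to automate with a preflight check. The script below is an added example, not part of the original post: it reads every SSL*File directive from a puppetmaster.conf, reports the files that are absent or empty, and only reports "ready" when all of them exist. The config and certificate paths are constructed in a temp directory so it runs offline; point CONF and SSL_DIR at the real /etc/httpd/conf.d/puppetmaster.conf and /var/lib/puppet/ssl in practice.

```shell
#!/bin/sh
# Added preflight check (not from the original post): httpd refuses to start
# while the SSL files named in the puppetmaster vhost are absent or empty, so
# list them and only start httpd once puppetmasterd has created them.
# SSL_DIR and CONF are constructed here; use the real paths in practice.

SSL_DIR=$(mktemp -d)
CONF=$(mktemp)
mkdir -p "$SSL_DIR/certs" "$SSL_DIR/private_keys" "$SSL_DIR/ca"
# Constructed state: only the CA certificate exists; the CRL is present but empty.
echo "constructed-ca-pem" > "$SSL_DIR/certs/ca.pem"
: > "$SSL_DIR/ca/ca_crl.pem"

# Constructed excerpt of the vhost, mirroring the directives in puppetmaster.conf.
cat << EOT > "$CONF"
SSLEngine on
SSLCertificateFile $SSL_DIR/certs/pachi.localhost.pem
SSLCertificateKeyFile $SSL_DIR/private_keys/pachi.localhost.pem
SSLCertificateChainFile $SSL_DIR/certs/ca.pem
SSLCACertificateFile $SSL_DIR/certs/ca.pem
# SSLCARevocationFile $SSL_DIR/ca/old_crl.pem   (commented out, must be ignored)
SSLCARevocationFile $SSL_DIR/ca/ca_crl.pem
EOT

# ssl_files_in CONF: every path given to an SSL...File directive, deduplicated.
ssl_files_in() {
    awk '/^[[:space:]]*SSL[A-Za-z]*File[[:space:]]/ { print $2 }' "$1" | sort -u
}

# missing_ssl_files CONF: referenced files that do not exist or are empty,
# i.e. exactly what httpd reports as "does not exist or is empty".
missing_ssl_files() {
    ssl_files_in "$1" | while read -r f; do
        [ -s "$f" ] || echo "$f"
    done
}

# httpd_ready CONF: 0 when every referenced file is present and non-empty,
# otherwise 1 with the offending paths on stderr.
httpd_ready() {
    missing=$(missing_ssl_files "$1")
    [ -z "$missing" ] && return 0
    printf 'puppetmaster vhost not ready; run puppetmasterd once to create:\n%s\n' "$missing" >&2
    return 1
}

# Typical use: httpd_ready /etc/httpd/conf.d/puppetmaster.conf && /etc/init.d/httpd start
```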