Puppet master with Nginx and Passenger 5.0


What is this

Puppet:
a free (libre) configuration management utility. It runs on many Unix-like systems as well as on Microsoft Windows, and includes its own declarative language to describe system configuration.

Passenger:
A web server and application server for your web apps. Keeps your users happy, saves your business time and money.

How to set up a puppet master with nginx and Passenger 5.0 on Ubuntu 14.04

0. Set up Passenger 5.0 repository

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7
sudo apt-get install apt-transport-https ca-certificates
sudo vim /etc/apt/sources.list.d/passenger.list

Put this line in the file:

# Ubuntu 14.04
deb https://oss-binaries.phusionpassenger.com/apt/passenger trusty main

Then refresh the package index:

sudo apt-get update

1. Install nginx-full and Passenger

sudo apt-get install nginx-full passenger

2. Create Rack working directory

sudo mkdir -p /etc/puppet/rack/{public,tmp}
sudo vim /etc/puppet/rack/config.ru

Configure it like this:

# config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $LOAD_PATH.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"

# Rack applications typically don't start as root.  Set --confdir and --vardir
# to prevent reading configuration from ~puppet/.puppet/puppet.conf and writing
# to ~puppet/.puppet
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir"  << "/var/lib/puppet"

# NOTE: it's unfortunate that we have to use the "CommandLine" class
#  here to launch the app, but it contains some initialization logic
#  (such as triggering the parsing of the config file) that is very
#  important.  We should do something less nasty here when we've
#  gotten our API and settings initialization logic cleaned up.
#
# Also note that the "$0 = master" line up near the top here is
#  the magic that allows the CommandLine class to know that it's
#  supposed to be running master.
#
# --cprice 2012-05-22

require 'puppet/util/command_line'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Util::CommandLine.new.execute

3. Set up nginx.conf to work with Passenger

sudo vim /etc/nginx/nginx.conf

Change it to something like this:

user puppet;
worker_processes 4;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log warn;

events {
  worker_connections 1024;
}

http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

  access_log /var/log/nginx/access.log main;

  sendfile on;

  keepalive_timeout 65;

  passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
  passenger_ruby /usr/bin/ruby;

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*.conf;
}

4. Create nginx server block to replace webrick

sudo vim /etc/nginx/sites-enabled/puppet.conf

Add something like this:

server {
  listen *:8140 ssl;
  server_name puppet.blackonsole.org;

  ssl on;
  ssl_certificate /var/lib/puppet/ssl/certs/puppet.blackonsole.org.pem;
  ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.blackonsole.org.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
  ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
  ssl_verify_client optional;
  ssl_verify_depth 1;

  index index.html index.htm index.php;

  access_log /var/log/nginx/puppet_access.log;
  error_log /var/log/nginx/puppet_error.log;

  root /etc/puppet/rack/public;

  passenger_enabled on;
  passenger_ruby /usr/bin/ruby;
  passenger_set_header X_CLIENT_S_DN $ssl_client_s_dn;
  passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;
}

5. Make puppet.conf work with nginx

sudo vim /etc/puppet/puppet.conf

Add or change the following:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
pluginsync=true
server=puppet.blackonsole.org

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = HTTP_X_CLIENT_S_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
certname=puppet.blackonsole.org

6. Disable puppetmaster service

sudo service puppetmaster stop
sudo update-rc.d -f puppetmaster remove

7. Restart nginx

sudo service nginx restart

8. Test

sudo puppet agent -t
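Steps 4 and 5 only work together because the header names line up: nginx sets X_CLIENT_S_DN and X_CLIENT_VERIFY via passenger_set_header, Rack exposes them to config.ru as HTTP_X_CLIENT_S_DN and HTTP_X_CLIENT_VERIFY, and puppet.conf tells the master to read exactly those keys. The following Ruby is an added illustrative model of that lookup (it is not Puppet's own code); the sample env hashes are constructed to stand in for what Passenger hands to the Rack application.

```ruby
# Illustrative model (not Puppet's code) of how a Rack-hosted puppet master
# identifies an agent from the two headers nginx sets with passenger_set_header.
# The env keys must match puppet.conf:
#   ssl_client_header        = HTTP_X_CLIENT_S_DN
#   ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
SSL_CLIENT_HEADER        = 'HTTP_X_CLIENT_S_DN'.freeze
SSL_CLIENT_VERIFY_HEADER = 'HTTP_X_CLIENT_VERIFY'.freeze

# Rack exposes an HTTP header "X_CLIENT_S_DN" to the application as the
# CGI-style env key "HTTP_X_CLIENT_S_DN", which is why puppet.conf carries
# the HTTP_ prefix while the nginx server block does not.
def rack_env_name(header)
  'HTTP_' + header.upcase.tr('-', '_')
end

# Returns { node:, authenticated: } for one Rack env hash.
# $ssl_client_s_dn is the certificate subject, e.g. "/CN=agent01.example.com";
# $ssl_client_verify is "SUCCESS", "NONE" (no certificate offered; permitted by
# "ssl_verify_client optional" so a new agent can submit its CSR) or "FAILED:...".
def client_info(env)
  info = { node: nil, authenticated: false }
  dn = env[SSL_CLIENT_HEADER].to_s
  if (m = dn.match(/CN\s*=\s*([^,\/]+)/))
    info[:node] = m[1]
    # Only a chain nginx verified against ca.pem and ca_crl.pem counts;
    # a subject DN on its own is never trusted.
    info[:authenticated] = (env[SSL_CLIENT_VERIFY_HEADER] == 'SUCCESS')
  end
  info
end

# Constructed sample envs (hypothetical agents) for the three outcomes.
SAMPLE_ENVS = {
  verified:  { 'HTTP_X_CLIENT_S_DN' => '/CN=agent01.example.com',
               'HTTP_X_CLIENT_VERIFY' => 'SUCCESS' },
  new_agent: { 'HTTP_X_CLIENT_S_DN' => '',
               'HTTP_X_CLIENT_VERIFY' => 'NONE' },
  revoked:   { 'HTTP_X_CLIENT_S_DN' => '/CN=old.example.com',
               'HTTP_X_CLIENT_VERIFY' => 'FAILED:certificate revoked' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ENVS.each { |name, env| puts "#{name}: #{client_info(env)}" }
end
```

If an agent run fails with an authentication or "not authorized" error after switching to nginx, compare the two puppet.conf header settings against the names in passenger_set_header first; a mismatch leaves every request unauthenticated.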

