Configure puppet master using nginx and mod passenger

From Wiki
Jump to: navigation, search

Unfortunately Puppet labs does not provide instructions on how to run a puppet master with passenger and nginx. Here is the procedure to set up nginx with mod_passenger on CentOS 6. This is assuming you already have puppet installed. See for details on how to do that.

Install Ruby and Rubygems:

yum install -y ruby rubygems ruby-devel

Install some dependency requirements to compile nginx:

yum install -y gcc gcc-c++ make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build php-devel

Install rake, rack and passenger ruby gems:

gem install rake rack passenger --no-rdoc --no-ri
Note: CentOS 5 requires older gem versions due to having an out of date ruby release (1.8.5).
gem install rake -v 0.8.3 --no-rdoc --no-ri
gem install rack --no-rdoc --no-ri
gem install rails -v 2.3.18 --no-rdoc --no-ri
gem install passenger --no-rdoc --no-ri

The official nginx RPMs provided by are not compiled with Passenger suppport so you will need to build your own package to enable this.

Download the SRPM from the nginx site and install it.

rpm -ivh

Download the updated spec file to replace the one provided by the srpm.

cd /root/rpmbuild/SPECS
rm -f nginx.spec && wget 

Build the rpm.

rpmbuild -bb /root/rpmbuild/SPECS/nginx.spec

Install the package.

rpm -ivh /root/rpmbuild/RPMS/x86_64/nginx-1.2.8-1.el6.ngx.x86_64.rpm

Create rack directory structure:

mkdir -p /etc/puppet/rack/public

Copy rackup file to the correct place:

cp /usr/share/puppet/ext/rack/files/ /etc/puppet/rack/

Set the correct permissions, this is important:

chown -R puppet:puppet /etc/puppet

Create the main nginx configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/;

events {
    worker_connections  1024;

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush      on;

    keepalive_timeout  65;

    # Passenger needed for puppet
    passenger_root  /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19;
    passenger_ruby  /usr/bin/ruby;
    passenger_max_pool_size 15;

    include /etc/nginx/conf.d/*.conf;

Make sure the passenger_root is set to whatever is returned by:

passenger-config --root

The passenger configuration is taken from the Suggested Tweaks section of the Puppet Labs Apache/Passenger document found here and adapted for Nginx using the Passenger Nginx user guide found here. The defaults are all acceptable apart from passenger_max_pool_size which by default is only 6. This sets the maximum number of rack application instances that can be simultaneously active. I’m presuming you won’t be running your puppet master on less than 1GB of RAM, so setting this to 15. Adjust this to suit your hardware/RAM.

Also, if you have installed Ruby any where else, update passenger_ruby. Feel free to update worker_processes for your hardware.

Create the nginx puppet server config /etc/nginx/conf.d/puppet.conf:

server {
  listen                     8140 ssl;
  server_name                puppet;

  passenger_enabled          on;
  passenger_set_cgi_param    HTTP_X_CLIENT_DN $ssl_client_s_dn; 
  passenger_set_cgi_param    HTTP_X_CLIENT_VERIFY $ssl_client_verify; 

  access_log                 /var/log/nginx/puppet_access.log;
  error_log                  /var/log/nginx/puppet_error.log;

  root                       /etc/puppet/rack/public;

  ssl_certificate            /var/lib/puppet/ssl/certs/;
  ssl_certificate_key        /var/lib/puppet/ssl/private_keys/;
  ssl_crl                    /var/lib/puppet/ssl/ca/ca_crl.pem;
  ssl_client_certificate     /var/lib/puppet/ssl/certs/ca.pem;
  ssl_ciphers                SSLv2:-LOW:-EXPORT:RC4+RSA;
  ssl_prefer_server_ciphers  on;
  ssl_verify_client          optional;
  ssl_verify_depth           1;
  ssl_session_cache          shared:SSL:128m;
  ssl_session_timeout        5m;

Turn puppet master off as it doesn’t need to run standalone:

chkconfig puppetmaster off

Enable nginx

chkconfig nginx on

Test the nginx configuration:

 service nginx configtest

If everything tests out, start the puppet master.

/etc/init.d/puppetmaster stop
/etc/init.d/nginx start

Now test a puppet agent:

puppet agent --test --server