Configure puppet master using nginx and mod passenger
Unfortunately Puppet Labs does not provide instructions on how to run a puppet master with passenger and nginx. Here is the procedure to set up nginx with mod_passenger on CentOS 6. This assumes you already have puppet installed. See http://docs.puppetlabs.com/guides/installation.html#installing-puppet-1 for details on how to do that.
Install Ruby and Rubygems:
yum install -y ruby rubygems ruby-devel
Install some dependency requirements to compile nginx:
yum install -y gcc gcc-c++ make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build php-devel
Install rake, rack and passenger ruby gems:
gem install rake rack passenger --no-rdoc --no-ri
gem install rake -v 0.8.3 --no-rdoc --no-ri
gem install rack --no-rdoc --no-ri
gem install rails -v 2.3.18 --no-rdoc --no-ri
gem install passenger --no-rdoc --no-ri
The official nginx RPMs provided by nginx.org are not compiled with Passenger support so you will need to build your own package to enable this.
Download the SRPM from the nginx site and install it.
rpm -ivh http://nginx.org/packages/rhel/6/SRPMS/nginx-1.2.8-1.el6.ngx.src.rpm
Download the updated spec file to replace the one provided by the srpm.
cd /root/rpmbuild/SPECS
rm -f nginx.spec && wget -O nginx.spec http://watters.ws/rpms/centos/6/specs/nginx-1.2.8-passenger.spec
Build the rpm.
rpmbuild -bb /root/rpmbuild/SPECS/nginx.spec
Install the package.
rpm -ivh /root/rpmbuild/RPMS/x86_64/nginx-1.2.8-1.el6.ngx.x86_64.rpm
Create rack directory structure:
mkdir -p /etc/puppet/rack/public
Copy rackup file to the correct place:
cp /usr/share/puppet/ext/rack/files/config.ru /etc/puppet/rack/
Set the correct permissions; this is important:
chown -R puppet:puppet /etc/puppet
Create the main nginx configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;

    # Passenger needed for puppet
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19;
    passenger_ruby /usr/bin/ruby;
    passenger_max_pool_size 15;

    include /etc/nginx/conf.d/*.conf;
}
Make sure the passenger_root is set to whatever is returned by:
passenger-config --root
The passenger configuration is taken from the Suggested Tweaks section of the Puppet Labs Apache/Passenger document found here and adapted for Nginx using the Passenger Nginx user guide found here. The defaults are all acceptable apart from passenger_max_pool_size, which by default is only 6. This sets the maximum number of rack application instances that can be simultaneously active. I’m presuming you won’t be running your puppet master on less than 1GB of RAM, so I’m setting this to 15. Adjust this to suit your hardware/RAM.
Also, if you have installed Ruby anywhere else, update passenger_ruby. Feel free to update worker_processes for your hardware.
Create the nginx puppet server config /etc/nginx/conf.d/puppet.conf:
server {
    listen 8140 ssl;
    server_name puppet puppetmaster.example.com;

    passenger_enabled on;
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;

    access_log /var/log/nginx/puppet_access.log;
    error_log /var/log/nginx/puppet_error.log;

    root /etc/puppet/rack/public;

    ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_prefer_server_ciphers on;
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    ssl_session_timeout 5m;
}
Turn puppet master off as it doesn’t need to run standalone:
chkconfig puppetmaster off
Enable nginx:
chkconfig nginx on
Test the nginx configuration:
service nginx configtest
If everything tests out, start the puppet master.
/etc/init.d/puppetmaster stop
/etc/init.d/nginx start
Now test a puppet agent:
puppet agent --test --server puppetmaster.example.com
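An added example (not part of the original procedure) that checks the TLS directives of the puppet.conf above: in OpenSSL cipher-list syntax, the SSLv2 and RC4+RSA tokens add SSLv2 and RC4 suites, and the file sets no ssl_protocols. The function names and finding labels are hypothetical, and the sample is constructed from the config lines on this page.

```shell
#!/bin/sh
# Added example: flag risky TLS settings in an nginx Puppet master vhost.
# Function names and finding labels are hypothetical, not part of nginx or Puppet.

# Print the value of a single-line directive, without the trailing ';'.
directive_value() {   # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);.*$/\1/p" "$1"
}

audit_puppet_vhost() {   # $1 = config file; prints one finding per line
    conf=$1
    ciphers=$(directive_value "$conf" ssl_ciphers)
    # Walk the OpenSSL cipher string; only tokens that ADD suites matter.
    old_ifs=$IFS; IFS=:
    for tok in $ciphers; do
        case $tok in
            -*|'!'*) ;;   # removals and exclusions
            *SSLv2*|*RC4*|*LOW*|*EXP*|*MD5*|*NULL*) echo "WEAK_CIPHER $tok" ;;
        esac
    done
    IFS=$old_ifs
    # No ssl_protocols line means the protocol list is nginx's built-in default.
    [ -n "$(directive_value "$conf" ssl_protocols)" ] || echo "NO_SSL_PROTOCOLS"
    # Without a CRL, revoked agent certificates still verify.
    [ -n "$(directive_value "$conf" ssl_crl)" ] || echo "NO_CRL"
    case $(directive_value "$conf" ssl_verify_client) in
        on|optional) ;;
        *) echo "CLIENT_CERT_NOT_CHECKED" ;;
    esac
    # With "optional", the verification result is passed on by this parameter.
    directive_value "$conf" passenger_set_cgi_param |
        grep -q '^HTTP_X_CLIENT_VERIFY ' || echo "NO_VERIFY_HEADER"
}

# Constructed sample: the TLS-related lines of puppet.conf as given above.
sample_vhost() {
    cat <<'EOF'
server {
    listen 8140 ssl;
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_verify_client optional;
}
EOF
}

tmp=$(mktemp) && sample_vhost > "$tmp" && audit_puppet_vhost "$tmp"; rm -f "$tmp"
```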